]>
Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * linux/net/sunrpc/gss_krb5_mech.c | |
3 | * | |
4 | * Copyright (c) 2001 The Regents of the University of Michigan. | |
5 | * All rights reserved. | |
6 | * | |
7 | * Andy Adamson <andros@umich.edu> | |
8 | * J. Bruce Fields <bfields@umich.edu> | |
9 | * | |
10 | * Redistribution and use in source and binary forms, with or without | |
11 | * modification, are permitted provided that the following conditions | |
12 | * are met: | |
13 | * | |
14 | * 1. Redistributions of source code must retain the above copyright | |
15 | * notice, this list of conditions and the following disclaimer. | |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in the | |
18 | * documentation and/or other materials provided with the distribution. | |
19 | * 3. Neither the name of the University nor the names of its | |
20 | * contributors may be used to endorse or promote products derived | |
21 | * from this software without specific prior written permission. | |
22 | * | |
23 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED | |
24 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF | |
25 | * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
26 | * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE | |
27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
28 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
29 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR | |
30 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF | |
31 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING | |
32 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | |
33 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
34 | * | |
35 | */ | |
36 | ||
378c6697 | 37 | #include <linux/err.h> |
1da177e4 LT |
38 | #include <linux/module.h> |
39 | #include <linux/init.h> | |
40 | #include <linux/types.h> | |
41 | #include <linux/slab.h> | |
42 | #include <linux/sunrpc/auth.h> | |
1da177e4 LT |
43 | #include <linux/sunrpc/gss_krb5.h> |
44 | #include <linux/sunrpc/xdr.h> | |
45 | #include <linux/crypto.h> | |
46 | ||
47 | #ifdef RPC_DEBUG | |
48 | # define RPCDBG_FACILITY RPCDBG_AUTH | |
49 | #endif | |
50 | ||
51 | static const void * | |
52 | simple_get_bytes(const void *p, const void *end, void *res, int len) | |
53 | { | |
54 | const void *q = (const void *)((const char *)p + len); | |
55 | if (unlikely(q > end || q < p)) | |
56 | return ERR_PTR(-EFAULT); | |
57 | memcpy(res, p, len); | |
58 | return q; | |
59 | } | |
60 | ||
61 | static const void * | |
62 | simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res) | |
63 | { | |
64 | const void *q; | |
65 | unsigned int len; | |
66 | ||
67 | p = simple_get_bytes(p, end, &len, sizeof(len)); | |
68 | if (IS_ERR(p)) | |
69 | return p; | |
70 | q = (const void *)((const char *)p + len); | |
71 | if (unlikely(q > end || q < p)) | |
72 | return ERR_PTR(-EFAULT); | |
73 | res->data = kmalloc(len, GFP_KERNEL); | |
74 | if (unlikely(res->data == NULL)) | |
75 | return ERR_PTR(-ENOMEM); | |
76 | memcpy(res->data, p, len); | |
77 | res->len = len; | |
78 | return q; | |
79 | } | |
80 | ||
81 | static inline const void * | |
378c6697 | 82 | get_key(const void *p, const void *end, struct crypto_blkcipher **res) |
1da177e4 LT |
83 | { |
84 | struct xdr_netobj key; | |
378c6697 | 85 | int alg; |
1da177e4 LT |
86 | char *alg_name; |
87 | ||
88 | p = simple_get_bytes(p, end, &alg, sizeof(alg)); | |
89 | if (IS_ERR(p)) | |
90 | goto out_err; | |
91 | p = simple_get_netobj(p, end, &key); | |
92 | if (IS_ERR(p)) | |
93 | goto out_err; | |
94 | ||
95 | switch (alg) { | |
96 | case ENCTYPE_DES_CBC_RAW: | |
378c6697 | 97 | alg_name = "cbc(des)"; |
1da177e4 LT |
98 | break; |
99 | default: | |
9e56904e | 100 | printk("gss_kerberos_mech: unsupported algorithm %d\n", alg); |
1da177e4 LT |
101 | goto out_err_free_key; |
102 | } | |
378c6697 HX |
103 | *res = crypto_alloc_blkcipher(alg_name, 0, CRYPTO_ALG_ASYNC); |
104 | if (IS_ERR(*res)) { | |
9e56904e | 105 | printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name); |
378c6697 | 106 | *res = NULL; |
1da177e4 | 107 | goto out_err_free_key; |
9e56904e | 108 | } |
378c6697 | 109 | if (crypto_blkcipher_setkey(*res, key.data, key.len)) { |
9e56904e | 110 | printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name); |
1da177e4 | 111 | goto out_err_free_tfm; |
9e56904e | 112 | } |
1da177e4 LT |
113 | |
114 | kfree(key.data); | |
115 | return p; | |
116 | ||
117 | out_err_free_tfm: | |
378c6697 | 118 | crypto_free_blkcipher(*res); |
1da177e4 LT |
119 | out_err_free_key: |
120 | kfree(key.data); | |
121 | p = ERR_PTR(-EINVAL); | |
122 | out_err: | |
123 | return p; | |
124 | } | |
125 | ||
126 | static int | |
127 | gss_import_sec_context_kerberos(const void *p, | |
128 | size_t len, | |
129 | struct gss_ctx *ctx_id) | |
130 | { | |
131 | const void *end = (const void *)((const char *)p + len); | |
132 | struct krb5_ctx *ctx; | |
133 | ||
0da974f4 | 134 | if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL))) |
1da177e4 | 135 | goto out_err; |
1da177e4 LT |
136 | |
137 | p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate)); | |
138 | if (IS_ERR(p)) | |
139 | goto out_err_free_ctx; | |
140 | p = simple_get_bytes(p, end, &ctx->seed_init, sizeof(ctx->seed_init)); | |
141 | if (IS_ERR(p)) | |
142 | goto out_err_free_ctx; | |
143 | p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed)); | |
144 | if (IS_ERR(p)) | |
145 | goto out_err_free_ctx; | |
146 | p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg)); | |
147 | if (IS_ERR(p)) | |
148 | goto out_err_free_ctx; | |
149 | p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg)); | |
150 | if (IS_ERR(p)) | |
151 | goto out_err_free_ctx; | |
152 | p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime)); | |
153 | if (IS_ERR(p)) | |
154 | goto out_err_free_ctx; | |
155 | p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send)); | |
156 | if (IS_ERR(p)) | |
157 | goto out_err_free_ctx; | |
158 | p = simple_get_netobj(p, end, &ctx->mech_used); | |
159 | if (IS_ERR(p)) | |
160 | goto out_err_free_ctx; | |
161 | p = get_key(p, end, &ctx->enc); | |
162 | if (IS_ERR(p)) | |
163 | goto out_err_free_mech; | |
164 | p = get_key(p, end, &ctx->seq); | |
165 | if (IS_ERR(p)) | |
166 | goto out_err_free_key1; | |
167 | if (p != end) { | |
168 | p = ERR_PTR(-EFAULT); | |
169 | goto out_err_free_key2; | |
170 | } | |
171 | ||
172 | ctx_id->internal_ctx_id = ctx; | |
d6e05edc | 173 | dprintk("RPC: Successfully imported new context.\n"); |
1da177e4 LT |
174 | return 0; |
175 | ||
176 | out_err_free_key2: | |
378c6697 | 177 | crypto_free_blkcipher(ctx->seq); |
1da177e4 | 178 | out_err_free_key1: |
378c6697 | 179 | crypto_free_blkcipher(ctx->enc); |
1da177e4 LT |
180 | out_err_free_mech: |
181 | kfree(ctx->mech_used.data); | |
182 | out_err_free_ctx: | |
183 | kfree(ctx); | |
184 | out_err: | |
185 | return PTR_ERR(p); | |
186 | } | |
187 | ||
188 | static void | |
189 | gss_delete_sec_context_kerberos(void *internal_ctx) { | |
190 | struct krb5_ctx *kctx = internal_ctx; | |
191 | ||
378c6697 HX |
192 | crypto_free_blkcipher(kctx->seq); |
193 | crypto_free_blkcipher(kctx->enc); | |
573dbd95 | 194 | kfree(kctx->mech_used.data); |
1da177e4 LT |
195 | kfree(kctx); |
196 | } | |
197 | ||
1da177e4 LT |
198 | static struct gss_api_ops gss_kerberos_ops = { |
199 | .gss_import_sec_context = gss_import_sec_context_kerberos, | |
200 | .gss_get_mic = gss_get_mic_kerberos, | |
201 | .gss_verify_mic = gss_verify_mic_kerberos, | |
14ae162c BF |
202 | .gss_wrap = gss_wrap_kerberos, |
203 | .gss_unwrap = gss_unwrap_kerberos, | |
1da177e4 LT |
204 | .gss_delete_sec_context = gss_delete_sec_context_kerberos, |
205 | }; | |
206 | ||
207 | static struct pf_desc gss_kerberos_pfs[] = { | |
208 | [0] = { | |
209 | .pseudoflavor = RPC_AUTH_GSS_KRB5, | |
210 | .service = RPC_GSS_SVC_NONE, | |
211 | .name = "krb5", | |
212 | }, | |
213 | [1] = { | |
214 | .pseudoflavor = RPC_AUTH_GSS_KRB5I, | |
215 | .service = RPC_GSS_SVC_INTEGRITY, | |
216 | .name = "krb5i", | |
217 | }, | |
14ae162c BF |
218 | [2] = { |
219 | .pseudoflavor = RPC_AUTH_GSS_KRB5P, | |
220 | .service = RPC_GSS_SVC_PRIVACY, | |
221 | .name = "krb5p", | |
222 | }, | |
1da177e4 LT |
223 | }; |
224 | ||
225 | static struct gss_api_mech gss_kerberos_mech = { | |
226 | .gm_name = "krb5", | |
227 | .gm_owner = THIS_MODULE, | |
228 | .gm_ops = &gss_kerberos_ops, | |
229 | .gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs), | |
230 | .gm_pfs = gss_kerberos_pfs, | |
231 | }; | |
232 | ||
233 | static int __init init_kerberos_module(void) | |
234 | { | |
235 | int status; | |
236 | ||
237 | status = gss_mech_register(&gss_kerberos_mech); | |
238 | if (status) | |
239 | printk("Failed to register kerberos gss mechanism!\n"); | |
240 | return status; | |
241 | } | |
242 | ||
243 | static void __exit cleanup_kerberos_module(void) | |
244 | { | |
245 | gss_mech_unregister(&gss_kerberos_mech); | |
246 | } | |
247 | ||
248 | MODULE_LICENSE("GPL"); | |
249 | module_init(init_kerberos_module); | |
250 | module_exit(cleanup_kerberos_module); |