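/*
 *  linux/net/sunrpc/gss_krb5_mech.c
 *
 *  Copyright (c) 2001 The Regents of the University of Michigan.
 *  All rights reserved.
 *
 *  Andy Adamson <andros@umich.edu>
 *  J. Bruce Fields <bfields@umich.edu>
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions
 *  are met:
 *
 *  1. Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *  2. Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *  3. Neither the name of the University nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 *  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 *  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 *  DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 *  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 *  BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <linux/err.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/sunrpc/auth.h>
#include <linux/sunrpc/gss_krb5.h>
#include <linux/sunrpc/xdr.h>
#include <linux/crypto.h>

#ifdef RPC_DEBUG
# define RPCDBG_FACILITY	RPCDBG_AUTH
#endif

/*
 * Copy @len raw bytes from the serialized context at @p into @res.
 *
 * The serialized context is parsed byte by byte and nothing in it is
 * trusted: every read is bounds-checked against @end before the copy.
 * The @q < @p comparison additionally rejects a @len large enough to
 * wrap the pointer (only reachable on 32-bit with a huge @len).
 *
 * Returns the advanced cursor on success, ERR_PTR(-EFAULT) if the read
 * would run past @end.
 */
static const void *
simple_get_bytes(const void *p, const void *end, void *res, int len)
{
	const void *q = (const void *)((const char *)p + len);
	if (unlikely(q > end || q < p))
		return ERR_PTR(-EFAULT);
	memcpy(res, p, len);
	return q;
}

/*
 * Parse a length-prefixed byte string (a 32-bit host-order length
 * followed by that many bytes) from @p into @res.
 *
 * @res->data is allocated here and becomes the caller's to kfree(); it is
 * only assigned once the length has been validated against @end, so an
 * attacker-chosen length cannot drive the allocation beyond the buffer.
 *
 * Returns the advanced cursor, ERR_PTR(-EFAULT) on a truncated object or
 * ERR_PTR(-ENOMEM) if the allocation fails (in which case @res->data is
 * NULL and @res->len is not set).
 */
static const void *
simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res)
{
	const void *q;
	unsigned int len;

	p = simple_get_bytes(p, end, &len, sizeof(len));
	if (IS_ERR(p))
		return p;
	q = (const void *)((const char *)p + len);
	if (unlikely(q > end || q < p))
		return ERR_PTR(-EFAULT);
	res->data = kmalloc(len, GFP_KERNEL);
	if (unlikely(res->data == NULL))
		return ERR_PTR(-ENOMEM);
	memcpy(res->data, p, len);
	res->len = len;
	return q;
}

/*
 * Parse one session key (enctype followed by a netobj holding the raw key
 * bytes) and load it into a freshly allocated block cipher at *@res.
 *
 * Only ENCTYPE_DES_CBC_RAW is accepted; any other enctype is rejected.
 * NOTE(review): single DES is the only cipher this mechanism can load, so
 * the security of every context imported here is bounded by 56-bit DES.
 *
 * Ownership: on success *@res holds the tfm and the caller must release it
 * with crypto_free_blkcipher().  On any failure *@res is NULL, so the
 * caller's error unwinding can never free a tfm twice.  The copy of the
 * raw key bytes is wiped before it is returned to the allocator on every
 * path, since the tfm holds its own expanded copy.
 *
 * Returns the advanced cursor, a parser error from simple_get_bytes() /
 * simple_get_netobj(), or ERR_PTR(-EINVAL) for an unsupported enctype,
 * an unavailable cipher, or a key the cipher rejects.
 */
static inline const void *
get_key(const void *p, const void *end, struct crypto_blkcipher **res)
{
	struct xdr_netobj key;
	int alg;
	const char *alg_name;

	*res = NULL;

	p = simple_get_bytes(p, end, &alg, sizeof(alg));
	if (IS_ERR(p))
		goto out_err;
	p = simple_get_netobj(p, end, &key);
	if (IS_ERR(p))
		goto out_err;

	switch (alg) {
	case ENCTYPE_DES_CBC_RAW:
		alg_name = "cbc(des)";
		break;
	default:
		printk("gss_kerberos_mech: unsupported algorithm %d\n", alg);
		goto out_err_free_key;
	}
	*res = crypto_alloc_blkcipher(alg_name, 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(*res)) {
		printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name);
		*res = NULL;
		goto out_err_free_key;
	}
	/* setkey validates the key length (and, depending on the cipher's
	 * flags, may reject weak keys); a rejected key is a hard failure. */
	if (crypto_blkcipher_setkey(*res, key.data, key.len)) {
		printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name);
		goto out_err_free_tfm;
	}

	/* The tfm now owns the key; don't leave the raw bytes in freed memory. */
	memset(key.data, 0, key.len);
	kfree(key.data);
	return p;

out_err_free_tfm:
	crypto_free_blkcipher(*res);
	*res = NULL;
out_err_free_key:
	memset(key.data, 0, key.len);
	kfree(key.data);
	p = ERR_PTR(-EINVAL);
out_err:
	return p;
}

/*
 * Import a serialized krb5 security context of @len bytes at @p into
 * @ctx_id->internal_ctx_id.
 *
 * The blob is consumed strictly in this order: initiate, seed_init, seed,
 * signalg, sealalg, endtime, seq_send, mech_used (netobj), the encryption
 * key and the sequence-number key (each via get_key()).  Any trailing
 * bytes are rejected, so a blob must be exactly the expected size.
 * signalg/sealalg/endtime are stored but not validated here; presumably
 * the per-message routines check them — confirm in gss_krb5_seal/unseal.
 *
 * Returns 0 on success.  On failure everything allocated so far is freed
 * and a negative errno is returned: -ENOMEM if the context could not be
 * allocated, otherwise the parser's error (-EFAULT for a short or
 * oversized blob, -EINVAL for an unusable key, -ENOMEM from a netobj
 * allocation).
 */
static int
gss_import_sec_context_kerberos(const void *p,
				size_t len,
				struct gss_ctx *ctx_id)
{
	const void *end = (const void *)((const char *)p + len);
	struct	krb5_ctx *ctx;

	/* The original jumped to out_err here, returning PTR_ERR() of the
	 * still-valid input pointer instead of an errno; report -ENOMEM. */
	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
	if (ctx == NULL)
		return -ENOMEM;

	p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->seed_init, sizeof(ctx->seed_init));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_netobj(p, end, &ctx->mech_used);
	if (IS_ERR(p))
		goto out_err_free_ctx;
	/* get_key() leaves ctx->enc / ctx->seq NULL on failure, so the
	 * unwind labels below only ever free a tfm that was actually set. */
	p = get_key(p, end, &ctx->enc);
	if (IS_ERR(p))
		goto out_err_free_mech;
	p = get_key(p, end, &ctx->seq);
	if (IS_ERR(p))
		goto out_err_free_key1;
	/* Reject blobs with trailing bytes: the layout is fixed. */
	if (p != end) {
		p = ERR_PTR(-EFAULT);
		goto out_err_free_key2;
	}

	ctx_id->internal_ctx_id = ctx;
	dprintk("RPC:       Successfully imported new context.\n");
	return 0;

out_err_free_key2:
	crypto_free_blkcipher(ctx->seq);
out_err_free_key1:
	crypto_free_blkcipher(ctx->enc);
out_err_free_mech:
	kfree(ctx->mech_used.data);
out_err_free_ctx:
	kfree(ctx);
	return PTR_ERR(p);
}

/*
 * Release a context built by gss_import_sec_context_kerberos(): both
 * ciphers, the mech_used copy, and the context itself.
 */
static void
gss_delete_sec_context_kerberos(void *internal_ctx) {
	struct krb5_ctx *kctx = internal_ctx;

	crypto_free_blkcipher(kctx->seq);
	crypto_free_blkcipher(kctx->enc);
	kfree(kctx->mech_used.data);
	kfree(kctx);
}

/* Per-message and context-lifecycle entry points for the krb5 mechanism. */
static struct gss_api_ops gss_kerberos_ops = {
	.gss_import_sec_context	= gss_import_sec_context_kerberos,
	.gss_get_mic		= gss_get_mic_kerberos,
	.gss_verify_mic		= gss_verify_mic_kerberos,
	.gss_wrap		= gss_wrap_kerberos,
	.gss_unwrap		= gss_unwrap_kerberos,
	.gss_delete_sec_context	= gss_delete_sec_context_kerberos,
};

/*
 * Pseudoflavors offered by this mechanism: authentication only (krb5),
 * per-message integrity (krb5i) and per-message privacy (krb5p).
 */
static struct pf_desc gss_kerberos_pfs[] = {
	[0] = {
		.pseudoflavor = RPC_AUTH_GSS_KRB5,
		.service = RPC_GSS_SVC_NONE,
		.name = "krb5",
	},
	[1] = {
		.pseudoflavor = RPC_AUTH_GSS_KRB5I,
		.service = RPC_GSS_SVC_INTEGRITY,
		.name = "krb5i",
	},
	[2] = {
		.pseudoflavor = RPC_AUTH_GSS_KRB5P,
		.service = RPC_GSS_SVC_PRIVACY,
		.name = "krb5p",
	},
};

static struct gss_api_mech gss_kerberos_mech = {
	.gm_name	= "krb5",
	.gm_owner	= THIS_MODULE,
	.gm_ops		= &gss_kerberos_ops,
	.gm_pf_num	= ARRAY_SIZE(gss_kerberos_pfs),
	.gm_pfs		= gss_kerberos_pfs,
};

/* Register the mechanism with the GSS switch; returns its status code. */
static int __init init_kerberos_module(void)
{
	int status;

	status = gss_mech_register(&gss_kerberos_mech);
	if (status)
		printk("Failed to register kerberos gss mechanism!\n");
	return status;
}

static void __exit cleanup_kerberos_module(void)
{
	gss_mech_unregister(&gss_kerberos_mech);
}

MODULE_LICENSE("GPL");
module_init(init_kerberos_module);
module_exit(cleanup_kerberos_module);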