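/*
 *  linux/net/sunrpc/gss_krb5_mech.c
 *
 *  Copyright (c) 2001 The Regents of the University of Michigan.
 *  All rights reserved.
 *
 *  Andy Adamson <andros@umich.edu>
 *  J. Bruce Fields <bfields@umich.edu>
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions
 *  are met:
 *
 *  1. Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *  2. Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *  3. Neither the name of the University nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 *  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 *  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 *  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 *  DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 *  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 *  BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#include <linux/module.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/sunrpc/auth.h>
#include <linux/sunrpc/gss_krb5.h>
#include <linux/sunrpc/xdr.h>
#include <linux/crypto.h>

#ifdef RPC_DEBUG
# define RPCDBG_FACILITY	RPCDBG_AUTH
#endif

/*
 * Copy @len bytes from @p into @res without reading past @end.
 *
 * The serialized context is treated as untrusted: the bounds check runs
 * before any byte is read. Returns the pointer just past the consumed
 * bytes, or ERR_PTR(-EFAULT) when the read would run past @end or when
 * @len is negative or wraps (q < p).
 */
static const void *
simple_get_bytes(const void *p, const void *end, void *res, int len)
{
	const void *q = (const void *)((const char *)p + len);

	/* q < p rejects a negative or wrapping @len, not just overrun. */
	if (unlikely(q > end || q < p))
		return ERR_PTR(-EFAULT);
	memcpy(res, p, len);
	return q;
}

/*
 * Parse a length-prefixed byte string from [@p, @end) into @res.
 *
 * The length word is read through simple_get_bytes() and the payload is
 * bounds-checked against @end before kmalloc(), so a hostile length can
 * never request more than the bytes actually present in the blob.
 *
 * On success @res->data is a kmalloc()'d copy owned by the caller (who
 * must kfree() it) and @res->len is set. Returns the advanced pointer,
 * ERR_PTR(-EFAULT) for a truncated blob (@res untouched), or
 * ERR_PTR(-ENOMEM) (@res->data == NULL).
 */
static const void *
simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res)
{
	const void *q;
	unsigned int len;

	p = simple_get_bytes(p, end, &len, sizeof(len));
	if (IS_ERR(p))
		return p;
	q = (const void *)((const char *)p + len);
	if (unlikely(q > end || q < p))
		return ERR_PTR(-EFAULT);
	res->data = kmalloc(len, GFP_KERNEL);
	if (unlikely(res->data == NULL))
		return ERR_PTR(-ENOMEM);
	memcpy(res->data, p, len);
	res->len = len;
	return q;
}

/*
 * Parse one serialized key (an enctype word followed by the key bytes as
 * a netobj) from [@p, @end) and set up a cipher transform in *@res.
 *
 * Only ENCTYPE_DES_CBC_RAW is accepted. The temporary copy of the key
 * bytes is scrubbed before it is handed back to the allocator, on both
 * the success and the failure paths, so raw key material does not linger
 * in freed slab memory.
 *
 * Returns the advanced pointer, or an ERR_PTR: -EFAULT/-ENOMEM from the
 * parsers, or -EINVAL for an unsupported enctype, a failed tfm
 * allocation, or a rejected key. *@res is only valid on success.
 */
static inline const void *
get_key(const void *p, const void *end, struct crypto_tfm **res)
{
	struct xdr_netobj	key;
	int			alg, alg_mode;
	char			*alg_name;

	p = simple_get_bytes(p, end, &alg, sizeof(alg));
	if (IS_ERR(p))
		goto out_err;
	p = simple_get_netobj(p, end, &key);
	if (IS_ERR(p))
		goto out_err;

	switch (alg) {
	case ENCTYPE_DES_CBC_RAW:
		alg_name = "des";
		alg_mode = CRYPTO_TFM_MODE_CBC;
		break;
	default:
		printk("gss_kerberos_mech: unsupported algorithm %d\n", alg);
		goto out_err_free_key;
	}
	if (!(*res = crypto_alloc_tfm(alg_name, alg_mode))) {
		printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name);
		goto out_err_free_key;
	}
	if (crypto_cipher_setkey(*res, key.data, key.len)) {
		printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name);
		goto out_err_free_tfm;
	}

	/* setkey has consumed the key; scrub our copy before freeing it. */
	memset(key.data, 0, key.len);
	kfree(key.data);
	return p;

out_err_free_tfm:
	crypto_free_tfm(*res);
out_err_free_key:
	/* Same scrub on the failure path: key bytes must not survive kfree(). */
	memset(key.data, 0, key.len);
	kfree(key.data);
	p = ERR_PTR(-EINVAL);
out_err:
	return p;
}

/*
 * Import a serialized Kerberos security context (@len bytes at @p) into
 * @ctx_id->internal_ctx_id.
 *
 * Every field is read through simple_get_bytes()/simple_get_netobj()/
 * get_key(), which bounds-check against @end, and any trailing bytes are
 * rejected with -EFAULT, so a malformed or oversized blob cannot be
 * partially accepted. On failure everything allocated so far is released
 * in reverse order and a negative errno is returned; @ctx_id is written
 * only on success. Returns 0 on success.
 */
static int
gss_import_sec_context_kerberos(const void *p,
				size_t len,
				struct gss_ctx *ctx_id)
{
	const void *end = (const void *)((const char *)p + len);
	struct	krb5_ctx *ctx;

	if (!(ctx = kmalloc(sizeof(*ctx), GFP_KERNEL))) {
		/*
		 * out_err returns PTR_ERR(p). Here p is still the valid
		 * input pointer, so it must be replaced by a real error
		 * or the caller would receive a bogus "errno".
		 */
		p = ERR_PTR(-ENOMEM);
		goto out_err;
	}
	memset(ctx, 0, sizeof(*ctx));

	p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->seed_init, sizeof(ctx->seed_init));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send));
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = simple_get_netobj(p, end, &ctx->mech_used);
	if (IS_ERR(p))
		goto out_err_free_ctx;
	p = get_key(p, end, &ctx->enc);
	if (IS_ERR(p))
		goto out_err_free_mech;
	p = get_key(p, end, &ctx->seq);
	if (IS_ERR(p))
		goto out_err_free_key1;
	/* The blob must be consumed exactly; leftover bytes mean a bad encoding. */
	if (p != end) {
		p = ERR_PTR(-EFAULT);
		goto out_err_free_key2;
	}

	ctx_id->internal_ctx_id = ctx;
	dprintk("RPC:      Succesfully imported new context.\n");
	return 0;

	/* Unwind in reverse acquisition order; each label frees one resource. */
out_err_free_key2:
	crypto_free_tfm(ctx->seq);
out_err_free_key1:
	crypto_free_tfm(ctx->enc);
out_err_free_mech:
	kfree(ctx->mech_used.data);
out_err_free_ctx:
	kfree(ctx);
out_err:
	return PTR_ERR(p);
}

/*
 * Release a context created by gss_import_sec_context_kerberos():
 * both cipher transforms, the mech_used copy, and the context itself.
 */
static void
gss_delete_sec_context_kerberos(void *internal_ctx) {
	struct krb5_ctx *kctx = internal_ctx;

	crypto_free_tfm(kctx->seq);
	crypto_free_tfm(kctx->enc);
	kfree(kctx->mech_used.data);
	kfree(kctx);
}

/* Operations this mechanism exposes to the generic GSS layer. */
static struct gss_api_ops gss_kerberos_ops = {
	.gss_import_sec_context	= gss_import_sec_context_kerberos,
	.gss_get_mic		= gss_get_mic_kerberos,
	.gss_verify_mic		= gss_verify_mic_kerberos,
	.gss_wrap		= gss_wrap_kerberos,
	.gss_unwrap		= gss_unwrap_kerberos,
	.gss_delete_sec_context	= gss_delete_sec_context_kerberos,
};

/* Pseudoflavors: none (auth only), integrity (MIC), privacy (wrap). */
static struct pf_desc gss_kerberos_pfs[] = {
	[0] = {
		.pseudoflavor = RPC_AUTH_GSS_KRB5,
		.service = RPC_GSS_SVC_NONE,
		.name = "krb5",
	},
	[1] = {
		.pseudoflavor = RPC_AUTH_GSS_KRB5I,
		.service = RPC_GSS_SVC_INTEGRITY,
		.name = "krb5i",
	},
	[2] = {
		.pseudoflavor = RPC_AUTH_GSS_KRB5P,
		.service = RPC_GSS_SVC_PRIVACY,
		.name = "krb5p",
	},
};

static struct gss_api_mech gss_kerberos_mech = {
	.gm_name	= "krb5",
	.gm_owner	= THIS_MODULE,
	.gm_ops		= &gss_kerberos_ops,
	.gm_pf_num	= ARRAY_SIZE(gss_kerberos_pfs),
	.gm_pfs		= gss_kerberos_pfs,
};

/* Register the mechanism; returns the gss_mech_register() status. */
static int __init init_kerberos_module(void)
{
	int status;

	status = gss_mech_register(&gss_kerberos_mech);
	if (status)
		printk("Failed to register kerberos gss mechanism!\n");
	return status;
}

static void __exit cleanup_kerberos_module(void)
{
	gss_mech_unregister(&gss_kerberos_mech);
}

MODULE_LICENSE("GPL");
module_init(init_kerberos_module);
module_exit(cleanup_kerberos_module);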