1 /* 2 * linux/net/sunrpc/gss_krb5_mech.c 3 * 4 * Copyright (c) 2001 The Regents of the University of Michigan. 5 * All rights reserved. 6 * 7 * Andy Adamson <andros@umich.edu> 8 * J. Bruce Fields <bfields@umich.edu> 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of the University nor the names of its 20 * contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 24 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 25 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 26 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 * 35 */ 36 37 #include <linux/module.h> 38 #include <linux/init.h> 39 #include <linux/types.h> 40 #include <linux/slab.h> 41 #include <linux/sunrpc/auth.h> 42 #include <linux/sunrpc/gss_krb5.h> 43 #include <linux/sunrpc/xdr.h> 44 #include <linux/crypto.h> 45 46 #ifdef RPC_DEBUG 47 # define RPCDBG_FACILITY RPCDBG_AUTH 48 #endif 49 50 static const void * 51 simple_get_bytes(const void *p, const void *end, void *res, int len) 52 { 53 const void *q = (const void *)((const char *)p + len); 54 if (unlikely(q > end || q < p)) 55 return ERR_PTR(-EFAULT); 56 memcpy(res, p, len); 57 return q; 58 } 59 60 static const void * 61 simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res) 62 { 63 const void *q; 64 unsigned int len; 65 66 p = simple_get_bytes(p, end, &len, sizeof(len)); 67 if (IS_ERR(p)) 68 return p; 69 q = (const void *)((const char *)p + len); 70 if (unlikely(q > end || q < p)) 71 return ERR_PTR(-EFAULT); 72 res->data = kmalloc(len, GFP_KERNEL); 73 if (unlikely(res->data == NULL)) 74 return ERR_PTR(-ENOMEM); 75 memcpy(res->data, p, len); 76 res->len = len; 77 return q; 78 } 79 80 static inline const void * 81 get_key(const void *p, const void *end, struct crypto_tfm **res) 82 { 83 struct xdr_netobj key; 84 int alg, alg_mode; 85 char *alg_name; 86 87 p = simple_get_bytes(p, end, &alg, sizeof(alg)); 88 if (IS_ERR(p)) 89 goto out_err; 90 p = simple_get_netobj(p, end, &key); 91 if (IS_ERR(p)) 92 goto out_err; 93 94 switch (alg) { 95 case ENCTYPE_DES_CBC_RAW: 96 alg_name = "des"; 97 alg_mode = CRYPTO_TFM_MODE_CBC; 98 break; 99 default: 100 printk("gss_kerberos_mech: unsupported algorithm %d\n", alg); 101 goto out_err_free_key; 102 } 103 if (!(*res = crypto_alloc_tfm(alg_name, alg_mode))) { 104 printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name); 105 goto out_err_free_key; 106 } 107 if (crypto_cipher_setkey(*res, key.data, key.len)) { 108 printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name); 109 goto out_err_free_tfm; 110 } 111 112 kfree(key.data); 113 return p; 114 115 out_err_free_tfm: 116 crypto_free_tfm(*res); 117 out_err_free_key: 118 kfree(key.data); 119 p = ERR_PTR(-EINVAL); 120 out_err: 121 return p; 122 } 123 124 static int 125 gss_import_sec_context_kerberos(const void *p, 126 size_t len, 127 struct gss_ctx *ctx_id) 128 { 129 const void *end = (const void *)((const char *)p + len); 130 struct krb5_ctx *ctx; 131 132 if (!(ctx = kmalloc(sizeof(*ctx), GFP_KERNEL))) 133 goto out_err; 134 memset(ctx, 0, sizeof(*ctx)); 135 136 p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate)); 137 if (IS_ERR(p)) 138 goto out_err_free_ctx; 139 p = simple_get_bytes(p, end, &ctx->seed_init, sizeof(ctx->seed_init)); 140 if (IS_ERR(p)) 141 goto out_err_free_ctx; 142 p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed)); 143 if (IS_ERR(p)) 144 goto out_err_free_ctx; 145 p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg)); 146 if (IS_ERR(p)) 147 goto out_err_free_ctx; 148 p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg)); 149 if (IS_ERR(p)) 150 goto out_err_free_ctx; 151 p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime)); 152 if (IS_ERR(p)) 153 goto out_err_free_ctx; 154 p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send)); 155 if (IS_ERR(p)) 156 goto out_err_free_ctx; 157 p = simple_get_netobj(p, end, &ctx->mech_used); 158 if (IS_ERR(p)) 159 goto out_err_free_ctx; 160 p = get_key(p, end, &ctx->enc); 161 if (IS_ERR(p)) 162 goto out_err_free_mech; 163 p = get_key(p, end, &ctx->seq); 164 if (IS_ERR(p)) 165 goto out_err_free_key1; 166 if (p != end) { 167 p = ERR_PTR(-EFAULT); 168 goto out_err_free_key2; 169 } 170 171 ctx_id->internal_ctx_id = ctx; 172 dprintk("RPC: Succesfully imported new context.\n"); 173 return 0; 174 175 out_err_free_key2: 176 crypto_free_tfm(ctx->seq); 177 out_err_free_key1: 178 crypto_free_tfm(ctx->enc); 179 out_err_free_mech: 180 kfree(ctx->mech_used.data); 181 out_err_free_ctx: 182 kfree(ctx); 183 out_err: 184 return PTR_ERR(p); 185 } 186 187 static void 188 gss_delete_sec_context_kerberos(void *internal_ctx) { 189 struct krb5_ctx *kctx = internal_ctx; 190 191 crypto_free_tfm(kctx->seq); 192 crypto_free_tfm(kctx->enc); 193 kfree(kctx->mech_used.data); 194 kfree(kctx); 195 } 196 197 static struct gss_api_ops gss_kerberos_ops = { 198 .gss_import_sec_context = gss_import_sec_context_kerberos, 199 .gss_get_mic = gss_get_mic_kerberos, 200 .gss_verify_mic = gss_verify_mic_kerberos, 201 .gss_wrap = gss_wrap_kerberos, 202 .gss_unwrap = gss_unwrap_kerberos, 203 .gss_delete_sec_context = gss_delete_sec_context_kerberos, 204 }; 205 206 static struct pf_desc gss_kerberos_pfs[] = { 207 [0] = { 208 .pseudoflavor = RPC_AUTH_GSS_KRB5, 209 .service = RPC_GSS_SVC_NONE, 210 .name = "krb5", 211 }, 212 [1] = { 213 .pseudoflavor = RPC_AUTH_GSS_KRB5I, 214 .service = RPC_GSS_SVC_INTEGRITY, 215 .name = "krb5i", 216 }, 217 [2] = { 218 .pseudoflavor = RPC_AUTH_GSS_KRB5P, 219 .service = RPC_GSS_SVC_PRIVACY, 220 .name = "krb5p", 221 }, 222 }; 223 224 static struct gss_api_mech gss_kerberos_mech = { 225 .gm_name = "krb5", 226 .gm_owner = THIS_MODULE, 227 .gm_ops = &gss_kerberos_ops, 228 .gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs), 229 .gm_pfs = gss_kerberos_pfs, 230 }; 231 232 static int __init init_kerberos_module(void) 233 { 234 int status; 235 236 status = gss_mech_register(&gss_kerberos_mech); 237 if (status) 238 printk("Failed to register kerberos gss mechanism!\n"); 239 return status; 240 } 241 242 static void __exit cleanup_kerberos_module(void) 243 { 244 gss_mech_unregister(&gss_kerberos_mech); 245 } 246 247 MODULE_LICENSE("GPL"); 248 module_init(init_kerberos_module); 249 module_exit(cleanup_kerberos_module); 250