1 /* 2 * linux/net/sunrpc/gss_krb5_mech.c 3 * 4 * Copyright (c) 2001 The Regents of the University of Michigan. 5 * All rights reserved. 6 * 7 * Andy Adamson <andros@umich.edu> 8 * J. Bruce Fields <bfields@umich.edu> 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of the University nor the names of its 20 * contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED 24 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 25 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 26 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 30 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 * 35 */ 36 37 #include <linux/err.h> 38 #include <linux/module.h> 39 #include <linux/init.h> 40 #include <linux/types.h> 41 #include <linux/slab.h> 42 #include <linux/sunrpc/auth.h> 43 #include <linux/sunrpc/gss_krb5.h> 44 #include <linux/sunrpc/xdr.h> 45 #include <linux/crypto.h> 46 47 #ifdef RPC_DEBUG 48 # define RPCDBG_FACILITY RPCDBG_AUTH 49 #endif 50 51 static const void * 52 simple_get_bytes(const void *p, const void *end, void *res, int len) 53 { 54 const void *q = (const void *)((const char *)p + len); 55 if (unlikely(q > end || q < p)) 56 return ERR_PTR(-EFAULT); 57 memcpy(res, p, len); 58 return q; 59 } 60 61 static const void * 62 simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res) 63 { 64 const void *q; 65 unsigned int len; 66 67 p = simple_get_bytes(p, end, &len, sizeof(len)); 68 if (IS_ERR(p)) 69 return p; 70 q = (const void *)((const char *)p + len); 71 if (unlikely(q > end || q < p)) 72 return ERR_PTR(-EFAULT); 73 res->data = kmemdup(p, len, GFP_KERNEL); 74 if (unlikely(res->data == NULL)) 75 return ERR_PTR(-ENOMEM); 76 res->len = len; 77 return q; 78 } 79 80 static inline const void * 81 get_key(const void *p, const void *end, struct crypto_blkcipher **res) 82 { 83 struct xdr_netobj key; 84 int alg; 85 char *alg_name; 86 87 p = simple_get_bytes(p, end, &alg, sizeof(alg)); 88 if (IS_ERR(p)) 89 goto out_err; 90 p = simple_get_netobj(p, end, &key); 91 if (IS_ERR(p)) 92 goto out_err; 93 94 switch (alg) { 95 case ENCTYPE_DES_CBC_RAW: 96 alg_name = "cbc(des)"; 97 break; 98 default: 99 printk("gss_kerberos_mech: unsupported algorithm %d\n", alg); 100 goto out_err_free_key; 101 } 102 *res = crypto_alloc_blkcipher(alg_name, 0, CRYPTO_ALG_ASYNC); 103 if (IS_ERR(*res)) { 104 printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name); 105 *res = NULL; 106 goto out_err_free_key; 107 } 108 if (crypto_blkcipher_setkey(*res, key.data, key.len)) { 109 printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name); 110 goto out_err_free_tfm; 111 } 112 113 kfree(key.data); 114 return p; 115 116 out_err_free_tfm: 117 crypto_free_blkcipher(*res); 118 out_err_free_key: 119 kfree(key.data); 120 p = ERR_PTR(-EINVAL); 121 out_err: 122 return p; 123 } 124 125 static int 126 gss_import_sec_context_kerberos(const void *p, 127 size_t len, 128 struct gss_ctx *ctx_id) 129 { 130 const void *end = (const void *)((const char *)p + len); 131 struct krb5_ctx *ctx; 132 int tmp; 133 134 if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL))) 135 goto out_err; 136 137 p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate)); 138 if (IS_ERR(p)) 139 goto out_err_free_ctx; 140 /* The downcall format was designed before we completely understood 141 * the uses of the context fields; so it includes some stuff we 142 * just give some minimal sanity-checking, and some we ignore 143 * completely (like the next twenty bytes): */ 144 if (unlikely(p + 20 > end || p + 20 < p)) 145 goto out_err_free_ctx; 146 p += 20; 147 p = simple_get_bytes(p, end, &tmp, sizeof(tmp)); 148 if (IS_ERR(p)) 149 goto out_err_free_ctx; 150 if (tmp != SGN_ALG_DES_MAC_MD5) 151 goto out_err_free_ctx; 152 p = simple_get_bytes(p, end, &tmp, sizeof(tmp)); 153 if (IS_ERR(p)) 154 goto out_err_free_ctx; 155 if (tmp != SEAL_ALG_DES) 156 goto out_err_free_ctx; 157 p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime)); 158 if (IS_ERR(p)) 159 goto out_err_free_ctx; 160 p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send)); 161 if (IS_ERR(p)) 162 goto out_err_free_ctx; 163 p = simple_get_netobj(p, end, &ctx->mech_used); 164 if (IS_ERR(p)) 165 goto out_err_free_ctx; 166 p = get_key(p, end, &ctx->enc); 167 if (IS_ERR(p)) 168 goto out_err_free_mech; 169 p = get_key(p, end, &ctx->seq); 170 if (IS_ERR(p)) 171 goto out_err_free_key1; 172 if (p != end) { 173 p = ERR_PTR(-EFAULT); 174 goto out_err_free_key2; 175 } 176 177 ctx_id->internal_ctx_id = ctx; 178 179 dprintk("RPC: Successfully imported new context.\n"); 180 return 0; 181 182 out_err_free_key2: 183 crypto_free_blkcipher(ctx->seq); 184 out_err_free_key1: 185 crypto_free_blkcipher(ctx->enc); 186 out_err_free_mech: 187 kfree(ctx->mech_used.data); 188 out_err_free_ctx: 189 kfree(ctx); 190 out_err: 191 return PTR_ERR(p); 192 } 193 194 static void 195 gss_delete_sec_context_kerberos(void *internal_ctx) { 196 struct krb5_ctx *kctx = internal_ctx; 197 198 crypto_free_blkcipher(kctx->seq); 199 crypto_free_blkcipher(kctx->enc); 200 kfree(kctx->mech_used.data); 201 kfree(kctx); 202 } 203 204 static const struct gss_api_ops gss_kerberos_ops = { 205 .gss_import_sec_context = gss_import_sec_context_kerberos, 206 .gss_get_mic = gss_get_mic_kerberos, 207 .gss_verify_mic = gss_verify_mic_kerberos, 208 .gss_wrap = gss_wrap_kerberos, 209 .gss_unwrap = gss_unwrap_kerberos, 210 .gss_delete_sec_context = gss_delete_sec_context_kerberos, 211 }; 212 213 static struct pf_desc gss_kerberos_pfs[] = { 214 [0] = { 215 .pseudoflavor = RPC_AUTH_GSS_KRB5, 216 .service = RPC_GSS_SVC_NONE, 217 .name = "krb5", 218 }, 219 [1] = { 220 .pseudoflavor = RPC_AUTH_GSS_KRB5I, 221 .service = RPC_GSS_SVC_INTEGRITY, 222 .name = "krb5i", 223 }, 224 [2] = { 225 .pseudoflavor = RPC_AUTH_GSS_KRB5P, 226 .service = RPC_GSS_SVC_PRIVACY, 227 .name = "krb5p", 228 }, 229 }; 230 231 static struct gss_api_mech gss_kerberos_mech = { 232 .gm_name = "krb5", 233 .gm_owner = THIS_MODULE, 234 .gm_oid = {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}, 235 .gm_ops = &gss_kerberos_ops, 236 .gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs), 237 .gm_pfs = gss_kerberos_pfs, 238 }; 239 240 static int __init init_kerberos_module(void) 241 { 242 int status; 243 244 status = gss_mech_register(&gss_kerberos_mech); 245 if (status) 246 printk("Failed to register kerberos gss mechanism!\n"); 247 return status; 248 } 249 250 static void __exit cleanup_kerberos_module(void) 251 { 252 gss_mech_unregister(&gss_kerberos_mech); 253 } 254 255 MODULE_LICENSE("GPL"); 256 module_init(init_kerberos_module); 257 module_exit(cleanup_kerberos_module); 258