/net/sunrpc/auth_gss/gss_mech_switch.c

http://github.com/mirrors/linux · C · 441 lines · 320 code · 57 blank · 64 comment · 48 complexity · b6563f30079864012e0dc0fc00f2e3cf MD5 · raw file

  1. // SPDX-License-Identifier: BSD-3-Clause
  2. /*
  3. * linux/net/sunrpc/gss_mech_switch.c
  4. *
  5. * Copyright (c) 2001 The Regents of the University of Michigan.
  6. * All rights reserved.
  7. *
  8. * J. Bruce Fields <bfields@umich.edu>
  9. */
  10. #include <linux/types.h>
  11. #include <linux/slab.h>
  12. #include <linux/module.h>
  13. #include <linux/oid_registry.h>
  14. #include <linux/sunrpc/msg_prot.h>
  15. #include <linux/sunrpc/gss_asn1.h>
  16. #include <linux/sunrpc/auth_gss.h>
  17. #include <linux/sunrpc/svcauth_gss.h>
  18. #include <linux/sunrpc/gss_err.h>
  19. #include <linux/sunrpc/sched.h>
  20. #include <linux/sunrpc/gss_api.h>
  21. #include <linux/sunrpc/clnt.h>
  22. #include <trace/events/rpcgss.h>
  23. #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  24. # define RPCDBG_FACILITY RPCDBG_AUTH
  25. #endif
  26. static LIST_HEAD(registered_mechs);
  27. static DEFINE_SPINLOCK(registered_mechs_lock);
  28. static void
  29. gss_mech_free(struct gss_api_mech *gm)
  30. {
  31. struct pf_desc *pf;
  32. int i;
  33. for (i = 0; i < gm->gm_pf_num; i++) {
  34. pf = &gm->gm_pfs[i];
  35. kfree(pf->auth_domain_name);
  36. pf->auth_domain_name = NULL;
  37. }
  38. }
  39. static inline char *
  40. make_auth_domain_name(char *name)
  41. {
  42. static char *prefix = "gss/";
  43. char *new;
  44. new = kmalloc(strlen(name) + strlen(prefix) + 1, GFP_KERNEL);
  45. if (new) {
  46. strcpy(new, prefix);
  47. strcat(new, name);
  48. }
  49. return new;
  50. }
  51. static int
  52. gss_mech_svc_setup(struct gss_api_mech *gm)
  53. {
  54. struct pf_desc *pf;
  55. int i, status;
  56. for (i = 0; i < gm->gm_pf_num; i++) {
  57. pf = &gm->gm_pfs[i];
  58. pf->auth_domain_name = make_auth_domain_name(pf->name);
  59. status = -ENOMEM;
  60. if (pf->auth_domain_name == NULL)
  61. goto out;
  62. status = svcauth_gss_register_pseudoflavor(pf->pseudoflavor,
  63. pf->auth_domain_name);
  64. if (status)
  65. goto out;
  66. }
  67. return 0;
  68. out:
  69. gss_mech_free(gm);
  70. return status;
  71. }
  72. /**
  73. * gss_mech_register - register a GSS mechanism
  74. * @gm: GSS mechanism handle
  75. *
  76. * Returns zero if successful, or a negative errno.
  77. */
  78. int gss_mech_register(struct gss_api_mech *gm)
  79. {
  80. int status;
  81. status = gss_mech_svc_setup(gm);
  82. if (status)
  83. return status;
  84. spin_lock(&registered_mechs_lock);
  85. list_add_rcu(&gm->gm_list, &registered_mechs);
  86. spin_unlock(&registered_mechs_lock);
  87. dprintk("RPC: registered gss mechanism %s\n", gm->gm_name);
  88. return 0;
  89. }
  90. EXPORT_SYMBOL_GPL(gss_mech_register);
  91. /**
  92. * gss_mech_unregister - release a GSS mechanism
  93. * @gm: GSS mechanism handle
  94. *
  95. */
  96. void gss_mech_unregister(struct gss_api_mech *gm)
  97. {
  98. spin_lock(&registered_mechs_lock);
  99. list_del_rcu(&gm->gm_list);
  100. spin_unlock(&registered_mechs_lock);
  101. dprintk("RPC: unregistered gss mechanism %s\n", gm->gm_name);
  102. gss_mech_free(gm);
  103. }
  104. EXPORT_SYMBOL_GPL(gss_mech_unregister);
  105. struct gss_api_mech *gss_mech_get(struct gss_api_mech *gm)
  106. {
  107. __module_get(gm->gm_owner);
  108. return gm;
  109. }
  110. EXPORT_SYMBOL(gss_mech_get);
  111. static struct gss_api_mech *
  112. _gss_mech_get_by_name(const char *name)
  113. {
  114. struct gss_api_mech *pos, *gm = NULL;
  115. rcu_read_lock();
  116. list_for_each_entry_rcu(pos, &registered_mechs, gm_list) {
  117. if (0 == strcmp(name, pos->gm_name)) {
  118. if (try_module_get(pos->gm_owner))
  119. gm = pos;
  120. break;
  121. }
  122. }
  123. rcu_read_unlock();
  124. return gm;
  125. }
  126. struct gss_api_mech * gss_mech_get_by_name(const char *name)
  127. {
  128. struct gss_api_mech *gm = NULL;
  129. gm = _gss_mech_get_by_name(name);
  130. if (!gm) {
  131. request_module("rpc-auth-gss-%s", name);
  132. gm = _gss_mech_get_by_name(name);
  133. }
  134. return gm;
  135. }
  136. struct gss_api_mech *gss_mech_get_by_OID(struct rpcsec_gss_oid *obj)
  137. {
  138. struct gss_api_mech *pos, *gm = NULL;
  139. char buf[32];
  140. if (sprint_oid(obj->data, obj->len, buf, sizeof(buf)) < 0)
  141. return NULL;
  142. request_module("rpc-auth-gss-%s", buf);
  143. rcu_read_lock();
  144. list_for_each_entry_rcu(pos, &registered_mechs, gm_list) {
  145. if (obj->len == pos->gm_oid.len) {
  146. if (0 == memcmp(obj->data, pos->gm_oid.data, obj->len)) {
  147. if (try_module_get(pos->gm_owner))
  148. gm = pos;
  149. break;
  150. }
  151. }
  152. }
  153. rcu_read_unlock();
  154. if (!gm)
  155. trace_rpcgss_oid_to_mech(buf);
  156. return gm;
  157. }
  158. static inline int
  159. mech_supports_pseudoflavor(struct gss_api_mech *gm, u32 pseudoflavor)
  160. {
  161. int i;
  162. for (i = 0; i < gm->gm_pf_num; i++) {
  163. if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
  164. return 1;
  165. }
  166. return 0;
  167. }
  168. static struct gss_api_mech *_gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
  169. {
  170. struct gss_api_mech *gm = NULL, *pos;
  171. rcu_read_lock();
  172. list_for_each_entry_rcu(pos, &registered_mechs, gm_list) {
  173. if (!mech_supports_pseudoflavor(pos, pseudoflavor))
  174. continue;
  175. if (try_module_get(pos->gm_owner))
  176. gm = pos;
  177. break;
  178. }
  179. rcu_read_unlock();
  180. return gm;
  181. }
  182. struct gss_api_mech *
  183. gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
  184. {
  185. struct gss_api_mech *gm;
  186. gm = _gss_mech_get_by_pseudoflavor(pseudoflavor);
  187. if (!gm) {
  188. request_module("rpc-auth-gss-%u", pseudoflavor);
  189. gm = _gss_mech_get_by_pseudoflavor(pseudoflavor);
  190. }
  191. return gm;
  192. }
  193. /**
  194. * gss_svc_to_pseudoflavor - map a GSS service number to a pseudoflavor
  195. * @gm: GSS mechanism handle
  196. * @qop: GSS quality-of-protection value
  197. * @service: GSS service value
  198. *
  199. * Returns a matching security flavor, or RPC_AUTH_MAXFLAVOR if none is found.
  200. */
  201. rpc_authflavor_t gss_svc_to_pseudoflavor(struct gss_api_mech *gm, u32 qop,
  202. u32 service)
  203. {
  204. int i;
  205. for (i = 0; i < gm->gm_pf_num; i++) {
  206. if (gm->gm_pfs[i].qop == qop &&
  207. gm->gm_pfs[i].service == service) {
  208. return gm->gm_pfs[i].pseudoflavor;
  209. }
  210. }
  211. return RPC_AUTH_MAXFLAVOR;
  212. }
  213. /**
  214. * gss_mech_info2flavor - look up a pseudoflavor given a GSS tuple
  215. * @info: a GSS mech OID, quality of protection, and service value
  216. *
  217. * Returns a matching pseudoflavor, or RPC_AUTH_MAXFLAVOR if the tuple is
  218. * not supported.
  219. */
  220. rpc_authflavor_t gss_mech_info2flavor(struct rpcsec_gss_info *info)
  221. {
  222. rpc_authflavor_t pseudoflavor;
  223. struct gss_api_mech *gm;
  224. gm = gss_mech_get_by_OID(&info->oid);
  225. if (gm == NULL)
  226. return RPC_AUTH_MAXFLAVOR;
  227. pseudoflavor = gss_svc_to_pseudoflavor(gm, info->qop, info->service);
  228. gss_mech_put(gm);
  229. return pseudoflavor;
  230. }
  231. /**
  232. * gss_mech_flavor2info - look up a GSS tuple for a given pseudoflavor
  233. * @pseudoflavor: GSS pseudoflavor to match
  234. * @info: rpcsec_gss_info structure to fill in
  235. *
  236. * Returns zero and fills in "info" if pseudoflavor matches a
  237. * supported mechanism. Otherwise a negative errno is returned.
  238. */
  239. int gss_mech_flavor2info(rpc_authflavor_t pseudoflavor,
  240. struct rpcsec_gss_info *info)
  241. {
  242. struct gss_api_mech *gm;
  243. int i;
  244. gm = gss_mech_get_by_pseudoflavor(pseudoflavor);
  245. if (gm == NULL)
  246. return -ENOENT;
  247. for (i = 0; i < gm->gm_pf_num; i++) {
  248. if (gm->gm_pfs[i].pseudoflavor == pseudoflavor) {
  249. memcpy(info->oid.data, gm->gm_oid.data, gm->gm_oid.len);
  250. info->oid.len = gm->gm_oid.len;
  251. info->qop = gm->gm_pfs[i].qop;
  252. info->service = gm->gm_pfs[i].service;
  253. gss_mech_put(gm);
  254. return 0;
  255. }
  256. }
  257. gss_mech_put(gm);
  258. return -ENOENT;
  259. }
  260. u32
  261. gss_pseudoflavor_to_service(struct gss_api_mech *gm, u32 pseudoflavor)
  262. {
  263. int i;
  264. for (i = 0; i < gm->gm_pf_num; i++) {
  265. if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
  266. return gm->gm_pfs[i].service;
  267. }
  268. return 0;
  269. }
  270. EXPORT_SYMBOL(gss_pseudoflavor_to_service);
  271. bool
  272. gss_pseudoflavor_to_datatouch(struct gss_api_mech *gm, u32 pseudoflavor)
  273. {
  274. int i;
  275. for (i = 0; i < gm->gm_pf_num; i++) {
  276. if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
  277. return gm->gm_pfs[i].datatouch;
  278. }
  279. return false;
  280. }
  281. char *
  282. gss_service_to_auth_domain_name(struct gss_api_mech *gm, u32 service)
  283. {
  284. int i;
  285. for (i = 0; i < gm->gm_pf_num; i++) {
  286. if (gm->gm_pfs[i].service == service)
  287. return gm->gm_pfs[i].auth_domain_name;
  288. }
  289. return NULL;
  290. }
  291. void
  292. gss_mech_put(struct gss_api_mech * gm)
  293. {
  294. if (gm)
  295. module_put(gm->gm_owner);
  296. }
  297. EXPORT_SYMBOL(gss_mech_put);
  298. /* The mech could probably be determined from the token instead, but it's just
  299. * as easy for now to pass it in. */
  300. int
  301. gss_import_sec_context(const void *input_token, size_t bufsize,
  302. struct gss_api_mech *mech,
  303. struct gss_ctx **ctx_id,
  304. time64_t *endtime,
  305. gfp_t gfp_mask)
  306. {
  307. if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask)))
  308. return -ENOMEM;
  309. (*ctx_id)->mech_type = gss_mech_get(mech);
  310. return mech->gm_ops->gss_import_sec_context(input_token, bufsize,
  311. *ctx_id, endtime, gfp_mask);
  312. }
  313. /* gss_get_mic: compute a mic over message and return mic_token. */
  314. u32
  315. gss_get_mic(struct gss_ctx *context_handle,
  316. struct xdr_buf *message,
  317. struct xdr_netobj *mic_token)
  318. {
  319. return context_handle->mech_type->gm_ops
  320. ->gss_get_mic(context_handle,
  321. message,
  322. mic_token);
  323. }
  324. /* gss_verify_mic: check whether the provided mic_token verifies message. */
  325. u32
  326. gss_verify_mic(struct gss_ctx *context_handle,
  327. struct xdr_buf *message,
  328. struct xdr_netobj *mic_token)
  329. {
  330. return context_handle->mech_type->gm_ops
  331. ->gss_verify_mic(context_handle,
  332. message,
  333. mic_token);
  334. }
  335. /*
  336. * This function is called from both the client and server code.
  337. * Each makes guarantees about how much "slack" space is available
  338. * for the underlying function in "buf"'s head and tail while
  339. * performing the wrap.
  340. *
  341. * The client and server code allocate RPC_MAX_AUTH_SIZE extra
  342. * space in both the head and tail which is available for use by
  343. * the wrap function.
  344. *
  345. * Underlying functions should verify they do not use more than
  346. * RPC_MAX_AUTH_SIZE of extra space in either the head or tail
  347. * when performing the wrap.
  348. */
  349. u32
  350. gss_wrap(struct gss_ctx *ctx_id,
  351. int offset,
  352. struct xdr_buf *buf,
  353. struct page **inpages)
  354. {
  355. return ctx_id->mech_type->gm_ops
  356. ->gss_wrap(ctx_id, offset, buf, inpages);
  357. }
  358. u32
  359. gss_unwrap(struct gss_ctx *ctx_id,
  360. int offset,
  361. struct xdr_buf *buf)
  362. {
  363. return ctx_id->mech_type->gm_ops
  364. ->gss_unwrap(ctx_id, offset, buf);
  365. }
  366. /* gss_delete_sec_context: free all resources associated with context_handle.
  367. * Note this differs from the RFC 2744-specified prototype in that we don't
  368. * bother returning an output token, since it would never be used anyway. */
  369. u32
  370. gss_delete_sec_context(struct gss_ctx **context_handle)
  371. {
  372. dprintk("RPC: gss_delete_sec_context deleting %p\n",
  373. *context_handle);
  374. if (!*context_handle)
  375. return GSS_S_NO_CONTEXT;
  376. if ((*context_handle)->internal_ctx_id)
  377. (*context_handle)->mech_type->gm_ops
  378. ->gss_delete_sec_context((*context_handle)
  379. ->internal_ctx_id);
  380. gss_mech_put((*context_handle)->mech_type);
  381. kfree(*context_handle);
  382. *context_handle=NULL;
  383. return GSS_S_COMPLETE;
  384. }