LXR linux/net/sunrpc/auth_gss/gss_mech

   1// SPDX-License-Identifier: BSD-3-Clause
   2/*
   3 *  linux/net/sunrpc/gss_mech_switch.c
   4 *
   5 *  Copyright (c) 2001 The Regents of the University of Michigan.
   6 *  All rights reserved.
   7 *
   8 *  J. Bruce Fields   <bfields@umich.edu>
   9 */
  10
  11#include <linux/types.h>
  12#include <linux/slab.h>
  13#include <linux/module.h>
  14#include <linux/oid_registry.h>
  15#include <linux/sunrpc/msg_prot.h>
  16#include <linux/sunrpc/gss_asn1.h>
  17#include <linux/sunrpc/auth_gss.h>
  18#include <linux/sunrpc/svcauth_gss.h>
  19#include <linux/sunrpc/gss_err.h>
  20#include <linux/sunrpc/sched.h>
  21#include <linux/sunrpc/gss_api.h>
  22#include <linux/sunrpc/clnt.h>
  23#include <trace/events/rpcgss.h>
  24
  25#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  26# define RPCDBG_FACILITY        RPCDBG_AUTH
  27#endif
  28
  29static LIST_HEAD(registered_mechs);
  30static DEFINE_SPINLOCK(registered_mechs_lock);
  31
  32static void
  33gss_mech_free(struct gss_api_mech *gm)
  34{
  35        struct pf_desc *pf;
  36        int i;
  37
  38        for (i = 0; i < gm->gm_pf_num; i++) {
  39                pf = &gm->gm_pfs[i];
  40                if (pf->domain)
  41                        auth_domain_put(pf->domain);
  42                kfree(pf->auth_domain_name);
  43                pf->auth_domain_name = NULL;
  44        }
  45}
  46
  47static inline char *
  48make_auth_domain_name(char *name)
  49{
  50        static char     *prefix = "gss/";
  51        char            *new;
  52
  53        new = kmalloc(strlen(name) + strlen(prefix) + 1, GFP_KERNEL);
  54        if (new) {
  55                strcpy(new, prefix);
  56                strcat(new, name);
  57        }
  58        return new;
  59}
  60
  61static int
  62gss_mech_svc_setup(struct gss_api_mech *gm)
  63{
  64        struct auth_domain *dom;
  65        struct pf_desc *pf;
  66        int i, status;
  67
  68        for (i = 0; i < gm->gm_pf_num; i++) {
  69                pf = &gm->gm_pfs[i];
  70                pf->auth_domain_name = make_auth_domain_name(pf->name);
  71                status = -ENOMEM;
  72                if (pf->auth_domain_name == NULL)
  73                        goto out;
  74                dom = svcauth_gss_register_pseudoflavor(
  75                        pf->pseudoflavor, pf->auth_domain_name);
  76                if (IS_ERR(dom)) {
  77                        status = PTR_ERR(dom);
  78                        goto out;
  79                }
  80                pf->domain = dom;
  81        }
  82        return 0;
  83out:
  84        gss_mech_free(gm);
  85        return status;
  86}
  87
  88/**
  89 * gss_mech_register - register a GSS mechanism
  90 * @gm: GSS mechanism handle
  91 *
  92 * Returns zero if successful, or a negative errno.
  93 */
  94int gss_mech_register(struct gss_api_mech *gm)
  95{
  96        int status;
  97
  98        status = gss_mech_svc_setup(gm);
  99        if (status)
 100                return status;
 101        spin_lock(&registered_mechs_lock);
 102        list_add_rcu(&gm->gm_list, &registered_mechs);
 103        spin_unlock(&registered_mechs_lock);
 104        dprintk("RPC:       registered gss mechanism %s\n", gm->gm_name);
 105        return 0;
 106}
 107EXPORT_SYMBOL_GPL(gss_mech_register);
 108
 109/**
 110 * gss_mech_unregister - release a GSS mechanism
 111 * @gm: GSS mechanism handle
 112 *
 113 */
 114void gss_mech_unregister(struct gss_api_mech *gm)
 115{
 116        spin_lock(&registered_mechs_lock);
 117        list_del_rcu(&gm->gm_list);
 118        spin_unlock(&registered_mechs_lock);
 119        dprintk("RPC:       unregistered gss mechanism %s\n", gm->gm_name);
 120        gss_mech_free(gm);
 121}
 122EXPORT_SYMBOL_GPL(gss_mech_unregister);
 123
 124struct gss_api_mech *gss_mech_get(struct gss_api_mech *gm)
 125{
 126        __module_get(gm->gm_owner);
 127        return gm;
 128}
 129EXPORT_SYMBOL(gss_mech_get);
 130
 131static struct gss_api_mech *
 132_gss_mech_get_by_name(const char *name)
 133{
 134        struct gss_api_mech     *pos, *gm = NULL;
 135
 136        rcu_read_lock();
 137        list_for_each_entry_rcu(pos, &registered_mechs, gm_list) {
 138                if (0 == strcmp(name, pos->gm_name)) {
 139                        if (try_module_get(pos->gm_owner))
 140                                gm = pos;
 141                        break;
 142                }
 143        }
 144        rcu_read_unlock();
 145        return gm;
 146
 147}
 148
 149struct gss_api_mech * gss_mech_get_by_name(const char *name)
 150{
 151        struct gss_api_mech *gm = NULL;
 152
 153        gm = _gss_mech_get_by_name(name);
 154        if (!gm) {
 155                request_module("rpc-auth-gss-%s", name);
 156                gm = _gss_mech_get_by_name(name);
 157        }
 158        return gm;
 159}
 160
 161struct gss_api_mech *gss_mech_get_by_OID(struct rpcsec_gss_oid *obj)
 162{
 163        struct gss_api_mech     *pos, *gm = NULL;
 164        char buf[32];
 165
 166        if (sprint_oid(obj->data, obj->len, buf, sizeof(buf)) < 0)
 167                return NULL;
 168        request_module("rpc-auth-gss-%s", buf);
 169
 170        rcu_read_lock();
 171        list_for_each_entry_rcu(pos, &registered_mechs, gm_list) {
 172                if (obj->len == pos->gm_oid.len) {
 173                        if (0 == memcmp(obj->data, pos->gm_oid.data, obj->len)) {
 174                                if (try_module_get(pos->gm_owner))
 175                                        gm = pos;
 176                                break;
 177                        }
 178                }
 179        }
 180        rcu_read_unlock();
 181        if (!gm)
 182                trace_rpcgss_oid_to_mech(buf);
 183        return gm;
 184}
 185
 186static inline int
 187mech_supports_pseudoflavor(struct gss_api_mech *gm, u32 pseudoflavor)
 188{
 189        int i;
 190
 191        for (i = 0; i < gm->gm_pf_num; i++) {
 192                if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
 193                        return 1;
 194        }
 195        return 0;
 196}
 197
 198static struct gss_api_mech *_gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
 199{
 200        struct gss_api_mech *gm = NULL, *pos;
 201
 202        rcu_read_lock();
 203        list_for_each_entry_rcu(pos, &registered_mechs, gm_list) {
 204                if (!mech_supports_pseudoflavor(pos, pseudoflavor))
 205                        continue;
 206                if (try_module_get(pos->gm_owner))
 207                        gm = pos;
 208                break;
 209        }
 210        rcu_read_unlock();
 211        return gm;
 212}
 213
 214struct gss_api_mech *
 215gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
 216{
 217        struct gss_api_mech *gm;
 218
 219        gm = _gss_mech_get_by_pseudoflavor(pseudoflavor);
 220
 221        if (!gm) {
 222                request_module("rpc-auth-gss-%u", pseudoflavor);
 223                gm = _gss_mech_get_by_pseudoflavor(pseudoflavor);
 224        }
 225        return gm;
 226}
 227
 228/**
 229 * gss_svc_to_pseudoflavor - map a GSS service number to a pseudoflavor
 230 * @gm: GSS mechanism handle
 231 * @qop: GSS quality-of-protection value
 232 * @service: GSS service value
 233 *
 234 * Returns a matching security flavor, or RPC_AUTH_MAXFLAVOR if none is found.
 235 */
 236rpc_authflavor_t gss_svc_to_pseudoflavor(struct gss_api_mech *gm, u32 qop,
 237                                         u32 service)
 238{
 239        int i;
 240
 241        for (i = 0; i < gm->gm_pf_num; i++) {
 242                if (gm->gm_pfs[i].qop == qop &&
 243                    gm->gm_pfs[i].service == service) {
 244                        return gm->gm_pfs[i].pseudoflavor;
 245                }
 246        }
 247        return RPC_AUTH_MAXFLAVOR;
 248}
 249
 250/**
 251 * gss_mech_info2flavor - look up a pseudoflavor given a GSS tuple
 252 * @info: a GSS mech OID, quality of protection, and service value
 253 *
 254 * Returns a matching pseudoflavor, or RPC_AUTH_MAXFLAVOR if the tuple is
 255 * not supported.
 256 */
 257rpc_authflavor_t gss_mech_info2flavor(struct rpcsec_gss_info *info)
 258{
 259        rpc_authflavor_t pseudoflavor;
 260        struct gss_api_mech *gm;
 261
 262        gm = gss_mech_get_by_OID(&info->oid);
 263        if (gm == NULL)
 264                return RPC_AUTH_MAXFLAVOR;
 265
 266        pseudoflavor = gss_svc_to_pseudoflavor(gm, info->qop, info->service);
 267
 268        gss_mech_put(gm);
 269        return pseudoflavor;
 270}
 271
 272/**
 273 * gss_mech_flavor2info - look up a GSS tuple for a given pseudoflavor
 274 * @pseudoflavor: GSS pseudoflavor to match
 275 * @info: rpcsec_gss_info structure to fill in
 276 *
 277 * Returns zero and fills in "info" if pseudoflavor matches a
 278 * supported mechanism.  Otherwise a negative errno is returned.
 279 */
 280int gss_mech_flavor2info(rpc_authflavor_t pseudoflavor,
 281                         struct rpcsec_gss_info *info)
 282{
 283        struct gss_api_mech *gm;
 284        int i;
 285
 286        gm = gss_mech_get_by_pseudoflavor(pseudoflavor);
 287        if (gm == NULL)
 288                return -ENOENT;
 289
 290        for (i = 0; i < gm->gm_pf_num; i++) {
 291                if (gm->gm_pfs[i].pseudoflavor == pseudoflavor) {
 292                        memcpy(info->oid.data, gm->gm_oid.data, gm->gm_oid.len);
 293                        info->oid.len = gm->gm_oid.len;
 294                        info->qop = gm->gm_pfs[i].qop;
 295                        info->service = gm->gm_pfs[i].service;
 296                        gss_mech_put(gm);
 297                        return 0;
 298                }
 299        }
 300
 301        gss_mech_put(gm);
 302        return -ENOENT;
 303}
 304
 305u32
 306gss_pseudoflavor_to_service(struct gss_api_mech *gm, u32 pseudoflavor)
 307{
 308        int i;
 309
 310        for (i = 0; i < gm->gm_pf_num; i++) {
 311                if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
 312                        return gm->gm_pfs[i].service;
 313        }
 314        return 0;
 315}
 316EXPORT_SYMBOL(gss_pseudoflavor_to_service);
 317
 318bool
 319gss_pseudoflavor_to_datatouch(struct gss_api_mech *gm, u32 pseudoflavor)
 320{
 321        int i;
 322
 323        for (i = 0; i < gm->gm_pf_num; i++) {
 324                if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
 325                        return gm->gm_pfs[i].datatouch;
 326        }
 327        return false;
 328}
 329
 330char *
 331gss_service_to_auth_domain_name(struct gss_api_mech *gm, u32 service)
 332{
 333        int i;
 334
 335        for (i = 0; i < gm->gm_pf_num; i++) {
 336                if (gm->gm_pfs[i].service == service)
 337                        return gm->gm_pfs[i].auth_domain_name;
 338        }
 339        return NULL;
 340}
 341
 342void
 343gss_mech_put(struct gss_api_mech * gm)
 344{
 345        if (gm)
 346                module_put(gm->gm_owner);
 347}
 348EXPORT_SYMBOL(gss_mech_put);
 349
 350/* The mech could probably be determined from the token instead, but it's just
 351 * as easy for now to pass it in. */
 352int
 353gss_import_sec_context(const void *input_token, size_t bufsize,
 354                       struct gss_api_mech      *mech,
 355                       struct gss_ctx           **ctx_id,
 356                       time64_t                 *endtime,
 357                       gfp_t gfp_mask)
 358{
 359        if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask)))
 360                return -ENOMEM;
 361        (*ctx_id)->mech_type = gss_mech_get(mech);
 362
 363        return mech->gm_ops->gss_import_sec_context(input_token, bufsize,
 364                                                *ctx_id, endtime, gfp_mask);
 365}
 366
 367/* gss_get_mic: compute a mic over message and return mic_token. */
 368
 369u32
 370gss_get_mic(struct gss_ctx      *context_handle,
 371            struct xdr_buf      *message,
 372            struct xdr_netobj   *mic_token)
 373{
 374         return context_handle->mech_type->gm_ops
 375                ->gss_get_mic(context_handle,
 376                              message,
 377                              mic_token);
 378}
 379
 380/* gss_verify_mic: check whether the provided mic_token verifies message. */
 381
 382u32
 383gss_verify_mic(struct gss_ctx           *context_handle,
 384               struct xdr_buf           *message,
 385               struct xdr_netobj        *mic_token)
 386{
 387        return context_handle->mech_type->gm_ops
 388                ->gss_verify_mic(context_handle,
 389                                 message,
 390                                 mic_token);
 391}
 392
 393/*
 394 * This function is called from both the client and server code.
 395 * Each makes guarantees about how much "slack" space is available
 396 * for the underlying function in "buf"'s head and tail while
 397 * performing the wrap.
 398 *
 399 * The client and server code allocate RPC_MAX_AUTH_SIZE extra
 400 * space in both the head and tail which is available for use by
 401 * the wrap function.
 402 *
 403 * Underlying functions should verify they do not use more than
 404 * RPC_MAX_AUTH_SIZE of extra space in either the head or tail
 405 * when performing the wrap.
 406 */
 407u32
 408gss_wrap(struct gss_ctx *ctx_id,
 409         int            offset,
 410         struct xdr_buf *buf,
 411         struct page    **inpages)
 412{
 413        return ctx_id->mech_type->gm_ops
 414                ->gss_wrap(ctx_id, offset, buf, inpages);
 415}
 416
 417u32
 418gss_unwrap(struct gss_ctx       *ctx_id,
 419           int                  offset,
 420           int                  len,
 421           struct xdr_buf       *buf)
 422{
 423        return ctx_id->mech_type->gm_ops
 424                ->gss_unwrap(ctx_id, offset, len, buf);
 425}
 426
 427
 428/* gss_delete_sec_context: free all resources associated with context_handle.
 429 * Note this differs from the RFC 2744-specified prototype in that we don't
 430 * bother returning an output token, since it would never be used anyway. */
 431
 432u32
 433gss_delete_sec_context(struct gss_ctx   **context_handle)
 434{
 435        dprintk("RPC:       gss_delete_sec_context deleting %p\n",
 436                        *context_handle);
 437
 438        if (!*context_handle)
 439                return GSS_S_NO_CONTEXT;
 440        if ((*context_handle)->internal_ctx_id)
 441                (*context_handle)->mech_type->gm_ops
 442                        ->gss_delete_sec_context((*context_handle)
 443                                                        ->internal_ctx_id);
 444        gss_mech_put((*context_handle)->mech_type);
 445        kfree(*context_handle);
 446        *context_handle=NULL;
 447        return GSS_S_COMPLETE;
 448}
 449