2 * linux/net/sunrpc/gss_mech_switch.c
4 * Copyright (c) 2001 The Regents of the University of Michigan.
7 * J. Bruce Fields <bfields@umich.edu>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its
19 * contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
23 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
24 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
25 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
29 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
30 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
31 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
32 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 #include <linux/types.h>
37 #include <linux/slab.h>
38 #include <linux/module.h>
39 #include <linux/oid_registry.h>
40 #include <linux/sunrpc/msg_prot.h>
41 #include <linux/sunrpc/gss_asn1.h>
42 #include <linux/sunrpc/auth_gss.h>
43 #include <linux/sunrpc/svcauth_gss.h>
44 #include <linux/sunrpc/gss_err.h>
45 #include <linux/sunrpc/sched.h>
46 #include <linux/sunrpc/gss_api.h>
47 #include <linux/sunrpc/clnt.h>
50 # define RPCDBG_FACILITY RPCDBG_AUTH
53 static LIST_HEAD(registered_mechs
);
54 static DEFINE_SPINLOCK(registered_mechs_lock
);
57 gss_mech_free(struct gss_api_mech
*gm
)
62 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
64 kfree(pf
->auth_domain_name
);
65 pf
->auth_domain_name
= NULL
;
70 make_auth_domain_name(char *name
)
72 static char *prefix
= "gss/";
75 new = kmalloc(strlen(name
) + strlen(prefix
) + 1, GFP_KERNEL
);
84 gss_mech_svc_setup(struct gss_api_mech
*gm
)
89 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
91 pf
->auth_domain_name
= make_auth_domain_name(pf
->name
);
93 if (pf
->auth_domain_name
== NULL
)
95 status
= svcauth_gss_register_pseudoflavor(pf
->pseudoflavor
,
96 pf
->auth_domain_name
);
107 * gss_mech_register - register a GSS mechanism
108 * @gm: GSS mechanism handle
110 * Returns zero if successful, or a negative errno.
112 int gss_mech_register(struct gss_api_mech
*gm
)
116 status
= gss_mech_svc_setup(gm
);
119 spin_lock(®istered_mechs_lock
);
120 list_add(&gm
->gm_list
, ®istered_mechs
);
121 spin_unlock(®istered_mechs_lock
);
122 dprintk("RPC: registered gss mechanism %s\n", gm
->gm_name
);
125 EXPORT_SYMBOL_GPL(gss_mech_register
);
128 * gss_mech_unregister - release a GSS mechanism
129 * @gm: GSS mechanism handle
132 void gss_mech_unregister(struct gss_api_mech
*gm
)
134 spin_lock(®istered_mechs_lock
);
135 list_del(&gm
->gm_list
);
136 spin_unlock(®istered_mechs_lock
);
137 dprintk("RPC: unregistered gss mechanism %s\n", gm
->gm_name
);
140 EXPORT_SYMBOL_GPL(gss_mech_unregister
);
142 struct gss_api_mech
*gss_mech_get(struct gss_api_mech
*gm
)
144 __module_get(gm
->gm_owner
);
147 EXPORT_SYMBOL(gss_mech_get
);
149 static struct gss_api_mech
*
150 _gss_mech_get_by_name(const char *name
)
152 struct gss_api_mech
*pos
, *gm
= NULL
;
154 spin_lock(®istered_mechs_lock
);
155 list_for_each_entry(pos
, ®istered_mechs
, gm_list
) {
156 if (0 == strcmp(name
, pos
->gm_name
)) {
157 if (try_module_get(pos
->gm_owner
))
162 spin_unlock(®istered_mechs_lock
);
167 struct gss_api_mech
* gss_mech_get_by_name(const char *name
)
169 struct gss_api_mech
*gm
= NULL
;
171 gm
= _gss_mech_get_by_name(name
);
173 request_module("rpc-auth-gss-%s", name
);
174 gm
= _gss_mech_get_by_name(name
);
179 struct gss_api_mech
*gss_mech_get_by_OID(struct rpcsec_gss_oid
*obj
)
181 struct gss_api_mech
*pos
, *gm
= NULL
;
184 if (sprint_oid(obj
->data
, obj
->len
, buf
, sizeof(buf
)) < 0)
186 dprintk("RPC: %s(%s)\n", __func__
, buf
);
187 request_module("rpc-auth-gss-%s", buf
);
189 spin_lock(®istered_mechs_lock
);
190 list_for_each_entry(pos
, ®istered_mechs
, gm_list
) {
191 if (obj
->len
== pos
->gm_oid
.len
) {
192 if (0 == memcmp(obj
->data
, pos
->gm_oid
.data
, obj
->len
)) {
193 if (try_module_get(pos
->gm_owner
))
199 spin_unlock(®istered_mechs_lock
);
204 mech_supports_pseudoflavor(struct gss_api_mech
*gm
, u32 pseudoflavor
)
208 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
209 if (gm
->gm_pfs
[i
].pseudoflavor
== pseudoflavor
)
215 static struct gss_api_mech
*_gss_mech_get_by_pseudoflavor(u32 pseudoflavor
)
217 struct gss_api_mech
*gm
= NULL
, *pos
;
219 spin_lock(®istered_mechs_lock
);
220 list_for_each_entry(pos
, ®istered_mechs
, gm_list
) {
221 if (!mech_supports_pseudoflavor(pos
, pseudoflavor
)) {
222 module_put(pos
->gm_owner
);
225 if (try_module_get(pos
->gm_owner
))
229 spin_unlock(®istered_mechs_lock
);
233 struct gss_api_mech
*
234 gss_mech_get_by_pseudoflavor(u32 pseudoflavor
)
236 struct gss_api_mech
*gm
;
238 gm
= _gss_mech_get_by_pseudoflavor(pseudoflavor
);
241 request_module("rpc-auth-gss-%u", pseudoflavor
);
242 gm
= _gss_mech_get_by_pseudoflavor(pseudoflavor
);
248 * gss_mech_list_pseudoflavors - Discover registered GSS pseudoflavors
249 * @array: array to fill in
250 * @size: size of "array"
252 * Returns the number of array items filled in, or a negative errno.
254 * The returned array is not sorted by any policy. Callers should not
255 * rely on the order of the items in the returned array.
257 int gss_mech_list_pseudoflavors(rpc_authflavor_t
*array_ptr
, int size
)
259 struct gss_api_mech
*pos
= NULL
;
262 spin_lock(®istered_mechs_lock
);
263 list_for_each_entry(pos
, ®istered_mechs
, gm_list
) {
264 for (j
= 0; j
< pos
->gm_pf_num
; j
++) {
266 spin_unlock(®istered_mechs_lock
);
269 array_ptr
[i
++] = pos
->gm_pfs
[j
].pseudoflavor
;
272 spin_unlock(®istered_mechs_lock
);
277 * gss_svc_to_pseudoflavor - map a GSS service number to a pseudoflavor
278 * @gm: GSS mechanism handle
279 * @qop: GSS quality-of-protection value
280 * @service: GSS service value
282 * Returns a matching security flavor, or RPC_AUTH_MAXFLAVOR if none is found.
284 rpc_authflavor_t
gss_svc_to_pseudoflavor(struct gss_api_mech
*gm
, u32 qop
,
289 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
290 if (gm
->gm_pfs
[i
].qop
== qop
&&
291 gm
->gm_pfs
[i
].service
== service
) {
292 return gm
->gm_pfs
[i
].pseudoflavor
;
295 return RPC_AUTH_MAXFLAVOR
;
299 * gss_mech_info2flavor - look up a pseudoflavor given a GSS tuple
300 * @info: a GSS mech OID, quality of protection, and service value
302 * Returns a matching pseudoflavor, or RPC_AUTH_MAXFLAVOR if the tuple is
305 rpc_authflavor_t
gss_mech_info2flavor(struct rpcsec_gss_info
*info
)
307 rpc_authflavor_t pseudoflavor
;
308 struct gss_api_mech
*gm
;
310 gm
= gss_mech_get_by_OID(&info
->oid
);
312 return RPC_AUTH_MAXFLAVOR
;
314 pseudoflavor
= gss_svc_to_pseudoflavor(gm
, info
->qop
, info
->service
);
321 * gss_mech_flavor2info - look up a GSS tuple for a given pseudoflavor
322 * @pseudoflavor: GSS pseudoflavor to match
323 * @info: rpcsec_gss_info structure to fill in
325 * Returns zero and fills in "info" if pseudoflavor matches a
326 * supported mechanism. Otherwise a negative errno is returned.
328 int gss_mech_flavor2info(rpc_authflavor_t pseudoflavor
,
329 struct rpcsec_gss_info
*info
)
331 struct gss_api_mech
*gm
;
334 gm
= gss_mech_get_by_pseudoflavor(pseudoflavor
);
338 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
339 if (gm
->gm_pfs
[i
].pseudoflavor
== pseudoflavor
) {
340 memcpy(info
->oid
.data
, gm
->gm_oid
.data
, gm
->gm_oid
.len
);
341 info
->oid
.len
= gm
->gm_oid
.len
;
342 info
->qop
= gm
->gm_pfs
[i
].qop
;
343 info
->service
= gm
->gm_pfs
[i
].service
;
354 gss_pseudoflavor_to_service(struct gss_api_mech
*gm
, u32 pseudoflavor
)
358 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
359 if (gm
->gm_pfs
[i
].pseudoflavor
== pseudoflavor
)
360 return gm
->gm_pfs
[i
].service
;
364 EXPORT_SYMBOL(gss_pseudoflavor_to_service
);
367 gss_service_to_auth_domain_name(struct gss_api_mech
*gm
, u32 service
)
371 for (i
= 0; i
< gm
->gm_pf_num
; i
++) {
372 if (gm
->gm_pfs
[i
].service
== service
)
373 return gm
->gm_pfs
[i
].auth_domain_name
;
379 gss_mech_put(struct gss_api_mech
* gm
)
382 module_put(gm
->gm_owner
);
384 EXPORT_SYMBOL(gss_mech_put
);
386 /* The mech could probably be determined from the token instead, but it's just
387 * as easy for now to pass it in. */
389 gss_import_sec_context(const void *input_token
, size_t bufsize
,
390 struct gss_api_mech
*mech
,
391 struct gss_ctx
**ctx_id
,
395 if (!(*ctx_id
= kzalloc(sizeof(**ctx_id
), gfp_mask
)))
397 (*ctx_id
)->mech_type
= gss_mech_get(mech
);
399 return mech
->gm_ops
->gss_import_sec_context(input_token
, bufsize
,
400 *ctx_id
, endtime
, gfp_mask
);
403 /* gss_get_mic: compute a mic over message and return mic_token. */
406 gss_get_mic(struct gss_ctx
*context_handle
,
407 struct xdr_buf
*message
,
408 struct xdr_netobj
*mic_token
)
410 return context_handle
->mech_type
->gm_ops
411 ->gss_get_mic(context_handle
,
416 /* gss_verify_mic: check whether the provided mic_token verifies message. */
419 gss_verify_mic(struct gss_ctx
*context_handle
,
420 struct xdr_buf
*message
,
421 struct xdr_netobj
*mic_token
)
423 return context_handle
->mech_type
->gm_ops
424 ->gss_verify_mic(context_handle
,
430 * This function is called from both the client and server code.
431 * Each makes guarantees about how much "slack" space is available
432 * for the underlying function in "buf"'s head and tail while
433 * performing the wrap.
435 * The client and server code allocate RPC_MAX_AUTH_SIZE extra
436 * space in both the head and tail which is available for use by
439 * Underlying functions should verify they do not use more than
440 * RPC_MAX_AUTH_SIZE of extra space in either the head or tail
441 * when performing the wrap.
444 gss_wrap(struct gss_ctx
*ctx_id
,
447 struct page
**inpages
)
449 return ctx_id
->mech_type
->gm_ops
450 ->gss_wrap(ctx_id
, offset
, buf
, inpages
);
454 gss_unwrap(struct gss_ctx
*ctx_id
,
458 return ctx_id
->mech_type
->gm_ops
459 ->gss_unwrap(ctx_id
, offset
, buf
);
463 /* gss_delete_sec_context: free all resources associated with context_handle.
464 * Note this differs from the RFC 2744-specified prototype in that we don't
465 * bother returning an output token, since it would never be used anyway. */
468 gss_delete_sec_context(struct gss_ctx
**context_handle
)
470 dprintk("RPC: gss_delete_sec_context deleting %p\n",
473 if (!*context_handle
)
474 return GSS_S_NO_CONTEXT
;
475 if ((*context_handle
)->internal_ctx_id
)
476 (*context_handle
)->mech_type
->gm_ops
477 ->gss_delete_sec_context((*context_handle
)
479 gss_mech_put((*context_handle
)->mech_type
);
480 kfree(*context_handle
);
481 *context_handle
=NULL
;
482 return GSS_S_COMPLETE
;