2 * fs/cifs/cifs_spnego.c -- SPNEGO upcall management for CIFS
4 * Copyright (c) 2007 Red Hat, Inc.
5 * Author(s): Jeff Layton (jlayton@redhat.com)
7 * This library is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU Lesser General Public License as published
9 * by the Free Software Foundation; either version 2.1 of the License, or
10 * (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
15 * the GNU Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this library; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 #include <linux/list.h>
23 #include <linux/slab.h>
24 #include <linux/string.h>
25 #include <keys/user-type.h>
26 #include <linux/key-type.h>
27 #include <linux/keyctl.h>
28 #include <linux/inet.h>
30 #include "cifs_spnego.h"
31 #include "cifs_debug.h"
32 #include "cifsproto.h"
33 static const struct cred
*spnego_cred
;
35 /* create a new cifs key */
37 cifs_spnego_key_instantiate(struct key
*key
, struct key_preparsed_payload
*prep
)
43 payload
= kmemdup(prep
->data
, prep
->datalen
, GFP_KERNEL
);
48 key
->payload
.data
= payload
;
56 cifs_spnego_key_destroy(struct key
*key
)
58 kfree(key
->payload
.data
);
63 * keytype for CIFS spnego keys
65 struct key_type cifs_spnego_key_type
= {
66 .name
= "cifs.spnego",
67 .instantiate
= cifs_spnego_key_instantiate
,
68 .destroy
= cifs_spnego_key_destroy
,
69 .describe
= user_describe
,
72 /* length of longest version string e.g. strlen("ver=0xFF") */
73 #define MAX_VER_STR_LEN 8
75 /* length of longest security mechanism name, eg in future could have
76 * strlen(";sec=ntlmsspi") */
77 #define MAX_MECH_STR_LEN 13
79 /* strlen of "host=" */
80 #define HOST_KEY_LEN 5
82 /* strlen of ";ip4=" or ";ip6=" */
85 /* strlen of ";uid=0x" */
88 /* strlen of ";creduid=0x" */
89 #define CREDUID_KEY_LEN 11
91 /* strlen of ";user=" */
92 #define USER_KEY_LEN 6
94 /* strlen of ";pid=0x" */
97 /* get a key struct with a SPNEGO security blob, suitable for session setup */
99 cifs_get_spnego_key(struct cifs_ses
*sesInfo
)
101 struct TCP_Server_Info
*server
= sesInfo
->server
;
102 struct sockaddr_in
*sa
= (struct sockaddr_in
*) &server
->dstaddr
;
103 struct sockaddr_in6
*sa6
= (struct sockaddr_in6
*) &server
->dstaddr
;
104 char *description
, *dp
;
106 struct key
*spnego_key
;
107 const char *hostname
= server
->hostname
;
108 const struct cred
*saved_cred
;
110 /* length of fields (with semicolons): ver=0xyz ip4=ipaddress
111 host=hostname sec=mechanism uid=0xFF user=username */
112 desc_len
= MAX_VER_STR_LEN
+
113 HOST_KEY_LEN
+ strlen(hostname
) +
114 IP_KEY_LEN
+ INET6_ADDRSTRLEN
+
116 UID_KEY_LEN
+ (sizeof(uid_t
) * 2) +
117 CREDUID_KEY_LEN
+ (sizeof(uid_t
) * 2) +
118 PID_KEY_LEN
+ (sizeof(pid_t
) * 2) + 1;
120 if (sesInfo
->user_name
)
121 desc_len
+= USER_KEY_LEN
+ strlen(sesInfo
->user_name
);
123 spnego_key
= ERR_PTR(-ENOMEM
);
124 description
= kzalloc(desc_len
, GFP_KERNEL
);
125 if (description
== NULL
)
129 /* start with version and hostname portion of UNC string */
130 spnego_key
= ERR_PTR(-EINVAL
);
131 sprintf(dp
, "ver=0x%x;host=%s;", CIFS_SPNEGO_UPCALL_VERSION
,
133 dp
= description
+ strlen(description
);
135 /* add the server address */
136 if (server
->dstaddr
.ss_family
== AF_INET
)
137 sprintf(dp
, "ip4=%pI4", &sa
->sin_addr
);
138 else if (server
->dstaddr
.ss_family
== AF_INET6
)
139 sprintf(dp
, "ip6=%pI6", &sa6
->sin6_addr
);
143 dp
= description
+ strlen(description
);
145 /* for now, only sec=krb5 and sec=mskrb5 are valid */
146 if (server
->sec_kerberos
)
147 sprintf(dp
, ";sec=krb5");
148 else if (server
->sec_mskerberos
)
149 sprintf(dp
, ";sec=mskrb5");
153 dp
= description
+ strlen(description
);
154 sprintf(dp
, ";uid=0x%x",
155 from_kuid_munged(&init_user_ns
, sesInfo
->linux_uid
));
157 dp
= description
+ strlen(description
);
158 sprintf(dp
, ";creduid=0x%x",
159 from_kuid_munged(&init_user_ns
, sesInfo
->cred_uid
));
161 if (sesInfo
->user_name
) {
162 dp
= description
+ strlen(description
);
163 sprintf(dp
, ";user=%s", sesInfo
->user_name
);
166 dp
= description
+ strlen(description
);
167 sprintf(dp
, ";pid=0x%x", current
->pid
);
169 cifs_dbg(FYI
, "key description = %s\n", description
);
170 saved_cred
= override_creds(spnego_cred
);
171 spnego_key
= request_key(&cifs_spnego_key_type
, description
, "");
172 revert_creds(saved_cred
);
174 #ifdef CONFIG_CIFS_DEBUG2
175 if (cifsFYI
&& !IS_ERR(spnego_key
)) {
176 struct cifs_spnego_msg
*msg
= spnego_key
->payload
.data
;
177 cifs_dump_mem("SPNEGO reply blob:", msg
->data
, min(1024U,
178 msg
->secblob_len
+ msg
->sesskey_len
));
180 #endif /* CONFIG_CIFS_DEBUG2 */
188 init_cifs_spnego(void)
194 cifs_dbg(FYI
, "Registering the %s key type\n",
195 cifs_spnego_key_type
.name
);
198 * Create an override credential set with special thread keyring for
202 cred
= prepare_kernel_cred(NULL
);
206 keyring
= keyring_alloc(".cifs_spnego",
207 GLOBAL_ROOT_UID
, GLOBAL_ROOT_GID
, cred
,
208 (KEY_POS_ALL
& ~KEY_POS_SETATTR
) |
209 KEY_USR_VIEW
| KEY_USR_READ
,
210 KEY_ALLOC_NOT_IN_QUOTA
, NULL
);
211 if (IS_ERR(keyring
)) {
212 ret
= PTR_ERR(keyring
);
213 goto failed_put_cred
;
216 ret
= register_key_type(&cifs_spnego_key_type
);
221 * instruct request_key() to use this special keyring as a cache for
222 * the results it looks up
224 set_bit(KEY_FLAG_ROOT_CAN_CLEAR
, &keyring
->flags
);
225 cred
->thread_keyring
= keyring
;
226 cred
->jit_keyring
= KEY_REQKEY_DEFL_THREAD_KEYRING
;
229 cifs_dbg(FYI
, "cifs spnego keyring: %d\n", key_serial(keyring
));
240 exit_cifs_spnego(void)
242 key_revoke(spnego_cred
->thread_keyring
);
243 unregister_key_type(&cifs_spnego_key_type
);
244 put_cred(spnego_cred
);
245 cifs_dbg(FYI
, "Unregistered %s key type\n", cifs_spnego_key_type
.name
);