1 // SPDX-License-Identifier: BSD-3-Clause
3 * linux/net/sunrpc/gss_mech_switch.c
5 * Copyright (c) 2001 The Regents of the University of Michigan.
8 * J. Bruce Fields <bfields@umich.edu>
11 #include <linux/types.h>
12 #include <linux/slab.h>
13 #include <linux/module.h>
14 #include <linux/oid_registry.h>
15 #include <linux/sunrpc/msg_prot.h>
16 #include <linux/sunrpc/gss_asn1.h>
17 #include <linux/sunrpc/auth_gss.h>
18 #include <linux/sunrpc/svcauth_gss.h>
19 #include <linux/sunrpc/gss_err.h>
20 #include <linux/sunrpc/sched.h>
21 #include <linux/sunrpc/gss_api.h>
22 #include <linux/sunrpc/clnt.h>
24 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
25 # define RPCDBG_FACILITY RPCDBG_AUTH
28 static LIST_HEAD(registered_mechs);
29 static DEFINE_SPINLOCK(registered_mechs_lock);
32 gss_mech_free(struct gss_api_mech *gm)
37 for (i = 0; i < gm->gm_pf_num; i++) {
39 kfree(pf->auth_domain_name);
40 pf->auth_domain_name = NULL;
45 make_auth_domain_name(char *name)
47 static char *prefix = "gss/";
50 new = kmalloc(strlen(name) + strlen(prefix) + 1, GFP_KERNEL);
59 gss_mech_svc_setup(struct gss_api_mech *gm)
64 for (i = 0; i < gm->gm_pf_num; i++) {
66 pf->auth_domain_name = make_auth_domain_name(pf->name);
68 if (pf->auth_domain_name == NULL)
70 status = svcauth_gss_register_pseudoflavor(pf->pseudoflavor,
71 pf->auth_domain_name);
82 * gss_mech_register - register a GSS mechanism
83 * @gm: GSS mechanism handle
85 * Returns zero if successful, or a negative errno.
87 int gss_mech_register(struct gss_api_mech *gm)
91 status = gss_mech_svc_setup(gm);
94 spin_lock(®istered_mechs_lock);
95 list_add_rcu(&gm->gm_list, ®istered_mechs);
96 spin_unlock(®istered_mechs_lock);
97 dprintk("RPC: registered gss mechanism %s\n", gm->gm_name);
100 EXPORT_SYMBOL_GPL(gss_mech_register);
103 * gss_mech_unregister - release a GSS mechanism
104 * @gm: GSS mechanism handle
107 void gss_mech_unregister(struct gss_api_mech *gm)
109 spin_lock(®istered_mechs_lock);
110 list_del_rcu(&gm->gm_list);
111 spin_unlock(®istered_mechs_lock);
112 dprintk("RPC: unregistered gss mechanism %s\n", gm->gm_name);
115 EXPORT_SYMBOL_GPL(gss_mech_unregister);
117 struct gss_api_mech *gss_mech_get(struct gss_api_mech *gm)
119 __module_get(gm->gm_owner);
122 EXPORT_SYMBOL(gss_mech_get);
124 static struct gss_api_mech *
125 _gss_mech_get_by_name(const char *name)
127 struct gss_api_mech *pos, *gm = NULL;
130 list_for_each_entry_rcu(pos, ®istered_mechs, gm_list) {
131 if (0 == strcmp(name, pos->gm_name)) {
132 if (try_module_get(pos->gm_owner))
142 struct gss_api_mech * gss_mech_get_by_name(const char *name)
144 struct gss_api_mech *gm = NULL;
146 gm = _gss_mech_get_by_name(name);
148 request_module("rpc-auth-gss-%s", name);
149 gm = _gss_mech_get_by_name(name);
154 struct gss_api_mech *gss_mech_get_by_OID(struct rpcsec_gss_oid *obj)
156 struct gss_api_mech *pos, *gm = NULL;
159 if (sprint_oid(obj->data, obj->len, buf, sizeof(buf)) < 0)
161 dprintk("RPC: %s(%s)\n", __func__, buf);
162 request_module("rpc-auth-gss-%s", buf);
165 list_for_each_entry_rcu(pos, ®istered_mechs, gm_list) {
166 if (obj->len == pos->gm_oid.len) {
167 if (0 == memcmp(obj->data, pos->gm_oid.data, obj->len)) {
168 if (try_module_get(pos->gm_owner))
179 mech_supports_pseudoflavor(struct gss_api_mech *gm, u32 pseudoflavor)
183 for (i = 0; i < gm->gm_pf_num; i++) {
184 if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
190 static struct gss_api_mech *_gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
192 struct gss_api_mech *gm = NULL, *pos;
195 list_for_each_entry_rcu(pos, ®istered_mechs, gm_list) {
196 if (!mech_supports_pseudoflavor(pos, pseudoflavor))
198 if (try_module_get(pos->gm_owner))
206 struct gss_api_mech *
207 gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
209 struct gss_api_mech *gm;
211 gm = _gss_mech_get_by_pseudoflavor(pseudoflavor);
214 request_module("rpc-auth-gss-%u", pseudoflavor);
215 gm = _gss_mech_get_by_pseudoflavor(pseudoflavor);
221 * gss_mech_list_pseudoflavors - Discover registered GSS pseudoflavors
222 * @array_ptr: array to fill in
223 * @size: size of "array"
225 * Returns the number of array items filled in, or a negative errno.
227 * The returned array is not sorted by any policy. Callers should not
228 * rely on the order of the items in the returned array.
230 int gss_mech_list_pseudoflavors(rpc_authflavor_t *array_ptr, int size)
232 struct gss_api_mech *pos = NULL;
236 list_for_each_entry_rcu(pos, ®istered_mechs, gm_list) {
237 for (j = 0; j < pos->gm_pf_num; j++) {
239 spin_unlock(®istered_mechs_lock);
242 array_ptr[i++] = pos->gm_pfs[j].pseudoflavor;
250 * gss_svc_to_pseudoflavor - map a GSS service number to a pseudoflavor
251 * @gm: GSS mechanism handle
252 * @qop: GSS quality-of-protection value
253 * @service: GSS service value
255 * Returns a matching security flavor, or RPC_AUTH_MAXFLAVOR if none is found.
257 rpc_authflavor_t gss_svc_to_pseudoflavor(struct gss_api_mech *gm, u32 qop,
262 for (i = 0; i < gm->gm_pf_num; i++) {
263 if (gm->gm_pfs[i].qop == qop &&
264 gm->gm_pfs[i].service == service) {
265 return gm->gm_pfs[i].pseudoflavor;
268 return RPC_AUTH_MAXFLAVOR;
272 * gss_mech_info2flavor - look up a pseudoflavor given a GSS tuple
273 * @info: a GSS mech OID, quality of protection, and service value
275 * Returns a matching pseudoflavor, or RPC_AUTH_MAXFLAVOR if the tuple is
278 rpc_authflavor_t gss_mech_info2flavor(struct rpcsec_gss_info *info)
280 rpc_authflavor_t pseudoflavor;
281 struct gss_api_mech *gm;
283 gm = gss_mech_get_by_OID(&info->oid);
285 return RPC_AUTH_MAXFLAVOR;
287 pseudoflavor = gss_svc_to_pseudoflavor(gm, info->qop, info->service);
294 * gss_mech_flavor2info - look up a GSS tuple for a given pseudoflavor
295 * @pseudoflavor: GSS pseudoflavor to match
296 * @info: rpcsec_gss_info structure to fill in
298 * Returns zero and fills in "info" if pseudoflavor matches a
299 * supported mechanism. Otherwise a negative errno is returned.
301 int gss_mech_flavor2info(rpc_authflavor_t pseudoflavor,
302 struct rpcsec_gss_info *info)
304 struct gss_api_mech *gm;
307 gm = gss_mech_get_by_pseudoflavor(pseudoflavor);
311 for (i = 0; i < gm->gm_pf_num; i++) {
312 if (gm->gm_pfs[i].pseudoflavor == pseudoflavor) {
313 memcpy(info->oid.data, gm->gm_oid.data, gm->gm_oid.len);
314 info->oid.len = gm->gm_oid.len;
315 info->qop = gm->gm_pfs[i].qop;
316 info->service = gm->gm_pfs[i].service;
327 gss_pseudoflavor_to_service(struct gss_api_mech *gm, u32 pseudoflavor)
331 for (i = 0; i < gm->gm_pf_num; i++) {
332 if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
333 return gm->gm_pfs[i].service;
337 EXPORT_SYMBOL(gss_pseudoflavor_to_service);
340 gss_pseudoflavor_to_datatouch(struct gss_api_mech *gm, u32 pseudoflavor)
344 for (i = 0; i < gm->gm_pf_num; i++) {
345 if (gm->gm_pfs[i].pseudoflavor == pseudoflavor)
346 return gm->gm_pfs[i].datatouch;
352 gss_service_to_auth_domain_name(struct gss_api_mech *gm, u32 service)
356 for (i = 0; i < gm->gm_pf_num; i++) {
357 if (gm->gm_pfs[i].service == service)
358 return gm->gm_pfs[i].auth_domain_name;
364 gss_mech_put(struct gss_api_mech * gm)
367 module_put(gm->gm_owner);
369 EXPORT_SYMBOL(gss_mech_put);
371 /* The mech could probably be determined from the token instead, but it's just
372 * as easy for now to pass it in. */
374 gss_import_sec_context(const void *input_token, size_t bufsize,
375 struct gss_api_mech *mech,
376 struct gss_ctx **ctx_id,
380 if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask)))
382 (*ctx_id)->mech_type = gss_mech_get(mech);
384 return mech->gm_ops->gss_import_sec_context(input_token, bufsize,
385 *ctx_id, endtime, gfp_mask);
388 /* gss_get_mic: compute a mic over message and return mic_token. */
391 gss_get_mic(struct gss_ctx *context_handle,
392 struct xdr_buf *message,
393 struct xdr_netobj *mic_token)
395 return context_handle->mech_type->gm_ops
396 ->gss_get_mic(context_handle,
401 /* gss_verify_mic: check whether the provided mic_token verifies message. */
404 gss_verify_mic(struct gss_ctx *context_handle,
405 struct xdr_buf *message,
406 struct xdr_netobj *mic_token)
408 return context_handle->mech_type->gm_ops
409 ->gss_verify_mic(context_handle,
415 * This function is called from both the client and server code.
416 * Each makes guarantees about how much "slack" space is available
417 * for the underlying function in "buf"'s head and tail while
418 * performing the wrap.
420 * The client and server code allocate RPC_MAX_AUTH_SIZE extra
421 * space in both the head and tail which is available for use by
424 * Underlying functions should verify they do not use more than
425 * RPC_MAX_AUTH_SIZE of extra space in either the head or tail
426 * when performing the wrap.
429 gss_wrap(struct gss_ctx *ctx_id,
432 struct page **inpages)
434 return ctx_id->mech_type->gm_ops
435 ->gss_wrap(ctx_id, offset, buf, inpages);
439 gss_unwrap(struct gss_ctx *ctx_id,
443 return ctx_id->mech_type->gm_ops
444 ->gss_unwrap(ctx_id, offset, buf);
448 /* gss_delete_sec_context: free all resources associated with context_handle.
449 * Note this differs from the RFC 2744-specified prototype in that we don't
450 * bother returning an output token, since it would never be used anyway. */
453 gss_delete_sec_context(struct gss_ctx **context_handle)
455 dprintk("RPC: gss_delete_sec_context deleting %p\n",
458 if (!*context_handle)
459 return GSS_S_NO_CONTEXT;
460 if ((*context_handle)->internal_ctx_id)
461 (*context_handle)->mech_type->gm_ops
462 ->gss_delete_sec_context((*context_handle)
464 gss_mech_put((*context_handle)->mech_type);
465 kfree(*context_handle);
466 *context_handle=NULL;
467 return GSS_S_COMPLETE;