1 // SPDX-License-Identifier: LGPL-2.1
2 /*
3 * SPNEGO upcall management for CIFS
4 *
5 * Copyright (c) 2007 Red Hat, Inc.
6 * Author(s): Jeff Layton (jlayton@redhat.com)
7 *
8 */
9
10 #include <linux/list.h>
11 #include <linux/slab.h>
12 #include <linux/string.h>
13 #include <keys/user-type.h>
14 #include <linux/key-type.h>
15 #include <linux/keyctl.h>
16 #include <linux/inet.h>
17 #include "cifsglob.h"
18 #include "cifs_spnego.h"
19 #include "cifs_debug.h"
20 #include "cifsproto.h"
21 static const struct cred *spnego_cred;
22
23 /* create a new cifs key */
24 static int
cifs_spnego_key_instantiate(struct key * key,struct key_preparsed_payload * prep)25 cifs_spnego_key_instantiate(struct key *key, struct key_preparsed_payload *prep)
26 {
27 char *payload = kmemdup(prep->data, prep->datalen, GFP_KERNEL);
28
29 if (!payload)
30 return -ENOMEM;
31
32 /* attach the data */
33 key->payload.data[0] = payload;
34 return 0;
35 }
36
37 static void
cifs_spnego_key_destroy(struct key * key)38 cifs_spnego_key_destroy(struct key *key)
39 {
40 kfree(key->payload.data[0]);
41 }
42
43
44 /*
45 * keytype for CIFS spnego keys
46 */
47 struct key_type cifs_spnego_key_type = {
48 .name = "cifs.spnego",
49 .instantiate = cifs_spnego_key_instantiate,
50 .destroy = cifs_spnego_key_destroy,
51 .describe = user_describe,
52 };
53
54 /* length of longest version string e.g. strlen("ver=0xFF") */
55 #define MAX_VER_STR_LEN 8
56
57 /* length of longest security mechanism name, eg in future could have
58 * strlen(";sec=ntlmsspi") */
59 #define MAX_MECH_STR_LEN 13
60
61 /* strlen of ";host=" */
62 #define HOST_KEY_LEN 6
63
64 /* strlen of ";ip4=" or ";ip6=" */
65 #define IP_KEY_LEN 5
66
67 /* strlen of ";uid=0x" */
68 #define UID_KEY_LEN 7
69
70 /* strlen of ";creduid=0x" */
71 #define CREDUID_KEY_LEN 11
72
73 /* strlen of ";user=" */
74 #define USER_KEY_LEN 6
75
76 /* strlen of ";pid=0x" */
77 #define PID_KEY_LEN 7
78
79 /* strlen of ";upcall_target=" */
80 #define UPCALL_TARGET_KEY_LEN 15
81
82 /* get a key struct with a SPNEGO security blob, suitable for session setup */
83 struct key *
cifs_get_spnego_key(struct cifs_ses * sesInfo,struct TCP_Server_Info * server)84 cifs_get_spnego_key(struct cifs_ses *sesInfo,
85 struct TCP_Server_Info *server)
86 {
87 struct sockaddr_in *sa = (struct sockaddr_in *) &server->dstaddr;
88 struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *) &server->dstaddr;
89 char *description, *dp;
90 size_t desc_len;
91 struct key *spnego_key;
92 const char *hostname = server->hostname;
93 const struct cred *saved_cred;
94
95 /* length of fields (with semicolons): ver=0xyz ip4=ipaddress
96 host=hostname sec=mechanism uid=0xFF user=username */
97 desc_len = MAX_VER_STR_LEN +
98 HOST_KEY_LEN + strlen(hostname) +
99 IP_KEY_LEN + INET6_ADDRSTRLEN +
100 MAX_MECH_STR_LEN +
101 UID_KEY_LEN + (sizeof(uid_t) * 2) +
102 CREDUID_KEY_LEN + (sizeof(uid_t) * 2) +
103 PID_KEY_LEN + (sizeof(pid_t) * 2) + 1;
104
105 if (sesInfo->user_name)
106 desc_len += USER_KEY_LEN + strlen(sesInfo->user_name);
107
108 if (sesInfo->upcall_target == UPTARGET_MOUNT)
109 desc_len += UPCALL_TARGET_KEY_LEN + 5; // strlen("mount")
110 else
111 desc_len += UPCALL_TARGET_KEY_LEN + 3; // strlen("app")
112
113 spnego_key = ERR_PTR(-ENOMEM);
114 description = kzalloc(desc_len, GFP_KERNEL);
115 if (description == NULL)
116 goto out;
117
118 dp = description;
119 /* start with version and hostname portion of UNC string */
120 spnego_key = ERR_PTR(-EINVAL);
121 dp += sprintf(dp, "ver=0x%x;host=%s;", CIFS_SPNEGO_UPCALL_VERSION,
122 hostname);
123
124 /* add the server address */
125 if (server->dstaddr.ss_family == AF_INET)
126 dp += sprintf(dp, "ip4=%pI4", &sa->sin_addr);
127 else if (server->dstaddr.ss_family == AF_INET6)
128 dp += sprintf(dp, "ip6=%pI6", &sa6->sin6_addr);
129 else
130 goto out;
131
132 /* for now, only sec=krb5 and sec=mskrb5 and iakerb are valid */
133 if (server->sec_kerberos)
134 dp += sprintf(dp, ";sec=krb5");
135 else if (server->sec_mskerberos)
136 dp += sprintf(dp, ";sec=mskrb5");
137 else if (server->sec_iakerb)
138 dp += sprintf(dp, ";sec=iakerb");
139 else {
140 cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
141 dp += sprintf(dp, ";sec=krb5");
142 }
143
144 dp += sprintf(dp, ";uid=0x%x",
145 from_kuid_munged(&init_user_ns, sesInfo->linux_uid));
146
147 dp += sprintf(dp, ";creduid=0x%x",
148 from_kuid_munged(&init_user_ns, sesInfo->cred_uid));
149
150 if (sesInfo->user_name)
151 dp += sprintf(dp, ";user=%s", sesInfo->user_name);
152
153 dp += sprintf(dp, ";pid=0x%x", current->pid);
154
155 if (sesInfo->upcall_target == UPTARGET_MOUNT)
156 dp += sprintf(dp, ";upcall_target=mount");
157 else
158 dp += sprintf(dp, ";upcall_target=app");
159
160 cifs_dbg(FYI, "key description = %s\n", description);
161 saved_cred = override_creds(spnego_cred);
162 spnego_key = request_key(&cifs_spnego_key_type, description, "");
163 revert_creds(saved_cred);
164
165 #ifdef CONFIG_CIFS_DEBUG2
166 if (cifsFYI && !IS_ERR(spnego_key)) {
167 struct cifs_spnego_msg *msg = spnego_key->payload.data[0];
168 cifs_dump_mem("SPNEGO reply blob:", msg->data, min(1024U,
169 msg->secblob_len + msg->sesskey_len));
170 }
171 #endif /* CONFIG_CIFS_DEBUG2 */
172
173 out:
174 kfree(description);
175 return spnego_key;
176 }
177
178 int
init_cifs_spnego(void)179 init_cifs_spnego(void)
180 {
181 struct cred *cred;
182 struct key *keyring;
183 int ret;
184
185 cifs_dbg(FYI, "Registering the %s key type\n",
186 cifs_spnego_key_type.name);
187
188 /*
189 * Create an override credential set with special thread keyring for
190 * spnego upcalls.
191 */
192
193 cred = prepare_kernel_cred(&init_task);
194 if (!cred)
195 return -ENOMEM;
196
197 keyring = keyring_alloc(".cifs_spnego",
198 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
199 (KEY_POS_ALL & ~KEY_POS_SETATTR) |
200 KEY_USR_VIEW | KEY_USR_READ,
201 KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
202 if (IS_ERR(keyring)) {
203 ret = PTR_ERR(keyring);
204 goto failed_put_cred;
205 }
206
207 ret = register_key_type(&cifs_spnego_key_type);
208 if (ret < 0)
209 goto failed_put_key;
210
211 /*
212 * instruct request_key() to use this special keyring as a cache for
213 * the results it looks up
214 */
215 set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
216 cred->thread_keyring = keyring;
217 cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
218 spnego_cred = cred;
219
220 cifs_dbg(FYI, "cifs spnego keyring: %d\n", key_serial(keyring));
221 return 0;
222
223 failed_put_key:
224 key_put(keyring);
225 failed_put_cred:
226 put_cred(cred);
227 return ret;
228 }
229
230 void
exit_cifs_spnego(void)231 exit_cifs_spnego(void)
232 {
233 key_revoke(spnego_cred->thread_keyring);
234 unregister_key_type(&cifs_spnego_key_type);
235 put_cred(spnego_cred);
236 cifs_dbg(FYI, "Unregistered %s key type\n", cifs_spnego_key_type.name);
237 }
238