aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@fieldses.org>2005-10-13 16:55:13 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2005-10-19 02:19:46 -0400
commit14ae162c24d985593d5b19437d7f3d8fd0062b59 (patch)
tree750fbc08e6a6e0cb00bfad7c871144a757ac43de
parentbfa91516b57483fc9c81d8d90325fd2c3c16ac48 (diff)
RPCSEC_GSS: Add support for privacy to krb5 rpcsec_gss mechanism.
Add support for privacy to the krb5 rpcsec_gss mechanism. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--include/linux/sunrpc/gss_krb5.h18
-rw-r--r--net/sunrpc/auth_gss/Makefile2
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_crypto.c156
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c7
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c4
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c2
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c370
7 files changed, 552 insertions, 7 deletions
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index cb35833e2ae3..7f93c2d5ebdb 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -116,7 +116,7 @@ enum seal_alg {
116 116
117s32 117s32
118make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body, 118make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
119 struct xdr_netobj *cksum); 119 int body_offset, struct xdr_netobj *cksum);
120 120
121u32 121u32
122krb5_make_token(struct krb5_ctx *context_handle, int qop_req, 122krb5_make_token(struct krb5_ctx *context_handle, int qop_req,
@@ -129,6 +129,15 @@ krb5_read_token(struct krb5_ctx *context_handle,
129 struct xdr_buf *message_buffer, int *qop_state); 129 struct xdr_buf *message_buffer, int *qop_state);
130 130
131u32 131u32
132gss_wrap_kerberos(struct gss_ctx *ctx_id, u32 qop, int offset,
133 struct xdr_buf *outbuf, struct page **pages);
134
135u32
136gss_unwrap_kerberos(struct gss_ctx *ctx_id, u32 *qop, int offset,
137 struct xdr_buf *buf);
138
139
140u32
132krb5_encrypt(struct crypto_tfm * key, 141krb5_encrypt(struct crypto_tfm * key,
133 void *iv, void *in, void *out, int length); 142 void *iv, void *in, void *out, int length);
134 143
@@ -136,6 +145,13 @@ u32
136krb5_decrypt(struct crypto_tfm * key, 145krb5_decrypt(struct crypto_tfm * key,
137 void *iv, void *in, void *out, int length); 146 void *iv, void *in, void *out, int length);
138 147
148int
149gss_encrypt_xdr_buf(struct crypto_tfm *tfm, struct xdr_buf *outbuf, int offset,
150 struct page **pages);
151
152int
153gss_decrypt_xdr_buf(struct crypto_tfm *tfm, struct xdr_buf *inbuf, int offset);
154
139s32 155s32
140krb5_make_seq_num(struct crypto_tfm * key, 156krb5_make_seq_num(struct crypto_tfm * key,
141 int direction, 157 int direction,
diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile
index fe1b874084bc..f3431a7e33da 100644
--- a/net/sunrpc/auth_gss/Makefile
+++ b/net/sunrpc/auth_gss/Makefile
@@ -10,7 +10,7 @@ auth_rpcgss-objs := auth_gss.o gss_generic_token.o \
10obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o 10obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
11 11
12rpcsec_gss_krb5-objs := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \ 12rpcsec_gss_krb5-objs := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
13 gss_krb5_seqnum.o 13 gss_krb5_seqnum.o gss_krb5_wrap.o
14 14
15obj-$(CONFIG_RPCSEC_GSS_SPKM3) += rpcsec_gss_spkm3.o 15obj-$(CONFIG_RPCSEC_GSS_SPKM3) += rpcsec_gss_spkm3.o
16 16
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 2baf93f8b8f5..3f3d5437f02d 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -218,7 +218,7 @@ checksummer(struct scatterlist *sg, void *data)
218/* checksum the plaintext data and hdrlen bytes of the token header */ 218/* checksum the plaintext data and hdrlen bytes of the token header */
219s32 219s32
220make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body, 220make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
221 struct xdr_netobj *cksum) 221 int body_offset, struct xdr_netobj *cksum)
222{ 222{
223 char *cksumname; 223 char *cksumname;
224 struct crypto_tfm *tfm = NULL; /* XXX add to ctx? */ 224 struct crypto_tfm *tfm = NULL; /* XXX add to ctx? */
@@ -243,7 +243,8 @@ make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
243 crypto_digest_init(tfm); 243 crypto_digest_init(tfm);
244 buf_to_sg(sg, header, hdrlen); 244 buf_to_sg(sg, header, hdrlen);
245 crypto_digest_update(tfm, sg, 1); 245 crypto_digest_update(tfm, sg, 1);
246 process_xdr_buf(body, 0, body->len, checksummer, tfm); 246 process_xdr_buf(body, body_offset, body->len - body_offset,
247 checksummer, tfm);
247 crypto_digest_final(tfm, cksum->data); 248 crypto_digest_final(tfm, cksum->data);
248 code = 0; 249 code = 0;
249out: 250out:
@@ -252,3 +253,154 @@ out:
252} 253}
253 254
254EXPORT_SYMBOL(make_checksum); 255EXPORT_SYMBOL(make_checksum);
256
257struct encryptor_desc {
258 u8 iv[8]; /* XXX hard-coded blocksize */
259 struct crypto_tfm *tfm;
260 int pos;
261 struct xdr_buf *outbuf;
262 struct page **pages;
263 struct scatterlist infrags[4];
264 struct scatterlist outfrags[4];
265 int fragno;
266 int fraglen;
267};
268
269static int
270encryptor(struct scatterlist *sg, void *data)
271{
272 struct encryptor_desc *desc = data;
273 struct xdr_buf *outbuf = desc->outbuf;
274 struct page *in_page;
275 int thislen = desc->fraglen + sg->length;
276 int fraglen, ret;
277 int page_pos;
278
279 /* Worst case is 4 fragments: head, end of page 1, start
280 * of page 2, tail. Anything more is a bug. */
281 BUG_ON(desc->fragno > 3);
282 desc->infrags[desc->fragno] = *sg;
283 desc->outfrags[desc->fragno] = *sg;
284
285 page_pos = desc->pos - outbuf->head[0].iov_len;
286 if (page_pos >= 0 && page_pos < outbuf->page_len) {
287 /* pages are not in place: */
288 int i = (page_pos + outbuf->page_base) >> PAGE_CACHE_SHIFT;
289 in_page = desc->pages[i];
290 } else {
291 in_page = sg->page;
292 }
293 desc->infrags[desc->fragno].page = in_page;
294 desc->fragno++;
295 desc->fraglen += sg->length;
296 desc->pos += sg->length;
297
298 fraglen = thislen & 7; /* XXX hardcoded blocksize */
299 thislen -= fraglen;
300
301 if (thislen == 0)
302 return 0;
303
304 ret = crypto_cipher_encrypt_iv(desc->tfm, desc->outfrags, desc->infrags,
305 thislen, desc->iv);
306 if (ret)
307 return ret;
308 if (fraglen) {
309 desc->outfrags[0].page = sg->page;
310 desc->outfrags[0].offset = sg->offset + sg->length - fraglen;
311 desc->outfrags[0].length = fraglen;
312 desc->infrags[0] = desc->outfrags[0];
313 desc->infrags[0].page = in_page;
314 desc->fragno = 1;
315 desc->fraglen = fraglen;
316 } else {
317 desc->fragno = 0;
318 desc->fraglen = 0;
319 }
320 return 0;
321}
322
323int
324gss_encrypt_xdr_buf(struct crypto_tfm *tfm, struct xdr_buf *buf, int offset,
325 struct page **pages)
326{
327 int ret;
328 struct encryptor_desc desc;
329
330 BUG_ON((buf->len - offset) % crypto_tfm_alg_blocksize(tfm) != 0);
331
332 memset(desc.iv, 0, sizeof(desc.iv));
333 desc.tfm = tfm;
334 desc.pos = offset;
335 desc.outbuf = buf;
336 desc.pages = pages;
337 desc.fragno = 0;
338 desc.fraglen = 0;
339
340 ret = process_xdr_buf(buf, offset, buf->len - offset, encryptor, &desc);
341 return ret;
342}
343
344EXPORT_SYMBOL(gss_encrypt_xdr_buf);
345
346struct decryptor_desc {
347 u8 iv[8]; /* XXX hard-coded blocksize */
348 struct crypto_tfm *tfm;
349 struct scatterlist frags[4];
350 int fragno;
351 int fraglen;
352};
353
354static int
355decryptor(struct scatterlist *sg, void *data)
356{
357 struct decryptor_desc *desc = data;
358 int thislen = desc->fraglen + sg->length;
359 int fraglen, ret;
360
361 /* Worst case is 4 fragments: head, end of page 1, start
362 * of page 2, tail. Anything more is a bug. */
363 BUG_ON(desc->fragno > 3);
364 desc->frags[desc->fragno] = *sg;
365 desc->fragno++;
366 desc->fraglen += sg->length;
367
368 fraglen = thislen & 7; /* XXX hardcoded blocksize */
369 thislen -= fraglen;
370
371 if (thislen == 0)
372 return 0;
373
374 ret = crypto_cipher_decrypt_iv(desc->tfm, desc->frags, desc->frags,
375 thislen, desc->iv);
376 if (ret)
377 return ret;
378 if (fraglen) {
379 desc->frags[0].page = sg->page;
380 desc->frags[0].offset = sg->offset + sg->length - fraglen;
381 desc->frags[0].length = fraglen;
382 desc->fragno = 1;
383 desc->fraglen = fraglen;
384 } else {
385 desc->fragno = 0;
386 desc->fraglen = 0;
387 }
388 return 0;
389}
390
391int
392gss_decrypt_xdr_buf(struct crypto_tfm *tfm, struct xdr_buf *buf, int offset)
393{
394 struct decryptor_desc desc;
395
396 /* XXXJBF: */
397 BUG_ON((buf->len - offset) % crypto_tfm_alg_blocksize(tfm) != 0);
398
399 memset(desc.iv, 0, sizeof(desc.iv));
400 desc.tfm = tfm;
401 desc.fragno = 0;
402 desc.fraglen = 0;
403 return process_xdr_buf(buf, offset, buf->len - offset, decryptor, &desc);
404}
405
406EXPORT_SYMBOL(gss_decrypt_xdr_buf);
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 8b9066fdfda5..37a9ad97ccd4 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -226,6 +226,8 @@ static struct gss_api_ops gss_kerberos_ops = {
226 .gss_import_sec_context = gss_import_sec_context_kerberos, 226 .gss_import_sec_context = gss_import_sec_context_kerberos,
227 .gss_get_mic = gss_get_mic_kerberos, 227 .gss_get_mic = gss_get_mic_kerberos,
228 .gss_verify_mic = gss_verify_mic_kerberos, 228 .gss_verify_mic = gss_verify_mic_kerberos,
229 .gss_wrap = gss_wrap_kerberos,
230 .gss_unwrap = gss_unwrap_kerberos,
229 .gss_delete_sec_context = gss_delete_sec_context_kerberos, 231 .gss_delete_sec_context = gss_delete_sec_context_kerberos,
230}; 232};
231 233
@@ -240,6 +242,11 @@ static struct pf_desc gss_kerberos_pfs[] = {
240 .service = RPC_GSS_SVC_INTEGRITY, 242 .service = RPC_GSS_SVC_INTEGRITY,
241 .name = "krb5i", 243 .name = "krb5i",
242 }, 244 },
245 [2] = {
246 .pseudoflavor = RPC_AUTH_GSS_KRB5P,
247 .service = RPC_GSS_SVC_PRIVACY,
248 .name = "krb5p",
249 },
243}; 250};
244 251
245static struct gss_api_mech gss_kerberos_mech = { 252static struct gss_api_mech gss_kerberos_mech = {
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index 2511834e6e52..fb852d9ab06f 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -116,8 +116,8 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
116 *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg); 116 *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg);
117 memset(krb5_hdr + 4, 0xff, 4); 117 memset(krb5_hdr + 4, 0xff, 4);
118 118
119 if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum)) 119 if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum))
120 goto out_err; 120 goto out_err;
121 121
122 switch (ctx->signalg) { 122 switch (ctx->signalg) {
123 case SGN_ALG_DES_MAC_MD5: 123 case SGN_ALG_DES_MAC_MD5:
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 19eba3df6607..c3d6d1bc100c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -136,7 +136,7 @@ krb5_read_token(struct krb5_ctx *ctx,
136 switch (signalg) { 136 switch (signalg) {
137 case SGN_ALG_DES_MAC_MD5: 137 case SGN_ALG_DES_MAC_MD5:
138 ret = make_checksum(checksum_type, ptr - 2, 8, 138 ret = make_checksum(checksum_type, ptr - 2, 8,
139 message_buffer, &md5cksum); 139 message_buffer, 0, &md5cksum);
140 if (ret) 140 if (ret)
141 goto out; 141 goto out;
142 142
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
new file mode 100644
index 000000000000..ddcde6e42b23
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -0,0 +1,370 @@
1#include <linux/types.h>
2#include <linux/slab.h>
3#include <linux/jiffies.h>
4#include <linux/sunrpc/gss_krb5.h>
5#include <linux/random.h>
6#include <linux/pagemap.h>
7#include <asm/scatterlist.h>
8#include <linux/crypto.h>
9
10#ifdef RPC_DEBUG
11# define RPCDBG_FACILITY RPCDBG_AUTH
12#endif
13
14static inline int
15gss_krb5_padding(int blocksize, int length)
16{
17 /* Most of the code is block-size independent but currently we
18 * use only 8: */
19 BUG_ON(blocksize != 8);
20 return 8 - (length & 7);
21}
22
23static inline void
24gss_krb5_add_padding(struct xdr_buf *buf, int offset, int blocksize)
25{
26 int padding = gss_krb5_padding(blocksize, buf->len - offset);
27 char *p;
28 struct kvec *iov;
29
30 if (buf->page_len || buf->tail[0].iov_len)
31 iov = &buf->tail[0];
32 else
33 iov = &buf->head[0];
34 p = iov->iov_base + iov->iov_len;
35 iov->iov_len += padding;
36 buf->len += padding;
37 memset(p, padding, padding);
38}
39
40static inline int
41gss_krb5_remove_padding(struct xdr_buf *buf, int blocksize)
42{
43 u8 *ptr;
44 u8 pad;
45 int len = buf->len;
46
47 if (len <= buf->head[0].iov_len) {
48 pad = *(u8 *)(buf->head[0].iov_base + len - 1);
49 if (pad > buf->head[0].iov_len)
50 return -EINVAL;
51 buf->head[0].iov_len -= pad;
52 goto out;
53 } else
54 len -= buf->head[0].iov_len;
55 if (len <= buf->page_len) {
56 int last = (buf->page_base + len - 1)
57 >>PAGE_CACHE_SHIFT;
58 int offset = (buf->page_base + len - 1)
59 & (PAGE_CACHE_SIZE - 1);
60 ptr = kmap_atomic(buf->pages[last], KM_SKB_SUNRPC_DATA);
61 pad = *(ptr + offset);
62 kunmap_atomic(ptr, KM_SKB_SUNRPC_DATA);
63 goto out;
64 } else
65 len -= buf->page_len;
66 BUG_ON(len > buf->tail[0].iov_len);
67 pad = *(u8 *)(buf->tail[0].iov_base + len - 1);
68out:
69 /* XXX: NOTE: we do not adjust the page lengths--they represent
70 * a range of data in the real filesystem page cache, and we need
71 * to know that range so the xdr code can properly place read data.
72 * However adjusting the head length, as we do above, is harmless.
73 * In the case of a request that fits into a single page, the server
74 * also uses length and head length together to determine the original
75 * start of the request to copy the request for deferal; so it's
76 * easier on the server if we adjust head and tail length in tandem.
77 * It's not really a problem that we don't fool with the page and
78 * tail lengths, though--at worst badly formed xdr might lead the
79 * server to attempt to parse the padding.
80 * XXX: Document all these weird requirements for gss mechanism
81 * wrap/unwrap functions. */
82 if (pad > blocksize)
83 return -EINVAL;
84 if (buf->len > pad)
85 buf->len -= pad;
86 else
87 return -EINVAL;
88 return 0;
89}
90
91static inline void
92make_confounder(char *p, int blocksize)
93{
94 static u64 i = 0;
95 u64 *q = (u64 *)p;
96
97 /* rfc1964 claims this should be "random". But all that's really
98 * necessary is that it be unique. And not even that is necessary in
99 * our case since our "gssapi" implementation exists only to support
100 * rpcsec_gss, so we know that the only buffers we will ever encrypt
101 * already begin with a unique sequence number. Just to hedge my bets
102 * I'll make a half-hearted attempt at something unique, but ensuring
103 * uniqueness would mean worrying about atomicity and rollover, and I
104 * don't care enough. */
105
106 BUG_ON(blocksize != 8);
107 *q = i++;
108}
109
110/* Assumptions: the head and tail of inbuf are ours to play with.
111 * The pages, however, may be real pages in the page cache and we replace
112 * them with scratch pages from **pages before writing to them. */
113/* XXX: obviously the above should be documentation of wrap interface,
114 * and shouldn't be in this kerberos-specific file. */
115
116/* XXX factor out common code with seal/unseal. */
117
118u32
119gss_wrap_kerberos(struct gss_ctx *ctx, u32 qop, int offset,
120 struct xdr_buf *buf, struct page **pages)
121{
122 struct krb5_ctx *kctx = ctx->internal_ctx_id;
123 s32 checksum_type;
124 struct xdr_netobj md5cksum = {.len = 0, .data = NULL};
125 int blocksize = 0, plainlen;
126 unsigned char *ptr, *krb5_hdr, *msg_start;
127 s32 now;
128 int headlen;
129 struct page **tmp_pages;
130
131 dprintk("RPC: gss_wrap_kerberos\n");
132
133 now = get_seconds();
134
135 if (qop != 0)
136 goto out_err;
137
138 switch (kctx->signalg) {
139 case SGN_ALG_DES_MAC_MD5:
140 checksum_type = CKSUMTYPE_RSA_MD5;
141 break;
142 default:
143 dprintk("RPC: gss_krb5_seal: kctx->signalg %d not"
144 " supported\n", kctx->signalg);
145 goto out_err;
146 }
147 if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
148 dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n",
149 kctx->sealalg);
150 goto out_err;
151 }
152
153 blocksize = crypto_tfm_alg_blocksize(kctx->enc);
154 gss_krb5_add_padding(buf, offset, blocksize);
155 BUG_ON((buf->len - offset) % blocksize);
156 plainlen = blocksize + buf->len - offset;
157
158 headlen = g_token_size(&kctx->mech_used, 22 + plainlen) -
159 (buf->len - offset);
160
161 ptr = buf->head[0].iov_base + offset;
162 /* shift data to make room for header. */
163 /* XXX Would be cleverer to encrypt while copying. */
164 /* XXX bounds checking, slack, etc. */
165 memmove(ptr + headlen, ptr, buf->head[0].iov_len - offset);
166 buf->head[0].iov_len += headlen;
167 buf->len += headlen;
168 BUG_ON((buf->len - offset - headlen) % blocksize);
169
170 g_make_token_header(&kctx->mech_used, 22 + plainlen, &ptr);
171
172
173 *ptr++ = (unsigned char) ((KG_TOK_WRAP_MSG>>8)&0xff);
174 *ptr++ = (unsigned char) (KG_TOK_WRAP_MSG&0xff);
175
176 /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */
177 krb5_hdr = ptr - 2;
178 msg_start = krb5_hdr + 24;
179 /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize);
180
181 *(u16 *)(krb5_hdr + 2) = htons(kctx->signalg);
182 memset(krb5_hdr + 4, 0xff, 4);
183 *(u16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
184
185 make_confounder(msg_start, blocksize);
186
187 /* XXXJBF: UGH!: */
188 tmp_pages = buf->pages;
189 buf->pages = pages;
190 if (make_checksum(checksum_type, krb5_hdr, 8, buf,
191 offset + headlen - blocksize, &md5cksum))
192 goto out_err;
193 buf->pages = tmp_pages;
194
195 switch (kctx->signalg) {
196 case SGN_ALG_DES_MAC_MD5:
197 if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
198 md5cksum.data, md5cksum.len))
199 goto out_err;
200 memcpy(krb5_hdr + 16,
201 md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
202 KRB5_CKSUM_LENGTH);
203
204 dprintk("RPC: make_seal_token: cksum data: \n");
205 print_hexl((u32 *) (krb5_hdr + 16), KRB5_CKSUM_LENGTH, 0);
206 break;
207 default:
208 BUG();
209 }
210
211 kfree(md5cksum.data);
212
213 /* XXX would probably be more efficient to compute checksum
214 * and encrypt at the same time: */
215 if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
216 kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8)))
217 goto out_err;
218
219 if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
220 pages))
221 goto out_err;
222
223 kctx->seq_send++;
224
225 return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
226out_err:
227 if (md5cksum.data) kfree(md5cksum.data);
228 return GSS_S_FAILURE;
229}
230
231u32
232gss_unwrap_kerberos(struct gss_ctx *ctx, u32 *qop, int offset,
233 struct xdr_buf *buf)
234{
235 struct krb5_ctx *kctx = ctx->internal_ctx_id;
236 int signalg;
237 int sealalg;
238 s32 checksum_type;
239 struct xdr_netobj md5cksum = {.len = 0, .data = NULL};
240 s32 now;
241 int direction;
242 s32 seqnum;
243 unsigned char *ptr;
244 int bodysize;
245 u32 ret = GSS_S_DEFECTIVE_TOKEN;
246 void *data_start, *orig_start;
247 int data_len;
248 int blocksize;
249
250 dprintk("RPC: gss_unwrap_kerberos\n");
251
252 ptr = (u8 *)buf->head[0].iov_base + offset;
253 if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr,
254 buf->len - offset))
255 goto out;
256
257 if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) ||
258 (*ptr++ != (KG_TOK_WRAP_MSG &0xff)) )
259 goto out;
260
261 /* XXX sanity-check bodysize?? */
262
263 /* get the sign and seal algorithms */
264
265 signalg = ptr[0] + (ptr[1] << 8);
266 sealalg = ptr[2] + (ptr[3] << 8);
267
268 /* Sanity checks */
269
270 if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
271 goto out;
272
273 if (sealalg == 0xffff)
274 goto out;
275
276 /* in the current spec, there is only one valid seal algorithm per
277 key type, so a simple comparison is ok */
278
279 if (sealalg != kctx->sealalg)
280 goto out;
281
282 /* there are several mappings of seal algorithms to sign algorithms,
283 but few enough that we can try them all. */
284
285 if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
286 (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
287 (kctx->sealalg == SEAL_ALG_DES3KD &&
288 signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
289 goto out;
290
291 if (gss_decrypt_xdr_buf(kctx->enc, buf,
292 ptr + 22 - (unsigned char *)buf->head[0].iov_base))
293 goto out;
294
295 /* compute the checksum of the message */
296
297 /* initialize the the cksum */
298 switch (signalg) {
299 case SGN_ALG_DES_MAC_MD5:
300 checksum_type = CKSUMTYPE_RSA_MD5;
301 break;
302 default:
303 ret = GSS_S_DEFECTIVE_TOKEN;
304 goto out;
305 }
306
307 switch (signalg) {
308 case SGN_ALG_DES_MAC_MD5:
309 ret = make_checksum(checksum_type, ptr - 2, 8, buf,
310 ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
311 if (ret)
312 goto out;
313
314 ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
315 md5cksum.data, md5cksum.len);
316 if (ret)
317 goto out;
318
319 if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
320 ret = GSS_S_BAD_SIG;
321 goto out;
322 }
323 break;
324 default:
325 ret = GSS_S_DEFECTIVE_TOKEN;
326 goto out;
327 }
328
329 /* it got through unscathed. Make sure the context is unexpired */
330
331 if (qop)
332 *qop = GSS_C_QOP_DEFAULT;
333
334 now = get_seconds();
335
336 ret = GSS_S_CONTEXT_EXPIRED;
337 if (now > kctx->endtime)
338 goto out;
339
340 /* do sequencing checks */
341
342 ret = GSS_S_BAD_SIG;
343 if ((ret = krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction,
344 &seqnum)))
345 goto out;
346
347 if ((kctx->initiate && direction != 0xff) ||
348 (!kctx->initiate && direction != 0))
349 goto out;
350
351 /* Copy the data back to the right position. XXX: Would probably be
352 * better to copy and encrypt at the same time. */
353
354 blocksize = crypto_tfm_alg_blocksize(kctx->enc);
355 data_start = ptr + 22 + blocksize;
356 orig_start = buf->head[0].iov_base + offset;
357 data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
358 memmove(orig_start, data_start, data_len);
359 buf->head[0].iov_len -= (data_start - orig_start);
360 buf->len -= (data_start - orig_start);
361
362 ret = GSS_S_DEFECTIVE_TOKEN;
363 if (gss_krb5_remove_padding(buf, blocksize))
364 goto out;
365
366 ret = GSS_S_COMPLETE;
367out:
368 if (md5cksum.data) kfree(md5cksum.data);
369 return ret;
370}