diff options
| author | J. Bruce Fields <bfields@fieldses.org> | 2005-10-13 16:55:13 -0400 |
|---|---|---|
| committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2005-10-19 02:19:46 -0400 |
| commit | 14ae162c24d985593d5b19437d7f3d8fd0062b59 (patch) | |
| tree | 750fbc08e6a6e0cb00bfad7c871144a757ac43de /net/sunrpc/auth_gss/gss_krb5_wrap.c | |
| parent | bfa91516b57483fc9c81d8d90325fd2c3c16ac48 (diff) | |
RPCSEC_GSS: Add support for privacy to krb5 rpcsec_gss mechanism.
Add support for privacy to the krb5 rpcsec_gss mechanism.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss/gss_krb5_wrap.c')
| -rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 370 |
1 files changed, 370 insertions, 0 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c new file mode 100644 index 000000000000..ddcde6e42b23 --- /dev/null +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c | |||
| @@ -0,0 +1,370 @@ | |||
| 1 | #include <linux/types.h> | ||
| 2 | #include <linux/slab.h> | ||
| 3 | #include <linux/jiffies.h> | ||
| 4 | #include <linux/sunrpc/gss_krb5.h> | ||
| 5 | #include <linux/random.h> | ||
| 6 | #include <linux/pagemap.h> | ||
| 7 | #include <asm/scatterlist.h> | ||
| 8 | #include <linux/crypto.h> | ||
| 9 | |||
| 10 | #ifdef RPC_DEBUG | ||
| 11 | # define RPCDBG_FACILITY RPCDBG_AUTH | ||
| 12 | #endif | ||
| 13 | |||
| 14 | static inline int | ||
| 15 | gss_krb5_padding(int blocksize, int length) | ||
| 16 | { | ||
| 17 | /* Most of the code is block-size independent but currently we | ||
| 18 | * use only 8: */ | ||
| 19 | BUG_ON(blocksize != 8); | ||
| 20 | return 8 - (length & 7); | ||
| 21 | } | ||
| 22 | |||
| 23 | static inline void | ||
| 24 | gss_krb5_add_padding(struct xdr_buf *buf, int offset, int blocksize) | ||
| 25 | { | ||
| 26 | int padding = gss_krb5_padding(blocksize, buf->len - offset); | ||
| 27 | char *p; | ||
| 28 | struct kvec *iov; | ||
| 29 | |||
| 30 | if (buf->page_len || buf->tail[0].iov_len) | ||
| 31 | iov = &buf->tail[0]; | ||
| 32 | else | ||
| 33 | iov = &buf->head[0]; | ||
| 34 | p = iov->iov_base + iov->iov_len; | ||
| 35 | iov->iov_len += padding; | ||
| 36 | buf->len += padding; | ||
| 37 | memset(p, padding, padding); | ||
| 38 | } | ||
| 39 | |||
| 40 | static inline int | ||
| 41 | gss_krb5_remove_padding(struct xdr_buf *buf, int blocksize) | ||
| 42 | { | ||
| 43 | u8 *ptr; | ||
| 44 | u8 pad; | ||
| 45 | int len = buf->len; | ||
| 46 | |||
| 47 | if (len <= buf->head[0].iov_len) { | ||
| 48 | pad = *(u8 *)(buf->head[0].iov_base + len - 1); | ||
| 49 | if (pad > buf->head[0].iov_len) | ||
| 50 | return -EINVAL; | ||
| 51 | buf->head[0].iov_len -= pad; | ||
| 52 | goto out; | ||
| 53 | } else | ||
| 54 | len -= buf->head[0].iov_len; | ||
| 55 | if (len <= buf->page_len) { | ||
| 56 | int last = (buf->page_base + len - 1) | ||
| 57 | >>PAGE_CACHE_SHIFT; | ||
| 58 | int offset = (buf->page_base + len - 1) | ||
| 59 | & (PAGE_CACHE_SIZE - 1); | ||
| 60 | ptr = kmap_atomic(buf->pages[last], KM_SKB_SUNRPC_DATA); | ||
| 61 | pad = *(ptr + offset); | ||
| 62 | kunmap_atomic(ptr, KM_SKB_SUNRPC_DATA); | ||
| 63 | goto out; | ||
| 64 | } else | ||
| 65 | len -= buf->page_len; | ||
| 66 | BUG_ON(len > buf->tail[0].iov_len); | ||
| 67 | pad = *(u8 *)(buf->tail[0].iov_base + len - 1); | ||
| 68 | out: | ||
| 69 | /* XXX: NOTE: we do not adjust the page lengths--they represent | ||
| 70 | * a range of data in the real filesystem page cache, and we need | ||
| 71 | * to know that range so the xdr code can properly place read data. | ||
| 72 | * However adjusting the head length, as we do above, is harmless. | ||
| 73 | * In the case of a request that fits into a single page, the server | ||
| 74 | * also uses length and head length together to determine the original | ||
| 75 | * start of the request to copy the request for deferal; so it's | ||
| 76 | * easier on the server if we adjust head and tail length in tandem. | ||
| 77 | * It's not really a problem that we don't fool with the page and | ||
| 78 | * tail lengths, though--at worst badly formed xdr might lead the | ||
| 79 | * server to attempt to parse the padding. | ||
| 80 | * XXX: Document all these weird requirements for gss mechanism | ||
| 81 | * wrap/unwrap functions. */ | ||
| 82 | if (pad > blocksize) | ||
| 83 | return -EINVAL; | ||
| 84 | if (buf->len > pad) | ||
| 85 | buf->len -= pad; | ||
| 86 | else | ||
| 87 | return -EINVAL; | ||
| 88 | return 0; | ||
| 89 | } | ||
| 90 | |||
| 91 | static inline void | ||
| 92 | make_confounder(char *p, int blocksize) | ||
| 93 | { | ||
| 94 | static u64 i = 0; | ||
| 95 | u64 *q = (u64 *)p; | ||
| 96 | |||
| 97 | /* rfc1964 claims this should be "random". But all that's really | ||
| 98 | * necessary is that it be unique. And not even that is necessary in | ||
| 99 | * our case since our "gssapi" implementation exists only to support | ||
| 100 | * rpcsec_gss, so we know that the only buffers we will ever encrypt | ||
| 101 | * already begin with a unique sequence number. Just to hedge my bets | ||
| 102 | * I'll make a half-hearted attempt at something unique, but ensuring | ||
| 103 | * uniqueness would mean worrying about atomicity and rollover, and I | ||
| 104 | * don't care enough. */ | ||
| 105 | |||
| 106 | BUG_ON(blocksize != 8); | ||
| 107 | *q = i++; | ||
| 108 | } | ||
| 109 | |||
| 110 | /* Assumptions: the head and tail of inbuf are ours to play with. | ||
| 111 | * The pages, however, may be real pages in the page cache and we replace | ||
| 112 | * them with scratch pages from **pages before writing to them. */ | ||
| 113 | /* XXX: obviously the above should be documentation of wrap interface, | ||
| 114 | * and shouldn't be in this kerberos-specific file. */ | ||
| 115 | |||
| 116 | /* XXX factor out common code with seal/unseal. */ | ||
| 117 | |||
| 118 | u32 | ||
| 119 | gss_wrap_kerberos(struct gss_ctx *ctx, u32 qop, int offset, | ||
| 120 | struct xdr_buf *buf, struct page **pages) | ||
| 121 | { | ||
| 122 | struct krb5_ctx *kctx = ctx->internal_ctx_id; | ||
| 123 | s32 checksum_type; | ||
| 124 | struct xdr_netobj md5cksum = {.len = 0, .data = NULL}; | ||
| 125 | int blocksize = 0, plainlen; | ||
| 126 | unsigned char *ptr, *krb5_hdr, *msg_start; | ||
| 127 | s32 now; | ||
| 128 | int headlen; | ||
| 129 | struct page **tmp_pages; | ||
| 130 | |||
| 131 | dprintk("RPC: gss_wrap_kerberos\n"); | ||
| 132 | |||
| 133 | now = get_seconds(); | ||
| 134 | |||
| 135 | if (qop != 0) | ||
| 136 | goto out_err; | ||
| 137 | |||
| 138 | switch (kctx->signalg) { | ||
| 139 | case SGN_ALG_DES_MAC_MD5: | ||
| 140 | checksum_type = CKSUMTYPE_RSA_MD5; | ||
| 141 | break; | ||
| 142 | default: | ||
| 143 | dprintk("RPC: gss_krb5_seal: kctx->signalg %d not" | ||
| 144 | " supported\n", kctx->signalg); | ||
| 145 | goto out_err; | ||
| 146 | } | ||
| 147 | if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) { | ||
| 148 | dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n", | ||
| 149 | kctx->sealalg); | ||
| 150 | goto out_err; | ||
| 151 | } | ||
| 152 | |||
| 153 | blocksize = crypto_tfm_alg_blocksize(kctx->enc); | ||
| 154 | gss_krb5_add_padding(buf, offset, blocksize); | ||
| 155 | BUG_ON((buf->len - offset) % blocksize); | ||
| 156 | plainlen = blocksize + buf->len - offset; | ||
| 157 | |||
| 158 | headlen = g_token_size(&kctx->mech_used, 22 + plainlen) - | ||
| 159 | (buf->len - offset); | ||
| 160 | |||
| 161 | ptr = buf->head[0].iov_base + offset; | ||
| 162 | /* shift data to make room for header. */ | ||
| 163 | /* XXX Would be cleverer to encrypt while copying. */ | ||
| 164 | /* XXX bounds checking, slack, etc. */ | ||
| 165 | memmove(ptr + headlen, ptr, buf->head[0].iov_len - offset); | ||
| 166 | buf->head[0].iov_len += headlen; | ||
| 167 | buf->len += headlen; | ||
| 168 | BUG_ON((buf->len - offset - headlen) % blocksize); | ||
| 169 | |||
| 170 | g_make_token_header(&kctx->mech_used, 22 + plainlen, &ptr); | ||
| 171 | |||
| 172 | |||
| 173 | *ptr++ = (unsigned char) ((KG_TOK_WRAP_MSG>>8)&0xff); | ||
| 174 | *ptr++ = (unsigned char) (KG_TOK_WRAP_MSG&0xff); | ||
| 175 | |||
| 176 | /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */ | ||
| 177 | krb5_hdr = ptr - 2; | ||
| 178 | msg_start = krb5_hdr + 24; | ||
| 179 | /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize); | ||
| 180 | |||
| 181 | *(u16 *)(krb5_hdr + 2) = htons(kctx->signalg); | ||
| 182 | memset(krb5_hdr + 4, 0xff, 4); | ||
| 183 | *(u16 *)(krb5_hdr + 4) = htons(kctx->sealalg); | ||
| 184 | |||
| 185 | make_confounder(msg_start, blocksize); | ||
| 186 | |||
| 187 | /* XXXJBF: UGH!: */ | ||
| 188 | tmp_pages = buf->pages; | ||
| 189 | buf->pages = pages; | ||
| 190 | if (make_checksum(checksum_type, krb5_hdr, 8, buf, | ||
| 191 | offset + headlen - blocksize, &md5cksum)) | ||
| 192 | goto out_err; | ||
| 193 | buf->pages = tmp_pages; | ||
| 194 | |||
| 195 | switch (kctx->signalg) { | ||
| 196 | case SGN_ALG_DES_MAC_MD5: | ||
| 197 | if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, | ||
| 198 | md5cksum.data, md5cksum.len)) | ||
| 199 | goto out_err; | ||
| 200 | memcpy(krb5_hdr + 16, | ||
| 201 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, | ||
| 202 | KRB5_CKSUM_LENGTH); | ||
| 203 | |||
| 204 | dprintk("RPC: make_seal_token: cksum data: \n"); | ||
| 205 | print_hexl((u32 *) (krb5_hdr + 16), KRB5_CKSUM_LENGTH, 0); | ||
| 206 | break; | ||
| 207 | default: | ||
| 208 | BUG(); | ||
| 209 | } | ||
| 210 | |||
| 211 | kfree(md5cksum.data); | ||
| 212 | |||
| 213 | /* XXX would probably be more efficient to compute checksum | ||
| 214 | * and encrypt at the same time: */ | ||
| 215 | if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, | ||
| 216 | kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) | ||
| 217 | goto out_err; | ||
| 218 | |||
| 219 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, | ||
| 220 | pages)) | ||
| 221 | goto out_err; | ||
| 222 | |||
| 223 | kctx->seq_send++; | ||
| 224 | |||
| 225 | return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); | ||
| 226 | out_err: | ||
| 227 | if (md5cksum.data) kfree(md5cksum.data); | ||
| 228 | return GSS_S_FAILURE; | ||
| 229 | } | ||
| 230 | |||
| 231 | u32 | ||
| 232 | gss_unwrap_kerberos(struct gss_ctx *ctx, u32 *qop, int offset, | ||
| 233 | struct xdr_buf *buf) | ||
| 234 | { | ||
| 235 | struct krb5_ctx *kctx = ctx->internal_ctx_id; | ||
| 236 | int signalg; | ||
| 237 | int sealalg; | ||
| 238 | s32 checksum_type; | ||
| 239 | struct xdr_netobj md5cksum = {.len = 0, .data = NULL}; | ||
| 240 | s32 now; | ||
| 241 | int direction; | ||
| 242 | s32 seqnum; | ||
| 243 | unsigned char *ptr; | ||
| 244 | int bodysize; | ||
| 245 | u32 ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 246 | void *data_start, *orig_start; | ||
| 247 | int data_len; | ||
| 248 | int blocksize; | ||
| 249 | |||
| 250 | dprintk("RPC: gss_unwrap_kerberos\n"); | ||
| 251 | |||
| 252 | ptr = (u8 *)buf->head[0].iov_base + offset; | ||
| 253 | if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr, | ||
| 254 | buf->len - offset)) | ||
| 255 | goto out; | ||
| 256 | |||
| 257 | if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) || | ||
| 258 | (*ptr++ != (KG_TOK_WRAP_MSG &0xff)) ) | ||
| 259 | goto out; | ||
| 260 | |||
| 261 | /* XXX sanity-check bodysize?? */ | ||
| 262 | |||
| 263 | /* get the sign and seal algorithms */ | ||
| 264 | |||
| 265 | signalg = ptr[0] + (ptr[1] << 8); | ||
| 266 | sealalg = ptr[2] + (ptr[3] << 8); | ||
| 267 | |||
| 268 | /* Sanity checks */ | ||
| 269 | |||
| 270 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) | ||
| 271 | goto out; | ||
| 272 | |||
| 273 | if (sealalg == 0xffff) | ||
| 274 | goto out; | ||
| 275 | |||
| 276 | /* in the current spec, there is only one valid seal algorithm per | ||
| 277 | key type, so a simple comparison is ok */ | ||
| 278 | |||
| 279 | if (sealalg != kctx->sealalg) | ||
| 280 | goto out; | ||
| 281 | |||
| 282 | /* there are several mappings of seal algorithms to sign algorithms, | ||
| 283 | but few enough that we can try them all. */ | ||
| 284 | |||
| 285 | if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) || | ||
| 286 | (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || | ||
| 287 | (kctx->sealalg == SEAL_ALG_DES3KD && | ||
| 288 | signalg != SGN_ALG_HMAC_SHA1_DES3_KD)) | ||
| 289 | goto out; | ||
| 290 | |||
| 291 | if (gss_decrypt_xdr_buf(kctx->enc, buf, | ||
| 292 | ptr + 22 - (unsigned char *)buf->head[0].iov_base)) | ||
| 293 | goto out; | ||
| 294 | |||
| 295 | /* compute the checksum of the message */ | ||
| 296 | |||
| 297 | /* initialize the the cksum */ | ||
| 298 | switch (signalg) { | ||
| 299 | case SGN_ALG_DES_MAC_MD5: | ||
| 300 | checksum_type = CKSUMTYPE_RSA_MD5; | ||
| 301 | break; | ||
| 302 | default: | ||
| 303 | ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 304 | goto out; | ||
| 305 | } | ||
| 306 | |||
| 307 | switch (signalg) { | ||
| 308 | case SGN_ALG_DES_MAC_MD5: | ||
| 309 | ret = make_checksum(checksum_type, ptr - 2, 8, buf, | ||
| 310 | ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum); | ||
| 311 | if (ret) | ||
| 312 | goto out; | ||
| 313 | |||
| 314 | ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data, | ||
| 315 | md5cksum.data, md5cksum.len); | ||
| 316 | if (ret) | ||
| 317 | goto out; | ||
| 318 | |||
| 319 | if (memcmp(md5cksum.data + 8, ptr + 14, 8)) { | ||
| 320 | ret = GSS_S_BAD_SIG; | ||
| 321 | goto out; | ||
| 322 | } | ||
| 323 | break; | ||
| 324 | default: | ||
| 325 | ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 326 | goto out; | ||
| 327 | } | ||
| 328 | |||
| 329 | /* it got through unscathed. Make sure the context is unexpired */ | ||
| 330 | |||
| 331 | if (qop) | ||
| 332 | *qop = GSS_C_QOP_DEFAULT; | ||
| 333 | |||
| 334 | now = get_seconds(); | ||
| 335 | |||
| 336 | ret = GSS_S_CONTEXT_EXPIRED; | ||
| 337 | if (now > kctx->endtime) | ||
| 338 | goto out; | ||
| 339 | |||
| 340 | /* do sequencing checks */ | ||
| 341 | |||
| 342 | ret = GSS_S_BAD_SIG; | ||
| 343 | if ((ret = krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction, | ||
| 344 | &seqnum))) | ||
| 345 | goto out; | ||
| 346 | |||
| 347 | if ((kctx->initiate && direction != 0xff) || | ||
| 348 | (!kctx->initiate && direction != 0)) | ||
| 349 | goto out; | ||
| 350 | |||
| 351 | /* Copy the data back to the right position. XXX: Would probably be | ||
| 352 | * better to copy and encrypt at the same time. */ | ||
| 353 | |||
| 354 | blocksize = crypto_tfm_alg_blocksize(kctx->enc); | ||
| 355 | data_start = ptr + 22 + blocksize; | ||
| 356 | orig_start = buf->head[0].iov_base + offset; | ||
| 357 | data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start; | ||
| 358 | memmove(orig_start, data_start, data_len); | ||
| 359 | buf->head[0].iov_len -= (data_start - orig_start); | ||
| 360 | buf->len -= (data_start - orig_start); | ||
| 361 | |||
| 362 | ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 363 | if (gss_krb5_remove_padding(buf, blocksize)) | ||
| 364 | goto out; | ||
| 365 | |||
| 366 | ret = GSS_S_COMPLETE; | ||
| 367 | out: | ||
| 368 | if (md5cksum.data) kfree(md5cksum.data); | ||
| 369 | return ret; | ||
| 370 | } | ||