RPCSEC_GSS: Add support for privacy to krb5 rpcsec_gss mechanism.

Add support for privacy to the krb5 rpcsec_gss mechanism. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: J. Bruce Fields <bfields@fieldses.org> 2005-10-13 16:55:13 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2005-10-19 02:19:46 -0400
commit: 14ae162c24d985593d5b19437d7f3d8fd0062b59 (patch)
tree: 750fbc08e6a6e0cb00bfad7c871144a757ac43de /net/sunrpc/auth_gss
parent: bfa91516b57483fc9c81d8d90325fd2c3c16ac48 (diff)
6 files changed, 535 insertions, 6 deletions
diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile
index fe1b874084bc..f3431a7e33da 100644
--- a/net/sunrpc/auth_gss/Makefile
+++ b/net/sunrpc/auth_gss/Makefile
@@ -10,7 +10,7 @@ auth_rpcgss-objs := auth_gss.o gss_generic_token.o \
 obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
 rpcsec_gss_krb5-objs := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
-        gss_krb5_seqnum.o
+        gss_krb5_seqnum.o gss_krb5_wrap.o
 obj-$(CONFIG_RPCSEC_GSS_SPKM3) += rpcsec_gss_spkm3.o
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 2baf93f8b8f5..3f3d5437f02d 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -218,7 +218,7 @@ checksummer(struct scatterlist *sg, void *data)
 /* checksum the plaintext data and hdrlen bytes of the token header */
 s32
 make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
-                   struct xdr_netobj *cksum)
+                   int body_offset, struct xdr_netobj *cksum)
 {
        char                            *cksumname;
        struct crypto_tfm               *tfm = NULL; /* XXX add to ctx? */
@@ -243,7 +243,8 @@ make_checksum(s32 cksumtype, char *header, int hdrlen, struct xdr_buf *body,
        crypto_digest_init(tfm);
        buf_to_sg(sg, header, hdrlen);
        crypto_digest_update(tfm, sg, 1);
-        process_xdr_buf(body, 0, body->len, checksummer, tfm);
+        process_xdr_buf(body, body_offset, body->len - body_offset,
+                        checksummer, tfm);
        crypto_digest_final(tfm, cksum->data);
        code = 0;
 out:
@@ -252,3 +253,154 @@ out:
 }
 EXPORT_SYMBOL(make_checksum);
+struct encryptor_desc {
+        u8 iv[8]; /* XXX hard-coded blocksize */
+        struct crypto_tfm *tfm;
+        int pos;
+        struct xdr_buf *outbuf;
+        struct page **pages;
+        struct scatterlist infrags[4];
+        struct scatterlist outfrags[4];
+        int fragno;
+        int fraglen;
+};
+static int
+encryptor(struct scatterlist *sg, void *data)
+{
+        struct encryptor_desc *desc = data;
+        struct xdr_buf *outbuf = desc->outbuf;
+        struct page *in_page;
+        int thislen = desc->fraglen + sg->length;
+        int fraglen, ret;
+        int page_pos;
+        /* Worst case is 4 fragments: head, end of page 1, start
+         * of page 2, tail.  Anything more is a bug. */
+        BUG_ON(desc->fragno > 3);
+        desc->infrags[desc->fragno] = *sg;
+        desc->outfrags[desc->fragno] = *sg;
+        page_pos = desc->pos - outbuf->head[0].iov_len;
+        if (page_pos >= 0 && page_pos < outbuf->page_len) {
+                /* pages are not in place: */
+                int i = (page_pos + outbuf->page_base) >> PAGE_CACHE_SHIFT;
+                in_page = desc->pages[i];
+        } else {
+                in_page = sg->page;
+        }
+        desc->infrags[desc->fragno].page = in_page;
+        desc->fragno++;
+        desc->fraglen += sg->length;
+        desc->pos += sg->length;
+        fraglen = thislen & 7; /* XXX hardcoded blocksize */
+        thislen -= fraglen;
+        if (thislen == 0)
+                return 0;
+        ret = crypto_cipher_encrypt_iv(desc->tfm, desc->outfrags, desc->infrags,
+                                        thislen, desc->iv);
+        if (ret)
+                return ret;
+        if (fraglen) {
+                desc->outfrags[0].page = sg->page;
+                desc->outfrags[0].offset = sg->offset + sg->length - fraglen;
+                desc->outfrags[0].length = fraglen;
+                desc->infrags[0] = desc->outfrags[0];
+                desc->infrags[0].page = in_page;
+                desc->fragno = 1;
+                desc->fraglen = fraglen;
+        } else {
+                desc->fragno = 0;
+                desc->fraglen = 0;
+        }
+        return 0;
+}
+int
+gss_encrypt_xdr_buf(struct crypto_tfm *tfm, struct xdr_buf *buf, int offset,
+                struct page **pages)
+{
+        int ret;
+        struct encryptor_desc desc;
+        BUG_ON((buf->len - offset) % crypto_tfm_alg_blocksize(tfm) != 0);
+        memset(desc.iv, 0, sizeof(desc.iv));
+        desc.tfm = tfm;
+        desc.pos = offset;
+        desc.outbuf = buf;
+        desc.pages = pages;
+        desc.fragno = 0;
+        desc.fraglen = 0;
+        ret = process_xdr_buf(buf, offset, buf->len - offset, encryptor, &desc);
+        return ret;
+}
+EXPORT_SYMBOL(gss_encrypt_xdr_buf);
+struct decryptor_desc {
+        u8 iv[8]; /* XXX hard-coded blocksize */
+        struct crypto_tfm *tfm;
+        struct scatterlist frags[4];
+        int fragno;
+        int fraglen;
+};
+static int
+decryptor(struct scatterlist *sg, void *data)
+{
+        struct decryptor_desc *desc = data;
+        int thislen = desc->fraglen + sg->length;
+        int fraglen, ret;
+        /* Worst case is 4 fragments: head, end of page 1, start
+         * of page 2, tail.  Anything more is a bug. */
+        BUG_ON(desc->fragno > 3);
+        desc->frags[desc->fragno] = *sg;
+        desc->fragno++;
+        desc->fraglen += sg->length;
+        fraglen = thislen & 7; /* XXX hardcoded blocksize */
+        thislen -= fraglen;
+        if (thislen == 0)
+                return 0;
+        ret = crypto_cipher_decrypt_iv(desc->tfm, desc->frags, desc->frags,
+                                        thislen, desc->iv);
+        if (ret)
+                return ret;
+        if (fraglen) {
+                desc->frags[0].page = sg->page;
+                desc->frags[0].offset = sg->offset + sg->length - fraglen;
+                desc->frags[0].length = fraglen;
+                desc->fragno = 1;
+                desc->fraglen = fraglen;
+        } else {
+                desc->fragno = 0;
+                desc->fraglen = 0;
+        }
+        return 0;
+}
+int
+gss_decrypt_xdr_buf(struct crypto_tfm *tfm, struct xdr_buf *buf, int offset)
+{
+        struct decryptor_desc desc;
+        /* XXXJBF: */
+        BUG_ON((buf->len - offset) % crypto_tfm_alg_blocksize(tfm) != 0);
+        memset(desc.iv, 0, sizeof(desc.iv));
+        desc.tfm = tfm;
+        desc.fragno = 0;
+        desc.fraglen = 0;
+        return process_xdr_buf(buf, offset, buf->len - offset, decryptor, &desc);
+}
+EXPORT_SYMBOL(gss_decrypt_xdr_buf);
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 8b9066fdfda5..37a9ad97ccd4 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -226,6 +226,8 @@ static struct gss_api_ops gss_kerberos_ops = {
        .gss_import_sec_context = gss_import_sec_context_kerberos,
        .gss_get_mic            = gss_get_mic_kerberos,
        .gss_verify_mic         = gss_verify_mic_kerberos,
+        .gss_wrap               = gss_wrap_kerberos,
+        .gss_unwrap             = gss_unwrap_kerberos,
        .gss_delete_sec_context = gss_delete_sec_context_kerberos,
 };
@@ -240,6 +242,11 @@ static struct pf_desc gss_kerberos_pfs[] = {
                .service = RPC_GSS_SVC_INTEGRITY,
                .name = "krb5i",
        },
+        [2] = {
+                .pseudoflavor = RPC_AUTH_GSS_KRB5P,
+                .service = RPC_GSS_SVC_PRIVACY,
+                .name = "krb5p",
+        },
 };
 static struct gss_api_mech gss_kerberos_mech = {
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index 2511834e6e52..fb852d9ab06f 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -116,8 +116,8 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
        *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg);
        memset(krb5_hdr + 4, 0xff, 4);
-        if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum))
+        if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum))
-                goto out_err;
+                        goto out_err;
        switch (ctx->signalg) {
        case SGN_ALG_DES_MAC_MD5:
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 19eba3df6607..c3d6d1bc100c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -136,7 +136,7 @@ krb5_read_token(struct krb5_ctx *ctx,
        switch (signalg) {
        case SGN_ALG_DES_MAC_MD5:
                ret = make_checksum(checksum_type, ptr - 2, 8,
-                                         message_buffer, &md5cksum);
+                                         message_buffer, 0, &md5cksum);
                if (ret)
                        goto out;
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
new file mode 100644
index 000000000000..ddcde6e42b23
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -0,0 +1,370 @@
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/jiffies.h>
+#include <linux/sunrpc/gss_krb5.h>
+#include <linux/random.h>
+#include <linux/pagemap.h>
+#include <asm/scatterlist.h>
+#include <linux/crypto.h>
+#ifdef RPC_DEBUG
+# define RPCDBG_FACILITY        RPCDBG_AUTH
+#endif
+static inline int
+gss_krb5_padding(int blocksize, int length)
+{
+        /* Most of the code is block-size independent but currently we
+         * use only 8: */
+        BUG_ON(blocksize != 8);
+        return 8 - (length & 7);
+}
+static inline void
+gss_krb5_add_padding(struct xdr_buf *buf, int offset, int blocksize)
+{
+        int padding = gss_krb5_padding(blocksize, buf->len - offset);
+        char *p;
+        struct kvec *iov;
+        if (buf->page_len || buf->tail[0].iov_len)
+                iov = &buf->tail[0];
+        else
+                iov = &buf->head[0];
+        p = iov->iov_base + iov->iov_len;
+        iov->iov_len += padding;
+        buf->len += padding;
+        memset(p, padding, padding);
+}
+static inline int
+gss_krb5_remove_padding(struct xdr_buf *buf, int blocksize)
+{
+        u8 *ptr;
+        u8 pad;
+        int len = buf->len;
+        if (len <= buf->head[0].iov_len) {
+                pad = *(u8 *)(buf->head[0].iov_base + len - 1);
+                if (pad > buf->head[0].iov_len)
+                        return -EINVAL;
+                buf->head[0].iov_len -= pad;
+                goto out;
+        } else
+                len -= buf->head[0].iov_len;
+        if (len <= buf->page_len) {
+                int last = (buf->page_base + len - 1)
+                                        >>PAGE_CACHE_SHIFT;
+                int offset = (buf->page_base + len - 1)
+                                        & (PAGE_CACHE_SIZE - 1);
+                ptr = kmap_atomic(buf->pages[last], KM_SKB_SUNRPC_DATA);
+                pad = *(ptr + offset);
+                kunmap_atomic(ptr, KM_SKB_SUNRPC_DATA);
+                goto out;
+        } else
+                len -= buf->page_len;
+        BUG_ON(len > buf->tail[0].iov_len);
+        pad = *(u8 *)(buf->tail[0].iov_base + len - 1);
+out:
+        /* XXX: NOTE: we do not adjust the page lengths--they represent
+         * a range of data in the real filesystem page cache, and we need
+         * to know that range so the xdr code can properly place read data.
+         * However adjusting the head length, as we do above, is harmless.
+         * In the case of a request that fits into a single page, the server
+         * also uses length and head length together to determine the original
+         * start of the request to copy the request for deferal; so it's
+         * easier on the server if we adjust head and tail length in tandem.
+         * It's not really a problem that we don't fool with the page and
+         * tail lengths, though--at worst badly formed xdr might lead the
+         * server to attempt to parse the padding.
+         * XXX: Document all these weird requirements for gss mechanism
+         * wrap/unwrap functions. */
+        if (pad > blocksize)
+                return -EINVAL;
+        if (buf->len > pad)
+                buf->len -= pad;
+        else
+                return -EINVAL;
+        return 0;
+}
+static inline void
+make_confounder(char *p, int blocksize)
+{
+        static u64 i = 0;
+        u64 *q = (u64 *)p;
+        /* rfc1964 claims this should be "random".  But all that's really
+         * necessary is that it be unique.  And not even that is necessary in
+         * our case since our "gssapi" implementation exists only to support
+         * rpcsec_gss, so we know that the only buffers we will ever encrypt
+         * already begin with a unique sequence number.  Just to hedge my bets
+         * I'll make a half-hearted attempt at something unique, but ensuring
+         * uniqueness would mean worrying about atomicity and rollover, and I
+         * don't care enough. */
+        BUG_ON(blocksize != 8);
+        *q = i++;
+}
+/* Assumptions: the head and tail of inbuf are ours to play with.
+ * The pages, however, may be real pages in the page cache and we replace
+ * them with scratch pages from **pages before writing to them. */
+/* XXX: obviously the above should be documentation of wrap interface,
+ * and shouldn't be in this kerberos-specific file. */
+/* XXX factor out common code with seal/unseal. */
+u32
+gss_wrap_kerberos(struct gss_ctx *ctx, u32 qop, int offset,
+                struct xdr_buf *buf, struct page **pages)
+{
+        struct krb5_ctx         *kctx = ctx->internal_ctx_id;
+        s32                     checksum_type;
+        struct xdr_netobj       md5cksum = {.len = 0, .data = NULL};
+        int                     blocksize = 0, plainlen;
+        unsigned char           *ptr, *krb5_hdr, *msg_start;
+        s32                     now;
+        int                     headlen;
+        struct page             **tmp_pages;
+        dprintk("RPC:     gss_wrap_kerberos\n");
+        now = get_seconds();
+        if (qop != 0)
+                goto out_err;
+        switch (kctx->signalg) {
+                case SGN_ALG_DES_MAC_MD5:
+                        checksum_type = CKSUMTYPE_RSA_MD5;
+                        break;
+                default:
+                        dprintk("RPC:      gss_krb5_seal: kctx->signalg %d not"
+                                " supported\n", kctx->signalg);
+                        goto out_err;
+        }
+        if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
+                dprintk("RPC:      gss_krb5_seal: kctx->sealalg %d not supported\n",
+                        kctx->sealalg);
+                goto out_err;
+        }
+        blocksize = crypto_tfm_alg_blocksize(kctx->enc);
+        gss_krb5_add_padding(buf, offset, blocksize);
+        BUG_ON((buf->len - offset) % blocksize);
+        plainlen = blocksize + buf->len - offset;
+        headlen = g_token_size(&kctx->mech_used, 22 + plainlen) -
+                                                (buf->len - offset);
+        ptr = buf->head[0].iov_base + offset;
+        /* shift data to make room for header. */
+        /* XXX Would be cleverer to encrypt while copying. */
+        /* XXX bounds checking, slack, etc. */
+        memmove(ptr + headlen, ptr, buf->head[0].iov_len - offset);
+        buf->head[0].iov_len += headlen;
+        buf->len += headlen;
+        BUG_ON((buf->len - offset - headlen) % blocksize);
+        g_make_token_header(&kctx->mech_used, 22 + plainlen, &ptr);
+        *ptr++ = (unsigned char) ((KG_TOK_WRAP_MSG>>8)&0xff);
+        *ptr++ = (unsigned char) (KG_TOK_WRAP_MSG&0xff);
+        /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */
+        krb5_hdr = ptr - 2;
+        msg_start = krb5_hdr + 24;
+        /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize);
+        *(u16 *)(krb5_hdr + 2) = htons(kctx->signalg);
+        memset(krb5_hdr + 4, 0xff, 4);
+        *(u16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
+        make_confounder(msg_start, blocksize);
+        /* XXXJBF: UGH!: */
+        tmp_pages = buf->pages;
+        buf->pages = pages;
+        if (make_checksum(checksum_type, krb5_hdr, 8, buf,
+                                offset + headlen - blocksize, &md5cksum))
+                goto out_err;
+        buf->pages = tmp_pages;
+        switch (kctx->signalg) {
+        case SGN_ALG_DES_MAC_MD5:
+                if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+                                  md5cksum.data, md5cksum.len))
+                        goto out_err;
+                memcpy(krb5_hdr + 16,
+                       md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
+                       KRB5_CKSUM_LENGTH);
+                dprintk("RPC:      make_seal_token: cksum data: \n");
+                print_hexl((u32 *) (krb5_hdr + 16), KRB5_CKSUM_LENGTH, 0);
+                break;
+        default:
+                BUG();
+        }
+        kfree(md5cksum.data);
+        /* XXX would probably be more efficient to compute checksum
+         * and encrypt at the same time: */
+        if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
+                               kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8)))
+                goto out_err;
+        if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
+                                                                        pages))
+                goto out_err;
+        kctx->seq_send++;
+        return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
+out_err:
+        if (md5cksum.data) kfree(md5cksum.data);
+        return GSS_S_FAILURE;
+}
+u32
+gss_unwrap_kerberos(struct gss_ctx *ctx, u32 *qop, int offset,
+                        struct xdr_buf *buf)
+{
+        struct krb5_ctx         *kctx = ctx->internal_ctx_id;
+        int                     signalg;
+        int                     sealalg;
+        s32                     checksum_type;
+        struct xdr_netobj       md5cksum = {.len = 0, .data = NULL};
+        s32                     now;
+        int                     direction;
+        s32                     seqnum;
+        unsigned char           *ptr;
+        int                     bodysize;
+        u32                     ret = GSS_S_DEFECTIVE_TOKEN;
+        void                    *data_start, *orig_start;
+        int                     data_len;
+        int                     blocksize;
+        dprintk("RPC:      gss_unwrap_kerberos\n");
+        ptr = (u8 *)buf->head[0].iov_base + offset;
+        if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr,
+                                        buf->len - offset))
+                goto out;
+        if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) ||
+            (*ptr++ !=  (KG_TOK_WRAP_MSG    &0xff))   )
+                goto out;
+        /* XXX sanity-check bodysize?? */
+        /* get the sign and seal algorithms */
+        signalg = ptr[0] + (ptr[1] << 8);
+        sealalg = ptr[2] + (ptr[3] << 8);
+        /* Sanity checks */
+        if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
+                goto out;
+        if (sealalg == 0xffff)
+                goto out;
+        /* in the current spec, there is only one valid seal algorithm per
+           key type, so a simple comparison is ok */
+        if (sealalg != kctx->sealalg)
+                goto out;
+        /* there are several mappings of seal algorithms to sign algorithms,
+           but few enough that we can try them all. */
+        if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
+            (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
+            (kctx->sealalg == SEAL_ALG_DES3KD &&
+             signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
+                goto out;
+        if (gss_decrypt_xdr_buf(kctx->enc, buf,
+                        ptr + 22 - (unsigned char *)buf->head[0].iov_base))
+                goto out;
+        /* compute the checksum of the message */
+        /* initialize the the cksum */
+        switch (signalg) {
+        case SGN_ALG_DES_MAC_MD5:
+                checksum_type = CKSUMTYPE_RSA_MD5;
+                break;
+        default:
+                ret = GSS_S_DEFECTIVE_TOKEN;
+                goto out;
+        }
+        switch (signalg) {
+        case SGN_ALG_DES_MAC_MD5:
+                ret = make_checksum(checksum_type, ptr - 2, 8, buf,
+                         ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
+                if (ret)
+                        goto out;
+                ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+                                   md5cksum.data, md5cksum.len);
+                if (ret)
+                        goto out;
+                if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
+                        ret = GSS_S_BAD_SIG;
+                        goto out;
+                }
+                break;
+        default:
+                ret = GSS_S_DEFECTIVE_TOKEN;
+                goto out;
+        }
+        /* it got through unscathed.  Make sure the context is unexpired */
+        if (qop)
+                *qop = GSS_C_QOP_DEFAULT;
+        now = get_seconds();
+        ret = GSS_S_CONTEXT_EXPIRED;
+        if (now > kctx->endtime)
+                goto out;
+        /* do sequencing checks */
+        ret = GSS_S_BAD_SIG;
+        if ((ret = krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction,
+                                    &seqnum)))
+                goto out;
+        if ((kctx->initiate && direction != 0xff) ||
+            (!kctx->initiate && direction != 0))
+                goto out;
+        /* Copy the data back to the right position.  XXX: Would probably be
+         * better to copy and encrypt at the same time. */
+        blocksize = crypto_tfm_alg_blocksize(kctx->enc);
+        data_start = ptr + 22 + blocksize;
+        orig_start = buf->head[0].iov_base + offset;
+        data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
+        memmove(orig_start, data_start, data_len);
+        buf->head[0].iov_len -= (data_start - orig_start);
+        buf->len -= (data_start - orig_start);
+        ret = GSS_S_DEFECTIVE_TOKEN;
+        if (gss_krb5_remove_padding(buf, blocksize))
+                goto out;
+        ret = GSS_S_COMPLETE;
+out:
+        if (md5cksum.data) kfree(md5cksum.data);
+        return ret;
+}
author	J. Bruce Fields <bfields@fieldses.org>	2005-10-13 16:55:13 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2005-10-19 02:19:46 -0400
commit	14ae162c24d985593d5b19437d7f3d8fd0062b59 (patch)
tree	750fbc08e6a6e0cb00bfad7c871144a757ac43de /net/sunrpc/auth_gss
parent	bfa91516b57483fc9c81d8d90325fd2c3c16ac48 (diff)

diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile index fe1b874084bc..f3431a7e33da 100644 --- a/net/sunrpc/auth_gss/Makefile +++ b/net/sunrpc/auth_gss/Makefile
@@ -10,7 +10,7 @@ auth_rpcgss-objs := auth_gss.o gss_generic_token.o \
10	obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o	10	obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
11		11
12	rpcsec_gss_krb5-objs := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \	12	rpcsec_gss_krb5-objs := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
13	gss_krb5_seqnum.o	13	gss_krb5_seqnum.o gss_krb5_wrap.o
14		14
15	obj-$(CONFIG_RPCSEC_GSS_SPKM3) += rpcsec_gss_spkm3.o	15	obj-$(CONFIG_RPCSEC_GSS_SPKM3) += rpcsec_gss_spkm3.o
16		16


diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index 2baf93f8b8f5..3f3d5437f02d 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -218,7 +218,7 @@ checksummer(struct scatterlist sg, void data)
218	/* checksum the plaintext data and hdrlen bytes of the token header */	218	/* checksum the plaintext data and hdrlen bytes of the token header */
219	s32	219	s32
220	make_checksum(s32 cksumtype, char header, int hdrlen, struct xdr_buf body,	220	make_checksum(s32 cksumtype, char header, int hdrlen, struct xdr_buf body,
221	struct xdr_netobj *cksum)	221	int body_offset, struct xdr_netobj *cksum)
222	{	222	{
223	char *cksumname;	223	char *cksumname;
224	struct crypto_tfm tfm = NULL; / XXX add to ctx? */	224	struct crypto_tfm tfm = NULL; / XXX add to ctx? */
@@ -243,7 +243,8 @@ make_checksum(s32 cksumtype, char header, int hdrlen, struct xdr_buf body,
243	crypto_digest_init(tfm);	243	crypto_digest_init(tfm);
244	buf_to_sg(sg, header, hdrlen);	244	buf_to_sg(sg, header, hdrlen);
245	crypto_digest_update(tfm, sg, 1);	245	crypto_digest_update(tfm, sg, 1);
246	process_xdr_buf(body, 0, body->len, checksummer, tfm);	246	process_xdr_buf(body, body_offset, body->len - body_offset,
		247	checksummer, tfm);
247	crypto_digest_final(tfm, cksum->data);	248	crypto_digest_final(tfm, cksum->data);
248	code = 0;	249	code = 0;
249	out:	250	out:
@@ -252,3 +253,154 @@ out:
252	}	253	}
253		254
254	EXPORT_SYMBOL(make_checksum);	255	EXPORT_SYMBOL(make_checksum);
		256
		257	struct encryptor_desc {
		258	u8 iv[8]; /* XXX hard-coded blocksize */
		259	struct crypto_tfm *tfm;
		260	int pos;
		261	struct xdr_buf *outbuf;
		262	struct page **pages;
		263	struct scatterlist infrags[4];
		264	struct scatterlist outfrags[4];
		265	int fragno;
		266	int fraglen;
		267	};
		268
		269	static int
		270	encryptor(struct scatterlist sg, void data)
		271	{
		272	struct encryptor_desc *desc = data;
		273	struct xdr_buf *outbuf = desc->outbuf;
		274	struct page *in_page;
		275	int thislen = desc->fraglen + sg->length;
		276	int fraglen, ret;
		277	int page_pos;
		278
		279	/* Worst case is 4 fragments: head, end of page 1, start
		280	* of page 2, tail. Anything more is a bug. */
		281	BUG_ON(desc->fragno > 3);
		282	desc->infrags[desc->fragno] = *sg;
		283	desc->outfrags[desc->fragno] = *sg;
		284
		285	page_pos = desc->pos - outbuf->head[0].iov_len;
		286	if (page_pos >= 0 && page_pos < outbuf->page_len) {
		287	/* pages are not in place: */
		288	int i = (page_pos + outbuf->page_base) >> PAGE_CACHE_SHIFT;
		289	in_page = desc->pages[i];
		290	} else {
		291	in_page = sg->page;
		292	}
		293	desc->infrags[desc->fragno].page = in_page;
		294	desc->fragno++;
		295	desc->fraglen += sg->length;
		296	desc->pos += sg->length;
		297
		298	fraglen = thislen & 7; /* XXX hardcoded blocksize */
		299	thislen -= fraglen;
		300
		301	if (thislen == 0)
		302	return 0;
		303
		304	ret = crypto_cipher_encrypt_iv(desc->tfm, desc->outfrags, desc->infrags,
		305	thislen, desc->iv);
		306	if (ret)
		307	return ret;
		308	if (fraglen) {
		309	desc->outfrags[0].page = sg->page;
		310	desc->outfrags[0].offset = sg->offset + sg->length - fraglen;
		311	desc->outfrags[0].length = fraglen;
		312	desc->infrags[0] = desc->outfrags[0];
		313	desc->infrags[0].page = in_page;
		314	desc->fragno = 1;
		315	desc->fraglen = fraglen;
		316	} else {
		317	desc->fragno = 0;
		318	desc->fraglen = 0;
		319	}
		320	return 0;
		321	}
		322
		323	int
		324	gss_encrypt_xdr_buf(struct crypto_tfm tfm, struct xdr_buf buf, int offset,
		325	struct page **pages)
		326	{
		327	int ret;
		328	struct encryptor_desc desc;
		329
		330	BUG_ON((buf->len - offset) % crypto_tfm_alg_blocksize(tfm) != 0);
		331
		332	memset(desc.iv, 0, sizeof(desc.iv));
		333	desc.tfm = tfm;
		334	desc.pos = offset;
		335	desc.outbuf = buf;
		336	desc.pages = pages;
		337	desc.fragno = 0;
		338	desc.fraglen = 0;
		339
		340	ret = process_xdr_buf(buf, offset, buf->len - offset, encryptor, &desc);
		341	return ret;
		342	}
		343
		344	EXPORT_SYMBOL(gss_encrypt_xdr_buf);
		345
		346	struct decryptor_desc {
		347	u8 iv[8]; /* XXX hard-coded blocksize */
		348	struct crypto_tfm *tfm;
		349	struct scatterlist frags[4];
		350	int fragno;
		351	int fraglen;
		352	};
		353
		354	static int
		355	decryptor(struct scatterlist sg, void data)
		356	{
		357	struct decryptor_desc *desc = data;
		358	int thislen = desc->fraglen + sg->length;
		359	int fraglen, ret;
		360
		361	/* Worst case is 4 fragments: head, end of page 1, start
		362	* of page 2, tail. Anything more is a bug. */
		363	BUG_ON(desc->fragno > 3);
		364	desc->frags[desc->fragno] = *sg;
		365	desc->fragno++;
		366	desc->fraglen += sg->length;
		367
		368	fraglen = thislen & 7; /* XXX hardcoded blocksize */
		369	thislen -= fraglen;
		370
		371	if (thislen == 0)
		372	return 0;
		373
		374	ret = crypto_cipher_decrypt_iv(desc->tfm, desc->frags, desc->frags,
		375	thislen, desc->iv);
		376	if (ret)
		377	return ret;
		378	if (fraglen) {
		379	desc->frags[0].page = sg->page;
		380	desc->frags[0].offset = sg->offset + sg->length - fraglen;
		381	desc->frags[0].length = fraglen;
		382	desc->fragno = 1;
		383	desc->fraglen = fraglen;
		384	} else {
		385	desc->fragno = 0;
		386	desc->fraglen = 0;
		387	}
		388	return 0;
		389	}
		390
		391	int
		392	gss_decrypt_xdr_buf(struct crypto_tfm tfm, struct xdr_buf buf, int offset)
		393	{
		394	struct decryptor_desc desc;
		395
		396	/* XXXJBF: */
		397	BUG_ON((buf->len - offset) % crypto_tfm_alg_blocksize(tfm) != 0);
		398
		399	memset(desc.iv, 0, sizeof(desc.iv));
		400	desc.tfm = tfm;
		401	desc.fragno = 0;
		402	desc.fraglen = 0;
		403	return process_xdr_buf(buf, offset, buf->len - offset, decryptor, &desc);
		404	}
		405
		406	EXPORT_SYMBOL(gss_decrypt_xdr_buf);


diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 8b9066fdfda5..37a9ad97ccd4 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -226,6 +226,8 @@ static struct gss_api_ops gss_kerberos_ops = {
226	.gss_import_sec_context = gss_import_sec_context_kerberos,	226	.gss_import_sec_context = gss_import_sec_context_kerberos,
227	.gss_get_mic = gss_get_mic_kerberos,	227	.gss_get_mic = gss_get_mic_kerberos,
228	.gss_verify_mic = gss_verify_mic_kerberos,	228	.gss_verify_mic = gss_verify_mic_kerberos,
		229	.gss_wrap = gss_wrap_kerberos,
		230	.gss_unwrap = gss_unwrap_kerberos,
229	.gss_delete_sec_context = gss_delete_sec_context_kerberos,	231	.gss_delete_sec_context = gss_delete_sec_context_kerberos,
230	};	232	};
231		233
@@ -240,6 +242,11 @@ static struct pf_desc gss_kerberos_pfs[] = {
240	.service = RPC_GSS_SVC_INTEGRITY,	242	.service = RPC_GSS_SVC_INTEGRITY,
241	.name = "krb5i",	243	.name = "krb5i",
242	},	244	},
		245	[2] = {
		246	.pseudoflavor = RPC_AUTH_GSS_KRB5P,
		247	.service = RPC_GSS_SVC_PRIVACY,
		248	.name = "krb5p",
		249	},
243	};	250	};
244		251
245	static struct gss_api_mech gss_kerberos_mech = {	252	static struct gss_api_mech gss_kerberos_mech = {


diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index 2511834e6e52..fb852d9ab06f 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -116,8 +116,8 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
116	(u16 )(krb5_hdr + 2) = htons(ctx->signalg);	116	(u16 )(krb5_hdr + 2) = htons(ctx->signalg);
117	memset(krb5_hdr + 4, 0xff, 4);	117	memset(krb5_hdr + 4, 0xff, 4);
118		118
119	if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum))	119	if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum))
120	goto out_err;	120	goto out_err;
121		121
122	switch (ctx->signalg) {	122	switch (ctx->signalg) {
123	case SGN_ALG_DES_MAC_MD5:	123	case SGN_ALG_DES_MAC_MD5:


diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 19eba3df6607..c3d6d1bc100c 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -136,7 +136,7 @@ krb5_read_token(struct krb5_ctx *ctx,
136	switch (signalg) {	136	switch (signalg) {
137	case SGN_ALG_DES_MAC_MD5:	137	case SGN_ALG_DES_MAC_MD5:
138	ret = make_checksum(checksum_type, ptr - 2, 8,	138	ret = make_checksum(checksum_type, ptr - 2, 8,
139	message_buffer, &md5cksum);	139	message_buffer, 0, &md5cksum);
140	if (ret)	140	if (ret)
141	goto out;	141	goto out;
142		142


diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c new file mode 100644 index 000000000000..ddcde6e42b23 --- /dev/null +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -0,0 +1,370 @@
		1	#include <linux/types.h>
		2	#include <linux/slab.h>
		3	#include <linux/jiffies.h>
		4	#include <linux/sunrpc/gss_krb5.h>
		5	#include <linux/random.h>
		6	#include <linux/pagemap.h>
		7	#include <asm/scatterlist.h>
		8	#include <linux/crypto.h>
		9
		10	#ifdef RPC_DEBUG
		11	# define RPCDBG_FACILITY RPCDBG_AUTH
		12	#endif
		13
		14	static inline int
		15	gss_krb5_padding(int blocksize, int length)
		16	{
		17	/* Most of the code is block-size independent but currently we
		18	* use only 8: */
		19	BUG_ON(blocksize != 8);
		20	return 8 - (length & 7);
		21	}
		22
		23	static inline void
		24	gss_krb5_add_padding(struct xdr_buf *buf, int offset, int blocksize)
		25	{
		26	int padding = gss_krb5_padding(blocksize, buf->len - offset);
		27	char *p;
		28	struct kvec *iov;
		29
		30	if (buf->page_len \|\| buf->tail[0].iov_len)
		31	iov = &buf->tail[0];
		32	else
		33	iov = &buf->head[0];
		34	p = iov->iov_base + iov->iov_len;
		35	iov->iov_len += padding;
		36	buf->len += padding;
		37	memset(p, padding, padding);
		38	}
		39
		40	static inline int
		41	gss_krb5_remove_padding(struct xdr_buf *buf, int blocksize)
		42	{
		43	u8 *ptr;
		44	u8 pad;
		45	int len = buf->len;
		46
		47	if (len <= buf->head[0].iov_len) {
		48	pad = (u8 )(buf->head[0].iov_base + len - 1);
		49	if (pad > buf->head[0].iov_len)
		50	return -EINVAL;
		51	buf->head[0].iov_len -= pad;
		52	goto out;
		53	} else
		54	len -= buf->head[0].iov_len;
		55	if (len <= buf->page_len) {
		56	int last = (buf->page_base + len - 1)
		57	>>PAGE_CACHE_SHIFT;
		58	int offset = (buf->page_base + len - 1)
		59	& (PAGE_CACHE_SIZE - 1);
		60	ptr = kmap_atomic(buf->pages[last], KM_SKB_SUNRPC_DATA);
		61	pad = *(ptr + offset);
		62	kunmap_atomic(ptr, KM_SKB_SUNRPC_DATA);
		63	goto out;
		64	} else
		65	len -= buf->page_len;
		66	BUG_ON(len > buf->tail[0].iov_len);
		67	pad = (u8 )(buf->tail[0].iov_base + len - 1);
		68	out:
		69	/* XXX: NOTE: we do not adjust the page lengths--they represent
		70	* a range of data in the real filesystem page cache, and we need
		71	* to know that range so the xdr code can properly place read data.
		72	* However adjusting the head length, as we do above, is harmless.
		73	* In the case of a request that fits into a single page, the server
		74	* also uses length and head length together to determine the original
		75	* start of the request to copy the request for deferal; so it's
		76	* easier on the server if we adjust head and tail length in tandem.
		77	* It's not really a problem that we don't fool with the page and
		78	* tail lengths, though--at worst badly formed xdr might lead the
		79	* server to attempt to parse the padding.
		80	* XXX: Document all these weird requirements for gss mechanism
		81	* wrap/unwrap functions. */
		82	if (pad > blocksize)
		83	return -EINVAL;
		84	if (buf->len > pad)
		85	buf->len -= pad;
		86	else
		87	return -EINVAL;
		88	return 0;
		89	}
		90
		91	static inline void
		92	make_confounder(char *p, int blocksize)
		93	{
		94	static u64 i = 0;
		95	u64 q = (u64 )p;
		96
		97	/* rfc1964 claims this should be "random". But all that's really
		98	* necessary is that it be unique. And not even that is necessary in
		99	* our case since our "gssapi" implementation exists only to support
		100	* rpcsec_gss, so we know that the only buffers we will ever encrypt
		101	* already begin with a unique sequence number. Just to hedge my bets
		102	* I'll make a half-hearted attempt at something unique, but ensuring
		103	* uniqueness would mean worrying about atomicity and rollover, and I
		104	* don't care enough. */
		105
		106	BUG_ON(blocksize != 8);
		107	*q = i++;
		108	}
		109
		110	/* Assumptions: the head and tail of inbuf are ours to play with.
		111	* The pages, however, may be real pages in the page cache and we replace
		112	* them with scratch pages from *pages before writing to them. /
		113	/* XXX: obviously the above should be documentation of wrap interface,
		114	* and shouldn't be in this kerberos-specific file. */
		115
		116	/* XXX factor out common code with seal/unseal. */
		117
		118	u32
		119	gss_wrap_kerberos(struct gss_ctx *ctx, u32 qop, int offset,
		120	struct xdr_buf buf, struct page *pages)
		121	{
		122	struct krb5_ctx *kctx = ctx->internal_ctx_id;
		123	s32 checksum_type;
		124	struct xdr_netobj md5cksum = {.len = 0, .data = NULL};
		125	int blocksize = 0, plainlen;
		126	unsigned char ptr, krb5_hdr, *msg_start;
		127	s32 now;
		128	int headlen;
		129	struct page **tmp_pages;
		130
		131	dprintk("RPC: gss_wrap_kerberos\n");
		132
		133	now = get_seconds();
		134
		135	if (qop != 0)
		136	goto out_err;
		137
		138	switch (kctx->signalg) {
		139	case SGN_ALG_DES_MAC_MD5:
		140	checksum_type = CKSUMTYPE_RSA_MD5;
		141	break;
		142	default:
		143	dprintk("RPC: gss_krb5_seal: kctx->signalg %d not"
		144	" supported\n", kctx->signalg);
		145	goto out_err;
		146	}
		147	if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
		148	dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n",
		149	kctx->sealalg);
		150	goto out_err;
		151	}
		152
		153	blocksize = crypto_tfm_alg_blocksize(kctx->enc);
		154	gss_krb5_add_padding(buf, offset, blocksize);
		155	BUG_ON((buf->len - offset) % blocksize);
		156	plainlen = blocksize + buf->len - offset;
		157
		158	headlen = g_token_size(&kctx->mech_used, 22 + plainlen) -
		159	(buf->len - offset);
		160
		161	ptr = buf->head[0].iov_base + offset;
		162	/* shift data to make room for header. */
		163	/* XXX Would be cleverer to encrypt while copying. */
		164	/* XXX bounds checking, slack, etc. */
		165	memmove(ptr + headlen, ptr, buf->head[0].iov_len - offset);
		166	buf->head[0].iov_len += headlen;
		167	buf->len += headlen;
		168	BUG_ON((buf->len - offset - headlen) % blocksize);
		169
		170	g_make_token_header(&kctx->mech_used, 22 + plainlen, &ptr);
		171
		172
		173	*ptr++ = (unsigned char) ((KG_TOK_WRAP_MSG>>8)&0xff);
		174	*ptr++ = (unsigned char) (KG_TOK_WRAP_MSG&0xff);
		175
		176	/* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */
		177	krb5_hdr = ptr - 2;
		178	msg_start = krb5_hdr + 24;
		179	/* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize);
		180
		181	(u16 )(krb5_hdr + 2) = htons(kctx->signalg);
		182	memset(krb5_hdr + 4, 0xff, 4);
		183	(u16 )(krb5_hdr + 4) = htons(kctx->sealalg);
		184
		185	make_confounder(msg_start, blocksize);
		186
		187	/* XXXJBF: UGH!: */
		188	tmp_pages = buf->pages;
		189	buf->pages = pages;
		190	if (make_checksum(checksum_type, krb5_hdr, 8, buf,
		191	offset + headlen - blocksize, &md5cksum))
		192	goto out_err;
		193	buf->pages = tmp_pages;
		194
		195	switch (kctx->signalg) {
		196	case SGN_ALG_DES_MAC_MD5:
		197	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
		198	md5cksum.data, md5cksum.len))
		199	goto out_err;
		200	memcpy(krb5_hdr + 16,
		201	md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
		202	KRB5_CKSUM_LENGTH);
		203
		204	dprintk("RPC: make_seal_token: cksum data: \n");
		205	print_hexl((u32 *) (krb5_hdr + 16), KRB5_CKSUM_LENGTH, 0);
		206	break;
		207	default:
		208	BUG();
		209	}
		210
		211	kfree(md5cksum.data);
		212
		213	/* XXX would probably be more efficient to compute checksum
		214	* and encrypt at the same time: */
		215	if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
		216	kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8)))
		217	goto out_err;
		218
		219	if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
		220	pages))
		221	goto out_err;
		222
		223	kctx->seq_send++;
		224
		225	return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
		226	out_err:
		227	if (md5cksum.data) kfree(md5cksum.data);
		228	return GSS_S_FAILURE;
		229	}
		230
		231	u32
		232	gss_unwrap_kerberos(struct gss_ctx ctx, u32 qop, int offset,
		233	struct xdr_buf *buf)
		234	{
		235	struct krb5_ctx *kctx = ctx->internal_ctx_id;
		236	int signalg;
		237	int sealalg;
		238	s32 checksum_type;
		239	struct xdr_netobj md5cksum = {.len = 0, .data = NULL};
		240	s32 now;
		241	int direction;
		242	s32 seqnum;
		243	unsigned char *ptr;
		244	int bodysize;
		245	u32 ret = GSS_S_DEFECTIVE_TOKEN;
		246	void data_start, orig_start;
		247	int data_len;
		248	int blocksize;
		249
		250	dprintk("RPC: gss_unwrap_kerberos\n");
		251
		252	ptr = (u8 *)buf->head[0].iov_base + offset;
		253	if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr,
		254	buf->len - offset))
		255	goto out;
		256
		257	if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) \|\|
		258	(*ptr++ != (KG_TOK_WRAP_MSG &0xff)) )
		259	goto out;
		260
		261	/* XXX sanity-check bodysize?? */
		262
		263	/* get the sign and seal algorithms */
		264
		265	signalg = ptr[0] + (ptr[1] << 8);
		266	sealalg = ptr[2] + (ptr[3] << 8);
		267
		268	/* Sanity checks */
		269
		270	if ((ptr[4] != 0xff) \|\| (ptr[5] != 0xff))
		271	goto out;
		272
		273	if (sealalg == 0xffff)
		274	goto out;
		275
		276	/* in the current spec, there is only one valid seal algorithm per
		277	key type, so a simple comparison is ok */
		278
		279	if (sealalg != kctx->sealalg)
		280	goto out;
		281
		282	/* there are several mappings of seal algorithms to sign algorithms,
		283	but few enough that we can try them all. */
		284
		285	if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) \|\|
		286	(kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) \|\|
		287	(kctx->sealalg == SEAL_ALG_DES3KD &&
		288	signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
		289	goto out;
		290
		291	if (gss_decrypt_xdr_buf(kctx->enc, buf,
		292	ptr + 22 - (unsigned char *)buf->head[0].iov_base))
		293	goto out;
		294
		295	/* compute the checksum of the message */
		296
		297	/* initialize the the cksum */
		298	switch (signalg) {
		299	case SGN_ALG_DES_MAC_MD5:
		300	checksum_type = CKSUMTYPE_RSA_MD5;
		301	break;
		302	default:
		303	ret = GSS_S_DEFECTIVE_TOKEN;
		304	goto out;
		305	}
		306
		307	switch (signalg) {
		308	case SGN_ALG_DES_MAC_MD5:
		309	ret = make_checksum(checksum_type, ptr - 2, 8, buf,
		310	ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
		311	if (ret)
		312	goto out;
		313
		314	ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
		315	md5cksum.data, md5cksum.len);
		316	if (ret)
		317	goto out;
		318
		319	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
		320	ret = GSS_S_BAD_SIG;
		321	goto out;
		322	}
		323	break;
		324	default:
		325	ret = GSS_S_DEFECTIVE_TOKEN;
		326	goto out;
		327	}
		328
		329	/* it got through unscathed. Make sure the context is unexpired */
		330
		331	if (qop)
		332	*qop = GSS_C_QOP_DEFAULT;
		333
		334	now = get_seconds();
		335
		336	ret = GSS_S_CONTEXT_EXPIRED;
		337	if (now > kctx->endtime)
		338	goto out;
		339
		340	/* do sequencing checks */
		341
		342	ret = GSS_S_BAD_SIG;
		343	if ((ret = krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction,
		344	&seqnum)))
		345	goto out;
		346
		347	if ((kctx->initiate && direction != 0xff) \|\|
		348	(!kctx->initiate && direction != 0))
		349	goto out;
		350
		351	/* Copy the data back to the right position. XXX: Would probably be
		352	* better to copy and encrypt at the same time. */
		353
		354	blocksize = crypto_tfm_alg_blocksize(kctx->enc);
		355	data_start = ptr + 22 + blocksize;
		356	orig_start = buf->head[0].iov_base + offset;
		357	data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
		358	memmove(orig_start, data_start, data_len);
		359	buf->head[0].iov_len -= (data_start - orig_start);
		360	buf->len -= (data_start - orig_start);
		361
		362	ret = GSS_S_DEFECTIVE_TOKEN;
		363	if (gss_krb5_remove_padding(buf, blocksize))
		364	goto out;
		365
		366	ret = GSS_S_COMPLETE;
		367	out:
		368	if (md5cksum.data) kfree(md5cksum.data);
		369	return ret;
		370	}