[deliverable/linux.git] / net / sunrpc / auth_gss / gss_krb5_wrap.c

/*
 * COPYRIGHT (c) 2008
 * The Regents of the University of Michigan
 * ALL RIGHTS RESERVED
 *
 * Permission is granted to use, copy, create derivative works
 * and redistribute this software and such derivative works
 * for any purpose, so long as the name of The University of
 * Michigan is not used in any advertising or publicity
 * pertaining to the use of distribution of this software
 * without specific, written prior authorization.  If the
 * above copyright notice or any other identification of the
 * University of Michigan is included in any copy of any
 * portion of this software, then the disclaimer below must
 * also be included.
 *
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGES.
 */

#include <linux/types.h>
#include <linux/jiffies.h>
#include <linux/sunrpc/gss_krb5.h>
#include <linux/random.h>
#include <linux/pagemap.h>
#include <linux/crypto.h>

#ifdef RPC_DEBUG
# define RPCDBG_FACILITY	RPCDBG_AUTH
#endif

static inline int
gss_krb5_padding(int blocksize, int length)
{
	return blocksize - (length % blocksize);
}

static inline void
gss_krb5_add_padding(struct xdr_buf *buf, int offset, int blocksize)
{
	int padding = gss_krb5_padding(blocksize, buf->len - offset);
	char *p;
	struct kvec *iov;

	if (buf->page_len || buf->tail[0].iov_len)
		iov = &buf->tail[0];
	else
		iov = &buf->head[0];
	p = iov->iov_base + iov->iov_len;
	iov->iov_len += padding;
	buf->len += padding;
	memset(p, padding, padding);
}

static inline int
gss_krb5_remove_padding(struct xdr_buf *buf, int blocksize)
{
	u8 *ptr;
	u8 pad;
	size_t len = buf->len;

	if (len <= buf->head[0].iov_len) {
		pad = *(u8 *)(buf->head[0].iov_base + len - 1);
		if (pad > buf->head[0].iov_len)
			return -EINVAL;
		buf->head[0].iov_len -= pad;
		goto out;
	} else
		len -= buf->head[0].iov_len;
	if (len <= buf->page_len) {
		unsigned int last = (buf->page_base + len - 1)
					>>PAGE_CACHE_SHIFT;
		unsigned int offset = (buf->page_base + len - 1)
					& (PAGE_CACHE_SIZE - 1);
		ptr = kmap_atomic(buf->pages[last], KM_USER0);
		pad = *(ptr + offset);
		kunmap_atomic(ptr, KM_USER0);
		goto out;
	} else
		len -= buf->page_len;
	BUG_ON(len > buf->tail[0].iov_len);
	pad = *(u8 *)(buf->tail[0].iov_base + len - 1);
out:
	/* XXX: NOTE: we do not adjust the page lengths--they represent
	 * a range of data in the real filesystem page cache, and we need
	 * to know that range so the xdr code can properly place read data.
	 * However adjusting the head length, as we do above, is harmless.
	 * In the case of a request that fits into a single page, the server
	 * also uses length and head length together to determine the original
	 * start of the request to copy the request for deferal; so it's
	 * easier on the server if we adjust head and tail length in tandem.
	 * It's not really a problem that we don't fool with the page and
	 * tail lengths, though--at worst badly formed xdr might lead the
	 * server to attempt to parse the padding.
	 * XXX: Document all these weird requirements for gss mechanism
	 * wrap/unwrap functions. */
	if (pad > blocksize)
		return -EINVAL;
	if (buf->len > pad)
		buf->len -= pad;
	else
		return -EINVAL;
	return 0;
}

static void
make_confounder(char *p, u32 conflen)
{
	static u64 i = 0;
	u64 *q = (u64 *)p;

	/* rfc1964 claims this should be "random".  But all that's really
	 * necessary is that it be unique.  And not even that is necessary in
	 * our case since our "gssapi" implementation exists only to support
	 * rpcsec_gss, so we know that the only buffers we will ever encrypt
	 * already begin with a unique sequence number.  Just to hedge my bets
	 * I'll make a half-hearted attempt at something unique, but ensuring
	 * uniqueness would mean worrying about atomicity and rollover, and I
	 * don't care enough. */

	/* initialize to random value */
	if (i == 0) {
		i = random32();
		i = (i << 32) | random32();
	}

	switch (conflen) {
	case 16:
		*q++ = i++;
		/* fall through */
	case 8:
		*q++ = i++;
		break;
	default:
		BUG();
	}
}

/* Assumptions: the head and tail of inbuf are ours to play with.
 * The pages, however, may be real pages in the page cache and we replace
 * them with scratch pages from **pages before writing to them. */
/* XXX: obviously the above should be documentation of wrap interface,
 * and shouldn't be in this kerberos-specific file. */

/* XXX factor out common code with seal/unseal. */

static u32
gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
		struct xdr_buf *buf, struct page **pages)
{
	char			cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
	struct xdr_netobj	md5cksum = {.len = sizeof(cksumdata),
					    .data = cksumdata};
	int			blocksize = 0, plainlen;
	unsigned char		*ptr, *msg_start;
	s32			now;
	int			headlen;
	struct page		**tmp_pages;
	u32			seq_send;

	dprintk("RPC:       %s\n", __func__);

	now = get_seconds();

	blocksize = crypto_blkcipher_blocksize(kctx->enc);
	gss_krb5_add_padding(buf, offset, blocksize);
	BUG_ON((buf->len - offset) % blocksize);
	plainlen = blocksize + buf->len - offset;

	headlen = g_token_size(&kctx->mech_used,
		GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) -
		(buf->len - offset);

	ptr = buf->head[0].iov_base + offset;
	/* shift data to make room for header. */
	xdr_extend_head(buf, offset, headlen);

	/* XXX Would be cleverer to encrypt while copying. */
	BUG_ON((buf->len - offset - headlen) % blocksize);

	g_make_token_header(&kctx->mech_used,
				GSS_KRB5_TOK_HDR_LEN +
				kctx->gk5e->cksumlength + plainlen, &ptr);


	/* ptr now at header described in rfc 1964, section 1.2.1: */
	ptr[0] = (unsigned char) ((KG_TOK_WRAP_MSG >> 8) & 0xff);
	ptr[1] = (unsigned char) (KG_TOK_WRAP_MSG & 0xff);

	msg_start = ptr + GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength;

	*(__be16 *)(ptr + 2) = cpu_to_le16(kctx->gk5e->signalg);
	memset(ptr + 4, 0xff, 4);
	*(__be16 *)(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg);

	make_confounder(msg_start, blocksize);

	/* XXXJBF: UGH!: */
	tmp_pages = buf->pages;
	buf->pages = pages;
	if (make_checksum((char *)kctx->gk5e->cksum_name, ptr, 8, buf,
				offset + headlen - blocksize, &md5cksum))
		return GSS_S_FAILURE;
	buf->pages = tmp_pages;

	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
			  md5cksum.data, md5cksum.len))
		return GSS_S_FAILURE;
	memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data + md5cksum.len - 8, 8);

	spin_lock(&krb5_seq_lock);
	seq_send = kctx->seq_send++;
	spin_unlock(&krb5_seq_lock);

	/* XXX would probably be more efficient to compute checksum
	 * and encrypt at the same time: */
	if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
			       seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8)))
		return GSS_S_FAILURE;

	if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
									pages))
		return GSS_S_FAILURE;

	return (kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
}

static u32
gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
{
	int			signalg;
	int			sealalg;
	char			cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
	struct xdr_netobj	md5cksum = {.len = sizeof(cksumdata),
					    .data = cksumdata};
	s32			now;
	int			direction;
	s32			seqnum;
	unsigned char		*ptr;
	int			bodysize;
	void			*data_start, *orig_start;
	int			data_len;
	int			blocksize;
	int			crypt_offset;

	dprintk("RPC:       gss_unwrap_kerberos\n");

	ptr = (u8 *)buf->head[0].iov_base + offset;
	if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr,
					buf->len - offset))
		return GSS_S_DEFECTIVE_TOKEN;

	if ((ptr[0] != ((KG_TOK_WRAP_MSG >> 8) & 0xff)) ||
	    (ptr[1] !=  (KG_TOK_WRAP_MSG & 0xff)))
		return GSS_S_DEFECTIVE_TOKEN;

	/* XXX sanity-check bodysize?? */

	/* get the sign and seal algorithms */

	signalg = ptr[2] + (ptr[3] << 8);
	if (signalg != kctx->gk5e->signalg)
		return GSS_S_DEFECTIVE_TOKEN;

	sealalg = ptr[4] + (ptr[5] << 8);
	if (sealalg != kctx->gk5e->sealalg)
		return GSS_S_DEFECTIVE_TOKEN;

	if ((ptr[6] != 0xff) || (ptr[7] != 0xff))
		return GSS_S_DEFECTIVE_TOKEN;

	/*
	 * Data starts after token header and checksum.  ptr points
	 * to the beginning of the token header
	 */
	crypt_offset = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) -
					(unsigned char *)buf->head[0].iov_base;
	if (gss_decrypt_xdr_buf(kctx->enc, buf, crypt_offset))
		return GSS_S_DEFECTIVE_TOKEN;

	if (make_checksum((char *)kctx->gk5e->cksum_name, ptr, 8, buf,
						crypt_offset, &md5cksum))
		return GSS_S_FAILURE;

	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
			   md5cksum.data, md5cksum.len))
		return GSS_S_FAILURE;

	if (memcmp(md5cksum.data + 8, ptr + GSS_KRB5_TOK_HDR_LEN, 8))
		return GSS_S_BAD_SIG;

	/* it got through unscathed.  Make sure the context is unexpired */

	now = get_seconds();

	if (now > kctx->endtime)
		return GSS_S_CONTEXT_EXPIRED;

	/* do sequencing checks */

	if (krb5_get_seq_num(kctx->seq, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8,
				    &direction, &seqnum))
		return GSS_S_BAD_SIG;

	if ((kctx->initiate && direction != 0xff) ||
	    (!kctx->initiate && direction != 0))
		return GSS_S_BAD_SIG;

	/* Copy the data back to the right position.  XXX: Would probably be
	 * better to copy and encrypt at the same time. */

	blocksize = crypto_blkcipher_blocksize(kctx->enc);
	data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) +
					blocksize;
	orig_start = buf->head[0].iov_base + offset;
	data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
	memmove(orig_start, data_start, data_len);
	buf->head[0].iov_len -= (data_start - orig_start);
	buf->len -= (data_start - orig_start);

	if (gss_krb5_remove_padding(buf, blocksize))
		return GSS_S_DEFECTIVE_TOKEN;

	return GSS_S_COMPLETE;
}

u32
gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
		  struct xdr_buf *buf, struct page **pages)
{
	struct krb5_ctx	*kctx = gctx->internal_ctx_id;

	switch (kctx->enctype) {
	default:
		BUG();
	case ENCTYPE_DES_CBC_RAW:
		return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
	}
}

u32
gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct xdr_buf *buf)
{
	struct krb5_ctx	*kctx = gctx->internal_ctx_id;

	switch (kctx->enctype) {
	default:
		BUG();
	case ENCTYPE_DES_CBC_RAW:
		return gss_unwrap_kerberos_v1(kctx, offset, buf);
	}
}
Commit	Line	Data
81d4a433 KC	1	/*
	2	* COPYRIGHT (c) 2008
	3	* The Regents of the University of Michigan
	4	* ALL RIGHTS RESERVED
	5	*
	6	* Permission is granted to use, copy, create derivative works
	7	* and redistribute this software and such derivative works
	8	* for any purpose, so long as the name of The University of
	9	* Michigan is not used in any advertising or publicity
	10	* pertaining to the use of distribution of this software
	11	* without specific, written prior authorization. If the
	12	* above copyright notice or any other identification of the
	13	* University of Michigan is included in any copy of any
	14	* portion of this software, then the disclaimer below must
	15	* also be included.
	16	*
	17	* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
	18	* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
	19	* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
	20	* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
	21	* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
	22	* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
	23	* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
	24	* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
	25	* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
	26	* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
	27	* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
	28	* SUCH DAMAGES.
	29	*/
	30
14ae162c	31	#include <linux/types.h>
14ae162c BF	32	#include <linux/jiffies.h>
	33	#include <linux/sunrpc/gss_krb5.h>
	34	#include <linux/random.h>
	35	#include <linux/pagemap.h>
14ae162c BF	36	#include <linux/crypto.h>
	37
	38	#ifdef RPC_DEBUG
	39	# define RPCDBG_FACILITY RPCDBG_AUTH
	40	#endif
	41
	42	static inline int
	43	gss_krb5_padding(int blocksize, int length)
	44	{
54ec3d46	45	return blocksize - (length % blocksize);
14ae162c BF	46	}
	47
	48	static inline void
	49	gss_krb5_add_padding(struct xdr_buf *buf, int offset, int blocksize)
	50	{
	51	int padding = gss_krb5_padding(blocksize, buf->len - offset);
	52	char *p;
	53	struct kvec *iov;
	54
	55	if (buf->page_len \|\| buf->tail[0].iov_len)
	56	iov = &buf->tail[0];
	57	else
	58	iov = &buf->head[0];
	59	p = iov->iov_base + iov->iov_len;
	60	iov->iov_len += padding;
	61	buf->len += padding;
	62	memset(p, padding, padding);
	63	}
	64
	65	static inline int
	66	gss_krb5_remove_padding(struct xdr_buf *buf, int blocksize)
	67	{
	68	u8 *ptr;
	69	u8 pad;
67f97d83	70	size_t len = buf->len;
14ae162c BF	71
	72	if (len <= buf->head[0].iov_len) {
	73	pad = (u8 )(buf->head[0].iov_base + len - 1);
	74	if (pad > buf->head[0].iov_len)
	75	return -EINVAL;
	76	buf->head[0].iov_len -= pad;
	77	goto out;
	78	} else
	79	len -= buf->head[0].iov_len;
	80	if (len <= buf->page_len) {
67f97d83	81	unsigned int last = (buf->page_base + len - 1)
14ae162c	82	>>PAGE_CACHE_SHIFT;
67f97d83	83	unsigned int offset = (buf->page_base + len - 1)
14ae162c	84	& (PAGE_CACHE_SIZE - 1);
87d918d6	85	ptr = kmap_atomic(buf->pages[last], KM_USER0);
14ae162c	86	pad = *(ptr + offset);
87d918d6	87	kunmap_atomic(ptr, KM_USER0);
14ae162c BF	88	goto out;
	89	} else
	90	len -= buf->page_len;
	91	BUG_ON(len > buf->tail[0].iov_len);
	92	pad = (u8 )(buf->tail[0].iov_base + len - 1);
	93	out:
	94	/* XXX: NOTE: we do not adjust the page lengths--they represent
	95	* a range of data in the real filesystem page cache, and we need
	96	* to know that range so the xdr code can properly place read data.
	97	* However adjusting the head length, as we do above, is harmless.
	98	* In the case of a request that fits into a single page, the server
	99	* also uses length and head length together to determine the original
	100	* start of the request to copy the request for deferal; so it's
	101	* easier on the server if we adjust head and tail length in tandem.
	102	* It's not really a problem that we don't fool with the page and
	103	* tail lengths, though--at worst badly formed xdr might lead the
	104	* server to attempt to parse the padding.
	105	* XXX: Document all these weird requirements for gss mechanism
	106	* wrap/unwrap functions. */
	107	if (pad > blocksize)
	108	return -EINVAL;
	109	if (buf->len > pad)
	110	buf->len -= pad;
	111	else
	112	return -EINVAL;
	113	return 0;
	114	}
	115
863a2488 KC	116	static void
863a2488 KC	117	make_confounder(char *p, u32 conflen)
14ae162c BF	118	{
	119	static u64 i = 0;
	120	u64 q = (u64 )p;
	121
	122	/* rfc1964 claims this should be "random". But all that's really
	123	* necessary is that it be unique. And not even that is necessary in
	124	* our case since our "gssapi" implementation exists only to support
	125	* rpcsec_gss, so we know that the only buffers we will ever encrypt
	126	* already begin with a unique sequence number. Just to hedge my bets
	127	* I'll make a half-hearted attempt at something unique, but ensuring
	128	* uniqueness would mean worrying about atomicity and rollover, and I
	129	* don't care enough. */
	130
863a2488 KC	131	/* initialize to random value */
	132	if (i == 0) {
	133	i = random32();
	134	i = (i << 32) \| random32();
	135	}
	136
	137	switch (conflen) {
	138	case 16:
	139	*q++ = i++;
	140	/* fall through */
	141	case 8:
	142	*q++ = i++;
	143	break;
	144	default:
	145	BUG();
	146	}
14ae162c BF	147	}
	148
	149	/* Assumptions: the head and tail of inbuf are ours to play with.
	150	* The pages, however, may be real pages in the page cache and we replace
	151	* them with scratch pages from *pages before writing to them. /
	152	/* XXX: obviously the above should be documentation of wrap interface,
	153	* and shouldn't be in this kerberos-specific file. */
	154
	155	/* XXX factor out common code with seal/unseal. */
	156
1ac3719a KC	157	static u32
1ac3719a KC	158	gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
14ae162c BF	159	struct xdr_buf buf, struct page *pages)
14ae162c BF	160	{
81d4a433 KC	161	char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
	162	struct xdr_netobj md5cksum = {.len = sizeof(cksumdata),
	163	.data = cksumdata};
14ae162c	164	int blocksize = 0, plainlen;
d00953a5	165	unsigned char ptr, msg_start;
14ae162c BF	166	s32 now;
	167	int headlen;
	168	struct page **tmp_pages;
eaa82edf	169	u32 seq_send;
14ae162c	170
81d4a433	171	dprintk("RPC: %s\n", __func__);
14ae162c BF	172
	173	now = get_seconds();
	174
378c6697	175	blocksize = crypto_blkcipher_blocksize(kctx->enc);
14ae162c BF	176	gss_krb5_add_padding(buf, offset, blocksize);
	177	BUG_ON((buf->len - offset) % blocksize);
	178	plainlen = blocksize + buf->len - offset;
	179
81d4a433 KC	180	headlen = g_token_size(&kctx->mech_used,
	181	GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) -
	182	(buf->len - offset);
14ae162c BF	183
	184	ptr = buf->head[0].iov_base + offset;
	185	/* shift data to make room for header. */
725f2865 KC	186	xdr_extend_head(buf, offset, headlen);
725f2865 KC	187
14ae162c	188	/* XXX Would be cleverer to encrypt while copying. */
14ae162c BF	189	BUG_ON((buf->len - offset - headlen) % blocksize);
14ae162c BF	190
d00953a5	191	g_make_token_header(&kctx->mech_used,
81d4a433 KC	192	GSS_KRB5_TOK_HDR_LEN +
81d4a433 KC	193	kctx->gk5e->cksumlength + plainlen, &ptr);
14ae162c BF	194
14ae162c BF	195
d00953a5 KC	196	/* ptr now at header described in rfc 1964, section 1.2.1: */
	197	ptr[0] = (unsigned char) ((KG_TOK_WRAP_MSG >> 8) & 0xff);
	198	ptr[1] = (unsigned char) (KG_TOK_WRAP_MSG & 0xff);
14ae162c	199
81d4a433	200	msg_start = ptr + GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength;
14ae162c	201
81d4a433	202	(__be16 )(ptr + 2) = cpu_to_le16(kctx->gk5e->signalg);
d00953a5	203	memset(ptr + 4, 0xff, 4);
81d4a433	204	(__be16 )(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg);
14ae162c BF	205
	206	make_confounder(msg_start, blocksize);
	207
	208	/* XXXJBF: UGH!: */
	209	tmp_pages = buf->pages;
	210	buf->pages = pages;
81d4a433	211	if (make_checksum((char *)kctx->gk5e->cksum_name, ptr, 8, buf,
14ae162c	212	offset + headlen - blocksize, &md5cksum))
39a21dd1	213	return GSS_S_FAILURE;
14ae162c BF	214	buf->pages = tmp_pages;
14ae162c BF	215
e678e06b BF	216	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
e678e06b BF	217	md5cksum.data, md5cksum.len))
39a21dd1	218	return GSS_S_FAILURE;
d00953a5	219	memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data + md5cksum.len - 8, 8);
14ae162c	220
eaa82edf BF	221	spin_lock(&krb5_seq_lock);
	222	seq_send = kctx->seq_send++;
	223	spin_unlock(&krb5_seq_lock);
	224
14ae162c BF	225	/* XXX would probably be more efficient to compute checksum
	226	* and encrypt at the same time: */
	227	if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
d00953a5	228	seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8)))
39a21dd1	229	return GSS_S_FAILURE;
14ae162c BF	230
	231	if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
	232	pages))
39a21dd1	233	return GSS_S_FAILURE;
14ae162c	234
94efa934	235	return (kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
14ae162c BF	236	}
14ae162c BF	237
1ac3719a KC	238	static u32
1ac3719a KC	239	gss_unwrap_kerberos_v1(struct krb5_ctx kctx, int offset, struct xdr_buf buf)
14ae162c	240	{
14ae162c BF	241	int signalg;
14ae162c BF	242	int sealalg;
81d4a433 KC	243	char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
	244	struct xdr_netobj md5cksum = {.len = sizeof(cksumdata),
	245	.data = cksumdata};
14ae162c BF	246	s32 now;
	247	int direction;
	248	s32 seqnum;
	249	unsigned char *ptr;
	250	int bodysize;
14ae162c BF	251	void data_start, orig_start;
	252	int data_len;
	253	int blocksize;
81d4a433	254	int crypt_offset;
14ae162c	255
8885cb36	256	dprintk("RPC: gss_unwrap_kerberos\n");
14ae162c BF	257
	258	ptr = (u8 *)buf->head[0].iov_base + offset;
	259	if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr,
	260	buf->len - offset))
39a21dd1	261	return GSS_S_DEFECTIVE_TOKEN;
14ae162c	262
d00953a5 KC	263	if ((ptr[0] != ((KG_TOK_WRAP_MSG >> 8) & 0xff)) \|\|
d00953a5 KC	264	(ptr[1] != (KG_TOK_WRAP_MSG & 0xff)))
39a21dd1	265	return GSS_S_DEFECTIVE_TOKEN;
14ae162c BF	266
	267	/* XXX sanity-check bodysize?? */
	268
	269	/* get the sign and seal algorithms */
	270
d00953a5	271	signalg = ptr[2] + (ptr[3] << 8);
81d4a433	272	if (signalg != kctx->gk5e->signalg)
39a21dd1	273	return GSS_S_DEFECTIVE_TOKEN;
14ae162c	274
d00953a5	275	sealalg = ptr[4] + (ptr[5] << 8);
81d4a433	276	if (sealalg != kctx->gk5e->sealalg)
39a21dd1	277	return GSS_S_DEFECTIVE_TOKEN;
94efa934	278
d00953a5	279	if ((ptr[6] != 0xff) \|\| (ptr[7] != 0xff))
39a21dd1	280	return GSS_S_DEFECTIVE_TOKEN;
14ae162c	281
81d4a433 KC	282	/*
	283	* Data starts after token header and checksum. ptr points
	284	* to the beginning of the token header
	285	*/
	286	crypt_offset = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) -
	287	(unsigned char *)buf->head[0].iov_base;
	288	if (gss_decrypt_xdr_buf(kctx->enc, buf, crypt_offset))
39a21dd1	289	return GSS_S_DEFECTIVE_TOKEN;
14ae162c	290
81d4a433 KC	291	if (make_checksum((char *)kctx->gk5e->cksum_name, ptr, 8, buf,
81d4a433 KC	292	crypt_offset, &md5cksum))
39a21dd1	293	return GSS_S_FAILURE;
5eb064f9	294
39a21dd1 BF	295	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
	296	md5cksum.data, md5cksum.len))
	297	return GSS_S_FAILURE;
14ae162c	298
d00953a5	299	if (memcmp(md5cksum.data + 8, ptr + GSS_KRB5_TOK_HDR_LEN, 8))
39a21dd1	300	return GSS_S_BAD_SIG;
14ae162c BF	301
	302	/* it got through unscathed. Make sure the context is unexpired */
	303
14ae162c BF	304	now = get_seconds();
14ae162c BF	305
14ae162c	306	if (now > kctx->endtime)
39a21dd1	307	return GSS_S_CONTEXT_EXPIRED;
14ae162c BF	308
	309	/* do sequencing checks */
	310
d00953a5 KC	311	if (krb5_get_seq_num(kctx->seq, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8,
d00953a5 KC	312	&direction, &seqnum))
39a21dd1	313	return GSS_S_BAD_SIG;
14ae162c BF	314
	315	if ((kctx->initiate && direction != 0xff) \|\|
	316	(!kctx->initiate && direction != 0))
39a21dd1	317	return GSS_S_BAD_SIG;
14ae162c BF	318
	319	/* Copy the data back to the right position. XXX: Would probably be
	320	* better to copy and encrypt at the same time. */
	321
378c6697	322	blocksize = crypto_blkcipher_blocksize(kctx->enc);
81d4a433 KC	323	data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) +
81d4a433 KC	324	blocksize;
14ae162c BF	325	orig_start = buf->head[0].iov_base + offset;
	326	data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
	327	memmove(orig_start, data_start, data_len);
	328	buf->head[0].iov_len -= (data_start - orig_start);
	329	buf->len -= (data_start - orig_start);
	330
14ae162c	331	if (gss_krb5_remove_padding(buf, blocksize))
39a21dd1	332	return GSS_S_DEFECTIVE_TOKEN;
14ae162c	333
39a21dd1	334	return GSS_S_COMPLETE;
14ae162c	335	}
1ac3719a KC	336
	337	u32
	338	gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
	339	struct xdr_buf buf, struct page *pages)
	340	{
	341	struct krb5_ctx *kctx = gctx->internal_ctx_id;
	342
	343	switch (kctx->enctype) {
	344	default:
	345	BUG();
	346	case ENCTYPE_DES_CBC_RAW:
	347	return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
	348	}
	349	}
	350
	351	u32
	352	gss_unwrap_kerberos(struct gss_ctx gctx, int offset, struct xdr_buf buf)
	353	{
	354	struct krb5_ctx *kctx = gctx->internal_ctx_id;
	355
	356	switch (kctx->enctype) {
	357	default:
	358	BUG();
	359	case ENCTYPE_DES_CBC_RAW:
	360	return gss_unwrap_kerberos_v1(kctx, offset, buf);
	361	}
	362	}
	363