1/*
2 * linux/net/sunrpc/gss_krb5_seal.c
3 *
4 * Adapted from MIT Kerberos 5-1.2.1 lib/gssapi/krb5/k5seal.c
5 *
6 * Copyright (c) 2000-2008 The Regents of the University of Michigan.
7 * All rights reserved.
8 *
9 * Andy Adamson <andros@umich.edu>
10 * J. Bruce Fields <bfields@umich.edu>
11 */
12
13/*
14 * Copyright 1993 by OpenVision Technologies, Inc.
15 *
16 * Permission to use, copy, modify, distribute, and sell this software
17 * and its documentation for any purpose is hereby granted without fee,
18 * provided that the above copyright notice appears in all copies and
19 * that both that copyright notice and this permission notice appear in
20 * supporting documentation, and that the name of OpenVision not be used
21 * in advertising or publicity pertaining to distribution of the software
22 * without specific, written prior permission. OpenVision makes no
23 * representations about the suitability of this software for any
24 * purpose. It is provided "as is" without express or implied warranty.
25 *
26 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
27 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
28 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
29 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
30 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
31 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
32 * PERFORMANCE OF THIS SOFTWARE.
33 */
34
35/*
36 * Copyright (C) 1998 by the FundsXpress, INC.
37 *
38 * All rights reserved.
39 *
40 * Export of this software from the United States of America may require
41 * a specific license from the United States Government. It is the
42 * responsibility of any person or organization contemplating export to
43 * obtain such a license before exporting.
44 *
45 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
46 * distribute this software and its documentation for any purpose and
47 * without fee is hereby granted, provided that the above copyright
48 * notice appear in all copies and that both that copyright notice and
49 * this permission notice appear in supporting documentation, and that
50 * the name of FundsXpress. not be used in advertising or publicity pertaining
51 * to distribution of the software without specific, written prior
52 * permission. FundsXpress makes no representations about the suitability of
53 * this software for any purpose. It is provided "as is" without express
54 * or implied warranty.
55 *
56 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
57 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
58 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
59 */
60
61#include <linux/types.h>
62#include <linux/jiffies.h>
63#include <linux/sunrpc/gss_krb5.h>
64#include <linux/random.h>
65#include <linux/crypto.h>
66#include <linux/atomic.h>
67
68#include "gss_krb5_internal.h"
69
70#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
71# define RPCDBG_FACILITY RPCDBG_AUTH
72#endif
73
74static void *
75setup_token_v2(struct krb5_ctx *ctx, struct xdr_netobj *token)
76{
77 u16 *ptr;
78 void *krb5_hdr;
79 u8 *p, flags = 0x00;
80
81 if ((ctx->flags & KRB5_CTX_FLAG_INITIATOR) == 0)
82 flags |= 0x01;
83 if (ctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
84 flags |= 0x04;
85
86 /* Per rfc 4121, sec 4.2.6.1, there is no header,
87 * just start the token.
88 */
89 krb5_hdr = (u16 *)token->data;
90 ptr = krb5_hdr;
91
92 *ptr++ = KG2_TOK_MIC;
93 p = (u8 *)ptr;
94 *p++ = flags;
95 *p++ = 0xff;
96 ptr = (u16 *)p;
97 *ptr++ = 0xffff;
98 *ptr = 0xffff;
99
100 token->len = GSS_KRB5_TOK_HDR_LEN + ctx->gk5e->cksumlength;
101 return krb5_hdr;
102}
103
104u32
105gss_krb5_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
106 struct xdr_netobj *token)
107{
108 struct crypto_ahash *tfm = ctx->initiate ?
109 ctx->initiator_sign : ctx->acceptor_sign;
110 struct xdr_netobj cksumobj = {
111 .len = ctx->gk5e->cksumlength,
112 };
113 __be64 seq_send_be64;
114 void *krb5_hdr;
115 time64_t now;
116
117 dprintk("RPC: %s\n", __func__);
118
119 krb5_hdr = setup_token_v2(ctx, token);
120
121 /* Set up the sequence number. Now 64-bits in clear
122 * text and w/o direction indicator */
123 seq_send_be64 = cpu_to_be64(atomic64_fetch_inc(&ctx->seq_send64));
124 memcpy(krb5_hdr + 8, (char *) &seq_send_be64, 8);
125
126 cksumobj.data = krb5_hdr + GSS_KRB5_TOK_HDR_LEN;
127 if (gss_krb5_checksum(tfm, header: krb5_hdr, GSS_KRB5_TOK_HDR_LEN,
128 body: text, body_offset: 0, cksumout: &cksumobj))
129 return GSS_S_FAILURE;
130
131 now = ktime_get_real_seconds();
132 return (ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
133}
134

source code of linux/net/sunrpc/auth_gss/gss_krb5_seal.c