1 | /* |
2 | * linux/net/sunrpc/gss_krb5_seal.c |
3 | * |
4 | * Adapted from MIT Kerberos 5-1.2.1 lib/gssapi/krb5/k5seal.c |
5 | * |
6 | * Copyright (c) 2000-2008 The Regents of the University of Michigan. |
7 | * All rights reserved. |
8 | * |
9 | * Andy Adamson <andros@umich.edu> |
10 | * J. Bruce Fields <bfields@umich.edu> |
11 | */ |
12 | |
13 | /* |
14 | * Copyright 1993 by OpenVision Technologies, Inc. |
15 | * |
16 | * Permission to use, copy, modify, distribute, and sell this software |
17 | * and its documentation for any purpose is hereby granted without fee, |
18 | * provided that the above copyright notice appears in all copies and |
19 | * that both that copyright notice and this permission notice appear in |
20 | * supporting documentation, and that the name of OpenVision not be used |
21 | * in advertising or publicity pertaining to distribution of the software |
22 | * without specific, written prior permission. OpenVision makes no |
23 | * representations about the suitability of this software for any |
24 | * purpose. It is provided "as is" without express or implied warranty. |
25 | * |
26 | * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, |
27 | * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO |
28 | * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR |
29 | * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF |
30 | * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR |
31 | * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
32 | * PERFORMANCE OF THIS SOFTWARE. |
33 | */ |
34 | |
35 | /* |
36 | * Copyright (C) 1998 by the FundsXpress, INC. |
37 | * |
38 | * All rights reserved. |
39 | * |
40 | * Export of this software from the United States of America may require |
41 | * a specific license from the United States Government. It is the |
42 | * responsibility of any person or organization contemplating export to |
43 | * obtain such a license before exporting. |
44 | * |
45 | * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and |
46 | * distribute this software and its documentation for any purpose and |
47 | * without fee is hereby granted, provided that the above copyright |
48 | * notice appear in all copies and that both that copyright notice and |
49 | * this permission notice appear in supporting documentation, and that |
50 | * the name of FundsXpress. not be used in advertising or publicity pertaining |
51 | * to distribution of the software without specific, written prior |
52 | * permission. FundsXpress makes no representations about the suitability of |
53 | * this software for any purpose. It is provided "as is" without express |
54 | * or implied warranty. |
55 | * |
56 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR |
57 | * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED |
58 | * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. |
59 | */ |
60 | |
61 | #include <linux/types.h> |
62 | #include <linux/jiffies.h> |
63 | #include <linux/sunrpc/gss_krb5.h> |
64 | #include <linux/random.h> |
65 | #include <linux/crypto.h> |
66 | #include <linux/atomic.h> |
67 | |
68 | #include "gss_krb5_internal.h" |
69 | |
70 | #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
71 | # define RPCDBG_FACILITY RPCDBG_AUTH |
72 | #endif |
73 | |
/*
 * setup_token_v2 - lay out the fixed part of an RFC 4121 MIC token header
 * @ctx: context whose flags decide the Flags byte
 * @token: output object; @token->data must already point at writable space
 *
 * Writes bytes 0..7 of the header (TOK_ID, Flags, Filler) into @token->data.
 * Bytes 8..15 (SND_SEQ) and the trailing checksum are the caller's job; the
 * token length is nevertheless set here to header plus checksum length so
 * the caller does not have to repeat that arithmetic.
 *
 * The two u16 stores are host-order, which is only byte-exact because the
 * values involved (TOK_ID 0x0404 per RFC 4121 sec 4.2.6.1, and the 0xffff
 * filler) are symmetric byte pairs.
 *
 * Returns the start of the header, i.e. @token->data.
 */
static void *
setup_token_v2(struct krb5_ctx *ctx, struct xdr_netobj *token)
{
	u8 *hdr = token->data;
	u8 flags = 0x00;
	u16 *w;

	/* Flags byte (RFC 4121 sec 4.2.2): 0x01 = SentByAcceptor,
	 * 0x04 = AcceptorSubkey.  Sealed (0x02) never applies to a MIC token.
	 */
	if (!(ctx->flags & KRB5_CTX_FLAG_INITIATOR))
		flags |= 0x01;
	if (ctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
		flags |= 0x04;

	/* Per rfc 4121, sec 4.2.6.1, there is no GSS-API framing around the
	 * token: the MIC token itself starts at byte 0 of the buffer.
	 */
	w = (u16 *)hdr;
	*w = KG2_TOK_MIC;		/* bytes 0-1: TOK_ID */
	hdr[2] = flags;			/* byte 2:   Flags */
	hdr[3] = 0xff;			/* byte 3:   Filler */
	w = (u16 *)(hdr + 4);
	w[0] = 0xffff;			/* bytes 4-7: filler, MIC tokens only */
	w[1] = 0xffff;

	token->len = GSS_KRB5_TOK_HDR_LEN + ctx->gk5e->cksumlength;
	return hdr;
}
103 | |
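/**
 * gss_krb5_get_mic_v2 - produce an RFC 4121 MIC token for a message
 * @ctx: Kerberos 5 GSS context; selects the signing key and supplies the
 *       64-bit send sequence counter
 * @text: the message body to integrity-protect
 * @token: output; @token->data receives the 16-byte token header followed by
 *         the checksum, and @token->len is set to the total length
 *
 * Return: GSS_S_COMPLETE on success; GSS_S_CONTEXT_EXPIRED if a token was
 * produced but @ctx has passed its end time; GSS_S_FAILURE if the checksum
 * could not be computed (the header has already been written to @token->data
 * in that case, but @token must not be used).
 *
 * NOTE(review): nothing here bounds the write against the capacity of
 * @token->data; it is assumed the caller has reserved at least
 * GSS_KRB5_TOK_HDR_LEN + ctx->gk5e->cksumlength bytes — confirm at call sites.
 */
u32
gss_krb5_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
		    struct xdr_netobj *token)
{
	/* Each side signs with its own key; pick ours by role. */
	struct crypto_ahash *tfm = ctx->initiate ?
				   ctx->initiator_sign : ctx->acceptor_sign;
	struct xdr_netobj cksumobj = {
		.len = ctx->gk5e->cksumlength,
	};
	__be64 seq_send_be64;
	void *krb5_hdr;
	time64_t now;

	dprintk("RPC: %s\n", __func__);

	krb5_hdr = setup_token_v2(ctx, token);

	/* SND_SEQ occupies bytes 8..15 of the header: a 64-bit big-endian
	 * counter sent in the clear, with no direction indicator (unlike the
	 * v1 tokens).  The counter is advanced atomically so concurrent
	 * callers on the same context never reuse a sequence number.
	 */
	seq_send_be64 = cpu_to_be64(atomic64_fetch_inc(&ctx->seq_send64));
	memcpy((u8 *)krb5_hdr + 8, &seq_send_be64, sizeof(seq_send_be64));

	/* The checksum is computed over the 16-byte header and the message
	 * body, and lands immediately after the header.
	 */
	cksumobj.data = (u8 *)krb5_hdr + GSS_KRB5_TOK_HDR_LEN;
	if (gss_krb5_checksum(tfm, krb5_hdr, GSS_KRB5_TOK_HDR_LEN,
			      text, 0, &cksumobj))
		return GSS_S_FAILURE;

	/* Expiry is checked only after the token has been built, so an
	 * expired context still yields a well-formed token; callers must
	 * treat GSS_S_CONTEXT_EXPIRED as "do not send".
	 */
	now = ktime_get_real_seconds();
	return (ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
}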
134 | |