3 * The Regents of the University of Michigan
6 * Permission is granted to use, copy, create derivative works
7 * and redistribute this software and such derivative works
8 * for any purpose, so long as the name of The University of
9 * Michigan is not used in any advertising or publicity
10 * pertaining to the use of distribution of this software
11 * without specific, written prior authorization. If the
12 * above copyright notice or any other identification of the
13 * University of Michigan is included in any copy of any
14 * portion of this software, then the disclaimer below must
17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
31 #include <crypto/skcipher.h>
32 #include <linux/types.h>
33 #include <linux/jiffies.h>
34 #include <linux/sunrpc/gss_krb5.h>
35 #include <linux/random.h>
36 #include <linux/pagemap.h>
38 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
39 # define RPCDBG_FACILITY RPCDBG_AUTH
43 gss_krb5_padding(int blocksize
, int length
)
45 return blocksize
- (length
% blocksize
);
49 gss_krb5_add_padding(struct xdr_buf
*buf
, int offset
, int blocksize
)
51 int padding
= gss_krb5_padding(blocksize
, buf
->len
- offset
);
55 if (buf
->page_len
|| buf
->tail
[0].iov_len
)
59 p
= iov
->iov_base
+ iov
->iov_len
;
60 iov
->iov_len
+= padding
;
62 memset(p
, padding
, padding
);
66 gss_krb5_remove_padding(struct xdr_buf
*buf
, int blocksize
)
70 size_t len
= buf
->len
;
72 if (len
<= buf
->head
[0].iov_len
) {
73 pad
= *(u8
*)(buf
->head
[0].iov_base
+ len
- 1);
74 if (pad
> buf
->head
[0].iov_len
)
76 buf
->head
[0].iov_len
-= pad
;
79 len
-= buf
->head
[0].iov_len
;
80 if (len
<= buf
->page_len
) {
81 unsigned int last
= (buf
->page_base
+ len
- 1)
83 unsigned int offset
= (buf
->page_base
+ len
- 1)
85 ptr
= kmap_atomic(buf
->pages
[last
]);
86 pad
= *(ptr
+ offset
);
91 BUG_ON(len
> buf
->tail
[0].iov_len
);
92 pad
= *(u8
*)(buf
->tail
[0].iov_base
+ len
- 1);
94 /* XXX: NOTE: we do not adjust the page lengths--they represent
95 * a range of data in the real filesystem page cache, and we need
96 * to know that range so the xdr code can properly place read data.
97 * However adjusting the head length, as we do above, is harmless.
98 * In the case of a request that fits into a single page, the server
99 * also uses length and head length together to determine the original
100 * start of the request to copy the request for deferal; so it's
101 * easier on the server if we adjust head and tail length in tandem.
102 * It's not really a problem that we don't fool with the page and
103 * tail lengths, though--at worst badly formed xdr might lead the
104 * server to attempt to parse the padding.
105 * XXX: Document all these weird requirements for gss mechanism
106 * wrap/unwrap functions. */
117 gss_krb5_make_confounder(char *p
, u32 conflen
)
122 /* rfc1964 claims this should be "random". But all that's really
123 * necessary is that it be unique. And not even that is necessary in
124 * our case since our "gssapi" implementation exists only to support
125 * rpcsec_gss, so we know that the only buffers we will ever encrypt
126 * already begin with a unique sequence number. Just to hedge my bets
127 * I'll make a half-hearted attempt at something unique, but ensuring
128 * uniqueness would mean worrying about atomicity and rollover, and I
129 * don't care enough. */
131 /* initialize to random value */
134 i
= (i
<< 32) | prandom_u32();
149 /* Assumptions: the head and tail of inbuf are ours to play with.
150 * The pages, however, may be real pages in the page cache and we replace
151 * them with scratch pages from **pages before writing to them. */
152 /* XXX: obviously the above should be documentation of wrap interface,
153 * and shouldn't be in this kerberos-specific file. */
155 /* XXX factor out common code with seal/unseal. */
158 gss_wrap_kerberos_v1(struct krb5_ctx
*kctx
, int offset
,
159 struct xdr_buf
*buf
, struct page
**pages
)
161 char cksumdata
[GSS_KRB5_MAX_CKSUM_LEN
];
162 struct xdr_netobj md5cksum
= {.len
= sizeof(cksumdata
),
164 int blocksize
= 0, plainlen
;
165 unsigned char *ptr
, *msg_start
;
168 struct page
**tmp_pages
;
171 u32 conflen
= kctx
->gk5e
->conflen
;
173 dprintk("RPC: %s\n", __func__
);
175 now
= ktime_get_real_seconds();
177 blocksize
= crypto_sync_skcipher_blocksize(kctx
->enc
);
178 gss_krb5_add_padding(buf
, offset
, blocksize
);
179 BUG_ON((buf
->len
- offset
) % blocksize
);
180 plainlen
= conflen
+ buf
->len
- offset
;
182 headlen
= g_token_size(&kctx
->mech_used
,
183 GSS_KRB5_TOK_HDR_LEN
+ kctx
->gk5e
->cksumlength
+ plainlen
) -
186 ptr
= buf
->head
[0].iov_base
+ offset
;
187 /* shift data to make room for header. */
188 xdr_extend_head(buf
, offset
, headlen
);
190 /* XXX Would be cleverer to encrypt while copying. */
191 BUG_ON((buf
->len
- offset
- headlen
) % blocksize
);
193 g_make_token_header(&kctx
->mech_used
,
194 GSS_KRB5_TOK_HDR_LEN
+
195 kctx
->gk5e
->cksumlength
+ plainlen
, &ptr
);
198 /* ptr now at header described in rfc 1964, section 1.2.1: */
199 ptr
[0] = (unsigned char) ((KG_TOK_WRAP_MSG
>> 8) & 0xff);
200 ptr
[1] = (unsigned char) (KG_TOK_WRAP_MSG
& 0xff);
202 msg_start
= ptr
+ GSS_KRB5_TOK_HDR_LEN
+ kctx
->gk5e
->cksumlength
;
205 * signalg and sealalg are stored as if they were converted from LE
206 * to host endian, even though they're opaque pairs of bytes according
209 *(__le16
*)(ptr
+ 2) = cpu_to_le16(kctx
->gk5e
->signalg
);
210 *(__le16
*)(ptr
+ 4) = cpu_to_le16(kctx
->gk5e
->sealalg
);
214 gss_krb5_make_confounder(msg_start
, conflen
);
216 if (kctx
->gk5e
->keyed_cksum
)
217 cksumkey
= kctx
->cksum
;
222 tmp_pages
= buf
->pages
;
224 if (make_checksum(kctx
, ptr
, 8, buf
, offset
+ headlen
- conflen
,
225 cksumkey
, KG_USAGE_SEAL
, &md5cksum
))
226 return GSS_S_FAILURE
;
227 buf
->pages
= tmp_pages
;
229 memcpy(ptr
+ GSS_KRB5_TOK_HDR_LEN
, md5cksum
.data
, md5cksum
.len
);
231 seq_send
= atomic_fetch_inc(&kctx
->seq_send
);
233 /* XXX would probably be more efficient to compute checksum
234 * and encrypt at the same time: */
235 if ((krb5_make_seq_num(kctx
, kctx
->seq
, kctx
->initiate
? 0 : 0xff,
236 seq_send
, ptr
+ GSS_KRB5_TOK_HDR_LEN
, ptr
+ 8)))
237 return GSS_S_FAILURE
;
239 if (kctx
->enctype
== ENCTYPE_ARCFOUR_HMAC
) {
240 struct crypto_sync_skcipher
*cipher
;
242 cipher
= crypto_alloc_sync_skcipher(kctx
->gk5e
->encrypt_name
,
245 return GSS_S_FAILURE
;
247 krb5_rc4_setup_enc_key(kctx
, cipher
, seq_send
);
249 err
= gss_encrypt_xdr_buf(cipher
, buf
,
250 offset
+ headlen
- conflen
, pages
);
251 crypto_free_sync_skcipher(cipher
);
253 return GSS_S_FAILURE
;
255 if (gss_encrypt_xdr_buf(kctx
->enc
, buf
,
256 offset
+ headlen
- conflen
, pages
))
257 return GSS_S_FAILURE
;
260 return (kctx
->endtime
< now
) ? GSS_S_CONTEXT_EXPIRED
: GSS_S_COMPLETE
;
264 gss_unwrap_kerberos_v1(struct krb5_ctx
*kctx
, int offset
, int len
,
265 struct xdr_buf
*buf
, unsigned int *slack
,
270 char cksumdata
[GSS_KRB5_MAX_CKSUM_LEN
];
271 struct xdr_netobj md5cksum
= {.len
= sizeof(cksumdata
),
278 void *data_start
, *orig_start
;
281 u32 conflen
= kctx
->gk5e
->conflen
;
284 unsigned int saved_len
= buf
->len
;
286 dprintk("RPC: gss_unwrap_kerberos\n");
288 ptr
= (u8
*)buf
->head
[0].iov_base
+ offset
;
289 if (g_verify_token_header(&kctx
->mech_used
, &bodysize
, &ptr
,
291 return GSS_S_DEFECTIVE_TOKEN
;
293 if ((ptr
[0] != ((KG_TOK_WRAP_MSG
>> 8) & 0xff)) ||
294 (ptr
[1] != (KG_TOK_WRAP_MSG
& 0xff)))
295 return GSS_S_DEFECTIVE_TOKEN
;
297 /* XXX sanity-check bodysize?? */
299 /* get the sign and seal algorithms */
301 signalg
= ptr
[2] + (ptr
[3] << 8);
302 if (signalg
!= kctx
->gk5e
->signalg
)
303 return GSS_S_DEFECTIVE_TOKEN
;
305 sealalg
= ptr
[4] + (ptr
[5] << 8);
306 if (sealalg
!= kctx
->gk5e
->sealalg
)
307 return GSS_S_DEFECTIVE_TOKEN
;
309 if ((ptr
[6] != 0xff) || (ptr
[7] != 0xff))
310 return GSS_S_DEFECTIVE_TOKEN
;
313 * Data starts after token header and checksum. ptr points
314 * to the beginning of the token header
316 crypt_offset
= ptr
+ (GSS_KRB5_TOK_HDR_LEN
+ kctx
->gk5e
->cksumlength
) -
317 (unsigned char *)buf
->head
[0].iov_base
;
320 * Need plaintext seqnum to derive encryption key for arcfour-hmac
322 if (krb5_get_seq_num(kctx
, ptr
+ GSS_KRB5_TOK_HDR_LEN
,
323 ptr
+ 8, &direction
, &seqnum
))
324 return GSS_S_BAD_SIG
;
326 if ((kctx
->initiate
&& direction
!= 0xff) ||
327 (!kctx
->initiate
&& direction
!= 0))
328 return GSS_S_BAD_SIG
;
331 if (kctx
->enctype
== ENCTYPE_ARCFOUR_HMAC
) {
332 struct crypto_sync_skcipher
*cipher
;
335 cipher
= crypto_alloc_sync_skcipher(kctx
->gk5e
->encrypt_name
,
338 return GSS_S_FAILURE
;
340 krb5_rc4_setup_enc_key(kctx
, cipher
, seqnum
);
342 err
= gss_decrypt_xdr_buf(cipher
, buf
, crypt_offset
);
343 crypto_free_sync_skcipher(cipher
);
345 return GSS_S_DEFECTIVE_TOKEN
;
347 if (gss_decrypt_xdr_buf(kctx
->enc
, buf
, crypt_offset
))
348 return GSS_S_DEFECTIVE_TOKEN
;
351 if (kctx
->gk5e
->keyed_cksum
)
352 cksumkey
= kctx
->cksum
;
356 if (make_checksum(kctx
, ptr
, 8, buf
, crypt_offset
,
357 cksumkey
, KG_USAGE_SEAL
, &md5cksum
))
358 return GSS_S_FAILURE
;
360 if (memcmp(md5cksum
.data
, ptr
+ GSS_KRB5_TOK_HDR_LEN
,
361 kctx
->gk5e
->cksumlength
))
362 return GSS_S_BAD_SIG
;
364 /* it got through unscathed. Make sure the context is unexpired */
366 now
= ktime_get_real_seconds();
368 if (now
> kctx
->endtime
)
369 return GSS_S_CONTEXT_EXPIRED
;
371 /* do sequencing checks */
373 /* Copy the data back to the right position. XXX: Would probably be
374 * better to copy and encrypt at the same time. */
376 blocksize
= crypto_sync_skcipher_blocksize(kctx
->enc
);
377 data_start
= ptr
+ (GSS_KRB5_TOK_HDR_LEN
+ kctx
->gk5e
->cksumlength
) +
379 orig_start
= buf
->head
[0].iov_base
+ offset
;
380 data_len
= (buf
->head
[0].iov_base
+ buf
->head
[0].iov_len
) - data_start
;
381 memmove(orig_start
, data_start
, data_len
);
382 buf
->head
[0].iov_len
-= (data_start
- orig_start
);
383 buf
->len
= len
- (data_start
- orig_start
);
385 if (gss_krb5_remove_padding(buf
, blocksize
))
386 return GSS_S_DEFECTIVE_TOKEN
;
388 /* slack must include room for krb5 padding */
389 *slack
= XDR_QUADLEN(saved_len
- buf
->len
);
390 /* The GSS blob always precedes the RPC message payload */
392 return GSS_S_COMPLETE
;
396 * We can shift data by up to LOCAL_BUF_LEN bytes in a pass. If we need
397 * to do more than that, we shift repeatedly. Kevin Coffman reports
398 * seeing 28 bytes as the value used by Microsoft clients and servers
399 * with AES, so this constant is chosen to allow handling 28 in one pass
400 * without using too much stack space.
402 * If that proves to a problem perhaps we could use a more clever
405 #define LOCAL_BUF_LEN 32u
407 static void rotate_buf_a_little(struct xdr_buf
*buf
, unsigned int shift
)
409 char head
[LOCAL_BUF_LEN
];
410 char tmp
[LOCAL_BUF_LEN
];
411 unsigned int this_len
, i
;
413 BUG_ON(shift
> LOCAL_BUF_LEN
);
415 read_bytes_from_xdr_buf(buf
, 0, head
, shift
);
416 for (i
= 0; i
+ shift
< buf
->len
; i
+= LOCAL_BUF_LEN
) {
417 this_len
= min(LOCAL_BUF_LEN
, buf
->len
- (i
+ shift
));
418 read_bytes_from_xdr_buf(buf
, i
+shift
, tmp
, this_len
);
419 write_bytes_to_xdr_buf(buf
, i
, tmp
, this_len
);
421 write_bytes_to_xdr_buf(buf
, buf
->len
- shift
, head
, shift
);
424 static void _rotate_left(struct xdr_buf
*buf
, unsigned int shift
)
430 while (shifted
< shift
) {
431 this_shift
= min(shift
- shifted
, LOCAL_BUF_LEN
);
432 rotate_buf_a_little(buf
, this_shift
);
433 shifted
+= this_shift
;
437 static void rotate_left(u32 base
, struct xdr_buf
*buf
, unsigned int shift
)
439 struct xdr_buf subbuf
;
441 xdr_buf_subsegment(buf
, &subbuf
, base
, buf
->len
- base
);
442 _rotate_left(&subbuf
, shift
);
446 gss_wrap_kerberos_v2(struct krb5_ctx
*kctx
, u32 offset
,
447 struct xdr_buf
*buf
, struct page
**pages
)
456 dprintk("RPC: %s\n", __func__
);
458 if (kctx
->gk5e
->encrypt_v2
== NULL
)
459 return GSS_S_FAILURE
;
461 /* make room for gss token header */
462 if (xdr_extend_head(buf
, offset
, GSS_KRB5_TOK_HDR_LEN
))
463 return GSS_S_FAILURE
;
465 /* construct gss token header */
466 ptr
= plainhdr
= buf
->head
[0].iov_base
+ offset
;
467 *ptr
++ = (unsigned char) ((KG2_TOK_WRAP
>>8) & 0xff);
468 *ptr
++ = (unsigned char) (KG2_TOK_WRAP
& 0xff);
470 if ((kctx
->flags
& KRB5_CTX_FLAG_INITIATOR
) == 0)
471 flags
|= KG2_TOKEN_FLAG_SENTBYACCEPTOR
;
472 if ((kctx
->flags
& KRB5_CTX_FLAG_ACCEPTOR_SUBKEY
) != 0)
473 flags
|= KG2_TOKEN_FLAG_ACCEPTORSUBKEY
;
474 /* We always do confidentiality in wrap tokens */
475 flags
|= KG2_TOKEN_FLAG_SEALED
;
479 be16ptr
= (__be16
*)ptr
;
482 /* "inner" token header always uses 0 for RRC */
485 be64ptr
= (__be64
*)be16ptr
;
486 *be64ptr
= cpu_to_be64(atomic64_fetch_inc(&kctx
->seq_send64
));
488 err
= (*kctx
->gk5e
->encrypt_v2
)(kctx
, offset
, buf
, pages
);
492 now
= ktime_get_real_seconds();
493 return (kctx
->endtime
< now
) ? GSS_S_CONTEXT_EXPIRED
: GSS_S_COMPLETE
;
497 gss_unwrap_kerberos_v2(struct krb5_ctx
*kctx
, int offset
, int len
,
498 struct xdr_buf
*buf
, unsigned int *slack
,
506 u32 headskip
, tailskip
;
507 u8 decrypted_hdr
[GSS_KRB5_TOK_HDR_LEN
];
508 unsigned int movelen
;
511 dprintk("RPC: %s\n", __func__
);
513 if (kctx
->gk5e
->decrypt_v2
== NULL
)
514 return GSS_S_FAILURE
;
516 ptr
= buf
->head
[0].iov_base
+ offset
;
518 if (be16_to_cpu(*((__be16
*)ptr
)) != KG2_TOK_WRAP
)
519 return GSS_S_DEFECTIVE_TOKEN
;
522 if ((!kctx
->initiate
&& (flags
& KG2_TOKEN_FLAG_SENTBYACCEPTOR
)) ||
523 (kctx
->initiate
&& !(flags
& KG2_TOKEN_FLAG_SENTBYACCEPTOR
)))
524 return GSS_S_BAD_SIG
;
526 if ((flags
& KG2_TOKEN_FLAG_SEALED
) == 0) {
527 dprintk("%s: token missing expected sealed flag\n", __func__
);
528 return GSS_S_DEFECTIVE_TOKEN
;
532 return GSS_S_DEFECTIVE_TOKEN
;
534 ec
= be16_to_cpup((__be16
*)(ptr
+ 4));
535 rrc
= be16_to_cpup((__be16
*)(ptr
+ 6));
538 * NOTE: the sequence number at ptr + 8 is skipped, rpcsec_gss
539 * doesn't want it checked; see page 6 of rfc 2203.
543 rotate_left(offset
+ 16, buf
, rrc
);
545 err
= (*kctx
->gk5e
->decrypt_v2
)(kctx
, offset
, len
, buf
,
546 &headskip
, &tailskip
);
548 return GSS_S_FAILURE
;
551 * Retrieve the decrypted gss token header and verify
552 * it against the original
554 err
= read_bytes_from_xdr_buf(buf
,
555 len
- GSS_KRB5_TOK_HDR_LEN
- tailskip
,
556 decrypted_hdr
, GSS_KRB5_TOK_HDR_LEN
);
558 dprintk("%s: error %u getting decrypted_hdr\n", __func__
, err
);
559 return GSS_S_FAILURE
;
561 if (memcmp(ptr
, decrypted_hdr
, 6)
562 || memcmp(ptr
+ 8, decrypted_hdr
+ 8, 8)) {
563 dprintk("%s: token hdr, plaintext hdr mismatch!\n", __func__
);
564 return GSS_S_FAILURE
;
567 /* do sequencing checks */
569 /* it got through unscathed. Make sure the context is unexpired */
570 now
= ktime_get_real_seconds();
571 if (now
> kctx
->endtime
)
572 return GSS_S_CONTEXT_EXPIRED
;
575 * Move the head data back to the right position in xdr_buf.
576 * We ignore any "ec" data since it might be in the head or
577 * the tail, and we really don't need to deal with it.
578 * Note that buf->head[0].iov_len may indicate the available
579 * head buffer space rather than that actually occupied.
581 movelen
= min_t(unsigned int, buf
->head
[0].iov_len
, len
);
582 movelen
-= offset
+ GSS_KRB5_TOK_HDR_LEN
+ headskip
;
583 BUG_ON(offset
+ GSS_KRB5_TOK_HDR_LEN
+ headskip
+ movelen
>
584 buf
->head
[0].iov_len
);
585 memmove(ptr
, ptr
+ GSS_KRB5_TOK_HDR_LEN
+ headskip
, movelen
);
586 buf
->head
[0].iov_len
-= GSS_KRB5_TOK_HDR_LEN
+ headskip
;
587 buf
->len
= len
- GSS_KRB5_TOK_HDR_LEN
+ headskip
;
589 /* Trim off the trailing "extra count" and checksum blob */
590 xdr_buf_trim(buf
, ec
+ GSS_KRB5_TOK_HDR_LEN
+ tailskip
);
592 *align
= XDR_QUADLEN(GSS_KRB5_TOK_HDR_LEN
+ headskip
);
593 *slack
= *align
+ XDR_QUADLEN(ec
+ GSS_KRB5_TOK_HDR_LEN
+ tailskip
);
594 return GSS_S_COMPLETE
;
598 gss_wrap_kerberos(struct gss_ctx
*gctx
, int offset
,
599 struct xdr_buf
*buf
, struct page
**pages
)
601 struct krb5_ctx
*kctx
= gctx
->internal_ctx_id
;
603 switch (kctx
->enctype
) {
606 case ENCTYPE_DES_CBC_RAW
:
607 case ENCTYPE_DES3_CBC_RAW
:
608 case ENCTYPE_ARCFOUR_HMAC
:
609 return gss_wrap_kerberos_v1(kctx
, offset
, buf
, pages
);
610 case ENCTYPE_AES128_CTS_HMAC_SHA1_96
:
611 case ENCTYPE_AES256_CTS_HMAC_SHA1_96
:
612 return gss_wrap_kerberos_v2(kctx
, offset
, buf
, pages
);
617 gss_unwrap_kerberos(struct gss_ctx
*gctx
, int offset
,
618 int len
, struct xdr_buf
*buf
)
620 struct krb5_ctx
*kctx
= gctx
->internal_ctx_id
;
622 switch (kctx
->enctype
) {
625 case ENCTYPE_DES_CBC_RAW
:
626 case ENCTYPE_DES3_CBC_RAW
:
627 case ENCTYPE_ARCFOUR_HMAC
:
628 return gss_unwrap_kerberos_v1(kctx
, offset
, len
, buf
,
629 &gctx
->slack
, &gctx
->align
);
630 case ENCTYPE_AES128_CTS_HMAC_SHA1_96
:
631 case ENCTYPE_AES256_CTS_HMAC_SHA1_96
:
632 return gss_unwrap_kerberos_v2(kctx
, offset
, len
, buf
,
633 &gctx
->slack
, &gctx
->align
);