gss_krb5_unseal.c 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126
  1. /*
  2. * linux/net/sunrpc/gss_krb5_unseal.c
  3. *
  4. * Adapted from MIT Kerberos 5-1.2.1 lib/gssapi/krb5/k5unseal.c
  5. *
  6. * Copyright (c) 2000-2008 The Regents of the University of Michigan.
  7. * All rights reserved.
  8. *
  9. * Andy Adamson <andros@umich.edu>
  10. */
  11. /*
  12. * Copyright 1993 by OpenVision Technologies, Inc.
  13. *
  14. * Permission to use, copy, modify, distribute, and sell this software
  15. * and its documentation for any purpose is hereby granted without fee,
  16. * provided that the above copyright notice appears in all copies and
  17. * that both that copyright notice and this permission notice appear in
  18. * supporting documentation, and that the name of OpenVision not be used
  19. * in advertising or publicity pertaining to distribution of the software
  20. * without specific, written prior permission. OpenVision makes no
  21. * representations about the suitability of this software for any
  22. * purpose. It is provided "as is" without express or implied warranty.
  23. *
  24. * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
  25. * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
  26. * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
  27. * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
  28. * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
  29. * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  30. * PERFORMANCE OF THIS SOFTWARE.
  31. */
  32. /*
  33. * Copyright (C) 1998 by the FundsXpress, INC.
  34. *
  35. * All rights reserved.
  36. *
  37. * Export of this software from the United States of America may require
  38. * a specific license from the United States Government. It is the
  39. * responsibility of any person or organization contemplating export to
  40. * obtain such a license before exporting.
  41. *
  42. * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  43. * distribute this software and its documentation for any purpose and
  44. * without fee is hereby granted, provided that the above copyright
  45. * notice appear in all copies and that both that copyright notice and
  46. * this permission notice appear in supporting documentation, and that
  47. * the name of FundsXpress. not be used in advertising or publicity pertaining
  48. * to distribution of the software without specific, written prior
  49. * permission. FundsXpress makes no representations about the suitability of
  50. * this software for any purpose. It is provided "as is" without express
  51. * or implied warranty.
  52. *
  53. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  54. * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  55. * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  56. */
  57. #include <linux/types.h>
  58. #include <linux/jiffies.h>
  59. #include <linux/sunrpc/gss_krb5.h>
  60. #include "gss_krb5_internal.h"
  61. #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  62. # define RPCDBG_FACILITY RPCDBG_AUTH
  63. #endif
  64. u32
  65. gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
  66. struct xdr_netobj *read_token)
  67. {
  68. struct crypto_ahash *tfm = ctx->initiate ?
  69. ctx->acceptor_sign : ctx->initiator_sign;
  70. char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
  71. struct xdr_netobj cksumobj = {
  72. .len = ctx->gk5e->cksumlength,
  73. .data = cksumdata,
  74. };
  75. u8 *ptr = read_token->data;
  76. __be16 be16_ptr;
  77. time64_t now;
  78. u8 flags;
  79. int i;
  80. dprintk("RPC: %s\n", __func__);
  81. memcpy(&be16_ptr, (char *) ptr, 2);
  82. if (be16_to_cpu(be16_ptr) != KG2_TOK_MIC)
  83. return GSS_S_DEFECTIVE_TOKEN;
  84. flags = ptr[2];
  85. if ((!ctx->initiate && (flags & KG2_TOKEN_FLAG_SENTBYACCEPTOR)) ||
  86. (ctx->initiate && !(flags & KG2_TOKEN_FLAG_SENTBYACCEPTOR)))
  87. return GSS_S_BAD_SIG;
  88. if (flags & KG2_TOKEN_FLAG_SEALED) {
  89. dprintk("%s: token has unexpected sealed flag\n", __func__);
  90. return GSS_S_FAILURE;
  91. }
  92. for (i = 3; i < 8; i++)
  93. if (ptr[i] != 0xff)
  94. return GSS_S_DEFECTIVE_TOKEN;
  95. if (gss_krb5_checksum(tfm, ptr, GSS_KRB5_TOK_HDR_LEN,
  96. message_buffer, 0, &cksumobj))
  97. return GSS_S_FAILURE;
  98. if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN,
  99. ctx->gk5e->cksumlength))
  100. return GSS_S_BAD_SIG;
  101. /* it got through unscathed. Make sure the context is unexpired */
  102. now = ktime_get_real_seconds();
  103. if (now > ctx->endtime)
  104. return GSS_S_CONTEXT_EXPIRED;
  105. /*
  106. * NOTE: the sequence number at ptr + 8 is skipped, rpcsec_gss
  107. * doesn't want it checked; see page 6 of rfc 2203.
  108. */
  109. return GSS_S_COMPLETE;
  110. }