1 /*
2  *  linux/net/sunrpc/gss_krb5_crypto.c
3  *
4  *  Copyright (c) 2000-2008 The Regents of the University of Michigan.
5  *  All rights reserved.
6  *
7  *  Andy Adamson   <andros@umich.edu>
8  *  Bruce Fields   <bfields@umich.edu>
9  */
10 
11 /*
12  * Copyright (C) 1998 by the FundsXpress, INC.
13  *
14  * All rights reserved.
15  *
16  * Export of this software from the United States of America may require
17  * a specific license from the United States Government.  It is the
18  * responsibility of any person or organization contemplating export to
19  * obtain such a license before exporting.
20  *
21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
22  * distribute this software and its documentation for any purpose and
23  * without fee is hereby granted, provided that the above copyright
24  * notice appear in all copies and that both that copyright notice and
25  * this permission notice appear in supporting documentation, and that
26  * the name of FundsXpress. not be used in advertising or publicity pertaining
27  * to distribution of the software without specific, written prior
28  * permission.  FundsXpress makes no representations about the suitability of
29  * this software for any purpose.  It is provided "as is" without express
30  * or implied warranty.
31  *
32  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
33  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
34  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
35  */
36 
37 #include <crypto/algapi.h>
38 #include <crypto/hash.h>
39 #include <crypto/skcipher.h>
40 #include <linux/err.h>
41 #include <linux/types.h>
42 #include <linux/mm.h>
43 #include <linux/scatterlist.h>
44 #include <linux/highmem.h>
45 #include <linux/pagemap.h>
46 #include <linux/random.h>
47 #include <linux/sunrpc/gss_krb5.h>
48 #include <linux/sunrpc/xdr.h>
49 
50 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
51 # define RPCDBG_FACILITY        RPCDBG_AUTH
52 #endif
53 
54 u32
55 krb5_encrypt(
56 	struct crypto_sync_skcipher *tfm,
57 	void * iv,
58 	void * in,
59 	void * out,
60 	int length)
61 {
62 	u32 ret = -EINVAL;
63 	struct scatterlist sg[1];
64 	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
65 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
66 
67 	if (length % crypto_sync_skcipher_blocksize(tfm) != 0)
68 		goto out;
69 
70 	if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
71 		dprintk("RPC:       gss_k5encrypt: tfm iv size too large %d\n",
72 			crypto_sync_skcipher_ivsize(tfm));
73 		goto out;
74 	}
75 
76 	if (iv)
77 		memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));
78 
79 	memcpy(out, in, length);
80 	sg_init_one(sg, out, length);
81 
82 	skcipher_request_set_sync_tfm(req, tfm);
83 	skcipher_request_set_callback(req, 0, NULL, NULL);
84 	skcipher_request_set_crypt(req, sg, sg, length, local_iv);
85 
86 	ret = crypto_skcipher_encrypt(req);
87 	skcipher_request_zero(req);
88 out:
89 	dprintk("RPC:       krb5_encrypt returns %d\n", ret);
90 	return ret;
91 }
92 
93 u32
94 krb5_decrypt(
95      struct crypto_sync_skcipher *tfm,
96      void * iv,
97      void * in,
98      void * out,
99      int length)
100 {
101 	u32 ret = -EINVAL;
102 	struct scatterlist sg[1];
103 	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
104 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
105 
106 	if (length % crypto_sync_skcipher_blocksize(tfm) != 0)
107 		goto out;
108 
109 	if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
110 		dprintk("RPC:       gss_k5decrypt: tfm iv size too large %d\n",
111 			crypto_sync_skcipher_ivsize(tfm));
112 		goto out;
113 	}
114 	if (iv)
115 		memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));
116 
117 	memcpy(out, in, length);
118 	sg_init_one(sg, out, length);
119 
120 	skcipher_request_set_sync_tfm(req, tfm);
121 	skcipher_request_set_callback(req, 0, NULL, NULL);
122 	skcipher_request_set_crypt(req, sg, sg, length, local_iv);
123 
124 	ret = crypto_skcipher_decrypt(req);
125 	skcipher_request_zero(req);
126 out:
127 	dprintk("RPC:       gss_k5decrypt returns %d\n",ret);
128 	return ret;
129 }
130 
131 static int
132 checksummer(struct scatterlist *sg, void *data)
133 {
134 	struct ahash_request *req = data;
135 
136 	ahash_request_set_crypt(req, sg, NULL, sg->length);
137 
138 	return crypto_ahash_update(req);
139 }
140 
141 /*
142  * checksum the plaintext data and hdrlen bytes of the token header
143  * The checksum is performed over the first 8 bytes of the
144  * gss token header and then over the data body
145  */
146 u32
147 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
148 	      struct xdr_buf *body, int body_offset, u8 *cksumkey,
149 	      unsigned int usage, struct xdr_netobj *cksumout)
150 {
151 	struct crypto_ahash *tfm;
152 	struct ahash_request *req;
153 	struct scatterlist              sg[1];
154 	int err = -1;
155 	u8 *checksumdata;
156 	unsigned int checksumlen;
157 
158 	if (cksumout->len < kctx->gk5e->cksumlength) {
159 		dprintk("%s: checksum buffer length, %u, too small for %s\n",
160 			__func__, cksumout->len, kctx->gk5e->name);
161 		return GSS_S_FAILURE;
162 	}
163 
164 	checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_KERNEL);
165 	if (checksumdata == NULL)
166 		return GSS_S_FAILURE;
167 
168 	tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
169 	if (IS_ERR(tfm))
170 		goto out_free_cksum;
171 
172 	req = ahash_request_alloc(tfm, GFP_KERNEL);
173 	if (!req)
174 		goto out_free_ahash;
175 
176 	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
177 
178 	checksumlen = crypto_ahash_digestsize(tfm);
179 
180 	if (cksumkey != NULL) {
181 		err = crypto_ahash_setkey(tfm, cksumkey,
182 					  kctx->gk5e->keylength);
183 		if (err)
184 			goto out;
185 	}
186 
187 	err = crypto_ahash_init(req);
188 	if (err)
189 		goto out;
190 	sg_init_one(sg, header, hdrlen);
191 	ahash_request_set_crypt(req, sg, NULL, hdrlen);
192 	err = crypto_ahash_update(req);
193 	if (err)
194 		goto out;
195 	err = xdr_process_buf(body, body_offset, body->len - body_offset,
196 			      checksummer, req);
197 	if (err)
198 		goto out;
199 	ahash_request_set_crypt(req, NULL, checksumdata, 0);
200 	err = crypto_ahash_final(req);
201 	if (err)
202 		goto out;
203 
204 	switch (kctx->gk5e->ctype) {
205 	case CKSUMTYPE_RSA_MD5:
206 		err = kctx->gk5e->encrypt(kctx->seq, NULL, checksumdata,
207 					  checksumdata, checksumlen);
208 		if (err)
209 			goto out;
210 		memcpy(cksumout->data,
211 		       checksumdata + checksumlen - kctx->gk5e->cksumlength,
212 		       kctx->gk5e->cksumlength);
213 		break;
214 	case CKSUMTYPE_HMAC_SHA1_DES3:
215 		memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
216 		break;
217 	default:
218 		BUG();
219 		break;
220 	}
221 	cksumout->len = kctx->gk5e->cksumlength;
222 out:
223 	ahash_request_free(req);
224 out_free_ahash:
225 	crypto_free_ahash(tfm);
226 out_free_cksum:
227 	kfree(checksumdata);
228 	return err ? GSS_S_FAILURE : 0;
229 }
230 
231 /*
232  * checksum the plaintext data and hdrlen bytes of the token header
233  * Per rfc4121, sec. 4.2.4, the checksum is performed over the data
234  * body then over the first 16 octets of the MIC token
235  * Inclusion of the header data in the calculation of the
236  * checksum is optional.
237  */
238 u32
239 make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen,
240 		 struct xdr_buf *body, int body_offset, u8 *cksumkey,
241 		 unsigned int usage, struct xdr_netobj *cksumout)
242 {
243 	struct crypto_ahash *tfm;
244 	struct ahash_request *req;
245 	struct scatterlist sg[1];
246 	int err = -1;
247 	u8 *checksumdata;
248 
249 	if (kctx->gk5e->keyed_cksum == 0) {
250 		dprintk("%s: expected keyed hash for %s\n",
251 			__func__, kctx->gk5e->name);
252 		return GSS_S_FAILURE;
253 	}
254 	if (cksumkey == NULL) {
255 		dprintk("%s: no key supplied for %s\n",
256 			__func__, kctx->gk5e->name);
257 		return GSS_S_FAILURE;
258 	}
259 
260 	checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_KERNEL);
261 	if (!checksumdata)
262 		return GSS_S_FAILURE;
263 
264 	tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
265 	if (IS_ERR(tfm))
266 		goto out_free_cksum;
267 
268 	req = ahash_request_alloc(tfm, GFP_KERNEL);
269 	if (!req)
270 		goto out_free_ahash;
271 
272 	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
273 
274 	err = crypto_ahash_setkey(tfm, cksumkey, kctx->gk5e->keylength);
275 	if (err)
276 		goto out;
277 
278 	err = crypto_ahash_init(req);
279 	if (err)
280 		goto out;
281 	err = xdr_process_buf(body, body_offset, body->len - body_offset,
282 			      checksummer, req);
283 	if (err)
284 		goto out;
285 	if (header != NULL) {
286 		sg_init_one(sg, header, hdrlen);
287 		ahash_request_set_crypt(req, sg, NULL, hdrlen);
288 		err = crypto_ahash_update(req);
289 		if (err)
290 			goto out;
291 	}
292 	ahash_request_set_crypt(req, NULL, checksumdata, 0);
293 	err = crypto_ahash_final(req);
294 	if (err)
295 		goto out;
296 
297 	cksumout->len = kctx->gk5e->cksumlength;
298 
299 	switch (kctx->gk5e->ctype) {
300 	case CKSUMTYPE_HMAC_SHA1_96_AES128:
301 	case CKSUMTYPE_HMAC_SHA1_96_AES256:
302 		/* note that this truncates the hash */
303 		memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
304 		break;
305 	default:
306 		BUG();
307 		break;
308 	}
309 out:
310 	ahash_request_free(req);
311 out_free_ahash:
312 	crypto_free_ahash(tfm);
313 out_free_cksum:
314 	kfree(checksumdata);
315 	return err ? GSS_S_FAILURE : 0;
316 }
317 
318 struct encryptor_desc {
319 	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
320 	struct skcipher_request *req;
321 	int pos;
322 	struct xdr_buf *outbuf;
323 	struct page **pages;
324 	struct scatterlist infrags[4];
325 	struct scatterlist outfrags[4];
326 	int fragno;
327 	int fraglen;
328 };
329 
330 static int
331 encryptor(struct scatterlist *sg, void *data)
332 {
333 	struct encryptor_desc *desc = data;
334 	struct xdr_buf *outbuf = desc->outbuf;
335 	struct crypto_sync_skcipher *tfm =
336 		crypto_sync_skcipher_reqtfm(desc->req);
337 	struct page *in_page;
338 	int thislen = desc->fraglen + sg->length;
339 	int fraglen, ret;
340 	int page_pos;
341 
342 	/* Worst case is 4 fragments: head, end of page 1, start
343 	 * of page 2, tail.  Anything more is a bug. */
344 	BUG_ON(desc->fragno > 3);
345 
346 	page_pos = desc->pos - outbuf->head[0].iov_len;
347 	if (page_pos >= 0 && page_pos < outbuf->page_len) {
348 		/* pages are not in place: */
349 		int i = (page_pos + outbuf->page_base) >> PAGE_SHIFT;
350 		in_page = desc->pages[i];
351 	} else {
352 		in_page = sg_page(sg);
353 	}
354 	sg_set_page(&desc->infrags[desc->fragno], in_page, sg->length,
355 		    sg->offset);
356 	sg_set_page(&desc->outfrags[desc->fragno], sg_page(sg), sg->length,
357 		    sg->offset);
358 	desc->fragno++;
359 	desc->fraglen += sg->length;
360 	desc->pos += sg->length;
361 
362 	fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - 1);
363 	thislen -= fraglen;
364 
365 	if (thislen == 0)
366 		return 0;
367 
368 	sg_mark_end(&desc->infrags[desc->fragno - 1]);
369 	sg_mark_end(&desc->outfrags[desc->fragno - 1]);
370 
371 	skcipher_request_set_crypt(desc->req, desc->infrags, desc->outfrags,
372 				   thislen, desc->iv);
373 
374 	ret = crypto_skcipher_encrypt(desc->req);
375 	if (ret)
376 		return ret;
377 
378 	sg_init_table(desc->infrags, 4);
379 	sg_init_table(desc->outfrags, 4);
380 
381 	if (fraglen) {
382 		sg_set_page(&desc->outfrags[0], sg_page(sg), fraglen,
383 				sg->offset + sg->length - fraglen);
384 		desc->infrags[0] = desc->outfrags[0];
385 		sg_assign_page(&desc->infrags[0], in_page);
386 		desc->fragno = 1;
387 		desc->fraglen = fraglen;
388 	} else {
389 		desc->fragno = 0;
390 		desc->fraglen = 0;
391 	}
392 	return 0;
393 }
394 
395 int
396 gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf,
397 		    int offset, struct page **pages)
398 {
399 	int ret;
400 	struct encryptor_desc desc;
401 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
402 
403 	BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != 0);
404 
405 	skcipher_request_set_sync_tfm(req, tfm);
406 	skcipher_request_set_callback(req, 0, NULL, NULL);
407 
408 	memset(desc.iv, 0, sizeof(desc.iv));
409 	desc.req = req;
410 	desc.pos = offset;
411 	desc.outbuf = buf;
412 	desc.pages = pages;
413 	desc.fragno = 0;
414 	desc.fraglen = 0;
415 
416 	sg_init_table(desc.infrags, 4);
417 	sg_init_table(desc.outfrags, 4);
418 
419 	ret = xdr_process_buf(buf, offset, buf->len - offset, encryptor, &desc);
420 	skcipher_request_zero(req);
421 	return ret;
422 }
423 
424 struct decryptor_desc {
425 	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
426 	struct skcipher_request *req;
427 	struct scatterlist frags[4];
428 	int fragno;
429 	int fraglen;
430 };
431 
432 static int
433 decryptor(struct scatterlist *sg, void *data)
434 {
435 	struct decryptor_desc *desc = data;
436 	int thislen = desc->fraglen + sg->length;
437 	struct crypto_sync_skcipher *tfm =
438 		crypto_sync_skcipher_reqtfm(desc->req);
439 	int fraglen, ret;
440 
441 	/* Worst case is 4 fragments: head, end of page 1, start
442 	 * of page 2, tail.  Anything more is a bug. */
443 	BUG_ON(desc->fragno > 3);
444 	sg_set_page(&desc->frags[desc->fragno], sg_page(sg), sg->length,
445 		    sg->offset);
446 	desc->fragno++;
447 	desc->fraglen += sg->length;
448 
449 	fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - 1);
450 	thislen -= fraglen;
451 
452 	if (thislen == 0)
453 		return 0;
454 
455 	sg_mark_end(&desc->frags[desc->fragno - 1]);
456 
457 	skcipher_request_set_crypt(desc->req, desc->frags, desc->frags,
458 				   thislen, desc->iv);
459 
460 	ret = crypto_skcipher_decrypt(desc->req);
461 	if (ret)
462 		return ret;
463 
464 	sg_init_table(desc->frags, 4);
465 
466 	if (fraglen) {
467 		sg_set_page(&desc->frags[0], sg_page(sg), fraglen,
468 				sg->offset + sg->length - fraglen);
469 		desc->fragno = 1;
470 		desc->fraglen = fraglen;
471 	} else {
472 		desc->fragno = 0;
473 		desc->fraglen = 0;
474 	}
475 	return 0;
476 }
477 
478 int
479 gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf,
480 		    int offset)
481 {
482 	int ret;
483 	struct decryptor_desc desc;
484 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
485 
486 	/* XXXJBF: */
487 	BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != 0);
488 
489 	skcipher_request_set_sync_tfm(req, tfm);
490 	skcipher_request_set_callback(req, 0, NULL, NULL);
491 
492 	memset(desc.iv, 0, sizeof(desc.iv));
493 	desc.req = req;
494 	desc.fragno = 0;
495 	desc.fraglen = 0;
496 
497 	sg_init_table(desc.frags, 4);
498 
499 	ret = xdr_process_buf(buf, offset, buf->len - offset, decryptor, &desc);
500 	skcipher_request_zero(req);
501 	return ret;
502 }
503 
504 /*
505  * This function makes the assumption that it was ultimately called
506  * from gss_wrap().
507  *
508  * The client auth_gss code moves any existing tail data into a
509  * separate page before calling gss_wrap.
510  * The server svcauth_gss code ensures that both the head and the
511  * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
512  *
513  * Even with that guarantee, this function may be called more than
514  * once in the processing of gss_wrap().  The best we can do is
515  * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
516  * largest expected shift will fit within RPC_MAX_AUTH_SIZE.
517  * At run-time we can verify that a single invocation of this
518  * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE.
519  */
520 
521 int
522 xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen)
523 {
524 	u8 *p;
525 
526 	if (shiftlen == 0)
527 		return 0;
528 
529 	BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
530 	BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);
531 
532 	p = buf->head[0].iov_base + base;
533 
534 	memmove(p + shiftlen, p, buf->head[0].iov_len - base);
535 
536 	buf->head[0].iov_len += shiftlen;
537 	buf->len += shiftlen;
538 
539 	return 0;
540 }
541 
542 static u32
543 gss_krb5_cts_crypt(struct crypto_sync_skcipher *cipher, struct xdr_buf *buf,
544 		   u32 offset, u8 *iv, struct page **pages, int encrypt)
545 {
546 	u32 ret;
547 	struct scatterlist sg[1];
548 	SYNC_SKCIPHER_REQUEST_ON_STACK(req, cipher);
549 	u8 *data;
550 	struct page **save_pages;
551 	u32 len = buf->len - offset;
552 
553 	if (len > GSS_KRB5_MAX_BLOCKSIZE * 2) {
554 		WARN_ON(0);
555 		return -ENOMEM;
556 	}
557 	data = kmalloc(GSS_KRB5_MAX_BLOCKSIZE * 2, GFP_KERNEL);
558 	if (!data)
559 		return -ENOMEM;
560 
561 	/*
562 	 * For encryption, we want to read from the cleartext
563 	 * page cache pages, and write the encrypted data to
564 	 * the supplied xdr_buf pages.
565 	 */
566 	save_pages = buf->pages;
567 	if (encrypt)
568 		buf->pages = pages;
569 
570 	ret = read_bytes_from_xdr_buf(buf, offset, data, len);
571 	buf->pages = save_pages;
572 	if (ret)
573 		goto out;
574 
575 	sg_init_one(sg, data, len);
576 
577 	skcipher_request_set_sync_tfm(req, cipher);
578 	skcipher_request_set_callback(req, 0, NULL, NULL);
579 	skcipher_request_set_crypt(req, sg, sg, len, iv);
580 
581 	if (encrypt)
582 		ret = crypto_skcipher_encrypt(req);
583 	else
584 		ret = crypto_skcipher_decrypt(req);
585 
586 	skcipher_request_zero(req);
587 
588 	if (ret)
589 		goto out;
590 
591 	ret = write_bytes_to_xdr_buf(buf, offset, data, len);
592 
593 out:
594 	kfree(data);
595 	return ret;
596 }
597 
598 u32
599 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
600 		     struct xdr_buf *buf, struct page **pages)
601 {
602 	u32 err;
603 	struct xdr_netobj hmac;
604 	u8 *cksumkey;
605 	u8 *ecptr;
606 	struct crypto_sync_skcipher *cipher, *aux_cipher;
607 	int blocksize;
608 	struct page **save_pages;
609 	int nblocks, nbytes;
610 	struct encryptor_desc desc;
611 	u32 cbcbytes;
612 	unsigned int usage;
613 
614 	if (kctx->initiate) {
615 		cipher = kctx->initiator_enc;
616 		aux_cipher = kctx->initiator_enc_aux;
617 		cksumkey = kctx->initiator_integ;
618 		usage = KG_USAGE_INITIATOR_SEAL;
619 	} else {
620 		cipher = kctx->acceptor_enc;
621 		aux_cipher = kctx->acceptor_enc_aux;
622 		cksumkey = kctx->acceptor_integ;
623 		usage = KG_USAGE_ACCEPTOR_SEAL;
624 	}
625 	blocksize = crypto_sync_skcipher_blocksize(cipher);
626 
627 	/* hide the gss token header and insert the confounder */
628 	offset += GSS_KRB5_TOK_HDR_LEN;
629 	if (xdr_extend_head(buf, offset, kctx->gk5e->conflen))
630 		return GSS_S_FAILURE;
631 	gss_krb5_make_confounder(buf->head[0].iov_base + offset, kctx->gk5e->conflen);
632 	offset -= GSS_KRB5_TOK_HDR_LEN;
633 
634 	if (buf->tail[0].iov_base != NULL) {
635 		ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
636 	} else {
637 		buf->tail[0].iov_base = buf->head[0].iov_base
638 							+ buf->head[0].iov_len;
639 		buf->tail[0].iov_len = 0;
640 		ecptr = buf->tail[0].iov_base;
641 	}
642 
643 	/* copy plaintext gss token header after filler (if any) */
644 	memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
645 	buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
646 	buf->len += GSS_KRB5_TOK_HDR_LEN;
647 
648 	/* Do the HMAC */
649 	hmac.len = GSS_KRB5_MAX_CKSUM_LEN;
650 	hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;
651 
652 	/*
653 	 * When we are called, pages points to the real page cache
654 	 * data -- which we can't go and encrypt!  buf->pages points
655 	 * to scratch pages which we are going to send off to the
656 	 * client/server.  Swap in the plaintext pages to calculate
657 	 * the hmac.
658 	 */
659 	save_pages = buf->pages;
660 	buf->pages = pages;
661 
662 	err = make_checksum_v2(kctx, NULL, 0, buf,
663 			       offset + GSS_KRB5_TOK_HDR_LEN,
664 			       cksumkey, usage, &hmac);
665 	buf->pages = save_pages;
666 	if (err)
667 		return GSS_S_FAILURE;
668 
669 	nbytes = buf->len - offset - GSS_KRB5_TOK_HDR_LEN;
670 	nblocks = (nbytes + blocksize - 1) / blocksize;
671 	cbcbytes = 0;
672 	if (nblocks > 2)
673 		cbcbytes = (nblocks - 2) * blocksize;
674 
675 	memset(desc.iv, 0, sizeof(desc.iv));
676 
677 	if (cbcbytes) {
678 		SYNC_SKCIPHER_REQUEST_ON_STACK(req, aux_cipher);
679 
680 		desc.pos = offset + GSS_KRB5_TOK_HDR_LEN;
681 		desc.fragno = 0;
682 		desc.fraglen = 0;
683 		desc.pages = pages;
684 		desc.outbuf = buf;
685 		desc.req = req;
686 
687 		skcipher_request_set_sync_tfm(req, aux_cipher);
688 		skcipher_request_set_callback(req, 0, NULL, NULL);
689 
690 		sg_init_table(desc.infrags, 4);
691 		sg_init_table(desc.outfrags, 4);
692 
693 		err = xdr_process_buf(buf, offset + GSS_KRB5_TOK_HDR_LEN,
694 				      cbcbytes, encryptor, &desc);
695 		skcipher_request_zero(req);
696 		if (err)
697 			goto out_err;
698 	}
699 
700 	/* Make sure IV carries forward from any CBC results. */
701 	err = gss_krb5_cts_crypt(cipher, buf,
702 				 offset + GSS_KRB5_TOK_HDR_LEN + cbcbytes,
703 				 desc.iv, pages, 1);
704 	if (err) {
705 		err = GSS_S_FAILURE;
706 		goto out_err;
707 	}
708 
709 	/* Now update buf to account for HMAC */
710 	buf->tail[0].iov_len += kctx->gk5e->cksumlength;
711 	buf->len += kctx->gk5e->cksumlength;
712 
713 out_err:
714 	if (err)
715 		err = GSS_S_FAILURE;
716 	return err;
717 }
718 
719 u32
720 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
721 		     struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
722 {
723 	struct xdr_buf subbuf;
724 	u32 ret = 0;
725 	u8 *cksum_key;
726 	struct crypto_sync_skcipher *cipher, *aux_cipher;
727 	struct xdr_netobj our_hmac_obj;
728 	u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
729 	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
730 	int nblocks, blocksize, cbcbytes;
731 	struct decryptor_desc desc;
732 	unsigned int usage;
733 
734 	if (kctx->initiate) {
735 		cipher = kctx->acceptor_enc;
736 		aux_cipher = kctx->acceptor_enc_aux;
737 		cksum_key = kctx->acceptor_integ;
738 		usage = KG_USAGE_ACCEPTOR_SEAL;
739 	} else {
740 		cipher = kctx->initiator_enc;
741 		aux_cipher = kctx->initiator_enc_aux;
742 		cksum_key = kctx->initiator_integ;
743 		usage = KG_USAGE_INITIATOR_SEAL;
744 	}
745 	blocksize = crypto_sync_skcipher_blocksize(cipher);
746 
747 
748 	/* create a segment skipping the header and leaving out the checksum */
749 	xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
750 				    (len - offset - GSS_KRB5_TOK_HDR_LEN -
751 				     kctx->gk5e->cksumlength));
752 
753 	nblocks = (subbuf.len + blocksize - 1) / blocksize;
754 
755 	cbcbytes = 0;
756 	if (nblocks > 2)
757 		cbcbytes = (nblocks - 2) * blocksize;
758 
759 	memset(desc.iv, 0, sizeof(desc.iv));
760 
761 	if (cbcbytes) {
762 		SYNC_SKCIPHER_REQUEST_ON_STACK(req, aux_cipher);
763 
764 		desc.fragno = 0;
765 		desc.fraglen = 0;
766 		desc.req = req;
767 
768 		skcipher_request_set_sync_tfm(req, aux_cipher);
769 		skcipher_request_set_callback(req, 0, NULL, NULL);
770 
771 		sg_init_table(desc.frags, 4);
772 
773 		ret = xdr_process_buf(&subbuf, 0, cbcbytes, decryptor, &desc);
774 		skcipher_request_zero(req);
775 		if (ret)
776 			goto out_err;
777 	}
778 
779 	/* Make sure IV carries forward from any CBC results. */
780 	ret = gss_krb5_cts_crypt(cipher, &subbuf, cbcbytes, desc.iv, NULL, 0);
781 	if (ret)
782 		goto out_err;
783 
784 
785 	/* Calculate our hmac over the plaintext data */
786 	our_hmac_obj.len = sizeof(our_hmac);
787 	our_hmac_obj.data = our_hmac;
788 
789 	ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0,
790 			       cksum_key, usage, &our_hmac_obj);
791 	if (ret)
792 		goto out_err;
793 
794 	/* Get the packet's hmac value */
795 	ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
796 				      pkt_hmac, kctx->gk5e->cksumlength);
797 	if (ret)
798 		goto out_err;
799 
800 	if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
801 		ret = GSS_S_BAD_SIG;
802 		goto out_err;
803 	}
804 	*headskip = kctx->gk5e->conflen;
805 	*tailskip = kctx->gk5e->cksumlength;
806 out_err:
807 	if (ret && ret != GSS_S_BAD_SIG)
808 		ret = GSS_S_FAILURE;
809 	return ret;
810 }
811