/*
 * linux/net/sunrpc/svcauth_des.c
 *
 * Server-side AUTH_DES handling.
 * 
 * Copyright (C) 1996, 1997 Olaf Kirch <okir@monad.swb.de>
 */

#include <linux/types.h>
#include <linux/sched.h>
#include <linux/sunrpc/types.h>
#include <linux/sunrpc/xdr.h>
#include <linux/sunrpc/svcauth.h>
#include <linux/sunrpc/svcsock.h>

#define RPCDBG_FACILITY RPCDBG_AUTH

/*
 * DES cedential cache.
 * The cache is indexed by fullname/key to allow for multiple sessions
 * by the same user from different hosts.
 * It would be tempting to use the client's IP address rather than the
 * conversation key as an index, but that could become problematic for
 * multi-homed hosts that distribute traffic across their interfaces.
 */
struct des_cred {
        struct des_cred *       dc_next;
        char *                  dc_fullname;
        u32                     dc_nickname;
        des_cblock              dc_key;         /* conversation key */
        des_cblock              dc_xkey;        /* encrypted conv. key */
        des_key_schedule        dc_keysched;
};

#define ADN_FULLNAME            0
#define ADN_NICKNAME            1

/*
 * The default slack allowed when checking for replayed credentials
 * (in milliseconds).
 */
#define DES_REPLAY_SLACK        2000

/*
 * Make sure we don't place more than one call to the key server at
 * a time.
 */
static int                      in_keycall = 0;

#define FAIL(err) \
        { if (data) put_cred(data);                     \
          *authp = rpc_autherr_##err;                   \
          return;                                       \
        }

void
svcauth_des(struct svc_rqst *rqstp, u32 *statp, u32 *authp)
{
        struct svc_buf  *argp = &rqstp->rq_argbuf;
        struct svc_buf  *resp = &rqstp->rq_resbuf;
        struct svc_cred *cred = &rqstp->rq_cred;
        struct des_cred *data = NULL;
        u32             cryptkey[2];
        u32             cryptbuf[4];
        u32             *p = argp->buf;
        int             len   = argp->len, slen, i;

        *authp = rpc_auth_ok;

        if ((argp->len -= 3) < 0) {
                *statp = rpc_garbage_args;
                return;
        }

        p++;                                    /* skip length field */
        namekind = ntohl(*p++);                 /* fullname/nickname */

        /* Get the credentials */
        if (namekind == ADN_NICKNAME) {
                /* If we can't find the cached session key, initiate a
                 * new session. */
                if (!(data = get_cred_bynick(*p++)))
                        FAIL(rejectedcred);
        } else if (namekind == ADN_FULLNAME) {
                p = xdr_decode_string(p, &fullname, &len, RPC_MAXNETNAMELEN);
                if (p == NULL)
                        FAIL(badcred);
                cryptkey[0] = *p++;             /* get the encrypted key */
                cryptkey[1] = *p++;
                cryptbuf[2] = *p++;             /* get the encrypted window */
        } else {
                FAIL(badcred);
        }

        /* If we're just updating the key, silently discard the request. */
        if (data && data->dc_locked) {
                *authp = rpc_autherr_dropit;
                _put_cred(data);        /* release but don't unlock */
                return;
        }

        /* Get the verifier flavor and length */
        if (ntohl(*p++) != RPC_AUTH_DES && ntohl(*p++) != 12)
                FAIL(badverf);

        cryptbuf[0] = *p++;                     /* encrypted time stamp */
        cryptbuf[1] = *p++;
        cryptbuf[3] = *p++;                     /* 0 or window - 1 */

        if (namekind == ADN_NICKNAME) {
                status = des_ecb_encrypt((des_block *) cryptbuf,
                                         (des_block *) cryptbuf,
                                         data->dc_keysched, DES_DECRYPT);
        } else {
                /* We first have to decrypt the new session key and
                 * fill in the UNIX creds. */
                if (!(data = get_cred_byname(rqstp, authp, fullname, cryptkey)))
                        return;
                status = des_cbc_encrypt((des_cblock *) cryptbuf,
                                         (des_cblock *) cryptbuf, 16,
                                         data->dc_keysched,
                                         (des_cblock *) &ivec,
                                         DES_DECRYPT);
        }
        if (status) {
                printk("svcauth_des: DES decryption failed (status %d)\n",
                                status);
                FAIL(badverf);
        }

        /* Now check the whole lot */
        if (namekind == ADN_FULLNAME) {
                unsigned long   winverf;

                data->dc_window = ntohl(cryptbuf[2]);
                winverf = ntohl(cryptbuf[2]);
                if (window != winverf - 1) {
                        printk("svcauth_des: bad window verifier!\n");
                        FAIL(badverf);
                }
        }

        /* XDR the decrypted timestamp */
        cryptbuf[0] = ntohl(cryptbuf[0]);
        cryptbuf[1] = ntohl(cryptbuf[1]);
        if (cryptbuf[1] > 1000000) {
                dprintk("svcauth_des: bad usec value %u\n", cryptbuf[1]);
                if (namekind == ADN_NICKNAME)
                        FAIL(rejectedverf);
                FAIL(badverf);
        }
        
        /*
         * Check for replayed credentials. We must allow for reordering
         * of requests by the network, and the OS scheduler, hence we
         * cannot expect timestamps to be increasing monotonically.
         * This opens a small security hole, therefore the replay_slack
         * value shouldn't be too large.
         */
        if ((delta = cryptbuf[0] - data->dc_timestamp[0]) <= 0) {
                switch (delta) {
                case -1:        
                        delta = -1000000;
                case 0:
                        delta += cryptbuf[1] - data->dc_timestamp[1];
                        break;
                default:
                        delta = -1000000;
                }
                if (delta < DES_REPLAY_SLACK)
                        FAIL(rejectedverf);
#ifdef STRICT_REPLAY_CHECKS
                /* TODO: compare time stamp to last five timestamps cached
                 * and reject (drop?) request if a match is found. */
#endif
        }

        now = xtime;
        now.tv_secs -= data->dc_window;
        if (now.tv_secs < cryptbuf[0] ||
            (now.tv_secs == cryptbuf[0] && now.tv_usec < cryptbuf[1]))
                FAIL(rejectedverf);

        /* Okay, we're done. Update the lot */
        if (namekind == ADN_FULLNAME)
                data->dc_valid = 1;
        data->dc_timestamp[0] = cryptbuf[0];
        data->dc_timestamp[1] = cryptbuf[1];

        put_cred(data);
        return;
garbage:
        *statp = rpc_garbage_args;
        return;
}

/*
 * Call the keyserver to obtain the decrypted conversation key and
 * UNIX creds. We use a Linux-specific keycall extension that does
 * both things in one go.
 */
static struct des_cred *
get_cred_byname(struct svc_rqst *rqstp, u32 *authp, char *fullname, u32 *cryptkey)
{
        static int      in_keycall = 0;
        struct des_cred *cred;

        if (in_keycall) {
                *authp = rpc_autherr_dropit;
                return NULL;
        }
        in_keycall = 1;
        in_keycall = 0;
        return cred;
}