/*
 * COPYRIGHT (c) 2011
 * The Regents of the University of Michigan
 * ALL RIGHTS RESERVED
 *
 * Permission is granted to use, copy, create derivative works
 * and redistribute this software and such derivative works
 * for any purpose, so long as the name of The University of
 * Michigan is not used in any advertising or publicity
 * pertaining to the use of distribution of this software
 * without specific, written prior authorization.  If the
 * above copyright notice or any other identification of the
 * University of Michigan is included in any copy of any
 * portion of this software, then the disclaimer below must
 * also be included.
 *
 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGES.
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif	/* HAVE_CONFIG_H */

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <gssapi/gssapi.h>
#include <krb5.h>

#include "gss_util.h"
#include "gss_oids.h"
#include "err_util.h"
#include "svcgssd_krb5.h"
#include "../mount/version.h"

#define MYBUFLEN 1024

char *supported_enctypes_filename = "/proc/fs/nfsd/supported_krb5_enctypes";
int parsed_num_enctypes = 0;
krb5_enctype *parsed_enctypes = NULL;
char *cached_enctypes = NULL;

/*==========================*/
/*===  Internal routines ===*/
/*==========================*/

/*
 * Parse the supported encryption type information
 */
static int
parse_enctypes(char *enctypes)
{
	int n = 0;
	char *curr, *comma;
	int i;

	/* Don't parse the same string over and over... */
	if (cached_enctypes && strcmp(cached_enctypes, enctypes) == 0)
		return 0;

	/* Free any existing cached_enctypes */
	free(cached_enctypes);

	if (parsed_enctypes != NULL) {
		free(parsed_enctypes);
		parsed_enctypes = NULL;
		parsed_num_enctypes = 0;
	}

	/* count the number of commas */
	for (curr = enctypes; curr && *curr != '\0'; curr = ++comma) {
		comma = strchr(curr, ',');
		if (comma != NULL)
			n++;
		else
			break;
	}

	/* If no more commas and we're not at the end, there's one more value */
	if (*curr != '\0')
		n++;

	/* Empty string, return an error */
	if (n == 0)
		return ENOENT;

	/* Skip pass any non digits */
	while (*enctypes && isdigit(*enctypes) == 0)
		enctypes++;
	if (*enctypes == '\0')
		return EINVAL;

	/* Allocate space for enctypes array */
	if ((parsed_enctypes = (int *) calloc(n, sizeof(int))) == NULL) {
		return ENOMEM;
	}

	/* Now parse each value into the array */
	for (curr = enctypes, i = 0; curr && *curr != '\0'; curr = ++comma) {
		parsed_enctypes[i++] = atoi(curr);
		comma = strchr(curr, ',');
		if (comma == NULL)
			break;
	}

	parsed_num_enctypes = n;
	if ((cached_enctypes = malloc(strlen(enctypes)+1)))
		strcpy(cached_enctypes, enctypes);

	return 0;
}

static void
get_kernel_supported_enctypes(void)
{
	FILE *s_e;
	int ret;
	char buffer[MYBUFLEN + 1];

	memset(buffer, '\0', sizeof(buffer));

	s_e = fopen(supported_enctypes_filename, "r");
	if (s_e == NULL)
		goto out_clean_parsed;

	ret = fread(buffer, 1, MYBUFLEN, s_e);
	if (ret < 0) {
		fclose(s_e);
		goto out_clean_parsed;
	}
	fclose(s_e);
	if (parse_enctypes(buffer)) {
		goto out_clean_parsed;
	}
out:
	return;

out_clean_parsed:
	if (parsed_enctypes != NULL) {
		free(parsed_enctypes);
		parsed_num_enctypes = 0;
	}
	goto out;
}

/*==========================*/
/*===  External routines ===*/
/*==========================*/

/*
 * Get encryption types supported by the kernel, and then
 * call gss_krb5_set_allowable_enctypes() to limit the
 * encryption types negotiated.
 *
 * Returns:
 *	0 => all went well
 *     -1 => there was an error
 */

int
svcgssd_limit_krb5_enctypes(void)
{
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
	u_int maj_stat, min_stat;
	krb5_enctype old_kernel_enctypes[] = {
		ENCTYPE_DES_CBC_CRC,
		ENCTYPE_DES_CBC_MD5,
		ENCTYPE_DES_CBC_MD4 };
	krb5_enctype new_kernel_enctypes[] = {
		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
		ENCTYPE_DES3_CBC_SHA1,
		ENCTYPE_ARCFOUR_HMAC,
		ENCTYPE_DES_CBC_CRC,
		ENCTYPE_DES_CBC_MD5,
		ENCTYPE_DES_CBC_MD4 };
	krb5_enctype *default_enctypes, *enctypes;
	int default_num_enctypes, num_enctypes;


	if (linux_version_code() < MAKE_VERSION(2, 6, 35)) {
		default_enctypes = old_kernel_enctypes;
		default_num_enctypes =
			sizeof(old_kernel_enctypes) / sizeof(old_kernel_enctypes[0]);
	} else {
		default_enctypes = new_kernel_enctypes;
		default_num_enctypes =
			sizeof(new_kernel_enctypes) / sizeof(new_kernel_enctypes[0]);
	}

	get_kernel_supported_enctypes();

	if (parsed_enctypes != NULL) {
		enctypes = parsed_enctypes;
		num_enctypes = parsed_num_enctypes;
		printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
			"enctypes from the kernel\n", __func__, num_enctypes);
	} else {
		enctypes = default_enctypes;
		num_enctypes = default_num_enctypes;
		printerr(2, "%s: Calling gss_set_allowable_enctypes with %d "
			"enctypes from defaults\n", __func__, num_enctypes);
	}

	maj_stat = gss_set_allowable_enctypes(&min_stat, gssd_creds,
			&krb5oid, num_enctypes, enctypes);
	if (maj_stat != GSS_S_COMPLETE) {
		printerr(1, "WARNING: gss_set_allowable_enctypes failed\n");
		pgsserr("svcgssd_limit_krb5_enctypes: gss_set_allowable_enctypes",
			maj_stat, min_stat, &krb5oid);
		return -1;
	}
#endif
	return 0;
}