SUNRPC: Remove legacy skcipher/ahash handles from krb5_ctx
authorChuck Lever <chuck.lever@oracle.com>
Mon, 27 Apr 2026 13:50:58 +0000 (09:50 -0400)
committerChuck Lever <cel@kernel.org>
Tue, 9 Jun 2026 20:32:59 +0000 (16:32 -0400)
Previous patches switched all per-message crypto operations
(encrypt, decrypt, get_mic, verify_mic) from the internal
skcipher/ahash primitives to crypto/krb5 AEAD and shash
handles. The old crypto_sync_skcipher and crypto_ahash fields in
struct krb5_ctx are no longer referenced at runtime.

Remove the ten legacy handle fields from struct krb5_ctx
along with the key derivation and handle allocation code in
gss_krb5_import_ctx_v2() that populated them. Context import
now prepares only the four crypto/krb5 handles (two AEAD for
encryption, two shash for checksums). The corresponding cleanup
in gss_krb5_delete_sec_context() and the error path is likewise
reduced.

The krb5_derive_key() inline wrapper, gss_krb5_alloc_cipher_v2(),
and gss_krb5_alloc_hash_v2() become unused and are removed.
The per-enctype encrypt/decrypt functions (gss_krb5_aes_encrypt,
gss_krb5_aes_decrypt, krb5_etm_encrypt, krb5_etm_decrypt) that
were the sole remaining consumers of these fields are also removed;
their function-pointer call sites were already deleted in earlier
patches.

Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
net/sunrpc/auth_gss/gss_krb5_crypto.c
net/sunrpc/auth_gss/gss_krb5_internal.h
net/sunrpc/auth_gss/gss_krb5_mech.c

index 3a8e6710a51bc18282e51b24dac8d1d3d5129fc1..cfd5b56d1b5234d2e1e44019b3beaac534ca0ef3 100644 (file)
@@ -578,137 +578,6 @@ int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
 }
 EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_decrypt);
 
-u32
-gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
-                    struct xdr_buf *buf, struct page **pages)
-{
-       u32 err;
-       struct xdr_netobj hmac;
-       u8 *ecptr;
-       struct crypto_sync_skcipher *cipher, *aux_cipher;
-       struct crypto_ahash *ahash;
-       struct page **save_pages;
-       unsigned int conflen;
-
-       if (kctx->initiate) {
-               cipher = kctx->initiator_enc;
-               aux_cipher = kctx->initiator_enc_aux;
-               ahash = kctx->initiator_integ;
-       } else {
-               cipher = kctx->acceptor_enc;
-               aux_cipher = kctx->acceptor_enc_aux;
-               ahash = kctx->acceptor_integ;
-       }
-       conflen = crypto_sync_skcipher_blocksize(cipher);
-
-       /* hide the gss token header and insert the confounder */
-       offset += GSS_KRB5_TOK_HDR_LEN;
-       if (xdr_extend_head(buf, offset, conflen))
-               return GSS_S_FAILURE;
-       krb5_make_confounder(buf->head[0].iov_base + offset, conflen);
-       offset -= GSS_KRB5_TOK_HDR_LEN;
-
-       if (buf->tail[0].iov_base != NULL) {
-               ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
-       } else {
-               buf->tail[0].iov_base = buf->head[0].iov_base
-                                                       + buf->head[0].iov_len;
-               buf->tail[0].iov_len = 0;
-               ecptr = buf->tail[0].iov_base;
-       }
-
-       /* copy plaintext gss token header after filler (if any) */
-       memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
-       buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
-       buf->len += GSS_KRB5_TOK_HDR_LEN;
-
-       hmac.len = kctx->gk5e->cksumlength;
-       hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;
-
-       /*
-        * When we are called, pages points to the real page cache
-        * data -- which we can't go and encrypt!  buf->pages points
-        * to scratch pages which we are going to send off to the
-        * client/server.  Swap in the plaintext pages to calculate
-        * the hmac.
-        */
-       save_pages = buf->pages;
-       buf->pages = pages;
-
-       err = gss_krb5_checksum(ahash, NULL, 0, buf,
-                               offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
-       buf->pages = save_pages;
-       if (err)
-               return GSS_S_FAILURE;
-
-       err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
-                                  offset + GSS_KRB5_TOK_HDR_LEN,
-                                  buf, pages, NULL, 0);
-       if (err)
-               return GSS_S_FAILURE;
-
-       /* Now update buf to account for HMAC */
-       buf->tail[0].iov_len += kctx->gk5e->cksumlength;
-       buf->len += kctx->gk5e->cksumlength;
-
-       return GSS_S_COMPLETE;
-}
-
-u32
-gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
-                    struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
-{
-       struct crypto_sync_skcipher *cipher, *aux_cipher;
-       struct crypto_ahash *ahash;
-       struct xdr_netobj our_hmac_obj;
-       u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
-       u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
-       struct xdr_buf subbuf;
-       u32 ret = 0;
-
-       if (kctx->initiate) {
-               cipher = kctx->acceptor_enc;
-               aux_cipher = kctx->acceptor_enc_aux;
-               ahash = kctx->acceptor_integ;
-       } else {
-               cipher = kctx->initiator_enc;
-               aux_cipher = kctx->initiator_enc_aux;
-               ahash = kctx->initiator_integ;
-       }
-
-       /* create a segment skipping the header and leaving out the checksum */
-       xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
-                                   (len - offset - GSS_KRB5_TOK_HDR_LEN -
-                                    kctx->gk5e->cksumlength));
-
-       ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, 0, &subbuf);
-       if (ret)
-               goto out_err;
-
-       our_hmac_obj.len = kctx->gk5e->cksumlength;
-       our_hmac_obj.data = our_hmac;
-       ret = gss_krb5_checksum(ahash, NULL, 0, &subbuf, 0, &our_hmac_obj);
-       if (ret)
-               goto out_err;
-
-       /* Get the packet's hmac value */
-       ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
-                                     pkt_hmac, kctx->gk5e->cksumlength);
-       if (ret)
-               goto out_err;
-
-       if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
-               ret = GSS_S_BAD_SIG;
-               goto out_err;
-       }
-       *headskip = crypto_sync_skcipher_blocksize(cipher);
-       *tailskip = kctx->gk5e->cksumlength;
-out_err:
-       if (ret && ret != GSS_S_BAD_SIG)
-               ret = GSS_S_FAILURE;
-       return ret;
-}
-
 /**
  * krb5_etm_checksum - Compute a MAC for a GSS Wrap token
  * @cipher: an initialized cipher transform
@@ -778,182 +647,6 @@ out_free_mem:
 }
 EXPORT_SYMBOL_IF_KUNIT(krb5_etm_checksum);
 
-/**
- * krb5_etm_encrypt - Encrypt using the RFC 8009 rules
- * @kctx: Kerberos context
- * @offset: starting offset of the payload, in bytes
- * @buf: OUT: send buffer to contain the encrypted payload
- * @pages: plaintext payload
- *
- * The main difference with aes_encrypt is that "The HMAC is
- * calculated over the cipher state concatenated with the AES
- * output, instead of being calculated over the confounder and
- * plaintext.  This allows the message receiver to verify the
- * integrity of the message before decrypting the message."
- *
- * RFC 8009 Section 5:
- *
- * encryption function: as follows, where E() is AES encryption in
- * CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or
- * 192 bits as described above).
- *
- *    N = random value of length 128 bits (the AES block size)
- *    IV = cipher state
- *    C = E(Ke, N | plaintext, IV)
- *    H = HMAC(Ki, IV | C)
- *    ciphertext = C | H[1..h]
- *
- * This encryption formula provides AEAD EtM with key separation.
- *
- * Return values:
- *   %GSS_S_COMPLETE: Encryption successful
- *   %GSS_S_FAILURE: Encryption failed
- */
-u32
-krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset,
-                struct xdr_buf *buf, struct page **pages)
-{
-       struct crypto_sync_skcipher *cipher, *aux_cipher;
-       struct crypto_ahash *ahash;
-       struct xdr_netobj hmac;
-       unsigned int conflen;
-       u8 *ecptr;
-       u32 err;
-
-       if (kctx->initiate) {
-               cipher = kctx->initiator_enc;
-               aux_cipher = kctx->initiator_enc_aux;
-               ahash = kctx->initiator_integ;
-       } else {
-               cipher = kctx->acceptor_enc;
-               aux_cipher = kctx->acceptor_enc_aux;
-               ahash = kctx->acceptor_integ;
-       }
-       conflen = crypto_sync_skcipher_blocksize(cipher);
-
-       offset += GSS_KRB5_TOK_HDR_LEN;
-       if (xdr_extend_head(buf, offset, conflen))
-               return GSS_S_FAILURE;
-       krb5_make_confounder(buf->head[0].iov_base + offset, conflen);
-       offset -= GSS_KRB5_TOK_HDR_LEN;
-
-       if (buf->tail[0].iov_base) {
-               ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
-       } else {
-               buf->tail[0].iov_base = buf->head[0].iov_base
-                                                       + buf->head[0].iov_len;
-               buf->tail[0].iov_len = 0;
-               ecptr = buf->tail[0].iov_base;
-       }
-
-       memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
-       buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
-       buf->len += GSS_KRB5_TOK_HDR_LEN;
-
-       err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
-                                  offset + GSS_KRB5_TOK_HDR_LEN,
-                                  buf, pages, NULL, 0);
-       if (err)
-               return GSS_S_FAILURE;
-
-       hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;
-       hmac.len = kctx->gk5e->cksumlength;
-       err = krb5_etm_checksum(cipher, ahash,
-                               buf, offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
-       if (err)
-               goto out_err;
-       buf->tail[0].iov_len += kctx->gk5e->cksumlength;
-       buf->len += kctx->gk5e->cksumlength;
-
-       return GSS_S_COMPLETE;
-
-out_err:
-       return GSS_S_FAILURE;
-}
-
-/**
- * krb5_etm_decrypt - Decrypt using the RFC 8009 rules
- * @kctx: Kerberos context
- * @offset: starting offset of the ciphertext, in bytes
- * @len: size of ciphertext to unwrap
- * @buf: ciphertext to unwrap
- * @headskip: OUT: the enctype's confounder length, in octets
- * @tailskip: OUT: the enctype's HMAC length, in octets
- *
- * RFC 8009 Section 5:
- *
- * decryption function: as follows, where D() is AES decryption in
- * CBC-CS3 mode, and h is the size of truncated HMAC.
- *
- *    (C, H) = ciphertext
- *        (Note: H is the last h bits of the ciphertext.)
- *    IV = cipher state
- *    if H != HMAC(Ki, IV | C)[1..h]
- *        stop, report error
- *    (N, P) = D(Ke, C, IV)
- *
- * Return values:
- *   %GSS_S_COMPLETE: Decryption successful
- *   %GSS_S_BAD_SIG: computed HMAC != received HMAC
- *   %GSS_S_FAILURE: Decryption failed
- */
-u32
-krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
-                struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
-{
-       struct crypto_sync_skcipher *cipher, *aux_cipher;
-       u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
-       u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
-       struct xdr_netobj our_hmac_obj;
-       struct crypto_ahash *ahash;
-       struct xdr_buf subbuf;
-       u32 ret = 0;
-
-       if (kctx->initiate) {
-               cipher = kctx->acceptor_enc;
-               aux_cipher = kctx->acceptor_enc_aux;
-               ahash = kctx->acceptor_integ;
-       } else {
-               cipher = kctx->initiator_enc;
-               aux_cipher = kctx->initiator_enc_aux;
-               ahash = kctx->initiator_integ;
-       }
-
-       /* Extract the ciphertext into @subbuf. */
-       xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
-                          (len - offset - GSS_KRB5_TOK_HDR_LEN -
-                           kctx->gk5e->cksumlength));
-
-       our_hmac_obj.data = our_hmac;
-       our_hmac_obj.len = kctx->gk5e->cksumlength;
-       ret = krb5_etm_checksum(cipher, ahash, &subbuf, 0, &our_hmac_obj);
-       if (ret)
-               goto out_err;
-       ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
-                                     pkt_hmac, kctx->gk5e->cksumlength);
-       if (ret)
-               goto out_err;
-       if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
-               ret = GSS_S_BAD_SIG;
-               goto out_err;
-       }
-
-       ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, 0, &subbuf);
-       if (ret) {
-               ret = GSS_S_FAILURE;
-               goto out_err;
-       }
-
-       *headskip = crypto_sync_skcipher_blocksize(cipher);
-       *tailskip = kctx->gk5e->cksumlength;
-       return GSS_S_COMPLETE;
-
-out_err:
-       if (ret != GSS_S_BAD_SIG)
-               ret = GSS_S_FAILURE;
-       return ret;
-}
-
 /**
  * gss_krb5_aead_encrypt - Encrypt a wrap token using crypto/krb5
  * @kctx: Kerberos context
index 8258e6862aa20470a96dbde752061f60d698b306..6b08a7486e0b515bbe9c4261455e6b99e3c542ca 100644 (file)
@@ -56,16 +56,6 @@ struct krb5_ctx {
        struct crypto_aead      *acceptor_enc_aead;
        struct crypto_shash     *initiator_sign_shash;
        struct crypto_shash     *acceptor_sign_shash;
-       struct crypto_sync_skcipher *enc;
-       struct crypto_sync_skcipher *seq;
-       struct crypto_sync_skcipher *acceptor_enc;
-       struct crypto_sync_skcipher *initiator_enc;
-       struct crypto_sync_skcipher *acceptor_enc_aux;
-       struct crypto_sync_skcipher *initiator_enc_aux;
-       struct crypto_ahash     *acceptor_sign;
-       struct crypto_ahash     *initiator_sign;
-       struct crypto_ahash     *initiator_integ;
-       struct crypto_ahash     *acceptor_integ;
        u8                      Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
        u8                      cksum[GSS_KRB5_MAX_KEYLEN];
        atomic_t                seq_send;
@@ -115,38 +105,6 @@ int krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e,
                           const struct xdr_netobj *in_constant,
                           gfp_t gfp_mask);
 
-/**
- * krb5_derive_key - Derive a subkey from a protocol key
- * @kctx: Kerberos 5 context
- * @inkey: base protocol key
- * @outkey: OUT: derived key
- * @usage: key usage value
- * @seed: key usage seed (one octet)
- * @gfp_mask: memory allocation control flags
- *
- * Caller sets @outkey->len to the desired length of the derived key.
- *
- * On success, returns 0 and fills in @outkey. A negative errno value
- * is returned on failure.
- */
-static inline int krb5_derive_key(struct krb5_ctx *kctx,
-                                 const struct xdr_netobj *inkey,
-                                 struct xdr_netobj *outkey,
-                                 u32 usage, u8 seed, gfp_t gfp_mask)
-{
-       const struct gss_krb5_enctype *gk5e = kctx->gk5e;
-       u8 label_data[GSS_KRB5_K5CLENGTH];
-       struct xdr_netobj label = {
-               .len    = sizeof(label_data),
-               .data   = label_data,
-       };
-       __be32 *p = (__be32 *)label_data;
-
-       *p = cpu_to_be32(usage);
-       label_data[4] = seed;
-       return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask);
-}
-
 void krb5_make_confounder(u8 *p, int conflen);
 
 u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen,
@@ -159,18 +117,6 @@ u32 krb5_encrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
 int xdr_extend_head(struct xdr_buf *buf, unsigned int base,
                    unsigned int shiftlen);
 
-u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
-                        struct xdr_buf *buf, struct page **pages);
-
-u32 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
-                        struct xdr_buf *buf, u32 *plainoffset, u32 *plainlen);
-
-u32 krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
-                    struct page **pages);
-
-u32 krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
-                    struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
-
 u32 gss_krb5_errno_to_status(int err);
 
 int gss_krb5_mic_build_sg(const struct xdr_buf *body,
index 912821efc937adf60b12990844714782957d0d98..d8cb79fd2463a0168e6506082b1dc39665066ca1 100644 (file)
@@ -9,8 +9,6 @@
  *  J. Bruce Fields <bfields@umich.edu>
  */
 
-#include <crypto/hash.h>
-#include <crypto/skcipher.h>
 #include <linux/err.h>
 #include <linux/module.h>
 #include <linux/init.h>
@@ -225,120 +223,14 @@ const struct gss_krb5_enctype *gss_krb5_lookup_enctype(u32 etype)
 }
 EXPORT_SYMBOL_IF_KUNIT(gss_krb5_lookup_enctype);
 
-static struct crypto_sync_skcipher *
-gss_krb5_alloc_cipher_v2(const char *cname, const struct xdr_netobj *key)
-{
-       struct crypto_sync_skcipher *tfm;
-
-       tfm = crypto_alloc_sync_skcipher(cname, 0, 0);
-       if (IS_ERR(tfm))
-               return NULL;
-       if (crypto_sync_skcipher_setkey(tfm, key->data, key->len)) {
-               crypto_free_sync_skcipher(tfm);
-               return NULL;
-       }
-       return tfm;
-}
-
-static struct crypto_ahash *
-gss_krb5_alloc_hash_v2(struct krb5_ctx *kctx, const struct xdr_netobj *key)
-{
-       struct crypto_ahash *tfm;
-
-       tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
-       if (IS_ERR(tfm))
-               return NULL;
-       if (crypto_ahash_setkey(tfm, key->data, key->len)) {
-               crypto_free_ahash(tfm);
-               return NULL;
-       }
-       return tfm;
-}
-
 static int
 gss_krb5_import_ctx_v2(struct krb5_ctx *ctx, gfp_t gfp_mask)
 {
-       struct xdr_netobj keyin = {
-               .len    = ctx->gk5e->keylength,
-               .data   = ctx->Ksess,
-       };
        struct krb5_buffer TK = {
                .len    = ctx->gk5e->keylength,
                .data   = ctx->Ksess,
        };
-       struct xdr_netobj keyout;
-       int ret = -EINVAL;
-
-       keyout.data = kmalloc(GSS_KRB5_MAX_KEYLEN, gfp_mask);
-       if (!keyout.data)
-               return -ENOMEM;
-
-       /* initiator seal encryption */
-       keyout.len = ctx->gk5e->Ke_length;
-       if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_INITIATOR_SEAL,
-                           KEY_USAGE_SEED_ENCRYPTION, gfp_mask))
-               goto out;
-       ctx->initiator_enc = gss_krb5_alloc_cipher_v2(ctx->gk5e->encrypt_name,
-                                                     &keyout);
-       if (ctx->initiator_enc == NULL)
-               goto out;
-       if (ctx->gk5e->aux_cipher) {
-               ctx->initiator_enc_aux =
-                       gss_krb5_alloc_cipher_v2(ctx->gk5e->aux_cipher,
-                                                &keyout);
-               if (ctx->initiator_enc_aux == NULL)
-                       goto out_free;
-       }
-
-       /* acceptor seal encryption */
-       if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_ACCEPTOR_SEAL,
-                           KEY_USAGE_SEED_ENCRYPTION, gfp_mask))
-               goto out_free;
-       ctx->acceptor_enc = gss_krb5_alloc_cipher_v2(ctx->gk5e->encrypt_name,
-                                                    &keyout);
-       if (ctx->acceptor_enc == NULL)
-               goto out_free;
-       if (ctx->gk5e->aux_cipher) {
-               ctx->acceptor_enc_aux =
-                       gss_krb5_alloc_cipher_v2(ctx->gk5e->aux_cipher,
-                                                &keyout);
-               if (ctx->acceptor_enc_aux == NULL)
-                       goto out_free;
-       }
-
-       /* initiator sign checksum */
-       keyout.len = ctx->gk5e->Kc_length;
-       if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_INITIATOR_SIGN,
-                           KEY_USAGE_SEED_CHECKSUM, gfp_mask))
-               goto out_free;
-       ctx->initiator_sign = gss_krb5_alloc_hash_v2(ctx, &keyout);
-       if (ctx->initiator_sign == NULL)
-               goto out_free;
-
-       /* acceptor sign checksum */
-       if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_ACCEPTOR_SIGN,
-                           KEY_USAGE_SEED_CHECKSUM, gfp_mask))
-               goto out_free;
-       ctx->acceptor_sign = gss_krb5_alloc_hash_v2(ctx, &keyout);
-       if (ctx->acceptor_sign == NULL)
-               goto out_free;
-
-       /* initiator seal integrity */
-       keyout.len = ctx->gk5e->Ki_length;
-       if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_INITIATOR_SEAL,
-                           KEY_USAGE_SEED_INTEGRITY, gfp_mask))
-               goto out_free;
-       ctx->initiator_integ = gss_krb5_alloc_hash_v2(ctx, &keyout);
-       if (ctx->initiator_integ == NULL)
-               goto out_free;
-
-       /* acceptor seal integrity */
-       if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_ACCEPTOR_SEAL,
-                           KEY_USAGE_SEED_INTEGRITY, gfp_mask))
-               goto out_free;
-       ctx->acceptor_integ = gss_krb5_alloc_hash_v2(ctx, &keyout);
-       if (ctx->acceptor_integ == NULL)
-               goto out_free;
+       int ret;
 
        ctx->initiator_enc_aead =
                crypto_krb5_prepare_encryption(ctx->krb5e, &TK,
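Review bot: `int ret;` drops the old `-EINVAL` initialiser, so the `return ret;` that the next hunk adds at `out_free` is only well defined if every `goto out_free` site assigns `ret` first. Those sites lie between this hunk and the next and are not visible here, so the diff alone cannot confirm it; the one visible `goto out_free;` sits inside a braced block, which is consistent with an assignment just before it. Keeping `int ret = -EINVAL;` costs nothing and prevents a later-added error branch from returning an indeterminate value as the import status. The body of gss_krb5_import_ctx_v2() continues past the end of this hunk.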
@@ -373,25 +265,14 @@ gss_krb5_import_ctx_v2(struct krb5_ctx *ctx, gfp_t gfp_mask)
                goto out_free;
        }
 
-       ret = 0;
-out:
-       kfree_sensitive(keyout.data);
-       return ret;
+       return 0;
 
 out_free:
        crypto_free_shash(ctx->acceptor_sign_shash);
        crypto_free_shash(ctx->initiator_sign_shash);
        crypto_free_aead(ctx->acceptor_enc_aead);
        crypto_free_aead(ctx->initiator_enc_aead);
-       crypto_free_ahash(ctx->acceptor_integ);
-       crypto_free_ahash(ctx->initiator_integ);
-       crypto_free_ahash(ctx->acceptor_sign);
-       crypto_free_ahash(ctx->initiator_sign);
-       crypto_free_sync_skcipher(ctx->acceptor_enc_aux);
-       crypto_free_sync_skcipher(ctx->acceptor_enc);
-       crypto_free_sync_skcipher(ctx->initiator_enc_aux);
-       crypto_free_sync_skcipher(ctx->initiator_enc);
-       goto out;
+       return ret;
 }
 
 static int
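Review bot: After the bare `return 0;` the base session key still sits in `ctx->Ksess` for the whole life of the context, even though the derived-key scratch buffer and its `kfree_sensitive(keyout.data)` are gone. The struct hunk keeps `u8 Ksess[GSS_KRB5_MAX_KEYLEN]` and the teardown hunk for gss_krb5_delete_sec_context() still ends in a plain `kfree(kctx);`, so the key bytes are left in freed slab memory. If nothing reads `Ksess` once the four handles are prepared (not visible in this diff), add `memzero_explicit(ctx->Ksess, sizeof(ctx->Ksess));` before `return 0;`; otherwise change the teardown to `kfree_sensitive(kctx);`. Separately, `out_free` releases the four handles without resetting the pointers, so it is worth confirming that no caller hands the same context to gss_krb5_delete_sec_context() after a failed import.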
@@ -509,16 +390,6 @@ gss_krb5_delete_sec_context(void *internal_ctx)
        crypto_free_shash(kctx->initiator_sign_shash);
        crypto_free_aead(kctx->acceptor_enc_aead);
        crypto_free_aead(kctx->initiator_enc_aead);
-       crypto_free_sync_skcipher(kctx->seq);
-       crypto_free_sync_skcipher(kctx->enc);
-       crypto_free_sync_skcipher(kctx->acceptor_enc);
-       crypto_free_sync_skcipher(kctx->initiator_enc);
-       crypto_free_sync_skcipher(kctx->acceptor_enc_aux);
-       crypto_free_sync_skcipher(kctx->initiator_enc_aux);
-       crypto_free_ahash(kctx->acceptor_sign);
-       crypto_free_ahash(kctx->initiator_sign);
-       crypto_free_ahash(kctx->acceptor_integ);
-       crypto_free_ahash(kctx->initiator_integ);
        kfree(kctx->mech_used.data);
        kfree(kctx);
 }