210 lines
7.1 KiB
C
210 lines
7.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0 or BSD-3-Clause */
|
|
/*
|
|
* SunRPC GSS Kerberos 5 mechanism internal definitions
|
|
*
|
|
* Copyright (c) 2022 Oracle and/or its affiliates.
|
|
*/
|
|
|
|
#ifndef _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H
|
|
#define _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H
|
|
|
|
/*
|
|
* The RFCs often specify payload lengths in bits. This helper
|
|
* converts a specified bit-length to the number of octets/bytes.
|
|
*/
|
|
#define BITS2OCTETS(x) ((x) / 8)
|
|
|
|
struct krb5_ctx;
|
|
|
|
struct gss_krb5_enctype {
|
|
const u32 etype; /* encryption (key) type */
|
|
const u32 ctype; /* checksum type */
|
|
const char *name; /* "friendly" name */
|
|
const char *encrypt_name; /* crypto encrypt name */
|
|
const char *aux_cipher; /* aux encrypt cipher name */
|
|
const char *cksum_name; /* crypto checksum name */
|
|
const u16 signalg; /* signing algorithm */
|
|
const u16 sealalg; /* sealing algorithm */
|
|
const u32 cksumlength; /* checksum length */
|
|
const u32 keyed_cksum; /* is it a keyed cksum? */
|
|
const u32 keybytes; /* raw key len, in bytes */
|
|
const u32 keylength; /* protocol key length, in octets */
|
|
const u32 Kc_length; /* checksum subkey length, in octets */
|
|
const u32 Ke_length; /* encryption subkey length, in octets */
|
|
const u32 Ki_length; /* integrity subkey length, in octets */
|
|
|
|
int (*derive_key)(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *in,
|
|
struct xdr_netobj *out,
|
|
const struct xdr_netobj *label,
|
|
gfp_t gfp_mask);
|
|
u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset,
|
|
struct xdr_buf *buf, struct page **pages);
|
|
u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len,
|
|
struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
|
|
u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text,
|
|
struct xdr_netobj *token);
|
|
u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer,
|
|
struct xdr_netobj *read_token);
|
|
u32 (*wrap)(struct krb5_ctx *kctx, int offset,
|
|
struct xdr_buf *buf, struct page **pages);
|
|
u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len,
|
|
struct xdr_buf *buf, unsigned int *slack,
|
|
unsigned int *align);
|
|
};
|
|
|
|
/* krb5_ctx flags definitions */
|
|
#define KRB5_CTX_FLAG_INITIATOR 0x00000001
|
|
#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
|
|
|
|
struct krb5_ctx {
|
|
int initiate; /* 1 = initiating, 0 = accepting */
|
|
u32 enctype;
|
|
u32 flags;
|
|
const struct gss_krb5_enctype *gk5e; /* enctype-specific info */
|
|
struct crypto_sync_skcipher *enc;
|
|
struct crypto_sync_skcipher *seq;
|
|
struct crypto_sync_skcipher *acceptor_enc;
|
|
struct crypto_sync_skcipher *initiator_enc;
|
|
struct crypto_sync_skcipher *acceptor_enc_aux;
|
|
struct crypto_sync_skcipher *initiator_enc_aux;
|
|
struct crypto_ahash *acceptor_sign;
|
|
struct crypto_ahash *initiator_sign;
|
|
struct crypto_ahash *initiator_integ;
|
|
struct crypto_ahash *acceptor_integ;
|
|
u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
|
|
u8 cksum[GSS_KRB5_MAX_KEYLEN];
|
|
atomic_t seq_send;
|
|
atomic64_t seq_send64;
|
|
time64_t endtime;
|
|
struct xdr_netobj mech_used;
|
|
};
|
|
|
|
/*
|
|
* GSS Kerberos 5 mechanism Per-Message calls.
|
|
*/
|
|
|
|
u32 gss_krb5_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
|
|
struct xdr_netobj *token);
|
|
|
|
u32 gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
|
|
struct xdr_netobj *read_token);
|
|
|
|
u32 gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset,
|
|
struct xdr_buf *buf, struct page **pages);
|
|
|
|
u32 gss_krb5_unwrap_v2(struct krb5_ctx *kctx, int offset, int len,
|
|
struct xdr_buf *buf, unsigned int *slack,
|
|
unsigned int *align);
|
|
|
|
/*
|
|
* Implementation internal functions
|
|
*/
|
|
|
|
/* Key Derivation Functions */
|
|
|
|
int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
const struct xdr_netobj *label,
|
|
gfp_t gfp_mask);
|
|
|
|
int krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
const struct xdr_netobj *in_constant,
|
|
gfp_t gfp_mask);
|
|
|
|
int krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
const struct xdr_netobj *in_constant,
|
|
gfp_t gfp_mask);
|
|
|
|
/**
|
|
* krb5_derive_key - Derive a subkey from a protocol key
|
|
* @kctx: Kerberos 5 context
|
|
* @inkey: base protocol key
|
|
* @outkey: OUT: derived key
|
|
* @usage: key usage value
|
|
* @seed: key usage seed (one octet)
|
|
* @gfp_mask: memory allocation control flags
|
|
*
|
|
* Caller sets @outkey->len to the desired length of the derived key.
|
|
*
|
|
* On success, returns 0 and fills in @outkey. A negative errno value
|
|
* is returned on failure.
|
|
*/
|
|
static inline int krb5_derive_key(struct krb5_ctx *kctx,
|
|
const struct xdr_netobj *inkey,
|
|
struct xdr_netobj *outkey,
|
|
u32 usage, u8 seed, gfp_t gfp_mask)
|
|
{
|
|
const struct gss_krb5_enctype *gk5e = kctx->gk5e;
|
|
u8 label_data[GSS_KRB5_K5CLENGTH];
|
|
struct xdr_netobj label = {
|
|
.len = sizeof(label_data),
|
|
.data = label_data,
|
|
};
|
|
__be32 *p = (__be32 *)label_data;
|
|
|
|
*p = cpu_to_be32(usage);
|
|
label_data[4] = seed;
|
|
return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask);
|
|
}
|
|
|
|
void krb5_make_confounder(u8 *p, int conflen);
|
|
|
|
u32 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
|
|
struct xdr_buf *body, int body_offset, u8 *cksumkey,
|
|
unsigned int usage, struct xdr_netobj *cksumout);
|
|
|
|
u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen,
|
|
const struct xdr_buf *body, int body_offset,
|
|
struct xdr_netobj *cksumout);
|
|
|
|
u32 krb5_encrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
|
|
void *out, int length);
|
|
|
|
u32 krb5_decrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
|
|
void *out, int length);
|
|
|
|
int xdr_extend_head(struct xdr_buf *buf, unsigned int base,
|
|
unsigned int shiftlen);
|
|
|
|
int gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm,
|
|
struct xdr_buf *outbuf, int offset,
|
|
struct page **pages);
|
|
|
|
int gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm,
|
|
struct xdr_buf *inbuf, int offset);
|
|
|
|
u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
|
|
struct xdr_buf *buf, struct page **pages);
|
|
|
|
u32 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
|
|
struct xdr_buf *buf, u32 *plainoffset, u32 *plainlen);
|
|
|
|
u32 krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
|
|
struct page **pages);
|
|
|
|
u32 krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
|
|
struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
|
|
|
|
#if IS_ENABLED(CONFIG_KUNIT)
|
|
void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out);
|
|
const struct gss_krb5_enctype *gss_krb5_lookup_enctype(u32 etype);
|
|
int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
|
|
struct crypto_sync_skcipher *cbc_tfm, u32 offset,
|
|
struct xdr_buf *buf, struct page **pages,
|
|
u8 *iv, unsigned int ivsize);
|
|
int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
|
|
struct crypto_sync_skcipher *cbc_tfm,
|
|
u32 offset, struct xdr_buf *buf);
|
|
u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
|
|
struct crypto_ahash *tfm, const struct xdr_buf *body,
|
|
int body_offset, struct xdr_netobj *cksumout);
|
|
#endif
|
|
|
|
#endif /* _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H */
|