| 1 | /* SPDX-License-Identifier: GPL-2.0 or BSD-3-Clause */ |
|---|---|
| 2 | /* |
| 3 | * SunRPC GSS Kerberos 5 mechanism internal definitions |
| 4 | * |
| 5 | * Copyright (c) 2022 Oracle and/or its affiliates. |
| 6 | */ |
| 7 | |
| 8 | #ifndef _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H |
| 9 | #define _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H |
| 10 | |
| 11 | /* |
| 12 | * The RFCs often specify payload lengths in bits. This helper |
| 13 | * converts a specified bit-length to the number of octets/bytes. |
| 14 | */ |
| 15 | #define BITS2OCTETS(x) ((x) / 8) |
| 16 | |
| 17 | struct krb5_ctx; |
| 18 | |
| 19 | struct gss_krb5_enctype { |
| 20 | const u32 etype; /* encryption (key) type */ |
| 21 | const u32 ctype; /* checksum type */ |
| 22 | const char *name; /* "friendly" name */ |
| 23 | const char *encrypt_name; /* crypto encrypt name */ |
| 24 | const char *aux_cipher; /* aux encrypt cipher name */ |
| 25 | const char *cksum_name; /* crypto checksum name */ |
| 26 | const u16 signalg; /* signing algorithm */ |
| 27 | const u16 sealalg; /* sealing algorithm */ |
| 28 | const u32 cksumlength; /* checksum length */ |
| 29 | const u32 keyed_cksum; /* is it a keyed cksum? */ |
| 30 | const u32 keybytes; /* raw key len, in bytes */ |
| 31 | const u32 keylength; /* protocol key length, in octets */ |
| 32 | const u32 Kc_length; /* checksum subkey length, in octets */ |
| 33 | const u32 Ke_length; /* encryption subkey length, in octets */ |
| 34 | const u32 Ki_length; /* integrity subkey length, in octets */ |
| 35 | |
| 36 | int (*derive_key)(const struct gss_krb5_enctype *gk5e, |
| 37 | const struct xdr_netobj *in, |
| 38 | struct xdr_netobj *out, |
| 39 | const struct xdr_netobj *label, |
| 40 | gfp_t gfp_mask); |
| 41 | u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset, |
| 42 | struct xdr_buf *buf, struct page **pages); |
| 43 | u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len, |
| 44 | struct xdr_buf *buf, u32 *headskip, u32 *tailskip); |
| 45 | u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text, |
| 46 | struct xdr_netobj *token); |
| 47 | u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer, |
| 48 | struct xdr_netobj *read_token); |
| 49 | u32 (*wrap)(struct krb5_ctx *kctx, int offset, |
| 50 | struct xdr_buf *buf, struct page **pages); |
| 51 | u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len, |
| 52 | struct xdr_buf *buf, unsigned int *slack, |
| 53 | unsigned int *align); |
| 54 | }; |
| 55 | |
| 56 | /* krb5_ctx flags definitions */ |
| 57 | #define KRB5_CTX_FLAG_INITIATOR 0x00000001 |
| 58 | #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 |
| 59 | |
| 60 | struct krb5_ctx { |
| 61 | int initiate; /* 1 = initiating, 0 = accepting */ |
| 62 | u32 enctype; |
| 63 | u32 flags; |
| 64 | const struct gss_krb5_enctype *gk5e; /* enctype-specific info */ |
| 65 | struct crypto_sync_skcipher *enc; |
| 66 | struct crypto_sync_skcipher *seq; |
| 67 | struct crypto_sync_skcipher *acceptor_enc; |
| 68 | struct crypto_sync_skcipher *initiator_enc; |
| 69 | struct crypto_sync_skcipher *acceptor_enc_aux; |
| 70 | struct crypto_sync_skcipher *initiator_enc_aux; |
| 71 | struct crypto_ahash *acceptor_sign; |
| 72 | struct crypto_ahash *initiator_sign; |
| 73 | struct crypto_ahash *initiator_integ; |
| 74 | struct crypto_ahash *acceptor_integ; |
| 75 | u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */ |
| 76 | u8 cksum[GSS_KRB5_MAX_KEYLEN]; |
| 77 | atomic_t seq_send; |
| 78 | atomic64_t seq_send64; |
| 79 | time64_t endtime; |
| 80 | struct xdr_netobj mech_used; |
| 81 | }; |
| 82 | |
| 83 | /* |
| 84 | * GSS Kerberos 5 mechanism Per-Message calls. |
| 85 | */ |
| 86 | |
| 87 | u32 gss_krb5_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text, |
| 88 | struct xdr_netobj *token); |
| 89 | |
| 90 | u32 gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer, |
| 91 | struct xdr_netobj *read_token); |
| 92 | |
| 93 | u32 gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset, |
| 94 | struct xdr_buf *buf, struct page **pages); |
| 95 | |
| 96 | u32 gss_krb5_unwrap_v2(struct krb5_ctx *kctx, int offset, int len, |
| 97 | struct xdr_buf *buf, unsigned int *slack, |
| 98 | unsigned int *align); |
| 99 | |
| 100 | /* |
| 101 | * Implementation internal functions |
| 102 | */ |
| 103 | |
| 104 | /* Key Derivation Functions */ |
| 105 | |
| 106 | int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e, |
| 107 | const struct xdr_netobj *inkey, |
| 108 | struct xdr_netobj *outkey, |
| 109 | const struct xdr_netobj *label, |
| 110 | gfp_t gfp_mask); |
| 111 | |
| 112 | int krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e, |
| 113 | const struct xdr_netobj *inkey, |
| 114 | struct xdr_netobj *outkey, |
| 115 | const struct xdr_netobj *in_constant, |
| 116 | gfp_t gfp_mask); |
| 117 | |
| 118 | int krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e, |
| 119 | const struct xdr_netobj *inkey, |
| 120 | struct xdr_netobj *outkey, |
| 121 | const struct xdr_netobj *in_constant, |
| 122 | gfp_t gfp_mask); |
| 123 | |
| 124 | /** |
| 125 | * krb5_derive_key - Derive a subkey from a protocol key |
| 126 | * @kctx: Kerberos 5 context |
| 127 | * @inkey: base protocol key |
| 128 | * @outkey: OUT: derived key |
| 129 | * @usage: key usage value |
| 130 | * @seed: key usage seed (one octet) |
| 131 | * @gfp_mask: memory allocation control flags |
| 132 | * |
| 133 | * Caller sets @outkey->len to the desired length of the derived key. |
| 134 | * |
| 135 | * On success, returns 0 and fills in @outkey. A negative errno value |
| 136 | * is returned on failure. |
| 137 | */ |
| 138 | static inline int krb5_derive_key(struct krb5_ctx *kctx, |
| 139 | const struct xdr_netobj *inkey, |
| 140 | struct xdr_netobj *outkey, |
| 141 | u32 usage, u8 seed, gfp_t gfp_mask) |
| 142 | { |
| 143 | const struct gss_krb5_enctype *gk5e = kctx->gk5e; |
| 144 | u8 label_data[GSS_KRB5_K5CLENGTH]; |
| 145 | struct xdr_netobj label = { |
| 146 | .len = sizeof(label_data), |
| 147 | .data = label_data, |
| 148 | }; |
| 149 | __be32 *p = (__be32 *)label_data; |
| 150 | |
| 151 | *p = cpu_to_be32(usage); |
| 152 | label_data[4] = seed; |
| 153 | return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask); |
| 154 | } |
| 155 | |
| 156 | void krb5_make_confounder(u8 *p, int conflen); |
| 157 | |
| 158 | u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen, |
| 159 | const struct xdr_buf *body, int body_offset, |
| 160 | struct xdr_netobj *cksumout); |
| 161 | |
| 162 | u32 krb5_encrypt(struct crypto_sync_skcipher *key, void *iv, void *in, |
| 163 | void *out, int length); |
| 164 | |
| 165 | int xdr_extend_head(struct xdr_buf *buf, unsigned int base, |
| 166 | unsigned int shiftlen); |
| 167 | |
| 168 | u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, |
| 169 | struct xdr_buf *buf, struct page **pages); |
| 170 | |
| 171 | u32 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, |
| 172 | struct xdr_buf *buf, u32 *plainoffset, u32 *plainlen); |
| 173 | |
| 174 | u32 krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, |
| 175 | struct page **pages); |
| 176 | |
| 177 | u32 krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, |
| 178 | struct xdr_buf *buf, u32 *headskip, u32 *tailskip); |
| 179 | |
| 180 | #if IS_ENABLED(CONFIG_KUNIT) |
| 181 | void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out); |
| 182 | const struct gss_krb5_enctype *gss_krb5_lookup_enctype(u32 etype); |
| 183 | int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm, |
| 184 | struct crypto_sync_skcipher *cbc_tfm, u32 offset, |
| 185 | struct xdr_buf *buf, struct page **pages, |
| 186 | u8 *iv, unsigned int ivsize); |
| 187 | int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm, |
| 188 | struct crypto_sync_skcipher *cbc_tfm, |
| 189 | u32 offset, struct xdr_buf *buf); |
| 190 | u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher, |
| 191 | struct crypto_ahash *tfm, const struct xdr_buf *body, |
| 192 | int body_offset, struct xdr_netobj *cksumout); |
| 193 | #endif |
| 194 | |
| 195 | #endif /* _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H */ |
| 196 |
Generated while processing Linux/net/sunrpc/auth_gss/gss_krb5_crypto.c
Generated on 2025-Oct-12 from project Linux revision 6.17.0 (67029a49db6c)
Powered by 
Code Browser 2.1
Generator usage only permitted with license.