2 * linux/net/sunrpc/gss_krb5_crypto.c
4 * Copyright (c) 2000-2008 The Regents of the University of Michigan.
7 * Andy Adamson <andros@umich.edu>
8 * Bruce Fields <bfields@umich.edu>
12 * Copyright (C) 1998 by the FundsXpress, INC.
14 * All rights reserved.
16 * Export of this software from the United States of America may require
17 * a specific license from the United States Government. It is the
18 * responsibility of any person or organization contemplating export to
19 * obtain such a license before exporting.
21 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
22 * distribute this software and its documentation for any purpose and
23 * without fee is hereby granted, provided that the above copyright
24 * notice appear in all copies and that both that copyright notice and
25 * this permission notice appear in supporting documentation, and that
26 * the name of FundsXpress. not be used in advertising or publicity pertaining
27 * to distribution of the software without specific, written prior
28 * permission. FundsXpress makes no representations about the suitability of
29 * this software for any purpose. It is provided "as is" without express
30 * or implied warranty.
32 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
34 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
37 #include <crypto/hash.h>
38 #include <crypto/skcipher.h>
39 #include <linux/err.h>
40 #include <linux/types.h>
42 #include <linux/scatterlist.h>
43 #include <linux/highmem.h>
44 #include <linux/pagemap.h>
45 #include <linux/random.h>
46 #include <linux/sunrpc/gss_krb5.h>
47 #include <linux/sunrpc/xdr.h>
49 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
50 # define RPCDBG_FACILITY RPCDBG_AUTH
55 struct crypto_skcipher
*tfm
,
62 struct scatterlist sg
[1];
63 u8 local_iv
[GSS_KRB5_MAX_BLOCKSIZE
] = {0};
64 SKCIPHER_REQUEST_ON_STACK(req
, tfm
);
66 if (length
% crypto_skcipher_blocksize(tfm
) != 0)
69 if (crypto_skcipher_ivsize(tfm
) > GSS_KRB5_MAX_BLOCKSIZE
) {
70 dprintk("RPC: gss_k5encrypt: tfm iv size too large %d\n",
71 crypto_skcipher_ivsize(tfm
));
76 memcpy(local_iv
, iv
, crypto_skcipher_ivsize(tfm
));
78 memcpy(out
, in
, length
);
79 sg_init_one(sg
, out
, length
);
81 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
82 skcipher_request_set_crypt(req
, sg
, sg
, length
, local_iv
);
84 ret
= crypto_skcipher_encrypt(req
);
85 skcipher_request_zero(req
);
87 dprintk("RPC: krb5_encrypt returns %d\n", ret
);
93 struct crypto_skcipher
*tfm
,
100 struct scatterlist sg
[1];
101 u8 local_iv
[GSS_KRB5_MAX_BLOCKSIZE
] = {0};
102 SKCIPHER_REQUEST_ON_STACK(req
, tfm
);
104 if (length
% crypto_skcipher_blocksize(tfm
) != 0)
107 if (crypto_skcipher_ivsize(tfm
) > GSS_KRB5_MAX_BLOCKSIZE
) {
108 dprintk("RPC: gss_k5decrypt: tfm iv size too large %d\n",
109 crypto_skcipher_ivsize(tfm
));
113 memcpy(local_iv
,iv
, crypto_skcipher_ivsize(tfm
));
115 memcpy(out
, in
, length
);
116 sg_init_one(sg
, out
, length
);
118 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
119 skcipher_request_set_crypt(req
, sg
, sg
, length
, local_iv
);
121 ret
= crypto_skcipher_decrypt(req
);
122 skcipher_request_zero(req
);
124 dprintk("RPC: gss_k5decrypt returns %d\n",ret
);
129 checksummer(struct scatterlist
*sg
, void *data
)
131 struct ahash_request
*req
= data
;
133 ahash_request_set_crypt(req
, sg
, NULL
, sg
->length
);
135 return crypto_ahash_update(req
);
139 arcfour_hmac_md5_usage_to_salt(unsigned int usage
, u8 salt
[4])
141 unsigned int ms_usage
;
153 salt
[0] = (ms_usage
>> 0) & 0xff;
154 salt
[1] = (ms_usage
>> 8) & 0xff;
155 salt
[2] = (ms_usage
>> 16) & 0xff;
156 salt
[3] = (ms_usage
>> 24) & 0xff;
162 make_checksum_hmac_md5(struct krb5_ctx
*kctx
, char *header
, int hdrlen
,
163 struct xdr_buf
*body
, int body_offset
, u8
*cksumkey
,
164 unsigned int usage
, struct xdr_netobj
*cksumout
)
166 struct scatterlist sg
[1];
168 u8 checksumdata
[GSS_KRB5_MAX_CKSUM_LEN
];
170 struct crypto_ahash
*md5
;
171 struct crypto_ahash
*hmac_md5
;
172 struct ahash_request
*req
;
174 if (cksumkey
== NULL
)
175 return GSS_S_FAILURE
;
177 if (cksumout
->len
< kctx
->gk5e
->cksumlength
) {
178 dprintk("%s: checksum buffer length, %u, too small for %s\n",
179 __func__
, cksumout
->len
, kctx
->gk5e
->name
);
180 return GSS_S_FAILURE
;
183 if (arcfour_hmac_md5_usage_to_salt(usage
, rc4salt
)) {
184 dprintk("%s: invalid usage value %u\n", __func__
, usage
);
185 return GSS_S_FAILURE
;
188 md5
= crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC
);
190 return GSS_S_FAILURE
;
192 hmac_md5
= crypto_alloc_ahash(kctx
->gk5e
->cksum_name
, 0,
194 if (IS_ERR(hmac_md5
)) {
195 crypto_free_ahash(md5
);
196 return GSS_S_FAILURE
;
199 req
= ahash_request_alloc(md5
, GFP_KERNEL
);
201 crypto_free_ahash(hmac_md5
);
202 crypto_free_ahash(md5
);
203 return GSS_S_FAILURE
;
206 ahash_request_set_callback(req
, CRYPTO_TFM_REQ_MAY_SLEEP
, NULL
, NULL
);
208 err
= crypto_ahash_init(req
);
211 sg_init_one(sg
, rc4salt
, 4);
212 ahash_request_set_crypt(req
, sg
, NULL
, 4);
213 err
= crypto_ahash_update(req
);
217 sg_init_one(sg
, header
, hdrlen
);
218 ahash_request_set_crypt(req
, sg
, NULL
, hdrlen
);
219 err
= crypto_ahash_update(req
);
222 err
= xdr_process_buf(body
, body_offset
, body
->len
- body_offset
,
226 ahash_request_set_crypt(req
, NULL
, checksumdata
, 0);
227 err
= crypto_ahash_final(req
);
231 ahash_request_free(req
);
232 req
= ahash_request_alloc(hmac_md5
, GFP_KERNEL
);
234 crypto_free_ahash(hmac_md5
);
235 crypto_free_ahash(md5
);
236 return GSS_S_FAILURE
;
239 ahash_request_set_callback(req
, CRYPTO_TFM_REQ_MAY_SLEEP
, NULL
, NULL
);
241 err
= crypto_ahash_init(req
);
244 err
= crypto_ahash_setkey(hmac_md5
, cksumkey
, kctx
->gk5e
->keylength
);
248 sg_init_one(sg
, checksumdata
, crypto_ahash_digestsize(md5
));
249 ahash_request_set_crypt(req
, sg
, checksumdata
,
250 crypto_ahash_digestsize(md5
));
251 err
= crypto_ahash_digest(req
);
255 memcpy(cksumout
->data
, checksumdata
, kctx
->gk5e
->cksumlength
);
256 cksumout
->len
= kctx
->gk5e
->cksumlength
;
258 ahash_request_free(req
);
259 crypto_free_ahash(md5
);
260 crypto_free_ahash(hmac_md5
);
261 return err
? GSS_S_FAILURE
: 0;
265 * checksum the plaintext data and hdrlen bytes of the token header
266 * The checksum is performed over the first 8 bytes of the
267 * gss token header and then over the data body
270 make_checksum(struct krb5_ctx
*kctx
, char *header
, int hdrlen
,
271 struct xdr_buf
*body
, int body_offset
, u8
*cksumkey
,
272 unsigned int usage
, struct xdr_netobj
*cksumout
)
274 struct crypto_ahash
*tfm
;
275 struct ahash_request
*req
;
276 struct scatterlist sg
[1];
278 u8 checksumdata
[GSS_KRB5_MAX_CKSUM_LEN
];
279 unsigned int checksumlen
;
281 if (kctx
->gk5e
->ctype
== CKSUMTYPE_HMAC_MD5_ARCFOUR
)
282 return make_checksum_hmac_md5(kctx
, header
, hdrlen
,
284 cksumkey
, usage
, cksumout
);
286 if (cksumout
->len
< kctx
->gk5e
->cksumlength
) {
287 dprintk("%s: checksum buffer length, %u, too small for %s\n",
288 __func__
, cksumout
->len
, kctx
->gk5e
->name
);
289 return GSS_S_FAILURE
;
292 tfm
= crypto_alloc_ahash(kctx
->gk5e
->cksum_name
, 0, CRYPTO_ALG_ASYNC
);
294 return GSS_S_FAILURE
;
296 req
= ahash_request_alloc(tfm
, GFP_KERNEL
);
298 crypto_free_ahash(tfm
);
299 return GSS_S_FAILURE
;
302 ahash_request_set_callback(req
, CRYPTO_TFM_REQ_MAY_SLEEP
, NULL
, NULL
);
304 checksumlen
= crypto_ahash_digestsize(tfm
);
306 if (cksumkey
!= NULL
) {
307 err
= crypto_ahash_setkey(tfm
, cksumkey
,
308 kctx
->gk5e
->keylength
);
313 err
= crypto_ahash_init(req
);
316 sg_init_one(sg
, header
, hdrlen
);
317 ahash_request_set_crypt(req
, sg
, NULL
, hdrlen
);
318 err
= crypto_ahash_update(req
);
321 err
= xdr_process_buf(body
, body_offset
, body
->len
- body_offset
,
325 ahash_request_set_crypt(req
, NULL
, checksumdata
, 0);
326 err
= crypto_ahash_final(req
);
330 switch (kctx
->gk5e
->ctype
) {
331 case CKSUMTYPE_RSA_MD5
:
332 err
= kctx
->gk5e
->encrypt(kctx
->seq
, NULL
, checksumdata
,
333 checksumdata
, checksumlen
);
336 memcpy(cksumout
->data
,
337 checksumdata
+ checksumlen
- kctx
->gk5e
->cksumlength
,
338 kctx
->gk5e
->cksumlength
);
340 case CKSUMTYPE_HMAC_SHA1_DES3
:
341 memcpy(cksumout
->data
, checksumdata
, kctx
->gk5e
->cksumlength
);
347 cksumout
->len
= kctx
->gk5e
->cksumlength
;
349 ahash_request_free(req
);
350 crypto_free_ahash(tfm
);
351 return err
? GSS_S_FAILURE
: 0;
355 * checksum the plaintext data and hdrlen bytes of the token header
356 * Per rfc4121, sec. 4.2.4, the checksum is performed over the data
357 * body then over the first 16 octets of the MIC token
358 * Inclusion of the header data in the calculation of the
359 * checksum is optional.
362 make_checksum_v2(struct krb5_ctx
*kctx
, char *header
, int hdrlen
,
363 struct xdr_buf
*body
, int body_offset
, u8
*cksumkey
,
364 unsigned int usage
, struct xdr_netobj
*cksumout
)
366 struct crypto_ahash
*tfm
;
367 struct ahash_request
*req
;
368 struct scatterlist sg
[1];
370 u8 checksumdata
[GSS_KRB5_MAX_CKSUM_LEN
];
371 unsigned int checksumlen
;
373 if (kctx
->gk5e
->keyed_cksum
== 0) {
374 dprintk("%s: expected keyed hash for %s\n",
375 __func__
, kctx
->gk5e
->name
);
376 return GSS_S_FAILURE
;
378 if (cksumkey
== NULL
) {
379 dprintk("%s: no key supplied for %s\n",
380 __func__
, kctx
->gk5e
->name
);
381 return GSS_S_FAILURE
;
384 tfm
= crypto_alloc_ahash(kctx
->gk5e
->cksum_name
, 0, CRYPTO_ALG_ASYNC
);
386 return GSS_S_FAILURE
;
387 checksumlen
= crypto_ahash_digestsize(tfm
);
389 req
= ahash_request_alloc(tfm
, GFP_KERNEL
);
391 crypto_free_ahash(tfm
);
392 return GSS_S_FAILURE
;
395 ahash_request_set_callback(req
, CRYPTO_TFM_REQ_MAY_SLEEP
, NULL
, NULL
);
397 err
= crypto_ahash_setkey(tfm
, cksumkey
, kctx
->gk5e
->keylength
);
401 err
= crypto_ahash_init(req
);
404 err
= xdr_process_buf(body
, body_offset
, body
->len
- body_offset
,
408 if (header
!= NULL
) {
409 sg_init_one(sg
, header
, hdrlen
);
410 ahash_request_set_crypt(req
, sg
, NULL
, hdrlen
);
411 err
= crypto_ahash_update(req
);
415 ahash_request_set_crypt(req
, NULL
, checksumdata
, 0);
416 err
= crypto_ahash_final(req
);
420 cksumout
->len
= kctx
->gk5e
->cksumlength
;
422 switch (kctx
->gk5e
->ctype
) {
423 case CKSUMTYPE_HMAC_SHA1_96_AES128
:
424 case CKSUMTYPE_HMAC_SHA1_96_AES256
:
425 /* note that this truncates the hash */
426 memcpy(cksumout
->data
, checksumdata
, kctx
->gk5e
->cksumlength
);
433 ahash_request_free(req
);
434 crypto_free_ahash(tfm
);
435 return err
? GSS_S_FAILURE
: 0;
438 struct encryptor_desc
{
439 u8 iv
[GSS_KRB5_MAX_BLOCKSIZE
];
440 struct skcipher_request
*req
;
442 struct xdr_buf
*outbuf
;
444 struct scatterlist infrags
[4];
445 struct scatterlist outfrags
[4];
451 encryptor(struct scatterlist
*sg
, void *data
)
453 struct encryptor_desc
*desc
= data
;
454 struct xdr_buf
*outbuf
= desc
->outbuf
;
455 struct crypto_skcipher
*tfm
= crypto_skcipher_reqtfm(desc
->req
);
456 struct page
*in_page
;
457 int thislen
= desc
->fraglen
+ sg
->length
;
461 /* Worst case is 4 fragments: head, end of page 1, start
462 * of page 2, tail. Anything more is a bug. */
463 BUG_ON(desc
->fragno
> 3);
465 page_pos
= desc
->pos
- outbuf
->head
[0].iov_len
;
466 if (page_pos
>= 0 && page_pos
< outbuf
->page_len
) {
467 /* pages are not in place: */
468 int i
= (page_pos
+ outbuf
->page_base
) >> PAGE_CACHE_SHIFT
;
469 in_page
= desc
->pages
[i
];
471 in_page
= sg_page(sg
);
473 sg_set_page(&desc
->infrags
[desc
->fragno
], in_page
, sg
->length
,
475 sg_set_page(&desc
->outfrags
[desc
->fragno
], sg_page(sg
), sg
->length
,
478 desc
->fraglen
+= sg
->length
;
479 desc
->pos
+= sg
->length
;
481 fraglen
= thislen
& (crypto_skcipher_blocksize(tfm
) - 1);
487 sg_mark_end(&desc
->infrags
[desc
->fragno
- 1]);
488 sg_mark_end(&desc
->outfrags
[desc
->fragno
- 1]);
490 skcipher_request_set_crypt(desc
->req
, desc
->infrags
, desc
->outfrags
,
493 ret
= crypto_skcipher_encrypt(desc
->req
);
497 sg_init_table(desc
->infrags
, 4);
498 sg_init_table(desc
->outfrags
, 4);
501 sg_set_page(&desc
->outfrags
[0], sg_page(sg
), fraglen
,
502 sg
->offset
+ sg
->length
- fraglen
);
503 desc
->infrags
[0] = desc
->outfrags
[0];
504 sg_assign_page(&desc
->infrags
[0], in_page
);
506 desc
->fraglen
= fraglen
;
515 gss_encrypt_xdr_buf(struct crypto_skcipher
*tfm
, struct xdr_buf
*buf
,
516 int offset
, struct page
**pages
)
519 struct encryptor_desc desc
;
520 SKCIPHER_REQUEST_ON_STACK(req
, tfm
);
522 BUG_ON((buf
->len
- offset
) % crypto_skcipher_blocksize(tfm
) != 0);
524 skcipher_request_set_tfm(req
, tfm
);
525 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
527 memset(desc
.iv
, 0, sizeof(desc
.iv
));
535 sg_init_table(desc
.infrags
, 4);
536 sg_init_table(desc
.outfrags
, 4);
538 ret
= xdr_process_buf(buf
, offset
, buf
->len
- offset
, encryptor
, &desc
);
539 skcipher_request_zero(req
);
543 struct decryptor_desc
{
544 u8 iv
[GSS_KRB5_MAX_BLOCKSIZE
];
545 struct skcipher_request
*req
;
546 struct scatterlist frags
[4];
552 decryptor(struct scatterlist
*sg
, void *data
)
554 struct decryptor_desc
*desc
= data
;
555 int thislen
= desc
->fraglen
+ sg
->length
;
556 struct crypto_skcipher
*tfm
= crypto_skcipher_reqtfm(desc
->req
);
559 /* Worst case is 4 fragments: head, end of page 1, start
560 * of page 2, tail. Anything more is a bug. */
561 BUG_ON(desc
->fragno
> 3);
562 sg_set_page(&desc
->frags
[desc
->fragno
], sg_page(sg
), sg
->length
,
565 desc
->fraglen
+= sg
->length
;
567 fraglen
= thislen
& (crypto_skcipher_blocksize(tfm
) - 1);
573 sg_mark_end(&desc
->frags
[desc
->fragno
- 1]);
575 skcipher_request_set_crypt(desc
->req
, desc
->frags
, desc
->frags
,
578 ret
= crypto_skcipher_decrypt(desc
->req
);
582 sg_init_table(desc
->frags
, 4);
585 sg_set_page(&desc
->frags
[0], sg_page(sg
), fraglen
,
586 sg
->offset
+ sg
->length
- fraglen
);
588 desc
->fraglen
= fraglen
;
597 gss_decrypt_xdr_buf(struct crypto_skcipher
*tfm
, struct xdr_buf
*buf
,
601 struct decryptor_desc desc
;
602 SKCIPHER_REQUEST_ON_STACK(req
, tfm
);
605 BUG_ON((buf
->len
- offset
) % crypto_skcipher_blocksize(tfm
) != 0);
607 skcipher_request_set_tfm(req
, tfm
);
608 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
610 memset(desc
.iv
, 0, sizeof(desc
.iv
));
615 sg_init_table(desc
.frags
, 4);
617 ret
= xdr_process_buf(buf
, offset
, buf
->len
- offset
, decryptor
, &desc
);
618 skcipher_request_zero(req
);
623 * This function makes the assumption that it was ultimately called
626 * The client auth_gss code moves any existing tail data into a
627 * separate page before calling gss_wrap.
628 * The server svcauth_gss code ensures that both the head and the
629 * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
631 * Even with that guarantee, this function may be called more than
632 * once in the processing of gss_wrap(). The best we can do is
633 * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
634 * largest expected shift will fit within RPC_MAX_AUTH_SIZE.
635 * At run-time we can verify that a single invocation of this
636 * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE.
640 xdr_extend_head(struct xdr_buf
*buf
, unsigned int base
, unsigned int shiftlen
)
647 BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED
> RPC_MAX_AUTH_SIZE
);
648 BUG_ON(shiftlen
> RPC_MAX_AUTH_SIZE
);
650 p
= buf
->head
[0].iov_base
+ base
;
652 memmove(p
+ shiftlen
, p
, buf
->head
[0].iov_len
- base
);
654 buf
->head
[0].iov_len
+= shiftlen
;
655 buf
->len
+= shiftlen
;
661 gss_krb5_cts_crypt(struct crypto_skcipher
*cipher
, struct xdr_buf
*buf
,
662 u32 offset
, u8
*iv
, struct page
**pages
, int encrypt
)
665 struct scatterlist sg
[1];
666 SKCIPHER_REQUEST_ON_STACK(req
, cipher
);
667 u8 data
[GSS_KRB5_MAX_BLOCKSIZE
* 2];
668 struct page
**save_pages
;
669 u32 len
= buf
->len
- offset
;
671 if (len
> ARRAY_SIZE(data
)) {
677 * For encryption, we want to read from the cleartext
678 * page cache pages, and write the encrypted data to
679 * the supplied xdr_buf pages.
681 save_pages
= buf
->pages
;
685 ret
= read_bytes_from_xdr_buf(buf
, offset
, data
, len
);
686 buf
->pages
= save_pages
;
690 sg_init_one(sg
, data
, len
);
692 skcipher_request_set_tfm(req
, cipher
);
693 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
694 skcipher_request_set_crypt(req
, sg
, sg
, len
, iv
);
697 ret
= crypto_skcipher_encrypt(req
);
699 ret
= crypto_skcipher_decrypt(req
);
701 skcipher_request_zero(req
);
706 ret
= write_bytes_to_xdr_buf(buf
, offset
, data
, len
);
713 gss_krb5_aes_encrypt(struct krb5_ctx
*kctx
, u32 offset
,
714 struct xdr_buf
*buf
, struct page
**pages
)
717 struct xdr_netobj hmac
;
720 struct crypto_skcipher
*cipher
, *aux_cipher
;
722 struct page
**save_pages
;
724 struct encryptor_desc desc
;
728 if (kctx
->initiate
) {
729 cipher
= kctx
->initiator_enc
;
730 aux_cipher
= kctx
->initiator_enc_aux
;
731 cksumkey
= kctx
->initiator_integ
;
732 usage
= KG_USAGE_INITIATOR_SEAL
;
734 cipher
= kctx
->acceptor_enc
;
735 aux_cipher
= kctx
->acceptor_enc_aux
;
736 cksumkey
= kctx
->acceptor_integ
;
737 usage
= KG_USAGE_ACCEPTOR_SEAL
;
739 blocksize
= crypto_skcipher_blocksize(cipher
);
741 /* hide the gss token header and insert the confounder */
742 offset
+= GSS_KRB5_TOK_HDR_LEN
;
743 if (xdr_extend_head(buf
, offset
, kctx
->gk5e
->conflen
))
744 return GSS_S_FAILURE
;
745 gss_krb5_make_confounder(buf
->head
[0].iov_base
+ offset
, kctx
->gk5e
->conflen
);
746 offset
-= GSS_KRB5_TOK_HDR_LEN
;
748 if (buf
->tail
[0].iov_base
!= NULL
) {
749 ecptr
= buf
->tail
[0].iov_base
+ buf
->tail
[0].iov_len
;
751 buf
->tail
[0].iov_base
= buf
->head
[0].iov_base
752 + buf
->head
[0].iov_len
;
753 buf
->tail
[0].iov_len
= 0;
754 ecptr
= buf
->tail
[0].iov_base
;
757 /* copy plaintext gss token header after filler (if any) */
758 memcpy(ecptr
, buf
->head
[0].iov_base
+ offset
, GSS_KRB5_TOK_HDR_LEN
);
759 buf
->tail
[0].iov_len
+= GSS_KRB5_TOK_HDR_LEN
;
760 buf
->len
+= GSS_KRB5_TOK_HDR_LEN
;
763 hmac
.len
= GSS_KRB5_MAX_CKSUM_LEN
;
764 hmac
.data
= buf
->tail
[0].iov_base
+ buf
->tail
[0].iov_len
;
767 * When we are called, pages points to the real page cache
768 * data -- which we can't go and encrypt! buf->pages points
769 * to scratch pages which we are going to send off to the
770 * client/server. Swap in the plaintext pages to calculate
773 save_pages
= buf
->pages
;
776 err
= make_checksum_v2(kctx
, NULL
, 0, buf
,
777 offset
+ GSS_KRB5_TOK_HDR_LEN
,
778 cksumkey
, usage
, &hmac
);
779 buf
->pages
= save_pages
;
781 return GSS_S_FAILURE
;
783 nbytes
= buf
->len
- offset
- GSS_KRB5_TOK_HDR_LEN
;
784 nblocks
= (nbytes
+ blocksize
- 1) / blocksize
;
787 cbcbytes
= (nblocks
- 2) * blocksize
;
789 memset(desc
.iv
, 0, sizeof(desc
.iv
));
792 SKCIPHER_REQUEST_ON_STACK(req
, aux_cipher
);
794 desc
.pos
= offset
+ GSS_KRB5_TOK_HDR_LEN
;
801 skcipher_request_set_tfm(req
, aux_cipher
);
802 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
804 sg_init_table(desc
.infrags
, 4);
805 sg_init_table(desc
.outfrags
, 4);
807 err
= xdr_process_buf(buf
, offset
+ GSS_KRB5_TOK_HDR_LEN
,
808 cbcbytes
, encryptor
, &desc
);
809 skcipher_request_zero(req
);
814 /* Make sure IV carries forward from any CBC results. */
815 err
= gss_krb5_cts_crypt(cipher
, buf
,
816 offset
+ GSS_KRB5_TOK_HDR_LEN
+ cbcbytes
,
823 /* Now update buf to account for HMAC */
824 buf
->tail
[0].iov_len
+= kctx
->gk5e
->cksumlength
;
825 buf
->len
+= kctx
->gk5e
->cksumlength
;
834 gss_krb5_aes_decrypt(struct krb5_ctx
*kctx
, u32 offset
, struct xdr_buf
*buf
,
835 u32
*headskip
, u32
*tailskip
)
837 struct xdr_buf subbuf
;
840 struct crypto_skcipher
*cipher
, *aux_cipher
;
841 struct xdr_netobj our_hmac_obj
;
842 u8 our_hmac
[GSS_KRB5_MAX_CKSUM_LEN
];
843 u8 pkt_hmac
[GSS_KRB5_MAX_CKSUM_LEN
];
844 int nblocks
, blocksize
, cbcbytes
;
845 struct decryptor_desc desc
;
848 if (kctx
->initiate
) {
849 cipher
= kctx
->acceptor_enc
;
850 aux_cipher
= kctx
->acceptor_enc_aux
;
851 cksum_key
= kctx
->acceptor_integ
;
852 usage
= KG_USAGE_ACCEPTOR_SEAL
;
854 cipher
= kctx
->initiator_enc
;
855 aux_cipher
= kctx
->initiator_enc_aux
;
856 cksum_key
= kctx
->initiator_integ
;
857 usage
= KG_USAGE_INITIATOR_SEAL
;
859 blocksize
= crypto_skcipher_blocksize(cipher
);
862 /* create a segment skipping the header and leaving out the checksum */
863 xdr_buf_subsegment(buf
, &subbuf
, offset
+ GSS_KRB5_TOK_HDR_LEN
,
864 (buf
->len
- offset
- GSS_KRB5_TOK_HDR_LEN
-
865 kctx
->gk5e
->cksumlength
));
867 nblocks
= (subbuf
.len
+ blocksize
- 1) / blocksize
;
871 cbcbytes
= (nblocks
- 2) * blocksize
;
873 memset(desc
.iv
, 0, sizeof(desc
.iv
));
876 SKCIPHER_REQUEST_ON_STACK(req
, aux_cipher
);
882 skcipher_request_set_tfm(req
, aux_cipher
);
883 skcipher_request_set_callback(req
, 0, NULL
, NULL
);
885 sg_init_table(desc
.frags
, 4);
887 ret
= xdr_process_buf(&subbuf
, 0, cbcbytes
, decryptor
, &desc
);
888 skcipher_request_zero(req
);
893 /* Make sure IV carries forward from any CBC results. */
894 ret
= gss_krb5_cts_crypt(cipher
, &subbuf
, cbcbytes
, desc
.iv
, NULL
, 0);
899 /* Calculate our hmac over the plaintext data */
900 our_hmac_obj
.len
= sizeof(our_hmac
);
901 our_hmac_obj
.data
= our_hmac
;
903 ret
= make_checksum_v2(kctx
, NULL
, 0, &subbuf
, 0,
904 cksum_key
, usage
, &our_hmac_obj
);
908 /* Get the packet's hmac value */
909 ret
= read_bytes_from_xdr_buf(buf
, buf
->len
- kctx
->gk5e
->cksumlength
,
910 pkt_hmac
, kctx
->gk5e
->cksumlength
);
914 if (memcmp(pkt_hmac
, our_hmac
, kctx
->gk5e
->cksumlength
) != 0) {
918 *headskip
= kctx
->gk5e
->conflen
;
919 *tailskip
= kctx
->gk5e
->cksumlength
;
921 if (ret
&& ret
!= GSS_S_BAD_SIG
)
927 * Compute Kseq given the initial session key and the checksum.
928 * Set the key of the given cipher.
931 krb5_rc4_setup_seq_key(struct krb5_ctx
*kctx
, struct crypto_skcipher
*cipher
,
932 unsigned char *cksum
)
934 struct crypto_shash
*hmac
;
935 struct shash_desc
*desc
;
936 u8 Kseq
[GSS_KRB5_MAX_KEYLEN
];
937 u32 zeroconstant
= 0;
940 dprintk("%s: entered\n", __func__
);
942 hmac
= crypto_alloc_shash(kctx
->gk5e
->cksum_name
, 0, 0);
944 dprintk("%s: error %ld, allocating hash '%s'\n",
945 __func__
, PTR_ERR(hmac
), kctx
->gk5e
->cksum_name
);
946 return PTR_ERR(hmac
);
949 desc
= kmalloc(sizeof(*desc
), GFP_KERNEL
);
951 dprintk("%s: failed to allocate shash descriptor for '%s'\n",
952 __func__
, kctx
->gk5e
->cksum_name
);
953 crypto_free_shash(hmac
);
960 /* Compute intermediate Kseq from session key */
961 err
= crypto_shash_setkey(hmac
, kctx
->Ksess
, kctx
->gk5e
->keylength
);
965 err
= crypto_shash_digest(desc
, (u8
*)&zeroconstant
, 4, Kseq
);
969 /* Compute final Kseq from the checksum and intermediate Kseq */
970 err
= crypto_shash_setkey(hmac
, Kseq
, kctx
->gk5e
->keylength
);
974 err
= crypto_shash_digest(desc
, cksum
, 8, Kseq
);
978 err
= crypto_skcipher_setkey(cipher
, Kseq
, kctx
->gk5e
->keylength
);
986 crypto_free_shash(hmac
);
987 dprintk("%s: returning %d\n", __func__
, err
);
992 * Compute Kcrypt given the initial session key and the plaintext seqnum.
993 * Set the key of cipher kctx->enc.
996 krb5_rc4_setup_enc_key(struct krb5_ctx
*kctx
, struct crypto_skcipher
*cipher
,
999 struct crypto_shash
*hmac
;
1000 struct shash_desc
*desc
;
1001 u8 Kcrypt
[GSS_KRB5_MAX_KEYLEN
];
1002 u8 zeroconstant
[4] = {0};
1006 dprintk("%s: entered, seqnum %u\n", __func__
, seqnum
);
1008 hmac
= crypto_alloc_shash(kctx
->gk5e
->cksum_name
, 0, 0);
1010 dprintk("%s: error %ld, allocating hash '%s'\n",
1011 __func__
, PTR_ERR(hmac
), kctx
->gk5e
->cksum_name
);
1012 return PTR_ERR(hmac
);
1015 desc
= kmalloc(sizeof(*desc
), GFP_KERNEL
);
1017 dprintk("%s: failed to allocate shash descriptor for '%s'\n",
1018 __func__
, kctx
->gk5e
->cksum_name
);
1019 crypto_free_shash(hmac
);
1026 /* Compute intermediate Kcrypt from session key */
1027 for (i
= 0; i
< kctx
->gk5e
->keylength
; i
++)
1028 Kcrypt
[i
] = kctx
->Ksess
[i
] ^ 0xf0;
1030 err
= crypto_shash_setkey(hmac
, Kcrypt
, kctx
->gk5e
->keylength
);
1034 err
= crypto_shash_digest(desc
, zeroconstant
, 4, Kcrypt
);
1038 /* Compute final Kcrypt from the seqnum and intermediate Kcrypt */
1039 err
= crypto_shash_setkey(hmac
, Kcrypt
, kctx
->gk5e
->keylength
);
1043 seqnumarray
[0] = (unsigned char) ((seqnum
>> 24) & 0xff);
1044 seqnumarray
[1] = (unsigned char) ((seqnum
>> 16) & 0xff);
1045 seqnumarray
[2] = (unsigned char) ((seqnum
>> 8) & 0xff);
1046 seqnumarray
[3] = (unsigned char) ((seqnum
>> 0) & 0xff);
1048 err
= crypto_shash_digest(desc
, seqnumarray
, 4, Kcrypt
);
1052 err
= crypto_skcipher_setkey(cipher
, Kcrypt
, kctx
->gk5e
->keylength
);
1060 crypto_free_shash(hmac
);
1061 dprintk("%s: returning %d\n", __func__
, err
);