/* * linux/net/sunrpc/gss_krb5_crypto.c * * Copyright (c) 2000-2008 The Regents of the University of Michigan. * All rights reserved. * * Andy Adamson <[email protected]> * Bruce Fields <[email protected]> */ /* * Copyright (C) 1998 by the FundsXpress, INC. * * All rights reserved. * * Export of this software from the United States of America may require * a specific license from the United States Government. It is the * responsibility of any person or organization contemplating export to * obtain such a license before exporting. * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright * notice appear in all copies and that both that copyright notice and * this permission notice appear in supporting documentation, and that * the name of FundsXpress. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #include <crypto/hash.h> #include <crypto/skcipher.h> #include <crypto/utils.h> #include <linux/err.h> #include <linux/types.h> #include <linux/mm.h> #include <linux/scatterlist.h> #include <linux/highmem.h> #include <linux/pagemap.h> #include <linux/random.h> #include <linux/sunrpc/gss_krb5.h> #include <linux/sunrpc/xdr.h> #include <kunit/visibility.h> #include "gss_krb5_internal.h" #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) #define RPCDBG_FACILITY … #endif /** * krb5_make_confounder - Generate a confounder string * @p: memory location into which to write the string * @conflen: string length to write, in octets * * RFCs 1964 and 3961 mention only "a random confounder" without going * into detail about its function or cryptographic requirements. The * assumed purpose is to prevent repeated encryption of a plaintext with * the same key from generating the same ciphertext. It is also used to * pad minimum plaintext length to at least a single cipher block. * * However, in situations like the GSS Kerberos 5 mechanism, where the * encryption IV is always all zeroes, the confounder also effectively * functions like an IV. Thus, not only must it be unique from message * to message, but it must also be difficult to predict. Otherwise an * attacker can correlate the confounder to previous or future values, * making the encryption easier to break. * * Given that the primary consumer of this encryption mechanism is a * network storage protocol, a type of traffic that often carries * predictable payloads (eg, all zeroes when reading unallocated blocks * from a file), our confounder generation has to be cryptographically * strong. */ void krb5_make_confounder(u8 *p, int conflen) { … } /** * krb5_encrypt - simple encryption of an RPCSEC GSS payload * @tfm: initialized cipher transform * @iv: pointer to an IV * @in: plaintext to encrypt * @out: OUT: ciphertext * @length: length of input and output buffers, in bytes * * @iv may be NULL to force the use of an all-zero IV. * The buffer containing the IV must be as large as the * cipher's ivsize. * * Return values: * %0: @in successfully encrypted into @out * negative errno: @in not encrypted */ u32 krb5_encrypt( struct crypto_sync_skcipher *tfm, void * iv, void * in, void * out, int length) { … } /** * krb5_decrypt - simple decryption of an RPCSEC GSS payload * @tfm: initialized cipher transform * @iv: pointer to an IV * @in: ciphertext to decrypt * @out: OUT: plaintext * @length: length of input and output buffers, in bytes * * @iv may be NULL to force the use of an all-zero IV. * The buffer containing the IV must be as large as the * cipher's ivsize. * * Return values: * %0: @in successfully decrypted into @out * negative errno: @in not decrypted */ u32 krb5_decrypt( struct crypto_sync_skcipher *tfm, void * iv, void * in, void * out, int length) { … } static int checksummer(struct scatterlist *sg, void *data) { … } /* * checksum the plaintext data and hdrlen bytes of the token header * The checksum is performed over the first 8 bytes of the * gss token header and then over the data body */ u32 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, struct xdr_buf *body, int body_offset, u8 *cksumkey, unsigned int usage, struct xdr_netobj *cksumout) { … } /** * gss_krb5_checksum - Compute the MAC for a GSS Wrap or MIC token * @tfm: an initialized hash transform * @header: pointer to a buffer containing the token header, or NULL * @hdrlen: number of octets in @header * @body: xdr_buf containing an RPC message (body.len is the message length) * @body_offset: byte offset into @body to start checksumming * @cksumout: OUT: a buffer to be filled in with the computed HMAC * * Usually expressed as H = HMAC(K, message)[1..h] . * * Caller provides the truncation length of the output token (h) in * cksumout.len. * * Return values: * %GSS_S_COMPLETE: Digest computed, @cksumout filled in * %GSS_S_FAILURE: Call failed */ u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen, const struct xdr_buf *body, int body_offset, struct xdr_netobj *cksumout) { … } EXPORT_SYMBOL_IF_KUNIT(…); struct encryptor_desc { … }; static int encryptor(struct scatterlist *sg, void *data) { … } int gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf, int offset, struct page **pages) { … } struct decryptor_desc { … }; static int decryptor(struct scatterlist *sg, void *data) { … } int gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf, int offset) { … } /* * This function makes the assumption that it was ultimately called * from gss_wrap(). * * The client auth_gss code moves any existing tail data into a * separate page before calling gss_wrap. * The server svcauth_gss code ensures that both the head and the * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap. * * Even with that guarantee, this function may be called more than * once in the processing of gss_wrap(). The best we can do is * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the * largest expected shift will fit within RPC_MAX_AUTH_SIZE. * At run-time we can verify that a single invocation of this * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE. */ int xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen) { … } static u32 gss_krb5_cts_crypt(struct crypto_sync_skcipher *cipher, struct xdr_buf *buf, u32 offset, u8 *iv, struct page **pages, int encrypt) { … } /** * krb5_cbc_cts_encrypt - encrypt in CBC mode with CTS * @cts_tfm: CBC cipher with CTS * @cbc_tfm: base CBC cipher * @offset: starting byte offset for plaintext * @buf: OUT: output buffer * @pages: plaintext * @iv: output CBC initialization vector, or NULL * @ivsize: size of @iv, in octets * * To provide confidentiality, encrypt using cipher block chaining * with ciphertext stealing. Message integrity is handled separately. * * Return values: * %0: encryption successful * negative errno: encryption could not be completed */ VISIBLE_IF_KUNIT int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm, struct crypto_sync_skcipher *cbc_tfm, u32 offset, struct xdr_buf *buf, struct page **pages, u8 *iv, unsigned int ivsize) { … } EXPORT_SYMBOL_IF_KUNIT(…); /** * krb5_cbc_cts_decrypt - decrypt in CBC mode with CTS * @cts_tfm: CBC cipher with CTS * @cbc_tfm: base CBC cipher * @offset: starting byte offset for plaintext * @buf: OUT: output buffer * * Return values: * %0: decryption successful * negative errno: decryption could not be completed */ VISIBLE_IF_KUNIT int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm, struct crypto_sync_skcipher *cbc_tfm, u32 offset, struct xdr_buf *buf) { … } EXPORT_SYMBOL_IF_KUNIT(…); u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, struct page **pages) { … } u32 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, struct xdr_buf *buf, u32 *headskip, u32 *tailskip) { … } /** * krb5_etm_checksum - Compute a MAC for a GSS Wrap token * @cipher: an initialized cipher transform * @tfm: an initialized hash transform * @body: xdr_buf containing an RPC message (body.len is the message length) * @body_offset: byte offset into @body to start checksumming * @cksumout: OUT: a buffer to be filled in with the computed HMAC * * Usually expressed as H = HMAC(K, IV | ciphertext)[1..h] . * * Caller provides the truncation length of the output token (h) in * cksumout.len. * * Return values: * %GSS_S_COMPLETE: Digest computed, @cksumout filled in * %GSS_S_FAILURE: Call failed */ VISIBLE_IF_KUNIT u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher, struct crypto_ahash *tfm, const struct xdr_buf *body, int body_offset, struct xdr_netobj *cksumout) { … } EXPORT_SYMBOL_IF_KUNIT(…); /** * krb5_etm_encrypt - Encrypt using the RFC 8009 rules * @kctx: Kerberos context * @offset: starting offset of the payload, in bytes * @buf: OUT: send buffer to contain the encrypted payload * @pages: plaintext payload * * The main difference with aes_encrypt is that "The HMAC is * calculated over the cipher state concatenated with the AES * output, instead of being calculated over the confounder and * plaintext. This allows the message receiver to verify the * integrity of the message before decrypting the message." * * RFC 8009 Section 5: * * encryption function: as follows, where E() is AES encryption in * CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or * 192 bits as described above). * * N = random value of length 128 bits (the AES block size) * IV = cipher state * C = E(Ke, N | plaintext, IV) * H = HMAC(Ki, IV | C) * ciphertext = C | H[1..h] * * This encryption formula provides AEAD EtM with key separation. * * Return values: * %GSS_S_COMPLETE: Encryption successful * %GSS_S_FAILURE: Encryption failed */ u32 krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, struct page **pages) { … } /** * krb5_etm_decrypt - Decrypt using the RFC 8009 rules * @kctx: Kerberos context * @offset: starting offset of the ciphertext, in bytes * @len: * @buf: * @headskip: OUT: the enctype's confounder length, in octets * @tailskip: OUT: the enctype's HMAC length, in octets * * RFC 8009 Section 5: * * decryption function: as follows, where D() is AES decryption in * CBC-CS3 mode, and h is the size of truncated HMAC. * * (C, H) = ciphertext * (Note: H is the last h bits of the ciphertext.) * IV = cipher state * if H != HMAC(Ki, IV | C)[1..h] * stop, report error * (N, P) = D(Ke, C, IV) * * Return values: * %GSS_S_COMPLETE: Decryption successful * %GSS_S_BAD_SIG: computed HMAC != received HMAC * %GSS_S_FAILURE: Decryption failed */ u32 krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, struct xdr_buf *buf, u32 *headskip, u32 *tailskip) { … }
Codebase Browser
linux