net/sunrpc/auth_gss/gss_krb5_internal.h at v6.5-rc2

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / sunrpc / auth_gss / gss_krb5_internal.h
at v6.5-rc2 232 lines 8.3 kB view raw
wrap content
  1/* SPDX-License-Identifier: GPL-2.0 or BSD-3-Clause */
  2/*
  3 * SunRPC GSS Kerberos 5 mechanism internal definitions
  4 *
  5 * Copyright (c) 2022 Oracle and/or its affiliates.
  6 */
  7
  8#ifndef _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H
  9#define _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H
 10
 11/*
 12 * The RFCs often specify payload lengths in bits. This helper
 13 * converts a specified bit-length to the number of octets/bytes.
 14 */
 15#define BITS2OCTETS(x)	((x) / 8)
 16
 17struct krb5_ctx;
 18
 19struct gss_krb5_enctype {
 20	const u32		etype;		/* encryption (key) type */
 21	const u32		ctype;		/* checksum type */
 22	const char		*name;		/* "friendly" name */
 23	const char		*encrypt_name;	/* crypto encrypt name */
 24	const char		*aux_cipher;	/* aux encrypt cipher name */
 25	const char		*cksum_name;	/* crypto checksum name */
 26	const u16		signalg;	/* signing algorithm */
 27	const u16		sealalg;	/* sealing algorithm */
 28	const u32		cksumlength;	/* checksum length */
 29	const u32		keyed_cksum;	/* is it a keyed cksum? */
 30	const u32		keybytes;	/* raw key len, in bytes */
 31	const u32		keylength;	/* protocol key length, in octets */
 32	const u32		Kc_length;	/* checksum subkey length, in octets */
 33	const u32		Ke_length;	/* encryption subkey length, in octets */
 34	const u32		Ki_length;	/* integrity subkey length, in octets */
 35
 36	int (*import_ctx)(struct krb5_ctx *ctx, gfp_t gfp_mask);
 37	int (*derive_key)(const struct gss_krb5_enctype *gk5e,
 38			  const struct xdr_netobj *in,
 39			  struct xdr_netobj *out,
 40			  const struct xdr_netobj *label,
 41			  gfp_t gfp_mask);
 42	u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset,
 43		       struct xdr_buf *buf, struct page **pages);
 44	u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len,
 45		       struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
 46	u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text,
 47		       struct xdr_netobj *token);
 48	u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer,
 49			  struct xdr_netobj *read_token);
 50	u32 (*wrap)(struct krb5_ctx *kctx, int offset,
 51		    struct xdr_buf *buf, struct page **pages);
 52	u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len,
 53		      struct xdr_buf *buf, unsigned int *slack,
 54		      unsigned int *align);
 55};
 56
 57/* krb5_ctx flags definitions */
 58#define KRB5_CTX_FLAG_INITIATOR         0x00000001
 59#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
 60
 61struct krb5_ctx {
 62	int			initiate; /* 1 = initiating, 0 = accepting */
 63	u32			enctype;
 64	u32			flags;
 65	const struct gss_krb5_enctype *gk5e; /* enctype-specific info */
 66	struct crypto_sync_skcipher *enc;
 67	struct crypto_sync_skcipher *seq;
 68	struct crypto_sync_skcipher *acceptor_enc;
 69	struct crypto_sync_skcipher *initiator_enc;
 70	struct crypto_sync_skcipher *acceptor_enc_aux;
 71	struct crypto_sync_skcipher *initiator_enc_aux;
 72	struct crypto_ahash	*acceptor_sign;
 73	struct crypto_ahash	*initiator_sign;
 74	struct crypto_ahash	*initiator_integ;
 75	struct crypto_ahash	*acceptor_integ;
 76	u8			Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
 77	u8			cksum[GSS_KRB5_MAX_KEYLEN];
 78	atomic_t		seq_send;
 79	atomic64_t		seq_send64;
 80	time64_t		endtime;
 81	struct xdr_netobj	mech_used;
 82};
 83
 84/*
 85 * GSS Kerberos 5 mechanism Per-Message calls.
 86 */
 87
 88u32 gss_krb5_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text,
 89			struct xdr_netobj *token);
 90u32 gss_krb5_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
 91			struct xdr_netobj *token);
 92
 93u32 gss_krb5_verify_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
 94			   struct xdr_netobj *read_token);
 95u32 gss_krb5_verify_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *message_buffer,
 96			   struct xdr_netobj *read_token);
 97
 98u32 gss_krb5_wrap_v1(struct krb5_ctx *kctx, int offset,
 99		     struct xdr_buf *buf, struct page **pages);
100u32 gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset,
101		     struct xdr_buf *buf, struct page **pages);
102
103u32 gss_krb5_unwrap_v1(struct krb5_ctx *kctx, int offset, int len,
104		       struct xdr_buf *buf, unsigned int *slack,
105		       unsigned int *align);
106u32 gss_krb5_unwrap_v2(struct krb5_ctx *kctx, int offset, int len,
107		       struct xdr_buf *buf, unsigned int *slack,
108		       unsigned int *align);
109
110/*
111 * Implementation internal functions
112 */
113
114/* Key Derivation Functions */
115
116int krb5_derive_key_v1(const struct gss_krb5_enctype *gk5e,
117		       const struct xdr_netobj *inkey,
118		       struct xdr_netobj *outkey,
119		       const struct xdr_netobj *label,
120		       gfp_t gfp_mask);
121
122int krb5_derive_key_v2(const struct gss_krb5_enctype *gk5e,
123		       const struct xdr_netobj *inkey,
124		       struct xdr_netobj *outkey,
125		       const struct xdr_netobj *label,
126		       gfp_t gfp_mask);
127
128int krb5_kdf_hmac_sha2(const struct gss_krb5_enctype *gk5e,
129		       const struct xdr_netobj *inkey,
130		       struct xdr_netobj *outkey,
131		       const struct xdr_netobj *in_constant,
132		       gfp_t gfp_mask);
133
134int krb5_kdf_feedback_cmac(const struct gss_krb5_enctype *gk5e,
135			   const struct xdr_netobj *inkey,
136			   struct xdr_netobj *outkey,
137			   const struct xdr_netobj *in_constant,
138			   gfp_t gfp_mask);
139
140/**
141 * krb5_derive_key - Derive a subkey from a protocol key
142 * @kctx: Kerberos 5 context
143 * @inkey: base protocol key
144 * @outkey: OUT: derived key
145 * @usage: key usage value
146 * @seed: key usage seed (one octet)
147 * @gfp_mask: memory allocation control flags
148 *
149 * Caller sets @outkey->len to the desired length of the derived key.
150 *
151 * On success, returns 0 and fills in @outkey. A negative errno value
152 * is returned on failure.
153 */
154static inline int krb5_derive_key(struct krb5_ctx *kctx,
155				  const struct xdr_netobj *inkey,
156				  struct xdr_netobj *outkey,
157				  u32 usage, u8 seed, gfp_t gfp_mask)
158{
159	const struct gss_krb5_enctype *gk5e = kctx->gk5e;
160	u8 label_data[GSS_KRB5_K5CLENGTH];
161	struct xdr_netobj label = {
162		.len	= sizeof(label_data),
163		.data	= label_data,
164	};
165	__be32 *p = (__be32 *)label_data;
166
167	*p = cpu_to_be32(usage);
168	label_data[4] = seed;
169	return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask);
170}
171
172s32 krb5_make_seq_num(struct krb5_ctx *kctx, struct crypto_sync_skcipher *key,
173		      int direction, u32 seqnum, unsigned char *cksum,
174		      unsigned char *buf);
175
176s32 krb5_get_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
177		     unsigned char *buf, int *direction, u32 *seqnum);
178
179void krb5_make_confounder(u8 *p, int conflen);
180
181u32 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
182		  struct xdr_buf *body, int body_offset, u8 *cksumkey,
183		  unsigned int usage, struct xdr_netobj *cksumout);
184
185u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen,
186		      const struct xdr_buf *body, int body_offset,
187		      struct xdr_netobj *cksumout);
188
189u32 krb5_encrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
190		 void *out, int length);
191
192u32 krb5_decrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
193		 void *out, int length);
194
195int xdr_extend_head(struct xdr_buf *buf, unsigned int base,
196		    unsigned int shiftlen);
197
198int gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm,
199			struct xdr_buf *outbuf, int offset,
200			struct page **pages);
201
202int gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm,
203			struct xdr_buf *inbuf, int offset);
204
205u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
206			 struct xdr_buf *buf, struct page **pages);
207
208u32 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
209			 struct xdr_buf *buf, u32 *plainoffset, u32 *plainlen);
210
211u32 krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
212		     struct page **pages);
213
214u32 krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
215		     struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
216
217#if IS_ENABLED(CONFIG_KUNIT)
218void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out);
219const struct gss_krb5_enctype *gss_krb5_lookup_enctype(u32 etype);
220int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
221			 struct crypto_sync_skcipher *cbc_tfm, u32 offset,
222			 struct xdr_buf *buf, struct page **pages,
223			 u8 *iv, unsigned int ivsize);
224int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
225			 struct crypto_sync_skcipher *cbc_tfm,
226			 u32 offset, struct xdr_buf *buf);
227u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
228		      struct crypto_ahash *tfm, const struct xdr_buf *body,
229		      int body_offset, struct xdr_netobj *cksumout);
230#endif
231
232#endif /* _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H */
Configure Feed

Configure Feed
