tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

crypto/krb5: Implement the AES enctypes from rfc8009

Implement the aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192
enctypes from rfc8009, overriding the rfc3961 kerberos 5 simplified crypto
scheme.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Chuck Lever <chuck.lever@oracle.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: linux-nfs@vger.kernel.org
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org

David Howells 6c3c0e86 7c164b66

+378 -1
+2
crypto/krb5/Kconfig
··· 7 7 select CRYPTO_HASH_INFO 8 8 select CRYPTO_HMAC 9 9 select CRYPTO_SHA1 10 + select CRYPTO_SHA256 11 + select CRYPTO_SHA512 10 12 select CRYPTO_CBC 11 13 select CRYPTO_CTS 12 14 select CRYPTO_AES
+2 -1
crypto/krb5/Makefile
··· 7 7 krb5_kdf.o \ 8 8 krb5_api.o \ 9 9 rfc3961_simplified.o \ 10 - rfc3962_aes.o 10 + rfc3962_aes.o \ 11 + rfc8009_aes2.o 11 12 12 13 obj-$(CONFIG_CRYPTO_KRB5) += krb5.o
+6
crypto/krb5/internal.h
··· 185 185 */ 186 186 extern const struct krb5_enctype krb5_aes128_cts_hmac_sha1_96; 187 187 extern const struct krb5_enctype krb5_aes256_cts_hmac_sha1_96; 188 + 189 + /* 190 + * rfc8009_aes2.c 191 + */ 192 + extern const struct krb5_enctype krb5_aes128_cts_hmac_sha256_128; 193 + extern const struct krb5_enctype krb5_aes256_cts_hmac_sha384_192;
+2
crypto/krb5/krb5_api.c
··· 19 19 static const struct krb5_enctype *const krb5_supported_enctypes[] = { 20 20 &krb5_aes128_cts_hmac_sha1_96, 21 21 &krb5_aes256_cts_hmac_sha1_96, 22 + &krb5_aes128_cts_hmac_sha256_128, 23 + &krb5_aes256_cts_hmac_sha384_192, 22 24 }; 23 25 24 26 /**
+362
crypto/krb5/rfc8009_aes2.c
··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* rfc8009 AES Encryption with HMAC-SHA2 for Kerberos 5 3 + * 4 + * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved. 5 + * Written by David Howells (dhowells@redhat.com) 6 + */ 7 + 8 + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 9 + 10 + #include <linux/slab.h> 11 + #include <crypto/authenc.h> 12 + #include "internal.h" 13 + 14 + static const struct krb5_buffer rfc8009_no_context = { .len = 0, .data = "" }; 15 + 16 + /* 17 + * Calculate the key derivation function KDF-HMAC-SHA2(key, label, [context,] k) 18 + * 19 + * KDF-HMAC-SHA2(key, label, [context,] k) = k-truncate(K1) 20 + * 21 + * Using the appropriate one of: 22 + * K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k) 23 + * K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | k) 24 + * K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | context | k) 25 + * K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | context | k) 26 + * [rfc8009 sec 3] 27 + */ 28 + static int rfc8009_calc_KDF_HMAC_SHA2(const struct krb5_enctype *krb5, 29 + const struct krb5_buffer *key, 30 + const struct krb5_buffer *label, 31 + const struct krb5_buffer *context, 32 + unsigned int k, 33 + struct krb5_buffer *result, 34 + gfp_t gfp) 35 + { 36 + struct crypto_shash *shash; 37 + struct krb5_buffer K1, data; 38 + struct shash_desc *desc; 39 + __be32 tmp; 40 + size_t bsize; 41 + void *buffer; 42 + u8 *p; 43 + int ret = -ENOMEM; 44 + 45 + if (WARN_ON(result->len != k / 8)) 46 + return -EINVAL; 47 + 48 + shash = crypto_alloc_shash(krb5->cksum_name, 0, 0); 49 + if (IS_ERR(shash)) 50 + return (PTR_ERR(shash) == -ENOENT) ? -ENOPKG : PTR_ERR(shash); 51 + ret = crypto_shash_setkey(shash, key->data, key->len); 52 + if (ret < 0) 53 + goto error_shash; 54 + 55 + ret = -EINVAL; 56 + if (WARN_ON(crypto_shash_digestsize(shash) * 8 < k)) 57 + goto error_shash; 58 + 59 + ret = -ENOMEM; 60 + data.len = 4 + label->len + 1 + context->len + 4; 61 + bsize = krb5_shash_size(shash) + 62 + krb5_digest_size(shash) + 63 + crypto_roundup(data.len); 64 + buffer = kzalloc(bsize, GFP_NOFS); 65 + if (!buffer) 66 + goto error_shash; 67 + 68 + desc = buffer; 69 + desc->tfm = shash; 70 + ret = crypto_shash_init(desc); 71 + if (ret < 0) 72 + goto error; 73 + 74 + p = data.data = buffer + 75 + krb5_shash_size(shash) + 76 + krb5_digest_size(shash); 77 + *(__be32 *)p = htonl(0x00000001); 78 + p += 4; 79 + memcpy(p, label->data, label->len); 80 + p += label->len; 81 + *p++ = 0; 82 + memcpy(p, context->data, context->len); 83 + p += context->len; 84 + tmp = htonl(k); 85 + memcpy(p, &tmp, 4); 86 + p += 4; 87 + 88 + ret = -EINVAL; 89 + if (WARN_ON(p - (u8 *)data.data != data.len)) 90 + goto error; 91 + 92 + K1.len = crypto_shash_digestsize(shash); 93 + K1.data = buffer + 94 + krb5_shash_size(shash); 95 + 96 + ret = crypto_shash_finup(desc, data.data, data.len, K1.data); 97 + if (ret < 0) 98 + goto error; 99 + 100 + memcpy(result->data, K1.data, result->len); 101 + 102 + error: 103 + kfree_sensitive(buffer); 104 + error_shash: 105 + crypto_free_shash(shash); 106 + return ret; 107 + } 108 + 109 + /* 110 + * Calculate the pseudo-random function, PRF(). 111 + * 112 + * PRF = KDF-HMAC-SHA2(input-key, "prf", octet-string, 256) 113 + * PRF = KDF-HMAC-SHA2(input-key, "prf", octet-string, 384) 114 + * 115 + * The "prfconstant" used in the PRF operation is the three-octet string 116 + * "prf". 117 + * [rfc8009 sec 5] 118 + */ 119 + static int rfc8009_calc_PRF(const struct krb5_enctype *krb5, 120 + const struct krb5_buffer *input_key, 121 + const struct krb5_buffer *octet_string, 122 + struct krb5_buffer *result, 123 + gfp_t gfp) 124 + { 125 + static const struct krb5_buffer prfconstant = { 3, "prf" }; 126 + 127 + return rfc8009_calc_KDF_HMAC_SHA2(krb5, input_key, &prfconstant, 128 + octet_string, krb5->prf_len * 8, 129 + result, gfp); 130 + } 131 + 132 + /* 133 + * Derive Ke. 134 + * Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 128) 135 + * Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 256) 136 + * [rfc8009 sec 5] 137 + */ 138 + static int rfc8009_calc_Ke(const struct krb5_enctype *krb5, 139 + const struct krb5_buffer *base_key, 140 + const struct krb5_buffer *usage_constant, 141 + struct krb5_buffer *result, 142 + gfp_t gfp) 143 + { 144 + return rfc8009_calc_KDF_HMAC_SHA2(krb5, base_key, usage_constant, 145 + &rfc8009_no_context, krb5->key_bytes * 8, 146 + result, gfp); 147 + } 148 + 149 + /* 150 + * Derive Kc/Ki 151 + * Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 128) 152 + * Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 128) 153 + * Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 192) 154 + * Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 192) 155 + * [rfc8009 sec 5] 156 + */ 157 + static int rfc8009_calc_Ki(const struct krb5_enctype *krb5, 158 + const struct krb5_buffer *base_key, 159 + const struct krb5_buffer *usage_constant, 160 + struct krb5_buffer *result, 161 + gfp_t gfp) 162 + { 163 + return rfc8009_calc_KDF_HMAC_SHA2(krb5, base_key, usage_constant, 164 + &rfc8009_no_context, krb5->cksum_len * 8, 165 + result, gfp); 166 + } 167 + 168 + /* 169 + * Apply encryption and checksumming functions to a message. Unlike for 170 + * RFC3961, for RFC8009, we have to chuck the starting IV into the hash first. 171 + */ 172 + static ssize_t rfc8009_encrypt(const struct krb5_enctype *krb5, 173 + struct crypto_aead *aead, 174 + struct scatterlist *sg, unsigned int nr_sg, size_t sg_len, 175 + size_t data_offset, size_t data_len, 176 + bool preconfounded) 177 + { 178 + struct aead_request *req; 179 + struct scatterlist bsg[2]; 180 + ssize_t ret, done; 181 + size_t bsize, base_len, secure_offset, secure_len, pad_len, cksum_offset; 182 + void *buffer; 183 + u8 *iv, *ad; 184 + 185 + if (WARN_ON(data_offset != krb5->conf_len)) 186 + return -EINVAL; /* Data is in wrong place */ 187 + 188 + secure_offset = 0; 189 + base_len = krb5->conf_len + data_len; 190 + pad_len = 0; 191 + secure_len = base_len + pad_len; 192 + cksum_offset = secure_len; 193 + if (WARN_ON(cksum_offset + krb5->cksum_len > sg_len)) 194 + return -EFAULT; 195 + 196 + bsize = krb5_aead_size(aead) + 197 + krb5_aead_ivsize(aead) * 2; 198 + buffer = kzalloc(bsize, GFP_NOFS); 199 + if (!buffer) 200 + return -ENOMEM; 201 + 202 + req = buffer; 203 + iv = buffer + krb5_aead_size(aead); 204 + ad = buffer + krb5_aead_size(aead) + krb5_aead_ivsize(aead); 205 + 206 + /* Insert the confounder into the buffer */ 207 + ret = -EFAULT; 208 + if (!preconfounded) { 209 + get_random_bytes(buffer, krb5->conf_len); 210 + done = sg_pcopy_from_buffer(sg, nr_sg, buffer, krb5->conf_len, 211 + secure_offset); 212 + if (done != krb5->conf_len) 213 + goto error; 214 + } 215 + 216 + /* We may need to pad out to the crypto blocksize. */ 217 + if (pad_len) { 218 + done = sg_zero_buffer(sg, nr_sg, pad_len, data_offset + data_len); 219 + if (done != pad_len) 220 + goto error; 221 + } 222 + 223 + /* We need to include the starting IV in the hash. */ 224 + sg_init_table(bsg, 2); 225 + sg_set_buf(&bsg[0], ad, krb5_aead_ivsize(aead)); 226 + sg_chain(bsg, 2, sg); 227 + 228 + /* Hash and encrypt the message. */ 229 + aead_request_set_tfm(req, aead); 230 + aead_request_set_callback(req, 0, NULL, NULL); 231 + aead_request_set_ad(req, krb5_aead_ivsize(aead)); 232 + aead_request_set_crypt(req, bsg, bsg, secure_len, iv); 233 + ret = crypto_aead_encrypt(req); 234 + if (ret < 0) 235 + goto error; 236 + 237 + ret = secure_len + krb5->cksum_len; 238 + 239 + error: 240 + kfree_sensitive(buffer); 241 + return ret; 242 + } 243 + 244 + /* 245 + * Apply decryption and checksumming functions to a message. Unlike for 246 + * RFC3961, for RFC8009, we have to chuck the starting IV into the hash first. 247 + * 248 + * The offset and length are updated to reflect the actual content of the 249 + * encrypted region. 250 + */ 251 + static int rfc8009_decrypt(const struct krb5_enctype *krb5, 252 + struct crypto_aead *aead, 253 + struct scatterlist *sg, unsigned int nr_sg, 254 + size_t *_offset, size_t *_len) 255 + { 256 + struct aead_request *req; 257 + struct scatterlist bsg[2]; 258 + size_t bsize; 259 + void *buffer; 260 + int ret; 261 + u8 *iv, *ad; 262 + 263 + if (WARN_ON(*_offset != 0)) 264 + return -EINVAL; /* Can't set offset on aead */ 265 + 266 + if (*_len < krb5->conf_len + krb5->cksum_len) 267 + return -EPROTO; 268 + 269 + bsize = krb5_aead_size(aead) + 270 + krb5_aead_ivsize(aead) * 2; 271 + buffer = kzalloc(bsize, GFP_NOFS); 272 + if (!buffer) 273 + return -ENOMEM; 274 + 275 + req = buffer; 276 + iv = buffer + krb5_aead_size(aead); 277 + ad = buffer + krb5_aead_size(aead) + krb5_aead_ivsize(aead); 278 + 279 + /* We need to include the starting IV in the hash. */ 280 + sg_init_table(bsg, 2); 281 + sg_set_buf(&bsg[0], ad, krb5_aead_ivsize(aead)); 282 + sg_chain(bsg, 2, sg); 283 + 284 + /* Decrypt the message and verify its checksum. */ 285 + aead_request_set_tfm(req, aead); 286 + aead_request_set_callback(req, 0, NULL, NULL); 287 + aead_request_set_ad(req, krb5_aead_ivsize(aead)); 288 + aead_request_set_crypt(req, bsg, bsg, *_len, iv); 289 + ret = crypto_aead_decrypt(req); 290 + if (ret < 0) 291 + goto error; 292 + 293 + /* Adjust the boundaries of the data. */ 294 + *_offset += krb5->conf_len; 295 + *_len -= krb5->conf_len + krb5->cksum_len; 296 + ret = 0; 297 + 298 + error: 299 + kfree_sensitive(buffer); 300 + return ret; 301 + } 302 + 303 + static const struct krb5_crypto_profile rfc8009_crypto_profile = { 304 + .calc_PRF = rfc8009_calc_PRF, 305 + .calc_Kc = rfc8009_calc_Ki, 306 + .calc_Ke = rfc8009_calc_Ke, 307 + .calc_Ki = rfc8009_calc_Ki, 308 + .derive_encrypt_keys = authenc_derive_encrypt_keys, 309 + .load_encrypt_keys = authenc_load_encrypt_keys, 310 + .derive_checksum_key = rfc3961_derive_checksum_key, 311 + .load_checksum_key = rfc3961_load_checksum_key, 312 + .encrypt = rfc8009_encrypt, 313 + .decrypt = rfc8009_decrypt, 314 + .get_mic = rfc3961_get_mic, 315 + .verify_mic = rfc3961_verify_mic, 316 + }; 317 + 318 + const struct krb5_enctype krb5_aes128_cts_hmac_sha256_128 = { 319 + .etype = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128, 320 + .ctype = KRB5_CKSUMTYPE_HMAC_SHA256_128_AES128, 321 + .name = "aes128-cts-hmac-sha256-128", 322 + .encrypt_name = "authenc(hmac(sha256),cts(cbc(aes)))", 323 + .cksum_name = "hmac(sha256)", 324 + .hash_name = "sha256", 325 + .derivation_enc = "cts(cbc(aes))", 326 + .key_bytes = 16, 327 + .key_len = 16, 328 + .Kc_len = 16, 329 + .Ke_len = 16, 330 + .Ki_len = 16, 331 + .block_len = 16, 332 + .conf_len = 16, 333 + .cksum_len = 16, 334 + .hash_len = 20, 335 + .prf_len = 32, 336 + .keyed_cksum = true, 337 + .random_to_key = NULL, /* Identity */ 338 + .profile = &rfc8009_crypto_profile, 339 + }; 340 + 341 + const struct krb5_enctype krb5_aes256_cts_hmac_sha384_192 = { 342 + .etype = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192, 343 + .ctype = KRB5_CKSUMTYPE_HMAC_SHA384_192_AES256, 344 + .name = "aes256-cts-hmac-sha384-192", 345 + .encrypt_name = "authenc(hmac(sha384),cts(cbc(aes)))", 346 + .cksum_name = "hmac(sha384)", 347 + .hash_name = "sha384", 348 + .derivation_enc = "cts(cbc(aes))", 349 + .key_bytes = 32, 350 + .key_len = 32, 351 + .Kc_len = 24, 352 + .Ke_len = 32, 353 + .Ki_len = 24, 354 + .block_len = 16, 355 + .conf_len = 16, 356 + .cksum_len = 24, 357 + .hash_len = 20, 358 + .prf_len = 48, 359 + .keyed_cksum = true, 360 + .random_to_key = NULL, /* Identity */ 361 + .profile = &rfc8009_crypto_profile, 362 + };
+4
include/crypto/krb5.h
··· 31 31 #define KRB5_ENCTYPE_DES3_CBC_SHA1 0x0010 32 32 #define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011 33 33 #define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 34 + #define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 35 + #define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014 34 36 #define KRB5_ENCTYPE_ARCFOUR_HMAC 0x0017 35 37 #define KRB5_ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 36 38 #define KRB5_ENCTYPE_UNKNOWN 0x01ff ··· 47 45 #define KRB5_CKSUMTYPE_HMAC_SHA1_DES3 0x000c 48 46 #define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f 49 47 #define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 48 + #define KRB5_CKSUMTYPE_HMAC_SHA256_128_AES128 0x0013 49 + #define KRB5_CKSUMTYPE_HMAC_SHA384_192_AES256 0x0014 50 50 #define KRB5_CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /* Microsoft md5 hmac cksumtype */ 51 51 52 52 /*