
SUNRPC: Move remaining internal definitions to gss_krb5_internal.h

The goal is to leave only protocol-defined items in gss_krb5.h so
that it can be easily replaced by a generic header. Implementation-
specific items are moved to the new internal header.

Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

+111 -118
-117
include/linux/sunrpc/gss_krb5.h
··· 42 42 #include <linux/sunrpc/gss_err.h> 43 43 #include <linux/sunrpc/gss_asn1.h> 44 44 45 - /* 46 - * The RFCs often specify payload lengths in bits. This helper 47 - * converts a specified bit-length to the number of octets/bytes. 48 - */ 49 - #define BITS2OCTETS(x) ((x) / 8) 50 - 51 45 /* Length of constant used in key derivation */ 52 46 #define GSS_KRB5_K5CLENGTH (5) 53 47 ··· 53 59 54 60 /* Maximum blocksize for the supported crypto algorithms */ 55 61 #define GSS_KRB5_MAX_BLOCKSIZE (16) 56 - 57 - struct krb5_ctx; 58 - 59 - struct gss_krb5_enctype { 60 - const u32 etype; /* encryption (key) type */ 61 - const u32 ctype; /* checksum type */ 62 - const char *name; /* "friendly" name */ 63 - const char *encrypt_name; /* crypto encrypt name */ 64 - const char *aux_cipher; /* aux encrypt cipher name */ 65 - const char *cksum_name; /* crypto checksum name */ 66 - const u16 signalg; /* signing algorithm */ 67 - const u16 sealalg; /* sealing algorithm */ 68 - const u32 cksumlength; /* checksum length */ 69 - const u32 keyed_cksum; /* is it a keyed cksum? 
*/ 70 - const u32 keybytes; /* raw key len, in bytes */ 71 - const u32 keylength; /* protocol key length, in octets */ 72 - const u32 Kc_length; /* checksum subkey length, in octets */ 73 - const u32 Ke_length; /* encryption subkey length, in octets */ 74 - const u32 Ki_length; /* integrity subkey length, in octets */ 75 - 76 - int (*import_ctx)(struct krb5_ctx *ctx, gfp_t gfp_mask); 77 - int (*derive_key)(const struct gss_krb5_enctype *gk5e, 78 - const struct xdr_netobj *in, 79 - struct xdr_netobj *out, 80 - const struct xdr_netobj *label, 81 - gfp_t gfp_mask); 82 - u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset, 83 - struct xdr_buf *buf, struct page **pages); 84 - u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len, 85 - struct xdr_buf *buf, u32 *headskip, u32 *tailskip); 86 - u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text, 87 - struct xdr_netobj *token); 88 - u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer, 89 - struct xdr_netobj *read_token); 90 - u32 (*wrap)(struct krb5_ctx *kctx, int offset, 91 - struct xdr_buf *buf, struct page **pages); 92 - u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len, 93 - struct xdr_buf *buf, unsigned int *slack, 94 - unsigned int *align); 95 - }; 96 - 97 - /* krb5_ctx flags definitions */ 98 - #define KRB5_CTX_FLAG_INITIATOR 0x00000001 99 - #define KRB5_CTX_FLAG_CFX 0x00000002 100 - #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 101 - 102 - struct krb5_ctx { 103 - int initiate; /* 1 = initiating, 0 = accepting */ 104 - u32 enctype; 105 - u32 flags; 106 - const struct gss_krb5_enctype *gk5e; /* enctype-specific info */ 107 - struct crypto_sync_skcipher *enc; 108 - struct crypto_sync_skcipher *seq; 109 - struct crypto_sync_skcipher *acceptor_enc; 110 - struct crypto_sync_skcipher *initiator_enc; 111 - struct crypto_sync_skcipher *acceptor_enc_aux; 112 - struct crypto_sync_skcipher *initiator_enc_aux; 113 - struct crypto_ahash *acceptor_sign; 114 - struct crypto_ahash 
*initiator_sign; 115 - struct crypto_ahash *initiator_integ; 116 - struct crypto_ahash *acceptor_integ; 117 - u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */ 118 - u8 cksum[GSS_KRB5_MAX_KEYLEN]; 119 - atomic_t seq_send; 120 - atomic64_t seq_send64; 121 - time64_t endtime; 122 - struct xdr_netobj mech_used; 123 - }; 124 62 125 63 /* The length of the Kerberos GSS token header */ 126 64 #define GSS_KRB5_TOK_HDR_LEN (16) ··· 170 244 #define KG_USAGE_ACCEPTOR_SIGN (23) 171 245 #define KG_USAGE_INITIATOR_SEAL (24) 172 246 #define KG_USAGE_INITIATOR_SIGN (25) 173 - 174 - /* 175 - * This compile-time check verifies that we will not exceed the 176 - * slack space allotted by the client and server auth_gss code 177 - * before they call gss_wrap(). 178 - */ 179 - #define GSS_KRB5_MAX_SLACK_NEEDED \ 180 - (GSS_KRB5_TOK_HDR_LEN /* gss token header */ \ 181 - + GSS_KRB5_MAX_CKSUM_LEN /* gss token checksum */ \ 182 - + GSS_KRB5_MAX_BLOCKSIZE /* confounder */ \ 183 - + GSS_KRB5_MAX_BLOCKSIZE /* possible padding */ \ 184 - + GSS_KRB5_TOK_HDR_LEN /* encrypted hdr in v2 token */\ 185 - + GSS_KRB5_MAX_CKSUM_LEN /* encryption hmac */ \ 186 - + 4 + 4 /* RPC verifier */ \ 187 - + GSS_KRB5_TOK_HDR_LEN \ 188 - + GSS_KRB5_MAX_CKSUM_LEN) 189 - 190 - u32 191 - make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, 192 - struct xdr_buf *body, int body_offset, u8 *cksumkey, 193 - unsigned int usage, struct xdr_netobj *cksumout); 194 - 195 - int 196 - gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *outbuf, 197 - int offset, struct page **pages); 198 - 199 - int 200 - gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *inbuf, 201 - int offset); 202 - 203 - s32 204 - krb5_make_seq_num(struct krb5_ctx *kctx, 205 - struct crypto_sync_skcipher *key, 206 - int direction, 207 - u32 seqnum, unsigned char *cksum, unsigned char *buf); 208 - 209 - s32 210 - krb5_get_seq_num(struct krb5_ctx *kctx, 211 - unsigned char *cksum, 212 - unsigned char *buf, int 
*direction, u32 *seqnum); 213 - 214 - int 215 - xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen); 216 247 217 248 #endif /* _LINUX_SUNRPC_GSS_KRB5_H */
+17
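--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -49,6 +49,22 @@
 # define RPCDBG_FACILITY RPCDBG_AUTH
 #endif
 
+/*
+ * This compile-time check verifies that we will not exceed the
+ * slack space allotted by the client and server auth_gss code
+ * before they call gss_wrap().
+ */
+#define GSS_KRB5_MAX_SLACK_NEEDED \
+	(GSS_KRB5_TOK_HDR_LEN /* gss token header */ \
+	+ GSS_KRB5_MAX_CKSUM_LEN /* gss token checksum */ \
+	+ GSS_KRB5_MAX_BLOCKSIZE /* confounder */ \
+	+ GSS_KRB5_MAX_BLOCKSIZE /* possible padding */ \
+	+ GSS_KRB5_TOK_HDR_LEN /* encrypted hdr in v2 token */ \
+	+ GSS_KRB5_MAX_CKSUM_LEN /* encryption hmac */ \
+	+ XDR_UNIT * 2 /* RPC verifier */ \
+	+ GSS_KRB5_TOK_HDR_LEN \
+	+ GSS_KRB5_MAX_CKSUM_LEN)
+
 #define GSS_CRED_SLACK (RPC_MAX_AUTH_SIZE * 2)
 /* length of a krb5 verifier (48), plus data added before arguments when
  * using integrity (two 4-byte integers): */
@@ -1058,6 +1042,7 @@
 		goto err_put_mech;
 	auth = &gss_auth->rpc_auth;
 	auth->au_cslack = GSS_CRED_SLACK >> 2;
+	BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
 	auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2;
 	auth->au_verfsize = GSS_VERF_SLACK >> 2;
 	auth->au_ralign = GSS_VERF_SLACK >> 2;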
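Review bot: The comment carried over above the new GSS_KRB5_MAX_SLACK_NEEDED definition (new lines 52-56) still says "This compile-time check verifies…", but the macro itself checks nothing; the check is the BUILD_BUG_ON() added in the second hunk at new line 1045, about a thousand lines away, so the comment should describe the value and point at the check, e.g. `/* Worst-case bytes gss_wrap() may add to a message; the rpc_auth setup code below BUILD_BUG_ON()s that this fits in RPC_MAX_AUTH_SIZE. */`. The function containing that BUILD_BUG_ON() starts and ends outside the hunk. The hunk also rewrites the RPC verifier term from `4 + 4` to `XDR_UNIT * 2`; presumably the same value, but since the description presents this as a pure move, the substitution deserves a sentence there. It is also worth noting in the comment that this krb5-specific slack bound now lives in mechanism-independent auth_gss.c, which sits oddly with the stated goal of making the header generic.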
-1
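--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -572,7 +572,6 @@
 	if (shiftlen == 0)
 		return 0;
 
-	BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
 	BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);
 
 	p = buf->head[0].iov_base + base;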
+94
net/sunrpc/auth_gss/gss_krb5_internal.h
··· 9 9 #define _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H 10 10 11 11 /* 12 + * The RFCs often specify payload lengths in bits. This helper 13 + * converts a specified bit-length to the number of octets/bytes. 14 + */ 15 + #define BITS2OCTETS(x) ((x) / 8) 16 + 17 + struct krb5_ctx; 18 + 19 + struct gss_krb5_enctype { 20 + const u32 etype; /* encryption (key) type */ 21 + const u32 ctype; /* checksum type */ 22 + const char *name; /* "friendly" name */ 23 + const char *encrypt_name; /* crypto encrypt name */ 24 + const char *aux_cipher; /* aux encrypt cipher name */ 25 + const char *cksum_name; /* crypto checksum name */ 26 + const u16 signalg; /* signing algorithm */ 27 + const u16 sealalg; /* sealing algorithm */ 28 + const u32 cksumlength; /* checksum length */ 29 + const u32 keyed_cksum; /* is it a keyed cksum? */ 30 + const u32 keybytes; /* raw key len, in bytes */ 31 + const u32 keylength; /* protocol key length, in octets */ 32 + const u32 Kc_length; /* checksum subkey length, in octets */ 33 + const u32 Ke_length; /* encryption subkey length, in octets */ 34 + const u32 Ki_length; /* integrity subkey length, in octets */ 35 + 36 + int (*import_ctx)(struct krb5_ctx *ctx, gfp_t gfp_mask); 37 + int (*derive_key)(const struct gss_krb5_enctype *gk5e, 38 + const struct xdr_netobj *in, 39 + struct xdr_netobj *out, 40 + const struct xdr_netobj *label, 41 + gfp_t gfp_mask); 42 + u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset, 43 + struct xdr_buf *buf, struct page **pages); 44 + u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len, 45 + struct xdr_buf *buf, u32 *headskip, u32 *tailskip); 46 + u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text, 47 + struct xdr_netobj *token); 48 + u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer, 49 + struct xdr_netobj *read_token); 50 + u32 (*wrap)(struct krb5_ctx *kctx, int offset, 51 + struct xdr_buf *buf, struct page **pages); 52 + u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len, 53 + 
struct xdr_buf *buf, unsigned int *slack, 54 + unsigned int *align); 55 + }; 56 + 57 + /* krb5_ctx flags definitions */ 58 + #define KRB5_CTX_FLAG_INITIATOR 0x00000001 59 + #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 60 + 61 + struct krb5_ctx { 62 + int initiate; /* 1 = initiating, 0 = accepting */ 63 + u32 enctype; 64 + u32 flags; 65 + const struct gss_krb5_enctype *gk5e; /* enctype-specific info */ 66 + struct crypto_sync_skcipher *enc; 67 + struct crypto_sync_skcipher *seq; 68 + struct crypto_sync_skcipher *acceptor_enc; 69 + struct crypto_sync_skcipher *initiator_enc; 70 + struct crypto_sync_skcipher *acceptor_enc_aux; 71 + struct crypto_sync_skcipher *initiator_enc_aux; 72 + struct crypto_ahash *acceptor_sign; 73 + struct crypto_ahash *initiator_sign; 74 + struct crypto_ahash *initiator_integ; 75 + struct crypto_ahash *acceptor_integ; 76 + u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */ 77 + u8 cksum[GSS_KRB5_MAX_KEYLEN]; 78 + atomic_t seq_send; 79 + atomic64_t seq_send64; 80 + time64_t endtime; 81 + struct xdr_netobj mech_used; 82 + }; 83 + 84 + /* 12 85 * GSS Kerberos 5 mechanism Per-Message calls. 
13 86 */ 14 87 ··· 169 96 return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask); 170 97 } 171 98 99 + s32 krb5_make_seq_num(struct krb5_ctx *kctx, struct crypto_sync_skcipher *key, 100 + int direction, u32 seqnum, unsigned char *cksum, 101 + unsigned char *buf); 102 + 103 + s32 krb5_get_seq_num(struct krb5_ctx *kctx, unsigned char *cksum, 104 + unsigned char *buf, int *direction, u32 *seqnum); 105 + 172 106 void krb5_make_confounder(u8 *p, int conflen); 107 + 108 + u32 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, 109 + struct xdr_buf *body, int body_offset, u8 *cksumkey, 110 + unsigned int usage, struct xdr_netobj *cksumout); 173 111 174 112 u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen, 175 113 const struct xdr_buf *body, int body_offset, ··· 191 107 192 108 u32 krb5_decrypt(struct crypto_sync_skcipher *key, void *iv, void *in, 193 109 void *out, int length); 110 + 111 + int xdr_extend_head(struct xdr_buf *buf, unsigned int base, 112 + unsigned int shiftlen); 113 + 114 + int gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, 115 + struct xdr_buf *outbuf, int offset, 116 + struct page **pages); 117 + 118 + int gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, 119 + struct xdr_buf *inbuf, int offset); 194 120 195 121 u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, 196 122 struct xdr_buf *buf, struct page **pages);
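Review bot: KRB5_CTX_FLAG_CFX (0x00000002) was part of the flags block removed from gss_krb5.h but is missing from the block added here at new lines 57-59, so the move silently drops a definition; if it is genuinely unused the description should say so, otherwise any remaining user now fails to build. The moved struct gss_krb5_enctype and struct krb5_ctx depend on u32/u16, gfp_t, atomic_t, time64_t, struct xdr_netobj, struct xdr_buf, struct page and the crypto_* tfm types, and this header's include list is outside the hunk, so it is worth confirming the internal header is self-contained rather than relying on include order in its users. As a point of style, the make_checksum() prototype is inserted between krb5_make_confounder() and gss_krb5_checksum() (new lines 108-110); grouping it with the other checksum helpers would read better. A short comment above struct krb5_ctx noting that Ksess and cksum hold key material, e.g. `/* Ksess and cksum hold live key material; zeroize on context teardown */`, would also help readers of the now-internal definition.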