root/net/sunrpc/auth_gss/gss_krb5_crypto.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. krb5_encrypt
  2. krb5_decrypt
  3. checksummer
  4. arcfour_hmac_md5_usage_to_salt
  5. make_checksum_hmac_md5
  6. make_checksum
  7. make_checksum_v2
  8. encryptor
  9. gss_encrypt_xdr_buf
  10. decryptor
  11. gss_decrypt_xdr_buf
  12. xdr_extend_head
  13. gss_krb5_cts_crypt
  14. gss_krb5_aes_encrypt
  15. gss_krb5_aes_decrypt
  16. krb5_rc4_setup_seq_key
  17. krb5_rc4_setup_enc_key

   1 /*
   2  *  linux/net/sunrpc/gss_krb5_crypto.c
   3  *
   4  *  Copyright (c) 2000-2008 The Regents of the University of Michigan.
   5  *  All rights reserved.
   6  *
   7  *  Andy Adamson   <andros@umich.edu>
   8  *  Bruce Fields   <bfields@umich.edu>
   9  */
  10 
  11 /*
  12  * Copyright (C) 1998 by the FundsXpress, INC.
  13  *
  14  * All rights reserved.
  15  *
  16  * Export of this software from the United States of America may require
  17  * a specific license from the United States Government.  It is the
  18  * responsibility of any person or organization contemplating export to
  19  * obtain such a license before exporting.
  20  *
  21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  22  * distribute this software and its documentation for any purpose and
  23  * without fee is hereby granted, provided that the above copyright
  24  * notice appear in all copies and that both that copyright notice and
  25  * this permission notice appear in supporting documentation, and that
  26  * the name of FundsXpress. not be used in advertising or publicity pertaining
  27  * to distribution of the software without specific, written prior
  28  * permission.  FundsXpress makes no representations about the suitability of
  29  * this software for any purpose.  It is provided "as is" without express
  30  * or implied warranty.
  31  *
  32  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  33  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  34  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  35  */
  36 
  37 #include <crypto/algapi.h>
  38 #include <crypto/hash.h>
  39 #include <crypto/skcipher.h>
  40 #include <linux/err.h>
  41 #include <linux/types.h>
  42 #include <linux/mm.h>
  43 #include <linux/scatterlist.h>
  44 #include <linux/highmem.h>
  45 #include <linux/pagemap.h>
  46 #include <linux/random.h>
  47 #include <linux/sunrpc/gss_krb5.h>
  48 #include <linux/sunrpc/xdr.h>
  49 
  50 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  51 # define RPCDBG_FACILITY        RPCDBG_AUTH
  52 #endif
  53 
  54 u32
  55 krb5_encrypt(
  56         struct crypto_sync_skcipher *tfm,
  57         void * iv,
  58         void * in,
  59         void * out,
  60         int length)
  61 {
  62         u32 ret = -EINVAL;
  63         struct scatterlist sg[1];
  64         u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
  65         SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
  66 
  67         if (length % crypto_sync_skcipher_blocksize(tfm) != 0)
  68                 goto out;
  69 
  70         if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
  71                 dprintk("RPC:       gss_k5encrypt: tfm iv size too large %d\n",
  72                         crypto_sync_skcipher_ivsize(tfm));
  73                 goto out;
  74         }
  75 
  76         if (iv)
  77                 memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));
  78 
  79         memcpy(out, in, length);
  80         sg_init_one(sg, out, length);
  81 
  82         skcipher_request_set_sync_tfm(req, tfm);
  83         skcipher_request_set_callback(req, 0, NULL, NULL);
  84         skcipher_request_set_crypt(req, sg, sg, length, local_iv);
  85 
  86         ret = crypto_skcipher_encrypt(req);
  87         skcipher_request_zero(req);
  88 out:
  89         dprintk("RPC:       krb5_encrypt returns %d\n", ret);
  90         return ret;
  91 }
  92 
  93 u32
  94 krb5_decrypt(
  95      struct crypto_sync_skcipher *tfm,
  96      void * iv,
  97      void * in,
  98      void * out,
  99      int length)
 100 {
 101         u32 ret = -EINVAL;
 102         struct scatterlist sg[1];
 103         u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
 104         SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
 105 
 106         if (length % crypto_sync_skcipher_blocksize(tfm) != 0)
 107                 goto out;
 108 
 109         if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
 110                 dprintk("RPC:       gss_k5decrypt: tfm iv size too large %d\n",
 111                         crypto_sync_skcipher_ivsize(tfm));
 112                 goto out;
 113         }
 114         if (iv)
 115                 memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));
 116 
 117         memcpy(out, in, length);
 118         sg_init_one(sg, out, length);
 119 
 120         skcipher_request_set_sync_tfm(req, tfm);
 121         skcipher_request_set_callback(req, 0, NULL, NULL);
 122         skcipher_request_set_crypt(req, sg, sg, length, local_iv);
 123 
 124         ret = crypto_skcipher_decrypt(req);
 125         skcipher_request_zero(req);
 126 out:
 127         dprintk("RPC:       gss_k5decrypt returns %d\n",ret);
 128         return ret;
 129 }
 130 
 131 static int
 132 checksummer(struct scatterlist *sg, void *data)
 133 {
 134         struct ahash_request *req = data;
 135 
 136         ahash_request_set_crypt(req, sg, NULL, sg->length);
 137 
 138         return crypto_ahash_update(req);
 139 }
 140 
 141 static int
 142 arcfour_hmac_md5_usage_to_salt(unsigned int usage, u8 salt[4])
 143 {
 144         unsigned int ms_usage;
 145 
 146         switch (usage) {
 147         case KG_USAGE_SIGN:
 148                 ms_usage = 15;
 149                 break;
 150         case KG_USAGE_SEAL:
 151                 ms_usage = 13;
 152                 break;
 153         default:
 154                 return -EINVAL;
 155         }
 156         salt[0] = (ms_usage >> 0) & 0xff;
 157         salt[1] = (ms_usage >> 8) & 0xff;
 158         salt[2] = (ms_usage >> 16) & 0xff;
 159         salt[3] = (ms_usage >> 24) & 0xff;
 160 
 161         return 0;
 162 }
 163 
 164 static u32
 165 make_checksum_hmac_md5(struct krb5_ctx *kctx, char *header, int hdrlen,
 166                        struct xdr_buf *body, int body_offset, u8 *cksumkey,
 167                        unsigned int usage, struct xdr_netobj *cksumout)
 168 {
 169         struct scatterlist              sg[1];
 170         int err = -1;
 171         u8 *checksumdata;
 172         u8 *rc4salt;
 173         struct crypto_ahash *md5;
 174         struct crypto_ahash *hmac_md5;
 175         struct ahash_request *req;
 176 
 177         if (cksumkey == NULL)
 178                 return GSS_S_FAILURE;
 179 
 180         if (cksumout->len < kctx->gk5e->cksumlength) {
 181                 dprintk("%s: checksum buffer length, %u, too small for %s\n",
 182                         __func__, cksumout->len, kctx->gk5e->name);
 183                 return GSS_S_FAILURE;
 184         }
 185 
 186         rc4salt = kmalloc_array(4, sizeof(*rc4salt), GFP_NOFS);
 187         if (!rc4salt)
 188                 return GSS_S_FAILURE;
 189 
 190         if (arcfour_hmac_md5_usage_to_salt(usage, rc4salt)) {
 191                 dprintk("%s: invalid usage value %u\n", __func__, usage);
 192                 goto out_free_rc4salt;
 193         }
 194 
 195         checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS);
 196         if (!checksumdata)
 197                 goto out_free_rc4salt;
 198 
 199         md5 = crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC);
 200         if (IS_ERR(md5))
 201                 goto out_free_cksum;
 202 
 203         hmac_md5 = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0,
 204                                       CRYPTO_ALG_ASYNC);
 205         if (IS_ERR(hmac_md5))
 206                 goto out_free_md5;
 207 
 208         req = ahash_request_alloc(md5, GFP_NOFS);
 209         if (!req)
 210                 goto out_free_hmac_md5;
 211 
 212         ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
 213 
 214         err = crypto_ahash_init(req);
 215         if (err)
 216                 goto out;
 217         sg_init_one(sg, rc4salt, 4);
 218         ahash_request_set_crypt(req, sg, NULL, 4);
 219         err = crypto_ahash_update(req);
 220         if (err)
 221                 goto out;
 222 
 223         sg_init_one(sg, header, hdrlen);
 224         ahash_request_set_crypt(req, sg, NULL, hdrlen);
 225         err = crypto_ahash_update(req);
 226         if (err)
 227                 goto out;
 228         err = xdr_process_buf(body, body_offset, body->len - body_offset,
 229                               checksummer, req);
 230         if (err)
 231                 goto out;
 232         ahash_request_set_crypt(req, NULL, checksumdata, 0);
 233         err = crypto_ahash_final(req);
 234         if (err)
 235                 goto out;
 236 
 237         ahash_request_free(req);
 238         req = ahash_request_alloc(hmac_md5, GFP_NOFS);
 239         if (!req)
 240                 goto out_free_hmac_md5;
 241 
 242         ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
 243 
 244         err = crypto_ahash_setkey(hmac_md5, cksumkey, kctx->gk5e->keylength);
 245         if (err)
 246                 goto out;
 247 
 248         sg_init_one(sg, checksumdata, crypto_ahash_digestsize(md5));
 249         ahash_request_set_crypt(req, sg, checksumdata,
 250                                 crypto_ahash_digestsize(md5));
 251         err = crypto_ahash_digest(req);
 252         if (err)
 253                 goto out;
 254 
 255         memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
 256         cksumout->len = kctx->gk5e->cksumlength;
 257 out:
 258         ahash_request_free(req);
 259 out_free_hmac_md5:
 260         crypto_free_ahash(hmac_md5);
 261 out_free_md5:
 262         crypto_free_ahash(md5);
 263 out_free_cksum:
 264         kfree(checksumdata);
 265 out_free_rc4salt:
 266         kfree(rc4salt);
 267         return err ? GSS_S_FAILURE : 0;
 268 }
 269 
 270 /*
 271  * checksum the plaintext data and hdrlen bytes of the token header
 272  * The checksum is performed over the first 8 bytes of the
 273  * gss token header and then over the data body
 274  */
 275 u32
 276 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
 277               struct xdr_buf *body, int body_offset, u8 *cksumkey,
 278               unsigned int usage, struct xdr_netobj *cksumout)
 279 {
 280         struct crypto_ahash *tfm;
 281         struct ahash_request *req;
 282         struct scatterlist              sg[1];
 283         int err = -1;
 284         u8 *checksumdata;
 285         unsigned int checksumlen;
 286 
 287         if (kctx->gk5e->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
 288                 return make_checksum_hmac_md5(kctx, header, hdrlen,
 289                                               body, body_offset,
 290                                               cksumkey, usage, cksumout);
 291 
 292         if (cksumout->len < kctx->gk5e->cksumlength) {
 293                 dprintk("%s: checksum buffer length, %u, too small for %s\n",
 294                         __func__, cksumout->len, kctx->gk5e->name);
 295                 return GSS_S_FAILURE;
 296         }
 297 
 298         checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS);
 299         if (checksumdata == NULL)
 300                 return GSS_S_FAILURE;
 301 
 302         tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
 303         if (IS_ERR(tfm))
 304                 goto out_free_cksum;
 305 
 306         req = ahash_request_alloc(tfm, GFP_NOFS);
 307         if (!req)
 308                 goto out_free_ahash;
 309 
 310         ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
 311 
 312         checksumlen = crypto_ahash_digestsize(tfm);
 313 
 314         if (cksumkey != NULL) {
 315                 err = crypto_ahash_setkey(tfm, cksumkey,
 316                                           kctx->gk5e->keylength);
 317                 if (err)
 318                         goto out;
 319         }
 320 
 321         err = crypto_ahash_init(req);
 322         if (err)
 323                 goto out;
 324         sg_init_one(sg, header, hdrlen);
 325         ahash_request_set_crypt(req, sg, NULL, hdrlen);
 326         err = crypto_ahash_update(req);
 327         if (err)
 328                 goto out;
 329         err = xdr_process_buf(body, body_offset, body->len - body_offset,
 330                               checksummer, req);
 331         if (err)
 332                 goto out;
 333         ahash_request_set_crypt(req, NULL, checksumdata, 0);
 334         err = crypto_ahash_final(req);
 335         if (err)
 336                 goto out;
 337 
 338         switch (kctx->gk5e->ctype) {
 339         case CKSUMTYPE_RSA_MD5:
 340                 err = kctx->gk5e->encrypt(kctx->seq, NULL, checksumdata,
 341                                           checksumdata, checksumlen);
 342                 if (err)
 343                         goto out;
 344                 memcpy(cksumout->data,
 345                        checksumdata + checksumlen - kctx->gk5e->cksumlength,
 346                        kctx->gk5e->cksumlength);
 347                 break;
 348         case CKSUMTYPE_HMAC_SHA1_DES3:
 349                 memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
 350                 break;
 351         default:
 352                 BUG();
 353                 break;
 354         }
 355         cksumout->len = kctx->gk5e->cksumlength;
 356 out:
 357         ahash_request_free(req);
 358 out_free_ahash:
 359         crypto_free_ahash(tfm);
 360 out_free_cksum:
 361         kfree(checksumdata);
 362         return err ? GSS_S_FAILURE : 0;
 363 }
 364 
 365 /*
 366  * checksum the plaintext data and hdrlen bytes of the token header
 367  * Per rfc4121, sec. 4.2.4, the checksum is performed over the data
 368  * body then over the first 16 octets of the MIC token
 369  * Inclusion of the header data in the calculation of the
 370  * checksum is optional.
 371  */
 372 u32
 373 make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen,
 374                  struct xdr_buf *body, int body_offset, u8 *cksumkey,
 375                  unsigned int usage, struct xdr_netobj *cksumout)
 376 {
 377         struct crypto_ahash *tfm;
 378         struct ahash_request *req;
 379         struct scatterlist sg[1];
 380         int err = -1;
 381         u8 *checksumdata;
 382 
 383         if (kctx->gk5e->keyed_cksum == 0) {
 384                 dprintk("%s: expected keyed hash for %s\n",
 385                         __func__, kctx->gk5e->name);
 386                 return GSS_S_FAILURE;
 387         }
 388         if (cksumkey == NULL) {
 389                 dprintk("%s: no key supplied for %s\n",
 390                         __func__, kctx->gk5e->name);
 391                 return GSS_S_FAILURE;
 392         }
 393 
 394         checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS);
 395         if (!checksumdata)
 396                 return GSS_S_FAILURE;
 397 
 398         tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
 399         if (IS_ERR(tfm))
 400                 goto out_free_cksum;
 401 
 402         req = ahash_request_alloc(tfm, GFP_NOFS);
 403         if (!req)
 404                 goto out_free_ahash;
 405 
 406         ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
 407 
 408         err = crypto_ahash_setkey(tfm, cksumkey, kctx->gk5e->keylength);
 409         if (err)
 410                 goto out;
 411 
 412         err = crypto_ahash_init(req);
 413         if (err)
 414                 goto out;
 415         err = xdr_process_buf(body, body_offset, body->len - body_offset,
 416                               checksummer, req);
 417         if (err)
 418                 goto out;
 419         if (header != NULL) {
 420                 sg_init_one(sg, header, hdrlen);
 421                 ahash_request_set_crypt(req, sg, NULL, hdrlen);
 422                 err = crypto_ahash_update(req);
 423                 if (err)
 424                         goto out;
 425         }
 426         ahash_request_set_crypt(req, NULL, checksumdata, 0);
 427         err = crypto_ahash_final(req);
 428         if (err)
 429                 goto out;
 430 
 431         cksumout->len = kctx->gk5e->cksumlength;
 432 
 433         switch (kctx->gk5e->ctype) {
 434         case CKSUMTYPE_HMAC_SHA1_96_AES128:
 435         case CKSUMTYPE_HMAC_SHA1_96_AES256:
 436                 /* note that this truncates the hash */
 437                 memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
 438                 break;
 439         default:
 440                 BUG();
 441                 break;
 442         }
 443 out:
 444         ahash_request_free(req);
 445 out_free_ahash:
 446         crypto_free_ahash(tfm);
 447 out_free_cksum:
 448         kfree(checksumdata);
 449         return err ? GSS_S_FAILURE : 0;
 450 }
 451 
 452 struct encryptor_desc {
 453         u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
 454         struct skcipher_request *req;
 455         int pos;
 456         struct xdr_buf *outbuf;
 457         struct page **pages;
 458         struct scatterlist infrags[4];
 459         struct scatterlist outfrags[4];
 460         int fragno;
 461         int fraglen;
 462 };
 463 
 464 static int
 465 encryptor(struct scatterlist *sg, void *data)
 466 {
 467         struct encryptor_desc *desc = data;
 468         struct xdr_buf *outbuf = desc->outbuf;
 469         struct crypto_sync_skcipher *tfm =
 470                 crypto_sync_skcipher_reqtfm(desc->req);
 471         struct page *in_page;
 472         int thislen = desc->fraglen + sg->length;
 473         int fraglen, ret;
 474         int page_pos;
 475 
 476         /* Worst case is 4 fragments: head, end of page 1, start
 477          * of page 2, tail.  Anything more is a bug. */
 478         BUG_ON(desc->fragno > 3);
 479 
 480         page_pos = desc->pos - outbuf->head[0].iov_len;
 481         if (page_pos >= 0 && page_pos < outbuf->page_len) {
 482                 /* pages are not in place: */
 483                 int i = (page_pos + outbuf->page_base) >> PAGE_SHIFT;
 484                 in_page = desc->pages[i];
 485         } else {
 486                 in_page = sg_page(sg);
 487         }
 488         sg_set_page(&desc->infrags[desc->fragno], in_page, sg->length,
 489                     sg->offset);
 490         sg_set_page(&desc->outfrags[desc->fragno], sg_page(sg), sg->length,
 491                     sg->offset);
 492         desc->fragno++;
 493         desc->fraglen += sg->length;
 494         desc->pos += sg->length;
 495 
 496         fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - 1);
 497         thislen -= fraglen;
 498 
 499         if (thislen == 0)
 500                 return 0;
 501 
 502         sg_mark_end(&desc->infrags[desc->fragno - 1]);
 503         sg_mark_end(&desc->outfrags[desc->fragno - 1]);
 504 
 505         skcipher_request_set_crypt(desc->req, desc->infrags, desc->outfrags,
 506                                    thislen, desc->iv);
 507 
 508         ret = crypto_skcipher_encrypt(desc->req);
 509         if (ret)
 510                 return ret;
 511 
 512         sg_init_table(desc->infrags, 4);
 513         sg_init_table(desc->outfrags, 4);
 514 
 515         if (fraglen) {
 516                 sg_set_page(&desc->outfrags[0], sg_page(sg), fraglen,
 517                                 sg->offset + sg->length - fraglen);
 518                 desc->infrags[0] = desc->outfrags[0];
 519                 sg_assign_page(&desc->infrags[0], in_page);
 520                 desc->fragno = 1;
 521                 desc->fraglen = fraglen;
 522         } else {
 523                 desc->fragno = 0;
 524                 desc->fraglen = 0;
 525         }
 526         return 0;
 527 }
 528 
 529 int
 530 gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf,
 531                     int offset, struct page **pages)
 532 {
 533         int ret;
 534         struct encryptor_desc desc;
 535         SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
 536 
 537         BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != 0);
 538 
 539         skcipher_request_set_sync_tfm(req, tfm);
 540         skcipher_request_set_callback(req, 0, NULL, NULL);
 541 
 542         memset(desc.iv, 0, sizeof(desc.iv));
 543         desc.req = req;
 544         desc.pos = offset;
 545         desc.outbuf = buf;
 546         desc.pages = pages;
 547         desc.fragno = 0;
 548         desc.fraglen = 0;
 549 
 550         sg_init_table(desc.infrags, 4);
 551         sg_init_table(desc.outfrags, 4);
 552 
 553         ret = xdr_process_buf(buf, offset, buf->len - offset, encryptor, &desc);
 554         skcipher_request_zero(req);
 555         return ret;
 556 }
 557 
 558 struct decryptor_desc {
 559         u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
 560         struct skcipher_request *req;
 561         struct scatterlist frags[4];
 562         int fragno;
 563         int fraglen;
 564 };
 565 
 566 static int
 567 decryptor(struct scatterlist *sg, void *data)
 568 {
 569         struct decryptor_desc *desc = data;
 570         int thislen = desc->fraglen + sg->length;
 571         struct crypto_sync_skcipher *tfm =
 572                 crypto_sync_skcipher_reqtfm(desc->req);
 573         int fraglen, ret;
 574 
 575         /* Worst case is 4 fragments: head, end of page 1, start
 576          * of page 2, tail.  Anything more is a bug. */
 577         BUG_ON(desc->fragno > 3);
 578         sg_set_page(&desc->frags[desc->fragno], sg_page(sg), sg->length,
 579                     sg->offset);
 580         desc->fragno++;
 581         desc->fraglen += sg->length;
 582 
 583         fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - 1);
 584         thislen -= fraglen;
 585 
 586         if (thislen == 0)
 587                 return 0;
 588 
 589         sg_mark_end(&desc->frags[desc->fragno - 1]);
 590 
 591         skcipher_request_set_crypt(desc->req, desc->frags, desc->frags,
 592                                    thislen, desc->iv);
 593 
 594         ret = crypto_skcipher_decrypt(desc->req);
 595         if (ret)
 596                 return ret;
 597 
 598         sg_init_table(desc->frags, 4);
 599 
 600         if (fraglen) {
 601                 sg_set_page(&desc->frags[0], sg_page(sg), fraglen,
 602                                 sg->offset + sg->length - fraglen);
 603                 desc->fragno = 1;
 604                 desc->fraglen = fraglen;
 605         } else {
 606                 desc->fragno = 0;
 607                 desc->fraglen = 0;
 608         }
 609         return 0;
 610 }
 611 
 612 int
 613 gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf,
 614                     int offset)
 615 {
 616         int ret;
 617         struct decryptor_desc desc;
 618         SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
 619 
 620         /* XXXJBF: */
 621         BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != 0);
 622 
 623         skcipher_request_set_sync_tfm(req, tfm);
 624         skcipher_request_set_callback(req, 0, NULL, NULL);
 625 
 626         memset(desc.iv, 0, sizeof(desc.iv));
 627         desc.req = req;
 628         desc.fragno = 0;
 629         desc.fraglen = 0;
 630 
 631         sg_init_table(desc.frags, 4);
 632 
 633         ret = xdr_process_buf(buf, offset, buf->len - offset, decryptor, &desc);
 634         skcipher_request_zero(req);
 635         return ret;
 636 }
 637 
 638 /*
 639  * This function makes the assumption that it was ultimately called
 640  * from gss_wrap().
 641  *
 642  * The client auth_gss code moves any existing tail data into a
 643  * separate page before calling gss_wrap.
 644  * The server svcauth_gss code ensures that both the head and the
 645  * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
 646  *
 647  * Even with that guarantee, this function may be called more than
 648  * once in the processing of gss_wrap().  The best we can do is
 649  * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
 650  * largest expected shift will fit within RPC_MAX_AUTH_SIZE.
 651  * At run-time we can verify that a single invocation of this
 652  * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE.
 653  */
 654 
 655 int
 656 xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen)
 657 {
 658         u8 *p;
 659 
 660         if (shiftlen == 0)
 661                 return 0;
 662 
 663         BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
 664         BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);
 665 
 666         p = buf->head[0].iov_base + base;
 667 
 668         memmove(p + shiftlen, p, buf->head[0].iov_len - base);
 669 
 670         buf->head[0].iov_len += shiftlen;
 671         buf->len += shiftlen;
 672 
 673         return 0;
 674 }
 675 
 676 static u32
 677 gss_krb5_cts_crypt(struct crypto_sync_skcipher *cipher, struct xdr_buf *buf,
 678                    u32 offset, u8 *iv, struct page **pages, int encrypt)
 679 {
 680         u32 ret;
 681         struct scatterlist sg[1];
 682         SYNC_SKCIPHER_REQUEST_ON_STACK(req, cipher);
 683         u8 *data;
 684         struct page **save_pages;
 685         u32 len = buf->len - offset;
 686 
 687         if (len > GSS_KRB5_MAX_BLOCKSIZE * 2) {
 688                 WARN_ON(0);
 689                 return -ENOMEM;
 690         }
 691         data = kmalloc(GSS_KRB5_MAX_BLOCKSIZE * 2, GFP_NOFS);
 692         if (!data)
 693                 return -ENOMEM;
 694 
 695         /*
 696          * For encryption, we want to read from the cleartext
 697          * page cache pages, and write the encrypted data to
 698          * the supplied xdr_buf pages.
 699          */
 700         save_pages = buf->pages;
 701         if (encrypt)
 702                 buf->pages = pages;
 703 
 704         ret = read_bytes_from_xdr_buf(buf, offset, data, len);
 705         buf->pages = save_pages;
 706         if (ret)
 707                 goto out;
 708 
 709         sg_init_one(sg, data, len);
 710 
 711         skcipher_request_set_sync_tfm(req, cipher);
 712         skcipher_request_set_callback(req, 0, NULL, NULL);
 713         skcipher_request_set_crypt(req, sg, sg, len, iv);
 714 
 715         if (encrypt)
 716                 ret = crypto_skcipher_encrypt(req);
 717         else
 718                 ret = crypto_skcipher_decrypt(req);
 719 
 720         skcipher_request_zero(req);
 721 
 722         if (ret)
 723                 goto out;
 724 
 725         ret = write_bytes_to_xdr_buf(buf, offset, data, len);
 726 
 727 out:
 728         kfree(data);
 729         return ret;
 730 }
 731 
 732 u32
 733 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
 734                      struct xdr_buf *buf, struct page **pages)
 735 {
 736         u32 err;
 737         struct xdr_netobj hmac;
 738         u8 *cksumkey;
 739         u8 *ecptr;
 740         struct crypto_sync_skcipher *cipher, *aux_cipher;
 741         int blocksize;
 742         struct page **save_pages;
 743         int nblocks, nbytes;
 744         struct encryptor_desc desc;
 745         u32 cbcbytes;
 746         unsigned int usage;
 747 
 748         if (kctx->initiate) {
 749                 cipher = kctx->initiator_enc;
 750                 aux_cipher = kctx->initiator_enc_aux;
 751                 cksumkey = kctx->initiator_integ;
 752                 usage = KG_USAGE_INITIATOR_SEAL;
 753         } else {
 754                 cipher = kctx->acceptor_enc;
 755                 aux_cipher = kctx->acceptor_enc_aux;
 756                 cksumkey = kctx->acceptor_integ;
 757                 usage = KG_USAGE_ACCEPTOR_SEAL;
 758         }
 759         blocksize = crypto_sync_skcipher_blocksize(cipher);
 760 
 761         /* hide the gss token header and insert the confounder */
 762         offset += GSS_KRB5_TOK_HDR_LEN;
 763         if (xdr_extend_head(buf, offset, kctx->gk5e->conflen))
 764                 return GSS_S_FAILURE;
 765         gss_krb5_make_confounder(buf->head[0].iov_base + offset, kctx->gk5e->conflen);
 766         offset -= GSS_KRB5_TOK_HDR_LEN;
 767 
 768         if (buf->tail[0].iov_base != NULL) {
 769                 ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
 770         } else {
 771                 buf->tail[0].iov_base = buf->head[0].iov_base
 772                                                         + buf->head[0].iov_len;
 773                 buf->tail[0].iov_len = 0;
 774                 ecptr = buf->tail[0].iov_base;
 775         }
 776 
 777         /* copy plaintext gss token header after filler (if any) */
 778         memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
 779         buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
 780         buf->len += GSS_KRB5_TOK_HDR_LEN;
 781 
 782         /* Do the HMAC */
 783         hmac.len = GSS_KRB5_MAX_CKSUM_LEN;
 784         hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;
 785 
 786         /*
 787          * When we are called, pages points to the real page cache
 788          * data -- which we can't go and encrypt!  buf->pages points
 789          * to scratch pages which we are going to send off to the
 790          * client/server.  Swap in the plaintext pages to calculate
 791          * the hmac.
 792          */
 793         save_pages = buf->pages;
 794         buf->pages = pages;
 795 
 796         err = make_checksum_v2(kctx, NULL, 0, buf,
 797                                offset + GSS_KRB5_TOK_HDR_LEN,
 798                                cksumkey, usage, &hmac);
 799         buf->pages = save_pages;
 800         if (err)
 801                 return GSS_S_FAILURE;
 802 
 803         nbytes = buf->len - offset - GSS_KRB5_TOK_HDR_LEN;
 804         nblocks = (nbytes + blocksize - 1) / blocksize;
 805         cbcbytes = 0;
 806         if (nblocks > 2)
 807                 cbcbytes = (nblocks - 2) * blocksize;
 808 
 809         memset(desc.iv, 0, sizeof(desc.iv));
 810 
 811         if (cbcbytes) {
 812                 SYNC_SKCIPHER_REQUEST_ON_STACK(req, aux_cipher);
 813 
 814                 desc.pos = offset + GSS_KRB5_TOK_HDR_LEN;
 815                 desc.fragno = 0;
 816                 desc.fraglen = 0;
 817                 desc.pages = pages;
 818                 desc.outbuf = buf;
 819                 desc.req = req;
 820 
 821                 skcipher_request_set_sync_tfm(req, aux_cipher);
 822                 skcipher_request_set_callback(req, 0, NULL, NULL);
 823 
 824                 sg_init_table(desc.infrags, 4);
 825                 sg_init_table(desc.outfrags, 4);
 826 
 827                 err = xdr_process_buf(buf, offset + GSS_KRB5_TOK_HDR_LEN,
 828                                       cbcbytes, encryptor, &desc);
 829                 skcipher_request_zero(req);
 830                 if (err)
 831                         goto out_err;
 832         }
 833 
 834         /* Make sure IV carries forward from any CBC results. */
 835         err = gss_krb5_cts_crypt(cipher, buf,
 836                                  offset + GSS_KRB5_TOK_HDR_LEN + cbcbytes,
 837                                  desc.iv, pages, 1);
 838         if (err) {
 839                 err = GSS_S_FAILURE;
 840                 goto out_err;
 841         }
 842 
 843         /* Now update buf to account for HMAC */
 844         buf->tail[0].iov_len += kctx->gk5e->cksumlength;
 845         buf->len += kctx->gk5e->cksumlength;
 846 
 847 out_err:
 848         if (err)
 849                 err = GSS_S_FAILURE;
 850         return err;
 851 }
 852 
 853 u32
 854 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
 855                      struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
 856 {
 857         struct xdr_buf subbuf;
 858         u32 ret = 0;
 859         u8 *cksum_key;
 860         struct crypto_sync_skcipher *cipher, *aux_cipher;
 861         struct xdr_netobj our_hmac_obj;
 862         u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
 863         u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
 864         int nblocks, blocksize, cbcbytes;
 865         struct decryptor_desc desc;
 866         unsigned int usage;
 867 
 868         if (kctx->initiate) {
 869                 cipher = kctx->acceptor_enc;
 870                 aux_cipher = kctx->acceptor_enc_aux;
 871                 cksum_key = kctx->acceptor_integ;
 872                 usage = KG_USAGE_ACCEPTOR_SEAL;
 873         } else {
 874                 cipher = kctx->initiator_enc;
 875                 aux_cipher = kctx->initiator_enc_aux;
 876                 cksum_key = kctx->initiator_integ;
 877                 usage = KG_USAGE_INITIATOR_SEAL;
 878         }
 879         blocksize = crypto_sync_skcipher_blocksize(cipher);
 880 
 881 
 882         /* create a segment skipping the header and leaving out the checksum */
 883         xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
 884                                     (len - offset - GSS_KRB5_TOK_HDR_LEN -
 885                                      kctx->gk5e->cksumlength));
 886 
 887         nblocks = (subbuf.len + blocksize - 1) / blocksize;
 888 
 889         cbcbytes = 0;
 890         if (nblocks > 2)
 891                 cbcbytes = (nblocks - 2) * blocksize;
 892 
 893         memset(desc.iv, 0, sizeof(desc.iv));
 894 
 895         if (cbcbytes) {
 896                 SYNC_SKCIPHER_REQUEST_ON_STACK(req, aux_cipher);
 897 
 898                 desc.fragno = 0;
 899                 desc.fraglen = 0;
 900                 desc.req = req;
 901 
 902                 skcipher_request_set_sync_tfm(req, aux_cipher);
 903                 skcipher_request_set_callback(req, 0, NULL, NULL);
 904 
 905                 sg_init_table(desc.frags, 4);
 906 
 907                 ret = xdr_process_buf(&subbuf, 0, cbcbytes, decryptor, &desc);
 908                 skcipher_request_zero(req);
 909                 if (ret)
 910                         goto out_err;
 911         }
 912 
 913         /* Make sure IV carries forward from any CBC results. */
 914         ret = gss_krb5_cts_crypt(cipher, &subbuf, cbcbytes, desc.iv, NULL, 0);
 915         if (ret)
 916                 goto out_err;
 917 
 918 
 919         /* Calculate our hmac over the plaintext data */
 920         our_hmac_obj.len = sizeof(our_hmac);
 921         our_hmac_obj.data = our_hmac;
 922 
 923         ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0,
 924                                cksum_key, usage, &our_hmac_obj);
 925         if (ret)
 926                 goto out_err;
 927 
 928         /* Get the packet's hmac value */
 929         ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
 930                                       pkt_hmac, kctx->gk5e->cksumlength);
 931         if (ret)
 932                 goto out_err;
 933 
 934         if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
 935                 ret = GSS_S_BAD_SIG;
 936                 goto out_err;
 937         }
 938         *headskip = kctx->gk5e->conflen;
 939         *tailskip = kctx->gk5e->cksumlength;
 940 out_err:
 941         if (ret && ret != GSS_S_BAD_SIG)
 942                 ret = GSS_S_FAILURE;
 943         return ret;
 944 }
 945 
 946 /*
 947  * Compute Kseq given the initial session key and the checksum.
 948  * Set the key of the given cipher.
 949  */
 950 int
 951 krb5_rc4_setup_seq_key(struct krb5_ctx *kctx,
 952                        struct crypto_sync_skcipher *cipher,
 953                        unsigned char *cksum)
 954 {
 955         struct crypto_shash *hmac;
 956         struct shash_desc *desc;
 957         u8 Kseq[GSS_KRB5_MAX_KEYLEN];
 958         u32 zeroconstant = 0;
 959         int err;
 960 
 961         dprintk("%s: entered\n", __func__);
 962 
 963         hmac = crypto_alloc_shash(kctx->gk5e->cksum_name, 0, 0);
 964         if (IS_ERR(hmac)) {
 965                 dprintk("%s: error %ld, allocating hash '%s'\n",
 966                         __func__, PTR_ERR(hmac), kctx->gk5e->cksum_name);
 967                 return PTR_ERR(hmac);
 968         }
 969 
 970         desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
 971                        GFP_NOFS);
 972         if (!desc) {
 973                 dprintk("%s: failed to allocate shash descriptor for '%s'\n",
 974                         __func__, kctx->gk5e->cksum_name);
 975                 crypto_free_shash(hmac);
 976                 return -ENOMEM;
 977         }
 978 
 979         desc->tfm = hmac;
 980 
 981         /* Compute intermediate Kseq from session key */
 982         err = crypto_shash_setkey(hmac, kctx->Ksess, kctx->gk5e->keylength);
 983         if (err)
 984                 goto out_err;
 985 
 986         err = crypto_shash_digest(desc, (u8 *)&zeroconstant, 4, Kseq);
 987         if (err)
 988                 goto out_err;
 989 
 990         /* Compute final Kseq from the checksum and intermediate Kseq */
 991         err = crypto_shash_setkey(hmac, Kseq, kctx->gk5e->keylength);
 992         if (err)
 993                 goto out_err;
 994 
 995         err = crypto_shash_digest(desc, cksum, 8, Kseq);
 996         if (err)
 997                 goto out_err;
 998 
 999         err = crypto_sync_skcipher_setkey(cipher, Kseq, kctx->gk5e->keylength);
1000         if (err)
1001                 goto out_err;
1002 
1003         err = 0;
1004 
1005 out_err:
1006         kzfree(desc);
1007         crypto_free_shash(hmac);
1008         dprintk("%s: returning %d\n", __func__, err);
1009         return err;
1010 }
1011 
1012 /*
1013  * Compute Kcrypt given the initial session key and the plaintext seqnum.
1014  * Set the key of cipher kctx->enc.
1015  */
1016 int
1017 krb5_rc4_setup_enc_key(struct krb5_ctx *kctx,
1018                        struct crypto_sync_skcipher *cipher,
1019                        s32 seqnum)
1020 {
1021         struct crypto_shash *hmac;
1022         struct shash_desc *desc;
1023         u8 Kcrypt[GSS_KRB5_MAX_KEYLEN];
1024         u8 zeroconstant[4] = {0};
1025         u8 seqnumarray[4];
1026         int err, i;
1027 
1028         dprintk("%s: entered, seqnum %u\n", __func__, seqnum);
1029 
1030         hmac = crypto_alloc_shash(kctx->gk5e->cksum_name, 0, 0);
1031         if (IS_ERR(hmac)) {
1032                 dprintk("%s: error %ld, allocating hash '%s'\n",
1033                         __func__, PTR_ERR(hmac), kctx->gk5e->cksum_name);
1034                 return PTR_ERR(hmac);
1035         }
1036 
1037         desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac),
1038                        GFP_NOFS);
1039         if (!desc) {
1040                 dprintk("%s: failed to allocate shash descriptor for '%s'\n",
1041                         __func__, kctx->gk5e->cksum_name);
1042                 crypto_free_shash(hmac);
1043                 return -ENOMEM;
1044         }
1045 
1046         desc->tfm = hmac;
1047 
1048         /* Compute intermediate Kcrypt from session key */
1049         for (i = 0; i < kctx->gk5e->keylength; i++)
1050                 Kcrypt[i] = kctx->Ksess[i] ^ 0xf0;
1051 
1052         err = crypto_shash_setkey(hmac, Kcrypt, kctx->gk5e->keylength);
1053         if (err)
1054                 goto out_err;
1055 
1056         err = crypto_shash_digest(desc, zeroconstant, 4, Kcrypt);
1057         if (err)
1058                 goto out_err;
1059 
1060         /* Compute final Kcrypt from the seqnum and intermediate Kcrypt */
1061         err = crypto_shash_setkey(hmac, Kcrypt, kctx->gk5e->keylength);
1062         if (err)
1063                 goto out_err;
1064 
1065         seqnumarray[0] = (unsigned char) ((seqnum >> 24) & 0xff);
1066         seqnumarray[1] = (unsigned char) ((seqnum >> 16) & 0xff);
1067         seqnumarray[2] = (unsigned char) ((seqnum >> 8) & 0xff);
1068         seqnumarray[3] = (unsigned char) ((seqnum >> 0) & 0xff);
1069 
1070         err = crypto_shash_digest(desc, seqnumarray, 4, Kcrypt);
1071         if (err)
1072                 goto out_err;
1073 
1074         err = crypto_sync_skcipher_setkey(cipher, Kcrypt,
1075                                           kctx->gk5e->keylength);
1076         if (err)
1077                 goto out_err;
1078 
1079         err = 0;
1080 
1081 out_err:
1082         kzfree(desc);
1083         crypto_free_shash(hmac);
1084         dprintk("%s: returning %d\n", __func__, err);
1085         return err;
1086 }

/* [<][>][^][v][top][bottom][index][help] */