krb5enc.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504
  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * AEAD wrapper for Kerberos 5 RFC3961 simplified profile.
  4. *
  5. * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
  6. * Written by David Howells (dhowells@redhat.com)
  7. *
  8. * Derived from authenc:
  9. * Copyright (c) 2007-2015 Herbert Xu <herbert@gondor.apana.org.au>
  10. */
  11. #include <crypto/internal/aead.h>
  12. #include <crypto/internal/hash.h>
  13. #include <crypto/internal/skcipher.h>
  14. #include <crypto/authenc.h>
  15. #include <crypto/scatterwalk.h>
  16. #include <linux/err.h>
  17. #include <linux/init.h>
  18. #include <linux/kernel.h>
  19. #include <linux/module.h>
  20. #include <linux/rtnetlink.h>
  21. #include <linux/slab.h>
  22. #include <linux/spinlock.h>
  23. struct krb5enc_instance_ctx {
  24. struct crypto_ahash_spawn auth;
  25. struct crypto_skcipher_spawn enc;
  26. unsigned int reqoff;
  27. };
  28. struct krb5enc_ctx {
  29. struct crypto_ahash *auth;
  30. struct crypto_skcipher *enc;
  31. };
  32. struct krb5enc_request_ctx {
  33. struct scatterlist src[2];
  34. struct scatterlist dst[2];
  35. char tail[];
  36. };
  37. static void krb5enc_request_complete(struct aead_request *req, int err)
  38. {
  39. if (err != -EINPROGRESS)
  40. aead_request_complete(req, err);
  41. }
  42. /**
  43. * crypto_krb5enc_extractkeys - Extract Ke and Ki keys from the key blob.
  44. * @keys: Where to put the key sizes and pointers
  45. * @key: Encoded key material
  46. * @keylen: Amount of key material
  47. *
  48. * Decode the key blob we're given. It starts with an rtattr that indicates
  49. * the format and the length. Format CRYPTO_AUTHENC_KEYA_PARAM is:
  50. *
  51. * rtattr || __be32 enckeylen || authkey || enckey
  52. *
  53. * Note that the rtattr is in cpu-endian form, unlike enckeylen. This must be
  54. * handled correctly in static testmgr data.
  55. */
  56. int crypto_krb5enc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
  57. unsigned int keylen)
  58. {
  59. struct rtattr *rta = (struct rtattr *)key;
  60. struct crypto_authenc_key_param *param;
  61. if (!RTA_OK(rta, keylen))
  62. return -EINVAL;
  63. if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
  64. return -EINVAL;
  65. /*
  66. * RTA_OK() didn't align the rtattr's payload when validating that it
  67. * fits in the buffer. Yet, the keys should start on the next 4-byte
  68. * aligned boundary. To avoid confusion, require that the rtattr
  69. * payload be exactly the param struct, which has a 4-byte aligned size.
  70. */
  71. if (RTA_PAYLOAD(rta) != sizeof(*param))
  72. return -EINVAL;
  73. BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
  74. param = RTA_DATA(rta);
  75. keys->enckeylen = be32_to_cpu(param->enckeylen);
  76. key += rta->rta_len;
  77. keylen -= rta->rta_len;
  78. if (keylen < keys->enckeylen)
  79. return -EINVAL;
  80. keys->authkeylen = keylen - keys->enckeylen;
  81. keys->authkey = key;
  82. keys->enckey = key + keys->authkeylen;
  83. return 0;
  84. }
  85. EXPORT_SYMBOL(crypto_krb5enc_extractkeys);
  86. static int krb5enc_setkey(struct crypto_aead *krb5enc, const u8 *key,
  87. unsigned int keylen)
  88. {
  89. struct crypto_authenc_keys keys;
  90. struct krb5enc_ctx *ctx = crypto_aead_ctx(krb5enc);
  91. struct crypto_skcipher *enc = ctx->enc;
  92. struct crypto_ahash *auth = ctx->auth;
  93. unsigned int flags = crypto_aead_get_flags(krb5enc);
  94. int err = -EINVAL;
  95. if (crypto_krb5enc_extractkeys(&keys, key, keylen) != 0)
  96. goto out;
  97. crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
  98. crypto_ahash_set_flags(auth, flags & CRYPTO_TFM_REQ_MASK);
  99. err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
  100. if (err)
  101. goto out;
  102. crypto_skcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
  103. crypto_skcipher_set_flags(enc, flags & CRYPTO_TFM_REQ_MASK);
  104. err = crypto_skcipher_setkey(enc, keys.enckey, keys.enckeylen);
  105. out:
  106. memzero_explicit(&keys, sizeof(keys));
  107. return err;
  108. }
  109. static void krb5enc_encrypt_done(void *data, int err)
  110. {
  111. struct aead_request *req = data;
  112. krb5enc_request_complete(req, err);
  113. }
  114. /*
  115. * Start the encryption of the plaintext. We skip over the associated data as
  116. * that only gets included in the hash.
  117. */
  118. static int krb5enc_dispatch_encrypt(struct aead_request *req,
  119. unsigned int flags)
  120. {
  121. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  122. struct aead_instance *inst = aead_alg_instance(krb5enc);
  123. struct krb5enc_ctx *ctx = crypto_aead_ctx(krb5enc);
  124. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  125. struct krb5enc_request_ctx *areq_ctx = aead_request_ctx(req);
  126. struct crypto_skcipher *enc = ctx->enc;
  127. struct skcipher_request *skreq = (void *)(areq_ctx->tail +
  128. ictx->reqoff);
  129. struct scatterlist *src, *dst;
  130. src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);
  131. if (req->src == req->dst)
  132. dst = src;
  133. else
  134. dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
  135. skcipher_request_set_tfm(skreq, enc);
  136. skcipher_request_set_callback(skreq, aead_request_flags(req),
  137. krb5enc_encrypt_done, req);
  138. skcipher_request_set_crypt(skreq, src, dst, req->cryptlen, req->iv);
  139. return crypto_skcipher_encrypt(skreq);
  140. }
  141. /*
  142. * Insert the hash into the checksum field in the destination buffer directly
  143. * after the encrypted region.
  144. */
  145. static void krb5enc_insert_checksum(struct aead_request *req, u8 *hash)
  146. {
  147. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  148. scatterwalk_map_and_copy(hash, req->dst,
  149. req->assoclen + req->cryptlen,
  150. crypto_aead_authsize(krb5enc), 1);
  151. }
  152. /*
  153. * Upon completion of an asynchronous digest, transfer the hash to the checksum
  154. * field.
  155. */
  156. static void krb5enc_encrypt_ahash_done(void *data, int err)
  157. {
  158. struct aead_request *req = data;
  159. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  160. struct aead_instance *inst = aead_alg_instance(krb5enc);
  161. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  162. struct krb5enc_request_ctx *areq_ctx = aead_request_ctx(req);
  163. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  164. if (err)
  165. return krb5enc_request_complete(req, err);
  166. krb5enc_insert_checksum(req, ahreq->result);
  167. err = krb5enc_dispatch_encrypt(req, 0);
  168. if (err != -EINPROGRESS)
  169. aead_request_complete(req, err);
  170. }
  171. /*
  172. * Start the digest of the plaintext for encryption. In theory, this could be
  173. * run in parallel with the encryption, provided the src and dst buffers don't
  174. * overlap.
  175. */
  176. static int krb5enc_dispatch_encrypt_hash(struct aead_request *req)
  177. {
  178. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  179. struct aead_instance *inst = aead_alg_instance(krb5enc);
  180. struct krb5enc_ctx *ctx = crypto_aead_ctx(krb5enc);
  181. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  182. struct crypto_ahash *auth = ctx->auth;
  183. struct krb5enc_request_ctx *areq_ctx = aead_request_ctx(req);
  184. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  185. u8 *hash = areq_ctx->tail;
  186. int err;
  187. ahash_request_set_callback(ahreq, aead_request_flags(req),
  188. krb5enc_encrypt_ahash_done, req);
  189. ahash_request_set_tfm(ahreq, auth);
  190. ahash_request_set_crypt(ahreq, req->src, hash, req->assoclen + req->cryptlen);
  191. err = crypto_ahash_digest(ahreq);
  192. if (err)
  193. return err;
  194. krb5enc_insert_checksum(req, hash);
  195. return 0;
  196. }
  197. /*
  198. * Process an encryption operation. We can perform the cipher and the hash in
  199. * parallel, provided the src and dst buffers are separate.
  200. */
  201. static int krb5enc_encrypt(struct aead_request *req)
  202. {
  203. int err;
  204. err = krb5enc_dispatch_encrypt_hash(req);
  205. if (err < 0)
  206. return err;
  207. return krb5enc_dispatch_encrypt(req, aead_request_flags(req));
  208. }
  209. static int krb5enc_verify_hash(struct aead_request *req)
  210. {
  211. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  212. struct aead_instance *inst = aead_alg_instance(krb5enc);
  213. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  214. struct krb5enc_request_ctx *areq_ctx = aead_request_ctx(req);
  215. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  216. unsigned int authsize = crypto_aead_authsize(krb5enc);
  217. u8 *calc_hash = areq_ctx->tail;
  218. u8 *msg_hash = areq_ctx->tail + authsize;
  219. scatterwalk_map_and_copy(msg_hash, req->src, ahreq->nbytes, authsize, 0);
  220. if (crypto_memneq(msg_hash, calc_hash, authsize))
  221. return -EBADMSG;
  222. return 0;
  223. }
  224. static void krb5enc_decrypt_hash_done(void *data, int err)
  225. {
  226. struct aead_request *req = data;
  227. if (err)
  228. return krb5enc_request_complete(req, err);
  229. err = krb5enc_verify_hash(req);
  230. krb5enc_request_complete(req, err);
  231. }
  232. /*
  233. * Dispatch the hashing of the plaintext after we've done the decryption.
  234. */
  235. static int krb5enc_dispatch_decrypt_hash(struct aead_request *req)
  236. {
  237. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  238. struct aead_instance *inst = aead_alg_instance(krb5enc);
  239. struct krb5enc_ctx *ctx = crypto_aead_ctx(krb5enc);
  240. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  241. struct krb5enc_request_ctx *areq_ctx = aead_request_ctx(req);
  242. struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
  243. struct crypto_ahash *auth = ctx->auth;
  244. unsigned int authsize = crypto_aead_authsize(krb5enc);
  245. u8 *hash = areq_ctx->tail;
  246. int err;
  247. ahash_request_set_tfm(ahreq, auth);
  248. ahash_request_set_crypt(ahreq, req->dst, hash,
  249. req->assoclen + req->cryptlen - authsize);
  250. ahash_request_set_callback(ahreq, aead_request_flags(req),
  251. krb5enc_decrypt_hash_done, req);
  252. err = crypto_ahash_digest(ahreq);
  253. if (err < 0)
  254. return err;
  255. return krb5enc_verify_hash(req);
  256. }
  257. /*
  258. * Dispatch the decryption of the ciphertext.
  259. */
  260. static int krb5enc_dispatch_decrypt(struct aead_request *req)
  261. {
  262. struct crypto_aead *krb5enc = crypto_aead_reqtfm(req);
  263. struct aead_instance *inst = aead_alg_instance(krb5enc);
  264. struct krb5enc_ctx *ctx = crypto_aead_ctx(krb5enc);
  265. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  266. struct krb5enc_request_ctx *areq_ctx = aead_request_ctx(req);
  267. struct skcipher_request *skreq = (void *)(areq_ctx->tail +
  268. ictx->reqoff);
  269. unsigned int authsize = crypto_aead_authsize(krb5enc);
  270. struct scatterlist *src, *dst;
  271. src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen);
  272. dst = src;
  273. if (req->src != req->dst)
  274. dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
  275. skcipher_request_set_tfm(skreq, ctx->enc);
  276. skcipher_request_set_callback(skreq, aead_request_flags(req),
  277. req->base.complete, req->base.data);
  278. skcipher_request_set_crypt(skreq, src, dst,
  279. req->cryptlen - authsize, req->iv);
  280. return crypto_skcipher_decrypt(skreq);
  281. }
  282. static int krb5enc_decrypt(struct aead_request *req)
  283. {
  284. int err;
  285. err = krb5enc_dispatch_decrypt(req);
  286. if (err < 0)
  287. return err;
  288. return krb5enc_dispatch_decrypt_hash(req);
  289. }
  290. static int krb5enc_init_tfm(struct crypto_aead *tfm)
  291. {
  292. struct aead_instance *inst = aead_alg_instance(tfm);
  293. struct krb5enc_instance_ctx *ictx = aead_instance_ctx(inst);
  294. struct krb5enc_ctx *ctx = crypto_aead_ctx(tfm);
  295. struct crypto_ahash *auth;
  296. struct crypto_skcipher *enc;
  297. int err;
  298. auth = crypto_spawn_ahash(&ictx->auth);
  299. if (IS_ERR(auth))
  300. return PTR_ERR(auth);
  301. enc = crypto_spawn_skcipher(&ictx->enc);
  302. err = PTR_ERR(enc);
  303. if (IS_ERR(enc))
  304. goto err_free_ahash;
  305. ctx->auth = auth;
  306. ctx->enc = enc;
  307. crypto_aead_set_reqsize(
  308. tfm,
  309. sizeof(struct krb5enc_request_ctx) +
  310. ictx->reqoff + /* Space for two checksums */
  311. umax(sizeof(struct ahash_request) + crypto_ahash_reqsize(auth),
  312. sizeof(struct skcipher_request) + crypto_skcipher_reqsize(enc)));
  313. return 0;
  314. err_free_ahash:
  315. crypto_free_ahash(auth);
  316. return err;
  317. }
  318. static void krb5enc_exit_tfm(struct crypto_aead *tfm)
  319. {
  320. struct krb5enc_ctx *ctx = crypto_aead_ctx(tfm);
  321. crypto_free_ahash(ctx->auth);
  322. crypto_free_skcipher(ctx->enc);
  323. }
  324. static void krb5enc_free(struct aead_instance *inst)
  325. {
  326. struct krb5enc_instance_ctx *ctx = aead_instance_ctx(inst);
  327. crypto_drop_skcipher(&ctx->enc);
  328. crypto_drop_ahash(&ctx->auth);
  329. kfree(inst);
  330. }
  331. /*
  332. * Create an instance of a template for a specific hash and cipher pair.
  333. */
  334. static int krb5enc_create(struct crypto_template *tmpl, struct rtattr **tb)
  335. {
  336. struct krb5enc_instance_ctx *ictx;
  337. struct skcipher_alg_common *enc;
  338. struct hash_alg_common *auth;
  339. struct aead_instance *inst;
  340. struct crypto_alg *auth_base;
  341. u32 mask;
  342. int err;
  343. err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
  344. if (err) {
  345. pr_err("attr_type failed\n");
  346. return err;
  347. }
  348. inst = kzalloc(sizeof(*inst) + sizeof(*ictx), GFP_KERNEL);
  349. if (!inst)
  350. return -ENOMEM;
  351. ictx = aead_instance_ctx(inst);
  352. err = crypto_grab_ahash(&ictx->auth, aead_crypto_instance(inst),
  353. crypto_attr_alg_name(tb[1]), 0, mask);
  354. if (err) {
  355. pr_err("grab ahash failed\n");
  356. goto err_free_inst;
  357. }
  358. auth = crypto_spawn_ahash_alg(&ictx->auth);
  359. auth_base = &auth->base;
  360. err = crypto_grab_skcipher(&ictx->enc, aead_crypto_instance(inst),
  361. crypto_attr_alg_name(tb[2]), 0, mask);
  362. if (err) {
  363. pr_err("grab skcipher failed\n");
  364. goto err_free_inst;
  365. }
  366. enc = crypto_spawn_skcipher_alg_common(&ictx->enc);
  367. ictx->reqoff = 2 * auth->digestsize;
  368. err = -ENAMETOOLONG;
  369. if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
  370. "krb5enc(%s,%s)", auth_base->cra_name,
  371. enc->base.cra_name) >=
  372. CRYPTO_MAX_ALG_NAME)
  373. goto err_free_inst;
  374. if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
  375. "krb5enc(%s,%s)", auth_base->cra_driver_name,
  376. enc->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
  377. goto err_free_inst;
  378. inst->alg.base.cra_priority = enc->base.cra_priority * 10 +
  379. auth_base->cra_priority;
  380. inst->alg.base.cra_blocksize = enc->base.cra_blocksize;
  381. inst->alg.base.cra_alignmask = enc->base.cra_alignmask;
  382. inst->alg.base.cra_ctxsize = sizeof(struct krb5enc_ctx);
  383. inst->alg.ivsize = enc->ivsize;
  384. inst->alg.chunksize = enc->chunksize;
  385. inst->alg.maxauthsize = auth->digestsize;
  386. inst->alg.init = krb5enc_init_tfm;
  387. inst->alg.exit = krb5enc_exit_tfm;
  388. inst->alg.setkey = krb5enc_setkey;
  389. inst->alg.encrypt = krb5enc_encrypt;
  390. inst->alg.decrypt = krb5enc_decrypt;
  391. inst->free = krb5enc_free;
  392. err = aead_register_instance(tmpl, inst);
  393. if (err) {
  394. pr_err("ref failed\n");
  395. goto err_free_inst;
  396. }
  397. return 0;
  398. err_free_inst:
  399. krb5enc_free(inst);
  400. return err;
  401. }
  402. static struct crypto_template crypto_krb5enc_tmpl = {
  403. .name = "krb5enc",
  404. .create = krb5enc_create,
  405. .module = THIS_MODULE,
  406. };
  407. static int __init crypto_krb5enc_module_init(void)
  408. {
  409. return crypto_register_template(&crypto_krb5enc_tmpl);
  410. }
  411. static void __exit crypto_krb5enc_module_exit(void)
  412. {
  413. crypto_unregister_template(&crypto_krb5enc_tmpl);
  414. }
  415. module_init(crypto_krb5enc_module_init);
  416. module_exit(crypto_krb5enc_module_exit);
  417. MODULE_LICENSE("GPL");
  418. MODULE_DESCRIPTION("Simple AEAD wrapper for Kerberos 5 RFC3961");
  419. MODULE_ALIAS_CRYPTO("krb5enc");