  1. /* SPDX-License-Identifier: GPL-2.0-or-later */
  2. /* Kerberos 5 crypto
  3. *
  4. * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
  5. * Written by David Howells (dhowells@redhat.com)
  6. */
  7. #ifndef _CRYPTO_KRB5_H
  8. #define _CRYPTO_KRB5_H
  9. #include <linux/crypto.h>
  10. #include <crypto/aead.h>
  11. #include <crypto/hash.h>
  12. struct crypto_shash;
  13. struct scatterlist;
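/*
 * Per Kerberos v5 protocol spec crypto types from the wire.  These get mapped
 * to linux kernel crypto routines.
 *
 * NOTE(review): a number being listed here does not by itself show that
 * crypto_krb5_find_enctype() has a definition for it; confirm against the
 * enctype table in the implementation.
 *
 * The single-DES types and ARCFOUR_HMAC_EXP were deprecated by RFC 6649, and
 * DES3_CBC_SHA1 and ARCFOUR_HMAC by RFC 8429.  Code that takes an enctype
 * number from a peer should refuse those rather than fall back to them.
 */
#define KRB5_ENCTYPE_NULL			0x0000
#define KRB5_ENCTYPE_DES_CBC_CRC		0x0001	/* DES cbc mode with CRC-32 */
#define KRB5_ENCTYPE_DES_CBC_MD4		0x0002	/* DES cbc mode with RSA-MD4 */
#define KRB5_ENCTYPE_DES_CBC_MD5		0x0003	/* DES cbc mode with RSA-MD5 */
#define KRB5_ENCTYPE_DES_CBC_RAW		0x0004	/* DES cbc mode raw */
/* XXX deprecated?  Older DES/3DES numbers; treat as legacy. */
#define KRB5_ENCTYPE_DES3_CBC_SHA		0x0005	/* DES-3 cbc mode with NIST-SHA */
#define KRB5_ENCTYPE_DES3_CBC_RAW		0x0006	/* DES-3 cbc mode raw */
#define KRB5_ENCTYPE_DES_HMAC_SHA1		0x0008
#define KRB5_ENCTYPE_DES3_CBC_SHA1		0x0010
/* AES with HMAC-SHA1 (RFC 3962) */
#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96	0x0011
#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96	0x0012
/* AES with HMAC-SHA2 (RFC 8009) */
#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128	0x0013
#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192	0x0014
/* RC4; see the deprecation note at the top of this list */
#define KRB5_ENCTYPE_ARCFOUR_HMAC		0x0017
#define KRB5_ENCTYPE_ARCFOUR_HMAC_EXP		0x0018
/* Camellia with CMAC (RFC 6803) */
#define KRB5_ENCTYPE_CAMELLIA128_CTS_CMAC	0x0019
#define KRB5_ENCTYPE_CAMELLIA256_CTS_CMAC	0x001a
/* Placeholder for an enctype number that is not recognised */
#define KRB5_ENCTYPE_UNKNOWN			0x01ff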
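/*
 * Checksum type numbers as they appear on the wire.
 *
 * CRC32 and the bare RSA_MD4/RSA_MD5 entries are not named as keyed by
 * anything (no DES/HMAC/CMAC in the name); a caller that needs integrity
 * against an active attacker should only accept keyed types.  struct
 * krb5_enctype records this per enctype in its keyed_cksum field.
 */
#define KRB5_CKSUMTYPE_CRC32			0x0001
#define KRB5_CKSUMTYPE_RSA_MD4			0x0002
#define KRB5_CKSUMTYPE_RSA_MD4_DES		0x0003
#define KRB5_CKSUMTYPE_DESCBC			0x0004
#define KRB5_CKSUMTYPE_RSA_MD5			0x0007
#define KRB5_CKSUMTYPE_RSA_MD5_DES		0x0008
#define KRB5_CKSUMTYPE_NIST_SHA			0x0009
#define KRB5_CKSUMTYPE_HMAC_SHA1_DES3		0x000c
#define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES128	0x000f
#define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES256	0x0010
#define KRB5_CKSUMTYPE_CMAC_CAMELLIA128		0x0011
#define KRB5_CKSUMTYPE_CMAC_CAMELLIA256		0x0012
#define KRB5_CKSUMTYPE_HMAC_SHA256_128_AES128	0x0013
#define KRB5_CKSUMTYPE_HMAC_SHA384_192_AES256	0x0014
/*
 * Negative, so it only fits a signed type (struct krb5_enctype keeps ctype
 * as int).  Parenthesised so the sign stays attached wherever it expands.
 */
#define KRB5_CKSUMTYPE_HMAC_MD5_ARCFOUR		(-138) /* Microsoft md5 hmac cksumtype */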
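/*
 * Constants used for key derivation
 *
 * In RFC 3961 the key usage number is followed by one of these octets to
 * form the derivation constant for each of the three per-usage keys:
 * 0x99 for Kc (checksum), 0xAA for Ke (encryption), 0x55 for Ki (integrity).
 */
/* from rfc3961 */
#define KEY_USAGE_SEED_CHECKSUM		(0x99)
#define KEY_USAGE_SEED_ENCRYPTION	(0xAA)
#define KEY_USAGE_SEED_INTEGRITY	(0x55)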
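/*
 * Standard Kerberos error codes.
 *
 * The value is negative and outside the errno range.  It is parenthesised so
 * the sign stays attached wherever the macro expands.
 * NOTE(review): how this code is returned alongside -Exxx values is not
 * visible in this header; confirm at the call sites.
 */
#define KRB5_PROG_KEYTYPE_NOSUPP	(-1765328233)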
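/*
 * Mode of operation.
 *
 * Passed to the buffer-geometry helpers declared in this header
 * (crypto_krb5_how_much_buffer() and friends) to select which message layout
 * is being asked about.
 */
enum krb5_crypto_mode {
	KRB5_CHECKSUM_MODE,	/* Checksum only */
	KRB5_ENCRYPT_MODE,	/* Fully encrypted, possibly with integrity checksum */
};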
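/*
 * Length-tagged pointer to a run of bytes (keys, seeds, metadata).
 *
 * len is an unsigned int while the rest of the API deals in size_t, so a
 * caller filling this in from a size_t must check that the value fits.
 * Nothing in this header says who owns or frees data; when it holds key
 * material the owner should wipe it (e.g. memzero_explicit()) before release.
 */
struct krb5_buffer {
	unsigned int	len;	/* Number of bytes at data */
	void		*data;	/* Start of the bytes; ownership not defined here */
};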
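/*
 * Kerberos encoding type definition.
 *
 * One of these describes a single enctype: its wire numbers, the names of
 * the crypto algorithms used for it, and the sizes of the keys and of the
 * message parts.  crypto_krb5_find_enctype() returns a const pointer to one
 * and every other call in this header takes it as its first argument.
 *
 * NOTE(review): the *_name strings are presumably what gets handed to the
 * crypto API allocators; confirm in krb5_api.c.
 */
struct krb5_enctype {
	int		etype;		/* Encryption (key) type */
	int		ctype;		/* Checksum type */
	const char	*name;		/* "Friendly" name */
	const char	*encrypt_name;	/* Crypto encrypt+checksum name */
	const char	*cksum_name;	/* Crypto checksum name */
	const char	*hash_name;	/* Crypto hash name */
	const char	*derivation_enc; /* Cipher used in key derivation */
	u16		block_len;	/* Length of encryption block */
	u16		conf_len;	/* Length of confounder (normally == block_len) */
	u16		cksum_len;	/* Length of checksum */
	u16		key_bytes;	/* Length of raw key, in bytes */
	u16		key_len;	/* Length of final key, in bytes */
	u16		hash_len;	/* Length of hash in bytes */
	u16		prf_len;	/* Length of PRF() result in bytes */
	u16		Kc_len;		/* Length of Kc in bytes */
	u16		Ke_len;		/* Length of Ke in bytes */
	u16		Ki_len;		/* Length of Ki in bytes */
	bool		keyed_cksum;	/* T if a keyed cksum */

	/* Per-enctype operations; the type is declared outside this header */
	const struct krb5_crypto_profile *profile;

	/* Turns the bytes in @in into a key in @out; returns an int status */
	int (*random_to_key)(const struct krb5_enctype *krb5,
			     const struct krb5_buffer *in,
			     struct krb5_buffer *out); /* complete key generation */
};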
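/*
 * krb5_api.c
 *
 * Parameters whose names start with an underscore (_offset, _len,
 * _buffer_size) are pointers the callee can write through.
 * NOTE(review): failure conventions (NULL vs ERR_PTR(), 0 vs negative errno)
 * are not stated in this header; confirm in krb5_api.c before relying on them.
 */

/*
 * Look up the definition for a protocol enctype number.  The argument is u32
 * although struct krb5_enctype stores etype as int.  Callers must handle the
 * lookup failing for a number they received from a peer.
 */
const struct krb5_enctype *crypto_krb5_find_enctype(u32 enctype);

/*
 * Geometry helpers: translate between a payload size and the size and layout
 * of the message buffer that carries it in the given mode.
 */
size_t crypto_krb5_how_much_buffer(const struct krb5_enctype *krb5,
				   enum krb5_crypto_mode mode,
				   size_t data_size, size_t *_offset);
size_t crypto_krb5_how_much_data(const struct krb5_enctype *krb5,
				 enum krb5_crypto_mode mode,
				 size_t *_buffer_size, size_t *_offset);
void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
				   enum krb5_crypto_mode mode,
				   size_t *_offset, size_t *_len);

/*
 * Build a crypto transform from the key in @TK for the given key usage.
 * @TK holds secret key material; the header does not say whether the callee
 * keeps a reference to it, so the caller remains responsible for wiping its
 * own copy once it is no longer needed.
 */
struct crypto_aead *crypto_krb5_prepare_encryption(const struct krb5_enctype *krb5,
						   const struct krb5_buffer *TK,
						   u32 usage, gfp_t gfp);
struct crypto_shash *crypto_krb5_prepare_checksum(const struct krb5_enctype *krb5,
						  const struct krb5_buffer *TK,
						  u32 usage, gfp_t gfp);

/*
 * Encrypt the data found at @data_offset/@data_len within the scatterlist.
 * NOTE(review): @preconfounded presumably means the caller has already
 * written the confounder; if so, the caller must fill it with fresh random
 * bytes for every message.
 */
ssize_t crypto_krb5_encrypt(const struct krb5_enctype *krb5,
			    struct crypto_aead *aead,
			    struct scatterlist *sg, unsigned int nr_sg,
			    size_t sg_len,
			    size_t data_offset, size_t data_len,
			    bool preconfounded);

/*
 * Decrypt a message.  The int return is the only failure signal visible
 * here: on anything other than success the caller must not consume the
 * buffer contents or the values left in *_offset and *_len.
 */
int crypto_krb5_decrypt(const struct krb5_enctype *krb5,
			struct crypto_aead *aead,
			struct scatterlist *sg, unsigned int nr_sg,
			size_t *_offset, size_t *_len);

/* Generate a MIC over @metadata and the data in the scatterlist. */
ssize_t crypto_krb5_get_mic(const struct krb5_enctype *krb5,
			    struct crypto_shash *shash,
			    const struct krb5_buffer *metadata,
			    struct scatterlist *sg, unsigned int nr_sg,
			    size_t sg_len,
			    size_t data_offset, size_t data_len);

/*
 * Verify a MIC.  As with crypto_krb5_decrypt(), the return value must be
 * checked before the data is trusted or *_offset and *_len are used.
 */
int crypto_krb5_verify_mic(const struct krb5_enctype *krb5,
			   struct crypto_shash *shash,
			   const struct krb5_buffer *metadata,
			   struct scatterlist *sg, unsigned int nr_sg,
			   size_t *_offset, size_t *_len);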
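/*
 * krb5_kdf.c
 */

/*
 * Compute PRF+ for the enctype: takes a key @K, a length @L and an input
 * string @S, and delivers the output through @result.
 * NOTE(review): this looks like the PRF+ construction of RFC 6113 with @L as
 * the wanted output length; who allocates and frees result->data is not
 * stated here.  The output is key material and should be wiped before it is
 * released.
 */
int crypto_krb5_calc_PRFplus(const struct krb5_enctype *krb5,
			     const struct krb5_buffer *K,
			     unsigned int L,
			     const struct krb5_buffer *S,
			     struct krb5_buffer *result,
			     gfp_t gfp);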
  150. #endif /* _CRYPTO_KRB5_H */