  1. /*
  2. * linux/net/sunrpc/gss_krb5_crypto.c
  3. *
  4. * Copyright (c) 2000-2008 The Regents of the University of Michigan.
  5. * All rights reserved.
  6. *
  7. * Andy Adamson <andros@umich.edu>
  8. * Bruce Fields <bfields@umich.edu>
  9. */
  10. /*
  11. * Copyright (C) 1998 by the FundsXpress, INC.
  12. *
  13. * All rights reserved.
  14. *
  15. * Export of this software from the United States of America may require
  16. * a specific license from the United States Government. It is the
  17. * responsibility of any person or organization contemplating export to
  18. * obtain such a license before exporting.
  19. *
  20. * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  21. * distribute this software and its documentation for any purpose and
  22. * without fee is hereby granted, provided that the above copyright
  23. * notice appear in all copies and that both that copyright notice and
  24. * this permission notice appear in supporting documentation, and that
  25. * the name of FundsXpress. not be used in advertising or publicity pertaining
  26. * to distribution of the software without specific, written prior
  27. * permission. FundsXpress makes no representations about the suitability of
  28. * this software for any purpose. It is provided "as is" without express
  29. * or implied warranty.
  30. *
  31. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  32. * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  33. * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  34. */
  35. #include <crypto/hash.h>
  36. #include <crypto/skcipher.h>
  37. #include <crypto/utils.h>
  38. #include <linux/err.h>
  39. #include <linux/types.h>
  40. #include <linux/mm.h>
  41. #include <linux/scatterlist.h>
  42. #include <linux/highmem.h>
  43. #include <linux/pagemap.h>
  44. #include <linux/random.h>
  45. #include <linux/sunrpc/gss_krb5.h>
  46. #include <linux/sunrpc/xdr.h>
  47. #include <kunit/visibility.h>
  48. #include "gss_krb5_internal.h"
  49. #if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
  50. # define RPCDBG_FACILITY RPCDBG_AUTH
  51. #endif
/**
 * krb5_make_confounder - Generate a confounder string
 * @p: memory location into which to write the string
 * @conflen: string length to write, in octets
 *
 * RFCs 1964 and 3961 mention only "a random confounder" without going
 * into detail about its function or cryptographic requirements. The
 * assumed purpose is to prevent repeated encryption of a plaintext with
 * the same key from generating the same ciphertext. It is also used to
 * pad minimum plaintext length to at least a single cipher block.
 *
 * However, in situations like the GSS Kerberos 5 mechanism, where the
 * encryption IV is always all zeroes, the confounder also effectively
 * functions like an IV. Thus, not only must it be unique from message
 * to message, but it must also be difficult to predict. Otherwise an
 * attacker can correlate the confounder to previous or future values,
 * making the encryption easier to break.
 *
 * Given that the primary consumer of this encryption mechanism is a
 * network storage protocol, a type of traffic that often carries
 * predictable payloads (eg, all zeroes when reading unallocated blocks
 * from a file), our confounder generation has to be cryptographically
 * strong.
 *
 * The callers in this file pass the cipher's block size as @conflen,
 * so exactly one block of confounder precedes the plaintext.
 */
void krb5_make_confounder(u8 *p, int conflen)
{
	/*
	 * Draw straight from the kernel CSPRNG; no caller-supplied or
	 * sequence-derived value is mixed in. get_random_bytes() has no
	 * return value, so there is nothing to check here.
	 */
	get_random_bytes(p, conflen);
}
/**
 * krb5_encrypt - simple encryption of an RPCSEC GSS payload
 * @tfm: initialized cipher transform
 * @iv: pointer to an IV
 * @in: plaintext to encrypt
 * @out: OUT: ciphertext
 * @length: length of input and output buffers, in bytes
 *
 * @iv may be NULL to force the use of an all-zero IV.
 * The buffer containing the IV must be as large as the
 * cipher's ivsize.
 *
 * @length must be a whole number of cipher blocks, and the cipher's
 * ivsize must fit in GSS_KRB5_MAX_BLOCKSIZE; either violation is
 * reported as -EINVAL and @out is left untouched.
 *
 * Return values:
 *   %0: @in successfully encrypted into @out
 *   negative errno: @in not encrypted
 */
u32
krb5_encrypt(
	struct crypto_sync_skcipher *tfm,
	void * iv,
	void * in,
	void * out,
	int length)
{
	unsigned int ivsize = crypto_sync_skcipher_ivsize(tfm);
	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
	struct scatterlist sg[1];
	u32 ret = -EINVAL;
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);

	/* No padding is applied: only whole blocks can be processed. */
	if (length % crypto_sync_skcipher_blocksize(tfm))
		goto out;

	/* local_iv is fixed-size; refuse a cipher whose IV would not fit. */
	if (ivsize > GSS_KRB5_MAX_BLOCKSIZE) {
		dprintk("RPC: gss_k5encrypt: tfm iv size too large %d\n",
			ivsize);
		goto out;
	}

	/* A NULL @iv leaves local_iv all-zero. */
	if (iv)
		memcpy(local_iv, iv, ivsize);

	/* Work in place in @out so @in is never modified. */
	memcpy(out, in, length);
	sg_init_one(sg, out, length);

	skcipher_request_set_sync_tfm(req, tfm);
	skcipher_request_set_callback(req, 0, NULL, NULL);
	skcipher_request_set_crypt(req, sg, sg, length, local_iv);

	ret = crypto_skcipher_encrypt(req);
	skcipher_request_zero(req);
out:
	dprintk("RPC: krb5_encrypt returns %d\n", ret);
	return ret;
}
/*
 * checksummer - xdr_process_buf() callback that feeds one fragment of
 *		 the message into an in-progress hash
 * @sg: the fragment to digest
 * @data: the struct ahash_request passed through xdr_process_buf()
 *
 * Returns whatever crypto_ahash_update() returns: 0 or a negative errno.
 */
static int
checksummer(struct scatterlist *sg, void *data)
{
	struct ahash_request *hreq = data;
	unsigned int nbytes = sg->length;

	ahash_request_set_crypt(hreq, sg, NULL, nbytes);
	return crypto_ahash_update(hreq);
}
/**
 * gss_krb5_checksum - Compute the MAC for a GSS Wrap or MIC token
 * @tfm: an initialized hash transform
 * @header: pointer to a buffer containing the token header, or NULL
 * @hdrlen: number of octets in @header
 * @body: xdr_buf containing an RPC message (body.len is the message length)
 * @body_offset: byte offset into @body to start checksumming
 * @cksumout: OUT: a buffer to be filled in with the computed HMAC
 *
 * Usually expressed as H = HMAC(K, message)[1..h] .
 *
 * Caller provides the truncation length of the output token (h) in
 * cksumout.len. At most the hash's digest size is ever copied out,
 * whatever cksumout.len says.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Digest computed, @cksumout filled in
 *   %GSS_S_FAILURE: Call failed
 */
u32
gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen,
		  const struct xdr_buf *body, int body_offset,
		  struct xdr_netobj *cksumout)
{
	unsigned int digestsize = crypto_ahash_digestsize(tfm);
	struct ahash_request *req;
	u8 *digest;
	int err;

	digest = kmalloc(digestsize, GFP_KERNEL);
	if (!digest)
		return GSS_S_FAILURE;

	req = ahash_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		err = -ENOMEM;
		goto out_free_digest;
	}
	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);

	err = crypto_ahash_init(req);
	if (err)
		goto out_free_req;

	/*
	 * Per RFC 4121 Section 4.2.4, the checksum is performed over the
	 * data body first, then over the octets in "header".
	 */
	err = xdr_process_buf(body, body_offset, body->len - body_offset,
			      checksummer, req);
	if (err)
		goto out_free_req;
	if (header) {
		struct scatterlist sg[1];

		/* The header is one contiguous fragment: reuse the callback. */
		sg_init_one(sg, header, hdrlen);
		err = checksummer(sg, req);
		if (err)
			goto out_free_req;
	}

	ahash_request_set_crypt(req, NULL, digest, 0);
	err = crypto_ahash_final(req);
	if (err)
		goto out_free_req;

	/* Truncate to the MAC length (h) the caller asked for. */
	memcpy(cksumout->data, digest, min_t(int, cksumout->len, digestsize));

out_free_req:
	ahash_request_free(req);
out_free_digest:
	/* The untruncated digest is keyed material: wipe before freeing. */
	kfree_sensitive(digest);
	return err ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
EXPORT_SYMBOL_IF_KUNIT(gss_krb5_checksum);
/*
 * Per-call state for encryptor(), the xdr_process_buf() callback that
 * krb5_cbc_cts_encrypt() uses for the plain-CBC portion of a message.
 */
struct encryptor_desc {
	/* Chaining IV handed to every skcipher request; starts all-zero. */
	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
	/* Request set up by the caller on the CBC transform. */
	struct skcipher_request *req;
	/* Byte offset into @outbuf of the next fragment to arrive. */
	int pos;
	/* Buffer that receives the ciphertext. */
	struct xdr_buf *outbuf;
	/* Plaintext pages read in place of outbuf->pages for the page-data range. */
	struct page **pages;
	/* Plaintext fragments gathered so far (head, two page ends, tail at most). */
	struct scatterlist infrags[4];
	/* Matching ciphertext destinations, one per entry of infrags. */
	struct scatterlist outfrags[4];
	/* Number of valid entries in infrags/outfrags; never exceeds 4. */
	int fragno;
	/* Bytes gathered in the fragment lists awaiting a whole-block boundary. */
	int fraglen;
};
/*
 * encryptor - xdr_process_buf() callback for CBC encryption of an xdr_buf
 * @sg: the next fragment of desc->outbuf to process
 * @data: the struct encryptor_desc prepared by krb5_cbc_cts_encrypt()
 *
 * Fragments are accumulated in desc->infrags/outfrags until they add up
 * to a whole number of cipher blocks, which are then encrypted with one
 * request. A sub-block remainder is carried over as the first fragment
 * of the next batch. For the page-data range of the buffer the plaintext
 * is read from desc->pages while the ciphertext lands in the buffer's own
 * pages; elsewhere the data is encrypted in place.
 *
 * Return values:
 *   %0: fragment consumed (possibly still buffered)
 *   negative errno: crypto_skcipher_encrypt() failed
 */
static int
encryptor(struct scatterlist *sg, void *data)
{
	struct encryptor_desc *desc = data;
	struct xdr_buf *outbuf = desc->outbuf;
	struct crypto_sync_skcipher *tfm =
		crypto_sync_skcipher_reqtfm(desc->req);
	struct page *in_page;
	int thislen = desc->fraglen + sg->length;
	int fraglen, ret;
	int page_pos;

	/* Worst case is 4 fragments: head, end of page 1, start
	 * of page 2, tail. Anything more is a bug. */
	BUG_ON(desc->fragno > 3);

	/* Position of this fragment relative to the start of the page data. */
	page_pos = desc->pos - outbuf->head[0].iov_len;
	if (page_pos >= 0 && page_pos < outbuf->page_len) {
		/* pages are not in place: */
		int i = (page_pos + outbuf->page_base) >> PAGE_SHIFT;
		in_page = desc->pages[i];
	} else {
		in_page = sg_page(sg);
	}
	sg_set_page(&desc->infrags[desc->fragno], in_page, sg->length,
		    sg->offset);
	sg_set_page(&desc->outfrags[desc->fragno], sg_page(sg), sg->length,
		    sg->offset);
	desc->fragno++;
	desc->fraglen += sg->length;
	desc->pos += sg->length;

	/*
	 * Split off the sub-block remainder. The mask assumes the block
	 * size is a power of two (true for AES; confirm for any new enctype).
	 */
	fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - 1);
	thislen -= fraglen;

	/* Not yet a whole block: keep gathering. */
	if (thislen == 0)
		return 0;

	sg_mark_end(&desc->infrags[desc->fragno - 1]);
	sg_mark_end(&desc->outfrags[desc->fragno - 1]);

	skcipher_request_set_crypt(desc->req, desc->infrags, desc->outfrags,
				   thislen, desc->iv);

	ret = crypto_skcipher_encrypt(desc->req);
	if (ret)
		return ret;

	sg_init_table(desc->infrags, 4);
	sg_init_table(desc->outfrags, 4);

	if (fraglen) {
		/* Carry the unencrypted tail of this fragment into the next batch. */
		sg_set_page(&desc->outfrags[0], sg_page(sg), fraglen,
			    sg->offset + sg->length - fraglen);
		desc->infrags[0] = desc->outfrags[0];
		sg_assign_page(&desc->infrags[0], in_page);
		desc->fragno = 1;
		desc->fraglen = fraglen;
	} else {
		desc->fragno = 0;
		desc->fraglen = 0;
	}
	return 0;
}
/*
 * Per-call state for decryptor(), the xdr_process_buf() callback that
 * krb5_cbc_cts_decrypt() uses for the plain-CBC portion of a message.
 * Decryption is done in place, so one fragment list serves as both
 * source and destination.
 */
struct decryptor_desc {
	/* Chaining IV handed to every skcipher request; starts all-zero. */
	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
	/* Request set up by the caller on the CBC transform. */
	struct skcipher_request *req;
	/* Fragments gathered so far (head, two page ends, tail at most). */
	struct scatterlist frags[4];
	/* Number of valid entries in frags; never exceeds 4. */
	int fragno;
	/* Bytes gathered in frags awaiting a whole-block boundary. */
	int fraglen;
};
/*
 * decryptor - xdr_process_buf() callback for in-place CBC decryption
 * @sg: the next fragment of the buffer to process
 * @data: the struct decryptor_desc prepared by krb5_cbc_cts_decrypt()
 *
 * Mirrors encryptor(): fragments are gathered until they make up a whole
 * number of cipher blocks, those blocks are decrypted with one request,
 * and any sub-block remainder is carried into the next batch.
 *
 * Return values:
 *   %0: fragment consumed (possibly still buffered)
 *   negative errno: crypto_skcipher_decrypt() failed
 */
static int
decryptor(struct scatterlist *sg, void *data)
{
	struct decryptor_desc *desc = data;
	int thislen = desc->fraglen + sg->length;
	struct crypto_sync_skcipher *tfm =
		crypto_sync_skcipher_reqtfm(desc->req);
	int fraglen, ret;

	/* Worst case is 4 fragments: head, end of page 1, start
	 * of page 2, tail. Anything more is a bug. */
	BUG_ON(desc->fragno > 3);
	sg_set_page(&desc->frags[desc->fragno], sg_page(sg), sg->length,
		    sg->offset);
	desc->fragno++;
	desc->fraglen += sg->length;

	/*
	 * Split off the sub-block remainder. The mask assumes the block
	 * size is a power of two (true for AES; confirm for any new enctype).
	 */
	fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - 1);
	thislen -= fraglen;

	/* Not yet a whole block: keep gathering. */
	if (thislen == 0)
		return 0;

	sg_mark_end(&desc->frags[desc->fragno - 1]);

	/* Same list as source and destination: decrypt in place. */
	skcipher_request_set_crypt(desc->req, desc->frags, desc->frags,
				   thislen, desc->iv);

	ret = crypto_skcipher_decrypt(desc->req);
	if (ret)
		return ret;

	sg_init_table(desc->frags, 4);

	if (fraglen) {
		/* Carry the undecrypted tail of this fragment into the next batch. */
		sg_set_page(&desc->frags[0], sg_page(sg), fraglen,
			    sg->offset + sg->length - fraglen);
		desc->fragno = 1;
		desc->fraglen = fraglen;
	} else {
		desc->fragno = 0;
		desc->fraglen = 0;
	}
	return 0;
}
/*
 * xdr_extend_head - open @shiftlen bytes of room in an xdr_buf's head
 * @buf: buffer whose head is extended in place
 * @base: byte offset within the head at which the gap is opened
 * @shiftlen: size of the gap, in bytes
 *
 * This function makes the assumption that it was ultimately called
 * from gss_wrap().
 *
 * The client auth_gss code moves any existing tail data into a
 * separate page before calling gss_wrap.
 * The server svcauth_gss code ensures that both the head and the
 * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
 *
 * Even with that guarantee, this function may be called more than
 * once in the processing of gss_wrap(). The best we can do is
 * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
 * largest expected shift will fit within RPC_MAX_AUTH_SIZE.
 * At run-time we can verify that a single invocation of this
 * function doesn't attempt to use more than RPC_MAX_AUTH_SIZE.
 *
 * The bytes in the gap are left with their previous contents; the
 * caller is expected to fill them. Always returns 0.
 */
int
xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen)
{
	u8 *start;
	unsigned int movelen;

	/* Nothing to shift: leave the buffer exactly as it was. */
	if (!shiftlen)
		return 0;

	/* Callers guarantee this much slack; anything larger is a bug. */
	BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);

	start = (u8 *)buf->head[0].iov_base + base;
	movelen = buf->head[0].iov_len - base;
	memmove(start + shiftlen, start, movelen);

	buf->head[0].iov_len += shiftlen;
	buf->len += shiftlen;
	return 0;
}
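/*
 * gss_krb5_cts_crypt - transform the final (at most two) blocks of a
 *		        message in CBC-CTS mode
 * @cipher: CBC-with-CTS transform
 * @buf: xdr_buf holding the data; the result is written back in place
 * @offset: byte offset into @buf of the span to transform
 * @iv: chaining IV carried over from the plain-CBC portion
 * @pages: plaintext pages to read from when encrypting; unused otherwise
 * @encrypt: non-zero to encrypt, zero to decrypt
 *
 * The span from @offset to the end of @buf is copied into a bounce
 * buffer, transformed, and copied back. Callers arrange for that span
 * to be at most two cipher blocks; a longer span (which also covers an
 * @offset beyond buf->len, since the u32 subtraction wraps) is a
 * programming error rather than a runtime condition, so it is reported
 * once in the log and rejected.
 *
 * Return values:
 *   %0: success
 *   -EINVAL: span longer than two blocks
 *   -ENOMEM: bounce buffer could not be allocated
 *   other negative errno: copy or cipher failure; @buf may be partly modified
 */
static u32
gss_krb5_cts_crypt(struct crypto_sync_skcipher *cipher, struct xdr_buf *buf,
		   u32 offset, u8 *iv, struct page **pages, int encrypt)
{
	struct scatterlist sg[1];
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, cipher);
	struct page **save_pages;
	u32 len = buf->len - offset;
	u8 *data;
	int ret;

	/* A never-firing WARN_ON(0) used to sit here; warn on the real invariant. */
	if (WARN_ON_ONCE(len > GSS_KRB5_MAX_BLOCKSIZE * 2))
		return -EINVAL;

	data = kmalloc(GSS_KRB5_MAX_BLOCKSIZE * 2, GFP_KERNEL);
	if (!data)
		return -ENOMEM;

	/*
	 * For encryption, we want to read from the cleartext
	 * page cache pages, and write the encrypted data to
	 * the supplied xdr_buf pages.
	 */
	save_pages = buf->pages;
	if (encrypt)
		buf->pages = pages;
	ret = read_bytes_from_xdr_buf(buf, offset, data, len);
	buf->pages = save_pages;
	if (ret)
		goto out;

	sg_init_one(sg, data, len);

	skcipher_request_set_sync_tfm(req, cipher);
	skcipher_request_set_callback(req, 0, NULL, NULL);
	skcipher_request_set_crypt(req, sg, sg, len, iv);

	if (encrypt)
		ret = crypto_skcipher_encrypt(req);
	else
		ret = crypto_skcipher_decrypt(req);

	skcipher_request_zero(req);
	if (ret)
		goto out;

	ret = write_bytes_to_xdr_buf(buf, offset, data, len);

#if IS_ENABLED(CONFIG_KUNIT)
	/*
	 * CBC-CTS does not define an output IV but RFC 3962 defines it as the
	 * penultimate block of ciphertext, so copy that into the IV buffer
	 * before returning.
	 */
	if (encrypt)
		memcpy(iv, data, crypto_sync_skcipher_ivsize(cipher));
#endif

out:
	/* The bounce buffer held plaintext on one side or the other. */
	kfree_sensitive(data);
	return ret;
}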
/**
 * krb5_cbc_cts_encrypt - encrypt in CBC mode with CTS
 * @cts_tfm: CBC cipher with CTS
 * @cbc_tfm: base CBC cipher
 * @offset: starting byte offset for plaintext
 * @buf: OUT: output buffer
 * @pages: plaintext
 * @iv: output CBC initialization vector, or NULL
 * @ivsize: size of @iv, in octets
 *
 * To provide confidentiality, encrypt using cipher block chaining
 * with ciphertext stealing. Message integrity is handled separately.
 *
 * All but the last two cipher blocks go through plain CBC via
 * encryptor(); the remainder goes through CBC-CTS, chaining the IV
 * from the first step into the second. The chain starts all-zero.
 *
 * Return values:
 *   %0: encryption successful
 *   negative errno: encryption could not be completed
 */
VISIBLE_IF_KUNIT
int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
			 struct crypto_sync_skcipher *cbc_tfm,
			 u32 offset, struct xdr_buf *buf, struct page **pages,
			 u8 *iv, unsigned int ivsize)
{
	u32 blocksize = crypto_sync_skcipher_blocksize(cts_tfm);
	u32 nbytes = buf->len - offset;
	u32 nblocks = (nbytes + blocksize - 1) / blocksize;
	u32 cbcbytes = nblocks > 2 ? (nblocks - 2) * blocksize : 0;
	/* Zero-initialises iv, fragno and fraglen along with everything else. */
	struct encryptor_desc desc = {
		.pos = offset,
		.pages = pages,
		.outbuf = buf,
	};
	int err;

	/* Handle block-sized chunks of plaintext with CBC. */
	if (cbcbytes) {
		SYNC_SKCIPHER_REQUEST_ON_STACK(req, cbc_tfm);

		desc.req = req;
		skcipher_request_set_sync_tfm(req, cbc_tfm);
		skcipher_request_set_callback(req, 0, NULL, NULL);
		sg_init_table(desc.infrags, 4);
		sg_init_table(desc.outfrags, 4);

		err = xdr_process_buf(buf, offset, cbcbytes, encryptor, &desc);
		skcipher_request_zero(req);
		if (err)
			return err;
	}

	/* Remaining plaintext is handled with CBC-CTS. */
	err = gss_krb5_cts_crypt(cts_tfm, buf, offset + cbcbytes,
				 desc.iv, pages, 1);
	if (err)
		return err;

	/* Only test code asks for the final chaining value. */
	if (unlikely(iv))
		memcpy(iv, desc.iv, ivsize);
	return 0;
}
EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_encrypt);
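/**
 * krb5_cbc_cts_decrypt - decrypt in CBC mode with CTS
 * @cts_tfm: CBC cipher with CTS
 * @cbc_tfm: base CBC cipher
 * @offset: starting byte offset of the ciphertext within @buf
 * @buf: IN: ciphertext; OUT: plaintext, decrypted in place
 *
 * Mirrors krb5_cbc_cts_encrypt(): all but the last two cipher blocks
 * are decrypted with plain CBC via decryptor(), the remainder with
 * CBC-CTS, chaining the IV from the first step into the second. The
 * chain starts all-zero.
 *
 * Both byte counts are measured from @offset so that the CBC/CTS split
 * falls on the same boundary the encryptor used; the callers in this
 * file all pass an @offset of 0, for which nothing changes.
 *
 * Return values:
 *   %0: decryption successful
 *   -EINVAL: @offset lies beyond the end of @buf
 *   negative errno: decryption could not be completed
 */
VISIBLE_IF_KUNIT
int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
			 struct crypto_sync_skcipher *cbc_tfm,
			 u32 offset, struct xdr_buf *buf)
{
	u32 blocksize, nbytes, nblocks, cbcbytes;
	struct decryptor_desc desc;
	int err;

	/* Keep the unsigned subtraction below from wrapping. */
	if (offset > buf->len)
		return -EINVAL;

	blocksize = crypto_sync_skcipher_blocksize(cts_tfm);
	nbytes = buf->len - offset;
	nblocks = (nbytes + blocksize - 1) / blocksize;
	cbcbytes = 0;
	if (nblocks > 2)
		cbcbytes = (nblocks - 2) * blocksize;

	memset(desc.iv, 0, sizeof(desc.iv));

	/* Handle block-sized chunks of ciphertext with CBC. */
	if (cbcbytes) {
		SYNC_SKCIPHER_REQUEST_ON_STACK(req, cbc_tfm);

		desc.fragno = 0;
		desc.fraglen = 0;
		desc.req = req;

		skcipher_request_set_sync_tfm(req, cbc_tfm);
		skcipher_request_set_callback(req, 0, NULL, NULL);
		sg_init_table(desc.frags, 4);

		err = xdr_process_buf(buf, offset, cbcbytes, decryptor, &desc);
		skcipher_request_zero(req);
		if (err)
			return err;
	}

	/* Remaining ciphertext is handled with CBC-CTS. */
	return gss_krb5_cts_crypt(cts_tfm, buf, offset + cbcbytes, desc.iv,
				  NULL, 0);
}
EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_decrypt);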
/**
 * gss_krb5_aes_encrypt - Encrypt a GSS Wrap token, legacy (non-EtM) AES form
 * @kctx: Kerberos context
 * @offset: starting offset of the GSS token header, in bytes
 * @buf: OUT: send buffer to contain the encrypted payload
 * @pages: plaintext payload
 *
 * A one-block confounder is inserted after the token header, a copy of
 * the header is appended to the tail, and confounder | plaintext |
 * header copy is encrypted with CBC-CTS. The HMAC is computed over that
 * same span *before* encryption (i.e. over confounder and plaintext)
 * and appended in the clear. krb5_etm_encrypt() is the RFC 8009
 * variant that MACs the ciphertext instead.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Encryption successful
 *   %GSS_S_FAILURE: Encryption failed
 */
u32
gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
		     struct xdr_buf *buf, struct page **pages)
{
	u32 err;
	struct xdr_netobj hmac;
	u8 *ecptr;
	struct crypto_sync_skcipher *cipher, *aux_cipher;
	struct crypto_ahash *ahash;
	struct page **save_pages;
	unsigned int conflen;

	/* Initiator and acceptor hold separate key material. */
	if (kctx->initiate) {
		cipher = kctx->initiator_enc;
		aux_cipher = kctx->initiator_enc_aux;
		ahash = kctx->initiator_integ;
	} else {
		cipher = kctx->acceptor_enc;
		aux_cipher = kctx->acceptor_enc_aux;
		ahash = kctx->acceptor_integ;
	}
	/* The confounder is exactly one cipher block. */
	conflen = crypto_sync_skcipher_blocksize(cipher);

	/* hide the gss token header and insert the confounder */
	offset += GSS_KRB5_TOK_HDR_LEN;
	if (xdr_extend_head(buf, offset, conflen))
		return GSS_S_FAILURE;
	krb5_make_confounder(buf->head[0].iov_base + offset, conflen);
	offset -= GSS_KRB5_TOK_HDR_LEN;

	/* Locate (or create) the tail that receives the header copy and HMAC. */
	if (buf->tail[0].iov_base != NULL) {
		ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
	} else {
		buf->tail[0].iov_base = buf->head[0].iov_base
							+ buf->head[0].iov_len;
		buf->tail[0].iov_len = 0;
		ecptr = buf->tail[0].iov_base;
	}

	/* copy plaintext gss token header after filler (if any) */
	memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
	buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
	buf->len += GSS_KRB5_TOK_HDR_LEN;

	/* The HMAC lands directly after the header copy, past buf->len. */
	hmac.len = kctx->gk5e->cksumlength;
	hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;

	/*
	 * When we are called, pages points to the real page cache
	 * data -- which we can't go and encrypt! buf->pages points
	 * to scratch pages which we are going to send off to the
	 * client/server. Swap in the plaintext pages to calculate
	 * the hmac.
	 */
	save_pages = buf->pages;
	buf->pages = pages;
	err = gss_krb5_checksum(ahash, NULL, 0, buf,
				offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
	buf->pages = save_pages;
	if (err)
		return GSS_S_FAILURE;

	/*
	 * Encrypt from the confounder through the header copy. The HMAC
	 * sits beyond buf->len, so it is not covered and stays in the clear.
	 */
	err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
				   offset + GSS_KRB5_TOK_HDR_LEN,
				   buf, pages, NULL, 0);
	if (err)
		return GSS_S_FAILURE;

	/* Now update buf to account for HMAC */
	buf->tail[0].iov_len += kctx->gk5e->cksumlength;
	buf->len += kctx->gk5e->cksumlength;
	return GSS_S_COMPLETE;
}
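/**
 * gss_krb5_aes_decrypt - Decrypt a GSS Wrap token, legacy (non-EtM) AES form
 * @kctx: Kerberos context
 * @offset: starting offset of the GSS token header, in bytes
 * @len: end of the ciphertext plus HMAC, as a byte offset into @buf
 * @buf: ciphertext to unwrap; decrypted in place
 * @headskip: OUT: the enctype's confounder length, in octets
 * @tailskip: OUT: the enctype's HMAC length, in octets
 *
 * The HMAC covers the plaintext, so the ciphertext has to be decrypted
 * before it can be verified; see krb5_etm_decrypt() for the
 * verify-then-decrypt variant. A token too short to hold its header
 * and HMAC is rejected up front, before the unsigned length arithmetic
 * could wrap.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Decryption successful
 *   %GSS_S_BAD_SIG: computed HMAC != received HMAC
 *   %GSS_S_FAILURE: Decryption failed, or the token is malformed
 */
u32
gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
		     struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
{
	struct crypto_sync_skcipher *cipher, *aux_cipher;
	struct crypto_ahash *ahash;
	struct xdr_netobj our_hmac_obj;
	u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
	unsigned int cksumlen = kctx->gk5e->cksumlength;
	struct xdr_buf subbuf;
	u32 ret = 0;

	/* Peer's key material: the roles are reversed relative to encrypt. */
	if (kctx->initiate) {
		cipher = kctx->acceptor_enc;
		aux_cipher = kctx->acceptor_enc_aux;
		ahash = kctx->acceptor_integ;
	} else {
		cipher = kctx->initiator_enc;
		aux_cipher = kctx->initiator_enc_aux;
		ahash = kctx->initiator_integ;
	}

	/*
	 * @len is presumably derived from the received token; make sure
	 * the span holds at least a header and an HMAC before subtracting.
	 */
	if (len < offset || len - offset < GSS_KRB5_TOK_HDR_LEN + cksumlen) {
		ret = GSS_S_FAILURE;
		goto out_err;
	}

	/* create a segment skipping the header and leaving out the checksum */
	if (xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
			       len - offset - GSS_KRB5_TOK_HDR_LEN - cksumlen)) {
		/* The requested span does not fit inside @buf. */
		ret = GSS_S_FAILURE;
		goto out_err;
	}

	ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, 0, &subbuf);
	if (ret)
		goto out_err;

	our_hmac_obj.len = cksumlen;
	our_hmac_obj.data = our_hmac;
	ret = gss_krb5_checksum(ahash, NULL, 0, &subbuf, 0, &our_hmac_obj);
	if (ret)
		goto out_err;

	/* Get the packet's hmac value */
	ret = read_bytes_from_xdr_buf(buf, len - cksumlen, pkt_hmac, cksumlen);
	if (ret)
		goto out_err;

	/* crypto_memneq() rather than memcmp(): no timing leak on the MAC. */
	if (crypto_memneq(pkt_hmac, our_hmac, cksumlen) != 0) {
		ret = GSS_S_BAD_SIG;
		goto out_err;
	}
	*headskip = crypto_sync_skcipher_blocksize(cipher);
	*tailskip = cksumlen;
out_err:
	/* Collapse every error other than a MAC mismatch into GSS_S_FAILURE. */
	if (ret && ret != GSS_S_BAD_SIG)
		ret = GSS_S_FAILURE;
	return ret;
}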
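/**
 * krb5_etm_checksum - Compute a MAC for a GSS Wrap token
 * @cipher: an initialized cipher transform
 * @tfm: an initialized hash transform
 * @body: xdr_buf containing an RPC message (body.len is the message length)
 * @body_offset: byte offset into @body to start checksumming
 * @cksumout: OUT: a buffer to be filled in with the computed HMAC
 *
 * Usually expressed as H = HMAC(K, IV | ciphertext)[1..h] .
 *
 * Caller provides the truncation length of the output token (h) in
 * cksumout.len. As in gss_krb5_checksum(), never more than the hash's
 * digest size is copied out, whatever cksumout.len says.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Digest computed, @cksumout filled in
 *   %GSS_S_FAILURE: Call failed
 */
VISIBLE_IF_KUNIT
u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
		      struct crypto_ahash *tfm, const struct xdr_buf *body,
		      int body_offset, struct xdr_netobj *cksumout)
{
	unsigned int ivsize = crypto_sync_skcipher_ivsize(cipher);
	unsigned int digestsize = crypto_ahash_digestsize(tfm);
	struct ahash_request *req;
	struct scatterlist sg[1];
	u8 *iv, *checksumdata;
	int err = -ENOMEM;

	checksumdata = kmalloc(digestsize, GFP_KERNEL);
	if (!checksumdata)
		return GSS_S_FAILURE;
	/* For RPCSEC, the "initial cipher state" is always all zeroes. */
	iv = kzalloc(ivsize, GFP_KERNEL);
	if (!iv)
		goto out_free_mem;

	req = ahash_request_alloc(tfm, GFP_KERNEL);
	if (!req)
		goto out_free_mem;
	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
	err = crypto_ahash_init(req);
	if (err)
		goto out_free_ahash;

	/* The IV is hashed first, then the ciphertext body. */
	sg_init_one(sg, iv, ivsize);
	ahash_request_set_crypt(req, sg, NULL, ivsize);
	err = crypto_ahash_update(req);
	if (err)
		goto out_free_ahash;
	err = xdr_process_buf(body, body_offset, body->len - body_offset,
			      checksummer, req);
	if (err)
		goto out_free_ahash;

	ahash_request_set_crypt(req, NULL, checksumdata, 0);
	err = crypto_ahash_final(req);
	if (err)
		goto out_free_ahash;

	/* Bound the copy by the digest size; checksumdata is no larger. */
	memcpy(cksumout->data, checksumdata,
	       min_t(unsigned int, cksumout->len, digestsize));

out_free_ahash:
	ahash_request_free(req);
out_free_mem:
	kfree(iv);
	/* The untruncated digest is keyed material: wipe before freeing. */
	kfree_sensitive(checksumdata);
	return err ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
EXPORT_SYMBOL_IF_KUNIT(krb5_etm_checksum);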
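/**
 * krb5_etm_encrypt - Encrypt using the RFC 8009 rules
 * @kctx: Kerberos context
 * @offset: starting offset of the payload, in bytes
 * @buf: OUT: send buffer to contain the encrypted payload
 * @pages: plaintext payload
 *
 * The main difference with aes_encrypt is that "The HMAC is
 * calculated over the cipher state concatenated with the AES
 * output, instead of being calculated over the confounder and
 * plaintext. This allows the message receiver to verify the
 * integrity of the message before decrypting the message."
 *
 * RFC 8009 Section 5:
 *
 *	encryption function: as follows, where E() is AES encryption in
 *	CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or
 *	192 bits as described above).
 *
 *	N = random value of length 128 bits (the AES block size)
 *	IV = cipher state
 *	C = E(Ke, N | plaintext, IV)
 *	H = HMAC(Ki, IV | C)
 *	ciphertext = C | H[1..h]
 *
 * This encryption formula provides AEAD EtM with key separation.
 *
 * Every failure is reported the same way, so each check returns
 * GSS_S_FAILURE directly rather than via a label.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Encryption successful
 *   %GSS_S_FAILURE: Encryption failed
 */
u32
krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset,
		 struct xdr_buf *buf, struct page **pages)
{
	struct crypto_sync_skcipher *cipher, *aux_cipher;
	struct crypto_ahash *ahash;
	struct xdr_netobj hmac;
	unsigned int conflen;
	u8 *ecptr;
	u32 err;

	/* Initiator and acceptor hold separate key material. */
	if (kctx->initiate) {
		cipher = kctx->initiator_enc;
		aux_cipher = kctx->initiator_enc_aux;
		ahash = kctx->initiator_integ;
	} else {
		cipher = kctx->acceptor_enc;
		aux_cipher = kctx->acceptor_enc_aux;
		ahash = kctx->acceptor_integ;
	}
	/* N is one cipher block long. */
	conflen = crypto_sync_skcipher_blocksize(cipher);

	/* hide the gss token header and insert the confounder */
	offset += GSS_KRB5_TOK_HDR_LEN;
	if (xdr_extend_head(buf, offset, conflen))
		return GSS_S_FAILURE;
	krb5_make_confounder(buf->head[0].iov_base + offset, conflen);
	offset -= GSS_KRB5_TOK_HDR_LEN;

	/* Locate (or create) the tail that receives the header copy and HMAC. */
	if (buf->tail[0].iov_base) {
		ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
	} else {
		buf->tail[0].iov_base = buf->head[0].iov_base
							+ buf->head[0].iov_len;
		buf->tail[0].iov_len = 0;
		ecptr = buf->tail[0].iov_base;
	}

	/* copy plaintext gss token header after filler (if any) */
	memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
	buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
	buf->len += GSS_KRB5_TOK_HDR_LEN;

	/* C = E(Ke, N | plaintext | header copy, IV), in place up to buf->len */
	err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
				   offset + GSS_KRB5_TOK_HDR_LEN,
				   buf, pages, NULL, 0);
	if (err)
		return GSS_S_FAILURE;

	/* H = HMAC(Ki, IV | C), written directly after the ciphertext */
	hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;
	hmac.len = kctx->gk5e->cksumlength;
	err = krb5_etm_checksum(cipher, ahash,
				buf, offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
	if (err)
		return GSS_S_FAILURE;

	/* Now update buf to account for HMAC */
	buf->tail[0].iov_len += kctx->gk5e->cksumlength;
	buf->len += kctx->gk5e->cksumlength;
	return GSS_S_COMPLETE;
}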
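/**
 * krb5_etm_decrypt - Decrypt using the RFC 8009 rules
 * @kctx: Kerberos context
 * @offset: starting offset of the ciphertext, in bytes
 * @len: size of ciphertext to unwrap
 * @buf: ciphertext to unwrap
 * @headskip: OUT: the enctype's confounder length, in octets
 * @tailskip: OUT: the enctype's HMAC length, in octets
 *
 * RFC 8009 Section 5:
 *
 *	decryption function: as follows, where D() is AES decryption in
 *	CBC-CS3 mode, and h is the size of truncated HMAC.
 *
 *	(C, H) = ciphertext
 *	(Note: H is the last h bits of the ciphertext.)
 *	IV = cipher state
 *	if H != HMAC(Ki, IV | C)[1..h]
 *		stop, report error
 *	(N, P) = D(Ke, C, IV)
 *
 * A token too short to hold its header and HMAC, or whose ciphertext
 * span does not fit inside @buf, is rejected before any cryptographic
 * work is done.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Decryption successful
 *   %GSS_S_BAD_SIG: computed HMAC != received HMAC
 *   %GSS_S_FAILURE: Decryption failed, or the token is malformed
 */
u32
krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
		 struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
{
	struct crypto_sync_skcipher *cipher, *aux_cipher;
	u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
	unsigned int cksumlen = kctx->gk5e->cksumlength;
	struct xdr_netobj our_hmac_obj;
	struct crypto_ahash *ahash;
	struct xdr_buf subbuf;
	u32 ret = 0;

	/* Peer's key material: the roles are reversed relative to encrypt. */
	if (kctx->initiate) {
		cipher = kctx->acceptor_enc;
		aux_cipher = kctx->acceptor_enc_aux;
		ahash = kctx->acceptor_integ;
	} else {
		cipher = kctx->initiator_enc;
		aux_cipher = kctx->initiator_enc_aux;
		ahash = kctx->initiator_integ;
	}

	/*
	 * @len is presumably derived from the received token; make sure
	 * the span holds at least a header and an HMAC before subtracting.
	 */
	if (len < offset || len - offset < GSS_KRB5_TOK_HDR_LEN + cksumlen) {
		ret = GSS_S_FAILURE;
		goto out_err;
	}

	/* Extract the ciphertext into @subbuf. */
	if (xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
			       len - offset - GSS_KRB5_TOK_HDR_LEN - cksumlen)) {
		/* The requested span does not fit inside @buf. */
		ret = GSS_S_FAILURE;
		goto out_err;
	}

	/* Verify H against HMAC(Ki, IV | C) before touching the ciphertext. */
	our_hmac_obj.data = our_hmac;
	our_hmac_obj.len = cksumlen;
	ret = krb5_etm_checksum(cipher, ahash, &subbuf, 0, &our_hmac_obj);
	if (ret)
		goto out_err;
	ret = read_bytes_from_xdr_buf(buf, len - cksumlen, pkt_hmac, cksumlen);
	if (ret)
		goto out_err;
	/* crypto_memneq() rather than memcmp(): no timing leak on the MAC. */
	if (crypto_memneq(pkt_hmac, our_hmac, cksumlen) != 0) {
		ret = GSS_S_BAD_SIG;
		goto out_err;
	}

	/* (N, P) = D(Ke, C, IV) */
	ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, 0, &subbuf);
	if (ret)
		goto out_err;

	*headskip = crypto_sync_skcipher_blocksize(cipher);
	*tailskip = cksumlen;
	return GSS_S_COMPLETE;

out_err:
	/* Collapse every error other than a MAC mismatch into GSS_S_FAILURE. */
	if (ret != GSS_S_BAD_SIG)
		ret = GSS_S_FAILURE;
	return ret;
}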