1 /* 2 * linux/net/sunrpc/gss_krb5_crypto.c 3 * 4 * Copyright (c) 2000-2008 The Regents of the University of Michigan. 5 * All rights reserved. 6 * 7 * Andy Adamson <andros@umich.edu> 8 * Bruce Fields <bfields@umich.edu> 9 */ 10 11 /* 12 * Copyright (C) 1998 by the FundsXpress, INC. 13 * 14 * All rights reserved. 15 * 16 * Export of this software from the United States of America may require 17 * a specific license from the United States Government. It is the 18 * responsibility of any person or organization contemplating export to 19 * obtain such a license before exporting. 20 * 21 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 22 * distribute this software and its documentation for any purpose and 23 * without fee is hereby granted, provided that the above copyright 24 * notice appear in all copies and that both that copyright notice and 25 * this permission notice appear in supporting documentation, and that 26 * the name of FundsXpress. not be used in advertising or publicity pertaining 27 * to distribution of the software without specific, written prior 28 * permission. FundsXpress makes no representations about the suitability of 29 * this software for any purpose. It is provided "as is" without express 30 * or implied warranty. 31 * 32 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 34 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 35 */ 36 37 #include <crypto/algapi.h> 38 #include <crypto/hash.h> 39 #include <crypto/skcipher.h> 40 #include <linux/err.h> 41 #include <linux/types.h> 42 #include <linux/mm.h> 43 #include <linux/scatterlist.h> 44 #include <linux/highmem.h> 45 #include <linux/pagemap.h> 46 #include <linux/random.h> 47 #include <linux/sunrpc/gss_krb5.h> 48 #include <linux/sunrpc/xdr.h> 49 50 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 51 # define RPCDBG_FACILITY RPCDBG_AUTH 52 #endif 53 54 u32 55 krb5_encrypt( 56 struct crypto_skcipher *tfm, 57 void * iv, 58 void * in, 59 void * out, 60 int length) 61 { 62 u32 ret = -EINVAL; 63 struct scatterlist sg[1]; 64 u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0}; 65 SKCIPHER_REQUEST_ON_STACK(req, tfm); 66 67 if (length % crypto_skcipher_blocksize(tfm) != 0) 68 goto out; 69 70 if (crypto_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) { 71 dprintk("RPC: gss_k5encrypt: tfm iv size too large %d\n", 72 crypto_skcipher_ivsize(tfm)); 73 goto out; 74 } 75 76 if (iv) 77 memcpy(local_iv, iv, crypto_skcipher_ivsize(tfm)); 78 79 memcpy(out, in, length); 80 sg_init_one(sg, out, length); 81 82 skcipher_request_set_tfm(req, tfm); 83 skcipher_request_set_callback(req, 0, NULL, NULL); 84 skcipher_request_set_crypt(req, sg, sg, length, local_iv); 85 86 ret = crypto_skcipher_encrypt(req); 87 skcipher_request_zero(req); 88 out: 89 dprintk("RPC: krb5_encrypt returns %d\n", ret); 90 return ret; 91 } 92 93 u32 94 krb5_decrypt( 95 struct crypto_skcipher *tfm, 96 void * iv, 97 void * in, 98 void * out, 99 int length) 100 { 101 u32 ret = -EINVAL; 102 struct scatterlist sg[1]; 103 u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0}; 104 SKCIPHER_REQUEST_ON_STACK(req, tfm); 105 106 if (length % crypto_skcipher_blocksize(tfm) != 0) 107 goto out; 108 109 if (crypto_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) { 110 dprintk("RPC: gss_k5decrypt: tfm iv size too large %d\n", 111 crypto_skcipher_ivsize(tfm)); 112 goto out; 113 } 114 if (iv) 115 memcpy(local_iv,iv, crypto_skcipher_ivsize(tfm)); 116 117 memcpy(out, in, length); 118 sg_init_one(sg, out, length); 119 120 skcipher_request_set_tfm(req, tfm); 121 skcipher_request_set_callback(req, 0, NULL, NULL); 122 skcipher_request_set_crypt(req, sg, sg, length, local_iv); 123 124 ret = crypto_skcipher_decrypt(req); 125 skcipher_request_zero(req); 126 out: 127 dprintk("RPC: gss_k5decrypt returns %d\n",ret); 128 return ret; 129 } 130 131 static int 132 checksummer(struct scatterlist *sg, void *data) 133 { 134 struct ahash_request *req = data; 135 136 ahash_request_set_crypt(req, sg, NULL, sg->length); 137 138 return crypto_ahash_update(req); 139 } 140 141 static int 142 arcfour_hmac_md5_usage_to_salt(unsigned int usage, u8 salt[4]) 143 { 144 unsigned int ms_usage; 145 146 switch (usage) { 147 case KG_USAGE_SIGN: 148 ms_usage = 15; 149 break; 150 case KG_USAGE_SEAL: 151 ms_usage = 13; 152 break; 153 default: 154 return -EINVAL; 155 } 156 salt[0] = (ms_usage >> 0) & 0xff; 157 salt[1] = (ms_usage >> 8) & 0xff; 158 salt[2] = (ms_usage >> 16) & 0xff; 159 salt[3] = (ms_usage >> 24) & 0xff; 160 161 return 0; 162 } 163 164 static u32 165 make_checksum_hmac_md5(struct krb5_ctx *kctx, char *header, int hdrlen, 166 struct xdr_buf *body, int body_offset, u8 *cksumkey, 167 unsigned int usage, struct xdr_netobj *cksumout) 168 { 169 struct scatterlist sg[1]; 170 int err = -1; 171 u8 *checksumdata; 172 u8 rc4salt[4]; 173 struct crypto_ahash *md5; 174 struct crypto_ahash *hmac_md5; 175 struct ahash_request *req; 176 177 if (cksumkey == NULL) 178 return GSS_S_FAILURE; 179 180 if (cksumout->len < kctx->gk5e->cksumlength) { 181 dprintk("%s: checksum buffer length, %u, too small for %s\n", 182 __func__, cksumout->len, kctx->gk5e->name); 183 return GSS_S_FAILURE; 184 } 185 186 if (arcfour_hmac_md5_usage_to_salt(usage, rc4salt)) { 187 dprintk("%s: invalid usage value %u\n", __func__, usage); 188 return GSS_S_FAILURE; 189 } 190 191 checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS); 192 if (!checksumdata) 193 return GSS_S_FAILURE; 194 195 md5 = crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC); 196 if (IS_ERR(md5)) 197 goto out_free_cksum; 198 199 hmac_md5 = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, 200 CRYPTO_ALG_ASYNC); 201 if (IS_ERR(hmac_md5)) 202 goto out_free_md5; 203 204 req = ahash_request_alloc(md5, GFP_NOFS); 205 if (!req) 206 goto out_free_hmac_md5; 207 208 ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); 209 210 err = crypto_ahash_init(req); 211 if (err) 212 goto out; 213 sg_init_one(sg, rc4salt, 4); 214 ahash_request_set_crypt(req, sg, NULL, 4); 215 err = crypto_ahash_update(req); 216 if (err) 217 goto out; 218 219 sg_init_one(sg, header, hdrlen); 220 ahash_request_set_crypt(req, sg, NULL, hdrlen); 221 err = crypto_ahash_update(req); 222 if (err) 223 goto out; 224 err = xdr_process_buf(body, body_offset, body->len - body_offset, 225 checksummer, req); 226 if (err) 227 goto out; 228 ahash_request_set_crypt(req, NULL, checksumdata, 0); 229 err = crypto_ahash_final(req); 230 if (err) 231 goto out; 232 233 ahash_request_free(req); 234 req = ahash_request_alloc(hmac_md5, GFP_NOFS); 235 if (!req) 236 goto out_free_hmac_md5; 237 238 ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); 239 240 err = crypto_ahash_init(req); 241 if (err) 242 goto out; 243 err = crypto_ahash_setkey(hmac_md5, cksumkey, kctx->gk5e->keylength); 244 if (err) 245 goto out; 246 247 sg_init_one(sg, checksumdata, crypto_ahash_digestsize(md5)); 248 ahash_request_set_crypt(req, sg, checksumdata, 249 crypto_ahash_digestsize(md5)); 250 err = crypto_ahash_digest(req); 251 if (err) 252 goto out; 253 254 memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength); 255 cksumout->len = kctx->gk5e->cksumlength; 256 out: 257 ahash_request_free(req); 258 out_free_hmac_md5: 259 crypto_free_ahash(hmac_md5); 260 out_free_md5: 261 crypto_free_ahash(md5); 262 out_free_cksum: 263 kfree(checksumdata); 264 return err ? GSS_S_FAILURE : 0; 265 } 266 267 /* 268 * checksum the plaintext data and hdrlen bytes of the token header 269 * The checksum is performed over the first 8 bytes of the 270 * gss token header and then over the data body 271 */ 272 u32 273 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, 274 struct xdr_buf *body, int body_offset, u8 *cksumkey, 275 unsigned int usage, struct xdr_netobj *cksumout) 276 { 277 struct crypto_ahash *tfm; 278 struct ahash_request *req; 279 struct scatterlist sg[1]; 280 int err = -1; 281 u8 *checksumdata; 282 unsigned int checksumlen; 283 284 if (kctx->gk5e->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR) 285 return make_checksum_hmac_md5(kctx, header, hdrlen, 286 body, body_offset, 287 cksumkey, usage, cksumout); 288 289 if (cksumout->len < kctx->gk5e->cksumlength) { 290 dprintk("%s: checksum buffer length, %u, too small for %s\n", 291 __func__, cksumout->len, kctx->gk5e->name); 292 return GSS_S_FAILURE; 293 } 294 295 checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS); 296 if (checksumdata == NULL) 297 return GSS_S_FAILURE; 298 299 tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC); 300 if (IS_ERR(tfm)) 301 goto out_free_cksum; 302 303 req = ahash_request_alloc(tfm, GFP_NOFS); 304 if (!req) 305 goto out_free_ahash; 306 307 ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); 308 309 checksumlen = crypto_ahash_digestsize(tfm); 310 311 if (cksumkey != NULL) { 312 err = crypto_ahash_setkey(tfm, cksumkey, 313 kctx->gk5e->keylength); 314 if (err) 315 goto out; 316 } 317 318 err = crypto_ahash_init(req); 319 if (err) 320 goto out; 321 sg_init_one(sg, header, hdrlen); 322 ahash_request_set_crypt(req, sg, NULL, hdrlen); 323 err = crypto_ahash_update(req); 324 if (err) 325 goto out; 326 err = xdr_process_buf(body, body_offset, body->len - body_offset, 327 checksummer, req); 328 if (err) 329 goto out; 330 ahash_request_set_crypt(req, NULL, checksumdata, 0); 331 err = crypto_ahash_final(req); 332 if (err) 333 goto out; 334 335 switch (kctx->gk5e->ctype) { 336 case CKSUMTYPE_RSA_MD5: 337 err = kctx->gk5e->encrypt(kctx->seq, NULL, checksumdata, 338 checksumdata, checksumlen); 339 if (err) 340 goto out; 341 memcpy(cksumout->data, 342 checksumdata + checksumlen - kctx->gk5e->cksumlength, 343 kctx->gk5e->cksumlength); 344 break; 345 case CKSUMTYPE_HMAC_SHA1_DES3: 346 memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength); 347 break; 348 default: 349 BUG(); 350 break; 351 } 352 cksumout->len = kctx->gk5e->cksumlength; 353 out: 354 ahash_request_free(req); 355 out_free_ahash: 356 crypto_free_ahash(tfm); 357 out_free_cksum: 358 kfree(checksumdata); 359 return err ? GSS_S_FAILURE : 0; 360 } 361 362 /* 363 * checksum the plaintext data and hdrlen bytes of the token header 364 * Per rfc4121, sec. 4.2.4, the checksum is performed over the data 365 * body then over the first 16 octets of the MIC token 366 * Inclusion of the header data in the calculation of the 367 * checksum is optional. 368 */ 369 u32 370 make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen, 371 struct xdr_buf *body, int body_offset, u8 *cksumkey, 372 unsigned int usage, struct xdr_netobj *cksumout) 373 { 374 struct crypto_ahash *tfm; 375 struct ahash_request *req; 376 struct scatterlist sg[1]; 377 int err = -1; 378 u8 *checksumdata; 379 unsigned int checksumlen; 380 381 if (kctx->gk5e->keyed_cksum == 0) { 382 dprintk("%s: expected keyed hash for %s\n", 383 __func__, kctx->gk5e->name); 384 return GSS_S_FAILURE; 385 } 386 if (cksumkey == NULL) { 387 dprintk("%s: no key supplied for %s\n", 388 __func__, kctx->gk5e->name); 389 return GSS_S_FAILURE; 390 } 391 392 checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_NOFS); 393 if (!checksumdata) 394 return GSS_S_FAILURE; 395 396 tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC); 397 if (IS_ERR(tfm)) 398 goto out_free_cksum; 399 checksumlen = crypto_ahash_digestsize(tfm); 400 401 req = ahash_request_alloc(tfm, GFP_NOFS); 402 if (!req) 403 goto out_free_ahash; 404 405 ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); 406 407 err = crypto_ahash_setkey(tfm, cksumkey, kctx->gk5e->keylength); 408 if (err) 409 goto out; 410 411 err = crypto_ahash_init(req); 412 if (err) 413 goto out; 414 err = xdr_process_buf(body, body_offset, body->len - body_offset, 415 checksummer, req); 416 if (err) 417 goto out; 418 if (header != NULL) { 419 sg_init_one(sg, header, hdrlen); 420 ahash_request_set_crypt(req, sg, NULL, hdrlen); 421 err = crypto_ahash_update(req); 422 if (err) 423 goto out; 424 } 425 ahash_request_set_crypt(req, NULL, checksumdata, 0); 426 err = crypto_ahash_final(req); 427 if (err) 428 goto out; 429 430 cksumout->len = kctx->gk5e->cksumlength; 431 432 switch (kctx->gk5e->ctype) { 433 case CKSUMTYPE_HMAC_SHA1_96_AES128: 434 case CKSUMTYPE_HMAC_SHA1_96_AES256: 435 /* note that this truncates the hash */ 436 memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength); 437 break; 438 default: 439 BUG(); 440 break; 441 } 442 out: 443 ahash_request_free(req); 444 out_free_ahash: 445 crypto_free_ahash(tfm); 446 out_free_cksum: 447 kfree(checksumdata); 448 return err ? GSS_S_FAILURE : 0; 449 } 450 451 struct encryptor_desc { 452 u8 iv[GSS_KRB5_MAX_BLOCKSIZE]; 453 struct skcipher_request *req; 454 int pos; 455 struct xdr_buf *outbuf; 456 struct page **pages; 457 struct scatterlist infrags[4]; 458 struct scatterlist outfrags[4]; 459 int fragno; 460 int fraglen; 461 }; 462 463 static int 464 encryptor(struct scatterlist *sg, void *data) 465 { 466 struct encryptor_desc *desc = data; 467 struct xdr_buf *outbuf = desc->outbuf; 468 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(desc->req); 469 struct page *in_page; 470 int thislen = desc->fraglen + sg->length; 471 int fraglen, ret; 472 int page_pos; 473 474 /* Worst case is 4 fragments: head, end of page 1, start 475 * of page 2, tail. Anything more is a bug. */ 476 BUG_ON(desc->fragno > 3); 477 478 page_pos = desc->pos - outbuf->head[0].iov_len; 479 if (page_pos >= 0 && page_pos < outbuf->page_len) { 480 /* pages are not in place: */ 481 int i = (page_pos + outbuf->page_base) >> PAGE_SHIFT; 482 in_page = desc->pages[i]; 483 } else { 484 in_page = sg_page(sg); 485 } 486 sg_set_page(&desc->infrags[desc->fragno], in_page, sg->length, 487 sg->offset); 488 sg_set_page(&desc->outfrags[desc->fragno], sg_page(sg), sg->length, 489 sg->offset); 490 desc->fragno++; 491 desc->fraglen += sg->length; 492 desc->pos += sg->length; 493 494 fraglen = thislen & (crypto_skcipher_blocksize(tfm) - 1); 495 thislen -= fraglen; 496 497 if (thislen == 0) 498 return 0; 499 500 sg_mark_end(&desc->infrags[desc->fragno - 1]); 501 sg_mark_end(&desc->outfrags[desc->fragno - 1]); 502 503 skcipher_request_set_crypt(desc->req, desc->infrags, desc->outfrags, 504 thislen, desc->iv); 505 506 ret = crypto_skcipher_encrypt(desc->req); 507 if (ret) 508 return ret; 509 510 sg_init_table(desc->infrags, 4); 511 sg_init_table(desc->outfrags, 4); 512 513 if (fraglen) { 514 sg_set_page(&desc->outfrags[0], sg_page(sg), fraglen, 515 sg->offset + sg->length - fraglen); 516 desc->infrags[0] = desc->outfrags[0]; 517 sg_assign_page(&desc->infrags[0], in_page); 518 desc->fragno = 1; 519 desc->fraglen = fraglen; 520 } else { 521 desc->fragno = 0; 522 desc->fraglen = 0; 523 } 524 return 0; 525 } 526 527 int 528 gss_encrypt_xdr_buf(struct crypto_skcipher *tfm, struct xdr_buf *buf, 529 int offset, struct page **pages) 530 { 531 int ret; 532 struct encryptor_desc desc; 533 SKCIPHER_REQUEST_ON_STACK(req, tfm); 534 535 BUG_ON((buf->len - offset) % crypto_skcipher_blocksize(tfm) != 0); 536 537 skcipher_request_set_tfm(req, tfm); 538 skcipher_request_set_callback(req, 0, NULL, NULL); 539 540 memset(desc.iv, 0, sizeof(desc.iv)); 541 desc.req = req; 542 desc.pos = offset; 543 desc.outbuf = buf; 544 desc.pages = pages; 545 desc.fragno = 0; 546 desc.fraglen = 0; 547 548 sg_init_table(desc.infrags, 4); 549 sg_init_table(desc.outfrags, 4); 550 551 ret = xdr_process_buf(buf, offset, buf->len - offset, encryptor, &desc); 552 skcipher_request_zero(req); 553 return ret; 554 } 555 556 struct decryptor_desc { 557 u8 iv[GSS_KRB5_MAX_BLOCKSIZE]; 558 struct skcipher_request *req; 559 struct scatterlist frags[4]; 560 int fragno; 561 int fraglen; 562 }; 563 564 static int 565 decryptor(struct scatterlist *sg, void *data) 566 { 567 struct decryptor_desc *desc = data; 568 int thislen = desc->fraglen + sg->length; 569 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(desc->req); 570 int fraglen, ret; 571 572 /* Worst case is 4 fragments: head, end of page 1, start 573 * of page 2, tail. Anything more is a bug. */ 574 BUG_ON(desc->fragno > 3); 575 sg_set_page(&desc->frags[desc->fragno], sg_page(sg), sg->length, 576 sg->offset); 577 desc->fragno++; 578 desc->fraglen += sg->length; 579 580 fraglen = thislen & (crypto_skcipher_blocksize(tfm) - 1); 581 thislen -= fraglen; 582 583 if (thislen == 0) 584 return 0; 585 586 sg_mark_end(&desc->frags[desc->fragno - 1]); 587 588 skcipher_request_set_crypt(desc->req, desc->frags, desc->frags, 589 thislen, desc->iv); 590 591 ret = crypto_skcipher_decrypt(desc->req); 592 if (ret) 593 return ret; 594 595 sg_init_table(desc->frags, 4); 596 597 if (fraglen) { 598 sg_set_page(&desc->frags[0], sg_page(sg), fraglen, 599 sg->offset + sg->length - fraglen); 600 desc->fragno = 1; 601 desc->fraglen = fraglen; 602 } else { 603 desc->fragno = 0; 604 desc->fraglen = 0; 605 } 606 return 0; 607 } 608 609 int 610 gss_decrypt_xdr_buf(struct crypto_skcipher *tfm, struct xdr_buf *buf, 611 int offset) 612 { 613 int ret; 614 struct decryptor_desc desc; 615 SKCIPHER_REQUEST_ON_STACK(req, tfm); 616 617 /* XXXJBF: */ 618 BUG_ON((buf->len - offset) % crypto_skcipher_blocksize(tfm) != 0); 619 620 skcipher_request_set_tfm(req, tfm); 621 skcipher_request_set_callback(req, 0, NULL, NULL); 622 623 memset(desc.iv, 0, sizeof(desc.iv)); 624 desc.req = req; 625 desc.fragno = 0; 626 desc.fraglen = 0; 627 628 sg_init_table(desc.frags, 4); 629 630 ret = xdr_process_buf(buf, offset, buf->len - offset, decryptor, &desc); 631 skcipher_request_zero(req); 632 return ret; 633 } 634 635 /* 636 * This function makes the assumption that it was ultimately called 637 * from gss_wrap(). 638 * 639 * The client auth_gss code moves any existing tail data into a 640 * separate page before calling gss_wrap. 641 * The server svcauth_gss code ensures that both the head and the 642 * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap. 643 * 644 * Even with that guarantee, this function may be called more than 645 * once in the processing of gss_wrap(). The best we can do is 646 * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the 647 * largest expected shift will fit within RPC_MAX_AUTH_SIZE. 648 * At run-time we can verify that a single invocation of this 649 * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE. 650 */ 651 652 int 653 xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen) 654 { 655 u8 *p; 656 657 if (shiftlen == 0) 658 return 0; 659 660 BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE); 661 BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE); 662 663 p = buf->head[0].iov_base + base; 664 665 memmove(p + shiftlen, p, buf->head[0].iov_len - base); 666 667 buf->head[0].iov_len += shiftlen; 668 buf->len += shiftlen; 669 670 return 0; 671 } 672 673 static u32 674 gss_krb5_cts_crypt(struct crypto_skcipher *cipher, struct xdr_buf *buf, 675 u32 offset, u8 *iv, struct page **pages, int encrypt) 676 { 677 u32 ret; 678 struct scatterlist sg[1]; 679 SKCIPHER_REQUEST_ON_STACK(req, cipher); 680 u8 *data; 681 struct page **save_pages; 682 u32 len = buf->len - offset; 683 684 if (len > GSS_KRB5_MAX_BLOCKSIZE * 2) { 685 WARN_ON(0); 686 return -ENOMEM; 687 } 688 data = kmalloc(GSS_KRB5_MAX_BLOCKSIZE * 2, GFP_NOFS); 689 if (!data) 690 return -ENOMEM; 691 692 /* 693 * For encryption, we want to read from the cleartext 694 * page cache pages, and write the encrypted data to 695 * the supplied xdr_buf pages. 696 */ 697 save_pages = buf->pages; 698 if (encrypt) 699 buf->pages = pages; 700 701 ret = read_bytes_from_xdr_buf(buf, offset, data, len); 702 buf->pages = save_pages; 703 if (ret) 704 goto out; 705 706 sg_init_one(sg, data, len); 707 708 skcipher_request_set_tfm(req, cipher); 709 skcipher_request_set_callback(req, 0, NULL, NULL); 710 skcipher_request_set_crypt(req, sg, sg, len, iv); 711 712 if (encrypt) 713 ret = crypto_skcipher_encrypt(req); 714 else 715 ret = crypto_skcipher_decrypt(req); 716 717 skcipher_request_zero(req); 718 719 if (ret) 720 goto out; 721 722 ret = write_bytes_to_xdr_buf(buf, offset, data, len); 723 724 out: 725 kfree(data); 726 return ret; 727 } 728 729 u32 730 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, 731 struct xdr_buf *buf, struct page **pages) 732 { 733 u32 err; 734 struct xdr_netobj hmac; 735 u8 *cksumkey; 736 u8 *ecptr; 737 struct crypto_skcipher *cipher, *aux_cipher; 738 int blocksize; 739 struct page **save_pages; 740 int nblocks, nbytes; 741 struct encryptor_desc desc; 742 u32 cbcbytes; 743 unsigned int usage; 744 745 if (kctx->initiate) { 746 cipher = kctx->initiator_enc; 747 aux_cipher = kctx->initiator_enc_aux; 748 cksumkey = kctx->initiator_integ; 749 usage = KG_USAGE_INITIATOR_SEAL; 750 } else { 751 cipher = kctx->acceptor_enc; 752 aux_cipher = kctx->acceptor_enc_aux; 753 cksumkey = kctx->acceptor_integ; 754 usage = KG_USAGE_ACCEPTOR_SEAL; 755 } 756 blocksize = crypto_skcipher_blocksize(cipher); 757 758 /* hide the gss token header and insert the confounder */ 759 offset += GSS_KRB5_TOK_HDR_LEN; 760 if (xdr_extend_head(buf, offset, kctx->gk5e->conflen)) 761 return GSS_S_FAILURE; 762 gss_krb5_make_confounder(buf->head[0].iov_base + offset, kctx->gk5e->conflen); 763 offset -= GSS_KRB5_TOK_HDR_LEN; 764 765 if (buf->tail[0].iov_base != NULL) { 766 ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len; 767 } else { 768 buf->tail[0].iov_base = buf->head[0].iov_base 769 + buf->head[0].iov_len; 770 buf->tail[0].iov_len = 0; 771 ecptr = buf->tail[0].iov_base; 772 } 773 774 /* copy plaintext gss token header after filler (if any) */ 775 memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN); 776 buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN; 777 buf->len += GSS_KRB5_TOK_HDR_LEN; 778 779 /* Do the HMAC */ 780 hmac.len = GSS_KRB5_MAX_CKSUM_LEN; 781 hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len; 782 783 /* 784 * When we are called, pages points to the real page cache 785 * data -- which we can't go and encrypt! buf->pages points 786 * to scratch pages which we are going to send off to the 787 * client/server. Swap in the plaintext pages to calculate 788 * the hmac. 789 */ 790 save_pages = buf->pages; 791 buf->pages = pages; 792 793 err = make_checksum_v2(kctx, NULL, 0, buf, 794 offset + GSS_KRB5_TOK_HDR_LEN, 795 cksumkey, usage, &hmac); 796 buf->pages = save_pages; 797 if (err) 798 return GSS_S_FAILURE; 799 800 nbytes = buf->len - offset - GSS_KRB5_TOK_HDR_LEN; 801 nblocks = (nbytes + blocksize - 1) / blocksize; 802 cbcbytes = 0; 803 if (nblocks > 2) 804 cbcbytes = (nblocks - 2) * blocksize; 805 806 memset(desc.iv, 0, sizeof(desc.iv)); 807 808 if (cbcbytes) { 809 SKCIPHER_REQUEST_ON_STACK(req, aux_cipher); 810 811 desc.pos = offset + GSS_KRB5_TOK_HDR_LEN; 812 desc.fragno = 0; 813 desc.fraglen = 0; 814 desc.pages = pages; 815 desc.outbuf = buf; 816 desc.req = req; 817 818 skcipher_request_set_tfm(req, aux_cipher); 819 skcipher_request_set_callback(req, 0, NULL, NULL); 820 821 sg_init_table(desc.infrags, 4); 822 sg_init_table(desc.outfrags, 4); 823 824 err = xdr_process_buf(buf, offset + GSS_KRB5_TOK_HDR_LEN, 825 cbcbytes, encryptor, &desc); 826 skcipher_request_zero(req); 827 if (err) 828 goto out_err; 829 } 830 831 /* Make sure IV carries forward from any CBC results. */ 832 err = gss_krb5_cts_crypt(cipher, buf, 833 offset + GSS_KRB5_TOK_HDR_LEN + cbcbytes, 834 desc.iv, pages, 1); 835 if (err) { 836 err = GSS_S_FAILURE; 837 goto out_err; 838 } 839 840 /* Now update buf to account for HMAC */ 841 buf->tail[0].iov_len += kctx->gk5e->cksumlength; 842 buf->len += kctx->gk5e->cksumlength; 843 844 out_err: 845 if (err) 846 err = GSS_S_FAILURE; 847 return err; 848 } 849 850 u32 851 gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, 852 u32 *headskip, u32 *tailskip) 853 { 854 struct xdr_buf subbuf; 855 u32 ret = 0; 856 u8 *cksum_key; 857 struct crypto_skcipher *cipher, *aux_cipher; 858 struct xdr_netobj our_hmac_obj; 859 u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN]; 860 u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN]; 861 int nblocks, blocksize, cbcbytes; 862 struct decryptor_desc desc; 863 unsigned int usage; 864 865 if (kctx->initiate) { 866 cipher = kctx->acceptor_enc; 867 aux_cipher = kctx->acceptor_enc_aux; 868 cksum_key = kctx->acceptor_integ; 869 usage = KG_USAGE_ACCEPTOR_SEAL; 870 } else { 871 cipher = kctx->initiator_enc; 872 aux_cipher = kctx->initiator_enc_aux; 873 cksum_key = kctx->initiator_integ; 874 usage = KG_USAGE_INITIATOR_SEAL; 875 } 876 blocksize = crypto_skcipher_blocksize(cipher); 877 878 879 /* create a segment skipping the header and leaving out the checksum */ 880 xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN, 881 (buf->len - offset - GSS_KRB5_TOK_HDR_LEN - 882 kctx->gk5e->cksumlength)); 883 884 nblocks = (subbuf.len + blocksize - 1) / blocksize; 885 886 cbcbytes = 0; 887 if (nblocks > 2) 888 cbcbytes = (nblocks - 2) * blocksize; 889 890 memset(desc.iv, 0, sizeof(desc.iv)); 891 892 if (cbcbytes) { 893 SKCIPHER_REQUEST_ON_STACK(req, aux_cipher); 894 895 desc.fragno = 0; 896 desc.fraglen = 0; 897 desc.req = req; 898 899 skcipher_request_set_tfm(req, aux_cipher); 900 skcipher_request_set_callback(req, 0, NULL, NULL); 901 902 sg_init_table(desc.frags, 4); 903 904 ret = xdr_process_buf(&subbuf, 0, cbcbytes, decryptor, &desc); 905 skcipher_request_zero(req); 906 if (ret) 907 goto out_err; 908 } 909 910 /* Make sure IV carries forward from any CBC results. */ 911 ret = gss_krb5_cts_crypt(cipher, &subbuf, cbcbytes, desc.iv, NULL, 0); 912 if (ret) 913 goto out_err; 914 915 916 /* Calculate our hmac over the plaintext data */ 917 our_hmac_obj.len = sizeof(our_hmac); 918 our_hmac_obj.data = our_hmac; 919 920 ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0, 921 cksum_key, usage, &our_hmac_obj); 922 if (ret) 923 goto out_err; 924 925 /* Get the packet's hmac value */ 926 ret = read_bytes_from_xdr_buf(buf, buf->len - kctx->gk5e->cksumlength, 927 pkt_hmac, kctx->gk5e->cksumlength); 928 if (ret) 929 goto out_err; 930 931 if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) { 932 ret = GSS_S_BAD_SIG; 933 goto out_err; 934 } 935 *headskip = kctx->gk5e->conflen; 936 *tailskip = kctx->gk5e->cksumlength; 937 out_err: 938 if (ret && ret != GSS_S_BAD_SIG) 939 ret = GSS_S_FAILURE; 940 return ret; 941 } 942 943 /* 944 * Compute Kseq given the initial session key and the checksum. 945 * Set the key of the given cipher. 946 */ 947 int 948 krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher, 949 unsigned char *cksum) 950 { 951 struct crypto_shash *hmac; 952 struct shash_desc *desc; 953 u8 Kseq[GSS_KRB5_MAX_KEYLEN]; 954 u32 zeroconstant = 0; 955 int err; 956 957 dprintk("%s: entered\n", __func__); 958 959 hmac = crypto_alloc_shash(kctx->gk5e->cksum_name, 0, 0); 960 if (IS_ERR(hmac)) { 961 dprintk("%s: error %ld, allocating hash '%s'\n", 962 __func__, PTR_ERR(hmac), kctx->gk5e->cksum_name); 963 return PTR_ERR(hmac); 964 } 965 966 desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac), 967 GFP_NOFS); 968 if (!desc) { 969 dprintk("%s: failed to allocate shash descriptor for '%s'\n", 970 __func__, kctx->gk5e->cksum_name); 971 crypto_free_shash(hmac); 972 return -ENOMEM; 973 } 974 975 desc->tfm = hmac; 976 desc->flags = 0; 977 978 /* Compute intermediate Kseq from session key */ 979 err = crypto_shash_setkey(hmac, kctx->Ksess, kctx->gk5e->keylength); 980 if (err) 981 goto out_err; 982 983 err = crypto_shash_digest(desc, (u8 *)&zeroconstant, 4, Kseq); 984 if (err) 985 goto out_err; 986 987 /* Compute final Kseq from the checksum and intermediate Kseq */ 988 err = crypto_shash_setkey(hmac, Kseq, kctx->gk5e->keylength); 989 if (err) 990 goto out_err; 991 992 err = crypto_shash_digest(desc, cksum, 8, Kseq); 993 if (err) 994 goto out_err; 995 996 err = crypto_skcipher_setkey(cipher, Kseq, kctx->gk5e->keylength); 997 if (err) 998 goto out_err; 999 1000 err = 0; 1001 1002 out_err: 1003 kzfree(desc); 1004 crypto_free_shash(hmac); 1005 dprintk("%s: returning %d\n", __func__, err); 1006 return err; 1007 } 1008 1009 /* 1010 * Compute Kcrypt given the initial session key and the plaintext seqnum. 1011 * Set the key of cipher kctx->enc. 1012 */ 1013 int 1014 krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, struct crypto_skcipher *cipher, 1015 s32 seqnum) 1016 { 1017 struct crypto_shash *hmac; 1018 struct shash_desc *desc; 1019 u8 Kcrypt[GSS_KRB5_MAX_KEYLEN]; 1020 u8 zeroconstant[4] = {0}; 1021 u8 seqnumarray[4]; 1022 int err, i; 1023 1024 dprintk("%s: entered, seqnum %u\n", __func__, seqnum); 1025 1026 hmac = crypto_alloc_shash(kctx->gk5e->cksum_name, 0, 0); 1027 if (IS_ERR(hmac)) { 1028 dprintk("%s: error %ld, allocating hash '%s'\n", 1029 __func__, PTR_ERR(hmac), kctx->gk5e->cksum_name); 1030 return PTR_ERR(hmac); 1031 } 1032 1033 desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(hmac), 1034 GFP_NOFS); 1035 if (!desc) { 1036 dprintk("%s: failed to allocate shash descriptor for '%s'\n", 1037 __func__, kctx->gk5e->cksum_name); 1038 crypto_free_shash(hmac); 1039 return -ENOMEM; 1040 } 1041 1042 desc->tfm = hmac; 1043 desc->flags = 0; 1044 1045 /* Compute intermediate Kcrypt from session key */ 1046 for (i = 0; i < kctx->gk5e->keylength; i++) 1047 Kcrypt[i] = kctx->Ksess[i] ^ 0xf0; 1048 1049 err = crypto_shash_setkey(hmac, Kcrypt, kctx->gk5e->keylength); 1050 if (err) 1051 goto out_err; 1052 1053 err = crypto_shash_digest(desc, zeroconstant, 4, Kcrypt); 1054 if (err) 1055 goto out_err; 1056 1057 /* Compute final Kcrypt from the seqnum and intermediate Kcrypt */ 1058 err = crypto_shash_setkey(hmac, Kcrypt, kctx->gk5e->keylength); 1059 if (err) 1060 goto out_err; 1061 1062 seqnumarray[0] = (unsigned char) ((seqnum >> 24) & 0xff); 1063 seqnumarray[1] = (unsigned char) ((seqnum >> 16) & 0xff); 1064 seqnumarray[2] = (unsigned char) ((seqnum >> 8) & 0xff); 1065 seqnumarray[3] = (unsigned char) ((seqnum >> 0) & 0xff); 1066 1067 err = crypto_shash_digest(desc, seqnumarray, 4, Kcrypt); 1068 if (err) 1069 goto out_err; 1070 1071 err = crypto_skcipher_setkey(cipher, Kcrypt, kctx->gk5e->keylength); 1072 if (err) 1073 goto out_err; 1074 1075 err = 0; 1076 1077 out_err: 1078 kzfree(desc); 1079 crypto_free_shash(hmac); 1080 dprintk("%s: returning %d\n", __func__, err); 1081 return err; 1082 } 1083 1084