1 | /* |
2 | * linux/net/sunrpc/gss_krb5_crypto.c |
3 | * |
4 | * Copyright (c) 2000-2008 The Regents of the University of Michigan. |
5 | * All rights reserved. |
6 | * |
7 | * Andy Adamson <andros@umich.edu> |
8 | * Bruce Fields <bfields@umich.edu> |
9 | */ |
10 | |
11 | /* |
12 | * Copyright (C) 1998 by the FundsXpress, INC. |
13 | * |
14 | * All rights reserved. |
15 | * |
16 | * Export of this software from the United States of America may require |
17 | * a specific license from the United States Government. It is the |
18 | * responsibility of any person or organization contemplating export to |
19 | * obtain such a license before exporting. |
20 | * |
21 | * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and |
22 | * distribute this software and its documentation for any purpose and |
23 | * without fee is hereby granted, provided that the above copyright |
24 | * notice appear in all copies and that both that copyright notice and |
25 | * this permission notice appear in supporting documentation, and that |
26 | * the name of FundsXpress. not be used in advertising or publicity pertaining |
27 | * to distribution of the software without specific, written prior |
28 | * permission. FundsXpress makes no representations about the suitability of |
29 | * this software for any purpose. It is provided "as is" without express |
30 | * or implied warranty. |
31 | * |
32 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR |
33 | * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED |
34 | * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. |
35 | */ |
36 | |
37 | #include <crypto/hash.h> |
38 | #include <crypto/skcipher.h> |
39 | #include <crypto/utils.h> |
40 | #include <linux/err.h> |
41 | #include <linux/types.h> |
42 | #include <linux/mm.h> |
43 | #include <linux/scatterlist.h> |
44 | #include <linux/highmem.h> |
45 | #include <linux/pagemap.h> |
46 | #include <linux/random.h> |
47 | #include <linux/sunrpc/gss_krb5.h> |
48 | #include <linux/sunrpc/xdr.h> |
49 | #include <kunit/visibility.h> |
50 | |
51 | #include "gss_krb5_internal.h" |
52 | |
53 | #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) |
54 | # define RPCDBG_FACILITY RPCDBG_AUTH |
55 | #endif |
56 | |
/**
 * krb5_make_confounder - Generate a confounder string
 * @p: memory location into which to write the string
 * @conflen: string length to write, in octets
 *
 * RFCs 1964 and 3961 mention only "a random confounder" without going
 * into detail about its function or cryptographic requirements. The
 * assumed purpose is to prevent repeated encryption of a plaintext with
 * the same key from generating the same ciphertext. It is also used to
 * pad minimum plaintext length to at least a single cipher block.
 *
 * In the GSS Kerberos 5 mechanism the encryption IV is always all
 * zeroes, so the confounder effectively takes over the IV's role: it
 * must be unique from message to message and also hard to predict.
 * Otherwise an attacker can correlate the confounder with previous or
 * future values, making the encryption easier to break.
 *
 * The primary consumer of this mechanism is a network storage protocol,
 * whose payloads are often predictable (eg, all zeroes when reading
 * unallocated blocks from a file), so confounder generation has to be
 * cryptographically strong.
 */
void krb5_make_confounder(u8 *p, int conflen)
{
	/* Draw from the kernel CRNG rather than any cheaper PRNG; see the
	 * unpredictability requirement above. */
	get_random_bytes(p, conflen);
}
85 | |
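/**
 * krb5_encrypt - simple encryption of an RPCSEC GSS payload
 * @tfm: initialized cipher transform
 * @iv: pointer to an IV, or NULL to force the use of an all-zero IV
 * @in: plaintext to encrypt
 * @out: OUT: ciphertext; may be the same buffer as @in for in-place use
 * @length: length of input and output buffers, in bytes
 *
 * The buffer containing the IV must be as large as the cipher's ivsize.
 * @length must be a whole number of cipher blocks.
 *
 * Return values:
 *   %0: @in successfully encrypted into @out
 *   negative errno (as u32): @in not encrypted
 */
u32
krb5_encrypt(
	struct crypto_sync_skcipher *tfm,
	void *iv,
	void *in,
	void *out,
	int length)
{
	u32 ret = -EINVAL;
	struct scatterlist sg[1];
	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);

	if (length % crypto_sync_skcipher_blocksize(tfm) != 0)
		goto out;

	if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
		dprintk("RPC: gss_k5encrypt: tfm iv size too large %d\n",
			crypto_sync_skcipher_ivsize(tfm));
		goto out;
	}

	if (iv)
		memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));

	/* make_checksum() passes the same buffer as @in and @out;
	 * memcpy() on fully overlapping regions is undefined, so only
	 * copy when the buffers actually differ. The cipher then runs
	 * in place on @out. */
	if (out != in)
		memcpy(out, in, length);
	sg_init_one(sg, out, length);

	skcipher_request_set_sync_tfm(req, tfm);
	skcipher_request_set_callback(req, 0, NULL, NULL);
	skcipher_request_set_crypt(req, sg, sg, length, local_iv);

	ret = crypto_skcipher_encrypt(req);
	/* The on-stack request may hold key-dependent state. */
	skcipher_request_zero(req);
out:
	dprintk("RPC: krb5_encrypt returns %d\n", ret);
	return ret;
}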
140 | |
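/**
 * krb5_decrypt - simple decryption of an RPCSEC GSS payload
 * @tfm: initialized cipher transform
 * @iv: pointer to an IV, or NULL to force the use of an all-zero IV
 * @in: ciphertext to decrypt
 * @out: OUT: plaintext; may be the same buffer as @in for in-place use
 * @length: length of input and output buffers, in bytes
 *
 * The buffer containing the IV must be as large as the cipher's ivsize.
 * @length must be a whole number of cipher blocks.
 *
 * Return values:
 *   %0: @in successfully decrypted into @out
 *   negative errno (as u32): @in not decrypted
 */
u32
krb5_decrypt(
	struct crypto_sync_skcipher *tfm,
	void *iv,
	void *in,
	void *out,
	int length)
{
	u32 ret = -EINVAL;
	struct scatterlist sg[1];
	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);

	if (length % crypto_sync_skcipher_blocksize(tfm) != 0)
		goto out;

	if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
		dprintk("RPC: gss_k5decrypt: tfm iv size too large %d\n",
			crypto_sync_skcipher_ivsize(tfm));
		goto out;
	}
	if (iv)
		memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));

	/* Same in-place contract as krb5_encrypt(): memcpy() on fully
	 * overlapping buffers is undefined, so skip the copy when
	 * @in and @out are the same buffer. */
	if (out != in)
		memcpy(out, in, length);
	sg_init_one(sg, out, length);

	skcipher_request_set_sync_tfm(req, tfm);
	skcipher_request_set_callback(req, 0, NULL, NULL);
	skcipher_request_set_crypt(req, sg, sg, length, local_iv);

	ret = crypto_skcipher_decrypt(req);
	/* The on-stack request may hold key-dependent state. */
	skcipher_request_zero(req);
out:
	dprintk("RPC: gss_k5decrypt returns %d\n", ret);
	return ret;
}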
194 | |
/*
 * checksummer - xdr_process_buf() actor that feeds one scatterlist
 * fragment into a running hash
 * @sg: the fragment to digest
 * @data: the struct ahash_request carrying the hash state
 *
 * Returns 0 on success or the negative errno from crypto_ahash_update().
 */
static int
checksummer(struct scatterlist *sg, void *data)
{
	ahash_request_set_crypt(data, sg, NULL, sg->length);
	return crypto_ahash_update(data);
}
204 | |
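/*
 * make_checksum - checksum the plaintext data and hdrlen bytes of the
 * token header (legacy RSA-MD5 / HMAC-SHA1-DES3 checksum types)
 * @kctx: Kerberos 5 context supplying the checksum algorithm and key length
 * @header: gss token header octets
 * @hdrlen: number of octets of @header to include
 * @body: xdr_buf containing the message body
 * @body_offset: byte offset into @body at which to start
 * @cksumkey: checksum key, or NULL for an unkeyed digest
 * @usage: key usage number (not consulted in this function)
 * @cksumout: OUT: receives the checksum; ->len must be at least
 *	kctx->gk5e->cksumlength on entry and is set to it on success
 *
 * The checksum is performed over the first @hdrlen bytes of the
 * gss token header and then over the data body. For RSA-MD5 the
 * digest is then encrypted in place under kctx->seq and the trailing
 * cksumlength bytes form the checksum; for HMAC-SHA1-DES3 the leading
 * cksumlength bytes of the digest are used.
 *
 * Return values:
 *   %0: checksum written to @cksumout
 *   %GSS_S_FAILURE: buffer too small, or an allocation, setkey or
 *	digest step failed
 */
u32
make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
	      struct xdr_buf *body, int body_offset, u8 *cksumkey,
	      unsigned int usage, struct xdr_netobj *cksumout)
{
	struct crypto_ahash *tfm;
	struct ahash_request *req;
	struct scatterlist sg[1];
	int err = -1;
	u8 *checksumdata;
	unsigned int checksumlen;

	if (cksumout->len < kctx->gk5e->cksumlength) {
		dprintk("%s: checksum buffer length, %u, too small for %s\n",
			__func__, cksumout->len, kctx->gk5e->name);
		return GSS_S_FAILURE;
	}

	checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_KERNEL);
	if (checksumdata == NULL)
		return GSS_S_FAILURE;

	tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm))
		goto out_free_cksum;

	req = ahash_request_alloc(tfm, GFP_KERNEL);
	if (!req)
		goto out_free_ahash;

	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);

	checksumlen = crypto_ahash_digestsize(tfm);

	if (cksumkey != NULL) {
		err = crypto_ahash_setkey(tfm, cksumkey,
					  kctx->gk5e->keylength);
		if (err)
			goto out;
	}

	err = crypto_ahash_init(req);
	if (err)
		goto out;
	/* Header first, then the body: the reverse of gss_krb5_checksum(). */
	sg_init_one(sg, header, hdrlen);
	ahash_request_set_crypt(req, sg, NULL, hdrlen);
	err = crypto_ahash_update(req);
	if (err)
		goto out;
	err = xdr_process_buf(body, body_offset, body->len - body_offset,
			      checksummer, req);
	if (err)
		goto out;
	ahash_request_set_crypt(req, NULL, checksumdata, 0);
	err = crypto_ahash_final(req);
	if (err)
		goto out;

	switch (kctx->gk5e->ctype) {
	case CKSUMTYPE_RSA_MD5:
		/* Encrypt the digest in place (@in == @out) and keep the
		 * last cksumlength bytes. */
		err = krb5_encrypt(kctx->seq, NULL, checksumdata,
				   checksumdata, checksumlen);
		if (err)
			goto out;
		memcpy(cksumout->data,
		       checksumdata + checksumlen - kctx->gk5e->cksumlength,
		       kctx->gk5e->cksumlength);
		break;
	case CKSUMTYPE_HMAC_SHA1_DES3:
		memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
		break;
	default:
		/* Only the two legacy checksum types above route here. */
		BUG();
		break;
	}
	cksumout->len = kctx->gk5e->cksumlength;
out:
	ahash_request_free(req);
out_free_ahash:
	crypto_free_ahash(tfm);
out_free_cksum:
	/* checksumdata holds keyed-digest material; scrub it on free,
	 * as gss_krb5_checksum() already does. */
	kfree_sensitive(checksumdata);
	return err ? GSS_S_FAILURE : 0;
}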
294 | |
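/**
 * gss_krb5_checksum - Compute the MAC for a GSS Wrap or MIC token
 * @tfm: an initialized hash transform
 * @header: pointer to a buffer containing the token header, or NULL
 * @hdrlen: number of octets in @header
 * @body: xdr_buf containing an RPC message (body.len is the message length)
 * @body_offset: byte offset into @body to start checksumming
 * @cksumout: OUT: a buffer to be filled in with the computed HMAC
 *
 * Usually expressed as H = HMAC(K, message)[1..h] .
 *
 * Caller provides the truncation length of the output token (h) in
 * cksumout.len. At most the hash's digest size is copied out, even if
 * cksumout.len is larger; cksumout.len itself is left unchanged.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Digest computed, @cksumout filled in
 *   %GSS_S_FAILURE: Call failed
 */
u32
gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen,
		  const struct xdr_buf *body, int body_offset,
		  struct xdr_netobj *cksumout)
{
	struct ahash_request *req;
	int err = -ENOMEM;
	u8 *checksumdata;

	checksumdata = kmalloc(crypto_ahash_digestsize(tfm), GFP_KERNEL);
	if (!checksumdata)
		return GSS_S_FAILURE;

	req = ahash_request_alloc(tfm, GFP_KERNEL);
	if (!req)
		goto out_free_cksum;
	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
	err = crypto_ahash_init(req);
	if (err)
		goto out_free_ahash;

	/*
	 * Per RFC 4121 Section 4.2.4, the checksum is performed over the
	 * data body first, then over the octets in "header".
	 */
	err = xdr_process_buf(body, body_offset, body->len - body_offset,
			      checksummer, req);
	if (err)
		goto out_free_ahash;
	if (header) {
		struct scatterlist sg[1];

		sg_init_one(sg, header, hdrlen);
		ahash_request_set_crypt(req, sg, NULL, hdrlen);
		err = crypto_ahash_update(req);
		if (err)
			goto out_free_ahash;
	}

	ahash_request_set_crypt(req, NULL, checksumdata, 0);
	err = crypto_ahash_final(req);
	if (err)
		goto out_free_ahash;

	/* Truncate to the caller's h, but never read past the digest. */
	memcpy(cksumout->data, checksumdata,
	       min_t(int, cksumout->len, crypto_ahash_digestsize(tfm)));

out_free_ahash:
	ahash_request_free(req);
out_free_cksum:
	/* The full, untruncated MAC is sensitive: scrub before freeing. */
	kfree_sensitive(checksumdata);
	return err ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
EXPORT_SYMBOL_IF_KUNIT(gss_krb5_checksum);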
367 | |
/*
 * State shared between the callers of xdr_process_buf() in this file
 * (gss_encrypt_xdr_buf(), krb5_cbc_cts_encrypt()) and the encryptor()
 * actor, which is invoked once per scatterlist fragment.
 */
struct encryptor_desc {
	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];	/* CBC IV handed to every skcipher request */
	struct skcipher_request *req;	/* request carrying the cipher tfm */
	int pos;			/* byte offset in @outbuf of the fragment being processed */
	struct xdr_buf *outbuf;		/* buffer receiving the ciphertext */
	struct page **pages;		/* plaintext pages, read for fragments in the page area */
	struct scatterlist infrags[4];	/* source fragments accumulated so far */
	struct scatterlist outfrags[4];	/* destination fragments accumulated so far */
	int fragno;			/* fragments in use; encryptor() asserts <= 4 */
	int fraglen;			/* bytes accumulated but not yet encrypted */
};
379 | |
/*
 * encryptor - xdr_process_buf() actor that CBC-encrypts whole blocks
 * as fragments arrive
 * @sg: the next fragment of the output buffer
 * @data: the struct encryptor_desc carrying request and accumulated state
 *
 * Fragments are collected in desc->infrags/outfrags until a whole number
 * of cipher blocks is available; those blocks are encrypted and any
 * sub-block remainder is carried over as the first fragment of the next
 * round. Plaintext for the page area is read from desc->pages rather
 * than from the (scratch) pages behind @sg; ciphertext always goes to
 * the page behind @sg.
 *
 * Returns 0, or the negative errno from crypto_skcipher_encrypt().
 */
static int
encryptor(struct scatterlist *sg, void *data)
{
	struct encryptor_desc *desc = data;
	struct xdr_buf *outbuf = desc->outbuf;
	struct crypto_sync_skcipher *tfm =
		crypto_sync_skcipher_reqtfm(desc->req);
	struct page *src_page = sg_page(sg);
	int pending, leftover, pgoff, ret;

	/* Worst case is 4 fragments: head, end of page 1, start
	 * of page 2, tail. Anything more is a bug. */
	BUG_ON(desc->fragno > 3);

	/* A fragment inside the page area is not yet in place in outbuf:
	 * its plaintext lives in the caller-supplied pages. */
	pgoff = desc->pos - outbuf->head[0].iov_len;
	if (pgoff >= 0 && pgoff < outbuf->page_len)
		src_page = desc->pages[(pgoff + outbuf->page_base) >> PAGE_SHIFT];

	sg_set_page(&desc->infrags[desc->fragno], src_page, sg->length,
		    sg->offset);
	sg_set_page(&desc->outfrags[desc->fragno], sg_page(sg), sg->length,
		    sg->offset);
	desc->fragno++;
	desc->fraglen += sg->length;
	desc->pos += sg->length;

	/* Only whole blocks can be handed to the cipher. */
	pending = desc->fraglen;
	leftover = pending & (crypto_sync_skcipher_blocksize(tfm) - 1);
	pending -= leftover;
	if (pending == 0)
		return 0;

	sg_mark_end(&desc->infrags[desc->fragno - 1]);
	sg_mark_end(&desc->outfrags[desc->fragno - 1]);

	skcipher_request_set_crypt(desc->req, desc->infrags, desc->outfrags,
				   pending, desc->iv);
	ret = crypto_skcipher_encrypt(desc->req);
	if (ret)
		return ret;

	/* Start fresh fragment lists, seeded with the remainder. */
	sg_init_table(desc->infrags, 4);
	sg_init_table(desc->outfrags, 4);
	desc->fragno = 0;
	desc->fraglen = 0;
	if (leftover) {
		sg_set_page(&desc->outfrags[0], sg_page(sg), leftover,
			    sg->offset + sg->length - leftover);
		desc->infrags[0] = desc->outfrags[0];
		sg_assign_page(&desc->infrags[0], src_page);
		desc->fragno = 1;
		desc->fraglen = leftover;
	}
	return 0;
}
444 | |
/*
 * gss_encrypt_xdr_buf - CBC-encrypt the tail of an xdr_buf in place
 * @tfm: cipher to use
 * @buf: buffer whose bytes from @offset to the end are encrypted
 * @offset: first byte to encrypt
 * @pages: plaintext pages backing @buf's page area (see encryptor())
 *
 * The region must be a whole number of cipher blocks (asserted). An
 * all-zero IV is used.
 *
 * Returns 0 on success, or the negative errno from the cipher.
 */
int
gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf,
		    int offset, struct page **pages)
{
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
	struct encryptor_desc desc = {
		.req = req,
		.pos = offset,
		.outbuf = buf,
		.pages = pages,
	};
	int ret;

	BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != 0);

	skcipher_request_set_sync_tfm(req, tfm);
	skcipher_request_set_callback(req, 0, NULL, NULL);

	/* .iv, .fragno and .fraglen are zero from the initializer. */
	sg_init_table(desc.infrags, 4);
	sg_init_table(desc.outfrags, 4);

	ret = xdr_process_buf(buf, offset, buf->len - offset, encryptor, &desc);
	skcipher_request_zero(req);
	return ret;
}
473 | |
/*
 * State shared between the callers of xdr_process_buf() in this file
 * (gss_decrypt_xdr_buf(), krb5_cbc_cts_decrypt()) and the decryptor()
 * actor, which decrypts in place (src == dst).
 */
struct decryptor_desc {
	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];	/* CBC IV handed to every skcipher request */
	struct skcipher_request *req;	/* request carrying the cipher tfm */
	struct scatterlist frags[4];	/* fragments accumulated so far */
	int fragno;			/* fragments in use; decryptor() asserts <= 4 */
	int fraglen;			/* bytes accumulated but not yet decrypted */
};
481 | |
/*
 * decryptor - xdr_process_buf() actor that CBC-decrypts whole blocks
 * in place as fragments arrive
 * @sg: the next fragment of ciphertext
 * @data: the struct decryptor_desc carrying request and accumulated state
 *
 * Fragments are collected in desc->frags until a whole number of cipher
 * blocks is available; those blocks are decrypted in place and any
 * sub-block remainder is carried over as the first fragment of the next
 * round.
 *
 * Returns 0, or the negative errno from crypto_skcipher_decrypt().
 */
static int
decryptor(struct scatterlist *sg, void *data)
{
	struct decryptor_desc *desc = data;
	struct crypto_sync_skcipher *tfm =
		crypto_sync_skcipher_reqtfm(desc->req);
	int pending, leftover, ret;

	/* Worst case is 4 fragments: head, end of page 1, start
	 * of page 2, tail. Anything more is a bug. */
	BUG_ON(desc->fragno > 3);

	sg_set_page(&desc->frags[desc->fragno], sg_page(sg), sg->length,
		    sg->offset);
	desc->fragno++;
	desc->fraglen += sg->length;

	/* Only whole blocks can be handed to the cipher. */
	pending = desc->fraglen;
	leftover = pending & (crypto_sync_skcipher_blocksize(tfm) - 1);
	pending -= leftover;
	if (pending == 0)
		return 0;

	sg_mark_end(&desc->frags[desc->fragno - 1]);

	skcipher_request_set_crypt(desc->req, desc->frags, desc->frags,
				   pending, desc->iv);
	ret = crypto_skcipher_decrypt(desc->req);
	if (ret)
		return ret;

	/* Start a fresh fragment list, seeded with the remainder. */
	sg_init_table(desc->frags, 4);
	desc->fragno = 0;
	desc->fraglen = 0;
	if (leftover) {
		sg_set_page(&desc->frags[0], sg_page(sg), leftover,
			    sg->offset + sg->length - leftover);
		desc->fragno = 1;
		desc->fraglen = leftover;
	}
	return 0;
}
527 | |
/*
 * gss_decrypt_xdr_buf - CBC-decrypt the tail of an xdr_buf in place
 * @tfm: cipher to use
 * @buf: buffer whose bytes from @offset to the end are decrypted
 * @offset: first byte to decrypt
 *
 * The region must be a whole number of cipher blocks (asserted). An
 * all-zero IV is used.
 *
 * Returns 0 on success, or the negative errno from the cipher.
 */
int
gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *buf,
		    int offset)
{
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
	struct decryptor_desc desc = { .req = req };
	int ret;

	/* XXXJBF: a misaligned region is treated as a bug, not an error. */
	BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != 0);

	skcipher_request_set_sync_tfm(req, tfm);
	skcipher_request_set_callback(req, 0, NULL, NULL);

	/* .iv, .fragno and .fraglen are zero from the initializer. */
	sg_init_table(desc.frags, 4);

	ret = xdr_process_buf(buf, offset, buf->len - offset, decryptor, &desc);
	skcipher_request_zero(req);
	return ret;
}
553 | |
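/*
 * xdr_extend_head - open a gap of @shiftlen bytes inside an xdr_buf's head
 * @buf: buffer to modify
 * @base: byte offset within the head at which to open the gap
 * @shiftlen: number of bytes to insert
 *
 * The head data from @base onward is moved up by @shiftlen bytes and
 * both head[0].iov_len and buf->len grow accordingly. The gap itself
 * is left uninitialized for the caller to fill.
 *
 * This function makes the assumption that it was ultimately called
 * from gss_wrap().
 *
 * The client auth_gss code moves any existing tail data into a
 * separate page before calling gss_wrap.
 * The server svcauth_gss code ensures that both the head and the
 * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
 *
 * Even with that guarantee, this function may be called more than
 * once in the processing of gss_wrap(). The best we can do is
 * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
 * largest expected shift will fit within RPC_MAX_AUTH_SIZE.
 * At run-time we can verify that a single invocation of this
 * function doesn't attempt to use more than RPC_MAX_AUTH_SIZE.
 *
 * Return values:
 *   %0: head extended (or @shiftlen was zero)
 *   %-EINVAL: @base lies beyond the current head length
 */

int
xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen)
{
	u8 *p;

	if (shiftlen == 0)
		return 0;

	BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);

	/* iov_len - base below is unsigned: a @base past the end of the
	 * head would wrap to a huge memmove() length. */
	if (base > buf->head[0].iov_len)
		return -EINVAL;

	p = buf->head[0].iov_base + base;

	memmove(p + shiftlen, p, buf->head[0].iov_len - base);

	buf->head[0].iov_len += shiftlen;
	buf->len += shiftlen;

	return 0;
}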
590 | |
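/*
 * gss_krb5_cts_crypt - run the final (at most two) blocks of a message
 * through the CBC-CTS cipher
 * @cipher: CBC-CTS cipher transform
 * @buf: xdr_buf holding the region; on return it is overwritten with
 *	the result
 * @offset: byte offset of the region within @buf (runs to buf->len)
 * @iv: CBC initialization vector, i.e. the chaining value left by the
 *	preceding plain-CBC blocks
 * @pages: for encryption, the plaintext pages to read from in place of
 *	buf->pages; ignored for decryption
 * @encrypt: non-zero to encrypt, zero to decrypt
 *
 * The region is copied out to a bounce buffer, transformed, and copied
 * back, so fragmentation of @buf does not matter here.
 *
 * Returns 0 on success or a negative errno (as u32).
 */
static u32
gss_krb5_cts_crypt(struct crypto_sync_skcipher *cipher, struct xdr_buf *buf,
		   u32 offset, u8 *iv, struct page **pages, int encrypt)
{
	u32 ret;
	struct scatterlist sg[1];
	SYNC_SKCIPHER_REQUEST_ON_STACK(req, cipher);
	u8 *data;
	struct page **save_pages;
	u32 len = buf->len - offset;

	/* Callers size @offset so that at most two blocks remain; anything
	 * larger is a caller bug. WARN_ON_ONCE(1) makes the rejection
	 * visible (WARN_ON(0) never fires). */
	if (len > GSS_KRB5_MAX_BLOCKSIZE * 2) {
		WARN_ON_ONCE(1);
		return -ENOMEM;
	}
	data = kmalloc(GSS_KRB5_MAX_BLOCKSIZE * 2, GFP_KERNEL);
	if (!data)
		return -ENOMEM;

	/*
	 * For encryption, we want to read from the cleartext
	 * page cache pages, and write the encrypted data to
	 * the supplied xdr_buf pages.
	 */
	save_pages = buf->pages;
	if (encrypt)
		buf->pages = pages;

	ret = read_bytes_from_xdr_buf(buf, offset, data, len);
	buf->pages = save_pages;
	if (ret)
		goto out;

	sg_init_one(sg, data, len);

	skcipher_request_set_sync_tfm(req, cipher);
	skcipher_request_set_callback(req, 0, NULL, NULL);
	skcipher_request_set_crypt(req, sg, sg, len, iv);

	if (encrypt)
		ret = crypto_skcipher_encrypt(req);
	else
		ret = crypto_skcipher_decrypt(req);

	skcipher_request_zero(req);

	if (ret)
		goto out;

	ret = write_bytes_to_xdr_buf(buf, offset, data, len);

#if IS_ENABLED(CONFIG_KUNIT)
	/*
	 * CBC-CTS does not define an output IV but RFC 3962 defines it as the
	 * penultimate block of ciphertext, so copy that into the IV buffer
	 * before returning.
	 */
	if (encrypt)
		memcpy(iv, data, crypto_sync_skcipher_ivsize(cipher));
#endif

out:
	/* The bounce buffer held plaintext on at least one side. */
	kfree_sensitive(data);
	return ret;
}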
656 | |
/**
 * krb5_cbc_cts_encrypt - encrypt in CBC mode with CTS
 * @cts_tfm: CBC cipher with CTS
 * @cbc_tfm: base CBC cipher
 * @offset: starting byte offset for plaintext
 * @buf: OUT: output buffer
 * @pages: plaintext
 * @iv: output CBC initialization vector, or NULL
 * @ivsize: size of @iv, in octets
 *
 * To provide confidentiality, encrypt using cipher block chaining
 * with ciphertext stealing. Message integrity is handled separately.
 *
 * All but the final two blocks go through @cbc_tfm via the encryptor()
 * actor; the remainder (one or two blocks, possibly partial) goes
 * through @cts_tfm using the same IV buffer, so the CTS stage chains
 * off the CBC stage. When @iv is non-NULL the final IV is copied out.
 *
 * Return values:
 *   %0: encryption successful
 *   negative errno: encryption could not be completed
 */
VISIBLE_IF_KUNIT
int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
			 struct crypto_sync_skcipher *cbc_tfm,
			 u32 offset, struct xdr_buf *buf, struct page **pages,
			 u8 *iv, unsigned int ivsize)
{
	u32 blocksize = crypto_sync_skcipher_blocksize(cts_tfm);
	u32 nbytes = buf->len - offset;
	u32 nblocks = (nbytes + blocksize - 1) / blocksize;
	u32 cbcbytes = nblocks > 2 ? (nblocks - 2) * blocksize : 0;
	struct encryptor_desc desc = { 0 };
	int err;

	/* Handle block-sized chunks of plaintext with CBC. */
	if (cbcbytes) {
		SYNC_SKCIPHER_REQUEST_ON_STACK(req, cbc_tfm);

		skcipher_request_set_sync_tfm(req, cbc_tfm);
		skcipher_request_set_callback(req, 0, NULL, NULL);

		desc.req = req;
		desc.pos = offset;
		desc.outbuf = buf;
		desc.pages = pages;
		sg_init_table(desc.infrags, 4);
		sg_init_table(desc.outfrags, 4);

		err = xdr_process_buf(buf, offset, cbcbytes, encryptor, &desc);
		skcipher_request_zero(req);
		if (err)
			return err;
	}

	/* Remaining plaintext is handled with CBC-CTS. */
	err = gss_krb5_cts_crypt(cts_tfm, buf, offset + cbcbytes,
				 desc.iv, pages, 1);
	if (err)
		return err;

	if (unlikely(iv))
		memcpy(iv, desc.iv, ivsize);
	return 0;
}
EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_encrypt);
727 | |
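/**
 * krb5_cbc_cts_decrypt - decrypt in CBC mode with CTS
 * @cts_tfm: CBC cipher with CTS
 * @cbc_tfm: base CBC cipher
 * @offset: starting byte offset of the ciphertext within @buf
 * @buf: OUT: buffer holding ciphertext on entry and plaintext on return
 *
 * All but the final two blocks go through @cbc_tfm via the decryptor()
 * actor; the remainder (one or two blocks, possibly partial) goes
 * through @cts_tfm using the same IV buffer, so the CTS stage chains
 * off the CBC stage. Mirrors krb5_cbc_cts_encrypt(), including honouring
 * @offset (callers that pass 0 see no change).
 *
 * Return values:
 *   %0: decryption successful
 *   negative errno: decryption could not be completed
 */
VISIBLE_IF_KUNIT
int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
			 struct crypto_sync_skcipher *cbc_tfm,
			 u32 offset, struct xdr_buf *buf)
{
	u32 blocksize, nbytes, nblocks, cbcbytes;
	struct decryptor_desc desc;
	int err;

	blocksize = crypto_sync_skcipher_blocksize(cts_tfm);
	/* Only the region from @offset to the end is ciphertext. */
	nbytes = buf->len - offset;
	nblocks = (nbytes + blocksize - 1) / blocksize;
	cbcbytes = 0;
	if (nblocks > 2)
		cbcbytes = (nblocks - 2) * blocksize;

	memset(desc.iv, 0, sizeof(desc.iv));

	/* Handle block-sized chunks of ciphertext with CBC. */
	if (cbcbytes) {
		SYNC_SKCIPHER_REQUEST_ON_STACK(req, cbc_tfm);

		desc.fragno = 0;
		desc.fraglen = 0;
		desc.req = req;

		skcipher_request_set_sync_tfm(req, cbc_tfm);
		skcipher_request_set_callback(req, 0, NULL, NULL);

		sg_init_table(desc.frags, 4);

		err = xdr_process_buf(buf, offset, cbcbytes, decryptor, &desc);
		skcipher_request_zero(req);
		if (err)
			return err;
	}

	/* Remaining ciphertext is handled with CBC-CTS. */
	return gss_krb5_cts_crypt(cts_tfm, buf, offset + cbcbytes, desc.iv,
				  NULL, 0);
}
EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_decrypt);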
779 | |
/*
 * gss_krb5_aes_encrypt - wrap a message with the AES-CTS/HMAC mechanism
 * @kctx: Kerberos 5 context
 * @offset: byte offset in @buf of the GSS token header
 * @buf: OUT: buffer that receives the wrapped token; buf->pages are the
 *	scratch pages that will be transmitted
 * @pages: the real (plaintext) page cache pages; read but never written
 *
 * Resulting layout: [token header][confounder][payload][copy of token
 * header][HMAC]. The HMAC is computed over the plaintext from the
 * confounder through the header copy, then that same span is encrypted
 * and the HMAC is appended in the clear.
 *
 * Returns %GSS_S_COMPLETE, or %GSS_S_FAILURE if any step fails.
 */
u32
gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
		     struct xdr_buf *buf, struct page **pages)
{
	struct crypto_sync_skcipher *cipher, *aux_cipher;
	struct crypto_ahash *ahash;
	struct page **save_pages;
	struct xdr_netobj hmac;
	unsigned int conflen;
	u8 *ecptr;
	u32 err;

	/* Initiator and acceptor each encrypt under their own key set. */
	cipher = kctx->initiate ? kctx->initiator_enc : kctx->acceptor_enc;
	aux_cipher = kctx->initiate ? kctx->initiator_enc_aux
				    : kctx->acceptor_enc_aux;
	ahash = kctx->initiate ? kctx->initiator_integ : kctx->acceptor_integ;
	conflen = crypto_sync_skcipher_blocksize(cipher);

	/* Open a gap right behind the token header and fill it with the
	 * confounder. */
	if (xdr_extend_head(buf, offset + GSS_KRB5_TOK_HDR_LEN, conflen))
		return GSS_S_FAILURE;
	krb5_make_confounder(buf->head[0].iov_base + offset + GSS_KRB5_TOK_HDR_LEN,
			     conflen);

	/* Make sure there is a tail to append to. */
	if (buf->tail[0].iov_base == NULL) {
		buf->tail[0].iov_base = buf->head[0].iov_base
					+ buf->head[0].iov_len;
		buf->tail[0].iov_len = 0;
	}
	ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;

	/* copy plaintext gss token header after filler (if any) */
	memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
	buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
	buf->len += GSS_KRB5_TOK_HDR_LEN;

	/* The HMAC lands immediately after the header copy. */
	hmac.len = kctx->gk5e->cksumlength;
	hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;

	/*
	 * pages holds the real page cache data, which must not be
	 * encrypted in place; buf->pages are scratch pages that will be
	 * sent to the peer. Swap the plaintext pages in only for the
	 * HMAC computation.
	 */
	save_pages = buf->pages;
	buf->pages = pages;
	err = gss_krb5_checksum(ahash, NULL, 0, buf,
				offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
	buf->pages = save_pages;
	if (err)
		return GSS_S_FAILURE;

	err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
				   offset + GSS_KRB5_TOK_HDR_LEN,
				   buf, pages, NULL, 0);
	if (err)
		return GSS_S_FAILURE;

	/* Now update buf to account for HMAC */
	buf->tail[0].iov_len += kctx->gk5e->cksumlength;
	buf->len += kctx->gk5e->cksumlength;

	return GSS_S_COMPLETE;
}
855 | |
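/*
 * gss_krb5_aes_decrypt - unwrap a message wrapped by gss_krb5_aes_encrypt()
 * @kctx: Kerberos 5 context
 * @offset: byte offset in @buf of the GSS token header
 * @len: total token length, including the trailing HMAC
 * @buf: buffer holding the token; decrypted in place
 * @headskip: OUT: number of confounder bytes at the start of the plaintext
 * @tailskip: OUT: number of checksum bytes at the end
 *
 * The ciphertext between the token header and the HMAC is decrypted,
 * the HMAC is recomputed over the resulting plaintext and compared in
 * constant time with the one carried in the token.
 *
 * Return values:
 *   %0 (GSS_S_COMPLETE): plaintext in place, skips filled in
 *   %GSS_S_BAD_SIG: the HMAC did not verify
 *   %GSS_S_FAILURE: malformed token or a crypto/buffer error
 */
u32
gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
		     struct xdr_buf *buf, u32 *headskip, u32 *tailskip)
{
	struct crypto_sync_skcipher *cipher, *aux_cipher;
	struct crypto_ahash *ahash;
	struct xdr_netobj our_hmac_obj;
	u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
	struct xdr_buf subbuf;
	u32 ret = 0;

	/* Use the peer's key set: an initiator unwraps what the acceptor
	 * wrapped, and vice versa. */
	if (kctx->initiate) {
		cipher = kctx->acceptor_enc;
		aux_cipher = kctx->acceptor_enc_aux;
		ahash = kctx->acceptor_integ;
	} else {
		cipher = kctx->initiator_enc;
		aux_cipher = kctx->initiator_enc_aux;
		ahash = kctx->initiator_integ;
	}

	/* create a segment skipping the header and leaving out the checksum.
	 * xdr_buf_subsegment() fails if the token is too short for that
	 * (including when the length arithmetic wraps), in which case
	 * subbuf must not be used. */
	if (xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
			       (len - offset - GSS_KRB5_TOK_HDR_LEN -
				kctx->gk5e->cksumlength)))
		return GSS_S_FAILURE;

	ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, 0, &subbuf);
	if (ret)
		goto out_err;

	our_hmac_obj.len = kctx->gk5e->cksumlength;
	our_hmac_obj.data = our_hmac;
	ret = gss_krb5_checksum(ahash, NULL, 0, &subbuf, 0, &our_hmac_obj);
	if (ret)
		goto out_err;

	/* Get the packet's hmac value */
	ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
				      pkt_hmac, kctx->gk5e->cksumlength);
	if (ret)
		goto out_err;

	/* Constant-time compare: no early exit on the first differing byte. */
	if (crypto_memneq(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
		ret = GSS_S_BAD_SIG;
		goto out_err;
	}
	*headskip = crypto_sync_skcipher_blocksize(cipher);
	*tailskip = kctx->gk5e->cksumlength;
out_err:
	/* Collapse negative errnos into GSS_S_FAILURE; keep BAD_SIG. */
	if (ret && ret != GSS_S_BAD_SIG)
		ret = GSS_S_FAILURE;
	return ret;
}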
910 | |
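/**
 * krb5_etm_checksum - Compute a MAC for a GSS Wrap token
 * @cipher: an initialized cipher transform
 * @tfm: an initialized hash transform
 * @body: xdr_buf containing an RPC message (body.len is the message length)
 * @body_offset: byte offset into @body to start checksumming
 * @cksumout: OUT: a buffer to be filled in with the computed HMAC
 *
 * Usually expressed as H = HMAC(K, IV | ciphertext)[1..h] .
 *
 * Caller provides the truncation length of the output token (h) in
 * cksumout.len. At most the hash's digest size is copied out, as in
 * gss_krb5_checksum(); cksumout.len itself is left unchanged.
 *
 * Return values:
 *   %GSS_S_COMPLETE: Digest computed, @cksumout filled in
 *   %GSS_S_FAILURE: Call failed
 */
VISIBLE_IF_KUNIT
u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
		      struct crypto_ahash *tfm, const struct xdr_buf *body,
		      int body_offset, struct xdr_netobj *cksumout)
{
	unsigned int ivsize = crypto_sync_skcipher_ivsize(cipher);
	unsigned int digestsize = crypto_ahash_digestsize(tfm);
	struct ahash_request *req;
	struct scatterlist sg[1];
	u8 *iv, *checksumdata;
	int err = -ENOMEM;

	checksumdata = kmalloc(digestsize, GFP_KERNEL);
	if (!checksumdata)
		return GSS_S_FAILURE;
	/* For RPCSEC, the "initial cipher state" is always all zeroes. */
	iv = kzalloc(ivsize, GFP_KERNEL);
	if (!iv)
		goto out_free_mem;

	req = ahash_request_alloc(tfm, GFP_KERNEL);
	if (!req)
		goto out_free_mem;
	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
	err = crypto_ahash_init(req);
	if (err)
		goto out_free_ahash;

	/* The MAC covers the initial cipher state first, then the body. */
	sg_init_one(sg, iv, ivsize);
	ahash_request_set_crypt(req, sg, NULL, ivsize);
	err = crypto_ahash_update(req);
	if (err)
		goto out_free_ahash;
	err = xdr_process_buf(body, body_offset, body->len - body_offset,
			      checksummer, req);
	if (err)
		goto out_free_ahash;

	ahash_request_set_crypt(req, NULL, checksumdata, 0);
	err = crypto_ahash_final(req);
	if (err)
		goto out_free_ahash;
	/* Truncate to the caller's h, but never read past the digest. */
	memcpy(cksumout->data, checksumdata,
	       min_t(unsigned int, cksumout->len, digestsize));

out_free_ahash:
	ahash_request_free(req);
out_free_mem:
	kfree(iv);
	/* The full, untruncated MAC is sensitive: scrub before freeing. */
	kfree_sensitive(checksumdata);
	return err ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
EXPORT_SYMBOL_IF_KUNIT(krb5_etm_checksum);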
979 | |
980 | /** |
981 | * krb5_etm_encrypt - Encrypt using the RFC 8009 rules |
982 | * @kctx: Kerberos context |
983 | * @offset: starting offset of the payload, in bytes |
984 | * @buf: OUT: send buffer to contain the encrypted payload |
985 | * @pages: plaintext payload |
986 | * |
987 | * The main difference with aes_encrypt is that "The HMAC is |
988 | * calculated over the cipher state concatenated with the AES |
989 | * output, instead of being calculated over the confounder and |
990 | * plaintext. This allows the message receiver to verify the |
991 | * integrity of the message before decrypting the message." |
992 | * |
993 | * RFC 8009 Section 5: |
994 | * |
995 | * encryption function: as follows, where E() is AES encryption in |
996 | * CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or |
997 | * 192 bits as described above). |
998 | * |
999 | * N = random value of length 128 bits (the AES block size) |
1000 | * IV = cipher state |
1001 | * C = E(Ke, N | plaintext, IV) |
1002 | * H = HMAC(Ki, IV | C) |
1003 | * ciphertext = C | H[1..h] |
1004 | * |
1005 | * This encryption formula provides AEAD EtM with key separation. |
1006 | * |
1007 | * Return values: |
1008 | * %GSS_S_COMPLETE: Encryption successful |
1009 | * %GSS_S_FAILURE: Encryption failed |
1010 | */ |
1011 | u32 |
1012 | krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, |
1013 | struct xdr_buf *buf, struct page **pages) |
1014 | { |
1015 | struct crypto_sync_skcipher *cipher, *aux_cipher; |
1016 | struct crypto_ahash *ahash; |
1017 | struct xdr_netobj hmac; |
1018 | unsigned int conflen; |
1019 | u8 *ecptr; |
1020 | u32 err; |
1021 | |
1022 | if (kctx->initiate) { |
1023 | cipher = kctx->initiator_enc; |
1024 | aux_cipher = kctx->initiator_enc_aux; |
1025 | ahash = kctx->initiator_integ; |
1026 | } else { |
1027 | cipher = kctx->acceptor_enc; |
1028 | aux_cipher = kctx->acceptor_enc_aux; |
1029 | ahash = kctx->acceptor_integ; |
1030 | } |
1031 | conflen = crypto_sync_skcipher_blocksize(tfm: cipher); |
1032 | |
1033 | offset += GSS_KRB5_TOK_HDR_LEN; |
1034 | if (xdr_extend_head(buf, base: offset, shiftlen: conflen)) |
1035 | return GSS_S_FAILURE; |
1036 | krb5_make_confounder(p: buf->head[0].iov_base + offset, conflen); |
1037 | offset -= GSS_KRB5_TOK_HDR_LEN; |
1038 | |
1039 | if (buf->tail[0].iov_base) { |
1040 | ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len; |
1041 | } else { |
1042 | buf->tail[0].iov_base = buf->head[0].iov_base |
1043 | + buf->head[0].iov_len; |
1044 | buf->tail[0].iov_len = 0; |
1045 | ecptr = buf->tail[0].iov_base; |
1046 | } |
1047 | |
1048 | memcpy(ecptr, buf->head[0].iov_base + offset, GSS_KRB5_TOK_HDR_LEN); |
1049 | buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN; |
1050 | buf->len += GSS_KRB5_TOK_HDR_LEN; |
1051 | |
1052 | err = krb5_cbc_cts_encrypt(cipher, aux_cipher, |
1053 | offset + GSS_KRB5_TOK_HDR_LEN, |
1054 | buf, pages, NULL, 0); |
1055 | if (err) |
1056 | return GSS_S_FAILURE; |
1057 | |
1058 | hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len; |
1059 | hmac.len = kctx->gk5e->cksumlength; |
1060 | err = krb5_etm_checksum(cipher, ahash, |
1061 | buf, offset + GSS_KRB5_TOK_HDR_LEN, &hmac); |
1062 | if (err) |
1063 | goto out_err; |
1064 | buf->tail[0].iov_len += kctx->gk5e->cksumlength; |
1065 | buf->len += kctx->gk5e->cksumlength; |
1066 | |
1067 | return GSS_S_COMPLETE; |
1068 | |
1069 | out_err: |
1070 | return GSS_S_FAILURE; |
1071 | } |
1072 | |
1073 | /** |
1074 | * krb5_etm_decrypt - Decrypt using the RFC 8009 rules |
1075 | * @kctx: Kerberos context |
1076 | * @offset: starting offset of the ciphertext, in bytes |
1077 | * @len: |
1078 | * @buf: |
1079 | * @headskip: OUT: the enctype's confounder length, in octets |
1080 | * @tailskip: OUT: the enctype's HMAC length, in octets |
1081 | * |
1082 | * RFC 8009 Section 5: |
1083 | * |
1084 | * decryption function: as follows, where D() is AES decryption in |
1085 | * CBC-CS3 mode, and h is the size of truncated HMAC. |
1086 | * |
1087 | * (C, H) = ciphertext |
1088 | * (Note: H is the last h bits of the ciphertext.) |
1089 | * IV = cipher state |
1090 | * if H != HMAC(Ki, IV | C)[1..h] |
1091 | * stop, report error |
1092 | * (N, P) = D(Ke, C, IV) |
1093 | * |
1094 | * Return values: |
1095 | * %GSS_S_COMPLETE: Decryption successful |
1096 | * %GSS_S_BAD_SIG: computed HMAC != received HMAC |
1097 | * %GSS_S_FAILURE: Decryption failed |
1098 | */ |
1099 | u32 |
1100 | krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, |
1101 | struct xdr_buf *buf, u32 *headskip, u32 *tailskip) |
1102 | { |
1103 | struct crypto_sync_skcipher *cipher, *aux_cipher; |
1104 | u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN]; |
1105 | u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN]; |
1106 | struct xdr_netobj our_hmac_obj; |
1107 | struct crypto_ahash *ahash; |
1108 | struct xdr_buf subbuf; |
1109 | u32 ret = 0; |
1110 | |
1111 | if (kctx->initiate) { |
1112 | cipher = kctx->acceptor_enc; |
1113 | aux_cipher = kctx->acceptor_enc_aux; |
1114 | ahash = kctx->acceptor_integ; |
1115 | } else { |
1116 | cipher = kctx->initiator_enc; |
1117 | aux_cipher = kctx->initiator_enc_aux; |
1118 | ahash = kctx->initiator_integ; |
1119 | } |
1120 | |
1121 | /* Extract the ciphertext into @subbuf. */ |
1122 | xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN, |
1123 | (len - offset - GSS_KRB5_TOK_HDR_LEN - |
1124 | kctx->gk5e->cksumlength)); |
1125 | |
1126 | our_hmac_obj.data = our_hmac; |
1127 | our_hmac_obj.len = kctx->gk5e->cksumlength; |
1128 | ret = krb5_etm_checksum(cipher, ahash, &subbuf, 0, &our_hmac_obj); |
1129 | if (ret) |
1130 | goto out_err; |
1131 | ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength, |
1132 | pkt_hmac, kctx->gk5e->cksumlength); |
1133 | if (ret) |
1134 | goto out_err; |
1135 | if (crypto_memneq(a: pkt_hmac, b: our_hmac, size: kctx->gk5e->cksumlength) != 0) { |
1136 | ret = GSS_S_BAD_SIG; |
1137 | goto out_err; |
1138 | } |
1139 | |
1140 | ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, 0, &subbuf); |
1141 | if (ret) { |
1142 | ret = GSS_S_FAILURE; |
1143 | goto out_err; |
1144 | } |
1145 | |
1146 | *headskip = crypto_sync_skcipher_blocksize(tfm: cipher); |
1147 | *tailskip = kctx->gk5e->cksumlength; |
1148 | return GSS_S_COMPLETE; |
1149 | |
1150 | out_err: |
1151 | if (ret != GSS_S_BAD_SIG) |
1152 | ret = GSS_S_FAILURE; |
1153 | return ret; |
1154 | } |
1155 | |