gss_krb5_crypto.c source code [linux/net/sunrpc/auth_gss/gss_krb5_crypto.c]

1	/*
2	* linux/net/sunrpc/gss_krb5_crypto.c
3	*
4	* Copyright (c) 2000-2008 The Regents of the University of Michigan.
5	* All rights reserved.
6	*
7	* Andy Adamson <andros@umich.edu>
8	* Bruce Fields <bfields@umich.edu>
9	*/
10
11	/*
12	* Copyright (C) 1998 by the FundsXpress, INC.
13	*
14	* All rights reserved.
15	*
16	* Export of this software from the United States of America may require
17	* a specific license from the United States Government. It is the
18	* responsibility of any person or organization contemplating export to
19	* obtain such a license before exporting.
20	*
21	* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
22	* distribute this software and its documentation for any purpose and
23	* without fee is hereby granted, provided that the above copyright
24	* notice appear in all copies and that both that copyright notice and
25	* this permission notice appear in supporting documentation, and that
26	* the name of FundsXpress. not be used in advertising or publicity pertaining
27	* to distribution of the software without specific, written prior
28	* permission. FundsXpress makes no representations about the suitability of
29	* this software for any purpose. It is provided "as is" without express
30	* or implied warranty.
31	*
32	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
33	* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
34	* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
35	*/
36
37	#include <crypto/hash.h>
38	#include <crypto/skcipher.h>
39	#include <crypto/utils.h>
40	#include <linux/err.h>
41	#include <linux/types.h>
42	#include <linux/mm.h>
43	#include <linux/scatterlist.h>
44	#include <linux/highmem.h>
45	#include <linux/pagemap.h>
46	#include <linux/random.h>
47	#include <linux/sunrpc/gss_krb5.h>
48	#include <linux/sunrpc/xdr.h>
49	#include <kunit/visibility.h>
50
51	#include "gss_krb5_internal.h"
52
53	#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
54	# define RPCDBG_FACILITY RPCDBG_AUTH
55	#endif
56
57	/**
58	* krb5_make_confounder - Generate a confounder string
59	* @p: memory location into which to write the string
60	* @conflen: string length to write, in octets
61	*
62	* RFCs 1964 and 3961 mention only "a random confounder" without going
63	* into detail about its function or cryptographic requirements. The
64	* assumed purpose is to prevent repeated encryption of a plaintext with
65	* the same key from generating the same ciphertext. It is also used to
66	* pad minimum plaintext length to at least a single cipher block.
67	*
68	* However, in situations like the GSS Kerberos 5 mechanism, where the
69	* encryption IV is always all zeroes, the confounder also effectively
70	* functions like an IV. Thus, not only must it be unique from message
71	* to message, but it must also be difficult to predict. Otherwise an
72	* attacker can correlate the confounder to previous or future values,
73	* making the encryption easier to break.
74	*
75	* Given that the primary consumer of this encryption mechanism is a
76	* network storage protocol, a type of traffic that often carries
77	* predictable payloads (eg, all zeroes when reading unallocated blocks
78	* from a file), our confounder generation has to be cryptographically
79	* strong.
80	*/
81	void krb5_make_confounder(u8 p, int* conflen)
82	{
83	get_random_bytes(buf: p, len: conflen);
84	}
85
86	/**
87	* krb5_encrypt - simple encryption of an RPCSEC GSS payload
88	* @tfm: initialized cipher transform
89	* @iv: pointer to an IV
90	* @in: plaintext to encrypt
91	* @out: OUT: ciphertext
92	* @length: length of input and output buffers, in bytes
93	*
94	* @iv may be NULL to force the use of an all-zero IV.
95	* The buffer containing the IV must be as large as the
96	* cipher's ivsize.
97	*
98	* Return values:
99	* %0: @in successfully encrypted into @out
100	* negative errno: @in not encrypted
101	*/
102	u32
103	krb5_encrypt(
104	struct crypto_sync_skcipher *tfm,
105	void * iv,
106	void * in,
107	void * out,
108	int length)
109	{
110	u32 ret = -EINVAL;
111	struct scatterlist sg[`1`];
112	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {`0`};
113	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
114
115	if (length % crypto_sync_skcipher_blocksize(tfm) != `0`)
116	goto out;
117
118	if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
119	dprintk("RPC: gss_k5encrypt: tfm iv size too large %d\n",
120	crypto_sync_skcipher_ivsize(tfm));
121	goto out;
122	}
123
124	if (iv)
125	memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));
126
127	memcpy(out, in, length);
128	sg_init_one(sg, out, length);
129
130	skcipher_request_set_sync_tfm(req, tfm);
131	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
132	skcipher_request_set_crypt(req, src: sg, dst: sg, cryptlen: length, iv: local_iv);
133
134	ret = crypto_skcipher_encrypt(req);
135	skcipher_request_zero(req);
136	out:
137	dprintk("RPC: krb5_encrypt returns %d\n", ret);
138	return ret;
139	}
140
141	/**
142	* krb5_decrypt - simple decryption of an RPCSEC GSS payload
143	* @tfm: initialized cipher transform
144	* @iv: pointer to an IV
145	* @in: ciphertext to decrypt
146	* @out: OUT: plaintext
147	* @length: length of input and output buffers, in bytes
148	*
149	* @iv may be NULL to force the use of an all-zero IV.
150	* The buffer containing the IV must be as large as the
151	* cipher's ivsize.
152	*
153	* Return values:
154	* %0: @in successfully decrypted into @out
155	* negative errno: @in not decrypted
156	*/
157	u32
158	krb5_decrypt(
159	struct crypto_sync_skcipher *tfm,
160	void * iv,
161	void * in,
162	void * out,
163	int length)
164	{
165	u32 ret = -EINVAL;
166	struct scatterlist sg[`1`];
167	u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {`0`};
168	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
169
170	if (length % crypto_sync_skcipher_blocksize(tfm) != `0`)
171	goto out;
172
173	if (crypto_sync_skcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
174	dprintk("RPC: gss_k5decrypt: tfm iv size too large %d\n",
175	crypto_sync_skcipher_ivsize(tfm));
176	goto out;
177	}
178	if (iv)
179	memcpy(local_iv, iv, crypto_sync_skcipher_ivsize(tfm));
180
181	memcpy(out, in, length);
182	sg_init_one(sg, out, length);
183
184	skcipher_request_set_sync_tfm(req, tfm);
185	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
186	skcipher_request_set_crypt(req, src: sg, dst: sg, cryptlen: length, iv: local_iv);
187
188	ret = crypto_skcipher_decrypt(req);
189	skcipher_request_zero(req);
190	out:
191	dprintk("RPC: gss_k5decrypt returns %d\n",ret);
192	return ret;
193	}
194
195	static int
196	checksummer(struct scatterlist sg, void* *data)
197	{
198	struct ahash_request *req = data;
199
200	ahash_request_set_crypt(req, src: sg, NULL, nbytes: sg->length);
201
202	return crypto_ahash_update(req);
203	}
204
205	/*
206	* checksum the plaintext data and hdrlen bytes of the token header
207	* The checksum is performed over the first 8 bytes of the
208	* gss token header and then over the data body
209	*/
210	u32
211	make_checksum(struct krb5_ctx kctx, char* header, int* hdrlen,
212	struct xdr_buf body, int* body_offset, u8 *cksumkey,
213	unsigned int usage, struct xdr_netobj *cksumout)
214	{
215	struct crypto_ahash *tfm;
216	struct ahash_request *req;
217	struct scatterlist sg[`1`];
218	int err = -`1`;
219	u8 *checksumdata;
220	unsigned int checksumlen;
221
222	if (cksumout->len < kctx->gk5e->cksumlength) {
223	dprintk("%s: checksum buffer length, %u, too small for %s\n",
224	__func__, cksumout->len, kctx->gk5e->name);
225	return GSS_S_FAILURE;
226	}
227
228	checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_KERNEL);
229	if (checksumdata == NULL)
230	return GSS_S_FAILURE;
231
232	tfm = crypto_alloc_ahash(alg_name: kctx->gk5e->cksum_name, type: `0`, CRYPTO_ALG_ASYNC);
233	if (IS_ERR(ptr: tfm))
234	goto out_free_cksum;
235
236	req = ahash_request_alloc(tfm, GFP_KERNEL);
237	if (!req)
238	goto out_free_ahash;
239
240	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
241
242	checksumlen = crypto_ahash_digestsize(tfm);
243
244	if (cksumkey != NULL) {
245	err = crypto_ahash_setkey(tfm, key: cksumkey,
246	keylen: kctx->gk5e->keylength);
247	if (err)
248	goto out;
249	}
250
251	err = crypto_ahash_init(req);
252	if (err)
253	goto out;
254	sg_init_one(sg, header, hdrlen);
255	ahash_request_set_crypt(req, src: sg, NULL, nbytes: hdrlen);
256	err = crypto_ahash_update(req);
257	if (err)
258	goto out;
259	err = xdr_process_buf(buf: body, offset: body_offset, len: body->len - body_offset,
260	actor: checksummer, data: req);
261	if (err)
262	goto out;
263	ahash_request_set_crypt(req, NULL, result: checksumdata, nbytes: `0`);
264	err = crypto_ahash_final(req);
265	if (err)
266	goto out;
267
268	switch (kctx->gk5e->ctype) {
269	case CKSUMTYPE_RSA_MD5:
270	err = krb5_encrypt(tfm: kctx->seq, NULL, in: checksumdata,
271	out: checksumdata, length: checksumlen);
272	if (err)
273	goto out;
274	memcpy(cksumout->data,
275	checksumdata + checksumlen - kctx->gk5e->cksumlength,
276	kctx->gk5e->cksumlength);
277	break;
278	case CKSUMTYPE_HMAC_SHA1_DES3:
279	memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
280	break;
281	default:
282	BUG();
283	break;
284	}
285	cksumout->len = kctx->gk5e->cksumlength;
286	out:
287	ahash_request_free(req);
288	out_free_ahash:
289	crypto_free_ahash(tfm);
290	out_free_cksum:
291	kfree(objp: checksumdata);
292	return err ? GSS_S_FAILURE : `0`;
293	}
294
295	/**
296	* gss_krb5_checksum - Compute the MAC for a GSS Wrap or MIC token
297	* @tfm: an initialized hash transform
298	* @header: pointer to a buffer containing the token header, or NULL
299	* @hdrlen: number of octets in @header
300	* @body: xdr_buf containing an RPC message (body.len is the message length)
301	* @body_offset: byte offset into @body to start checksumming
302	* @cksumout: OUT: a buffer to be filled in with the computed HMAC
303	*
304	* Usually expressed as H = HMAC(K, message)[1..h] .
305	*
306	* Caller provides the truncation length of the output token (h) in
307	* cksumout.len.
308	*
309	* Return values:
310	* %GSS_S_COMPLETE: Digest computed, @cksumout filled in
311	* %GSS_S_FAILURE: Call failed
312	*/
313	u32
314	gss_krb5_checksum(struct crypto_ahash tfm, char* header, int* hdrlen,
315	const struct xdr_buf body, int* body_offset,
316	struct xdr_netobj *cksumout)
317	{
318	struct ahash_request *req;
319	int err = -ENOMEM;
320	u8 *checksumdata;
321
322	checksumdata = kmalloc(size: crypto_ahash_digestsize(tfm), GFP_KERNEL);
323	if (!checksumdata)
324	return GSS_S_FAILURE;
325
326	req = ahash_request_alloc(tfm, GFP_KERNEL);
327	if (!req)
328	goto out_free_cksum;
329	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
330	err = crypto_ahash_init(req);
331	if (err)
332	goto out_free_ahash;
333
334	/*
335	* Per RFC 4121 Section 4.2.4, the checksum is performed over the
336	* data body first, then over the octets in "header".
337	*/
338	err = xdr_process_buf(buf: body, offset: body_offset, len: body->len - body_offset,
339	actor: checksummer, data: req);
340	if (err)
341	goto out_free_ahash;
342	if (header) {
343	struct scatterlist sg[`1`];
344
345	sg_init_one(sg, header, hdrlen);
346	ahash_request_set_crypt(req, src: sg, NULL, nbytes: hdrlen);
347	err = crypto_ahash_update(req);
348	if (err)
349	goto out_free_ahash;
350	}
351
352	ahash_request_set_crypt(req, NULL, result: checksumdata, nbytes: `0`);
353	err = crypto_ahash_final(req);
354	if (err)
355	goto out_free_ahash;
356
357	memcpy(cksumout->data, checksumdata,
358	min_t(int, cksumout->len, crypto_ahash_digestsize(tfm)));
359
360	out_free_ahash:
361	ahash_request_free(req);
362	out_free_cksum:
363	kfree_sensitive(objp: checksumdata);
364	return err ? GSS_S_FAILURE : GSS_S_COMPLETE;
365	}
366	EXPORT_SYMBOL_IF_KUNIT(gss_krb5_checksum);
367
368	struct encryptor_desc {
369	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
370	struct skcipher_request *req;
371	int pos;
372	struct xdr_buf *outbuf;
373	struct page **pages;
374	struct scatterlist infrags[`4`];
375	struct scatterlist outfrags[`4`];
376	int fragno;
377	int fraglen;
378	};
379
380	static int
381	encryptor(struct scatterlist sg, void* *data)
382	{
383	struct encryptor_desc *desc = data;
384	struct xdr_buf *outbuf = desc->outbuf;
385	struct crypto_sync_skcipher *tfm =
386	crypto_sync_skcipher_reqtfm(req: desc->req);
387	struct page *in_page;
388	int thislen = desc->fraglen + sg->length;
389	int fraglen, ret;
390	int page_pos;
391
392	/ Worst case is 4 fragments: head, end of page 1, start*
393	* of page 2, tail. Anything more is a bug. */
394	BUG_ON(desc->fragno > `3`);
395
396	page_pos = desc->pos - outbuf->head[`0`].iov_len;
397	if (page_pos >= `0` && page_pos < outbuf->page_len) {
398	/ pages are not in place: /
399	int i = (page_pos + outbuf->page_base) >> PAGE_SHIFT;
400	in_page = desc->pages[i];
401	} else {
402	in_page = sg_page(sg);
403	}
404	sg_set_page(sg: &desc->infrags[desc->fragno], page: in_page, len: sg->length,
405	offset: sg->offset);
406	sg_set_page(sg: &desc->outfrags[desc->fragno], page: sg_page(sg), len: sg->length,
407	offset: sg->offset);
408	desc->fragno++;
409	desc->fraglen += sg->length;
410	desc->pos += sg->length;
411
412	fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - `1`);
413	thislen -= fraglen;
414
415	if (thislen == `0`)
416	return `0`;
417
418	sg_mark_end(sg: &desc->infrags[desc->fragno - `1`]);
419	sg_mark_end(sg: &desc->outfrags[desc->fragno - `1`]);
420
421	skcipher_request_set_crypt(req: desc->req, src: desc->infrags, dst: desc->outfrags,
422	cryptlen: thislen, iv: desc->iv);
423
424	ret = crypto_skcipher_encrypt(req: desc->req);
425	if (ret)
426	return ret;
427
428	sg_init_table(desc->infrags, `4`);
429	sg_init_table(desc->outfrags, `4`);
430
431	if (fraglen) {
432	sg_set_page(sg: &desc->outfrags[`0`], page: sg_page(sg), len: fraglen,
433	offset: sg->offset + sg->length - fraglen);
434	desc->infrags[`0`] = desc->outfrags[`0`];
435	sg_assign_page(sg: &desc->infrags[`0`], page: in_page);
436	desc->fragno = `1`;
437	desc->fraglen = fraglen;
438	} else {
439	desc->fragno = `0`;
440	desc->fraglen = `0`;
441	}
442	return `0`;
443	}
444
445	int
446	gss_encrypt_xdr_buf(struct crypto_sync_skcipher tfm, struct* xdr_buf *buf,
447	int offset, struct page **pages)
448	{
449	int ret;
450	struct encryptor_desc desc;
451	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
452
453	BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != `0`);
454
455	skcipher_request_set_sync_tfm(req, tfm);
456	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
457
458	memset(desc.iv, `0`, sizeof(desc.iv));
459	desc.req = req;
460	desc.pos = offset;
461	desc.outbuf = buf;
462	desc.pages = pages;
463	desc.fragno = `0`;
464	desc.fraglen = `0`;
465
466	sg_init_table(desc.infrags, `4`);
467	sg_init_table(desc.outfrags, `4`);
468
469	ret = xdr_process_buf(buf, offset, len: buf->len - offset, actor: encryptor, data: &desc);
470	skcipher_request_zero(req);
471	return ret;
472	}
473
474	struct decryptor_desc {
475	u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
476	struct skcipher_request *req;
477	struct scatterlist frags[`4`];
478	int fragno;
479	int fraglen;
480	};
481
482	static int
483	decryptor(struct scatterlist sg, void* *data)
484	{
485	struct decryptor_desc *desc = data;
486	int thislen = desc->fraglen + sg->length;
487	struct crypto_sync_skcipher *tfm =
488	crypto_sync_skcipher_reqtfm(req: desc->req);
489	int fraglen, ret;
490
491	/ Worst case is 4 fragments: head, end of page 1, start*
492	* of page 2, tail. Anything more is a bug. */
493	BUG_ON(desc->fragno > `3`);
494	sg_set_page(sg: &desc->frags[desc->fragno], page: sg_page(sg), len: sg->length,
495	offset: sg->offset);
496	desc->fragno++;
497	desc->fraglen += sg->length;
498
499	fraglen = thislen & (crypto_sync_skcipher_blocksize(tfm) - `1`);
500	thislen -= fraglen;
501
502	if (thislen == `0`)
503	return `0`;
504
505	sg_mark_end(sg: &desc->frags[desc->fragno - `1`]);
506
507	skcipher_request_set_crypt(req: desc->req, src: desc->frags, dst: desc->frags,
508	cryptlen: thislen, iv: desc->iv);
509
510	ret = crypto_skcipher_decrypt(req: desc->req);
511	if (ret)
512	return ret;
513
514	sg_init_table(desc->frags, `4`);
515
516	if (fraglen) {
517	sg_set_page(sg: &desc->frags[`0`], page: sg_page(sg), len: fraglen,
518	offset: sg->offset + sg->length - fraglen);
519	desc->fragno = `1`;
520	desc->fraglen = fraglen;
521	} else {
522	desc->fragno = `0`;
523	desc->fraglen = `0`;
524	}
525	return `0`;
526	}
527
528	int
529	gss_decrypt_xdr_buf(struct crypto_sync_skcipher tfm, struct* xdr_buf *buf,
530	int offset)
531	{
532	int ret;
533	struct decryptor_desc desc;
534	SYNC_SKCIPHER_REQUEST_ON_STACK(req, tfm);
535
536	/ XXXJBF: /
537	BUG_ON((buf->len - offset) % crypto_sync_skcipher_blocksize(tfm) != `0`);
538
539	skcipher_request_set_sync_tfm(req, tfm);
540	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
541
542	memset(desc.iv, `0`, sizeof(desc.iv));
543	desc.req = req;
544	desc.fragno = `0`;
545	desc.fraglen = `0`;
546
547	sg_init_table(desc.frags, `4`);
548
549	ret = xdr_process_buf(buf, offset, len: buf->len - offset, actor: decryptor, data: &desc);
550	skcipher_request_zero(req);
551	return ret;
552	}
553
554	/*
555	* This function makes the assumption that it was ultimately called
556	* from gss_wrap().
557	*
558	* The client auth_gss code moves any existing tail data into a
559	* separate page before calling gss_wrap.
560	* The server svcauth_gss code ensures that both the head and the
561	* tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
562	*
563	* Even with that guarantee, this function may be called more than
564	* once in the processing of gss_wrap(). The best we can do is
565	* verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
566	* largest expected shift will fit within RPC_MAX_AUTH_SIZE.
567	* At run-time we can verify that a single invocation of this
568	* function doesn't attempt to use more the RPC_MAX_AUTH_SIZE.
569	*/
570
571	int
572	xdr_extend_head(struct xdr_buf buf, unsigned* int base, unsigned int shiftlen)
573	{
574	u8 *p;
575
576	if (shiftlen == `0`)
577	return `0`;
578
579	BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);
580
581	p = buf->head[`0`].iov_base + base;
582
583	memmove(p + shiftlen, p, buf->head[`0`].iov_len - base);
584
585	buf->head[`0`].iov_len += shiftlen;
586	buf->len += shiftlen;
587
588	return `0`;
589	}
590
591	static u32
592	gss_krb5_cts_crypt(struct crypto_sync_skcipher cipher, struct* xdr_buf *buf,
593	u32 offset, u8 iv, struct* page *pages, int* encrypt)
594	{
595	u32 ret;
596	struct scatterlist sg[`1`];
597	SYNC_SKCIPHER_REQUEST_ON_STACK(req, cipher);
598	u8 *data;
599	struct page **save_pages;
600	u32 len = buf->len - offset;
601
602	if (len > GSS_KRB5_MAX_BLOCKSIZE * `2`) {
603	WARN_ON(`0`);
604	return -ENOMEM;
605	}
606	data = kmalloc(GSS_KRB5_MAX_BLOCKSIZE * `2`, GFP_KERNEL);
607	if (!data)
608	return -ENOMEM;
609
610	/*
611	* For encryption, we want to read from the cleartext
612	* page cache pages, and write the encrypted data to
613	* the supplied xdr_buf pages.
614	*/
615	save_pages = buf->pages;
616	if (encrypt)
617	buf->pages = pages;
618
619	ret = read_bytes_from_xdr_buf(buf, offset, data, len);
620	buf->pages = save_pages;
621	if (ret)
622	goto out;
623
624	sg_init_one(sg, data, len);
625
626	skcipher_request_set_sync_tfm(req, tfm: cipher);
627	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
628	skcipher_request_set_crypt(req, src: sg, dst: sg, cryptlen: len, iv);
629
630	if (encrypt)
631	ret = crypto_skcipher_encrypt(req);
632	else
633	ret = crypto_skcipher_decrypt(req);
634
635	skcipher_request_zero(req);
636
637	if (ret)
638	goto out;
639
640	ret = write_bytes_to_xdr_buf(buf, offset, data, len);
641
642	#if IS_ENABLED(CONFIG_KUNIT)
643	/*
644	* CBC-CTS does not define an output IV but RFC 3962 defines it as the
645	* penultimate block of ciphertext, so copy that into the IV buffer
646	* before returning.
647	*/
648	if (encrypt)
649	memcpy(iv, data, crypto_sync_skcipher_ivsize(cipher));
650	#endif
651
652	out:
653	kfree(objp: data);
654	return ret;
655	}
656
657	/**
658	* krb5_cbc_cts_encrypt - encrypt in CBC mode with CTS
659	* @cts_tfm: CBC cipher with CTS
660	* @cbc_tfm: base CBC cipher
661	* @offset: starting byte offset for plaintext
662	* @buf: OUT: output buffer
663	* @pages: plaintext
664	* @iv: output CBC initialization vector, or NULL
665	* @ivsize: size of @iv, in octets
666	*
667	* To provide confidentiality, encrypt using cipher block chaining
668	* with ciphertext stealing. Message integrity is handled separately.
669	*
670	* Return values:
671	* %0: encryption successful
672	* negative errno: encryption could not be completed
673	*/
674	VISIBLE_IF_KUNIT
675	int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
676	struct crypto_sync_skcipher *cbc_tfm,
677	u32 offset, struct xdr_buf buf, struct* page **pages,
678	u8 iv, unsigned* int ivsize)
679	{
680	u32 blocksize, nbytes, nblocks, cbcbytes;
681	struct encryptor_desc desc;
682	int err;
683
684	blocksize = crypto_sync_skcipher_blocksize(tfm: cts_tfm);
685	nbytes = buf->len - offset;
686	nblocks = (nbytes + blocksize - `1`) / blocksize;
687	cbcbytes = `0`;
688	if (nblocks > `2`)
689	cbcbytes = (nblocks - `2`) * blocksize;
690
691	memset(desc.iv, `0`, sizeof(desc.iv));
692
693	/ Handle block-sized chunks of plaintext with CBC. /
694	if (cbcbytes) {
695	SYNC_SKCIPHER_REQUEST_ON_STACK(req, cbc_tfm);
696
697	desc.pos = offset;
698	desc.fragno = `0`;
699	desc.fraglen = `0`;
700	desc.pages = pages;
701	desc.outbuf = buf;
702	desc.req = req;
703
704	skcipher_request_set_sync_tfm(req, tfm: cbc_tfm);
705	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
706
707	sg_init_table(desc.infrags, `4`);
708	sg_init_table(desc.outfrags, `4`);
709
710	err = xdr_process_buf(buf, offset, len: cbcbytes, actor: encryptor, data: &desc);
711	skcipher_request_zero(req);
712	if (err)
713	return err;
714	}
715
716	/ Remaining plaintext is handled with CBC-CTS. /
717	err = gss_krb5_cts_crypt(cipher: cts_tfm, buf, offset: offset + cbcbytes,
718	iv: desc.iv, pages, encrypt: `1`);
719	if (err)
720	return err;
721
722	if (unlikely(iv))
723	memcpy(iv, desc.iv, ivsize);
724	return `0`;
725	}
726	EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_encrypt);
727
728	/**
729	* krb5_cbc_cts_decrypt - decrypt in CBC mode with CTS
730	* @cts_tfm: CBC cipher with CTS
731	* @cbc_tfm: base CBC cipher
732	* @offset: starting byte offset for plaintext
733	* @buf: OUT: output buffer
734	*
735	* Return values:
736	* %0: decryption successful
737	* negative errno: decryption could not be completed
738	*/
739	VISIBLE_IF_KUNIT
740	int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
741	struct crypto_sync_skcipher *cbc_tfm,
742	u32 offset, struct xdr_buf *buf)
743	{
744	u32 blocksize, nblocks, cbcbytes;
745	struct decryptor_desc desc;
746	int err;
747
748	blocksize = crypto_sync_skcipher_blocksize(tfm: cts_tfm);
749	nblocks = (buf->len + blocksize - `1`) / blocksize;
750	cbcbytes = `0`;
751	if (nblocks > `2`)
752	cbcbytes = (nblocks - `2`) * blocksize;
753
754	memset(desc.iv, `0`, sizeof(desc.iv));
755
756	/ Handle block-sized chunks of plaintext with CBC. /
757	if (cbcbytes) {
758	SYNC_SKCIPHER_REQUEST_ON_STACK(req, cbc_tfm);
759
760	desc.fragno = `0`;
761	desc.fraglen = `0`;
762	desc.req = req;
763
764	skcipher_request_set_sync_tfm(req, tfm: cbc_tfm);
765	skcipher_request_set_callback(req, flags: `0`, NULL, NULL);
766
767	sg_init_table(desc.frags, `4`);
768
769	err = xdr_process_buf(buf, offset: `0`, len: cbcbytes, actor: decryptor, data: &desc);
770	skcipher_request_zero(req);
771	if (err)
772	return err;
773	}
774
775	/ Remaining plaintext is handled with CBC-CTS. /
776	return gss_krb5_cts_crypt(cipher: cts_tfm, buf, offset: cbcbytes, iv: desc.iv, NULL, encrypt: `0`);
777	}
778	EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_decrypt);
779
780	u32
781	gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
782	struct xdr_buf buf, struct* page **pages)
783	{
784	u32 err;
785	struct xdr_netobj hmac;
786	u8 *ecptr;
787	struct crypto_sync_skcipher cipher, aux_cipher;
788	struct crypto_ahash *ahash;
789	struct page **save_pages;
790	unsigned int conflen;
791
792	if (kctx->initiate) {
793	cipher = kctx->initiator_enc;
794	aux_cipher = kctx->initiator_enc_aux;
795	ahash = kctx->initiator_integ;
796	} else {
797	cipher = kctx->acceptor_enc;
798	aux_cipher = kctx->acceptor_enc_aux;
799	ahash = kctx->acceptor_integ;
800	}
801	conflen = crypto_sync_skcipher_blocksize(tfm: cipher);
802
803	/ hide the gss token header and insert the confounder /
804	offset += GSS_KRB5_TOK_HDR_LEN;
805	if (xdr_extend_head(buf, base: offset, shiftlen: conflen))
806	return GSS_S_FAILURE;
807	krb5_make_confounder(p: buf->head[`0`].iov_base + offset, conflen);
808	offset -= GSS_KRB5_TOK_HDR_LEN;
809
810	if (buf->tail[`0`].iov_base != NULL) {
811	ecptr = buf->tail[`0`].iov_base + buf->tail[`0`].iov_len;
812	} else {
813	buf->tail[`0`].iov_base = buf->head[`0`].iov_base
814	+ buf->head[`0`].iov_len;
815	buf->tail[`0`].iov_len = `0`;
816	ecptr = buf->tail[`0`].iov_base;
817	}
818
819	/ copy plaintext gss token header after filler (if any) /
820	memcpy(ecptr, buf->head[`0`].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
821	buf->tail[`0`].iov_len += GSS_KRB5_TOK_HDR_LEN;
822	buf->len += GSS_KRB5_TOK_HDR_LEN;
823
824	hmac.len = kctx->gk5e->cksumlength;
825	hmac.data = buf->tail[`0`].iov_base + buf->tail[`0`].iov_len;
826
827	/*
828	* When we are called, pages points to the real page cache
829	* data -- which we can't go and encrypt! buf->pages points
830	* to scratch pages which we are going to send off to the
831	* client/server. Swap in the plaintext pages to calculate
832	* the hmac.
833	*/
834	save_pages = buf->pages;
835	buf->pages = pages;
836
837	err = gss_krb5_checksum(ahash, NULL, `0`, buf,
838	offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
839	buf->pages = save_pages;
840	if (err)
841	return GSS_S_FAILURE;
842
843	err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
844	offset + GSS_KRB5_TOK_HDR_LEN,
845	buf, pages, NULL, `0`);
846	if (err)
847	return GSS_S_FAILURE;
848
849	/ Now update buf to account for HMAC /
850	buf->tail[`0`].iov_len += kctx->gk5e->cksumlength;
851	buf->len += kctx->gk5e->cksumlength;
852
853	return GSS_S_COMPLETE;
854	}
855
856	u32
857	gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
858	struct xdr_buf buf, u32 headskip, u32 *tailskip)
859	{
860	struct crypto_sync_skcipher cipher, aux_cipher;
861	struct crypto_ahash *ahash;
862	struct xdr_netobj our_hmac_obj;
863	u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
864	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
865	struct xdr_buf subbuf;
866	u32 ret = `0`;
867
868	if (kctx->initiate) {
869	cipher = kctx->acceptor_enc;
870	aux_cipher = kctx->acceptor_enc_aux;
871	ahash = kctx->acceptor_integ;
872	} else {
873	cipher = kctx->initiator_enc;
874	aux_cipher = kctx->initiator_enc_aux;
875	ahash = kctx->initiator_integ;
876	}
877
878	/ create a segment skipping the header and leaving out the checksum /
879	xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
880	(len - offset - GSS_KRB5_TOK_HDR_LEN -
881	kctx->gk5e->cksumlength));
882
883	ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, `0`, &subbuf);
884	if (ret)
885	goto out_err;
886
887	our_hmac_obj.len = kctx->gk5e->cksumlength;
888	our_hmac_obj.data = our_hmac;
889	ret = gss_krb5_checksum(ahash, NULL, `0`, &subbuf, `0`, &our_hmac_obj);
890	if (ret)
891	goto out_err;
892
893	/ Get the packet's hmac value /
894	ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
895	pkt_hmac, kctx->gk5e->cksumlength);
896	if (ret)
897	goto out_err;
898
899	if (crypto_memneq(a: pkt_hmac, b: our_hmac, size: kctx->gk5e->cksumlength) != `0`) {
900	ret = GSS_S_BAD_SIG;
901	goto out_err;
902	}
903	*headskip = crypto_sync_skcipher_blocksize(tfm: cipher);
904	*tailskip = kctx->gk5e->cksumlength;
905	out_err:
906	if (ret && ret != GSS_S_BAD_SIG)
907	ret = GSS_S_FAILURE;
908	return ret;
909	}
910
911	/**
912	* krb5_etm_checksum - Compute a MAC for a GSS Wrap token
913	* @cipher: an initialized cipher transform
914	* @tfm: an initialized hash transform
915	* @body: xdr_buf containing an RPC message (body.len is the message length)
916	* @body_offset: byte offset into @body to start checksumming
917	* @cksumout: OUT: a buffer to be filled in with the computed HMAC
918	*
919	* Usually expressed as H = HMAC(K, IV \| ciphertext)[1..h] .
920	*
921	* Caller provides the truncation length of the output token (h) in
922	* cksumout.len.
923	*
924	* Return values:
925	* %GSS_S_COMPLETE: Digest computed, @cksumout filled in
926	* %GSS_S_FAILURE: Call failed
927	*/
928	VISIBLE_IF_KUNIT
929	u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
930	struct crypto_ahash tfm, const* struct xdr_buf *body,
931	int body_offset, struct xdr_netobj *cksumout)
932	{
933	unsigned int ivsize = crypto_sync_skcipher_ivsize(tfm: cipher);
934	struct ahash_request *req;
935	struct scatterlist sg[`1`];
936	u8 iv, checksumdata;
937	int err = -ENOMEM;
938
939	checksumdata = kmalloc(size: crypto_ahash_digestsize(tfm), GFP_KERNEL);
940	if (!checksumdata)
941	return GSS_S_FAILURE;
942	/ For RPCSEC, the "initial cipher state" is always all zeroes. /
943	iv = kzalloc(size: ivsize, GFP_KERNEL);
944	if (!iv)
945	goto out_free_mem;
946
947	req = ahash_request_alloc(tfm, GFP_KERNEL);
948	if (!req)
949	goto out_free_mem;
950	ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
951	err = crypto_ahash_init(req);
952	if (err)
953	goto out_free_ahash;
954
955	sg_init_one(sg, iv, ivsize);
956	ahash_request_set_crypt(req, src: sg, NULL, nbytes: ivsize);
957	err = crypto_ahash_update(req);
958	if (err)
959	goto out_free_ahash;
960	err = xdr_process_buf(buf: body, offset: body_offset, len: body->len - body_offset,
961	actor: checksummer, data: req);
962	if (err)
963	goto out_free_ahash;
964
965	ahash_request_set_crypt(req, NULL, result: checksumdata, nbytes: `0`);
966	err = crypto_ahash_final(req);
967	if (err)
968	goto out_free_ahash;
969	memcpy(cksumout->data, checksumdata, cksumout->len);
970
971	out_free_ahash:
972	ahash_request_free(req);
973	out_free_mem:
974	kfree(objp: iv);
975	kfree_sensitive(objp: checksumdata);
976	return err ? GSS_S_FAILURE : GSS_S_COMPLETE;
977	}
978	EXPORT_SYMBOL_IF_KUNIT(krb5_etm_checksum);
979
980	/**
981	* krb5_etm_encrypt - Encrypt using the RFC 8009 rules
982	* @kctx: Kerberos context
983	* @offset: starting offset of the payload, in bytes
984	* @buf: OUT: send buffer to contain the encrypted payload
985	* @pages: plaintext payload
986	*
987	* The main difference with aes_encrypt is that "The HMAC is
988	* calculated over the cipher state concatenated with the AES
989	* output, instead of being calculated over the confounder and
990	* plaintext. This allows the message receiver to verify the
991	* integrity of the message before decrypting the message."
992	*
993	* RFC 8009 Section 5:
994	*
995	* encryption function: as follows, where E() is AES encryption in
996	* CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or
997	* 192 bits as described above).
998	*
999	* N = random value of length 128 bits (the AES block size)
1000	* IV = cipher state
1001	* C = E(Ke, N \| plaintext, IV)
1002	* H = HMAC(Ki, IV \| C)
1003	* ciphertext = C \| H[1..h]
1004	*
1005	* This encryption formula provides AEAD EtM with key separation.
1006	*
1007	* Return values:
1008	* %GSS_S_COMPLETE: Encryption successful
1009	* %GSS_S_FAILURE: Encryption failed
1010	*/
1011	u32
1012	krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset,
1013	struct xdr_buf buf, struct* page **pages)
1014	{
1015	struct crypto_sync_skcipher cipher, aux_cipher;
1016	struct crypto_ahash *ahash;
1017	struct xdr_netobj hmac;
1018	unsigned int conflen;
1019	u8 *ecptr;
1020	u32 err;
1021
1022	if (kctx->initiate) {
1023	cipher = kctx->initiator_enc;
1024	aux_cipher = kctx->initiator_enc_aux;
1025	ahash = kctx->initiator_integ;
1026	} else {
1027	cipher = kctx->acceptor_enc;
1028	aux_cipher = kctx->acceptor_enc_aux;
1029	ahash = kctx->acceptor_integ;
1030	}
1031	conflen = crypto_sync_skcipher_blocksize(tfm: cipher);
1032
1033	offset += GSS_KRB5_TOK_HDR_LEN;
1034	if (xdr_extend_head(buf, base: offset, shiftlen: conflen))
1035	return GSS_S_FAILURE;
1036	krb5_make_confounder(p: buf->head[`0`].iov_base + offset, conflen);
1037	offset -= GSS_KRB5_TOK_HDR_LEN;
1038
1039	if (buf->tail[`0`].iov_base) {
1040	ecptr = buf->tail[`0`].iov_base + buf->tail[`0`].iov_len;
1041	} else {
1042	buf->tail[`0`].iov_base = buf->head[`0`].iov_base
1043	+ buf->head[`0`].iov_len;
1044	buf->tail[`0`].iov_len = `0`;
1045	ecptr = buf->tail[`0`].iov_base;
1046	}
1047
1048	memcpy(ecptr, buf->head[`0`].iov_base + offset, GSS_KRB5_TOK_HDR_LEN);
1049	buf->tail[`0`].iov_len += GSS_KRB5_TOK_HDR_LEN;
1050	buf->len += GSS_KRB5_TOK_HDR_LEN;
1051
1052	err = krb5_cbc_cts_encrypt(cipher, aux_cipher,
1053	offset + GSS_KRB5_TOK_HDR_LEN,
1054	buf, pages, NULL, `0`);
1055	if (err)
1056	return GSS_S_FAILURE;
1057
1058	hmac.data = buf->tail[`0`].iov_base + buf->tail[`0`].iov_len;
1059	hmac.len = kctx->gk5e->cksumlength;
1060	err = krb5_etm_checksum(cipher, ahash,
1061	buf, offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
1062	if (err)
1063	goto out_err;
1064	buf->tail[`0`].iov_len += kctx->gk5e->cksumlength;
1065	buf->len += kctx->gk5e->cksumlength;
1066
1067	return GSS_S_COMPLETE;
1068
1069	out_err:
1070	return GSS_S_FAILURE;
1071	}
1072
1073	/**
1074	* krb5_etm_decrypt - Decrypt using the RFC 8009 rules
1075	* @kctx: Kerberos context
1076	* @offset: starting offset of the ciphertext, in bytes
1077	* @len:
1078	* @buf:
1079	* @headskip: OUT: the enctype's confounder length, in octets
1080	* @tailskip: OUT: the enctype's HMAC length, in octets
1081	*
1082	* RFC 8009 Section 5:
1083	*
1084	* decryption function: as follows, where D() is AES decryption in
1085	* CBC-CS3 mode, and h is the size of truncated HMAC.
1086	*
1087	* (C, H) = ciphertext
1088	* (Note: H is the last h bits of the ciphertext.)
1089	* IV = cipher state
1090	* if H != HMAC(Ki, IV \| C)[1..h]
1091	* stop, report error
1092	* (N, P) = D(Ke, C, IV)
1093	*
1094	* Return values:
1095	* %GSS_S_COMPLETE: Decryption successful
1096	* %GSS_S_BAD_SIG: computed HMAC != received HMAC
1097	* %GSS_S_FAILURE: Decryption failed
1098	*/
1099	u32
1100	krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
1101	struct xdr_buf buf, u32 headskip, u32 *tailskip)
1102	{
1103	struct crypto_sync_skcipher cipher, aux_cipher;
1104	u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
1105	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
1106	struct xdr_netobj our_hmac_obj;
1107	struct crypto_ahash *ahash;
1108	struct xdr_buf subbuf;
1109	u32 ret = `0`;
1110
1111	if (kctx->initiate) {
1112	cipher = kctx->acceptor_enc;
1113	aux_cipher = kctx->acceptor_enc_aux;
1114	ahash = kctx->acceptor_integ;
1115	} else {
1116	cipher = kctx->initiator_enc;
1117	aux_cipher = kctx->initiator_enc_aux;
1118	ahash = kctx->initiator_integ;
1119	}
1120
1121	/ Extract the ciphertext into @subbuf. /
1122	xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
1123	(len - offset - GSS_KRB5_TOK_HDR_LEN -
1124	kctx->gk5e->cksumlength));
1125
1126	our_hmac_obj.data = our_hmac;
1127	our_hmac_obj.len = kctx->gk5e->cksumlength;
1128	ret = krb5_etm_checksum(cipher, ahash, &subbuf, `0`, &our_hmac_obj);
1129	if (ret)
1130	goto out_err;
1131	ret = read_bytes_from_xdr_buf(buf, len - kctx->gk5e->cksumlength,
1132	pkt_hmac, kctx->gk5e->cksumlength);
1133	if (ret)
1134	goto out_err;
1135	if (crypto_memneq(a: pkt_hmac, b: our_hmac, size: kctx->gk5e->cksumlength) != `0`) {
1136	ret = GSS_S_BAD_SIG;
1137	goto out_err;
1138	}
1139
1140	ret = krb5_cbc_cts_decrypt(cipher, aux_cipher, `0`, &subbuf);
1141	if (ret) {
1142	ret = GSS_S_FAILURE;
1143	goto out_err;
1144	}
1145
1146	*headskip = crypto_sync_skcipher_blocksize(tfm: cipher);
1147	*tailskip = kctx->gk5e->cksumlength;
1148	return GSS_S_COMPLETE;
1149
1150	out_err:
1151	if (ret != GSS_S_BAD_SIG)
1152	ret = GSS_S_FAILURE;
1153	return ret;
1154	}
1155

source code of linux/net/sunrpc/auth_gss/gss_krb5_crypto.c