SUNRPC: Move remaining internal definitions to gss_krb5_internal.h

The goal is to leave only protocol-defined items in gss_krb5.h so
that it can be easily replaced by a generic header. Implementation
specific items are moved to the new internal header.

Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
This commit is contained in:
Chuck Lever 2023-01-15 12:23:27 -05:00
parent 6e6d9eee0e
commit 6e460c230d
4 changed files with 111 additions and 118 deletions

View File

@ -42,12 +42,6 @@
#include <linux/sunrpc/gss_err.h> #include <linux/sunrpc/gss_err.h>
#include <linux/sunrpc/gss_asn1.h> #include <linux/sunrpc/gss_asn1.h>
/*
* The RFCs often specify payload lengths in bits. This helper
* converts a specified bit-length to the number of octets/bytes.
*/
#define BITS2OCTETS(x) ((x) / 8)
/* Length of constant used in key derivation */ /* Length of constant used in key derivation */
#define GSS_KRB5_K5CLENGTH (5) #define GSS_KRB5_K5CLENGTH (5)
@ -60,74 +54,6 @@
/* Maximum blocksize for the supported crypto algorithms */ /* Maximum blocksize for the supported crypto algorithms */
#define GSS_KRB5_MAX_BLOCKSIZE (16) #define GSS_KRB5_MAX_BLOCKSIZE (16)
struct krb5_ctx;
struct gss_krb5_enctype {
const u32 etype; /* encryption (key) type */
const u32 ctype; /* checksum type */
const char *name; /* "friendly" name */
const char *encrypt_name; /* crypto encrypt name */
const char *aux_cipher; /* aux encrypt cipher name */
const char *cksum_name; /* crypto checksum name */
const u16 signalg; /* signing algorithm */
const u16 sealalg; /* sealing algorithm */
const u32 cksumlength; /* checksum length */
const u32 keyed_cksum; /* is it a keyed cksum? */
const u32 keybytes; /* raw key len, in bytes */
const u32 keylength; /* protocol key length, in octets */
const u32 Kc_length; /* checksum subkey length, in octets */
const u32 Ke_length; /* encryption subkey length, in octets */
const u32 Ki_length; /* integrity subkey length, in octets */
int (*import_ctx)(struct krb5_ctx *ctx, gfp_t gfp_mask);
int (*derive_key)(const struct gss_krb5_enctype *gk5e,
const struct xdr_netobj *in,
struct xdr_netobj *out,
const struct xdr_netobj *label,
gfp_t gfp_mask);
u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset,
struct xdr_buf *buf, struct page **pages);
u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len,
struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text,
struct xdr_netobj *token);
u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer,
struct xdr_netobj *read_token);
u32 (*wrap)(struct krb5_ctx *kctx, int offset,
struct xdr_buf *buf, struct page **pages);
u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len,
struct xdr_buf *buf, unsigned int *slack,
unsigned int *align);
};
/* krb5_ctx flags definitions */
#define KRB5_CTX_FLAG_INITIATOR 0x00000001
#define KRB5_CTX_FLAG_CFX 0x00000002
#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
struct krb5_ctx {
int initiate; /* 1 = initiating, 0 = accepting */
u32 enctype;
u32 flags;
const struct gss_krb5_enctype *gk5e; /* enctype-specific info */
struct crypto_sync_skcipher *enc;
struct crypto_sync_skcipher *seq;
struct crypto_sync_skcipher *acceptor_enc;
struct crypto_sync_skcipher *initiator_enc;
struct crypto_sync_skcipher *acceptor_enc_aux;
struct crypto_sync_skcipher *initiator_enc_aux;
struct crypto_ahash *acceptor_sign;
struct crypto_ahash *initiator_sign;
struct crypto_ahash *initiator_integ;
struct crypto_ahash *acceptor_integ;
u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
u8 cksum[GSS_KRB5_MAX_KEYLEN];
atomic_t seq_send;
atomic64_t seq_send64;
time64_t endtime;
struct xdr_netobj mech_used;
};
/* The length of the Kerberos GSS token header */ /* The length of the Kerberos GSS token header */
#define GSS_KRB5_TOK_HDR_LEN (16) #define GSS_KRB5_TOK_HDR_LEN (16)
@ -245,47 +171,4 @@ enum seal_alg {
#define KG_USAGE_INITIATOR_SEAL (24) #define KG_USAGE_INITIATOR_SEAL (24)
#define KG_USAGE_INITIATOR_SIGN (25) #define KG_USAGE_INITIATOR_SIGN (25)
/*
* This compile-time check verifies that we will not exceed the
* slack space allotted by the client and server auth_gss code
* before they call gss_wrap().
*/
#define GSS_KRB5_MAX_SLACK_NEEDED \
(GSS_KRB5_TOK_HDR_LEN /* gss token header */ \
+ GSS_KRB5_MAX_CKSUM_LEN /* gss token checksum */ \
+ GSS_KRB5_MAX_BLOCKSIZE /* confounder */ \
+ GSS_KRB5_MAX_BLOCKSIZE /* possible padding */ \
+ GSS_KRB5_TOK_HDR_LEN /* encrypted hdr in v2 token */\
+ GSS_KRB5_MAX_CKSUM_LEN /* encryption hmac */ \
+ 4 + 4 /* RPC verifier */ \
+ GSS_KRB5_TOK_HDR_LEN \
+ GSS_KRB5_MAX_CKSUM_LEN)
u32
make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
struct xdr_buf *body, int body_offset, u8 *cksumkey,
unsigned int usage, struct xdr_netobj *cksumout);
int
gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *outbuf,
int offset, struct page **pages);
int
gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm, struct xdr_buf *inbuf,
int offset);
s32
krb5_make_seq_num(struct krb5_ctx *kctx,
struct crypto_sync_skcipher *key,
int direction,
u32 seqnum, unsigned char *cksum, unsigned char *buf);
s32
krb5_get_seq_num(struct krb5_ctx *kctx,
unsigned char *cksum,
unsigned char *buf, int *direction, u32 *seqnum);
int
xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen);
#endif /* _LINUX_SUNRPC_GSS_KRB5_H */ #endif /* _LINUX_SUNRPC_GSS_KRB5_H */

View File

@ -49,6 +49,22 @@ static unsigned int gss_key_expire_timeo = GSS_KEY_EXPIRE_TIMEO;
# define RPCDBG_FACILITY RPCDBG_AUTH # define RPCDBG_FACILITY RPCDBG_AUTH
#endif #endif
/*
* This compile-time check verifies that we will not exceed the
* slack space allotted by the client and server auth_gss code
* before they call gss_wrap().
*/
#define GSS_KRB5_MAX_SLACK_NEEDED \
(GSS_KRB5_TOK_HDR_LEN /* gss token header */ \
+ GSS_KRB5_MAX_CKSUM_LEN /* gss token checksum */ \
+ GSS_KRB5_MAX_BLOCKSIZE /* confounder */ \
+ GSS_KRB5_MAX_BLOCKSIZE /* possible padding */ \
+ GSS_KRB5_TOK_HDR_LEN /* encrypted hdr in v2 token */ \
+ GSS_KRB5_MAX_CKSUM_LEN /* encryption hmac */ \
+ XDR_UNIT * 2 /* RPC verifier */ \
+ GSS_KRB5_TOK_HDR_LEN \
+ GSS_KRB5_MAX_CKSUM_LEN)
#define GSS_CRED_SLACK (RPC_MAX_AUTH_SIZE * 2) #define GSS_CRED_SLACK (RPC_MAX_AUTH_SIZE * 2)
/* length of a krb5 verifier (48), plus data added before arguments when /* length of a krb5 verifier (48), plus data added before arguments when
* using integrity (two 4-byte integers): */ * using integrity (two 4-byte integers): */
@ -1042,6 +1058,7 @@ gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
goto err_put_mech; goto err_put_mech;
auth = &gss_auth->rpc_auth; auth = &gss_auth->rpc_auth;
auth->au_cslack = GSS_CRED_SLACK >> 2; auth->au_cslack = GSS_CRED_SLACK >> 2;
BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2; auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2;
auth->au_verfsize = GSS_VERF_SLACK >> 2; auth->au_verfsize = GSS_VERF_SLACK >> 2;
auth->au_ralign = GSS_VERF_SLACK >> 2; auth->au_ralign = GSS_VERF_SLACK >> 2;

View File

@ -572,7 +572,6 @@ xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen)
if (shiftlen == 0) if (shiftlen == 0)
return 0; return 0;
BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE); BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);
p = buf->head[0].iov_base + base; p = buf->head[0].iov_base + base;

View File

@ -8,6 +8,79 @@
#ifndef _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H #ifndef _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H
#define _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H #define _NET_SUNRPC_AUTH_GSS_KRB5_INTERNAL_H
/*
* The RFCs often specify payload lengths in bits. This helper
* converts a specified bit-length to the number of octets/bytes.
*/
#define BITS2OCTETS(x) ((x) / 8)
struct krb5_ctx;
struct gss_krb5_enctype {
const u32 etype; /* encryption (key) type */
const u32 ctype; /* checksum type */
const char *name; /* "friendly" name */
const char *encrypt_name; /* crypto encrypt name */
const char *aux_cipher; /* aux encrypt cipher name */
const char *cksum_name; /* crypto checksum name */
const u16 signalg; /* signing algorithm */
const u16 sealalg; /* sealing algorithm */
const u32 cksumlength; /* checksum length */
const u32 keyed_cksum; /* is it a keyed cksum? */
const u32 keybytes; /* raw key len, in bytes */
const u32 keylength; /* protocol key length, in octets */
const u32 Kc_length; /* checksum subkey length, in octets */
const u32 Ke_length; /* encryption subkey length, in octets */
const u32 Ki_length; /* integrity subkey length, in octets */
int (*import_ctx)(struct krb5_ctx *ctx, gfp_t gfp_mask);
int (*derive_key)(const struct gss_krb5_enctype *gk5e,
const struct xdr_netobj *in,
struct xdr_netobj *out,
const struct xdr_netobj *label,
gfp_t gfp_mask);
u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset,
struct xdr_buf *buf, struct page **pages);
u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len,
struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
u32 (*get_mic)(struct krb5_ctx *kctx, struct xdr_buf *text,
struct xdr_netobj *token);
u32 (*verify_mic)(struct krb5_ctx *kctx, struct xdr_buf *message_buffer,
struct xdr_netobj *read_token);
u32 (*wrap)(struct krb5_ctx *kctx, int offset,
struct xdr_buf *buf, struct page **pages);
u32 (*unwrap)(struct krb5_ctx *kctx, int offset, int len,
struct xdr_buf *buf, unsigned int *slack,
unsigned int *align);
};
/* krb5_ctx flags definitions */
#define KRB5_CTX_FLAG_INITIATOR 0x00000001
#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
struct krb5_ctx {
int initiate; /* 1 = initiating, 0 = accepting */
u32 enctype;
u32 flags;
const struct gss_krb5_enctype *gk5e; /* enctype-specific info */
struct crypto_sync_skcipher *enc;
struct crypto_sync_skcipher *seq;
struct crypto_sync_skcipher *acceptor_enc;
struct crypto_sync_skcipher *initiator_enc;
struct crypto_sync_skcipher *acceptor_enc_aux;
struct crypto_sync_skcipher *initiator_enc_aux;
struct crypto_ahash *acceptor_sign;
struct crypto_ahash *initiator_sign;
struct crypto_ahash *initiator_integ;
struct crypto_ahash *acceptor_integ;
u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
u8 cksum[GSS_KRB5_MAX_KEYLEN];
atomic_t seq_send;
atomic64_t seq_send64;
time64_t endtime;
struct xdr_netobj mech_used;
};
/* /*
* GSS Kerberos 5 mechanism Per-Message calls. * GSS Kerberos 5 mechanism Per-Message calls.
*/ */
@ -96,8 +169,19 @@ static inline int krb5_derive_key(struct krb5_ctx *kctx,
return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask); return gk5e->derive_key(gk5e, inkey, outkey, &label, gfp_mask);
} }
s32 krb5_make_seq_num(struct krb5_ctx *kctx, struct crypto_sync_skcipher *key,
int direction, u32 seqnum, unsigned char *cksum,
unsigned char *buf);
s32 krb5_get_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
unsigned char *buf, int *direction, u32 *seqnum);
void krb5_make_confounder(u8 *p, int conflen); void krb5_make_confounder(u8 *p, int conflen);
u32 make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
struct xdr_buf *body, int body_offset, u8 *cksumkey,
unsigned int usage, struct xdr_netobj *cksumout);
u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen, u32 gss_krb5_checksum(struct crypto_ahash *tfm, char *header, int hdrlen,
const struct xdr_buf *body, int body_offset, const struct xdr_buf *body, int body_offset,
struct xdr_netobj *cksumout); struct xdr_netobj *cksumout);
@ -108,6 +192,16 @@ u32 krb5_encrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
u32 krb5_decrypt(struct crypto_sync_skcipher *key, void *iv, void *in, u32 krb5_decrypt(struct crypto_sync_skcipher *key, void *iv, void *in,
void *out, int length); void *out, int length);
int xdr_extend_head(struct xdr_buf *buf, unsigned int base,
unsigned int shiftlen);
int gss_encrypt_xdr_buf(struct crypto_sync_skcipher *tfm,
struct xdr_buf *outbuf, int offset,
struct page **pages);
int gss_decrypt_xdr_buf(struct crypto_sync_skcipher *tfm,
struct xdr_buf *inbuf, int offset);
u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, u32 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
struct xdr_buf *buf, struct page **pages); struct xdr_buf *buf, struct page **pages);