gss_krb5: import functionality to derive keys into the kernel

Import the code to derive Kerberos keys from a base key into the kernel. This will allow us to change the format of the context information sent down from gssd to include only a single key. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: Kevin Coffman <kwc@citi.umich.edu> 2010-03-17 13:02:53 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2010-05-14 15:09:16 -0400
commit: 4891f2d008e4343eedea39ba1fe74864f1d32be0 (patch)
tree: 6fb4048a44cd1c91f818ddc372d5410e59108bdb /include/linux/sunrpc
parent: e1f6c07b1160ef28e8754d12e6c03288dd9d5ca8 (diff)
1 files changed, 31 insertions, 0 deletions
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index abf26efd44ac..d31ba0304d18 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -41,6 +41,9 @@
 #include <linux/sunrpc/gss_err.h>
 #include <linux/sunrpc/gss_asn1.h>
+/* Length of constant used in key derivation */
+#define GSS_KRB5_K5CLENGTH (5)
 /* Maximum key length (in bytes) for the supported crypto algorithms*/
 #define GSS_KRB5_MAX_KEYLEN (32)
@@ -69,6 +72,9 @@ struct gss_krb5_enctype {
        u32 (*decrypt) (struct crypto_blkcipher *tfm,
                        void *iv, void *in, void *out,
                        int length);            /* decryption function */
+        u32 (*mk_key) (struct gss_krb5_enctype *gk5e,
+                       struct xdr_netobj *in,
+                       struct xdr_netobj *out); /* complete key generation */
 };
 struct krb5_ctx {
@@ -148,6 +154,25 @@ enum seal_alg {
 #define ENCTYPE_UNKNOWN         0x01ff
 /*
+ * Constants used for key derivation
+ */
+/* for 3DES */
+#define KG_USAGE_SEAL (22)
+#define KG_USAGE_SIGN (23)
+#define KG_USAGE_SEQ  (24)
+/* from rfc3961 */
+#define KEY_USAGE_SEED_CHECKSUM         (0x99)
+#define KEY_USAGE_SEED_ENCRYPTION       (0xAA)
+#define KEY_USAGE_SEED_INTEGRITY        (0x55)
+/* from rfc4121 */
+#define KG_USAGE_ACCEPTOR_SEAL  (22)
+#define KG_USAGE_ACCEPTOR_SIGN  (23)
+#define KG_USAGE_INITIATOR_SEAL (24)
+#define KG_USAGE_INITIATOR_SIGN (25)
+/*
 * This compile-time check verifies that we will not exceed the
 * slack space allotted by the client and server auth_gss code
 * before they call gss_wrap().
@@ -211,3 +236,9 @@ krb5_get_seq_num(struct crypto_blkcipher *key,
 int
 xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen);
+u32
+krb5_derive_key(struct gss_krb5_enctype *gk5e,
+                const struct xdr_netobj *inkey,
+                struct xdr_netobj *outkey,
+                const struct xdr_netobj *in_constant);
author	Kevin Coffman <kwc@citi.umich.edu>	2010-03-17 13:02:53 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2010-05-14 15:09:16 -0400
commit	4891f2d008e4343eedea39ba1fe74864f1d32be0 (patch)
tree	6fb4048a44cd1c91f818ddc372d5410e59108bdb /include/linux/sunrpc
parent	e1f6c07b1160ef28e8754d12e6c03288dd9d5ca8 (diff)

diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h index abf26efd44ac..d31ba0304d18 100644 --- a/include/linux/sunrpc/gss_krb5.h +++ b/include/linux/sunrpc/gss_krb5.h
@@ -41,6 +41,9 @@
41	#include <linux/sunrpc/gss_err.h>	41	#include <linux/sunrpc/gss_err.h>
42	#include <linux/sunrpc/gss_asn1.h>	42	#include <linux/sunrpc/gss_asn1.h>
43		43
		44	/* Length of constant used in key derivation */
		45	#define GSS_KRB5_K5CLENGTH (5)
		46
44	/* Maximum key length (in bytes) for the supported crypto algorithms*/	47	/* Maximum key length (in bytes) for the supported crypto algorithms*/
45	#define GSS_KRB5_MAX_KEYLEN (32)	48	#define GSS_KRB5_MAX_KEYLEN (32)
46		49
@@ -69,6 +72,9 @@ struct gss_krb5_enctype {
69	u32 (decrypt) (struct crypto_blkcipher tfm,	72	u32 (decrypt) (struct crypto_blkcipher tfm,
70	void iv, void in, void *out,	73	void iv, void in, void *out,
71	int length); /* decryption function */	74	int length); /* decryption function */
		75	u32 (mk_key) (struct gss_krb5_enctype gk5e,
		76	struct xdr_netobj *in,
		77	struct xdr_netobj out); / complete key generation */
72	};	78	};
73		79
74	struct krb5_ctx {	80	struct krb5_ctx {
@@ -148,6 +154,25 @@ enum seal_alg {
148	#define ENCTYPE_UNKNOWN 0x01ff	154	#define ENCTYPE_UNKNOWN 0x01ff
149		155
150	/*	156	/*
		157	* Constants used for key derivation
		158	*/
		159	/* for 3DES */
		160	#define KG_USAGE_SEAL (22)
		161	#define KG_USAGE_SIGN (23)
		162	#define KG_USAGE_SEQ (24)
		163
		164	/* from rfc3961 */
		165	#define KEY_USAGE_SEED_CHECKSUM (0x99)
		166	#define KEY_USAGE_SEED_ENCRYPTION (0xAA)
		167	#define KEY_USAGE_SEED_INTEGRITY (0x55)
		168
		169	/* from rfc4121 */
		170	#define KG_USAGE_ACCEPTOR_SEAL (22)
		171	#define KG_USAGE_ACCEPTOR_SIGN (23)
		172	#define KG_USAGE_INITIATOR_SEAL (24)
		173	#define KG_USAGE_INITIATOR_SIGN (25)
		174
		175	/*
151	* This compile-time check verifies that we will not exceed the	176	* This compile-time check verifies that we will not exceed the
152	* slack space allotted by the client and server auth_gss code	177	* slack space allotted by the client and server auth_gss code
153	* before they call gss_wrap().	178	* before they call gss_wrap().
@@ -211,3 +236,9 @@ krb5_get_seq_num(struct crypto_blkcipher *key,
211		236
212	int	237	int
213	xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen);	238	xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen);
		239
		240	u32
		241	krb5_derive_key(struct gss_krb5_enctype *gk5e,
		242	const struct xdr_netobj *inkey,
		243	struct xdr_netobj *outkey,
		244	const struct xdr_netobj *in_constant);