authorKevin Coffman <kwc@citi.umich.edu>2010-03-17 13:02:55 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2010-05-14 15:09:17 -0400
commit958142e97e04d6c266ae093739bbbbd03afcd497 (patch)
treef945fcf7105663bfccc124c347441268dcf06367 /net/sunrpc
parent683ac6656cb05b6e83593770ffc049eee4a4d119 (diff)
gss_krb5: add support for triple-des encryption
Add the final pieces to support the triple-des encryption type. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_crypto.c3
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_keys.c53
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c23
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c1
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c1
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c2
6 files changed, 83 insertions, 0 deletions
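--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -184,6 +184,9 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
  checksumdata + checksumlen - kctx->gk5e->cksumlength,
  kctx->gk5e->cksumlength);
  break;
+ case CKSUMTYPE_HMAC_SHA1_DES3:
+ memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
+ break;
  default:
  BUG();
  break;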
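Review bot: The new `CKSUMTYPE_HMAC_SHA1_DES3` case copies `kctx->gk5e->cksumlength` bytes into `cksumout->data` with nothing in the hunk showing how large that buffer is, and the enctype entry this commit adds in gss_krb5_mech.c sets that length to 20 where the existing entry uses 8. If any caller of make_checksum still sizes its checksum buffer for the 8-byte case, this memcpy writes past it; the callers are outside the hunk, so this needs confirming rather than assuming. I would state the contract on the case, e.g. `/* HMAC-SHA1 output is used untruncated: cksumout->data must hold cksumlength (20) bytes */`, and check each caller's buffer against the largest `cksumlength` in the table. make_checksum starts and ends outside the hunk.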
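--- a/net/sunrpc/auth_gss/gss_krb5_keys.c
+++ b/net/sunrpc/auth_gss/gss_krb5_keys.c
@@ -250,3 +250,56 @@ err_free_cipher:
 err_return:
  return ret;
 }
+
+#define smask(step) ((1<<step)-1)
+#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
+
+static void mit_des_fixup_key_parity(u8 key[8])
+{
+ int i;
+ for (i = 0; i < 8; i++) {
+ key[i] &= 0xfe;
+ key[i] |= 1^parity_char(key[i]);
+ }
+}
+
+/*
+ * This is the des3 key derivation postprocess function
+ */
+u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
+ struct xdr_netobj *randombits,
+ struct xdr_netobj *key)
+{
+ int i;
+ u32 ret = EINVAL;
+
+ if (key->len != 24) {
+ dprintk("%s: key->len is %d\n", __func__, key->len);
+ goto err_out;
+ }
+ if (randombits->len != 21) {
+ dprintk("%s: randombits->len is %d\n",
+ __func__, randombits->len);
+ goto err_out;
+ }
+
+ /* take the seven bytes, move them around into the top 7 bits of the
+ 8 key bytes, then compute the parity bits. Do this three times. */
+
+ for (i = 0; i < 3; i++) {
+ memcpy(key->data + i*8, randombits->data + i*7, 7);
+ key->data[i*8+7] = (((key->data[i*8]&1)<<1) |
+ ((key->data[i*8+1]&1)<<2) |
+ ((key->data[i*8+2]&1)<<3) |
+ ((key->data[i*8+3]&1)<<4) |
+ ((key->data[i*8+4]&1)<<5) |
+ ((key->data[i*8+5]&1)<<6) |
+ ((key->data[i*8+6]&1)<<7));
+
+ mit_des_fixup_key_parity(key->data + i*8);
+ }
+ ret = 0;
+err_out:
+ return ret;
+}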
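Review bot: The header comment on `gss_krb5_des3_make_key` does not state the function's contract, and the two length checks are the only thing keeping the fixed 3 x 7-byte `memcpy` loop inside `randombits->data` and `key->data`. I would expand it to say that `randombits` must be exactly 21 bytes and `key` exactly 24, that the return value is 0 or a positive `EINVAL` carried in a `u32` (so callers must test for non-zero, not `< 0`), and that `gk5e` is unused. It should also say whether weak and semi-weak DES subkeys are meant to be corrected: as I read RFC 3961 section 6.3.1 the random-to-key step includes that correction, and none is visible here. Separately, `smask` and `pstep` use `step` unparenthesised (`(1<<step)`, `(x)>>step`), which is safe only because every use passes a literal; `(1<<(step))` costs nothing.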
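--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -71,6 +71,26 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
  .cksumlength = 8,
  .keyed_cksum = 0,
  },
+ /*
+ * 3DES
+ */
+ {
+ .etype = ENCTYPE_DES3_CBC_RAW,
+ .ctype = CKSUMTYPE_HMAC_SHA1_DES3,
+ .name = "des3-hmac-sha1",
+ .encrypt_name = "cbc(des3_ede)",
+ .cksum_name = "hmac(sha1)",
+ .encrypt = krb5_encrypt,
+ .decrypt = krb5_decrypt,
+ .mk_key = gss_krb5_des3_make_key,
+ .signalg = SGN_ALG_HMAC_SHA1_DES3_KD,
+ .sealalg = SEAL_ALG_DES3KD,
+ .keybytes = 21,
+ .keylength = 24,
+ .blocksize = 8,
+ .cksumlength = 20,
+ .keyed_cksum = 1,
+ },
 };
 
 static const int num_supported_enctypes =
@@ -440,6 +460,9 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
  p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
  if (IS_ERR(p))
  goto out_err;
+ /* Map ENCTYPE_DES3_CBC_SHA1 to ENCTYPE_DES3_CBC_RAW */
+ if (ctx->enctype == ENCTYPE_DES3_CBC_SHA1)
+ ctx->enctype = ENCTYPE_DES3_CBC_RAW;
  ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
  if (ctx->gk5e == NULL) {
  dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",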
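Review bot: The comment added in `gss_import_v2_context` restates the assignment but not why `ENCTYPE_DES3_CBC_SHA1` has to be rewritten, and the rewrite happens only on this import path. From the rest of the commit the reason appears to be that the new table entry and the switch statements in the seal, unseal and wrap files are keyed on `ENCTYPE_DES3_CBC_RAW`, so a context carrying the SHA1 value would otherwise fail the `get_gss_krb5_enctype` lookup; I would say so, e.g. `/* The enctype table and the v1 token paths are keyed on the RAW value; normalise before the lookup */`. Any other caller that passes an imported enctype to `get_gss_krb5_enctype` would need the same normalisation, which is not visible here. In the table hunk, `.keybytes = 21` and `.keylength = 24` duplicate the literals checked in `gss_krb5_des3_make_key`; a short comment tying the two together would stop them drifting apart. Both `gss_import_v2_context` and the table initialiser continue outside the hunks.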
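--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -142,6 +142,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
  default:
  BUG();
  case ENCTYPE_DES_CBC_RAW:
+ case ENCTYPE_DES3_CBC_RAW:
  return gss_get_mic_v1(ctx, text, token);
  }
 }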
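Review bot: The added `case ENCTYPE_DES3_CBC_RAW:` sits under a `default: BUG();`, and the same one-line addition is repeated in `gss_verify_mic_kerberos` (gss_krb5_unseal.c) and in `gss_wrap_kerberos` and `gss_unwrap_kerberos` (gss_krb5_wrap.c). That leaves four switch statements that must each be updated by hand whenever an entry is added to `supported_gss_krb5_enctypes`, and an enctype that is accepted at import but missing from one switch would hit `BUG()` on first use instead of failing the request. I would at least record the dependency next to the table, e.g. `/* every etype listed here needs a case in the get_mic, verify_mic, wrap and unwrap switches */`; returning an error from the `default` branch would be more forgiving, if the surrounding code allows it. The switch and its function start outside the hunk.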
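--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -152,6 +152,7 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
  default:
  BUG();
  case ENCTYPE_DES_CBC_RAW:
+ case ENCTYPE_DES3_CBC_RAW:
  return gss_verify_mic_v1(ctx, message_buffer, read_token);
  }
 }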
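--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -350,6 +350,7 @@ gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
  default:
  BUG();
  case ENCTYPE_DES_CBC_RAW:
+ case ENCTYPE_DES3_CBC_RAW:
  return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
  }
 }
@@ -363,6 +364,7 @@ gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct xdr_buf *buf)
  default:
  BUG();
  case ENCTYPE_DES_CBC_RAW:
+ case ENCTYPE_DES3_CBC_RAW:
  return gss_unwrap_kerberos_v1(kctx, offset, buf);
  }
 }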