author | Kevin Coffman <kwc@citi.umich.edu> | 2010-03-17 13:02:55 -0400 |
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2010-05-14 15:09:17 -0400 |
commit | 958142e97e04d6c266ae093739bbbbd03afcd497 (patch) | |
tree | f945fcf7105663bfccc124c347441268dcf06367 /net/sunrpc | |
parent | 683ac6656cb05b6e83593770ffc049eee4a4d119 (diff) |
gss_krb5: add support for triple-des encryption
Add the final pieces to support the triple-des encryption type.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc')
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_keys.c | 53 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 23 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_seal.c | 1 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_unseal.c | 1 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 2 |
6 files changed, 83 insertions, 0 deletions
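--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -184,6 +184,9 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
 				checksumdata + checksumlen - kctx->gk5e->cksumlength,
 				kctx->gk5e->cksumlength);
 		break;
+	case CKSUMTYPE_HMAC_SHA1_DES3:
+		memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
+		break;
 	default:
 		BUG();
 		break;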
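Review bot: The new CKSUMTYPE_HMAC_SHA1_DES3 case copies kctx->gk5e->cksumlength bytes from checksumdata without relating that length to checksumlen, the digest size the case above uses to locate its tail. The 3DES enctype table sets cksumlength to 20, which matches a full HMAC-SHA1 output, so the copy is presumably exact today, but that invariant is only visible by reading another file. A comment on the new case would pin it down for the next enctype someone adds, e.g. `/* HMAC-SHA1 output is exactly cksumlength (20) bytes: use the whole digest */`. make_checksum begins and ends outside this hunk, so whether cksumout->len is set afterwards cannot be confirmed here.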
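--- a/net/sunrpc/auth_gss/gss_krb5_keys.c
+++ b/net/sunrpc/auth_gss/gss_krb5_keys.c
@@ -250,3 +250,56 @@ err_free_cipher:
 err_return:
 	return ret;
 }
+
+#define smask(step) ((1<<step)-1)
+#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
+
+static void mit_des_fixup_key_parity(u8 key[8])
+{
+	int i;
+	for (i = 0; i < 8; i++) {
+		key[i] &= 0xfe;
+		key[i] |= 1^parity_char(key[i]);
+	}
+}
+
+/*
+ * This is the des3 key derivation postprocess function
+ */
+u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
+			   struct xdr_netobj *randombits,
+			   struct xdr_netobj *key)
+{
+	int i;
+	u32 ret = EINVAL;
+
+	if (key->len != 24) {
+		dprintk("%s: key->len is %d\n", __func__, key->len);
+		goto err_out;
+	}
+	if (randombits->len != 21) {
+		dprintk("%s: randombits->len is %d\n",
+			__func__, randombits->len);
+		goto err_out;
+	}
+
+	/* take the seven bytes, move them around into the top 7 bits of the
+	   8 key bytes, then compute the parity bits. Do this three times. */
+
+	for (i = 0; i < 3; i++) {
+		memcpy(key->data + i*8, randombits->data + i*7, 7);
+		key->data[i*8+7] = (((key->data[i*8]&1)<<1) |
+				    ((key->data[i*8+1]&1)<<2) |
+				    ((key->data[i*8+2]&1)<<3) |
+				    ((key->data[i*8+3]&1)<<4) |
+				    ((key->data[i*8+4]&1)<<5) |
+				    ((key->data[i*8+5]&1)<<6) |
+				    ((key->data[i*8+6]&1)<<7));
+
+		mit_des_fixup_key_parity(key->data + i*8);
+	}
+	ret = 0;
+err_out:
+	return ret;
+}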
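Review bot: gss_krb5_des3_make_key validates the buffer sizes against the literals 24 and 21 while the gk5e parameter, which the mech table populates with .keylength = 24 and .keybytes = 21 for exactly this enctype, goes unused; checking `if (key->len != gk5e->keylength)` and `if (randombits->len != gk5e->keybytes)` keeps the single source of truth in the table and stops the two from drifting apart. The two dprintk calls print a length with `%d`; if xdr_netobj's len is unsigned (it appears to be elsewhere in sunrpc) `%u` is the matching specifier. In the smask and pstep macros the step argument is expanded unparenthesized in `1<<step` and `(x)>>step`, which is harmless for the literal 4/2/1 callers here but worth `(step)` for hygiene. The function comment could also say what the contract is, e.g. `/* Expand 21 random bytes into a 24-byte 3DES key: each 7-byte chunk becomes 8 bytes with DES odd parity. */`, since the 21/24 split is otherwise only implied by the constants.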
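--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -71,6 +71,26 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 	  .cksumlength = 8,
 	  .keyed_cksum = 0,
 	},
+	/*
+	 * 3DES
+	 */
+	{
+	  .etype = ENCTYPE_DES3_CBC_RAW,
+	  .ctype = CKSUMTYPE_HMAC_SHA1_DES3,
+	  .name = "des3-hmac-sha1",
+	  .encrypt_name = "cbc(des3_ede)",
+	  .cksum_name = "hmac(sha1)",
+	  .encrypt = krb5_encrypt,
+	  .decrypt = krb5_decrypt,
+	  .mk_key = gss_krb5_des3_make_key,
+	  .signalg = SGN_ALG_HMAC_SHA1_DES3_KD,
+	  .sealalg = SEAL_ALG_DES3KD,
+	  .keybytes = 21,
+	  .keylength = 24,
+	  .blocksize = 8,
+	  .cksumlength = 20,
+	  .keyed_cksum = 1,
+	},
 };
 
 static const int num_supported_enctypes =
@@ -440,6 +460,9 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
 	p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
 	if (IS_ERR(p))
 		goto out_err;
+	/* Map ENCTYPE_DES3_CBC_SHA1 to ENCTYPE_DES3_CBC_RAW */
+	if (ctx->enctype == ENCTYPE_DES3_CBC_SHA1)
+		ctx->enctype = ENCTYPE_DES3_CBC_RAW;
 	ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
 	if (ctx->gk5e == NULL) {
 		dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",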
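Review bot: In the gss_import_v2_context hunk the ENCTYPE_DES3_CBC_SHA1 value is overwritten in ctx->enctype before the table lookup, so the context no longer records the enctype it was actually imported with; anything downstream that logs, exports or compares ctx->enctype will see ENCTYPE_DES3_CBC_RAW instead, which is presumably intended but is not stated. The comment says what is mapped but not why; it would help to say `/* DES3_CBC_SHA1 is handled by the DES3_CBC_RAW table entry (same cipher, HMAC-SHA1 checksum) */` so the next reader does not take the rewrite for a bug. gss_import_v2_context begins and ends outside this hunk, so whether an earlier v1 import path needs the same mapping cannot be checked here.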
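--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -142,6 +142,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
 	default:
 		BUG();
 	case ENCTYPE_DES_CBC_RAW:
+	case ENCTYPE_DES3_CBC_RAW:
 		return gss_get_mic_v1(ctx, text, token);
 	}
 }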
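Review bot: The same enctype-to-token-version dispatch is now spelled out in four separate switches — gss_get_mic_kerberos here, gss_verify_mic_kerberos in gss_krb5_unseal.c, and gss_wrap_kerberos and gss_unwrap_kerberos in gss_krb5_wrap.c — and each has to gain the new `case ENCTYPE_DES3_CBC_RAW:` label independently, which is easy to miss for the next enctype. Short of factoring the mapping into the enctype table, a comment on each switch such as `/* keep the enctype list in sync with gss_krb5_unseal.c and gss_krb5_wrap.c */` would at least point maintainers at the siblings. The `default: BUG();` falling into the case labels is pre-existing and relies on BUG() not returning; a `/* fallthrough */` marker is not needed there, but the switch bodies start outside the hunk so any other cases cannot be checked from here.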
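--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -152,6 +152,7 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
 	default:
 		BUG();
 	case ENCTYPE_DES_CBC_RAW:
+	case ENCTYPE_DES3_CBC_RAW:
 		return gss_verify_mic_v1(ctx, message_buffer, read_token);
 	}
 }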
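--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -350,6 +350,7 @@ gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
 	default:
 		BUG();
 	case ENCTYPE_DES_CBC_RAW:
+	case ENCTYPE_DES3_CBC_RAW:
 		return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
 	}
 }
@@ -363,6 +364,7 @@ gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct xdr_buf *buf)
 	default:
 		BUG();
 	case ENCTYPE_DES_CBC_RAW:
+	case ENCTYPE_DES3_CBC_RAW:
 		return gss_unwrap_kerberos_v1(kctx, offset, buf);
 	}
 }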