gss_krb5: add support for triple-des encryption

Add the final pieces to support the triple-des encryption type. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: Kevin Coffman <kwc@citi.umich.edu> 2010-03-17 13:02:55 -0400
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2010-05-14 15:09:17 -0400
commit: 958142e97e04d6c266ae093739bbbbd03afcd497 (patch)
tree: f945fcf7105663bfccc124c347441268dcf06367 /net/sunrpc
parent: 683ac6656cb05b6e83593770ffc049eee4a4d119 (diff)
6 files changed, 83 insertions, 0 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index cae04d7a45a5..bb76873aa019 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -184,6 +184,9 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
                       checksumdata + checksumlen - kctx->gk5e->cksumlength,
                       kctx->gk5e->cksumlength);
                break;
+        case CKSUMTYPE_HMAC_SHA1_DES3:
+                memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
+                break;
        default:
                BUG();
                break;
diff --git a/net/sunrpc/auth_gss/gss_krb5_keys.c b/net/sunrpc/auth_gss/gss_krb5_keys.c
index 253b4149584a..d54668790f0c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_keys.c
+++ b/net/sunrpc/auth_gss/gss_krb5_keys.c
@@ -250,3 +250,56 @@ err_free_cipher:
 err_return:
        return ret;
 }
+#define smask(step) ((1<<step)-1)
+#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
+static void mit_des_fixup_key_parity(u8 key[8])
+{
+        int i;
+        for (i = 0; i < 8; i++) {
+                key[i] &= 0xfe;
+                key[i] |= 1^parity_char(key[i]);
+        }
+}
+/*
+ * This is the des3 key derivation postprocess function
+ */
+u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
+                           struct xdr_netobj *randombits,
+                           struct xdr_netobj *key)
+{
+        int i;
+        u32 ret = EINVAL;
+        if (key->len != 24) {
+                dprintk("%s: key->len is %d\n", __func__, key->len);
+                goto err_out;
+        }
+        if (randombits->len != 21) {
+                dprintk("%s: randombits->len is %d\n",
+                        __func__, randombits->len);
+                goto err_out;
+        }
+        /* take the seven bytes, move them around into the top 7 bits of the
+           8 key bytes, then compute the parity bits.  Do this three times. */
+        for (i = 0; i < 3; i++) {
+                memcpy(key->data + i*8, randombits->data + i*7, 7);
+                key->data[i*8+7] = (((key->data[i*8]&1)<<1) |
+                                    ((key->data[i*8+1]&1)<<2) |
+                                    ((key->data[i*8+2]&1)<<3) |
+                                    ((key->data[i*8+3]&1)<<4) |
+                                    ((key->data[i*8+4]&1)<<5) |
+                                    ((key->data[i*8+5]&1)<<6) |
+                                    ((key->data[i*8+6]&1)<<7));
+                mit_des_fixup_key_parity(key->data + i*8);
+        }
+        ret = 0;
+err_out:
+        return ret;
+}
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 03f1dcddbd29..7cebdf843266 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -71,6 +71,26 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
          .cksumlength = 8,
          .keyed_cksum = 0,
        },
+        /*
+         * 3DES
+         */
+        {
+          .etype = ENCTYPE_DES3_CBC_RAW,
+          .ctype = CKSUMTYPE_HMAC_SHA1_DES3,
+          .name = "des3-hmac-sha1",
+          .encrypt_name = "cbc(des3_ede)",
+          .cksum_name = "hmac(sha1)",
+          .encrypt = krb5_encrypt,
+          .decrypt = krb5_decrypt,
+          .mk_key = gss_krb5_des3_make_key,
+          .signalg = SGN_ALG_HMAC_SHA1_DES3_KD,
+          .sealalg = SEAL_ALG_DES3KD,
+          .keybytes = 21,
+          .keylength = 24,
+          .blocksize = 8,
+          .cksumlength = 20,
+          .keyed_cksum = 1,
+        },
 };
 static const int num_supported_enctypes =
@@ -440,6 +460,9 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
        p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
        if (IS_ERR(p))
                goto out_err;
+        /* Map ENCTYPE_DES3_CBC_SHA1 to ENCTYPE_DES3_CBC_RAW */
+        if (ctx->enctype == ENCTYPE_DES3_CBC_SHA1)
+                ctx->enctype = ENCTYPE_DES3_CBC_RAW;
        ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
        if (ctx->gk5e == NULL) {
                dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index cd512719092b..7ede900049a7 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -142,6 +142,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
        default:
                BUG();
        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
                return gss_get_mic_v1(ctx, text, token);
        }
 }
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 7515bffddf15..3e15bdb5a9eb 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -152,6 +152,7 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
        default:
                BUG();
        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
                return gss_verify_mic_v1(ctx, message_buffer, read_token);
        }
 }
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index 2eb3046a84ea..1c8ebd3dbd3c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -350,6 +350,7 @@ gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
        default:
                BUG();
        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
                return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
        }
 }
@@ -363,6 +364,7 @@ gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct xdr_buf *buf)
        default:
                BUG();
        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
                return gss_unwrap_kerberos_v1(kctx, offset, buf);
        }
 }
author	Kevin Coffman <kwc@citi.umich.edu>	2010-03-17 13:02:55 -0400
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2010-05-14 15:09:17 -0400
commit	958142e97e04d6c266ae093739bbbbd03afcd497 (patch)
tree	f945fcf7105663bfccc124c347441268dcf06367 /net/sunrpc
parent	683ac6656cb05b6e83593770ffc049eee4a4d119 (diff)

diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index cae04d7a45a5..bb76873aa019 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -184,6 +184,9 @@ make_checksum(struct krb5_ctx kctx, char header, int hdrlen,
184	checksumdata + checksumlen - kctx->gk5e->cksumlength,	184	checksumdata + checksumlen - kctx->gk5e->cksumlength,
185	kctx->gk5e->cksumlength);	185	kctx->gk5e->cksumlength);
186	break;	186	break;
		187	case CKSUMTYPE_HMAC_SHA1_DES3:
		188	memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
		189	break;
187	default:	190	default:
188	BUG();	191	BUG();
189	break;	192	break;


diff --git a/net/sunrpc/auth_gss/gss_krb5_keys.c b/net/sunrpc/auth_gss/gss_krb5_keys.c index 253b4149584a..d54668790f0c 100644 --- a/net/sunrpc/auth_gss/gss_krb5_keys.c +++ b/net/sunrpc/auth_gss/gss_krb5_keys.c
@@ -250,3 +250,56 @@ err_free_cipher:
250	err_return:	250	err_return:
251	return ret;	251	return ret;
252	}	252	}
		253
		254	#define smask(step) ((1<<step)-1)
		255	#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
		256	#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
		257
		258	static void mit_des_fixup_key_parity(u8 key[8])
		259	{
		260	int i;
		261	for (i = 0; i < 8; i++) {
		262	key[i] &= 0xfe;
		263	key[i] \|= 1^parity_char(key[i]);
		264	}
		265	}
		266
		267	/*
		268	* This is the des3 key derivation postprocess function
		269	*/
		270	u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
		271	struct xdr_netobj *randombits,
		272	struct xdr_netobj *key)
		273	{
		274	int i;
		275	u32 ret = EINVAL;
		276
		277	if (key->len != 24) {
		278	dprintk("%s: key->len is %d\n", __func__, key->len);
		279	goto err_out;
		280	}
		281	if (randombits->len != 21) {
		282	dprintk("%s: randombits->len is %d\n",
		283	__func__, randombits->len);
		284	goto err_out;
		285	}
		286
		287	/* take the seven bytes, move them around into the top 7 bits of the
		288	8 key bytes, then compute the parity bits. Do this three times. */
		289
		290	for (i = 0; i < 3; i++) {
		291	memcpy(key->data + i8, randombits->data + i7, 7);
		292	key->data[i8+7] = (((key->data[i8]&1)<<1) \|
		293	((key->data[i*8+1]&1)<<2) \|
		294	((key->data[i*8+2]&1)<<3) \|
		295	((key->data[i*8+3]&1)<<4) \|
		296	((key->data[i*8+4]&1)<<5) \|
		297	((key->data[i*8+5]&1)<<6) \|
		298	((key->data[i*8+6]&1)<<7));
		299
		300	mit_des_fixup_key_parity(key->data + i*8);
		301	}
		302	ret = 0;
		303	err_out:
		304	return ret;
		305	}


diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 03f1dcddbd29..7cebdf843266 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -71,6 +71,26 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
71	.cksumlength = 8,	71	.cksumlength = 8,
72	.keyed_cksum = 0,	72	.keyed_cksum = 0,
73	},	73	},
		74	/*
		75	* 3DES
		76	*/
		77	{
		78	.etype = ENCTYPE_DES3_CBC_RAW,
		79	.ctype = CKSUMTYPE_HMAC_SHA1_DES3,
		80	.name = "des3-hmac-sha1",
		81	.encrypt_name = "cbc(des3_ede)",
		82	.cksum_name = "hmac(sha1)",
		83	.encrypt = krb5_encrypt,
		84	.decrypt = krb5_decrypt,
		85	.mk_key = gss_krb5_des3_make_key,
		86	.signalg = SGN_ALG_HMAC_SHA1_DES3_KD,
		87	.sealalg = SEAL_ALG_DES3KD,
		88	.keybytes = 21,
		89	.keylength = 24,
		90	.blocksize = 8,
		91	.cksumlength = 20,
		92	.keyed_cksum = 1,
		93	},
74	};	94	};
75		95
76	static const int num_supported_enctypes =	96	static const int num_supported_enctypes =
@@ -440,6 +460,9 @@ gss_import_v2_context(const void p, const void end, struct krb5_ctx *ctx)
440	p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));	460	p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
441	if (IS_ERR(p))	461	if (IS_ERR(p))
442	goto out_err;	462	goto out_err;
		463	/* Map ENCTYPE_DES3_CBC_SHA1 to ENCTYPE_DES3_CBC_RAW */
		464	if (ctx->enctype == ENCTYPE_DES3_CBC_SHA1)
		465	ctx->enctype = ENCTYPE_DES3_CBC_RAW;
443	ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);	466	ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
444	if (ctx->gk5e == NULL) {	467	if (ctx->gk5e == NULL) {
445	dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",	468	dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",


diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index cd512719092b..7ede900049a7 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -142,6 +142,7 @@ gss_get_mic_kerberos(struct gss_ctx gss_ctx, struct xdr_buf text,
142	default:	142	default:
143	BUG();	143	BUG();
144	case ENCTYPE_DES_CBC_RAW:	144	case ENCTYPE_DES_CBC_RAW:
		145	case ENCTYPE_DES3_CBC_RAW:
145	return gss_get_mic_v1(ctx, text, token);	146	return gss_get_mic_v1(ctx, text, token);
146	}	147	}
147	}	148	}


diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 7515bffddf15..3e15bdb5a9eb 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -152,6 +152,7 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
152	default:	152	default:
153	BUG();	153	BUG();
154	case ENCTYPE_DES_CBC_RAW:	154	case ENCTYPE_DES_CBC_RAW:
		155	case ENCTYPE_DES3_CBC_RAW:
155	return gss_verify_mic_v1(ctx, message_buffer, read_token);	156	return gss_verify_mic_v1(ctx, message_buffer, read_token);
156	}	157	}
157	}	158	}


diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index 2eb3046a84ea..1c8ebd3dbd3c 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -350,6 +350,7 @@ gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
350	default:	350	default:
351	BUG();	351	BUG();
352	case ENCTYPE_DES_CBC_RAW:	352	case ENCTYPE_DES_CBC_RAW:
		353	case ENCTYPE_DES3_CBC_RAW:
353	return gss_wrap_kerberos_v1(kctx, offset, buf, pages);	354	return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
354	}	355	}
355	}	356	}
@@ -363,6 +364,7 @@ gss_unwrap_kerberos(struct gss_ctx gctx, int offset, struct xdr_buf buf)
363	default:	364	default:
364	BUG();	365	BUG();
365	case ENCTYPE_DES_CBC_RAW:	366	case ENCTYPE_DES_CBC_RAW:
		367	case ENCTYPE_DES3_CBC_RAW:
366	return gss_unwrap_kerberos_v1(kctx, offset, buf);	368	return gss_unwrap_kerberos_v1(kctx, offset, buf);
367	}	369	}
368	}	370	}