[v1,09/41] SUNRPC: Obscure Kerberos integrity keys

Message ID	167362334479.8960.14337520339947064030.stgit@bazille.1015granger.net (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-nfs-owner@vger.kernel.org> Subject: [PATCH v1 09/41] SUNRPC: Obscure Kerberos integrity keys From: Chuck Lever <cel@kernel.org> To: linux-nfs@vger.kernel.org Cc: dhowells@redhat.com, simo@redhat.com Date: Fri, 13 Jan 2023 10:22:24 -0500 Message-ID: <167362334479.8960.14337520339947064030.stgit@bazille.1015granger.net> In-Reply-To: <167362164696.8960.16701168753472560115.stgit@bazille.1015granger.net> References: <167362164696.8960.16701168753472560115.stgit@bazille.1015granger.net> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Precedence: bulk
Series	RPCSEC GSS krb5 enhancements \| expand [v1,00/41] RPCSEC GSS krb5 enhancements [v1,01/41] SUNRPC: Add header ifdefs to linux/sunrpc/gss_krb5.h [v1,02/41] SUNRPC: Remove .blocksize field from struct gss_krb5_enctype [v1,03/41] SUNRPC: Remove .conflen field from struct gss_krb5_enctype [v1,04/41] SUNRPC: Improve Kerberos confounder generation [v1,05/41] SUNRPC: Obscure Kerberos session key [v1,06/41] SUNRPC: Refactor set-up for aux_cipher [v1,07/41] SUNRPC: Obscure Kerberos encryption keys [v1,08/41] SUNRPC: Obscure Kerberos signing keys [v1,09/41] SUNRPC: Obscure Kerberos integrity keys [v1,10/41] SUNRPC: Refactor the GSS-API Per Message calls in the Kerberos mechanism [v1,11/41] SUNRPC: Remove another switch on ctx->enctype [v1,12/41] SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file [v1,13/41] NFSD: Replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink [v1,14/41] SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro [v1,15/41] SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES [v1,16/41] SUNRPC: Remove ->encrypt and ->decrypt methods from struct gss_krb5_enctype [v1,17/41] SUNRPC: Rename .encrypt_v2 and .decrypt_v2 methods [v1,18/41] SUNRPC: Hoist KDF into struct gss_krb5_enctype [v1,19/41] SUNRPC: Clean up cipher set up for v1 encryption types [v1,20/41] SUNRPC: Parametrize the key length passed to context_v2_alloc_cipher() [v1,21/41] SUNRPC: Add new subkey length fields [v1,22/41] SUNRPC: Refactor CBC with CTS into helpers [v1,23/41] SUNRPC: Add gk5e definitions for RFC 8009 encryption types [v1,24/41] SUNRPC: Add KDF-HMAC-SHA2 [v1,25/41] SUNRPC: Add RFC 8009 encryption and decryption functions [v1,26/41] SUNRPC: Advertise support for RFC 8009 encryption types [v1,27/41] SUNRPC: Support the Camellia enctypes [v1,28/41] SUNRPC: Add KDF_FEEDBACK_CMAC [v1,29/41] SUNRPC: Advertise support for the Camellia encryption types [v1,30/41] SUNRPC: Move remaining internal definitions to gss_krb5_internal.h [v1,31/41] SUNRPC: Add KUnit tests for rpcsec_krb5.ko [v1,32/41] SUNRPC: Export get_gss_krb5_enctype() [v1,33/41] SUNRPC: Add KUnit tests RFC 3961 Key Derivation [v1,34/41] SUNRPC: Add Kunit tests for RFC 3962-defined encryption/decryption [v1,35/41] SUNRPC: Add KDF KUnit tests for the RFC 6803 encryption types [v1,36/41] SUNRPC: Add checksum KUnit tests for the RFC 6803 encryption types [v1,37/41] SUNRPC: Add encryption KUnit tests for the RFC 6803 encryption types [v1,38/41] SUNRPC: Add KDF-HMAC-SHA2 Kunit tests [v1,39/41] SUNRPC: Add RFC 8009 checksum KUnit tests [v1,40/41] SUNRPC: Add RFC 8009 encryption KUnit tests [v1,41/41] SUNRPC: Add encryption self-tests

diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h index a9b29401d6d1..65e3c0853a0b 100644 --- a/include/linux/sunrpc/gss_krb5.h +++ b/include/linux/sunrpc/gss_krb5.h @@ -106,6 +106,8 @@ struct krb5_ctx { struct crypto_sync_skcipher *initiator_enc_aux; struct crypto_ahash *acceptor_sign; struct crypto_ahash *initiator_sign; + struct crypto_ahash *initiator_integ; + struct crypto_ahash *acceptor_integ; u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */ u8 cksum[GSS_KRB5_MAX_KEYLEN]; atomic_t seq_send; @@ -114,8 +116,6 @@ struct krb5_ctx { atomic64_t confounder; siphash_key_t confkey; struct xdr_netobj mech_used; - u8 initiator_integ[GSS_KRB5_MAX_KEYLEN]; - u8 acceptor_integ[GSS_KRB5_MAX_KEYLEN]; }; /* The length of the Kerberos GSS token header */ @@ -237,11 +237,6 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, struct xdr_buf *body, int body_offset, u8 *cksumkey, unsigned int usage, struct xdr_netobj *cksumout); -u32 -make_checksum_v2(struct krb5_ctx *, char *header, int hdrlen, - struct xdr_buf *body, int body_offset, u8 *key, - unsigned int usage, struct xdr_netobj *cksum); - u32 gss_get_mic_kerberos(struct gss_ctx *, struct xdr_buf *, struct xdr_netobj *); diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index 3fe16852ccd8..3ffe66779fb7 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c @@ -254,93 +254,6 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, return err ? GSS_S_FAILURE : 0; } -/* - * checksum the plaintext data and hdrlen bytes of the token header - * Per rfc4121, sec. 4.2.4, the checksum is performed over the data - * body then over the first 16 octets of the MIC token - * Inclusion of the header data in the calculation of the - * checksum is optional. - */ -u32 -make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen, - struct xdr_buf *body, int body_offset, u8 *cksumkey, - unsigned int usage, struct xdr_netobj *cksumout) -{ - struct crypto_ahash *tfm; - struct ahash_request *req; - struct scatterlist sg[1]; - int err = -1; - u8 *checksumdata; - - if (kctx->gk5e->keyed_cksum == 0) { - dprintk("%s: expected keyed hash for %s\n", - __func__, kctx->gk5e->name); - return GSS_S_FAILURE; - } - if (cksumkey == NULL) { - dprintk("%s: no key supplied for %s\n", - __func__, kctx->gk5e->name); - return GSS_S_FAILURE; - } - - checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_KERNEL); - if (!checksumdata) - return GSS_S_FAILURE; - - tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC); - if (IS_ERR(tfm)) - goto out_free_cksum; - - req = ahash_request_alloc(tfm, GFP_KERNEL); - if (!req) - goto out_free_ahash; - - ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); - - err = crypto_ahash_setkey(tfm, cksumkey, kctx->gk5e->keylength); - if (err) - goto out; - - err = crypto_ahash_init(req); - if (err) - goto out; - err = xdr_process_buf(body, body_offset, body->len - body_offset, - checksummer, req); - if (err) - goto out; - if (header != NULL) { - sg_init_one(sg, header, hdrlen); - ahash_request_set_crypt(req, sg, NULL, hdrlen); - err = crypto_ahash_update(req); - if (err) - goto out; - } - ahash_request_set_crypt(req, NULL, checksumdata, 0); - err = crypto_ahash_final(req); - if (err) - goto out; - - cksumout->len = kctx->gk5e->cksumlength; - - switch (kctx->gk5e->ctype) { - case CKSUMTYPE_HMAC_SHA1_96_AES128: - case CKSUMTYPE_HMAC_SHA1_96_AES256: - /* note that this truncates the hash */ - memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength); - break; - default: - BUG(); - break; - } -out: - ahash_request_free(req); -out_free_ahash: - crypto_free_ahash(tfm); -out_free_cksum: - kfree(checksumdata); - return err ? GSS_S_FAILURE : 0; -} - /** * gss_krb5_checksum - Compute the MAC for a GSS Wrap or MIC token * @tfm: an initialized hash transform @@ -697,27 +610,24 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, { u32 err; struct xdr_netobj hmac; - u8 *cksumkey; u8 *ecptr; struct crypto_sync_skcipher *cipher, *aux_cipher; + struct crypto_ahash *ahash; int blocksize; struct page **save_pages; int nblocks, nbytes; struct encryptor_desc desc; u32 cbcbytes; - unsigned int usage; unsigned int conflen; if (kctx->initiate) { cipher = kctx->initiator_enc; aux_cipher = kctx->initiator_enc_aux; - cksumkey = kctx->initiator_integ; - usage = KG_USAGE_INITIATOR_SEAL; + ahash = kctx->initiator_integ; } else { cipher = kctx->acceptor_enc; aux_cipher = kctx->acceptor_enc_aux; - cksumkey = kctx->acceptor_integ; - usage = KG_USAGE_ACCEPTOR_SEAL; + ahash = kctx->acceptor_integ; } blocksize = crypto_sync_skcipher_blocksize(cipher); conflen = crypto_sync_skcipher_blocksize(cipher); @@ -757,9 +667,8 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, save_pages = buf->pages; buf->pages = pages; - err = make_checksum_v2(kctx, NULL, 0, buf, - offset + GSS_KRB5_TOK_HDR_LEN, - cksumkey, usage, &hmac); + err = gss_krb5_checksum(ahash, NULL, 0, buf, + offset + GSS_KRB5_TOK_HDR_LEN, &hmac); buf->pages = save_pages; if (err) return GSS_S_FAILURE; @@ -820,25 +729,22 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, { struct xdr_buf subbuf; u32 ret = 0; - u8 *cksum_key; struct crypto_sync_skcipher *cipher, *aux_cipher; + struct crypto_ahash *ahash; struct xdr_netobj our_hmac_obj; u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN]; u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN]; int nblocks, blocksize, cbcbytes; struct decryptor_desc desc; - unsigned int usage; if (kctx->initiate) { cipher = kctx->acceptor_enc; aux_cipher = kctx->acceptor_enc_aux; - cksum_key = kctx->acceptor_integ; - usage = KG_USAGE_ACCEPTOR_SEAL; + ahash = kctx->acceptor_integ; } else { cipher = kctx->initiator_enc; aux_cipher = kctx->initiator_enc_aux; - cksum_key = kctx->initiator_integ; - usage = KG_USAGE_INITIATOR_SEAL; + ahash = kctx->initiator_integ; } blocksize = crypto_sync_skcipher_blocksize(cipher); @@ -878,13 +784,9 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len, if (ret) goto out_err; - - /* Calculate our hmac over the plaintext data */ our_hmac_obj.len = sizeof(our_hmac); our_hmac_obj.data = our_hmac; - - ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0, - cksum_key, usage, &our_hmac_obj); + ret = gss_krb5_checksum(ahash, NULL, 0, &subbuf, 0, &our_hmac_obj); if (ret) goto out_err; diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 0b8ed365a7cb..d7307a267b20 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c @@ -447,23 +447,21 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask) /* initiator seal integrity */ set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_INTEGRITY); - keyout.data = ctx->initiator_integ; err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask); - if (err) { - dprintk("%s: Error %d deriving initiator_integ key\n", - __func__, err); + if (err) + goto out_free; + ctx->initiator_integ = gss_krb5_alloc_hash_v2(ctx, &keyout); + if (ctx->initiator_integ == NULL) goto out_free; - } /* acceptor seal integrity */ set_cdata(cdata, KG_USAGE_ACCEPTOR_SEAL, KEY_USAGE_SEED_INTEGRITY); - keyout.data = ctx->acceptor_integ; err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask); - if (err) { - dprintk("%s: Error %d deriving acceptor_integ key\n", - __func__, err); + if (err) + goto out_free; + ctx->acceptor_integ = gss_krb5_alloc_hash_v2(ctx, &keyout); + if (ctx->acceptor_integ == NULL) goto out_free; - } ret = 0; out: @@ -471,6 +469,8 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask) return ret; out_free: + crypto_free_ahash(ctx->acceptor_integ); + crypto_free_ahash(ctx->initiator_integ); crypto_free_ahash(ctx->acceptor_sign); crypto_free_ahash(ctx->initiator_sign); crypto_free_sync_skcipher(ctx->acceptor_enc_aux); @@ -600,6 +600,8 @@ gss_delete_sec_context_kerberos(void *internal_ctx) { crypto_free_sync_skcipher(kctx->initiator_enc_aux); crypto_free_ahash(kctx->acceptor_sign); crypto_free_ahash(kctx->initiator_sign); + crypto_free_ahash(kctx->acceptor_integ); + crypto_free_ahash(kctx->initiator_integ); kfree(kctx->mech_used.data); kfree(kctx); }

[v1,09/41] SUNRPC: Obscure Kerberos integrity keys

Commit Message

Patch