2019-02-11 16:25:15 +00:00
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* linux/net/sunrpc/gss_krb5_mech.c
|
|
|
|
*
|
2010-03-17 17:02:51 +00:00
|
|
|
* Copyright (c) 2001-2008 The Regents of the University of Michigan.
|
2005-04-16 22:20:36 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Andy Adamson <andros@umich.edu>
|
|
|
|
* J. Bruce Fields <bfields@umich.edu>
|
|
|
|
*/
|
|
|
|
|
2016-01-24 13:17:59 +00:00
|
|
|
#include <crypto/hash.h>
|
|
|
|
#include <crypto/skcipher.h>
|
2006-08-22 10:33:54 +00:00
|
|
|
#include <linux/err.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/sunrpc/auth.h>
|
|
|
|
#include <linux/sunrpc/gss_krb5.h>
|
|
|
|
#include <linux/sunrpc/xdr.h>
|
2023-01-15 17:23:40 +00:00
|
|
|
#include <kunit/visibility.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2021-01-21 21:17:23 +00:00
|
|
|
#include "auth_gss_internal.h"
|
2023-01-15 17:21:20 +00:00
|
|
|
#include "gss_krb5_internal.h"
|
2021-01-21 21:17:23 +00:00
|
|
|
|
2014-11-17 21:58:04 +00:00
|
|
|
#if IS_ENABLED(CONFIG_SUNRPC_DEBUG)
|
2005-04-16 22:20:36 +00:00
|
|
|
# define RPCDBG_FACILITY RPCDBG_AUTH
|
|
|
|
#endif
|
|
|
|
|
2023-01-15 17:21:26 +00:00
|
|
|
static struct gss_api_mech gss_kerberos_mech;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
2010-03-17 17:02:51 +00:00
|
|
|
static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
|
SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES
Because the DES block cipher has been deprecated by Internet
standard, highly secure configurations might require that DES
support be blacklisted or not installed. NFS Kerberos should still
be able to work correctly with only the AES-based enctypes in that
situation.
Also note that MIT Kerberos has begun a deprecation process for DES
encryption types. Their README for 1.19.3 states:
> Beginning with the krb5-1.19 release, a warning will be issued
> if initial credentials are acquired using the des3-cbc-sha1
> encryption type. In future releases, this encryption type will
> be disabled by default and eventually removed.
>
> Beginning with the krb5-1.18 release, single-DES encryption
> types have been removed.
Aside from the CONFIG option name change, there are two important
policy changes:
1. The 'insecure enctype' group is now disabled by default.
Distributors have to take action to enable support for deprecated
enctypes. Implementation of these enctypes will be removed in a
future kernel release.
2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
group, having been deprecated by RFC 8429, and is thus disabled
by default
After this patch is applied, SunRPC support can be built with
Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
And, when these enctypes are disabled, the Linux kernel's SunRPC
RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
and BCP 218 / RFC 8429.
Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2023-01-15 17:21:52 +00:00
|
|
|
#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1)
|
2010-03-17 17:03:00 +00:00
|
|
|
/*
|
SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES
Because the DES block cipher has been deprecated by Internet
standard, highly secure configurations might require that DES
support be blacklisted or not installed. NFS Kerberos should still
be able to work correctly with only the AES-based enctypes in that
situation.
Also note that MIT Kerberos has begun a deprecation process for DES
encryption types. Their README for 1.19.3 states:
> Beginning with the krb5-1.19 release, a warning will be issued
> if initial credentials are acquired using the des3-cbc-sha1
> encryption type. In future releases, this encryption type will
> be disabled by default and eventually removed.
>
> Beginning with the krb5-1.18 release, single-DES encryption
> types have been removed.
Aside from the CONFIG option name change, there are two important
policy changes:
1. The 'insecure enctype' group is now disabled by default.
Distributors have to take action to enable support for deprecated
enctypes. Implementation of these enctypes will be removed in a
future kernel release.
2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
group, having been deprecated by RFC 8429, and is thus disabled
by default
After this patch is applied, SunRPC support can be built with
Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
And, when these enctypes are disabled, the Linux kernel's SunRPC
RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
and BCP 218 / RFC 8429.
Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2023-01-15 17:21:52 +00:00
|
|
|
* AES-128 with SHA-1 (RFC 3962)
|
2010-03-17 17:03:00 +00:00
|
|
|
*/
|
|
|
|
{
|
|
|
|
.etype = ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
|
|
.ctype = CKSUMTYPE_HMAC_SHA1_96_AES128,
|
|
|
|
.name = "aes128-cts",
|
|
|
|
.encrypt_name = "cts(cbc(aes))",
|
2023-01-15 17:20:54 +00:00
|
|
|
.aux_cipher = "cbc(aes)",
|
2010-03-17 17:03:00 +00:00
|
|
|
.cksum_name = "hmac(sha1)",
|
2023-01-15 17:22:11 +00:00
|
|
|
.derive_key = krb5_derive_key_v2,
|
2023-01-15 17:22:04 +00:00
|
|
|
.encrypt = gss_krb5_aes_encrypt,
|
|
|
|
.decrypt = gss_krb5_aes_decrypt,
|
2023-01-15 17:21:20 +00:00
|
|
|
|
|
|
|
.get_mic = gss_krb5_get_mic_v2,
|
|
|
|
.verify_mic = gss_krb5_verify_mic_v2,
|
|
|
|
.wrap = gss_krb5_wrap_v2,
|
|
|
|
.unwrap = gss_krb5_unwrap_v2,
|
|
|
|
|
2010-03-17 17:03:00 +00:00
|
|
|
.signalg = -1,
|
|
|
|
.sealalg = -1,
|
|
|
|
.keybytes = 16,
|
2023-01-15 17:22:30 +00:00
|
|
|
.keylength = BITS2OCTETS(128),
|
|
|
|
.Kc_length = BITS2OCTETS(128),
|
|
|
|
.Ke_length = BITS2OCTETS(128),
|
|
|
|
.Ki_length = BITS2OCTETS(128),
|
|
|
|
.cksumlength = BITS2OCTETS(96),
|
2010-03-17 17:03:00 +00:00
|
|
|
.keyed_cksum = 1,
|
|
|
|
},
|
|
|
|
/*
|
SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES
Because the DES block cipher has been deprecated by Internet
standard, highly secure configurations might require that DES
support be blacklisted or not installed. NFS Kerberos should still
be able to work correctly with only the AES-based enctypes in that
situation.
Also note that MIT Kerberos has begun a deprecation process for DES
encryption types. Their README for 1.19.3 states:
> Beginning with the krb5-1.19 release, a warning will be issued
> if initial credentials are acquired using the des3-cbc-sha1
> encryption type. In future releases, this encryption type will
> be disabled by default and eventually removed.
>
> Beginning with the krb5-1.18 release, single-DES encryption
> types have been removed.
Aside from the CONFIG option name change, there are two important
policy changes:
1. The 'insecure enctype' group is now disabled by default.
Distributors have to take action to enable support for deprecated
enctypes. Implementation of these enctypes will be removed in a
future kernel release.
2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
group, having been deprecated by RFC 8429, and is thus disabled
by default
After this patch is applied, SunRPC support can be built with
Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
And, when these enctypes are disabled, the Linux kernel's SunRPC
RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
and BCP 218 / RFC 8429.
Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2023-01-15 17:21:52 +00:00
|
|
|
* AES-256 with SHA-1 (RFC 3962)
|
2010-03-17 17:03:00 +00:00
|
|
|
*/
|
|
|
|
{
|
|
|
|
.etype = ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
|
|
.ctype = CKSUMTYPE_HMAC_SHA1_96_AES256,
|
|
|
|
.name = "aes256-cts",
|
|
|
|
.encrypt_name = "cts(cbc(aes))",
|
2023-01-15 17:20:54 +00:00
|
|
|
.aux_cipher = "cbc(aes)",
|
2010-03-17 17:03:00 +00:00
|
|
|
.cksum_name = "hmac(sha1)",
|
2023-01-15 17:22:11 +00:00
|
|
|
.derive_key = krb5_derive_key_v2,
|
2023-01-15 17:22:04 +00:00
|
|
|
.encrypt = gss_krb5_aes_encrypt,
|
|
|
|
.decrypt = gss_krb5_aes_decrypt,
|
2023-01-15 17:21:20 +00:00
|
|
|
|
|
|
|
.get_mic = gss_krb5_get_mic_v2,
|
|
|
|
.verify_mic = gss_krb5_verify_mic_v2,
|
|
|
|
.wrap = gss_krb5_wrap_v2,
|
|
|
|
.unwrap = gss_krb5_unwrap_v2,
|
|
|
|
|
2010-03-17 17:03:00 +00:00
|
|
|
.signalg = -1,
|
|
|
|
.sealalg = -1,
|
|
|
|
.keybytes = 32,
|
2023-01-15 17:22:30 +00:00
|
|
|
.keylength = BITS2OCTETS(256),
|
|
|
|
.Kc_length = BITS2OCTETS(256),
|
|
|
|
.Ke_length = BITS2OCTETS(256),
|
|
|
|
.Ki_length = BITS2OCTETS(256),
|
|
|
|
.cksumlength = BITS2OCTETS(96),
|
2010-03-17 17:03:00 +00:00
|
|
|
.keyed_cksum = 1,
|
|
|
|
},
|
SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES
Because the DES block cipher has been deprecated by Internet
standard, highly secure configurations might require that DES
support be blacklisted or not installed. NFS Kerberos should still
be able to work correctly with only the AES-based enctypes in that
situation.
Also note that MIT Kerberos has begun a deprecation process for DES
encryption types. Their README for 1.19.3 states:
> Beginning with the krb5-1.19 release, a warning will be issued
> if initial credentials are acquired using the des3-cbc-sha1
> encryption type. In future releases, this encryption type will
> be disabled by default and eventually removed.
>
> Beginning with the krb5-1.18 release, single-DES encryption
> types have been removed.
Aside from the CONFIG option name change, there are two important
policy changes:
1. The 'insecure enctype' group is now disabled by default.
Distributors have to take action to enable support for deprecated
enctypes. Implementation of these enctypes will be removed in a
future kernel release.
2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
group, having been deprecated by RFC 8429, and is thus disabled
by default
After this patch is applied, SunRPC support can be built with
Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
And, when these enctypes are disabled, the Linux kernel's SunRPC
RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
and BCP 218 / RFC 8429.
Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2023-01-15 17:21:52 +00:00
|
|
|
#endif
|
2023-01-15 17:22:43 +00:00
|
|
|
|
2023-01-15 17:23:08 +00:00
|
|
|
#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA)
|
|
|
|
/*
|
|
|
|
* Camellia-128 with CMAC (RFC 6803)
|
|
|
|
*/
|
|
|
|
{
|
|
|
|
.etype = ENCTYPE_CAMELLIA128_CTS_CMAC,
|
|
|
|
.ctype = CKSUMTYPE_CMAC_CAMELLIA128,
|
|
|
|
.name = "camellia128-cts-cmac",
|
|
|
|
.encrypt_name = "cts(cbc(camellia))",
|
|
|
|
.aux_cipher = "cbc(camellia)",
|
|
|
|
.cksum_name = "cmac(camellia)",
|
|
|
|
.cksumlength = BITS2OCTETS(128),
|
|
|
|
.keyed_cksum = 1,
|
|
|
|
.keylength = BITS2OCTETS(128),
|
|
|
|
.Kc_length = BITS2OCTETS(128),
|
|
|
|
.Ke_length = BITS2OCTETS(128),
|
|
|
|
.Ki_length = BITS2OCTETS(128),
|
|
|
|
|
2023-01-15 17:23:15 +00:00
|
|
|
.derive_key = krb5_kdf_feedback_cmac,
|
2023-01-15 17:23:08 +00:00
|
|
|
.encrypt = gss_krb5_aes_encrypt,
|
|
|
|
.decrypt = gss_krb5_aes_decrypt,
|
|
|
|
|
|
|
|
.get_mic = gss_krb5_get_mic_v2,
|
|
|
|
.verify_mic = gss_krb5_verify_mic_v2,
|
|
|
|
.wrap = gss_krb5_wrap_v2,
|
|
|
|
.unwrap = gss_krb5_unwrap_v2,
|
|
|
|
},
|
|
|
|
/*
|
|
|
|
* Camellia-256 with CMAC (RFC 6803)
|
|
|
|
*/
|
|
|
|
{
|
|
|
|
.etype = ENCTYPE_CAMELLIA256_CTS_CMAC,
|
|
|
|
.ctype = CKSUMTYPE_CMAC_CAMELLIA256,
|
|
|
|
.name = "camellia256-cts-cmac",
|
|
|
|
.encrypt_name = "cts(cbc(camellia))",
|
|
|
|
.aux_cipher = "cbc(camellia)",
|
|
|
|
.cksum_name = "cmac(camellia)",
|
|
|
|
.cksumlength = BITS2OCTETS(128),
|
|
|
|
.keyed_cksum = 1,
|
|
|
|
.keylength = BITS2OCTETS(256),
|
|
|
|
.Kc_length = BITS2OCTETS(256),
|
|
|
|
.Ke_length = BITS2OCTETS(256),
|
|
|
|
.Ki_length = BITS2OCTETS(256),
|
|
|
|
|
2023-01-15 17:23:15 +00:00
|
|
|
.derive_key = krb5_kdf_feedback_cmac,
|
2023-01-15 17:23:08 +00:00
|
|
|
.encrypt = gss_krb5_aes_encrypt,
|
|
|
|
.decrypt = gss_krb5_aes_decrypt,
|
|
|
|
|
|
|
|
.get_mic = gss_krb5_get_mic_v2,
|
|
|
|
.verify_mic = gss_krb5_verify_mic_v2,
|
|
|
|
.wrap = gss_krb5_wrap_v2,
|
|
|
|
.unwrap = gss_krb5_unwrap_v2,
|
|
|
|
},
|
|
|
|
#endif
|
|
|
|
|
2023-01-15 17:22:43 +00:00
|
|
|
#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2)
|
|
|
|
/*
|
|
|
|
* AES-128 with SHA-256 (RFC 8009)
|
|
|
|
*/
|
|
|
|
{
|
|
|
|
.etype = ENCTYPE_AES128_CTS_HMAC_SHA256_128,
|
|
|
|
.ctype = CKSUMTYPE_HMAC_SHA256_128_AES128,
|
|
|
|
.name = "aes128-cts-hmac-sha256-128",
|
|
|
|
.encrypt_name = "cts(cbc(aes))",
|
|
|
|
.aux_cipher = "cbc(aes)",
|
|
|
|
.cksum_name = "hmac(sha256)",
|
|
|
|
.cksumlength = BITS2OCTETS(128),
|
|
|
|
.keyed_cksum = 1,
|
|
|
|
.keylength = BITS2OCTETS(128),
|
|
|
|
.Kc_length = BITS2OCTETS(128),
|
|
|
|
.Ke_length = BITS2OCTETS(128),
|
|
|
|
.Ki_length = BITS2OCTETS(128),
|
|
|
|
|
2023-01-15 17:22:49 +00:00
|
|
|
.derive_key = krb5_kdf_hmac_sha2,
|
2023-01-15 17:22:56 +00:00
|
|
|
.encrypt = krb5_etm_encrypt,
|
|
|
|
.decrypt = krb5_etm_decrypt,
|
2023-01-15 17:22:43 +00:00
|
|
|
|
|
|
|
.get_mic = gss_krb5_get_mic_v2,
|
|
|
|
.verify_mic = gss_krb5_verify_mic_v2,
|
|
|
|
.wrap = gss_krb5_wrap_v2,
|
|
|
|
.unwrap = gss_krb5_unwrap_v2,
|
|
|
|
},
|
|
|
|
/*
|
|
|
|
* AES-256 with SHA-384 (RFC 8009)
|
|
|
|
*/
|
|
|
|
{
|
|
|
|
.etype = ENCTYPE_AES256_CTS_HMAC_SHA384_192,
|
|
|
|
.ctype = CKSUMTYPE_HMAC_SHA384_192_AES256,
|
|
|
|
.name = "aes256-cts-hmac-sha384-192",
|
|
|
|
.encrypt_name = "cts(cbc(aes))",
|
|
|
|
.aux_cipher = "cbc(aes)",
|
|
|
|
.cksum_name = "hmac(sha384)",
|
|
|
|
.cksumlength = BITS2OCTETS(192),
|
|
|
|
.keyed_cksum = 1,
|
|
|
|
.keylength = BITS2OCTETS(256),
|
|
|
|
.Kc_length = BITS2OCTETS(192),
|
|
|
|
.Ke_length = BITS2OCTETS(256),
|
|
|
|
.Ki_length = BITS2OCTETS(192),
|
|
|
|
|
2023-01-15 17:22:49 +00:00
|
|
|
.derive_key = krb5_kdf_hmac_sha2,
|
2023-01-15 17:22:56 +00:00
|
|
|
.encrypt = krb5_etm_encrypt,
|
|
|
|
.decrypt = krb5_etm_decrypt,
|
2023-01-15 17:22:43 +00:00
|
|
|
|
|
|
|
.get_mic = gss_krb5_get_mic_v2,
|
|
|
|
.verify_mic = gss_krb5_verify_mic_v2,
|
|
|
|
.wrap = gss_krb5_wrap_v2,
|
|
|
|
.unwrap = gss_krb5_unwrap_v2,
|
|
|
|
},
|
|
|
|
#endif
|
2010-03-17 17:02:51 +00:00
|
|
|
};
|
|
|
|
|
2023-01-15 17:21:45 +00:00
|
|
|
/*
|
|
|
|
* The list of advertised enctypes is specified in order of most
|
|
|
|
* preferred to least.
|
|
|
|
*/
|
|
|
|
static char gss_krb5_enctype_priority_list[64];
|
|
|
|
|
|
|
|
static void gss_krb5_prepare_enctype_priority_list(void)
|
|
|
|
{
|
|
|
|
static const u32 gss_krb5_enctypes[] = {
|
2023-01-15 17:23:02 +00:00
|
|
|
#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2)
|
|
|
|
ENCTYPE_AES256_CTS_HMAC_SHA384_192,
|
|
|
|
ENCTYPE_AES128_CTS_HMAC_SHA256_128,
|
|
|
|
#endif
|
2023-01-15 17:23:21 +00:00
|
|
|
#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_CAMELLIA)
|
|
|
|
ENCTYPE_CAMELLIA256_CTS_CMAC,
|
|
|
|
ENCTYPE_CAMELLIA128_CTS_CMAC,
|
|
|
|
#endif
|
SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES
Because the DES block cipher has been deprecated by Internet
standard, highly secure configurations might require that DES
support be blacklisted or not installed. NFS Kerberos should still
be able to work correctly with only the AES-based enctypes in that
situation.
Also note that MIT Kerberos has begun a deprecation process for DES
encryption types. Their README for 1.19.3 states:
> Beginning with the krb5-1.19 release, a warning will be issued
> if initial credentials are acquired using the des3-cbc-sha1
> encryption type. In future releases, this encryption type will
> be disabled by default and eventually removed.
>
> Beginning with the krb5-1.18 release, single-DES encryption
> types have been removed.
Aside from the CONFIG option name change, there are two important
policy changes:
1. The 'insecure enctype' group is now disabled by default.
Distributors have to take action to enable support for deprecated
enctypes. Implementation of these enctypes will be removed in a
future kernel release.
2. des3-cbc-sha1 is now considered part of the 'insecure enctype'
group, having been deprecated by RFC 8429, and is thus disabled
by default
After this patch is applied, SunRPC support can be built with
Kerberos 5 support but without CRYPTO_DES enabled in the kernel.
And, when these enctypes are disabled, the Linux kernel's SunRPC
RPCSEC GSS implementation fully complies with BCP 179 / RFC 6649
and BCP 218 / RFC 8429.
Tested-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2023-01-15 17:21:52 +00:00
|
|
|
#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1)
|
2023-01-15 17:21:45 +00:00
|
|
|
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
|
|
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
|
|
#endif
|
|
|
|
};
|
|
|
|
size_t total, i;
|
|
|
|
char buf[16];
|
|
|
|
char *sep;
|
|
|
|
int n;
|
|
|
|
|
|
|
|
sep = "";
|
|
|
|
gss_krb5_enctype_priority_list[0] = '\0';
|
|
|
|
for (total = 0, i = 0; i < ARRAY_SIZE(gss_krb5_enctypes); i++) {
|
|
|
|
n = sprintf(buf, "%s%u", sep, gss_krb5_enctypes[i]);
|
|
|
|
if (n < 0)
|
|
|
|
break;
|
|
|
|
if (total + n >= sizeof(gss_krb5_enctype_priority_list))
|
|
|
|
break;
|
|
|
|
strcat(gss_krb5_enctype_priority_list, buf);
|
|
|
|
sep = ",";
|
|
|
|
total += n;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-15 17:23:40 +00:00
|
|
|
/**
|
|
|
|
* gss_krb5_lookup_enctype - Retrieve profile information for a given enctype
|
|
|
|
* @etype: ENCTYPE value
|
|
|
|
*
|
|
|
|
* Returns a pointer to a gss_krb5_enctype structure, or NULL if no
|
|
|
|
* matching etype is found.
|
|
|
|
*/
|
|
|
|
VISIBLE_IF_KUNIT
|
|
|
|
const struct gss_krb5_enctype *gss_krb5_lookup_enctype(u32 etype)
|
2010-03-17 17:02:51 +00:00
|
|
|
{
|
2023-01-15 17:23:40 +00:00
|
|
|
size_t i;
|
2010-03-17 17:02:51 +00:00
|
|
|
|
2023-01-15 17:23:40 +00:00
|
|
|
for (i = 0; i < ARRAY_SIZE(supported_gss_krb5_enctypes); i++)
|
2010-03-17 17:02:51 +00:00
|
|
|
if (supported_gss_krb5_enctypes[i].etype == etype)
|
|
|
|
return &supported_gss_krb5_enctypes[i];
|
|
|
|
return NULL;
|
|
|
|
}
|
2023-01-15 17:23:40 +00:00
|
|
|
EXPORT_SYMBOL_IF_KUNIT(gss_krb5_lookup_enctype);
|
2010-03-17 17:02:51 +00:00
|
|
|
|
2023-01-15 17:22:24 +00:00
|
|
|
static struct crypto_sync_skcipher *
|
|
|
|
gss_krb5_alloc_cipher_v2(const char *cname, const struct xdr_netobj *key)
|
|
|
|
{
|
|
|
|
struct crypto_sync_skcipher *tfm;
|
|
|
|
|
|
|
|
tfm = crypto_alloc_sync_skcipher(cname, 0, 0);
|
|
|
|
if (IS_ERR(tfm))
|
|
|
|
return NULL;
|
|
|
|
if (crypto_sync_skcipher_setkey(tfm, key->data, key->len)) {
|
|
|
|
crypto_free_sync_skcipher(tfm);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return tfm;
|
|
|
|
}
|
|
|
|
|
2023-01-15 17:21:07 +00:00
|
|
|
static struct crypto_ahash *
|
|
|
|
gss_krb5_alloc_hash_v2(struct krb5_ctx *kctx, const struct xdr_netobj *key)
|
|
|
|
{
|
|
|
|
struct crypto_ahash *tfm;
|
|
|
|
|
|
|
|
tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
|
|
|
|
if (IS_ERR(tfm))
|
|
|
|
return NULL;
|
|
|
|
if (crypto_ahash_setkey(tfm, key->data, key->len)) {
|
|
|
|
crypto_free_ahash(tfm);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return tfm;
|
|
|
|
}
|
|
|
|
|
2010-03-17 17:02:54 +00:00
|
|
|
static int
|
2023-01-15 17:21:26 +00:00
|
|
|
gss_krb5_import_ctx_v2(struct krb5_ctx *ctx, gfp_t gfp_mask)
|
2010-03-17 17:02:54 +00:00
|
|
|
{
|
2023-01-15 17:21:01 +00:00
|
|
|
struct xdr_netobj keyin = {
|
|
|
|
.len = ctx->gk5e->keylength,
|
|
|
|
.data = ctx->Ksess,
|
|
|
|
};
|
|
|
|
struct xdr_netobj keyout;
|
|
|
|
int ret = -EINVAL;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
2023-01-15 17:22:30 +00:00
|
|
|
keyout.data = kmalloc(GSS_KRB5_MAX_KEYLEN, gfp_mask);
|
2023-01-15 17:22:24 +00:00
|
|
|
if (!keyout.data)
|
2023-01-15 17:21:01 +00:00
|
|
|
return -ENOMEM;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
/* initiator seal encryption */
|
2023-01-15 17:22:30 +00:00
|
|
|
keyout.len = ctx->gk5e->Ke_length;
|
2023-01-15 17:22:11 +00:00
|
|
|
if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_INITIATOR_SEAL,
|
|
|
|
KEY_USAGE_SEED_ENCRYPTION, gfp_mask))
|
2023-01-15 17:21:01 +00:00
|
|
|
goto out;
|
2023-01-15 17:22:24 +00:00
|
|
|
ctx->initiator_enc = gss_krb5_alloc_cipher_v2(ctx->gk5e->encrypt_name,
|
|
|
|
&keyout);
|
2010-03-17 17:02:54 +00:00
|
|
|
if (ctx->initiator_enc == NULL)
|
2023-01-15 17:21:01 +00:00
|
|
|
goto out;
|
2023-01-15 17:20:54 +00:00
|
|
|
if (ctx->gk5e->aux_cipher) {
|
|
|
|
ctx->initiator_enc_aux =
|
2023-01-15 17:22:24 +00:00
|
|
|
gss_krb5_alloc_cipher_v2(ctx->gk5e->aux_cipher,
|
|
|
|
&keyout);
|
2023-01-15 17:20:54 +00:00
|
|
|
if (ctx->initiator_enc_aux == NULL)
|
|
|
|
goto out_free;
|
|
|
|
}
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
/* acceptor seal encryption */
|
2023-01-15 17:22:11 +00:00
|
|
|
if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_ACCEPTOR_SEAL,
|
|
|
|
KEY_USAGE_SEED_ENCRYPTION, gfp_mask))
|
2023-01-15 17:20:54 +00:00
|
|
|
goto out_free;
|
2023-01-15 17:22:24 +00:00
|
|
|
ctx->acceptor_enc = gss_krb5_alloc_cipher_v2(ctx->gk5e->encrypt_name,
|
|
|
|
&keyout);
|
2010-03-17 17:02:54 +00:00
|
|
|
if (ctx->acceptor_enc == NULL)
|
2023-01-15 17:20:54 +00:00
|
|
|
goto out_free;
|
|
|
|
if (ctx->gk5e->aux_cipher) {
|
|
|
|
ctx->acceptor_enc_aux =
|
2023-01-15 17:22:24 +00:00
|
|
|
gss_krb5_alloc_cipher_v2(ctx->gk5e->aux_cipher,
|
|
|
|
&keyout);
|
2023-01-15 17:20:54 +00:00
|
|
|
if (ctx->acceptor_enc_aux == NULL)
|
|
|
|
goto out_free;
|
|
|
|
}
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
/* initiator sign checksum */
|
2023-01-15 17:22:30 +00:00
|
|
|
keyout.len = ctx->gk5e->Kc_length;
|
2023-01-15 17:22:11 +00:00
|
|
|
if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_INITIATOR_SIGN,
|
|
|
|
KEY_USAGE_SEED_CHECKSUM, gfp_mask))
|
2023-01-15 17:21:07 +00:00
|
|
|
goto out_free;
|
|
|
|
ctx->initiator_sign = gss_krb5_alloc_hash_v2(ctx, &keyout);
|
|
|
|
if (ctx->initiator_sign == NULL)
|
2023-01-15 17:20:54 +00:00
|
|
|
goto out_free;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
/* acceptor sign checksum */
|
2023-01-15 17:22:11 +00:00
|
|
|
if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_ACCEPTOR_SIGN,
|
|
|
|
KEY_USAGE_SEED_CHECKSUM, gfp_mask))
|
2023-01-15 17:21:07 +00:00
|
|
|
goto out_free;
|
|
|
|
ctx->acceptor_sign = gss_krb5_alloc_hash_v2(ctx, &keyout);
|
|
|
|
if (ctx->acceptor_sign == NULL)
|
2023-01-15 17:20:54 +00:00
|
|
|
goto out_free;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
/* initiator seal integrity */
|
2023-01-15 17:22:30 +00:00
|
|
|
keyout.len = ctx->gk5e->Ki_length;
|
2023-01-15 17:22:11 +00:00
|
|
|
if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_INITIATOR_SEAL,
|
|
|
|
KEY_USAGE_SEED_INTEGRITY, gfp_mask))
|
2023-01-15 17:21:13 +00:00
|
|
|
goto out_free;
|
|
|
|
ctx->initiator_integ = gss_krb5_alloc_hash_v2(ctx, &keyout);
|
|
|
|
if (ctx->initiator_integ == NULL)
|
2023-01-15 17:20:54 +00:00
|
|
|
goto out_free;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
/* acceptor seal integrity */
|
2023-01-15 17:22:11 +00:00
|
|
|
if (krb5_derive_key(ctx, &keyin, &keyout, KG_USAGE_ACCEPTOR_SEAL,
|
|
|
|
KEY_USAGE_SEED_INTEGRITY, gfp_mask))
|
2023-01-15 17:21:13 +00:00
|
|
|
goto out_free;
|
|
|
|
ctx->acceptor_integ = gss_krb5_alloc_hash_v2(ctx, &keyout);
|
|
|
|
if (ctx->acceptor_integ == NULL)
|
2023-01-15 17:20:54 +00:00
|
|
|
goto out_free;
|
2010-03-17 17:03:00 +00:00
|
|
|
|
2023-01-15 17:21:01 +00:00
|
|
|
ret = 0;
|
|
|
|
out:
|
2023-01-15 17:22:24 +00:00
|
|
|
kfree_sensitive(keyout.data);
|
2023-01-15 17:21:01 +00:00
|
|
|
return ret;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
2023-01-15 17:20:54 +00:00
|
|
|
out_free:
|
2023-01-15 17:21:13 +00:00
|
|
|
crypto_free_ahash(ctx->acceptor_integ);
|
|
|
|
crypto_free_ahash(ctx->initiator_integ);
|
2023-01-15 17:21:07 +00:00
|
|
|
crypto_free_ahash(ctx->acceptor_sign);
|
|
|
|
crypto_free_ahash(ctx->initiator_sign);
|
2023-01-15 17:20:54 +00:00
|
|
|
crypto_free_sync_skcipher(ctx->acceptor_enc_aux);
|
2018-09-19 02:10:39 +00:00
|
|
|
crypto_free_sync_skcipher(ctx->acceptor_enc);
|
2023-01-15 17:20:54 +00:00
|
|
|
crypto_free_sync_skcipher(ctx->initiator_enc_aux);
|
2018-09-19 02:10:39 +00:00
|
|
|
crypto_free_sync_skcipher(ctx->initiator_enc);
|
2023-01-15 17:21:01 +00:00
|
|
|
goto out;
|
2010-03-17 17:02:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2010-05-13 16:51:02 +00:00
|
|
|
gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
|
|
|
|
gfp_t gfp_mask)
|
2010-03-17 17:02:54 +00:00
|
|
|
{
|
2018-11-01 17:51:34 +00:00
|
|
|
u64 seq_send64;
|
2010-03-17 17:02:54 +00:00
|
|
|
int keylen;
|
2018-06-07 15:02:50 +00:00
|
|
|
u32 time32;
|
2023-12-24 08:20:33 +00:00
|
|
|
int ret;
|
2010-03-17 17:02:54 +00:00
|
|
|
|
|
|
|
p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
|
|
|
|
if (IS_ERR(p))
|
|
|
|
goto out_err;
|
|
|
|
ctx->initiate = ctx->flags & KRB5_CTX_FLAG_INITIATOR;
|
|
|
|
|
2018-06-07 15:02:50 +00:00
|
|
|
p = simple_get_bytes(p, end, &time32, sizeof(time32));
|
2010-03-17 17:02:54 +00:00
|
|
|
if (IS_ERR(p))
|
|
|
|
goto out_err;
|
2018-06-07 15:02:50 +00:00
|
|
|
/* unsigned 32-bit time overflows in year 2106 */
|
|
|
|
ctx->endtime = (time64_t)time32;
|
2018-11-01 17:51:34 +00:00
|
|
|
p = simple_get_bytes(p, end, &seq_send64, sizeof(seq_send64));
|
2010-03-17 17:02:54 +00:00
|
|
|
if (IS_ERR(p))
|
|
|
|
goto out_err;
|
2018-11-01 17:51:34 +00:00
|
|
|
atomic64_set(&ctx->seq_send64, seq_send64);
|
2010-03-17 17:02:54 +00:00
|
|
|
/* set seq_send for use by "older" enctypes */
|
2018-11-01 17:51:34 +00:00
|
|
|
atomic_set(&ctx->seq_send, seq_send64);
|
|
|
|
if (seq_send64 != atomic_read(&ctx->seq_send)) {
|
|
|
|
dprintk("%s: seq_send64 %llx, seq_send %x overflow?\n", __func__,
|
|
|
|
seq_send64, atomic_read(&ctx->seq_send));
|
2010-09-12 23:55:25 +00:00
|
|
|
p = ERR_PTR(-EINVAL);
|
2010-03-17 17:02:54 +00:00
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
|
|
|
|
if (IS_ERR(p))
|
|
|
|
goto out_err;
|
2023-01-15 17:23:40 +00:00
|
|
|
ctx->gk5e = gss_krb5_lookup_enctype(ctx->enctype);
|
2010-03-17 17:02:54 +00:00
|
|
|
if (ctx->gk5e == NULL) {
|
|
|
|
dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",
|
|
|
|
ctx->enctype);
|
|
|
|
p = ERR_PTR(-EINVAL);
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
keylen = ctx->gk5e->keylength;
|
|
|
|
|
2010-03-17 17:03:03 +00:00
|
|
|
p = simple_get_bytes(p, end, ctx->Ksess, keylen);
|
2010-03-17 17:02:54 +00:00
|
|
|
if (IS_ERR(p))
|
|
|
|
goto out_err;
|
|
|
|
|
|
|
|
if (p != end) {
|
|
|
|
p = ERR_PTR(-EINVAL);
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx->mech_used.data = kmemdup(gss_kerberos_mech.gm_oid.data,
|
2010-05-13 16:51:02 +00:00
|
|
|
gss_kerberos_mech.gm_oid.len, gfp_mask);
|
2010-03-17 17:02:54 +00:00
|
|
|
if (unlikely(ctx->mech_used.data == NULL)) {
|
|
|
|
p = ERR_PTR(-ENOMEM);
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
|
|
|
|
|
2023-12-24 08:20:33 +00:00
|
|
|
ret = gss_krb5_import_ctx_v2(ctx, gfp_mask);
|
|
|
|
if (ret) {
|
|
|
|
p = ERR_PTR(ret);
|
|
|
|
goto out_free;
|
|
|
|
}
|
2010-03-17 17:02:54 +00:00
|
|
|
|
2023-12-24 08:20:33 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_free:
|
|
|
|
kfree(ctx->mech_used.data);
|
2010-03-17 17:02:54 +00:00
|
|
|
out_err:
|
|
|
|
return PTR_ERR(p);
|
|
|
|
}
|
|
|
|
|
2010-03-17 17:02:50 +00:00
|
|
|
static int
|
2023-01-15 17:21:20 +00:00
|
|
|
gss_krb5_import_sec_context(const void *p, size_t len, struct gss_ctx *ctx_id,
|
|
|
|
time64_t *endtime, gfp_t gfp_mask)
|
2010-03-17 17:02:50 +00:00
|
|
|
{
|
|
|
|
const void *end = (const void *)((const char *)p + len);
|
|
|
|
struct krb5_ctx *ctx;
|
|
|
|
int ret;
|
|
|
|
|
2010-05-13 16:51:02 +00:00
|
|
|
ctx = kzalloc(sizeof(*ctx), gfp_mask);
|
2010-03-17 17:02:50 +00:00
|
|
|
if (ctx == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2023-06-29 17:51:13 +00:00
|
|
|
ret = gss_import_v2_context(p, end, ctx, gfp_mask);
|
2023-01-15 17:20:48 +00:00
|
|
|
memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
|
2023-01-15 17:20:41 +00:00
|
|
|
if (ret) {
|
2010-03-17 17:02:50 +00:00
|
|
|
kfree(ctx);
|
2023-01-15 17:20:41 +00:00
|
|
|
return ret;
|
|
|
|
}
|
2010-03-17 17:02:50 +00:00
|
|
|
|
2023-01-15 17:20:41 +00:00
|
|
|
ctx_id->internal_ctx_id = ctx;
|
|
|
|
if (endtime)
|
|
|
|
*endtime = ctx->endtime;
|
|
|
|
return 0;
|
2010-03-17 17:02:50 +00:00
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static void
|
2023-01-15 17:21:20 +00:00
|
|
|
gss_krb5_delete_sec_context(void *internal_ctx)
|
|
|
|
{
|
2005-04-16 22:20:36 +00:00
|
|
|
struct krb5_ctx *kctx = internal_ctx;
|
|
|
|
|
2018-09-19 02:10:39 +00:00
|
|
|
crypto_free_sync_skcipher(kctx->seq);
|
|
|
|
crypto_free_sync_skcipher(kctx->enc);
|
|
|
|
crypto_free_sync_skcipher(kctx->acceptor_enc);
|
|
|
|
crypto_free_sync_skcipher(kctx->initiator_enc);
|
|
|
|
crypto_free_sync_skcipher(kctx->acceptor_enc_aux);
|
|
|
|
crypto_free_sync_skcipher(kctx->initiator_enc_aux);
|
2023-01-15 17:21:07 +00:00
|
|
|
crypto_free_ahash(kctx->acceptor_sign);
|
|
|
|
crypto_free_ahash(kctx->initiator_sign);
|
2023-01-15 17:21:13 +00:00
|
|
|
crypto_free_ahash(kctx->acceptor_integ);
|
|
|
|
crypto_free_ahash(kctx->initiator_integ);
|
2005-09-02 00:44:29 +00:00
|
|
|
kfree(kctx->mech_used.data);
|
2005-04-16 22:20:36 +00:00
|
|
|
kfree(kctx);
|
|
|
|
}
|
|
|
|
|
2023-01-15 17:21:20 +00:00
|
|
|
/**
|
|
|
|
* gss_krb5_get_mic - get_mic for the Kerberos GSS mechanism
|
|
|
|
* @gctx: GSS context
|
|
|
|
* @text: plaintext to checksum
|
|
|
|
* @token: buffer into which to write the computed checksum
|
|
|
|
*
|
|
|
|
* Return values:
|
|
|
|
* %GSS_S_COMPLETE - success, and @token is filled in
|
|
|
|
* %GSS_S_FAILURE - checksum could not be generated
|
|
|
|
* %GSS_S_CONTEXT_EXPIRED - Kerberos context is no longer valid
|
|
|
|
*/
|
|
|
|
static u32 gss_krb5_get_mic(struct gss_ctx *gctx, struct xdr_buf *text,
|
|
|
|
struct xdr_netobj *token)
|
|
|
|
{
|
|
|
|
struct krb5_ctx *kctx = gctx->internal_ctx_id;
|
|
|
|
|
|
|
|
return kctx->gk5e->get_mic(kctx, text, token);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* gss_krb5_verify_mic - verify_mic for the Kerberos GSS mechanism
|
|
|
|
* @gctx: GSS context
|
|
|
|
* @message_buffer: plaintext to check
|
|
|
|
* @read_token: received checksum to check
|
|
|
|
*
|
|
|
|
* Return values:
|
|
|
|
* %GSS_S_COMPLETE - computed and received checksums match
|
|
|
|
* %GSS_S_DEFECTIVE_TOKEN - received checksum is not valid
|
|
|
|
* %GSS_S_BAD_SIG - computed and received checksums do not match
|
|
|
|
* %GSS_S_FAILURE - received checksum could not be checked
|
|
|
|
* %GSS_S_CONTEXT_EXPIRED - Kerberos context is no longer valid
|
|
|
|
*/
|
|
|
|
static u32 gss_krb5_verify_mic(struct gss_ctx *gctx,
|
|
|
|
struct xdr_buf *message_buffer,
|
|
|
|
struct xdr_netobj *read_token)
|
|
|
|
{
|
|
|
|
struct krb5_ctx *kctx = gctx->internal_ctx_id;
|
|
|
|
|
|
|
|
return kctx->gk5e->verify_mic(kctx, message_buffer, read_token);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* gss_krb5_wrap - gss_wrap for the Kerberos GSS mechanism
|
|
|
|
* @gctx: initialized GSS context
|
|
|
|
* @offset: byte offset in @buf to start writing the cipher text
|
|
|
|
* @buf: OUT: send buffer
|
|
|
|
* @pages: plaintext to wrap
|
|
|
|
*
|
|
|
|
* Return values:
|
|
|
|
* %GSS_S_COMPLETE - success, @buf has been updated
|
|
|
|
* %GSS_S_FAILURE - @buf could not be wrapped
|
|
|
|
* %GSS_S_CONTEXT_EXPIRED - Kerberos context is no longer valid
|
|
|
|
*/
|
|
|
|
static u32 gss_krb5_wrap(struct gss_ctx *gctx, int offset,
|
|
|
|
struct xdr_buf *buf, struct page **pages)
|
|
|
|
{
|
|
|
|
struct krb5_ctx *kctx = gctx->internal_ctx_id;
|
|
|
|
|
|
|
|
return kctx->gk5e->wrap(kctx, offset, buf, pages);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* gss_krb5_unwrap - gss_unwrap for the Kerberos GSS mechanism
|
|
|
|
* @gctx: initialized GSS context
|
|
|
|
* @offset: starting byte offset into @buf
|
|
|
|
* @len: size of ciphertext to unwrap
|
|
|
|
* @buf: ciphertext to unwrap
|
|
|
|
*
|
|
|
|
* Return values:
|
|
|
|
* %GSS_S_COMPLETE - success, @buf has been updated
|
|
|
|
* %GSS_S_DEFECTIVE_TOKEN - received blob is not valid
|
|
|
|
* %GSS_S_BAD_SIG - computed and received checksums do not match
|
|
|
|
* %GSS_S_FAILURE - @buf could not be unwrapped
|
|
|
|
* %GSS_S_CONTEXT_EXPIRED - Kerberos context is no longer valid
|
|
|
|
*/
|
|
|
|
static u32 gss_krb5_unwrap(struct gss_ctx *gctx, int offset,
|
|
|
|
int len, struct xdr_buf *buf)
|
|
|
|
{
|
|
|
|
struct krb5_ctx *kctx = gctx->internal_ctx_id;
|
|
|
|
|
|
|
|
return kctx->gk5e->unwrap(kctx, offset, len, buf,
|
|
|
|
&gctx->slack, &gctx->align);
|
|
|
|
}
|
|
|
|
|
2007-06-24 00:17:58 +00:00
|
|
|
static const struct gss_api_ops gss_kerberos_ops = {
|
2023-01-15 17:21:20 +00:00
|
|
|
.gss_import_sec_context = gss_krb5_import_sec_context,
|
|
|
|
.gss_get_mic = gss_krb5_get_mic,
|
|
|
|
.gss_verify_mic = gss_krb5_verify_mic,
|
|
|
|
.gss_wrap = gss_krb5_wrap,
|
|
|
|
.gss_unwrap = gss_krb5_unwrap,
|
|
|
|
.gss_delete_sec_context = gss_krb5_delete_sec_context,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static struct pf_desc gss_kerberos_pfs[] = {
|
|
|
|
[0] = {
|
|
|
|
.pseudoflavor = RPC_AUTH_GSS_KRB5,
|
2013-03-16 19:55:01 +00:00
|
|
|
.qop = GSS_C_QOP_DEFAULT,
|
2005-04-16 22:20:36 +00:00
|
|
|
.service = RPC_GSS_SVC_NONE,
|
|
|
|
.name = "krb5",
|
|
|
|
},
|
|
|
|
[1] = {
|
|
|
|
.pseudoflavor = RPC_AUTH_GSS_KRB5I,
|
2013-03-16 19:55:01 +00:00
|
|
|
.qop = GSS_C_QOP_DEFAULT,
|
2005-04-16 22:20:36 +00:00
|
|
|
.service = RPC_GSS_SVC_INTEGRITY,
|
|
|
|
.name = "krb5i",
|
2016-06-29 17:55:06 +00:00
|
|
|
.datatouch = true,
|
2005-04-16 22:20:36 +00:00
|
|
|
},
|
2005-10-13 20:55:13 +00:00
|
|
|
[2] = {
|
|
|
|
.pseudoflavor = RPC_AUTH_GSS_KRB5P,
|
2013-03-16 19:55:01 +00:00
|
|
|
.qop = GSS_C_QOP_DEFAULT,
|
2005-10-13 20:55:13 +00:00
|
|
|
.service = RPC_GSS_SVC_PRIVACY,
|
|
|
|
.name = "krb5p",
|
2016-06-29 17:55:06 +00:00
|
|
|
.datatouch = true,
|
2005-10-13 20:55:13 +00:00
|
|
|
},
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
2011-06-22 14:50:08 +00:00
|
|
|
MODULE_ALIAS("rpc-auth-gss-krb5");
|
|
|
|
MODULE_ALIAS("rpc-auth-gss-krb5i");
|
|
|
|
MODULE_ALIAS("rpc-auth-gss-krb5p");
|
|
|
|
MODULE_ALIAS("rpc-auth-gss-390003");
|
|
|
|
MODULE_ALIAS("rpc-auth-gss-390004");
|
|
|
|
MODULE_ALIAS("rpc-auth-gss-390005");
|
2013-03-16 19:54:52 +00:00
|
|
|
MODULE_ALIAS("rpc-auth-gss-1.2.840.113554.1.2.2");
|
2011-06-22 14:50:08 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static struct gss_api_mech gss_kerberos_mech = {
|
|
|
|
.gm_name = "krb5",
|
|
|
|
.gm_owner = THIS_MODULE,
|
2013-03-16 19:54:34 +00:00
|
|
|
.gm_oid = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
|
2005-04-16 22:20:36 +00:00
|
|
|
.gm_ops = &gss_kerberos_ops,
|
|
|
|
.gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs),
|
|
|
|
.gm_pfs = gss_kerberos_pfs,
|
2023-01-15 17:21:45 +00:00
|
|
|
.gm_upcall_enctypes = gss_krb5_enctype_priority_list,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static int __init init_kerberos_module(void)
|
|
|
|
{
|
|
|
|
int status;
|
|
|
|
|
2023-01-15 17:21:45 +00:00
|
|
|
gss_krb5_prepare_enctype_priority_list();
|
2005-04-16 22:20:36 +00:00
|
|
|
status = gss_mech_register(&gss_kerberos_mech);
|
|
|
|
if (status)
|
|
|
|
printk("Failed to register kerberos gss mechanism!\n");
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit cleanup_kerberos_module(void)
|
|
|
|
{
|
|
|
|
gss_mech_unregister(&gss_kerberos_mech);
|
|
|
|
}
|
|
|
|
|
2024-01-08 18:16:05 +00:00
|
|
|
MODULE_DESCRIPTION("Sun RPC Kerberos 5 module");
|
2005-04-16 22:20:36 +00:00
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
module_init(init_kerberos_module);
|
|
|
|
module_exit(cleanup_kerberos_module);
|