From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org
Cc: dhowells@redhat.com, simo@redhat.com, linux-kselftest@vger.kernel.org
Subject: [PATCH v2 09/41] SUNRPC: Obscure Kerberos integrity keys
Date: Sun, 15 Jan 2023 12:21:13 -0500 [thread overview]
Message-ID: <167380327383.10651.15753244229923642363.stgit@bazille.1015granger.net> (raw)
In-Reply-To: <167380196429.10651.4103075913257868035.stgit@bazille.1015granger.net>
From: Chuck Lever <chuck.lever@oracle.com>
There's no need to keep the integrity keys around if we instead
allocate and key a pair of ahashes and keep those. This not only
enables the subkeys to be destroyed immediately after deriving
them, but it makes the Kerberos integrity code path more efficient.
Tested-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
include/linux/sunrpc/gss_krb5.h | 9 +--
net/sunrpc/auth_gss/gss_krb5_crypto.c | 116 +++------------------------------
net/sunrpc/auth_gss/gss_krb5_mech.c | 22 +++---
3 files changed, 23 insertions(+), 124 deletions(-)
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index 9d897f1ac85a..85e65232bb61 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -104,14 +104,14 @@ struct krb5_ctx {
struct crypto_sync_skcipher *initiator_enc_aux;
struct crypto_ahash *acceptor_sign;
struct crypto_ahash *initiator_sign;
+ struct crypto_ahash *initiator_integ;
+ struct crypto_ahash *acceptor_integ;
u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
u8 cksum[GSS_KRB5_MAX_KEYLEN];
atomic_t seq_send;
atomic64_t seq_send64;
time64_t endtime;
struct xdr_netobj mech_used;
- u8 initiator_integ[GSS_KRB5_MAX_KEYLEN];
- u8 acceptor_integ[GSS_KRB5_MAX_KEYLEN];
};
/* The length of the Kerberos GSS token header */
@@ -233,11 +233,6 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
struct xdr_buf *body, int body_offset, u8 *cksumkey,
unsigned int usage, struct xdr_netobj *cksumout);
-u32
-make_checksum_v2(struct krb5_ctx *, char *header, int hdrlen,
- struct xdr_buf *body, int body_offset, u8 *key,
- unsigned int usage, struct xdr_netobj *cksum);
-
u32 gss_get_mic_kerberos(struct gss_ctx *, struct xdr_buf *,
struct xdr_netobj *);
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 44dfcd5f6cbe..098faaf02fe6 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -259,93 +259,6 @@ make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
return err ? GSS_S_FAILURE : 0;
}
-/*
- * checksum the plaintext data and hdrlen bytes of the token header
- * Per rfc4121, sec. 4.2.4, the checksum is performed over the data
- * body then over the first 16 octets of the MIC token
- * Inclusion of the header data in the calculation of the
- * checksum is optional.
- */
-u32
-make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen,
- struct xdr_buf *body, int body_offset, u8 *cksumkey,
- unsigned int usage, struct xdr_netobj *cksumout)
-{
- struct crypto_ahash *tfm;
- struct ahash_request *req;
- struct scatterlist sg[1];
- int err = -1;
- u8 *checksumdata;
-
- if (kctx->gk5e->keyed_cksum == 0) {
- dprintk("%s: expected keyed hash for %s\n",
- __func__, kctx->gk5e->name);
- return GSS_S_FAILURE;
- }
- if (cksumkey == NULL) {
- dprintk("%s: no key supplied for %s\n",
- __func__, kctx->gk5e->name);
- return GSS_S_FAILURE;
- }
-
- checksumdata = kmalloc(GSS_KRB5_MAX_CKSUM_LEN, GFP_KERNEL);
- if (!checksumdata)
- return GSS_S_FAILURE;
-
- tfm = crypto_alloc_ahash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
- if (IS_ERR(tfm))
- goto out_free_cksum;
-
- req = ahash_request_alloc(tfm, GFP_KERNEL);
- if (!req)
- goto out_free_ahash;
-
- ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
-
- err = crypto_ahash_setkey(tfm, cksumkey, kctx->gk5e->keylength);
- if (err)
- goto out;
-
- err = crypto_ahash_init(req);
- if (err)
- goto out;
- err = xdr_process_buf(body, body_offset, body->len - body_offset,
- checksummer, req);
- if (err)
- goto out;
- if (header != NULL) {
- sg_init_one(sg, header, hdrlen);
- ahash_request_set_crypt(req, sg, NULL, hdrlen);
- err = crypto_ahash_update(req);
- if (err)
- goto out;
- }
- ahash_request_set_crypt(req, NULL, checksumdata, 0);
- err = crypto_ahash_final(req);
- if (err)
- goto out;
-
- cksumout->len = kctx->gk5e->cksumlength;
-
- switch (kctx->gk5e->ctype) {
- case CKSUMTYPE_HMAC_SHA1_96_AES128:
- case CKSUMTYPE_HMAC_SHA1_96_AES256:
- /* note that this truncates the hash */
- memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
- break;
- default:
- BUG();
- break;
- }
-out:
- ahash_request_free(req);
-out_free_ahash:
- crypto_free_ahash(tfm);
-out_free_cksum:
- kfree(checksumdata);
- return err ? GSS_S_FAILURE : 0;
-}
-
/**
* gss_krb5_checksum - Compute the MAC for a GSS Wrap or MIC token
* @tfm: an initialized hash transform
@@ -702,27 +615,24 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
{
u32 err;
struct xdr_netobj hmac;
- u8 *cksumkey;
u8 *ecptr;
struct crypto_sync_skcipher *cipher, *aux_cipher;
+ struct crypto_ahash *ahash;
int blocksize;
struct page **save_pages;
int nblocks, nbytes;
struct encryptor_desc desc;
u32 cbcbytes;
- unsigned int usage;
unsigned int conflen;
if (kctx->initiate) {
cipher = kctx->initiator_enc;
aux_cipher = kctx->initiator_enc_aux;
- cksumkey = kctx->initiator_integ;
- usage = KG_USAGE_INITIATOR_SEAL;
+ ahash = kctx->initiator_integ;
} else {
cipher = kctx->acceptor_enc;
aux_cipher = kctx->acceptor_enc_aux;
- cksumkey = kctx->acceptor_integ;
- usage = KG_USAGE_ACCEPTOR_SEAL;
+ ahash = kctx->acceptor_integ;
}
blocksize = crypto_sync_skcipher_blocksize(cipher);
conflen = crypto_sync_skcipher_blocksize(cipher);
@@ -762,9 +672,8 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
save_pages = buf->pages;
buf->pages = pages;
- err = make_checksum_v2(kctx, NULL, 0, buf,
- offset + GSS_KRB5_TOK_HDR_LEN,
- cksumkey, usage, &hmac);
+ err = gss_krb5_checksum(ahash, NULL, 0, buf,
+ offset + GSS_KRB5_TOK_HDR_LEN, &hmac);
buf->pages = save_pages;
if (err)
return GSS_S_FAILURE;
@@ -825,25 +734,22 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
{
struct xdr_buf subbuf;
u32 ret = 0;
- u8 *cksum_key;
struct crypto_sync_skcipher *cipher, *aux_cipher;
+ struct crypto_ahash *ahash;
struct xdr_netobj our_hmac_obj;
u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
int nblocks, blocksize, cbcbytes;
struct decryptor_desc desc;
- unsigned int usage;
if (kctx->initiate) {
cipher = kctx->acceptor_enc;
aux_cipher = kctx->acceptor_enc_aux;
- cksum_key = kctx->acceptor_integ;
- usage = KG_USAGE_ACCEPTOR_SEAL;
+ ahash = kctx->acceptor_integ;
} else {
cipher = kctx->initiator_enc;
aux_cipher = kctx->initiator_enc_aux;
- cksum_key = kctx->initiator_integ;
- usage = KG_USAGE_INITIATOR_SEAL;
+ ahash = kctx->initiator_integ;
}
blocksize = crypto_sync_skcipher_blocksize(cipher);
@@ -883,13 +789,9 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
if (ret)
goto out_err;
-
- /* Calculate our hmac over the plaintext data */
our_hmac_obj.len = sizeof(our_hmac);
our_hmac_obj.data = our_hmac;
-
- ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0,
- cksum_key, usage, &our_hmac_obj);
+ ret = gss_krb5_checksum(ahash, NULL, 0, &subbuf, 0, &our_hmac_obj);
if (ret)
goto out_err;
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 5478f741287e..2237f640cef4 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -447,23 +447,21 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
/* initiator seal integrity */
set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_INTEGRITY);
- keyout.data = ctx->initiator_integ;
err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
- if (err) {
- dprintk("%s: Error %d deriving initiator_integ key\n",
- __func__, err);
+ if (err)
+ goto out_free;
+ ctx->initiator_integ = gss_krb5_alloc_hash_v2(ctx, &keyout);
+ if (ctx->initiator_integ == NULL)
goto out_free;
- }
/* acceptor seal integrity */
set_cdata(cdata, KG_USAGE_ACCEPTOR_SEAL, KEY_USAGE_SEED_INTEGRITY);
- keyout.data = ctx->acceptor_integ;
err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
- if (err) {
- dprintk("%s: Error %d deriving acceptor_integ key\n",
- __func__, err);
+ if (err)
+ goto out_free;
+ ctx->acceptor_integ = gss_krb5_alloc_hash_v2(ctx, &keyout);
+ if (ctx->acceptor_integ == NULL)
goto out_free;
- }
ret = 0;
out:
@@ -471,6 +469,8 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
return ret;
out_free:
+ crypto_free_ahash(ctx->acceptor_integ);
+ crypto_free_ahash(ctx->initiator_integ);
crypto_free_ahash(ctx->acceptor_sign);
crypto_free_ahash(ctx->initiator_sign);
crypto_free_sync_skcipher(ctx->acceptor_enc_aux);
@@ -598,6 +598,8 @@ gss_delete_sec_context_kerberos(void *internal_ctx) {
crypto_free_sync_skcipher(kctx->initiator_enc_aux);
crypto_free_ahash(kctx->acceptor_sign);
crypto_free_ahash(kctx->initiator_sign);
+ crypto_free_ahash(kctx->acceptor_integ);
+ crypto_free_ahash(kctx->initiator_integ);
kfree(kctx->mech_used.data);
kfree(kctx);
}
next prev parent reply other threads:[~2023-01-15 17:21 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-15 17:20 [PATCH v2 00/41] RPCSEC GSS krb5 enhancements Chuck Lever
2023-01-15 17:20 ` [PATCH v2 01/41] SUNRPC: Add header ifdefs to linux/sunrpc/gss_krb5.h Chuck Lever
2023-01-15 17:20 ` [PATCH v2 02/41] SUNRPC: Remove .blocksize field from struct gss_krb5_enctype Chuck Lever
2023-01-15 17:20 ` [PATCH v2 03/41] SUNRPC: Remove .conflen " Chuck Lever
2023-01-15 17:20 ` [PATCH v2 04/41] SUNRPC: Improve Kerberos confounder generation Chuck Lever
2023-01-15 17:20 ` [PATCH v2 05/41] SUNRPC: Obscure Kerberos session key Chuck Lever
2023-01-15 17:20 ` [PATCH v2 06/41] SUNRPC: Refactor set-up for aux_cipher Chuck Lever
2023-01-15 17:21 ` [PATCH v2 07/41] SUNRPC: Obscure Kerberos encryption keys Chuck Lever
2023-01-15 17:21 ` [PATCH v2 08/41] SUNRPC: Obscure Kerberos signing keys Chuck Lever
2023-01-15 17:21 ` Chuck Lever [this message]
2023-01-15 17:21 ` [PATCH v2 10/41] SUNRPC: Refactor the GSS-API Per Message calls in the Kerberos mechanism Chuck Lever
2023-01-15 17:21 ` [PATCH v2 11/41] SUNRPC: Remove another switch on ctx->enctype Chuck Lever
2023-01-15 17:21 ` [PATCH v2 12/41] SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file Chuck Lever
2023-01-15 17:21 ` [PATCH v2 13/41] NFSD: Replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink Chuck Lever
2023-01-15 17:21 ` [PATCH v2 14/41] SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro Chuck Lever
2023-01-15 17:21 ` [PATCH v2 15/41] SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES Chuck Lever
2023-03-06 8:16 ` Geert Uytterhoeven
2023-03-06 16:17 ` Chuck Lever III
2023-03-06 18:01 ` Geert Uytterhoeven
2023-01-15 17:21 ` [PATCH v2 16/41] SUNRPC: Remove ->encrypt and ->decrypt methods from struct gss_krb5_enctype Chuck Lever
2023-01-15 17:22 ` [PATCH v2 17/41] SUNRPC: Rename .encrypt_v2 and .decrypt_v2 methods Chuck Lever
2023-01-15 17:22 ` [PATCH v2 18/41] SUNRPC: Hoist KDF into struct gss_krb5_enctype Chuck Lever
2023-01-15 17:22 ` [PATCH v2 19/41] SUNRPC: Clean up cipher set up for v1 encryption types Chuck Lever
2023-01-15 17:22 ` [PATCH v2 20/41] SUNRPC: Parametrize the key length passed to context_v2_alloc_cipher() Chuck Lever
2023-01-15 17:22 ` [PATCH v2 21/41] SUNRPC: Add new subkey length fields Chuck Lever
2023-01-15 17:22 ` [PATCH v2 22/41] SUNRPC: Refactor CBC with CTS into helpers Chuck Lever
2023-01-15 17:22 ` [PATCH v2 23/41] SUNRPC: Add gk5e definitions for RFC 8009 encryption types Chuck Lever
2023-03-22 15:49 ` Anna Schumaker
2023-03-22 16:30 ` Chuck Lever III
2023-03-22 17:06 ` Anna Schumaker
2023-03-22 17:18 ` Anna Schumaker
2023-01-15 17:22 ` [PATCH v2 24/41] SUNRPC: Add KDF-HMAC-SHA2 Chuck Lever
2023-01-15 17:22 ` [PATCH v2 25/41] SUNRPC: Add RFC 8009 encryption and decryption functions Chuck Lever
2023-01-15 17:23 ` [PATCH v2 26/41] SUNRPC: Advertise support for RFC 8009 encryption types Chuck Lever
2023-01-15 17:23 ` [PATCH v2 27/41] SUNRPC: Support the Camellia enctypes Chuck Lever
2023-01-15 17:23 ` [PATCH v2 28/41] SUNRPC: Add KDF_FEEDBACK_CMAC Chuck Lever
2023-01-15 17:23 ` [PATCH v2 29/41] SUNRPC: Advertise support for the Camellia encryption types Chuck Lever
2023-01-15 17:23 ` [PATCH v2 30/41] SUNRPC: Move remaining internal definitions to gss_krb5_internal.h Chuck Lever
2023-01-15 17:23 ` [PATCH v2 31/41] SUNRPC: Add KUnit tests for rpcsec_krb5.ko Chuck Lever
2023-01-15 17:23 ` [PATCH v2 32/41] SUNRPC: Export get_gss_krb5_enctype() Chuck Lever
2023-01-15 17:23 ` [PATCH v2 33/41] SUNRPC: Add KUnit tests RFC 3961 Key Derivation Chuck Lever
2023-01-15 17:23 ` [PATCH v2 34/41] SUNRPC: Add Kunit tests for RFC 3962-defined encryption/decryption Chuck Lever
2023-01-15 17:23 ` [PATCH v2 35/41] SUNRPC: Add KDF KUnit tests for the RFC 6803 encryption types Chuck Lever
2023-01-15 17:24 ` [PATCH v2 36/41] SUNRPC: Add checksum " Chuck Lever
2023-01-15 17:24 ` [PATCH v2 37/41] SUNRPC: Add encryption " Chuck Lever
2023-01-15 17:24 ` [PATCH v2 38/41] SUNRPC: Add KDF-HMAC-SHA2 Kunit tests Chuck Lever
2023-01-15 17:24 ` [PATCH v2 39/41] SUNRPC: Add RFC 8009 checksum KUnit tests Chuck Lever
2023-01-15 17:24 ` [PATCH v2 40/41] SUNRPC: Add RFC 8009 encryption " Chuck Lever
2023-01-15 17:24 ` [PATCH v2 41/41] SUNRPC: Add encryption self-tests Chuck Lever
2023-01-18 16:02 ` [PATCH v2 00/41] RPCSEC GSS krb5 enhancements Simo Sorce
2023-01-18 17:16 ` Chuck Lever III
2023-02-23 13:05 ` Geert Uytterhoeven
2023-02-23 14:00 ` Chuck Lever III
2023-02-23 15:16 ` Geert Uytterhoeven
2023-02-23 16:18 ` Chuck Lever III
2023-02-23 16:52 ` Geert Uytterhoeven
2023-02-23 19:32 ` Chuck Lever III
2023-02-27 9:51 ` Geert Uytterhoeven
2023-02-27 15:06 ` Chuck Lever III
2023-02-27 15:37 ` Geert Uytterhoeven
2023-02-23 17:57 ` Andreas Schwab
2023-02-23 18:19 ` Michael Schmitz
2023-02-23 21:46 ` Andreas Schwab
2023-02-23 22:17 ` Michael Schmitz
2023-02-23 18:28 ` Eero Tamminen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=167380327383.10651.15753244229923642363.stgit@bazille.1015granger.net \
--to=cel@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.