From: Anna Schumaker <schumaker.anna@gmail.com>
To: Chuck Lever <cel@kernel.org>
Cc: linux-nfs@vger.kernel.org, dhowells@redhat.com, simo@redhat.com,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH v2 23/41] SUNRPC: Add gk5e definitions for RFC 8009 encryption types
Date: Wed, 22 Mar 2023 11:49:01 -0400 [thread overview]
Message-ID: <CAFX2JfnXmHXPD46tN8oSBX40wh3qJXSDLWAcDGbsTTmTuuMpWw@mail.gmail.com> (raw)
In-Reply-To: <167380336323.10651.16305246945409527645.stgit@bazille.1015granger.net>
Hi Chuck
On Sun, Jan 15, 2023 at 12:23 PM Chuck Lever <cel@kernel.org> wrote:
>
> From: Chuck Lever <chuck.lever@oracle.com>
>
> Fill in entries in the supported_gss_krb5_enctypes array for the
> encryption types defined in RFC 8009. These new enctypes use the
> SHA-256 and SHA-384 message digest algorithms (as defined in
> FIPS-180) instead of the deprecated SHA-1 algorithm, and are thus
> more secure.
>
> Note that NIST has scheduled SHA-1 for deprecation:
>
> https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm
>
> Thus these new encryption types are placed under a separate CONFIG
> option to enable distributors to separately introduce support for
> the AES-SHA2 enctypes and deprecate support for the current set of
> AES-SHA1 encryption types as their user space allows.
>
> As this implementation is still a "beta", the default is to not
> build it automatically.
>
> Tested-by: Scott Mayhew <smayhew@redhat.com>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> include/linux/sunrpc/gss_krb5.h | 19 ++++++++++++-
> net/sunrpc/Kconfig | 14 ++++++++++
> net/sunrpc/auth_gss/gss_krb5_mech.c | 51 +++++++++++++++++++++++++++++++++++
> 3 files changed, 82 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
> index 3e97d2a7c87d..8ff397b5c04b 100644
> --- a/include/linux/sunrpc/gss_krb5.h
> +++ b/include/linux/sunrpc/gss_krb5.h
> @@ -54,8 +54,8 @@
> /* Maximum key length (in bytes) for the supported crypto algorithms */
> #define GSS_KRB5_MAX_KEYLEN (32)
>
> -/* Maximum checksum function output for the supported crypto algorithms */
> -#define GSS_KRB5_MAX_CKSUM_LEN (20)
> +/* Maximum checksum function output for the supported enctypes */
> +#define GSS_KRB5_MAX_CKSUM_LEN (24)
I'm having some problems that I bisected to this patch, specifically
this change to GSS_KRB5_MAX_CKSUM_LEN. KASAN reports it as a
slab-out-of-bounds in gss_krb5_checksum(), and it can cause my client
to panic when running cthon basic tests with krb5p. I was wondering if
you've seen this?
Anna
Here is what kasan tells me:
[ 35.725366] ==================================================================
[ 35.725373] BUG: KASAN: slab-out-of-bounds in
gss_krb5_checksum+0x4b6/0x630 [rpcsec_gss_krb5]
[ 35.725383] Read of size 24 at addr ffff888110cfc1a0 by task mount.nfs/853
[ 35.725390] CPU: 2 PID: 853 Comm: mount.nfs Not tainted
6.2.0-ga40cf7530d31+ #37820 4b7d53453529728aac4e973d4ba6a17952148f02
[ 35.725395] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS 0.0.0 02/06/2015
[ 35.725399] Call Trace:
[ 35.725401] <TASK>
[ 35.725404] dump_stack_lvl+0x48/0x60
[ 35.725409] print_report+0x184/0x4a8
[ 35.725414] ? memcpy+0x3c/0x60
[ 35.725419] ? gss_krb5_checksum+0x4b6/0x630 [rpcsec_gss_krb5
2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725426] kasan_report+0xc9/0x150
[ 35.725431] ? gss_krb5_checksum+0x4b6/0x630 [rpcsec_gss_krb5
2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725439] kasan_check_range+0x13e/0x1c0
[ 35.725447] memcpy+0x23/0x60
[ 35.725451] gss_krb5_checksum+0x4b6/0x630 [rpcsec_gss_krb5
2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725460] ? __pfx_gss_krb5_checksum+0x10/0x10 [rpcsec_gss_krb5
2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725467] ? memmove+0x3c/0x60
[ 35.725472] gss_krb5_aes_encrypt+0x388/0x7c0 [rpcsec_gss_krb5
2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725480] ? __pfx_gss_krb5_aes_encrypt+0x10/0x10
[rpcsec_gss_krb5 2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725487] ? memmove+0x3c/0x60
[ 35.725491] gss_krb5_wrap_v2+0x28e/0x3a0 [rpcsec_gss_krb5
2fd8c249acfdf3162b23b30d5eb7af0425d84960]
[ 35.725500] gss_wrap_req_priv+0x3d7/0x1090 [auth_rpcgss
9532107bdb7719d1a30fdcf239028e9e54e0c27c]
[ 35.725517] gss_wrap_req+0x1df/0x250 [auth_rpcgss
9532107bdb7719d1a30fdcf239028e9e54e0c27c]
[ 35.725572] call_encode+0x75a/0x1000 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725626] ? __pfx_call_encode+0x10/0x10 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725671] ? __kasan_kmalloc+0xad/0xb0
[ 35.725676] ? xprt_alloc_slot+0x1ca/0x590 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725724] ? call_allocate+0x30d/0x6b0 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725779] ? __pfx_call_encode+0x10/0x10 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725829] __rpc_execute+0x29b/0xcf0 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725885] ? __pfx___rpc_execute+0x10/0x10 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725936] ? __pfx_wake_up_bit+0x10/0x10
[ 35.725941] ? _raw_spin_lock+0x85/0xe0
[ 35.725945] rpc_execute+0x21d/0x320 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.725997] rpc_run_task+0x467/0x650 [sunrpc
807a235f89c5b6b32dbda9261e96d6b1ac9ed4f5]
[ 35.726044] nfs4_call_sync_sequence+0x17e/0x2a0 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726095] ? unwind_get_return_address+0x5e/0xa0
[ 35.726100] ? __pfx_nfs4_call_sync_sequence+0x10/0x10 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726146] ? stack_trace_save+0x95/0xd0
[ 35.726151] ? __stack_depot_save+0x3f/0x4c0
[ 35.726157] _nfs4_lookup_root.isra.0+0x193/0x200 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726202] ? __pfx__nfs4_lookup_root.isra.0+0x10/0x10 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726246] ? kasan_save_stack+0x45/0x60
[ 35.726251] ? nfs_alloc_fattr+0x44/0x210 [nfs
1894ec9cbdec354be2bcab1be6e5e8ab9f92de62]
[ 35.726290] ? nfs4_get_rootfh+0x92/0x290 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726341] ? nfs4_server_common_setup+0xa4/0x680 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726391] ? nfs4_create_server+0x8d7/0xf00 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726440] ? nfs4_try_get_tree+0xd1/0x250 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726488] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 35.726496] nfs4_lookup_root+0xeb/0x260 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726542] ? __pfx_nfs4_lookup_root+0x10/0x10 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726589] nfs4_proc_get_rootfh+0xdc/0x110 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726636] nfs4_get_rootfh+0xb4/0x290 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726685] ? __pfx_nfs4_get_rootfh+0x10/0x10 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726733] ? nfs4_set_client+0x2d8/0x430 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726785] nfs4_server_common_setup+0xa4/0x680 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726834] nfs4_create_server+0x8d7/0xf00 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726884] ? _raw_spin_lock+0x85/0xe0
[ 35.726888] ? __pfx_nfs4_create_server+0x10/0x10 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726937] ? __module_get+0x31/0xf0
[ 35.726942] nfs4_try_get_tree+0xd1/0x250 [nfsv4
d67fe18359c6743dcd6788d44186185ed97423ee]
[ 35.726991] vfs_get_tree+0x84/0x2c0
[ 35.726996] path_mount+0xa9f/0x1a20
[ 35.727001] ? __pfx_path_mount+0x10/0x10
[ 35.727005] ? user_path_at_empty+0x44/0x60
[ 35.727008] ? kmem_cache_free+0x19e/0x320
[ 35.727013] __x64_sys_mount+0x214/0x280
[ 35.727017] ? __pfx___x64_sys_mount+0x10/0x10
[ 35.727020] ? _raw_spin_lock+0x85/0xe0
[ 35.727024] do_syscall_64+0x5c/0x90
[ 35.727029] ? syscall_exit_to_user_mode+0x1b/0x40
[ 35.727032] ? do_syscall_64+0x6b/0x90
[ 35.727036] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 35.727040] RIP: 0033:0x7f1291a5afde
[ 35.727044] Code: 48 8b 0d 95 ed 0c 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 62 ed 0c 00 f7 d8 64 89
01 48
[ 35.727047] RSP: 002b:00007ffd02e479e8 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 35.727055] RAX: ffffffffffffffda RBX: 00007ffd02e47b90 RCX: 00007f1291a5afde
[ 35.727058] RDX: 00005565e507c3b0 RSI: 00005565e507b500 RDI: 00005565e507b550
[ 35.727060] RBP: 00005565e50824f0 R08: 00005565e50824f0 R09: 0000000000000060
[ 35.727062] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd02e47b90
[ 35.727065] R13: 00005565e5082210 R14: 0000000000000003 R15: 00005565e42168f8
[ 35.727069] </TASK>
[ 35.727073] Allocated by task 853:
[ 35.727075] kasan_save_stack+0x33/0x60
[ 35.727079] kasan_set_track+0x25/0x30
[ 35.727082] __kasan_kmalloc+0xad/0xb0
[ 35.727086] __kmalloc+0x5e/0x160
[ 35.727088] gss_krb5_checksum+0xcf/0x630 [rpcsec_gss_krb5]
[ 35.727095] gss_krb5_aes_encrypt+0x388/0x7c0 [rpcsec_gss_krb5]
[ 35.727101] gss_krb5_wrap_v2+0x28e/0x3a0 [rpcsec_gss_krb5]
[ 35.727107] gss_wrap_req_priv+0x3d7/0x1090 [auth_rpcgss]
[ 35.727119] gss_wrap_req+0x1df/0x250 [auth_rpcgss]
[ 35.727131] call_encode+0x75a/0x1000 [sunrpc]
[ 35.727175] __rpc_execute+0x29b/0xcf0 [sunrpc]
[ 35.727227] rpc_execute+0x21d/0x320 [sunrpc]
[ 35.727277] rpc_run_task+0x467/0x650 [sunrpc]
[ 35.727321] nfs4_call_sync_sequence+0x17e/0x2a0 [nfsv4]
[ 35.727365] _nfs4_lookup_root.isra.0+0x193/0x200 [nfsv4]
[ 35.727408] nfs4_lookup_root+0xeb/0x260 [nfsv4]
[ 35.727453] nfs4_proc_get_rootfh+0xdc/0x110 [nfsv4]
[ 35.727498] nfs4_get_rootfh+0xb4/0x290 [nfsv4]
[ 35.727546] nfs4_server_common_setup+0xa4/0x680 [nfsv4]
[ 35.727595] nfs4_create_server+0x8d7/0xf00 [nfsv4]
[ 35.727643] nfs4_try_get_tree+0xd1/0x250 [nfsv4]
[ 35.727690] vfs_get_tree+0x84/0x2c0
[ 35.727694] path_mount+0xa9f/0x1a20
[ 35.727697] __x64_sys_mount+0x214/0x280
[ 35.727701] do_syscall_64+0x5c/0x90
[ 35.727704] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 35.727709] The buggy address belongs to the object at ffff888110cfc1a0
which belongs to the cache kmalloc-32 of size 32
[ 35.727712] The buggy address is located 0 bytes inside of
32-byte region [ffff888110cfc1a0, ffff888110cfc1c0)
[ 35.727717] The buggy address belongs to the physical page:
[ 35.727721] page:ffffea0004433f00 refcount:1 mapcount:0
mapping:0000000000000000 index:0xffff888110cfce60 pfn:0x110cfc
[ 35.727726] flags: 0x2ffff0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[ 35.727731] raw: 02ffff0000000200 ffff888100042740 ffffea00044274d0
ffff888100040450
[ 35.727734] raw: ffff888110cfce60 0000000000150012 00000001ffffffff
0000000000000000
[ 35.727736] page dumped because: kasan: bad access detected
[ 35.727740] page_owner tracks the page as allocated
[ 35.727741] page last allocated via order 0, migratetype Unmovable,
gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 715, tgid
715 (test2), ts 24589446140, free_ts 24535345796
[ 35.727747] post_alloc_hook+0x118/0x250
[ 35.727750] get_page_from_freelist+0x11ef/0x3a20
[ 35.727754] __alloc_pages+0x1d5/0x440
[ 35.727757] allocate_slab+0x346/0x4a0
[ 35.727760] ___slab_alloc+0x39a/0x9a0
[ 35.727763] __kmem_cache_alloc_node+0x143/0x3d0
[ 35.727766] __kmalloc+0x4d/0x160
[ 35.727768] gss_krb5_checksum+0xcf/0x630 [rpcsec_gss_krb5]
[ 35.727775] gss_krb5_verify_mic_v2+0x2d2/0x4f0 [rpcsec_gss_krb5]
[ 35.727780] gss_validate+0x360/0x700 [auth_rpcgss]
[ 35.727792] rpc_decode_header+0x288/0xcb0 [sunrpc]
[ 35.727836] call_decode+0x3a7/0x780 [sunrpc]
[ 35.727880] __rpc_execute+0x29b/0xcf0 [sunrpc]
[ 35.727932] rpc_execute+0x21d/0x320 [sunrpc]
[ 35.727982] rpc_run_task+0x467/0x650 [sunrpc]
[ 35.728026] nfs4_call_sync_sequence+0x17e/0x2a0 [nfsv4]
[ 35.728070] page last free stack trace:
[ 35.728072] free_pcp_prepare+0x66c/0x10e0
[ 35.728075] free_unref_page+0x4e/0x3c0
[ 35.728078] tlb_remove_table_rcu+0x77/0xc0
[ 35.728081] rcu_do_batch+0x34c/0xd00
[ 35.728084] rcu_core+0x447/0xf20
[ 35.728086] __do_softirq+0x1d6/0x5ed
[ 35.728091] Memory state around the buggy address:
[ 35.728093] ffff888110cfc080: fc fc fc fc fc fc fc fc fc fc fc fc
fa fb fb fb
[ 35.728096] ffff888110cfc100: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 35.728098] >ffff888110cfc180: fc fc fc fc 00 00 04 fc fc fc fc fc
fc fc fc fc
[ 35.728100] ^
[ 35.728102] ffff888110cfc200: fc fc fc fc fc fc fc fc fc fc fc fc
00 00 00 00
[ 35.728104] ffff888110cfc280: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 35.728106] ==================================================================
>
> /* Maximum blocksize for the supported crypto algorithms */
> #define GSS_KRB5_MAX_BLOCKSIZE (16)
> @@ -160,6 +160,12 @@ enum seal_alg {
> SEAL_ALG_DES3KD = 0x0002
> };
>
> +/*
> + * These values are assigned by IANA and published via the
> + * subregistry at the link below:
> + *
> + * https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-2
> + */
> #define CKSUMTYPE_CRC32 0x0001
> #define CKSUMTYPE_RSA_MD4 0x0002
> #define CKSUMTYPE_RSA_MD4_DES 0x0003
> @@ -170,6 +176,8 @@ enum seal_alg {
> #define CKSUMTYPE_HMAC_SHA1_DES3 0x000c
> #define CKSUMTYPE_HMAC_SHA1_96_AES128 0x000f
> #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010
> +#define CKSUMTYPE_HMAC_SHA256_128_AES128 0x0013
> +#define CKSUMTYPE_HMAC_SHA384_192_AES256 0x0014
> #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /* Microsoft md5 hmac cksumtype */
>
> /* from gssapi_err_krb5.h */
> @@ -190,6 +198,11 @@ enum seal_alg {
>
> /* per Kerberos v5 protocol spec crypto types from the wire.
> * these get mapped to linux kernel crypto routines.
> + *
> + * These values are assigned by IANA and published via the
> + * subregistry at the link below:
> + *
> + * https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1
> */
> #define ENCTYPE_NULL 0x0000
> #define ENCTYPE_DES_CBC_CRC 0x0001 /* DES cbc mode with CRC-32 */
> @@ -203,6 +216,8 @@ enum seal_alg {
> #define ENCTYPE_DES3_CBC_SHA1 0x0010
> #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
> #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
> +#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013
> +#define ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014
> #define ENCTYPE_ARCFOUR_HMAC 0x0017
> #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
> #define ENCTYPE_UNKNOWN 0x01ff
> diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
> index 1135ff362132..b1aa2318e1dc 100644
> --- a/net/sunrpc/Kconfig
> +++ b/net/sunrpc/Kconfig
> @@ -76,6 +76,20 @@ config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1
> SHA-1 digests. These include aes128-cts-hmac-sha1-96 and
> aes256-cts-hmac-sha1-96.
>
> +config RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2
> + bool "Enable Kerberos enctypes based on AES and SHA-2"
> + depends on RPCSEC_GSS_KRB5
> + depends on CRYPTO_CBC && CRYPTO_CTS
> + depends on CRYPTO_HMAC && CRYPTO_SHA256 && CRYPTO_SHA512
> + depends on CRYPTO_AES
> + default n
> + select RPCSEC_GSS_KRB5_CRYPTOSYSTEM
> + help
> + Choose Y to enable the use of Kerberos 5 encryption types
> + that utilize Advanced Encryption Standard (AES) ciphers and
> + SHA-2 digests. These include aes128-cts-hmac-sha256-128 and
> + aes256-cts-hmac-sha384-192.
> +
> config SUNRPC_DEBUG
> bool "RPC: Enable dprintk debugging"
> depends on SUNRPC && SYSCTL
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> index ec3cca8fadc5..1951867f3fa8 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -146,6 +146,57 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
> .keyed_cksum = 1,
> },
> #endif
> +
> +#if defined(CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2)
> + /*
> + * AES-128 with SHA-256 (RFC 8009)
> + */
> + {
> + .etype = ENCTYPE_AES128_CTS_HMAC_SHA256_128,
> + .ctype = CKSUMTYPE_HMAC_SHA256_128_AES128,
> + .name = "aes128-cts-hmac-sha256-128",
> + .encrypt_name = "cts(cbc(aes))",
> + .aux_cipher = "cbc(aes)",
> + .cksum_name = "hmac(sha256)",
> + .cksumlength = BITS2OCTETS(128),
> + .keyed_cksum = 1,
> + .keylength = BITS2OCTETS(128),
> + .Kc_length = BITS2OCTETS(128),
> + .Ke_length = BITS2OCTETS(128),
> + .Ki_length = BITS2OCTETS(128),
> +
> + .import_ctx = gss_krb5_import_ctx_v2,
> +
> + .get_mic = gss_krb5_get_mic_v2,
> + .verify_mic = gss_krb5_verify_mic_v2,
> + .wrap = gss_krb5_wrap_v2,
> + .unwrap = gss_krb5_unwrap_v2,
> + },
> + /*
> + * AES-256 with SHA-384 (RFC 8009)
> + */
> + {
> + .etype = ENCTYPE_AES256_CTS_HMAC_SHA384_192,
> + .ctype = CKSUMTYPE_HMAC_SHA384_192_AES256,
> + .name = "aes256-cts-hmac-sha384-192",
> + .encrypt_name = "cts(cbc(aes))",
> + .aux_cipher = "cbc(aes)",
> + .cksum_name = "hmac(sha384)",
> + .cksumlength = BITS2OCTETS(192),
> + .keyed_cksum = 1,
> + .keylength = BITS2OCTETS(256),
> + .Kc_length = BITS2OCTETS(192),
> + .Ke_length = BITS2OCTETS(256),
> + .Ki_length = BITS2OCTETS(192),
> +
> + .import_ctx = gss_krb5_import_ctx_v2,
> +
> + .get_mic = gss_krb5_get_mic_v2,
> + .verify_mic = gss_krb5_verify_mic_v2,
> + .wrap = gss_krb5_wrap_v2,
> + .unwrap = gss_krb5_unwrap_v2,
> + },
> +#endif
> };
>
> /*
>
>
next prev parent reply other threads:[~2023-03-22 15:49 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-15 17:20 [PATCH v2 00/41] RPCSEC GSS krb5 enhancements Chuck Lever
2023-01-15 17:20 ` [PATCH v2 01/41] SUNRPC: Add header ifdefs to linux/sunrpc/gss_krb5.h Chuck Lever
2023-01-15 17:20 ` [PATCH v2 02/41] SUNRPC: Remove .blocksize field from struct gss_krb5_enctype Chuck Lever
2023-01-15 17:20 ` [PATCH v2 03/41] SUNRPC: Remove .conflen " Chuck Lever
2023-01-15 17:20 ` [PATCH v2 04/41] SUNRPC: Improve Kerberos confounder generation Chuck Lever
2023-01-15 17:20 ` [PATCH v2 05/41] SUNRPC: Obscure Kerberos session key Chuck Lever
2023-01-15 17:20 ` [PATCH v2 06/41] SUNRPC: Refactor set-up for aux_cipher Chuck Lever
2023-01-15 17:21 ` [PATCH v2 07/41] SUNRPC: Obscure Kerberos encryption keys Chuck Lever
2023-01-15 17:21 ` [PATCH v2 08/41] SUNRPC: Obscure Kerberos signing keys Chuck Lever
2023-01-15 17:21 ` [PATCH v2 09/41] SUNRPC: Obscure Kerberos integrity keys Chuck Lever
2023-01-15 17:21 ` [PATCH v2 10/41] SUNRPC: Refactor the GSS-API Per Message calls in the Kerberos mechanism Chuck Lever
2023-01-15 17:21 ` [PATCH v2 11/41] SUNRPC: Remove another switch on ctx->enctype Chuck Lever
2023-01-15 17:21 ` [PATCH v2 12/41] SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file Chuck Lever
2023-01-15 17:21 ` [PATCH v2 13/41] NFSD: Replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink Chuck Lever
2023-01-15 17:21 ` [PATCH v2 14/41] SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro Chuck Lever
2023-01-15 17:21 ` [PATCH v2 15/41] SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES Chuck Lever
2023-03-06 8:16 ` Geert Uytterhoeven
2023-03-06 16:17 ` Chuck Lever III
2023-03-06 18:01 ` Geert Uytterhoeven
2023-01-15 17:21 ` [PATCH v2 16/41] SUNRPC: Remove ->encrypt and ->decrypt methods from struct gss_krb5_enctype Chuck Lever
2023-01-15 17:22 ` [PATCH v2 17/41] SUNRPC: Rename .encrypt_v2 and .decrypt_v2 methods Chuck Lever
2023-01-15 17:22 ` [PATCH v2 18/41] SUNRPC: Hoist KDF into struct gss_krb5_enctype Chuck Lever
2023-01-15 17:22 ` [PATCH v2 19/41] SUNRPC: Clean up cipher set up for v1 encryption types Chuck Lever
2023-01-15 17:22 ` [PATCH v2 20/41] SUNRPC: Parametrize the key length passed to context_v2_alloc_cipher() Chuck Lever
2023-01-15 17:22 ` [PATCH v2 21/41] SUNRPC: Add new subkey length fields Chuck Lever
2023-01-15 17:22 ` [PATCH v2 22/41] SUNRPC: Refactor CBC with CTS into helpers Chuck Lever
2023-01-15 17:22 ` [PATCH v2 23/41] SUNRPC: Add gk5e definitions for RFC 8009 encryption types Chuck Lever
2023-03-22 15:49 ` Anna Schumaker [this message]
2023-03-22 16:30 ` Chuck Lever III
2023-03-22 17:06 ` Anna Schumaker
2023-03-22 17:18 ` Anna Schumaker
2023-01-15 17:22 ` [PATCH v2 24/41] SUNRPC: Add KDF-HMAC-SHA2 Chuck Lever
2023-01-15 17:22 ` [PATCH v2 25/41] SUNRPC: Add RFC 8009 encryption and decryption functions Chuck Lever
2023-01-15 17:23 ` [PATCH v2 26/41] SUNRPC: Advertise support for RFC 8009 encryption types Chuck Lever
2023-01-15 17:23 ` [PATCH v2 27/41] SUNRPC: Support the Camellia enctypes Chuck Lever
2023-01-15 17:23 ` [PATCH v2 28/41] SUNRPC: Add KDF_FEEDBACK_CMAC Chuck Lever
2023-01-15 17:23 ` [PATCH v2 29/41] SUNRPC: Advertise support for the Camellia encryption types Chuck Lever
2023-01-15 17:23 ` [PATCH v2 30/41] SUNRPC: Move remaining internal definitions to gss_krb5_internal.h Chuck Lever
2023-01-15 17:23 ` [PATCH v2 31/41] SUNRPC: Add KUnit tests for rpcsec_krb5.ko Chuck Lever
2023-01-15 17:23 ` [PATCH v2 32/41] SUNRPC: Export get_gss_krb5_enctype() Chuck Lever
2023-01-15 17:23 ` [PATCH v2 33/41] SUNRPC: Add KUnit tests RFC 3961 Key Derivation Chuck Lever
2023-01-15 17:23 ` [PATCH v2 34/41] SUNRPC: Add Kunit tests for RFC 3962-defined encryption/decryption Chuck Lever
2023-01-15 17:23 ` [PATCH v2 35/41] SUNRPC: Add KDF KUnit tests for the RFC 6803 encryption types Chuck Lever
2023-01-15 17:24 ` [PATCH v2 36/41] SUNRPC: Add checksum " Chuck Lever
2023-01-15 17:24 ` [PATCH v2 37/41] SUNRPC: Add encryption " Chuck Lever
2023-01-15 17:24 ` [PATCH v2 38/41] SUNRPC: Add KDF-HMAC-SHA2 Kunit tests Chuck Lever
2023-01-15 17:24 ` [PATCH v2 39/41] SUNRPC: Add RFC 8009 checksum KUnit tests Chuck Lever
2023-01-15 17:24 ` [PATCH v2 40/41] SUNRPC: Add RFC 8009 encryption " Chuck Lever
2023-01-15 17:24 ` [PATCH v2 41/41] SUNRPC: Add encryption self-tests Chuck Lever
2023-01-18 16:02 ` [PATCH v2 00/41] RPCSEC GSS krb5 enhancements Simo Sorce
2023-01-18 17:16 ` Chuck Lever III
2023-02-23 13:05 ` Geert Uytterhoeven
2023-02-23 14:00 ` Chuck Lever III
2023-02-23 15:16 ` Geert Uytterhoeven
2023-02-23 16:18 ` Chuck Lever III
2023-02-23 16:52 ` Geert Uytterhoeven
2023-02-23 19:32 ` Chuck Lever III
2023-02-27 9:51 ` Geert Uytterhoeven
2023-02-27 15:06 ` Chuck Lever III
2023-02-27 15:37 ` Geert Uytterhoeven
2023-02-23 17:57 ` Andreas Schwab
2023-02-23 18:19 ` Michael Schmitz
2023-02-23 21:46 ` Andreas Schwab
2023-02-23 22:17 ` Michael Schmitz
2023-02-23 18:28 ` Eero Tamminen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFX2JfnXmHXPD46tN8oSBX40wh3qJXSDLWAcDGbsTTmTuuMpWw@mail.gmail.com \
--to=schumaker.anna@gmail.com \
--cc=cel@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).