* yet. this need to be fixed in the future.
*/
static struct krb5_enctype enctypes[] = {
- [ENCTYPE_DES_CBC_RAW] = { /* des-cbc-md5 */
- .ke_dispname = "des-cbc-md5",
- .ke_enc_name = "cbc(des)",
- .ke_hash_name = "md5",
- .ke_hash_size = 16,
- .ke_conf_size = 8,
- },
-#ifdef HAVE_DES3_SUPPORT
- [ENCTYPE_DES3_CBC_RAW] = { /* des3-hmac-sha1 */
- .ke_dispname = "des3-hmac-sha1",
- .ke_enc_name = "cbc(des3_ede)",
- .ke_hash_name = "sha1",
- .ke_hash_size = 20,
- .ke_conf_size = 8,
- .ke_hash_hmac = 1,
- },
-#endif
[ENCTYPE_AES128_CTS_HMAC_SHA1_96] = { /* aes128-cts */
.ke_dispname = "aes128-cts-hmac-sha1-96",
.ke_enc_name = "cbc(aes)",
.ke_conf_size = 16,
.ke_hash_hmac = 1,
},
- [ENCTYPE_ARCFOUR_HMAC] = { /* arcfour-hmac-md5 */
- .ke_dispname = "arcfour-hmac-md5",
- .ke_enc_name = "ecb(arc4)",
- .ke_hash_name = "md5",
- .ke_hash_size = 16,
- .ke_conf_size = 8,
- .ke_hash_hmac = 1,
- }
};
static const char * enctype2str(__u32 enctype)
ke = &enctypes[kctx->kc_enctype];
- /* tfm arc4 is stateful, user should alloc-use-free by his own */
- if (kctx->kc_enctype != ENCTYPE_ARCFOUR_HMAC &&
- gss_keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode))
+ if (gss_keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode))
return -1;
/* tfm hmac is stateful, user should alloc-use-free by his own */
/* generate confounder */
get_random_bytes(conf, ke->ke_conf_size);
- /* get encryption blocksize. note kc_keye might not associated with
- * a tfm, currently only for arcfour-hmac */
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- LASSERT(kctx->kc_keye.kb_tfm == NULL);
- blocksize = 1;
- } else {
- LASSERT(kctx->kc_keye.kb_tfm);
- blocksize = crypto_sync_skcipher_blocksize(
- kctx->kc_keye.kb_tfm);
- }
+ /* Get encryption blocksize. Note kc_keye might be associated with
+ * a tfm.
+ */
+ LASSERT(kctx->kc_keye.kb_tfm);
+ blocksize = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
LASSERT(blocksize <= ke->ke_conf_size);
/* padding the message */
cipher.len = token->len - sizeof(*khdr);
LASSERT(cipher.len >= ke->ke_conf_size + msg->len + sizeof(*khdr));
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- rawobj_t arc4_keye = RAWOBJ_EMPTY;
- struct crypto_sync_skcipher *arc4_tfm;
-
- if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
- NULL, 1, &cksum, 0, NULL, &arc4_keye,
- gctx->hash_func)) {
- CERROR("failed to obtain arc4 enc key\n");
- GOTO(arc4_out_key, rc = -EACCES);
- }
-
- arc4_tfm = crypto_alloc_sync_skcipher("ecb(arc4)", 0, 0);
- if (IS_ERR(arc4_tfm)) {
- CERROR("failed to alloc tfm arc4 in ECB mode\n");
- GOTO(arc4_out_key, rc = -EACCES);
- }
-
- if (crypto_sync_skcipher_setkey(arc4_tfm, arc4_keye.data,
- arc4_keye.len)) {
- CERROR("failed to set arc4 key, len %d\n",
- arc4_keye.len);
- GOTO(arc4_out_tfm, rc = -EACCES);
- }
-
- rc = gss_crypt_rawobjs(arc4_tfm, NULL, 3, data_desc,
- &cipher, 1);
-arc4_out_tfm:
- crypto_free_sync_skcipher(arc4_tfm);
-arc4_out_key:
- rawobj_free(&arc4_keye);
- } else {
- rc = gss_crypt_rawobjs(kctx->kc_keye.kb_tfm, local_iv, 3,
- data_desc, &cipher, 1);
- }
-
+ rc = gss_crypt_rawobjs(kctx->kc_keye.kb_tfm, local_iv, 3,
+ data_desc, &cipher, 1);
if (rc)
GOTO(out_free_cksum, major = GSS_S_FAILURE);
/* generate confounder */
get_random_bytes(conf, ke->ke_conf_size);
- /* get encryption blocksize. note kc_keye might not associated with
- * a tfm, currently only for arcfour-hmac */
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- LASSERT(kctx->kc_keye.kb_tfm == NULL);
- blocksz = 1;
- } else {
- LASSERT(kctx->kc_keye.kb_tfm);
- blocksz = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
- }
+ /* Get encryption blocksize. Note kc_keye might be associated with
+ * a tfm.
+ */
+ LASSERT(kctx->kc_keye.kb_tfm);
+ blocksz = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
/*
* we assume the size of krb5_header (16 bytes) must be n * blocksize.
cipher.data = (__u8 *)(khdr + 1);
cipher.len = blocksz + sizeof(*khdr);
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- LBUG();
- rc = 0;
- } else {
- rc = krb5_encrypt_bulk(kctx->kc_keye.kb_tfm, khdr,
- conf, desc, &cipher, adj_nob);
- }
+ rc = krb5_encrypt_bulk(kctx->kc_keye.kb_tfm, khdr,
+ conf, desc, &cipher, adj_nob);
if (rc)
GOTO(out_free_cksum, major = GSS_S_FAILURE);
}
/* block size */
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- LASSERT(kctx->kc_keye.kb_tfm == NULL);
- blocksz = 1;
- } else {
- LASSERT(kctx->kc_keye.kb_tfm);
- blocksz = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
- }
+ LASSERT(kctx->kc_keye.kb_tfm);
+ blocksz = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
/* expected token layout:
* ----------------------------------------
plain_out.data = tmpbuf;
plain_out.len = bodysize;
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- rawobj_t arc4_keye;
- struct crypto_sync_skcipher *arc4_tfm;
-
- cksum.data = token->data + token->len - ke->ke_hash_size;
- cksum.len = ke->ke_hash_size;
-
- if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
- NULL, 1, &cksum, 0, NULL, &arc4_keye,
- gctx->hash_func)) {
- CERROR("failed to obtain arc4 enc key\n");
- GOTO(arc4_out, rc = -EACCES);
- }
-
- arc4_tfm = crypto_alloc_sync_skcipher("ecb(arc4)", 0, 0);
- if (IS_ERR(arc4_tfm)) {
- CERROR("failed to alloc tfm arc4 in ECB mode\n");
- GOTO(arc4_out_key, rc = -EACCES);
- }
-
- if (crypto_sync_skcipher_setkey(arc4_tfm, arc4_keye.data,
- arc4_keye.len)) {
- CERROR("failed to set arc4 key, len %d\n",
- arc4_keye.len);
- GOTO(arc4_out_tfm, rc = -EACCES);
- }
-
- rc = gss_crypt_rawobjs(arc4_tfm, NULL, 1, &cipher_in,
- &plain_out, 0);
-arc4_out_tfm:
- crypto_free_sync_skcipher(arc4_tfm);
-arc4_out_key:
- rawobj_free(&arc4_keye);
-arc4_out:
- cksum = RAWOBJ_EMPTY;
- } else {
- rc = gss_crypt_rawobjs(kctx->kc_keye.kb_tfm, local_iv, 1,
- &cipher_in, &plain_out, 0);
- }
-
+ rc = gss_crypt_rawobjs(kctx->kc_keye.kb_tfm, local_iv, 1,
+ &cipher_in, &plain_out, 0);
if (rc != 0) {
CERROR("error decrypt\n");
goto out_free;
}
/* block size */
- if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
- LASSERT(kctx->kc_keye.kb_tfm == NULL);
- blocksz = 1;
- LBUG();
- } else {
- LASSERT(kctx->kc_keye.kb_tfm);
- blocksz = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
- }
+ LASSERT(kctx->kc_keye.kb_tfm);
+ blocksz = crypto_sync_skcipher_blocksize(kctx->kc_keye.kb_tfm);
LASSERT(sizeof(*khdr) >= blocksz && sizeof(*khdr) % blocksz == 0);
/*
* We don't have "legal" access to these MIT-only
* structures located in libk5crypto
*/
-extern void *krb5int_enc_arcfour;
-#ifdef HAVE_DES3_SUPPORT
-extern void *krb5int_enc_des3;
-#endif
extern void *krb5int_enc_aes128;
extern void *krb5int_enc_aes256;
* values and structures located in libk5crypto
*/
switch (in->type) {
-#ifdef HAVE_DES3_SUPPORT
- case ENCTYPE_DES3_CBC_SHA1:
-#ifdef HAVE_KRB5
- case ENCTYPE_DES3_CBC_RAW:
-#endif
- keylength = 24;
-#ifdef HAVE_KRB5
- enc = &krb5int_enc_des3;
-#endif
- break;
-#endif
case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
case ENCTYPE_AES128_CTS_HMAC_SHA256_128:
keylength = 16;
enc = &krb5int_enc_aes256;
#endif
break;
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_RAW:
+ case ENCTYPE_DES3_CBC_SHA:
+ case ENCTYPE_DES3_CBC_RAW:
+ case ENCTYPE_DES_HMAC_SHA1:
+ case ENCTYPE_DES3_CBC_SHA1:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP:
+ /* deprecated enc types */
+ printerr(0, "ERROR: %s: deprecated enc type %d\n",
+ __func__, in->type);
+ fallthrough;
default:
code = KRB5_BAD_ENCTYPE;
goto out;
printerr(3, "protocol %d\n", lctx->protocol);
if (lctx->protocol == 0) {
enctype = lctx->rfc1964_kd.ctx_key.type;
-#ifdef HAVE_HEIMDAL
- /*
- * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for
- * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16).
- * Force the Heimdal enctype to 6.
- */
- if (enctype == ENCTYPE_DES3_CBC_SHA1) {
- printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
- __FUNCTION__, enctype, 6);
-
- enctype = 6;
- }
-#endif
keysize = lctx->rfc1964_kd.ctx_key.length;
numkeys = 3; /* XXX is always gonna be three? */
} else {
goto out_err;
/* Kc */
- /*
- * RC4 is special, it dosen't need key derivation. Actually
- * the Ke is based on plain text. Here we just let all three
- * key identical, kernel will handle everything. --ericm
- */
- if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
- if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
- lctx->rfc1964_kd.ctx_key.length))
- goto out_err;
- } else {
- if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
- &derived_key,
- KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
- goto out_err;
- if (write_bytes(&p, end, derived_key.data,
- derived_key.length))
- goto out_err;
- free(derived_key.data);
- }
+ if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, &derived_key,
+ KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
+ goto out_err;
+ if (write_bytes(&p, end, derived_key.data, derived_key.length))
+ goto out_err;
+ free(derived_key.data);
} else {
gss_krb5_lucid_key_t *keyptr;
uint32_t sign_usage, seal_usage;
git://git.whamcloud.com / fs / lustre-release.git / commitdiff