From: Sebastien Buisson Date: Mon, 23 Sep 2024 08:31:07 +0000 (+0200) Subject: LU-18256 gss: support SHA2 enctypes X-Git-Tag: 2.16.51~195 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=b0a616c9df14155ff5d6bd53683bad528c82ce1e;p=fs%2Flustre-release.git LU-18256 gss: support SHA2 enctypes Introduce support for ENCTYPE_AES128_CTS_HMAC_SHA256_128 and ENCTYPE_AES256_CTS_HMAC_SHA384_192 encryption types that are used by GSS code for authentication context. Test-Parameters: trivial Test-Parameters: testgroup=review-dne-selinux-ssk-part-1 Test-Parameters: testgroup=review-dne-selinux-ssk-part-2 Test-Parameters: kerberos=true testlist=sanity-krb5 Signed-off-by: Sebastien Buisson Change-Id: I42ab758b42b24c64647cd771887a2fd26bc55394 Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/56489 Reviewed-by: Andreas Dilger Reviewed-by: Aurelien Degremont Reviewed-by: Oleg Drokin Tested-by: jenkins Tested-by: Maloo
---
diff --git a/lustre/ptlrpc/gss/gss_krb5.h b/lustre/ptlrpc/gss/gss_krb5.h
index 6590a62..42827dd 100644
--- a/lustre/ptlrpc/gss/gss_krb5.h
+++ b/lustre/ptlrpc/gss/gss_krb5.h
@@ -138,8 +138,8 @@ enum seal_alg {
 #define KG_EMPTY_CCACHE (39756044L)
 #define KG_NO_CTYPES (39756045L)
-/* per Kerberos v5 protocol spec crypto types from the wire.
- * these get mapped to linux kernel crypto routines.
+/* per Kerberos v5 protocol spec crypto types from the wire.
+ * these get mapped to linux kernel crypto routines.
  */
 #define ENCTYPE_NULL 0x0000
 #define ENCTYPE_DES_CBC_CRC 0x0001 /* DES cbc mode with CRC-32 */
@@ -153,6 +153,8 @@ enum seal_alg {
 #define ENCTYPE_DES3_CBC_SHA1 0x0010
 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
+#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013
+#define ENCTYPE_AES256_CTS_HMAC_SHA384_192 0x0014
 #define ENCTYPE_ARCFOUR_HMAC 0x0017
 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018
 #define ENCTYPE_UNKNOWN 0x01ff
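Review bot: The two new ENCTYPE_ defines in the second hunk carry no trailing comment, while the surrounding entries annotate the algorithm (e.g. `/* DES cbc mode with CRC-32 */`). These values are the RFC 8009 enctypes, whose key derivation and integrity construction differ from the SHA-1 types listed just above them, and this header is where a maintainer will look for that distinction. Suggest `#define ENCTYPE_AES128_CTS_HMAC_SHA256_128 0x0013 /* RFC 8009 */` and the same annotation on 0x0014. The first hunk of this file appears to change only whitespace in the comment block.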
diff --git a/lustre/ptlrpc/gss/gss_krb5_mech.c b/lustre/ptlrpc/gss/gss_krb5_mech.c
index a82b090..332810c 100644
--- a/lustre/ptlrpc/gss/gss_krb5_mech.c
+++ b/lustre/ptlrpc/gss/gss_krb5_mech.c
@@ -113,6 +113,14 @@ static struct krb5_enctype enctypes[] = {
 .ke_conf_size = 16,
 .ke_hash_hmac = 1,
 },
+ [ENCTYPE_AES128_CTS_HMAC_SHA256_128] = { /* aes128-cts-hmac-sha2 */
+ .ke_dispname = "aes128-cts-hmac-sha256-128",
+ .ke_enc_name = "cbc(aes)",
+ .ke_hash_name = "sha256",
+ .ke_hash_size = 16,
+ .ke_conf_size = 16,
+ .ke_hash_hmac = 1,
+ },
 [ENCTYPE_AES256_CTS_HMAC_SHA1_96] = { /* aes256-cts */
 .ke_dispname = "aes256-cts-hmac-sha1-96",
 .ke_enc_name = "cbc(aes)",
@@ -121,6 +129,14 @@ static struct krb5_enctype enctypes[] = {
 .ke_conf_size = 16,
 .ke_hash_hmac = 1,
 },
+ [ENCTYPE_AES256_CTS_HMAC_SHA384_192] = { /* aes256-cts-hmac-sha2 */
+ .ke_dispname = "aes256-cts-hmac-sha384-192",
+ .ke_enc_name = "cbc(aes)",
+ .ke_hash_name = "sha384",
+ .ke_hash_size = 24,
+ .ke_conf_size = 16,
+ .ke_hash_hmac = 1,
+ },
 [ENCTYPE_ARCFOUR_HMAC] = { /* arcfour-hmac-md5 */
 .ke_dispname = "arcfour-hmac-md5",
 .ke_enc_name = "ecb(arc4)",
diff --git a/lustre/utils/gss/context_lucid.c b/lustre/utils/gss/context_lucid.c
index ad45ef8..9c78ddd 100644
--- a/lustre/utils/gss/context_lucid.c
+++ b/lustre/utils/gss/context_lucid.c
@@ -288,12 +288,14 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 break;
 #endif
 case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ case ENCTYPE_AES128_CTS_HMAC_SHA256_128:
 keylength = 16;
 #ifdef HAVE_KRB5
 enc = &krb5int_enc_aes128;
 #endif
 break;
 case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+ case ENCTYPE_AES256_CTS_HMAC_SHA384_192:
 keylength = 32;
 #ifdef HAVE_KRB5
 enc = &krb5int_enc_aes256;
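Review bot: The two new enctypes[] entries describe the RFC 8009 types with exactly the field set the aes-sha1 entries use (`.ke_hash_hmac = 1`, `.ke_hash_name`, `.ke_hash_size`), so whatever wrap/unwrap code keys off these fields will presumably apply the RFC 3961/3962 construction (HMAC over confounder and plaintext, n-fold based key derivation) to them, whereas RFC 8009 derives Kc/Ke/Ki with an SP 800-108 HMAC KDF and computes the HMAC over the cipher state and the ciphertext. Two Lustre peers running this code stay consistent with each other, but the resulting tokens would not be RFC 8009-conformant and nothing in the table tells a reader that this was a deliberate choice. A comment on each new entry would record the decision, e.g. `/* RFC 8009 enctype; processed with the RFC 3962-style token layout */`, or a flag field if the consumers are meant to diverge for these types. Note also that sha256 and sha384 produce 32- and 48-byte digests, so the consumer must truncate to `ke_hash_size` (16/24) rather than compare full-length output; the SHA-1 entries presumably already rely on the same truncation, but it is worth confirming for the new sizes.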
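Review bot: In derive_key_lucid the new case labels fold the SHA-2 enctypes into the SHA-1 branches, which set only `keylength` and `enc`; the function continues past the hunk, and if the derivation call below runs in the RFC 3961 mode that the SHA-1 enctypes require, the Kc/Ke/Ki produced for the 0x0013/0x0014 types will not be RFC 8009 keys, which mandate the SP 800-108 HMAC KDF with SHA-256 or SHA-384 respectively. Unless the rest of the function already selects the hash and derivation mode per enctype, I would add a hash selection alongside `enc` in the new cases (MIT exposes `krb5int_hash_sha256`/`krb5int_hash_sha384` and the `DERIVE_SP800_108_HMAC` mode of `krb5int_derive_key()`) so the two enctype families do not silently share one derivation path. Either way a one-line comment at the new labels stating which derivation is intended, e.g. `/* RFC 8009: SP 800-108 HMAC KDF, not RFC 3961 DK */`, would keep the distinction from being lost on the next edit.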