From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 05/22] gss_krb5: introduce encryption type framework
Date: Mon, 15 Mar 2010 12:12:58 -0400 [thread overview]
Message-ID: <1268669578.2993.98.camel@localhost.localdomain> (raw)
In-Reply-To: <1268655627-18712-6-git-send-email-steved@redhat.com>
On Mon, 2010-03-15 at 08:20 -0400, steved@redhat.com wrote:
> From: Kevin Coffman <kwc@citi.umich.edu>
>
> Add enctype framework and change functions to use the generic
> values from it rather than the values hard-coded for des.
>
> Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
> Signed-off-by: Steve Dickson <steved@redhat.com>
> ---
> include/linux/sunrpc/gss_krb5.h | 25 +++++++++-
> net/sunrpc/auth_gss/gss_krb5_crypto.c | 18 ++++----
> net/sunrpc/auth_gss/gss_krb5_mech.c | 85 +++++++++++++++++++++++++++-----
> net/sunrpc/auth_gss/gss_krb5_seal.c | 49 ++++++++++++-------
> net/sunrpc/auth_gss/gss_krb5_unseal.c | 15 ++++--
> net/sunrpc/auth_gss/gss_krb5_wrap.c | 79 +++++++++++++++++++++++-------
> 6 files changed, 203 insertions(+), 68 deletions(-)
>
> diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
> index 12bd0dd..8d79c44 100644
> --- a/include/linux/sunrpc/gss_krb5.h
> +++ b/include/linux/sunrpc/gss_krb5.h
> @@ -4,7 +4,7 @@
> * Adapted from MIT Kerberos 5-1.2.1 lib/include/krb5.h,
> * lib/gssapi/krb5/gssapiP_krb5.h, and others
> *
> - * Copyright (c) 2000 The Regents of the University of Michigan.
> + * Copyright (c) 2000-2008 The Regents of the University of Michigan.
> * All rights reserved.
> *
> * Andy Adamson <andros@umich.edu>
> @@ -36,6 +36,7 @@
> *
> */
>
> +#include <linux/crypto.h>
> #include <linux/sunrpc/auth_gss.h>
> #include <linux/sunrpc/gss_err.h>
> #include <linux/sunrpc/gss_asn1.h>
> @@ -46,9 +47,31 @@
> /* Maximum blocksize for the supported crypto algorithms */
> #define GSS_KRB5_MAX_BLOCKSIZE (16)
>
> +struct gss_krb5_enctype {
> + const u32 etype; /* encryption (key) type */
> + const u32 ctype; /* checksum type */
> + const char *name; /* "friendly" name */
> + const char *encrypt_name; /* crypto encrypt name */
> + const char *cksum_name; /* crypto checksum name */
> + const u16 signalg; /* signing algorithm */
> + const u16 sealalg; /* sealing algorithm */
> + const u32 blocksize; /* encryption blocksize */
> + const u32 cksumlength; /* checksum length */
> + const u32 keyed_cksum; /* is it a keyed cksum? */
> + const u32 keybytes; /* raw key len, in bytes */
> + const u32 keylength; /* final key len, in bytes */
> + u32 (*encrypt) (struct crypto_blkcipher *tfm,
> + void *iv, void *in, void *out,
> + int length); /* encryption function */
> + u32 (*decrypt) (struct crypto_blkcipher *tfm,
> + void *iv, void *in, void *out,
> + int length); /* decryption function */
> +};
> +
> struct krb5_ctx {
> int initiate; /* 1 = initiating, 0 = accepting */
> u32 enctype;
> + struct gss_krb5_enctype *gk5e; /* enctype-specific info */
^^^^^^^^
Should that be a 'const struct gss_krb5_enctype *'?
> struct crypto_blkcipher *enc;
> struct crypto_blkcipher *seq;
> s32 endtime;
> diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
> index d0f3371..d3025aa 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
> @@ -1,7 +1,7 @@
> /*
> * linux/net/sunrpc/gss_krb5_crypto.c
> *
> - * Copyright (c) 2000 The Regents of the University of Michigan.
> + * Copyright (c) 2000-2008 The Regents of the University of Michigan.
> * All rights reserved.
> *
> * Andy Adamson <andros@umich.edu>
> @@ -59,13 +59,13 @@ krb5_encrypt(
> {
> u32 ret = -EINVAL;
> struct scatterlist sg[1];
> - u8 local_iv[16] = {0};
> + u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
> struct blkcipher_desc desc = { .tfm = tfm, .info = local_iv };
>
> if (length % crypto_blkcipher_blocksize(tfm) != 0)
> goto out;
>
> - if (crypto_blkcipher_ivsize(tfm) > 16) {
> + if (crypto_blkcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
> dprintk("RPC: gss_k5encrypt: tfm iv size too large %d\n",
> crypto_blkcipher_ivsize(tfm));
> goto out;
> @@ -93,13 +93,13 @@ krb5_decrypt(
> {
> u32 ret = -EINVAL;
> struct scatterlist sg[1];
> - u8 local_iv[16] = {0};
> + u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
> struct blkcipher_desc desc = { .tfm = tfm, .info = local_iv };
>
> if (length % crypto_blkcipher_blocksize(tfm) != 0)
> goto out;
>
> - if (crypto_blkcipher_ivsize(tfm) > 16) {
> + if (crypto_blkcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
> dprintk("RPC: gss_k5decrypt: tfm iv size too large %d\n",
> crypto_blkcipher_ivsize(tfm));
> goto out;
> @@ -158,7 +158,7 @@ out:
> }
>
> struct encryptor_desc {
> - u8 iv[8]; /* XXX hard-coded blocksize */
> + u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
> struct blkcipher_desc desc;
> int pos;
> struct xdr_buf *outbuf;
> @@ -199,7 +199,7 @@ encryptor(struct scatterlist *sg, void *data)
> desc->fraglen += sg->length;
> desc->pos += sg->length;
>
> - fraglen = thislen & 7; /* XXX hardcoded blocksize */
> + fraglen = thislen & (crypto_blkcipher_blocksize(desc->desc.tfm) - 1);
> thislen -= fraglen;
>
> if (thislen == 0)
> @@ -257,7 +257,7 @@ gss_encrypt_xdr_buf(struct crypto_blkcipher *tfm, struct xdr_buf *buf,
> }
>
> struct decryptor_desc {
> - u8 iv[8]; /* XXX hard-coded blocksize */
> + u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
> struct blkcipher_desc desc;
> struct scatterlist frags[4];
> int fragno;
> @@ -279,7 +279,7 @@ decryptor(struct scatterlist *sg, void *data)
> desc->fragno++;
> desc->fraglen += sg->length;
>
> - fraglen = thislen & 7; /* XXX hardcoded blocksize */
> + fraglen = thislen & (crypto_blkcipher_blocksize(desc->desc.tfm) - 1);
> thislen -= fraglen;
>
> if (thislen == 0)
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> index cb01795..001cb6b 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -1,7 +1,7 @@
> /*
> * linux/net/sunrpc/gss_krb5_mech.c
> *
> - * Copyright (c) 2001 The Regents of the University of Michigan.
> + * Copyright (c) 2001-2008 The Regents of the University of Michigan.
> * All rights reserved.
> *
> * Andy Adamson <andros@umich.edu>
> @@ -48,6 +48,49 @@
> # define RPCDBG_FACILITY RPCDBG_AUTH
> #endif
>
> +static struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
static const.... ?
> + /*
> + * DES (All DES enctypes are mapped to the same gss functionality)
> + */
> + {
> + .etype = ENCTYPE_DES_CBC_RAW,
> + .ctype = CKSUMTYPE_RSA_MD5,
> + .name = "des-cbc-crc",
> + .encrypt_name = "cbc(des)",
> + .cksum_name = "md5",
> + .encrypt = krb5_encrypt,
> + .decrypt = krb5_decrypt,
> + .signalg = SGN_ALG_DES_MAC_MD5,
> + .sealalg = SEAL_ALG_DES,
> + .keybytes = 7,
> + .keylength = 8,
> + .blocksize = 8,
> + .cksumlength = 8,
> + },
> +};
> +
> +static int num_supported_enctypes = ARRAY_SIZE(supported_gss_krb5_enctypes);
const...
> +
> +static int
> +supported_gss_krb5_enctype(int etype)
> +{
> + int i;
> + for (i = 0; i < num_supported_enctypes; i++)
> + if (supported_gss_krb5_enctypes[i].etype == etype)
> + return 1;
> + return 0;
> +}
> +
> +static struct gss_krb5_enctype *
> +get_gss_krb5_enctype(int etype)
> +{
> + int i;
> + for (i = 0; i < num_supported_enctypes; i++)
> + if (supported_gss_krb5_enctypes[i].etype == etype)
> + return &supported_gss_krb5_enctypes[i];
> + return NULL;
> +}
> +
> static const void *
> simple_get_bytes(const void *p, const void *end, void *res, int len)
> {
next prev parent reply other threads:[~2010-03-15 16:13 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-15 12:20 [PATCH 00/22] Add new enctypes for gss_krb5 (Round 4) steved
2010-03-15 12:20 ` [PATCH 01/22] gss_krb5: introduce encryption type framework steved
2010-03-15 15:58 ` Trond Myklebust
[not found] ` <1268668733.2993.90.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-03-16 20:49 ` Steve Dickson
[not found] ` <4B9FEEE0.8040306-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2010-03-16 21:14 ` Trond Myklebust
[not found] ` <1268774075.3098.56.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-03-16 21:45 ` Kevin Coffman
2010-03-16 21:47 ` Steve Dickson
2010-03-15 12:20 ` [PATCH 02/22] Don't expect blocksize to always be 8 when calculating padding steved
2010-03-15 16:02 ` Trond Myklebust
[not found] ` <1268668930.2993.91.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-03-15 23:38 ` J. Bruce Fields
2010-03-17 11:55 ` Steve Dickson
2010-03-15 12:20 ` [PATCH 03/22] gss_krb5: gss_krb5: split up functions in preparation of adding new enctypes steved
2010-03-15 12:20 ` [PATCH 04/22] gss_krb5: prepare for new context format steved
2010-03-15 12:20 ` [PATCH 05/22] gss_krb5: introduce encryption type framework steved
2010-03-15 16:12 ` Trond Myklebust [this message]
2010-03-15 12:20 ` [PATCH 06/22] gss_krb5: add ability to have a keyed checksum (hmac) steved
2010-03-15 12:20 ` [PATCH 07/22] gss_krb5: import functionality to derive keys into the kernel steved
2010-03-15 12:20 ` [PATCH 08/22] gss_krb5: handle new context format from gssd steved
2010-03-15 12:20 ` [PATCH 09/22] gss_krb5: add support for triple-des encryption steved
2010-03-15 12:20 ` [PATCH 10/22] Add new pipefs file indicating which Kerberos enctypes the kernel supports steved
2010-03-15 16:28 ` Trond Myklebust
[not found] ` <1268670503.2993.103.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-03-15 16:36 ` Al Viro
2010-03-15 23:43 ` J. Bruce Fields
2010-03-15 12:20 ` [PATCH 11/22] Update " steved
2010-03-15 12:20 ` [PATCH 12/22] xdr: Add an export for the helper function write_bytes_to_xdr_buf() steved
2010-03-15 16:29 ` Trond Myklebust
2010-03-15 12:20 ` [PATCH 13/22] gss_krb5: add support for new token formats in rfc4121 steved
2010-03-15 16:34 ` Trond Myklebust
2010-03-15 12:20 ` [PATCH 14/22] gss_krb5: add remaining pieces to enable AES encryption support steved
2010-03-15 12:20 ` [PATCH 15/22] gss_krb5: Update pipefs file steved
2010-03-15 12:20 ` [PATCH 16/22] arcfour-hmac support steved
2010-03-15 12:20 ` [PATCH 17/22] Save the raw session key in the context steved
2010-03-15 12:20 ` [PATCH 18/22] More arcfour-hmac support steved
2010-03-15 16:41 ` Trond Myklebust
2010-03-15 12:20 ` [PATCH 19/22] Use confounder length in wrap code steved
2010-03-15 12:20 ` [PATCH 20/22] Add support for rc4-hmac encryption steved
2010-03-15 12:20 ` [PATCH 21/22] Update the pipefs file steved
2010-03-15 12:20 ` [PATCH 22/22] Fixed memory leak in gss_import_v1_context() steved
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1268669578.2993.98.camel@localhost.localdomain \
--to=trond.myklebust@fys.uio.no \
--cc=linux-nfs@vger.kernel.org \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox