From: Chuck Lever <cel@kernel.org>
To: Trond Myklebust <trondmy@kernel.org>,
Anna Schumaker <anna@kernel.org>,
Chuck Lever <chuck.lever@oracle.com>,
Jeff Layton <jlayton@kernel.org>, NeilBrown <neil@brown.name>,
Olga Kornievskaia <okorniev@redhat.com>,
Dai Ngo <Dai.Ngo@oracle.com>, Tom Talpey <tom@talpey.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>
Cc: linux-nfs@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
David Howells <dhowells@redhat.com>,
Simo Sorce <simo@redhat.com>
Subject: [PATCH 05/18] SUNRPC: Prepare crypto/krb5 encryption and checksum handles
Date: Mon, 27 Apr 2026 09:50:49 -0400 [thread overview]
Message-ID: <20260427-crypto-krb5-api-v1-5-1fc1253b64c0@oracle.com> (raw)
In-Reply-To: <20260427-crypto-krb5-api-v1-0-1fc1253b64c0@oracle.com>
From: Chuck Lever <chuck.lever@oracle.com>
Allocate crypto_aead handles for encryption (one per direction)
and crypto_shash handles for checksumming (one per direction)
using the crypto/krb5 library's key preparation functions.
These four handles derive their subkeys from the session key
and the RFC 4121 usage numbers and are ready for use in
encrypt, decrypt, get_mic, and verify_mic operations.
The existing crypto_sync_skcipher and crypto_ahash handles
remain in place for now; subsequent patches switch the
per-message operations to the new handles and then remove
the old ones.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
net/sunrpc/auth_gss/gss_krb5_internal.h | 4 +++
net/sunrpc/auth_gss/gss_krb5_mech.c | 45 +++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/net/sunrpc/auth_gss/gss_krb5_internal.h b/net/sunrpc/auth_gss/gss_krb5_internal.h
index a3fe4be3b9ae..33d41d972bd1 100644
--- a/net/sunrpc/auth_gss/gss_krb5_internal.h
+++ b/net/sunrpc/auth_gss/gss_krb5_internal.h
@@ -65,6 +65,10 @@ struct krb5_ctx {
u32 flags;
const struct gss_krb5_enctype *gk5e; /* enctype-specific info */
const struct krb5_enctype *krb5e; /* crypto/krb5 enctype */
+ struct crypto_aead *initiator_enc_aead;
+ struct crypto_aead *acceptor_enc_aead;
+ struct crypto_shash *initiator_sign_shash;
+ struct crypto_shash *acceptor_sign_shash;
struct crypto_sync_skcipher *enc;
struct crypto_sync_skcipher *seq;
struct crypto_sync_skcipher *acceptor_enc;
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 7606bbd7b8c4..35189c57fd0c 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -300,6 +300,10 @@ gss_krb5_import_ctx_v2(struct krb5_ctx *ctx, gfp_t gfp_mask)
.len = ctx->gk5e->keylength,
.data = ctx->Ksess,
};
+ struct krb5_buffer TK = {
+ .len = ctx->gk5e->keylength,
+ .data = ctx->Ksess,
+ };
struct xdr_netobj keyout;
int ret = -EINVAL;
@@ -374,12 +378,49 @@ gss_krb5_import_ctx_v2(struct krb5_ctx *ctx, gfp_t gfp_mask)
if (ctx->acceptor_integ == NULL)
goto out_free;
+ ctx->initiator_enc_aead =
+ crypto_krb5_prepare_encryption(ctx->krb5e, &TK,
+ KG_USAGE_INITIATOR_SEAL,
+ gfp_mask);
+ if (IS_ERR(ctx->initiator_enc_aead)) {
+ ret = PTR_ERR(ctx->initiator_enc_aead);
+ goto out_free;
+ }
+ ctx->acceptor_enc_aead =
+ crypto_krb5_prepare_encryption(ctx->krb5e, &TK,
+ KG_USAGE_ACCEPTOR_SEAL,
+ gfp_mask);
+ if (IS_ERR(ctx->acceptor_enc_aead)) {
+ ret = PTR_ERR(ctx->acceptor_enc_aead);
+ goto out_free;
+ }
+ ctx->initiator_sign_shash =
+ crypto_krb5_prepare_checksum(ctx->krb5e, &TK,
+ KG_USAGE_INITIATOR_SIGN,
+ gfp_mask);
+ if (IS_ERR(ctx->initiator_sign_shash)) {
+ ret = PTR_ERR(ctx->initiator_sign_shash);
+ goto out_free;
+ }
+ ctx->acceptor_sign_shash =
+ crypto_krb5_prepare_checksum(ctx->krb5e, &TK,
+ KG_USAGE_ACCEPTOR_SIGN,
+ gfp_mask);
+ if (IS_ERR(ctx->acceptor_sign_shash)) {
+ ret = PTR_ERR(ctx->acceptor_sign_shash);
+ goto out_free;
+ }
+
ret = 0;
out:
kfree_sensitive(keyout.data);
return ret;
out_free:
+ crypto_free_shash(ctx->acceptor_sign_shash);
+ crypto_free_shash(ctx->initiator_sign_shash);
+ crypto_free_aead(ctx->acceptor_enc_aead);
+ crypto_free_aead(ctx->initiator_enc_aead);
crypto_free_ahash(ctx->acceptor_integ);
crypto_free_ahash(ctx->initiator_integ);
crypto_free_ahash(ctx->acceptor_sign);
@@ -502,6 +543,10 @@ gss_krb5_delete_sec_context(void *internal_ctx)
{
struct krb5_ctx *kctx = internal_ctx;
+ crypto_free_shash(kctx->acceptor_sign_shash);
+ crypto_free_shash(kctx->initiator_sign_shash);
+ crypto_free_aead(kctx->acceptor_enc_aead);
+ crypto_free_aead(kctx->initiator_enc_aead);
crypto_free_sync_skcipher(kctx->seq);
crypto_free_sync_skcipher(kctx->enc);
crypto_free_sync_skcipher(kctx->acceptor_enc);
--
2.53.0
next prev parent reply other threads:[~2026-04-27 13:51 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 13:50 [PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library Chuck Lever
2026-04-27 13:50 ` [PATCH 01/18] SUNRPC: Add Kconfig dependency on CRYPTO_KRB5 Chuck Lever
2026-04-27 13:50 ` [PATCH 02/18] SUNRPC: Add crypto/krb5 enctype lookup to krb5_ctx Chuck Lever
2026-04-27 13:50 ` [PATCH 03/18] SUNRPC: Add helpers to convert xdr_buf byte ranges to scatterlists Chuck Lever
2026-04-27 13:50 ` [PATCH 04/18] SUNRPC: Add errno-to-GSS status conversion helper Chuck Lever
2026-04-27 13:50 ` Chuck Lever [this message]
2026-04-27 13:50 ` [PATCH 06/18] SUNRPC: Switch wrap token encryption to crypto/krb5 Chuck Lever
2026-04-27 13:50 ` [PATCH 07/18] SUNRPC: Switch wrap token decryption " Chuck Lever
2026-04-27 13:50 ` [PATCH 08/18] SUNRPC: Switch Camellia decrypt " Chuck Lever
2026-04-27 13:50 ` [PATCH 09/18] SUNRPC: Switch MIC token generation " Chuck Lever
2026-04-27 13:50 ` [PATCH 10/18] SUNRPC: Switch MIC token verification " Chuck Lever
2026-04-27 13:50 ` [PATCH 11/18] SUNRPC: Remove get_mic/verify_mic function pointers from enctype table Chuck Lever
2026-04-27 13:50 ` [PATCH 12/18] SUNRPC: Remove wrap/unwrap " Chuck Lever
2026-04-27 13:50 ` [PATCH 13/18] SUNRPC: Remove encrypt/decrypt " Chuck Lever
2026-04-27 13:50 ` [PATCH 14/18] SUNRPC: Remove legacy skcipher/ahash handles from krb5_ctx Chuck Lever
2026-04-27 13:50 ` [PATCH 15/18] SUNRPC: Remove dead code from rpcsec_gss_krb5 Chuck Lever
2026-04-27 13:51 ` [PATCH 16/18] SUNRPC: Remove per-enctype Kconfig options Chuck Lever
2026-04-27 13:51 ` [PATCH 17/18] SUNRPC: Remove redundant crypto Kconfig dependencies Chuck Lever
2026-04-27 13:51 ` [PATCH 18/18] SUNRPC: Remove dead rpcsec_gss_krb5 definitions Chuck Lever
2026-04-29 6:39 ` [PATCH 00/18] Migrate rpcsec_gss_krb5 to the crypto/krb5 library Jeff Layton
2026-04-29 15:17 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260427-crypto-krb5-api-v1-5-1fc1253b64c0@oracle.com \
--to=cel@kernel.org \
--cc=Dai.Ngo@oracle.com \
--cc=anna@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=jlayton@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=neil@brown.name \
--cc=netdev@vger.kernel.org \
--cc=okorniev@redhat.com \
--cc=pabeni@redhat.com \
--cc=simo@redhat.com \
--cc=tom@talpey.com \
--cc=trondmy@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox