gss_krb5: add support for triple-des encryption (958142e9) · Commits · e / devices / android_kernel_xiaomi_markw

include/linux/sunrpc/gss_krb5.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -261,3 +261,8 @@ krb5_derive_key(const struct gss_krb5_enctype *gk5e,
		const struct xdr_netobj *inkey,
		struct xdr_netobj *outkey,
		const struct xdr_netobj *in_constant);

		u32
		gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
		struct xdr_netobj *randombits,
		struct xdr_netobj *key);

+3 −0

Original line number	Diff line number	Diff line
		@@ -184,6 +184,9 @@ make_checksum(struct krb5_ctx kctx, char header, int hdrlen,
		checksumdata + checksumlen - kctx->gk5e->cksumlength,
		kctx->gk5e->cksumlength);
		break;
		case CKSUMTYPE_HMAC_SHA1_DES3:
		memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
		break;
		default:
		BUG();
		break;

+53 −0

Original line number	Diff line number	Diff line
		@@ -250,3 +250,56 @@ err_free_cipher:
		err_return:
		return ret;
		}

		#define smask(step) ((1<<step)-1)
		#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
		#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)

		static void mit_des_fixup_key_parity(u8 key[8])
		{
		int i;
		for (i = 0; i < 8; i++) {
		key[i] &= 0xfe;
		key[i] \|= 1^parity_char(key[i]);
		}
		}

		/*
		* This is the des3 key derivation postprocess function
		*/
		u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
		struct xdr_netobj *randombits,
		struct xdr_netobj *key)
		{
		int i;
		u32 ret = EINVAL;

		if (key->len != 24) {
		dprintk("%s: key->len is %d\n", __func__, key->len);
		goto err_out;
		}
		if (randombits->len != 21) {
		dprintk("%s: randombits->len is %d\n",
		__func__, randombits->len);
		goto err_out;
		}

		/* take the seven bytes, move them around into the top 7 bits of the
		8 key bytes, then compute the parity bits. Do this three times. */

		for (i = 0; i < 3; i++) {
		memcpy(key->data + i8, randombits->data + i7, 7);
		key->data[i8+7] = (((key->data[i8]&1)<<1) \|
		((key->data[i*8+1]&1)<<2) \|
		((key->data[i*8+2]&1)<<3) \|
		((key->data[i*8+3]&1)<<4) \|
		((key->data[i*8+4]&1)<<5) \|
		((key->data[i*8+5]&1)<<6) \|
		((key->data[i*8+6]&1)<<7));

		mit_des_fixup_key_parity(key->data + i*8);
		}
		ret = 0;
		err_out:
		return ret;
		}

+23 −0

Original line number	Diff line number	Diff line
		@@ -71,6 +71,26 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
		.cksumlength = 8,
		.keyed_cksum = 0,
		},
		/*
		* 3DES
		*/
		{
		.etype = ENCTYPE_DES3_CBC_RAW,
		.ctype = CKSUMTYPE_HMAC_SHA1_DES3,
		.name = "des3-hmac-sha1",
		.encrypt_name = "cbc(des3_ede)",
		.cksum_name = "hmac(sha1)",
		.encrypt = krb5_encrypt,
		.decrypt = krb5_decrypt,
		.mk_key = gss_krb5_des3_make_key,
		.signalg = SGN_ALG_HMAC_SHA1_DES3_KD,
		.sealalg = SEAL_ALG_DES3KD,
		.keybytes = 21,
		.keylength = 24,
		.blocksize = 8,
		.cksumlength = 20,
		.keyed_cksum = 1,
		},
		};

		static const int num_supported_enctypes =
		@@ -440,6 +460,9 @@ gss_import_v2_context(const void p, const void end, struct krb5_ctx *ctx)
		p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
		if (IS_ERR(p))
		goto out_err;
		/* Map ENCTYPE_DES3_CBC_SHA1 to ENCTYPE_DES3_CBC_RAW */
		if (ctx->enctype == ENCTYPE_DES3_CBC_SHA1)
		ctx->enctype = ENCTYPE_DES3_CBC_RAW;
		ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
		if (ctx->gk5e == NULL) {
		dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",

+1 −0

Original line number	Diff line number	Diff line
		@@ -142,6 +142,7 @@ gss_get_mic_kerberos(struct gss_ctx gss_ctx, struct xdr_buf text,
		default:
		BUG();
		case ENCTYPE_DES_CBC_RAW:
		case ENCTYPE_DES3_CBC_RAW:
		return gss_get_mic_v1(ctx, text, token);
		}
		}