xref: /linux/include/crypto/krb5.h (revision 025ac491f4eeb48c03353719f0de20a6db36b826)
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /* Kerberos 5 crypto
3  *
4  * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #ifndef _CRYPTO_KRB5_H
9 #define _CRYPTO_KRB5_H
10 
11 #include <linux/crypto.h>
12 #include <crypto/aead.h>
13 
14 struct crypto_shash;
15 struct scatterlist;
16 
17 /*
18  * Kerberos v5 encryption type (enctype) numbers as carried on the wire.  These
19  * get mapped to Linux kernel crypto routines.
    *
    * A constant being listed here does not by itself show that the kernel
    * implements that enctype; the only lookup entry point visible in this header
    * is crypto_krb5_find_enctype().
    *
    * NOTE(review): the DES, 3DES and ARCFOUR (RC4) entries are legacy
    * algorithms.  RFC 6649 deprecates DES and RC4-HMAC-EXP for Kerberos and
    * RFC 8429 deprecates 3DES and RC4-HMAC, so prefer the AES enctypes when
    * deciding what a caller may negotiate.
20  */
21 #define KRB5_ENCTYPE_NULL			0x0000	/* Null enctype: no encryption */
22 #define KRB5_ENCTYPE_DES_CBC_CRC		0x0001	/* DES cbc mode with CRC-32 */
23 #define KRB5_ENCTYPE_DES_CBC_MD4		0x0002	/* DES cbc mode with RSA-MD4 */
24 #define KRB5_ENCTYPE_DES_CBC_MD5		0x0003	/* DES cbc mode with RSA-MD5 */
25 #define KRB5_ENCTYPE_DES_CBC_RAW		0x0004	/* DES cbc mode raw */
26 /* XXX deprecated?  NOTE(review): still unresolved here; 3DES is deprecated for
    * Kerberos by RFC 8429 -- confirm whether these two values are still needed.
    */
27 #define KRB5_ENCTYPE_DES3_CBC_SHA		0x0005	/* DES-3 cbc mode with NIST-SHA */
28 #define KRB5_ENCTYPE_DES3_CBC_RAW		0x0006	/* DES-3 cbc mode raw */
29 #define KRB5_ENCTYPE_DES_HMAC_SHA1		0x0008
30 #define KRB5_ENCTYPE_DES3_CBC_SHA1		0x0010	/* 3DES; deprecated by RFC 8429 */
31 #define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96	0x0011	/* AES-128 CTS, HMAC-SHA1 cut to 96 bits (RFC 3962) */
32 #define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96	0x0012	/* AES-256 CTS, HMAC-SHA1 cut to 96 bits (RFC 3962) */
33 #define KRB5_ENCTYPE_ARCFOUR_HMAC		0x0017	/* RC4-HMAC; deprecated by RFC 8429 */
34 #define KRB5_ENCTYPE_ARCFOUR_HMAC_EXP		0x0018	/* Export-grade RC4-HMAC; deprecated by RFC 6649 */
35 #define KRB5_ENCTYPE_UNKNOWN			0x01ff	/* presumably a sentinel for an unrecognised enctype -- confirm */
36 
   /*
    * Kerberos v5 checksum type numbers.
    *
    * KRB5_CKSUMTYPE_HMAC_MD5_ARCFOUR is negative, so it only fits a signed
    * field such as krb5_enctype::ctype (declared int in this header); do not
    * store these values in an unsigned type.
    *
    * NOTE(review): CRC-32 is an error-detecting code rather than a
    * cryptographic checksum, and the MD4, MD5 and DES based types are legacy
    * algorithms.  Going by the names, the HMAC_SHA1_96_AES* types are the ones
    * that go with the AES enctypes.
    */
37 #define KRB5_CKSUMTYPE_CRC32			0x0001	/* CRC-32: unkeyed, error detection only */
38 #define KRB5_CKSUMTYPE_RSA_MD4			0x0002
39 #define KRB5_CKSUMTYPE_RSA_MD4_DES		0x0003
40 #define KRB5_CKSUMTYPE_DESCBC			0x0004
41 #define KRB5_CKSUMTYPE_RSA_MD5			0x0007
42 #define KRB5_CKSUMTYPE_RSA_MD5_DES		0x0008
43 #define KRB5_CKSUMTYPE_NIST_SHA			0x0009
44 #define KRB5_CKSUMTYPE_HMAC_SHA1_DES3		0x000c
45 #define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES128	0x000f
46 #define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES256	0x0010
47 #define KRB5_CKSUMTYPE_HMAC_MD5_ARCFOUR		-138 /* Microsoft md5 hmac cksumtype (negative value) */
48 
49 /*
50  * Constants used for key derivation.
    *
    * RFC 3961 derives a separate key per purpose from one base key by
    * appending one of these octets to the key usage number: 0x99 gives the
    * checksum key Kc, 0xAA the encryption key Ke and 0x55 the integrity key Ki
    * (cf. the Kc_len/Ke_len/Ki_len fields of struct krb5_enctype).  Using a
    * distinct seed per purpose is what stops one derived key from being reused
    * for another purpose.
51  */
52 /* from rfc3961 */
53 #define KEY_USAGE_SEED_CHECKSUM         (0x99)	/* seed for Kc */
54 #define KEY_USAGE_SEED_ENCRYPTION       (0xAA)	/* seed for Ke */
55 #define KEY_USAGE_SEED_INTEGRITY        (0x55)	/* seed for Ki */
56 
57 /*
58  * Mode of operation.
    *
    * Passed as the mode argument of crypto_krb5_how_much_buffer(),
    * crypto_krb5_how_much_data() and crypto_krb5_where_is_the_data(), which are
    * declared further down in this header.
59  */
60 enum krb5_crypto_mode {
61 	KRB5_CHECKSUM_MODE,	/* Checksum only: the data itself is not encrypted */
62 	KRB5_ENCRYPT_MODE,	/* Fully encrypted, possibly with integrity checksum */
63 };
64 
   /*
    * Length-tagged pointer to raw bytes.  In this header it is the input and
    * output type of krb5_enctype::random_to_key().
    *
    * NOTE(review): nothing here says who allocates or frees data, or how len
    * relates to the size of the allocation -- confirm at the call sites.  A
    * buffer used with random_to_key() presumably carries key material, so
    * callers should consider wiping it before it is released.
    */
65 struct krb5_buffer {
66 	unsigned int	len;	/* presumably the number of bytes at data -- confirm */
67 	void		*data;	/* Start of the bytes; ownership is not stated here */
68 };
69 
70 /*
71  * Kerberos encryption type (enctype) definition.
    *
    * Describes one enctype: its wire numbers, the names of the algorithms it is
    * built from and the sizes of its keys, blocks and checksums.
    * crypto_krb5_find_enctype() hands these out as pointers to const, so users
    * of this header are not expected to modify a descriptor.
    *
    * NOTE(review): the *_name and derivation_enc strings are presumably
    * algorithm names for the kernel crypto API -- confirm against the code
    * that allocates the transforms.
72  */
73 struct krb5_enctype {
74 	int		etype;		/* Encryption (key) type (cf. KRB5_ENCTYPE_*) */
75 	int		ctype;		/* Checksum type (cf. KRB5_CKSUMTYPE_*); signed */
76 	const char	*name;		/* "Friendly" name */
77 	const char	*encrypt_name;	/* Crypto encrypt+checksum name */
78 	const char	*cksum_name;	/* Crypto checksum name */
79 	const char	*hash_name;	/* Crypto hash name */
80 	const char	*derivation_enc; /* Cipher used in key derivation */
81 	u16		block_len;	/* Length of encryption block */
82 	u16		conf_len;	/* Length of confounder (normally == block_len) */
83 	u16		cksum_len;	/* Length of checksum */
84 	u16		key_bytes;	/* Length of raw key, in bytes */
85 	u16		key_len;	/* Length of final key, in bytes */
86 	u16		hash_len;	/* Length of hash in bytes */
87 	u16		prf_len;	/* Length of PRF() result in bytes */
88 	u16		Kc_len;		/* Length of Kc (checksum key) in bytes */
89 	u16		Ke_len;		/* Length of Ke (encryption key) in bytes */
90 	u16		Ki_len;		/* Length of Ki (integrity key) in bytes */
91 	bool		keyed_cksum;	/* True if the checksum is keyed */
92 
   	/* Opaque here: struct krb5_crypto_profile is not defined in this header. */
93 	const struct krb5_crypto_profile *profile;
94 
   	/*
   	 * Complete key generation from *in into *out for this enctype
   	 * (presumably RFC 3961's random-to-key step -- confirm).  Returns an
   	 * int; presumably 0 or a negative error code, which this header does
   	 * not state.
   	 */
95 	int (*random_to_key)(const struct krb5_enctype *krb5,
96 			     const struct krb5_buffer *in,
97 			     struct krb5_buffer *out);	/* complete key generation */
98 };
99 
100 /*
101  * krb5_api.c
     *
     * NOTE(review): the definitions are not in this header, so the descriptions
     * below are read off the names and signatures only -- confirm them against
     * krb5_api.c before relying on them.
     *
     * crypto_krb5_find_enctype() takes an enctype number and returns a pointer
     * to a const descriptor.  It presumably returns NULL when there is no
     * descriptor for that number, so check the result before dereferencing it.
     * The argument is u32 whereas krb5_enctype::etype is int.
     *
     * crypto_krb5_how_much_buffer() takes a data size and returns a size_t,
     * writing through _offset; presumably the buffer size needed for that much
     * data in the given mode and the offset at which the data sits in it.
     *
     * crypto_krb5_how_much_data() takes a buffer size by pointer and returns a
     * size_t, writing through _offset; presumably how much data fits in that
     * buffer.  Whether *_buffer_size is also updated is not visible here.
     *
     * crypto_krb5_where_is_the_data() returns nothing and takes _offset and
     * _len by pointer; presumably it narrows a message region down to the data
     * it carries.
     *
     * The last three take the descriptor as a pointer to const.
102  */
103 const struct krb5_enctype *crypto_krb5_find_enctype(u32 enctype);
104 size_t crypto_krb5_how_much_buffer(const struct krb5_enctype *krb5,
105 				   enum krb5_crypto_mode mode,
106 				   size_t data_size, size_t *_offset);
107 size_t crypto_krb5_how_much_data(const struct krb5_enctype *krb5,
108 				 enum krb5_crypto_mode mode,
109 				 size_t *_buffer_size, size_t *_offset);
110 void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
111 				   enum krb5_crypto_mode mode,
112 				   size_t *_offset, size_t *_len);
113 
114 #endif /* _CRYPTO_KRB5_H */
115