1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /* Kerberos 5 crypto
3  *
4  * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #ifndef _CRYPTO_KRB5_H
9 #define _CRYPTO_KRB5_H
10 
11 #include <linux/crypto.h>
12 #include <crypto/aead.h>
13 #include <crypto/hash.h>
14 
/*
 * Forward declarations so that the prototypes below can take pointers to
 * these types without this header needing their full definitions (the
 * crypto_shash one is presumably already provided by <crypto/hash.h> above,
 * so it is harmless but redundant here).
 */
struct crypto_shash;
struct scatterlist;
17 
/*
 * Kerberos v5 encryption type (etype) numbers as carried on the wire.  The
 * values are the registered ones: RFC 3961 for the DES/3DES family, RFC 3962
 * for AES with HMAC-SHA1, RFC 8009 for AES with HMAC-SHA2 and RFC 4757 for
 * RC4.  Each number is mapped onto Linux kernel crypto algorithms by the krb5
 * implementation via struct krb5_enctype below.
 *
 * Security note: the single-DES types and RC4-HMAC-EXP are deprecated by
 * RFC 6649, and the triple-DES and RC4-HMAC types by RFC 8429.  The constants
 * are kept so that wire values can be named and rejected; callers should not
 * select any of them for new sessions.  Only the four AES types are current.
 */
#define KRB5_ENCTYPE_NULL			0x0000
#define KRB5_ENCTYPE_DES_CBC_CRC		0x0001	/* DES cbc mode with CRC-32 (deprecated) */
#define KRB5_ENCTYPE_DES_CBC_MD4		0x0002	/* DES cbc mode with RSA-MD4 (deprecated) */
#define KRB5_ENCTYPE_DES_CBC_MD5		0x0003	/* DES cbc mode with RSA-MD5 (deprecated) */
#define KRB5_ENCTYPE_DES_CBC_RAW		0x0004	/* DES cbc mode raw (deprecated, no integrity) */
/* The 3DES/DES types below are legacy and deprecated; see the note above */
#define KRB5_ENCTYPE_DES3_CBC_SHA		0x0005	/* DES-3 cbc mode with NIST-SHA */
#define KRB5_ENCTYPE_DES3_CBC_RAW		0x0006	/* DES-3 cbc mode raw (no integrity) */
#define KRB5_ENCTYPE_DES_HMAC_SHA1		0x0008
#define KRB5_ENCTYPE_DES3_CBC_SHA1		0x0010
#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96	0x0011	/* RFC 3962 */
#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96	0x0012	/* RFC 3962 */
#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128	0x0013	/* RFC 8009 */
#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192	0x0014	/* RFC 8009 */
#define KRB5_ENCTYPE_ARCFOUR_HMAC		0x0017	/* RFC 4757 (deprecated, RFC 8429) */
#define KRB5_ENCTYPE_ARCFOUR_HMAC_EXP		0x0018	/* RFC 4757 export variant (deprecated, RFC 6649) */
#define KRB5_ENCTYPE_UNKNOWN			0x01ff	/* Local sentinel; presumably never a wire value - confirm */
39 
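/*
 * Kerberos v5 checksum type (cksumtype) numbers as carried on the wire.  The
 * AES ones come from RFC 3962 (0x0f, 0x10) and RFC 8009 (0x13, 0x14); the
 * RC4 HMAC-MD5 one (-138) is Microsoft's assignment documented in RFC 4757.
 *
 * cksumtype is a signed 32-bit integer in the protocol (RFC 4120 Int32),
 * which is why a negative value is legitimate.  Compare wire values against
 * these constants as signed ints: a u32 holding the wire encoding of -138
 * will never compare equal to the constant below.
 *
 * CRC32, RSA-MD4 and RSA-MD5 are unkeyed checksums (RFC 3961 section 6.1)
 * and offer no integrity against an active attacker; the DES- and RC4-keyed
 * ones belong to deprecated enctypes.  Only the HMAC-SHA1/SHA2 AES checksums
 * are current.
 */
#define KRB5_CKSUMTYPE_CRC32			0x0001	/* unkeyed */
#define KRB5_CKSUMTYPE_RSA_MD4			0x0002	/* unkeyed */
#define KRB5_CKSUMTYPE_RSA_MD4_DES		0x0003	/* DES-keyed (deprecated) */
#define KRB5_CKSUMTYPE_DESCBC			0x0004	/* DES-keyed (deprecated) */
#define KRB5_CKSUMTYPE_RSA_MD5			0x0007	/* unkeyed */
#define KRB5_CKSUMTYPE_RSA_MD5_DES		0x0008	/* DES-keyed (deprecated) */
#define KRB5_CKSUMTYPE_NIST_SHA			0x0009	/* unkeyed */
#define KRB5_CKSUMTYPE_HMAC_SHA1_DES3		0x000c	/* 3DES-keyed (deprecated) */
#define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES128	0x000f	/* RFC 3962 */
#define KRB5_CKSUMTYPE_HMAC_SHA1_96_AES256	0x0010	/* RFC 3962 */
#define KRB5_CKSUMTYPE_HMAC_SHA256_128_AES128	0x0013	/* RFC 8009 */
#define KRB5_CKSUMTYPE_HMAC_SHA384_192_AES256	0x0014	/* RFC 8009 */
/*
 * Microsoft md5 hmac cksumtype (RFC 4757).  Parenthesised because the value
 * is a unary expression: an unparenthesised "-138" is a hygiene hazard in
 * expressions such as "x - KRB5_CKSUMTYPE_HMAC_MD5_ARCFOUR".
 */
#define KRB5_CKSUMTYPE_HMAC_MD5_ARCFOUR		(-138)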
53 
/*
 * Constants used for key derivation (RFC 3961 section 5.3).  The protocol
 * key-usage number is followed by one of these single bytes to form the
 * "well-known constant" fed to DK(); the byte selects which derived key is
 * produced: Kc (checksum), Ke (encryption) or Ki (integrity).  Deriving with
 * the wrong seed produces a key that will not interoperate, and reusing one
 * derived key for two purposes defeats the key separation the spec relies on.
 *
 * NOTE(review): these names carry no KRB5_ prefix although this is a
 * kernel-wide header; watch for collisions with other headers.
 */
/* from rfc3961 */
#define KEY_USAGE_SEED_CHECKSUM         (0x99)	/* Kc = DK(key, usage || 0x99) */
#define KEY_USAGE_SEED_ENCRYPTION       (0xAA)	/* Ke = DK(key, usage || 0xAA) */
#define KEY_USAGE_SEED_INTEGRITY        (0x55)	/* Ki = DK(key, usage || 0x55) */
61 
/*
 * Mode of operation selected by the callers of the sizing and transform
 * helpers below: either the payload is only integrity-protected (a MIC is
 * produced and the data itself stays in the clear), or it is encrypted,
 * which may carry an integrity checksum along with it.
 */
enum krb5_crypto_mode {
	KRB5_CHECKSUM_MODE = 0,	/* Checksum (MIC) only; no confidentiality */
	KRB5_ENCRYPT_MODE = 1,	/* Fully encrypted, possibly with integrity checksum */
};
69 
/*
 * A counted octet string: @len bytes starting at @data.  The struct carries
 * no ownership, reference count or teardown of its own, so whoever builds it
 * keeps @data alive for as long as a callee may read it and, when the bytes
 * are key material, is responsible for zeroing them afterwards.
 */
struct krb5_buffer {
	unsigned int	len;	/* Number of valid bytes at @data */
	void		*data;	/* Start of the octets (binary, length-delimited) */
};
74 
/*
 * Kerberos encoding type definition.
 *
 * Describes one etype/cksumtype pair: the wire numbers it answers to, the
 * kernel crypto algorithm names that implement it, and the sizes the framing
 * and key-derivation code needs.  Every API below takes a const pointer to
 * one of these, so instances are expected to be constant tables; nothing in
 * here holds key material.
 */
struct krb5_enctype {
	int		etype;		/* Encryption (key) type: a KRB5_ENCTYPE_* wire value */
	int		ctype;		/* Checksum type: a KRB5_CKSUMTYPE_* wire value (signed; may be negative) */
	const char	*name;		/* "Friendly" name */
	const char	*encrypt_name;	/* Crypto encrypt+checksum name (kernel crypto algorithm name) */
	const char	*cksum_name;	/* Crypto checksum name (kernel crypto algorithm name) */
	const char	*hash_name;	/* Crypto hash name (kernel crypto algorithm name) */
	const char	*derivation_enc; /* Cipher used in key derivation */
	u16		block_len;	/* Length of encryption block */
	u16		conf_len;	/* Length of confounder (normally == block_len) */
	u16		cksum_len;	/* Length of checksum as emitted/verified on the wire */
	u16		key_bytes;	/* Length of raw (random) key input, in bytes */
	u16		key_len;	/* Length of final protocol key, in bytes */
	u16		hash_len;	/* Length of hash in bytes */
	u16		prf_len;	/* Length of PRF() result in bytes */
	u16		Kc_len;		/* Length of Kc (checksum key) in bytes */
	u16		Ke_len;		/* Length of Ke (encryption key) in bytes */
	u16		Ki_len;		/* Length of Ki (integrity key) in bytes */
	bool		keyed_cksum;	/* T if a keyed cksum; an unkeyed one authenticates nothing */

	/* Per-family transform operations; defined by the implementation, opaque here */
	const struct krb5_crypto_profile *profile;

	/*
	 * Complete key generation: the RFC 3961 random-to-key() step turning
	 * random octets in @in into a usable protocol key in @out.  Presumably
	 * @in is key_bytes long and @out key_len long (they differ for e.g.
	 * DES parity) - confirm against the implementation.  Returns 0 or a
	 * negative errno by kernel convention.
	 */
	int (*random_to_key)(const struct krb5_enctype *krb5,
			     const struct krb5_buffer *in,
			     struct krb5_buffer *out);	/* complete key generation */
};
104 
/*
 * krb5_api.c
 *
 * Sizing helpers plus the encrypt/decrypt and MIC primitives.  All of them
 * take the const enctype descriptor returned by crypto_krb5_find_enctype();
 * the kernel transform objects are created once per (key, usage) by the two
 * prepare functions and then passed back in.
 */

/*
 * Look up the descriptor for a wire etype number.  Note the unsigned
 * parameter: cksumtype numbers, which may be negative, are not looked up this
 * way.  Presumably returns NULL for an unsupported or unknown type - callers
 * must check before dereferencing, and should treat an unknown type from the
 * peer as a negotiation failure, not fall back to something weaker.
 */
const struct krb5_enctype *crypto_krb5_find_enctype(u32 enctype);

/*
 * Sizing helpers for a message in the given @mode.  From the parameter names:
 * how_much_buffer takes a payload size and returns the buffer size needed,
 * reporting via *_offset where the payload goes; how_much_data is the inverse,
 * taking a buffer size and returning how much payload fits (updating
 * *_buffer_size and *_offset); where_is_the_data narrows *_offset/*_len to
 * the payload region of a buffer.  The exact in/out semantics are inferred -
 * confirm against krb5_api.c before relying on them.
 */
size_t crypto_krb5_how_much_buffer(const struct krb5_enctype *krb5,
				   enum krb5_crypto_mode mode,
				   size_t data_size, size_t *_offset);
size_t crypto_krb5_how_much_data(const struct krb5_enctype *krb5,
				 enum krb5_crypto_mode mode,
				 size_t *_buffer_size, size_t *_offset);
void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
				   enum krb5_crypto_mode mode,
				   size_t *_offset, size_t *_len);

/*
 * Derive the per-usage keys from the transport key @TK for key-usage number
 * @usage and instantiate a kernel transform: an AEAD for encryption, a shash
 * for checksumming.  @usage must be the key-usage value the protocol assigns
 * to the message type being protected; reusing a transform prepared for one
 * usage on a different message type breaks the key separation Kerberos
 * depends on.  Kernel convention suggests an ERR_PTR() on failure (test with
 * IS_ERR()) rather than NULL - confirm in krb5_api.c.  The caller owns the
 * returned object and releases it with crypto_free_aead() /
 * crypto_free_shash() when finished.
 */
struct crypto_aead *crypto_krb5_prepare_encryption(const struct krb5_enctype *krb5,
						   const struct krb5_buffer *TK,
						   u32 usage, gfp_t gfp);
struct crypto_shash *crypto_krb5_prepare_checksum(const struct krb5_enctype *krb5,
						  const struct krb5_buffer *TK,
						  u32 usage, gfp_t gfp);

/*
 * Encrypt @data_len bytes of payload starting at @data_offset within the
 * @sg_len-byte scatterlist, in place, producing the wire form.  Returns the
 * resulting length or a negative errno.  If @preconfounded is set, the caller
 * has presumably already placed the confounder (conf_len bytes) ahead of the
 * payload; it is then the caller's job to make those bytes unpredictable
 * (get_random_bytes()).  A fixed or reused confounder lets an observer detect
 * messages with equal leading plaintext blocks.
 */
ssize_t crypto_krb5_encrypt(const struct krb5_enctype *krb5,
			    struct crypto_aead *aead,
			    struct scatterlist *sg, unsigned int nr_sg,
			    size_t sg_len,
			    size_t data_offset, size_t data_len,
			    bool preconfounded);

/*
 * Decrypt and integrity-check a message in place.  On entry *_offset/*_len
 * appear to delimit the ciphertext; on success (0) they are narrowed to the
 * recovered payload.  On a negative errno the buffer contents must be treated
 * as garbage - nothing from it should be parsed or acted on, since an
 * integrity failure means the bytes may have been chosen by an attacker.
 */
int crypto_krb5_decrypt(const struct krb5_enctype *krb5,
			struct crypto_aead *aead,
			struct scatterlist *sg, unsigned int nr_sg,
			size_t *_offset, size_t *_len);

/*
 * Compute / verify a MIC over the payload.  @metadata is an extra octet
 * string covered by the checksum (presumably the message header the caller
 * also needs authenticated); both ends must supply identical bytes or
 * verification fails.  get_mic returns the resulting wire length or a
 * negative errno; verify_mic returns 0 on success and, by analogy with
 * decrypt, appears to narrow *_offset/*_len to the payload.  The MIC
 * comparison must be constant-time (crypto_memneq()) - confirm in the
 * implementation.
 */
ssize_t crypto_krb5_get_mic(const struct krb5_enctype *krb5,
			    struct crypto_shash *shash,
			    const struct krb5_buffer *metadata,
			    struct scatterlist *sg, unsigned int nr_sg,
			    size_t sg_len,
			    size_t data_offset, size_t data_len);
int crypto_krb5_verify_mic(const struct krb5_enctype *krb5,
			   struct crypto_shash *shash,
			   const struct krb5_buffer *metadata,
			   struct scatterlist *sg, unsigned int nr_sg,
			   size_t *_offset, size_t *_len);
145 
/*
 * krb5_kdf.c
 */

/*
 * PRF+(K, L, S) as defined in RFC 6113 section 5.1: expand key @K with octet
 * string @S into @L bytes of pseudo-random output, delivered in @result
 * (@gfp is presumably used to allocate result->data - confirm).  Returns 0 or
 * a negative errno.  In the spec this is the building block for KRB-FX-CF2
 * key combination, so the output is key material: the caller should zero it
 * (e.g. kfree_sensitive()) when it is no longer needed.
 */
int crypto_krb5_calc_PRFplus(const struct krb5_enctype *krb5,
			     const struct krb5_buffer *K,
			     unsigned int L,
			     const struct krb5_buffer *S,
			     struct krb5_buffer *result,
			     gfp_t gfp);
155 
156 #endif /* _CRYPTO_KRB5_H */
157