SUNRPC: Refactor set-up for aux_cipher

Hoist the name of the aux_cipher into struct gss_krb5_enctype to prepare for obscuring the encryption keys just after they are derived. Tested-by: Scott Mayhew <smayhew@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
author: Chuck Lever <chuck.lever@oracle.com> 2023-01-15 12:20:54 -0500
committer: Chuck Lever <chuck.lever@oracle.com> 2023-02-20 09:20:34 -0500
commit: 7989a4f4ab5437ec82b0b59984594f848f12b36a (patch)
tree: 9ab495c7dc52dedac622c47f803e83330293f071 /net/sunrpc/auth_gss/gss_krb5_mech.c
parent: 01c4e326327a635e1fac75b1aedd2c2c1e8123b5 (diff)
download: linux-7989a4f4ab5437ec82b0b59984594f848f12b36a.tar.gz
1 files changed, 25 insertions, 25 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index b982c9d495f268..afa6a692ccddac 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -78,6 +78,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 	  .ctype = CKSUMTYPE_HMAC_SHA1_96_AES128,
 	  .name = "aes128-cts",
 	  .encrypt_name = "cts(cbc(aes))",
+	  .aux_cipher = "cbc(aes)",
 	  .cksum_name = "hmac(sha1)",
 	  .encrypt = krb5_encrypt,
 	  .decrypt = krb5_decrypt,
@@ -99,6 +100,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 	  .ctype = CKSUMTYPE_HMAC_SHA1_96_AES256,
 	  .name = "aes256-cts",
 	  .encrypt_name = "cts(cbc(aes))",
+	  .aux_cipher = "cbc(aes)",
 	  .cksum_name = "hmac(sha1)",
 	  .encrypt = krb5_encrypt,
 	  .decrypt = krb5_decrypt,
@@ -373,6 +375,13 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
 						     ctx->initiator_seal);
 	if (ctx->initiator_enc == NULL)
 		goto out_err;
+	if (ctx->gk5e->aux_cipher) {
+		ctx->initiator_enc_aux =
+			context_v2_alloc_cipher(ctx, ctx->gk5e->aux_cipher,
+						ctx->initiator_seal);
+		if (ctx->initiator_enc_aux == NULL)
+			goto out_free;
+	}
 
 	/* acceptor seal encryption */
 	set_cdata(cdata, KG_USAGE_ACCEPTOR_SEAL, KEY_USAGE_SEED_ENCRYPTION);
@@ -381,13 +390,20 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
 	if (err) {
 		dprintk("%s: Error %d deriving acceptor_seal key\n",
 			__func__, err);
-		goto out_free_initiator_enc;
+		goto out_free;
 	}
 	ctx->acceptor_enc = context_v2_alloc_cipher(ctx,
 						    ctx->gk5e->encrypt_name,
 						    ctx->acceptor_seal);
 	if (ctx->acceptor_enc == NULL)
-		goto out_free_initiator_enc;
+		goto out_free;
+	if (ctx->gk5e->aux_cipher) {
+		ctx->acceptor_enc_aux =
+			context_v2_alloc_cipher(ctx, ctx->gk5e->aux_cipher,
+						ctx->acceptor_seal);
+		if (ctx->acceptor_enc_aux == NULL)
+			goto out_free;
+	}
 
 	/* initiator sign checksum */
 	set_cdata(cdata, KG_USAGE_INITIATOR_SIGN, KEY_USAGE_SEED_CHECKSUM);
@@ -396,7 +412,7 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
 	if (err) {
 		dprintk("%s: Error %d deriving initiator_sign key\n",
 			__func__, err);
-		goto out_free_acceptor_enc;
+		goto out_free;
 	}
 
 	/* acceptor sign checksum */
@@ -406,7 +422,7 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
 	if (err) {
 		dprintk("%s: Error %d deriving acceptor_sign key\n",
 			__func__, err);
-		goto out_free_acceptor_enc;
+		goto out_free;
 	}
 
 	/* initiator seal integrity */
@@ -416,7 +432,7 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
 	if (err) {
 		dprintk("%s: Error %d deriving initiator_integ key\n",
 			__func__, err);
-		goto out_free_acceptor_enc;
+		goto out_free;
 	}
 
 	/* acceptor seal integrity */
@@ -426,31 +442,15 @@ context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
 	if (err) {
 		dprintk("%s: Error %d deriving acceptor_integ key\n",
 			__func__, err);
-		goto out_free_acceptor_enc;
-	}
-
-	switch (ctx->enctype) {
-	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
-	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-		ctx->initiator_enc_aux =
-			context_v2_alloc_cipher(ctx, "cbc(aes)",
-						ctx->initiator_seal);
-		if (ctx->initiator_enc_aux == NULL)
-			goto out_free_acceptor_enc;
-		ctx->acceptor_enc_aux =
-			context_v2_alloc_cipher(ctx, "cbc(aes)",
-						ctx->acceptor_seal);
-		if (ctx->acceptor_enc_aux == NULL) {
-			crypto_free_sync_skcipher(ctx->initiator_enc_aux);
-			goto out_free_acceptor_enc;
-		}
+		goto out_free;
 	}
 
 	return 0;
 
-out_free_acceptor_enc:
+out_free:
+	crypto_free_sync_skcipher(ctx->acceptor_enc_aux);
 	crypto_free_sync_skcipher(ctx->acceptor_enc);
-out_free_initiator_enc:
+	crypto_free_sync_skcipher(ctx->initiator_enc_aux);
 	crypto_free_sync_skcipher(ctx->initiator_enc);
 out_err:
 	return -EINVAL;
author	Chuck Lever <chuck.lever@oracle.com>	2023-01-15 12:20:54 -0500
committer	Chuck Lever <chuck.lever@oracle.com>	2023-02-20 09:20:34 -0500
commit	7989a4f4ab5437ec82b0b59984594f848f12b36a (patch)
tree	9ab495c7dc52dedac622c47f803e83330293f071 /net/sunrpc/auth_gss/gss_krb5_mech.c
parent	01c4e326327a635e1fac75b1aedd2c2c1e8123b5 (diff)
download	linux-7989a4f4ab5437ec82b0b59984594f848f12b36a.tar.gz