mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2026-03-23 07:56:50 +08:00
8356b4b110
The existing approach where ceph_x_challenge_blob is encrypted with the client's secret key and then the digest derived from the ciphertext is used for the test doesn't work with CEPH_CRYPTO_AES256KRB5 because the confounder randomizes the ciphertext: the client and the server get two different ciphertexts and therefore two different digests. msgr1 signatures are affected the same way: a digest derived from the ciphertext for the message's "sigblock" is what becomes a signature and the two sides disagree on the expected value. For CEPH_CRYPTO_AES256KRB5 (and potential future encryption schemes), switch to HMAC-SHA256 function keyed in the same way as the existing encryption. For CEPH_CRYPTO_AES, everything is preserved as is. Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
54 lines
1.6 KiB
C
54 lines
1.6 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _FS_CEPH_CRYPTO_H
|
|
#define _FS_CEPH_CRYPTO_H
|
|
|
|
#include <crypto/sha2.h>
|
|
#include <linux/ceph/types.h>
|
|
#include <linux/ceph/buffer.h>
|
|
|
|
#define CEPH_MAX_KEY_LEN 32
|
|
#define CEPH_MAX_CON_SECRET_LEN 64
|
|
|
|
/*
|
|
* cryptographic secret
|
|
*/
|
|
struct ceph_crypto_key {
|
|
int type;
|
|
struct ceph_timespec created;
|
|
int len;
|
|
void *key;
|
|
|
|
union {
|
|
struct crypto_sync_skcipher *aes_tfm;
|
|
struct {
|
|
struct hmac_sha256_key hmac_key;
|
|
const struct krb5_enctype *krb5_type;
|
|
struct crypto_aead *krb5_tfms[3];
|
|
};
|
|
};
|
|
};
|
|
|
|
int ceph_crypto_key_prepare(struct ceph_crypto_key *key,
|
|
const u32 *key_usages, int key_usage_cnt);
|
|
int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
|
|
const struct ceph_crypto_key *src);
|
|
int ceph_crypto_key_decode(struct ceph_crypto_key *key, void **p, void *end);
|
|
int ceph_crypto_key_unarmor(struct ceph_crypto_key *key, const char *in);
|
|
void ceph_crypto_key_destroy(struct ceph_crypto_key *key);
|
|
|
|
/* crypto.c */
|
|
int ceph_crypt(const struct ceph_crypto_key *key, int usage_slot, bool encrypt,
|
|
void *buf, int buf_len, int in_len, int *pout_len);
|
|
int ceph_crypt_data_offset(const struct ceph_crypto_key *key);
|
|
int ceph_crypt_buflen(const struct ceph_crypto_key *key, int data_len);
|
|
void ceph_hmac_sha256(const struct ceph_crypto_key *key, const void *buf,
|
|
int buf_len, u8 hmac[SHA256_DIGEST_SIZE]);
|
|
int ceph_crypto_init(void);
|
|
void ceph_crypto_shutdown(void);
|
|
|
|
/* armor.c */
|
|
int ceph_armor(char *dst, const char *src, const char *end);
|
|
int ceph_unarmor(char *dst, const char *src, const char *end);
|
|
|
|
#endif
|