author | Kevin Coffman <kwc@citi.umich.edu> | 2010-03-17 13:03:03 -0400 |
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2010-05-14 15:09:19 -0400 |
commit | fc263a917afad3bda7b823a6edc803a40e7f6015 (patch) | |
tree | c6773866431c48aea2b837f5ba06314ec21369b4 | |
parent | 8b23707612cffdba694dcd18aa8a018918aa86dc (diff) |
gss_krb5: Save the raw session key in the context
This is needed for deriving arcfour-hmac keys "on the fly"
using the sequence number or checksum
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r-- | include/linux/sunrpc/gss_krb5.h | 1 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 27 |
2 files changed, 14 insertions, 14 deletions
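--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -101,6 +101,7 @@ struct krb5_ctx {
 	struct crypto_blkcipher *initiator_enc;
 	struct crypto_blkcipher *acceptor_enc_aux;
 	struct crypto_blkcipher *initiator_enc_aux;
+	u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
 	u8 cksum[GSS_KRB5_MAX_KEYLEN];
 	s32 endtime;
 	u32 seq_send;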
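Review bot: Ksess keeps the raw session key inside the long-lived krb5_ctx for the whole lifetime of the context, whereas before this change it lived only in a stack buffer in gss_import_v2_context() and was gone on return; the context-destroy path should wipe it before the ctx memory is released (e.g. `memset(ctx->Ksess, 0, sizeof(ctx->Ksess));` ahead of the kfree, or freeing the ctx with kzfree), unless that already happens outside this diff. The field comment would also help readers if it stated what the import relies on: `u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* raw session key; gk5e->keylength bytes valid */`. struct krb5_ctx begins and ends outside this hunk.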
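--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -344,7 +344,7 @@ set_cdata(u8 cdata[GSS_KRB5_K5CLENGTH], u32 usage, u8 seed)
 }
 
 static int
-context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
+context_derive_keys_des3(struct krb5_ctx *ctx)
 {
 	struct xdr_netobj c, keyin, keyout;
 	u8 cdata[GSS_KRB5_K5CLENGTH];
@@ -353,18 +353,18 @@ context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
 	c.len = GSS_KRB5_K5CLENGTH;
 	c.data = cdata;
 
-	keyin.data = rawkey;
-	keyin.len = keylen;
-	keyout.len = keylen;
+	keyin.data = ctx->Ksess;
+	keyin.len = ctx->gk5e->keylength;
+	keyout.len = ctx->gk5e->keylength;
 
 	/* seq uses the raw key */
 	ctx->seq = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
-					   rawkey);
+					   ctx->Ksess);
 	if (ctx->seq == NULL)
 		goto out_err;
 
 	ctx->enc = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
-					   rawkey);
+					   ctx->Ksess);
 	if (ctx->enc == NULL)
 		goto out_free_seq;
 
@@ -389,7 +389,7 @@ out_err:
 }
 
 static int
-context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
+context_derive_keys_new(struct krb5_ctx *ctx)
 {
 	struct xdr_netobj c, keyin, keyout;
 	u8 cdata[GSS_KRB5_K5CLENGTH];
@@ -398,9 +398,9 @@ context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
 	c.len = GSS_KRB5_K5CLENGTH;
 	c.data = cdata;
 
-	keyin.data = rawkey;
-	keyin.len = keylen;
-	keyout.len = keylen;
+	keyin.data = ctx->Ksess;
+	keyin.len = ctx->gk5e->keylength;
+	keyout.len = ctx->gk5e->keylength;
 
 	/* initiator seal encryption */
 	set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_ENCRYPTION);
@@ -502,7 +502,6 @@ out_err:
 static int
 gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
 {
-	u8 rawkey[GSS_KRB5_MAX_KEYLEN];
 	int keylen;
 
 	p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
@@ -538,7 +537,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
 	}
 	keylen = ctx->gk5e->keylength;
 
-	p = simple_get_bytes(p, end, rawkey, keylen);
+	p = simple_get_bytes(p, end, ctx->Ksess, keylen);
 	if (IS_ERR(p))
 		goto out_err;
 
@@ -557,10 +556,10 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
 
 	switch (ctx->enctype) {
 	case ENCTYPE_DES3_CBC_RAW:
-		return context_derive_keys_des3(ctx, rawkey, keylen);
+		return context_derive_keys_des3(ctx);
 	case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
 	case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-		return context_derive_keys_new(ctx, rawkey, keylen);
+		return context_derive_keys_new(ctx);
 	default:
 		return -EINVAL;
 	}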
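Review bot: context_derive_keys_des3() now depends on ctx->Ksess and ctx->gk5e having been filled in by the caller instead of receiving the key and its length as explicit arguments, but nothing at the definition records that contract; a one-line comment above the function would make it visible: `/* Requires ctx->gk5e and ctx->Ksess to be set by gss_import_v2_context() */`. The same note applies to context_derive_keys_new() in the -389 hunk, which loses its rawkey/keylen parameters the same way. The body of context_derive_keys_des3() continues past the end of this hunk.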