diff options
author | Kevin Coffman <kwc@citi.umich.edu> | 2010-03-17 13:03:05 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2010-05-14 15:09:20 -0400 |
commit | 5af46547ec451918f3ba51efe59b317d33adf701 (patch) | |
tree | 0878529858a5ded9224e633dd13b431e6b69e28c | |
parent | 1dbd9029f3024d058da1cf6c6658c28aac2e4e1c (diff) |
gss_krb5: Use confounder length in wrap code
All encryption types use a confounder at the beginning of the
wrap token. In all encryption types except arcfour-hmac, the
confounder is the same as the blocksize. arcfour-hmac has a
blocksize of one, but uses an eight byte confounder.
Add an entry to the crypto framework definitions for the
confounder length and change the wrap/unwrap code to use
the confounder length rather than assuming it is always
the blocksize.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r-- | include/linux/sunrpc/gss_krb5.h | 3 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_crypto.c | 6 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 4 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 12 |
4 files changed, 17 insertions, 8 deletions
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h index d840856edecc..79f6ac2492f5 100644 --- a/include/linux/sunrpc/gss_krb5.h +++ b/include/linux/sunrpc/gss_krb5.h | |||
@@ -64,6 +64,9 @@ struct gss_krb5_enctype { | |||
64 | const u16 signalg; /* signing algorithm */ | 64 | const u16 signalg; /* signing algorithm */ |
65 | const u16 sealalg; /* sealing algorithm */ | 65 | const u16 sealalg; /* sealing algorithm */ |
66 | const u32 blocksize; /* encryption blocksize */ | 66 | const u32 blocksize; /* encryption blocksize */ |
67 | const u32 conflen; /* confounder length | ||
68 | (normally the same as | ||
69 | the blocksize) */ | ||
67 | const u32 cksumlength; /* checksum length */ | 70 | const u32 cksumlength; /* checksum length */ |
68 | const u32 keyed_cksum; /* is it a keyed cksum? */ | 71 | const u32 keyed_cksum; /* is it a keyed cksum? */ |
69 | const u32 keybytes; /* raw key len, in bytes */ | 72 | const u32 keybytes; /* raw key len, in bytes */ |
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index 33ae7023cf3a..ed4106a3daf2 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c | |||
@@ -554,9 +554,9 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, | |||
554 | 554 | ||
555 | /* hide the gss token header and insert the confounder */ | 555 | /* hide the gss token header and insert the confounder */ |
556 | offset += GSS_KRB5_TOK_HDR_LEN; | 556 | offset += GSS_KRB5_TOK_HDR_LEN; |
557 | if (xdr_extend_head(buf, offset, blocksize)) | 557 | if (xdr_extend_head(buf, offset, kctx->gk5e->conflen)) |
558 | return GSS_S_FAILURE; | 558 | return GSS_S_FAILURE; |
559 | gss_krb5_make_confounder(buf->head[0].iov_base + offset, blocksize); | 559 | gss_krb5_make_confounder(buf->head[0].iov_base + offset, kctx->gk5e->conflen); |
560 | offset -= GSS_KRB5_TOK_HDR_LEN; | 560 | offset -= GSS_KRB5_TOK_HDR_LEN; |
561 | 561 | ||
562 | if (buf->tail[0].iov_base != NULL) { | 562 | if (buf->tail[0].iov_base != NULL) { |
@@ -726,7 +726,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, | |||
726 | ret = GSS_S_BAD_SIG; | 726 | ret = GSS_S_BAD_SIG; |
727 | goto out_err; | 727 | goto out_err; |
728 | } | 728 | } |
729 | *headskip = crypto_blkcipher_blocksize(cipher); | 729 | *headskip = kctx->gk5e->conflen; |
730 | *tailskip = kctx->gk5e->cksumlength; | 730 | *tailskip = kctx->gk5e->cksumlength; |
731 | out_err: | 731 | out_err: |
732 | if (ret && ret != GSS_S_BAD_SIG) | 732 | if (ret && ret != GSS_S_BAD_SIG) |
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 893fad71e306..ef6b31349046 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c | |||
@@ -68,6 +68,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { | |||
68 | .keybytes = 7, | 68 | .keybytes = 7, |
69 | .keylength = 8, | 69 | .keylength = 8, |
70 | .blocksize = 8, | 70 | .blocksize = 8, |
71 | .conflen = 8, | ||
71 | .cksumlength = 8, | 72 | .cksumlength = 8, |
72 | .keyed_cksum = 0, | 73 | .keyed_cksum = 0, |
73 | }, | 74 | }, |
@@ -88,6 +89,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { | |||
88 | .keybytes = 21, | 89 | .keybytes = 21, |
89 | .keylength = 24, | 90 | .keylength = 24, |
90 | .blocksize = 8, | 91 | .blocksize = 8, |
92 | .conflen = 8, | ||
91 | .cksumlength = 20, | 93 | .cksumlength = 20, |
92 | .keyed_cksum = 1, | 94 | .keyed_cksum = 1, |
93 | }, | 95 | }, |
@@ -110,6 +112,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { | |||
110 | .keybytes = 16, | 112 | .keybytes = 16, |
111 | .keylength = 16, | 113 | .keylength = 16, |
112 | .blocksize = 16, | 114 | .blocksize = 16, |
115 | .conflen = 16, | ||
113 | .cksumlength = 12, | 116 | .cksumlength = 12, |
114 | .keyed_cksum = 1, | 117 | .keyed_cksum = 1, |
115 | }, | 118 | }, |
@@ -132,6 +135,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = { | |||
132 | .keybytes = 32, | 135 | .keybytes = 32, |
133 | .keylength = 32, | 136 | .keylength = 32, |
134 | .blocksize = 16, | 137 | .blocksize = 16, |
138 | .conflen = 16, | ||
135 | .cksumlength = 12, | 139 | .cksumlength = 12, |
136 | .keyed_cksum = 1, | 140 | .keyed_cksum = 1, |
137 | }, | 141 | }, |
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index a95e7e0ac0e3..383db891c835 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c | |||
@@ -168,6 +168,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, | |||
168 | struct page **tmp_pages; | 168 | struct page **tmp_pages; |
169 | u32 seq_send; | 169 | u32 seq_send; |
170 | u8 *cksumkey; | 170 | u8 *cksumkey; |
171 | u32 conflen = kctx->gk5e->conflen; | ||
171 | 172 | ||
172 | dprintk("RPC: %s\n", __func__); | 173 | dprintk("RPC: %s\n", __func__); |
173 | 174 | ||
@@ -176,7 +177,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, | |||
176 | blocksize = crypto_blkcipher_blocksize(kctx->enc); | 177 | blocksize = crypto_blkcipher_blocksize(kctx->enc); |
177 | gss_krb5_add_padding(buf, offset, blocksize); | 178 | gss_krb5_add_padding(buf, offset, blocksize); |
178 | BUG_ON((buf->len - offset) % blocksize); | 179 | BUG_ON((buf->len - offset) % blocksize); |
179 | plainlen = blocksize + buf->len - offset; | 180 | plainlen = conflen + buf->len - offset; |
180 | 181 | ||
181 | headlen = g_token_size(&kctx->mech_used, | 182 | headlen = g_token_size(&kctx->mech_used, |
182 | GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) - | 183 | GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) - |
@@ -204,7 +205,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, | |||
204 | memset(ptr + 4, 0xff, 4); | 205 | memset(ptr + 4, 0xff, 4); |
205 | *(__be16 *)(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg); | 206 | *(__be16 *)(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg); |
206 | 207 | ||
207 | gss_krb5_make_confounder(msg_start, blocksize); | 208 | gss_krb5_make_confounder(msg_start, conflen); |
208 | 209 | ||
209 | if (kctx->gk5e->keyed_cksum) | 210 | if (kctx->gk5e->keyed_cksum) |
210 | cksumkey = kctx->cksum; | 211 | cksumkey = kctx->cksum; |
@@ -214,7 +215,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, | |||
214 | /* XXXJBF: UGH!: */ | 215 | /* XXXJBF: UGH!: */ |
215 | tmp_pages = buf->pages; | 216 | tmp_pages = buf->pages; |
216 | buf->pages = pages; | 217 | buf->pages = pages; |
217 | if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize, | 218 | if (make_checksum(kctx, ptr, 8, buf, offset + headlen - conflen, |
218 | cksumkey, KG_USAGE_SEAL, &md5cksum)) | 219 | cksumkey, KG_USAGE_SEAL, &md5cksum)) |
219 | return GSS_S_FAILURE; | 220 | return GSS_S_FAILURE; |
220 | buf->pages = tmp_pages; | 221 | buf->pages = tmp_pages; |
@@ -231,7 +232,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, | |||
231 | seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8))) | 232 | seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8))) |
232 | return GSS_S_FAILURE; | 233 | return GSS_S_FAILURE; |
233 | 234 | ||
234 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, | 235 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - conflen, |
235 | pages)) | 236 | pages)) |
236 | return GSS_S_FAILURE; | 237 | return GSS_S_FAILURE; |
237 | 238 | ||
@@ -254,6 +255,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf) | |||
254 | void *data_start, *orig_start; | 255 | void *data_start, *orig_start; |
255 | int data_len; | 256 | int data_len; |
256 | int blocksize; | 257 | int blocksize; |
258 | u32 conflen = kctx->gk5e->conflen; | ||
257 | int crypt_offset; | 259 | int crypt_offset; |
258 | u8 *cksumkey; | 260 | u8 *cksumkey; |
259 | 261 | ||
@@ -327,7 +329,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf) | |||
327 | 329 | ||
328 | blocksize = crypto_blkcipher_blocksize(kctx->enc); | 330 | blocksize = crypto_blkcipher_blocksize(kctx->enc); |
329 | data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) + | 331 | data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) + |
330 | blocksize; | 332 | conflen; |
331 | orig_start = buf->head[0].iov_base + offset; | 333 | orig_start = buf->head[0].iov_base + offset; |
332 | data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start; | 334 | data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start; |
333 | memmove(orig_start, data_start, data_len); | 335 | memmove(orig_start, data_start, data_len); |