aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKevin Coffman <kwc@citi.umich.edu>2010-03-17 13:03:02 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2010-05-14 15:09:19 -0400
commit8b23707612cffdba694dcd18aa8a018918aa86dc (patch)
tree3dd484658768c0a710b252a674c697124380b223
parentbf6d359c508cf83401c942262a9749752598394d (diff)
gssd_krb5: arcfour-hmac support
For arcfour-hmac support, the make_checksum function needs a usage field to correctly calculate the checksum differently for MIC and WRAP tokens. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--include/linux/sunrpc/gss_krb5.h4
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_crypto.c15
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c13
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c12
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c4
5 files changed, 32 insertions, 16 deletions
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index 43148ec9a46c..633f41f11a40 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -235,12 +235,12 @@ enum seal_alg {
235u32 235u32
236make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, 236make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
237 struct xdr_buf *body, int body_offset, u8 *cksumkey, 237 struct xdr_buf *body, int body_offset, u8 *cksumkey,
238 struct xdr_netobj *cksumout); 238 unsigned int usage, struct xdr_netobj *cksumout);
239 239
240u32 240u32
241make_checksum_v2(struct krb5_ctx *, char *header, int hdrlen, 241make_checksum_v2(struct krb5_ctx *, char *header, int hdrlen,
242 struct xdr_buf *body, int body_offset, u8 *key, 242 struct xdr_buf *body, int body_offset, u8 *key,
243 struct xdr_netobj *cksum); 243 unsigned int usage, struct xdr_netobj *cksum);
244 244
245u32 gss_get_mic_kerberos(struct gss_ctx *, struct xdr_buf *, 245u32 gss_get_mic_kerberos(struct gss_ctx *, struct xdr_buf *,
246 struct xdr_netobj *); 246 struct xdr_netobj *);
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 967484a914f3..33ae7023cf3a 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -132,7 +132,7 @@ checksummer(struct scatterlist *sg, void *data)
132u32 132u32
133make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, 133make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
134 struct xdr_buf *body, int body_offset, u8 *cksumkey, 134 struct xdr_buf *body, int body_offset, u8 *cksumkey,
135 struct xdr_netobj *cksumout) 135 unsigned int usage, struct xdr_netobj *cksumout)
136{ 136{
137 struct hash_desc desc; 137 struct hash_desc desc;
138 struct scatterlist sg[1]; 138 struct scatterlist sg[1];
@@ -208,7 +208,7 @@ out:
208u32 208u32
209make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen, 209make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen,
210 struct xdr_buf *body, int body_offset, u8 *cksumkey, 210 struct xdr_buf *body, int body_offset, u8 *cksumkey,
211 struct xdr_netobj *cksumout) 211 unsigned int usage, struct xdr_netobj *cksumout)
212{ 212{
213 struct hash_desc desc; 213 struct hash_desc desc;
214 struct scatterlist sg[1]; 214 struct scatterlist sg[1];
@@ -537,15 +537,18 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
537 int nblocks, nbytes; 537 int nblocks, nbytes;
538 struct encryptor_desc desc; 538 struct encryptor_desc desc;
539 u32 cbcbytes; 539 u32 cbcbytes;
540 unsigned int usage;
540 541
541 if (kctx->initiate) { 542 if (kctx->initiate) {
542 cipher = kctx->initiator_enc; 543 cipher = kctx->initiator_enc;
543 aux_cipher = kctx->initiator_enc_aux; 544 aux_cipher = kctx->initiator_enc_aux;
544 cksumkey = kctx->initiator_integ; 545 cksumkey = kctx->initiator_integ;
546 usage = KG_USAGE_INITIATOR_SEAL;
545 } else { 547 } else {
546 cipher = kctx->acceptor_enc; 548 cipher = kctx->acceptor_enc;
547 aux_cipher = kctx->acceptor_enc_aux; 549 aux_cipher = kctx->acceptor_enc_aux;
548 cksumkey = kctx->acceptor_integ; 550 cksumkey = kctx->acceptor_integ;
551 usage = KG_USAGE_ACCEPTOR_SEAL;
549 } 552 }
550 blocksize = crypto_blkcipher_blocksize(cipher); 553 blocksize = crypto_blkcipher_blocksize(cipher);
551 554
@@ -590,7 +593,8 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
590 buf->pages = pages; 593 buf->pages = pages;
591 594
592 err = make_checksum_v2(kctx, NULL, 0, buf, 595 err = make_checksum_v2(kctx, NULL, 0, buf,
593 offset + GSS_KRB5_TOK_HDR_LEN, cksumkey, &hmac); 596 offset + GSS_KRB5_TOK_HDR_LEN,
597 cksumkey, usage, &hmac);
594 buf->pages = save_pages; 598 buf->pages = save_pages;
595 if (err) 599 if (err)
596 return GSS_S_FAILURE; 600 return GSS_S_FAILURE;
@@ -654,15 +658,18 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
654 u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN]; 658 u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
655 int nblocks, blocksize, cbcbytes; 659 int nblocks, blocksize, cbcbytes;
656 struct decryptor_desc desc; 660 struct decryptor_desc desc;
661 unsigned int usage;
657 662
658 if (kctx->initiate) { 663 if (kctx->initiate) {
659 cipher = kctx->acceptor_enc; 664 cipher = kctx->acceptor_enc;
660 aux_cipher = kctx->acceptor_enc_aux; 665 aux_cipher = kctx->acceptor_enc_aux;
661 cksum_key = kctx->acceptor_integ; 666 cksum_key = kctx->acceptor_integ;
667 usage = KG_USAGE_ACCEPTOR_SEAL;
662 } else { 668 } else {
663 cipher = kctx->initiator_enc; 669 cipher = kctx->initiator_enc;
664 aux_cipher = kctx->initiator_enc_aux; 670 aux_cipher = kctx->initiator_enc_aux;
665 cksum_key = kctx->initiator_integ; 671 cksum_key = kctx->initiator_integ;
672 usage = KG_USAGE_INITIATOR_SEAL;
666 } 673 }
667 blocksize = crypto_blkcipher_blocksize(cipher); 674 blocksize = crypto_blkcipher_blocksize(cipher);
668 675
@@ -705,7 +712,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
705 our_hmac_obj.data = our_hmac; 712 our_hmac_obj.data = our_hmac;
706 713
707 ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0, 714 ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0,
708 cksum_key, &our_hmac_obj); 715 cksum_key, usage, &our_hmac_obj);
709 if (ret) 716 if (ret)
710 goto out_err; 717 goto out_err;
711 718
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index 477a546d19bb..e22fed3d9a1b 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -142,7 +142,8 @@ gss_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text,
142 else 142 else
143 cksumkey = NULL; 143 cksumkey = NULL;
144 144
145 if (make_checksum(ctx, ptr, 8, text, 0, cksumkey, &md5cksum)) 145 if (make_checksum(ctx, ptr, 8, text, 0, cksumkey,
146 KG_USAGE_SIGN, &md5cksum))
146 return GSS_S_FAILURE; 147 return GSS_S_FAILURE;
147 148
148 memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len); 149 memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len);
@@ -170,6 +171,7 @@ gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
170 s32 now; 171 s32 now;
171 u64 seq_send; 172 u64 seq_send;
172 u8 *cksumkey; 173 u8 *cksumkey;
174 unsigned int cksum_usage;
173 175
174 dprintk("RPC: %s\n", __func__); 176 dprintk("RPC: %s\n", __func__);
175 177
@@ -182,13 +184,16 @@ gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
182 spin_unlock(&krb5_seq_lock); 184 spin_unlock(&krb5_seq_lock);
183 *((u64 *)(krb5_hdr + 8)) = cpu_to_be64(seq_send); 185 *((u64 *)(krb5_hdr + 8)) = cpu_to_be64(seq_send);
184 186
185 if (ctx->initiate) 187 if (ctx->initiate) {
186 cksumkey = ctx->initiator_sign; 188 cksumkey = ctx->initiator_sign;
187 else 189 cksum_usage = KG_USAGE_INITIATOR_SIGN;
190 } else {
188 cksumkey = ctx->acceptor_sign; 191 cksumkey = ctx->acceptor_sign;
192 cksum_usage = KG_USAGE_ACCEPTOR_SIGN;
193 }
189 194
190 if (make_checksum_v2(ctx, krb5_hdr, GSS_KRB5_TOK_HDR_LEN, 195 if (make_checksum_v2(ctx, krb5_hdr, GSS_KRB5_TOK_HDR_LEN,
191 text, 0, cksumkey, &cksumobj)) 196 text, 0, cksumkey, cksum_usage, &cksumobj))
192 return GSS_S_FAILURE; 197 return GSS_S_FAILURE;
193 198
194 memcpy(krb5_hdr + GSS_KRB5_TOK_HDR_LEN, cksumobj.data, cksumobj.len); 199 memcpy(krb5_hdr + GSS_KRB5_TOK_HDR_LEN, cksumobj.data, cksumobj.len);
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 4ede4cc4391f..ef91366e3dea 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -115,7 +115,7 @@ gss_verify_mic_v1(struct krb5_ctx *ctx,
115 cksumkey = NULL; 115 cksumkey = NULL;
116 116
117 if (make_checksum(ctx, ptr, 8, message_buffer, 0, 117 if (make_checksum(ctx, ptr, 8, message_buffer, 0,
118 cksumkey, &md5cksum)) 118 cksumkey, KG_USAGE_SIGN, &md5cksum))
119 return GSS_S_FAILURE; 119 return GSS_S_FAILURE;
120 120
121 if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN, 121 if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,
@@ -154,6 +154,7 @@ gss_verify_mic_v2(struct krb5_ctx *ctx,
154 u8 *cksumkey; 154 u8 *cksumkey;
155 u8 flags; 155 u8 flags;
156 int i; 156 int i;
157 unsigned int cksum_usage;
157 158
158 dprintk("RPC: %s\n", __func__); 159 dprintk("RPC: %s\n", __func__);
159 160
@@ -174,13 +175,16 @@ gss_verify_mic_v2(struct krb5_ctx *ctx,
174 if (ptr[i] != 0xff) 175 if (ptr[i] != 0xff)
175 return GSS_S_DEFECTIVE_TOKEN; 176 return GSS_S_DEFECTIVE_TOKEN;
176 177
177 if (ctx->initiate) 178 if (ctx->initiate) {
178 cksumkey = ctx->acceptor_sign; 179 cksumkey = ctx->acceptor_sign;
179 else 180 cksum_usage = KG_USAGE_ACCEPTOR_SIGN;
181 } else {
180 cksumkey = ctx->initiator_sign; 182 cksumkey = ctx->initiator_sign;
183 cksum_usage = KG_USAGE_INITIATOR_SIGN;
184 }
181 185
182 if (make_checksum_v2(ctx, ptr, GSS_KRB5_TOK_HDR_LEN, message_buffer, 0, 186 if (make_checksum_v2(ctx, ptr, GSS_KRB5_TOK_HDR_LEN, message_buffer, 0,
183 cksumkey, &cksumobj)) 187 cksumkey, cksum_usage, &cksumobj))
184 return GSS_S_FAILURE; 188 return GSS_S_FAILURE;
185 189
186 if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN, 190 if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN,
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index a1a3585fa761..097cc27494cc 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -215,7 +215,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
215 tmp_pages = buf->pages; 215 tmp_pages = buf->pages;
216 buf->pages = pages; 216 buf->pages = pages;
217 if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize, 217 if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize,
218 cksumkey, &md5cksum)) 218 cksumkey, KG_USAGE_SEAL, &md5cksum))
219 return GSS_S_FAILURE; 219 return GSS_S_FAILURE;
220 buf->pages = tmp_pages; 220 buf->pages = tmp_pages;
221 221
@@ -298,7 +298,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
298 cksumkey = NULL; 298 cksumkey = NULL;
299 299
300 if (make_checksum(kctx, ptr, 8, buf, crypt_offset, 300 if (make_checksum(kctx, ptr, 8, buf, crypt_offset,
301 cksumkey, &md5cksum)) 301 cksumkey, KG_USAGE_SEAL, &md5cksum))
302 return GSS_S_FAILURE; 302 return GSS_S_FAILURE;
303 303
304 if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN, 304 if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,