authorJ. Bruce Fields <bfields@fieldses.org>2006-12-04 20:22:35 -0500
committerTrond Myklebust <Trond.Myklebust@netapp.com>2006-12-06 10:46:44 -0500
commite678e06bf8fa25981a6fa1f08b979fd086d713f8 (patch)
tree1015c61bca28e960a62b52b5cc4045bcacebad6d
parentadeb8133dd57f380e70a389a89a2ea3ae227f9e2 (diff)
gss: krb5: remove signalg and sealalg
We designed the krb5 context import without completely understanding the context. Now it's clear that there are a number of fields that we ignore, or that we depend on having one single value. In particular, we only support one value of signalg currently; so let's check the signalg field in the downcall (in case we decide there's something else we could support here eventually), but ignore it otherwise. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--include/linux/sunrpc/gss_krb5.h1
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c5
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c34
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c30
4 files changed, 22 insertions, 48 deletions
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index e30ba201910a..f680ed3b1b5e 100644
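--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -44,7 +44,6 @@ struct krb5_ctx {
 int initiate; /* 1 = initiating, 0 = accepting */
 int seed_init;
 unsigned char seed[16];
-int signalg;
 int sealalg;
 struct crypto_blkcipher *enc;
 struct crypto_blkcipher *seq;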
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 754b8cd6439f..17587163fcae 100644
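--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -129,6 +129,7 @@ gss_import_sec_context_kerberos(const void *p,
 {
 const void *end = (const void *)((const char *)p + len);
 struct krb5_ctx *ctx;
+int tmp;
 
 if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL)))
 goto out_err;
@@ -142,9 +143,11 @@ gss_import_sec_context_kerberos(const void *p,
 p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed));
 if (IS_ERR(p))
 goto out_err_free_ctx;
-p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg));
+p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
 if (IS_ERR(p))
 goto out_err_free_ctx;
+if (tmp != SGN_ALG_DES_MAC_MD5)
+goto out_err_free_ctx;
 p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
 if (IS_ERR(p))
 goto out_err_free_ctx;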
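Review bot: The new `if (tmp != SGN_ALG_DES_MAC_MD5)` rejection in gss_import_sec_context_kerberos fails without any diagnostic, whereas the per-call checks this commit removes from gss_krb5_seal.c and gss_krb5_wrap.c reported the unsupported value through dprintk. Adding `dprintk("RPC: gss_import_sec_context_kerberos: signalg %d not supported\n", tmp);` before the goto would keep a downcall rejected for its algorithm distinguishable from a truncated one. Naming the local `signalg` instead of `tmp` would also make the check self-describing. The function body and the out_err_free_ctx label lie outside the hunks, so the error value returned on this path cannot be confirmed from here.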
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index dc58af0b8b4c..a496af585a08 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -88,15 +88,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
88 88
89 now = get_seconds(); 89 now = get_seconds();
90 90
91 switch (ctx->signalg) { 91 checksum_type = CKSUMTYPE_RSA_MD5;
92 case SGN_ALG_DES_MAC_MD5:
93 checksum_type = CKSUMTYPE_RSA_MD5;
94 break;
95 default:
96 dprintk("RPC: gss_krb5_seal: ctx->signalg %d not"
97 " supported\n", ctx->signalg);
98 goto out_err;
99 }
100 if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) { 92 if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) {
101 dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n", 93 dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n",
102 ctx->sealalg); 94 ctx->sealalg);
@@ -115,24 +107,18 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
115 krb5_hdr = ptr - 2; 107 krb5_hdr = ptr - 2;
116 msg_start = krb5_hdr + 24; 108 msg_start = krb5_hdr + 24;
117 109
118 *(__be16 *)(krb5_hdr + 2) = htons(ctx->signalg); 110 *(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
119 memset(krb5_hdr + 4, 0xff, 4); 111 memset(krb5_hdr + 4, 0xff, 4);
120 112
121 if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum)) 113 if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum))
122 goto out_err; 114 goto out_err;
123 115
124 switch (ctx->signalg) { 116 if (krb5_encrypt(ctx->seq, NULL, md5cksum.data,
125 case SGN_ALG_DES_MAC_MD5: 117 md5cksum.data, md5cksum.len))
126 if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, 118 goto out_err;
127 md5cksum.data, md5cksum.len)) 119 memcpy(krb5_hdr + 16,
128 goto out_err; 120 md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
129 memcpy(krb5_hdr + 16, 121 KRB5_CKSUM_LENGTH);
130 md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
131 KRB5_CKSUM_LENGTH);
132 break;
133 default:
134 BUG();
135 }
136 122
137 spin_lock(&krb5_seq_lock); 123 spin_lock(&krb5_seq_lock);
138 seq_send = ctx->seq_send++; 124 seq_send = ctx->seq_send++;
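Review bot: After this change `checksum_type` in gss_get_mic_kerberos is assigned a single constant and the token header is written from `htons(SGN_ALG_DES_MAC_MD5)`, so nothing at these sites says why the algorithm can be assumed; the same applies to the matching hunks of gss_wrap_kerberos in gss_krb5_wrap.c. A comment such as `/* signalg is checked once, at context import; DES-MAC-MD5 is the only value accepted */` above the assignment would record that the invariant now lives in gss_import_sec_context_kerberos. The local could then be dropped by passing `CKSUMTYPE_RSA_MD5` straight to make_checksum, provided no use outside the hunks needs it. Both functions start and end outside the hunks shown.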
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index ad243872f547..eee49f4c4c6a 100644
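--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -134,15 +134,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 
 now = get_seconds();
 
-switch (kctx->signalg) {
-case SGN_ALG_DES_MAC_MD5:
-checksum_type = CKSUMTYPE_RSA_MD5;
-break;
-default:
-dprintk("RPC: gss_krb5_seal: kctx->signalg %d not"
-" supported\n", kctx->signalg);
-goto out_err;
-}
+checksum_type = CKSUMTYPE_RSA_MD5;
 if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
 dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n",
 kctx->sealalg);
@@ -177,7 +169,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 msg_start = krb5_hdr + 24;
 /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize);
 
-*(__be16 *)(krb5_hdr + 2) = htons(kctx->signalg);
+*(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
 memset(krb5_hdr + 4, 0xff, 4);
 *(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
 
@@ -191,18 +183,12 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 goto out_err;
 buf->pages = tmp_pages;
 
-switch (kctx->signalg) {
-case SGN_ALG_DES_MAC_MD5:
-if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
-md5cksum.data, md5cksum.len))
-goto out_err;
-memcpy(krb5_hdr + 16,
-md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
-KRB5_CKSUM_LENGTH);
-break;
-default:
-BUG();
-}
+if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+md5cksum.data, md5cksum.len))
+goto out_err;
+memcpy(krb5_hdr + 16,
+md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
+KRB5_CKSUM_LENGTH);
 
 spin_lock(&krb5_seq_lock);
 seq_send = kctx->seq_send++;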