aboutsummaryrefslogtreecommitdiffstats
path: root/net/sunrpc/auth_gss
diff options
context:
space:
mode:
authorKevin Coffman <kwc@citi.umich.edu>2010-03-17 13:03:05 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2010-05-14 15:09:20 -0400
commit5af46547ec451918f3ba51efe59b317d33adf701 (patch)
tree0878529858a5ded9224e633dd13b431e6b69e28c /net/sunrpc/auth_gss
parent1dbd9029f3024d058da1cf6c6658c28aac2e4e1c (diff)
gss_krb5: Use confounder length in wrap code
All encryption types use a confounder at the beginning of the wrap token. In all encryption types except arcfour-hmac, the confounder is the same as the blocksize. arcfour-hmac has a blocksize of one, but uses an eight byte confounder. Add an entry to the crypto framework definitions for the confounder length and change the wrap/unwrap code to use the confounder length rather than assuming it is always the blocksize. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_crypto.c6
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c4
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c12
3 files changed, 14 insertions, 8 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 33ae7023cf3a..ed4106a3daf2 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -554,9 +554,9 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
554 554
555 /* hide the gss token header and insert the confounder */ 555 /* hide the gss token header and insert the confounder */
556 offset += GSS_KRB5_TOK_HDR_LEN; 556 offset += GSS_KRB5_TOK_HDR_LEN;
557 if (xdr_extend_head(buf, offset, blocksize)) 557 if (xdr_extend_head(buf, offset, kctx->gk5e->conflen))
558 return GSS_S_FAILURE; 558 return GSS_S_FAILURE;
559 gss_krb5_make_confounder(buf->head[0].iov_base + offset, blocksize); 559 gss_krb5_make_confounder(buf->head[0].iov_base + offset, kctx->gk5e->conflen);
560 offset -= GSS_KRB5_TOK_HDR_LEN; 560 offset -= GSS_KRB5_TOK_HDR_LEN;
561 561
562 if (buf->tail[0].iov_base != NULL) { 562 if (buf->tail[0].iov_base != NULL) {
@@ -726,7 +726,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
726 ret = GSS_S_BAD_SIG; 726 ret = GSS_S_BAD_SIG;
727 goto out_err; 727 goto out_err;
728 } 728 }
729 *headskip = crypto_blkcipher_blocksize(cipher); 729 *headskip = kctx->gk5e->conflen;
730 *tailskip = kctx->gk5e->cksumlength; 730 *tailskip = kctx->gk5e->cksumlength;
731out_err: 731out_err:
732 if (ret && ret != GSS_S_BAD_SIG) 732 if (ret && ret != GSS_S_BAD_SIG)
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 893fad71e306..ef6b31349046 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -68,6 +68,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
68 .keybytes = 7, 68 .keybytes = 7,
69 .keylength = 8, 69 .keylength = 8,
70 .blocksize = 8, 70 .blocksize = 8,
71 .conflen = 8,
71 .cksumlength = 8, 72 .cksumlength = 8,
72 .keyed_cksum = 0, 73 .keyed_cksum = 0,
73 }, 74 },
@@ -88,6 +89,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
88 .keybytes = 21, 89 .keybytes = 21,
89 .keylength = 24, 90 .keylength = 24,
90 .blocksize = 8, 91 .blocksize = 8,
92 .conflen = 8,
91 .cksumlength = 20, 93 .cksumlength = 20,
92 .keyed_cksum = 1, 94 .keyed_cksum = 1,
93 }, 95 },
@@ -110,6 +112,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
110 .keybytes = 16, 112 .keybytes = 16,
111 .keylength = 16, 113 .keylength = 16,
112 .blocksize = 16, 114 .blocksize = 16,
115 .conflen = 16,
113 .cksumlength = 12, 116 .cksumlength = 12,
114 .keyed_cksum = 1, 117 .keyed_cksum = 1,
115 }, 118 },
@@ -132,6 +135,7 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
132 .keybytes = 32, 135 .keybytes = 32,
133 .keylength = 32, 136 .keylength = 32,
134 .blocksize = 16, 137 .blocksize = 16,
138 .conflen = 16,
135 .cksumlength = 12, 139 .cksumlength = 12,
136 .keyed_cksum = 1, 140 .keyed_cksum = 1,
137 }, 141 },
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index a95e7e0ac0e3..383db891c835 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -168,6 +168,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
168 struct page **tmp_pages; 168 struct page **tmp_pages;
169 u32 seq_send; 169 u32 seq_send;
170 u8 *cksumkey; 170 u8 *cksumkey;
171 u32 conflen = kctx->gk5e->conflen;
171 172
172 dprintk("RPC: %s\n", __func__); 173 dprintk("RPC: %s\n", __func__);
173 174
@@ -176,7 +177,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
176 blocksize = crypto_blkcipher_blocksize(kctx->enc); 177 blocksize = crypto_blkcipher_blocksize(kctx->enc);
177 gss_krb5_add_padding(buf, offset, blocksize); 178 gss_krb5_add_padding(buf, offset, blocksize);
178 BUG_ON((buf->len - offset) % blocksize); 179 BUG_ON((buf->len - offset) % blocksize);
179 plainlen = blocksize + buf->len - offset; 180 plainlen = conflen + buf->len - offset;
180 181
181 headlen = g_token_size(&kctx->mech_used, 182 headlen = g_token_size(&kctx->mech_used,
182 GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) - 183 GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) -
@@ -204,7 +205,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
204 memset(ptr + 4, 0xff, 4); 205 memset(ptr + 4, 0xff, 4);
205 *(__be16 *)(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg); 206 *(__be16 *)(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg);
206 207
207 gss_krb5_make_confounder(msg_start, blocksize); 208 gss_krb5_make_confounder(msg_start, conflen);
208 209
209 if (kctx->gk5e->keyed_cksum) 210 if (kctx->gk5e->keyed_cksum)
210 cksumkey = kctx->cksum; 211 cksumkey = kctx->cksum;
@@ -214,7 +215,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
214 /* XXXJBF: UGH!: */ 215 /* XXXJBF: UGH!: */
215 tmp_pages = buf->pages; 216 tmp_pages = buf->pages;
216 buf->pages = pages; 217 buf->pages = pages;
217 if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize, 218 if (make_checksum(kctx, ptr, 8, buf, offset + headlen - conflen,
218 cksumkey, KG_USAGE_SEAL, &md5cksum)) 219 cksumkey, KG_USAGE_SEAL, &md5cksum))
219 return GSS_S_FAILURE; 220 return GSS_S_FAILURE;
220 buf->pages = tmp_pages; 221 buf->pages = tmp_pages;
@@ -231,7 +232,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
231 seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8))) 232 seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8)))
232 return GSS_S_FAILURE; 233 return GSS_S_FAILURE;
233 234
234 if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, 235 if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - conflen,
235 pages)) 236 pages))
236 return GSS_S_FAILURE; 237 return GSS_S_FAILURE;
237 238
@@ -254,6 +255,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
254 void *data_start, *orig_start; 255 void *data_start, *orig_start;
255 int data_len; 256 int data_len;
256 int blocksize; 257 int blocksize;
258 u32 conflen = kctx->gk5e->conflen;
257 int crypt_offset; 259 int crypt_offset;
258 u8 *cksumkey; 260 u8 *cksumkey;
259 261
@@ -327,7 +329,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
327 329
328 blocksize = crypto_blkcipher_blocksize(kctx->enc); 330 blocksize = crypto_blkcipher_blocksize(kctx->enc);
329 data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) + 331 data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) +
330 blocksize; 332 conflen;
331 orig_start = buf->head[0].iov_base + offset; 333 orig_start = buf->head[0].iov_base + offset;
332 data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start; 334 data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
333 memmove(orig_start, data_start, data_len); 335 memmove(orig_start, data_start, data_len);