diff options
author | J. Bruce Fields <bfields@fieldses.org> | 2006-03-20 23:24:04 -0500 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2006-03-20 23:24:04 -0500 |
commit | eaa82edf20d738a7ae31f4b0a5f72f64c14a58df (patch) | |
tree | 57c3244912dc5d15ca7a738ba7358bbd2616b1d9 /net/sunrpc/auth_gss | |
parent | 096455a22acac06fb6d0d75f276170ab72d55ba6 (diff) |
SUNRPC,RPCSEC_GSS: fix krb5 sequence numbers.
Use a spinlock to ensure unique sequence numbers when creating krb5 gss tokens.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_seal.c | 11 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 9 |
2 files changed, 14 insertions, 6 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index 58f9721980e2..f43311221a72 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c | |||
@@ -70,6 +70,8 @@ | |||
70 | # define RPCDBG_FACILITY RPCDBG_AUTH | 70 | # define RPCDBG_FACILITY RPCDBG_AUTH |
71 | #endif | 71 | #endif |
72 | 72 | ||
73 | spinlock_t krb5_seq_lock = SPIN_LOCK_UNLOCKED; | ||
74 | |||
73 | u32 | 75 | u32 |
74 | gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | 76 | gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, |
75 | struct xdr_netobj *token) | 77 | struct xdr_netobj *token) |
@@ -80,6 +82,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
80 | struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata}; | 82 | struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata}; |
81 | unsigned char *ptr, *krb5_hdr, *msg_start; | 83 | unsigned char *ptr, *krb5_hdr, *msg_start; |
82 | s32 now; | 84 | s32 now; |
85 | u32 seq_send; | ||
83 | 86 | ||
84 | dprintk("RPC: gss_krb5_seal\n"); | 87 | dprintk("RPC: gss_krb5_seal\n"); |
85 | 88 | ||
@@ -134,12 +137,14 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
134 | BUG(); | 137 | BUG(); |
135 | } | 138 | } |
136 | 139 | ||
140 | spin_lock(&krb5_seq_lock); | ||
141 | seq_send = ctx->seq_send++; | ||
142 | spin_unlock(&krb5_seq_lock); | ||
143 | |||
137 | if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff, | 144 | if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff, |
138 | ctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) | 145 | seq_send, krb5_hdr + 16, krb5_hdr + 8))) |
139 | goto out_err; | 146 | goto out_err; |
140 | 147 | ||
141 | ctx->seq_send++; | ||
142 | |||
143 | return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); | 148 | return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); |
144 | out_err: | 149 | out_err: |
145 | return GSS_S_FAILURE; | 150 | return GSS_S_FAILURE; |
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index 346133e446cb..89d1f3e14128 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c | |||
@@ -128,6 +128,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
128 | s32 now; | 128 | s32 now; |
129 | int headlen; | 129 | int headlen; |
130 | struct page **tmp_pages; | 130 | struct page **tmp_pages; |
131 | u32 seq_send; | ||
131 | 132 | ||
132 | dprintk("RPC: gss_wrap_kerberos\n"); | 133 | dprintk("RPC: gss_wrap_kerberos\n"); |
133 | 134 | ||
@@ -206,18 +207,20 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
206 | BUG(); | 207 | BUG(); |
207 | } | 208 | } |
208 | 209 | ||
210 | spin_lock(&krb5_seq_lock); | ||
211 | seq_send = kctx->seq_send++; | ||
212 | spin_unlock(&krb5_seq_lock); | ||
213 | |||
209 | /* XXX would probably be more efficient to compute checksum | 214 | /* XXX would probably be more efficient to compute checksum |
210 | * and encrypt at the same time: */ | 215 | * and encrypt at the same time: */ |
211 | if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, | 216 | if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, |
212 | kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) | 217 | seq_send, krb5_hdr + 16, krb5_hdr + 8))) |
213 | goto out_err; | 218 | goto out_err; |
214 | 219 | ||
215 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, | 220 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, |
216 | pages)) | 221 | pages)) |
217 | goto out_err; | 222 | goto out_err; |
218 | 223 | ||
219 | kctx->seq_send++; | ||
220 | |||
221 | return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); | 224 | return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); |
222 | out_err: | 225 | out_err: |
223 | return GSS_S_FAILURE; | 226 | return GSS_S_FAILURE; |