aboutsummaryrefslogtreecommitdiffstats
path: root/net/sunrpc/auth_gss
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@fieldses.org>2006-03-20 23:24:04 -0500
committerTrond Myklebust <Trond.Myklebust@netapp.com>2006-03-20 23:24:04 -0500
commiteaa82edf20d738a7ae31f4b0a5f72f64c14a58df (patch)
tree57c3244912dc5d15ca7a738ba7358bbd2616b1d9 /net/sunrpc/auth_gss
parent096455a22acac06fb6d0d75f276170ab72d55ba6 (diff)
SUNRPC,RPCSEC_GSS: fix krb5 sequence numbers.
Use a spinlock to ensure unique sequence numbers when creating krb5 gss tokens. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c11
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c9
2 files changed, 14 insertions, 6 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index 58f9721980e2..f43311221a72 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -70,6 +70,8 @@
70# define RPCDBG_FACILITY RPCDBG_AUTH 70# define RPCDBG_FACILITY RPCDBG_AUTH
71#endif 71#endif
72 72
73spinlock_t krb5_seq_lock = SPIN_LOCK_UNLOCKED;
74
73u32 75u32
74gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, 76gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
75 struct xdr_netobj *token) 77 struct xdr_netobj *token)
@@ -80,6 +82,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
80 struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata}; 82 struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
81 unsigned char *ptr, *krb5_hdr, *msg_start; 83 unsigned char *ptr, *krb5_hdr, *msg_start;
82 s32 now; 84 s32 now;
85 u32 seq_send;
83 86
84 dprintk("RPC: gss_krb5_seal\n"); 87 dprintk("RPC: gss_krb5_seal\n");
85 88
@@ -134,12 +137,14 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
134 BUG(); 137 BUG();
135 } 138 }
136 139
140 spin_lock(&krb5_seq_lock);
141 seq_send = ctx->seq_send++;
142 spin_unlock(&krb5_seq_lock);
143
137 if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff, 144 if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff,
138 ctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) 145 seq_send, krb5_hdr + 16, krb5_hdr + 8)))
139 goto out_err; 146 goto out_err;
140 147
141 ctx->seq_send++;
142
143 return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); 148 return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
144out_err: 149out_err:
145 return GSS_S_FAILURE; 150 return GSS_S_FAILURE;
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index 346133e446cb..89d1f3e14128 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -128,6 +128,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
128 s32 now; 128 s32 now;
129 int headlen; 129 int headlen;
130 struct page **tmp_pages; 130 struct page **tmp_pages;
131 u32 seq_send;
131 132
132 dprintk("RPC: gss_wrap_kerberos\n"); 133 dprintk("RPC: gss_wrap_kerberos\n");
133 134
@@ -206,18 +207,20 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
206 BUG(); 207 BUG();
207 } 208 }
208 209
210 spin_lock(&krb5_seq_lock);
211 seq_send = kctx->seq_send++;
212 spin_unlock(&krb5_seq_lock);
213
209 /* XXX would probably be more efficient to compute checksum 214 /* XXX would probably be more efficient to compute checksum
210 * and encrypt at the same time: */ 215 * and encrypt at the same time: */
211 if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, 216 if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
212 kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) 217 seq_send, krb5_hdr + 16, krb5_hdr + 8)))
213 goto out_err; 218 goto out_err;
214 219
215 if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, 220 if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
216 pages)) 221 pages))
217 goto out_err; 222 goto out_err;
218 223
219 kctx->seq_send++;
220
221 return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); 224 return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
222out_err: 225out_err:
223 return GSS_S_FAILURE; 226 return GSS_S_FAILURE;