diff options
author | Kevin Coffman <kwc@citi.umich.edu> | 2010-03-17 13:03:02 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2010-05-14 15:09:19 -0400 |
commit | 8b23707612cffdba694dcd18aa8a018918aa86dc (patch) | |
tree | 3dd484658768c0a710b252a674c697124380b223 /net/sunrpc/auth_gss | |
parent | bf6d359c508cf83401c942262a9749752598394d (diff) |
gssd_krb5: arcfour-hmac support
For arcfour-hmac support, the make_checksum function needs a usage
field to correctly calculate the checksum differently for MIC and
WRAP tokens.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_crypto.c | 15 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_seal.c | 13 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_unseal.c | 12 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 4 |
4 files changed, 30 insertions, 14 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c index 967484a914f3..33ae7023cf3a 100644 --- a/net/sunrpc/auth_gss/gss_krb5_crypto.c +++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c | |||
@@ -132,7 +132,7 @@ checksummer(struct scatterlist *sg, void *data) | |||
132 | u32 | 132 | u32 |
133 | make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, | 133 | make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen, |
134 | struct xdr_buf *body, int body_offset, u8 *cksumkey, | 134 | struct xdr_buf *body, int body_offset, u8 *cksumkey, |
135 | struct xdr_netobj *cksumout) | 135 | unsigned int usage, struct xdr_netobj *cksumout) |
136 | { | 136 | { |
137 | struct hash_desc desc; | 137 | struct hash_desc desc; |
138 | struct scatterlist sg[1]; | 138 | struct scatterlist sg[1]; |
@@ -208,7 +208,7 @@ out: | |||
208 | u32 | 208 | u32 |
209 | make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen, | 209 | make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen, |
210 | struct xdr_buf *body, int body_offset, u8 *cksumkey, | 210 | struct xdr_buf *body, int body_offset, u8 *cksumkey, |
211 | struct xdr_netobj *cksumout) | 211 | unsigned int usage, struct xdr_netobj *cksumout) |
212 | { | 212 | { |
213 | struct hash_desc desc; | 213 | struct hash_desc desc; |
214 | struct scatterlist sg[1]; | 214 | struct scatterlist sg[1]; |
@@ -537,15 +537,18 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, | |||
537 | int nblocks, nbytes; | 537 | int nblocks, nbytes; |
538 | struct encryptor_desc desc; | 538 | struct encryptor_desc desc; |
539 | u32 cbcbytes; | 539 | u32 cbcbytes; |
540 | unsigned int usage; | ||
540 | 541 | ||
541 | if (kctx->initiate) { | 542 | if (kctx->initiate) { |
542 | cipher = kctx->initiator_enc; | 543 | cipher = kctx->initiator_enc; |
543 | aux_cipher = kctx->initiator_enc_aux; | 544 | aux_cipher = kctx->initiator_enc_aux; |
544 | cksumkey = kctx->initiator_integ; | 545 | cksumkey = kctx->initiator_integ; |
546 | usage = KG_USAGE_INITIATOR_SEAL; | ||
545 | } else { | 547 | } else { |
546 | cipher = kctx->acceptor_enc; | 548 | cipher = kctx->acceptor_enc; |
547 | aux_cipher = kctx->acceptor_enc_aux; | 549 | aux_cipher = kctx->acceptor_enc_aux; |
548 | cksumkey = kctx->acceptor_integ; | 550 | cksumkey = kctx->acceptor_integ; |
551 | usage = KG_USAGE_ACCEPTOR_SEAL; | ||
549 | } | 552 | } |
550 | blocksize = crypto_blkcipher_blocksize(cipher); | 553 | blocksize = crypto_blkcipher_blocksize(cipher); |
551 | 554 | ||
@@ -590,7 +593,8 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, | |||
590 | buf->pages = pages; | 593 | buf->pages = pages; |
591 | 594 | ||
592 | err = make_checksum_v2(kctx, NULL, 0, buf, | 595 | err = make_checksum_v2(kctx, NULL, 0, buf, |
593 | offset + GSS_KRB5_TOK_HDR_LEN, cksumkey, &hmac); | 596 | offset + GSS_KRB5_TOK_HDR_LEN, |
597 | cksumkey, usage, &hmac); | ||
594 | buf->pages = save_pages; | 598 | buf->pages = save_pages; |
595 | if (err) | 599 | if (err) |
596 | return GSS_S_FAILURE; | 600 | return GSS_S_FAILURE; |
@@ -654,15 +658,18 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, | |||
654 | u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN]; | 658 | u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN]; |
655 | int nblocks, blocksize, cbcbytes; | 659 | int nblocks, blocksize, cbcbytes; |
656 | struct decryptor_desc desc; | 660 | struct decryptor_desc desc; |
661 | unsigned int usage; | ||
657 | 662 | ||
658 | if (kctx->initiate) { | 663 | if (kctx->initiate) { |
659 | cipher = kctx->acceptor_enc; | 664 | cipher = kctx->acceptor_enc; |
660 | aux_cipher = kctx->acceptor_enc_aux; | 665 | aux_cipher = kctx->acceptor_enc_aux; |
661 | cksum_key = kctx->acceptor_integ; | 666 | cksum_key = kctx->acceptor_integ; |
667 | usage = KG_USAGE_ACCEPTOR_SEAL; | ||
662 | } else { | 668 | } else { |
663 | cipher = kctx->initiator_enc; | 669 | cipher = kctx->initiator_enc; |
664 | aux_cipher = kctx->initiator_enc_aux; | 670 | aux_cipher = kctx->initiator_enc_aux; |
665 | cksum_key = kctx->initiator_integ; | 671 | cksum_key = kctx->initiator_integ; |
672 | usage = KG_USAGE_INITIATOR_SEAL; | ||
666 | } | 673 | } |
667 | blocksize = crypto_blkcipher_blocksize(cipher); | 674 | blocksize = crypto_blkcipher_blocksize(cipher); |
668 | 675 | ||
@@ -705,7 +712,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, | |||
705 | our_hmac_obj.data = our_hmac; | 712 | our_hmac_obj.data = our_hmac; |
706 | 713 | ||
707 | ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0, | 714 | ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0, |
708 | cksum_key, &our_hmac_obj); | 715 | cksum_key, usage, &our_hmac_obj); |
709 | if (ret) | 716 | if (ret) |
710 | goto out_err; | 717 | goto out_err; |
711 | 718 | ||
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index 477a546d19bb..e22fed3d9a1b 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c | |||
@@ -142,7 +142,8 @@ gss_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text, | |||
142 | else | 142 | else |
143 | cksumkey = NULL; | 143 | cksumkey = NULL; |
144 | 144 | ||
145 | if (make_checksum(ctx, ptr, 8, text, 0, cksumkey, &md5cksum)) | 145 | if (make_checksum(ctx, ptr, 8, text, 0, cksumkey, |
146 | KG_USAGE_SIGN, &md5cksum)) | ||
146 | return GSS_S_FAILURE; | 147 | return GSS_S_FAILURE; |
147 | 148 | ||
148 | memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len); | 149 | memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len); |
@@ -170,6 +171,7 @@ gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text, | |||
170 | s32 now; | 171 | s32 now; |
171 | u64 seq_send; | 172 | u64 seq_send; |
172 | u8 *cksumkey; | 173 | u8 *cksumkey; |
174 | unsigned int cksum_usage; | ||
173 | 175 | ||
174 | dprintk("RPC: %s\n", __func__); | 176 | dprintk("RPC: %s\n", __func__); |
175 | 177 | ||
@@ -182,13 +184,16 @@ gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text, | |||
182 | spin_unlock(&krb5_seq_lock); | 184 | spin_unlock(&krb5_seq_lock); |
183 | *((u64 *)(krb5_hdr + 8)) = cpu_to_be64(seq_send); | 185 | *((u64 *)(krb5_hdr + 8)) = cpu_to_be64(seq_send); |
184 | 186 | ||
185 | if (ctx->initiate) | 187 | if (ctx->initiate) { |
186 | cksumkey = ctx->initiator_sign; | 188 | cksumkey = ctx->initiator_sign; |
187 | else | 189 | cksum_usage = KG_USAGE_INITIATOR_SIGN; |
190 | } else { | ||
188 | cksumkey = ctx->acceptor_sign; | 191 | cksumkey = ctx->acceptor_sign; |
192 | cksum_usage = KG_USAGE_ACCEPTOR_SIGN; | ||
193 | } | ||
189 | 194 | ||
190 | if (make_checksum_v2(ctx, krb5_hdr, GSS_KRB5_TOK_HDR_LEN, | 195 | if (make_checksum_v2(ctx, krb5_hdr, GSS_KRB5_TOK_HDR_LEN, |
191 | text, 0, cksumkey, &cksumobj)) | 196 | text, 0, cksumkey, cksum_usage, &cksumobj)) |
192 | return GSS_S_FAILURE; | 197 | return GSS_S_FAILURE; |
193 | 198 | ||
194 | memcpy(krb5_hdr + GSS_KRB5_TOK_HDR_LEN, cksumobj.data, cksumobj.len); | 199 | memcpy(krb5_hdr + GSS_KRB5_TOK_HDR_LEN, cksumobj.data, cksumobj.len); |
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 4ede4cc4391f..ef91366e3dea 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c | |||
@@ -115,7 +115,7 @@ gss_verify_mic_v1(struct krb5_ctx *ctx, | |||
115 | cksumkey = NULL; | 115 | cksumkey = NULL; |
116 | 116 | ||
117 | if (make_checksum(ctx, ptr, 8, message_buffer, 0, | 117 | if (make_checksum(ctx, ptr, 8, message_buffer, 0, |
118 | cksumkey, &md5cksum)) | 118 | cksumkey, KG_USAGE_SIGN, &md5cksum)) |
119 | return GSS_S_FAILURE; | 119 | return GSS_S_FAILURE; |
120 | 120 | ||
121 | if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN, | 121 | if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN, |
@@ -154,6 +154,7 @@ gss_verify_mic_v2(struct krb5_ctx *ctx, | |||
154 | u8 *cksumkey; | 154 | u8 *cksumkey; |
155 | u8 flags; | 155 | u8 flags; |
156 | int i; | 156 | int i; |
157 | unsigned int cksum_usage; | ||
157 | 158 | ||
158 | dprintk("RPC: %s\n", __func__); | 159 | dprintk("RPC: %s\n", __func__); |
159 | 160 | ||
@@ -174,13 +175,16 @@ gss_verify_mic_v2(struct krb5_ctx *ctx, | |||
174 | if (ptr[i] != 0xff) | 175 | if (ptr[i] != 0xff) |
175 | return GSS_S_DEFECTIVE_TOKEN; | 176 | return GSS_S_DEFECTIVE_TOKEN; |
176 | 177 | ||
177 | if (ctx->initiate) | 178 | if (ctx->initiate) { |
178 | cksumkey = ctx->acceptor_sign; | 179 | cksumkey = ctx->acceptor_sign; |
179 | else | 180 | cksum_usage = KG_USAGE_ACCEPTOR_SIGN; |
181 | } else { | ||
180 | cksumkey = ctx->initiator_sign; | 182 | cksumkey = ctx->initiator_sign; |
183 | cksum_usage = KG_USAGE_INITIATOR_SIGN; | ||
184 | } | ||
181 | 185 | ||
182 | if (make_checksum_v2(ctx, ptr, GSS_KRB5_TOK_HDR_LEN, message_buffer, 0, | 186 | if (make_checksum_v2(ctx, ptr, GSS_KRB5_TOK_HDR_LEN, message_buffer, 0, |
183 | cksumkey, &cksumobj)) | 187 | cksumkey, cksum_usage, &cksumobj)) |
184 | return GSS_S_FAILURE; | 188 | return GSS_S_FAILURE; |
185 | 189 | ||
186 | if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN, | 190 | if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN, |
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index a1a3585fa761..097cc27494cc 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c | |||
@@ -215,7 +215,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, | |||
215 | tmp_pages = buf->pages; | 215 | tmp_pages = buf->pages; |
216 | buf->pages = pages; | 216 | buf->pages = pages; |
217 | if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize, | 217 | if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize, |
218 | cksumkey, &md5cksum)) | 218 | cksumkey, KG_USAGE_SEAL, &md5cksum)) |
219 | return GSS_S_FAILURE; | 219 | return GSS_S_FAILURE; |
220 | buf->pages = tmp_pages; | 220 | buf->pages = tmp_pages; |
221 | 221 | ||
@@ -298,7 +298,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf) | |||
298 | cksumkey = NULL; | 298 | cksumkey = NULL; |
299 | 299 | ||
300 | if (make_checksum(kctx, ptr, 8, buf, crypt_offset, | 300 | if (make_checksum(kctx, ptr, 8, buf, crypt_offset, |
301 | cksumkey, &md5cksum)) | 301 | cksumkey, KG_USAGE_SEAL, &md5cksum)) |
302 | return GSS_S_FAILURE; | 302 | return GSS_S_FAILURE; |
303 | 303 | ||
304 | if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN, | 304 | if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN, |