diff options
author | J. Bruce Fields <bfields@fieldses.org> | 2006-12-04 20:22:35 -0500 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2006-12-06 10:46:44 -0500 |
commit | e678e06bf8fa25981a6fa1f08b979fd086d713f8 (patch) | |
tree | 1015c61bca28e960a62b52b5cc4045bcacebad6d /net/sunrpc/auth_gss | |
parent | adeb8133dd57f380e70a389a89a2ea3ae227f9e2 (diff) |
gss: krb5: remove signalg and sealalg
We designed the krb5 context import without completely understanding the
context. Now it's clear that there are a number of fields that we ignore,
or that we depend on having one single value.
In particular, we only support one value of signalg currently; so let's
check the signalg field in the downcall (in case we decide there's
something else we could support here eventually), but ignore it otherwise.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 5 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_seal.c | 34 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 30 |
3 files changed, 22 insertions, 47 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 754b8cd6439f..17587163fcae 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c | |||
@@ -129,6 +129,7 @@ gss_import_sec_context_kerberos(const void *p, | |||
129 | { | 129 | { |
130 | const void *end = (const void *)((const char *)p + len); | 130 | const void *end = (const void *)((const char *)p + len); |
131 | struct krb5_ctx *ctx; | 131 | struct krb5_ctx *ctx; |
132 | int tmp; | ||
132 | 133 | ||
133 | if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL))) | 134 | if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL))) |
134 | goto out_err; | 135 | goto out_err; |
@@ -142,9 +143,11 @@ gss_import_sec_context_kerberos(const void *p, | |||
142 | p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed)); | 143 | p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed)); |
143 | if (IS_ERR(p)) | 144 | if (IS_ERR(p)) |
144 | goto out_err_free_ctx; | 145 | goto out_err_free_ctx; |
145 | p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg)); | 146 | p = simple_get_bytes(p, end, &tmp, sizeof(tmp)); |
146 | if (IS_ERR(p)) | 147 | if (IS_ERR(p)) |
147 | goto out_err_free_ctx; | 148 | goto out_err_free_ctx; |
149 | if (tmp != SGN_ALG_DES_MAC_MD5) | ||
150 | goto out_err_free_ctx; | ||
148 | p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg)); | 151 | p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg)); |
149 | if (IS_ERR(p)) | 152 | if (IS_ERR(p)) |
150 | goto out_err_free_ctx; | 153 | goto out_err_free_ctx; |
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index dc58af0b8b4c..a496af585a08 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c | |||
@@ -88,15 +88,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
88 | 88 | ||
89 | now = get_seconds(); | 89 | now = get_seconds(); |
90 | 90 | ||
91 | switch (ctx->signalg) { | 91 | checksum_type = CKSUMTYPE_RSA_MD5; |
92 | case SGN_ALG_DES_MAC_MD5: | ||
93 | checksum_type = CKSUMTYPE_RSA_MD5; | ||
94 | break; | ||
95 | default: | ||
96 | dprintk("RPC: gss_krb5_seal: ctx->signalg %d not" | ||
97 | " supported\n", ctx->signalg); | ||
98 | goto out_err; | ||
99 | } | ||
100 | if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) { | 92 | if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) { |
101 | dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n", | 93 | dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n", |
102 | ctx->sealalg); | 94 | ctx->sealalg); |
@@ -115,24 +107,18 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
115 | krb5_hdr = ptr - 2; | 107 | krb5_hdr = ptr - 2; |
116 | msg_start = krb5_hdr + 24; | 108 | msg_start = krb5_hdr + 24; |
117 | 109 | ||
118 | *(__be16 *)(krb5_hdr + 2) = htons(ctx->signalg); | 110 | *(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5); |
119 | memset(krb5_hdr + 4, 0xff, 4); | 111 | memset(krb5_hdr + 4, 0xff, 4); |
120 | 112 | ||
121 | if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum)) | 113 | if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum)) |
122 | goto out_err; | 114 | goto out_err; |
123 | 115 | ||
124 | switch (ctx->signalg) { | 116 | if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, |
125 | case SGN_ALG_DES_MAC_MD5: | 117 | md5cksum.data, md5cksum.len)) |
126 | if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, | 118 | goto out_err; |
127 | md5cksum.data, md5cksum.len)) | 119 | memcpy(krb5_hdr + 16, |
128 | goto out_err; | 120 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, |
129 | memcpy(krb5_hdr + 16, | 121 | KRB5_CKSUM_LENGTH); |
130 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, | ||
131 | KRB5_CKSUM_LENGTH); | ||
132 | break; | ||
133 | default: | ||
134 | BUG(); | ||
135 | } | ||
136 | 122 | ||
137 | spin_lock(&krb5_seq_lock); | 123 | spin_lock(&krb5_seq_lock); |
138 | seq_send = ctx->seq_send++; | 124 | seq_send = ctx->seq_send++; |
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index ad243872f547..eee49f4c4c6a 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c | |||
@@ -134,15 +134,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
134 | 134 | ||
135 | now = get_seconds(); | 135 | now = get_seconds(); |
136 | 136 | ||
137 | switch (kctx->signalg) { | 137 | checksum_type = CKSUMTYPE_RSA_MD5; |
138 | case SGN_ALG_DES_MAC_MD5: | ||
139 | checksum_type = CKSUMTYPE_RSA_MD5; | ||
140 | break; | ||
141 | default: | ||
142 | dprintk("RPC: gss_krb5_seal: kctx->signalg %d not" | ||
143 | " supported\n", kctx->signalg); | ||
144 | goto out_err; | ||
145 | } | ||
146 | if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) { | 138 | if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) { |
147 | dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n", | 139 | dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n", |
148 | kctx->sealalg); | 140 | kctx->sealalg); |
@@ -177,7 +169,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
177 | msg_start = krb5_hdr + 24; | 169 | msg_start = krb5_hdr + 24; |
178 | /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize); | 170 | /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize); |
179 | 171 | ||
180 | *(__be16 *)(krb5_hdr + 2) = htons(kctx->signalg); | 172 | *(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5); |
181 | memset(krb5_hdr + 4, 0xff, 4); | 173 | memset(krb5_hdr + 4, 0xff, 4); |
182 | *(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg); | 174 | *(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg); |
183 | 175 | ||
@@ -191,18 +183,12 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
191 | goto out_err; | 183 | goto out_err; |
192 | buf->pages = tmp_pages; | 184 | buf->pages = tmp_pages; |
193 | 185 | ||
194 | switch (kctx->signalg) { | 186 | if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, |
195 | case SGN_ALG_DES_MAC_MD5: | 187 | md5cksum.data, md5cksum.len)) |
196 | if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, | 188 | goto out_err; |
197 | md5cksum.data, md5cksum.len)) | 189 | memcpy(krb5_hdr + 16, |
198 | goto out_err; | 190 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, |
199 | memcpy(krb5_hdr + 16, | 191 | KRB5_CKSUM_LENGTH); |
200 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, | ||
201 | KRB5_CKSUM_LENGTH); | ||
202 | break; | ||
203 | default: | ||
204 | BUG(); | ||
205 | } | ||
206 | 192 | ||
207 | spin_lock(&krb5_seq_lock); | 193 | spin_lock(&krb5_seq_lock); |
208 | seq_send = kctx->seq_send++; | 194 | seq_send = kctx->seq_send++; |