aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@fieldses.org>2005-10-13 16:55:08 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2005-10-19 02:19:45 -0400
commitbfa91516b57483fc9c81d8d90325fd2c3c16ac48 (patch)
treeed5c63ec1aa88152b0991370f4a1dbcfff0cd15a /net
parentf7b3af64c653c73feb060a9f94f2df9ab4bba4c3 (diff)
RPCSEC_GSS: krb5 pre-privacy cleanup
The code this was originally derived from processed wrap and mic tokens using the same functions. This required some contortions, and more would be required with the addition of xdr_buf's, so it's better to separate out the two code paths. In preparation for adding privacy support, remove the last vestiges of the old wrap token code. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c5
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c38
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c30
3 files changed, 14 insertions, 59 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 462c5b86b073..8b9066fdfda5 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -199,8 +199,7 @@ gss_verify_mic_kerberos(struct gss_ctx *ctx,
199 int qop_state; 199 int qop_state;
200 struct krb5_ctx *kctx = ctx->internal_ctx_id; 200 struct krb5_ctx *kctx = ctx->internal_ctx_id;
201 201
202 maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state, 202 maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state);
203 KG_TOK_MIC_MSG);
204 if (!maj_stat && qop_state) 203 if (!maj_stat && qop_state)
205 *qstate = qop_state; 204 *qstate = qop_state;
206 205
@@ -216,7 +215,7 @@ gss_get_mic_kerberos(struct gss_ctx *ctx,
216 u32 err = 0; 215 u32 err = 0;
217 struct krb5_ctx *kctx = ctx->internal_ctx_id; 216 struct krb5_ctx *kctx = ctx->internal_ctx_id;
218 217
219 err = krb5_make_token(kctx, qop, message, mic_token, KG_TOK_MIC_MSG); 218 err = krb5_make_token(kctx, qop, message, mic_token);
220 219
221 dprintk("RPC: gss_get_mic_kerberos returning %d\n",err); 220 dprintk("RPC: gss_get_mic_kerberos returning %d\n",err);
222 221
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index afeeb8715a77..2511834e6e52 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -70,22 +70,12 @@
70# define RPCDBG_FACILITY RPCDBG_AUTH 70# define RPCDBG_FACILITY RPCDBG_AUTH
71#endif 71#endif
72 72
73static inline int
74gss_krb5_padding(int blocksize, int length) {
75 /* Most of the code is block-size independent but in practice we
76 * use only 8: */
77 BUG_ON(blocksize != 8);
78 return 8 - (length & 7);
79}
80
81u32 73u32
82krb5_make_token(struct krb5_ctx *ctx, int qop_req, 74krb5_make_token(struct krb5_ctx *ctx, int qop_req,
83 struct xdr_buf *text, struct xdr_netobj *token, 75 struct xdr_buf *text, struct xdr_netobj *token)
84 int toktype)
85{ 76{
86 s32 checksum_type; 77 s32 checksum_type;
87 struct xdr_netobj md5cksum = {.len = 0, .data = NULL}; 78 struct xdr_netobj md5cksum = {.len = 0, .data = NULL};
88 int blocksize = 0, tmsglen;
89 unsigned char *ptr, *krb5_hdr, *msg_start; 79 unsigned char *ptr, *krb5_hdr, *msg_start;
90 s32 now; 80 s32 now;
91 81
@@ -111,21 +101,13 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
111 goto out_err; 101 goto out_err;
112 } 102 }
113 103
114 if (toktype == KG_TOK_WRAP_MSG) { 104 token->len = g_token_size(&ctx->mech_used, 22);
115 blocksize = crypto_tfm_alg_blocksize(ctx->enc);
116 tmsglen = blocksize + text->len
117 + gss_krb5_padding(blocksize, blocksize + text->len);
118 } else {
119 tmsglen = 0;
120 }
121
122 token->len = g_token_size(&ctx->mech_used, 22 + tmsglen);
123 105
124 ptr = token->data; 106 ptr = token->data;
125 g_make_token_header(&ctx->mech_used, 22 + tmsglen, &ptr); 107 g_make_token_header(&ctx->mech_used, 22, &ptr);
126 108
127 *ptr++ = (unsigned char) ((toktype>>8)&0xff); 109 *ptr++ = (unsigned char) ((KG_TOK_MIC_MSG>>8)&0xff);
128 *ptr++ = (unsigned char) (toktype&0xff); 110 *ptr++ = (unsigned char) (KG_TOK_MIC_MSG&0xff);
129 111
130 /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */ 112 /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */
131 krb5_hdr = ptr - 2; 113 krb5_hdr = ptr - 2;
@@ -133,17 +115,9 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
133 115
134 *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg); 116 *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg);
135 memset(krb5_hdr + 4, 0xff, 4); 117 memset(krb5_hdr + 4, 0xff, 4);
136 if (toktype == KG_TOK_WRAP_MSG)
137 *(u16 *)(krb5_hdr + 4) = htons(ctx->sealalg);
138 118
139 if (toktype == KG_TOK_WRAP_MSG) { 119 if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum))
140 /* XXX removing support for now */
141 goto out_err; 120 goto out_err;
142 } else { /* Sign only. */
143 if (make_checksum(checksum_type, krb5_hdr, 8, text,
144 &md5cksum))
145 goto out_err;
146 }
147 121
148 switch (ctx->signalg) { 122 switch (ctx->signalg) {
149 case SGN_ALG_DES_MAC_MD5: 123 case SGN_ALG_DES_MAC_MD5:
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 8767fc53183d..19eba3df6607 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -68,20 +68,13 @@
68#endif 68#endif
69 69
70 70
71/* message_buffer is an input if toktype is MIC and an output if it is WRAP: 71/* read_token is a mic token, and message_buffer is the data that the mic was
72 * If toktype is MIC: read_token is a mic token, and message_buffer is the 72 * supposedly taken over. */
73 * data that the mic was supposedly taken over.
74 * If toktype is WRAP: read_token is a wrap token, and message_buffer is used
75 * to return the decrypted data.
76 */
77 73
78/* XXX will need to change prototype and/or just split into a separate function
79 * when we add privacy (because read_token will be in pages too). */
80u32 74u32
81krb5_read_token(struct krb5_ctx *ctx, 75krb5_read_token(struct krb5_ctx *ctx,
82 struct xdr_netobj *read_token, 76 struct xdr_netobj *read_token,
83 struct xdr_buf *message_buffer, 77 struct xdr_buf *message_buffer, int *qop_state)
84 int *qop_state, int toktype)
85{ 78{
86 int signalg; 79 int signalg;
87 int sealalg; 80 int sealalg;
@@ -100,16 +93,12 @@ krb5_read_token(struct krb5_ctx *ctx,
100 read_token->len)) 93 read_token->len))
101 goto out; 94 goto out;
102 95
103 if ((*ptr++ != ((toktype>>8)&0xff)) || (*ptr++ != (toktype&0xff))) 96 if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) ||
97 (*ptr++ != ( KG_TOK_MIC_MSG &0xff)) )
104 goto out; 98 goto out;
105 99
106 /* XXX sanity-check bodysize?? */ 100 /* XXX sanity-check bodysize?? */
107 101
108 if (toktype == KG_TOK_WRAP_MSG) {
109 /* XXX gone */
110 goto out;
111 }
112
113 /* get the sign and seal algorithms */ 102 /* get the sign and seal algorithms */
114 103
115 signalg = ptr[0] + (ptr[1] << 8); 104 signalg = ptr[0] + (ptr[1] << 8);
@@ -120,14 +109,7 @@ krb5_read_token(struct krb5_ctx *ctx,
120 if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) 109 if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
121 goto out; 110 goto out;
122 111
123 if (((toktype != KG_TOK_WRAP_MSG) && (sealalg != 0xffff)) || 112 if (sealalg != 0xffff)
124 ((toktype == KG_TOK_WRAP_MSG) && (sealalg == 0xffff)))
125 goto out;
126
127 /* in the current spec, there is only one valid seal algorithm per
128 key type, so a simple comparison is ok */
129
130 if ((toktype == KG_TOK_WRAP_MSG) && !(sealalg == ctx->sealalg))
131 goto out; 113 goto out;
132 114
133 /* there are several mappings of seal algorithms to sign algorithms, 115 /* there are several mappings of seal algorithms to sign algorithms,