diff options
author | J. Bruce Fields <bfields@fieldses.org> | 2005-10-13 16:55:08 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2005-10-19 02:19:45 -0400 |
commit | bfa91516b57483fc9c81d8d90325fd2c3c16ac48 (patch) | |
tree | ed5c63ec1aa88152b0991370f4a1dbcfff0cd15a /net | |
parent | f7b3af64c653c73feb060a9f94f2df9ab4bba4c3 (diff) |
RPCSEC_GSS: krb5 pre-privacy cleanup
The code this was originally derived from processed wrap and mic tokens using
the same functions. This required some contortions, and more would be required
with the addition of xdr_buf's, so it's better to separate out the two code
paths.
In preparation for adding privacy support, remove the last vestiges of the
old wrap token code.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_mech.c | 5 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_seal.c | 38 | ||||
-rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_unseal.c | 30 |
3 files changed, 14 insertions, 59 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c index 462c5b86b073..8b9066fdfda5 100644 --- a/net/sunrpc/auth_gss/gss_krb5_mech.c +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c | |||
@@ -199,8 +199,7 @@ gss_verify_mic_kerberos(struct gss_ctx *ctx, | |||
199 | int qop_state; | 199 | int qop_state; |
200 | struct krb5_ctx *kctx = ctx->internal_ctx_id; | 200 | struct krb5_ctx *kctx = ctx->internal_ctx_id; |
201 | 201 | ||
202 | maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state, | 202 | maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state); |
203 | KG_TOK_MIC_MSG); | ||
204 | if (!maj_stat && qop_state) | 203 | if (!maj_stat && qop_state) |
205 | *qstate = qop_state; | 204 | *qstate = qop_state; |
206 | 205 | ||
@@ -216,7 +215,7 @@ gss_get_mic_kerberos(struct gss_ctx *ctx, | |||
216 | u32 err = 0; | 215 | u32 err = 0; |
217 | struct krb5_ctx *kctx = ctx->internal_ctx_id; | 216 | struct krb5_ctx *kctx = ctx->internal_ctx_id; |
218 | 217 | ||
219 | err = krb5_make_token(kctx, qop, message, mic_token, KG_TOK_MIC_MSG); | 218 | err = krb5_make_token(kctx, qop, message, mic_token); |
220 | 219 | ||
221 | dprintk("RPC: gss_get_mic_kerberos returning %d\n",err); | 220 | dprintk("RPC: gss_get_mic_kerberos returning %d\n",err); |
222 | 221 | ||
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index afeeb8715a77..2511834e6e52 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c | |||
@@ -70,22 +70,12 @@ | |||
70 | # define RPCDBG_FACILITY RPCDBG_AUTH | 70 | # define RPCDBG_FACILITY RPCDBG_AUTH |
71 | #endif | 71 | #endif |
72 | 72 | ||
73 | static inline int | ||
74 | gss_krb5_padding(int blocksize, int length) { | ||
75 | /* Most of the code is block-size independent but in practice we | ||
76 | * use only 8: */ | ||
77 | BUG_ON(blocksize != 8); | ||
78 | return 8 - (length & 7); | ||
79 | } | ||
80 | |||
81 | u32 | 73 | u32 |
82 | krb5_make_token(struct krb5_ctx *ctx, int qop_req, | 74 | krb5_make_token(struct krb5_ctx *ctx, int qop_req, |
83 | struct xdr_buf *text, struct xdr_netobj *token, | 75 | struct xdr_buf *text, struct xdr_netobj *token) |
84 | int toktype) | ||
85 | { | 76 | { |
86 | s32 checksum_type; | 77 | s32 checksum_type; |
87 | struct xdr_netobj md5cksum = {.len = 0, .data = NULL}; | 78 | struct xdr_netobj md5cksum = {.len = 0, .data = NULL}; |
88 | int blocksize = 0, tmsglen; | ||
89 | unsigned char *ptr, *krb5_hdr, *msg_start; | 79 | unsigned char *ptr, *krb5_hdr, *msg_start; |
90 | s32 now; | 80 | s32 now; |
91 | 81 | ||
@@ -111,21 +101,13 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req, | |||
111 | goto out_err; | 101 | goto out_err; |
112 | } | 102 | } |
113 | 103 | ||
114 | if (toktype == KG_TOK_WRAP_MSG) { | 104 | token->len = g_token_size(&ctx->mech_used, 22); |
115 | blocksize = crypto_tfm_alg_blocksize(ctx->enc); | ||
116 | tmsglen = blocksize + text->len | ||
117 | + gss_krb5_padding(blocksize, blocksize + text->len); | ||
118 | } else { | ||
119 | tmsglen = 0; | ||
120 | } | ||
121 | |||
122 | token->len = g_token_size(&ctx->mech_used, 22 + tmsglen); | ||
123 | 105 | ||
124 | ptr = token->data; | 106 | ptr = token->data; |
125 | g_make_token_header(&ctx->mech_used, 22 + tmsglen, &ptr); | 107 | g_make_token_header(&ctx->mech_used, 22, &ptr); |
126 | 108 | ||
127 | *ptr++ = (unsigned char) ((toktype>>8)&0xff); | 109 | *ptr++ = (unsigned char) ((KG_TOK_MIC_MSG>>8)&0xff); |
128 | *ptr++ = (unsigned char) (toktype&0xff); | 110 | *ptr++ = (unsigned char) (KG_TOK_MIC_MSG&0xff); |
129 | 111 | ||
130 | /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */ | 112 | /* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */ |
131 | krb5_hdr = ptr - 2; | 113 | krb5_hdr = ptr - 2; |
@@ -133,17 +115,9 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req, | |||
133 | 115 | ||
134 | *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg); | 116 | *(u16 *)(krb5_hdr + 2) = htons(ctx->signalg); |
135 | memset(krb5_hdr + 4, 0xff, 4); | 117 | memset(krb5_hdr + 4, 0xff, 4); |
136 | if (toktype == KG_TOK_WRAP_MSG) | ||
137 | *(u16 *)(krb5_hdr + 4) = htons(ctx->sealalg); | ||
138 | 118 | ||
139 | if (toktype == KG_TOK_WRAP_MSG) { | 119 | if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum)) |
140 | /* XXX removing support for now */ | ||
141 | goto out_err; | 120 | goto out_err; |
142 | } else { /* Sign only. */ | ||
143 | if (make_checksum(checksum_type, krb5_hdr, 8, text, | ||
144 | &md5cksum)) | ||
145 | goto out_err; | ||
146 | } | ||
147 | 121 | ||
148 | switch (ctx->signalg) { | 122 | switch (ctx->signalg) { |
149 | case SGN_ALG_DES_MAC_MD5: | 123 | case SGN_ALG_DES_MAC_MD5: |
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 8767fc53183d..19eba3df6607 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c | |||
@@ -68,20 +68,13 @@ | |||
68 | #endif | 68 | #endif |
69 | 69 | ||
70 | 70 | ||
71 | /* message_buffer is an input if toktype is MIC and an output if it is WRAP: | 71 | /* read_token is a mic token, and message_buffer is the data that the mic was |
72 | * If toktype is MIC: read_token is a mic token, and message_buffer is the | 72 | * supposedly taken over. */ |
73 | * data that the mic was supposedly taken over. | ||
74 | * If toktype is WRAP: read_token is a wrap token, and message_buffer is used | ||
75 | * to return the decrypted data. | ||
76 | */ | ||
77 | 73 | ||
78 | /* XXX will need to change prototype and/or just split into a separate function | ||
79 | * when we add privacy (because read_token will be in pages too). */ | ||
80 | u32 | 74 | u32 |
81 | krb5_read_token(struct krb5_ctx *ctx, | 75 | krb5_read_token(struct krb5_ctx *ctx, |
82 | struct xdr_netobj *read_token, | 76 | struct xdr_netobj *read_token, |
83 | struct xdr_buf *message_buffer, | 77 | struct xdr_buf *message_buffer, int *qop_state) |
84 | int *qop_state, int toktype) | ||
85 | { | 78 | { |
86 | int signalg; | 79 | int signalg; |
87 | int sealalg; | 80 | int sealalg; |
@@ -100,16 +93,12 @@ krb5_read_token(struct krb5_ctx *ctx, | |||
100 | read_token->len)) | 93 | read_token->len)) |
101 | goto out; | 94 | goto out; |
102 | 95 | ||
103 | if ((*ptr++ != ((toktype>>8)&0xff)) || (*ptr++ != (toktype&0xff))) | 96 | if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) || |
97 | (*ptr++ != ( KG_TOK_MIC_MSG &0xff)) ) | ||
104 | goto out; | 98 | goto out; |
105 | 99 | ||
106 | /* XXX sanity-check bodysize?? */ | 100 | /* XXX sanity-check bodysize?? */ |
107 | 101 | ||
108 | if (toktype == KG_TOK_WRAP_MSG) { | ||
109 | /* XXX gone */ | ||
110 | goto out; | ||
111 | } | ||
112 | |||
113 | /* get the sign and seal algorithms */ | 102 | /* get the sign and seal algorithms */ |
114 | 103 | ||
115 | signalg = ptr[0] + (ptr[1] << 8); | 104 | signalg = ptr[0] + (ptr[1] << 8); |
@@ -120,14 +109,7 @@ krb5_read_token(struct krb5_ctx *ctx, | |||
120 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) | 109 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) |
121 | goto out; | 110 | goto out; |
122 | 111 | ||
123 | if (((toktype != KG_TOK_WRAP_MSG) && (sealalg != 0xffff)) || | 112 | if (sealalg != 0xffff) |
124 | ((toktype == KG_TOK_WRAP_MSG) && (sealalg == 0xffff))) | ||
125 | goto out; | ||
126 | |||
127 | /* in the current spec, there is only one valid seal algorithm per | ||
128 | key type, so a simple comparison is ok */ | ||
129 | |||
130 | if ((toktype == KG_TOK_WRAP_MSG) && !(sealalg == ctx->sealalg)) | ||
131 | goto out; | 113 | goto out; |
132 | 114 | ||
133 | /* there are several mappings of seal algorithms to sign algorithms, | 115 | /* there are several mappings of seal algorithms to sign algorithms, |