Diffstat (limited to 'net/sunrpc')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c5
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c38
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c30
3 files changed, 14 insertions, 59 deletions
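diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 462c5b86b073..8b9066fdfda5 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -199,8 +199,7 @@ gss_verify_mic_kerberos(struct gss_ctx *ctx,
 	int qop_state;
 	struct krb5_ctx *kctx = ctx->internal_ctx_id;
 
-	maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state,
-			KG_TOK_MIC_MSG);
+	maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state);
 	if (!maj_stat && qop_state)
 		*qstate = qop_state;
 
@@ -216,7 +215,7 @@ gss_get_mic_kerberos(struct gss_ctx *ctx,
 	u32 err = 0;
 	struct krb5_ctx *kctx = ctx->internal_ctx_id;
 
-	err = krb5_make_token(kctx, qop, message, mic_token, KG_TOK_MIC_MSG);
+	err = krb5_make_token(kctx, qop, message, mic_token);
 
 	dprintk("RPC: gss_get_mic_kerberos returning %d\n",err);
 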
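diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index afeeb8715a77..2511834e6e52 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -70,22 +70,12 @@
 # define RPCDBG_FACILITY RPCDBG_AUTH
 #endif
 
-static inline int
-gss_krb5_padding(int blocksize, int length) {
-	/* Most of the code is block-size independent but in practice we
-	 * use only 8: */
-	BUG_ON(blocksize != 8);
-	return 8 - (length & 7);
-}
-
 u32
 krb5_make_token(struct krb5_ctx *ctx, int qop_req,
-		struct xdr_buf *text, struct xdr_netobj *token,
-		int toktype)
+		struct xdr_buf *text, struct xdr_netobj *token)
 {
 	s32 checksum_type;
 	struct xdr_netobj md5cksum = {.len = 0, .data = NULL};
-	int blocksize = 0, tmsglen;
 	unsigned char *ptr, *krb5_hdr, *msg_start;
 	s32 now;
 
@@ -111,21 +101,13 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
 		goto out_err;
 	}
 
-	if (toktype == KG_TOK_WRAP_MSG) {
-		blocksize = crypto_tfm_alg_blocksize(ctx->enc);
-		tmsglen = blocksize + text->len
-			+ gss_krb5_padding(blocksize, blocksize + text->len);
-	} else {
-		tmsglen = 0;
-	}
-
-	token->len = g_token_size(&ctx->mech_used, 22 + tmsglen);
+	token->len = g_token_size(&ctx->mech_used, 22);
 
 	ptr = token->data;
-	g_make_token_header(&ctx->mech_used, 22 + tmsglen, &ptr);
+	g_make_token_header(&ctx->mech_used, 22, &ptr);
 
-	*ptr++ = (unsigned char) ((toktype>>8)&0xff);
-	*ptr++ = (unsigned char) (toktype&0xff);
+	*ptr++ = (unsigned char) ((KG_TOK_MIC_MSG>>8)&0xff);
+	*ptr++ = (unsigned char) (KG_TOK_MIC_MSG&0xff);
 
 	/* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */
 	krb5_hdr = ptr - 2;
@@ -133,17 +115,9 @@ krb5_make_token(struct krb5_ctx *ctx, int qop_req,
 
 	*(u16 *)(krb5_hdr + 2) = htons(ctx->signalg);
 	memset(krb5_hdr + 4, 0xff, 4);
-	if (toktype == KG_TOK_WRAP_MSG)
-		*(u16 *)(krb5_hdr + 4) = htons(ctx->sealalg);
 
-	if (toktype == KG_TOK_WRAP_MSG) {
-		/* XXX removing support for now */
+	if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum))
 		goto out_err;
-	} else { /* Sign only. */
-		if (make_checksum(checksum_type, krb5_hdr, 8, text,
-				&md5cksum))
-			goto out_err;
-	}
 
 	switch (ctx->signalg) {
 	case SGN_ALG_DES_MAC_MD5: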
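Review bot: The MIC body length is now the bare literal `22`, passed to both `g_token_size` and `g_make_token_header` in the second hunk, with nothing in the code tying it to the RFC 1964 §1.2.1 header the function then fills in by hand (token id, `signalg` at offset 2, four filler bytes, and whatever follows outside the hunk). A named constant with a one-line comment on how the count is formed (presumably the two token-id bytes are accounted for inside `g_token_size`/`g_make_token_header`, since the code writes them separately right after the header, but that should be stated) would make the size auditable and leave one place to change if the checksum length ever differs; e.g. `token->len = g_token_size(&ctx->mech_used, KRB5_MIC_BODY_LEN);` and the matching `g_make_token_header(&ctx->mech_used, KRB5_MIC_BODY_LEN, &ptr);`. Nothing in the hunk checks that `token->data` has room for `token->len` bytes before the stores through `ptr`; the caller presumably sizes it, but that contract deserves a comment at the `ptr = token->data;` line. krb5_make_token starts before the first hunk and its body continues past the last one.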
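diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 8767fc53183d..19eba3df6607 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -68,20 +68,13 @@
 #endif
 
 
-/* message_buffer is an input if toktype is MIC and an output if it is WRAP:
- * If toktype is MIC: read_token is a mic token, and message_buffer is the
- * data that the mic was supposedly taken over.
- * If toktype is WRAP: read_token is a wrap token, and message_buffer is used
- * to return the decrypted data.
- */
+/* read_token is a mic token, and message_buffer is the data that the mic was
+ * supposedly taken over. */
 
-/* XXX will need to change prototype and/or just split into a separate function
- * when we add privacy (because read_token will be in pages too). */
 u32
 krb5_read_token(struct krb5_ctx *ctx,
 		struct xdr_netobj *read_token,
-		struct xdr_buf *message_buffer,
-		int *qop_state, int toktype)
+		struct xdr_buf *message_buffer, int *qop_state)
 {
 	int signalg;
 	int sealalg;
@@ -100,16 +93,12 @@ krb5_read_token(struct krb5_ctx *ctx,
 				read_token->len))
 		goto out;
 
-	if ((*ptr++ != ((toktype>>8)&0xff)) || (*ptr++ != (toktype&0xff)))
+	if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) ||
+	    (*ptr++ != ( KG_TOK_MIC_MSG &0xff)) )
 		goto out;
 
 	/* XXX sanity-check bodysize?? */
 
-	if (toktype == KG_TOK_WRAP_MSG) {
-		/* XXX gone */
-		goto out;
-	}
-
 	/* get the sign and seal algorithms */
 
 	signalg = ptr[0] + (ptr[1] << 8);
@@ -120,14 +109,7 @@ krb5_read_token(struct krb5_ctx *ctx,
 	if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
 		goto out;
 
-	if (((toktype != KG_TOK_WRAP_MSG) && (sealalg != 0xffff)) ||
-	    ((toktype == KG_TOK_WRAP_MSG) && (sealalg == 0xffff)))
-		goto out;
-
-	/* in the current spec, there is only one valid seal algorithm per
-	   key type, so a simple comparison is ok */
-
-	if ((toktype == KG_TOK_WRAP_MSG) && !(sealalg == ctx->sealalg))
+	if (sealalg != 0xffff)
 		goto out;
 
 	/* there are several mappings of seal algorithms to sign algorithms,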
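Review bot: The `/* XXX sanity-check bodysize?? */` left in the second hunk still marks a missing check on peer-supplied input: after the two token-id bytes the code reads `ptr[0]`..`ptr[5]` for the sign/seal algorithms and filler, and presumably the sequence number and checksum further on, without confirming the token body is long enough for the fixed MIC layout. If g_verify_token_header (its call is cut off at the top of the hunk) only validates the outer wrapper against `read_token->len`, a truncated or malformed token could make this parser read past the end of `read_token->data`; with MIC now the only token type the function accepts, the check is a one-liner. I would replace the XXX with a real test against the body length the matching krb5_make_token emits (the `22` it passes to g_make_token_header), e.g. `if (bodysize != 22) goto out;` with a comment naming the RFC 1964 1.2.1 layout, and verify the local variable name, since it is not visible in the hunk. krb5_read_token's body continues past the last hunk.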