Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b237076 authored by Kevin Coffman's avatar Kevin Coffman Committed by Trond Myklebust
Browse files

gssd_krb5: arcfour-hmac support 



For arcfour-hmac support, the make_checksum function needs a usage
field to correctly calculate the checksum differently for MIC and
WRAP tokens.

Signed-off-by: default avatarKevin Coffman <kwc@citi.umich.edu>
Signed-off-by: default avatarSteve Dickson <steved@redhat.com>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent bf6d359c

include/linux/sunrpc/gss_krb5.h

+2 −2
Original line number Diff line number Diff line
@@ -235,12 +235,12 @@ enum seal_alg { 
u32

make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,

		struct xdr_buf *body, int body_offset, u8 *cksumkey,

		struct xdr_netobj *cksumout);

		unsigned int usage, struct xdr_netobj *cksumout);



u32

make_checksum_v2(struct krb5_ctx *, char *header, int hdrlen,

		 struct xdr_buf *body, int body_offset, u8 *key,

		 struct xdr_netobj *cksum);

		 unsigned int usage, struct xdr_netobj *cksum);



u32 gss_get_mic_kerberos(struct gss_ctx *, struct xdr_buf *,

		struct xdr_netobj *);

net/sunrpc/auth_gss/gss_krb5_crypto.c

+11 −4
Original line number Diff line number Diff line
@@ -132,7 +132,7 @@ checksummer(struct scatterlist *sg, void *data) 
u32

make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,

	      struct xdr_buf *body, int body_offset, u8 *cksumkey,

	      struct xdr_netobj *cksumout)

	      unsigned int usage, struct xdr_netobj *cksumout)

{

	struct hash_desc                desc;

	struct scatterlist              sg[1];
@@ -208,7 +208,7 @@ out: 
u32

make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen,

		 struct xdr_buf *body, int body_offset, u8 *cksumkey,

		 struct xdr_netobj *cksumout)

		 unsigned int usage, struct xdr_netobj *cksumout)

{

	struct hash_desc desc;

	struct scatterlist sg[1];
@@ -537,15 +537,18 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, 
	int nblocks, nbytes;

	struct encryptor_desc desc;

	u32 cbcbytes;

	unsigned int usage;



	if (kctx->initiate) {

		cipher = kctx->initiator_enc;

		aux_cipher = kctx->initiator_enc_aux;

		cksumkey = kctx->initiator_integ;

		usage = KG_USAGE_INITIATOR_SEAL;

	} else {

		cipher = kctx->acceptor_enc;

		aux_cipher = kctx->acceptor_enc_aux;

		cksumkey = kctx->acceptor_integ;

		usage = KG_USAGE_ACCEPTOR_SEAL;

	}

	blocksize = crypto_blkcipher_blocksize(cipher);
@@ -590,7 +593,8 @@ gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset, 
	buf->pages = pages;



	err = make_checksum_v2(kctx, NULL, 0, buf,

			       offset + GSS_KRB5_TOK_HDR_LEN, cksumkey, &hmac);

			       offset + GSS_KRB5_TOK_HDR_LEN,

			       cksumkey, usage, &hmac);

	buf->pages = save_pages;

	if (err)

		return GSS_S_FAILURE;
@@ -654,15 +658,18 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, 
	u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];

	int nblocks, blocksize, cbcbytes;

	struct decryptor_desc desc;

	unsigned int usage;



	if (kctx->initiate) {

		cipher = kctx->acceptor_enc;

		aux_cipher = kctx->acceptor_enc_aux;

		cksum_key = kctx->acceptor_integ;

		usage = KG_USAGE_ACCEPTOR_SEAL;

	} else {

		cipher = kctx->initiator_enc;

		aux_cipher = kctx->initiator_enc_aux;

		cksum_key = kctx->initiator_integ;

		usage = KG_USAGE_INITIATOR_SEAL;

	}

	blocksize = crypto_blkcipher_blocksize(cipher);
@@ -705,7 +712,7 @@ gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, 
	our_hmac_obj.data = our_hmac;



	ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0,

			       cksum_key, &our_hmac_obj);

			       cksum_key, usage, &our_hmac_obj);

	if (ret)

		goto out_err;

net/sunrpc/auth_gss/gss_krb5_seal.c

+9 −4
Original line number Diff line number Diff line
@@ -142,7 +142,8 @@ gss_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text, 
	else

		cksumkey = NULL;



	if (make_checksum(ctx, ptr, 8, text, 0, cksumkey, &md5cksum))

	if (make_checksum(ctx, ptr, 8, text, 0, cksumkey,

			  KG_USAGE_SIGN, &md5cksum))

		return GSS_S_FAILURE;



	memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len);
@@ -170,6 +171,7 @@ gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text, 
	s32 now;

	u64 seq_send;

	u8 *cksumkey;

	unsigned int cksum_usage;



	dprintk("RPC:       %s\n", __func__);
@@ -182,13 +184,16 @@ gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text, 
	spin_unlock(&krb5_seq_lock);

	*((u64 *)(krb5_hdr + 8)) = cpu_to_be64(seq_send);



	if (ctx->initiate)

	if (ctx->initiate) {

		cksumkey = ctx->initiator_sign;

	else

		cksum_usage = KG_USAGE_INITIATOR_SIGN;

	} else {

		cksumkey = ctx->acceptor_sign;

		cksum_usage = KG_USAGE_ACCEPTOR_SIGN;

	}



	if (make_checksum_v2(ctx, krb5_hdr, GSS_KRB5_TOK_HDR_LEN,

			     text, 0, cksumkey, &cksumobj))

			     text, 0, cksumkey, cksum_usage, &cksumobj))

		return GSS_S_FAILURE;



	memcpy(krb5_hdr + GSS_KRB5_TOK_HDR_LEN, cksumobj.data, cksumobj.len);

net/sunrpc/auth_gss/gss_krb5_unseal.c

+8 −4
Original line number Diff line number Diff line
@@ -115,7 +115,7 @@ gss_verify_mic_v1(struct krb5_ctx *ctx, 
		cksumkey = NULL;



	if (make_checksum(ctx, ptr, 8, message_buffer, 0,

			  cksumkey, &md5cksum))

			  cksumkey, KG_USAGE_SIGN, &md5cksum))

		return GSS_S_FAILURE;



	if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,
@@ -154,6 +154,7 @@ gss_verify_mic_v2(struct krb5_ctx *ctx, 
	u8 *cksumkey;

	u8 flags;

	int i;

	unsigned int cksum_usage;



	dprintk("RPC:       %s\n", __func__);
@@ -174,13 +175,16 @@ gss_verify_mic_v2(struct krb5_ctx *ctx, 
		if (ptr[i] != 0xff)

			return GSS_S_DEFECTIVE_TOKEN;



	if (ctx->initiate)

	if (ctx->initiate) {

		cksumkey = ctx->acceptor_sign;

	else

		cksum_usage = KG_USAGE_ACCEPTOR_SIGN;

	} else {

		cksumkey = ctx->initiator_sign;

		cksum_usage = KG_USAGE_INITIATOR_SIGN;

	}



	if (make_checksum_v2(ctx, ptr, GSS_KRB5_TOK_HDR_LEN, message_buffer, 0,

			     cksumkey, &cksumobj))

			     cksumkey, cksum_usage, &cksumobj))

		return GSS_S_FAILURE;



	if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN,

net/sunrpc/auth_gss/gss_krb5_wrap.c

+2 −2
Original line number Diff line number Diff line
@@ -215,7 +215,7 @@ gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset, 
	tmp_pages = buf->pages;

	buf->pages = pages;

	if (make_checksum(kctx, ptr, 8, buf, offset + headlen - blocksize,

					cksumkey, &md5cksum))

					cksumkey, KG_USAGE_SEAL, &md5cksum))

		return GSS_S_FAILURE;

	buf->pages = tmp_pages;
@@ -298,7 +298,7 @@ gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf) 
		cksumkey = NULL;



	if (make_checksum(kctx, ptr, 8, buf, crypt_offset,

						cksumkey, &md5cksum))

					cksumkey, KG_USAGE_SEAL, &md5cksum))

		return GSS_S_FAILURE;



	if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,