Commit eaa82edf authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Trond Myklebust

SUNRPC,RPCSEC_GSS: fix krb5 sequence numbers.

Use a spinlock to ensure unique sequence numbers when creating krb5 gss tokens.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
parent 096455a2
...@@ -53,6 +53,8 @@ struct krb5_ctx { ...@@ -53,6 +53,8 @@ struct krb5_ctx {
struct xdr_netobj mech_used; struct xdr_netobj mech_used;
}; };
extern spinlock_t krb5_seq_lock;
#define KG_TOK_MIC_MSG 0x0101 #define KG_TOK_MIC_MSG 0x0101
#define KG_TOK_WRAP_MSG 0x0201 #define KG_TOK_WRAP_MSG 0x0201
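Review bot: The new `extern spinlock_t krb5_seq_lock;` declaration has no comment saying what it protects, and it is a single file-scope lock for a counter that looks per-context (`ctx->seq_send` and `kctx->seq_send` in the other two files). As written, every context that signs or wraps a token serializes on the same lock. A `spinlock_t` member inside `struct krb5_ctx`, or an atomic counter, would give the same uniqueness guarantee without cross-context contention. If the global lock stays, I would add `/* krb5_seq_lock serializes allocation of seq_send values across all krb5 contexts */` above the declaration. The struct definition starts outside this hunk, so the field's type and placement should be confirmed there.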
......
...@@ -70,6 +70,8 @@ ...@@ -70,6 +70,8 @@
# define RPCDBG_FACILITY RPCDBG_AUTH # define RPCDBG_FACILITY RPCDBG_AUTH
#endif #endif
spinlock_t krb5_seq_lock = SPIN_LOCK_UNLOCKED;
u32 u32
gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
struct xdr_netobj *token) struct xdr_netobj *token)
...@@ -80,6 +82,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, ...@@ -80,6 +82,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata}; struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
unsigned char *ptr, *krb5_hdr, *msg_start; unsigned char *ptr, *krb5_hdr, *msg_start;
s32 now; s32 now;
u32 seq_send;
dprintk("RPC: gss_krb5_seal\n"); dprintk("RPC: gss_krb5_seal\n");
...@@ -134,12 +137,14 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, ...@@ -134,12 +137,14 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
BUG(); BUG();
} }
spin_lock(&krb5_seq_lock);
seq_send = ctx->seq_send++;
spin_unlock(&krb5_seq_lock);
if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff, if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff,
ctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) seq_send, krb5_hdr + 16, krb5_hdr + 8)))
goto out_err; goto out_err;
ctx->seq_send++;
return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
out_err: out_err:
return GSS_S_FAILURE; return GSS_S_FAILURE;
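Review bot: With the increment moved under the lock ahead of `krb5_make_seq_num()`, a failure that reaches `out_err` now consumes a sequence number that never goes on the wire, whereas the removed `ctx->seq_send++` ran only on success. The same holds in `gss_wrap_kerberos`, where `gss_encrypt_xdr_buf()` can also fail after the number is taken. A gap is the safer outcome than a reused number for replay and ordering checks (how the peer treats a gap is not visible here), but the change deserves a comment above `spin_lock(&krb5_seq_lock);`, e.g. `/* Take the number before use: a gap on failure is acceptable, a duplicate is not. */`. Separately, `spinlock_t krb5_seq_lock = SPIN_LOCK_UNLOCKED;` could be written `DEFINE_SPINLOCK(krb5_seq_lock);` if this tree already provides that macro. The function body spans several hunks and its closing brace is outside them.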
......
...@@ -128,6 +128,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, ...@@ -128,6 +128,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
s32 now; s32 now;
int headlen; int headlen;
struct page **tmp_pages; struct page **tmp_pages;
u32 seq_send;
dprintk("RPC: gss_wrap_kerberos\n"); dprintk("RPC: gss_wrap_kerberos\n");
...@@ -206,18 +207,20 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, ...@@ -206,18 +207,20 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
BUG(); BUG();
} }
spin_lock(&krb5_seq_lock);
seq_send = kctx->seq_send++;
spin_unlock(&krb5_seq_lock);
/* XXX would probably be more efficient to compute checksum /* XXX would probably be more efficient to compute checksum
* and encrypt at the same time: */ * and encrypt at the same time: */
if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8))) seq_send, krb5_hdr + 16, krb5_hdr + 8)))
goto out_err; goto out_err;
if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
pages)) pages))
goto out_err; goto out_err;
kctx->seq_send++;
return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
out_err: out_err:
return GSS_S_FAILURE; return GSS_S_FAILURE;
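Review bot: The three-line `spin_lock` / `seq_send = kctx->seq_send++` / `spin_unlock` sequence here is a copy of the one in `gss_get_mic_kerberos`, so the locking rule for the counter lives in two files. A small `static inline` helper next to the `krb5_seq_lock` declaration would keep it in one place and make it harder for a future token type to read `seq_send` without the lock. The helper name below is a suggestion only, and the enclosing function starts and ends outside these hunks.

```c
/* Hand out the next send sequence number for this context; values are
 * unique until the counter wraps. */
static inline u32 krb5_next_seq_send(struct krb5_ctx *kctx)
{
	u32 seq;

	spin_lock(&krb5_seq_lock);
	seq = kctx->seq_send++;
	spin_unlock(&krb5_seq_lock);
	return seq;
}

/* … unchanged: earlier part of gss_wrap_kerberos … */
	seq_send = krb5_next_seq_send(kctx);
```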
......