Commit e678e06b authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Trond Myklebust

gss: krb5: remove signalg and sealalg

We designed the krb5 context import without completely understanding the
context.  Now it's clear that there are a number of fields that we ignore,
or that we depend on having one single value.

In particular, we only support one value of signalg currently; so let's
check the signalg field in the downcall (in case we decide there's
something else we could support here eventually), but ignore it otherwise.
Signed-off-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent adeb8133
...@@ -44,7 +44,6 @@ struct krb5_ctx { ...@@ -44,7 +44,6 @@ struct krb5_ctx {
int initiate; /* 1 = initiating, 0 = accepting */ int initiate; /* 1 = initiating, 0 = accepting */
int seed_init; int seed_init;
unsigned char seed[16]; unsigned char seed[16];
int signalg;
int sealalg; int sealalg;
struct crypto_blkcipher *enc; struct crypto_blkcipher *enc;
struct crypto_blkcipher *seq; struct crypto_blkcipher *seq;
......
...@@ -129,6 +129,7 @@ gss_import_sec_context_kerberos(const void *p, ...@@ -129,6 +129,7 @@ gss_import_sec_context_kerberos(const void *p,
{ {
const void *end = (const void *)((const char *)p + len); const void *end = (const void *)((const char *)p + len);
struct krb5_ctx *ctx; struct krb5_ctx *ctx;
int tmp;
if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL))) if (!(ctx = kzalloc(sizeof(*ctx), GFP_KERNEL)))
goto out_err; goto out_err;
...@@ -142,9 +143,11 @@ gss_import_sec_context_kerberos(const void *p, ...@@ -142,9 +143,11 @@ gss_import_sec_context_kerberos(const void *p,
p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed)); p = simple_get_bytes(p, end, ctx->seed, sizeof(ctx->seed));
if (IS_ERR(p)) if (IS_ERR(p))
goto out_err_free_ctx; goto out_err_free_ctx;
p = simple_get_bytes(p, end, &ctx->signalg, sizeof(ctx->signalg)); p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
if (IS_ERR(p)) if (IS_ERR(p))
goto out_err_free_ctx; goto out_err_free_ctx;
if (tmp != SGN_ALG_DES_MAC_MD5)
goto out_err_free_ctx;
p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg)); p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
if (IS_ERR(p)) if (IS_ERR(p))
goto out_err_free_ctx; goto out_err_free_ctx;
......
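Review bot: The new `goto out_err_free_ctx` on the `tmp != SGN_ALG_DES_MAC_MD5` check jumps with `p` still pointing at valid downcall data, so if the cleanup labels (outside the hunk) return `PTR_ERR(p)` as the surrounding `IS_ERR(p)` paths suggest, the caller gets a meaningless status instead of an errno for an unsupported signature algorithm. Setting the error explicitly before jumping, `if (tmp != SGN_ALG_DES_MAC_MD5) { p = ERR_PTR(-ENOSYS); goto out_err_free_ctx; }`, makes the rejection unambiguous, and a `dprintk` naming the rejected value would make an unexpected downcall visible in the logs rather than a silent context-import failure. The `sealalg` read just below is still accepted here without any check and only rejected per call in gss_get_mic_kerberos and gss_wrap_kerberos; validating it at import time alongside signalg would keep the two consistent.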
...@@ -88,15 +88,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, ...@@ -88,15 +88,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
now = get_seconds(); now = get_seconds();
switch (ctx->signalg) { checksum_type = CKSUMTYPE_RSA_MD5;
case SGN_ALG_DES_MAC_MD5:
checksum_type = CKSUMTYPE_RSA_MD5;
break;
default:
dprintk("RPC: gss_krb5_seal: ctx->signalg %d not"
" supported\n", ctx->signalg);
goto out_err;
}
if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) { if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) {
dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n", dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n",
ctx->sealalg); ctx->sealalg);
...@@ -115,24 +107,18 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, ...@@ -115,24 +107,18 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
krb5_hdr = ptr - 2; krb5_hdr = ptr - 2;
msg_start = krb5_hdr + 24; msg_start = krb5_hdr + 24;
*(__be16 *)(krb5_hdr + 2) = htons(ctx->signalg); *(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
memset(krb5_hdr + 4, 0xff, 4); memset(krb5_hdr + 4, 0xff, 4);
if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum)) if (make_checksum(checksum_type, krb5_hdr, 8, text, 0, &md5cksum))
goto out_err; goto out_err;
switch (ctx->signalg) { if (krb5_encrypt(ctx->seq, NULL, md5cksum.data,
case SGN_ALG_DES_MAC_MD5: md5cksum.data, md5cksum.len))
if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, goto out_err;
md5cksum.data, md5cksum.len)) memcpy(krb5_hdr + 16,
goto out_err; md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
memcpy(krb5_hdr + 16, KRB5_CKSUM_LENGTH);
md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
KRB5_CKSUM_LENGTH);
break;
default:
BUG();
}
spin_lock(&krb5_seq_lock); spin_lock(&krb5_seq_lock);
seq_send = ctx->seq_send++; seq_send = ctx->seq_send++;
......
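Review bot: With the switch gone, `checksum_type` is assigned the constant CKSUMTYPE_RSA_MD5 at the top of the first hunk and only consumed by `make_checksum` in the second, so the link between the SGN_ALG_DES_MAC_MD5 value written into the token header and the MD5 checksum is now implicit; a comment at the assignment, `/* only SGN_ALG_DES_MAC_MD5 is supported (enforced at context import); it is defined over an RSA-MD5 checksum */`, would record why both constants are hard-coded. The local could also be dropped and CKSUMTYPE_RSA_MD5 passed to `make_checksum` directly, though its declaration is outside the hunk. The same pattern appears in the gss_wrap_kerberos hunks below, and gss_get_mic_kerberos starts and ends outside these hunks.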
...@@ -134,15 +134,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, ...@@ -134,15 +134,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
now = get_seconds(); now = get_seconds();
switch (kctx->signalg) { checksum_type = CKSUMTYPE_RSA_MD5;
case SGN_ALG_DES_MAC_MD5:
checksum_type = CKSUMTYPE_RSA_MD5;
break;
default:
dprintk("RPC: gss_krb5_seal: kctx->signalg %d not"
" supported\n", kctx->signalg);
goto out_err;
}
if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) { if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n", dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n",
kctx->sealalg); kctx->sealalg);
...@@ -177,7 +169,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, ...@@ -177,7 +169,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
msg_start = krb5_hdr + 24; msg_start = krb5_hdr + 24;
/* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize); /* XXXJBF: */ BUG_ON(buf->head[0].iov_base + offset + headlen != msg_start + blocksize);
*(__be16 *)(krb5_hdr + 2) = htons(kctx->signalg); *(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
memset(krb5_hdr + 4, 0xff, 4); memset(krb5_hdr + 4, 0xff, 4);
*(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg); *(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
...@@ -191,18 +183,12 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, ...@@ -191,18 +183,12 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
goto out_err; goto out_err;
buf->pages = tmp_pages; buf->pages = tmp_pages;
switch (kctx->signalg) { if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
case SGN_ALG_DES_MAC_MD5: md5cksum.data, md5cksum.len))
if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, goto out_err;
md5cksum.data, md5cksum.len)) memcpy(krb5_hdr + 16,
goto out_err; md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
memcpy(krb5_hdr + 16, KRB5_CKSUM_LENGTH);
md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,
KRB5_CKSUM_LENGTH);
break;
default:
BUG();
}
spin_lock(&krb5_seq_lock); spin_lock(&krb5_seq_lock);
seq_send = kctx->seq_send++; seq_send = kctx->seq_send++;
......
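Review bot: The commit title says sealalg is removed as well, but in this section `kctx->sealalg` is still validated (`if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES)`) in the first hunk and written into the token header with `htons(kctx->sealalg)` in the second, so only signalg is actually retired; the title should be narrowed to signalg, or the description should say sealalg is deliberately kept per call. The `dprintk("RPC: gss_krb5_seal: ...")` prefix in that sealalg branch also names the wrong function for gss_wrap_kerberos, which is worth correcting while this block is reworked. gss_wrap_kerberos starts and ends outside these hunks.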