Commit fc263a91 authored by Kevin Coffman's avatar Kevin Coffman Committed by Trond Myklebust

gss_krb5: Save the raw session key in the context

This is needed for deriving arcfour-hmac keys "on the fly"
using the sequence number or checksu
Signed-off-by: default avatarKevin Coffman <kwc@citi.umich.edu>
Signed-off-by: default avatarSteve Dickson <steved@redhat.com>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 8b237076
...@@ -101,6 +101,7 @@ struct krb5_ctx { ...@@ -101,6 +101,7 @@ struct krb5_ctx {
struct crypto_blkcipher *initiator_enc; struct crypto_blkcipher *initiator_enc;
struct crypto_blkcipher *acceptor_enc_aux; struct crypto_blkcipher *acceptor_enc_aux;
struct crypto_blkcipher *initiator_enc_aux; struct crypto_blkcipher *initiator_enc_aux;
u8 Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
u8 cksum[GSS_KRB5_MAX_KEYLEN]; u8 cksum[GSS_KRB5_MAX_KEYLEN];
s32 endtime; s32 endtime;
u32 seq_send; u32 seq_send;
......
...@@ -344,7 +344,7 @@ set_cdata(u8 cdata[GSS_KRB5_K5CLENGTH], u32 usage, u8 seed) ...@@ -344,7 +344,7 @@ set_cdata(u8 cdata[GSS_KRB5_K5CLENGTH], u32 usage, u8 seed)
} }
static int static int
context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen) context_derive_keys_des3(struct krb5_ctx *ctx)
{ {
struct xdr_netobj c, keyin, keyout; struct xdr_netobj c, keyin, keyout;
u8 cdata[GSS_KRB5_K5CLENGTH]; u8 cdata[GSS_KRB5_K5CLENGTH];
...@@ -353,18 +353,18 @@ context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen) ...@@ -353,18 +353,18 @@ context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
c.len = GSS_KRB5_K5CLENGTH; c.len = GSS_KRB5_K5CLENGTH;
c.data = cdata; c.data = cdata;
keyin.data = rawkey; keyin.data = ctx->Ksess;
keyin.len = keylen; keyin.len = ctx->gk5e->keylength;
keyout.len = keylen; keyout.len = ctx->gk5e->keylength;
/* seq uses the raw key */ /* seq uses the raw key */
ctx->seq = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name, ctx->seq = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
rawkey); ctx->Ksess);
if (ctx->seq == NULL) if (ctx->seq == NULL)
goto out_err; goto out_err;
ctx->enc = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name, ctx->enc = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
rawkey); ctx->Ksess);
if (ctx->enc == NULL) if (ctx->enc == NULL)
goto out_free_seq; goto out_free_seq;
...@@ -389,7 +389,7 @@ context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen) ...@@ -389,7 +389,7 @@ context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
} }
static int static int
context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen) context_derive_keys_new(struct krb5_ctx *ctx)
{ {
struct xdr_netobj c, keyin, keyout; struct xdr_netobj c, keyin, keyout;
u8 cdata[GSS_KRB5_K5CLENGTH]; u8 cdata[GSS_KRB5_K5CLENGTH];
...@@ -398,9 +398,9 @@ context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen) ...@@ -398,9 +398,9 @@ context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
c.len = GSS_KRB5_K5CLENGTH; c.len = GSS_KRB5_K5CLENGTH;
c.data = cdata; c.data = cdata;
keyin.data = rawkey; keyin.data = ctx->Ksess;
keyin.len = keylen; keyin.len = ctx->gk5e->keylength;
keyout.len = keylen; keyout.len = ctx->gk5e->keylength;
/* initiator seal encryption */ /* initiator seal encryption */
set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_ENCRYPTION); set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_ENCRYPTION);
...@@ -502,7 +502,6 @@ context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen) ...@@ -502,7 +502,6 @@ context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
static int static int
gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx) gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
{ {
u8 rawkey[GSS_KRB5_MAX_KEYLEN];
int keylen; int keylen;
p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags)); p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
...@@ -538,7 +537,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx) ...@@ -538,7 +537,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
} }
keylen = ctx->gk5e->keylength; keylen = ctx->gk5e->keylength;
p = simple_get_bytes(p, end, rawkey, keylen); p = simple_get_bytes(p, end, ctx->Ksess, keylen);
if (IS_ERR(p)) if (IS_ERR(p))
goto out_err; goto out_err;
...@@ -557,10 +556,10 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx) ...@@ -557,10 +556,10 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
switch (ctx->enctype) { switch (ctx->enctype) {
case ENCTYPE_DES3_CBC_RAW: case ENCTYPE_DES3_CBC_RAW:
return context_derive_keys_des3(ctx, rawkey, keylen); return context_derive_keys_des3(ctx);
case ENCTYPE_AES128_CTS_HMAC_SHA1_96: case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
case ENCTYPE_AES256_CTS_HMAC_SHA1_96: case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
return context_derive_keys_new(ctx, rawkey, keylen); return context_derive_keys_new(ctx);
default: default:
return -EINVAL; return -EINVAL;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment