From: Trond Myklebust <Trond.Myklebust@netapp.com>
To: linux-nfs@vger.kernel.org
Subject: [PATCH 04/22] gss_krb5: split up functions in preparation of adding new enctypes
Date: Wed, 14 Apr 2010 13:36:40 -0400 [thread overview]
Message-ID: <1271266618-26016-5-git-send-email-Trond.Myklebust@netapp.com> (raw)
In-Reply-To: <1271266618-26016-4-git-send-email-Trond.Myklebust@netapp.com>
From: Kevin Coffman <kwc@citi.umich.edu>
Add encryption type to the krb5 context structure and use it to switch
to the correct functions depending on the encryption type.
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
---
include/linux/sunrpc/gss_krb5.h | 1 +
net/sunrpc/auth_gss/gss_krb5_mech.c | 1 +
net/sunrpc/auth_gss/gss_krb5_seal.c | 20 ++++++++++++++--
net/sunrpc/auth_gss/gss_krb5_unseal.c | 21 +++++++++++++++--
net/sunrpc/auth_gss/gss_krb5_wrap.c | 38 +++++++++++++++++++++++++++-----
5 files changed, 69 insertions(+), 12 deletions(-)
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index 31bb8a5..5378e45 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -48,6 +48,7 @@
struct krb5_ctx {
int initiate; /* 1 = initiating, 0 = accepting */
+ u32 enctype;
struct crypto_blkcipher *enc;
struct crypto_blkcipher *seq;
s32 endtime;
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 2deb0ed..0cd940e 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -139,6 +139,7 @@ gss_import_sec_context_kerberos(const void *p,
p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
if (IS_ERR(p))
goto out_err_free_ctx;
+ ctx->enctype = ENCTYPE_DES_CBC_RAW;
/* The downcall format was designed before we completely understood
* the uses of the context fields; so it includes some stuff we
* just give some minimal sanity-checking, and some we ignore
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index 88fe6e7..71c2014 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -70,11 +70,10 @@
DEFINE_SPINLOCK(krb5_seq_lock);
-u32
-gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
+static u32
+gss_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text,
struct xdr_netobj *token)
{
- struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
char cksumdata[16];
struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
unsigned char *ptr, *msg_start;
@@ -120,3 +119,18 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
return (ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
}
+
+u32
+gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
+ struct xdr_netobj *token)
+{
+ struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
+
+ switch (ctx->enctype) {
+ default:
+ BUG();
+ case ENCTYPE_DES_CBC_RAW:
+ return gss_get_mic_v1(ctx, text, token);
+ }
+}
+
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index ce6c247..069d4b5 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -70,11 +70,10 @@
/* read_token is a mic token, and message_buffer is the data that the mic was
* supposedly taken over. */
-u32
-gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
+static u32
+gss_verify_mic_v1(struct krb5_ctx *ctx,
struct xdr_buf *message_buffer, struct xdr_netobj *read_token)
{
- struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
int signalg;
int sealalg;
char cksumdata[16];
@@ -135,3 +134,19 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
return GSS_S_COMPLETE;
}
+
+u32
+gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
+ struct xdr_buf *message_buffer,
+ struct xdr_netobj *read_token)
+{
+ struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
+
+ switch (ctx->enctype) {
+ default:
+ BUG();
+ case ENCTYPE_DES_CBC_RAW:
+ return gss_verify_mic_v1(ctx, message_buffer, read_token);
+ }
+}
+
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index 5d6c3b1..b45b59b 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -124,11 +124,10 @@ make_confounder(char *p, u32 conflen)
/* XXX factor out common code with seal/unseal. */
-u32
-gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
+static u32
+gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
struct xdr_buf *buf, struct page **pages)
{
- struct krb5_ctx *kctx = ctx->internal_ctx_id;
char cksumdata[16];
struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
int blocksize = 0, plainlen;
@@ -203,10 +202,9 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
return (kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
}
-u32
-gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
+static u32
+gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
{
- struct krb5_ctx *kctx = ctx->internal_ctx_id;
int signalg;
int sealalg;
char cksumdata[16];
@@ -294,3 +292,31 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
return GSS_S_COMPLETE;
}
+
+u32
+gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
+ struct xdr_buf *buf, struct page **pages)
+{
+ struct krb5_ctx *kctx = gctx->internal_ctx_id;
+
+ switch (kctx->enctype) {
+ default:
+ BUG();
+ case ENCTYPE_DES_CBC_RAW:
+ return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
+ }
+}
+
+u32
+gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct xdr_buf *buf)
+{
+ struct krb5_ctx *kctx = gctx->internal_ctx_id;
+
+ switch (kctx->enctype) {
+ default:
+ BUG();
+ case ENCTYPE_DES_CBC_RAW:
+ return gss_unwrap_kerberos_v1(kctx, offset, buf);
+ }
+}
+
--
1.6.6.1
next prev parent reply other threads:[~2010-04-14 17:37 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-14 17:36 [PATCH 00/22] Add support for more RPCSEC_GSS/krb5 enctypes Trond Myklebust
2010-04-14 17:36 ` [PATCH 01/22] gss_krb5: Introduce encryption type framework Trond Myklebust
2010-04-14 17:36 ` [PATCH 02/22] gss_krb5: Added and improved code comments Trond Myklebust
2010-04-14 17:36 ` [PATCH 03/22] gss_krb5: Don't expect blocksize to always be 8 when calculating padding Trond Myklebust
2010-04-14 17:36 ` Trond Myklebust [this message]
2010-04-14 17:36 ` [PATCH 05/22] gss_krb5: prepare for new context format Trond Myklebust
2010-04-14 17:36 ` [PATCH 06/22] gss_krb5: introduce encryption type framework Trond Myklebust
2010-04-14 17:36 ` [PATCH 07/22] gss_krb5: add ability to have a keyed checksum (hmac) Trond Myklebust
2010-04-14 17:36 ` [PATCH 08/22] gss_krb5: import functionality to derive keys into the kernel Trond Myklebust
2010-04-14 17:36 ` [PATCH 09/22] gss_krb5: handle new context format from gssd Trond Myklebust
2010-04-14 17:36 ` [PATCH 10/22] gss_krb5: Add upcall info indicating supported kerberos enctypes Trond Myklebust
2010-04-14 17:36 ` [PATCH 11/22] gss_krb5: add support for triple-des encryption Trond Myklebust
2010-04-14 17:36 ` [PATCH 12/22] gss_krb5: Advertise triple-des enctype support in the rpcsec_gss/krb5 upcall Trond Myklebust
2010-04-14 17:36 ` [PATCH 13/22] xdr: Add an export for the helper function write_bytes_to_xdr_buf() Trond Myklebust
2010-04-14 17:36 ` [PATCH 14/22] gss_krb5: add support for new token formats in rfc4121 Trond Myklebust
2010-04-14 17:36 ` [PATCH 15/22] gss_krb5: add remaining pieces to enable AES encryption support Trond Myklebust
2010-04-14 17:36 ` [PATCH 16/22] gss_krb5: Advertise AES enctype support in the rpcsec_gss/krb5 upcall Trond Myklebust
2010-04-14 17:36 ` [PATCH 17/22] gssd_krb5: arcfour-hmac support Trond Myklebust
2010-04-14 17:36 ` [PATCH 18/22] gss_krb5: Save the raw session key in the context Trond Myklebust
2010-04-14 17:36 ` [PATCH 19/22] gssd_krb5: More arcfour-hmac support Trond Myklebust
2010-04-14 17:36 ` [PATCH 20/22] gss_krb5: Use confounder length in wrap code Trond Myklebust
2010-04-14 17:36 ` [PATCH 21/22] gss_krb5: Add support for rc4-hmac encryption Trond Myklebust
2010-04-14 17:36 ` [PATCH 22/22] gss_krb5: Advertise rc4-hmac enctype support in the rpcsec_gss/krb5 upcall Trond Myklebust
2010-04-14 18:30 ` [PATCH 10/22] gss_krb5: Add upcall info indicating supported kerberos enctypes Kevin Coffman
2010-04-14 18:37 ` Trond Myklebust
2010-04-14 18:51 ` Kevin Coffman
2010-04-14 19:32 ` Steve Dickson
2010-04-14 19:50 ` Kevin Coffman
2010-04-14 19:54 ` Steve Dickson
2010-04-15 11:34 ` Steve Dickson
2010-04-15 13:17 ` Kevin Coffman
2010-04-15 13:22 ` Trond Myklebust
2010-04-15 13:31 ` Trond Myklebust
2010-04-14 17:47 ` [PATCH 00/22] Add support for more RPCSEC_GSS/krb5 enctypes J. Bruce Fields
2010-04-14 17:54 ` Trond Myklebust
2010-04-14 19:36 ` Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1271266618-26016-5-git-send-email-Trond.Myklebust@netapp.com \
--to=trond.myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox