public inbox for linux-nfs@vger.kernel.org
From: Trond Myklebust <Trond.Myklebust@netapp.com>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 10/22] gss_krb5: Add upcall info indicating supported kerberos enctypes
Date: Wed, 14 Apr 2010 14:37:59 -0400
Message-ID: <1271270279.22566.22.camel@localhost.localdomain>
In-Reply-To: <y2t4d569c331004141130z7525d001gcdb81db5b1ede42e@mail.gmail.com>

On Wed, 2010-04-14 at 14:30 -0400, Kevin Coffman wrote: 
> On Wed, Apr 14, 2010 at 1:36 PM, Trond Myklebust
> <Trond.Myklebust@netapp.com> wrote:
> > The text based upcall now indicates which Kerberos encryption types are
> > supported by the kernel rpcsecgss code.  This is used by gssd to
> > determine which encryption types it should attempt to negotiate
> > when creating a context with a server.
> >
> > The server principal's database and keytab encryption types are
> > what limits what it should negotiate.  Therefore, its keytab
> > should be created with only the enctypes listed by this file.
> >
> > Currently we support des-cbc-crc, des-cbc-md4 and des-cbc-md5
> >
> > Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
> > ---
> >  include/linux/sunrpc/gss_api.h      |    2 ++
> >  net/sunrpc/auth_gss/auth_gss.c      |    8 +++++++-
> >  net/sunrpc/auth_gss/gss_krb5_mech.c |    1 +
> >  3 files changed, 10 insertions(+), 1 deletions(-)
> >
> > diff --git a/include/linux/sunrpc/gss_api.h b/include/linux/sunrpc/gss_api.h
> > index 03f3333..b22d7f1 100644
> > --- a/include/linux/sunrpc/gss_api.h
> > +++ b/include/linux/sunrpc/gss_api.h
> > @@ -80,6 +80,8 @@ struct gss_api_mech {
> >        /* pseudoflavors supported by this mechanism: */
> >        int                     gm_pf_num;
> >        struct pf_desc *        gm_pfs;
> > +       /* Should the following be a callback operation instead? */
> > +       const char              *gm_upcall_enctypes;
> >  };
> >
> >  /* and must provide the following operations: */
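Review bot: the added comment "Should the following be a callback operation instead?" leaves an open design question in a public header; either settle it before merging or replace the comment with a description of what the string must contain (a space-terminated "enctypes=..." token that gss_encode_v1_msg() appends verbatim to the upcall line), since every mechanism that sets gm_upcall_enctypes has to get that format exactly right.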
> > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
> > index d64a58b..6654c85 100644
> > --- a/net/sunrpc/auth_gss/auth_gss.c
> > +++ b/net/sunrpc/auth_gss/auth_gss.c
> > @@ -377,11 +377,12 @@ static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg)
> >  static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
> >                                struct rpc_clnt *clnt, int machine_cred)
> >  {
> > +       struct gss_api_mech *mech = gss_msg->auth->mech;
> >        char *p = gss_msg->databuf;
> >        int len = 0;
> >
> >        gss_msg->msg.len = sprintf(gss_msg->databuf, "mech=%s uid=%d ",
> > -                                  gss_msg->auth->mech->gm_name,
> > +                                  mech->gm_name,
> >                                   gss_msg->uid);
> >        p += gss_msg->msg.len;
> >        if (clnt->cl_principal) {
> > @@ -398,6 +399,11 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
> >                p += len;
> >                gss_msg->msg.len += len;
> >        }
> > +       if (mech->gm_upcall_enctypes) {
> > +               len = sprintf(p, mech->gm_upcall_enctypes);
> > +               p += len;
> > +               gss_msg->msg.len += len;
> > +       }
> >        len = sprintf(p, "\n");
> >        gss_msg->msg.len += len;
> >
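Review bot: `len = sprintf(p, mech->gm_upcall_enctypes);` passes a non-literal string as the format argument; write it as `len = sprintf(p, "%s", mech->gm_upcall_enctypes);` so that a '%' in any future mechanism's string cannot be interpreted as a conversion and -Wformat-security does not fire. The hunk also keeps extending databuf with unbounded sprintf calls; as the advertised enctype list grows it is worth checking the accumulated gss_msg->msg.len against the buffer's size here (the size itself is not visible in this hunk).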
> > diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > index 8b612e7..d96d824 100644
> > --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> > +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> > @@ -552,6 +552,7 @@ static struct gss_api_mech gss_kerberos_mech = {
> >        .gm_ops         = &gss_kerberos_ops,
> >        .gm_pf_num      = ARRAY_SIZE(gss_kerberos_pfs),
> >        .gm_pfs         = gss_kerberos_pfs,
> > +       .gm_upcall_enctypes = "enctypes=1,2,3 ",
> >  };
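Review bot: the trailing space in "enctypes=1,2,3 " is load-bearing, because gss_encode_v1_msg() appends only "\n" after it and the preceding fields are also space-terminated; a one-line comment next to the initializer stating that the value must end in a space and must not contain '%' (it is passed straight to sprintf in auth_gss.c) would keep the next enctype patch from silently corrupting the upcall line.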
> 
> Hi Trond,
> This list should be in preference order.  It doesn't matter much with
> this one, but the preferred order for DES is usually "3,1,2".
> 
> When adding 3DES, the list should be "16,3,1,2"
> When adding AES, it should be "18,17,16,3,1,2"
> When adding RC4, it should be "18,17,16,23,3,1,2"
> 
> K.C.

Hi Kevin,

The decision to change the order was not mine. My first version of these
patches did indeed preserve your ordering as above. However, apparently
Steve's testing showed that the gss library routines prefer increasing
order.

More specifically, Steve identified that gss_set_allowable_enctypes()
apparently requires ordering by increasing value.

Cheers
  Trond
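The thread above describes the upcall line as a sequence of space-terminated "key=value" tokens, with the kernel advertising its enctypes in one order and gss_set_allowable_enctypes() reportedly requiring ascending order on the gssd side. The following is an added example, not code from the patch series or from nfs-utils gssd: a small parser that extracts the "enctypes=" field from a v1 upcall line, rejects malformed lists, sorts the ids ascending, and re-emits the token with bounded formatting. The function names, the MAX_ENCTYPES limit and the assumption that enctype ids are positive integers are all hypothetical; the line format is taken from the sprintf calls in the hunks.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENCTYPES 16 /* assumed upper bound, not from the patch */

/* Parse the "enctypes=" field of a v1 text upcall line such as
 * "mech=krb5 uid=1000 enctypes=18,17,16,3,1,2 \n" (format assumed from
 * the patch: space-terminated key=value tokens).
 * Returns the number of ids stored in out[], 0 if the field is absent,
 * or -1 if the list is malformed (empty element, non-digit, overflow,
 * more than max entries). */
static int parse_upcall_enctypes(const char *line, int *out, int max)
{
	const char *p = strstr(line, "enctypes=");
	int n = 0;

	if (!p)
		return 0;
	/* must be a whole token, not the tail of e.g. "xenctypes=" */
	if (p != line && p[-1] != ' ')
		return -1;
	p += strlen("enctypes=");
	while (*p && *p != ' ' && *p != '\n') {
		char *end;
		long v;

		errno = 0;
		v = strtol(p, &end, 10);
		if (end == p || errno != 0 || v <= 0 || v > INT_MAX)
			return -1;
		if (n >= max)
			return -1;
		out[n++] = (int)v;
		p = end;
		if (*p == ',') {
			p++;
			/* a separator must be followed by another id */
			if (*p == ' ' || *p == '\n' || *p == '\0')
				return -1;
		} else if (*p != ' ' && *p != '\n' && *p != '\0') {
			return -1;
		}
	}
	return n;
}

static int cmp_int(const void *a, const void *b)
{
	int x = *(const int *)a, y = *(const int *)b;
	return (x > y) - (x < y);
}

/* Ascending order, as Trond reports gss_set_allowable_enctypes() expects. */
static void sort_enctypes_ascending(int *list, int n)
{
	qsort(list, (size_t)n, sizeof(*list), cmp_int);
}

/* Bounded re-encoding of the token, "enctypes=1,2,3 " style, with the
 * trailing space the upcall format relies on. Returns bytes written
 * (excluding NUL) or -1 if buf is too small. */
static int format_enctypes(const int *list, int n, char *buf, size_t buflen)
{
	size_t used;
	int r = snprintf(buf, buflen, "enctypes=");

	if (r < 0 || (size_t)r >= buflen)
		return -1;
	used = (size_t)r;
	for (int i = 0; i < n; i++) {
		r = snprintf(buf + used, buflen - used, "%s%d", i ? "," : "", list[i]);
		if (r < 0 || (size_t)r >= buflen - used)
			return -1;
		used += (size_t)r;
	}
	r = snprintf(buf + used, buflen - used, " ");
	if (r < 0 || (size_t)r >= buflen - used)
		return -1;
	return (int)(used + (size_t)r);
}

/* Parse, sort ascending and re-emit. Returns the formatted length,
 * 0 if no enctypes field was present, -1 on malformed input or a
 * too-small buffer. */
static int normalize_upcall_enctypes(const char *line, char *buf, size_t buflen)
{
	int list[MAX_ENCTYPES];
	int n = parse_upcall_enctypes(line, list, MAX_ENCTYPES);

	if (n <= 0)
		return n;
	sort_enctypes_ascending(list, n);
	return format_enctypes(list, n, buf, buflen);
}

int main(void)
{
	/* constructed sample line in the patch's format */
	const char *line = "mech=krb5 uid=1000 enctypes=18,17,16,3,1,2 \n";
	char buf[64];

	if (normalize_upcall_enctypes(line, buf, sizeof buf) > 0)
		printf("%s\n", buf);
	return 0;
}
```

The parser treats an empty element ("1,,2"), a stray separator before the terminating space, or a non-numeric id as a hard error rather than skipping it, so a truncated or corrupted upcall line is refused instead of silently negotiating a shorter list; the bounded formatter is the counterpart to the unbounded sprintf calls in the patch.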
