From: "J. Bruce Fields" <bfields@fieldses.org>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [enctypes round 2: PATCH 00/26] Implement more encryption for gss_krb5
Date: Fri, 2 May 2008 17:38:36 -0400
Message-ID: <20080502213836.GL21918@fieldses.org>
In-Reply-To: <20080430164306.16010.44650.stgit-zTNJhAanYLVZN1qrTdtDg5Vzexx5G7lz@public.gmane.org>

On Wed, Apr 30, 2008 at 12:45:48PM -0400, Kevin Coffman wrote:
> This is round 2.
>
> This set of patches adds kernel support for triple-DES (des3-cbc-sha1),
> arcfour (rc4-hmac), and AES (aes128-cts, aes256-cts) encryption to the
> kernel's Kerberos rpcsec_gss code.
>
> These are currently based on Trond's tree as of 4/29/08 @ 17:15.
>
> Two issues remain:
>
> 1) The patch to add krb5_info will eventually be replaced with an
> updated upcall which will include the supported enctype information.
> I have split out these portions of the patches to (hopefully) make
> that transition easier.

OK, thanks. I think I'll delay looking at the rest until the new
upcall's done; I hope I can work on that after connectathon.

--b.

>
> 2) There is currently no code to handle the possibility of rotated
> data in the version two tokens. I don't expect we'll see rotated
> data in normal operation, but this should be done eventually for
> completeness.
>
> There are two nfs-utils patches required with this. The first reads
> and parses the list of kernel supported enctypes. The second
> implements the new context format from user-land to kernel.
> I will include these in a new set of CITI nfs-utils patches RSN.
>
>
> ------------------
>
> Note: for AES support, the following patch for MIT Kerberos is needed
> to get the right key when there is an acceptor_subkey. [mea culpa]
>
> This fix is scheduled to be included in MIT release 1.6.4, currently
> in beta testing.
>
> This patch should also apply to releases 1.4.0 to 1.6.3.
>
> Index: src/lib/gssapi/krb5/lucid_context.c
> ===================================================================
> --- src/lib/gssapi/krb5/lucid_context.c (revision 20174)
> +++ src/lib/gssapi/krb5/lucid_context.c (revision 20175)
> @@ -231,7 +231,7 @@
> &lctx->cfx_kd.ctx_key)))
> goto error_out;
> if (gctx->have_acceptor_subkey) {
> - if ((retval = copy_keyblock_to_lucid_key(gctx->enc,
> + if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
> &lctx->cfx_kd.acceptor_subkey)))
> goto error_out;
> lctx->cfx_kd.have_acceptor_subkey = 1;
>
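Review bot: In the `if (gctx->have_acceptor_subkey)` branch, the new call passes `gctx->acceptor_subkey` to `copy_keyblock_to_lucid_key` on the strength of the flag alone. If the flag and the pointer can ever disagree, the copy gets a null source, so either state the invariant in a comment at that branch or test the pointer together with the flag. Because the defect was a single wrong argument (`gctx->enc` exported into `cfx_kd.acceptor_subkey`) that still produced a well-formed key, a regression test that exports a lucid context with an acceptor subkey present and compares the exported key against the subkey would catch a repeat.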