#include <openssl/hmac.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <libcfs/util/string.h>
#include "sk_utils.h"
#include "write_bytes.h"
for (i = 0; i < MAX_MGSNIDS; i++)
config->skc_mgsnids[i] = htobe64(config->skc_mgsnids[i]);
-
- return;
}
/**
for (i = 0; i < MAX_MGSNIDS; i++)
config->skc_mgsnids[i] = be64toh(config->skc_mgsnids[i]);
-
- return;
}
/**
uint32_t sk_gen_params(struct sk_cred *skc)
{
uint32_t random;
+ BIGNUM *p, *g;
+ const BIGNUM *pub_key;
int rc;
/* Random value used by both the request and response as part of the
return GSS_S_FAILURE;
}
- skc->sc_params->p = BN_bin2bn(skc->sc_p.value, skc->sc_p.length, NULL);
- if (!skc->sc_params->p) {
+ p = BN_bin2bn(skc->sc_p.value, skc->sc_p.length, NULL);
+ if (!p) {
printerr(0, "Failed to convert binary to BIGNUM\n");
return GSS_S_FAILURE;
}
/* We use a static generator for shared key */
- skc->sc_params->g = BN_new();
- if (!skc->sc_params->g) {
+ g = BN_new();
+ if (!g) {
printerr(0, "Failed to allocate new BIGNUM\n");
return GSS_S_FAILURE;
}
- if (BN_set_word(skc->sc_params->g, SK_GENERATOR) != 1) {
+ if (BN_set_word(g, SK_GENERATOR) != 1) {
printerr(0, "Failed to set g value for DH params\n");
return GSS_S_FAILURE;
}
+ if (!DH_set0_pqg(skc->sc_params, p, NULL, g)) {
+ printerr(0, "Failed to set pqg\n");
+ return GSS_S_FAILURE;
+ }
+
/* Verify that we have a safe prime and valid generator */
if (DH_check(skc->sc_params, &rc) != 1) {
printerr(0, "DH_check() failed: %d\n", rc);
return GSS_S_FAILURE;
}
- skc->sc_pub_key.length = BN_num_bytes(skc->sc_params->pub_key);
+ DH_get0_key(skc->sc_params, &pub_key, NULL);
+ skc->sc_pub_key.length = BN_num_bytes(pub_key);
skc->sc_pub_key.value = malloc(skc->sc_pub_key.length);
if (!skc->sc_pub_key.value) {
printerr(0, "Failed to allocate memory for public key\n");
return GSS_S_FAILURE;
}
- BN_bn2bin(skc->sc_params->pub_key, skc->sc_pub_key.value);
+ BN_bn2bin(pub_key, skc->sc_pub_key.value);
return GSS_S_COMPLETE;
}
int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
const EVP_MD *hash_alg, gss_buffer_desc *hmac)
{
- HMAC_CTX hctx;
+ HMAC_CTX *hctx;
unsigned int hashlen = EVP_MD_size(hash_alg);
int i;
int rc = -1;
return -1;
}
- HMAC_CTX_init(&hctx);
+ hctx = HMAC_CTX_new();
hmac->length = hashlen;
hmac->value = malloc(hashlen);
goto out;
}
- if (HMAC_Init_ex(&hctx, key->value, key->length, hash_alg, NULL) != 1) {
+ if (HMAC_Init_ex(hctx, key->value, key->length, hash_alg, NULL) != 1) {
printerr(0, "Failed to init HMAC\n");
goto out;
}
for (i = 0; i < numbufs; i++) {
- if (HMAC_Update(&hctx, bufs[i].value, bufs[i].length) != 1) {
+ if (HMAC_Update(hctx, bufs[i].value, bufs[i].length) != 1) {
printerr(0, "Failed to update HMAC\n");
goto out;
}
}
/* The result gets populated in hmac */
- if (HMAC_Final(&hctx, hmac->value, &hashlen) != 1) {
+ if (HMAC_Final(hctx, hmac->value, &hashlen) != 1) {
printerr(0, "Failed to finalize HMAC\n");
goto out;
}
rc = 0;
out:
- HMAC_CTX_cleanup(&hctx);
+ HMAC_CTX_free(hctx);
return rc;
}
ERR_error_string(ERR_get_error(), NULL));
goto out_err;
} else if (status < dh_shared->length) {
- printerr(0, "DH_compute_key() returned a short key of %d "
- "bytes, expected: %zu\n", status, dh_shared->length);
- rc = GSS_S_DEFECTIVE_TOKEN;
- goto out_err;
+ /* there is around 1 chance out of 256 that the returned
+ * shared key is shorter than expected
+ */
+ if (status >= dh_shared->length - 2) {
+ int shift = dh_shared->length - status;
+ /* if the key is short by only 1 or 2 bytes, just
+ * prepend it with 0s
+ */
+ memmove((void *)(dh_shared->value + shift),
+ dh_shared->value, status);
+ memset(dh_shared->value, 0, shift);
+ } else {
+ /* if the key is really too short, return GSS_S_BAD_QOP
+ * so that the caller can retry to generate
+ */
+ printerr(0, "DH_compute_key() returned a short key of %d bytes, expected: %zu\n",
+ status, dh_shared->length);
+ rc = GSS_S_BAD_QOP;
+ goto out_err;
+ }
}
rc = GSS_S_COMPLETE;
ptr = ns->value;
for (i = 0; i < numbufs; i++) {
/* size */
- rc = snprintf((char *) ptr, size, "%zu:", bufs[i].length);
+ rc = scnprintf((char *) ptr, size, "%zu:", bufs[i].length);
ptr += rc;
/* contents */