X-Git-Url: https://git.whamcloud.com/?a=blobdiff_plain;f=lustre%2Futils%2Fgss%2Fsk_utils.c;h=d3cf5ff6637fc470d4ba63dca23f7a8ed9719d6c;hb=9918de22d8249d0eb183d807ec583ec89a03a0e0;hp=4b4a911d8f62a8b7ddaa6c11b695a36f78242b09;hpb=a21c13d4df4bea1bec0f5804136740ed53d5a57f;p=fs%2Flustre-release.git

diff --git a/lustre/utils/gss/sk_utils.c b/lustre/utils/gss/sk_utils.c
index 4b4a911..d3cf5ff 100644
--- a/lustre/utils/gss/sk_utils.c
+++ b/lustre/utils/gss/sk_utils.c
@@ -39,6 +39,7 @@
 #include <openssl/hmac.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <libcfs/util/string.h>
 
 #include "sk_utils.h"
 #include "write_bytes.h"
@@ -301,8 +302,6 @@ void sk_config_cpu_to_disk(struct sk_keyfile_config *config)
 
 	for (i = 0; i < MAX_MGSNIDS; i++)
 		config->skc_mgsnids[i] = htobe64(config->skc_mgsnids[i]);
-
-	return;
 }
 
 /**
@@ -326,8 +325,6 @@ void sk_config_disk_to_cpu(struct sk_keyfile_config *config)
 
 	for (i = 0; i < MAX_MGSNIDS; i++)
 		config->skc_mgsnids[i] = be64toh(config->skc_mgsnids[i]);
-
-	return;
 }
 
 /**
@@ -691,6 +688,8 @@ out_err:
 uint32_t sk_gen_params(struct sk_cred *skc)
 {
 	uint32_t random;
+	BIGNUM *p, *g;
+	const BIGNUM *pub_key;
 	int rc;
 
 	/* Random value used by both the request and response as part of the
@@ -716,23 +715,28 @@ uint32_t sk_gen_params(struct sk_cred *skc)
 		return GSS_S_FAILURE;
 	}
 
-	skc->sc_params->p = BN_bin2bn(skc->sc_p.value, skc->sc_p.length, NULL);
-	if (!skc->sc_params->p) {
+	p = BN_bin2bn(skc->sc_p.value, skc->sc_p.length, NULL);
+	if (!p) {
 		printerr(0, "Failed to convert binary to BIGNUM\n");
 		return GSS_S_FAILURE;
 	}
 
 	/* We use a static generator for shared key */
-	skc->sc_params->g = BN_new();
-	if (!skc->sc_params->g) {
+	g = BN_new();
+	if (!g) {
 		printerr(0, "Failed to allocate new BIGNUM\n");
 		return GSS_S_FAILURE;
 	}
-	if (BN_set_word(skc->sc_params->g, SK_GENERATOR) != 1) {
+	if (BN_set_word(g, SK_GENERATOR) != 1) {
 		printerr(0, "Failed to set g value for DH params\n");
 		return GSS_S_FAILURE;
 	}
 
+	if (!DH_set0_pqg(skc->sc_params, p, NULL, g)) {
+		printerr(0, "Failed to set pqg\n");
+		return GSS_S_FAILURE;
+	}
+
 	/* Verify that we have a safe prime and valid generator */
 	if (DH_check(skc->sc_params, &rc) != 1) {
 		printerr(0, "DH_check() failed: %d\n", rc);
@@ -748,14 +752,15 @@ uint32_t sk_gen_params(struct sk_cred *skc)
 		return GSS_S_FAILURE;
 	}
 
-	skc->sc_pub_key.length = BN_num_bytes(skc->sc_params->pub_key);
+	DH_get0_key(skc->sc_params, &pub_key, NULL);
+	skc->sc_pub_key.length = BN_num_bytes(pub_key);
 	skc->sc_pub_key.value = malloc(skc->sc_pub_key.length);
 	if (!skc->sc_pub_key.value) {
 		printerr(0, "Failed to allocate memory for public key\n");
 		return GSS_S_FAILURE;
 	}
 
-	BN_bn2bin(skc->sc_params->pub_key, skc->sc_pub_key.value);
+	BN_bn2bin(pub_key, skc->sc_pub_key.value);
 
 	return GSS_S_COMPLETE;
 }
@@ -797,7 +802,7 @@ static inline const EVP_MD *sk_hash_to_evp_md(enum cfs_crypto_hash_alg alg)
 int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
 		 const EVP_MD *hash_alg, gss_buffer_desc *hmac)
 {
-	HMAC_CTX hctx;
+	HMAC_CTX *hctx;
 	unsigned int hashlen = EVP_MD_size(hash_alg);
 	int i;
 	int rc = -1;
@@ -807,7 +812,7 @@ int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
 		return -1;
 	}
 
-	HMAC_CTX_init(&hctx);
+	hctx = HMAC_CTX_new();
 
 	hmac->length = hashlen;
 	hmac->value = malloc(hashlen);
@@ -816,20 +821,20 @@ int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
 		goto out;
 	}
 
-	if (HMAC_Init_ex(&hctx, key->value, key->length, hash_alg, NULL) != 1) {
+	if (HMAC_Init_ex(hctx, key->value, key->length, hash_alg, NULL) != 1) {
 		printerr(0, "Failed to init HMAC\n");
 		goto out;
 	}
 
 	for (i = 0; i < numbufs; i++) {
-		if (HMAC_Update(&hctx, bufs[i].value, bufs[i].length) != 1) {
+		if (HMAC_Update(hctx, bufs[i].value, bufs[i].length) != 1) {
 			printerr(0, "Failed to update HMAC\n");
 			goto out;
 		}
 	}
 
 	/* The result gets populated in hmac */
-	if (HMAC_Final(&hctx, hmac->value, &hashlen) != 1) {
+	if (HMAC_Final(hctx, hmac->value, &hashlen) != 1) {
 		printerr(0, "Failed to finalize HMAC\n");
 		goto out;
 	}
@@ -841,7 +846,7 @@ int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
 
 	rc = 0;
 out:
-	HMAC_CTX_cleanup(&hctx);
+	HMAC_CTX_free(hctx);
 	return rc;
 }
 
@@ -1157,10 +1162,26 @@ uint32_t sk_compute_dh_key(struct sk_cred *skc, const gss_buffer_desc *pub_key)
 			 ERR_error_string(ERR_get_error(), NULL));
 		goto out_err;
 	} else if (status < dh_shared->length) {
-		printerr(0, "DH_compute_key() returned a short key of %d "
-			 "bytes, expected: %zu\n", status, dh_shared->length);
-		rc = GSS_S_DEFECTIVE_TOKEN;
-		goto out_err;
+		/* there is around 1 chance out of 256 that the returned
+		 * shared key is shorter than expected
+		 */
+		if (status >= dh_shared->length - 2) {
+			int shift = dh_shared->length - status;
+			/* if the key is short by only 1 or 2 bytes, just
+			 * prepend it with 0s
+			 */
+			memmove((void *)(dh_shared->value + shift),
+				dh_shared->value, status);
+			memset(dh_shared->value, 0, shift);
+		} else {
+			/* if the key is really too short, return GSS_S_BAD_QOP
+			 * so that the caller can retry to generate
+			 */
+			printerr(0, "DH_compute_key() returned a short key of %d bytes, expected: %zu\n",
+				 status, dh_shared->length);
+			rc = GSS_S_BAD_QOP;
+			goto out_err;
+		}
 	}
 
 	rc = GSS_S_COMPLETE;
@@ -1324,7 +1345,7 @@ int sk_encode_netstring(gss_buffer_desc *bufs, int numbufs,
 	ptr = ns->value;
 	for (i = 0; i < numbufs; i++) {
 		/* size */
-		rc = snprintf((char *) ptr, size, "%zu:", bufs[i].length);
+		rc = scnprintf((char *) ptr, size, "%zu:", bufs[i].length);
 		ptr += rc;
 
 		/* contents */