/*
* linux/net/sunrpc/gss_krb5_mech.c
+ * linux/net/sunrpc/gss_krb5_crypto.c
+ * linux/net/sunrpc/gss_krb5_seal.c
+ * linux/net/sunrpc/gss_krb5_seqnum.c
+ * linux/net/sunrpc/gss_krb5_unseal.c
*
* Copyright (c) 2001 The Regents of the University of Michigan.
* All rights reserved.
struct krb5_enctype {
char *ke_dispname;
- int ke_hash_size;
- char *ke_hash_name;
- char *ke_enc_name;
- int ke_enc_mode;
- unsigned int ke_hash_hmac:1;
+ char *ke_enc_name; /* linux tfm name */
+ char *ke_hash_name; /* linux tfm name */
+ int ke_enc_mode; /* linux tfm mode */
+ int ke_hash_size; /* checksum size */
+ int ke_conf_size; /* confounder size */
+ unsigned int ke_hash_hmac:1; /* is hmac? */
};
/*
- * NOTE: for aes128-cts and aes256-cts, MIT implementation use CTS
- * encryption mode while we CBC with padding, because we already be able
- * to handle trailling bytes, and dosen't hurt security and simpler.
+ * NOTE: for aes128-cts and aes256-cts, MIT implementation use CTS encryption.
+ * but currently we simply CBC with padding, because linux doesn't support CTS
+ * yet. this need to be fixed in the future.
*/
static struct krb5_enctype enctypes[] = {
[ENCTYPE_DES_CBC_RAW] = { /* des-cbc-md5 */
"des-cbc-md5",
- 16,
- "md5",
"des",
+ "md5",
CRYPTO_TFM_MODE_CBC,
+ 16,
+ 8,
0,
},
[ENCTYPE_DES3_CBC_RAW] = { /* des3-hmac-sha1 */
- "des3-hmac-sha1",
- 20,
- "sha1",
+ "des-hmac-sha1",
"des3_ede",
+ "sha1",
CRYPTO_TFM_MODE_CBC,
+ 20,
+ 8,
1,
},
[ENCTYPE_AES128_CTS_HMAC_SHA1_96] = { /* aes128-cts */
"aes128-cts-hmac-sha1-96",
- 12,
- "sha1",
"aes",
+ "sha1",
CRYPTO_TFM_MODE_CBC,
+ 12,
+ 16,
1,
},
[ENCTYPE_AES256_CTS_HMAC_SHA1_96] = { /* aes256-cts */
"aes256-cts-hmac-sha1-96",
- 12,
- "sha1",
"aes",
+ "sha1",
CRYPTO_TFM_MODE_CBC,
+ 12,
+ 16,
+ 1,
+ },
+ [ENCTYPE_ARCFOUR_HMAC] = { /* arcfour-hmac-md5 */
+ "arcfour-hmac-md5",
+ "arc4",
+ "md5",
+ CRYPTO_TFM_MODE_ECB,
+ 16,
+ 8,
1,
},
};
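Review bot: The display name of the `ENCTYPE_DES3_CBC_RAW` entry changes from `"des3-hmac-sha1"` to `"des-hmac-sha1"`, while the entry's own comment and its cipher name (`des3_ede`) still say 3DES, so this looks like a typo. Anything that prints `ke_dispname` would then report single DES for a 3DES context; keep `"des3-hmac-sha1",`. The positional initializers were also reordered together with the struct fields, and the two adjacent `int` members `ke_hash_size` and `ke_conf_size` can be swapped without any compiler diagnostic. Field designators (`.ke_hash_size = 20, .ke_conf_size = 8,`) would make each table row self-describing.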
ke = &enctypes[kctx->kc_enctype];
- if (keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode))
+ /* tfm arc4 is stateful, user should alloc-use-free by his own */
+ if (kctx->kc_enctype != ENCTYPE_ARCFOUR_HMAC &&
+ keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode))
return -1;
+
+ /* tfm hmac is stateful, user should alloc-use-free by his own */
if (ke->ke_hash_hmac == 0 &&
keyblock_init(&kctx->kc_keyi, ke->ke_enc_name, ke->ke_enc_mode))
return -1;
static
int get_rawobj(char **ptr, const char *end, rawobj_t *res)
{
- char *p, *q;
+ char *p, *q;
__u32 len;
p = *ptr;
#define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
static
-__u32 import_context_v2(struct krb5_ctx *kctx, char *p, char *end)
+__u32 import_context_rfc4121(struct krb5_ctx *kctx, char *p, char *end)
{
unsigned int tmp_uint, keysize;
kctx->kc_initiate = tmp_uint;
rc = import_context_rfc1964(kctx, p, end);
} else {
- rc = import_context_v2(kctx, p, end);
+ rc = import_context_rfc4121(kctx, p, end);
}
if (rc == 0)
return GSS_S_FAILURE;
knew->kc_initiate = kctx->kc_initiate ? 0 : 1;
+ knew->kc_cfx = kctx->kc_cfx;
knew->kc_seed_init = kctx->kc_seed_init;
- memcpy(knew->kc_seed, kctx->kc_seed, sizeof(kctx->kc_seed));
+ knew->kc_have_acceptor_subkey = kctx->kc_have_acceptor_subkey;
knew->kc_endtime = kctx->kc_endtime;
+ memcpy(knew->kc_seed, kctx->kc_seed, sizeof(kctx->kc_seed));
knew->kc_seq_send = kctx->kc_seq_recv;
knew->kc_seq_recv = kctx->kc_seq_send;
knew->kc_enctype = kctx->kc_enctype;
crypto_hmac_update(tfm, sg, 1);
}
- buf_to_sg(sg, (char *) khdr, sizeof(*khdr));
- crypto_hmac_update(tfm, sg, 1);
+ if (khdr) {
+ buf_to_sg(sg, (char *) khdr, sizeof(*khdr));
+ crypto_hmac_update(tfm, sg, 1);
+ }
crypto_hmac_final(tfm, key->data, &keylen, cksum->data);
return 0;
crypto_digest_update(tfm, sg, 1);
}
- buf_to_sg(sg, (char *) khdr, sizeof(*khdr));
- crypto_digest_update(tfm, sg, 1);
+ if (khdr) {
+ buf_to_sg(sg, (char *) khdr, sizeof(*khdr));
+ crypto_digest_update(tfm, sg, 1);
+ }
crypto_digest_final(tfm, cksum->data);
static
int krb5_encrypt_rawobjs(struct crypto_tfm *tfm,
+ int mode_ecb,
int inobj_cnt,
rawobj_t *inobjs,
rawobj_t *outobj,
buf_to_sg(&src, inobjs[i].data, inobjs[i].len);
buf_to_sg(&dst, buf, outobj->len - datalen);
- if (enc)
- rc = crypto_cipher_encrypt_iv(tfm, &dst, &src,
- src.length, local_iv);
- else
- rc = crypto_cipher_decrypt_iv(tfm, &dst, &src,
- src.length, local_iv);
+ if (mode_ecb) {
+ if (enc)
+ rc = crypto_cipher_encrypt(
+ tfm, &dst, &src, src.length);
+ else
+ rc = crypto_cipher_decrypt(
+ tfm, &dst, &src, src.length);
+ } else {
+ if (enc)
+ rc = crypto_cipher_encrypt_iv(
+ tfm, &dst, &src, src.length, local_iv);
+ else
+ rc = crypto_cipher_decrypt_iv(
+ tfm, &dst, &src, src.length, local_iv);
+ }
if (rc) {
CERROR("encrypt error %d\n", rc);
struct krb5_ctx *kctx = gctx->internal_ctx_id;
struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
struct krb5_header *khdr;
- unsigned char acceptor_flag = FLAG_WRAP_CONFIDENTIAL;
+ unsigned char acceptor_flag;
int blocksize;
rawobj_t cksum = RAWOBJ_EMPTY;
rawobj_t data_desc[3], cipher;
__u8 conf[GSS_MAX_CIPHER_BLOCK];
+ int enc_rc = 0;
+
+ LASSERT(ke);
+ LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
+ LASSERT(kctx->kc_keye.kb_tfm == NULL ||
+ ke->ke_conf_size >=
+ crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm));
acceptor_flag = kctx->kc_initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
khdr = (struct krb5_header *) token->data;
khdr->kh_tok_id = cpu_to_be16(KG_TOK_WRAP_MSG);
- khdr->kh_flags = acceptor_flag;
+ khdr->kh_flags = acceptor_flag | FLAG_WRAP_CONFIDENTIAL;
khdr->kh_filler = 0xff;
khdr->kh_ec = cpu_to_be16(0);
khdr->kh_rrc = cpu_to_be16(0);
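Review bot: `LASSERT(ke)` can never fire, because `ke` is `&enctypes[kctx->kc_enctype]`, the address of an array element, and no range check on `kc_enctype` is visible before the lookup. Since `enctypes[]` is filled through designated indices, any index between the listed enctypes would be a zero-filled entry (NULL names, `ke_conf_size` 0), assuming the enum values are not contiguous, which this page does not show. A check that constrains something would be `LASSERT(kctx->kc_enctype < ARRAY_SIZE(enctypes) && ke->ke_dispname != NULL);`, and it is better enforced once when the context is imported than asserted per message. The same `LASSERT(ke)` is added in the unwrap path, and the function signature lies outside this hunk.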
spin_unlock(&krb5_seq_lock);
/* generate confounder */
- blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm);
- LASSERT(blocksize <= GSS_MAX_CIPHER_BLOCK);
- get_random_bytes(conf, blocksize);
+ get_random_bytes(conf, ke->ke_conf_size);
+
+ /* get encryption blocksize. note kc_keye might not associated with
+ * a tfm, currently only for arcfour-hmac
+ */
+ if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+ LASSERT(kctx->kc_keye.kb_tfm == NULL);
+ blocksize = 1;
+ } else {
+ LASSERT(kctx->kc_keye.kb_tfm);
+ blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm);
+ }
+ LASSERT(blocksize <= ke->ke_conf_size);
/* padding the message */
if (add_padding(msg, msg_buflen, blocksize))
return GSS_S_FAILURE;
- /* encryption:
+ /*
+ * clear text layout, same for both checksum & encryption:
* -----------------------------------------
* | confounder | clear msgs | krb5 header |
* -----------------------------------------
*/
data_desc[0].data = conf;
- data_desc[0].len = blocksize;
+ data_desc[0].len = ke->ke_conf_size;
data_desc[1].data = msg->data;
data_desc[1].len = msg->len;
data_desc[2].data = (__u8 *) khdr;
data_desc[2].len = sizeof(*khdr);
+ /* compute checksum */
+ if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
+ khdr, 3, data_desc, &cksum))
+ return GSS_S_FAILURE;
+ LASSERT(cksum.len >= ke->ke_hash_size);
+
+ /* encrypting, cipher text will be directly inplace */
cipher.data = (__u8 *) (khdr + 1);
cipher.len = token->len - sizeof(*khdr);
- LASSERT(blocksize + msg->len + sizeof(*khdr) <= cipher.len);
+ LASSERT(cipher.len >= ke->ke_conf_size + msg->len + sizeof(*khdr));
- if (krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 3, data_desc,
- &cipher, 1))
- return GSS_S_FAILURE;
+ if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+ rawobj_t arc4_keye;
+ struct crypto_tfm *arc4_tfm;
- /* checksum:
- * -----------------------------------------
- * | confounder | clear msgs | krb5 header |
- * -----------------------------------------
- */
- data_desc[0].data = conf;
- data_desc[0].len = blocksize;
- data_desc[1].data = msg->data;
- data_desc[1].len = msg->len;
- data_desc[2].data = (__u8 *) khdr;
- data_desc[2].len = sizeof(*khdr);
+ if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
+ NULL, 1, &cksum, &arc4_keye)) {
+ CERROR("failed to obtain arc4 enc key\n");
+ GOTO(arc4_out, enc_rc = -EACCES);
+ }
- if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
- khdr, 3, data_desc, &cksum))
+ arc4_tfm = crypto_alloc_tfm("arc4", CRYPTO_TFM_MODE_ECB);
+ if (arc4_tfm == NULL) {
+ CERROR("failed to alloc tfm arc4 in ECB mode\n");
+ GOTO(arc4_out_key, enc_rc = -EACCES);
+ }
+
+ if (crypto_cipher_setkey(arc4_tfm,
+ arc4_keye.data, arc4_keye.len)) {
+ CERROR("failed to set arc4 key, len %d\n",
+ arc4_keye.len);
+ GOTO(arc4_out_tfm, enc_rc = -EACCES);
+ }
+
+ enc_rc = krb5_encrypt_rawobjs(arc4_tfm, 1,
+ 3, data_desc, &cipher, 1);
+arc4_out_tfm:
+ crypto_free_tfm(arc4_tfm);
+arc4_out_key:
+ rawobj_free(&arc4_keye);
+arc4_out:
+ do {} while(0); /* just to avoid compile warning */
+ } else {
+ enc_rc = krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 0,
+ 3, data_desc, &cipher, 1);
+ }
+
+ if (enc_rc != 0) {
+ rawobj_free(&cksum);
return GSS_S_FAILURE;
+ }
/* fill in checksum */
- LASSERT(cksum.len >= ke->ke_hash_size);
LASSERT(token->len >= sizeof(*khdr) + cipher.len + ke->ke_hash_size);
memcpy((char *)(khdr + 1) + cipher.len,
cksum.data + cksum.len - ke->ke_hash_size,
ke->ke_hash_size);
rawobj_free(&cksum);
+ /* final token length */
token->len = sizeof(*khdr) + cipher.len + ke->ke_hash_size;
return GSS_S_COMPLETE;
}
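Review bot: The arc4 branch added here (derive the per-message key with `krb5_make_checksum`, allocate the tfm, set the key, encrypt, free) is repeated almost line for line in the unwrap path, and the derived key in `arc4_keye` is released with `rawobj_free()` without a visible wipe. Whether `rawobj_free()` clears the buffer cannot be seen from this page; if it does not, the per-message RC4 key is left in freed memory. Moving the sequence into one static helper removes the `do {} while(0)` label workaround and gives a single place to clear the key. The unwrap copy additionally points `cksum` into the token and resets it to `RAWOBJ_EMPTY` at `arc4_out` so that `out_free` does not free token memory; with a helper that aliasing can live in a local `rawobj_t` instead. The function body starts outside this hunk.

```c
/* Per-message arc4 path shared by wrap and unwrap: derive the key from the
 * checksum, run the cipher, then clear and release the key. */
static int krb5_arc4_crypt_rawobjs(struct krb5_ctx *kctx, rawobj_t *cksum,
                                   int inobj_cnt, rawobj_t *inobjs,
                                   rawobj_t *outobj, int enc)
{
        rawobj_t           arc4_keye;
        struct crypto_tfm *arc4_tfm;
        int                rc;

        if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
                               NULL, 1, cksum, &arc4_keye)) {
                CERROR("failed to obtain arc4 enc key\n");
                return -EACCES;
        }

        arc4_tfm = crypto_alloc_tfm("arc4", CRYPTO_TFM_MODE_ECB);
        if (arc4_tfm == NULL) {
                CERROR("failed to alloc tfm arc4 in ECB mode\n");
                GOTO(out_key, rc = -EACCES);
        }

        if (crypto_cipher_setkey(arc4_tfm, arc4_keye.data, arc4_keye.len)) {
                CERROR("failed to set arc4 key, len %d\n", arc4_keye.len);
                GOTO(out_tfm, rc = -EACCES);
        }

        rc = krb5_encrypt_rawobjs(arc4_tfm, 1, inobj_cnt, inobjs, outobj, enc);
out_tfm:
        crypto_free_tfm(arc4_tfm);
out_key:
        /* per-message key: clear it unless rawobj_free() already does */
        memset(arc4_keye.data, 0, arc4_keye.len);
        rawobj_free(&arc4_keye);
        return rc;
}

/* ... unchanged: checksum computation and cipher.data / cipher.len setup ... */
        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC)
                enc_rc = krb5_arc4_crypt_rawobjs(kctx, &cksum,
                                                 3, data_desc, &cipher, 1);
```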
struct krb5_ctx *kctx = gctx->internal_ctx_id;
struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
struct krb5_header *khdr;
- unsigned char acceptor_flag = FLAG_WRAP_CONFIDENTIAL;
+ unsigned char acceptor_flag;
unsigned char *tmpbuf;
int blocksize, bodysize;
rawobj_t cksum = RAWOBJ_EMPTY;
rawobj_t cipher_in, plain_out;
- __u32 rc = GSS_S_FAILURE;
+ __u32 rc = GSS_S_FAILURE, enc_rc = 0;
+
+ LASSERT(ke);
acceptor_flag = kctx->kc_initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
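Review bot: `enc_rc` is declared unsigned here (`__u32 rc = GSS_S_FAILURE, enc_rc = 0;`), yet further down it receives `-EACCES` and the `int` result of `krb5_encrypt_rawobjs()`, whereas the wrap path declares it as `int enc_rc = 0;`. The later `!= 0` test still works, but the negative errno is stored as a large unsigned value, which misleads if it is ever logged or compared with `< 0`. Declare it on its own line as `int enc_rc = 0;` so both paths agree. The function body continues outside this hunk.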
CERROR("bad direction flag\n");
return GSS_S_BAD_SIG;
}
+ if ((khdr->kh_flags & FLAG_WRAP_CONFIDENTIAL) == 0) {
+ CERROR("missing confidential flag\n");
+ return GSS_S_BAD_SIG;
+ }
if (khdr->kh_filler != 0xff) {
CERROR("bad filler\n");
return GSS_S_DEFECTIVE_TOKEN;
return GSS_S_DEFECTIVE_TOKEN;
}
- blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm);
+ /* block size */
+ if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+ LASSERT(kctx->kc_keye.kb_tfm == NULL);
+ blocksize = 1;
+ } else {
+ LASSERT(kctx->kc_keye.kb_tfm);
+ blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm);
+ }
- /* token:
+ /* expected token layout:
* ----------------------------------------
* | krb5 header | cipher text | checksum |
* ----------------------------------------
return GSS_S_DEFECTIVE_TOKEN;
}
- if (bodysize <= blocksize + sizeof(*khdr)) {
+ if (bodysize <= ke->ke_conf_size + sizeof(*khdr)) {
CERROR("incomplete token: bodysize %d\n", bodysize);
return GSS_S_DEFECTIVE_TOKEN;
}
- if (msg->len < bodysize - blocksize - sizeof(*khdr)) {
+ if (msg->len < bodysize - ke->ke_conf_size - sizeof(*khdr)) {
CERROR("buffer too small: %u, require %d\n",
- msg->len, bodysize - blocksize);
+ msg->len, bodysize - ke->ke_conf_size);
return GSS_S_FAILURE;
}
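Review bot: The "buffer too small" message reports `bodysize - ke->ke_conf_size` as the required size, but the condition above it tests `bodysize - ke->ke_conf_size - sizeof(*khdr)`, so the logged requirement is too large by the header size. Print the expression that is actually tested, for example `msg->len, (int)(bodysize - ke->ke_conf_size - sizeof(*khdr)));`. That subtraction involves `sizeof` and is therefore unsigned; it cannot wrap only because the preceding `bodysize <= ke->ke_conf_size + sizeof(*khdr)` check rejects short tokens first. A one-line comment such as `/* safe: bodysize > conf + header was checked above */` would keep the two checks from being reordered later.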
plain_out.data = tmpbuf;
plain_out.len = bodysize;
- if (krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 1,
- &cipher_in, &plain_out, 0)) {
+ if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+ rawobj_t arc4_keye;
+ struct crypto_tfm *arc4_tfm;
+
+ cksum.data = token->data + token->len - ke->ke_hash_size;
+ cksum.len = ke->ke_hash_size;
+
+ if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
+ NULL, 1, &cksum, &arc4_keye)) {
+ CERROR("failed to obtain arc4 enc key\n");
+ GOTO(arc4_out, enc_rc = -EACCES);
+ }
+
+ arc4_tfm = crypto_alloc_tfm("arc4", CRYPTO_TFM_MODE_ECB);
+ if (arc4_tfm == NULL) {
+ CERROR("failed to alloc tfm arc4 in ECB mode\n");
+ GOTO(arc4_out_key, enc_rc = -EACCES);
+ }
+
+ if (crypto_cipher_setkey(arc4_tfm,
+ arc4_keye.data, arc4_keye.len)) {
+ CERROR("failed to set arc4 key, len %d\n",
+ arc4_keye.len);
+ GOTO(arc4_out_tfm, enc_rc = -EACCES);
+ }
+
+ enc_rc = krb5_encrypt_rawobjs(arc4_tfm, 1,
+ 1, &cipher_in, &plain_out, 0);
+arc4_out_tfm:
+ crypto_free_tfm(arc4_tfm);
+arc4_out_key:
+ rawobj_free(&arc4_keye);
+arc4_out:
+ cksum = RAWOBJ_EMPTY;
+ } else {
+ enc_rc = krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 0,
+ 1, &cipher_in, &plain_out, 0);
+ }
+
+ if (enc_rc != 0) {
CERROR("error decrypt\n");
goto out_free;
}
LASSERT(plain_out.len == bodysize);
- /* clear text:
+ /* expected clear text layout:
* -----------------------------------------
* | confounder | clear msgs | krb5 header |
* -----------------------------------------
goto out_free;
}
- msg->len = bodysize - sizeof(*khdr) - blocksize;
- memcpy(msg->data, tmpbuf + blocksize, msg->len);
+ msg->len = bodysize - ke->ke_conf_size - sizeof(*khdr);
+ memcpy(msg->data, tmpbuf + ke->ke_conf_size, msg->len);
rc = GSS_S_COMPLETE;
out_free:
diff -rup nfs-utils-1.0.10.orig/configure.in nfs-utils-1.0.10/configure.in
--- nfs-utils-1.0.10.orig/configure.in 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/configure.in 2006-11-23 22:06:03.000000000 -0700
++++ nfs-utils-1.0.10/configure.in 2006-12-04 21:28:43.000000000 -0700
@@ -17,61 +17,14 @@ AC_ARG_WITH(release,
RELEASE=$withval,
RELEASE=1)
diff -rup nfs-utils-1.0.10.orig/Makefile.am nfs-utils-1.0.10/Makefile.am
--- nfs-utils-1.0.10.orig/Makefile.am 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/Makefile.am 2006-11-23 22:06:03.000000000 -0700
++++ nfs-utils-1.0.10/Makefile.am 2006-12-04 21:28:43.000000000 -0700
@@ -1,6 +1,6 @@
## Process this file with automake to produce Makefile.in
diff -rup nfs-utils-1.0.10.orig/utils/gssd/cacheio.c nfs-utils-1.0.10/utils/gssd/cacheio.c
--- nfs-utils-1.0.10.orig/utils/gssd/cacheio.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/cacheio.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/cacheio.c 2006-12-04 21:29:29.000000000 -0700
@@ -227,7 +227,8 @@ int qword_get(char **bpp, char *dest, in
return -1;
while (*bp == ' ') bp++;
diff -rup nfs-utils-1.0.10.orig/utils/gssd/context.c nfs-utils-1.0.10/utils/gssd/context.c
--- nfs-utils-1.0.10.orig/utils/gssd/context.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/context.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/context.c 2006-12-04 21:29:29.000000000 -0700
@@ -33,8 +33,6 @@
#include <syslog.h>
#include <string.h>
#include "err_util.h"
diff -rup nfs-utils-1.0.10.orig/utils/gssd/context.h nfs-utils-1.0.10/utils/gssd/context.h
--- nfs-utils-1.0.10.orig/utils/gssd/context.h 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/context.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/context.h 2006-12-04 21:29:29.000000000 -0700
@@ -31,8 +31,6 @@
#ifndef _CONTEXT_H_
#define _CONTEXT_H_
diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c nfs-utils-1.0.10/utils/gssd/context_lucid.c
--- nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/context_lucid.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/context_lucid.c 2006-12-04 21:29:29.000000000 -0700
@@ -41,11 +41,7 @@
#include <syslog.h>
#include <string.h>
static int
write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
{
-@@ -451,6 +452,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
+@@ -354,6 +355,7 @@ static int
+ prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
+ gss_buffer_desc *buf)
+ {
++ static int constant_two = 2;
+ char *p, *end;
+ uint32_t v2_flags = 0;
+ gss_krb5_lucid_key_t enc_key;
+@@ -372,7 +374,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
+ end = buf->value + MAX_CTX_LEN;
+
+ /* Version 2 */
+- if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
++ if (WRITE_BYTES(&p, end, constant_two)) goto out_err;
+ if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
+
+ if (lctx->initiate)
+@@ -434,14 +436,25 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
+ goto out_err;
+
+ /* Kc */
+- if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
+- &derived_key,
+- KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
+- goto out_err;
+- if (write_bytes(&p, end, derived_key.data,
+- derived_key.length))
+- goto out_err;
+- free(derived_key.data);
++ /*
++ * RC4 is special, it dosen't need key derivation. Actually
++ * the Ke is based on plain text. Here we just let all three
++ * key identical, kernel will handle everything. --ericm
++ */
++ if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
++ if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
++ lctx->rfc1964_kd.ctx_key.length))
++ goto out_err;
++ } else {
++ if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
++ &derived_key,
++ KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
++ goto out_err;
++ if (write_bytes(&p, end, derived_key.data,
++ derived_key.length))
++ goto out_err;
++ free(derived_key.data);
++ }
+ } else {
+ gss_krb5_lucid_key_t *keyptr;
+ uint32_t sign_usage, seal_usage;
+@@ -451,6 +464,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
else
keyptr = &lctx->cfx_kd.ctx_key;
if (lctx->initiate == 1) {
sign_usage = KG_USAGE_INITIATOR_SIGN;
seal_usage = KG_USAGE_INITIATOR_SEAL;
-@@ -458,6 +460,19 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
+@@ -458,6 +472,19 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc
sign_usage = KG_USAGE_ACCEPTOR_SIGN;
seal_usage = KG_USAGE_ACCEPTOR_SEAL;
}
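Review bot: In the non-RC4 branch of the Kc block, `derived_key.data` is released with a plain `free()` only after `write_bytes()` succeeds; the `goto out_err` taken when `write_bytes()` fails skips it, so the derived key stays allocated unless `out_err` (outside this hunk) releases it. Because the buffer holds key material, clear it before freeing on both paths, e.g. `memset(derived_key.data, 0, derived_key.length); free(derived_key.data);`, bearing in mind that a compiler may drop a plain memset that directly precedes free. The RC4 branch passes the unmodified context key to the kernel as Kc; the added comment says this is intended, and it would help to name there the kernel code that is expected to derive the per-message key. `constant_two` would read better as a named version constant with a comment on how the kernel interprets this first field.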
diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_mit.c nfs-utils-1.0.10/utils/gssd/context_mit.c
--- nfs-utils-1.0.10.orig/utils/gssd/context_mit.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/context_mit.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/context_mit.c 2006-12-04 21:29:29.000000000 -0700
@@ -39,7 +39,6 @@
#include <errno.h>
#include <gssapi/gssapi.h>
/* Only applicable flag for this is initiator */
diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_spkm3.c nfs-utils-1.0.10/utils/gssd/context_spkm3.c
--- nfs-utils-1.0.10.orig/utils/gssd/context_spkm3.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/context_spkm3.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/context_spkm3.c 2006-12-04 21:29:29.000000000 -0700
@@ -33,8 +33,6 @@
#include <syslog.h>
#include <string.h>
#include "err_util.h"
diff -rup nfs-utils-1.0.10.orig/utils/gssd/err_util.c nfs-utils-1.0.10/utils/gssd/err_util.c
--- nfs-utils-1.0.10.orig/utils/gssd/err_util.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/err_util.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/err_util.c 2006-12-04 21:29:29.000000000 -0700
@@ -32,6 +32,8 @@
#include <stdarg.h>
#include <syslog.h>
+
diff -rup nfs-utils-1.0.10.orig/utils/gssd/err_util.h nfs-utils-1.0.10/utils/gssd/err_util.h
--- nfs-utils-1.0.10.orig/utils/gssd/err_util.h 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/err_util.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/err_util.h 2006-12-04 21:29:29.000000000 -0700
@@ -33,5 +33,6 @@
void initerr(char *progname, int verbosity, int fg);
#endif /* _ERR_UTIL_H_ */
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_clnt_send_err.c nfs-utils-1.0.10/utils/gssd/gss_clnt_send_err.c
--- nfs-utils-1.0.10.orig/utils/gssd/gss_clnt_send_err.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/gss_clnt_send_err.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gss_clnt_send_err.c 2006-12-04 21:29:29.000000000 -0700
@@ -47,6 +47,7 @@
#include "gssd.h"
#include "write_bytes.h"
+#endif
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd.c nfs-utils-1.0.10/utils/gssd/gssd.c
--- nfs-utils-1.0.10.orig/utils/gssd/gssd.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/gssd.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gssd.c 2006-12-04 21:29:29.000000000 -0700
@@ -38,9 +38,12 @@
#include "config.h"
}
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd.h nfs-utils-1.0.10/utils/gssd/gssd.h
--- nfs-utils-1.0.10.orig/utils/gssd/gssd.h 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/gssd.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gssd.h 2006-12-04 21:29:29.000000000 -0700
@@ -48,8 +48,13 @@
#define GSSD_DEFAULT_CRED_PREFIX "krb5cc_"
#define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine"
#endif /* _RPC_GSSD_H_ */
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd_main_loop.c nfs-utils-1.0.10/utils/gssd/gssd_main_loop.c
--- nfs-utils-1.0.10.orig/utils/gssd/gssd_main_loop.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/gssd_main_loop.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gssd_main_loop.c 2006-12-04 21:29:29.000000000 -0700
@@ -94,11 +94,13 @@ scan_poll_results(int ret)
};
}
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd_proc.c nfs-utils-1.0.10/utils/gssd/gssd_proc.c
--- nfs-utils-1.0.10.orig/utils/gssd/gssd_proc.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/gssd_proc.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gssd_proc.c 2006-12-04 21:29:29.000000000 -0700
@@ -43,7 +43,6 @@
#endif
#include "config.h"
}
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_util.c nfs-utils-1.0.10/utils/gssd/gss_util.c
--- nfs-utils-1.0.10.orig/utils/gssd/gss_util.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/gss_util.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gss_util.c 2006-12-04 21:29:29.000000000 -0700
@@ -87,9 +87,16 @@
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
int gssd_check_mechs(void)
diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_util.h nfs-utils-1.0.10/utils/gssd/gss_util.h
--- nfs-utils-1.0.10.orig/utils/gssd/gss_util.h 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/gss_util.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/gss_util.h 2006-12-04 21:29:29.000000000 -0700
@@ -32,12 +32,10 @@
#define _GSS_UTIL_H_
int gssd_check_mechs(void);
diff -rup nfs-utils-1.0.10.orig/utils/gssd/krb5_util.c nfs-utils-1.0.10/utils/gssd/krb5_util.c
--- nfs-utils-1.0.10.orig/utils/gssd/krb5_util.c 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/krb5_util.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/krb5_util.c 2006-12-04 21:29:29.000000000 -0700
@@ -99,12 +99,14 @@
#include <rpc/rpc.h>
#include <sys/types.h>
* Obtain supported enctypes from kernel.
diff -rup nfs-utils-1.0.10.orig/utils/gssd/krb5_util.h nfs-utils-1.0.10/utils/gssd/krb5_util.h
--- nfs-utils-1.0.10.orig/utils/gssd/krb5_util.h 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/krb5_util.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/krb5_util.h 2006-12-04 21:29:29.000000000 -0700
@@ -10,13 +10,15 @@
struct gssd_k5_kt_princ {
struct gssd_k5_kt_princ *next;
+
#endif /* KRB5_UTIL_H */
-Only in nfs-utils-1.0.10/utils/gssd: l_idmap.c
diff -rup nfs-utils-1.0.10.orig/utils/gssd/lsupport.c nfs-utils-1.0.10/utils/gssd/lsupport.c
--- nfs-utils-1.0.10.orig/utils/gssd/lsupport.c 2006-11-15 21:41:25.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/lsupport.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/lsupport.c 2006-12-04 21:29:29.000000000 -0700
@@ -0,0 +1,782 @@
+/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
+ * vim:expandtab:shiftwidth=8:tabstop=8:
+
diff -rup nfs-utils-1.0.10.orig/utils/gssd/lsupport.h nfs-utils-1.0.10/utils/gssd/lsupport.h
--- nfs-utils-1.0.10.orig/utils/gssd/lsupport.h 2006-11-15 21:41:23.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/lsupport.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/lsupport.h 2006-12-04 21:29:29.000000000 -0700
@@ -0,0 +1,89 @@
+/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
+ * vim:expandtab:shiftwidth=8:tabstop=8:
+#endif /* __LIBCFS_H__ */
diff -rup nfs-utils-1.0.10.orig/utils/gssd/Makefile.am nfs-utils-1.0.10/utils/gssd/Makefile.am
--- nfs-utils-1.0.10.orig/utils/gssd/Makefile.am 2006-11-15 21:26:08.000000000 -0700
-+++ nfs-utils-1.0.10/utils/gssd/Makefile.am 2006-11-23 22:06:03.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/Makefile.am 2006-12-04 21:28:43.000000000 -0700
@@ -1,17 +1,11 @@
## Process this file with automake to produce Makefile.in
-
diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd.c nfs-utils-1.0.10/utils/gssd/svcgssd.c
--- nfs-utils-1.0.10.orig/utils/gssd/svcgssd.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/svcgssd.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/svcgssd.c 2006-12-04 21:29:29.000000000 -0700
@@ -43,7 +43,6 @@
#include <sys/types.h>
#include <sys/stat.h>
}
diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd.h nfs-utils-1.0.10/utils/gssd/svcgssd.h
--- nfs-utils-1.0.10.orig/utils/gssd/svcgssd.h 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/svcgssd.h 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/svcgssd.h 2006-12-04 21:29:29.000000000 -0700
@@ -35,9 +35,20 @@
#include <sys/queue.h>
#include <gssapi/gssapi.h>
#endif /* _RPC_SVCGSSD_H_ */
diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd_main_loop.c nfs-utils-1.0.10/utils/gssd/svcgssd_main_loop.c
--- nfs-utils-1.0.10.orig/utils/gssd/svcgssd_main_loop.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/svcgssd_main_loop.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/svcgssd_main_loop.c 2006-12-04 21:29:29.000000000 -0700
@@ -46,46 +46,66 @@
#include "svcgssd.h"
#include "err_util.h"
}
diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd_proc.c nfs-utils-1.0.10/utils/gssd/svcgssd_proc.c
--- nfs-utils-1.0.10.orig/utils/gssd/svcgssd_proc.c 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/gssd/svcgssd_proc.c 2006-11-23 22:06:17.000000000 -0700
++++ nfs-utils-1.0.10/utils/gssd/svcgssd_proc.c 2006-12-04 21:29:29.000000000 -0700
@@ -35,7 +35,6 @@
#include <sys/param.h>
if (ctx != GSS_C_NO_CONTEXT)
diff -rup nfs-utils-1.0.10.orig/utils/Makefile.am nfs-utils-1.0.10/utils/Makefile.am
--- nfs-utils-1.0.10.orig/utils/Makefile.am 2006-08-07 00:40:50.000000000 -0600
-+++ nfs-utils-1.0.10/utils/Makefile.am 2006-11-23 22:06:03.000000000 -0700
++++ nfs-utils-1.0.10/utils/Makefile.am 2006-12-04 21:28:43.000000000 -0700
@@ -2,31 +2,6 @@
OPTDIRS =