From c05e1e8694309ba8c1c727f133427cd79e0820b7 Mon Sep 17 00:00:00 2001
From: ericm
Date: Tue, 5 Dec 2006 03:52:27 +0000
Subject: [PATCH] branch: b_new_cmd port from b1_8_gss: support MIT Kerberos algorithm arcfour-hmac-md5.

---
 lustre/ptlrpc/gss/gss_internal.h | 3 +-
 lustre/ptlrpc/gss/gss_krb5_mech.c | 273 +++++++++++++++++++-------
 lustre/utils/gss/context_lucid.c | 27 ++-
 lustre/utils/gss/nfs-utils-1.0.10-lustre.diff | 110 ++++++++---
 4 files changed, 304 insertions(+), 109 deletions(-)

diff --git a/lustre/ptlrpc/gss/gss_internal.h b/lustre/ptlrpc/gss/gss_internal.h
index 9880588..8fd8014 100644
--- a/lustre/ptlrpc/gss/gss_internal.h
+++ b/lustre/ptlrpc/gss/gss_internal.h
@@ -96,8 +96,7 @@ unsigned long gss_round_imp_reconnect(unsigned long expiry)
 }
 
 /*
- * Max encryption element in block cipher algorithms, most of which
- * are 64 bits, here we choose 128 bits to be safe for future extension.
+ * Max encryption element in block cipher algorithms.
  */
 #define GSS_MAX_CIPHER_BLOCK (16)
 
diff --git a/lustre/ptlrpc/gss/gss_krb5_mech.c b/lustre/ptlrpc/gss/gss_krb5_mech.c
index de969ff..29e15c3 100644
--- a/lustre/ptlrpc/gss/gss_krb5_mech.c
+++ b/lustre/ptlrpc/gss/gss_krb5_mech.c
@@ -9,6 +9,10 @@
 /*
  * linux/net/sunrpc/gss_krb5_mech.c
+ * linux/net/sunrpc/gss_krb5_crypto.c
+ * linux/net/sunrpc/gss_krb5_seal.c
+ * linux/net/sunrpc/gss_krb5_seqnum.c
+ * linux/net/sunrpc/gss_krb5_unseal.c
  *
  * Copyright (c) 2001 The Regents of the University of Michigan.
  * All rights reserved.
@@ -75,49 +79,63 @@ spinlock_t krb5_seq_lock = SPIN_LOCK_UNLOCKED; struct krb5_enctype { char *ke_dispname; - int ke_hash_size; - char *ke_hash_name; - char *ke_enc_name; - int ke_enc_mode; - unsigned int ke_hash_hmac:1; + char *ke_enc_name; /* linux tfm name */ + char *ke_hash_name; /* linux tfm name */ + int ke_enc_mode; /* linux tfm mode */ + int ke_hash_size; /* checksum size */ + int ke_conf_size; /* confounder size */ + unsigned int ke_hash_hmac:1; /* is hmac? */ }; /* - * NOTE: for aes128-cts and aes256-cts, MIT implementation use CTS - * encryption mode while we CBC with padding, because we already be able - * to handle trailling bytes, and dosen't hurt security and simpler. + * NOTE: for aes128-cts and aes256-cts, MIT implementation use CTS encryption. + * but currently we simply CBC with padding, because linux doesn't support CTS + * yet. this need to be fixed in the future. */ static struct krb5_enctype enctypes[] = { [ENCTYPE_DES_CBC_RAW] = { /* des-cbc-md5 */ "des-cbc-md5", - 16, - "md5", "des", + "md5", CRYPTO_TFM_MODE_CBC, + 16, + 8, 0, }, [ENCTYPE_DES3_CBC_RAW] = { /* des3-hmac-sha1 */ - "des3-hmac-sha1", - 20, - "sha1", + "des-hmac-sha1", "des3_ede", + "sha1", CRYPTO_TFM_MODE_CBC, + 20, + 8, 1, }, [ENCTYPE_AES128_CTS_HMAC_SHA1_96] = { /* aes128-cts */ "aes128-cts-hmac-sha1-96", - 12, - "sha1", "aes", + "sha1", CRYPTO_TFM_MODE_CBC, + 12, + 16, 1, }, [ENCTYPE_AES256_CTS_HMAC_SHA1_96] = { /* aes256-cts */ "aes256-cts-hmac-sha1-96", - 12, - "sha1", "aes", + "sha1", CRYPTO_TFM_MODE_CBC, + 12, + 16, + 1, + }, + [ENCTYPE_ARCFOUR_HMAC] = { /* arcfour-hmac-md5 */ + "arcfour-hmac-md5", + "arc4", + "md5", + CRYPTO_TFM_MODE_ECB, + 16, + 8, 1, }, }; 
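Review bot: The display name of the `[ENCTYPE_DES3_CBC_RAW]` row changes from "des3-hmac-sha1" to "des-hmac-sha1" in this hunk, so whatever consumes `ke_dispname` (logs, or a match against the user-space enctype name — the consumer is outside this diff) will now call triple-DES by the single-DES name; restore `"des3-hmac-sha1",`. The new arcfour-hmac-md5 row is internally consistent with the re-ordered fields (16-byte HMAC-MD5 checksum, 8-byte confounder, `ke_hash_hmac = 1`), but it deserves a warning that it is a legacy enctype kept only for interoperability, e.g. `/* legacy RC4-HMAC: interop only, never prefer over AES/3DES */`, since nothing in the table ranks enctypes. The rewritten NOTE also now admits the AES rows use CBC-with-padding where MIT uses CTS; that means AES tokens are only exchangeable between two Lustre peers, which is worth saying outright instead of "this need to be fixed in the future".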
@@ -164,8 +182,12 @@ int krb5_init_keys(struct krb5_ctx *kctx) ke = &enctypes[kctx->kc_enctype]; - if (keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode)) + /* tfm arc4 is stateful, user should alloc-use-free by his own */ + if (kctx->kc_enctype != ENCTYPE_ARCFOUR_HMAC && + keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode)) return -1; + + /* tfm hmac is stateful, user should alloc-use-free by his own */ if (ke->ke_hash_hmac == 0 && keyblock_init(&kctx->kc_keyi, ke->ke_enc_name, ke->ke_enc_mode)) return -1; @@ -206,7 +228,7 @@ int get_bytes(char **ptr, const char *end, void *res, int len) static int get_rawobj(char **ptr, const char *end, rawobj_t *res) { - char *p, *q; + char *p, *q; __u32 len; p = *ptr; @@ -337,7 +359,7 @@ out_err: #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004 static -__u32 import_context_v2(struct krb5_ctx *kctx, char *p, char *end) +__u32 import_context_rfc4121(struct krb5_ctx *kctx, char *p, char *end) { unsigned int tmp_uint, keysize; @@ -426,7 +448,7 @@ __u32 gss_import_sec_context_kerberos(rawobj_t *inbuf, kctx->kc_initiate = tmp_uint; rc = import_context_rfc1964(kctx, p, end); } else { - rc = import_context_v2(kctx, p, end); + rc = import_context_rfc4121(kctx, p, end); } if (rc == 0) @@ -455,9 +477,11 @@ __u32 gss_copy_reverse_context_kerberos(struct gss_ctx *gctx, return GSS_S_FAILURE; knew->kc_initiate = kctx->kc_initiate ? 0 : 1; + knew->kc_cfx = kctx->kc_cfx; knew->kc_seed_init = kctx->kc_seed_init; - memcpy(knew->kc_seed, kctx->kc_seed, sizeof(kctx->kc_seed)); + knew->kc_have_acceptor_subkey = kctx->kc_have_acceptor_subkey; knew->kc_endtime = kctx->kc_endtime; + memcpy(knew->kc_seed, kctx->kc_seed, sizeof(kctx->kc_seed)); knew->kc_seq_send = kctx->kc_seq_recv; knew->kc_seq_recv = kctx->kc_seq_send; knew->kc_enctype = kctx->kc_enctype; 
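Review bot: After this hunk an arcfour-hmac-md5 context deliberately leaves `kctx->kc_keye.kb_tfm` NULL, but only gss_wrap_kerberos/gss_unwrap_kerberos in this commit are taught to expect that; any other caller that still does `crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm)` or hands `kc_keye.kb_tfm` to the cipher helpers unconditionally (the MIC or sequence-number paths, if they touch the encryption key — not visible here) dereferences NULL for RC4 contexts. A grep for `kc_keye.kb_tfm` plus a note on the field would make the invariant findable: `/* NULL for ENCTYPE_ARCFOUR_HMAC: the RC4 key is per-token, see gss_wrap_kerberos() */`. The second comment, "tfm hmac is stateful, user should alloc-use-free by his own", sits above the `ke_hash_hmac == 0` branch, which is the non-HMAC case that does keep a persistent `kc_keyi` tfm, so it reads as if it explains the opposite; something like `/* HMAC tfms are allocated per use, so only non-HMAC enctypes get a persistent kc_keyi here */` matches the code. krb5_init_keys continues outside the hunk.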
@@ -570,8 +594,10 @@ int krb5_digest_hmac(struct crypto_tfm *tfm, crypto_hmac_update(tfm, sg, 1); } - buf_to_sg(sg, (char *) khdr, sizeof(*khdr)); - crypto_hmac_update(tfm, sg, 1); + if (khdr) { + buf_to_sg(sg, (char *) khdr, sizeof(*khdr)); + crypto_hmac_update(tfm, sg, 1); + } crypto_hmac_final(tfm, key->data, &keylen, cksum->data); return 0; @@ -598,8 +624,10 @@ int krb5_digest_norm(struct crypto_tfm *tfm, crypto_digest_update(tfm, sg, 1); } - buf_to_sg(sg, (char *) khdr, sizeof(*khdr)); - crypto_digest_update(tfm, sg, 1); + if (khdr) { + buf_to_sg(sg, (char *) khdr, sizeof(*khdr)); + crypto_digest_update(tfm, sg, 1); + } crypto_digest_final(tfm, cksum->data); @@ -781,6 +809,7 @@ int add_padding(rawobj_t *msg, int msg_buflen, int blocksize) static int krb5_encrypt_rawobjs(struct crypto_tfm *tfm, + int mode_ecb, int inobj_cnt, rawobj_t *inobjs, rawobj_t *outobj, @@ -800,12 +829,21 @@ int krb5_encrypt_rawobjs(struct crypto_tfm *tfm, buf_to_sg(&src, inobjs[i].data, inobjs[i].len); buf_to_sg(&dst, buf, outobj->len - datalen); - if (enc) - rc = crypto_cipher_encrypt_iv(tfm, &dst, &src, - src.length, local_iv); - else - rc = crypto_cipher_decrypt_iv(tfm, &dst, &src, - src.length, local_iv); + if (mode_ecb) { + if (enc) + rc = crypto_cipher_encrypt( + tfm, &dst, &src, src.length); + else + rc = crypto_cipher_decrypt( + tfm, &dst, &src, src.length); + } else { + if (enc) + rc = crypto_cipher_encrypt_iv( + tfm, &dst, &src, src.length, local_iv); + else + rc = crypto_cipher_decrypt_iv( + tfm, &dst, &src, src.length, local_iv); + } if (rc) { CERROR("encrypt error %d\n", rc); 
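Review bot: `krb5_encrypt_rawobjs()` now silently depends on the tfm's internal keystream state when `mode_ecb` is set: each `inobjs[i]` goes through a separate `crypto_cipher_encrypt()` call, so a correct arc4 ciphertext relies on the transform continuing its stream across calls and on the caller keying a fresh tfm for every token (which gss_wrap_kerberos does in this commit). That contract belongs on the function, because a caller that reused an arc4 tfm for a second token would get a different keystream for it: `/* mode_ecb: no IV; for stream ciphers (arc4) the keystream continues across inobjs, so the caller must setkey() a fresh tfm per token */`. Naming the flag for what it means (`no_iv` or `stream`) rather than the crypto-API mode it happens to use would also help; the function body continues outside the hunk.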
@@ -829,11 +867,18 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx, struct krb5_ctx *kctx = gctx->internal_ctx_id; struct krb5_enctype *ke = &enctypes[kctx->kc_enctype]; struct krb5_header *khdr; - unsigned char acceptor_flag = FLAG_WRAP_CONFIDENTIAL; + unsigned char acceptor_flag; int blocksize; rawobj_t cksum = RAWOBJ_EMPTY; rawobj_t data_desc[3], cipher; __u8 conf[GSS_MAX_CIPHER_BLOCK]; + int enc_rc = 0; + + LASSERT(ke); + LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK); + LASSERT(kctx->kc_keye.kb_tfm == NULL || + ke->ke_conf_size >= + crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm)); acceptor_flag = kctx->kc_initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR; @@ -842,7 +887,7 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx, khdr = (struct krb5_header *) token->data; khdr->kh_tok_id = cpu_to_be16(KG_TOK_WRAP_MSG); - khdr->kh_flags = acceptor_flag; + khdr->kh_flags = acceptor_flag | FLAG_WRAP_CONFIDENTIAL; khdr->kh_filler = 0xff; khdr->kh_ec = cpu_to_be16(0); khdr->kh_rrc = cpu_to_be16(0); 
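Review bot: `LASSERT(ke)` in this hunk can never fire: `ke` is `&enctypes[kctx->kc_enctype]`, the address of an array slot, so it is non-NULL even when `kc_enctype` lands on a zero-filled hole of the designated-initializer table or beyond its end. The property a reader wants guaranteed is that the table describes this enctype — `LASSERT(kctx->kc_enctype < ARRAY_SIZE(enctypes) && ke->ke_dispname);` here, or preferably a hard rejection at context import, unless the import path (not in this diff) already does that. gss_wrap_kerberos continues past this hunk.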
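Review bot: The `acceptor_flag | FLAG_WRAP_CONFIDENTIAL` line repairs the old code, where `acceptor_flag` was initialised to FLAG_WRAP_CONFIDENTIAL and then overwritten, so wrap tokens never carried the confidential flag even though they were encrypted; because the unwrapper in this same commit now rejects tokens lacking the flag, pre-upgrade and post-upgrade peers cannot exchange wrap tokens, which the commit message should state. A short comment would keep the OR from being "simplified" away later: `/* every token we produce is sealed; unwrap rejects tokens without this flag */`.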
@@ -851,58 +896,97 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx, spin_unlock(&krb5_seq_lock); /* generate confounder */ - blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm); - LASSERT(blocksize <= GSS_MAX_CIPHER_BLOCK); - get_random_bytes(conf, blocksize); + get_random_bytes(conf, ke->ke_conf_size); + + /* get encryption blocksize. note kc_keye might not associated with + * a tfm, currently only for arcfour-hmac + */ + if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) { + LASSERT(kctx->kc_keye.kb_tfm == NULL); + blocksize = 1; + } else { + LASSERT(kctx->kc_keye.kb_tfm); + blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm); + } + LASSERT(blocksize <= ke->ke_conf_size); /* padding the message */ if (add_padding(msg, msg_buflen, blocksize)) return GSS_S_FAILURE; - /* encryption: + /* + * clear text layout, same for both checksum & encryption: * ----------------------------------------- * | confounder | clear msgs | krb5 header | * ----------------------------------------- */ data_desc[0].data = conf; - data_desc[0].len = blocksize; + data_desc[0].len = ke->ke_conf_size; data_desc[1].data = msg->data; data_desc[1].len = msg->len; data_desc[2].data = (__u8 *) khdr; data_desc[2].len = sizeof(*khdr); + /* compute checksum */ + if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi, + khdr, 3, data_desc, &cksum)) + return GSS_S_FAILURE; + LASSERT(cksum.len >= ke->ke_hash_size); + + /* encrypting, cipher text will be directly inplace */ cipher.data = (__u8 *) (khdr + 1); cipher.len = token->len - sizeof(*khdr); - LASSERT(blocksize + msg->len + sizeof(*khdr) <= cipher.len); + LASSERT(cipher.len >= ke->ke_conf_size + msg->len + sizeof(*khdr)); - if (krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 3, data_desc, - &cipher, 1)) - return GSS_S_FAILURE; + if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) { + rawobj_t arc4_keye; + struct crypto_tfm *arc4_tfm; - /* checksum: - * ----------------------------------------- - * | confounder | clear msgs | krb5 header | - * 
----------------------------------------- - */ - data_desc[0].data = conf; - data_desc[0].len = blocksize; - data_desc[1].data = msg->data; - data_desc[1].len = msg->len; - data_desc[2].data = (__u8 *) khdr; - data_desc[2].len = sizeof(*khdr); + if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi, + NULL, 1, &cksum, &arc4_keye)) { + CERROR("failed to obtain arc4 enc key\n"); + GOTO(arc4_out, enc_rc = -EACCES); + } - if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi, - khdr, 3, data_desc, &cksum)) + arc4_tfm = crypto_alloc_tfm("arc4", CRYPTO_TFM_MODE_ECB); + if (arc4_tfm == NULL) { + CERROR("failed to alloc tfm arc4 in ECB mode\n"); + GOTO(arc4_out_key, enc_rc = -EACCES); + } + + if (crypto_cipher_setkey(arc4_tfm, + arc4_keye.data, arc4_keye.len)) { + CERROR("failed to set arc4 key, len %d\n", + arc4_keye.len); + GOTO(arc4_out_tfm, enc_rc = -EACCES); + } + + enc_rc = krb5_encrypt_rawobjs(arc4_tfm, 1, + 3, data_desc, &cipher, 1); +arc4_out_tfm: + crypto_free_tfm(arc4_tfm); +arc4_out_key: + rawobj_free(&arc4_keye); +arc4_out: + do {} while(0); /* just to avoid compile warning */ + } else { + enc_rc = krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 0, + 3, data_desc, &cipher, 1); + } + + if (enc_rc != 0) { + rawobj_free(&cksum); return GSS_S_FAILURE; + } /* fill in checksum */ - LASSERT(cksum.len >= ke->ke_hash_size); LASSERT(token->len >= sizeof(*khdr) + cipher.len + ke->ke_hash_size); memcpy((char *)(khdr + 1) + cipher.len, cksum.data + cksum.len - ke->ke_hash_size, ke->ke_hash_size); rawobj_free(&cksum); + /* final token length */ token->len = sizeof(*khdr) + cipher.len + ke->ke_hash_size; return GSS_S_COMPLETE; } 
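Review bot: `arc4_keye` holds the per-token RC4 key derived from Ki and is released with plain `rawobj_free()` at `arc4_out_key:`; unless that helper wipes the buffer (it is outside this diff) the key goes back to the slab in clear, so clear it first with `memset(arc4_keye.data, 0, arc4_keye.len);` before the free. The checksum call feeds `khdr` both as `data_desc[2]` and as the separate header argument, and `krb5_digest_hmac()` in this same commit hashes the header argument whenever it is non-NULL — if `krb5_make_checksum()` passes both through, the header is hashed twice; that is symmetric between two Lustre peers but is not the RFC 4121 checksum a MIT implementation would compute, so it is worth confirming against that helper. The `do {} while(0); /* just to avoid compile warning */` exists only because `arc4_out:` has nothing left to label; moving the whole arc4 ladder into a `static` helper that returns `enc_rc` removes the dummy and lets gss_unwrap_kerberos share it instead of repeating the block. The function starts before this hunk.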
@@ -915,12 +999,14 @@ __u32 gss_unwrap_kerberos(struct gss_ctx *gctx, struct krb5_ctx *kctx = gctx->internal_ctx_id; struct krb5_enctype *ke = &enctypes[kctx->kc_enctype]; struct krb5_header *khdr; - unsigned char acceptor_flag = FLAG_WRAP_CONFIDENTIAL; + unsigned char acceptor_flag; unsigned char *tmpbuf; int blocksize, bodysize; rawobj_t cksum = RAWOBJ_EMPTY; rawobj_t cipher_in, plain_out; - __u32 rc = GSS_S_FAILURE; + __u32 rc = GSS_S_FAILURE, enc_rc = 0; + + LASSERT(ke); acceptor_flag = kctx->kc_initiate ? FLAG_SENDER_IS_ACCEPTOR : 0; @@ -940,6 +1026,10 @@ __u32 gss_unwrap_kerberos(struct gss_ctx *gctx, CERROR("bad direction flag\n"); return GSS_S_BAD_SIG; } + if ((khdr->kh_flags & FLAG_WRAP_CONFIDENTIAL) == 0) { + CERROR("missing confidential flag\n"); + return GSS_S_BAD_SIG; + } if (khdr->kh_filler != 0xff) { CERROR("bad filler\n"); return GSS_S_DEFECTIVE_TOKEN; @@ -950,9 +1040,16 @@ __u32 gss_unwrap_kerberos(struct gss_ctx *gctx, return GSS_S_DEFECTIVE_TOKEN; } - blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm); + /* block size */ + if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) { + LASSERT(kctx->kc_keye.kb_tfm == NULL); + blocksize = 1; + } else { + LASSERT(kctx->kc_keye.kb_tfm); + blocksize = crypto_tfm_alg_blocksize(kctx->kc_keye.kb_tfm); + } - /* token: + /* expected token layout: * ---------------------------------------- * | krb5 header | cipher text | checksum | * ---------------------------------------- 
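Review bot: A wrap token without FLAG_WRAP_CONFIDENTIAL is a well-formed integrity-only token that this unwrapper does not support, so `GSS_S_BAD_SIG` misreports it as a failed MIC when no checksum has been verified yet; `GSS_S_DEFECTIVE_TOKEN`, as the `kh_filler` check a few lines down returns, or `GSS_S_UNAVAILABLE` describes the situation, i.e. `return GSS_S_DEFECTIVE_TOKEN;`. Whichever status is kept, the message should say the token is unsealed rather than "missing" a flag, since the sender may be a pre-upgrade peer whose wrap never set it. The `LASSERT(ke)` added in the hunk above has the same problem as in gss_wrap_kerberos: `ke` is an array-element address and can never be NULL. gss_unwrap_kerberos continues on both sides of these hunks.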
@@ -964,14 +1061,14 @@ __u32 gss_unwrap_kerberos(struct gss_ctx *gctx, return GSS_S_DEFECTIVE_TOKEN; } - if (bodysize <= blocksize + sizeof(*khdr)) { + if (bodysize <= ke->ke_conf_size + sizeof(*khdr)) { CERROR("incomplete token: bodysize %d\n", bodysize); return GSS_S_DEFECTIVE_TOKEN; } - if (msg->len < bodysize - blocksize - sizeof(*khdr)) { + if (msg->len < bodysize - ke->ke_conf_size - sizeof(*khdr)) { CERROR("buffer too small: %u, require %d\n", - msg->len, bodysize - blocksize); + msg->len, bodysize - ke->ke_conf_size); return GSS_S_FAILURE; } 
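Review bot: The "buffer too small" message in this hunk reports `bodysize - ke->ke_conf_size` while the condition just above also subtracts `sizeof(*khdr)`, so the logged requirement is one header too large; use `msg->len, (int)(bodysize - ke->ke_conf_size - sizeof(*khdr))`. Both comparisons mix `int bodysize` with a `size_t` operand, which promotes to unsigned — harmless if `bodysize` was already checked non-negative above the hunk (the hunk starts mid-function, so I cannot see that), otherwise a negative `bodysize` sails through the `<=` test. gss_unwrap_kerberos continues on both sides of the hunk.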
@@ -985,14 +1082,52 @@ __u32 gss_unwrap_kerberos(struct gss_ctx *gctx, plain_out.data = tmpbuf; plain_out.len = bodysize; - if (krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 1, - &cipher_in, &plain_out, 0)) { + if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) { + rawobj_t arc4_keye; + struct crypto_tfm *arc4_tfm; + + cksum.data = token->data + token->len - ke->ke_hash_size; + cksum.len = ke->ke_hash_size; + + if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi, + NULL, 1, &cksum, &arc4_keye)) { + CERROR("failed to obtain arc4 enc key\n"); + GOTO(arc4_out, enc_rc = -EACCES); + } + + arc4_tfm = crypto_alloc_tfm("arc4", CRYPTO_TFM_MODE_ECB); + if (arc4_tfm == NULL) { + CERROR("failed to alloc tfm arc4 in ECB mode\n"); + GOTO(arc4_out_key, enc_rc = -EACCES); + } + + if (crypto_cipher_setkey(arc4_tfm, + arc4_keye.data, arc4_keye.len)) { + CERROR("failed to set arc4 key, len %d\n", + arc4_keye.len); + GOTO(arc4_out_tfm, enc_rc = -EACCES); + } + + enc_rc = krb5_encrypt_rawobjs(arc4_tfm, 1, + 1, &cipher_in, &plain_out, 0); +arc4_out_tfm: + crypto_free_tfm(arc4_tfm); +arc4_out_key: + rawobj_free(&arc4_keye); +arc4_out: + cksum = RAWOBJ_EMPTY; + } else { + enc_rc = krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 0, + 1, &cipher_in, &plain_out, 0); + } + + if (enc_rc != 0) { CERROR("error decrypt\n"); goto out_free; } LASSERT(plain_out.len == bodysize); - /* clear text: + /* expected clear text layout: * ----------------------------------------- * | confounder | clear msgs | krb5 header | * ----------------------------------------- @@ -1018,8 +1153,8 @@ __u32 gss_unwrap_kerberos(struct gss_ctx *gctx, goto out_free; } - msg->len = bodysize - sizeof(*khdr) - blocksize; - memcpy(msg->data, tmpbuf + blocksize, msg->len); + msg->len = bodysize - ke->ke_conf_size - sizeof(*khdr); + memcpy(msg->data, tmpbuf + ke->ke_conf_size, msg->len); rc = GSS_S_COMPLETE; out_free: diff --git a/lustre/utils/gss/context_lucid.c b/lustre/utils/gss/context_lucid.c index 965b123..2f802de 100644 
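Review bot: At `arc4_out:` the hunk resets `cksum = RAWOBJ_EMPTY` because a few lines earlier `cksum.data` was pointed into the caller's `token` buffer to derive the RC4 key; that reset is load-bearing (if the shared `out_free` path frees `cksum`, which I cannot see, it would otherwise free into `token`) and nothing explains it, so add `/* cksum aliased the token buffer above; reset so out_free never frees it */`. As in gss_wrap_kerberos, `arc4_keye` is a per-token cipher key and should be cleared before `rawobj_free()`. Deriving the decryption key from the still-unverified trailing checksum is RFC 4757's design, but it means the later checksum comparison is the only integrity check for this enctype and the RC4 path must never short-circuit it; a one-line comment to that effect near the derivation would protect it. The ladder duplicates the one in wrap almost verbatim, so a `static` helper keyed by `enc` would keep both in step. gss_unwrap_kerberos continues outside the hunk.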
--- a/lustre/utils/gss/context_lucid.c +++ b/lustre/utils/gss/context_lucid.c @@ -436,14 +436,25 @@ prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx, goto out_err; /* Kc */ - if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, - &derived_key, - KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) - goto out_err; - if (write_bytes(&p, end, derived_key.data, - derived_key.length)) - goto out_err; - free(derived_key.data); + /* + * RC4 is special, it dosen't need key derivation. Actually + * the Ke is based on plain text. Here we just let all three + * key identical, kernel will handle everything. --ericm + */ + if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) { + if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, + lctx->rfc1964_kd.ctx_key.length)) + goto out_err; + } else { + if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, + &derived_key, + KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) + goto out_err; + if (write_bytes(&p, end, derived_key.data, + derived_key.length)) + goto out_err; + free(derived_key.data); + } } else { gss_krb5_lucid_key_t *keyptr; uint32_t sign_usage, seal_usage; diff --git a/lustre/utils/gss/nfs-utils-1.0.10-lustre.diff b/lustre/utils/gss/nfs-utils-1.0.10-lustre.diff index 51ed636..95f5804 100644 --- a/lustre/utils/gss/nfs-utils-1.0.10-lustre.diff +++ b/lustre/utils/gss/nfs-utils-1.0.10-lustre.diff @@ -1,6 +1,6 @@ diff -rup nfs-utils-1.0.10.orig/configure.in nfs-utils-1.0.10/configure.in --- nfs-utils-1.0.10.orig/configure.in 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/configure.in 2006-11-23 22:06:03.000000000 -0700 ++++ nfs-utils-1.0.10/configure.in 2006-12-04 21:28:43.000000000 -0700 @@ -17,61 +17,14 @@ AC_ARG_WITH(release, RELEASE=$withval, RELEASE=1) 
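Review bot: For `ENCTYPE_ARCFOUR_HMAC` this branch exports the raw session key as Kc (and, per the comment, the same bytes for Ke and Ki) and defers everything to the kernel, but the kernel side of this commit derives the RC4 key as HMAC-MD5(Ki, checksum) from `kc_keyi` exactly as imported, with no key-usage step visible; RFC 4757's encrypt first computes K1 = HMAC-MD5(K, usage), so unless that step happens somewhere not shown, sign and seal share one undifferentiated key in both directions and these tokens will not match what a MIT peer computes. Please make the comment say explicitly where (if anywhere) the usage derivation occurs rather than "kernel will handle everything". Smaller: "dosen't" → "doesn't", and `Ke is based on plain text` reads better as `Ke is derived from the message checksum`.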
@@ -191,7 +191,7 @@ diff -rup nfs-utils-1.0.10.orig/configure.in nfs-utils-1.0.10/configure.in diff -rup nfs-utils-1.0.10.orig/Makefile.am nfs-utils-1.0.10/Makefile.am --- nfs-utils-1.0.10.orig/Makefile.am 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/Makefile.am 2006-11-23 22:06:03.000000000 -0700 ++++ nfs-utils-1.0.10/Makefile.am 2006-12-04 21:28:43.000000000 -0700 @@ -1,6 +1,6 @@ ## Process this file with automake to produce Makefile.in @@ -202,7 +202,7 @@ diff -rup nfs-utils-1.0.10.orig/Makefile.am nfs-utils-1.0.10/Makefile.am diff -rup nfs-utils-1.0.10.orig/utils/gssd/cacheio.c nfs-utils-1.0.10/utils/gssd/cacheio.c --- nfs-utils-1.0.10.orig/utils/gssd/cacheio.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/cacheio.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/cacheio.c 2006-12-04 21:29:29.000000000 -0700 @@ -227,7 +227,8 @@ int qword_get(char **bpp, char *dest, in return -1; while (*bp == ' ') bp++; @@ -215,7 +215,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/cacheio.c nfs-utils-1.0.10/utils/gssd diff -rup nfs-utils-1.0.10.orig/utils/gssd/context.c nfs-utils-1.0.10/utils/gssd/context.c --- nfs-utils-1.0.10.orig/utils/gssd/context.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/context.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/context.c 2006-12-04 21:29:29.000000000 -0700 @@ -33,8 +33,6 @@ #include #include @@ -227,7 +227,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context.c nfs-utils-1.0.10/utils/gssd #include "err_util.h" diff -rup nfs-utils-1.0.10.orig/utils/gssd/context.h nfs-utils-1.0.10/utils/gssd/context.h --- nfs-utils-1.0.10.orig/utils/gssd/context.h 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/context.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/context.h 2006-12-04 21:29:29.000000000 -0700 @@ -31,8 +31,6 @@ #ifndef _CONTEXT_H_ #define _CONTEXT_H_ 
@@ -239,7 +239,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context.h nfs-utils-1.0.10/utils/gssd diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c nfs-utils-1.0.10/utils/gssd/context_lucid.c --- nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/context_lucid.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/context_lucid.c 2006-12-04 21:29:29.000000000 -0700 @@ -41,11 +41,7 @@ #include #include 
@@ -265,7 +265,58 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c nfs-utils-1.0.10/util static int write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key) { -@@ -451,6 +452,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc +@@ -354,6 +355,7 @@ static int + prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx, + gss_buffer_desc *buf) + { ++ static int constant_two = 2; + char *p, *end; + uint32_t v2_flags = 0; + gss_krb5_lucid_key_t enc_key; +@@ -372,7 +374,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc + end = buf->value + MAX_CTX_LEN; + + /* Version 2 */ +- if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err; ++ if (WRITE_BYTES(&p, end, constant_two)) goto out_err; + if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err; + + if (lctx->initiate) +@@ -434,14 +436,25 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc + goto out_err; + + /* Kc */ +- if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, +- &derived_key, +- KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) +- goto out_err; +- if (write_bytes(&p, end, derived_key.data, +- derived_key.length)) +- goto out_err; +- free(derived_key.data); ++ /* ++ * RC4 is special, it dosen't need key derivation. Actually ++ * the Ke is based on plain text. Here we just let all three ++ * key identical, kernel will handle everything. --ericm ++ */ ++ if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) { ++ if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data, ++ lctx->rfc1964_kd.ctx_key.length)) ++ goto out_err; ++ } else { ++ if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key, ++ &derived_key, ++ KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM)) ++ goto out_err; ++ if (write_bytes(&p, end, derived_key.data, ++ derived_key.length)) ++ goto out_err; ++ free(derived_key.data); ++ } + } else { + gss_krb5_lucid_key_t *keyptr; + uint32_t sign_usage, seal_usage; +@@ -451,6 +464,7 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc else keyptr = &lctx->cfx_kd.ctx_key; 
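Review bot: `static int constant_two = 2;` exists only to give `WRITE_BYTES()` an lvalue for the version word (presumably it takes `&arg`/`sizeof arg`); since the kernel reads that word as a `__u32`, pin the wire width with `static const uint32_t lucid_v2_version = 2;` (or whatever the macro permits) instead of a plain `int`, and add `/* lucid export format 2: rfc4121 layout, see kernel gss_import_sec_context_kerberos() */`. The replaced line wrote `lctx->initiate` (0 or 1) where the version belongs, so the kernel's version switch (the `kc_initiate = tmp_uint` / rfc1964 branch visible in this commit's gss_import_sec_context_kerberos) could never see a 2; the fix is right. Because this hunk of the nfs-utils patch mirrors lustre/utils/gss/context_lucid.c, whose hunk in this commit shows only the RC4 branch, please confirm the standalone copy already carries the version change so the two do not drift.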
@@ -273,7 +324,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c nfs-utils-1.0.10/util if (lctx->initiate == 1) { sign_usage = KG_USAGE_INITIATOR_SIGN; seal_usage = KG_USAGE_INITIATOR_SEAL; -@@ -458,6 +460,19 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc +@@ -458,6 +472,19 @@ prepare_krb5_rfc4121_buffer(gss_krb5_luc sign_usage = KG_USAGE_ACCEPTOR_SIGN; seal_usage = KG_USAGE_ACCEPTOR_SEAL; } @@ -295,7 +346,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_lucid.c nfs-utils-1.0.10/util diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_mit.c nfs-utils-1.0.10/utils/gssd/context_mit.c --- nfs-utils-1.0.10.orig/utils/gssd/context_mit.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/context_mit.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/context_mit.c 2006-12-04 21:29:29.000000000 -0700 @@ -39,7 +39,6 @@ #include #include @@ -320,7 +371,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_mit.c nfs-utils-1.0.10/utils/ /* Only applicable flag for this is initiator */ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_spkm3.c nfs-utils-1.0.10/utils/gssd/context_spkm3.c --- nfs-utils-1.0.10.orig/utils/gssd/context_spkm3.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/context_spkm3.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/context_spkm3.c 2006-12-04 21:29:29.000000000 -0700 @@ -33,8 +33,6 @@ #include #include @@ -332,7 +383,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/context_spkm3.c nfs-utils-1.0.10/util #include "err_util.h" diff -rup nfs-utils-1.0.10.orig/utils/gssd/err_util.c nfs-utils-1.0.10/utils/gssd/err_util.c --- nfs-utils-1.0.10.orig/utils/gssd/err_util.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/err_util.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/err_util.c 2006-12-04 21:29:29.000000000 -0700 @@ -32,6 +32,8 @@ #include #include 
@@ -385,7 +436,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/err_util.c nfs-utils-1.0.10/utils/gss + diff -rup nfs-utils-1.0.10.orig/utils/gssd/err_util.h nfs-utils-1.0.10/utils/gssd/err_util.h --- nfs-utils-1.0.10.orig/utils/gssd/err_util.h 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/err_util.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/err_util.h 2006-12-04 21:29:29.000000000 -0700 @@ -33,5 +33,6 @@ void initerr(char *progname, int verbosity, int fg); @@ -395,7 +446,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/err_util.h nfs-utils-1.0.10/utils/gss #endif /* _ERR_UTIL_H_ */ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_clnt_send_err.c nfs-utils-1.0.10/utils/gssd/gss_clnt_send_err.c --- nfs-utils-1.0.10.orig/utils/gssd/gss_clnt_send_err.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/gss_clnt_send_err.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gss_clnt_send_err.c 2006-12-04 21:29:29.000000000 -0700 @@ -47,6 +47,7 @@ #include "gssd.h" #include "write_bytes.h" @@ -411,7 +462,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_clnt_send_err.c nfs-utils-1.0.10/ +#endif diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd.c nfs-utils-1.0.10/utils/gssd/gssd.c --- nfs-utils-1.0.10.orig/utils/gssd/gssd.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/gssd.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gssd.c 2006-12-04 21:29:29.000000000 -0700 @@ -38,9 +38,12 @@ #include "config.h" @@ -636,7 +687,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd.c nfs-utils-1.0.10/utils/gssd/gs } diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd.h nfs-utils-1.0.10/utils/gssd/gssd.h --- nfs-utils-1.0.10.orig/utils/gssd/gssd.h 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/gssd.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gssd.h 2006-12-04 21:29:29.000000000 -0700 
@@ -48,8 +48,13 @@ #define GSSD_DEFAULT_CRED_PREFIX "krb5cc_" #define GSSD_DEFAULT_MACHINE_CRED_SUFFIX "machine" @@ -694,7 +745,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd.h nfs-utils-1.0.10/utils/gssd/gs #endif /* _RPC_GSSD_H_ */ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd_main_loop.c nfs-utils-1.0.10/utils/gssd/gssd_main_loop.c --- nfs-utils-1.0.10.orig/utils/gssd/gssd_main_loop.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/gssd_main_loop.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gssd_main_loop.c 2006-12-04 21:29:29.000000000 -0700 @@ -94,11 +94,13 @@ scan_poll_results(int ret) }; @@ -766,7 +817,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd_main_loop.c nfs-utils-1.0.10/uti } diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd_proc.c nfs-utils-1.0.10/utils/gssd/gssd_proc.c --- nfs-utils-1.0.10.orig/utils/gssd/gssd_proc.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/gssd_proc.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gssd_proc.c 2006-12-04 21:29:29.000000000 -0700 @@ -43,7 +43,6 @@ #endif #include "config.h" @@ -1570,7 +1621,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gssd_proc.c nfs-utils-1.0.10/utils/gs } diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_util.c nfs-utils-1.0.10/utils/gssd/gss_util.c --- nfs-utils-1.0.10.orig/utils/gssd/gss_util.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/gss_util.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gss_util.c 2006-12-04 21:29:29.000000000 -0700 @@ -87,9 +87,16 @@ #ifdef HAVE_COM_ERR_H #include 
@@ -1736,7 +1787,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_util.c nfs-utils-1.0.10/utils/gss int gssd_check_mechs(void) diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_util.h nfs-utils-1.0.10/utils/gssd/gss_util.h --- nfs-utils-1.0.10.orig/utils/gssd/gss_util.h 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/gss_util.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/gss_util.h 2006-12-04 21:29:29.000000000 -0700 @@ -32,12 +32,10 @@ #define _GSS_UTIL_H_ @@ -1752,7 +1803,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/gss_util.h nfs-utils-1.0.10/utils/gss int gssd_check_mechs(void); diff -rup nfs-utils-1.0.10.orig/utils/gssd/krb5_util.c nfs-utils-1.0.10/utils/gssd/krb5_util.c --- nfs-utils-1.0.10.orig/utils/gssd/krb5_util.c 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/krb5_util.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/krb5_util.c 2006-12-04 21:29:29.000000000 -0700 @@ -99,12 +99,14 @@ #include #include @@ -2235,7 +2286,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/krb5_util.c nfs-utils-1.0.10/utils/gs * Obtain supported enctypes from kernel. diff -rup nfs-utils-1.0.10.orig/utils/gssd/krb5_util.h nfs-utils-1.0.10/utils/gssd/krb5_util.h --- nfs-utils-1.0.10.orig/utils/gssd/krb5_util.h 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/krb5_util.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/krb5_util.h 2006-12-04 21:29:29.000000000 -0700 @@ -10,13 +10,15 @@ struct gssd_k5_kt_princ { struct gssd_k5_kt_princ *next; 
@@ -2289,10 +2340,9 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/krb5_util.h nfs-utils-1.0.10/utils/gs + #endif /* KRB5_UTIL_H */ -Only in nfs-utils-1.0.10/utils/gssd: l_idmap.c diff -rup nfs-utils-1.0.10.orig/utils/gssd/lsupport.c nfs-utils-1.0.10/utils/gssd/lsupport.c --- nfs-utils-1.0.10.orig/utils/gssd/lsupport.c 2006-11-15 21:41:25.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/lsupport.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/lsupport.c 2006-12-04 21:29:29.000000000 -0700 @@ -0,0 +1,782 @@ +/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*- + * vim:expandtab:shiftwidth=8:tabstop=8: @@ -3078,7 +3128,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/lsupport.c nfs-utils-1.0.10/utils/gss + diff -rup nfs-utils-1.0.10.orig/utils/gssd/lsupport.h nfs-utils-1.0.10/utils/gssd/lsupport.h --- nfs-utils-1.0.10.orig/utils/gssd/lsupport.h 2006-11-15 21:41:23.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/lsupport.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/lsupport.h 2006-12-04 21:29:29.000000000 -0700 @@ -0,0 +1,89 @@ +/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*- + * vim:expandtab:shiftwidth=8:tabstop=8: @@ -3171,7 +3221,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/lsupport.h nfs-utils-1.0.10/utils/gss +#endif /* __LIBCFS_H__ */ diff -rup nfs-utils-1.0.10.orig/utils/gssd/Makefile.am nfs-utils-1.0.10/utils/gssd/Makefile.am --- nfs-utils-1.0.10.orig/utils/gssd/Makefile.am 2006-11-15 21:26:08.000000000 -0700 -+++ nfs-utils-1.0.10/utils/gssd/Makefile.am 2006-11-23 22:06:03.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/Makefile.am 2006-12-04 21:28:43.000000000 -0700 @@ -1,17 +1,11 @@ ## Process this file with automake to produce Makefile.in 
@@ -3279,7 +3329,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/Makefile.am nfs-utils-1.0.10/utils/gs - diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd.c nfs-utils-1.0.10/utils/gssd/svcgssd.c --- nfs-utils-1.0.10.orig/utils/gssd/svcgssd.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/svcgssd.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/svcgssd.c 2006-12-04 21:29:29.000000000 -0700 @@ -43,7 +43,6 @@ #include #include @@ -3400,7 +3450,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd.c nfs-utils-1.0.10/utils/gssd } diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd.h nfs-utils-1.0.10/utils/gssd/svcgssd.h --- nfs-utils-1.0.10.orig/utils/gssd/svcgssd.h 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/svcgssd.h 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/svcgssd.h 2006-12-04 21:29:29.000000000 -0700 @@ -35,9 +35,20 @@ #include #include @@ -3427,7 +3477,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd.h nfs-utils-1.0.10/utils/gssd #endif /* _RPC_SVCGSSD_H_ */ diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd_main_loop.c nfs-utils-1.0.10/utils/gssd/svcgssd_main_loop.c --- nfs-utils-1.0.10.orig/utils/gssd/svcgssd_main_loop.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/svcgssd_main_loop.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/svcgssd_main_loop.c 2006-12-04 21:29:29.000000000 -0700 @@ -46,46 +46,66 @@ #include "svcgssd.h" #include "err_util.h" @@ -3518,7 +3568,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd_main_loop.c nfs-utils-1.0.10/ } diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd_proc.c nfs-utils-1.0.10/utils/gssd/svcgssd_proc.c --- nfs-utils-1.0.10.orig/utils/gssd/svcgssd_proc.c 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/gssd/svcgssd_proc.c 2006-11-23 22:06:17.000000000 -0700 ++++ nfs-utils-1.0.10/utils/gssd/svcgssd_proc.c 2006-12-04 21:29:29.000000000 -0700 
@@ -35,7 +35,6 @@ #include @@ -3850,7 +3900,7 @@ diff -rup nfs-utils-1.0.10.orig/utils/gssd/svcgssd_proc.c nfs-utils-1.0.10/utils if (ctx != GSS_C_NO_CONTEXT) diff -rup nfs-utils-1.0.10.orig/utils/Makefile.am nfs-utils-1.0.10/utils/Makefile.am --- nfs-utils-1.0.10.orig/utils/Makefile.am 2006-08-07 00:40:50.000000000 -0600 -+++ nfs-utils-1.0.10/utils/Makefile.am 2006-11-23 22:06:03.000000000 -0700 ++++ nfs-utils-1.0.10/utils/Makefile.am 2006-12-04 21:28:43.000000000 -0700 @@ -2,31 +2,6 @@ OPTDIRS = -- 1.8.3.1