Whamcloud - gitweb
LU-12401 gss: fix checksum for Kerberos and SSK 99/35099/7
author Sebastien Buisson <sbuisson@ddn.com>
Fri, 7 Jun 2019 14:45:26 +0000 (23:45 +0900)
committer Oleg Drokin <green@whamcloud.com>
Wed, 17 Jul 2019 06:21:40 +0000 (06:21 +0000)
When computing checksum for Kerberos, krb5 wire token header is
appended to the plain text. Make sure the actual header is appended
in gss_digest_hash().
For interop with older clients, introduce new server side tunable
'sptlrpc.gss.krb5_allow_old_client_csum'. When not set, servers refuse
Kerberos connection from older clients.

In gss_crypt_generic(), protect against an undefined behavior by
switching from memcpy to memmove.

When computing checksum for SSK, make sure the actual token is used
to store the checksum.

Fixes: a21c13d4df ("LU-8602 gss: Properly port gss to newer crypto api.")
Test-Parameters: envdefinitions=SHARED_KEY=true testlist=sanity,recovery-small,sanity-sec
Test-Parameters: envdefinitions=SHARED_KEY=true clientbuildno=6308 clientjob=lustre-reviews-patchless testlist=sanity,recovery-small,sanity-sec
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I0233ada481f132af112bf88c065f5421902c942e
Reviewed-on: https://review.whamcloud.com/35099
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

No differences found