From 24dccbbdf7a2d8c411fe68ff6d8659750be7a421 Mon Sep 17 00:00:00 2001
From: Thomas Stibor
Date: Mon, 26 Nov 2012 16:13:08 +0100
Subject: [PATCH 1/1] LU-2384 kerberos: Support for MIT-kerberos >=1.8.X is broken
Since version 1.8.X the function signature for deriving cryptographic keys of the MIT-kerberos library: krb5_derive_key(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, krb5_keyblock *outkey, const krb5_data *in_constant) is changed in: krb5int_derive_key(const struct krb5_enc_provider *enc, krb5_key inkey, krb5_key *outkey, const krb5_data *in_constant) The kerberos support for lustre thus is not working anymore with current linux distributions supporting MIT-kerberos library >= 1.8.X.
Signed-off-by: Andrew Korty
Change-Id: I35e85a15e7fd846df6d63d430d7ac98ec53d7c56
Reviewed-on: http://review.whamcloud.com/4672
Tested-by: Hudson
Reviewed-by: Andreas Dilger
Reviewed-by: Keith Mannthey
Tested-by: Maloo
Reviewed-by: Fan Yong
---
 lustre/autoconf/kerberos5.m4 | 4 +++
 lustre/utils/gss/context.h | 7 ++++++
 lustre/utils/gss/context_lucid.c | 53 ++++++++++++++++++++++++++++++++++------
 3 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/lustre/autoconf/kerberos5.m4 b/lustre/autoconf/kerberos5.m4
index 05c2ee3..4aaffae 100644
--- a/lustre/autoconf/kerberos5.m4
+++ b/lustre/autoconf/kerberos5.m4
@@ -102,6 +102,10 @@ AC_DEFUN([AC_KERBEROS_V5],[
 AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless, AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
 
+ dnl Check for krb5int_derive_key
+ AC_CHECK_LIB($gssapi_lib, krb5int_derive_key,
+ AC_DEFINE(HAVE_KRB5INT_DERIVE_KEY, 1, [Define this if the function krb5int_derive_key is available]), ,$KRBLIBS)
+
 dnl If they specified a directory and it didn't work, give them a warning
 if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
 AC_MSG_WARN(Using $KRBDIR instead of requested value of $krb5_with for Kerberos!)
diff --git a/lustre/utils/gss/context.h b/lustre/utils/gss/context.h
index 8243f5d..369cfea 100644
--- a/lustre/utils/gss/context.h
+++ b/lustre/utils/gss/context.h
@@ -39,6 +39,13 @@
 #define KRB5_CTX_FLAG_CFX 0x00000002
 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY 0x00000004
 
+#if HAVE_KRB5INT_DERIVE_KEY
+extern int krb5int_derive_key();
+extern int krb5_k_create_key();
+#else /* !HAVE_KRB5INT_DERIVE_KEY */
+extern int krb5_derive_key();
+#endif
+
 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf, gss_OID mech);
 int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
diff --git a/lustre/utils/gss/context_lucid.c b/lustre/utils/gss/context_lucid.c
index 6c5e672..f64f49b 100644
--- a/lustre/utils/gss/context_lucid.c
+++ b/lustre/utils/gss/context_lucid.c
@@ -208,7 +208,15 @@ extern void krb5int_enc_arcfour;
 extern void krb5int_enc_des3;
 extern void krb5int_enc_aes128;
 extern void krb5int_enc_aes256;
-extern int krb5_derive_key();
+#if HAVE_KRB5INT_DERIVE_KEY
+/* Taken from crypto_int.h */
+enum deriv_alg {
+ DERIVE_RFC3961, /* RFC 3961 section 5.1 */
+#ifdef CAMELLIA
+ DERIVE_SP800_108_CMAC, /* NIST SP 800-108 with CMAC as PRF */
+#endif
+};
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
 
 static void
 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
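Review bot: The new `AC_CHECK_LIB($gssapi_lib, krb5int_derive_key, ...)` only proves that the symbol links; it says nothing about its argument list, and krb5int_-prefixed functions are library-private with no public header, so configure is the one place a mismatch could be caught early. That matters here because the commit description quotes a four-argument krb5int_derive_key while the new call in context_lucid.c passes a fifth argument (DERIVE_RFC3961), and the `extern int krb5int_derive_key();` declaration added to context.h leaves the compiler unable to check either. A comment should at least record the caveat: `dnl krb5int_derive_key is a private MIT symbol with no public prototype; this only checks that it links, not its argument list`. If a stronger check is wanted, an AC_LINK_IFELSE test program calling it with the five arguments used in context_lucid.c would pin the expected signature.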
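Review bot: `extern int krb5int_derive_key();` and `extern int krb5_k_create_key();` are declared without prototypes, so any argument count or type is accepted at every call site and the return type is asserted to be int rather than krb5_error_code. In the MIT releases this targets krb5_k_create_key is a public function declared in <krb5.h>, so redeclaring it here is unnecessary and, should krb5_error_code not be int on some platform while that header is visible in the same translation unit, a conflicting-types error. Prefer a full prototype for the private symbol next to the enum it needs in context_lucid.c, e.g. `extern krb5_error_code krb5int_derive_key(const struct krb5_enc_provider *enc, krb5_key inkey, krb5_key *outkey, const krb5_data *in_constant, int alg);`, and rely on the library header for krb5_k_create_key. The pre-existing `krb5_derive_key()` branch has the same unprototyped style and is kept by this change.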
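Review bot: The copied `enum deriv_alg` keeps the `#ifdef CAMELLIA` member, but CAMELLIA is evaluated here against this project's defines rather than the library build the enum was copied from, so the copy can silently differ from the library's layout. Only `DERIVE_RFC3961` is passed in the derive call further down, and as the first enumerator its value is 0 regardless of the conditional member, so this is harmless today but worth stating: `/* Only DERIVE_RFC3961 (== 0) is used below; the CAMELLIA member mirrors the library's private crypto_int.h and has no effect here. */`. Because crypto_int.h is not an installed header, the comment should also name the MIT release the enum was copied from so it can be re-synced later.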
@@ -257,8 +265,13 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 int keylength;
 void *enc;
 krb5_keyblock kin, kout; /* must send krb5_keyblock, not lucid! */
-#ifdef HAVE_HEIMDAL
+#if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
 krb5_context kcontext;
+#endif
+#if HAVE_KRB5INT_DERIVE_KEY
+ krb5_key key_in, key_out;
+#endif
+#ifdef HAVE_HEIMDAL
 krb5_keyblock *outkey;
 #endif
@@ -316,12 +329,35 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 ((char *)(datain.data))[4] = (char) extra;
 
 #ifdef HAVE_KRB5
+#if HAVE_KRB5INT_DERIVE_KEY
+ code = krb5_init_context(&kcontext);
+ if (code) {
+ free(out->data);
+ out->data = NULL;
+ goto out;
+ }
+ code = krb5_k_create_key(kcontext, &kin, &key_in);
+ if (code) {
+ free(out->data);
+ out->data = NULL;
+ goto out;
+ }
+ code = krb5_k_create_key(kcontext, &kout, &key_out);
+ if (code) {
+ free(out->data);
+ out->data = NULL;
+ goto out;
+ }
+ code = krb5int_derive_key(enc, key_in, &key_out, &datain,
+ DERIVE_RFC3961);
+#else /* !HAVE_KRB5INT_DERIVE_KEY */
 code = krb5_derive_key(enc, &kin, &kout, &datain);
-#else
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else /* !defined(HAVE_KRB5) */
 if ((code = krb5_init_context(&kcontext))) { }
 code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
-#endif
+#endif /* defined(HAVE_KRB5) */
 if (code) {
 free(out->data);
 out->data = NULL;
@@ -329,14 +365,17 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 }
 
 #ifdef HAVE_KRB5
 key_krb5_to_lucid(&kout, out);
-#else
+#if HAVE_KRB5INT_DERIVE_KEY
+ krb5_free_context(kcontext);
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else /* !defined(HAVE_KRB5) */
 key_krb5_to_lucid(outkey, out);
 krb5_free_keyblock(kcontext, outkey);
 krb5_free_context(kcontext);
-#endif
+#endif /* defined(HAVE_KRB5) */
 out:
- if (code)
+ if (code)
 printerr(0, "ERROR: %s: returning error %d (%s)\n",
 __FUNCTION__, code, error_message(code));
 return (code);
-- 
1.8.3.1
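Review bot: On the new MIT path a failure of either `krb5_k_create_key` call jumps to `out` after `krb5_init_context` has succeeded, and because `krb5_free_context(kcontext)` is only reached on the success path (next hunk), the context and an already created `key_in` are leaked on error. The three identical `if (code) { free(out->data); out->data = NULL; goto out; }` blocks also repeat the common error handler that follows the `#endif`; chaining the steps with `if (!code)` lets that handler run once, and initialising `kcontext`, `key_in` and `key_out` to NULL in the declarations (previous hunk) makes a single release at `out:` safe. Separately, `krb5_k_create_key(kcontext, &kout, &key_out)` creates a key from `kout` and then hands `&key_out` to `krb5int_derive_key` as its output; if the library allocates a fresh key into `*outkey`, which I believe it does but which should be confirmed against the targeted release, that first `key_out` is overwritten and leaked. derive_key_lucid begins and ends outside this hunk.
```c
#ifdef HAVE_KRB5
#if HAVE_KRB5INT_DERIVE_KEY
	code = krb5_init_context(&kcontext);
	if (!code)
		code = krb5_k_create_key(kcontext, &kin, &key_in);
	/* NOTE(review): krb5int_derive_key may allocate *outkey itself;
	 * confirm whether pre-creating key_out from kout is needed at all. */
	if (!code)
		code = krb5_k_create_key(kcontext, &kout, &key_out);
	if (!code)
		code = krb5int_derive_key(enc, key_in, &key_out, &datain,
					  DERIVE_RFC3961);
#else /* !HAVE_KRB5INT_DERIVE_KEY */
	/* … unchanged: krb5_derive_key() call and Heimdal branch … */
```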
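Review bot: Only `krb5_free_context(kcontext)` is added to the new MIT path; `key_in` and `key_out`, created with `krb5_k_create_key` in the previous hunk, are never passed to `krb5_k_free_key`, so each derivation leaks two key objects (and the context as well whenever the error path bypasses this block). Releasing them with `krb5_k_free_key(kcontext, key_in);` and `krb5_k_free_key(kcontext, key_out);` before `krb5_free_context`, or moving all three releases under the `out:` label so the error path is covered too, closes that. Also worth confirming: `key_krb5_to_lucid(&kout, out)` still converts `kout`, while the derive call wrote its result to `key_out`; unless the library writes the derived material back into the keyblock `key_out` was created from, the lucid output does not receive the derived key. derive_key_lucid's body starts outside this hunk.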