gss_krb5: Save the raw session key in the context

This is needed for deriving arcfour-hmac keys "on the fly"
using the sequence number or checksu

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index 633f41f..b0ab827 100644 (file)
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -101,6 +101,7 @@ struct krb5_ctx {
        struct crypto_blkcipher *initiator_enc;
        struct crypto_blkcipher *acceptor_enc_aux;
        struct crypto_blkcipher *initiator_enc_aux;
+       u8                      Ksess[GSS_KRB5_MAX_KEYLEN]; /* session key */
        u8                      cksum[GSS_KRB5_MAX_KEYLEN];
        s32                     endtime;
        u32                     seq_send;

diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 506a2e7..893fad7 100644 (file)
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -344,7 +344,7 @@ set_cdata(u8 cdata[GSS_KRB5_K5CLENGTH], u32 usage, u8 seed)
 }
 
 static int
-context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
+context_derive_keys_des3(struct krb5_ctx *ctx)
 {
        struct xdr_netobj c, keyin, keyout;
        u8 cdata[GSS_KRB5_K5CLENGTH];
@@ -353,18 +353,18 @@ context_derive_keys_des3(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
        c.len = GSS_KRB5_K5CLENGTH;
        c.data = cdata;
 
-       keyin.data = rawkey;
-       keyin.len = keylen;
-       keyout.len = keylen;
+       keyin.data = ctx->Ksess;
+       keyin.len = ctx->gk5e->keylength;
+       keyout.len = ctx->gk5e->keylength;
 
        /* seq uses the raw key */
        ctx->seq = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
-                                          rawkey);
+                                          ctx->Ksess);
        if (ctx->seq == NULL)
                goto out_err;
 
        ctx->enc = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
-                                          rawkey);
+                                          ctx->Ksess);
        if (ctx->enc == NULL)
                goto out_free_seq;
 
@@ -389,7 +389,7 @@ out_err:
 }
 
 static int
-context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
+context_derive_keys_new(struct krb5_ctx *ctx)
 {
        struct xdr_netobj c, keyin, keyout;
        u8 cdata[GSS_KRB5_K5CLENGTH];
@@ -398,9 +398,9 @@ context_derive_keys_new(struct krb5_ctx *ctx, u8 *rawkey, u32 keylen)
        c.len = GSS_KRB5_K5CLENGTH;
        c.data = cdata;
 
-       keyin.data = rawkey;
-       keyin.len = keylen;
-       keyout.len = keylen;
+       keyin.data = ctx->Ksess;
+       keyin.len = ctx->gk5e->keylength;
+       keyout.len = ctx->gk5e->keylength;
 
        /* initiator seal encryption */
        set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_ENCRYPTION);
@@ -502,7 +502,6 @@ out_err:
 static int
 gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
 {
-       u8 rawkey[GSS_KRB5_MAX_KEYLEN];
        int keylen;
 
        p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
@@ -538,7 +537,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
        }
        keylen = ctx->gk5e->keylength;
 
-       p = simple_get_bytes(p, end, rawkey, keylen);
+       p = simple_get_bytes(p, end, ctx->Ksess, keylen);
        if (IS_ERR(p))
                goto out_err;
 
@@ -557,10 +556,10 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx)
 
        switch (ctx->enctype) {
        case ENCTYPE_DES3_CBC_RAW:
-               return context_derive_keys_des3(ctx, rawkey, keylen);
+               return context_derive_keys_des3(ctx);
        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-               return context_derive_keys_new(ctx, rawkey, keylen);
+               return context_derive_keys_new(ctx);
        default:
                return -EINVAL;
        }