SUNRPC,RPCSEC_GSS: fix krb5 sequence numbers.
Use a spinlock to ensure unique sequence numbers when creating krb5 gss tokens. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
This commit is contained in:
J. Bruce Fields
Trond Myklebust
parent
096455a22a
commit
eaa82edf20
|
|
@ -53,6 +53,8 @@ struct krb5_ctx {
|
|||
struct xdr_netobj mech_used;
|
||||
};
|
||||
|
||||
extern spinlock_t krb5_seq_lock;
|
||||
|
||||
#define KG_TOK_MIC_MSG 0x0101
|
||||
#define KG_TOK_WRAP_MSG 0x0201
|
||||
|
||||
|
|
|
|||
|
|
@ -70,6 +70,8 @@
|
|||
# define RPCDBG_FACILITY RPCDBG_AUTH
|
||||
#endif
|
||||
|
||||
spinlock_t krb5_seq_lock = SPIN_LOCK_UNLOCKED;
|
||||
|
||||
u32
|
||||
gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
|
||||
struct xdr_netobj *token)
|
||||
|
|
@ -80,6 +82,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
|
|||
struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
|
||||
unsigned char *ptr, *krb5_hdr, *msg_start;
|
||||
s32 now;
|
||||
u32 seq_send;
|
||||
|
||||
dprintk("RPC: gss_krb5_seal\n");
|
||||
|
||||
|
|
@ -134,11 +137,13 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
|
|||
BUG();
|
||||
}
|
||||
|
||||
if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff,
|
||||
ctx->seq_send, krb5_hdr + 16, krb5_hdr + 8)))
|
||||
goto out_err;
|
||||
spin_lock(&krb5_seq_lock);
|
||||
seq_send = ctx->seq_send++;
|
||||
spin_unlock(&krb5_seq_lock);
|
||||
|
||||
ctx->seq_send++;
|
||||
if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff,
|
||||
seq_send, krb5_hdr + 16, krb5_hdr + 8)))
|
||||
goto out_err;
|
||||
|
||||
return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
|
||||
out_err:
|
||||
|
|
|
|||
|
|
@ -128,6 +128,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
|
|||
s32 now;
|
||||
int headlen;
|
||||
struct page **tmp_pages;
|
||||
u32 seq_send;
|
||||
|
||||
dprintk("RPC: gss_wrap_kerberos\n");
|
||||
|
||||
|
|
@ -206,18 +207,20 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
|
|||
BUG();
|
||||
}
|
||||
|
||||
spin_lock(&krb5_seq_lock);
|
||||
seq_send = kctx->seq_send++;
|
||||
spin_unlock(&krb5_seq_lock);
|
||||
|
||||
/* XXX would probably be more efficient to compute checksum
|
||||
* and encrypt at the same time: */
|
||||
if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
|
||||
kctx->seq_send, krb5_hdr + 16, krb5_hdr + 8)))
|
||||
seq_send, krb5_hdr + 16, krb5_hdr + 8)))
|
||||
goto out_err;
|
||||
|
||||
if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
|
||||
pages))
|
||||
goto out_err;
|
||||
|
||||
kctx->seq_send++;
|
||||
|
||||
return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);
|
||||
out_err:
|
||||
return GSS_S_FAILURE;
|
||||
|
|
|
|||
Loading…
Reference in a new issue