16 Jul, 2011
1 commit
-
Remove the need for an explicit modprobe of rpcsec_gss_krb5.
Signed-off-by: J. Bruce Fields
07 Jun, 2011
1 commit
-
Commit b0b0c0a26e84 "nfsd: add proc file listing kernel's gss_krb5
enctypes" added an unnecessary dependency of nfsd on the auth_rpcgss
module.
It's a little ad hoc, but since the only piece of information nfsd needs
from rpcsec_gss_krb5 is a single static string, one solution is just to
share it with an include file.
Cc: stable@kernel.org
Reported-by: Michael Guntsche
Cc: Kevin Coffman
Signed-off-by: J. Bruce Fields
07 Apr, 2011
1 commit
-
This reverts commit 411b5e05617593efebc06241dbc56f42150f2abe.
Olga Kornievskaia reports:
Problem: linux client mounting linux server using rc4-hmac-md5
enctype. gssd fails with create a context after receiving a reply from
the server.
Diagnose: putting printout statements in the server kernel and
kerberos libraries revealed that client and server derived different
integrity keys.
Server kernel code was at fault due to the commit
[aglo@skydive linux-pnfs]$ git show 411b5e05617593efebc06241dbc56f42150f2abe
Trond: The problem is that since it relies on virt_to_page(), you cannot
call sg_set_buf() for data in the const section.
Reported-by: Olga Kornievskaia
Signed-off-by: Trond Myklebust
Cc: stable@kernel.org [2.6.36+]
12 Mar, 2011
1 commit
-
Make the value in gm_upcall_enctypes just the enctype values.
This allows the values to be used more easily elsewhere.
Signed-off-by: Kevin Coffman
Signed-off-by: Trond Myklebust
27 Oct, 2010
1 commit
-
* 'nfs-for-2.6.37' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6:
net/sunrpc: Use static const char arrays
nfs4: fix channel attribute sanity-checks
NFSv4.1: Use more sensible names for 'initialize_mountpoint'
NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure
NFSv4.1: pnfs: add LAYOUTGET and GETDEVICEINFO infrastructure
NFS: client needs to maintain list of inodes with active layouts
NFS: create and destroy inode's layout cache
NFSv4.1: pnfs: filelayout: introduce minimal file layout driver
NFSv4.1: pnfs: full mount/umount infrastructure
NFS: set layout driver
NFS: ask for layouttypes during v4 fsinfo call
NFS: change stateid to be a union
NFSv4.1: pnfsd, pnfs: protocol level pnfs constants
SUNRPC: define xdr_decode_opaque_fixed
NFSD: remove duplicate NFS4_STATEID_SIZE
26 Oct, 2010
1 commit
-
Signed-off-by: Joe Perches
Signed-off-by: Trond Myklebust
13 Sep, 2010
1 commit
-
krb5 miss returning error to up layer when import security context,
it may be return ok though it has failed to import security context.
Signed-off-by: Bian Naimeng
Signed-off-by: Trond Myklebust
15 May, 2010
16 commits
-
Again, we can deadlock if the memory reclaim triggers a writeback that
requires a rpcsec_gss credential lookup.
Signed-off-by: Trond Myklebust
-
Update the upcall info indicating which Kerberos enctypes
the kernel supports
Signed-off-by: Trond Myklebust
-
Add necessary changes to add kernel support for the rc4-hmac Kerberos
encryption type used by Microsoft and described in rfc4757.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
All encryption types use a confounder at the beginning of the
wrap token. In all encryption types except arcfour-hmac, the
confounder is the same as the blocksize. arcfour-hmac has a
blocksize of one, but uses an eight byte confounder.
Add an entry to the crypto framework definitions for the
confounder length and change the wrap/unwrap code to use
the confounder length rather than assuming it is always
the blocksize.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
This is needed for deriving arcfour-hmac keys "on the fly"
using the sequence number or checksu
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Update upcall info indicating which Kerberos enctypes
the kernel supports
Signed-off-by: Trond Myklebust
-
Add the remaining pieces to enable support for Kerberos AES
encryption types.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Update the upcall info indicating which Kerberos enctypes the kernel
supports.
Signed-off-by: Trond Myklebust
-
Add the final pieces to support the triple-des encryption type.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
The text based upcall now indicates which Kerberos encryption types are
supported by the kernel rpcsecgss code. This is used by gssd to
determine which encryption types it should attempt to negotiate
when creating a context with a server.
The server principal's database and keytab encryption types are
what limits what it should negotiate. Therefore, its keytab
should be created with only the enctypes listed by this file.
Currently we support des-cbc-crc, des-cbc-md4 and des-cbc-md5
Signed-off-by: Trond Myklebust
-
For encryption types other than DES, gssd sends down context information
in a new format. This new format includes the information needed to
support the new Kerberos GSS-API tokens defined in rfc4121.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Import the code to derive Kerberos keys from a base key into the
kernel. This will allow us to change the format of the context
information sent down from gssd to include only a single key.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Encryption types besides DES may use a keyed checksum (hmac).
Modify the make_checksum() function to allow for a key
and take care of enctype-specific processing such as truncating
the resulting hash.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Add enctype framework and change functions to use the generic
values from it rather than the values hard-coded for des.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Prepare for new context format by splitting out the old "v1"
context processing function
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
-
Add encryption type to the krb5 context structure and use it to switch
to the correct functions depending on the encryption type.
Signed-off-by: Kevin Coffman
Signed-off-by: Steve Dickson
Signed-off-by: Trond Myklebust
19 Dec, 2009
1 commit
-
If the context allocation fails, the function currently returns a random
error code, since the variable 'p' still points to a valid memory location.
Ensure that it returns ENOMEM...
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust
10 Jul, 2008
1 commit
-
Since the credentials may be allocated during the call to rpc_new_task(),
which again may be called by a memory allocator...
Signed-off-by: Trond Myklebust
18 Nov, 2007
1 commit
-
Return an error from gss_import_sec_context_kerberos if the
negotiated context contains encryption or checksum types not
supported by the kernel code.
This fixes an Oops because success was assumed and later code found
no internal_ctx_id.
Signed-off-by: Kevin Coffman
Signed-off-by: Trond Myklebust
18 Jul, 2007
1 commit
-
Adds oid values to the gss_api mechanism structures. On the NFSV4 server
side, these are required as part of the security triple (oid,qop,service)
information being sent in the response of the SECINFO operation.
Signed-off-by: Usha Ketineni
Signed-off-by: "J. Bruce Fields"
Signed-off-by: Neil Brown
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
11 Jul, 2007
1 commit
-
Also do the same for gss_api operation tables.
Signed-off-by: Trond Myklebust
04 Feb, 2007
1 commit
-
The tk_pid field is an unsigned short. The proper print format specifier for
that type is %5u, not %4d.
Also clean up some miscellaneous print formatting nits.
Signed-off-by: Chuck Lever
Signed-off-by: Trond Myklebust
06 Dec, 2006
3 commits
-
We're currently not actually using seed or seed_init.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
-
The sealalg is checked in several places, giving the impression it could be
either SEAL_ALG_NONE or SEAL_ALG_DES. But in fact SEAL_ALG_NONE seems to
be sufficient only for making mic's, and all the contexts we get must be
capable of wrapping as well. So the sealalg must be SEAL_ALG_DES. As
with signalg, just check for the right value on the downcall and ignore it
otherwise. Similarly, tighten expectations for the sealalg on incoming
tokens, in case we do support other values eventually.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
-
We designed the krb5 context import without completely understanding the
context. Now it's clear that there are a number of fields that we ignore,
or that we depend on having one single value.
In particular, we only support one value of signalg currently; so let's
check the signalg field in the downcall (in case we decide there's
something else we could support here eventually), but ignore it otherwise.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
03 Dec, 2006
1 commit
-
Signed-off-by: Arnaldo Carvalho de Melo
21 Sep, 2006
1 commit
-
This patch converts SUNRPC/GSS to use the new block cipher type where
applicable.
Signed-off-by: Herbert Xu
22 Jul, 2006
1 commit
-
Signed-off-by: Panagiotis Issaris
Signed-off-by: David S. Miller
27 Jun, 2006
1 commit
-
acquired (aquired)
contiguous (contigious)
successful (succesful, succesfull)
surprise (suprise)
whether (weather)
some other misspellings
Signed-off-by: Andreas Mohr
Signed-off-by: Adrian Bunk
07 Jan, 2006
1 commit
-
Print messages when an unsupported encryption algorithm is requested or
there is an error locating a supported algorithm.
Signed-off-by: Kevin Coffman
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
19 Oct, 2005
3 commits
-
Remove some senseless wrappers.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
-
Not only are the qop parameters that are passed around throughout the gssapi
unused by any currently implemented mechanism, but there appears to be some
doubt as to whether they will ever be used. Let's just kill them off for now.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust
-
Add support for privacy to the krb5 rpcsec_gss mechanism.
Signed-off-by: J. Bruce Fields
Signed-off-by: Trond Myklebust