[PATCH 00/28] New enctype support for gss_krb5
Kevin Coffman
kwc at citi.umich.edu
Mon Mar 31 10:30:53 EDT 2008
This set of patches adds kernel support for triple-DES (des3-cbc-sha1),
arcfour (rc4-hmac), and AES (aes128-cts, aes256-cts) encryption to the
kernel's Kerberos gss code.
These are currently built on 2.6.25-rc6, but I think they should apply
to the latest code as well.
The first patch adds a crypto cts wrapper to do the cts mode req'd by
AES. This has been accepted by Herbert Xu, and is queued up in his
linux-crypto patches.
The next couple have already been queued up in Bruce's tree.
The remaining issue is to implement the code necessary to handle the
possibility of rotated data in the version two tokens. I don't expect
we'll see rotated data in normal operation, but this should be
done eventually for completeness.
There are two nfs-utils patches required with this. The first reads
and parses the list of kernel supported enctypes. The second
implements the new context format from user-land to kernel.
I will include these in a new set of CITI nfs-utils patches RSN.
------------------
Note: for AES support, the following patch for MIT Kerberos is needed
to get the right key when there is an acceptor_subkey. [mea culpa]
This fix is scheduled to be included in MIT release 1.6.4, currently
in beta testing.
This patch should also apply to releases 1.4.0 to 1.6.3.
Index: src/lib/gssapi/krb5/lucid_context.c
===================================================================
--- src/lib/gssapi/krb5/lucid_context.c (revision 20174)
+++ src/lib/gssapi/krb5/lucid_context.c (revision 20175)
@@ -231,7 +231,7 @@
&lctx->cfx_kd.ctx_key)))
goto error_out;
if (gctx->have_acceptor_subkey) {
- if ((retval = copy_keyblock_to_lucid_key(gctx->enc,
+ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
&lctx->cfx_kd.acceptor_subkey)))
goto error_out;
lctx->cfx_kd.have_acceptor_subkey = 1;
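Review bot: the corrected source keyblock now matches its destination: `gctx->acceptor_subkey` is copied into `lctx->cfx_kd.acceptor_subkey` instead of `gctx->enc`, the context key already exported into `lctx->cfx_kd.ctx_key` just above. Before this one-word change the lucid context carried two identical keys whenever `have_acceptor_subkey` was set, so a consumer of the exported context (the kernel AES path this series adds) would unwrap with the wrong key, which is exactly the failure described in the cover note. Worth adding a regression test that exports a lucid context from an AES context with an acceptor subkey and asserts that `acceptor_subkey` differs from `ctx_key`, since the old behaviour fails silently rather than with an error.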
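The rotated-data case the cover letter leaves for later is the RRC (right rotation count) field of RFC 4121 version-2 wrap tokens: a sender may rotate the token body right by RRC bytes so it can encrypt in place, and the receiver has to rotate it back left, modulo the body length, before unwrapping. The block below is an example added here; it is not code from this patch series, from MIT Kerberos or from the kernel. It shows the receiver-side unrotation with the length checks a kernel consumer of untrusted tokens needs, plus a sender-side rotation used only to build test tokens. The header layout (16-byte header, big-endian RRC at offset 6, TOK_ID 0x0504 for a wrap token) is taken from RFC 4121; the function names and the test vectors are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 4121 v2 wrap token header: TOK_ID(2) Flags(1) Filler(1) EC(2)
 * RRC(2) SND_SEQ(8) = 16 bytes. RRC is big-endian at offset 6. */
#define GSS_KRB5_TOK_HDR_LEN 16
#define GSS_KRB5_RRC_OFFSET  6

/* In-place reversal, the building block of the three-reversal rotation. */
static void reverse_bytes(uint8_t *p, size_t len)
{
    for (size_t i = 0, j = len; i + 1 < j; i++, j--) {
        uint8_t t = p[i];
        p[i] = p[j - 1];
        p[j - 1] = t;
    }
}

/* Rotate buf left by n bytes without scratch memory; requires n < len. */
static void rotate_left(uint8_t *buf, size_t len, size_t n)
{
    reverse_bytes(buf, n);
    reverse_bytes(buf + n, len - n);
    reverse_bytes(buf, len);
}

static unsigned read_rrc(const uint8_t *token)
{
    return ((unsigned)token[GSS_KRB5_RRC_OFFSET] << 8)
         | token[GSS_KRB5_RRC_OFFSET + 1];
}

/* Receiver side: undo the sender's right rotation of the token body.
 * Returns 0 on success, -1 if the token cannot even hold its header. */
int gss_krb5_unrotate_v2_body(uint8_t *token, size_t token_len)
{
    if (token == NULL || token_len < GSS_KRB5_TOK_HDR_LEN)
        return -1;
    size_t body_len = token_len - GSS_KRB5_TOK_HDR_LEN;
    if (body_len == 0)
        return 0;
    /* RRC is untrusted and may exceed the body; rotation is modulo body_len. */
    size_t n = read_rrc(token) % body_len;
    if (n == 0)
        return 0; /* the common case: sender did not rotate */
    rotate_left(token + GSS_KRB5_TOK_HDR_LEN, body_len, n);
    return 0;
}

/* Sender side, used here only to build test tokens: rotate the body right
 * by rrc bytes and record rrc in the header. */
int gss_krb5_rotate_v2_body_right(uint8_t *token, size_t token_len, unsigned rrc)
{
    if (token == NULL || token_len < GSS_KRB5_TOK_HDR_LEN || rrc > 0xffff)
        return -1;
    token[GSS_KRB5_RRC_OFFSET] = (uint8_t)(rrc >> 8);
    token[GSS_KRB5_RRC_OFFSET + 1] = (uint8_t)rrc;
    size_t body_len = token_len - GSS_KRB5_TOK_HDR_LEN;
    if (body_len == 0)
        return 0;
    size_t n = rrc % body_len;
    if (n == 0)
        return 0;
    /* a right rotation by n is a left rotation by body_len - n */
    rotate_left(token + GSS_KRB5_TOK_HDR_LEN, body_len, body_len - n);
    return 0;
}

/* Constructed vector: header with RRC = 3, body "FGHABCDE" (which is
 * "ABCDEFGH" rotated right by 3). Returns 1 if unrotation restores it. */
int check_known_vector(void)
{
    uint8_t token[GSS_KRB5_TOK_HDR_LEN + 8] = {0};
    token[0] = 0x05; token[1] = 0x04;        /* TOK_ID of a v2 wrap token */
    token[GSS_KRB5_RRC_OFFSET + 1] = 3;      /* RRC = 3 */
    memcpy(token + GSS_KRB5_TOK_HDR_LEN, "FGHABCDE", 8);
    if (gss_krb5_unrotate_v2_body(token, sizeof token) != 0)
        return 0;
    return memcmp(token + GSS_KRB5_TOK_HDR_LEN, "ABCDEFGH", 8) == 0;
}

/* Constructed round trip with a body of distinct bytes (body_len <= 26).
 * Returns 1 if rotation changed the body exactly when rrc % body_len != 0
 * and unrotation restored it, including an RRC larger than the body. */
int check_roundtrip(unsigned rrc, size_t body_len)
{
    uint8_t token[64], orig[64];
    if (body_len > 26)
        return 0;
    size_t token_len = GSS_KRB5_TOK_HDR_LEN + body_len;
    memset(token, 0, sizeof token);
    for (size_t i = 0; i < body_len; i++)
        token[GSS_KRB5_TOK_HDR_LEN + i] = (uint8_t)('A' + i);
    memcpy(orig, token, token_len);
    if (gss_krb5_rotate_v2_body_right(token, token_len, rrc) != 0)
        return 0;
    int changed = memcmp(token + GSS_KRB5_TOK_HDR_LEN,
                         orig + GSS_KRB5_TOK_HDR_LEN, body_len) != 0;
    int expect_changed = body_len > 1 && rrc % body_len != 0;
    if (changed != expect_changed)
        return 0;
    if (gss_krb5_unrotate_v2_body(token, token_len) != 0)
        return 0;
    return memcmp(token + GSS_KRB5_TOK_HDR_LEN,
                  orig + GSS_KRB5_TOK_HDR_LEN, body_len) == 0;
}

int main(void)
{
    printf("known vector: %s\n", check_known_vector() ? "ok" : "FAIL");
    printf("roundtrip rrc=45 len=20: %s\n", check_roundtrip(45, 20) ? "ok" : "FAIL");
    return 0;
}
```

The reduction of RRC modulo the body length and the up-front header-length check are the two places where a receiver handling tokens from the network must not trust the sender; a kernel implementation would rotate over a scatterlist rather than a flat buffer, but the arithmetic is the same.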