From 94fa020709f2a0ec1dfb3628d8021716873f7e88 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Thu, 29 Mar 2018 09:43:31 -0400 Subject: [PATCH] Fix for NFS mounts with Kerberos (rhbz 1558977) --- kernel.spec | 6 +++ ...ncorrect-HMAC-request-initialization.patch | 54 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 sunrpc-remove-incorrect-HMAC-request-initialization.patch diff --git a/kernel.spec b/kernel.spec index 41a5d9bec..359142234 100644 --- a/kernel.spec +++ b/kernel.spec @@ -626,6 +626,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch # rhbz 1509461 Patch503: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch +# rhbz 1558977 +Patch504: sunrpc-remove-incorrect-HMAC-request-initialization.patch + # END OF PATCH DEFINITIONS %endif @@ -1875,6 +1878,9 @@ fi # # %changelog +* Thu Mar 29 2018 Jeremy Cline +- Fix for NFS mounts with Kerberos (rhbz 1558977) + * Mon Mar 26 2018 Jeremy Cline - 4.16.0-0.rc7.git0.1 - Linux v4.16-rc7 diff --git a/sunrpc-remove-incorrect-HMAC-request-initialization.patch b/sunrpc-remove-incorrect-HMAC-request-initialization.patch new file mode 100644 index 000000000..c31bb73bb --- /dev/null +++ b/sunrpc-remove-incorrect-HMAC-request-initialization.patch 
@@ -0,0 +1,54 @@ +From 5cdbcf4aa78b57c4f10892f20725174829cca191 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 28 Mar 2018 10:57:22 -0700 +Subject: [PATCH] sunrpc: remove incorrect HMAC request initialization + +make_checksum_hmac_md5() is allocating an HMAC transform and doing +crypto API calls in the following order: + + crypto_ahash_init() + crypto_ahash_setkey() + crypto_ahash_digest() + +This is wrong because it makes no sense to init() the request before a +key has been set, given that the initial state depends on the key. And +digest() is short for init() + update() + final(), so in this case +there's no need to explicitly call init() at all. + +Before commit 9fa68f620041 ("crypto: hash - prevent using keyed hashes +without setting key") the extra init() had no real effect, at least for +the software HMAC implementation. (There are also hardware drivers that +implement HMAC-MD5, and it's not immediately obvious how gracefully they +handle init() before setkey().) But now the crypto API detects this +incorrect initialization and returns -ENOKEY. This is breaking NFS +mounts in some cases. + +Fix it by removing the incorrect call to crypto_ahash_init(). 
+ +Reported-by: Michael Young +Fixes: 9fa68f620041 ("crypto: hash - prevent using keyed hashes without setting key") +Fixes: fffdaef2eb4a ("gss_krb5: Add support for rc4-hmac encryption") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Jeremy Cline +--- + net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c +index 12649c9fedab..8654494b4d0a 100644 +--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c ++++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c +@@ -237,9 +237,6 @@ make_checksum_hmac_md5(struct krb5_ctx *kctx, char *header, int hdrlen, + + ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); + +- err = crypto_ahash_init(req); +- if (err) +- goto out; + err = crypto_ahash_setkey(hmac_md5, cksumkey, kctx->gk5e->keylength); + if (err) + goto out; +-- +2.16.2 +
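Review bot: In the kernel.spec hunk at @@ -626,6 +626,9, the comment above Patch504 records only the bug number (# rhbz 1558977) and says nothing about the upstream status of the fix. The carried patch has Cc: stable@vger.kernel.org and two Fixes: tags, so it is expected to arrive through a later rebase. A short remark beside Patch504 saying it should be dropped once the upstream commit is part of the base version would keep it from lingering or failing to apply after that rebase.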
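Review bot: In the %changelog hunk at @@ -1875,6 +1878,9, the new entry header carries no version-release, unlike the 4.16.0-0.rc7.git0.1 entry directly below it, and nothing in this diff bumps the release. If the fix is meant to ship as its own build, add the version-release to the header together with the matching release bump. If it is meant to ride along with the next build, the entry is fine as written.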
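Review bot: In the gss_krb5_crypto.c hunk at @@ -237,9 +237,6, only make_checksum_hmac_md5() is changed, and the commit message does not say whether any other keyed-hash caller in this file was checked for the same init()-before-setkey() order. Since the message states that the crypto API now returns -ENOKEY for that ordering, it would help to note in the message that the remaining callers set the key first, or to fix them in the same patch. With the three removed lines gone, the err check after crypto_ahash_setkey() is the first error path in this span, which matches the setkey() then digest() order the message describes.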