Fix for NFS mounts with Kerberos (rhbz 1558977)

This commit is contained in:
Jeremy Cline 2018-03-29 09:43:31 -04:00
parent 0e8aa23324
commit 94fa020709
No known key found for this signature in database
GPG Key ID: 9223308FA9B246DB
2 changed files with 60 additions and 0 deletions

View File

@ -626,6 +626,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
# rhbz 1509461 # rhbz 1509461
Patch503: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch Patch503: v3-2-2-Input-synaptics---Lenovo-X1-Carbon-5-should-use-SMBUS-RMI.patch
# rhbz 1558977
Patch504: sunrpc-remove-incorrect-HMAC-request-initialization.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -1875,6 +1878,9 @@ fi
# #
# #
%changelog %changelog
* Thu Mar 29 2018 Jeremy Cline <jeremy@jcline.org>
- Fix for NFS mounts with Kerberos (rhbz 1558977)
* Mon Mar 26 2018 Jeremy Cline <jeremy@jcline.org> - 4.16.0-0.rc7.git0.1 * Mon Mar 26 2018 Jeremy Cline <jeremy@jcline.org> - 4.16.0-0.rc7.git0.1
- Linux v4.16-rc7 - Linux v4.16-rc7

View File

@ -0,0 +1,54 @@
From 5cdbcf4aa78b57c4f10892f20725174829cca191 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Wed, 28 Mar 2018 10:57:22 -0700
Subject: [PATCH] sunrpc: remove incorrect HMAC request initialization
make_checksum_hmac_md5() is allocating an HMAC transform and doing
crypto API calls in the following order:
crypto_ahash_init()
crypto_ahash_setkey()
crypto_ahash_digest()
This is wrong because it makes no sense to init() the request before a
key has been set, given that the initial state depends on the key. And
digest() is short for init() + update() + final(), so in this case
there's no need to explicitly call init() at all.
Before commit 9fa68f620041 ("crypto: hash - prevent using keyed hashes
without setting key") the extra init() had no real effect, at least for
the software HMAC implementation. (There are also hardware drivers that
implement HMAC-MD5, and it's not immediately obvious how gracefully they
handle init() before setkey().) But now the crypto API detects this
incorrect initialization and returns -ENOKEY. This is breaking NFS
mounts in some cases.
Fix it by removing the incorrect call to crypto_ahash_init().
Reported-by: Michael Young <m.a.young@durham.ac.uk>
Fixes: 9fa68f620041 ("crypto: hash - prevent using keyed hashes without setting key")
Fixes: fffdaef2eb4a ("gss_krb5: Add support for rc4-hmac encryption")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jeremy Cline <jeremy@jcline.org>
---
net/sunrpc/auth_gss/gss_krb5_crypto.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index 12649c9fedab..8654494b4d0a 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -237,9 +237,6 @@ make_checksum_hmac_md5(struct krb5_ctx *kctx, char *header, int hdrlen,
ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
- err = crypto_ahash_init(req);
- if (err)
- goto out;
err = crypto_ahash_setkey(hmac_md5, cksumkey, kctx->gk5e->keylength);
if (err)
goto out;
--
2.16.2