[PATCH v1 05/41] SUNRPC: Obscure Kerberos session key

[PATCH v1 00/41] RPCSEC GSS krb5 enhancements · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 01/41] SUNRPC: Add header ifdefs to linux/sunrpc/gss_krb5.h · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 03/41] SUNRPC: Remove .conflen field from struct gss_krb5_enctype · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 02/41] SUNRPC: Remove .blocksize field from struct gss_krb5_enctype · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 04/41] SUNRPC: Improve Kerberos confounder generation · Chuck Lever <cel@kernel.org> · 2023-01-13
Re: [PATCH v1 04/41] SUNRPC: Improve Kerberos confounder generation · Simo Sorce <hidden> · 2023-01-13
Re: [PATCH v1 04/41] SUNRPC: Improve Kerberos confounder generation · Chuck Lever III <chuck.lever@oracle.com> · 2023-01-13
[PATCH v1 05/41] SUNRPC: Obscure Kerberos session key · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 06/41] SUNRPC: Refactor set-up for aux_cipher · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 07/41] SUNRPC: Obscure Kerberos encryption keys · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 08/41] SUNRPC: Obscure Kerberos signing keys · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 09/41] SUNRPC: Obscure Kerberos integrity keys · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 10/41] SUNRPC: Refactor the GSS-API Per Message calls in the Kerberos mechanism · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 11/41] SUNRPC: Remove another switch on ctx->enctype · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 12/41] SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 13/41] NFSD: Replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 14/41] SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 15/41] SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 16/41] SUNRPC: Remove ->encrypt and ->decrypt methods from struct gss_krb5_enctype · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 17/41] SUNRPC: Rename .encrypt_v2 and .decrypt_v2 methods · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 18/41] SUNRPC: Hoist KDF into struct gss_krb5_enctype · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 19/41] SUNRPC: Clean up cipher set up for v1 encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 20/41] SUNRPC: Parametrize the key length passed to context_v2_alloc_cipher() · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 21/41] SUNRPC: Add new subkey length fields · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 22/41] SUNRPC: Refactor CBC with CTS into helpers · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 23/41] SUNRPC: Add gk5e definitions for RFC 8009 encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 24/41] SUNRPC: Add KDF-HMAC-SHA2 · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 25/41] SUNRPC: Add RFC 8009 encryption and decryption functions · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 26/41] SUNRPC: Advertise support for RFC 8009 encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 27/41] SUNRPC: Support the Camellia enctypes · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 28/41] SUNRPC: Add KDF_FEEDBACK_CMAC · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 29/41] SUNRPC: Advertise support for the Camellia encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 30/41] SUNRPC: Move remaining internal definitions to gss_krb5_internal.h · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 31/41] SUNRPC: Add KUnit tests for rpcsec_krb5.ko · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 32/41] SUNRPC: Export get_gss_krb5_enctype() · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 33/41] SUNRPC: Add KUnit tests RFC 3961 Key Derivation · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 34/41] SUNRPC: Add Kunit tests for RFC 3962-defined encryption/decryption · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 37/41] SUNRPC: Add encryption KUnit tests for the RFC 6803 encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 36/41] SUNRPC: Add checksum KUnit tests for the RFC 6803 encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 35/41] SUNRPC: Add KDF KUnit tests for the RFC 6803 encryption types · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 38/41] SUNRPC: Add KDF-HMAC-SHA2 Kunit tests · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 39/41] SUNRPC: Add RFC 8009 checksum KUnit tests · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 40/41] SUNRPC: Add RFC 8009 encryption KUnit tests · Chuck Lever <cel@kernel.org> · 2023-01-13
[PATCH v1 41/41] SUNRPC: Add encryption self-tests · Chuck Lever <cel@kernel.org> · 2023-01-13

STALE1248d REVIEWED: 1 (0M)

Revisions (2)

2023-01-13 v1 current
2023-01-15 v2 [diff vs current]

From: Chuck Lever <cel@kernel.org>
Date: 2023-01-13 15:29:04
Subsystem: kernel nfsd, sunrpc, and lockd servers, networking [general], nfs, sunrpc, and lockd clients, the rest · Maintainers: Chuck Lever, Jeff Layton, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Trond Myklebust, Anna Schumaker, Linus Torvalds

From: Chuck Lever <chuck.lever@oracle.com>

ctx->Ksess is never used after import has completed. Obscure it
immediately so it cannot be re-used or copied.

Tested-by: Scott Mayhew <redacted>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/auth_gss/gss_krb5_mech.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 6d59794c9b69..9b489f7f2720 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c

@@ -550,6 +550,7 @@ gss_import_sec_context_kerberos(const void *p, size_t len,
 		ret = gss_import_v1_context(p, end, ctx);
 	else
 		ret = gss_import_v2_context(p, end, ctx, gfp_mask);
+	memzero_explicit(&ctx->Ksess, sizeof(ctx->Ksess));
 	if (ret) {
 		kfree(ctx);
 		return ret;

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help