]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commit
SUNRPC: Improve Kerberos confounder generation
authorChuck Lever <chuck.lever@oracle.com>
Sun, 15 Jan 2023 17:20:41 +0000 (12:20 -0500)
committerChuck Lever <chuck.lever@oracle.com>
Mon, 20 Feb 2023 14:20:34 +0000 (09:20 -0500)
commit7f675ca7757bfeb70e19d187dc3be44deb836da8
treec996d445c3278bbc23e63ce02410c6e7ca77cdeb
parent4be416a5f2803d421c950cc48e8e0c1eaaa8c773
SUNRPC: Improve Kerberos confounder generation

Other common Kerberos implementations use a fully random confounder
for encryption. The reason for this is explained in the new comment
added by this patch. The current get_random_bytes() implementation
does not exhaust system entropy.

Since confounder generation is part of Kerberos itself rather than
the GSS-API Kerberos mechanism, the function is renamed and moved.

Note that light top-down analysis shows that the SHA-1 transform
is by far the most CPU-intensive part of encryption. Thus we do not
expect this change to result in a significant performance impact.
However, eventually it might be necessary to generate an independent
stream of confounders for each Kerberos context to help improve I/O
parallelism.

Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
include/linux/sunrpc/gss_krb5.h
net/sunrpc/auth_gss/gss_krb5_crypto.c
net/sunrpc/auth_gss/gss_krb5_internal.h [new file with mode: 0644]
net/sunrpc/auth_gss/gss_krb5_mech.c
net/sunrpc/auth_gss/gss_krb5_wrap.c