git.proxmox.com Git - mirror_ubuntu-kernels.git/commit

author	Chuck Lever <chuck.lever@oracle.com>
	Sun, 15 Jan 2023 17:20:41 +0000 (12:20 -0500)
committer	Chuck Lever <chuck.lever@oracle.com>
	Mon, 20 Feb 2023 14:20:34 +0000 (09:20 -0500)
commit	7f675ca7757bfeb70e19d187dc3be44deb836da8
tree	c996d445c3278bbc23e63ce02410c6e7ca77cdeb	tree
parent	4be416a5f2803d421c950cc48e8e0c1eaaa8c773	commit \| diff

SUNRPC: Improve Kerberos confounder generation

Other common Kerberos implementations use a fully random confounder
for encryption. The reason for this is explained in the new comment
added by this patch. The current get_random_bytes() implementation
does not exhaust system entropy.

Since confounder generation is part of Kerberos itself rather than
the GSS-API Kerberos mechanism, the function is renamed and moved.

Note that light top-down analysis shows that the SHA-1 transform
is by far the most CPU-intensive part of encryption. Thus we do not
expect this change to result in a significant performance impact.
However, eventually it might be necessary to generate an independent
stream of confounders for each Kerberos context to help improve I/O
parallelism.

Reviewed-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

include/linux/sunrpc/gss_krb5.h		diff \| blob \| blame \| history
net/sunrpc/auth_gss/gss_krb5_crypto.c		diff \| blob \| blame \| history
net/sunrpc/auth_gss/gss_krb5_internal.h	[new file with mode: 0644]	blob
net/sunrpc/auth_gss/gss_krb5_mech.c		diff \| blob \| blame \| history
net/sunrpc/auth_gss/gss_krb5_wrap.c		diff \| blob \| blame \| history