diff options
| author | J. Bruce Fields <bfields@fieldses.org> | 2006-12-04 20:22:39 -0500 |
|---|---|---|
| committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2006-12-06 10:46:46 -0500 |
| commit | 39a21dd1b0eec3f5eac84ee42bda5ab4915098ae (patch) | |
| tree | 9dff827542f01a22fbb5742c367c5483e927a378 | |
| parent | ca54f896454852f0bc8d50e6e4c55d9defedbd0a (diff) | |
rpcgss: krb5: clean up some goto's, etc.
Remove some unnecessary goto labels; clean up some return values; etc.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
| -rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_seal.c | 10 | ||||
| -rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_unseal.c | 45 | ||||
| -rw-r--r-- | net/sunrpc/auth_gss/gss_krb5_wrap.c | 68 |
3 files changed, 48 insertions, 75 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c index c187f7f1520f..f3f42a4465cf 100644 --- a/net/sunrpc/auth_gss/gss_krb5_seal.c +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c | |||
| @@ -90,7 +90,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
| 90 | if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) { | 90 | if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) { |
| 91 | dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n", | 91 | dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n", |
| 92 | ctx->sealalg); | 92 | ctx->sealalg); |
| 93 | goto out_err; | 93 | return GSS_S_FAILURE; |
| 94 | } | 94 | } |
| 95 | 95 | ||
| 96 | token->len = g_token_size(&ctx->mech_used, 22); | 96 | token->len = g_token_size(&ctx->mech_used, 22); |
| @@ -109,11 +109,11 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
| 109 | memset(krb5_hdr + 4, 0xff, 4); | 109 | memset(krb5_hdr + 4, 0xff, 4); |
| 110 | 110 | ||
| 111 | if (make_checksum("md5", krb5_hdr, 8, text, 0, &md5cksum)) | 111 | if (make_checksum("md5", krb5_hdr, 8, text, 0, &md5cksum)) |
| 112 | goto out_err; | 112 | return GSS_S_FAILURE; |
| 113 | 113 | ||
| 114 | if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, | 114 | if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, |
| 115 | md5cksum.data, md5cksum.len)) | 115 | md5cksum.data, md5cksum.len)) |
| 116 | goto out_err; | 116 | return GSS_S_FAILURE; |
| 117 | memcpy(krb5_hdr + 16, | 117 | memcpy(krb5_hdr + 16, |
| 118 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, | 118 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, |
| 119 | KRB5_CKSUM_LENGTH); | 119 | KRB5_CKSUM_LENGTH); |
| @@ -124,9 +124,7 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text, | |||
| 124 | 124 | ||
| 125 | if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff, | 125 | if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff, |
| 126 | seq_send, krb5_hdr + 16, krb5_hdr + 8))) | 126 | seq_send, krb5_hdr + 16, krb5_hdr + 8))) |
| 127 | goto out_err; | 127 | return GSS_S_FAILURE; |
| 128 | 128 | ||
| 129 | return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); | 129 | return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); |
| 130 | out_err: | ||
| 131 | return GSS_S_FAILURE; | ||
| 132 | } | 130 | } |
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 62807ac1e2ca..75a75a6d1336 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c | |||
| @@ -85,69 +85,56 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx, | |||
| 85 | s32 seqnum; | 85 | s32 seqnum; |
| 86 | unsigned char *ptr = (unsigned char *)read_token->data; | 86 | unsigned char *ptr = (unsigned char *)read_token->data; |
| 87 | int bodysize; | 87 | int bodysize; |
| 88 | u32 ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 89 | 88 | ||
| 90 | dprintk("RPC: krb5_read_token\n"); | 89 | dprintk("RPC: krb5_read_token\n"); |
| 91 | 90 | ||
| 92 | if (g_verify_token_header(&ctx->mech_used, &bodysize, &ptr, | 91 | if (g_verify_token_header(&ctx->mech_used, &bodysize, &ptr, |
| 93 | read_token->len)) | 92 | read_token->len)) |
| 94 | goto out; | 93 | return GSS_S_DEFECTIVE_TOKEN; |
| 95 | 94 | ||
| 96 | if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) || | 95 | if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) || |
| 97 | (*ptr++ != ( KG_TOK_MIC_MSG &0xff)) ) | 96 | (*ptr++ != ( KG_TOK_MIC_MSG &0xff)) ) |
| 98 | goto out; | 97 | return GSS_S_DEFECTIVE_TOKEN; |
| 99 | 98 | ||
| 100 | /* XXX sanity-check bodysize?? */ | 99 | /* XXX sanity-check bodysize?? */ |
| 101 | 100 | ||
| 102 | /* get the sign and seal algorithms */ | ||
| 103 | |||
| 104 | signalg = ptr[0] + (ptr[1] << 8); | 101 | signalg = ptr[0] + (ptr[1] << 8); |
| 105 | sealalg = ptr[2] + (ptr[3] << 8); | 102 | sealalg = ptr[2] + (ptr[3] << 8); |
| 106 | 103 | ||
| 107 | /* Sanity checks */ | 104 | /* Sanity checks */ |
| 108 | 105 | ||
| 109 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) | 106 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) |
| 110 | goto out; | 107 | return GSS_S_DEFECTIVE_TOKEN; |
| 111 | 108 | ||
| 112 | if (sealalg != 0xffff) | 109 | if (sealalg != 0xffff) |
| 113 | goto out; | 110 | return GSS_S_DEFECTIVE_TOKEN; |
| 114 | if (signalg != SGN_ALG_DES_MAC_MD5) | 111 | if (signalg != SGN_ALG_DES_MAC_MD5) |
| 115 | goto out; | 112 | return GSS_S_DEFECTIVE_TOKEN; |
| 116 | 113 | ||
| 117 | ret = make_checksum("md5", ptr - 2, 8, message_buffer, 0, &md5cksum); | 114 | if (make_checksum("md5", ptr - 2, 8, message_buffer, 0, &md5cksum)) |
| 118 | if (ret) | 115 | return GSS_S_FAILURE; |
| 119 | goto out; | ||
| 120 | 116 | ||
| 121 | ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data, | 117 | if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, md5cksum.data, 16)) |
| 122 | md5cksum.data, 16); | 118 | return GSS_S_FAILURE; |
| 123 | if (ret) | ||
| 124 | goto out; | ||
| 125 | 119 | ||
| 126 | if (memcmp(md5cksum.data + 8, ptr + 14, 8)) { | 120 | if (memcmp(md5cksum.data + 8, ptr + 14, 8)) |
| 127 | ret = GSS_S_BAD_SIG; | 121 | return GSS_S_BAD_SIG; |
| 128 | goto out; | ||
| 129 | } | ||
| 130 | 122 | ||
| 131 | /* it got through unscathed. Make sure the context is unexpired */ | 123 | /* it got through unscathed. Make sure the context is unexpired */ |
| 132 | 124 | ||
| 133 | now = get_seconds(); | 125 | now = get_seconds(); |
| 134 | 126 | ||
| 135 | ret = GSS_S_CONTEXT_EXPIRED; | ||
| 136 | if (now > ctx->endtime) | 127 | if (now > ctx->endtime) |
| 137 | goto out; | 128 | return GSS_S_CONTEXT_EXPIRED; |
| 138 | 129 | ||
| 139 | /* do sequencing checks */ | 130 | /* do sequencing checks */ |
| 140 | 131 | ||
| 141 | ret = GSS_S_BAD_SIG; | 132 | if (krb5_get_seq_num(ctx->seq, ptr + 14, ptr + 6, &direction, &seqnum)) |
| 142 | if ((ret = krb5_get_seq_num(ctx->seq, ptr + 14, ptr + 6, &direction, | 133 | return GSS_S_FAILURE; |
| 143 | &seqnum))) | ||
| 144 | goto out; | ||
| 145 | 134 | ||
| 146 | if ((ctx->initiate && direction != 0xff) || | 135 | if ((ctx->initiate && direction != 0xff) || |
| 147 | (!ctx->initiate && direction != 0)) | 136 | (!ctx->initiate && direction != 0)) |
| 148 | goto out; | 137 | return GSS_S_BAD_SIG; |
| 149 | 138 | ||
| 150 | ret = GSS_S_COMPLETE; | 139 | return GSS_S_COMPLETE; |
| 151 | out: | ||
| 152 | return ret; | ||
| 153 | } | 140 | } |
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index 6d508d77adf9..63b06ee2d542 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c | |||
| @@ -136,7 +136,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
| 136 | if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) { | 136 | if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) { |
| 137 | dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n", | 137 | dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n", |
| 138 | kctx->sealalg); | 138 | kctx->sealalg); |
| 139 | goto out_err; | 139 | return GSS_S_FAILURE; |
| 140 | } | 140 | } |
| 141 | 141 | ||
| 142 | blocksize = crypto_blkcipher_blocksize(kctx->enc); | 142 | blocksize = crypto_blkcipher_blocksize(kctx->enc); |
| @@ -178,12 +178,12 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
| 178 | buf->pages = pages; | 178 | buf->pages = pages; |
| 179 | if (make_checksum("md5", krb5_hdr, 8, buf, | 179 | if (make_checksum("md5", krb5_hdr, 8, buf, |
| 180 | offset + headlen - blocksize, &md5cksum)) | 180 | offset + headlen - blocksize, &md5cksum)) |
| 181 | goto out_err; | 181 | return GSS_S_FAILURE; |
| 182 | buf->pages = tmp_pages; | 182 | buf->pages = tmp_pages; |
| 183 | 183 | ||
| 184 | if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, | 184 | if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, |
| 185 | md5cksum.data, md5cksum.len)) | 185 | md5cksum.data, md5cksum.len)) |
| 186 | goto out_err; | 186 | return GSS_S_FAILURE; |
| 187 | memcpy(krb5_hdr + 16, | 187 | memcpy(krb5_hdr + 16, |
| 188 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, | 188 | md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH, |
| 189 | KRB5_CKSUM_LENGTH); | 189 | KRB5_CKSUM_LENGTH); |
| @@ -196,15 +196,13 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset, | |||
| 196 | * and encrypt at the same time: */ | 196 | * and encrypt at the same time: */ |
| 197 | if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, | 197 | if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff, |
| 198 | seq_send, krb5_hdr + 16, krb5_hdr + 8))) | 198 | seq_send, krb5_hdr + 16, krb5_hdr + 8))) |
| 199 | goto out_err; | 199 | return GSS_S_FAILURE; |
| 200 | 200 | ||
| 201 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, | 201 | if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize, |
| 202 | pages)) | 202 | pages)) |
| 203 | goto out_err; | 203 | return GSS_S_FAILURE; |
| 204 | 204 | ||
| 205 | return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); | 205 | return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE); |
| 206 | out_err: | ||
| 207 | return GSS_S_FAILURE; | ||
| 208 | } | 206 | } |
| 209 | 207 | ||
| 210 | u32 | 208 | u32 |
| @@ -220,7 +218,6 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf) | |||
| 220 | s32 seqnum; | 218 | s32 seqnum; |
| 221 | unsigned char *ptr; | 219 | unsigned char *ptr; |
| 222 | int bodysize; | 220 | int bodysize; |
| 223 | u32 ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 224 | void *data_start, *orig_start; | 221 | void *data_start, *orig_start; |
| 225 | int data_len; | 222 | int data_len; |
| 226 | int blocksize; | 223 | int blocksize; |
| @@ -230,11 +227,11 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf) | |||
| 230 | ptr = (u8 *)buf->head[0].iov_base + offset; | 227 | ptr = (u8 *)buf->head[0].iov_base + offset; |
| 231 | if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr, | 228 | if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr, |
| 232 | buf->len - offset)) | 229 | buf->len - offset)) |
| 233 | goto out; | 230 | return GSS_S_DEFECTIVE_TOKEN; |
| 234 | 231 | ||
| 235 | if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) || | 232 | if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) || |
| 236 | (*ptr++ != (KG_TOK_WRAP_MSG &0xff)) ) | 233 | (*ptr++ != (KG_TOK_WRAP_MSG &0xff)) ) |
| 237 | goto out; | 234 | return GSS_S_DEFECTIVE_TOKEN; |
| 238 | 235 | ||
| 239 | /* XXX sanity-check bodysize?? */ | 236 | /* XXX sanity-check bodysize?? */ |
| 240 | 237 | ||
| @@ -246,18 +243,18 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf) | |||
| 246 | /* Sanity checks */ | 243 | /* Sanity checks */ |
| 247 | 244 | ||
| 248 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) | 245 | if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) |
| 249 | goto out; | 246 | return GSS_S_DEFECTIVE_TOKEN; |
| 250 | 247 | ||
| 251 | if (sealalg == 0xffff) | 248 | if (sealalg == 0xffff) |
| 252 | goto out; | 249 | return GSS_S_DEFECTIVE_TOKEN; |
| 253 | if (signalg != SGN_ALG_DES_MAC_MD5) | 250 | if (signalg != SGN_ALG_DES_MAC_MD5) |
| 254 | goto out; | 251 | return GSS_S_DEFECTIVE_TOKEN; |
| 255 | 252 | ||
| 256 | /* in the current spec, there is only one valid seal algorithm per | 253 | /* in the current spec, there is only one valid seal algorithm per |
| 257 | key type, so a simple comparison is ok */ | 254 | key type, so a simple comparison is ok */ |
| 258 | 255 | ||
| 259 | if (sealalg != kctx->sealalg) | 256 | if (sealalg != kctx->sealalg) |
| 260 | goto out; | 257 | return GSS_S_DEFECTIVE_TOKEN; |
| 261 | 258 | ||
| 262 | /* there are several mappings of seal algorithms to sign algorithms, | 259 | /* there are several mappings of seal algorithms to sign algorithms, |
| 263 | but few enough that we can try them all. */ | 260 | but few enough that we can try them all. */ |
| @@ -266,45 +263,39 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf) | |||
| 266 | (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || | 263 | (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) || |
| 267 | (kctx->sealalg == SEAL_ALG_DES3KD && | 264 | (kctx->sealalg == SEAL_ALG_DES3KD && |
| 268 | signalg != SGN_ALG_HMAC_SHA1_DES3_KD)) | 265 | signalg != SGN_ALG_HMAC_SHA1_DES3_KD)) |
| 269 | goto out; | 266 | return GSS_S_DEFECTIVE_TOKEN; |
| 270 | 267 | ||
| 271 | if (gss_decrypt_xdr_buf(kctx->enc, buf, | 268 | if (gss_decrypt_xdr_buf(kctx->enc, buf, |
| 272 | ptr + 22 - (unsigned char *)buf->head[0].iov_base)) | 269 | ptr + 22 - (unsigned char *)buf->head[0].iov_base)) |
| 273 | goto out; | 270 | return GSS_S_DEFECTIVE_TOKEN; |
| 274 | 271 | ||
| 275 | ret = make_checksum("md5", ptr - 2, 8, buf, | 272 | if (make_checksum("md5", ptr - 2, 8, buf, |
| 276 | ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum); | 273 | ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum)) |
| 277 | if (ret) | 274 | return GSS_S_FAILURE; |
| 278 | goto out; | ||
| 279 | 275 | ||
| 280 | ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data, | 276 | if (krb5_encrypt(kctx->seq, NULL, md5cksum.data, |
| 281 | md5cksum.data, md5cksum.len); | 277 | md5cksum.data, md5cksum.len)) |
| 282 | if (ret) | 278 | return GSS_S_FAILURE; |
| 283 | goto out; | ||
| 284 | 279 | ||
| 285 | if (memcmp(md5cksum.data + 8, ptr + 14, 8)) { | 280 | if (memcmp(md5cksum.data + 8, ptr + 14, 8)) |
| 286 | ret = GSS_S_BAD_SIG; | 281 | return GSS_S_BAD_SIG; |
| 287 | goto out; | ||
| 288 | } | ||
| 289 | 282 | ||
| 290 | /* it got through unscathed. Make sure the context is unexpired */ | 283 | /* it got through unscathed. Make sure the context is unexpired */ |
| 291 | 284 | ||
| 292 | now = get_seconds(); | 285 | now = get_seconds(); |
| 293 | 286 | ||
| 294 | ret = GSS_S_CONTEXT_EXPIRED; | ||
| 295 | if (now > kctx->endtime) | 287 | if (now > kctx->endtime) |
| 296 | goto out; | 288 | return GSS_S_CONTEXT_EXPIRED; |
| 297 | 289 | ||
| 298 | /* do sequencing checks */ | 290 | /* do sequencing checks */ |
| 299 | 291 | ||
| 300 | ret = GSS_S_BAD_SIG; | 292 | if (krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction, |
| 301 | if ((ret = krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction, | 293 | &seqnum)) |
| 302 | &seqnum))) | 294 | return GSS_S_BAD_SIG; |
| 303 | goto out; | ||
| 304 | 295 | ||
| 305 | if ((kctx->initiate && direction != 0xff) || | 296 | if ((kctx->initiate && direction != 0xff) || |
| 306 | (!kctx->initiate && direction != 0)) | 297 | (!kctx->initiate && direction != 0)) |
| 307 | goto out; | 298 | return GSS_S_BAD_SIG; |
| 308 | 299 | ||
| 309 | /* Copy the data back to the right position. XXX: Would probably be | 300 | /* Copy the data back to the right position. XXX: Would probably be |
| 310 | * better to copy and encrypt at the same time. */ | 301 | * better to copy and encrypt at the same time. */ |
| @@ -317,11 +308,8 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf) | |||
| 317 | buf->head[0].iov_len -= (data_start - orig_start); | 308 | buf->head[0].iov_len -= (data_start - orig_start); |
| 318 | buf->len -= (data_start - orig_start); | 309 | buf->len -= (data_start - orig_start); |
| 319 | 310 | ||
| 320 | ret = GSS_S_DEFECTIVE_TOKEN; | ||
| 321 | if (gss_krb5_remove_padding(buf, blocksize)) | 311 | if (gss_krb5_remove_padding(buf, blocksize)) |
| 322 | goto out; | 312 | return GSS_S_DEFECTIVE_TOKEN; |
| 323 | 313 | ||
| 324 | ret = GSS_S_COMPLETE; | 314 | return GSS_S_COMPLETE; |
| 325 | out: | ||
| 326 | return ret; | ||
| 327 | } | 315 | } |