gss_krb5: document that we ignore sequence number

A couple times recently somebody has noticed that we're ignoring a sequence number here and wondered whether there's a bug. In fact, there's not. Thanks to Andy Adamson for pointing out a useful explanation in rfc 2203. Add comments citing that rfc, and remove "seqnum" to prevent static checkers complaining about unused variables. Reported-by: Andi Kleen <andi@firstfloor.org> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
author: J. Bruce Fields <bfields@redhat.com> 2013-10-09 15:59:29 -0400
committer: J. Bruce Fields <bfields@redhat.com> 2013-10-10 11:04:48 -0400
commit: 5d6baef9ab52d0d02b3106d8ccd1b05ec628e027 (patch)
tree: e983e2d40f2e1db8aaa04902d26208eb259a79d6
parent: b26ec9b11b309acd9f6bb15fcc9bb396091384e8 (diff)
2 files changed, 8 insertions, 6 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 6cd930f3678f..6c981ddc19f8 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -150,7 +150,6 @@ gss_verify_mic_v2(struct krb5_ctx *ctx,
        struct xdr_netobj cksumobj = {.len = sizeof(cksumdata),
                                      .data = cksumdata};
        s32 now;
-        u64 seqnum;
        u8 *ptr = read_token->data;
        u8 *cksumkey;
        u8 flags;
@@ -197,9 +196,10 @@ gss_verify_mic_v2(struct krb5_ctx *ctx,
        if (now > ctx->endtime)
                return GSS_S_CONTEXT_EXPIRED;
-        /* do sequencing checks */
+        /*
+         * NOTE: the sequence number at ptr + 8 is skipped, rpcsec_gss
-        seqnum = be64_to_cpup((__be64 *)ptr + 8);
+         * doesn't want it checked; see page 6 of rfc 2203.
+         */
        return GSS_S_COMPLETE;
 }
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index 1da52d1406fc..5040a460f1d9 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -489,7 +489,6 @@ static u32
 gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
 {
        s32             now;
-        u64             seqnum;
        u8              *ptr;
        u8              flags = 0x00;
        u16             ec, rrc;
@@ -525,7 +524,10 @@ gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
        ec = be16_to_cpup((__be16 *)(ptr + 4));
        rrc = be16_to_cpup((__be16 *)(ptr + 6));
-        seqnum = be64_to_cpup((__be64 *)(ptr + 8));
+        /*
+         * NOTE: the sequence number at ptr + 8 is skipped, rpcsec_gss
+         * doesn't want it checked; see page 6 of rfc 2203.
+         */
        if (rrc != 0)
                rotate_left(offset + 16, buf, rrc);
author	J. Bruce Fields <bfields@redhat.com>	2013-10-09 15:59:29 -0400
committer	J. Bruce Fields <bfields@redhat.com>	2013-10-10 11:04:48 -0400
commit	5d6baef9ab52d0d02b3106d8ccd1b05ec628e027 (patch)
tree	e983e2d40f2e1db8aaa04902d26208eb259a79d6
parent	b26ec9b11b309acd9f6bb15fcc9bb396091384e8 (diff)

diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 6cd930f3678f..6c981ddc19f8 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -150,7 +150,6 @@ gss_verify_mic_v2(struct krb5_ctx *ctx,
150	struct xdr_netobj cksumobj = {.len = sizeof(cksumdata),	150	struct xdr_netobj cksumobj = {.len = sizeof(cksumdata),
151	.data = cksumdata};	151	.data = cksumdata};
152	s32 now;	152	s32 now;
153	u64 seqnum;
154	u8 *ptr = read_token->data;	153	u8 *ptr = read_token->data;
155	u8 *cksumkey;	154	u8 *cksumkey;
156	u8 flags;	155	u8 flags;
@@ -197,9 +196,10 @@ gss_verify_mic_v2(struct krb5_ctx *ctx,
197	if (now > ctx->endtime)	196	if (now > ctx->endtime)
198	return GSS_S_CONTEXT_EXPIRED;	197	return GSS_S_CONTEXT_EXPIRED;
199		198
200	/* do sequencing checks */	199	/*
201		200	* NOTE: the sequence number at ptr + 8 is skipped, rpcsec_gss
202	seqnum = be64_to_cpup((__be64 *)ptr + 8);	201	* doesn't want it checked; see page 6 of rfc 2203.
		202	*/
203		203
204	return GSS_S_COMPLETE;	204	return GSS_S_COMPLETE;
205	}	205	}


diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index 1da52d1406fc..5040a460f1d9 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -489,7 +489,6 @@ static u32
489	gss_unwrap_kerberos_v2(struct krb5_ctx kctx, int offset, struct xdr_buf buf)	489	gss_unwrap_kerberos_v2(struct krb5_ctx kctx, int offset, struct xdr_buf buf)
490	{	490	{
491	s32 now;	491	s32 now;
492	u64 seqnum;
493	u8 *ptr;	492	u8 *ptr;
494	u8 flags = 0x00;	493	u8 flags = 0x00;
495	u16 ec, rrc;	494	u16 ec, rrc;
@@ -525,7 +524,10 @@ gss_unwrap_kerberos_v2(struct krb5_ctx kctx, int offset, struct xdr_buf buf)
525	ec = be16_to_cpup((__be16 *)(ptr + 4));	524	ec = be16_to_cpup((__be16 *)(ptr + 4));
526	rrc = be16_to_cpup((__be16 *)(ptr + 6));	525	rrc = be16_to_cpup((__be16 *)(ptr + 6));
527		526
528	seqnum = be64_to_cpup((__be64 *)(ptr + 8));	527	/*
		528	* NOTE: the sequence number at ptr + 8 is skipped, rpcsec_gss
		529	* doesn't want it checked; see page 6 of rfc 2203.
		530	*/
529		531
530	if (rrc != 0)	532	if (rrc != 0)
531	rotate_left(offset + 16, buf, rrc);	533	rotate_left(offset + 16, buf, rrc);