rpcgss: krb5: expect a constant signalg value

We also only ever receive one value of the signalg, so let's not pretend otherwise Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
author: J. Bruce Fields <bfields@fieldses.org> 2006-12-04 20:22:36 -0500
committer: Trond Myklebust <Trond.Myklebust@netapp.com> 2006-12-06 10:46:45 -0500
commit: 5eb064f93973def1ec2ab4a46929e94389a6283b (patch)
tree: ce51f825db0318ee1e5c75e64c9dd0f60f31fda0 /net/sunrpc/auth_gss
parent: e678e06bf8fa25981a6fa1f08b979fd086d713f8 (diff)
2 files changed, 27 insertions, 60 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 0828cf64100f..23b509dedf97 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -112,47 +112,26 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
        if (sealalg != 0xffff)
                goto out;
+        if (signalg != SGN_ALG_DES_MAC_MD5)
-        /* there are several mappings of seal algorithms to sign algorithms,
-           but few enough that we can try them all. */
-        if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
-            (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
-            (ctx->sealalg == SEAL_ALG_DES3KD &&
-             signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
                goto out;
        /* compute the checksum of the message */
        /* initialize the the cksum */
-        switch (signalg) {
+        checksum_type = CKSUMTYPE_RSA_MD5;
-        case SGN_ALG_DES_MAC_MD5:
-                checksum_type = CKSUMTYPE_RSA_MD5;
+        ret = make_checksum(checksum_type, ptr - 2, 8,
-                break;
+                                 message_buffer, 0, &md5cksum);
-        default:
+        if (ret)
-                ret = GSS_S_DEFECTIVE_TOKEN;
+                goto out;
+        ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
+                           md5cksum.data, 16);
+        if (ret)
                goto out;
-        }
-        switch (signalg) {
+        if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
-        case SGN_ALG_DES_MAC_MD5:
+                ret = GSS_S_BAD_SIG;
-                ret = make_checksum(checksum_type, ptr - 2, 8,
-                                         message_buffer, 0, &md5cksum);
-                if (ret)
-                        goto out;
-                ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
-                                   md5cksum.data, 16);
-                if (ret)
-                        goto out;
-                if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
-                        ret = GSS_S_BAD_SIG;
-                        goto out;
-                }
-                break;
-        default:
-                ret = GSS_S_DEFECTIVE_TOKEN;
                goto out;
        }
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index eee49f4c4c6a..a7d5c135139b 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -253,6 +253,8 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        if (sealalg == 0xffff)
                goto out;
+        if (signalg != SGN_ALG_DES_MAC_MD5)
+                goto out;
        /* in the current spec, there is only one valid seal algorithm per
           key type, so a simple comparison is ok */
@@ -276,34 +278,20 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        /* compute the checksum of the message */
        /* initialize the the cksum */
-        switch (signalg) {
+        checksum_type = CKSUMTYPE_RSA_MD5;
-        case SGN_ALG_DES_MAC_MD5:
-                checksum_type = CKSUMTYPE_RSA_MD5;
+        ret = make_checksum(checksum_type, ptr - 2, 8, buf,
-                break;
+                 ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
-        default:
+        if (ret)
-                ret = GSS_S_DEFECTIVE_TOKEN;
+                goto out;
+        ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+                           md5cksum.data, md5cksum.len);
+        if (ret)
                goto out;
-        }
-        switch (signalg) {
+        if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
-        case SGN_ALG_DES_MAC_MD5:
+                ret = GSS_S_BAD_SIG;
-                ret = make_checksum(checksum_type, ptr - 2, 8, buf,
-                         ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
-                if (ret)
-                        goto out;
-                ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
-                                   md5cksum.data, md5cksum.len);
-                if (ret)
-                        goto out;
-                if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
-                        ret = GSS_S_BAD_SIG;
-                        goto out;
-                }
-                break;
-        default:
-                ret = GSS_S_DEFECTIVE_TOKEN;
                goto out;
        }
author	J. Bruce Fields <bfields@fieldses.org>	2006-12-04 20:22:36 -0500
committer	Trond Myklebust <Trond.Myklebust@netapp.com>	2006-12-06 10:46:45 -0500
commit	5eb064f93973def1ec2ab4a46929e94389a6283b (patch)
tree	ce51f825db0318ee1e5c75e64c9dd0f60f31fda0 /net/sunrpc/auth_gss
parent	e678e06bf8fa25981a6fa1f08b979fd086d713f8 (diff)

diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c index 0828cf64100f..23b509dedf97 100644 --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -112,47 +112,26 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
112		112
113	if (sealalg != 0xffff)	113	if (sealalg != 0xffff)
114	goto out;	114	goto out;
115		115	if (signalg != SGN_ALG_DES_MAC_MD5)
116	/* there are several mappings of seal algorithms to sign algorithms,
117	but few enough that we can try them all. */
118
119	if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) \|\|
120	(ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) \|\|
121	(ctx->sealalg == SEAL_ALG_DES3KD &&
122	signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
123	goto out;	116	goto out;
124		117
125	/* compute the checksum of the message */	118	/* compute the checksum of the message */
126		119
127	/* initialize the the cksum */	120	/* initialize the the cksum */
128	switch (signalg) {	121	checksum_type = CKSUMTYPE_RSA_MD5;
129	case SGN_ALG_DES_MAC_MD5:	122
130	checksum_type = CKSUMTYPE_RSA_MD5;	123	ret = make_checksum(checksum_type, ptr - 2, 8,
131	break;	124	message_buffer, 0, &md5cksum);
132	default:	125	if (ret)
133	ret = GSS_S_DEFECTIVE_TOKEN;	126	goto out;
		127
		128	ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
		129	md5cksum.data, 16);
		130	if (ret)
134	goto out;	131	goto out;
135	}
136		132
137	switch (signalg) {	133	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
138	case SGN_ALG_DES_MAC_MD5:	134	ret = GSS_S_BAD_SIG;
139	ret = make_checksum(checksum_type, ptr - 2, 8,
140	message_buffer, 0, &md5cksum);
141	if (ret)
142	goto out;
143
144	ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
145	md5cksum.data, 16);
146	if (ret)
147	goto out;
148
149	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
150	ret = GSS_S_BAD_SIG;
151	goto out;
152	}
153	break;
154	default:
155	ret = GSS_S_DEFECTIVE_TOKEN;
156	goto out;	135	goto out;
157	}	136	}
158		137


diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c index eee49f4c4c6a..a7d5c135139b 100644 --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -253,6 +253,8 @@ gss_unwrap_kerberos(struct gss_ctx ctx, int offset, struct xdr_buf buf)
253		253
254	if (sealalg == 0xffff)	254	if (sealalg == 0xffff)
255	goto out;	255	goto out;
		256	if (signalg != SGN_ALG_DES_MAC_MD5)
		257	goto out;
256		258
257	/* in the current spec, there is only one valid seal algorithm per	259	/* in the current spec, there is only one valid seal algorithm per
258	key type, so a simple comparison is ok */	260	key type, so a simple comparison is ok */
@@ -276,34 +278,20 @@ gss_unwrap_kerberos(struct gss_ctx ctx, int offset, struct xdr_buf buf)
276	/* compute the checksum of the message */	278	/* compute the checksum of the message */
277		279
278	/* initialize the the cksum */	280	/* initialize the the cksum */
279	switch (signalg) {	281	checksum_type = CKSUMTYPE_RSA_MD5;
280	case SGN_ALG_DES_MAC_MD5:	282
281	checksum_type = CKSUMTYPE_RSA_MD5;	283	ret = make_checksum(checksum_type, ptr - 2, 8, buf,
282	break;	284	ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
283	default:	285	if (ret)
284	ret = GSS_S_DEFECTIVE_TOKEN;	286	goto out;
		287
		288	ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
		289	md5cksum.data, md5cksum.len);
		290	if (ret)
285	goto out;	291	goto out;
286	}
287		292
288	switch (signalg) {	293	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
289	case SGN_ALG_DES_MAC_MD5:	294	ret = GSS_S_BAD_SIG;
290	ret = make_checksum(checksum_type, ptr - 2, 8, buf,
291	ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
292	if (ret)
293	goto out;
294
295	ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
296	md5cksum.data, md5cksum.len);
297	if (ret)
298	goto out;
299
300	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
301	ret = GSS_S_BAD_SIG;
302	goto out;
303	}
304	break;
305	default:
306	ret = GSS_S_DEFECTIVE_TOKEN;
307	goto out;	295	goto out;
308	}	296	}
309		297