aboutsummaryrefslogtreecommitdiffstats
path: root/net/sunrpc/auth_gss/gss_krb5_unseal.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/sunrpc/auth_gss/gss_krb5_unseal.c')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c39
1 files changed, 9 insertions, 30 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 8767fc53183d..2030475d98ed 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -68,21 +68,14 @@
68#endif 68#endif
69 69
70 70
71/* message_buffer is an input if toktype is MIC and an output if it is WRAP: 71/* read_token is a mic token, and message_buffer is the data that the mic was
72 * If toktype is MIC: read_token is a mic token, and message_buffer is the 72 * supposedly taken over. */
73 * data that the mic was supposedly taken over.
74 * If toktype is WRAP: read_token is a wrap token, and message_buffer is used
75 * to return the decrypted data.
76 */
77 73
78/* XXX will need to change prototype and/or just split into a separate function
79 * when we add privacy (because read_token will be in pages too). */
80u32 74u32
81krb5_read_token(struct krb5_ctx *ctx, 75gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
82 struct xdr_netobj *read_token, 76 struct xdr_buf *message_buffer, struct xdr_netobj *read_token)
83 struct xdr_buf *message_buffer,
84 int *qop_state, int toktype)
85{ 77{
78 struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
86 int signalg; 79 int signalg;
87 int sealalg; 80 int sealalg;
88 s32 checksum_type; 81 s32 checksum_type;
@@ -100,16 +93,12 @@ krb5_read_token(struct krb5_ctx *ctx,
100 read_token->len)) 93 read_token->len))
101 goto out; 94 goto out;
102 95
103 if ((*ptr++ != ((toktype>>8)&0xff)) || (*ptr++ != (toktype&0xff))) 96 if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) ||
97 (*ptr++ != ( KG_TOK_MIC_MSG &0xff)) )
104 goto out; 98 goto out;
105 99
106 /* XXX sanity-check bodysize?? */ 100 /* XXX sanity-check bodysize?? */
107 101
108 if (toktype == KG_TOK_WRAP_MSG) {
109 /* XXX gone */
110 goto out;
111 }
112
113 /* get the sign and seal algorithms */ 102 /* get the sign and seal algorithms */
114 103
115 signalg = ptr[0] + (ptr[1] << 8); 104 signalg = ptr[0] + (ptr[1] << 8);
@@ -120,14 +109,7 @@ krb5_read_token(struct krb5_ctx *ctx,
120 if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) 109 if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
121 goto out; 110 goto out;
122 111
123 if (((toktype != KG_TOK_WRAP_MSG) && (sealalg != 0xffff)) || 112 if (sealalg != 0xffff)
124 ((toktype == KG_TOK_WRAP_MSG) && (sealalg == 0xffff)))
125 goto out;
126
127 /* in the current spec, there is only one valid seal algorithm per
128 key type, so a simple comparison is ok */
129
130 if ((toktype == KG_TOK_WRAP_MSG) && !(sealalg == ctx->sealalg))
131 goto out; 113 goto out;
132 114
133 /* there are several mappings of seal algorithms to sign algorithms, 115 /* there are several mappings of seal algorithms to sign algorithms,
@@ -154,7 +136,7 @@ krb5_read_token(struct krb5_ctx *ctx,
154 switch (signalg) { 136 switch (signalg) {
155 case SGN_ALG_DES_MAC_MD5: 137 case SGN_ALG_DES_MAC_MD5:
156 ret = make_checksum(checksum_type, ptr - 2, 8, 138 ret = make_checksum(checksum_type, ptr - 2, 8,
157 message_buffer, &md5cksum); 139 message_buffer, 0, &md5cksum);
158 if (ret) 140 if (ret)
159 goto out; 141 goto out;
160 142
@@ -175,9 +157,6 @@ krb5_read_token(struct krb5_ctx *ctx,
175 157
176 /* it got through unscathed. Make sure the context is unexpired */ 158 /* it got through unscathed. Make sure the context is unexpired */
177 159
178 if (qop_state)
179 *qop_state = GSS_C_QOP_DEFAULT;
180
181 now = get_seconds(); 160 now = get_seconds();
182 161
183 ret = GSS_S_CONTEXT_EXPIRED; 162 ret = GSS_S_CONTEXT_EXPIRED;
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-12 05:27:01 -0500