3 files changed, 5 insertions, 30 deletions

diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 17587163fcae..bf5435db8785 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -148,9 +148,11 @@ gss_import_sec_context_kerberos(const void *p,
                 goto out_err_free_ctx;
         if (tmp != SGN_ALG_DES_MAC_MD5)
                 goto out_err_free_ctx;
-        p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
+        p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
         if (IS_ERR(p))
                 goto out_err_free_ctx;
+        if (tmp != SEAL_ALG_DES)
+                goto out_err_free_ctx;
         p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
         if (IS_ERR(p))
                 goto out_err_free_ctx;
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index f3f42a4465cf..f42e453e63ea 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -87,12 +87,6 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
 
         now = get_seconds();
 
-        if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) {
-                dprintk("RPC:      gss_krb5_seal: ctx->sealalg %d not supported\n",
-                        ctx->sealalg);
-                return GSS_S_FAILURE;
-        }
-
         token->len = g_token_size(&ctx->mech_used, 22);
 
         ptr = token->data;
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index 63b06ee2d542..bf25f4d9acd1 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -133,12 +133,6 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 
         now = get_seconds();
 
-        if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
-                dprintk("RPC:      gss_krb5_seal: kctx->sealalg %d not supported\n",
-                        kctx->sealalg);
-                return GSS_S_FAILURE;
-        }
-
         blocksize = crypto_blkcipher_blocksize(kctx->enc);
         gss_krb5_add_padding(buf, offset, blocksize);
         BUG_ON((buf->len - offset) % blocksize);
@@ -169,7 +163,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 
         *(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
         memset(krb5_hdr + 4, 0xff, 4);
-        *(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
+        *(__be16 *)(krb5_hdr + 4) = htons(SEAL_ALG_DES);
 
         make_confounder(msg_start, blocksize);
 
@@ -245,26 +239,11 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
         if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
                 return GSS_S_DEFECTIVE_TOKEN;
 
-        if (sealalg == 0xffff)
+        if (sealalg != SEAL_ALG_DES)
                 return GSS_S_DEFECTIVE_TOKEN;
         if (signalg != SGN_ALG_DES_MAC_MD5)
                 return GSS_S_DEFECTIVE_TOKEN;
 
-        /* in the current spec, there is only one valid seal algorithm per
-           key type, so a simple comparison is ok */
-
-        if (sealalg != kctx->sealalg)
-                return GSS_S_DEFECTIVE_TOKEN;
-
-        /* there are several mappings of seal algorithms to sign algorithms,
-           but few enough that we can try them all. */
-
-        if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
-            (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
-            (kctx->sealalg == SEAL_ALG_DES3KD &&
-             signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
-                return GSS_S_DEFECTIVE_TOKEN;
-
         if (gss_decrypt_xdr_buf(kctx->enc, buf,
                         ptr + 22 - (unsigned char *)buf->head[0].iov_base))
                 return GSS_S_DEFECTIVE_TOKEN;