summaryrefslogtreecommitdiffstats
path: root/net/sunrpc/auth_gss
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@fieldses.org>2006-12-04 20:22:36 -0500
committerTrond Myklebust <Trond.Myklebust@netapp.com>2006-12-06 10:46:45 -0500
commit5eb064f93973def1ec2ab4a46929e94389a6283b (patch)
treece51f825db0318ee1e5c75e64c9dd0f60f31fda0 /net/sunrpc/auth_gss
parente678e06bf8fa25981a6fa1f08b979fd086d713f8 (diff)
rpcgss: krb5: expect a constant signalg value
We also only ever receive one value of the signalg, so let's not pretend otherwise Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc/auth_gss')
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_unseal.c47
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c40
2 files changed, 27 insertions, 60 deletions
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 0828cf64100..23b509dedf9 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -112,47 +112,26 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
if (sealalg != 0xffff)
goto out;
-
- /* there are several mappings of seal algorithms to sign algorithms,
- but few enough that we can try them all. */
-
- if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
- (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
- (ctx->sealalg == SEAL_ALG_DES3KD &&
- signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
+ if (signalg != SGN_ALG_DES_MAC_MD5)
goto out;
/* compute the checksum of the message */
/* initialize the the cksum */
- switch (signalg) {
- case SGN_ALG_DES_MAC_MD5:
- checksum_type = CKSUMTYPE_RSA_MD5;
- break;
- default:
- ret = GSS_S_DEFECTIVE_TOKEN;
+ checksum_type = CKSUMTYPE_RSA_MD5;
+
+ ret = make_checksum(checksum_type, ptr - 2, 8,
+ message_buffer, 0, &md5cksum);
+ if (ret)
+ goto out;
+
+ ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
+ md5cksum.data, 16);
+ if (ret)
goto out;
- }
- switch (signalg) {
- case SGN_ALG_DES_MAC_MD5:
- ret = make_checksum(checksum_type, ptr - 2, 8,
- message_buffer, 0, &md5cksum);
- if (ret)
- goto out;
-
- ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
- md5cksum.data, 16);
- if (ret)
- goto out;
-
- if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
- ret = GSS_S_BAD_SIG;
- goto out;
- }
- break;
- default:
- ret = GSS_S_DEFECTIVE_TOKEN;
+ if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
+ ret = GSS_S_BAD_SIG;
goto out;
}
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index eee49f4c4c6..a7d5c135139 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -253,6 +253,8 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
if (sealalg == 0xffff)
goto out;
+ if (signalg != SGN_ALG_DES_MAC_MD5)
+ goto out;
/* in the current spec, there is only one valid seal algorithm per
key type, so a simple comparison is ok */
@@ -276,34 +278,20 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
/* compute the checksum of the message */
/* initialize the the cksum */
- switch (signalg) {
- case SGN_ALG_DES_MAC_MD5:
- checksum_type = CKSUMTYPE_RSA_MD5;
- break;
- default:
- ret = GSS_S_DEFECTIVE_TOKEN;
+ checksum_type = CKSUMTYPE_RSA_MD5;
+
+ ret = make_checksum(checksum_type, ptr - 2, 8, buf,
+ ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
+ if (ret)
+ goto out;
+
+ ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+ md5cksum.data, md5cksum.len);
+ if (ret)
goto out;
- }
- switch (signalg) {
- case SGN_ALG_DES_MAC_MD5:
- ret = make_checksum(checksum_type, ptr - 2, 8, buf,
- ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
- if (ret)
- goto out;
-
- ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
- md5cksum.data, md5cksum.len);
- if (ret)
- goto out;
-
- if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
- ret = GSS_S_BAD_SIG;
- goto out;
- }
- break;
- default:
- ret = GSS_S_DEFECTIVE_TOKEN;
+ if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
+ ret = GSS_S_BAD_SIG;
goto out;
}