summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--include/linux/sunrpc/gss_krb5.h1
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c4
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_seal.c6
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_wrap.c25
4 files changed, 5 insertions, 31 deletions
diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/gss_krb5.h
index abfa1f32d91..01c5e431463 100644
--- a/include/linux/sunrpc/gss_krb5.h
+++ b/include/linux/sunrpc/gss_krb5.h
@@ -44,7 +44,6 @@ struct krb5_ctx {
int initiate; /* 1 = initiating, 0 = accepting */
int seed_init;
unsigned char seed[16];
- int sealalg;
struct crypto_blkcipher *enc;
struct crypto_blkcipher *seq;
s32 endtime;
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 17587163fca..bf5435db878 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -148,9 +148,11 @@ gss_import_sec_context_kerberos(const void *p,
goto out_err_free_ctx;
if (tmp != SGN_ALG_DES_MAC_MD5)
goto out_err_free_ctx;
- p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
+ p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
if (IS_ERR(p))
goto out_err_free_ctx;
+ if (tmp != SEAL_ALG_DES)
+ goto out_err_free_ctx;
p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
if (IS_ERR(p))
goto out_err_free_ctx;
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index f3f42a4465c..f42e453e63e 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -87,12 +87,6 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
now = get_seconds();
- if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) {
- dprintk("RPC: gss_krb5_seal: ctx->sealalg %d not supported\n",
- ctx->sealalg);
- return GSS_S_FAILURE;
- }
-
token->len = g_token_size(&ctx->mech_used, 22);
ptr = token->data;
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index 63b06ee2d54..bf25f4d9acd 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -133,12 +133,6 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
now = get_seconds();
- if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
- dprintk("RPC: gss_krb5_seal: kctx->sealalg %d not supported\n",
- kctx->sealalg);
- return GSS_S_FAILURE;
- }
-
blocksize = crypto_blkcipher_blocksize(kctx->enc);
gss_krb5_add_padding(buf, offset, blocksize);
BUG_ON((buf->len - offset) % blocksize);
@@ -169,7 +163,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
*(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
memset(krb5_hdr + 4, 0xff, 4);
- *(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
+ *(__be16 *)(krb5_hdr + 4) = htons(SEAL_ALG_DES);
make_confounder(msg_start, blocksize);
@@ -245,26 +239,11 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
return GSS_S_DEFECTIVE_TOKEN;
- if (sealalg == 0xffff)
+ if (sealalg != SEAL_ALG_DES)
return GSS_S_DEFECTIVE_TOKEN;
if (signalg != SGN_ALG_DES_MAC_MD5)
return GSS_S_DEFECTIVE_TOKEN;
- /* in the current spec, there is only one valid seal algorithm per
- key type, so a simple comparison is ok */
-
- if (sealalg != kctx->sealalg)
- return GSS_S_DEFECTIVE_TOKEN;
-
- /* there are several mappings of seal algorithms to sign algorithms,
- but few enough that we can try them all. */
-
- if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
- (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
- (kctx->sealalg == SEAL_ALG_DES3KD &&
- signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
- return GSS_S_DEFECTIVE_TOKEN;
-
if (gss_decrypt_xdr_buf(kctx->enc, buf,
ptr + 22 - (unsigned char *)buf->head[0].iov_base))
return GSS_S_DEFECTIVE_TOKEN;