rpcgss: krb5: expect a constant signalg value
authorJ. Bruce Fields <bfields@fieldses.org>
Tue, 5 Dec 2006 01:22:36 +0000 (20:22 -0500)
committerTrond Myklebust <Trond.Myklebust@netapp.com>
Wed, 6 Dec 2006 15:46:45 +0000 (10:46 -0500)
We also only ever receive one value of the signalg, so let's not pretend
otherwise

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
net/sunrpc/auth_gss/gss_krb5_unseal.c
net/sunrpc/auth_gss/gss_krb5_wrap.c

index 0828cf64100f977d241dac71d393a0148aa8f09a..23b509dedf9781b88da0fb0317e1cd0006b93d68 100644 (file)
@@ -112,47 +112,26 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
 
        if (sealalg != 0xffff)
                goto out;
-
-       /* there are several mappings of seal algorithms to sign algorithms,
-          but few enough that we can try them all. */
-
-       if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
-           (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
-           (ctx->sealalg == SEAL_ALG_DES3KD &&
-            signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
+       if (signalg != SGN_ALG_DES_MAC_MD5)
                goto out;
 
        /* compute the checksum of the message */
 
        /* initialize the the cksum */
-       switch (signalg) {
-       case SGN_ALG_DES_MAC_MD5:
-               checksum_type = CKSUMTYPE_RSA_MD5;
-               break;
-       default:
-               ret = GSS_S_DEFECTIVE_TOKEN;
+       checksum_type = CKSUMTYPE_RSA_MD5;
+
+       ret = make_checksum(checksum_type, ptr - 2, 8,
+                                message_buffer, 0, &md5cksum);
+       if (ret)
+               goto out;
+
+       ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
+                          md5cksum.data, 16);
+       if (ret)
                goto out;
-       }
 
-       switch (signalg) {
-       case SGN_ALG_DES_MAC_MD5:
-               ret = make_checksum(checksum_type, ptr - 2, 8,
-                                        message_buffer, 0, &md5cksum);
-               if (ret)
-                       goto out;
-
-               ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
-                                  md5cksum.data, 16);
-               if (ret)
-                       goto out;
-
-               if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
-                       ret = GSS_S_BAD_SIG;
-                       goto out;
-               }
-               break;
-       default:
-               ret = GSS_S_DEFECTIVE_TOKEN;
+       if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
+               ret = GSS_S_BAD_SIG;
                goto out;
        }
 
index eee49f4c4c6ae9bcb2a6c9ad3bd6ef24d5576355..a7d5c135139b858db57b6cb4befac8e8166ef523 100644 (file)
@@ -253,6 +253,8 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
 
        if (sealalg == 0xffff)
                goto out;
+       if (signalg != SGN_ALG_DES_MAC_MD5)
+               goto out;
 
        /* in the current spec, there is only one valid seal algorithm per
           key type, so a simple comparison is ok */
@@ -276,34 +278,20 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        /* compute the checksum of the message */
 
        /* initialize the the cksum */
-       switch (signalg) {
-       case SGN_ALG_DES_MAC_MD5:
-               checksum_type = CKSUMTYPE_RSA_MD5;
-               break;
-       default:
-               ret = GSS_S_DEFECTIVE_TOKEN;
+       checksum_type = CKSUMTYPE_RSA_MD5;
+
+       ret = make_checksum(checksum_type, ptr - 2, 8, buf,
+                ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
+       if (ret)
+               goto out;
+
+       ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+                          md5cksum.data, md5cksum.len);
+       if (ret)
                goto out;
-       }
 
-       switch (signalg) {
-       case SGN_ALG_DES_MAC_MD5:
-               ret = make_checksum(checksum_type, ptr - 2, 8, buf,
-                        ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
-               if (ret)
-                       goto out;
-
-               ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
-                                  md5cksum.data, md5cksum.len);
-               if (ret)
-                       goto out;
-
-               if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
-                       ret = GSS_S_BAD_SIG;
-                       goto out;
-               }
-               break;
-       default:
-               ret = GSS_S_DEFECTIVE_TOKEN;
+       if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
+               ret = GSS_S_BAD_SIG;
                goto out;
        }