mirror of
https://github.com/torvalds/linux.git
synced 2024-12-28 13:51:44 +00:00
rpcgss: krb5: expect a constant signalg value
We also only ever receive one value of the signalg, so let's not pretend otherwise Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
This commit is contained in:
parent
e678e06bf8
commit
5eb064f939
@ -112,47 +112,26 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
|
||||
|
||||
if (sealalg != 0xffff)
|
||||
goto out;
|
||||
|
||||
/* there are several mappings of seal algorithms to sign algorithms,
|
||||
but few enough that we can try them all. */
|
||||
|
||||
if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
|
||||
(ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
|
||||
(ctx->sealalg == SEAL_ALG_DES3KD &&
|
||||
signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
|
||||
if (signalg != SGN_ALG_DES_MAC_MD5)
|
||||
goto out;
|
||||
|
||||
/* compute the checksum of the message */
|
||||
|
||||
/* initialize the the cksum */
|
||||
switch (signalg) {
|
||||
case SGN_ALG_DES_MAC_MD5:
|
||||
checksum_type = CKSUMTYPE_RSA_MD5;
|
||||
break;
|
||||
default:
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
||||
checksum_type = CKSUMTYPE_RSA_MD5;
|
||||
|
||||
ret = make_checksum(checksum_type, ptr - 2, 8,
|
||||
message_buffer, 0, &md5cksum);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
|
||||
switch (signalg) {
|
||||
case SGN_ALG_DES_MAC_MD5:
|
||||
ret = make_checksum(checksum_type, ptr - 2, 8,
|
||||
message_buffer, 0, &md5cksum);
|
||||
if (ret)
|
||||
goto out;
|
||||
ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
|
||||
md5cksum.data, 16);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,
|
||||
md5cksum.data, 16);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
|
||||
ret = GSS_S_BAD_SIG;
|
||||
goto out;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
||||
if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
|
||||
ret = GSS_S_BAD_SIG;
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
@ -253,6 +253,8 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
|
||||
|
||||
if (sealalg == 0xffff)
|
||||
goto out;
|
||||
if (signalg != SGN_ALG_DES_MAC_MD5)
|
||||
goto out;
|
||||
|
||||
/* in the current spec, there is only one valid seal algorithm per
|
||||
key type, so a simple comparison is ok */
|
||||
@ -276,34 +278,20 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
|
||||
/* compute the checksum of the message */
|
||||
|
||||
/* initialize the the cksum */
|
||||
switch (signalg) {
|
||||
case SGN_ALG_DES_MAC_MD5:
|
||||
checksum_type = CKSUMTYPE_RSA_MD5;
|
||||
break;
|
||||
default:
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
||||
checksum_type = CKSUMTYPE_RSA_MD5;
|
||||
|
||||
ret = make_checksum(checksum_type, ptr - 2, 8, buf,
|
||||
ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
|
||||
switch (signalg) {
|
||||
case SGN_ALG_DES_MAC_MD5:
|
||||
ret = make_checksum(checksum_type, ptr - 2, 8, buf,
|
||||
ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);
|
||||
if (ret)
|
||||
goto out;
|
||||
ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
|
||||
md5cksum.data, md5cksum.len);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,
|
||||
md5cksum.data, md5cksum.len);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
|
||||
ret = GSS_S_BAD_SIG;
|
||||
goto out;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
ret = GSS_S_DEFECTIVE_TOKEN;
|
||||
if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {
|
||||
ret = GSS_S_BAD_SIG;
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user