Author: J. Bruce Fields <bfields@fieldses.org>
Date: Thu, 13 Oct 2005 16:55:08 -0400
RPCSEC_GSS: krb5 pre-privacy cleanup

 The code this was originally derived from processed wrap and mic tokens using
 the same functions.  This required some contortions, and more would be required
 with the addition of xdr_buf's, so it's better to separate out the two code
 paths.

 In preparation for adding privacy support, remove the last vestiges of the
 old wrap token code.

 Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
 Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
---
 include/linux/sunrpc/gss_krb5.h       |    5 +---
 net/sunrpc/auth_gss/gss_krb5_mech.c   |    5 +---
 net/sunrpc/auth_gss/gss_krb5_seal.c   |   38 +++++-----------------------------
 net/sunrpc/auth_gss/gss_krb5_unseal.c |   30 +++++---------------------
 4 files changed, 16 insertions(+), 62 deletions(-)

Index: linux-2.6/net/sunrpc/auth_gss/gss_krb5_seal.c
===================================================================
--- linux-2.6.orig/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ linux-2.6/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -70,22 +70,12 @@
 # define RPCDBG_FACILITY        RPCDBG_AUTH
 #endif
 
-static inline int
-gss_krb5_padding(int blocksize, int length) {
-	/* Most of the code is block-size independent but in practice we
-	 * use only 8: */
-	BUG_ON(blocksize != 8);
-	return 8 - (length & 7);
-}
-
 u32
 krb5_make_token(struct krb5_ctx *ctx, int qop_req,
-		   struct xdr_buf *text, struct xdr_netobj *token,
-		   int toktype)
+		   struct xdr_buf *text, struct xdr_netobj *token)
 {
 	s32			checksum_type;
 	struct xdr_netobj	md5cksum = {.len = 0, .data = NULL};
-	int			blocksize = 0, tmsglen;
 	unsigned char		*ptr, *krb5_hdr, *msg_start;
 	s32			now;
 
@@ -111,21 +101,13 @@ krb5_make_token(struct krb5_ctx *ctx, in
 		goto out_err;
 	}
 
-	if (toktype == KG_TOK_WRAP_MSG) {
-		blocksize = crypto_tfm_alg_blocksize(ctx->enc);
-		tmsglen = blocksize + text->len
-			+ gss_krb5_padding(blocksize, blocksize + text->len);
-	} else {
-		tmsglen = 0;
-	}
-
-	token->len = g_token_size(&ctx->mech_used, 22 + tmsglen);
+	token->len = g_token_size(&ctx->mech_used, 22);
 
 	ptr = token->data;
-	g_make_token_header(&ctx->mech_used, 22 + tmsglen, &ptr);
+	g_make_token_header(&ctx->mech_used, 22, &ptr);
 
-	*ptr++ = (unsigned char) ((toktype>>8)&0xff);
-	*ptr++ = (unsigned char) (toktype&0xff);
+	*ptr++ = (unsigned char) ((KG_TOK_MIC_MSG>>8)&0xff);
+	*ptr++ = (unsigned char) (KG_TOK_MIC_MSG&0xff);
 
 	/* ptr now at byte 2 of header described in rfc 1964, section 1.2.1: */
 	krb5_hdr = ptr - 2;
@@ -133,17 +115,9 @@ krb5_make_token(struct krb5_ctx *ctx, in
 
 	*(u16 *)(krb5_hdr + 2) = htons(ctx->signalg);
 	memset(krb5_hdr + 4, 0xff, 4);
-	if (toktype == KG_TOK_WRAP_MSG)
-		*(u16 *)(krb5_hdr + 4) = htons(ctx->sealalg);
 
-	if (toktype == KG_TOK_WRAP_MSG) {
-		/* XXX removing support for now */
+	if (make_checksum(checksum_type, krb5_hdr, 8, text, &md5cksum))
 		goto out_err;
-	} else { /* Sign only.  */
-		if (make_checksum(checksum_type, krb5_hdr, 8, text,
-				       &md5cksum))
-			goto out_err;
-	}
 
 	switch (ctx->signalg) {
 	case SGN_ALG_DES_MAC_MD5:
Index: linux-2.6/include/linux/sunrpc/gss_krb5.h
===================================================================
--- linux-2.6.orig/include/linux/sunrpc/gss_krb5.h
+++ linux-2.6/include/linux/sunrpc/gss_krb5.h
@@ -121,13 +121,12 @@ make_checksum(s32 cksumtype, char *heade
 u32
 krb5_make_token(struct krb5_ctx *context_handle, int qop_req,
 	struct xdr_buf *input_message_buffer,
-	struct xdr_netobj *output_message_buffer, int toktype);
+	struct xdr_netobj *output_message_buffer);
 
 u32
 krb5_read_token(struct krb5_ctx *context_handle,
 	  struct xdr_netobj *input_token_buffer,
-	  struct xdr_buf *message_buffer,
-	  int *qop_state, int toktype);
+	  struct xdr_buf *message_buffer, int *qop_state);
 
 u32
 krb5_encrypt(struct crypto_tfm * key,
Index: linux-2.6/net/sunrpc/auth_gss/gss_krb5_unseal.c
===================================================================
--- linux-2.6.orig/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ linux-2.6/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -68,20 +68,13 @@
 #endif
 
 
-/* message_buffer is an input if toktype is MIC and an output if it is WRAP:
- * If toktype is MIC: read_token is a mic token, and message_buffer is the
- *   data that the mic was supposedly taken over.
- * If toktype is WRAP: read_token is a wrap token, and message_buffer is used
- *   to return the decrypted data.
- */
+/* read_token is a mic token, and message_buffer is the data that the mic was
+ * supposedly taken over. */
 
-/* XXX will need to change prototype and/or just split into a separate function
- * when we add privacy (because read_token will be in pages too). */
 u32
 krb5_read_token(struct krb5_ctx *ctx,
 		struct xdr_netobj *read_token,
-		struct xdr_buf *message_buffer,
-		int *qop_state, int toktype)
+		struct xdr_buf *message_buffer, int *qop_state)
 {
 	int			signalg;
 	int			sealalg;
@@ -100,16 +93,12 @@ krb5_read_token(struct krb5_ctx *ctx,
 					read_token->len))
 		goto out;
 
-	if ((*ptr++ != ((toktype>>8)&0xff)) || (*ptr++ != (toktype&0xff)))
+	if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) ||
+	    (*ptr++ != ( KG_TOK_MIC_MSG    &0xff))   )
 		goto out;
 
 	/* XXX sanity-check bodysize?? */
 
-	if (toktype == KG_TOK_WRAP_MSG) {
-		/* XXX gone */
-		goto out;
-	}
-
 	/* get the sign and seal algorithms */
 
 	signalg = ptr[0] + (ptr[1] << 8);
@@ -120,14 +109,7 @@ krb5_read_token(struct krb5_ctx *ctx,
 	if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
 		goto out;
 
-	if (((toktype != KG_TOK_WRAP_MSG) && (sealalg != 0xffff)) ||
-	    ((toktype == KG_TOK_WRAP_MSG) && (sealalg == 0xffff)))
-		goto out;
-
-	/* in the current spec, there is only one valid seal algorithm per
-	   key type, so a simple comparison is ok */
-
-	if ((toktype == KG_TOK_WRAP_MSG) && !(sealalg == ctx->sealalg))
+	if (sealalg != 0xffff)
 		goto out;
 
 	/* there are several mappings of seal algorithms to sign algorithms,
Index: linux-2.6/net/sunrpc/auth_gss/gss_krb5_mech.c
===================================================================
--- linux-2.6.orig/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ linux-2.6/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -199,8 +199,7 @@ gss_verify_mic_kerberos(struct gss_ctx		
 	int qop_state;
 	struct krb5_ctx *kctx = ctx->internal_ctx_id;
 
-	maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state,
-				   KG_TOK_MIC_MSG);
+	maj_stat = krb5_read_token(kctx, mic_token, message, &qop_state);
 	if (!maj_stat && qop_state)
 	    *qstate = qop_state;
 
@@ -216,7 +215,7 @@ gss_get_mic_kerberos(struct gss_ctx	*ctx
 	u32 err = 0;
 	struct krb5_ctx *kctx = ctx->internal_ctx_id;
 
-	err = krb5_make_token(kctx, qop, message, mic_token, KG_TOK_MIC_MSG);
+	err = krb5_make_token(kctx, qop, message, mic_token);
 
 	dprintk("RPC:      gss_get_mic_kerberos returning %d\n",err);