On Mar 31, 2008, at 10:31 AM, Kevin Coffman wrote:
> Add encryption type to the krb5 context structure and use it to switch
> to the correct functions depending on the encryption type.
>
> Signed-off-by: Kevin Coffman <kwc at citi.umich.edu>
> ---
>
> include/linux/sunrpc/gss_krb5.h | 1 +
> net/sunrpc/auth_gss/gss_krb5_mech.c | 1 +
> net/sunrpc/auth_gss/gss_krb5_seal.c | 21 ++++++++++++++--
> net/sunrpc/auth_gss/gss_krb5_unseal.c | 22 ++++++++++++++---
> net/sunrpc/auth_gss/gss_krb5_wrap.c | 44 ++++++++++++++++++++++
> +++++++----
> 5 files changed, 77 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/sunrpc/gss_krb5.h b/include/linux/sunrpc/
> gss_krb5.h
> index 0d55934..973a3cc 100644
> --- a/include/linux/sunrpc/gss_krb5.h
> +++ b/include/linux/sunrpc/gss_krb5.h
> @@ -42,6 +42,7 @@
>
> struct krb5_ctx {
> int initiate; /* 1 = initiating, 0 = accepting */
> + u32 enctype;
> struct crypto_blkcipher *enc;
> struct crypto_blkcipher *seq;
> s32 endtime;
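Review bot: The new `enctype` member is added without a comment saying what it holds or who writes it, and the only writer in this series is a constant assignment in gss_import_sec_context_kerberos(). Suggest `u32 enctype; /* ENCTYPE_* value; selects the get_mic/verify_mic/wrap/unwrap implementation */` so the switches in the seal, unseal and wrap files have a documented source. struct krb5_ctx continues outside the hunk.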
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/
> auth_gss/gss_krb5_mech.c
> index 3c070d0..477cf07 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -137,6 +137,7 @@ gss_import_sec_context_kerberos(const void *p,
> p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
> if (IS_ERR(p))
> goto out_err_free_ctx;
> + ctx->enctype = ENCTYPE_DES_CBC_RAW;
> /* The downcall format was designed before we completely understood
> * the uses of the context fields; so it includes some stuff we
> * just give some minimal sanity-checking, and some we ignore
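Review bot: `ctx->enctype` is set to the constant ENCTYPE_DES_CBC_RAW rather than a value parsed from the downcall, so every imported context takes the v1 paths and the `default: BUG()` arms added to the four dispatchers are unreachable for now; a reader of those dispatchers cannot tell that from the seal/unseal/wrap files. Suggest a comment on the assignment, `/* downcall carries no enctype yet; DES_CBC_RAW is the only format supported */`. If a later change reads the value from userspace, it should be checked against the supported ENCTYPE_* values here and rejected via the existing error path rather than left for the dispatchers to BUG() on. gss_import_sec_context_kerberos() starts and ends outside the hunk.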
> diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/
> auth_gss/gss_krb5_seal.c
> index 5f1d36d..6925737 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_seal.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
> @@ -71,11 +71,10 @@
>
> DEFINE_SPINLOCK(krb5_seq_lock);
>
> -u32
> -gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
> +static u32
> +gss_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text,
> struct xdr_netobj *token)
> {
> - struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
> char cksumdata[16];
> struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
> unsigned char *ptr, *krb5_hdr, *msg_start;
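Review bot: gss_get_mic_v1() is introduced with no comment saying what "v1" distinguishes it from, and the same applies to gss_verify_mic_v1(), gss_wrap_kerberos_v1() and gss_unwrap_kerberos_v1() in the unseal and wrap hunks; the only clue is the ENCTYPE_DES_CBC_RAW case that selects each one. Suggest a line above the definition such as `/* Token format used with the DES enctypes (RFC 1964, as I read it); reached via gss_get_mic_kerberos() according to ctx->enctype */`, with the RFC reference confirmed against what the series intends. The function body continues outside the hunk.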
> @@ -121,3 +120,19 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx,
> struct xdr_buf *text,
>
> return (ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED :
> GSS_S_COMPLETE;
> }
> +
> +u32
> +gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
> + struct xdr_netobj *token)
> +{
> + struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
> +
> + switch (ctx->enctype) {
> + case ENCTYPE_DES_CBC_RAW:
> + return gss_get_mic_v1(ctx, text, token);
> + default:
> + BUG();
> + }
> + return 0;
If the compiler is complaining about needing a return because the BUG() doesn't have one, there are cleaner ways to do this.
> +}
> +
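Review bot: In gss_get_mic_kerberos() the `default:` arm reaches `return 0` after BUG(), and GSS_S_COMPLETE is 0, so on a kernel built with CONFIG_BUG=n (where BUG() expands to nothing) an unrecognised enctype reports success for a MIC that was never produced; the same shape appears in gss_verify_mic_kerberos(), gss_wrap_kerberos() and gss_unwrap_kerberos() in the unseal and wrap hunks, where for verify_mic and unwrap it would mean accepting data that was never checked. The arm is unreachable today, since enctype is only ever assigned ENCTYPE_DES_CBC_RAW in gss_krb5_mech.c, but a dispatcher on an integrity path should fail closed: `default: return GSS_S_FAILURE;` in place of the trailing `return 0`.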
> diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/
> auth_gss/gss_krb5_unseal.c
> index d91a5d0..eb6e349 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
> @@ -71,11 +71,10 @@
> /* read_token is a mic token, and message_buffer is the data that
> the mic was
> * supposedly taken over. */
>
> -u32
> -gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
> +static u32
> +gss_verify_mic_v1(struct krb5_ctx *ctx,
> struct xdr_buf *message_buffer, struct xdr_netobj *read_token)
> {
> - struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
> int signalg;
> int sealalg;
> char cksumdata[16];
> @@ -136,3 +135,20 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
>
> return GSS_S_COMPLETE;
> }
> +
> +u32
> +gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
> + struct xdr_buf *message_buffer,
> + struct xdr_netobj *read_token)
> +{
> + struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
> +
> + switch (ctx->enctype) {
> + case ENCTYPE_DES_CBC_RAW:
> + return gss_verify_mic_v1(ctx, message_buffer, read_token);
> + default:
> + BUG();
> + }
> + return 0;
> +}
Likewise.
> +
> diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/
> auth_gss/gss_krb5_wrap.c
> index 14b35a3..1ee3f29 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
> @@ -122,11 +122,10 @@ make_confounder(char *p, int conflen)
>
> /* XXX factor out common code with seal/unseal. */
>
> -u32
> -gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
> +static u32
> +gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
> struct xdr_buf *buf, struct page **pages)
> {
> - struct krb5_ctx *kctx = ctx->internal_ctx_id;
> char cksumdata[16];
> struct xdr_netobj md5cksum = {.len = 0, .data = cksumdata};
> int blocksize = 0, plainlen;
> @@ -203,10 +202,9 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int
> offset,
> return (kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED :
> GSS_S_COMPLETE;
> }
>
> -u32
> -gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct
> xdr_buf *buf)
> +static u32
> +gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct
> xdr_buf *buf)
> {
> - struct krb5_ctx *kctx = ctx->internal_ctx_id;
> int signalg;
> int sealalg;
> char cksumdata[16];
> @@ -294,3 +292,37 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int
> offset, struct xdr_buf *buf)
>
> return GSS_S_COMPLETE;
> }
> +
> +u32
> +gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
> + struct xdr_buf *buf, struct page **pages)
> +{
> + struct krb5_ctx *kctx = gctx->internal_ctx_id;
> +
> + switch (kctx->enctype) {
> + case ENCTYPE_DES_CBC_RAW:
> + return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
> + break;
> + default:
> + BUG();
> + break;
> + }
> + return 0;
> +}
> +
> +u32
> +gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct
> xdr_buf *buf)
> +{
> + struct krb5_ctx *kctx = gctx->internal_ctx_id;
> +
> + switch (kctx->enctype) {
> + case ENCTYPE_DES_CBC_RAW:
> + return gss_unwrap_kerberos_v1(kctx, offset, buf);
> + break;
> + default:
> + BUG();
> + break;
> + }
> + return 0;
> +}
> +
>
"break" after "return" is pretty ugly.
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com