---

yaml
---
r: 42539
b: refs/heads/master
c: d922a84
h: refs/heads/master
i:
  42537: e00e9da
  42535: cce256a
v: v3

[refs]

@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 39a21dd1b0eec3f5eac84ee42bda5ab4915098ae
+refs/heads/master: d922a84a8bf1d627810906d033223d4fa629fdbf

trunk/include/linux/sunrpc/gss_krb5.h

@@ -44,7 +44,6 @@ struct krb5_ctx {
 	int			initiate; /* 1 = initiating, 0 = accepting */
 	int			seed_init;
 	unsigned char		seed[16];
-	int			sealalg;
 	struct crypto_blkcipher	*enc;
 	struct crypto_blkcipher	*seq;
 	s32			endtime;

trunk/net/sunrpc/auth_gss/gss_krb5_mech.c

@@ -148,9 +148,11 @@ gss_import_sec_context_kerberos(const void *p,
 		goto out_err_free_ctx;
 	if (tmp != SGN_ALG_DES_MAC_MD5)
 		goto out_err_free_ctx;
-	p = simple_get_bytes(p, end, &ctx->sealalg, sizeof(ctx->sealalg));
+	p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
 	if (IS_ERR(p))
 		goto out_err_free_ctx;
+	if (tmp != SEAL_ALG_DES)
+		goto out_err_free_ctx;
 	p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
 	if (IS_ERR(p))
 		goto out_err_free_ctx;

trunk/net/sunrpc/auth_gss/gss_krb5_seal.c

@@ -87,12 +87,6 @@ gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
 
 	now = get_seconds();
 
-	if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) {
-		dprintk("RPC:      gss_krb5_seal: ctx->sealalg %d not supported\n",
-			ctx->sealalg);
-		return GSS_S_FAILURE;
-	}
-
 	token->len = g_token_size(&ctx->mech_used, 22);
 
 	ptr = token->data;

trunk/net/sunrpc/auth_gss/gss_krb5_wrap.c

@@ -133,12 +133,6 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 
 	now = get_seconds();
 
-	if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {
-		dprintk("RPC:      gss_krb5_seal: kctx->sealalg %d not supported\n",
-			kctx->sealalg);
-		return GSS_S_FAILURE;
-	}
-
 	blocksize = crypto_blkcipher_blocksize(kctx->enc);
 	gss_krb5_add_padding(buf, offset, blocksize);
 	BUG_ON((buf->len - offset) % blocksize);
@@ -169,7 +163,7 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
 
 	*(__be16 *)(krb5_hdr + 2) = htons(SGN_ALG_DES_MAC_MD5);
 	memset(krb5_hdr + 4, 0xff, 4);
-	*(__be16 *)(krb5_hdr + 4) = htons(kctx->sealalg);
+	*(__be16 *)(krb5_hdr + 4) = htons(SEAL_ALG_DES);
 
 	make_confounder(msg_start, blocksize);
 
@@ -245,26 +239,11 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
 	if ((ptr[4] != 0xff) || (ptr[5] != 0xff))
 		return GSS_S_DEFECTIVE_TOKEN;
 
-	if (sealalg == 0xffff)
+	if (sealalg != SEAL_ALG_DES)
 		return GSS_S_DEFECTIVE_TOKEN;
 	if (signalg != SGN_ALG_DES_MAC_MD5)
 		return GSS_S_DEFECTIVE_TOKEN;
 
-	/* in the current spec, there is only one valid seal algorithm per
-	   key type, so a simple comparison is ok */
-
-	if (sealalg != kctx->sealalg)
-		return GSS_S_DEFECTIVE_TOKEN;
-
-	/* there are several mappings of seal algorithms to sign algorithms,
-	   but few enough that we can try them all. */
-
-	if ((kctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
-	    (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
-	    (kctx->sealalg == SEAL_ALG_DES3KD &&
-	     signalg != SGN_ALG_HMAC_SHA1_DES3_KD))
-		return GSS_S_DEFECTIVE_TOKEN;
-
 	if (gss_decrypt_xdr_buf(kctx->enc, buf,
 			ptr + 22 - (unsigned char *)buf->head[0].iov_base))
 		return GSS_S_DEFECTIVE_TOKEN;