]> git.ipfire.org Git - thirdparty/linux.git/commit
SUNRPC: Switch MIC token verification to crypto/krb5
authorChuck Lever <chuck.lever@oracle.com>
Mon, 27 Apr 2026 13:50:54 +0000 (09:50 -0400)
committerChuck Lever <cel@kernel.org>
Tue, 9 Jun 2026 20:32:59 +0000 (16:32 -0400)
commitd4f6bd01c5bf7afbf4a3d07f2229e06c2236e8ed
tree48e43bb1052677fb57583b65545e43a6696da08b
parenta9b9eb085884cd50de41b8ecb8d0fb9d3268cdfb
SUNRPC: Switch MIC token verification to crypto/krb5

gss_krb5_verify_mic_v2() currently recomputes a checksum using
gss_krb5_checksum() and then compares it against the received
checksum with memcmp(). Replace this with a call to
crypto_krb5_verify_mic(), which performs the hash, comparison,
and offset/length adjustment in a single operation through the
crypto/krb5 library.

The scatterlist layout required by RFC 4121 Section 4.2.4 is
constructed via gss_krb5_mic_build_sg(), the shared helper
introduced in the preceding commit. The received checksum
occupies the first scatterlist entry, pointing directly into
the token buffer.

The errno result from crypto_krb5_verify_mic() is mapped to a
GSS major status code via gss_krb5_errno_to_status(), which
returns GSS_S_BAD_SIG for -EBADMSG (checksum mismatch).

Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
net/sunrpc/auth_gss/gss_krb5_unseal.c