SUNRPC: Remove encrypt/decrypt function pointers from enctype table
authorChuck Lever <chuck.lever@oracle.com>
Mon, 27 Apr 2026 13:50:57 +0000 (09:50 -0400)
committerChuck Lever <cel@kernel.org>
Tue, 9 Jun 2026 20:32:59 +0000 (16:32 -0400)
All enctypes now route through gss_krb5_aead_encrypt() and
gss_krb5_aead_decrypt(). The per-enctype .encrypt and .decrypt
function pointers served the same purpose as .get_mic and
.wrap before them: dispatching v1 versus v2 implementations.
With v1 support long removed and the Camellia decrypt path
migrated in a preceding patch, every table entry points to
the same pair of functions.

Call gss_krb5_aead_encrypt() and gss_krb5_aead_decrypt()
directly from gss_krb5_wrap_v2() and gss_krb5_unwrap_v2(),
and drop the function pointers from struct gss_krb5_enctype.

While here, propagate the GSS status code returned by
gss_krb5_aead_decrypt() instead of discarding it.
The old indirect call sites returned GSS_S_FAILURE
unconditionally, losing the distinction between an
integrity failure (GSS_S_BAD_SIG) and a structural
error (GSS_S_DEFECTIVE_TOKEN).

Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
net/sunrpc/auth_gss/gss_krb5_internal.h
net/sunrpc/auth_gss/gss_krb5_mech.c
net/sunrpc/auth_gss/gss_krb5_wrap.c

index 92b0baed920cea0211563a129c73a179e09433c9..8258e6862aa20470a96dbde752061f60d698b306 100644 (file)
@@ -40,10 +40,6 @@ struct gss_krb5_enctype {
                          struct xdr_netobj *out,
                          const struct xdr_netobj *label,
                          gfp_t gfp_mask);
-       u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset,
-                      struct xdr_buf *buf, struct page **pages);
-       u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len,
-                      struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
 };
 
 /* krb5_ctx flags definitions */
index d027ddab132f75b0484204bc953fa8e2b436c8e2..912821efc937adf60b12990844714782957d0d98 100644 (file)
@@ -43,8 +43,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
          .aux_cipher = "cbc(aes)",
          .cksum_name = "hmac(sha1)",
          .derive_key = krb5_derive_key_v2,
-         .encrypt = gss_krb5_aead_encrypt,
-         .decrypt = gss_krb5_aead_decrypt,
 
          .signalg = -1,
          .sealalg = -1,
@@ -67,8 +65,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
          .aux_cipher = "cbc(aes)",
          .cksum_name = "hmac(sha1)",
          .derive_key = krb5_derive_key_v2,
-         .encrypt = gss_krb5_aead_encrypt,
-         .decrypt = gss_krb5_aead_decrypt,
 
          .signalg = -1,
          .sealalg = -1,
@@ -101,8 +97,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
                .Ki_length      = BITS2OCTETS(128),
 
                .derive_key     = krb5_kdf_feedback_cmac,
-               .encrypt        = gss_krb5_aead_encrypt,
-               .decrypt        = gss_krb5_aead_decrypt,
 
        },
        /*
@@ -123,8 +117,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
                .Ki_length      = BITS2OCTETS(256),
 
                .derive_key     = krb5_kdf_feedback_cmac,
-               .encrypt        = gss_krb5_aead_encrypt,
-               .decrypt        = gss_krb5_aead_decrypt,
 
        },
 #endif
@@ -148,8 +140,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
                .Ki_length      = BITS2OCTETS(128),
 
                .derive_key     = krb5_kdf_hmac_sha2,
-               .encrypt        = gss_krb5_aead_encrypt,
-               .decrypt        = gss_krb5_aead_decrypt,
 
        },
        /*
@@ -170,8 +160,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
                .Ki_length      = BITS2OCTETS(192),
 
                .derive_key     = krb5_kdf_hmac_sha2,
-               .encrypt        = gss_krb5_aead_encrypt,
-               .decrypt        = gss_krb5_aead_decrypt,
 
        },
 #endif
index b3e1738ff6bfa5bbfc486e5962bba0174b961eb0..93aa7500d0320b2460487994ba2d75fec136c691 100644 (file)
@@ -112,9 +112,9 @@ gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset,
        *ptr++ = (unsigned char) ((KG2_TOK_WRAP>>8) & 0xff);
        *ptr++ = (unsigned char) (KG2_TOK_WRAP & 0xff);
 
-       if ((kctx->flags & KRB5_CTX_FLAG_INITIATOR) == 0)
+       if (!kctx->initiate)
                flags |= KG2_TOKEN_FLAG_SENTBYACCEPTOR;
-       if ((kctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY) != 0)
+       if (kctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
                flags |= KG2_TOKEN_FLAG_ACCEPTORSUBKEY;
        /* We always do confidentiality in wrap tokens */
        flags |= KG2_TOKEN_FLAG_SEALED;
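Review bot: The initiator test changes from `(kctx->flags & KRB5_CTX_FLAG_INITIATOR) == 0` to `!kctx->initiate`, which the commit description does not mention and which is unrelated to dropping the encrypt/decrypt pointers. The two tests agree only if `initiate` is always derived from that same flag bit when the context is imported, and that code is not visible in this diff. If the two fields could ever differ, KG2_TOKEN_FLAG_SENTBYACCEPTOR would be set for the wrong direction, and the receiver's direction check on wrap tokens depends on that bit. I would either move this cleanup into its own patch or add a sentence to the description, plus a comment along the lines of `/* kctx->initiate mirrors KRB5_CTX_FLAG_INITIATOR (set at context import) */` once that is confirmed. The body of gss_krb5_wrap_v2 starts and ends outside this hunk.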
@@ -130,7 +130,7 @@ gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset,
        be64ptr = (__be64 *)be16ptr;
        *be64ptr = cpu_to_be64(atomic64_fetch_inc(&kctx->seq_send64));
 
-       err = (*kctx->gk5e->encrypt)(kctx, offset, buf, pages);
+       err = gss_krb5_aead_encrypt(kctx, offset, buf, pages);
        if (err)
                return err;
 
@@ -184,10 +184,10 @@ gss_krb5_unwrap_v2(struct krb5_ctx *kctx, int offset, int len,
        if (rrc != 0)
                rotate_left(offset + 16, buf, rrc);
 
-       err = (*kctx->gk5e->decrypt)(kctx, offset, len, buf,
-                                    &headskip, &tailskip);
+       err = gss_krb5_aead_decrypt(kctx, offset, len, buf,
+                                   &headskip, &tailskip);
        if (err)
-               return GSS_S_FAILURE;
+               return err;
 
        /*
         * Retrieve the decrypted gss token header and verify
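Review bot: With `return err;`, the result of gss_krb5_unwrap_v2 now depends on gss_krb5_aead_decrypt returning only GSS major-status values, whereas the old `return GSS_S_FAILURE;` also normalised any other non-zero value. The decrypt function's body is not part of this diff, so it is worth confirming that no path hands back a negative errno from the crypto layer through the u32 return. A short comment above the call would record the contract, for example `/* returns GSS_S_COMPLETE, GSS_S_BAD_SIG or GSS_S_DEFECTIVE_TOKEN; never an errno */`, adjusted to whatever the function really returns. It is also worth checking that callers of the unwrap path do not relay the finer-grained status to the remote peer, since the difference between an integrity failure and a structural error is more feedback on a rejected token than was exposed before. The body of gss_krb5_unwrap_v2 starts and ends outside this hunk.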