From: Chuck Lever
Date: Mon, 27 Apr 2026 13:50:57 +0000 (-0400)
Subject: SUNRPC: Remove encrypt/decrypt function pointers from enctype table
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5f02e760614238dd826268429f340cfb80074f32;p=thirdparty%2Fkernel%2Flinux.git
SUNRPC: Remove encrypt/decrypt function pointers from enctype table
All enctypes now route through gss_krb5_aead_encrypt() and gss_krb5_aead_decrypt(). The per-enctype .encrypt and .decrypt function pointers served the same purpose as .get_mic and .wrap before them: dispatching v1 versus v2 implementations. With v1 support long removed and the Camellia decrypt path migrated in a preceding patch, every table entry points to the same pair of functions. Call gss_krb5_aead_encrypt() and gss_krb5_aead_decrypt() directly from gss_krb5_wrap_v2() and gss_krb5_unwrap_v2(), and drop the function pointers from struct gss_krb5_enctype. While here, propagate the GSS status code returned by gss_krb5_aead_decrypt() instead of discarding it. The old indirect call sites returned GSS_S_FAILURE unconditionally, losing the distinction between an integrity failure (GSS_S_BAD_SIG) and a structural error (GSS_S_DEFECTIVE_TOKEN).
Assisted-by: Claude:claude-opus-4-6
Reviewed-by: Jeff Layton
Acked-by: Anna Schumaker
Signed-off-by: Chuck Lever
---
diff --git a/net/sunrpc/auth_gss/gss_krb5_internal.h b/net/sunrpc/auth_gss/gss_krb5_internal.h
index 92b0baed920ce..8258e6862aa20 100644
--- a/net/sunrpc/auth_gss/gss_krb5_internal.h
+++ b/net/sunrpc/auth_gss/gss_krb5_internal.h
@@ -40,10 +40,6 @@ struct gss_krb5_enctype {
 struct xdr_netobj *out,
 const struct xdr_netobj *label,
 gfp_t gfp_mask);
- u32 (*encrypt)(struct krb5_ctx *kctx, u32 offset,
- struct xdr_buf *buf, struct page **pages);
- u32 (*decrypt)(struct krb5_ctx *kctx, u32 offset, u32 len,
- struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
 };
 /* krb5_ctx flags definitions */
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index d027ddab132f7..912821efc937a 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -43,8 +43,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 .aux_cipher = "cbc(aes)",
 .cksum_name = "hmac(sha1)",
 .derive_key = krb5_derive_key_v2,
- .encrypt = gss_krb5_aead_encrypt,
- .decrypt = gss_krb5_aead_decrypt,
 .signalg = -1,
 .sealalg = -1,
@@ -67,8 +65,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 .aux_cipher = "cbc(aes)",
 .cksum_name = "hmac(sha1)",
 .derive_key = krb5_derive_key_v2,
- .encrypt = gss_krb5_aead_encrypt,
- .decrypt = gss_krb5_aead_decrypt,
 .signalg = -1,
 .sealalg = -1,
@@ -101,8 +97,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 .Ki_length = BITS2OCTETS(128),
 .derive_key = krb5_kdf_feedback_cmac,
- .encrypt = gss_krb5_aead_encrypt,
- .decrypt = gss_krb5_aead_decrypt,
 },
 /*
@@ -123,8 +117,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 .Ki_length = BITS2OCTETS(256),
 .derive_key = krb5_kdf_feedback_cmac,
- .encrypt = gss_krb5_aead_encrypt,
- .decrypt = gss_krb5_aead_decrypt,
 },
 #endif
@@ -148,8 +140,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 .Ki_length = BITS2OCTETS(128),
 .derive_key = krb5_kdf_hmac_sha2,
- .encrypt = gss_krb5_aead_encrypt,
- .decrypt = gss_krb5_aead_decrypt,
 },
 /*
@@ -170,8 +160,6 @@ static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
 .Ki_length = BITS2OCTETS(192),
 .derive_key = krb5_kdf_hmac_sha2,
- .encrypt = gss_krb5_aead_encrypt,
- .decrypt = gss_krb5_aead_decrypt,
 },
 #endif
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index b3e1738ff6bfa..93aa7500d0320 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -112,9 +112,9 @@ gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset,
 *ptr++ = (unsigned char) ((KG2_TOK_WRAP>>8) & 0xff);
 *ptr++ = (unsigned char) (KG2_TOK_WRAP & 0xff);
- if ((kctx->flags & KRB5_CTX_FLAG_INITIATOR) == 0)
+ if (!kctx->initiate)
 flags |= KG2_TOKEN_FLAG_SENTBYACCEPTOR;
- if ((kctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY) != 0)
+ if (kctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
 flags |= KG2_TOKEN_FLAG_ACCEPTORSUBKEY;
 /* We always do confidentiality in wrap tokens */
 flags |= KG2_TOKEN_FLAG_SEALED;
@@ -130,7 +130,7 @@ gss_krb5_wrap_v2(struct krb5_ctx *kctx, int offset,
 be64ptr = (__be64 *)be16ptr;
 *be64ptr = cpu_to_be64(atomic64_fetch_inc(&kctx->seq_send64));
- err = (*kctx->gk5e->encrypt)(kctx, offset, buf, pages);
+ err = gss_krb5_aead_encrypt(kctx, offset, buf, pages);
 if (err)
 return err;
@@ -184,10 +184,10 @@ gss_krb5_unwrap_v2(struct krb5_ctx *kctx, int offset, int len,
 if (rrc != 0)
 rotate_left(offset + 16, buf, rrc);
- err = (*kctx->gk5e->decrypt)(kctx, offset, len, buf,
- &headskip, &tailskip);
+ err = gss_krb5_aead_decrypt(kctx, offset, len, buf,
+ &headskip, &tailskip);
 if (err)
- return GSS_S_FAILURE;
+ return err;
 /*
 * Retrieve the decrypted gss token header and verify
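Review bot: In the first hunk of gss_krb5_wrap_v2(), the KG2_TOKEN_FLAG_SENTBYACCEPTOR test switches from the `KRB5_CTX_FLAG_INITIATOR` bit in `kctx->flags` to `!kctx->initiate`, which the commit message does not mention and which is unrelated to removing the function pointers. The change only preserves behaviour if `kctx->initiate` is always set from that same flag bit when the context is imported. That code is not in this diff, so it should be confirmed, because the peer presumably relies on this token flag to tell which side produced a wrap token. I would either keep the flag test in its simplified form, `if (!(kctx->flags & KRB5_CTX_FLAG_INITIATOR))`, or move the switch to `kctx->initiate` into its own patch with a changelog line explaining why the two are equivalent. The function body starts and ends outside the hunk.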
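Review bot: Returning `err` unchanged in the last hunk means gss_krb5_unwrap_v2() now hands callers whatever gss_krb5_aead_decrypt() returns, so that function must be guaranteed to return only GSS major status values. Its body is not on this page; any path that can return a negative errno from the crypto layer was previously flattened to GSS_S_FAILURE and would now escape. A short comment above the return would record the contract, e.g. `/* err is a GSS major status: GSS_S_BAD_SIG or GSS_S_DEFECTIVE_TOKEN */`. It is also worth checking that callers keep this finer-grained status in local tracing rather than turning it into a reply the peer can tell apart, since a sender-visible distinction between an integrity failure and a structural error is a signal that decryption code normally avoids exposing. The body of gss_krb5_unwrap_v2() starts and ends outside the hunk.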