gss_krb5: add ability to have a keyed checksum (hmac)

[mv-sheeva.git] / net / sunrpc / auth_gss / gss_krb5_unseal.c

diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index 10ee641a39d0e0aaabbb8cc6d65c25df98211ae6..7515bffddf1572a1aae29f49b832c1f0e76a26ac 100644 (file)
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -84,6 +84,7 @@ gss_verify_mic_v1(struct krb5_ctx *ctx,
        u32                     seqnum;
        unsigned char           *ptr = (unsigned char *)read_token->data;
        int                     bodysize;
+       u8                      *cksumkey;
 
        dprintk("RPC:       krb5_read_token\n");
 
@@ -108,14 +109,16 @@ gss_verify_mic_v1(struct krb5_ctx *ctx,
        if ((ptr[6] != 0xff) || (ptr[7] != 0xff))
                return GSS_S_DEFECTIVE_TOKEN;
 
-       if (make_checksum((char *)ctx->gk5e->cksum_name, ptr, 8,
-                                       message_buffer, 0, &md5cksum))
-               return GSS_S_FAILURE;
+       if (ctx->gk5e->keyed_cksum)
+               cksumkey = ctx->cksum;
+       else
+               cksumkey = NULL;
 
-       if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, md5cksum.data, 16))
+       if (make_checksum(ctx, ptr, 8, message_buffer, 0,
+                         cksumkey, &md5cksum))
                return GSS_S_FAILURE;
 
-       if (memcmp(md5cksum.data + 8, ptr + GSS_KRB5_TOK_HDR_LEN,
+       if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,
                                        ctx->gk5e->cksumlength))
                return GSS_S_BAD_SIG;