rpcgss: krb5: clean up some goto's, etc.

	if (ctx->sealalg != SEAL_ALG_NONE && ctx->sealalg != SEAL_ALG_DES) {

		dprintk("RPC:      gss_krb5_seal: ctx->sealalg %d not supported\n",

			ctx->sealalg);

		goto out_err;

		return GSS_S_FAILURE;

	}

	token->len = g_token_size(&ctx->mech_used, 22);

	memset(krb5_hdr + 4, 0xff, 4);

	if (make_checksum("md5", krb5_hdr, 8, text, 0, &md5cksum))

		goto out_err;

		return GSS_S_FAILURE;

	if (krb5_encrypt(ctx->seq, NULL, md5cksum.data,

			  md5cksum.data, md5cksum.len))

		goto out_err;

		return GSS_S_FAILURE;

	memcpy(krb5_hdr + 16,

	       md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,

	       KRB5_CKSUM_LENGTH);

	if ((krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff,

			       seq_send, krb5_hdr + 16, krb5_hdr + 8)))

		goto out_err;

		return GSS_S_FAILURE;

	return ((ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);

out_err:

	return GSS_S_FAILURE;

}

	s32			seqnum;

	unsigned char		*ptr = (unsigned char *)read_token->data;

	int			bodysize;

	u32			ret = GSS_S_DEFECTIVE_TOKEN;

	dprintk("RPC:      krb5_read_token\n");

	if (g_verify_token_header(&ctx->mech_used, &bodysize, &ptr,

					read_token->len))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if ((*ptr++ != ((KG_TOK_MIC_MSG>>8)&0xff)) ||

	    (*ptr++ != ( KG_TOK_MIC_MSG    &0xff))   )

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	/* XXX sanity-check bodysize?? */

	/* get the sign and seal algorithms */

	signalg = ptr[0] + (ptr[1] << 8);

	sealalg = ptr[2] + (ptr[3] << 8);

	/* Sanity checks */

	if ((ptr[4] != 0xff) || (ptr[5] != 0xff))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if (sealalg != 0xffff)

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if (signalg != SGN_ALG_DES_MAC_MD5)

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	ret = make_checksum("md5", ptr - 2, 8, message_buffer, 0, &md5cksum);

	if (ret)

		goto out;

	if (make_checksum("md5", ptr - 2, 8, message_buffer, 0, &md5cksum))

		return GSS_S_FAILURE;

	ret = krb5_encrypt(ctx->seq, NULL, md5cksum.data,

			   md5cksum.data, 16);

	if (ret)

		goto out;

	if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, md5cksum.data, 16))

		return GSS_S_FAILURE;

	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {

		ret = GSS_S_BAD_SIG;

		goto out;

	}

	if (memcmp(md5cksum.data + 8, ptr + 14, 8))

		return GSS_S_BAD_SIG;

	/* it got through unscathed.  Make sure the context is unexpired */

	now = get_seconds();

	ret = GSS_S_CONTEXT_EXPIRED;

	if (now > ctx->endtime)

		goto out;

		return GSS_S_CONTEXT_EXPIRED;

	/* do sequencing checks */

	ret = GSS_S_BAD_SIG;

	if ((ret = krb5_get_seq_num(ctx->seq, ptr + 14, ptr + 6, &direction,

				    &seqnum)))

		goto out;

	if (krb5_get_seq_num(ctx->seq, ptr + 14, ptr + 6, &direction, &seqnum))

		return GSS_S_FAILURE;

	if ((ctx->initiate && direction != 0xff) ||

	    (!ctx->initiate && direction != 0))

		goto out;

		return GSS_S_BAD_SIG;

	ret = GSS_S_COMPLETE;

out:

	return ret;

	return GSS_S_COMPLETE;

}

	if (kctx->sealalg != SEAL_ALG_NONE && kctx->sealalg != SEAL_ALG_DES) {

		dprintk("RPC:      gss_krb5_seal: kctx->sealalg %d not supported\n",

			kctx->sealalg);

		goto out_err;

		return GSS_S_FAILURE;

	}

	blocksize = crypto_blkcipher_blocksize(kctx->enc);

	buf->pages = pages;

	if (make_checksum("md5", krb5_hdr, 8, buf,

				offset + headlen - blocksize, &md5cksum))

		goto out_err;

		return GSS_S_FAILURE;

	buf->pages = tmp_pages;

	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,

			  md5cksum.data, md5cksum.len))

		goto out_err;

		return GSS_S_FAILURE;

	memcpy(krb5_hdr + 16,

	       md5cksum.data + md5cksum.len - KRB5_CKSUM_LENGTH,

	       KRB5_CKSUM_LENGTH);

	 * and encrypt at the same time: */

	if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,

			       seq_send, krb5_hdr + 16, krb5_hdr + 8)))

		goto out_err;

		return GSS_S_FAILURE;

	if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,

									pages))

		goto out_err;

		return GSS_S_FAILURE;

	return ((kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE);

out_err:

	return GSS_S_FAILURE;

}

u32

	s32			seqnum;

	unsigned char		*ptr;

	int			bodysize;

	u32			ret = GSS_S_DEFECTIVE_TOKEN;

	void			*data_start, *orig_start;

	int			data_len;

	int			blocksize;

	ptr = (u8 *)buf->head[0].iov_base + offset;

	if (g_verify_token_header(&kctx->mech_used, &bodysize, &ptr,

					buf->len - offset))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if ((*ptr++ != ((KG_TOK_WRAP_MSG>>8)&0xff)) ||

	    (*ptr++ !=  (KG_TOK_WRAP_MSG    &0xff))   )

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	/* XXX sanity-check bodysize?? */

	/* Sanity checks */

	if ((ptr[4] != 0xff) || (ptr[5] != 0xff))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if (sealalg == 0xffff)

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if (signalg != SGN_ALG_DES_MAC_MD5)

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	/* in the current spec, there is only one valid seal algorithm per

	   key type, so a simple comparison is ok */

	if (sealalg != kctx->sealalg)

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	/* there are several mappings of seal algorithms to sign algorithms,

	   but few enough that we can try them all. */

	    (kctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||

	    (kctx->sealalg == SEAL_ALG_DES3KD &&

	     signalg != SGN_ALG_HMAC_SHA1_DES3_KD))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	if (gss_decrypt_xdr_buf(kctx->enc, buf,

			ptr + 22 - (unsigned char *)buf->head[0].iov_base))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	ret = make_checksum("md5", ptr - 2, 8, buf,

		 ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum);

	if (ret)

		goto out;

	if (make_checksum("md5", ptr - 2, 8, buf,

		 ptr + 22 - (unsigned char *)buf->head[0].iov_base, &md5cksum))

		return GSS_S_FAILURE;

	ret = krb5_encrypt(kctx->seq, NULL, md5cksum.data,

			   md5cksum.data, md5cksum.len);

	if (ret)

		goto out;

	if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,

			   md5cksum.data, md5cksum.len))

		return GSS_S_FAILURE;

	if (memcmp(md5cksum.data + 8, ptr + 14, 8)) {

		ret = GSS_S_BAD_SIG;

		goto out;

	}

	if (memcmp(md5cksum.data + 8, ptr + 14, 8))

		return GSS_S_BAD_SIG;

	/* it got through unscathed.  Make sure the context is unexpired */

	now = get_seconds();

	ret = GSS_S_CONTEXT_EXPIRED;

	if (now > kctx->endtime)

		goto out;

		return GSS_S_CONTEXT_EXPIRED;

	/* do sequencing checks */

	ret = GSS_S_BAD_SIG;

	if ((ret = krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction,

				    &seqnum)))

		goto out;

	if (krb5_get_seq_num(kctx->seq, ptr + 14, ptr + 6, &direction,

				    &seqnum))

		return GSS_S_BAD_SIG;

	if ((kctx->initiate && direction != 0xff) ||

	    (!kctx->initiate && direction != 0))

		goto out;

		return GSS_S_BAD_SIG;

	/* Copy the data back to the right position.  XXX: Would probably be

	 * better to copy and encrypt at the same time. */

	buf->head[0].iov_len -= (data_start - orig_start);

	buf->len -= (data_start - orig_start);

	ret = GSS_S_DEFECTIVE_TOKEN;

	if (gss_krb5_remove_padding(buf, blocksize))

		goto out;

		return GSS_S_DEFECTIVE_TOKEN;

	ret = GSS_S_COMPLETE;

out:

	return ret;

	return GSS_S_COMPLETE;

}