[PATCH 04/18] SUNRPC: Add errno-to-GSS status conversion helper
From: Chuck Lever
Date: Mon Apr 27 2026 - 09:55:01 EST
From: Chuck Lever <chuck.lever@xxxxxxxxxx>
The crypto/krb5 library returns standard negative errno values,
but the GSS mechanism layer reports results as GSS_S_* major
status codes. A translation is needed at each call site that
will be switched to the new library.
Rather than open-coding the mapping in every wrapper, provide a
single helper function.
Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
---
net/sunrpc/auth_gss/gss_krb5_internal.h | 2 ++
net/sunrpc/auth_gss/gss_krb5_mech.c | 24 ++++++++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/net/sunrpc/auth_gss/gss_krb5_internal.h b/net/sunrpc/auth_gss/gss_krb5_internal.h
index 11402c3b4972..a3fe4be3b9ae 100644
--- a/net/sunrpc/auth_gss/gss_krb5_internal.h
+++ b/net/sunrpc/auth_gss/gss_krb5_internal.h
@@ -180,6 +180,8 @@ u32 krb5_etm_encrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
u32 krb5_etm_decrypt(struct krb5_ctx *kctx, u32 offset, u32 len,
struct xdr_buf *buf, u32 *headskip, u32 *tailskip);
+u32 gss_krb5_errno_to_status(int err);
+
#if IS_ENABLED(CONFIG_KUNIT)
void krb5_nfold(u32 inbits, const u8 *in, u32 outbits, u8 *out);
const struct gss_krb5_enctype *gss_krb5_lookup_enctype(u32 etype);
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 060d8fc4358e..7606bbd7b8c4 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -516,6 +516,30 @@ gss_krb5_delete_sec_context(void *internal_ctx)
kfree(kctx);
}
+/**
+ * gss_krb5_errno_to_status - Map a negative errno to a GSS major status
+ * @err: negative errno value, or zero
+ *
+ * Returns:
+ * %GSS_S_COMPLETE if @err is zero
+ * %GSS_S_BAD_SIG if @err is -EBADMSG (integrity check failure)
+ * %GSS_S_DEFECTIVE_TOKEN if @err is -EPROTO (malformed token)
+ * %GSS_S_FAILURE for all other negative values
+ */
+u32 gss_krb5_errno_to_status(int err)
+{
+ switch (err) {
+ case 0:
+ return GSS_S_COMPLETE;
+ case -EBADMSG:
+ return GSS_S_BAD_SIG;
+ case -EPROTO:
+ return GSS_S_DEFECTIVE_TOKEN;
+ default:
+ return GSS_S_FAILURE;
+ }
+}
+
/**
* gss_krb5_get_mic - get_mic for the Kerberos GSS mechanism
* @gctx: GSS context
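Review bot: The kernel-doc for gss_krb5_errno_to_status() says %GSS_S_FAILURE covers "all other negative values", but the `default:` arm also catches positive inputs, so a caller that passes a positive success return (a byte count, say) straight through would report a failure. Failing closed is the right behaviour for a helper that decides whether an integrity check passed, but the documented contract should match it: `* %GSS_S_FAILURE for any other value, including positive ones`. The `@err` line could also say that callers must reduce a positive success return to zero before calling. Whether any crypto/krb5 entry point returns a positive length on success is not visible in this patch, so confirm it against the call sites converted later in the series.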
--
2.53.0