Whamcloud - gitweb
git://git.whamcloud.com / fs / lustre-release.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
LU-13229 ldlm: unlock request memory leak
[fs/lustre-release.git] / lustre / ptlrpc / gss / gss_krb5_mech.c
diff --git a/lustre/ptlrpc/gss/gss_krb5_mech.c b/lustre/ptlrpc/gss/gss_krb5_mech.c
index 289ab08..5ff7b3b 100644 (file)
--- a/lustre/ptlrpc/gss/gss_krb5_mech.c
+++ b/lustre/ptlrpc/gss/gss_krb5_mech.c
@@ -51,6 +51,7 @@
 #define DEBUG_SUBSYSTEM S_SEC
 #include <linux/init.h>
 #include <linux/module.h>
+#include <linux/random.h>
 #include <linux/slab.h>
 #include <linux/crypto.h>
 #include <linux/mutex.h>
@@ -58,7 +59,6 @@
 #include <obd.h>
 #include <obd_class.h>
 #include <obd_support.h>
-#include <lustre/lustre_idl.h>
 #include <lustre_net.h>
 #include <lustre_import.h>
 #include <lustre_sec.h>
@@ -68,8 +68,9 @@
 #include "gss_api.h"
 #include "gss_asn1.h"
 #include "gss_krb5.h"
+#include "gss_crypto.h"
 
-static spinlock_t krb5_seq_lock;
+static DEFINE_SPINLOCK(krb5_seq_lock);
 
 struct krb5_enctype {
         char           *ke_dispname;
@@ -87,264 +88,171 @@ struct krb5_enctype {
  * yet. this need to be fixed in the future.
  */
 static struct krb5_enctype enctypes[] = {
-        [ENCTYPE_DES_CBC_RAW] = {               /* des-cbc-md5 */
-                "des-cbc-md5",
-                "cbc(des)",
-                "md5",
-                0,
-                16,
-                8,
-                0,
-        },
-        [ENCTYPE_DES3_CBC_RAW] = {              /* des3-hmac-sha1 */
-                "des3-hmac-sha1",
-                "cbc(des3_ede)",
-                "hmac(sha1)",
-                0,
-                20,
-                8,
-                1,
-        },
-        [ENCTYPE_AES128_CTS_HMAC_SHA1_96] = {   /* aes128-cts */
-                "aes128-cts-hmac-sha1-96",
-                "cbc(aes)",
-                "hmac(sha1)",
-                0,
-                12,
-                16,
-                1,
-        },
-        [ENCTYPE_AES256_CTS_HMAC_SHA1_96] = {   /* aes256-cts */
-                "aes256-cts-hmac-sha1-96",
-                "cbc(aes)",
-                "hmac(sha1)",
-                0,
-                12,
-                16,
-                1,
-        },
-        [ENCTYPE_ARCFOUR_HMAC] = {              /* arcfour-hmac-md5 */
-                "arcfour-hmac-md5",
-                "ecb(arc4)",
-                "hmac(md5)",
-                0,
-                16,
-                8,
-                1,
-        },
+       [ENCTYPE_DES_CBC_RAW] = {               /* des-cbc-md5 */
+               .ke_dispname    = "des-cbc-md5",
+               .ke_enc_name    = "cbc(des)",
+               .ke_hash_name   = "md5",
+               .ke_hash_size   = 16,
+               .ke_conf_size   = 8,
+       },
+       [ENCTYPE_DES3_CBC_RAW] = {              /* des3-hmac-sha1 */
+               .ke_dispname    = "des3-hmac-sha1",
+               .ke_enc_name    = "cbc(des3_ede)",
+               .ke_hash_name   = "sha1",
+               .ke_hash_size   = 20,
+               .ke_conf_size   = 8,
+               .ke_hash_hmac   = 1,
+       },
+       [ENCTYPE_AES128_CTS_HMAC_SHA1_96] = {   /* aes128-cts */
+               .ke_dispname    = "aes128-cts-hmac-sha1-96",
+               .ke_enc_name    = "cbc(aes)",
+               .ke_hash_name   = "sha1",
+               .ke_hash_size   = 12,
+               .ke_conf_size   = 16,
+               .ke_hash_hmac   = 1,
+       },
+       [ENCTYPE_AES256_CTS_HMAC_SHA1_96] = {   /* aes256-cts */
+               .ke_dispname    = "aes256-cts-hmac-sha1-96",
+               .ke_enc_name    = "cbc(aes)",
+               .ke_hash_name   = "sha1",
+               .ke_hash_size   = 12,
+               .ke_conf_size   = 16,
+               .ke_hash_hmac   = 1,
+       },
+       [ENCTYPE_ARCFOUR_HMAC] = {              /* arcfour-hmac-md5 */
+               .ke_dispname    = "arcfour-hmac-md5",
+               .ke_enc_name    = "ecb(arc4)",
+               .ke_hash_name   = "md5",
+               .ke_hash_size   = 16,
+               .ke_conf_size   = 8,
+               .ke_hash_hmac   = 1,
+       }
 };
 
-#define MAX_ENCTYPES    sizeof(enctypes)/sizeof(struct krb5_enctype)
-
 static const char * enctype2str(__u32 enctype)
 {
-        if (enctype < MAX_ENCTYPES && enctypes[enctype].ke_dispname)
-                return enctypes[enctype].ke_dispname;
+       if (enctype < ARRAY_SIZE(enctypes) && enctypes[enctype].ke_dispname)
+               return enctypes[enctype].ke_dispname;
 
-        return "unknown";
-}
-
-static
-int keyblock_init(struct krb5_keyblock *kb, char *alg_name, int alg_mode)
-{
-       kb->kb_tfm = crypto_alloc_blkcipher(alg_name, alg_mode, 0);
-       if (IS_ERR(kb->kb_tfm)) {
-               CERROR("failed to alloc tfm: %s, mode %d\n",
-                      alg_name, alg_mode);
-               return -1;
-       }
-
-       if (crypto_blkcipher_setkey(kb->kb_tfm, kb->kb_key.data, kb->kb_key.len)) {
-                CERROR("failed to set %s key, len %d\n",
-                       alg_name, kb->kb_key.len);
-                return -1;
-        }
-
-        return 0;
+       return "unknown";
 }
 
 static
 int krb5_init_keys(struct krb5_ctx *kctx)
 {
-        struct krb5_enctype *ke;
+       struct krb5_enctype *ke;
 
-        if (kctx->kc_enctype >= MAX_ENCTYPES ||
-            enctypes[kctx->kc_enctype].ke_hash_size == 0) {
-                CERROR("unsupported enctype %x\n", kctx->kc_enctype);
-                return -1;
-        }
+       if (kctx->kc_enctype >= ARRAY_SIZE(enctypes) ||
+           enctypes[kctx->kc_enctype].ke_hash_size == 0) {
+               CERROR("unsupported enctype %x\n", kctx->kc_enctype);
+               return -1;
+       }
 
         ke = &enctypes[kctx->kc_enctype];
 
-        /* tfm arc4 is stateful, user should alloc-use-free by his own */
-        if (kctx->kc_enctype != ENCTYPE_ARCFOUR_HMAC &&
-            keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode))
-                return -1;
-
-        /* tfm hmac is stateful, user should alloc-use-free by his own */
-        if (ke->ke_hash_hmac == 0 &&
-            keyblock_init(&kctx->kc_keyi, ke->ke_enc_name, ke->ke_enc_mode))
-                return -1;
-        if (ke->ke_hash_hmac == 0 &&
-            keyblock_init(&kctx->kc_keyc, ke->ke_enc_name, ke->ke_enc_mode))
-                return -1;
-
-        return 0;
-}
-
-static
-void keyblock_free(struct krb5_keyblock *kb)
-{
-        rawobj_free(&kb->kb_key);
-        if (kb->kb_tfm)
-               crypto_free_blkcipher(kb->kb_tfm);
-}
-
-static
-int keyblock_dup(struct krb5_keyblock *new, struct krb5_keyblock *kb)
-{
-        return rawobj_dup(&new->kb_key, &kb->kb_key);
-}
-
-static
-int get_bytes(char **ptr, const char *end, void *res, int len)
-{
-        char *p, *q;
-        p = *ptr;
-        q = p + len;
-        if (q > end || q < p)
-                return -1;
-        memcpy(res, p, len);
-        *ptr = q;
-        return 0;
-}
-
-static
-int get_rawobj(char **ptr, const char *end, rawobj_t *res)
-{
-        char   *p, *q;
-        __u32   len;
-
-        p = *ptr;
-        if (get_bytes(&p, end, &len, sizeof(len)))
-                return -1;
-
-        q = p + len;
-        if (q > end || q < p)
-                return -1;
-
-        OBD_ALLOC_LARGE(res->data, len);
-        if (!res->data)
-                return -1;
-
-        res->len = len;
-        memcpy(res->data, p, len);
-        *ptr = q;
-        return 0;
-}
-
-static
-int get_keyblock(char **ptr, const char *end,
-                 struct krb5_keyblock *kb, __u32 keysize)
-{
-        char *buf;
-
-        OBD_ALLOC_LARGE(buf, keysize);
-        if (buf == NULL)
-                return -1;
+       /* tfm arc4 is stateful, user should alloc-use-free by his own */
+       if (kctx->kc_enctype != ENCTYPE_ARCFOUR_HMAC &&
+           gss_keyblock_init(&kctx->kc_keye, ke->ke_enc_name, ke->ke_enc_mode))
+               return -1;
 
-        if (get_bytes(ptr, end, buf, keysize)) {
-                OBD_FREE_LARGE(buf, keysize);
-                return -1;
-        }
+       /* tfm hmac is stateful, user should alloc-use-free by his own */
+       if (ke->ke_hash_hmac == 0 &&
+           gss_keyblock_init(&kctx->kc_keyi, ke->ke_enc_name, ke->ke_enc_mode))
+               return -1;
+       if (ke->ke_hash_hmac == 0 &&
+           gss_keyblock_init(&kctx->kc_keyc, ke->ke_enc_name, ke->ke_enc_mode))
+               return -1;
 
-        kb->kb_key.len = keysize;
-        kb->kb_key.data = buf;
         return 0;
 }
 
 static
 void delete_context_kerberos(struct krb5_ctx *kctx)
 {
-        rawobj_free(&kctx->kc_mech_used);
+       rawobj_free(&kctx->kc_mech_used);
 
-        keyblock_free(&kctx->kc_keye);
-        keyblock_free(&kctx->kc_keyi);
-        keyblock_free(&kctx->kc_keyc);
+       gss_keyblock_free(&kctx->kc_keye);
+       gss_keyblock_free(&kctx->kc_keyi);
+       gss_keyblock_free(&kctx->kc_keyc);
 }
 
 static
 __u32 import_context_rfc1964(struct krb5_ctx *kctx, char *p, char *end)
 {
-        unsigned int    tmp_uint, keysize;
-
-        /* seed_init flag */
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
-                goto out_err;
-        kctx->kc_seed_init = (tmp_uint != 0);
-
-        /* seed */
-        if (get_bytes(&p, end, kctx->kc_seed, sizeof(kctx->kc_seed)))
-                goto out_err;
-
-        /* sign/seal algorithm, not really used now */
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)) ||
-            get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
-                goto out_err;
-
-        /* end time */
-        if (get_bytes(&p, end, &kctx->kc_endtime, sizeof(kctx->kc_endtime)))
-                goto out_err;
-
-        /* seq send */
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
-                goto out_err;
-        kctx->kc_seq_send = tmp_uint;
-
-        /* mech oid */
-        if (get_rawobj(&p, end, &kctx->kc_mech_used))
-                goto out_err;
-
-        /* old style enc/seq keys in format:
-         *   - enctype (u32)
-         *   - keysize (u32)
-         *   - keydata
-         * we decompose them to fit into the new context
-         */
-
-        /* enc key */
-        if (get_bytes(&p, end, &kctx->kc_enctype, sizeof(kctx->kc_enctype)))
-                goto out_err;
-
-        if (get_bytes(&p, end, &keysize, sizeof(keysize)))
-                goto out_err;
-
-        if (get_keyblock(&p, end, &kctx->kc_keye, keysize))
-                goto out_err;
-
-        /* seq key */
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)) ||
-            tmp_uint != kctx->kc_enctype)
-                goto out_err;
-
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)) ||
-            tmp_uint != keysize)
-                goto out_err;
-
-        if (get_keyblock(&p, end, &kctx->kc_keyc, keysize))
-                goto out_err;
-
-        /* old style fallback */
-        if (keyblock_dup(&kctx->kc_keyi, &kctx->kc_keyc))
-                goto out_err;
-
-        if (p != end)
-                goto out_err;
+       unsigned int    tmp_uint, keysize;
+
+       /* seed_init flag */
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
+               goto out_err;
+       kctx->kc_seed_init = (tmp_uint != 0);
+
+       /* seed */
+       if (gss_get_bytes(&p, end, kctx->kc_seed, sizeof(kctx->kc_seed)))
+               goto out_err;
+
+       /* sign/seal algorithm, not really used now */
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)) ||
+           gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
+               goto out_err;
+
+       /* end time. While kc_endtime might be 64 bit the krb5 API
+        * still uses 32 bits. To delay the 2038 bug see the incoming
+        * value as a u32 which give us until 2106. See the link for details:
+        *
+        * http://web.mit.edu/kerberos/www/krb5-current/doc/appdev/y2038.html
+        */
+       if (gss_get_bytes(&p, end, &kctx->kc_endtime, sizeof(u32)))
+               goto out_err;
+
+       /* seq send */
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
+               goto out_err;
+       kctx->kc_seq_send = tmp_uint;
+
+       /* mech oid */
+       if (gss_get_rawobj(&p, end, &kctx->kc_mech_used))
+               goto out_err;
+
+       /* old style enc/seq keys in format:
+        *   - enctype (u32)
+        *   - keysize (u32)
+        *   - keydata
+        * we decompose them to fit into the new context
+        */
+
+       /* enc key */
+       if (gss_get_bytes(&p, end, &kctx->kc_enctype, sizeof(kctx->kc_enctype)))
+               goto out_err;
+
+       if (gss_get_bytes(&p, end, &keysize, sizeof(keysize)))
+               goto out_err;
+
+       if (gss_get_keyblock(&p, end, &kctx->kc_keye, keysize))
+               goto out_err;
+
+       /* seq key */
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)) ||
+           tmp_uint != kctx->kc_enctype)
+               goto out_err;
+
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)) ||
+           tmp_uint != keysize)
+               goto out_err;
+
+       if (gss_get_keyblock(&p, end, &kctx->kc_keyc, keysize))
+               goto out_err;
+
+       /* old style fallback */
+       if (gss_keyblock_dup(&kctx->kc_keyi, &kctx->kc_keyc))
+               goto out_err;
+
+       if (p != end)
+               goto out_err;
 
        CDEBUG(D_SEC, "successfully imported rfc1964 context\n");
-        return 0;
+       return 0;
 out_err:
-        return GSS_S_FAILURE;
+       return GSS_S_FAILURE;
 }
 
 /* Flags for version 2 context flags */
@@ -355,58 +263,64 @@ out_err:
 static
 __u32 import_context_rfc4121(struct krb5_ctx *kctx, char *p, char *end)
 {
-        unsigned int    tmp_uint, keysize;
-
-        /* end time */
-        if (get_bytes(&p, end, &kctx->kc_endtime, sizeof(kctx->kc_endtime)))
-                goto out_err;
-
-        /* flags */
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
-                goto out_err;
-
-        if (tmp_uint & KRB5_CTX_FLAG_INITIATOR)
-                kctx->kc_initiate = 1;
-        if (tmp_uint & KRB5_CTX_FLAG_CFX)
-                kctx->kc_cfx = 1;
-        if (tmp_uint & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
-                kctx->kc_have_acceptor_subkey = 1;
-
-        /* seq send */
-        if (get_bytes(&p, end, &kctx->kc_seq_send, sizeof(kctx->kc_seq_send)))
-                goto out_err;
-
-        /* enctype */
-        if (get_bytes(&p, end, &kctx->kc_enctype, sizeof(kctx->kc_enctype)))
-                goto out_err;
-
-        /* size of each key */
-        if (get_bytes(&p, end, &keysize, sizeof(keysize)))
-                goto out_err;
-
-        /* number of keys - should always be 3 */
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
-                goto out_err;
+       unsigned int    tmp_uint, keysize;
+
+       /* end time. While kc_endtime might be 64 bit the krb5 API
+        * still uses 32 bits. To delay the 2038 bug see the incoming
+        * value as a u32 which give us until 2106. See the link for details:
+        *
+        * http://web.mit.edu/kerberos/www/krb5-current/doc/appdev/y2038.html
+        */
+       if (gss_get_bytes(&p, end, &kctx->kc_endtime, sizeof(u32)))
+               goto out_err;
+
+       /* flags */
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
+               goto out_err;
+
+       if (tmp_uint & KRB5_CTX_FLAG_INITIATOR)
+               kctx->kc_initiate = 1;
+       if (tmp_uint & KRB5_CTX_FLAG_CFX)
+               kctx->kc_cfx = 1;
+       if (tmp_uint & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
+               kctx->kc_have_acceptor_subkey = 1;
+
+       /* seq send */
+       if (gss_get_bytes(&p, end, &kctx->kc_seq_send,
+           sizeof(kctx->kc_seq_send)))
+               goto out_err;
+
+       /* enctype */
+       if (gss_get_bytes(&p, end, &kctx->kc_enctype, sizeof(kctx->kc_enctype)))
+               goto out_err;
+
+       /* size of each key */
+       if (gss_get_bytes(&p, end, &keysize, sizeof(keysize)))
+               goto out_err;
+
+       /* number of keys - should always be 3 */
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint)))
+               goto out_err;
+
+       if (tmp_uint != 3) {
+               CERROR("Invalid number of keys: %u\n", tmp_uint);
+               goto out_err;
+       }
 
-        if (tmp_uint != 3) {
-                CERROR("Invalid number of keys: %u\n", tmp_uint);
-                goto out_err;
-        }
-
-        /* ke */
-        if (get_keyblock(&p, end, &kctx->kc_keye, keysize))
-                goto out_err;
-        /* ki */
-        if (get_keyblock(&p, end, &kctx->kc_keyi, keysize))
-                goto out_err;
-        /* ki */
-        if (get_keyblock(&p, end, &kctx->kc_keyc, keysize))
-                goto out_err;
+       /* ke */
+       if (gss_get_keyblock(&p, end, &kctx->kc_keye, keysize))
+               goto out_err;
+       /* ki */
+       if (gss_get_keyblock(&p, end, &kctx->kc_keyi, keysize))
+               goto out_err;
+       /* ki */
+       if (gss_get_keyblock(&p, end, &kctx->kc_keyc, keysize))
+               goto out_err;
 
        CDEBUG(D_SEC, "successfully imported v2 context\n");
-        return 0;
+       return 0;
 out_err:
-        return GSS_S_FAILURE;
+       return GSS_S_FAILURE;
 }
 
 /*
@@ -418,15 +332,15 @@ static
 __u32 gss_import_sec_context_kerberos(rawobj_t *inbuf,
                                       struct gss_ctx *gctx)
 {
-        struct krb5_ctx *kctx;
-        char            *p = (char *) inbuf->data;
-        char            *end = (char *) (inbuf->data + inbuf->len);
-        unsigned int     tmp_uint, rc;
+       struct krb5_ctx *kctx;
+       char *p = (char *)inbuf->data;
+       char *end = (char *)(inbuf->data + inbuf->len);
+       unsigned int tmp_uint, rc;
 
-        if (get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint))) {
-                CERROR("Fail to read version\n");
-                return GSS_S_FAILURE;
-        }
+       if (gss_get_bytes(&p, end, &tmp_uint, sizeof(tmp_uint))) {
+               CERROR("Fail to read version\n");
+               return GSS_S_FAILURE;
+       }
 
         /* only support 0, 1 for the moment */
         if (tmp_uint > 2) {
@@ -484,12 +398,12 @@ __u32 gss_copy_reverse_context_kerberos(struct gss_ctx *gctx,
         if (rawobj_dup(&knew->kc_mech_used, &kctx->kc_mech_used))
                 goto out_err;
 
-        if (keyblock_dup(&knew->kc_keye, &kctx->kc_keye))
-                goto out_err;
-        if (keyblock_dup(&knew->kc_keyi, &kctx->kc_keyi))
-                goto out_err;
-        if (keyblock_dup(&knew->kc_keyc, &kctx->kc_keyc))
-                goto out_err;
+       if (gss_keyblock_dup(&knew->kc_keye, &kctx->kc_keye))
+               goto out_err;
+       if (gss_keyblock_dup(&knew->kc_keyi, &kctx->kc_keyi))
+               goto out_err;
+       if (gss_keyblock_dup(&knew->kc_keyc, &kctx->kc_keyc))
+               goto out_err;
         if (krb5_init_keys(knew))
                 goto out_err;
 
@@ -505,11 +419,11 @@ out_err:
 
 static
 __u32 gss_inquire_context_kerberos(struct gss_ctx *gctx,
-                                   unsigned long  *endtime)
+                                  time64_t *endtime)
 {
         struct krb5_ctx *kctx = gctx->internal_ctx_id;
 
-        *endtime = (unsigned long) ((__u32) kctx->kc_endtime);
+       *endtime = kctx->kc_endtime;
         return GSS_S_COMPLETE;
 }
 
@@ -523,281 +437,75 @@ void gss_delete_sec_context_kerberos(void *internal_ctx)
 }
 
 /*
- * Should be used for buffers allocated with k/vmalloc().
- *
- * Dispose of @sgt with teardown_sgtable().
- *
- * @prealloc_sg is to avoid memory allocation inside sg_alloc_table()
- * in cases where a single sg is sufficient.  No attempt to reduce the
- * number of sgs by squeezing physically contiguous pages together is
- * made though, for simplicity.
- *
- * This function is copied from the ceph filesystem code.
- */
-static int setup_sgtable(struct sg_table *sgt, struct scatterlist *prealloc_sg,
-                        const void *buf, unsigned int buf_len)
-{
-       struct scatterlist *sg;
-       const bool is_vmalloc = is_vmalloc_addr(buf);
-       unsigned int off = offset_in_page(buf);
-       unsigned int chunk_cnt = 1;
-       unsigned int chunk_len = PAGE_ALIGN(off + buf_len);
-       int i;
-       int ret;
-
-       if (buf_len == 0) {
-               memset(sgt, 0, sizeof(*sgt));
-               return -EINVAL;
-       }
-
-       if (is_vmalloc) {
-               chunk_cnt = chunk_len >> PAGE_SHIFT;
-               chunk_len = PAGE_SIZE;
-       }
-
-       if (chunk_cnt > 1) {
-               ret = sg_alloc_table(sgt, chunk_cnt, GFP_NOFS);
-               if (ret)
-                       return ret;
-       } else {
-               WARN_ON(chunk_cnt != 1);
-               sg_init_table(prealloc_sg, 1);
-               sgt->sgl = prealloc_sg;
-               sgt->nents = sgt->orig_nents = 1;
-       }
-
-       for_each_sg(sgt->sgl, sg, sgt->orig_nents, i) {
-               struct page *page;
-               unsigned int len = min(chunk_len - off, buf_len);
-
-               if (is_vmalloc)
-                       page = vmalloc_to_page(buf);
-               else
-                       page = virt_to_page(buf);
-
-               sg_set_page(sg, page, len, off);
-
-               off = 0;
-               buf += len;
-               buf_len -= len;
-       }
-
-       WARN_ON(buf_len != 0);
-
-       return 0;
-}
-
-static void teardown_sgtable(struct sg_table *sgt)
-{
-       if (sgt->orig_nents > 1)
-               sg_free_table(sgt);
-}
-
-static
-__u32 krb5_encrypt(struct crypto_blkcipher *tfm,
-                   int decrypt,
-                   void * iv,
-                   void * in,
-                   void * out,
-                   int length)
-{
-       struct sg_table sg_out;
-        struct blkcipher_desc desc;
-        struct scatterlist    sg;
-        __u8 local_iv[16] = {0};
-        __u32 ret = -EINVAL;
-
-        LASSERT(tfm);
-        desc.tfm  = tfm;
-        desc.info = local_iv;
-        desc.flags= 0;
-
-       if (length % crypto_blkcipher_blocksize(tfm) != 0) {
-                CERROR("output length %d mismatch blocksize %d\n",
-                      length, crypto_blkcipher_blocksize(tfm));
-                goto out;
-        }
-
-       if (crypto_blkcipher_ivsize(tfm) > 16) {
-               CERROR("iv size too large %d\n", crypto_blkcipher_ivsize(tfm));
-               goto out;
-       }
-
-       if (iv)
-               memcpy(local_iv, iv, crypto_blkcipher_ivsize(tfm));
-
-       memcpy(out, in, length);
-
-       ret = setup_sgtable(&sg_out, &sg, out, length);
-       if (ret != 0)
-               goto out;
-
-        if (decrypt)
-               ret = crypto_blkcipher_decrypt_iv(&desc, sg_out.sgl,
-                                                 sg_out.sgl, length);
-        else
-               ret = crypto_blkcipher_encrypt_iv(&desc, sg_out.sgl,
-                                                 sg_out.sgl, length);
-
-       teardown_sgtable(&sg_out);
-out:
-       return ret;
-}
-
-static inline
-int krb5_digest_hmac(struct crypto_hash *tfm,
-                     rawobj_t *key,
-                     struct krb5_header *khdr,
-                     int msgcnt, rawobj_t *msgs,
-                     int iovcnt, lnet_kiov_t *iovs,
-                     rawobj_t *cksum)
-{
-       struct hash_desc        desc;
-       struct sg_table         sgt;
-       struct scatterlist      sg[1];
-       int                     i, rc;
-
-       crypto_hash_setkey(tfm, key->data, key->len);
-        desc.tfm  = tfm;
-        desc.flags= 0;
-
-       crypto_hash_init(&desc);
-
-        for (i = 0; i < msgcnt; i++) {
-                if (msgs[i].len == 0)
-                        continue;
-
-               rc = setup_sgtable(&sgt, sg, msgs[i].data, msgs[i].len);
-               if (rc != 0)
-                       return rc;
-
-               crypto_hash_update(&desc, sgt.sgl, msgs[i].len);
-
-               teardown_sgtable(&sgt);
-        }
-
-        for (i = 0; i < iovcnt; i++) {
-                if (iovs[i].kiov_len == 0)
-                        continue;
-
-               sg_init_table(sg, 1);
-               sg_set_page(&sg[0], iovs[i].kiov_page, iovs[i].kiov_len,
-                           iovs[i].kiov_offset);
-               crypto_hash_update(&desc, sg, iovs[i].kiov_len);
-        }
-
-        if (khdr) {
-               rc = setup_sgtable(&sgt, sg, (char *) khdr, sizeof(*khdr));
-               if (rc != 0)
-                       return rc;
-
-               crypto_hash_update(&desc, sgt.sgl, sizeof(*khdr));
-
-               teardown_sgtable(&sgt);
-        }
-
-       return crypto_hash_final(&desc, cksum->data);
-}
-
-static inline
-int krb5_digest_norm(struct crypto_hash *tfm,
-                     struct krb5_keyblock *kb,
-                     struct krb5_header *khdr,
-                     int msgcnt, rawobj_t *msgs,
-                     int iovcnt, lnet_kiov_t *iovs,
-                     rawobj_t *cksum)
-{
-       struct hash_desc        desc;
-       struct scatterlist      sg[1];
-       struct sg_table         sgt;
-       int                     i, rc;
-
-        LASSERT(kb->kb_tfm);
-        desc.tfm  = tfm;
-        desc.flags= 0;
-
-       crypto_hash_init(&desc);
-
-        for (i = 0; i < msgcnt; i++) {
-                if (msgs[i].len == 0)
-                        continue;
-
-               rc = setup_sgtable(&sgt, sg, msgs[i].data, msgs[i].len);
-               if (rc != 0)
-                       return rc;
-
-               crypto_hash_update(&desc, sgt.sgl, msgs[i].len);
-
-               teardown_sgtable(&sgt);
-        }
-
-        for (i = 0; i < iovcnt; i++) {
-                if (iovs[i].kiov_len == 0)
-                        continue;
-
-               sg_init_table(sg, 1);
-               sg_set_page(&sg[0], iovs[i].kiov_page, iovs[i].kiov_len,
-                           iovs[i].kiov_offset);
-               crypto_hash_update(&desc, sg, iovs[i].kiov_len);
-        }
-
-        if (khdr) {
-               rc = setup_sgtable(&sgt, sg, (char *) khdr, sizeof(*khdr));
-               if (rc != 0)
-                       return rc;
-
-               crypto_hash_update(&desc, sgt.sgl, sizeof(*khdr));
-
-               teardown_sgtable(&sgt);
-       }
-
-       crypto_hash_final(&desc, cksum->data);
-
-        return krb5_encrypt(kb->kb_tfm, 0, NULL, cksum->data,
-                            cksum->data, cksum->len);
-}
-
-/*
  * compute (keyed/keyless) checksum against the plain text which appended
  * with krb5 wire token header.
  */
 static
 __s32 krb5_make_checksum(__u32 enctype,
-                         struct krb5_keyblock *kb,
-                         struct krb5_header *khdr,
-                         int msgcnt, rawobj_t *msgs,
-                         int iovcnt, lnet_kiov_t *iovs,
-                         rawobj_t *cksum)
+                        struct gss_keyblock *kb,
+                        struct krb5_header *khdr,
+                        int msgcnt, rawobj_t *msgs,
+                        int iovcnt, lnet_kiov_t *iovs,
+                        rawobj_t *cksum,
+                        digest_hash hash_func)
 {
-        struct krb5_enctype   *ke = &enctypes[enctype];
-       struct crypto_hash    *tfm;
-        __u32                  code = GSS_S_FAILURE;
-        int                    rc;
+       struct krb5_enctype *ke = &enctypes[enctype];
+       struct ahash_request *req = NULL;
+       enum cfs_crypto_hash_alg hash_algo;
+       rawobj_t hdr;
+       int rc;
+
+       hash_algo = cfs_crypto_hash_alg(ke->ke_hash_name);
+
+       /* For the cbc(des) case we want md5 instead of hmac(md5) */
+       if (strcmp(ke->ke_enc_name, "cbc(des)"))
+               req = cfs_crypto_hash_init(hash_algo, kb->kb_key.data,
+                                          kb->kb_key.len);
+       else
+               req = cfs_crypto_hash_init(hash_algo, NULL, 0);
+       if (IS_ERR(req)) {
+               rc = PTR_ERR(req);
+               CERROR("failed to alloc hash %s : rc = %d\n",
+                      ke->ke_hash_name, rc);
+               goto out_no_hash;
+       }
 
-       if (!(tfm = crypto_alloc_hash(ke->ke_hash_name, 0, 0))) {
-                CERROR("failed to alloc TFM: %s\n", ke->ke_hash_name);
-                return GSS_S_FAILURE;
-        }
+       cksum->len = cfs_crypto_hash_digestsize(hash_algo);
+       OBD_ALLOC_LARGE(cksum->data, cksum->len);
+       if (!cksum->data) {
+               cksum->len = 0;
+               rc = -ENOMEM;
+               goto out_free_hash;
+       }
 
-       cksum->len = crypto_hash_digestsize(tfm);
-        OBD_ALLOC_LARGE(cksum->data, cksum->len);
-        if (!cksum->data) {
-                cksum->len = 0;
-                goto out_tfm;
-        }
+       hdr.data = (__u8 *)khdr;
+       hdr.len = sizeof(*khdr);
 
-        if (ke->ke_hash_hmac)
-                rc = krb5_digest_hmac(tfm, &kb->kb_key,
-                                      khdr, msgcnt, msgs, iovcnt, iovs, cksum);
-        else
-                rc = krb5_digest_norm(tfm, kb,
-                                      khdr, msgcnt, msgs, iovcnt, iovs, cksum);
+       if (!hash_func) {
+               rc = -EPROTO;
+               CERROR("hash function for %s undefined\n",
+                      ke->ke_hash_name);
+               goto out_free_hash;
+       }
+       rc = hash_func(req, &hdr, msgcnt, msgs, iovcnt, iovs);
+       if (rc)
+               goto out_free_hash;
+
+       if (!ke->ke_hash_hmac) {
+               LASSERT(kb->kb_tfm);
+
+               cfs_crypto_hash_final(req, cksum->data, &cksum->len);
+               rc = gss_crypt_generic(kb->kb_tfm, 0, NULL,
+                                      cksum->data, cksum->data,
+                                      cksum->len);
+               goto out_no_hash;
+       }
 
-        if (rc == 0)
-                code = GSS_S_COMPLETE;
-out_tfm:
-       crypto_free_hash(tfm);
-        return code;
+out_free_hash:
+       if (req)
+               cfs_crypto_hash_final(req, cksum->data, &cksum->len);
+out_no_hash:
+       return rc ? GSS_S_FAILURE : GSS_S_COMPLETE;
 }
 
 static void fill_krb5_header(struct krb5_ctx *kctx,
@@ -870,181 +578,90 @@ static __u32 verify_krb5_header(struct krb5_ctx *kctx,
 
 static
 __u32 gss_get_mic_kerberos(struct gss_ctx *gctx,
-                           int msgcnt,
-                           rawobj_t *msgs,
-                           int iovcnt,
-                           lnet_kiov_t *iovs,
-                           rawobj_t *token)
+                          int msgcnt,
+                          rawobj_t *msgs,
+                          int iovcnt,
+                          lnet_kiov_t *iovs,
+                          rawobj_t *token)
 {
-        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
-        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-        struct krb5_header  *khdr;
-        rawobj_t             cksum = RAWOBJ_EMPTY;
-
-        /* fill krb5 header */
-        LASSERT(token->len >= sizeof(*khdr));
-        khdr = (struct krb5_header *) token->data;
-        fill_krb5_header(kctx, khdr, 0);
-
-        /* checksum */
-        if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyc,
-                               khdr, msgcnt, msgs, iovcnt, iovs, &cksum))
-                return GSS_S_FAILURE;
-
-        LASSERT(cksum.len >= ke->ke_hash_size);
-        LASSERT(token->len >= sizeof(*khdr) + ke->ke_hash_size);
-        memcpy(khdr + 1, cksum.data + cksum.len - ke->ke_hash_size,
-               ke->ke_hash_size);
+       struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+       struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
+       struct krb5_header  *khdr;
+       rawobj_t cksum = RAWOBJ_EMPTY;
+       u32 major;
+
+       /* fill krb5 header */
+       LASSERT(token->len >= sizeof(*khdr));
+       khdr = (struct krb5_header *)token->data;
+       fill_krb5_header(kctx, khdr, 0);
+
+       /* checksum */
+       if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyc, khdr,
+                              msgcnt, msgs, iovcnt, iovs, &cksum,
+                              gctx->hash_func))
+               GOTO(out_free_cksum, major = GSS_S_FAILURE);
 
-        token->len = sizeof(*khdr) + ke->ke_hash_size;
-        rawobj_free(&cksum);
-        return GSS_S_COMPLETE;
+       LASSERT(cksum.len >= ke->ke_hash_size);
+       LASSERT(token->len >= sizeof(*khdr) + ke->ke_hash_size);
+       memcpy(khdr + 1, cksum.data + cksum.len - ke->ke_hash_size,
+              ke->ke_hash_size);
+
+       token->len = sizeof(*khdr) + ke->ke_hash_size;
+       major = GSS_S_COMPLETE;
+out_free_cksum:
+       rawobj_free(&cksum);
+       return major;
 }
 
 static
 __u32 gss_verify_mic_kerberos(struct gss_ctx *gctx,
-                              int msgcnt,
-                              rawobj_t *msgs,
-                              int iovcnt,
-                              lnet_kiov_t *iovs,
-                              rawobj_t *token)
+                             int msgcnt,
+                             rawobj_t *msgs,
+                             int iovcnt,
+                             lnet_kiov_t *iovs,
+                             rawobj_t *token)
 {
-        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
-        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-        struct krb5_header  *khdr;
-        rawobj_t             cksum = RAWOBJ_EMPTY;
-        __u32                major;
-
-        if (token->len < sizeof(*khdr)) {
-                CERROR("short signature: %u\n", token->len);
-                return GSS_S_DEFECTIVE_TOKEN;
-        }
-
-        khdr = (struct krb5_header *) token->data;
-
-        major = verify_krb5_header(kctx, khdr, 0);
-        if (major != GSS_S_COMPLETE) {
-                CERROR("bad krb5 header\n");
-                return major;
-        }
-
-        if (token->len < sizeof(*khdr) + ke->ke_hash_size) {
-                CERROR("short signature: %u, require %d\n",
-                       token->len, (int) sizeof(*khdr) + ke->ke_hash_size);
-                return GSS_S_FAILURE;
-        }
-
-        if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyc,
-                               khdr, msgcnt, msgs, iovcnt, iovs, &cksum)) {
-                CERROR("failed to make checksum\n");
-                return GSS_S_FAILURE;
-        }
-
-        LASSERT(cksum.len >= ke->ke_hash_size);
-        if (memcmp(khdr + 1, cksum.data + cksum.len - ke->ke_hash_size,
-                   ke->ke_hash_size)) {
-                CERROR("checksum mismatch\n");
-                rawobj_free(&cksum);
-                return GSS_S_BAD_SIG;
-        }
-
-        rawobj_free(&cksum);
-        return GSS_S_COMPLETE;
-}
-
-static
-int add_padding(rawobj_t *msg, int msg_buflen, int blocksize)
-{
-        int padding;
-
-        padding = (blocksize - (msg->len & (blocksize - 1))) &
-                  (blocksize - 1);
-        if (!padding)
-                return 0;
-
-        if (msg->len + padding > msg_buflen) {
-                CERROR("bufsize %u too small: datalen %u, padding %u\n",
-                        msg_buflen, msg->len, padding);
-                return -EINVAL;
-        }
-
-        memset(msg->data + msg->len, padding, padding);
-        msg->len += padding;
-        return 0;
-}
-
-static
-int krb5_encrypt_rawobjs(struct crypto_blkcipher *tfm,
-                         int mode_ecb,
-                         int inobj_cnt,
-                         rawobj_t *inobjs,
-                         rawobj_t *outobj,
-                         int enc)
-{
-        struct blkcipher_desc desc;
-        struct scatterlist    src, dst;
-       struct sg_table         sg_src, sg_dst;
-        __u8                  local_iv[16] = {0}, *buf;
-        __u32                 datalen = 0;
-        int                   i, rc;
-        ENTRY;
-
-        buf = outobj->data;
-        desc.tfm  = tfm;
-        desc.info = local_iv;
-        desc.flags = 0;
-
-        for (i = 0; i < inobj_cnt; i++) {
-               LASSERT(buf + inobjs[i].len <= outobj->data + outobj->len);
-
-               rc = setup_sgtable(&sg_src, &src, inobjs[i].data,
-                                  inobjs[i].len);
-               if (rc != 0)
-                       RETURN(rc);
-
-               rc = setup_sgtable(&sg_dst, &dst, buf,
-                                  outobj->len - datalen);
-               if (rc != 0) {
-                       teardown_sgtable(&sg_src);
-                       RETURN(rc);
-               }
+       struct krb5_ctx *kctx = gctx->internal_ctx_id;
+       struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
+       struct krb5_header *khdr;
+       rawobj_t cksum = RAWOBJ_EMPTY;
+       u32 major;
+
+       if (token->len < sizeof(*khdr)) {
+               CERROR("short signature: %u\n", token->len);
+               return GSS_S_DEFECTIVE_TOKEN;
+       }
 
-                if (mode_ecb) {
-                        if (enc)
-                               rc = crypto_blkcipher_encrypt(&desc, sg_dst.sgl,
-                                                             sg_src.sgl,
-                                                             inobjs[i].len);
-                        else
-                               rc = crypto_blkcipher_decrypt(&desc, sg_dst.sgl,
-                                                             sg_src.sgl,
-                                                             inobjs[i].len);
-                } else {
-                        if (enc)
-                               rc = crypto_blkcipher_encrypt_iv(&desc,
-                                                                sg_dst.sgl,
-                                                                sg_src.sgl,
-                                                                inobjs[i].len);
-                        else
-                               rc = crypto_blkcipher_decrypt_iv(&desc,
-                                                                sg_dst.sgl,
-                                                                sg_src.sgl,
-                                                                inobjs[i].len);
-                }
+       khdr = (struct krb5_header *)token->data;
 
-               teardown_sgtable(&sg_src);
-               teardown_sgtable(&sg_dst);
+       major = verify_krb5_header(kctx, khdr, 0);
+       if (major != GSS_S_COMPLETE) {
+               CERROR("bad krb5 header\n");
+               goto out;
+       }
 
-                if (rc) {
-                        CERROR("encrypt error %d\n", rc);
-                        RETURN(rc);
-                }
+       if (token->len < sizeof(*khdr) + ke->ke_hash_size) {
+               CERROR("short signature: %u, require %d\n",
+                      token->len, (int) sizeof(*khdr) + ke->ke_hash_size);
+               GOTO(out, major = GSS_S_FAILURE);
+       }
 
-                datalen += inobjs[i].len;
-                buf += inobjs[i].len;
-        }
+       if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyc,
+                              khdr, msgcnt, msgs, iovcnt, iovs, &cksum,
+                              gctx->hash_func))
+               GOTO(out_free_cksum, major = GSS_S_FAILURE);
 
-        outobj->len = datalen;
-        RETURN(0);
+       LASSERT(cksum.len >= ke->ke_hash_size);
+       if (memcmp(khdr + 1, cksum.data + cksum.len - ke->ke_hash_size,
+                  ke->ke_hash_size)) {
+               CERROR("checksum mismatch\n");
+               GOTO(out_free_cksum, major = GSS_S_BAD_SIG);
+       }
+       major = GSS_S_COMPLETE;
+out_free_cksum:
+       rawobj_free(&cksum);
+out:
+       return major;
 }
 
 /*
@@ -1064,7 +681,6 @@ int krb5_encrypt_bulk(struct crypto_blkcipher *tfm,
        struct sg_table         sg_src, sg_dst;
         int                     blocksize, i, rc, nob = 0;
 
-       LASSERT(ptlrpc_is_bulk_desc_kiov(desc->bd_type));
         LASSERT(desc->bd_iov_count);
        LASSERT(GET_ENC_KIOV(desc));
 
@@ -1077,21 +693,21 @@ int krb5_encrypt_bulk(struct crypto_blkcipher *tfm,
         ciph_desc.flags = 0;
 
         /* encrypt confounder */
-       rc = setup_sgtable(&sg_src, &src, confounder, blocksize);
+       rc = gss_setup_sgtable(&sg_src, &src, confounder, blocksize);
        if (rc != 0)
                return rc;
 
-       rc = setup_sgtable(&sg_dst, &dst, cipher->data, blocksize);
+       rc = gss_setup_sgtable(&sg_dst, &dst, cipher->data, blocksize);
        if (rc != 0) {
-               teardown_sgtable(&sg_src);
+               gss_teardown_sgtable(&sg_src);
                return rc;
        }
 
        rc = crypto_blkcipher_encrypt_iv(&ciph_desc, sg_dst.sgl,
                                         sg_src.sgl, blocksize);
 
-       teardown_sgtable(&sg_dst);
-       teardown_sgtable(&sg_src);
+       gss_teardown_sgtable(&sg_dst);
+       gss_teardown_sgtable(&sg_src);
 
         if (rc) {
                 CERROR("error to encrypt confounder: %d\n", rc);
@@ -1124,22 +740,22 @@ int krb5_encrypt_bulk(struct crypto_blkcipher *tfm,
         }
 
         /* encrypt krb5 header */
-       rc = setup_sgtable(&sg_src, &src, khdr, sizeof(*khdr));
+       rc = gss_setup_sgtable(&sg_src, &src, khdr, sizeof(*khdr));
        if (rc != 0)
                return rc;
 
-       rc = setup_sgtable(&sg_dst, &dst, cipher->data + blocksize,
+       rc = gss_setup_sgtable(&sg_dst, &dst, cipher->data + blocksize,
                           sizeof(*khdr));
        if (rc != 0) {
-               teardown_sgtable(&sg_src);
+               gss_teardown_sgtable(&sg_src);
                return rc;
        }
 
        rc = crypto_blkcipher_encrypt_iv(&ciph_desc, sg_dst.sgl, sg_src.sgl,
                                         sizeof(*khdr));
 
-       teardown_sgtable(&sg_dst);
-       teardown_sgtable(&sg_src);
+       gss_teardown_sgtable(&sg_dst);
+       gss_teardown_sgtable(&sg_src);
 
         if (rc) {
                 CERROR("error to encrypt krb5 header: %d\n", rc);
@@ -1185,7 +801,6 @@ int krb5_decrypt_bulk(struct crypto_blkcipher *tfm,
         int                     ct_nob = 0, pt_nob = 0;
         int                     blocksize, i, rc;
 
-       LASSERT(ptlrpc_is_bulk_desc_kiov(desc->bd_type));
         LASSERT(desc->bd_iov_count);
        LASSERT(GET_ENC_KIOV(desc));
         LASSERT(desc->bd_nob_transferred);
@@ -1204,21 +819,21 @@ int krb5_decrypt_bulk(struct crypto_blkcipher *tfm,
         }
 
         /* decrypt head (confounder) */
-       rc = setup_sgtable(&sg_src, &src, cipher->data, blocksize);
+       rc = gss_setup_sgtable(&sg_src, &src, cipher->data, blocksize);
        if (rc != 0)
                return rc;
 
-       rc = setup_sgtable(&sg_dst, &dst, plain->data, blocksize);
+       rc = gss_setup_sgtable(&sg_dst, &dst, plain->data, blocksize);
        if (rc != 0) {
-               teardown_sgtable(&sg_src);
+               gss_teardown_sgtable(&sg_src);
                return rc;
        }
 
        rc = crypto_blkcipher_decrypt_iv(&ciph_desc, sg_dst.sgl,
                                         sg_src.sgl, blocksize);
 
-       teardown_sgtable(&sg_dst);
-       teardown_sgtable(&sg_src);
+       gss_teardown_sgtable(&sg_dst);
+       gss_teardown_sgtable(&sg_src);
 
         if (rc) {
                 CERROR("error to decrypt confounder: %d\n", rc);
@@ -1309,23 +924,23 @@ int krb5_decrypt_bulk(struct crypto_blkcipher *tfm,
                        BD_GET_KIOV(desc, i++).kiov_len = 0;
 
         /* decrypt tail (krb5 header) */
-       rc = setup_sgtable(&sg_src, &src, cipher->data + blocksize,
-                          sizeof(*khdr));
+       rc = gss_setup_sgtable(&sg_src, &src, cipher->data + blocksize,
+                              sizeof(*khdr));
        if (rc != 0)
                return rc;
 
-       rc = setup_sgtable(&sg_dst, &dst, cipher->data + blocksize,
-                          sizeof(*khdr));
+       rc = gss_setup_sgtable(&sg_dst, &dst, cipher->data + blocksize,
+                              sizeof(*khdr));
        if (rc != 0) {
-               teardown_sgtable(&sg_src);
+               gss_teardown_sgtable(&sg_src);
                return rc;
        }
 
        rc = crypto_blkcipher_decrypt_iv(&ciph_desc, sg_dst.sgl, sg_src.sgl,
                                         sizeof(*khdr));
 
-       teardown_sgtable(&sg_src);
-       teardown_sgtable(&sg_dst);
+       gss_teardown_sgtable(&sg_src);
+       gss_teardown_sgtable(&sg_dst);
 
         if (rc) {
                 CERROR("error to decrypt tail: %d\n", rc);
@@ -1342,101 +957,105 @@ int krb5_decrypt_bulk(struct crypto_blkcipher *tfm,
 
 static
 __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
-                        rawobj_t *gsshdr,
-                        rawobj_t *msg,
-                        int msg_buflen,
-                        rawobj_t *token)
+                       rawobj_t *gsshdr,
+                       rawobj_t *msg,
+                       int msg_buflen,
+                       rawobj_t *token)
 {
-        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
-        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-        struct krb5_header  *khdr;
-        int                  blocksize;
-        rawobj_t             cksum = RAWOBJ_EMPTY;
-        rawobj_t             data_desc[3], cipher;
-        __u8                 conf[GSS_MAX_CIPHER_BLOCK];
-        int                  rc = 0;
-
-        LASSERT(ke);
-        LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
-        LASSERT(kctx->kc_keye.kb_tfm == NULL ||
-                ke->ke_conf_size >=
+       struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+       struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
+       struct krb5_header  *khdr;
+       int                  blocksize;
+       rawobj_t             cksum = RAWOBJ_EMPTY;
+       rawobj_t             data_desc[3], cipher;
+       __u8                 conf[GSS_MAX_CIPHER_BLOCK];
+       __u8                 local_iv[16] = {0};
+       u32 major;
+       int                  rc = 0;
+
+       LASSERT(ke);
+       LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
+       LASSERT(kctx->kc_keye.kb_tfm == NULL ||
+               ke->ke_conf_size >=
                crypto_blkcipher_blocksize(kctx->kc_keye.kb_tfm));
 
-        /*
-         * final token format:
-         * ---------------------------------------------------
-         * | krb5 header | cipher text | checksum (16 bytes) |
-         * ---------------------------------------------------
-         */
-
-        /* fill krb5 header */
-        LASSERT(token->len >= sizeof(*khdr));
-        khdr = (struct krb5_header *) token->data;
-        fill_krb5_header(kctx, khdr, 1);
-
-        /* generate confounder */
-        cfs_get_random_bytes(conf, ke->ke_conf_size);
-
-        /* get encryption blocksize. note kc_keye might not associated with
-         * a tfm, currently only for arcfour-hmac */
-        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
-                LASSERT(kctx->kc_keye.kb_tfm == NULL);
-                blocksize = 1;
-        } else {
-                LASSERT(kctx->kc_keye.kb_tfm);
+       /*
+        * final token format:
+        * ---------------------------------------------------
+        * | krb5 header | cipher text | checksum (16 bytes) |
+        * ---------------------------------------------------
+        */
+
+       /* fill krb5 header */
+       LASSERT(token->len >= sizeof(*khdr));
+       khdr = (struct krb5_header *)token->data;
+       fill_krb5_header(kctx, khdr, 1);
+
+       /* generate confounder */
+       get_random_bytes(conf, ke->ke_conf_size);
+
+       /* get encryption blocksize. note kc_keye might not associated with
+        * a tfm, currently only for arcfour-hmac */
+       if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+               LASSERT(kctx->kc_keye.kb_tfm == NULL);
+               blocksize = 1;
+       } else {
+               LASSERT(kctx->kc_keye.kb_tfm);
                blocksize = crypto_blkcipher_blocksize(kctx->kc_keye.kb_tfm);
-        }
-        LASSERT(blocksize <= ke->ke_conf_size);
+       }
+       LASSERT(blocksize <= ke->ke_conf_size);
 
-        /* padding the message */
-        if (add_padding(msg, msg_buflen, blocksize))
-                return GSS_S_FAILURE;
+       /* padding the message */
+       if (gss_add_padding(msg, msg_buflen, blocksize))
+               return GSS_S_FAILURE;
 
-        /*
-         * clear text layout for checksum:
-         * ------------------------------------------------------
-         * | confounder | gss header | clear msgs | krb5 header |
-         * ------------------------------------------------------
-         */
-        data_desc[0].data = conf;
-        data_desc[0].len = ke->ke_conf_size;
-        data_desc[1].data = gsshdr->data;
-        data_desc[1].len = gsshdr->len;
-        data_desc[2].data = msg->data;
-        data_desc[2].len = msg->len;
-
-        /* compute checksum */
-        if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
-                               khdr, 3, data_desc, 0, NULL, &cksum))
-                return GSS_S_FAILURE;
-        LASSERT(cksum.len >= ke->ke_hash_size);
-
-        /*
-         * clear text layout for encryption:
-         * -----------------------------------------
-         * | confounder | clear msgs | krb5 header |
-         * -----------------------------------------
-         */
-        data_desc[0].data = conf;
-        data_desc[0].len = ke->ke_conf_size;
-        data_desc[1].data = msg->data;
-        data_desc[1].len = msg->len;
-        data_desc[2].data = (__u8 *) khdr;
-        data_desc[2].len = sizeof(*khdr);
-
-        /* cipher text will be directly inplace */
-        cipher.data = (__u8 *) (khdr + 1);
-        cipher.len = token->len - sizeof(*khdr);
-        LASSERT(cipher.len >= ke->ke_conf_size + msg->len + sizeof(*khdr));
+       /*
+        * clear text layout for checksum:
+        * ------------------------------------------------------
+        * | confounder | gss header | clear msgs | krb5 header |
+        * ------------------------------------------------------
+        */
+       data_desc[0].data = conf;
+       data_desc[0].len = ke->ke_conf_size;
+       data_desc[1].data = gsshdr->data;
+       data_desc[1].len = gsshdr->len;
+       data_desc[2].data = msg->data;
+       data_desc[2].len = msg->len;
+
+       /* compute checksum */
+       if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
+                              khdr, 3, data_desc, 0, NULL, &cksum,
+                              gctx->hash_func))
+               GOTO(out_free_cksum, major = GSS_S_FAILURE);
+       LASSERT(cksum.len >= ke->ke_hash_size);
+
+       /*
+        * clear text layout for encryption:
+        * -----------------------------------------
+        * | confounder | clear msgs | krb5 header |
+        * -----------------------------------------
+        */
+       data_desc[0].data = conf;
+       data_desc[0].len = ke->ke_conf_size;
+       data_desc[1].data = msg->data;
+       data_desc[1].len = msg->len;
+       data_desc[2].data = (__u8 *) khdr;
+       data_desc[2].len = sizeof(*khdr);
+
+       /* cipher text will be directly inplace */
+       cipher.data = (__u8 *)(khdr + 1);
+       cipher.len = token->len - sizeof(*khdr);
+       LASSERT(cipher.len >= ke->ke_conf_size + msg->len + sizeof(*khdr));
 
        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
-               rawobj_t                 arc4_keye;
+               rawobj_t arc4_keye = RAWOBJ_EMPTY;
                struct crypto_blkcipher *arc4_tfm;
 
                if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
-                                      NULL, 1, &cksum, 0, NULL, &arc4_keye)) {
+                                      NULL, 1, &cksum, 0, NULL, &arc4_keye,
+                                      gctx->hash_func)) {
                        CERROR("failed to obtain arc4 enc key\n");
-                       GOTO(arc4_out, rc = -EACCES);
+                       GOTO(arc4_out_key, rc = -EACCES);
                }
 
                arc4_tfm = crypto_alloc_blkcipher("ecb(arc4)", 0, 0);
@@ -1446,40 +1065,38 @@ __u32 gss_wrap_kerberos(struct gss_ctx *gctx,
                }
 
                if (crypto_blkcipher_setkey(arc4_tfm, arc4_keye.data,
-                                               arc4_keye.len)) {
-                        CERROR("failed to set arc4 key, len %d\n",
-                               arc4_keye.len);
-                        GOTO(arc4_out_tfm, rc = -EACCES);
-                }
+                                           arc4_keye.len)) {
+                       CERROR("failed to set arc4 key, len %d\n",
+                              arc4_keye.len);
+                       GOTO(arc4_out_tfm, rc = -EACCES);
+               }
 
-                rc = krb5_encrypt_rawobjs(arc4_tfm, 1,
-                                          3, data_desc, &cipher, 1);
+               rc = gss_crypt_rawobjs(arc4_tfm, NULL, 3, data_desc,
+                                      &cipher, 1);
 arc4_out_tfm:
                crypto_free_blkcipher(arc4_tfm);
 arc4_out_key:
-                rawobj_free(&arc4_keye);
-arc4_out:
-                do {} while(0); /* just to avoid compile warning */
-        } else {
-                rc = krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 0,
-                                          3, data_desc, &cipher, 1);
-        }
-
-        if (rc != 0) {
-                rawobj_free(&cksum);
-                return GSS_S_FAILURE;
-        }
-
-        /* fill in checksum */
-        LASSERT(token->len >= sizeof(*khdr) + cipher.len + ke->ke_hash_size);
-        memcpy((char *)(khdr + 1) + cipher.len,
-               cksum.data + cksum.len - ke->ke_hash_size,
-               ke->ke_hash_size);
-        rawobj_free(&cksum);
+               rawobj_free(&arc4_keye);
+       } else {
+               rc = gss_crypt_rawobjs(kctx->kc_keye.kb_tfm, local_iv, 3,
+                                      data_desc, &cipher, 1);
+       }
 
-        /* final token length */
-        token->len = sizeof(*khdr) + cipher.len + ke->ke_hash_size;
-        return GSS_S_COMPLETE;
+       if (rc)
+               GOTO(out_free_cksum, major = GSS_S_FAILURE);
+
+       /* fill in checksum */
+       LASSERT(token->len >= sizeof(*khdr) + cipher.len + ke->ke_hash_size);
+       memcpy((char *)(khdr + 1) + cipher.len,
+              cksum.data + cksum.len - ke->ke_hash_size,
+              ke->ke_hash_size);
+
+       /* final token length */
+       token->len = sizeof(*khdr) + cipher.len + ke->ke_hash_size;
+       major = GSS_S_COMPLETE;
+out_free_cksum:
+       rawobj_free(&cksum);
+       return major;
 }
 
 static
@@ -1489,7 +1106,6 @@ __u32 gss_prep_bulk_kerberos(struct gss_ctx *gctx,
        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
        int                  blocksize, i;
 
-       LASSERT(ptlrpc_is_bulk_desc_kiov(desc->bd_type));
        LASSERT(desc->bd_iov_count);
        LASSERT(GET_ENC_KIOV(desc));
        LASSERT(kctx->kc_keye.kb_tfm);
@@ -1520,191 +1136,191 @@ __u32 gss_prep_bulk_kerberos(struct gss_ctx *gctx,
 
 static
 __u32 gss_wrap_bulk_kerberos(struct gss_ctx *gctx,
-                             struct ptlrpc_bulk_desc *desc,
-                             rawobj_t *token, int adj_nob)
+                            struct ptlrpc_bulk_desc *desc,
+                            rawobj_t *token, int adj_nob)
 {
-        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
-        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-        struct krb5_header  *khdr;
-        int                  blocksize;
-        rawobj_t             cksum = RAWOBJ_EMPTY;
-        rawobj_t             data_desc[1], cipher;
-        __u8                 conf[GSS_MAX_CIPHER_BLOCK];
-        int                  rc = 0;
-
-       LASSERT(ptlrpc_is_bulk_desc_kiov(desc->bd_type));
-        LASSERT(ke);
-        LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
-
-        /*
-         * final token format:
-         * --------------------------------------------------
-         * | krb5 header | head/tail cipher text | checksum |
-         * --------------------------------------------------
-         */
-
-        /* fill krb5 header */
-        LASSERT(token->len >= sizeof(*khdr));
-        khdr = (struct krb5_header *) token->data;
-        fill_krb5_header(kctx, khdr, 1);
-
-        /* generate confounder */
-        cfs_get_random_bytes(conf, ke->ke_conf_size);
-
-        /* get encryption blocksize. note kc_keye might not associated with
-         * a tfm, currently only for arcfour-hmac */
-        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
-                LASSERT(kctx->kc_keye.kb_tfm == NULL);
-                blocksize = 1;
-        } else {
-                LASSERT(kctx->kc_keye.kb_tfm);
+       struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+       struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
+       struct krb5_header  *khdr;
+       int                  blocksize;
+       rawobj_t             cksum = RAWOBJ_EMPTY;
+       rawobj_t             data_desc[1], cipher;
+       __u8                 conf[GSS_MAX_CIPHER_BLOCK];
+       int rc = 0;
+       u32 major;
+
+       LASSERT(ke);
+       LASSERT(ke->ke_conf_size <= GSS_MAX_CIPHER_BLOCK);
+
+       /*
+        * final token format:
+        * --------------------------------------------------
+        * | krb5 header | head/tail cipher text | checksum |
+        * --------------------------------------------------
+        */
+
+       /* fill krb5 header */
+       LASSERT(token->len >= sizeof(*khdr));
+       khdr = (struct krb5_header *)token->data;
+       fill_krb5_header(kctx, khdr, 1);
+
+       /* generate confounder */
+       get_random_bytes(conf, ke->ke_conf_size);
+
+       /* get encryption blocksize. note kc_keye might not associated with
+        * a tfm, currently only for arcfour-hmac */
+       if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+               LASSERT(kctx->kc_keye.kb_tfm == NULL);
+               blocksize = 1;
+       } else {
+               LASSERT(kctx->kc_keye.kb_tfm);
                blocksize = crypto_blkcipher_blocksize(kctx->kc_keye.kb_tfm);
-        }
+       }
 
-        /*
-         * we assume the size of krb5_header (16 bytes) must be n * blocksize.
-         * the bulk token size would be exactly (sizeof(krb5_header) +
-         * blocksize + sizeof(krb5_header) + hashsize)
-         */
-        LASSERT(blocksize <= ke->ke_conf_size);
-        LASSERT(sizeof(*khdr) >= blocksize && sizeof(*khdr) % blocksize == 0);
-        LASSERT(token->len >= sizeof(*khdr) + blocksize + sizeof(*khdr) + 16);
-
-        /*
-         * clear text layout for checksum:
-         * ------------------------------------------
-         * | confounder | clear pages | krb5 header |
-         * ------------------------------------------
-         */
-        data_desc[0].data = conf;
-        data_desc[0].len = ke->ke_conf_size;
+       /*
+        * we assume the size of krb5_header (16 bytes) must be n * blocksize.
+        * the bulk token size would be exactly (sizeof(krb5_header) +
+        * blocksize + sizeof(krb5_header) + hashsize)
+        */
+       LASSERT(blocksize <= ke->ke_conf_size);
+       LASSERT(sizeof(*khdr) >= blocksize && sizeof(*khdr) % blocksize == 0);
+       LASSERT(token->len >= sizeof(*khdr) + blocksize + sizeof(*khdr) + 16);
+
+       /*
+        * clear text layout for checksum:
+        * ------------------------------------------
+        * | confounder | clear pages | krb5 header |
+        * ------------------------------------------
+        */
+       data_desc[0].data = conf;
+       data_desc[0].len = ke->ke_conf_size;
 
        /* compute checksum */
        if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
                               khdr, 1, data_desc,
                               desc->bd_iov_count, GET_KIOV(desc),
-                              &cksum))
-               return GSS_S_FAILURE;
+                              &cksum, gctx->hash_func))
+               GOTO(out_free_cksum, major = GSS_S_FAILURE);
        LASSERT(cksum.len >= ke->ke_hash_size);
 
-        /*
-         * clear text layout for encryption:
-         * ------------------------------------------
-         * | confounder | clear pages | krb5 header |
-         * ------------------------------------------
-         *        |              |             |
-         *        ----------  (cipher pages)   |
-         * result token:   |                   |
-         * -------------------------------------------
-         * | krb5 header | cipher text | cipher text |
-         * -------------------------------------------
-         */
-        data_desc[0].data = conf;
-        data_desc[0].len = ke->ke_conf_size;
-
-        cipher.data = (__u8 *) (khdr + 1);
-        cipher.len = blocksize + sizeof(*khdr);
-
-        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
-                LBUG();
-                rc = 0;
-        } else {
-                rc = krb5_encrypt_bulk(kctx->kc_keye.kb_tfm, khdr,
-                                       conf, desc, &cipher, adj_nob);
-        }
+       /*
+        * clear text layout for encryption:
+        * ------------------------------------------
+        * | confounder | clear pages | krb5 header |
+        * ------------------------------------------
+        *        |              |             |
+        *        ----------  (cipher pages)   |
+        * result token:   |                   |
+        * -------------------------------------------
+        * | krb5 header | cipher text | cipher text |
+        * -------------------------------------------
+        */
+       data_desc[0].data = conf;
+       data_desc[0].len = ke->ke_conf_size;
+
+       cipher.data = (__u8 *)(khdr + 1);
+       cipher.len = blocksize + sizeof(*khdr);
 
-        if (rc != 0) {
-                rawobj_free(&cksum);
-                return GSS_S_FAILURE;
-        }
-
-        /* fill in checksum */
-        LASSERT(token->len >= sizeof(*khdr) + cipher.len + ke->ke_hash_size);
-        memcpy((char *)(khdr + 1) + cipher.len,
-               cksum.data + cksum.len - ke->ke_hash_size,
-               ke->ke_hash_size);
-        rawobj_free(&cksum);
-
-        /* final token length */
-        token->len = sizeof(*khdr) + cipher.len + ke->ke_hash_size;
-        return GSS_S_COMPLETE;
+       if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+               LBUG();
+               rc = 0;
+       } else {
+               rc = krb5_encrypt_bulk(kctx->kc_keye.kb_tfm, khdr,
+                                      conf, desc, &cipher, adj_nob);
+       }
+       if (rc)
+               GOTO(out_free_cksum, major = GSS_S_FAILURE);
+
+       /* fill in checksum */
+       LASSERT(token->len >= sizeof(*khdr) + cipher.len + ke->ke_hash_size);
+       memcpy((char *)(khdr + 1) + cipher.len,
+              cksum.data + cksum.len - ke->ke_hash_size,
+              ke->ke_hash_size);
+
+       /* final token length */
+       token->len = sizeof(*khdr) + cipher.len + ke->ke_hash_size;
+       major = GSS_S_COMPLETE;
+out_free_cksum:
+       rawobj_free(&cksum);
+       return major;
 }
 
 static
 __u32 gss_unwrap_kerberos(struct gss_ctx  *gctx,
-                          rawobj_t        *gsshdr,
-                          rawobj_t        *token,
-                          rawobj_t        *msg)
+                         rawobj_t        *gsshdr,
+                         rawobj_t        *token,
+                         rawobj_t        *msg)
 {
-        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
-        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-        struct krb5_header  *khdr;
-        unsigned char       *tmpbuf;
-        int                  blocksize, bodysize;
-        rawobj_t             cksum = RAWOBJ_EMPTY;
-        rawobj_t             cipher_in, plain_out;
-        rawobj_t             hash_objs[3];
-        int                  rc = 0;
-        __u32                major;
-
-        LASSERT(ke);
-
-        if (token->len < sizeof(*khdr)) {
-                CERROR("short signature: %u\n", token->len);
-                return GSS_S_DEFECTIVE_TOKEN;
-        }
+       struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+       struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
+       struct krb5_header  *khdr;
+       unsigned char       *tmpbuf;
+       int                  blocksize, bodysize;
+       rawobj_t             cksum = RAWOBJ_EMPTY;
+       rawobj_t             cipher_in, plain_out;
+       rawobj_t             hash_objs[3];
+       int                  rc = 0;
+       __u32                major;
+       __u8                 local_iv[16] = {0};
+
+       LASSERT(ke);
+
+       if (token->len < sizeof(*khdr)) {
+               CERROR("short signature: %u\n", token->len);
+               return GSS_S_DEFECTIVE_TOKEN;
+       }
 
-        khdr = (struct krb5_header *) token->data;
+       khdr = (struct krb5_header *)token->data;
 
-        major = verify_krb5_header(kctx, khdr, 1);
-        if (major != GSS_S_COMPLETE) {
-                CERROR("bad krb5 header\n");
-                return major;
-        }
+       major = verify_krb5_header(kctx, khdr, 1);
+       if (major != GSS_S_COMPLETE) {
+               CERROR("bad krb5 header\n");
+               return major;
+       }
 
-        /* block size */
-        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
-                LASSERT(kctx->kc_keye.kb_tfm == NULL);
-                blocksize = 1;
-        } else {
-                LASSERT(kctx->kc_keye.kb_tfm);
+       /* block size */
+       if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+               LASSERT(kctx->kc_keye.kb_tfm == NULL);
+               blocksize = 1;
+       } else {
+               LASSERT(kctx->kc_keye.kb_tfm);
                blocksize = crypto_blkcipher_blocksize(kctx->kc_keye.kb_tfm);
-        }
+       }
 
-        /* expected token layout:
-         * ----------------------------------------
-         * | krb5 header | cipher text | checksum |
-         * ----------------------------------------
-         */
-        bodysize = token->len - sizeof(*khdr) - ke->ke_hash_size;
+       /* expected token layout:
+        * ----------------------------------------
+        * | krb5 header | cipher text | checksum |
+        * ----------------------------------------
+        */
+       bodysize = token->len - sizeof(*khdr) - ke->ke_hash_size;
 
-        if (bodysize % blocksize) {
-                CERROR("odd bodysize %d\n", bodysize);
-                return GSS_S_DEFECTIVE_TOKEN;
-        }
+       if (bodysize % blocksize) {
+               CERROR("odd bodysize %d\n", bodysize);
+               return GSS_S_DEFECTIVE_TOKEN;
+       }
 
-        if (bodysize <= ke->ke_conf_size + sizeof(*khdr)) {
-                CERROR("incomplete token: bodysize %d\n", bodysize);
-                return GSS_S_DEFECTIVE_TOKEN;
-        }
+       if (bodysize <= ke->ke_conf_size + sizeof(*khdr)) {
+               CERROR("incomplete token: bodysize %d\n", bodysize);
+               return GSS_S_DEFECTIVE_TOKEN;
+       }
 
-        if (msg->len < bodysize - ke->ke_conf_size - sizeof(*khdr)) {
-                CERROR("buffer too small: %u, require %d\n",
-                       msg->len, bodysize - ke->ke_conf_size);
-                return GSS_S_FAILURE;
-        }
+       if (msg->len < bodysize - ke->ke_conf_size - sizeof(*khdr)) {
+               CERROR("buffer too small: %u, require %d\n",
+                      msg->len, bodysize - ke->ke_conf_size);
+               return GSS_S_FAILURE;
+       }
 
-        /* decrypting */
-        OBD_ALLOC_LARGE(tmpbuf, bodysize);
-        if (!tmpbuf)
-                return GSS_S_FAILURE;
+       /* decrypting */
+       OBD_ALLOC_LARGE(tmpbuf, bodysize);
+       if (!tmpbuf)
+               return GSS_S_FAILURE;
 
-        major = GSS_S_FAILURE;
+       major = GSS_S_FAILURE;
 
-        cipher_in.data = (__u8 *) (khdr + 1);
-        cipher_in.len = bodysize;
-        plain_out.data = tmpbuf;
-        plain_out.len = bodysize;
+       cipher_in.data = (__u8 *)(khdr + 1);
+       cipher_in.len = bodysize;
+       plain_out.data = tmpbuf;
+       plain_out.len = bodysize;
 
        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
                rawobj_t                 arc4_keye;
@@ -1714,7 +1330,8 @@ __u32 gss_unwrap_kerberos(struct gss_ctx  *gctx,
                cksum.len = ke->ke_hash_size;
 
                if (krb5_make_checksum(ENCTYPE_ARCFOUR_HMAC, &kctx->kc_keyi,
-                                      NULL, 1, &cksum, 0, NULL, &arc4_keye)) {
+                                      NULL, 1, &cksum, 0, NULL, &arc4_keye,
+                                      gctx->hash_func)) {
                        CERROR("failed to obtain arc4 enc key\n");
                        GOTO(arc4_out, rc = -EACCES);
                }
@@ -1726,168 +1343,168 @@ __u32 gss_unwrap_kerberos(struct gss_ctx  *gctx,
                }
 
                if (crypto_blkcipher_setkey(arc4_tfm,
-                                         arc4_keye.data, arc4_keye.len)) {
-                        CERROR("failed to set arc4 key, len %d\n",
-                               arc4_keye.len);
-                        GOTO(arc4_out_tfm, rc = -EACCES);
-                }
+                                           arc4_keye.data, arc4_keye.len)) {
+                       CERROR("failed to set arc4 key, len %d\n",
+                              arc4_keye.len);
+                       GOTO(arc4_out_tfm, rc = -EACCES);
+               }
 
-                rc = krb5_encrypt_rawobjs(arc4_tfm, 1,
-                                          1, &cipher_in, &plain_out, 0);
+               rc = gss_crypt_rawobjs(arc4_tfm, NULL, 1, &cipher_in,
+                                      &plain_out, 0);
 arc4_out_tfm:
                crypto_free_blkcipher(arc4_tfm);
 arc4_out_key:
-                rawobj_free(&arc4_keye);
+               rawobj_free(&arc4_keye);
 arc4_out:
-                cksum = RAWOBJ_EMPTY;
-        } else {
-                rc = krb5_encrypt_rawobjs(kctx->kc_keye.kb_tfm, 0,
-                                          1, &cipher_in, &plain_out, 0);
-        }
+               cksum = RAWOBJ_EMPTY;
+       } else {
+               rc = gss_crypt_rawobjs(kctx->kc_keye.kb_tfm, local_iv, 1,
+                                      &cipher_in, &plain_out, 0);
+       }
 
-        if (rc != 0) {
-                CERROR("error decrypt\n");
-                goto out_free;
-        }
-        LASSERT(plain_out.len == bodysize);
-
-        /* expected clear text layout:
-         * -----------------------------------------
-         * | confounder | clear msgs | krb5 header |
-         * -----------------------------------------
-         */
-
-        /* verify krb5 header in token is not modified */
-        if (memcmp(khdr, plain_out.data + plain_out.len - sizeof(*khdr),
-                   sizeof(*khdr))) {
-                CERROR("decrypted krb5 header mismatch\n");
-                goto out_free;
-        }
+       if (rc != 0) {
+               CERROR("error decrypt\n");
+               goto out_free;
+       }
+       LASSERT(plain_out.len == bodysize);
+
+       /* expected clear text layout:
+        * -----------------------------------------
+        * | confounder | clear msgs | krb5 header |
+        * -----------------------------------------
+        */
+
+       /* verify krb5 header in token is not modified */
+       if (memcmp(khdr, plain_out.data + plain_out.len - sizeof(*khdr),
+                  sizeof(*khdr))) {
+               CERROR("decrypted krb5 header mismatch\n");
+               goto out_free;
+       }
 
-        /* verify checksum, compose clear text as layout:
-         * ------------------------------------------------------
-         * | confounder | gss header | clear msgs | krb5 header |
-         * ------------------------------------------------------
-         */
-        hash_objs[0].len = ke->ke_conf_size;
-        hash_objs[0].data = plain_out.data;
-        hash_objs[1].len = gsshdr->len;
-        hash_objs[1].data = gsshdr->data;
-        hash_objs[2].len = plain_out.len - ke->ke_conf_size - sizeof(*khdr);
-        hash_objs[2].data = plain_out.data + ke->ke_conf_size;
-        if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
-                               khdr, 3, hash_objs, 0, NULL, &cksum))
-                goto out_free;
-
-        LASSERT(cksum.len >= ke->ke_hash_size);
-        if (memcmp((char *)(khdr + 1) + bodysize,
-                   cksum.data + cksum.len - ke->ke_hash_size,
-                   ke->ke_hash_size)) {
-                CERROR("checksum mismatch\n");
-                goto out_free;
-        }
+       /* verify checksum, compose clear text as layout:
+        * ------------------------------------------------------
+        * | confounder | gss header | clear msgs | krb5 header |
+        * ------------------------------------------------------
+        */
+       hash_objs[0].len = ke->ke_conf_size;
+       hash_objs[0].data = plain_out.data;
+       hash_objs[1].len = gsshdr->len;
+       hash_objs[1].data = gsshdr->data;
+       hash_objs[2].len = plain_out.len - ke->ke_conf_size - sizeof(*khdr);
+       hash_objs[2].data = plain_out.data + ke->ke_conf_size;
+       if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
+                              khdr, 3, hash_objs, 0, NULL, &cksum,
+                              gctx->hash_func))
+               goto out_free;
 
-        msg->len =  bodysize - ke->ke_conf_size - sizeof(*khdr);
-        memcpy(msg->data, tmpbuf + ke->ke_conf_size, msg->len);
+       LASSERT(cksum.len >= ke->ke_hash_size);
+       if (memcmp((char *)(khdr + 1) + bodysize,
+                  cksum.data + cksum.len - ke->ke_hash_size,
+                  ke->ke_hash_size)) {
+               CERROR("checksum mismatch\n");
+               goto out_free;
+       }
+
+       msg->len =  bodysize - ke->ke_conf_size - sizeof(*khdr);
+       memcpy(msg->data, tmpbuf + ke->ke_conf_size, msg->len);
 
-        major = GSS_S_COMPLETE;
+       major = GSS_S_COMPLETE;
 out_free:
-        OBD_FREE_LARGE(tmpbuf, bodysize);
-        rawobj_free(&cksum);
-        return major;
+       OBD_FREE_LARGE(tmpbuf, bodysize);
+       rawobj_free(&cksum);
+       return major;
 }
 
 static
 __u32 gss_unwrap_bulk_kerberos(struct gss_ctx *gctx,
-                               struct ptlrpc_bulk_desc *desc,
-                               rawobj_t *token, int adj_nob)
+                              struct ptlrpc_bulk_desc *desc,
+                              rawobj_t *token, int adj_nob)
 {
-        struct krb5_ctx     *kctx = gctx->internal_ctx_id;
-        struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
-        struct krb5_header  *khdr;
-        int                  blocksize;
-        rawobj_t             cksum = RAWOBJ_EMPTY;
-        rawobj_t             cipher, plain;
-        rawobj_t             data_desc[1];
-        int                  rc;
-        __u32                major;
-
-       LASSERT(ptlrpc_is_bulk_desc_kiov(desc->bd_type));
-        LASSERT(ke);
-
-        if (token->len < sizeof(*khdr)) {
-                CERROR("short signature: %u\n", token->len);
-                return GSS_S_DEFECTIVE_TOKEN;
-        }
+       struct krb5_ctx     *kctx = gctx->internal_ctx_id;
+       struct krb5_enctype *ke = &enctypes[kctx->kc_enctype];
+       struct krb5_header  *khdr;
+       int                  blocksize;
+       rawobj_t             cksum = RAWOBJ_EMPTY;
+       rawobj_t             cipher, plain;
+       rawobj_t             data_desc[1];
+       int                  rc;
+       __u32                major;
+
+       LASSERT(ke);
+
+       if (token->len < sizeof(*khdr)) {
+               CERROR("short signature: %u\n", token->len);
+               return GSS_S_DEFECTIVE_TOKEN;
+       }
 
-        khdr = (struct krb5_header *) token->data;
+       khdr = (struct krb5_header *)token->data;
 
-        major = verify_krb5_header(kctx, khdr, 1);
-        if (major != GSS_S_COMPLETE) {
-                CERROR("bad krb5 header\n");
-                return major;
-        }
+       major = verify_krb5_header(kctx, khdr, 1);
+       if (major != GSS_S_COMPLETE) {
+               CERROR("bad krb5 header\n");
+               return major;
+       }
 
-        /* block size */
-        if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
-                LASSERT(kctx->kc_keye.kb_tfm == NULL);
-                blocksize = 1;
-                LBUG();
-        } else {
-                LASSERT(kctx->kc_keye.kb_tfm);
+       /* block size */
+       if (kctx->kc_enctype == ENCTYPE_ARCFOUR_HMAC) {
+               LASSERT(kctx->kc_keye.kb_tfm == NULL);
+               blocksize = 1;
+               LBUG();
+       } else {
+               LASSERT(kctx->kc_keye.kb_tfm);
                blocksize = crypto_blkcipher_blocksize(kctx->kc_keye.kb_tfm);
-        }
-        LASSERT(sizeof(*khdr) >= blocksize && sizeof(*khdr) % blocksize == 0);
-
-        /*
-         * token format is expected as:
-         * -----------------------------------------------
-         * | krb5 header | head/tail cipher text | cksum |
-         * -----------------------------------------------
-         */
-        if (token->len < sizeof(*khdr) + blocksize + sizeof(*khdr) +
-                         ke->ke_hash_size) {
-                CERROR("short token size: %u\n", token->len);
-                return GSS_S_DEFECTIVE_TOKEN;
-        }
-
-        cipher.data = (__u8 *) (khdr + 1);
-        cipher.len = blocksize + sizeof(*khdr);
-        plain.data = cipher.data;
-        plain.len = cipher.len;
-
-        rc = krb5_decrypt_bulk(kctx->kc_keye.kb_tfm, khdr,
-                               desc, &cipher, &plain, adj_nob);
-        if (rc)
-                return GSS_S_DEFECTIVE_TOKEN;
+       }
+       LASSERT(sizeof(*khdr) >= blocksize && sizeof(*khdr) % blocksize == 0);
+
+       /*
+        * token format is expected as:
+        * -----------------------------------------------
+        * | krb5 header | head/tail cipher text | cksum |
+        * -----------------------------------------------
+        */
+       if (token->len < sizeof(*khdr) + blocksize + sizeof(*khdr) +
+           ke->ke_hash_size) {
+               CERROR("short token size: %u\n", token->len);
+               return GSS_S_DEFECTIVE_TOKEN;
+       }
 
-        /*
-         * verify checksum, compose clear text as layout:
-         * ------------------------------------------
-         * | confounder | clear pages | krb5 header |
-         * ------------------------------------------
-         */
-        data_desc[0].data = plain.data;
-        data_desc[0].len = blocksize;
+       cipher.data = (__u8 *) (khdr + 1);
+       cipher.len = blocksize + sizeof(*khdr);
+       plain.data = cipher.data;
+       plain.len = cipher.len;
+
+       rc = krb5_decrypt_bulk(kctx->kc_keye.kb_tfm, khdr,
+                              desc, &cipher, &plain, adj_nob);
+       if (rc)
+               return GSS_S_DEFECTIVE_TOKEN;
+
+       /*
+        * verify checksum, compose clear text as layout:
+        * ------------------------------------------
+        * | confounder | clear pages | krb5 header |
+        * ------------------------------------------
+        */
+       data_desc[0].data = plain.data;
+       data_desc[0].len = blocksize;
 
        if (krb5_make_checksum(kctx->kc_enctype, &kctx->kc_keyi,
                               khdr, 1, data_desc,
                               desc->bd_iov_count,
                               GET_KIOV(desc),
-                              &cksum))
+                              &cksum, gctx->hash_func))
                return GSS_S_FAILURE;
        LASSERT(cksum.len >= ke->ke_hash_size);
 
-        if (memcmp(plain.data + blocksize + sizeof(*khdr),
-                   cksum.data + cksum.len - ke->ke_hash_size,
-                   ke->ke_hash_size)) {
-                CERROR("checksum mismatch\n");
-                rawobj_free(&cksum);
-                return GSS_S_BAD_SIG;
-        }
+       if (memcmp(plain.data + blocksize + sizeof(*khdr),
+                  cksum.data + cksum.len - ke->ke_hash_size,
+                  ke->ke_hash_size)) {
+               CERROR("checksum mismatch\n");
+               rawobj_free(&cksum);
+               return GSS_S_BAD_SIG;
+       }
 
-        rawobj_free(&cksum);
-        return GSS_S_COMPLETE;
+       rawobj_free(&cksum);
+       return GSS_S_COMPLETE;
 }
 
 int gss_display_kerberos(struct gss_ctx        *ctx,
@@ -1944,11 +1561,8 @@ static struct subflavor_desc gss_kerberos_sfs[] = {
         },
 };
 
-/*
- * currently we leave module owner NULL
- */
 static struct gss_api_mech gss_kerberos_mech = {
-        .gm_owner       = NULL, /*THIS_MODULE, */
+       /* .gm_owner uses default NULL value for THIS_MODULE */
         .gm_name        = "krb5",
         .gm_oid         = (rawobj_t)
                                 {9, "\052\206\110\206\367\022\001\002\002"},
@@ -1961,8 +1575,6 @@ int __init init_kerberos_module(void)
 {
        int status;
 
-       spin_lock_init(&krb5_seq_lock);
-
        status = lgss_mech_register(&gss_kerberos_mech);
        if (status)
                CERROR("Failed to register kerberos gss mechanism!\n");
Lustre primary development and releases