From patchwork Fri Dec 23 16:04:18 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Adamson X-Patchwork-Id: 9487561 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BF8C062AAB for ; Fri, 23 Dec 2016 16:06:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B2C3326E82 for ; Fri, 23 Dec 2016 16:06:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A7867271CB; Fri, 23 Dec 2016 16:06:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3FB5A2711E for ; Fri, 23 Dec 2016 16:06:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753059AbcLWQGg (ORCPT ); Fri, 23 Dec 2016 11:06:36 -0500 Received: from mx143.netapp.com ([216.240.21.24]:55848 "EHLO mx143.netapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756224AbcLWQGb (ORCPT ); Fri, 23 Dec 2016 11:06:31 -0500 X-IronPort-AV: E=Sophos;i="5.33,393,1477983600"; d="scan'208";a="165484686" Received: from vmwexchts02-prd.hq.netapp.com ([10.122.105.23]) by mx143-out.netapp.com with ESMTP; 23 Dec 2016 08:02:57 -0800 Received: from smtp2.corp.netapp.com (10.57.159.114) by VMWEXCHTS02-PRD.hq.netapp.com (10.122.105.23) with Microsoft SMTP Server id 15.0.1210.3; Fri, 23 Dec 2016 08:06:19 -0800 Received: from rhel7-1ga.androsad.fake (dros-16.local.vpn.netapp.com [10.55.72.69]) by smtp2.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id uBNG6EUp024091; Fri, 23 Dec 2016 08:06:19 -0800 (PST) From: To: CC: , , Andy Adamson Subject: [PATCH Version 3 06/16] SUNRPC AUTH_GSS gss3 reply verifier Date: Fri, 23 Dec 2016 11:04:18 -0500 Message-ID: <1482509068-24516-7-git-send-email-andros@netapp.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1482509068-24516-1-git-send-email-andros@netapp.com> References: <1482509068-24516-1-git-send-email-andros@netapp.com> MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Andy Adamson The new GSS Version 3 reply verifier is taken over the same data as the call verifier, caveat REPLY direction Verifier Data xid tk_rqstp->rq_xid direction REPLY (always a 1) RPC_REPLY rpcvers RPC_VERSION prog clnt->cl_prog vers clnt->cl_vers proc tk_msg.rpc_proc->p_proc credential flavor RPC_AUTH_GSS length cred_len is in gss_marshal (new gv_crlen) gss version ctx->gc_v gss proc ctx->gv_proc gss seq tk_rqstp->rq_seqno gss svc gss_cred->gc_service gss ctx len ctx->gc_wire_ctx gss ctx data ctx->gc_wire_ctx Signed-off-by: Andy Adamson --- net/sunrpc/auth_gss/auth_gss.c | 60 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 58 insertions(+), 2 deletions(-) diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c index 9288cc2..d11f421 100644 --- a/net/sunrpc/auth_gss/auth_gss.c +++ b/net/sunrpc/auth_gss/auth_gss.c @@ -1624,6 +1624,53 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) return 0; } +/** + * gss3_reply_verifier: The new gssv3 verifier uses same data as call + * caveat REPLY direction - see rpc_encode_header + */ +static void * +gss3_reply_verifier(struct rpc_cred *cred, struct gss_cl_ctx *ctx, + struct rpc_task *task, __be32 *seq, struct kvec *iov) +{ + struct gss_cred *g_cred = container_of(cred, struct gss_cred, gc_base); + void *gss3_buf = NULL; + __be32 *crlen, *ptr = NULL; + int len; + + /* freed in gss_validate */ + len = (13 * 4) + ctx->gc_wire_ctx.len; + gss3_buf = kmalloc(len, GFP_NOFS); + if (!gss3_buf) { + gss3_buf = ERR_PTR(-EIO); + goto out; + } + ptr = (__be32 *)gss3_buf; + + *ptr++ = htonl(task->tk_rqstp->rq_xid); + *ptr++ = htonl(RPC_REPLY); + *ptr++ = htonl(RPC_VERSION); + *ptr++ = htonl(task->tk_client->cl_prog); + *ptr++ = htonl(task->tk_client->cl_vers); + *ptr++ = htonl(task->tk_msg.rpc_proc->p_proc); + *ptr++ = htonl(RPC_AUTH_GSS); + + /* credential */ + crlen = ptr++; + *ptr++ = htonl(ctx->gc_v); + *ptr++ = htonl(ctx->gc_proc); + *ptr++ = *seq; + *ptr++ = htonl(g_cred->gc_service); + ptr = xdr_encode_netobj(ptr, &ctx->gc_wire_ctx); + + /* backfill cred length */ + *crlen = htonl((ptr - (crlen + 1)) << 2); + + iov->iov_base = gss3_buf; + iov->iov_len = (ptr - (__be32 *)gss3_buf) << 2; +out: + return gss3_buf; +} + static __be32 * gss_validate(struct rpc_task *task, __be32 *p) { @@ -1633,6 +1680,7 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) struct kvec iov; struct xdr_buf verf_buf; struct xdr_netobj mic; + void *g3_buf = NULL; u32 flav,len; u32 maj_stat; __be32 *ret = ERR_PTR(-EIO); @@ -1648,14 +1696,22 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) if (!seq) goto out_bad; *seq = htonl(task->tk_rqstp->rq_seqno); - iov.iov_base = seq; - iov.iov_len = 4; + if (ctx->gc_v == RPC_GSS_VERSION) { + iov.iov_base = seq; + iov.iov_len = 4; + } + if (ctx->gc_v == RPC_GSS3_VERSION) { + g3_buf = gss3_reply_verifier(cred, ctx, task, seq, &iov); + if (IS_ERR(g3_buf)) + goto out_bad; + } xdr_buf_from_iov(&iov, &verf_buf); mic.data = (u8 *)p; mic.len = len; ret = ERR_PTR(-EACCES); maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic); + kfree(g3_buf); if (maj_stat == GSS_S_CONTEXT_EXPIRED) clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); if (maj_stat) {