From patchwork Fri Jul 28 20:21:50 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Adamson X-Patchwork-Id: 9869389 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 64B6660382 for ; Fri, 28 Jul 2017 20:22:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5AD5B28901 for ; Fri, 28 Jul 2017 20:22:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4FD5E28908; Fri, 28 Jul 2017 20:22:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C784B28901 for ; Fri, 28 Jul 2017 20:22:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752648AbdG1UW3 (ORCPT ); Fri, 28 Jul 2017 16:22:29 -0400 Received: from mx142.netapp.com ([216.240.21.19]:52446 "EHLO mx142.netapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752633AbdG1UW3 (ORCPT ); Fri, 28 Jul 2017 16:22:29 -0400 X-IronPort-AV: E=Sophos;i="5.40,427,1496127600"; d="scan'208";a="203129299" Received: from vmwexchts03-prd.hq.netapp.com ([10.122.105.31]) by mx142-out.netapp.com with ESMTP; 28 Jul 2017 13:00:22 -0700 Received: from smtp1.corp.netapp.com (10.57.156.124) by VMWEXCHTS03-PRD.hq.netapp.com (10.122.105.31) with Microsoft SMTP Server id 15.0.1210.3; Fri, 28 Jul 2017 13:22:06 -0700 Received: from localhost.localdomain.localdomain (dros-16.vpn.netapp.com [10.55.79.21]) by smtp1.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id v6SKM1ld007987; Fri, 28 Jul 2017 13:22:06 -0700 (PDT) From: To: CC: , , , , Andy Adamson Subject: [PATCH Version 6 04/12] SUNRPC AUTH_GSS gss3 reply verifier Date: Fri, 28 Jul 2017 16:21:50 -0400 Message-ID: <1501273318-14200-5-git-send-email-andros@netapp.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1501273318-14200-1-git-send-email-andros@netapp.com> References: <1501273318-14200-1-git-send-email-andros@netapp.com> MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Andy Adamson The new GSS Version 3 reply verifier is taken over the same data as the call verifier, caveat REPLY direction Verifier Data xid tk_rqstp->rq_xid direction REPLY (always a 1) RPC_REPLY rpcvers RPC_VERSION prog clnt->cl_prog vers clnt->cl_vers proc tk_msg.rpc_proc->p_proc credential flavor RPC_AUTH_GSS length cred_len is in gss_marshal (new gv_crlen) gss version ctx->gc_v gss proc ctx->gv_proc gss seq tk_rqstp->rq_seqno gss svc gss_cred->gc_service gss ctx len ctx->gc_wire_ctx gss ctx data ctx->gc_wire_ctx Signed-off-by: Andy Adamson --- net/sunrpc/auth_gss/auth_gss.c | 59 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c index 3c7fa5d..28c5491 100644 --- a/net/sunrpc/auth_gss/auth_gss.c +++ b/net/sunrpc/auth_gss/auth_gss.c @@ -1629,6 +1629,53 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) return 0; } +/** + * gss3_reply_verifier: The new gssv3 verifier uses same data as call + * caveat REPLY direction - see rpc_encode_header + */ +static void * +gss3_reply_verifier(struct rpc_cred *cred, struct gss_cl_ctx *ctx, + struct rpc_task *task, __be32 *seq, struct kvec *iov) +{ + struct gss_cred *g_cred = container_of(cred, struct gss_cred, gc_base); + void *gss3_buf = NULL; + __be32 *crlen, *ptr = NULL; + int len; + + /* freed in gss_validate */ + len = (13 * 4) + ctx->gc_wire_ctx.len; + gss3_buf = kmalloc(len, GFP_NOFS); + if (!gss3_buf) { + gss3_buf = ERR_PTR(-EIO); + goto out; + } + ptr = (__be32 *)gss3_buf; + + *ptr++ = htonl(task->tk_rqstp->rq_xid); + *ptr++ = htonl(RPC_REPLY); + *ptr++ = htonl(RPC_VERSION); + *ptr++ = htonl(task->tk_client->cl_prog); + *ptr++ = htonl(task->tk_client->cl_vers); + *ptr++ = htonl(task->tk_msg.rpc_proc->p_proc); + *ptr++ = htonl(RPC_AUTH_GSS); + + /* credential */ + crlen = ptr++; + *ptr++ = htonl(ctx->gc_v); + *ptr++ = htonl(ctx->gc_proc); + *ptr++ = *seq; + *ptr++ = htonl(g_cred->gc_service); + ptr = xdr_encode_netobj(ptr, &ctx->gc_wire_ctx); + + /* backfill cred length */ + *crlen = htonl((ptr - (crlen + 1)) << 2); + + iov->iov_base = gss3_buf; + iov->iov_len = (ptr - (__be32 *)gss3_buf) << 2; +out: + return gss3_buf; +} + static __be32 * gss_validate(struct rpc_task *task, __be32 *p) { @@ -1638,6 +1685,7 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) struct kvec iov; struct xdr_buf verf_buf; struct xdr_netobj mic; + void *g3_buf = NULL; u32 flav,len; u32 maj_stat; __be32 *ret = ERR_PTR(-EIO); @@ -1653,14 +1701,21 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred) if (!seq) goto out_bad; *seq = htonl(task->tk_rqstp->rq_seqno); - iov.iov_base = seq; - iov.iov_len = 4; + if (ctx->gc_v == RPC_GSS_VERSION) { + iov.iov_base = seq; + iov.iov_len = 4; + } else if (ctx->gc_v == RPC_GSS3_VERSION) { + g3_buf = gss3_reply_verifier(cred, ctx, task, seq, &iov); + if (IS_ERR(g3_buf)) + goto out_bad; + } xdr_buf_from_iov(&iov, &verf_buf); mic.data = (u8 *)p; mic.len = len; ret = ERR_PTR(-EACCES); maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic); + kfree(g3_buf); if (maj_stat == GSS_S_CONTEXT_EXPIRED) clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); if (maj_stat) {