From patchwork Fri Feb 24 22:19:42 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Adamson X-Patchwork-Id: 9591305 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2711E6057F for ; Fri, 24 Feb 2017 22:20:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 05F5A287B6 for ; Fri, 24 Feb 2017 22:20:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EBAE828957; Fri, 24 Feb 2017 22:20:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BC189287B6 for ; Fri, 24 Feb 2017 22:20:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751435AbdBXWUJ (ORCPT ); Fri, 24 Feb 2017 17:20:09 -0500 Received: from mx142.netapp.com ([216.240.21.19]:52563 "EHLO mx142.netapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751442AbdBXWUH (ORCPT ); Fri, 24 Feb 2017 17:20:07 -0500 X-IronPort-AV: E=Sophos;i="5.35,201,1484035200"; d="scan'208";a="173445341" Received: from vmwexchts01-prd.hq.netapp.com ([10.122.105.12]) by mx142-out.netapp.com with ESMTP; 24 Feb 2017 14:11:29 -0800 Received: from smtp2.corp.netapp.com (10.57.159.114) by VMWEXCHTS01-PRD.hq.netapp.com (10.122.105.12) with Microsoft SMTP Server id 15.0.1210.3; Fri, 24 Feb 2017 14:20:05 -0800 Received: from fc25-1.androsad.fake (dros-16.vpn.netapp.com [10.55.72.26]) by smtp2.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id v1OMK0nU020915; Fri, 24 Feb 2017 14:20:05 -0800 (PST) From: To: CC: , , , Andy Adamson Subject: [PATCH Version 5 06/17] SUNRPC AUTH_GSS gss3 reply verifier Date: Fri, 24 Feb 2017 17:19:42 -0500 Message-ID: <20170224221953.5502-7-andros@netapp.com> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170224221953.5502-1-andros@netapp.com> References: <20170224221953.5502-1-andros@netapp.com> MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Andy Adamson The new GSS Version 3 reply verifier is taken over the same data as the call verifier, caveat REPLY direction Verifier Data xid tk_rqstp->rq_xid direction REPLY (always a 1) RPC_REPLY rpcvers RPC_VERSION prog clnt->cl_prog vers clnt->cl_vers proc tk_msg.rpc_proc->p_proc credential flavor RPC_AUTH_GSS length cred_len is in gss_marshal (new gv_crlen) gss version ctx->gc_v gss proc ctx->gv_proc gss seq tk_rqstp->rq_seqno gss svc gss_cred->gc_service gss ctx len ctx->gc_wire_ctx gss ctx data ctx->gc_wire_ctx Signed-off-by: Andy Adamson --- net/sunrpc/auth_gss/auth_gss.c | 59 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c index 216a78e..499cf99 100644 --- a/net/sunrpc/auth_gss/auth_gss.c +++ b/net/sunrpc/auth_gss/auth_gss.c @@ -1624,6 +1624,53 @@ gss_refresh_null(struct rpc_task *task) return 0; } +/** + * gss3_reply_verifier: The new gssv3 verifier uses same data as call + * caveat REPLY direction - see rpc_encode_header + */ +static void * +gss3_reply_verifier(struct rpc_cred *cred, struct gss_cl_ctx *ctx, + struct rpc_task *task, __be32 *seq, struct kvec *iov) +{ + struct gss_cred *g_cred = container_of(cred, struct gss_cred, gc_base); + void *gss3_buf = NULL; + __be32 *crlen, *ptr = NULL; + int len; + + /* freed in gss_validate */ + len = (13 * 4) + ctx->gc_wire_ctx.len; + gss3_buf = kmalloc(len, GFP_NOFS); + if (!gss3_buf) { + gss3_buf = ERR_PTR(-EIO); + goto out; + } + ptr = (__be32 *)gss3_buf; + + *ptr++ = htonl(task->tk_rqstp->rq_xid); + *ptr++ = htonl(RPC_REPLY); + *ptr++ = htonl(RPC_VERSION); + *ptr++ = htonl(task->tk_client->cl_prog); + *ptr++ = htonl(task->tk_client->cl_vers); + *ptr++ = htonl(task->tk_msg.rpc_proc->p_proc); + *ptr++ = htonl(RPC_AUTH_GSS); + + /* credential */ + crlen = ptr++; + *ptr++ = htonl(ctx->gc_v); + *ptr++ = htonl(ctx->gc_proc); + *ptr++ = *seq; + *ptr++ = htonl(g_cred->gc_service); + ptr = xdr_encode_netobj(ptr, &ctx->gc_wire_ctx); + + /* backfill cred length */ + *crlen = htonl((ptr - (crlen + 1)) << 2); + + iov->iov_base = gss3_buf; + iov->iov_len = (ptr - (__be32 *)gss3_buf) << 2; +out: + return gss3_buf; +} + static __be32 * gss_validate(struct rpc_task *task, __be32 *p) { @@ -1633,6 +1680,7 @@ gss_validate(struct rpc_task *task, __be32 *p) struct kvec iov; struct xdr_buf verf_buf; struct xdr_netobj mic; + void *g3_buf = NULL; u32 flav,len; u32 maj_stat; __be32 *ret = ERR_PTR(-EIO); @@ -1648,14 +1696,21 @@ gss_validate(struct rpc_task *task, __be32 *p) if (!seq) goto out_bad; *seq = htonl(task->tk_rqstp->rq_seqno); - iov.iov_base = seq; - iov.iov_len = 4; + if (ctx->gc_v == RPC_GSS_VERSION) { + iov.iov_base = seq; + iov.iov_len = 4; + } else if (ctx->gc_v == RPC_GSS3_VERSION) { + g3_buf = gss3_reply_verifier(cred, ctx, task, seq, &iov); + if (IS_ERR(g3_buf)) + goto out_bad; + } xdr_buf_from_iov(&iov, &verf_buf); mic.data = (u8 *)p; mic.len = len; ret = ERR_PTR(-EACCES); maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic); + kfree(g3_buf); if (maj_stat == GSS_S_CONTEXT_EXPIRED) clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); if (maj_stat) {