1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Neil Brown <neilb@cse.unsw.edu.au> |
4 | * J. Bruce Fields <bfields@umich.edu> |
5 | * Andy Adamson <andros@umich.edu> |
6 | * Dug Song <dugsong@monkey.org> |
7 | * |
8 | * RPCSEC_GSS server authentication. |
9 | * This implements RPCSEC_GSS as defined in rfc2203 (rpcsec_gss) and rfc2078 |
10 | * (gssapi) |
11 | * |
12 | * The RPCSEC_GSS involves three stages: |
13 | * 1/ context creation |
14 | * 2/ data exchange |
15 | * 3/ context destruction |
16 | * |
17 | * Context creation is handled largely by upcalls to user-space. |
18 | * In particular, GSS_Accept_sec_context is handled by an upcall |
19 | * Data exchange is handled entirely within the kernel |
20 | * In particular, GSS_GetMIC, GSS_VerifyMIC, GSS_Seal, GSS_Unseal are in-kernel. |
21 | * Context destruction is handled in-kernel |
22 | * GSS_Delete_sec_context is in-kernel |
23 | * |
24 | * Context creation is initiated by a RPCSEC_GSS_INIT request arriving. |
25 | * The context handle and gss_token are used as a key into the rpcsec_init cache. |
26 | * The content of this cache includes some of the outputs of GSS_Accept_sec_context, |
27 | * being major_status, minor_status, context_handle, reply_token. |
28 | * These are sent back to the client. |
29 | * Sequence window management is handled by the kernel. The window size if currently |
30 | * a compile time constant. |
31 | * |
32 | * When user-space is happy that a context is established, it places an entry |
33 | * in the rpcsec_context cache. The key for this cache is the context_handle. |
34 | * The content includes: |
35 | * uid/gidlist - for determining access rights |
36 | * mechanism type |
37 | * mechanism specific information, such as a key |
38 | * |
39 | */ |
40 | |
41 | #include <linux/slab.h> |
42 | #include <linux/types.h> |
43 | #include <linux/module.h> |
44 | #include <linux/pagemap.h> |
45 | #include <linux/user_namespace.h> |
46 | |
47 | #include <linux/sunrpc/auth_gss.h> |
48 | #include <linux/sunrpc/gss_err.h> |
49 | #include <linux/sunrpc/svcauth.h> |
50 | #include <linux/sunrpc/svcauth_gss.h> |
51 | #include <linux/sunrpc/cache.h> |
52 | #include <linux/sunrpc/gss_krb5.h> |
53 | |
54 | #include <trace/events/rpcgss.h> |
55 | |
56 | #include "gss_rpc_upcall.h" |
57 | |
58 | /* |
59 | * Unfortunately there isn't a maximum checksum size exported via the |
60 | * GSS API. Manufacture one based on GSS mechanisms supported by this |
61 | * implementation. |
62 | */ |
63 | #define GSS_MAX_CKSUMSIZE (GSS_KRB5_TOK_HDR_LEN + GSS_KRB5_MAX_CKSUM_LEN) |
64 | |
65 | /* |
66 | * This value may be increased in the future to accommodate other |
67 | * usage of the scratch buffer. |
68 | */ |
69 | #define GSS_SCRATCH_SIZE GSS_MAX_CKSUMSIZE |
70 | |
71 | struct gss_svc_data { |
72 | /* decoded gss client cred: */ |
73 | struct rpc_gss_wire_cred clcred; |
74 | u32 gsd_databody_offset; |
75 | struct rsc *rsci; |
76 | |
77 | /* for temporary results */ |
78 | __be32 gsd_seq_num; |
79 | u8 gsd_scratch[GSS_SCRATCH_SIZE]; |
80 | }; |
81 | |
82 | /* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT requests |
83 | * into replies. |
84 | * |
85 | * Key is context handle (\x if empty) and gss_token. |
86 | * Content is major_status minor_status (integers) context_handle, reply_token. |
87 | * |
88 | */ |
89 | |
90 | static int netobj_equal(struct xdr_netobj *a, struct xdr_netobj *b) |
91 | { |
92 | return a->len == b->len && 0 == memcmp(p: a->data, q: b->data, size: a->len); |
93 | } |
94 | |
95 | #define RSI_HASHBITS 6 |
96 | #define RSI_HASHMAX (1<<RSI_HASHBITS) |
97 | |
98 | struct rsi { |
99 | struct cache_head h; |
100 | struct xdr_netobj in_handle, in_token; |
101 | struct xdr_netobj out_handle, out_token; |
102 | int major_status, minor_status; |
103 | struct rcu_head rcu_head; |
104 | }; |
105 | |
106 | static struct rsi *rsi_update(struct cache_detail *cd, struct rsi *new, struct rsi *old); |
107 | static struct rsi *rsi_lookup(struct cache_detail *cd, struct rsi *item); |
108 | |
109 | static void rsi_free(struct rsi *rsii) |
110 | { |
111 | kfree(objp: rsii->in_handle.data); |
112 | kfree(objp: rsii->in_token.data); |
113 | kfree(objp: rsii->out_handle.data); |
114 | kfree(objp: rsii->out_token.data); |
115 | } |
116 | |
117 | static void rsi_free_rcu(struct rcu_head *head) |
118 | { |
119 | struct rsi *rsii = container_of(head, struct rsi, rcu_head); |
120 | |
121 | rsi_free(rsii); |
122 | kfree(objp: rsii); |
123 | } |
124 | |
125 | static void rsi_put(struct kref *ref) |
126 | { |
127 | struct rsi *rsii = container_of(ref, struct rsi, h.ref); |
128 | |
129 | call_rcu(head: &rsii->rcu_head, func: rsi_free_rcu); |
130 | } |
131 | |
132 | static inline int rsi_hash(struct rsi *item) |
133 | { |
134 | return hash_mem(buf: item->in_handle.data, length: item->in_handle.len, RSI_HASHBITS) |
135 | ^ hash_mem(buf: item->in_token.data, length: item->in_token.len, RSI_HASHBITS); |
136 | } |
137 | |
138 | static int rsi_match(struct cache_head *a, struct cache_head *b) |
139 | { |
140 | struct rsi *item = container_of(a, struct rsi, h); |
141 | struct rsi *tmp = container_of(b, struct rsi, h); |
142 | return netobj_equal(a: &item->in_handle, b: &tmp->in_handle) && |
143 | netobj_equal(a: &item->in_token, b: &tmp->in_token); |
144 | } |
145 | |
146 | static int dup_to_netobj(struct xdr_netobj *dst, char *src, int len) |
147 | { |
148 | dst->len = len; |
149 | dst->data = (len ? kmemdup(p: src, size: len, GFP_KERNEL) : NULL); |
150 | if (len && !dst->data) |
151 | return -ENOMEM; |
152 | return 0; |
153 | } |
154 | |
155 | static inline int dup_netobj(struct xdr_netobj *dst, struct xdr_netobj *src) |
156 | { |
157 | return dup_to_netobj(dst, src: src->data, len: src->len); |
158 | } |
159 | |
160 | static void rsi_init(struct cache_head *cnew, struct cache_head *citem) |
161 | { |
162 | struct rsi *new = container_of(cnew, struct rsi, h); |
163 | struct rsi *item = container_of(citem, struct rsi, h); |
164 | |
165 | new->out_handle.data = NULL; |
166 | new->out_handle.len = 0; |
167 | new->out_token.data = NULL; |
168 | new->out_token.len = 0; |
169 | new->in_handle.len = item->in_handle.len; |
170 | item->in_handle.len = 0; |
171 | new->in_token.len = item->in_token.len; |
172 | item->in_token.len = 0; |
173 | new->in_handle.data = item->in_handle.data; |
174 | item->in_handle.data = NULL; |
175 | new->in_token.data = item->in_token.data; |
176 | item->in_token.data = NULL; |
177 | } |
178 | |
179 | static void update_rsi(struct cache_head *cnew, struct cache_head *citem) |
180 | { |
181 | struct rsi *new = container_of(cnew, struct rsi, h); |
182 | struct rsi *item = container_of(citem, struct rsi, h); |
183 | |
184 | BUG_ON(new->out_handle.data || new->out_token.data); |
185 | new->out_handle.len = item->out_handle.len; |
186 | item->out_handle.len = 0; |
187 | new->out_token.len = item->out_token.len; |
188 | item->out_token.len = 0; |
189 | new->out_handle.data = item->out_handle.data; |
190 | item->out_handle.data = NULL; |
191 | new->out_token.data = item->out_token.data; |
192 | item->out_token.data = NULL; |
193 | |
194 | new->major_status = item->major_status; |
195 | new->minor_status = item->minor_status; |
196 | } |
197 | |
198 | static struct cache_head *rsi_alloc(void) |
199 | { |
200 | struct rsi *rsii = kmalloc(size: sizeof(*rsii), GFP_KERNEL); |
201 | if (rsii) |
202 | return &rsii->h; |
203 | else |
204 | return NULL; |
205 | } |
206 | |
207 | static int rsi_upcall(struct cache_detail *cd, struct cache_head *h) |
208 | { |
209 | return sunrpc_cache_pipe_upcall_timeout(detail: cd, h); |
210 | } |
211 | |
212 | static void rsi_request(struct cache_detail *cd, |
213 | struct cache_head *h, |
214 | char **bpp, int *blen) |
215 | { |
216 | struct rsi *rsii = container_of(h, struct rsi, h); |
217 | |
218 | qword_addhex(bpp, lp: blen, buf: rsii->in_handle.data, blen: rsii->in_handle.len); |
219 | qword_addhex(bpp, lp: blen, buf: rsii->in_token.data, blen: rsii->in_token.len); |
220 | (*bpp)[-1] = '\n'; |
221 | WARN_ONCE(*blen < 0, |
222 | "RPCSEC/GSS credential too large - please use gssproxy\n" ); |
223 | } |
224 | |
225 | static int rsi_parse(struct cache_detail *cd, |
226 | char *mesg, int mlen) |
227 | { |
228 | /* context token expiry major minor context token */ |
229 | char *buf = mesg; |
230 | char *ep; |
231 | int len; |
232 | struct rsi rsii, *rsip = NULL; |
233 | time64_t expiry; |
234 | int status = -EINVAL; |
235 | |
236 | memset(&rsii, 0, sizeof(rsii)); |
237 | /* handle */ |
238 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
239 | if (len < 0) |
240 | goto out; |
241 | status = -ENOMEM; |
242 | if (dup_to_netobj(dst: &rsii.in_handle, src: buf, len)) |
243 | goto out; |
244 | |
245 | /* token */ |
246 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
247 | status = -EINVAL; |
248 | if (len < 0) |
249 | goto out; |
250 | status = -ENOMEM; |
251 | if (dup_to_netobj(dst: &rsii.in_token, src: buf, len)) |
252 | goto out; |
253 | |
254 | rsip = rsi_lookup(cd, item: &rsii); |
255 | if (!rsip) |
256 | goto out; |
257 | |
258 | rsii.h.flags = 0; |
259 | /* expiry */ |
260 | status = get_expiry(bpp: &mesg, rvp: &expiry); |
261 | if (status) |
262 | goto out; |
263 | |
264 | status = -EINVAL; |
265 | /* major/minor */ |
266 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
267 | if (len <= 0) |
268 | goto out; |
269 | rsii.major_status = simple_strtoul(buf, &ep, 10); |
270 | if (*ep) |
271 | goto out; |
272 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
273 | if (len <= 0) |
274 | goto out; |
275 | rsii.minor_status = simple_strtoul(buf, &ep, 10); |
276 | if (*ep) |
277 | goto out; |
278 | |
279 | /* out_handle */ |
280 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
281 | if (len < 0) |
282 | goto out; |
283 | status = -ENOMEM; |
284 | if (dup_to_netobj(dst: &rsii.out_handle, src: buf, len)) |
285 | goto out; |
286 | |
287 | /* out_token */ |
288 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
289 | status = -EINVAL; |
290 | if (len < 0) |
291 | goto out; |
292 | status = -ENOMEM; |
293 | if (dup_to_netobj(dst: &rsii.out_token, src: buf, len)) |
294 | goto out; |
295 | rsii.h.expiry_time = expiry; |
296 | rsip = rsi_update(cd, new: &rsii, old: rsip); |
297 | status = 0; |
298 | out: |
299 | rsi_free(rsii: &rsii); |
300 | if (rsip) |
301 | cache_put(h: &rsip->h, cd); |
302 | else |
303 | status = -ENOMEM; |
304 | return status; |
305 | } |
306 | |
307 | static const struct cache_detail rsi_cache_template = { |
308 | .owner = THIS_MODULE, |
309 | .hash_size = RSI_HASHMAX, |
310 | .name = "auth.rpcsec.init" , |
311 | .cache_put = rsi_put, |
312 | .cache_upcall = rsi_upcall, |
313 | .cache_request = rsi_request, |
314 | .cache_parse = rsi_parse, |
315 | .match = rsi_match, |
316 | .init = rsi_init, |
317 | .update = update_rsi, |
318 | .alloc = rsi_alloc, |
319 | }; |
320 | |
321 | static struct rsi *rsi_lookup(struct cache_detail *cd, struct rsi *item) |
322 | { |
323 | struct cache_head *ch; |
324 | int hash = rsi_hash(item); |
325 | |
326 | ch = sunrpc_cache_lookup_rcu(detail: cd, key: &item->h, hash); |
327 | if (ch) |
328 | return container_of(ch, struct rsi, h); |
329 | else |
330 | return NULL; |
331 | } |
332 | |
333 | static struct rsi *rsi_update(struct cache_detail *cd, struct rsi *new, struct rsi *old) |
334 | { |
335 | struct cache_head *ch; |
336 | int hash = rsi_hash(item: new); |
337 | |
338 | ch = sunrpc_cache_update(detail: cd, new: &new->h, |
339 | old: &old->h, hash); |
340 | if (ch) |
341 | return container_of(ch, struct rsi, h); |
342 | else |
343 | return NULL; |
344 | } |
345 | |
346 | |
347 | /* |
348 | * The rpcsec_context cache is used to store a context that is |
349 | * used in data exchange. |
350 | * The key is a context handle. The content is: |
351 | * uid, gidlist, mechanism, service-set, mech-specific-data |
352 | */ |
353 | |
354 | #define RSC_HASHBITS 10 |
355 | #define RSC_HASHMAX (1<<RSC_HASHBITS) |
356 | |
357 | #define GSS_SEQ_WIN 128 |
358 | |
359 | struct gss_svc_seq_data { |
360 | /* highest seq number seen so far: */ |
361 | u32 sd_max; |
362 | /* for i such that sd_max-GSS_SEQ_WIN < i <= sd_max, the i-th bit of |
363 | * sd_win is nonzero iff sequence number i has been seen already: */ |
364 | unsigned long sd_win[GSS_SEQ_WIN/BITS_PER_LONG]; |
365 | spinlock_t sd_lock; |
366 | }; |
367 | |
368 | struct rsc { |
369 | struct cache_head h; |
370 | struct xdr_netobj handle; |
371 | struct svc_cred cred; |
372 | struct gss_svc_seq_data seqdata; |
373 | struct gss_ctx *mechctx; |
374 | struct rcu_head rcu_head; |
375 | }; |
376 | |
377 | static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct rsc *old); |
378 | static struct rsc *rsc_lookup(struct cache_detail *cd, struct rsc *item); |
379 | |
380 | static void rsc_free(struct rsc *rsci) |
381 | { |
382 | kfree(objp: rsci->handle.data); |
383 | if (rsci->mechctx) |
384 | gss_delete_sec_context(ctx_id: &rsci->mechctx); |
385 | free_svc_cred(cred: &rsci->cred); |
386 | } |
387 | |
388 | static void rsc_free_rcu(struct rcu_head *head) |
389 | { |
390 | struct rsc *rsci = container_of(head, struct rsc, rcu_head); |
391 | |
392 | kfree(objp: rsci->handle.data); |
393 | kfree(objp: rsci); |
394 | } |
395 | |
396 | static void rsc_put(struct kref *ref) |
397 | { |
398 | struct rsc *rsci = container_of(ref, struct rsc, h.ref); |
399 | |
400 | if (rsci->mechctx) |
401 | gss_delete_sec_context(ctx_id: &rsci->mechctx); |
402 | free_svc_cred(cred: &rsci->cred); |
403 | call_rcu(head: &rsci->rcu_head, func: rsc_free_rcu); |
404 | } |
405 | |
406 | static inline int |
407 | rsc_hash(struct rsc *rsci) |
408 | { |
409 | return hash_mem(buf: rsci->handle.data, length: rsci->handle.len, RSC_HASHBITS); |
410 | } |
411 | |
412 | static int |
413 | rsc_match(struct cache_head *a, struct cache_head *b) |
414 | { |
415 | struct rsc *new = container_of(a, struct rsc, h); |
416 | struct rsc *tmp = container_of(b, struct rsc, h); |
417 | |
418 | return netobj_equal(a: &new->handle, b: &tmp->handle); |
419 | } |
420 | |
421 | static void |
422 | rsc_init(struct cache_head *cnew, struct cache_head *ctmp) |
423 | { |
424 | struct rsc *new = container_of(cnew, struct rsc, h); |
425 | struct rsc *tmp = container_of(ctmp, struct rsc, h); |
426 | |
427 | new->handle.len = tmp->handle.len; |
428 | tmp->handle.len = 0; |
429 | new->handle.data = tmp->handle.data; |
430 | tmp->handle.data = NULL; |
431 | new->mechctx = NULL; |
432 | init_svc_cred(cred: &new->cred); |
433 | } |
434 | |
435 | static void |
436 | update_rsc(struct cache_head *cnew, struct cache_head *ctmp) |
437 | { |
438 | struct rsc *new = container_of(cnew, struct rsc, h); |
439 | struct rsc *tmp = container_of(ctmp, struct rsc, h); |
440 | |
441 | new->mechctx = tmp->mechctx; |
442 | tmp->mechctx = NULL; |
443 | memset(&new->seqdata, 0, sizeof(new->seqdata)); |
444 | spin_lock_init(&new->seqdata.sd_lock); |
445 | new->cred = tmp->cred; |
446 | init_svc_cred(cred: &tmp->cred); |
447 | } |
448 | |
449 | static struct cache_head * |
450 | rsc_alloc(void) |
451 | { |
452 | struct rsc *rsci = kmalloc(size: sizeof(*rsci), GFP_KERNEL); |
453 | if (rsci) |
454 | return &rsci->h; |
455 | else |
456 | return NULL; |
457 | } |
458 | |
459 | static int rsc_upcall(struct cache_detail *cd, struct cache_head *h) |
460 | { |
461 | return -EINVAL; |
462 | } |
463 | |
464 | static int rsc_parse(struct cache_detail *cd, |
465 | char *mesg, int mlen) |
466 | { |
467 | /* contexthandle expiry [ uid gid N <n gids> mechname ...mechdata... ] */ |
468 | char *buf = mesg; |
469 | int id; |
470 | int len, rv; |
471 | struct rsc rsci, *rscp = NULL; |
472 | time64_t expiry; |
473 | int status = -EINVAL; |
474 | struct gss_api_mech *gm = NULL; |
475 | |
476 | memset(&rsci, 0, sizeof(rsci)); |
477 | /* context handle */ |
478 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
479 | if (len < 0) goto out; |
480 | status = -ENOMEM; |
481 | if (dup_to_netobj(dst: &rsci.handle, src: buf, len)) |
482 | goto out; |
483 | |
484 | rsci.h.flags = 0; |
485 | /* expiry */ |
486 | status = get_expiry(bpp: &mesg, rvp: &expiry); |
487 | if (status) |
488 | goto out; |
489 | |
490 | status = -EINVAL; |
491 | rscp = rsc_lookup(cd, item: &rsci); |
492 | if (!rscp) |
493 | goto out; |
494 | |
495 | /* uid, or NEGATIVE */ |
496 | rv = get_int(bpp: &mesg, anint: &id); |
497 | if (rv == -EINVAL) |
498 | goto out; |
499 | if (rv == -ENOENT) |
500 | set_bit(nr: CACHE_NEGATIVE, addr: &rsci.h.flags); |
501 | else { |
502 | int N, i; |
503 | |
504 | /* |
505 | * NOTE: we skip uid_valid()/gid_valid() checks here: |
506 | * instead, * -1 id's are later mapped to the |
507 | * (export-specific) anonymous id by nfsd_setuser. |
508 | * |
509 | * (But supplementary gid's get no such special |
510 | * treatment so are checked for validity here.) |
511 | */ |
512 | /* uid */ |
513 | rsci.cred.cr_uid = make_kuid(current_user_ns(), uid: id); |
514 | |
515 | /* gid */ |
516 | if (get_int(bpp: &mesg, anint: &id)) |
517 | goto out; |
518 | rsci.cred.cr_gid = make_kgid(current_user_ns(), gid: id); |
519 | |
520 | /* number of additional gid's */ |
521 | if (get_int(bpp: &mesg, anint: &N)) |
522 | goto out; |
523 | if (N < 0 || N > NGROUPS_MAX) |
524 | goto out; |
525 | status = -ENOMEM; |
526 | rsci.cred.cr_group_info = groups_alloc(N); |
527 | if (rsci.cred.cr_group_info == NULL) |
528 | goto out; |
529 | |
530 | /* gid's */ |
531 | status = -EINVAL; |
532 | for (i=0; i<N; i++) { |
533 | kgid_t kgid; |
534 | if (get_int(bpp: &mesg, anint: &id)) |
535 | goto out; |
536 | kgid = make_kgid(current_user_ns(), gid: id); |
537 | if (!gid_valid(gid: kgid)) |
538 | goto out; |
539 | rsci.cred.cr_group_info->gid[i] = kgid; |
540 | } |
541 | groups_sort(rsci.cred.cr_group_info); |
542 | |
543 | /* mech name */ |
544 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
545 | if (len < 0) |
546 | goto out; |
547 | gm = rsci.cred.cr_gss_mech = gss_mech_get_by_name(buf); |
548 | status = -EOPNOTSUPP; |
549 | if (!gm) |
550 | goto out; |
551 | |
552 | status = -EINVAL; |
553 | /* mech-specific data: */ |
554 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
555 | if (len < 0) |
556 | goto out; |
557 | status = gss_import_sec_context(input_token: buf, bufsize: len, mech: gm, ctx_id: &rsci.mechctx, |
558 | NULL, GFP_KERNEL); |
559 | if (status) |
560 | goto out; |
561 | |
562 | /* get client name */ |
563 | len = qword_get(bpp: &mesg, dest: buf, bufsize: mlen); |
564 | if (len > 0) { |
565 | rsci.cred.cr_principal = kstrdup(s: buf, GFP_KERNEL); |
566 | if (!rsci.cred.cr_principal) { |
567 | status = -ENOMEM; |
568 | goto out; |
569 | } |
570 | } |
571 | |
572 | } |
573 | rsci.h.expiry_time = expiry; |
574 | rscp = rsc_update(cd, new: &rsci, old: rscp); |
575 | status = 0; |
576 | out: |
577 | rsc_free(rsci: &rsci); |
578 | if (rscp) |
579 | cache_put(h: &rscp->h, cd); |
580 | else |
581 | status = -ENOMEM; |
582 | return status; |
583 | } |
584 | |
585 | static const struct cache_detail rsc_cache_template = { |
586 | .owner = THIS_MODULE, |
587 | .hash_size = RSC_HASHMAX, |
588 | .name = "auth.rpcsec.context" , |
589 | .cache_put = rsc_put, |
590 | .cache_upcall = rsc_upcall, |
591 | .cache_parse = rsc_parse, |
592 | .match = rsc_match, |
593 | .init = rsc_init, |
594 | .update = update_rsc, |
595 | .alloc = rsc_alloc, |
596 | }; |
597 | |
598 | static struct rsc *rsc_lookup(struct cache_detail *cd, struct rsc *item) |
599 | { |
600 | struct cache_head *ch; |
601 | int hash = rsc_hash(rsci: item); |
602 | |
603 | ch = sunrpc_cache_lookup_rcu(detail: cd, key: &item->h, hash); |
604 | if (ch) |
605 | return container_of(ch, struct rsc, h); |
606 | else |
607 | return NULL; |
608 | } |
609 | |
610 | static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct rsc *old) |
611 | { |
612 | struct cache_head *ch; |
613 | int hash = rsc_hash(rsci: new); |
614 | |
615 | ch = sunrpc_cache_update(detail: cd, new: &new->h, |
616 | old: &old->h, hash); |
617 | if (ch) |
618 | return container_of(ch, struct rsc, h); |
619 | else |
620 | return NULL; |
621 | } |
622 | |
623 | |
624 | static struct rsc * |
625 | gss_svc_searchbyctx(struct cache_detail *cd, struct xdr_netobj *handle) |
626 | { |
627 | struct rsc rsci; |
628 | struct rsc *found; |
629 | |
630 | memset(&rsci, 0, sizeof(rsci)); |
631 | if (dup_to_netobj(dst: &rsci.handle, src: handle->data, len: handle->len)) |
632 | return NULL; |
633 | found = rsc_lookup(cd, item: &rsci); |
634 | rsc_free(rsci: &rsci); |
635 | if (!found) |
636 | return NULL; |
637 | if (cache_check(detail: cd, h: &found->h, NULL)) |
638 | return NULL; |
639 | return found; |
640 | } |
641 | |
642 | /** |
643 | * gss_check_seq_num - GSS sequence number window check |
644 | * @rqstp: RPC Call to use when reporting errors |
645 | * @rsci: cached GSS context state (updated on return) |
646 | * @seq_num: sequence number to check |
647 | * |
648 | * Implements sequence number algorithm as specified in |
649 | * RFC 2203, Section 5.3.3.1. "Context Management". |
650 | * |
651 | * Return values: |
652 | * %true: @rqstp's GSS sequence number is inside the window |
653 | * %false: @rqstp's GSS sequence number is outside the window |
654 | */ |
655 | static bool gss_check_seq_num(const struct svc_rqst *rqstp, struct rsc *rsci, |
656 | u32 seq_num) |
657 | { |
658 | struct gss_svc_seq_data *sd = &rsci->seqdata; |
659 | bool result = false; |
660 | |
661 | spin_lock(lock: &sd->sd_lock); |
662 | if (seq_num > sd->sd_max) { |
663 | if (seq_num >= sd->sd_max + GSS_SEQ_WIN) { |
664 | memset(sd->sd_win, 0, sizeof(sd->sd_win)); |
665 | sd->sd_max = seq_num; |
666 | } else while (sd->sd_max < seq_num) { |
667 | sd->sd_max++; |
668 | __clear_bit(sd->sd_max % GSS_SEQ_WIN, sd->sd_win); |
669 | } |
670 | __set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win); |
671 | goto ok; |
672 | } else if (seq_num + GSS_SEQ_WIN <= sd->sd_max) { |
673 | goto toolow; |
674 | } |
675 | if (__test_and_set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win)) |
676 | goto alreadyseen; |
677 | |
678 | ok: |
679 | result = true; |
680 | out: |
681 | spin_unlock(lock: &sd->sd_lock); |
682 | return result; |
683 | |
684 | toolow: |
685 | trace_rpcgss_svc_seqno_low(rqstp, seqno: seq_num, |
686 | min: sd->sd_max - GSS_SEQ_WIN, |
687 | max: sd->sd_max); |
688 | goto out; |
689 | alreadyseen: |
690 | trace_rpcgss_svc_seqno_seen(rqstp, seqno: seq_num); |
691 | goto out; |
692 | } |
693 | |
694 | /* |
695 | * Decode and verify a Call's verifier field. For RPC_AUTH_GSS Calls, |
696 | * the body of this field contains a variable length checksum. |
697 | * |
698 | * GSS-specific auth_stat values are mandated by RFC 2203 Section |
699 | * 5.3.3.3. |
700 | */ |
701 | static int |
702 | (struct svc_rqst *rqstp, struct rsc *rsci, |
703 | __be32 *rpcstart, struct rpc_gss_wire_cred *gc) |
704 | { |
705 | struct xdr_stream *xdr = &rqstp->rq_arg_stream; |
706 | struct gss_ctx *ctx_id = rsci->mechctx; |
707 | u32 flavor, maj_stat; |
708 | struct xdr_buf rpchdr; |
709 | struct xdr_netobj checksum; |
710 | struct kvec iov; |
711 | |
712 | /* |
713 | * Compute the checksum of the incoming Call from the |
714 | * XID field to credential field: |
715 | */ |
716 | iov.iov_base = rpcstart; |
717 | iov.iov_len = (u8 *)xdr->p - (u8 *)rpcstart; |
718 | xdr_buf_from_iov(&iov, &rpchdr); |
719 | |
720 | /* Call's verf field: */ |
721 | if (xdr_stream_decode_opaque_auth(xdr, flavor: &flavor, |
722 | body: (void **)&checksum.data, |
723 | body_len: &checksum.len) < 0) { |
724 | rqstp->rq_auth_stat = rpc_autherr_badverf; |
725 | return SVC_DENIED; |
726 | } |
727 | if (flavor != RPC_AUTH_GSS) { |
728 | rqstp->rq_auth_stat = rpc_autherr_badverf; |
729 | return SVC_DENIED; |
730 | } |
731 | |
732 | if (rqstp->rq_deferred) |
733 | return SVC_OK; |
734 | maj_stat = gss_verify_mic(ctx_id, message: &rpchdr, mic_token: &checksum); |
735 | if (maj_stat != GSS_S_COMPLETE) { |
736 | trace_rpcgss_svc_mic(rqstp, maj_stat); |
737 | rqstp->rq_auth_stat = rpcsec_gsserr_credproblem; |
738 | return SVC_DENIED; |
739 | } |
740 | |
741 | if (gc->gc_seq > MAXSEQ) { |
742 | trace_rpcgss_svc_seqno_large(rqstp, seqno: gc->gc_seq); |
743 | rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem; |
744 | return SVC_DENIED; |
745 | } |
746 | if (!gss_check_seq_num(rqstp, rsci, seq_num: gc->gc_seq)) |
747 | return SVC_DROP; |
748 | return SVC_OK; |
749 | } |
750 | |
751 | /* |
752 | * Construct and encode a Reply's verifier field. The verifier's body |
753 | * field contains a variable-length checksum of the GSS sequence |
754 | * number. |
755 | */ |
756 | static bool |
757 | svcauth_gss_encode_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq) |
758 | { |
759 | struct gss_svc_data *gsd = rqstp->rq_auth_data; |
760 | u32 maj_stat; |
761 | struct xdr_buf verf_data; |
762 | struct xdr_netobj checksum; |
763 | struct kvec iov; |
764 | |
765 | gsd->gsd_seq_num = cpu_to_be32(seq); |
766 | iov.iov_base = &gsd->gsd_seq_num; |
767 | iov.iov_len = XDR_UNIT; |
768 | xdr_buf_from_iov(&iov, &verf_data); |
769 | |
770 | checksum.data = gsd->gsd_scratch; |
771 | maj_stat = gss_get_mic(ctx_id, message: &verf_data, mic_token: &checksum); |
772 | if (maj_stat != GSS_S_COMPLETE) |
773 | goto bad_mic; |
774 | |
775 | return xdr_stream_encode_opaque_auth(xdr: &rqstp->rq_res_stream, flavor: RPC_AUTH_GSS, |
776 | body: checksum.data, body_len: checksum.len) > 0; |
777 | |
778 | bad_mic: |
779 | trace_rpcgss_svc_get_mic(rqstp, maj_stat); |
780 | return false; |
781 | } |
782 | |
783 | struct gss_domain { |
784 | struct auth_domain h; |
785 | u32 pseudoflavor; |
786 | }; |
787 | |
788 | static struct auth_domain * |
789 | find_gss_auth_domain(struct gss_ctx *ctx, u32 svc) |
790 | { |
791 | char *name; |
792 | |
793 | name = gss_service_to_auth_domain_name(ctx->mech_type, service: svc); |
794 | if (!name) |
795 | return NULL; |
796 | return auth_domain_find(name); |
797 | } |
798 | |
799 | static struct auth_ops svcauthops_gss; |
800 | |
801 | u32 svcauth_gss_flavor(struct auth_domain *dom) |
802 | { |
803 | struct gss_domain *gd = container_of(dom, struct gss_domain, h); |
804 | |
805 | return gd->pseudoflavor; |
806 | } |
807 | |
808 | EXPORT_SYMBOL_GPL(svcauth_gss_flavor); |
809 | |
810 | struct auth_domain * |
811 | svcauth_gss_register_pseudoflavor(u32 pseudoflavor, char * name) |
812 | { |
813 | struct gss_domain *new; |
814 | struct auth_domain *test; |
815 | int stat = -ENOMEM; |
816 | |
817 | new = kmalloc(size: sizeof(*new), GFP_KERNEL); |
818 | if (!new) |
819 | goto out; |
820 | kref_init(kref: &new->h.ref); |
821 | new->h.name = kstrdup(s: name, GFP_KERNEL); |
822 | if (!new->h.name) |
823 | goto out_free_dom; |
824 | new->h.flavour = &svcauthops_gss; |
825 | new->pseudoflavor = pseudoflavor; |
826 | |
827 | test = auth_domain_lookup(name, new: &new->h); |
828 | if (test != &new->h) { |
829 | pr_warn("svc: duplicate registration of gss pseudo flavour %s.\n" , |
830 | name); |
831 | stat = -EADDRINUSE; |
832 | auth_domain_put(item: test); |
833 | goto out_free_name; |
834 | } |
835 | return test; |
836 | |
837 | out_free_name: |
838 | kfree(objp: new->h.name); |
839 | out_free_dom: |
840 | kfree(objp: new); |
841 | out: |
842 | return ERR_PTR(error: stat); |
843 | } |
844 | EXPORT_SYMBOL_GPL(svcauth_gss_register_pseudoflavor); |
845 | |
846 | /* |
847 | * RFC 2203, Section 5.3.2.2 |
848 | * |
849 | * struct rpc_gss_integ_data { |
850 | * opaque databody_integ<>; |
851 | * opaque checksum<>; |
852 | * }; |
853 | * |
854 | * struct rpc_gss_data_t { |
855 | * unsigned int seq_num; |
856 | * proc_req_arg_t arg; |
857 | * }; |
858 | */ |
859 | static noinline_for_stack int |
860 | svcauth_gss_unwrap_integ(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx) |
861 | { |
862 | struct gss_svc_data *gsd = rqstp->rq_auth_data; |
863 | struct xdr_stream *xdr = &rqstp->rq_arg_stream; |
864 | u32 len, offset, seq_num, maj_stat; |
865 | struct xdr_buf *buf = xdr->buf; |
866 | struct xdr_buf databody_integ; |
867 | struct xdr_netobj checksum; |
868 | |
869 | /* Did we already verify the signature on the original pass through? */ |
870 | if (rqstp->rq_deferred) |
871 | return 0; |
872 | |
873 | if (xdr_stream_decode_u32(xdr, ptr: &len) < 0) |
874 | goto unwrap_failed; |
875 | if (len & 3) |
876 | goto unwrap_failed; |
877 | offset = xdr_stream_pos(xdr); |
878 | if (xdr_buf_subsegment(buf, &databody_integ, offset, len)) |
879 | goto unwrap_failed; |
880 | |
881 | /* |
882 | * The xdr_stream now points to the @seq_num field. The next |
883 | * XDR data item is the @arg field, which contains the clear |
884 | * text RPC program payload. The checksum, which follows the |
885 | * @arg field, is located and decoded without updating the |
886 | * xdr_stream. |
887 | */ |
888 | |
889 | offset += len; |
890 | if (xdr_decode_word(buf, offset, &checksum.len)) |
891 | goto unwrap_failed; |
892 | if (checksum.len > sizeof(gsd->gsd_scratch)) |
893 | goto unwrap_failed; |
894 | checksum.data = gsd->gsd_scratch; |
895 | if (read_bytes_from_xdr_buf(buf, offset + XDR_UNIT, checksum.data, |
896 | checksum.len)) |
897 | goto unwrap_failed; |
898 | |
899 | maj_stat = gss_verify_mic(ctx_id: ctx, message: &databody_integ, mic_token: &checksum); |
900 | if (maj_stat != GSS_S_COMPLETE) |
901 | goto bad_mic; |
902 | |
903 | /* The received seqno is protected by the checksum. */ |
904 | if (xdr_stream_decode_u32(xdr, ptr: &seq_num) < 0) |
905 | goto unwrap_failed; |
906 | if (seq_num != seq) |
907 | goto bad_seqno; |
908 | |
909 | xdr_truncate_decode(xdr, XDR_UNIT + checksum.len); |
910 | return 0; |
911 | |
912 | unwrap_failed: |
913 | trace_rpcgss_svc_unwrap_failed(rqstp); |
914 | return -EINVAL; |
915 | bad_seqno: |
916 | trace_rpcgss_svc_seqno_bad(rqstp, expected: seq, received: seq_num); |
917 | return -EINVAL; |
918 | bad_mic: |
919 | trace_rpcgss_svc_mic(rqstp, maj_stat); |
920 | return -EINVAL; |
921 | } |
922 | |
923 | /* |
924 | * RFC 2203, Section 5.3.2.3 |
925 | * |
926 | * struct rpc_gss_priv_data { |
927 | * opaque databody_priv<> |
928 | * }; |
929 | * |
930 | * struct rpc_gss_data_t { |
931 | * unsigned int seq_num; |
932 | * proc_req_arg_t arg; |
933 | * }; |
934 | */ |
935 | static noinline_for_stack int |
936 | svcauth_gss_unwrap_priv(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx) |
937 | { |
938 | struct xdr_stream *xdr = &rqstp->rq_arg_stream; |
939 | u32 len, maj_stat, seq_num, offset; |
940 | struct xdr_buf *buf = xdr->buf; |
941 | unsigned int saved_len; |
942 | |
943 | if (xdr_stream_decode_u32(xdr, ptr: &len) < 0) |
944 | goto unwrap_failed; |
945 | if (rqstp->rq_deferred) { |
946 | /* Already decrypted last time through! The sequence number |
947 | * check at out_seq is unnecessary but harmless: */ |
948 | goto out_seq; |
949 | } |
950 | if (len > xdr_stream_remaining(xdr)) |
951 | goto unwrap_failed; |
952 | offset = xdr_stream_pos(xdr); |
953 | |
954 | saved_len = buf->len; |
955 | maj_stat = gss_unwrap(ctx_id: ctx, offset, len: offset + len, inbuf: buf); |
956 | if (maj_stat != GSS_S_COMPLETE) |
957 | goto bad_unwrap; |
958 | xdr->nwords -= XDR_QUADLEN(saved_len - buf->len); |
959 | |
960 | out_seq: |
961 | /* gss_unwrap() decrypted the sequence number. */ |
962 | if (xdr_stream_decode_u32(xdr, ptr: &seq_num) < 0) |
963 | goto unwrap_failed; |
964 | if (seq_num != seq) |
965 | goto bad_seqno; |
966 | return 0; |
967 | |
968 | unwrap_failed: |
969 | trace_rpcgss_svc_unwrap_failed(rqstp); |
970 | return -EINVAL; |
971 | bad_seqno: |
972 | trace_rpcgss_svc_seqno_bad(rqstp, expected: seq, received: seq_num); |
973 | return -EINVAL; |
974 | bad_unwrap: |
975 | trace_rpcgss_svc_unwrap(rqstp, maj_stat); |
976 | return -EINVAL; |
977 | } |
978 | |
979 | static enum svc_auth_status |
980 | svcauth_gss_set_client(struct svc_rqst *rqstp) |
981 | { |
982 | struct gss_svc_data *svcdata = rqstp->rq_auth_data; |
983 | struct rsc *rsci = svcdata->rsci; |
984 | struct rpc_gss_wire_cred *gc = &svcdata->clcred; |
985 | int stat; |
986 | |
987 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
988 | |
989 | /* |
990 | * A gss export can be specified either by: |
991 | * export *(sec=krb5,rw) |
992 | * or by |
993 | * export gss/krb5(rw) |
994 | * The latter is deprecated; but for backwards compatibility reasons |
995 | * the nfsd code will still fall back on trying it if the former |
996 | * doesn't work; so we try to make both available to nfsd, below. |
997 | */ |
998 | rqstp->rq_gssclient = find_gss_auth_domain(ctx: rsci->mechctx, svc: gc->gc_svc); |
999 | if (rqstp->rq_gssclient == NULL) |
1000 | return SVC_DENIED; |
1001 | stat = svcauth_unix_set_client(rqstp); |
1002 | if (stat == SVC_DROP || stat == SVC_CLOSE) |
1003 | return stat; |
1004 | |
1005 | rqstp->rq_auth_stat = rpc_auth_ok; |
1006 | return SVC_OK; |
1007 | } |
1008 | |
1009 | static bool |
1010 | svcauth_gss_proc_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, |
1011 | struct xdr_netobj *out_handle, int *major_status, |
1012 | u32 seq_num) |
1013 | { |
1014 | struct xdr_stream *xdr = &rqstp->rq_res_stream; |
1015 | struct rsc *rsci; |
1016 | bool rc; |
1017 | |
1018 | if (*major_status != GSS_S_COMPLETE) |
1019 | goto null_verifier; |
1020 | rsci = gss_svc_searchbyctx(cd, handle: out_handle); |
1021 | if (rsci == NULL) { |
1022 | *major_status = GSS_S_NO_CONTEXT; |
1023 | goto null_verifier; |
1024 | } |
1025 | |
1026 | rc = svcauth_gss_encode_verf(rqstp, ctx_id: rsci->mechctx, seq: seq_num); |
1027 | cache_put(h: &rsci->h, cd); |
1028 | return rc; |
1029 | |
1030 | null_verifier: |
1031 | return xdr_stream_encode_opaque_auth(xdr, flavor: RPC_AUTH_NULL, NULL, body_len: 0) > 0; |
1032 | } |
1033 | |
1034 | static void gss_free_in_token_pages(struct gssp_in_token *in_token) |
1035 | { |
1036 | u32 inlen; |
1037 | int i; |
1038 | |
1039 | i = 0; |
1040 | inlen = in_token->page_len; |
1041 | while (inlen) { |
1042 | if (in_token->pages[i]) |
1043 | put_page(page: in_token->pages[i]); |
1044 | inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; |
1045 | } |
1046 | |
1047 | kfree(objp: in_token->pages); |
1048 | in_token->pages = NULL; |
1049 | } |
1050 | |
1051 | static int gss_read_proxy_verf(struct svc_rqst *rqstp, |
1052 | struct rpc_gss_wire_cred *gc, |
1053 | struct xdr_netobj *in_handle, |
1054 | struct gssp_in_token *in_token) |
1055 | { |
1056 | struct xdr_stream *xdr = &rqstp->rq_arg_stream; |
1057 | unsigned int length, pgto_offs, pgfrom_offs; |
1058 | int pages, i, pgto, pgfrom; |
1059 | size_t to_offs, from_offs; |
1060 | u32 inlen; |
1061 | |
1062 | if (dup_netobj(dst: in_handle, src: &gc->gc_ctx)) |
1063 | return SVC_CLOSE; |
1064 | |
1065 | /* |
1066 | * RFC 2203 Section 5.2.2 |
1067 | * |
1068 | * struct rpc_gss_init_arg { |
1069 | * opaque gss_token<>; |
1070 | * }; |
1071 | */ |
1072 | if (xdr_stream_decode_u32(xdr, ptr: &inlen) < 0) |
1073 | goto out_denied_free; |
1074 | if (inlen > xdr_stream_remaining(xdr)) |
1075 | goto out_denied_free; |
1076 | |
1077 | pages = DIV_ROUND_UP(inlen, PAGE_SIZE); |
1078 | in_token->pages = kcalloc(n: pages, size: sizeof(struct page *), GFP_KERNEL); |
1079 | if (!in_token->pages) |
1080 | goto out_denied_free; |
1081 | in_token->page_base = 0; |
1082 | in_token->page_len = inlen; |
1083 | for (i = 0; i < pages; i++) { |
1084 | in_token->pages[i] = alloc_page(GFP_KERNEL); |
1085 | if (!in_token->pages[i]) { |
1086 | gss_free_in_token_pages(in_token); |
1087 | goto out_denied_free; |
1088 | } |
1089 | } |
1090 | |
1091 | length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p); |
1092 | memcpy(page_address(in_token->pages[0]), xdr->p, length); |
1093 | inlen -= length; |
1094 | |
1095 | to_offs = length; |
1096 | from_offs = rqstp->rq_arg.page_base; |
1097 | while (inlen) { |
1098 | pgto = to_offs >> PAGE_SHIFT; |
1099 | pgfrom = from_offs >> PAGE_SHIFT; |
1100 | pgto_offs = to_offs & ~PAGE_MASK; |
1101 | pgfrom_offs = from_offs & ~PAGE_MASK; |
1102 | |
1103 | length = min_t(unsigned int, inlen, |
1104 | min_t(unsigned int, PAGE_SIZE - pgto_offs, |
1105 | PAGE_SIZE - pgfrom_offs)); |
1106 | memcpy(page_address(in_token->pages[pgto]) + pgto_offs, |
1107 | page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs, |
1108 | length); |
1109 | |
1110 | to_offs += length; |
1111 | from_offs += length; |
1112 | inlen -= length; |
1113 | } |
1114 | return 0; |
1115 | |
1116 | out_denied_free: |
1117 | kfree(objp: in_handle->data); |
1118 | return SVC_DENIED; |
1119 | } |
1120 | |
1121 | /* |
1122 | * RFC 2203, Section 5.2.3.1. |
1123 | * |
1124 | * struct rpc_gss_init_res { |
1125 | * opaque handle<>; |
1126 | * unsigned int gss_major; |
1127 | * unsigned int gss_minor; |
1128 | * unsigned int seq_window; |
1129 | * opaque gss_token<>; |
1130 | * }; |
1131 | */ |
1132 | static bool |
1133 | svcxdr_encode_gss_init_res(struct xdr_stream *xdr, |
1134 | struct xdr_netobj *handle, |
1135 | struct xdr_netobj *gss_token, |
1136 | unsigned int major_status, |
1137 | unsigned int minor_status, u32 seq_num) |
1138 | { |
1139 | if (xdr_stream_encode_opaque(xdr, ptr: handle->data, len: handle->len) < 0) |
1140 | return false; |
1141 | if (xdr_stream_encode_u32(xdr, n: major_status) < 0) |
1142 | return false; |
1143 | if (xdr_stream_encode_u32(xdr, n: minor_status) < 0) |
1144 | return false; |
1145 | if (xdr_stream_encode_u32(xdr, n: seq_num) < 0) |
1146 | return false; |
1147 | if (xdr_stream_encode_opaque(xdr, ptr: gss_token->data, len: gss_token->len) < 0) |
1148 | return false; |
1149 | return true; |
1150 | } |
1151 | |
1152 | /* |
1153 | * Having read the cred already and found we're in the context |
1154 | * initiation case, read the verifier and initiate (or check the results |
1155 | * of) upcalls to userspace for help with context initiation. If |
1156 | * the upcall results are available, write the verifier and result. |
1157 | * Otherwise, drop the request pending an answer to the upcall. |
1158 | */ |
1159 | static int |
1160 | svcauth_gss_legacy_init(struct svc_rqst *rqstp, |
1161 | struct rpc_gss_wire_cred *gc) |
1162 | { |
1163 | struct xdr_stream *xdr = &rqstp->rq_arg_stream; |
1164 | struct rsi *rsip, rsikey; |
1165 | __be32 *p; |
1166 | u32 len; |
1167 | int ret; |
1168 | struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), id: sunrpc_net_id); |
1169 | |
1170 | memset(&rsikey, 0, sizeof(rsikey)); |
1171 | if (dup_netobj(dst: &rsikey.in_handle, src: &gc->gc_ctx)) |
1172 | return SVC_CLOSE; |
1173 | |
1174 | /* |
1175 | * RFC 2203 Section 5.2.2 |
1176 | * |
1177 | * struct rpc_gss_init_arg { |
1178 | * opaque gss_token<>; |
1179 | * }; |
1180 | */ |
1181 | if (xdr_stream_decode_u32(xdr, ptr: &len) < 0) { |
1182 | kfree(objp: rsikey.in_handle.data); |
1183 | return SVC_DENIED; |
1184 | } |
1185 | p = xdr_inline_decode(xdr, nbytes: len); |
1186 | if (!p) { |
1187 | kfree(objp: rsikey.in_handle.data); |
1188 | return SVC_DENIED; |
1189 | } |
1190 | rsikey.in_token.data = kmalloc(size: len, GFP_KERNEL); |
1191 | if (ZERO_OR_NULL_PTR(rsikey.in_token.data)) { |
1192 | kfree(objp: rsikey.in_handle.data); |
1193 | return SVC_CLOSE; |
1194 | } |
1195 | memcpy(rsikey.in_token.data, p, len); |
1196 | rsikey.in_token.len = len; |
1197 | |
1198 | /* Perform upcall, or find upcall result: */ |
1199 | rsip = rsi_lookup(cd: sn->rsi_cache, item: &rsikey); |
1200 | rsi_free(rsii: &rsikey); |
1201 | if (!rsip) |
1202 | return SVC_CLOSE; |
1203 | if (cache_check(detail: sn->rsi_cache, h: &rsip->h, rqstp: &rqstp->rq_chandle) < 0) |
1204 | /* No upcall result: */ |
1205 | return SVC_CLOSE; |
1206 | |
1207 | ret = SVC_CLOSE; |
1208 | if (!svcauth_gss_proc_init_verf(cd: sn->rsc_cache, rqstp, out_handle: &rsip->out_handle, |
1209 | major_status: &rsip->major_status, GSS_SEQ_WIN)) |
1210 | goto out; |
1211 | if (!svcxdr_set_accept_stat(rqstp)) |
1212 | goto out; |
1213 | if (!svcxdr_encode_gss_init_res(xdr: &rqstp->rq_res_stream, handle: &rsip->out_handle, |
1214 | gss_token: &rsip->out_token, major_status: rsip->major_status, |
1215 | minor_status: rsip->minor_status, GSS_SEQ_WIN)) |
1216 | goto out; |
1217 | |
1218 | ret = SVC_COMPLETE; |
1219 | out: |
1220 | cache_put(h: &rsip->h, cd: sn->rsi_cache); |
1221 | return ret; |
1222 | } |
1223 | |
1224 | static int gss_proxy_save_rsc(struct cache_detail *cd, |
1225 | struct gssp_upcall_data *ud, |
1226 | uint64_t *handle) |
1227 | { |
1228 | struct rsc rsci, *rscp = NULL; |
1229 | static atomic64_t ctxhctr; |
1230 | long long ctxh; |
1231 | struct gss_api_mech *gm = NULL; |
1232 | time64_t expiry; |
1233 | int status; |
1234 | |
1235 | memset(&rsci, 0, sizeof(rsci)); |
1236 | /* context handle */ |
1237 | status = -ENOMEM; |
1238 | /* the handle needs to be just a unique id, |
1239 | * use a static counter */ |
1240 | ctxh = atomic64_inc_return(v: &ctxhctr); |
1241 | |
1242 | /* make a copy for the caller */ |
1243 | *handle = ctxh; |
1244 | |
1245 | /* make a copy for the rsc cache */ |
1246 | if (dup_to_netobj(dst: &rsci.handle, src: (char *)handle, len: sizeof(uint64_t))) |
1247 | goto out; |
1248 | rscp = rsc_lookup(cd, item: &rsci); |
1249 | if (!rscp) |
1250 | goto out; |
1251 | |
1252 | /* creds */ |
1253 | if (!ud->found_creds) { |
1254 | /* userspace seem buggy, we should always get at least a |
1255 | * mapping to nobody */ |
1256 | goto out; |
1257 | } else { |
1258 | struct timespec64 boot; |
1259 | |
1260 | /* steal creds */ |
1261 | rsci.cred = ud->creds; |
1262 | memset(&ud->creds, 0, sizeof(struct svc_cred)); |
1263 | |
1264 | status = -EOPNOTSUPP; |
1265 | /* get mech handle from OID */ |
1266 | gm = gss_mech_get_by_OID(&ud->mech_oid); |
1267 | if (!gm) |
1268 | goto out; |
1269 | rsci.cred.cr_gss_mech = gm; |
1270 | |
1271 | status = -EINVAL; |
1272 | /* mech-specific data: */ |
1273 | status = gss_import_sec_context(input_token: ud->out_handle.data, |
1274 | bufsize: ud->out_handle.len, |
1275 | mech: gm, ctx_id: &rsci.mechctx, |
1276 | endtime: &expiry, GFP_KERNEL); |
1277 | if (status) |
1278 | goto out; |
1279 | |
1280 | getboottime64(ts: &boot); |
1281 | expiry -= boot.tv_sec; |
1282 | } |
1283 | |
1284 | rsci.h.expiry_time = expiry; |
1285 | rscp = rsc_update(cd, new: &rsci, old: rscp); |
1286 | status = 0; |
1287 | out: |
1288 | rsc_free(rsci: &rsci); |
1289 | if (rscp) |
1290 | cache_put(h: &rscp->h, cd); |
1291 | else |
1292 | status = -ENOMEM; |
1293 | return status; |
1294 | } |
1295 | |
1296 | static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, |
1297 | struct rpc_gss_wire_cred *gc) |
1298 | { |
1299 | struct xdr_netobj cli_handle; |
1300 | struct gssp_upcall_data ud; |
1301 | uint64_t handle; |
1302 | int status; |
1303 | int ret; |
1304 | struct net *net = SVC_NET(rqstp); |
1305 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1306 | |
1307 | memset(&ud, 0, sizeof(ud)); |
1308 | ret = gss_read_proxy_verf(rqstp, gc, in_handle: &ud.in_handle, in_token: &ud.in_token); |
1309 | if (ret) |
1310 | return ret; |
1311 | |
1312 | ret = SVC_CLOSE; |
1313 | |
1314 | /* Perform synchronous upcall to gss-proxy */ |
1315 | status = gssp_accept_sec_context_upcall(net, data: &ud); |
1316 | if (status) |
1317 | goto out; |
1318 | |
1319 | trace_rpcgss_svc_accept_upcall(rqstp, major_status: ud.major_status, minor_status: ud.minor_status); |
1320 | |
1321 | switch (ud.major_status) { |
1322 | case GSS_S_CONTINUE_NEEDED: |
1323 | cli_handle = ud.out_handle; |
1324 | break; |
1325 | case GSS_S_COMPLETE: |
1326 | status = gss_proxy_save_rsc(cd: sn->rsc_cache, ud: &ud, handle: &handle); |
1327 | if (status) |
1328 | goto out; |
1329 | cli_handle.data = (u8 *)&handle; |
1330 | cli_handle.len = sizeof(handle); |
1331 | break; |
1332 | default: |
1333 | goto out; |
1334 | } |
1335 | |
1336 | if (!svcauth_gss_proc_init_verf(cd: sn->rsc_cache, rqstp, out_handle: &cli_handle, |
1337 | major_status: &ud.major_status, GSS_SEQ_WIN)) |
1338 | goto out; |
1339 | if (!svcxdr_set_accept_stat(rqstp)) |
1340 | goto out; |
1341 | if (!svcxdr_encode_gss_init_res(xdr: &rqstp->rq_res_stream, handle: &cli_handle, |
1342 | gss_token: &ud.out_token, major_status: ud.major_status, |
1343 | minor_status: ud.minor_status, GSS_SEQ_WIN)) |
1344 | goto out; |
1345 | |
1346 | ret = SVC_COMPLETE; |
1347 | out: |
1348 | gss_free_in_token_pages(in_token: &ud.in_token); |
1349 | gssp_free_upcall_data(data: &ud); |
1350 | return ret; |
1351 | } |
1352 | |
1353 | /* |
1354 | * Try to set the sn->use_gss_proxy variable to a new value. We only allow |
1355 | * it to be changed if it's currently undefined (-1). If it's any other value |
1356 | * then return -EBUSY unless the type wouldn't have changed anyway. |
1357 | */ |
1358 | static int set_gss_proxy(struct net *net, int type) |
1359 | { |
1360 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1361 | int ret; |
1362 | |
1363 | WARN_ON_ONCE(type != 0 && type != 1); |
1364 | ret = cmpxchg(&sn->use_gss_proxy, -1, type); |
1365 | if (ret != -1 && ret != type) |
1366 | return -EBUSY; |
1367 | return 0; |
1368 | } |
1369 | |
1370 | static bool use_gss_proxy(struct net *net) |
1371 | { |
1372 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1373 | |
1374 | /* If use_gss_proxy is still undefined, then try to disable it */ |
1375 | if (sn->use_gss_proxy == -1) |
1376 | set_gss_proxy(net, type: 0); |
1377 | return sn->use_gss_proxy; |
1378 | } |
1379 | |
1380 | static noinline_for_stack int |
1381 | svcauth_gss_proc_init(struct svc_rqst *rqstp, struct rpc_gss_wire_cred *gc) |
1382 | { |
1383 | struct xdr_stream *xdr = &rqstp->rq_arg_stream; |
1384 | u32 flavor, len; |
1385 | void *body; |
1386 | |
1387 | /* Call's verf field: */ |
1388 | if (xdr_stream_decode_opaque_auth(xdr, flavor: &flavor, body: &body, body_len: &len) < 0) |
1389 | return SVC_GARBAGE; |
1390 | if (flavor != RPC_AUTH_NULL || len != 0) { |
1391 | rqstp->rq_auth_stat = rpc_autherr_badverf; |
1392 | return SVC_DENIED; |
1393 | } |
1394 | |
1395 | if (gc->gc_proc == RPC_GSS_PROC_INIT && gc->gc_ctx.len != 0) { |
1396 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
1397 | return SVC_DENIED; |
1398 | } |
1399 | |
1400 | if (!use_gss_proxy(SVC_NET(rqstp))) |
1401 | return svcauth_gss_legacy_init(rqstp, gc); |
1402 | return svcauth_gss_proxy_init(rqstp, gc); |
1403 | } |
1404 | |
1405 | #ifdef CONFIG_PROC_FS |
1406 | |
1407 | static ssize_t write_gssp(struct file *file, const char __user *buf, |
1408 | size_t count, loff_t *ppos) |
1409 | { |
1410 | struct net *net = pde_data(inode: file_inode(f: file)); |
1411 | char tbuf[20]; |
1412 | unsigned long i; |
1413 | int res; |
1414 | |
1415 | if (*ppos || count > sizeof(tbuf)-1) |
1416 | return -EINVAL; |
1417 | if (copy_from_user(to: tbuf, from: buf, n: count)) |
1418 | return -EFAULT; |
1419 | |
1420 | tbuf[count] = 0; |
1421 | res = kstrtoul(s: tbuf, base: 0, res: &i); |
1422 | if (res) |
1423 | return res; |
1424 | if (i != 1) |
1425 | return -EINVAL; |
1426 | res = set_gssp_clnt(net); |
1427 | if (res) |
1428 | return res; |
1429 | res = set_gss_proxy(net, type: 1); |
1430 | if (res) |
1431 | return res; |
1432 | return count; |
1433 | } |
1434 | |
1435 | static ssize_t read_gssp(struct file *file, char __user *buf, |
1436 | size_t count, loff_t *ppos) |
1437 | { |
1438 | struct net *net = pde_data(inode: file_inode(f: file)); |
1439 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1440 | unsigned long p = *ppos; |
1441 | char tbuf[10]; |
1442 | size_t len; |
1443 | |
1444 | snprintf(buf: tbuf, size: sizeof(tbuf), fmt: "%d\n" , sn->use_gss_proxy); |
1445 | len = strlen(tbuf); |
1446 | if (p >= len) |
1447 | return 0; |
1448 | len -= p; |
1449 | if (len > count) |
1450 | len = count; |
1451 | if (copy_to_user(to: buf, from: (void *)(tbuf+p), n: len)) |
1452 | return -EFAULT; |
1453 | *ppos += len; |
1454 | return len; |
1455 | } |
1456 | |
1457 | static const struct proc_ops use_gss_proxy_proc_ops = { |
1458 | .proc_open = nonseekable_open, |
1459 | .proc_write = write_gssp, |
1460 | .proc_read = read_gssp, |
1461 | }; |
1462 | |
1463 | static int create_use_gss_proxy_proc_entry(struct net *net) |
1464 | { |
1465 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1466 | struct proc_dir_entry **p = &sn->use_gssp_proc; |
1467 | |
1468 | sn->use_gss_proxy = -1; |
1469 | *p = proc_create_data("use-gss-proxy" , S_IFREG | 0600, |
1470 | sn->proc_net_rpc, |
1471 | &use_gss_proxy_proc_ops, net); |
1472 | if (!*p) |
1473 | return -ENOMEM; |
1474 | init_gssp_clnt(sn); |
1475 | return 0; |
1476 | } |
1477 | |
1478 | static void destroy_use_gss_proxy_proc_entry(struct net *net) |
1479 | { |
1480 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1481 | |
1482 | if (sn->use_gssp_proc) { |
1483 | remove_proc_entry("use-gss-proxy" , sn->proc_net_rpc); |
1484 | clear_gssp_clnt(sn); |
1485 | } |
1486 | } |
1487 | |
1488 | static ssize_t read_gss_krb5_enctypes(struct file *file, char __user *buf, |
1489 | size_t count, loff_t *ppos) |
1490 | { |
1491 | struct rpcsec_gss_oid oid = { |
1492 | .len = 9, |
1493 | .data = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" , |
1494 | }; |
1495 | struct gss_api_mech *mech; |
1496 | ssize_t ret; |
1497 | |
1498 | mech = gss_mech_get_by_OID(&oid); |
1499 | if (!mech) |
1500 | return 0; |
1501 | if (!mech->gm_upcall_enctypes) { |
1502 | gss_mech_put(mech); |
1503 | return 0; |
1504 | } |
1505 | |
1506 | ret = simple_read_from_buffer(to: buf, count, ppos, |
1507 | from: mech->gm_upcall_enctypes, |
1508 | strlen(mech->gm_upcall_enctypes)); |
1509 | gss_mech_put(mech); |
1510 | return ret; |
1511 | } |
1512 | |
1513 | static const struct proc_ops gss_krb5_enctypes_proc_ops = { |
1514 | .proc_open = nonseekable_open, |
1515 | .proc_read = read_gss_krb5_enctypes, |
1516 | }; |
1517 | |
1518 | static int create_krb5_enctypes_proc_entry(struct net *net) |
1519 | { |
1520 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1521 | |
1522 | sn->gss_krb5_enctypes = |
1523 | proc_create_data("gss_krb5_enctypes" , S_IFREG | 0444, |
1524 | sn->proc_net_rpc, &gss_krb5_enctypes_proc_ops, |
1525 | net); |
1526 | return sn->gss_krb5_enctypes ? 0 : -ENOMEM; |
1527 | } |
1528 | |
1529 | static void destroy_krb5_enctypes_proc_entry(struct net *net) |
1530 | { |
1531 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
1532 | |
1533 | if (sn->gss_krb5_enctypes) |
1534 | remove_proc_entry("gss_krb5_enctypes" , sn->proc_net_rpc); |
1535 | } |
1536 | |
1537 | #else /* CONFIG_PROC_FS */ |
1538 | |
1539 | static int create_use_gss_proxy_proc_entry(struct net *net) |
1540 | { |
1541 | return 0; |
1542 | } |
1543 | |
1544 | static void destroy_use_gss_proxy_proc_entry(struct net *net) {} |
1545 | |
1546 | static int create_krb5_enctypes_proc_entry(struct net *net) |
1547 | { |
1548 | return 0; |
1549 | } |
1550 | |
1551 | static void destroy_krb5_enctypes_proc_entry(struct net *net) {} |
1552 | |
1553 | #endif /* CONFIG_PROC_FS */ |
1554 | |
1555 | /* |
1556 | * The Call's credential body should contain a struct rpc_gss_cred_t. |
1557 | * |
1558 | * RFC 2203 Section 5 |
1559 | * |
1560 | * struct rpc_gss_cred_t { |
1561 | * union switch (unsigned int version) { |
1562 | * case RPCSEC_GSS_VERS_1: |
1563 | * struct { |
1564 | * rpc_gss_proc_t gss_proc; |
1565 | * unsigned int seq_num; |
1566 | * rpc_gss_service_t service; |
1567 | * opaque handle<>; |
1568 | * } rpc_gss_cred_vers_1_t; |
1569 | * } |
1570 | * }; |
1571 | */ |
1572 | static bool |
1573 | svcauth_gss_decode_credbody(struct xdr_stream *xdr, |
1574 | struct rpc_gss_wire_cred *gc, |
1575 | __be32 **rpcstart) |
1576 | { |
1577 | ssize_t handle_len; |
1578 | u32 body_len; |
1579 | __be32 *p; |
1580 | |
1581 | p = xdr_inline_decode(xdr, XDR_UNIT); |
1582 | if (!p) |
1583 | return false; |
1584 | /* |
1585 | * start of rpc packet is 7 u32's back from here: |
1586 | * xid direction rpcversion prog vers proc flavour |
1587 | */ |
1588 | *rpcstart = p - 7; |
1589 | body_len = be32_to_cpup(p); |
1590 | if (body_len > RPC_MAX_AUTH_SIZE) |
1591 | return false; |
1592 | |
1593 | /* struct rpc_gss_cred_t */ |
1594 | if (xdr_stream_decode_u32(xdr, ptr: &gc->gc_v) < 0) |
1595 | return false; |
1596 | if (xdr_stream_decode_u32(xdr, ptr: &gc->gc_proc) < 0) |
1597 | return false; |
1598 | if (xdr_stream_decode_u32(xdr, ptr: &gc->gc_seq) < 0) |
1599 | return false; |
1600 | if (xdr_stream_decode_u32(xdr, ptr: &gc->gc_svc) < 0) |
1601 | return false; |
1602 | handle_len = xdr_stream_decode_opaque_inline(xdr, |
1603 | ptr: (void **)&gc->gc_ctx.data, |
1604 | maxlen: body_len); |
1605 | if (handle_len < 0) |
1606 | return false; |
1607 | if (body_len != XDR_UNIT * 5 + xdr_align_size(n: handle_len)) |
1608 | return false; |
1609 | |
1610 | gc->gc_ctx.len = handle_len; |
1611 | return true; |
1612 | } |
1613 | |
1614 | /** |
1615 | * svcauth_gss_accept - Decode and validate incoming RPC_AUTH_GSS credential |
1616 | * @rqstp: RPC transaction |
1617 | * |
1618 | * Return values: |
1619 | * %SVC_OK: Success |
1620 | * %SVC_COMPLETE: GSS context lifetime event |
1621 | * %SVC_DENIED: Credential or verifier is not valid |
1622 | * %SVC_GARBAGE: Failed to decode credential or verifier |
1623 | * %SVC_CLOSE: Temporary failure |
1624 | * |
1625 | * The rqstp->rq_auth_stat field is also set (see RFCs 2203 and 5531). |
1626 | */ |
1627 | static enum svc_auth_status |
1628 | svcauth_gss_accept(struct svc_rqst *rqstp) |
1629 | { |
1630 | struct gss_svc_data *svcdata = rqstp->rq_auth_data; |
1631 | __be32 *rpcstart; |
1632 | struct rpc_gss_wire_cred *gc; |
1633 | struct rsc *rsci = NULL; |
1634 | int ret; |
1635 | struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), id: sunrpc_net_id); |
1636 | |
1637 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
1638 | if (!svcdata) |
1639 | svcdata = kmalloc(size: sizeof(*svcdata), GFP_KERNEL); |
1640 | if (!svcdata) |
1641 | goto auth_err; |
1642 | rqstp->rq_auth_data = svcdata; |
1643 | svcdata->gsd_databody_offset = 0; |
1644 | svcdata->rsci = NULL; |
1645 | gc = &svcdata->clcred; |
1646 | |
1647 | if (!svcauth_gss_decode_credbody(xdr: &rqstp->rq_arg_stream, gc, rpcstart: &rpcstart)) |
1648 | goto auth_err; |
1649 | if (gc->gc_v != RPC_GSS_VERSION) |
1650 | goto auth_err; |
1651 | |
1652 | switch (gc->gc_proc) { |
1653 | case RPC_GSS_PROC_INIT: |
1654 | case RPC_GSS_PROC_CONTINUE_INIT: |
1655 | if (rqstp->rq_proc != 0) |
1656 | goto auth_err; |
1657 | return svcauth_gss_proc_init(rqstp, gc); |
1658 | case RPC_GSS_PROC_DESTROY: |
1659 | if (rqstp->rq_proc != 0) |
1660 | goto auth_err; |
1661 | fallthrough; |
1662 | case RPC_GSS_PROC_DATA: |
1663 | rqstp->rq_auth_stat = rpcsec_gsserr_credproblem; |
1664 | rsci = gss_svc_searchbyctx(cd: sn->rsc_cache, handle: &gc->gc_ctx); |
1665 | if (!rsci) |
1666 | goto auth_err; |
1667 | switch (svcauth_gss_verify_header(rqstp, rsci, rpcstart, gc)) { |
1668 | case SVC_OK: |
1669 | break; |
1670 | case SVC_DENIED: |
1671 | goto auth_err; |
1672 | case SVC_DROP: |
1673 | goto drop; |
1674 | } |
1675 | break; |
1676 | default: |
1677 | if (rqstp->rq_proc != 0) |
1678 | goto auth_err; |
1679 | rqstp->rq_auth_stat = rpc_autherr_rejectedcred; |
1680 | goto auth_err; |
1681 | } |
1682 | |
1683 | /* now act upon the command: */ |
1684 | switch (gc->gc_proc) { |
1685 | case RPC_GSS_PROC_DESTROY: |
1686 | if (!svcauth_gss_encode_verf(rqstp, ctx_id: rsci->mechctx, seq: gc->gc_seq)) |
1687 | goto auth_err; |
1688 | if (!svcxdr_set_accept_stat(rqstp)) |
1689 | goto auth_err; |
1690 | /* Delete the entry from the cache_list and call cache_put */ |
1691 | sunrpc_cache_unhash(sn->rsc_cache, &rsci->h); |
1692 | goto complete; |
1693 | case RPC_GSS_PROC_DATA: |
1694 | rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem; |
1695 | if (!svcauth_gss_encode_verf(rqstp, ctx_id: rsci->mechctx, seq: gc->gc_seq)) |
1696 | goto auth_err; |
1697 | if (!svcxdr_set_accept_stat(rqstp)) |
1698 | goto auth_err; |
1699 | svcdata->gsd_databody_offset = xdr_stream_pos(xdr: &rqstp->rq_res_stream); |
1700 | rqstp->rq_cred = rsci->cred; |
1701 | get_group_info(gi: rsci->cred.cr_group_info); |
1702 | rqstp->rq_auth_stat = rpc_autherr_badcred; |
1703 | switch (gc->gc_svc) { |
1704 | case RPC_GSS_SVC_NONE: |
1705 | break; |
1706 | case RPC_GSS_SVC_INTEGRITY: |
1707 | /* placeholders for body length and seq. number: */ |
1708 | xdr_reserve_space(xdr: &rqstp->rq_res_stream, XDR_UNIT * 2); |
1709 | if (svcauth_gss_unwrap_integ(rqstp, seq: gc->gc_seq, |
1710 | ctx: rsci->mechctx)) |
1711 | goto garbage_args; |
1712 | svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE); |
1713 | break; |
1714 | case RPC_GSS_SVC_PRIVACY: |
1715 | /* placeholders for body length and seq. number: */ |
1716 | xdr_reserve_space(xdr: &rqstp->rq_res_stream, XDR_UNIT * 2); |
1717 | if (svcauth_gss_unwrap_priv(rqstp, seq: gc->gc_seq, |
1718 | ctx: rsci->mechctx)) |
1719 | goto garbage_args; |
1720 | svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE * 2); |
1721 | break; |
1722 | default: |
1723 | goto auth_err; |
1724 | } |
1725 | svcdata->rsci = rsci; |
1726 | cache_get(h: &rsci->h); |
1727 | rqstp->rq_cred.cr_flavor = gss_svc_to_pseudoflavor( |
1728 | rsci->mechctx->mech_type, |
1729 | GSS_C_QOP_DEFAULT, |
1730 | service: gc->gc_svc); |
1731 | ret = SVC_OK; |
1732 | trace_rpcgss_svc_authenticate(rqstp, gc); |
1733 | goto out; |
1734 | } |
1735 | garbage_args: |
1736 | ret = SVC_GARBAGE; |
1737 | goto out; |
1738 | auth_err: |
1739 | xdr_truncate_encode(xdr: &rqstp->rq_res_stream, XDR_UNIT * 2); |
1740 | ret = SVC_DENIED; |
1741 | goto out; |
1742 | complete: |
1743 | ret = SVC_COMPLETE; |
1744 | goto out; |
1745 | drop: |
1746 | ret = SVC_CLOSE; |
1747 | out: |
1748 | if (rsci) |
1749 | cache_put(h: &rsci->h, cd: sn->rsc_cache); |
1750 | return ret; |
1751 | } |
1752 | |
1753 | static u32 |
1754 | svcauth_gss_prepare_to_wrap(struct svc_rqst *rqstp, struct gss_svc_data *gsd) |
1755 | { |
1756 | u32 offset; |
1757 | |
1758 | /* Release can be called twice, but we only wrap once. */ |
1759 | offset = gsd->gsd_databody_offset; |
1760 | gsd->gsd_databody_offset = 0; |
1761 | |
1762 | /* AUTH_ERROR replies are not wrapped. */ |
1763 | if (rqstp->rq_auth_stat != rpc_auth_ok) |
1764 | return 0; |
1765 | |
1766 | /* Also don't wrap if the accept_stat is nonzero: */ |
1767 | if (*rqstp->rq_accept_statp != rpc_success) |
1768 | return 0; |
1769 | |
1770 | return offset; |
1771 | } |
1772 | |
1773 | /* |
1774 | * RFC 2203, Section 5.3.2.2 |
1775 | * |
1776 | * struct rpc_gss_integ_data { |
1777 | * opaque databody_integ<>; |
1778 | * opaque checksum<>; |
1779 | * }; |
1780 | * |
1781 | * struct rpc_gss_data_t { |
1782 | * unsigned int seq_num; |
1783 | * proc_req_arg_t arg; |
1784 | * }; |
1785 | * |
1786 | * The RPC Reply message has already been XDR-encoded. rq_res_stream |
1787 | * is now positioned so that the checksum can be written just past |
1788 | * the RPC Reply message. |
1789 | */ |
1790 | static int svcauth_gss_wrap_integ(struct svc_rqst *rqstp) |
1791 | { |
1792 | struct gss_svc_data *gsd = rqstp->rq_auth_data; |
1793 | struct xdr_stream *xdr = &rqstp->rq_res_stream; |
1794 | struct rpc_gss_wire_cred *gc = &gsd->clcred; |
1795 | struct xdr_buf *buf = xdr->buf; |
1796 | struct xdr_buf databody_integ; |
1797 | struct xdr_netobj checksum; |
1798 | u32 offset, maj_stat; |
1799 | |
1800 | offset = svcauth_gss_prepare_to_wrap(rqstp, gsd); |
1801 | if (!offset) |
1802 | goto out; |
1803 | |
1804 | if (xdr_buf_subsegment(buf, &databody_integ, offset + XDR_UNIT, |
1805 | buf->len - offset - XDR_UNIT)) |
1806 | goto wrap_failed; |
1807 | /* Buffer space for these has already been reserved in |
1808 | * svcauth_gss_accept(). */ |
1809 | if (xdr_encode_word(buf, offset, databody_integ.len)) |
1810 | goto wrap_failed; |
1811 | if (xdr_encode_word(buf, offset + XDR_UNIT, gc->gc_seq)) |
1812 | goto wrap_failed; |
1813 | |
1814 | checksum.data = gsd->gsd_scratch; |
1815 | maj_stat = gss_get_mic(ctx_id: gsd->rsci->mechctx, message: &databody_integ, mic_token: &checksum); |
1816 | if (maj_stat != GSS_S_COMPLETE) |
1817 | goto bad_mic; |
1818 | |
1819 | if (xdr_stream_encode_opaque(xdr, ptr: checksum.data, len: checksum.len) < 0) |
1820 | goto wrap_failed; |
1821 | xdr_commit_encode(xdr); |
1822 | |
1823 | out: |
1824 | return 0; |
1825 | |
1826 | bad_mic: |
1827 | trace_rpcgss_svc_get_mic(rqstp, maj_stat); |
1828 | return -EINVAL; |
1829 | wrap_failed: |
1830 | trace_rpcgss_svc_wrap_failed(rqstp); |
1831 | return -EINVAL; |
1832 | } |
1833 | |
1834 | /* |
1835 | * RFC 2203, Section 5.3.2.3 |
1836 | * |
1837 | * struct rpc_gss_priv_data { |
1838 | * opaque databody_priv<> |
1839 | * }; |
1840 | * |
1841 | * struct rpc_gss_data_t { |
1842 | * unsigned int seq_num; |
1843 | * proc_req_arg_t arg; |
1844 | * }; |
1845 | * |
1846 | * gss_wrap() expands the size of the RPC message payload in the |
1847 | * response buffer. The main purpose of svcauth_gss_wrap_priv() |
1848 | * is to ensure there is adequate space in the response buffer to |
1849 | * avoid overflow during the wrap. |
1850 | */ |
1851 | static int svcauth_gss_wrap_priv(struct svc_rqst *rqstp) |
1852 | { |
1853 | struct gss_svc_data *gsd = rqstp->rq_auth_data; |
1854 | struct rpc_gss_wire_cred *gc = &gsd->clcred; |
1855 | struct xdr_buf *buf = &rqstp->rq_res; |
1856 | struct kvec *head = buf->head; |
1857 | struct kvec *tail = buf->tail; |
1858 | u32 offset, pad, maj_stat; |
1859 | __be32 *p; |
1860 | |
1861 | offset = svcauth_gss_prepare_to_wrap(rqstp, gsd); |
1862 | if (!offset) |
1863 | return 0; |
1864 | |
1865 | /* |
1866 | * Buffer space for this field has already been reserved |
1867 | * in svcauth_gss_accept(). Note that the GSS sequence |
1868 | * number is encrypted along with the RPC reply payload. |
1869 | */ |
1870 | if (xdr_encode_word(buf, offset + XDR_UNIT, gc->gc_seq)) |
1871 | goto wrap_failed; |
1872 | |
1873 | /* |
1874 | * If there is currently tail data, make sure there is |
1875 | * room for the head, tail, and 2 * RPC_MAX_AUTH_SIZE in |
1876 | * the page, and move the current tail data such that |
1877 | * there is RPC_MAX_AUTH_SIZE slack space available in |
1878 | * both the head and tail. |
1879 | */ |
1880 | if (tail->iov_base) { |
1881 | if (tail->iov_base >= head->iov_base + PAGE_SIZE) |
1882 | goto wrap_failed; |
1883 | if (tail->iov_base < head->iov_base) |
1884 | goto wrap_failed; |
1885 | if (tail->iov_len + head->iov_len |
1886 | + 2 * RPC_MAX_AUTH_SIZE > PAGE_SIZE) |
1887 | goto wrap_failed; |
1888 | memmove(tail->iov_base + RPC_MAX_AUTH_SIZE, tail->iov_base, |
1889 | tail->iov_len); |
1890 | tail->iov_base += RPC_MAX_AUTH_SIZE; |
1891 | } |
1892 | /* |
1893 | * If there is no current tail data, make sure there is |
1894 | * room for the head data, and 2 * RPC_MAX_AUTH_SIZE in the |
1895 | * allotted page, and set up tail information such that there |
1896 | * is RPC_MAX_AUTH_SIZE slack space available in both the |
1897 | * head and tail. |
1898 | */ |
1899 | if (!tail->iov_base) { |
1900 | if (head->iov_len + 2 * RPC_MAX_AUTH_SIZE > PAGE_SIZE) |
1901 | goto wrap_failed; |
1902 | tail->iov_base = head->iov_base |
1903 | + head->iov_len + RPC_MAX_AUTH_SIZE; |
1904 | tail->iov_len = 0; |
1905 | } |
1906 | |
1907 | maj_stat = gss_wrap(ctx_id: gsd->rsci->mechctx, offset: offset + XDR_UNIT, outbuf: buf, |
1908 | inpages: buf->pages); |
1909 | if (maj_stat != GSS_S_COMPLETE) |
1910 | goto bad_wrap; |
1911 | |
1912 | /* Wrapping can change the size of databody_priv. */ |
1913 | if (xdr_encode_word(buf, offset, buf->len - offset - XDR_UNIT)) |
1914 | goto wrap_failed; |
1915 | pad = xdr_pad_size(n: buf->len - offset - XDR_UNIT); |
1916 | p = (__be32 *)(tail->iov_base + tail->iov_len); |
1917 | memset(p, 0, pad); |
1918 | tail->iov_len += pad; |
1919 | buf->len += pad; |
1920 | |
1921 | return 0; |
1922 | wrap_failed: |
1923 | trace_rpcgss_svc_wrap_failed(rqstp); |
1924 | return -EINVAL; |
1925 | bad_wrap: |
1926 | trace_rpcgss_svc_wrap(rqstp, maj_stat); |
1927 | return -ENOMEM; |
1928 | } |
1929 | |
1930 | /** |
1931 | * svcauth_gss_release - Wrap payload and release resources |
1932 | * @rqstp: RPC transaction context |
1933 | * |
1934 | * Return values: |
1935 | * %0: the Reply is ready to be sent |
1936 | * %-ENOMEM: failed to allocate memory |
1937 | * %-EINVAL: encoding error |
1938 | */ |
1939 | static int |
1940 | svcauth_gss_release(struct svc_rqst *rqstp) |
1941 | { |
1942 | struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), id: sunrpc_net_id); |
1943 | struct gss_svc_data *gsd = rqstp->rq_auth_data; |
1944 | struct rpc_gss_wire_cred *gc; |
1945 | int stat; |
1946 | |
1947 | if (!gsd) |
1948 | goto out; |
1949 | gc = &gsd->clcred; |
1950 | if (gc->gc_proc != RPC_GSS_PROC_DATA) |
1951 | goto out; |
1952 | |
1953 | switch (gc->gc_svc) { |
1954 | case RPC_GSS_SVC_NONE: |
1955 | break; |
1956 | case RPC_GSS_SVC_INTEGRITY: |
1957 | stat = svcauth_gss_wrap_integ(rqstp); |
1958 | if (stat) |
1959 | goto out_err; |
1960 | break; |
1961 | case RPC_GSS_SVC_PRIVACY: |
1962 | stat = svcauth_gss_wrap_priv(rqstp); |
1963 | if (stat) |
1964 | goto out_err; |
1965 | break; |
1966 | /* |
1967 | * For any other gc_svc value, svcauth_gss_accept() already set |
1968 | * the auth_error appropriately; just fall through: |
1969 | */ |
1970 | } |
1971 | |
1972 | out: |
1973 | stat = 0; |
1974 | out_err: |
1975 | if (rqstp->rq_client) |
1976 | auth_domain_put(item: rqstp->rq_client); |
1977 | rqstp->rq_client = NULL; |
1978 | if (rqstp->rq_gssclient) |
1979 | auth_domain_put(item: rqstp->rq_gssclient); |
1980 | rqstp->rq_gssclient = NULL; |
1981 | if (rqstp->rq_cred.cr_group_info) |
1982 | put_group_info(rqstp->rq_cred.cr_group_info); |
1983 | rqstp->rq_cred.cr_group_info = NULL; |
1984 | if (gsd && gsd->rsci) { |
1985 | cache_put(h: &gsd->rsci->h, cd: sn->rsc_cache); |
1986 | gsd->rsci = NULL; |
1987 | } |
1988 | return stat; |
1989 | } |
1990 | |
1991 | static void |
1992 | svcauth_gss_domain_release_rcu(struct rcu_head *head) |
1993 | { |
1994 | struct auth_domain *dom = container_of(head, struct auth_domain, rcu_head); |
1995 | struct gss_domain *gd = container_of(dom, struct gss_domain, h); |
1996 | |
1997 | kfree(objp: dom->name); |
1998 | kfree(objp: gd); |
1999 | } |
2000 | |
2001 | static void |
2002 | svcauth_gss_domain_release(struct auth_domain *dom) |
2003 | { |
2004 | call_rcu(head: &dom->rcu_head, func: svcauth_gss_domain_release_rcu); |
2005 | } |
2006 | |
2007 | static rpc_authflavor_t svcauth_gss_pseudoflavor(struct svc_rqst *rqstp) |
2008 | { |
2009 | return svcauth_gss_flavor(rqstp->rq_gssclient); |
2010 | } |
2011 | |
2012 | static struct auth_ops svcauthops_gss = { |
2013 | .name = "rpcsec_gss" , |
2014 | .owner = THIS_MODULE, |
2015 | .flavour = RPC_AUTH_GSS, |
2016 | .accept = svcauth_gss_accept, |
2017 | .release = svcauth_gss_release, |
2018 | .domain_release = svcauth_gss_domain_release, |
2019 | .set_client = svcauth_gss_set_client, |
2020 | .pseudoflavor = svcauth_gss_pseudoflavor, |
2021 | }; |
2022 | |
2023 | static int rsi_cache_create_net(struct net *net) |
2024 | { |
2025 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
2026 | struct cache_detail *cd; |
2027 | int err; |
2028 | |
2029 | cd = cache_create_net(tmpl: &rsi_cache_template, net); |
2030 | if (IS_ERR(ptr: cd)) |
2031 | return PTR_ERR(ptr: cd); |
2032 | err = cache_register_net(cd, net); |
2033 | if (err) { |
2034 | cache_destroy_net(cd, net); |
2035 | return err; |
2036 | } |
2037 | sn->rsi_cache = cd; |
2038 | return 0; |
2039 | } |
2040 | |
2041 | static void rsi_cache_destroy_net(struct net *net) |
2042 | { |
2043 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
2044 | struct cache_detail *cd = sn->rsi_cache; |
2045 | |
2046 | sn->rsi_cache = NULL; |
2047 | cache_purge(detail: cd); |
2048 | cache_unregister_net(cd, net); |
2049 | cache_destroy_net(cd, net); |
2050 | } |
2051 | |
2052 | static int rsc_cache_create_net(struct net *net) |
2053 | { |
2054 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
2055 | struct cache_detail *cd; |
2056 | int err; |
2057 | |
2058 | cd = cache_create_net(tmpl: &rsc_cache_template, net); |
2059 | if (IS_ERR(ptr: cd)) |
2060 | return PTR_ERR(ptr: cd); |
2061 | err = cache_register_net(cd, net); |
2062 | if (err) { |
2063 | cache_destroy_net(cd, net); |
2064 | return err; |
2065 | } |
2066 | sn->rsc_cache = cd; |
2067 | return 0; |
2068 | } |
2069 | |
2070 | static void rsc_cache_destroy_net(struct net *net) |
2071 | { |
2072 | struct sunrpc_net *sn = net_generic(net, id: sunrpc_net_id); |
2073 | struct cache_detail *cd = sn->rsc_cache; |
2074 | |
2075 | sn->rsc_cache = NULL; |
2076 | cache_purge(detail: cd); |
2077 | cache_unregister_net(cd, net); |
2078 | cache_destroy_net(cd, net); |
2079 | } |
2080 | |
2081 | int |
2082 | gss_svc_init_net(struct net *net) |
2083 | { |
2084 | int rv; |
2085 | |
2086 | rv = rsc_cache_create_net(net); |
2087 | if (rv) |
2088 | return rv; |
2089 | rv = rsi_cache_create_net(net); |
2090 | if (rv) |
2091 | goto out1; |
2092 | rv = create_use_gss_proxy_proc_entry(net); |
2093 | if (rv) |
2094 | goto out2; |
2095 | |
2096 | rv = create_krb5_enctypes_proc_entry(net); |
2097 | if (rv) |
2098 | goto out3; |
2099 | |
2100 | return 0; |
2101 | |
2102 | out3: |
2103 | destroy_use_gss_proxy_proc_entry(net); |
2104 | out2: |
2105 | rsi_cache_destroy_net(net); |
2106 | out1: |
2107 | rsc_cache_destroy_net(net); |
2108 | return rv; |
2109 | } |
2110 | |
2111 | void |
2112 | gss_svc_shutdown_net(struct net *net) |
2113 | { |
2114 | destroy_krb5_enctypes_proc_entry(net); |
2115 | destroy_use_gss_proxy_proc_entry(net); |
2116 | rsi_cache_destroy_net(net); |
2117 | rsc_cache_destroy_net(net); |
2118 | } |
2119 | |
2120 | int |
2121 | gss_svc_init(void) |
2122 | { |
2123 | return svc_auth_register(flavor: RPC_AUTH_GSS, aops: &svcauthops_gss); |
2124 | } |
2125 | |
2126 | void |
2127 | gss_svc_shutdown(void) |
2128 | { |
2129 | svc_auth_unregister(flavor: RPC_AUTH_GSS); |
2130 | } |
2131 | |