svcauth_gss.c (50485B)
1// SPDX-License-Identifier: GPL-2.0 2/* 3 * Neil Brown <neilb@cse.unsw.edu.au> 4 * J. Bruce Fields <bfields@umich.edu> 5 * Andy Adamson <andros@umich.edu> 6 * Dug Song <dugsong@monkey.org> 7 * 8 * RPCSEC_GSS server authentication. 9 * This implements RPCSEC_GSS as defined in rfc2203 (rpcsec_gss) and rfc2078 10 * (gssapi) 11 * 12 * The RPCSEC_GSS involves three stages: 13 * 1/ context creation 14 * 2/ data exchange 15 * 3/ context destruction 16 * 17 * Context creation is handled largely by upcalls to user-space. 18 * In particular, GSS_Accept_sec_context is handled by an upcall 19 * Data exchange is handled entirely within the kernel 20 * In particular, GSS_GetMIC, GSS_VerifyMIC, GSS_Seal, GSS_Unseal are in-kernel. 21 * Context destruction is handled in-kernel 22 * GSS_Delete_sec_context is in-kernel 23 * 24 * Context creation is initiated by a RPCSEC_GSS_INIT request arriving. 25 * The context handle and gss_token are used as a key into the rpcsec_init cache. 26 * The content of this cache includes some of the outputs of GSS_Accept_sec_context, 27 * being major_status, minor_status, context_handle, reply_token. 28 * These are sent back to the client. 29 * Sequence window management is handled by the kernel. The window size if currently 30 * a compile time constant. 31 * 32 * When user-space is happy that a context is established, it places an entry 33 * in the rpcsec_context cache. The key for this cache is the context_handle. 34 * The content includes: 35 * uid/gidlist - for determining access rights 36 * mechanism type 37 * mechanism specific information, such as a key 38 * 39 */ 40 41#include <linux/slab.h> 42#include <linux/types.h> 43#include <linux/module.h> 44#include <linux/pagemap.h> 45#include <linux/user_namespace.h> 46 47#include <linux/sunrpc/auth_gss.h> 48#include <linux/sunrpc/gss_err.h> 49#include <linux/sunrpc/svcauth.h> 50#include <linux/sunrpc/svcauth_gss.h> 51#include <linux/sunrpc/cache.h> 52 53#include <trace/events/rpcgss.h> 54 55#include "gss_rpc_upcall.h" 56 57 58/* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT requests 59 * into replies. 60 * 61 * Key is context handle (\x if empty) and gss_token. 62 * Content is major_status minor_status (integers) context_handle, reply_token. 63 * 64 */ 65 66static int netobj_equal(struct xdr_netobj *a, struct xdr_netobj *b) 67{ 68 return a->len == b->len && 0 == memcmp(a->data, b->data, a->len); 69} 70 71#define RSI_HASHBITS 6 72#define RSI_HASHMAX (1<<RSI_HASHBITS) 73 74struct rsi { 75 struct cache_head h; 76 struct xdr_netobj in_handle, in_token; 77 struct xdr_netobj out_handle, out_token; 78 int major_status, minor_status; 79 struct rcu_head rcu_head; 80}; 81 82static struct rsi *rsi_update(struct cache_detail *cd, struct rsi *new, struct rsi *old); 83static struct rsi *rsi_lookup(struct cache_detail *cd, struct rsi *item); 84 85static void rsi_free(struct rsi *rsii) 86{ 87 kfree(rsii->in_handle.data); 88 kfree(rsii->in_token.data); 89 kfree(rsii->out_handle.data); 90 kfree(rsii->out_token.data); 91} 92 93static void rsi_free_rcu(struct rcu_head *head) 94{ 95 struct rsi *rsii = container_of(head, struct rsi, rcu_head); 96 97 rsi_free(rsii); 98 kfree(rsii); 99} 100 101static void rsi_put(struct kref *ref) 102{ 103 struct rsi *rsii = container_of(ref, struct rsi, h.ref); 104 105 call_rcu(&rsii->rcu_head, rsi_free_rcu); 106} 107 108static inline int rsi_hash(struct rsi *item) 109{ 110 return hash_mem(item->in_handle.data, item->in_handle.len, RSI_HASHBITS) 111 ^ hash_mem(item->in_token.data, item->in_token.len, RSI_HASHBITS); 112} 113 114static int rsi_match(struct cache_head *a, struct cache_head *b) 115{ 116 struct rsi *item = container_of(a, struct rsi, h); 117 struct rsi *tmp = container_of(b, struct rsi, h); 118 return netobj_equal(&item->in_handle, &tmp->in_handle) && 119 netobj_equal(&item->in_token, &tmp->in_token); 120} 121 122static int dup_to_netobj(struct xdr_netobj *dst, char *src, int len) 123{ 124 dst->len = len; 125 dst->data = (len ? kmemdup(src, len, GFP_KERNEL) : NULL); 126 if (len && !dst->data) 127 return -ENOMEM; 128 return 0; 129} 130 131static inline int dup_netobj(struct xdr_netobj *dst, struct xdr_netobj *src) 132{ 133 return dup_to_netobj(dst, src->data, src->len); 134} 135 136static void rsi_init(struct cache_head *cnew, struct cache_head *citem) 137{ 138 struct rsi *new = container_of(cnew, struct rsi, h); 139 struct rsi *item = container_of(citem, struct rsi, h); 140 141 new->out_handle.data = NULL; 142 new->out_handle.len = 0; 143 new->out_token.data = NULL; 144 new->out_token.len = 0; 145 new->in_handle.len = item->in_handle.len; 146 item->in_handle.len = 0; 147 new->in_token.len = item->in_token.len; 148 item->in_token.len = 0; 149 new->in_handle.data = item->in_handle.data; 150 item->in_handle.data = NULL; 151 new->in_token.data = item->in_token.data; 152 item->in_token.data = NULL; 153} 154 155static void update_rsi(struct cache_head *cnew, struct cache_head *citem) 156{ 157 struct rsi *new = container_of(cnew, struct rsi, h); 158 struct rsi *item = container_of(citem, struct rsi, h); 159 160 BUG_ON(new->out_handle.data || new->out_token.data); 161 new->out_handle.len = item->out_handle.len; 162 item->out_handle.len = 0; 163 new->out_token.len = item->out_token.len; 164 item->out_token.len = 0; 165 new->out_handle.data = item->out_handle.data; 166 item->out_handle.data = NULL; 167 new->out_token.data = item->out_token.data; 168 item->out_token.data = NULL; 169 170 new->major_status = item->major_status; 171 new->minor_status = item->minor_status; 172} 173 174static struct cache_head *rsi_alloc(void) 175{ 176 struct rsi *rsii = kmalloc(sizeof(*rsii), GFP_KERNEL); 177 if (rsii) 178 return &rsii->h; 179 else 180 return NULL; 181} 182 183static int rsi_upcall(struct cache_detail *cd, struct cache_head *h) 184{ 185 return sunrpc_cache_pipe_upcall_timeout(cd, h); 186} 187 188static void rsi_request(struct cache_detail *cd, 189 struct cache_head *h, 190 char **bpp, int *blen) 191{ 192 struct rsi *rsii = container_of(h, struct rsi, h); 193 194 qword_addhex(bpp, blen, rsii->in_handle.data, rsii->in_handle.len); 195 qword_addhex(bpp, blen, rsii->in_token.data, rsii->in_token.len); 196 (*bpp)[-1] = '\n'; 197 WARN_ONCE(*blen < 0, 198 "RPCSEC/GSS credential too large - please use gssproxy\n"); 199} 200 201static int rsi_parse(struct cache_detail *cd, 202 char *mesg, int mlen) 203{ 204 /* context token expiry major minor context token */ 205 char *buf = mesg; 206 char *ep; 207 int len; 208 struct rsi rsii, *rsip = NULL; 209 time64_t expiry; 210 int status = -EINVAL; 211 212 memset(&rsii, 0, sizeof(rsii)); 213 /* handle */ 214 len = qword_get(&mesg, buf, mlen); 215 if (len < 0) 216 goto out; 217 status = -ENOMEM; 218 if (dup_to_netobj(&rsii.in_handle, buf, len)) 219 goto out; 220 221 /* token */ 222 len = qword_get(&mesg, buf, mlen); 223 status = -EINVAL; 224 if (len < 0) 225 goto out; 226 status = -ENOMEM; 227 if (dup_to_netobj(&rsii.in_token, buf, len)) 228 goto out; 229 230 rsip = rsi_lookup(cd, &rsii); 231 if (!rsip) 232 goto out; 233 234 rsii.h.flags = 0; 235 /* expiry */ 236 expiry = get_expiry(&mesg); 237 status = -EINVAL; 238 if (expiry == 0) 239 goto out; 240 241 /* major/minor */ 242 len = qword_get(&mesg, buf, mlen); 243 if (len <= 0) 244 goto out; 245 rsii.major_status = simple_strtoul(buf, &ep, 10); 246 if (*ep) 247 goto out; 248 len = qword_get(&mesg, buf, mlen); 249 if (len <= 0) 250 goto out; 251 rsii.minor_status = simple_strtoul(buf, &ep, 10); 252 if (*ep) 253 goto out; 254 255 /* out_handle */ 256 len = qword_get(&mesg, buf, mlen); 257 if (len < 0) 258 goto out; 259 status = -ENOMEM; 260 if (dup_to_netobj(&rsii.out_handle, buf, len)) 261 goto out; 262 263 /* out_token */ 264 len = qword_get(&mesg, buf, mlen); 265 status = -EINVAL; 266 if (len < 0) 267 goto out; 268 status = -ENOMEM; 269 if (dup_to_netobj(&rsii.out_token, buf, len)) 270 goto out; 271 rsii.h.expiry_time = expiry; 272 rsip = rsi_update(cd, &rsii, rsip); 273 status = 0; 274out: 275 rsi_free(&rsii); 276 if (rsip) 277 cache_put(&rsip->h, cd); 278 else 279 status = -ENOMEM; 280 return status; 281} 282 283static const struct cache_detail rsi_cache_template = { 284 .owner = THIS_MODULE, 285 .hash_size = RSI_HASHMAX, 286 .name = "auth.rpcsec.init", 287 .cache_put = rsi_put, 288 .cache_upcall = rsi_upcall, 289 .cache_request = rsi_request, 290 .cache_parse = rsi_parse, 291 .match = rsi_match, 292 .init = rsi_init, 293 .update = update_rsi, 294 .alloc = rsi_alloc, 295}; 296 297static struct rsi *rsi_lookup(struct cache_detail *cd, struct rsi *item) 298{ 299 struct cache_head *ch; 300 int hash = rsi_hash(item); 301 302 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash); 303 if (ch) 304 return container_of(ch, struct rsi, h); 305 else 306 return NULL; 307} 308 309static struct rsi *rsi_update(struct cache_detail *cd, struct rsi *new, struct rsi *old) 310{ 311 struct cache_head *ch; 312 int hash = rsi_hash(new); 313 314 ch = sunrpc_cache_update(cd, &new->h, 315 &old->h, hash); 316 if (ch) 317 return container_of(ch, struct rsi, h); 318 else 319 return NULL; 320} 321 322 323/* 324 * The rpcsec_context cache is used to store a context that is 325 * used in data exchange. 326 * The key is a context handle. The content is: 327 * uid, gidlist, mechanism, service-set, mech-specific-data 328 */ 329 330#define RSC_HASHBITS 10 331#define RSC_HASHMAX (1<<RSC_HASHBITS) 332 333#define GSS_SEQ_WIN 128 334 335struct gss_svc_seq_data { 336 /* highest seq number seen so far: */ 337 u32 sd_max; 338 /* for i such that sd_max-GSS_SEQ_WIN < i <= sd_max, the i-th bit of 339 * sd_win is nonzero iff sequence number i has been seen already: */ 340 unsigned long sd_win[GSS_SEQ_WIN/BITS_PER_LONG]; 341 spinlock_t sd_lock; 342}; 343 344struct rsc { 345 struct cache_head h; 346 struct xdr_netobj handle; 347 struct svc_cred cred; 348 struct gss_svc_seq_data seqdata; 349 struct gss_ctx *mechctx; 350 struct rcu_head rcu_head; 351}; 352 353static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct rsc *old); 354static struct rsc *rsc_lookup(struct cache_detail *cd, struct rsc *item); 355 356static void rsc_free(struct rsc *rsci) 357{ 358 kfree(rsci->handle.data); 359 if (rsci->mechctx) 360 gss_delete_sec_context(&rsci->mechctx); 361 free_svc_cred(&rsci->cred); 362} 363 364static void rsc_free_rcu(struct rcu_head *head) 365{ 366 struct rsc *rsci = container_of(head, struct rsc, rcu_head); 367 368 kfree(rsci->handle.data); 369 kfree(rsci); 370} 371 372static void rsc_put(struct kref *ref) 373{ 374 struct rsc *rsci = container_of(ref, struct rsc, h.ref); 375 376 if (rsci->mechctx) 377 gss_delete_sec_context(&rsci->mechctx); 378 free_svc_cred(&rsci->cred); 379 call_rcu(&rsci->rcu_head, rsc_free_rcu); 380} 381 382static inline int 383rsc_hash(struct rsc *rsci) 384{ 385 return hash_mem(rsci->handle.data, rsci->handle.len, RSC_HASHBITS); 386} 387 388static int 389rsc_match(struct cache_head *a, struct cache_head *b) 390{ 391 struct rsc *new = container_of(a, struct rsc, h); 392 struct rsc *tmp = container_of(b, struct rsc, h); 393 394 return netobj_equal(&new->handle, &tmp->handle); 395} 396 397static void 398rsc_init(struct cache_head *cnew, struct cache_head *ctmp) 399{ 400 struct rsc *new = container_of(cnew, struct rsc, h); 401 struct rsc *tmp = container_of(ctmp, struct rsc, h); 402 403 new->handle.len = tmp->handle.len; 404 tmp->handle.len = 0; 405 new->handle.data = tmp->handle.data; 406 tmp->handle.data = NULL; 407 new->mechctx = NULL; 408 init_svc_cred(&new->cred); 409} 410 411static void 412update_rsc(struct cache_head *cnew, struct cache_head *ctmp) 413{ 414 struct rsc *new = container_of(cnew, struct rsc, h); 415 struct rsc *tmp = container_of(ctmp, struct rsc, h); 416 417 new->mechctx = tmp->mechctx; 418 tmp->mechctx = NULL; 419 memset(&new->seqdata, 0, sizeof(new->seqdata)); 420 spin_lock_init(&new->seqdata.sd_lock); 421 new->cred = tmp->cred; 422 init_svc_cred(&tmp->cred); 423} 424 425static struct cache_head * 426rsc_alloc(void) 427{ 428 struct rsc *rsci = kmalloc(sizeof(*rsci), GFP_KERNEL); 429 if (rsci) 430 return &rsci->h; 431 else 432 return NULL; 433} 434 435static int rsc_upcall(struct cache_detail *cd, struct cache_head *h) 436{ 437 return -EINVAL; 438} 439 440static int rsc_parse(struct cache_detail *cd, 441 char *mesg, int mlen) 442{ 443 /* contexthandle expiry [ uid gid N <n gids> mechname ...mechdata... ] */ 444 char *buf = mesg; 445 int id; 446 int len, rv; 447 struct rsc rsci, *rscp = NULL; 448 time64_t expiry; 449 int status = -EINVAL; 450 struct gss_api_mech *gm = NULL; 451 452 memset(&rsci, 0, sizeof(rsci)); 453 /* context handle */ 454 len = qword_get(&mesg, buf, mlen); 455 if (len < 0) goto out; 456 status = -ENOMEM; 457 if (dup_to_netobj(&rsci.handle, buf, len)) 458 goto out; 459 460 rsci.h.flags = 0; 461 /* expiry */ 462 expiry = get_expiry(&mesg); 463 status = -EINVAL; 464 if (expiry == 0) 465 goto out; 466 467 rscp = rsc_lookup(cd, &rsci); 468 if (!rscp) 469 goto out; 470 471 /* uid, or NEGATIVE */ 472 rv = get_int(&mesg, &id); 473 if (rv == -EINVAL) 474 goto out; 475 if (rv == -ENOENT) 476 set_bit(CACHE_NEGATIVE, &rsci.h.flags); 477 else { 478 int N, i; 479 480 /* 481 * NOTE: we skip uid_valid()/gid_valid() checks here: 482 * instead, * -1 id's are later mapped to the 483 * (export-specific) anonymous id by nfsd_setuser. 484 * 485 * (But supplementary gid's get no such special 486 * treatment so are checked for validity here.) 487 */ 488 /* uid */ 489 rsci.cred.cr_uid = make_kuid(current_user_ns(), id); 490 491 /* gid */ 492 if (get_int(&mesg, &id)) 493 goto out; 494 rsci.cred.cr_gid = make_kgid(current_user_ns(), id); 495 496 /* number of additional gid's */ 497 if (get_int(&mesg, &N)) 498 goto out; 499 if (N < 0 || N > NGROUPS_MAX) 500 goto out; 501 status = -ENOMEM; 502 rsci.cred.cr_group_info = groups_alloc(N); 503 if (rsci.cred.cr_group_info == NULL) 504 goto out; 505 506 /* gid's */ 507 status = -EINVAL; 508 for (i=0; i<N; i++) { 509 kgid_t kgid; 510 if (get_int(&mesg, &id)) 511 goto out; 512 kgid = make_kgid(current_user_ns(), id); 513 if (!gid_valid(kgid)) 514 goto out; 515 rsci.cred.cr_group_info->gid[i] = kgid; 516 } 517 groups_sort(rsci.cred.cr_group_info); 518 519 /* mech name */ 520 len = qword_get(&mesg, buf, mlen); 521 if (len < 0) 522 goto out; 523 gm = rsci.cred.cr_gss_mech = gss_mech_get_by_name(buf); 524 status = -EOPNOTSUPP; 525 if (!gm) 526 goto out; 527 528 status = -EINVAL; 529 /* mech-specific data: */ 530 len = qword_get(&mesg, buf, mlen); 531 if (len < 0) 532 goto out; 533 status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, 534 NULL, GFP_KERNEL); 535 if (status) 536 goto out; 537 538 /* get client name */ 539 len = qword_get(&mesg, buf, mlen); 540 if (len > 0) { 541 rsci.cred.cr_principal = kstrdup(buf, GFP_KERNEL); 542 if (!rsci.cred.cr_principal) { 543 status = -ENOMEM; 544 goto out; 545 } 546 } 547 548 } 549 rsci.h.expiry_time = expiry; 550 rscp = rsc_update(cd, &rsci, rscp); 551 status = 0; 552out: 553 rsc_free(&rsci); 554 if (rscp) 555 cache_put(&rscp->h, cd); 556 else 557 status = -ENOMEM; 558 return status; 559} 560 561static const struct cache_detail rsc_cache_template = { 562 .owner = THIS_MODULE, 563 .hash_size = RSC_HASHMAX, 564 .name = "auth.rpcsec.context", 565 .cache_put = rsc_put, 566 .cache_upcall = rsc_upcall, 567 .cache_parse = rsc_parse, 568 .match = rsc_match, 569 .init = rsc_init, 570 .update = update_rsc, 571 .alloc = rsc_alloc, 572}; 573 574static struct rsc *rsc_lookup(struct cache_detail *cd, struct rsc *item) 575{ 576 struct cache_head *ch; 577 int hash = rsc_hash(item); 578 579 ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash); 580 if (ch) 581 return container_of(ch, struct rsc, h); 582 else 583 return NULL; 584} 585 586static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct rsc *old) 587{ 588 struct cache_head *ch; 589 int hash = rsc_hash(new); 590 591 ch = sunrpc_cache_update(cd, &new->h, 592 &old->h, hash); 593 if (ch) 594 return container_of(ch, struct rsc, h); 595 else 596 return NULL; 597} 598 599 600static struct rsc * 601gss_svc_searchbyctx(struct cache_detail *cd, struct xdr_netobj *handle) 602{ 603 struct rsc rsci; 604 struct rsc *found; 605 606 memset(&rsci, 0, sizeof(rsci)); 607 if (dup_to_netobj(&rsci.handle, handle->data, handle->len)) 608 return NULL; 609 found = rsc_lookup(cd, &rsci); 610 rsc_free(&rsci); 611 if (!found) 612 return NULL; 613 if (cache_check(cd, &found->h, NULL)) 614 return NULL; 615 return found; 616} 617 618/** 619 * gss_check_seq_num - GSS sequence number window check 620 * @rqstp: RPC Call to use when reporting errors 621 * @rsci: cached GSS context state (updated on return) 622 * @seq_num: sequence number to check 623 * 624 * Implements sequence number algorithm as specified in 625 * RFC 2203, Section 5.3.3.1. "Context Management". 626 * 627 * Return values: 628 * %true: @rqstp's GSS sequence number is inside the window 629 * %false: @rqstp's GSS sequence number is outside the window 630 */ 631static bool gss_check_seq_num(const struct svc_rqst *rqstp, struct rsc *rsci, 632 u32 seq_num) 633{ 634 struct gss_svc_seq_data *sd = &rsci->seqdata; 635 bool result = false; 636 637 spin_lock(&sd->sd_lock); 638 if (seq_num > sd->sd_max) { 639 if (seq_num >= sd->sd_max + GSS_SEQ_WIN) { 640 memset(sd->sd_win, 0, sizeof(sd->sd_win)); 641 sd->sd_max = seq_num; 642 } else while (sd->sd_max < seq_num) { 643 sd->sd_max++; 644 __clear_bit(sd->sd_max % GSS_SEQ_WIN, sd->sd_win); 645 } 646 __set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win); 647 goto ok; 648 } else if (seq_num + GSS_SEQ_WIN <= sd->sd_max) { 649 goto toolow; 650 } 651 if (__test_and_set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win)) 652 goto alreadyseen; 653 654ok: 655 result = true; 656out: 657 spin_unlock(&sd->sd_lock); 658 return result; 659 660toolow: 661 trace_rpcgss_svc_seqno_low(rqstp, seq_num, 662 sd->sd_max - GSS_SEQ_WIN, 663 sd->sd_max); 664 goto out; 665alreadyseen: 666 trace_rpcgss_svc_seqno_seen(rqstp, seq_num); 667 goto out; 668} 669 670static inline u32 round_up_to_quad(u32 i) 671{ 672 return (i + 3 ) & ~3; 673} 674 675static inline int 676svc_safe_getnetobj(struct kvec *argv, struct xdr_netobj *o) 677{ 678 int l; 679 680 if (argv->iov_len < 4) 681 return -1; 682 o->len = svc_getnl(argv); 683 l = round_up_to_quad(o->len); 684 if (argv->iov_len < l) 685 return -1; 686 o->data = argv->iov_base; 687 argv->iov_base += l; 688 argv->iov_len -= l; 689 return 0; 690} 691 692static inline int 693svc_safe_putnetobj(struct kvec *resv, struct xdr_netobj *o) 694{ 695 u8 *p; 696 697 if (resv->iov_len + 4 > PAGE_SIZE) 698 return -1; 699 svc_putnl(resv, o->len); 700 p = resv->iov_base + resv->iov_len; 701 resv->iov_len += round_up_to_quad(o->len); 702 if (resv->iov_len > PAGE_SIZE) 703 return -1; 704 memcpy(p, o->data, o->len); 705 memset(p + o->len, 0, round_up_to_quad(o->len) - o->len); 706 return 0; 707} 708 709/* 710 * Verify the checksum on the header and return SVC_OK on success. 711 * Otherwise, return SVC_DROP (in the case of a bad sequence number) 712 * or return SVC_DENIED and indicate error in rqstp->rq_auth_stat. 713 */ 714static int 715gss_verify_header(struct svc_rqst *rqstp, struct rsc *rsci, 716 __be32 *rpcstart, struct rpc_gss_wire_cred *gc) 717{ 718 struct gss_ctx *ctx_id = rsci->mechctx; 719 struct xdr_buf rpchdr; 720 struct xdr_netobj checksum; 721 u32 flavor = 0; 722 struct kvec *argv = &rqstp->rq_arg.head[0]; 723 struct kvec iov; 724 725 /* data to compute the checksum over: */ 726 iov.iov_base = rpcstart; 727 iov.iov_len = (u8 *)argv->iov_base - (u8 *)rpcstart; 728 xdr_buf_from_iov(&iov, &rpchdr); 729 730 rqstp->rq_auth_stat = rpc_autherr_badverf; 731 if (argv->iov_len < 4) 732 return SVC_DENIED; 733 flavor = svc_getnl(argv); 734 if (flavor != RPC_AUTH_GSS) 735 return SVC_DENIED; 736 if (svc_safe_getnetobj(argv, &checksum)) 737 return SVC_DENIED; 738 739 if (rqstp->rq_deferred) /* skip verification of revisited request */ 740 return SVC_OK; 741 if (gss_verify_mic(ctx_id, &rpchdr, &checksum) != GSS_S_COMPLETE) { 742 rqstp->rq_auth_stat = rpcsec_gsserr_credproblem; 743 return SVC_DENIED; 744 } 745 746 if (gc->gc_seq > MAXSEQ) { 747 trace_rpcgss_svc_seqno_large(rqstp, gc->gc_seq); 748 rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem; 749 return SVC_DENIED; 750 } 751 if (!gss_check_seq_num(rqstp, rsci, gc->gc_seq)) 752 return SVC_DROP; 753 return SVC_OK; 754} 755 756static int 757gss_write_null_verf(struct svc_rqst *rqstp) 758{ 759 __be32 *p; 760 761 svc_putnl(rqstp->rq_res.head, RPC_AUTH_NULL); 762 p = rqstp->rq_res.head->iov_base + rqstp->rq_res.head->iov_len; 763 /* don't really need to check if head->iov_len > PAGE_SIZE ... */ 764 *p++ = 0; 765 if (!xdr_ressize_check(rqstp, p)) 766 return -1; 767 return 0; 768} 769 770static int 771gss_write_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq) 772{ 773 __be32 *xdr_seq; 774 u32 maj_stat; 775 struct xdr_buf verf_data; 776 struct xdr_netobj mic; 777 __be32 *p; 778 struct kvec iov; 779 int err = -1; 780 781 svc_putnl(rqstp->rq_res.head, RPC_AUTH_GSS); 782 xdr_seq = kmalloc(4, GFP_KERNEL); 783 if (!xdr_seq) 784 return -ENOMEM; 785 *xdr_seq = htonl(seq); 786 787 iov.iov_base = xdr_seq; 788 iov.iov_len = 4; 789 xdr_buf_from_iov(&iov, &verf_data); 790 p = rqstp->rq_res.head->iov_base + rqstp->rq_res.head->iov_len; 791 mic.data = (u8 *)(p + 1); 792 maj_stat = gss_get_mic(ctx_id, &verf_data, &mic); 793 if (maj_stat != GSS_S_COMPLETE) 794 goto out; 795 *p++ = htonl(mic.len); 796 memset((u8 *)p + mic.len, 0, round_up_to_quad(mic.len) - mic.len); 797 p += XDR_QUADLEN(mic.len); 798 if (!xdr_ressize_check(rqstp, p)) 799 goto out; 800 err = 0; 801out: 802 kfree(xdr_seq); 803 return err; 804} 805 806struct gss_domain { 807 struct auth_domain h; 808 u32 pseudoflavor; 809}; 810 811static struct auth_domain * 812find_gss_auth_domain(struct gss_ctx *ctx, u32 svc) 813{ 814 char *name; 815 816 name = gss_service_to_auth_domain_name(ctx->mech_type, svc); 817 if (!name) 818 return NULL; 819 return auth_domain_find(name); 820} 821 822static struct auth_ops svcauthops_gss; 823 824u32 svcauth_gss_flavor(struct auth_domain *dom) 825{ 826 struct gss_domain *gd = container_of(dom, struct gss_domain, h); 827 828 return gd->pseudoflavor; 829} 830 831EXPORT_SYMBOL_GPL(svcauth_gss_flavor); 832 833struct auth_domain * 834svcauth_gss_register_pseudoflavor(u32 pseudoflavor, char * name) 835{ 836 struct gss_domain *new; 837 struct auth_domain *test; 838 int stat = -ENOMEM; 839 840 new = kmalloc(sizeof(*new), GFP_KERNEL); 841 if (!new) 842 goto out; 843 kref_init(&new->h.ref); 844 new->h.name = kstrdup(name, GFP_KERNEL); 845 if (!new->h.name) 846 goto out_free_dom; 847 new->h.flavour = &svcauthops_gss; 848 new->pseudoflavor = pseudoflavor; 849 850 test = auth_domain_lookup(name, &new->h); 851 if (test != &new->h) { 852 pr_warn("svc: duplicate registration of gss pseudo flavour %s.\n", 853 name); 854 stat = -EADDRINUSE; 855 auth_domain_put(test); 856 goto out_free_name; 857 } 858 return test; 859 860out_free_name: 861 kfree(new->h.name); 862out_free_dom: 863 kfree(new); 864out: 865 return ERR_PTR(stat); 866} 867EXPORT_SYMBOL_GPL(svcauth_gss_register_pseudoflavor); 868 869static inline int 870read_u32_from_xdr_buf(struct xdr_buf *buf, int base, u32 *obj) 871{ 872 __be32 raw; 873 int status; 874 875 status = read_bytes_from_xdr_buf(buf, base, &raw, sizeof(*obj)); 876 if (status) 877 return status; 878 *obj = ntohl(raw); 879 return 0; 880} 881 882/* It would be nice if this bit of code could be shared with the client. 883 * Obstacles: 884 * The client shouldn't malloc(), would have to pass in own memory. 885 * The server uses base of head iovec as read pointer, while the 886 * client uses separate pointer. */ 887static int 888unwrap_integ_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gss_ctx *ctx) 889{ 890 u32 integ_len, rseqno, maj_stat; 891 int stat = -EINVAL; 892 struct xdr_netobj mic; 893 struct xdr_buf integ_buf; 894 895 mic.data = NULL; 896 897 /* NFS READ normally uses splice to send data in-place. However 898 * the data in cache can change after the reply's MIC is computed 899 * but before the RPC reply is sent. To prevent the client from 900 * rejecting the server-computed MIC in this somewhat rare case, 901 * do not use splice with the GSS integrity service. 902 */ 903 __clear_bit(RQ_SPLICE_OK, &rqstp->rq_flags); 904 905 /* Did we already verify the signature on the original pass through? */ 906 if (rqstp->rq_deferred) 907 return 0; 908 909 integ_len = svc_getnl(&buf->head[0]); 910 if (integ_len & 3) 911 goto unwrap_failed; 912 if (integ_len > buf->len) 913 goto unwrap_failed; 914 if (xdr_buf_subsegment(buf, &integ_buf, 0, integ_len)) 915 goto unwrap_failed; 916 917 /* copy out mic... */ 918 if (read_u32_from_xdr_buf(buf, integ_len, &mic.len)) 919 goto unwrap_failed; 920 if (mic.len > RPC_MAX_AUTH_SIZE) 921 goto unwrap_failed; 922 mic.data = kmalloc(mic.len, GFP_KERNEL); 923 if (!mic.data) 924 goto unwrap_failed; 925 if (read_bytes_from_xdr_buf(buf, integ_len + 4, mic.data, mic.len)) 926 goto unwrap_failed; 927 maj_stat = gss_verify_mic(ctx, &integ_buf, &mic); 928 if (maj_stat != GSS_S_COMPLETE) 929 goto bad_mic; 930 rseqno = svc_getnl(&buf->head[0]); 931 if (rseqno != seq) 932 goto bad_seqno; 933 /* trim off the mic and padding at the end before returning */ 934 xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4); 935 stat = 0; 936out: 937 kfree(mic.data); 938 return stat; 939 940unwrap_failed: 941 trace_rpcgss_svc_unwrap_failed(rqstp); 942 goto out; 943bad_seqno: 944 trace_rpcgss_svc_seqno_bad(rqstp, seq, rseqno); 945 goto out; 946bad_mic: 947 trace_rpcgss_svc_mic(rqstp, maj_stat); 948 goto out; 949} 950 951static inline int 952total_buf_len(struct xdr_buf *buf) 953{ 954 return buf->head[0].iov_len + buf->page_len + buf->tail[0].iov_len; 955} 956 957static void 958fix_priv_head(struct xdr_buf *buf, int pad) 959{ 960 if (buf->page_len == 0) { 961 /* We need to adjust head and buf->len in tandem in this 962 * case to make svc_defer() work--it finds the original 963 * buffer start using buf->len - buf->head[0].iov_len. */ 964 buf->head[0].iov_len -= pad; 965 } 966} 967 968static int 969unwrap_priv_data(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq, struct gss_ctx *ctx) 970{ 971 u32 priv_len, maj_stat; 972 int pad, remaining_len, offset; 973 u32 rseqno; 974 975 __clear_bit(RQ_SPLICE_OK, &rqstp->rq_flags); 976 977 priv_len = svc_getnl(&buf->head[0]); 978 if (rqstp->rq_deferred) { 979 /* Already decrypted last time through! The sequence number 980 * check at out_seq is unnecessary but harmless: */ 981 goto out_seq; 982 } 983 /* buf->len is the number of bytes from the original start of the 984 * request to the end, where head[0].iov_len is just the bytes 985 * not yet read from the head, so these two values are different: */ 986 remaining_len = total_buf_len(buf); 987 if (priv_len > remaining_len) 988 goto unwrap_failed; 989 pad = remaining_len - priv_len; 990 buf->len -= pad; 991 fix_priv_head(buf, pad); 992 993 maj_stat = gss_unwrap(ctx, 0, priv_len, buf); 994 pad = priv_len - buf->len; 995 /* The upper layers assume the buffer is aligned on 4-byte boundaries. 996 * In the krb5p case, at least, the data ends up offset, so we need to 997 * move it around. */ 998 /* XXX: This is very inefficient. It would be better to either do 999 * this while we encrypt, or maybe in the receive code, if we can peak 1000 * ahead and work out the service and mechanism there. */ 1001 offset = xdr_pad_size(buf->head[0].iov_len); 1002 if (offset) { 1003 buf->buflen = RPCSVC_MAXPAYLOAD; 1004 xdr_shift_buf(buf, offset); 1005 fix_priv_head(buf, pad); 1006 } 1007 if (maj_stat != GSS_S_COMPLETE) 1008 goto bad_unwrap; 1009out_seq: 1010 rseqno = svc_getnl(&buf->head[0]); 1011 if (rseqno != seq) 1012 goto bad_seqno; 1013 return 0; 1014 1015unwrap_failed: 1016 trace_rpcgss_svc_unwrap_failed(rqstp); 1017 return -EINVAL; 1018bad_seqno: 1019 trace_rpcgss_svc_seqno_bad(rqstp, seq, rseqno); 1020 return -EINVAL; 1021bad_unwrap: 1022 trace_rpcgss_svc_unwrap(rqstp, maj_stat); 1023 return -EINVAL; 1024} 1025 1026struct gss_svc_data { 1027 /* decoded gss client cred: */ 1028 struct rpc_gss_wire_cred clcred; 1029 /* save a pointer to the beginning of the encoded verifier, 1030 * for use in encryption/checksumming in svcauth_gss_release: */ 1031 __be32 *verf_start; 1032 struct rsc *rsci; 1033}; 1034 1035static int 1036svcauth_gss_set_client(struct svc_rqst *rqstp) 1037{ 1038 struct gss_svc_data *svcdata = rqstp->rq_auth_data; 1039 struct rsc *rsci = svcdata->rsci; 1040 struct rpc_gss_wire_cred *gc = &svcdata->clcred; 1041 int stat; 1042 1043 rqstp->rq_auth_stat = rpc_autherr_badcred; 1044 1045 /* 1046 * A gss export can be specified either by: 1047 * export *(sec=krb5,rw) 1048 * or by 1049 * export gss/krb5(rw) 1050 * The latter is deprecated; but for backwards compatibility reasons 1051 * the nfsd code will still fall back on trying it if the former 1052 * doesn't work; so we try to make both available to nfsd, below. 1053 */ 1054 rqstp->rq_gssclient = find_gss_auth_domain(rsci->mechctx, gc->gc_svc); 1055 if (rqstp->rq_gssclient == NULL) 1056 return SVC_DENIED; 1057 stat = svcauth_unix_set_client(rqstp); 1058 if (stat == SVC_DROP || stat == SVC_CLOSE) 1059 return stat; 1060 1061 rqstp->rq_auth_stat = rpc_auth_ok; 1062 return SVC_OK; 1063} 1064 1065static inline int 1066gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, 1067 struct xdr_netobj *out_handle, int *major_status) 1068{ 1069 struct rsc *rsci; 1070 int rc; 1071 1072 if (*major_status != GSS_S_COMPLETE) 1073 return gss_write_null_verf(rqstp); 1074 rsci = gss_svc_searchbyctx(cd, out_handle); 1075 if (rsci == NULL) { 1076 *major_status = GSS_S_NO_CONTEXT; 1077 return gss_write_null_verf(rqstp); 1078 } 1079 rc = gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN); 1080 cache_put(&rsci->h, cd); 1081 return rc; 1082} 1083 1084static inline int 1085gss_read_common_verf(struct rpc_gss_wire_cred *gc, 1086 struct kvec *argv, __be32 *authp, 1087 struct xdr_netobj *in_handle) 1088{ 1089 /* Read the verifier; should be NULL: */ 1090 *authp = rpc_autherr_badverf; 1091 if (argv->iov_len < 2 * 4) 1092 return SVC_DENIED; 1093 if (svc_getnl(argv) != RPC_AUTH_NULL) 1094 return SVC_DENIED; 1095 if (svc_getnl(argv) != 0) 1096 return SVC_DENIED; 1097 /* Martial context handle and token for upcall: */ 1098 *authp = rpc_autherr_badcred; 1099 if (gc->gc_proc == RPC_GSS_PROC_INIT && gc->gc_ctx.len != 0) 1100 return SVC_DENIED; 1101 if (dup_netobj(in_handle, &gc->gc_ctx)) 1102 return SVC_CLOSE; 1103 *authp = rpc_autherr_badverf; 1104 1105 return 0; 1106} 1107 1108static inline int 1109gss_read_verf(struct rpc_gss_wire_cred *gc, 1110 struct kvec *argv, __be32 *authp, 1111 struct xdr_netobj *in_handle, 1112 struct xdr_netobj *in_token) 1113{ 1114 struct xdr_netobj tmpobj; 1115 int res; 1116 1117 res = gss_read_common_verf(gc, argv, authp, in_handle); 1118 if (res) 1119 return res; 1120 1121 if (svc_safe_getnetobj(argv, &tmpobj)) { 1122 kfree(in_handle->data); 1123 return SVC_DENIED; 1124 } 1125 if (dup_netobj(in_token, &tmpobj)) { 1126 kfree(in_handle->data); 1127 return SVC_CLOSE; 1128 } 1129 1130 return 0; 1131} 1132 1133static void gss_free_in_token_pages(struct gssp_in_token *in_token) 1134{ 1135 u32 inlen; 1136 int i; 1137 1138 i = 0; 1139 inlen = in_token->page_len; 1140 while (inlen) { 1141 if (in_token->pages[i]) 1142 put_page(in_token->pages[i]); 1143 inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen; 1144 } 1145 1146 kfree(in_token->pages); 1147 in_token->pages = NULL; 1148} 1149 1150static int gss_read_proxy_verf(struct svc_rqst *rqstp, 1151 struct rpc_gss_wire_cred *gc, 1152 struct xdr_netobj *in_handle, 1153 struct gssp_in_token *in_token) 1154{ 1155 struct kvec *argv = &rqstp->rq_arg.head[0]; 1156 unsigned int length, pgto_offs, pgfrom_offs; 1157 int pages, i, res, pgto, pgfrom; 1158 size_t inlen, to_offs, from_offs; 1159 1160 res = gss_read_common_verf(gc, argv, &rqstp->rq_auth_stat, in_handle); 1161 if (res) 1162 return res; 1163 1164 inlen = svc_getnl(argv); 1165 if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) 1166 return SVC_DENIED; 1167 1168 pages = DIV_ROUND_UP(inlen, PAGE_SIZE); 1169 in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL); 1170 if (!in_token->pages) 1171 return SVC_DENIED; 1172 in_token->page_base = 0; 1173 in_token->page_len = inlen; 1174 for (i = 0; i < pages; i++) { 1175 in_token->pages[i] = alloc_page(GFP_KERNEL); 1176 if (!in_token->pages[i]) { 1177 gss_free_in_token_pages(in_token); 1178 return SVC_DENIED; 1179 } 1180 } 1181 1182 length = min_t(unsigned int, inlen, argv->iov_len); 1183 memcpy(page_address(in_token->pages[0]), argv->iov_base, length); 1184 inlen -= length; 1185 1186 to_offs = length; 1187 from_offs = rqstp->rq_arg.page_base; 1188 while (inlen) { 1189 pgto = to_offs >> PAGE_SHIFT; 1190 pgfrom = from_offs >> PAGE_SHIFT; 1191 pgto_offs = to_offs & ~PAGE_MASK; 1192 pgfrom_offs = from_offs & ~PAGE_MASK; 1193 1194 length = min_t(unsigned int, inlen, 1195 min_t(unsigned int, PAGE_SIZE - pgto_offs, 1196 PAGE_SIZE - pgfrom_offs)); 1197 memcpy(page_address(in_token->pages[pgto]) + pgto_offs, 1198 page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs, 1199 length); 1200 1201 to_offs += length; 1202 from_offs += length; 1203 inlen -= length; 1204 } 1205 return 0; 1206} 1207 1208static inline int 1209gss_write_resv(struct kvec *resv, size_t size_limit, 1210 struct xdr_netobj *out_handle, struct xdr_netobj *out_token, 1211 int major_status, int minor_status) 1212{ 1213 if (resv->iov_len + 4 > size_limit) 1214 return -1; 1215 svc_putnl(resv, RPC_SUCCESS); 1216 if (svc_safe_putnetobj(resv, out_handle)) 1217 return -1; 1218 if (resv->iov_len + 3 * 4 > size_limit) 1219 return -1; 1220 svc_putnl(resv, major_status); 1221 svc_putnl(resv, minor_status); 1222 svc_putnl(resv, GSS_SEQ_WIN); 1223 if (svc_safe_putnetobj(resv, out_token)) 1224 return -1; 1225 return 0; 1226} 1227 1228/* 1229 * Having read the cred already and found we're in the context 1230 * initiation case, read the verifier and initiate (or check the results 1231 * of) upcalls to userspace for help with context initiation. If 1232 * the upcall results are available, write the verifier and result. 1233 * Otherwise, drop the request pending an answer to the upcall. 1234 */ 1235static int svcauth_gss_legacy_init(struct svc_rqst *rqstp, 1236 struct rpc_gss_wire_cred *gc) 1237{ 1238 struct kvec *argv = &rqstp->rq_arg.head[0]; 1239 struct kvec *resv = &rqstp->rq_res.head[0]; 1240 struct rsi *rsip, rsikey; 1241 int ret; 1242 struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id); 1243 1244 memset(&rsikey, 0, sizeof(rsikey)); 1245 ret = gss_read_verf(gc, argv, &rqstp->rq_auth_stat, 1246 &rsikey.in_handle, &rsikey.in_token); 1247 if (ret) 1248 return ret; 1249 1250 /* Perform upcall, or find upcall result: */ 1251 rsip = rsi_lookup(sn->rsi_cache, &rsikey); 1252 rsi_free(&rsikey); 1253 if (!rsip) 1254 return SVC_CLOSE; 1255 if (cache_check(sn->rsi_cache, &rsip->h, &rqstp->rq_chandle) < 0) 1256 /* No upcall result: */ 1257 return SVC_CLOSE; 1258 1259 ret = SVC_CLOSE; 1260 /* Got an answer to the upcall; use it: */ 1261 if (gss_write_init_verf(sn->rsc_cache, rqstp, 1262 &rsip->out_handle, &rsip->major_status)) 1263 goto out; 1264 if (gss_write_resv(resv, PAGE_SIZE, 1265 &rsip->out_handle, &rsip->out_token, 1266 rsip->major_status, rsip->minor_status)) 1267 goto out; 1268 1269 ret = SVC_COMPLETE; 1270out: 1271 cache_put(&rsip->h, sn->rsi_cache); 1272 return ret; 1273} 1274 1275static int gss_proxy_save_rsc(struct cache_detail *cd, 1276 struct gssp_upcall_data *ud, 1277 uint64_t *handle) 1278{ 1279 struct rsc rsci, *rscp = NULL; 1280 static atomic64_t ctxhctr; 1281 long long ctxh; 1282 struct gss_api_mech *gm = NULL; 1283 time64_t expiry; 1284 int status; 1285 1286 memset(&rsci, 0, sizeof(rsci)); 1287 /* context handle */ 1288 status = -ENOMEM; 1289 /* the handle needs to be just a unique id, 1290 * use a static counter */ 1291 ctxh = atomic64_inc_return(&ctxhctr); 1292 1293 /* make a copy for the caller */ 1294 *handle = ctxh; 1295 1296 /* make a copy for the rsc cache */ 1297 if (dup_to_netobj(&rsci.handle, (char *)handle, sizeof(uint64_t))) 1298 goto out; 1299 rscp = rsc_lookup(cd, &rsci); 1300 if (!rscp) 1301 goto out; 1302 1303 /* creds */ 1304 if (!ud->found_creds) { 1305 /* userspace seem buggy, we should always get at least a 1306 * mapping to nobody */ 1307 goto out; 1308 } else { 1309 struct timespec64 boot; 1310 1311 /* steal creds */ 1312 rsci.cred = ud->creds; 1313 memset(&ud->creds, 0, sizeof(struct svc_cred)); 1314 1315 status = -EOPNOTSUPP; 1316 /* get mech handle from OID */ 1317 gm = gss_mech_get_by_OID(&ud->mech_oid); 1318 if (!gm) 1319 goto out; 1320 rsci.cred.cr_gss_mech = gm; 1321 1322 status = -EINVAL; 1323 /* mech-specific data: */ 1324 status = gss_import_sec_context(ud->out_handle.data, 1325 ud->out_handle.len, 1326 gm, &rsci.mechctx, 1327 &expiry, GFP_KERNEL); 1328 if (status) 1329 goto out; 1330 1331 getboottime64(&boot); 1332 expiry -= boot.tv_sec; 1333 } 1334 1335 rsci.h.expiry_time = expiry; 1336 rscp = rsc_update(cd, &rsci, rscp); 1337 status = 0; 1338out: 1339 rsc_free(&rsci); 1340 if (rscp) 1341 cache_put(&rscp->h, cd); 1342 else 1343 status = -ENOMEM; 1344 return status; 1345} 1346 1347static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, 1348 struct rpc_gss_wire_cred *gc) 1349{ 1350 struct kvec *resv = &rqstp->rq_res.head[0]; 1351 struct xdr_netobj cli_handle; 1352 struct gssp_upcall_data ud; 1353 uint64_t handle; 1354 int status; 1355 int ret; 1356 struct net *net = SVC_NET(rqstp); 1357 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1358 1359 memset(&ud, 0, sizeof(ud)); 1360 ret = gss_read_proxy_verf(rqstp, gc, &ud.in_handle, &ud.in_token); 1361 if (ret) 1362 return ret; 1363 1364 ret = SVC_CLOSE; 1365 1366 /* Perform synchronous upcall to gss-proxy */ 1367 status = gssp_accept_sec_context_upcall(net, &ud); 1368 if (status) 1369 goto out; 1370 1371 trace_rpcgss_svc_accept_upcall(rqstp, ud.major_status, ud.minor_status); 1372 1373 switch (ud.major_status) { 1374 case GSS_S_CONTINUE_NEEDED: 1375 cli_handle = ud.out_handle; 1376 break; 1377 case GSS_S_COMPLETE: 1378 status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &handle); 1379 if (status) 1380 goto out; 1381 cli_handle.data = (u8 *)&handle; 1382 cli_handle.len = sizeof(handle); 1383 break; 1384 default: 1385 goto out; 1386 } 1387 1388 /* Got an answer to the upcall; use it: */ 1389 if (gss_write_init_verf(sn->rsc_cache, rqstp, 1390 &cli_handle, &ud.major_status)) 1391 goto out; 1392 if (gss_write_resv(resv, PAGE_SIZE, 1393 &cli_handle, &ud.out_token, 1394 ud.major_status, ud.minor_status)) 1395 goto out; 1396 1397 ret = SVC_COMPLETE; 1398out: 1399 gss_free_in_token_pages(&ud.in_token); 1400 gssp_free_upcall_data(&ud); 1401 return ret; 1402} 1403 1404/* 1405 * Try to set the sn->use_gss_proxy variable to a new value. We only allow 1406 * it to be changed if it's currently undefined (-1). If it's any other value 1407 * then return -EBUSY unless the type wouldn't have changed anyway. 1408 */ 1409static int set_gss_proxy(struct net *net, int type) 1410{ 1411 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1412 int ret; 1413 1414 WARN_ON_ONCE(type != 0 && type != 1); 1415 ret = cmpxchg(&sn->use_gss_proxy, -1, type); 1416 if (ret != -1 && ret != type) 1417 return -EBUSY; 1418 return 0; 1419} 1420 1421static bool use_gss_proxy(struct net *net) 1422{ 1423 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1424 1425 /* If use_gss_proxy is still undefined, then try to disable it */ 1426 if (sn->use_gss_proxy == -1) 1427 set_gss_proxy(net, 0); 1428 return sn->use_gss_proxy; 1429} 1430 1431#ifdef CONFIG_PROC_FS 1432 1433static ssize_t write_gssp(struct file *file, const char __user *buf, 1434 size_t count, loff_t *ppos) 1435{ 1436 struct net *net = pde_data(file_inode(file)); 1437 char tbuf[20]; 1438 unsigned long i; 1439 int res; 1440 1441 if (*ppos || count > sizeof(tbuf)-1) 1442 return -EINVAL; 1443 if (copy_from_user(tbuf, buf, count)) 1444 return -EFAULT; 1445 1446 tbuf[count] = 0; 1447 res = kstrtoul(tbuf, 0, &i); 1448 if (res) 1449 return res; 1450 if (i != 1) 1451 return -EINVAL; 1452 res = set_gssp_clnt(net); 1453 if (res) 1454 return res; 1455 res = set_gss_proxy(net, 1); 1456 if (res) 1457 return res; 1458 return count; 1459} 1460 1461static ssize_t read_gssp(struct file *file, char __user *buf, 1462 size_t count, loff_t *ppos) 1463{ 1464 struct net *net = pde_data(file_inode(file)); 1465 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1466 unsigned long p = *ppos; 1467 char tbuf[10]; 1468 size_t len; 1469 1470 snprintf(tbuf, sizeof(tbuf), "%d\n", sn->use_gss_proxy); 1471 len = strlen(tbuf); 1472 if (p >= len) 1473 return 0; 1474 len -= p; 1475 if (len > count) 1476 len = count; 1477 if (copy_to_user(buf, (void *)(tbuf+p), len)) 1478 return -EFAULT; 1479 *ppos += len; 1480 return len; 1481} 1482 1483static const struct proc_ops use_gss_proxy_proc_ops = { 1484 .proc_open = nonseekable_open, 1485 .proc_write = write_gssp, 1486 .proc_read = read_gssp, 1487}; 1488 1489static int create_use_gss_proxy_proc_entry(struct net *net) 1490{ 1491 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1492 struct proc_dir_entry **p = &sn->use_gssp_proc; 1493 1494 sn->use_gss_proxy = -1; 1495 *p = proc_create_data("use-gss-proxy", S_IFREG | 0600, 1496 sn->proc_net_rpc, 1497 &use_gss_proxy_proc_ops, net); 1498 if (!*p) 1499 return -ENOMEM; 1500 init_gssp_clnt(sn); 1501 return 0; 1502} 1503 1504static void destroy_use_gss_proxy_proc_entry(struct net *net) 1505{ 1506 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1507 1508 if (sn->use_gssp_proc) { 1509 remove_proc_entry("use-gss-proxy", sn->proc_net_rpc); 1510 clear_gssp_clnt(sn); 1511 } 1512} 1513#else /* CONFIG_PROC_FS */ 1514 1515static int create_use_gss_proxy_proc_entry(struct net *net) 1516{ 1517 return 0; 1518} 1519 1520static void destroy_use_gss_proxy_proc_entry(struct net *net) {} 1521 1522#endif /* CONFIG_PROC_FS */ 1523 1524/* 1525 * Accept an rpcsec packet. 1526 * If context establishment, punt to user space 1527 * If data exchange, verify/decrypt 1528 * If context destruction, handle here 1529 * In the context establishment and destruction case we encode 1530 * response here and return SVC_COMPLETE. 1531 */ 1532static int 1533svcauth_gss_accept(struct svc_rqst *rqstp) 1534{ 1535 struct kvec *argv = &rqstp->rq_arg.head[0]; 1536 struct kvec *resv = &rqstp->rq_res.head[0]; 1537 u32 crlen; 1538 struct gss_svc_data *svcdata = rqstp->rq_auth_data; 1539 struct rpc_gss_wire_cred *gc; 1540 struct rsc *rsci = NULL; 1541 __be32 *rpcstart; 1542 __be32 *reject_stat = resv->iov_base + resv->iov_len; 1543 int ret; 1544 struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id); 1545 1546 rqstp->rq_auth_stat = rpc_autherr_badcred; 1547 if (!svcdata) 1548 svcdata = kmalloc(sizeof(*svcdata), GFP_KERNEL); 1549 if (!svcdata) 1550 goto auth_err; 1551 rqstp->rq_auth_data = svcdata; 1552 svcdata->verf_start = NULL; 1553 svcdata->rsci = NULL; 1554 gc = &svcdata->clcred; 1555 1556 /* start of rpc packet is 7 u32's back from here: 1557 * xid direction rpcversion prog vers proc flavour 1558 */ 1559 rpcstart = argv->iov_base; 1560 rpcstart -= 7; 1561 1562 /* credential is: 1563 * version(==1), proc(0,1,2,3), seq, service (1,2,3), handle 1564 * at least 5 u32s, and is preceded by length, so that makes 6. 1565 */ 1566 1567 if (argv->iov_len < 5 * 4) 1568 goto auth_err; 1569 crlen = svc_getnl(argv); 1570 if (svc_getnl(argv) != RPC_GSS_VERSION) 1571 goto auth_err; 1572 gc->gc_proc = svc_getnl(argv); 1573 gc->gc_seq = svc_getnl(argv); 1574 gc->gc_svc = svc_getnl(argv); 1575 if (svc_safe_getnetobj(argv, &gc->gc_ctx)) 1576 goto auth_err; 1577 if (crlen != round_up_to_quad(gc->gc_ctx.len) + 5 * 4) 1578 goto auth_err; 1579 1580 if ((gc->gc_proc != RPC_GSS_PROC_DATA) && (rqstp->rq_proc != 0)) 1581 goto auth_err; 1582 1583 rqstp->rq_auth_stat = rpc_autherr_badverf; 1584 switch (gc->gc_proc) { 1585 case RPC_GSS_PROC_INIT: 1586 case RPC_GSS_PROC_CONTINUE_INIT: 1587 if (use_gss_proxy(SVC_NET(rqstp))) 1588 return svcauth_gss_proxy_init(rqstp, gc); 1589 else 1590 return svcauth_gss_legacy_init(rqstp, gc); 1591 case RPC_GSS_PROC_DATA: 1592 case RPC_GSS_PROC_DESTROY: 1593 /* Look up the context, and check the verifier: */ 1594 rqstp->rq_auth_stat = rpcsec_gsserr_credproblem; 1595 rsci = gss_svc_searchbyctx(sn->rsc_cache, &gc->gc_ctx); 1596 if (!rsci) 1597 goto auth_err; 1598 switch (gss_verify_header(rqstp, rsci, rpcstart, gc)) { 1599 case SVC_OK: 1600 break; 1601 case SVC_DENIED: 1602 goto auth_err; 1603 case SVC_DROP: 1604 goto drop; 1605 } 1606 break; 1607 default: 1608 rqstp->rq_auth_stat = rpc_autherr_rejectedcred; 1609 goto auth_err; 1610 } 1611 1612 /* now act upon the command: */ 1613 switch (gc->gc_proc) { 1614 case RPC_GSS_PROC_DESTROY: 1615 if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq)) 1616 goto auth_err; 1617 /* Delete the entry from the cache_list and call cache_put */ 1618 sunrpc_cache_unhash(sn->rsc_cache, &rsci->h); 1619 if (resv->iov_len + 4 > PAGE_SIZE) 1620 goto drop; 1621 svc_putnl(resv, RPC_SUCCESS); 1622 goto complete; 1623 case RPC_GSS_PROC_DATA: 1624 rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem; 1625 svcdata->verf_start = resv->iov_base + resv->iov_len; 1626 if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq)) 1627 goto auth_err; 1628 rqstp->rq_cred = rsci->cred; 1629 get_group_info(rsci->cred.cr_group_info); 1630 rqstp->rq_auth_stat = rpc_autherr_badcred; 1631 switch (gc->gc_svc) { 1632 case RPC_GSS_SVC_NONE: 1633 break; 1634 case RPC_GSS_SVC_INTEGRITY: 1635 /* placeholders for length and seq. number: */ 1636 svc_putnl(resv, 0); 1637 svc_putnl(resv, 0); 1638 if (unwrap_integ_data(rqstp, &rqstp->rq_arg, 1639 gc->gc_seq, rsci->mechctx)) 1640 goto garbage_args; 1641 rqstp->rq_auth_slack = RPC_MAX_AUTH_SIZE; 1642 break; 1643 case RPC_GSS_SVC_PRIVACY: 1644 /* placeholders for length and seq. number: */ 1645 svc_putnl(resv, 0); 1646 svc_putnl(resv, 0); 1647 if (unwrap_priv_data(rqstp, &rqstp->rq_arg, 1648 gc->gc_seq, rsci->mechctx)) 1649 goto garbage_args; 1650 rqstp->rq_auth_slack = RPC_MAX_AUTH_SIZE * 2; 1651 break; 1652 default: 1653 goto auth_err; 1654 } 1655 svcdata->rsci = rsci; 1656 cache_get(&rsci->h); 1657 rqstp->rq_cred.cr_flavor = gss_svc_to_pseudoflavor( 1658 rsci->mechctx->mech_type, 1659 GSS_C_QOP_DEFAULT, 1660 gc->gc_svc); 1661 ret = SVC_OK; 1662 trace_rpcgss_svc_authenticate(rqstp, gc); 1663 goto out; 1664 } 1665garbage_args: 1666 ret = SVC_GARBAGE; 1667 goto out; 1668auth_err: 1669 /* Restore write pointer to its original value: */ 1670 xdr_ressize_check(rqstp, reject_stat); 1671 ret = SVC_DENIED; 1672 goto out; 1673complete: 1674 ret = SVC_COMPLETE; 1675 goto out; 1676drop: 1677 ret = SVC_CLOSE; 1678out: 1679 if (rsci) 1680 cache_put(&rsci->h, sn->rsc_cache); 1681 return ret; 1682} 1683 1684static __be32 * 1685svcauth_gss_prepare_to_wrap(struct xdr_buf *resbuf, struct gss_svc_data *gsd) 1686{ 1687 __be32 *p; 1688 u32 verf_len; 1689 1690 p = gsd->verf_start; 1691 gsd->verf_start = NULL; 1692 1693 /* If the reply stat is nonzero, don't wrap: */ 1694 if (*(p-1) != rpc_success) 1695 return NULL; 1696 /* Skip the verifier: */ 1697 p += 1; 1698 verf_len = ntohl(*p++); 1699 p += XDR_QUADLEN(verf_len); 1700 /* move accept_stat to right place: */ 1701 memcpy(p, p + 2, 4); 1702 /* Also don't wrap if the accept stat is nonzero: */ 1703 if (*p != rpc_success) { 1704 resbuf->head[0].iov_len -= 2 * 4; 1705 return NULL; 1706 } 1707 p++; 1708 return p; 1709} 1710 1711static inline int 1712svcauth_gss_wrap_resp_integ(struct svc_rqst *rqstp) 1713{ 1714 struct gss_svc_data *gsd = (struct gss_svc_data *)rqstp->rq_auth_data; 1715 struct rpc_gss_wire_cred *gc = &gsd->clcred; 1716 struct xdr_buf *resbuf = &rqstp->rq_res; 1717 struct xdr_buf integ_buf; 1718 struct xdr_netobj mic; 1719 struct kvec *resv; 1720 __be32 *p; 1721 int integ_offset, integ_len; 1722 int stat = -EINVAL; 1723 1724 p = svcauth_gss_prepare_to_wrap(resbuf, gsd); 1725 if (p == NULL) 1726 goto out; 1727 integ_offset = (u8 *)(p + 1) - (u8 *)resbuf->head[0].iov_base; 1728 integ_len = resbuf->len - integ_offset; 1729 if (integ_len & 3) 1730 goto out; 1731 *p++ = htonl(integ_len); 1732 *p++ = htonl(gc->gc_seq); 1733 if (xdr_buf_subsegment(resbuf, &integ_buf, integ_offset, integ_len)) { 1734 WARN_ON_ONCE(1); 1735 goto out_err; 1736 } 1737 if (resbuf->tail[0].iov_base == NULL) { 1738 if (resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE > PAGE_SIZE) 1739 goto out_err; 1740 resbuf->tail[0].iov_base = resbuf->head[0].iov_base 1741 + resbuf->head[0].iov_len; 1742 resbuf->tail[0].iov_len = 0; 1743 } 1744 resv = &resbuf->tail[0]; 1745 mic.data = (u8 *)resv->iov_base + resv->iov_len + 4; 1746 if (gss_get_mic(gsd->rsci->mechctx, &integ_buf, &mic)) 1747 goto out_err; 1748 svc_putnl(resv, mic.len); 1749 memset(mic.data + mic.len, 0, 1750 round_up_to_quad(mic.len) - mic.len); 1751 resv->iov_len += XDR_QUADLEN(mic.len) << 2; 1752 /* not strictly required: */ 1753 resbuf->len += XDR_QUADLEN(mic.len) << 2; 1754 if (resv->iov_len > PAGE_SIZE) 1755 goto out_err; 1756out: 1757 stat = 0; 1758out_err: 1759 return stat; 1760} 1761 1762static inline int 1763svcauth_gss_wrap_resp_priv(struct svc_rqst *rqstp) 1764{ 1765 struct gss_svc_data *gsd = (struct gss_svc_data *)rqstp->rq_auth_data; 1766 struct rpc_gss_wire_cred *gc = &gsd->clcred; 1767 struct xdr_buf *resbuf = &rqstp->rq_res; 1768 struct page **inpages = NULL; 1769 __be32 *p, *len; 1770 int offset; 1771 int pad; 1772 1773 p = svcauth_gss_prepare_to_wrap(resbuf, gsd); 1774 if (p == NULL) 1775 return 0; 1776 len = p++; 1777 offset = (u8 *)p - (u8 *)resbuf->head[0].iov_base; 1778 *p++ = htonl(gc->gc_seq); 1779 inpages = resbuf->pages; 1780 /* XXX: Would be better to write some xdr helper functions for 1781 * nfs{2,3,4}xdr.c that place the data right, instead of copying: */ 1782 1783 /* 1784 * If there is currently tail data, make sure there is 1785 * room for the head, tail, and 2 * RPC_MAX_AUTH_SIZE in 1786 * the page, and move the current tail data such that 1787 * there is RPC_MAX_AUTH_SIZE slack space available in 1788 * both the head and tail. 1789 */ 1790 if (resbuf->tail[0].iov_base) { 1791 if (resbuf->tail[0].iov_base >= 1792 resbuf->head[0].iov_base + PAGE_SIZE) 1793 return -EINVAL; 1794 if (resbuf->tail[0].iov_base < resbuf->head[0].iov_base) 1795 return -EINVAL; 1796 if (resbuf->tail[0].iov_len + resbuf->head[0].iov_len 1797 + 2 * RPC_MAX_AUTH_SIZE > PAGE_SIZE) 1798 return -ENOMEM; 1799 memmove(resbuf->tail[0].iov_base + RPC_MAX_AUTH_SIZE, 1800 resbuf->tail[0].iov_base, 1801 resbuf->tail[0].iov_len); 1802 resbuf->tail[0].iov_base += RPC_MAX_AUTH_SIZE; 1803 } 1804 /* 1805 * If there is no current tail data, make sure there is 1806 * room for the head data, and 2 * RPC_MAX_AUTH_SIZE in the 1807 * allotted page, and set up tail information such that there 1808 * is RPC_MAX_AUTH_SIZE slack space available in both the 1809 * head and tail. 1810 */ 1811 if (resbuf->tail[0].iov_base == NULL) { 1812 if (resbuf->head[0].iov_len + 2*RPC_MAX_AUTH_SIZE > PAGE_SIZE) 1813 return -ENOMEM; 1814 resbuf->tail[0].iov_base = resbuf->head[0].iov_base 1815 + resbuf->head[0].iov_len + RPC_MAX_AUTH_SIZE; 1816 resbuf->tail[0].iov_len = 0; 1817 } 1818 if (gss_wrap(gsd->rsci->mechctx, offset, resbuf, inpages)) 1819 return -ENOMEM; 1820 *len = htonl(resbuf->len - offset); 1821 pad = 3 - ((resbuf->len - offset - 1)&3); 1822 p = (__be32 *)(resbuf->tail[0].iov_base + resbuf->tail[0].iov_len); 1823 memset(p, 0, pad); 1824 resbuf->tail[0].iov_len += pad; 1825 resbuf->len += pad; 1826 return 0; 1827} 1828 1829static int 1830svcauth_gss_release(struct svc_rqst *rqstp) 1831{ 1832 struct gss_svc_data *gsd = (struct gss_svc_data *)rqstp->rq_auth_data; 1833 struct rpc_gss_wire_cred *gc; 1834 struct xdr_buf *resbuf = &rqstp->rq_res; 1835 int stat = -EINVAL; 1836 struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id); 1837 1838 if (!gsd) 1839 goto out; 1840 gc = &gsd->clcred; 1841 if (gc->gc_proc != RPC_GSS_PROC_DATA) 1842 goto out; 1843 /* Release can be called twice, but we only wrap once. */ 1844 if (gsd->verf_start == NULL) 1845 goto out; 1846 /* normally not set till svc_send, but we need it here: */ 1847 /* XXX: what for? Do we mess it up the moment we call svc_putu32 1848 * or whatever? */ 1849 resbuf->len = total_buf_len(resbuf); 1850 switch (gc->gc_svc) { 1851 case RPC_GSS_SVC_NONE: 1852 break; 1853 case RPC_GSS_SVC_INTEGRITY: 1854 stat = svcauth_gss_wrap_resp_integ(rqstp); 1855 if (stat) 1856 goto out_err; 1857 break; 1858 case RPC_GSS_SVC_PRIVACY: 1859 stat = svcauth_gss_wrap_resp_priv(rqstp); 1860 if (stat) 1861 goto out_err; 1862 break; 1863 /* 1864 * For any other gc_svc value, svcauth_gss_accept() already set 1865 * the auth_error appropriately; just fall through: 1866 */ 1867 } 1868 1869out: 1870 stat = 0; 1871out_err: 1872 if (rqstp->rq_client) 1873 auth_domain_put(rqstp->rq_client); 1874 rqstp->rq_client = NULL; 1875 if (rqstp->rq_gssclient) 1876 auth_domain_put(rqstp->rq_gssclient); 1877 rqstp->rq_gssclient = NULL; 1878 if (rqstp->rq_cred.cr_group_info) 1879 put_group_info(rqstp->rq_cred.cr_group_info); 1880 rqstp->rq_cred.cr_group_info = NULL; 1881 if (gsd && gsd->rsci) { 1882 cache_put(&gsd->rsci->h, sn->rsc_cache); 1883 gsd->rsci = NULL; 1884 } 1885 return stat; 1886} 1887 1888static void 1889svcauth_gss_domain_release_rcu(struct rcu_head *head) 1890{ 1891 struct auth_domain *dom = container_of(head, struct auth_domain, rcu_head); 1892 struct gss_domain *gd = container_of(dom, struct gss_domain, h); 1893 1894 kfree(dom->name); 1895 kfree(gd); 1896} 1897 1898static void 1899svcauth_gss_domain_release(struct auth_domain *dom) 1900{ 1901 call_rcu(&dom->rcu_head, svcauth_gss_domain_release_rcu); 1902} 1903 1904static struct auth_ops svcauthops_gss = { 1905 .name = "rpcsec_gss", 1906 .owner = THIS_MODULE, 1907 .flavour = RPC_AUTH_GSS, 1908 .accept = svcauth_gss_accept, 1909 .release = svcauth_gss_release, 1910 .domain_release = svcauth_gss_domain_release, 1911 .set_client = svcauth_gss_set_client, 1912}; 1913 1914static int rsi_cache_create_net(struct net *net) 1915{ 1916 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1917 struct cache_detail *cd; 1918 int err; 1919 1920 cd = cache_create_net(&rsi_cache_template, net); 1921 if (IS_ERR(cd)) 1922 return PTR_ERR(cd); 1923 err = cache_register_net(cd, net); 1924 if (err) { 1925 cache_destroy_net(cd, net); 1926 return err; 1927 } 1928 sn->rsi_cache = cd; 1929 return 0; 1930} 1931 1932static void rsi_cache_destroy_net(struct net *net) 1933{ 1934 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1935 struct cache_detail *cd = sn->rsi_cache; 1936 1937 sn->rsi_cache = NULL; 1938 cache_purge(cd); 1939 cache_unregister_net(cd, net); 1940 cache_destroy_net(cd, net); 1941} 1942 1943static int rsc_cache_create_net(struct net *net) 1944{ 1945 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1946 struct cache_detail *cd; 1947 int err; 1948 1949 cd = cache_create_net(&rsc_cache_template, net); 1950 if (IS_ERR(cd)) 1951 return PTR_ERR(cd); 1952 err = cache_register_net(cd, net); 1953 if (err) { 1954 cache_destroy_net(cd, net); 1955 return err; 1956 } 1957 sn->rsc_cache = cd; 1958 return 0; 1959} 1960 1961static void rsc_cache_destroy_net(struct net *net) 1962{ 1963 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 1964 struct cache_detail *cd = sn->rsc_cache; 1965 1966 sn->rsc_cache = NULL; 1967 cache_purge(cd); 1968 cache_unregister_net(cd, net); 1969 cache_destroy_net(cd, net); 1970} 1971 1972int 1973gss_svc_init_net(struct net *net) 1974{ 1975 int rv; 1976 1977 rv = rsc_cache_create_net(net); 1978 if (rv) 1979 return rv; 1980 rv = rsi_cache_create_net(net); 1981 if (rv) 1982 goto out1; 1983 rv = create_use_gss_proxy_proc_entry(net); 1984 if (rv) 1985 goto out2; 1986 return 0; 1987out2: 1988 rsi_cache_destroy_net(net); 1989out1: 1990 rsc_cache_destroy_net(net); 1991 return rv; 1992} 1993 1994void 1995gss_svc_shutdown_net(struct net *net) 1996{ 1997 destroy_use_gss_proxy_proc_entry(net); 1998 rsi_cache_destroy_net(net); 1999 rsc_cache_destroy_net(net); 2000} 2001 2002int 2003gss_svc_init(void) 2004{ 2005 return svc_auth_register(RPC_AUTH_GSS, &svcauthops_gss); 2006} 2007 2008void 2009gss_svc_shutdown(void) 2010{ 2011 svc_auth_unregister(RPC_AUTH_GSS); 2012}