1 // SPDX-License-Identifier: BSD-3-Clause 2 /* 3 * linux/net/sunrpc/auth_gss/auth_gss.c 4 * 5 * RPCSEC_GSS client authentication. 6 * 7 * Copyright (c) 2000 The Regents of the University of Michigan. 8 * All rights reserved. 9 * 10 * Dug Song <dugsong@monkey.org> 11 * Andy Adamson <andros@umich.edu> 12 */ 13 14 #include <linux/module.h> 15 #include <linux/init.h> 16 #include <linux/types.h> 17 #include <linux/slab.h> 18 #include <linux/sched.h> 19 #include <linux/pagemap.h> 20 #include <linux/sunrpc/clnt.h> 21 #include <linux/sunrpc/auth.h> 22 #include <linux/sunrpc/auth_gss.h> 23 #include <linux/sunrpc/gss_krb5.h> 24 #include <linux/sunrpc/svcauth_gss.h> 25 #include <linux/sunrpc/gss_err.h> 26 #include <linux/workqueue.h> 27 #include <linux/sunrpc/rpc_pipe_fs.h> 28 #include <linux/sunrpc/gss_api.h> 29 #include <linux/uaccess.h> 30 #include <linux/hashtable.h> 31 32 #include "auth_gss_internal.h" 33 #include "../netns.h" 34 35 #include <trace/events/rpcgss.h> 36 37 static const struct rpc_authops authgss_ops; 38 39 static const struct rpc_credops gss_credops; 40 static const struct rpc_credops gss_nullops; 41 42 static void gss_free_callback(struct kref *kref); 43 44 #define GSS_RETRY_EXPIRED 5 45 static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED; 46 47 #define GSS_KEY_EXPIRE_TIMEO 240 48 static unsigned int gss_key_expire_timeo = GSS_KEY_EXPIRE_TIMEO; 49 50 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 51 # define RPCDBG_FACILITY RPCDBG_AUTH 52 #endif 53 54 /* 55 * This compile-time check verifies that we will not exceed the 56 * slack space allotted by the client and server auth_gss code 57 * before they call gss_wrap(). 58 */ 59 #define GSS_KRB5_MAX_SLACK_NEEDED \ 60 (GSS_KRB5_TOK_HDR_LEN /* gss token header */ \ 61 + GSS_KRB5_MAX_CKSUM_LEN /* gss token checksum */ \ 62 + GSS_KRB5_MAX_BLOCKSIZE /* confounder */ \ 63 + GSS_KRB5_MAX_BLOCKSIZE /* possible padding */ \ 64 + GSS_KRB5_TOK_HDR_LEN /* encrypted hdr in v2 token */ \ 65 + GSS_KRB5_MAX_CKSUM_LEN /* encryption hmac */ \ 66 + XDR_UNIT * 2 /* RPC verifier */ \ 67 + GSS_KRB5_TOK_HDR_LEN \ 68 + GSS_KRB5_MAX_CKSUM_LEN) 69 70 #define GSS_CRED_SLACK (RPC_MAX_AUTH_SIZE * 2) 71 /* length of a krb5 verifier (48), plus data added before arguments when 72 * using integrity (two 4-byte integers): */ 73 #define GSS_VERF_SLACK 100 74 75 static DEFINE_HASHTABLE(gss_auth_hash_table, 4); 76 static DEFINE_SPINLOCK(gss_auth_hash_lock); 77 78 struct gss_pipe { 79 struct rpc_pipe_dir_object pdo; 80 struct rpc_pipe *pipe; 81 struct rpc_clnt *clnt; 82 const char *name; 83 struct kref kref; 84 }; 85 86 struct gss_auth { 87 struct kref kref; 88 struct hlist_node hash; 89 struct rpc_auth rpc_auth; 90 struct gss_api_mech *mech; 91 enum rpc_gss_svc service; 92 struct rpc_clnt *client; 93 struct net *net; 94 netns_tracker ns_tracker; 95 /* 96 * There are two upcall pipes; dentry[1], named "gssd", is used 97 * for the new text-based upcall; dentry[0] is named after the 98 * mechanism (for example, "krb5") and exists for 99 * backwards-compatibility with older gssd's. 100 */ 101 struct gss_pipe *gss_pipe[2]; 102 const char *target_name; 103 }; 104 105 /* pipe_version >= 0 if and only if someone has a pipe open. */ 106 static DEFINE_SPINLOCK(pipe_version_lock); 107 static struct rpc_wait_queue pipe_version_rpc_waitqueue; 108 static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue); 109 static void gss_put_auth(struct gss_auth *gss_auth); 110 111 static void gss_free_ctx(struct gss_cl_ctx *); 112 static const struct rpc_pipe_ops gss_upcall_ops_v0; 113 static const struct rpc_pipe_ops gss_upcall_ops_v1; 114 115 static inline struct gss_cl_ctx * 116 gss_get_ctx(struct gss_cl_ctx *ctx) 117 { 118 refcount_inc(&ctx->count); 119 return ctx; 120 } 121 122 static inline void 123 gss_put_ctx(struct gss_cl_ctx *ctx) 124 { 125 if (refcount_dec_and_test(&ctx->count)) 126 gss_free_ctx(ctx); 127 } 128 129 /* gss_cred_set_ctx: 130 * called by gss_upcall_callback and gss_create_upcall in order 131 * to set the gss context. The actual exchange of an old context 132 * and a new one is protected by the pipe->lock. 133 */ 134 static void 135 gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx) 136 { 137 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 138 139 if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags)) 140 return; 141 gss_get_ctx(ctx); 142 rcu_assign_pointer(gss_cred->gc_ctx, ctx); 143 set_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 144 smp_mb__before_atomic(); 145 clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags); 146 } 147 148 static struct gss_cl_ctx * 149 gss_cred_get_ctx(struct rpc_cred *cred) 150 { 151 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 152 struct gss_cl_ctx *ctx = NULL; 153 154 rcu_read_lock(); 155 ctx = rcu_dereference(gss_cred->gc_ctx); 156 if (ctx) 157 gss_get_ctx(ctx); 158 rcu_read_unlock(); 159 return ctx; 160 } 161 162 static struct gss_cl_ctx * 163 gss_alloc_context(void) 164 { 165 struct gss_cl_ctx *ctx; 166 167 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 168 if (ctx != NULL) { 169 ctx->gc_proc = RPC_GSS_PROC_DATA; 170 ctx->gc_seq = 1; /* NetApp 6.4R1 doesn't accept seq. no. 0 */ 171 spin_lock_init(&ctx->gc_seq_lock); 172 refcount_set(&ctx->count,1); 173 } 174 return ctx; 175 } 176 177 #define GSSD_MIN_TIMEOUT (60 * 60) 178 static const void * 179 gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm) 180 { 181 const void *q; 182 unsigned int seclen; 183 unsigned int timeout; 184 unsigned long now = jiffies; 185 u32 window_size; 186 int ret; 187 188 /* First unsigned int gives the remaining lifetime in seconds of the 189 * credential - e.g. the remaining TGT lifetime for Kerberos or 190 * the -t value passed to GSSD. 191 */ 192 p = simple_get_bytes(p, end, &timeout, sizeof(timeout)); 193 if (IS_ERR(p)) 194 goto err; 195 if (timeout == 0) 196 timeout = GSSD_MIN_TIMEOUT; 197 ctx->gc_expiry = now + ((unsigned long)timeout * HZ); 198 /* Sequence number window. Determines the maximum number of 199 * simultaneous requests 200 */ 201 p = simple_get_bytes(p, end, &window_size, sizeof(window_size)); 202 if (IS_ERR(p)) 203 goto err; 204 ctx->gc_win = window_size; 205 /* gssd signals an error by passing ctx->gc_win = 0: */ 206 if (ctx->gc_win == 0) { 207 /* 208 * in which case, p points to an error code. Anything other 209 * than -EKEYEXPIRED gets converted to -EACCES. 210 */ 211 p = simple_get_bytes(p, end, &ret, sizeof(ret)); 212 if (!IS_ERR(p)) 213 p = (ret == -EKEYEXPIRED) ? ERR_PTR(-EKEYEXPIRED) : 214 ERR_PTR(-EACCES); 215 goto err; 216 } 217 /* copy the opaque wire context */ 218 p = simple_get_netobj(p, end, &ctx->gc_wire_ctx); 219 if (IS_ERR(p)) 220 goto err; 221 /* import the opaque security context */ 222 p = simple_get_bytes(p, end, &seclen, sizeof(seclen)); 223 if (IS_ERR(p)) 224 goto err; 225 q = (const void *)((const char *)p + seclen); 226 if (unlikely(q > end || q < p)) { 227 p = ERR_PTR(-EFAULT); 228 goto err; 229 } 230 ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_KERNEL); 231 if (ret < 0) { 232 trace_rpcgss_import_ctx(ret); 233 p = ERR_PTR(ret); 234 goto err; 235 } 236 237 /* is there any trailing data? */ 238 if (q == end) { 239 p = q; 240 goto done; 241 } 242 243 /* pull in acceptor name (if there is one) */ 244 p = simple_get_netobj(q, end, &ctx->gc_acceptor); 245 if (IS_ERR(p)) 246 goto err; 247 done: 248 trace_rpcgss_context(window_size, ctx->gc_expiry, now, timeout, 249 ctx->gc_acceptor.len, ctx->gc_acceptor.data); 250 err: 251 return p; 252 } 253 254 /* XXX: Need some documentation about why UPCALL_BUF_LEN is so small. 255 * Is user space expecting no more than UPCALL_BUF_LEN bytes? 256 * Note that there are now _two_ NI_MAXHOST sized data items 257 * being passed in this string. 258 */ 259 #define UPCALL_BUF_LEN 256 260 261 struct gss_upcall_msg { 262 refcount_t count; 263 kuid_t uid; 264 const char *service_name; 265 struct rpc_pipe_msg msg; 266 struct list_head list; 267 struct gss_auth *auth; 268 struct rpc_pipe *pipe; 269 struct rpc_wait_queue rpc_waitqueue; 270 wait_queue_head_t waitqueue; 271 struct gss_cl_ctx *ctx; 272 char databuf[UPCALL_BUF_LEN]; 273 }; 274 275 static int get_pipe_version(struct net *net) 276 { 277 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 278 int ret; 279 280 spin_lock(&pipe_version_lock); 281 if (sn->pipe_version >= 0) { 282 atomic_inc(&sn->pipe_users); 283 ret = sn->pipe_version; 284 } else 285 ret = -EAGAIN; 286 spin_unlock(&pipe_version_lock); 287 return ret; 288 } 289 290 static void put_pipe_version(struct net *net) 291 { 292 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 293 294 if (atomic_dec_and_lock(&sn->pipe_users, &pipe_version_lock)) { 295 sn->pipe_version = -1; 296 spin_unlock(&pipe_version_lock); 297 } 298 } 299 300 static void 301 gss_release_msg(struct gss_upcall_msg *gss_msg) 302 { 303 struct net *net = gss_msg->auth->net; 304 if (!refcount_dec_and_test(&gss_msg->count)) 305 return; 306 put_pipe_version(net); 307 BUG_ON(!list_empty(&gss_msg->list)); 308 if (gss_msg->ctx != NULL) 309 gss_put_ctx(gss_msg->ctx); 310 rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue); 311 gss_put_auth(gss_msg->auth); 312 kfree_const(gss_msg->service_name); 313 kfree(gss_msg); 314 } 315 316 static struct gss_upcall_msg * 317 __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth) 318 { 319 struct gss_upcall_msg *pos; 320 list_for_each_entry(pos, &pipe->in_downcall, list) { 321 if (!uid_eq(pos->uid, uid)) 322 continue; 323 if (pos->auth->service != auth->service) 324 continue; 325 refcount_inc(&pos->count); 326 return pos; 327 } 328 return NULL; 329 } 330 331 /* Try to add an upcall to the pipefs queue. 332 * If an upcall owned by our uid already exists, then we return a reference 333 * to that upcall instead of adding the new upcall. 334 */ 335 static inline struct gss_upcall_msg * 336 gss_add_msg(struct gss_upcall_msg *gss_msg) 337 { 338 struct rpc_pipe *pipe = gss_msg->pipe; 339 struct gss_upcall_msg *old; 340 341 spin_lock(&pipe->lock); 342 old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth); 343 if (old == NULL) { 344 refcount_inc(&gss_msg->count); 345 list_add(&gss_msg->list, &pipe->in_downcall); 346 } else 347 gss_msg = old; 348 spin_unlock(&pipe->lock); 349 return gss_msg; 350 } 351 352 static void 353 __gss_unhash_msg(struct gss_upcall_msg *gss_msg) 354 { 355 list_del_init(&gss_msg->list); 356 rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno); 357 wake_up_all(&gss_msg->waitqueue); 358 refcount_dec(&gss_msg->count); 359 } 360 361 static void 362 gss_unhash_msg(struct gss_upcall_msg *gss_msg) 363 { 364 struct rpc_pipe *pipe = gss_msg->pipe; 365 366 if (list_empty(&gss_msg->list)) 367 return; 368 spin_lock(&pipe->lock); 369 if (!list_empty(&gss_msg->list)) 370 __gss_unhash_msg(gss_msg); 371 spin_unlock(&pipe->lock); 372 } 373 374 static void 375 gss_handle_downcall_result(struct gss_cred *gss_cred, struct gss_upcall_msg *gss_msg) 376 { 377 switch (gss_msg->msg.errno) { 378 case 0: 379 if (gss_msg->ctx == NULL) 380 break; 381 clear_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags); 382 gss_cred_set_ctx(&gss_cred->gc_base, gss_msg->ctx); 383 break; 384 case -EKEYEXPIRED: 385 set_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags); 386 } 387 gss_cred->gc_upcall_timestamp = jiffies; 388 gss_cred->gc_upcall = NULL; 389 rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno); 390 } 391 392 static void 393 gss_upcall_callback(struct rpc_task *task) 394 { 395 struct gss_cred *gss_cred = container_of(task->tk_rqstp->rq_cred, 396 struct gss_cred, gc_base); 397 struct gss_upcall_msg *gss_msg = gss_cred->gc_upcall; 398 struct rpc_pipe *pipe = gss_msg->pipe; 399 400 spin_lock(&pipe->lock); 401 gss_handle_downcall_result(gss_cred, gss_msg); 402 spin_unlock(&pipe->lock); 403 task->tk_status = gss_msg->msg.errno; 404 gss_release_msg(gss_msg); 405 } 406 407 static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg, 408 const struct cred *cred) 409 { 410 struct user_namespace *userns = cred->user_ns; 411 412 uid_t uid = from_kuid_munged(userns, gss_msg->uid); 413 memcpy(gss_msg->databuf, &uid, sizeof(uid)); 414 gss_msg->msg.data = gss_msg->databuf; 415 gss_msg->msg.len = sizeof(uid); 416 417 BUILD_BUG_ON(sizeof(uid) > sizeof(gss_msg->databuf)); 418 } 419 420 static ssize_t 421 gss_v0_upcall(struct file *file, struct rpc_pipe_msg *msg, 422 char __user *buf, size_t buflen) 423 { 424 struct gss_upcall_msg *gss_msg = container_of(msg, 425 struct gss_upcall_msg, 426 msg); 427 if (msg->copied == 0) 428 gss_encode_v0_msg(gss_msg, file->f_cred); 429 return rpc_pipe_generic_upcall(file, msg, buf, buflen); 430 } 431 432 static int gss_encode_v1_msg(struct gss_upcall_msg *gss_msg, 433 const char *service_name, 434 const char *target_name, 435 const struct cred *cred) 436 { 437 struct user_namespace *userns = cred->user_ns; 438 struct gss_api_mech *mech = gss_msg->auth->mech; 439 char *p = gss_msg->databuf; 440 size_t buflen = sizeof(gss_msg->databuf); 441 int len; 442 443 len = scnprintf(p, buflen, "mech=%s uid=%d", mech->gm_name, 444 from_kuid_munged(userns, gss_msg->uid)); 445 buflen -= len; 446 p += len; 447 gss_msg->msg.len = len; 448 449 /* 450 * target= is a full service principal that names the remote 451 * identity that we are authenticating to. 452 */ 453 if (target_name) { 454 len = scnprintf(p, buflen, " target=%s", target_name); 455 buflen -= len; 456 p += len; 457 gss_msg->msg.len += len; 458 } 459 460 /* 461 * gssd uses service= and srchost= to select a matching key from 462 * the system's keytab to use as the source principal. 463 * 464 * service= is the service name part of the source principal, 465 * or "*" (meaning choose any). 466 * 467 * srchost= is the hostname part of the source principal. When 468 * not provided, gssd uses the local hostname. 469 */ 470 if (service_name) { 471 char *c = strchr(service_name, '@'); 472 473 if (!c) 474 len = scnprintf(p, buflen, " service=%s", 475 service_name); 476 else 477 len = scnprintf(p, buflen, 478 " service=%.*s srchost=%s", 479 (int)(c - service_name), 480 service_name, c + 1); 481 buflen -= len; 482 p += len; 483 gss_msg->msg.len += len; 484 } 485 486 if (mech->gm_upcall_enctypes) { 487 len = scnprintf(p, buflen, " enctypes=%s", 488 mech->gm_upcall_enctypes); 489 buflen -= len; 490 p += len; 491 gss_msg->msg.len += len; 492 } 493 trace_rpcgss_upcall_msg(gss_msg->databuf); 494 len = scnprintf(p, buflen, "\n"); 495 if (len == 0) 496 goto out_overflow; 497 gss_msg->msg.len += len; 498 gss_msg->msg.data = gss_msg->databuf; 499 return 0; 500 out_overflow: 501 WARN_ON_ONCE(1); 502 return -ENOMEM; 503 } 504 505 static ssize_t 506 gss_v1_upcall(struct file *file, struct rpc_pipe_msg *msg, 507 char __user *buf, size_t buflen) 508 { 509 struct gss_upcall_msg *gss_msg = container_of(msg, 510 struct gss_upcall_msg, 511 msg); 512 int err; 513 if (msg->copied == 0) { 514 err = gss_encode_v1_msg(gss_msg, 515 gss_msg->service_name, 516 gss_msg->auth->target_name, 517 file->f_cred); 518 if (err) 519 return err; 520 } 521 return rpc_pipe_generic_upcall(file, msg, buf, buflen); 522 } 523 524 static struct gss_upcall_msg * 525 gss_alloc_msg(struct gss_auth *gss_auth, 526 kuid_t uid, const char *service_name) 527 { 528 struct gss_upcall_msg *gss_msg; 529 int vers; 530 int err = -ENOMEM; 531 532 gss_msg = kzalloc(sizeof(*gss_msg), GFP_KERNEL); 533 if (gss_msg == NULL) 534 goto err; 535 vers = get_pipe_version(gss_auth->net); 536 err = vers; 537 if (err < 0) 538 goto err_free_msg; 539 gss_msg->pipe = gss_auth->gss_pipe[vers]->pipe; 540 INIT_LIST_HEAD(&gss_msg->list); 541 rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq"); 542 init_waitqueue_head(&gss_msg->waitqueue); 543 refcount_set(&gss_msg->count, 1); 544 gss_msg->uid = uid; 545 gss_msg->auth = gss_auth; 546 kref_get(&gss_auth->kref); 547 if (service_name) { 548 gss_msg->service_name = kstrdup_const(service_name, GFP_KERNEL); 549 if (!gss_msg->service_name) { 550 err = -ENOMEM; 551 goto err_put_pipe_version; 552 } 553 } 554 return gss_msg; 555 err_put_pipe_version: 556 kref_put(&gss_auth->kref, gss_free_callback); 557 put_pipe_version(gss_auth->net); 558 err_free_msg: 559 kfree(gss_msg); 560 err: 561 return ERR_PTR(err); 562 } 563 564 static struct gss_upcall_msg * 565 gss_setup_upcall(struct gss_auth *gss_auth, struct rpc_cred *cred) 566 { 567 struct gss_cred *gss_cred = container_of(cred, 568 struct gss_cred, gc_base); 569 struct gss_upcall_msg *gss_new, *gss_msg; 570 kuid_t uid = cred->cr_cred->fsuid; 571 572 gss_new = gss_alloc_msg(gss_auth, uid, gss_cred->gc_principal); 573 if (IS_ERR(gss_new)) 574 return gss_new; 575 gss_msg = gss_add_msg(gss_new); 576 if (gss_msg == gss_new) { 577 int res; 578 refcount_inc(&gss_msg->count); 579 res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg); 580 if (res) { 581 gss_unhash_msg(gss_new); 582 refcount_dec(&gss_msg->count); 583 gss_release_msg(gss_new); 584 gss_msg = ERR_PTR(res); 585 } 586 } else 587 gss_release_msg(gss_new); 588 return gss_msg; 589 } 590 591 static void warn_gssd(void) 592 { 593 dprintk("AUTH_GSS upcall failed. Please check user daemon is running.\n"); 594 } 595 596 static inline int 597 gss_refresh_upcall(struct rpc_task *task) 598 { 599 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 600 struct gss_auth *gss_auth = container_of(cred->cr_auth, 601 struct gss_auth, rpc_auth); 602 struct gss_cred *gss_cred = container_of(cred, 603 struct gss_cred, gc_base); 604 struct gss_upcall_msg *gss_msg; 605 struct rpc_pipe *pipe; 606 int err = 0; 607 608 gss_msg = gss_setup_upcall(gss_auth, cred); 609 if (PTR_ERR(gss_msg) == -EAGAIN) { 610 /* XXX: warning on the first, under the assumption we 611 * shouldn't normally hit this case on a refresh. */ 612 warn_gssd(); 613 rpc_sleep_on_timeout(&pipe_version_rpc_waitqueue, 614 task, NULL, jiffies + (15 * HZ)); 615 err = -EAGAIN; 616 goto out; 617 } 618 if (IS_ERR(gss_msg)) { 619 err = PTR_ERR(gss_msg); 620 goto out; 621 } 622 pipe = gss_msg->pipe; 623 spin_lock(&pipe->lock); 624 if (gss_cred->gc_upcall != NULL) 625 rpc_sleep_on(&gss_cred->gc_upcall->rpc_waitqueue, task, NULL); 626 else if (gss_msg->ctx == NULL && gss_msg->msg.errno >= 0) { 627 gss_cred->gc_upcall = gss_msg; 628 /* gss_upcall_callback will release the reference to gss_upcall_msg */ 629 refcount_inc(&gss_msg->count); 630 rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback); 631 } else { 632 gss_handle_downcall_result(gss_cred, gss_msg); 633 err = gss_msg->msg.errno; 634 } 635 spin_unlock(&pipe->lock); 636 gss_release_msg(gss_msg); 637 out: 638 trace_rpcgss_upcall_result(from_kuid(&init_user_ns, 639 cred->cr_cred->fsuid), err); 640 return err; 641 } 642 643 static inline int 644 gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred) 645 { 646 struct net *net = gss_auth->net; 647 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 648 struct rpc_pipe *pipe; 649 struct rpc_cred *cred = &gss_cred->gc_base; 650 struct gss_upcall_msg *gss_msg; 651 DEFINE_WAIT(wait); 652 int err; 653 654 retry: 655 err = 0; 656 /* if gssd is down, just skip upcalling altogether */ 657 if (!gssd_running(net)) { 658 warn_gssd(); 659 err = -EACCES; 660 goto out; 661 } 662 gss_msg = gss_setup_upcall(gss_auth, cred); 663 if (PTR_ERR(gss_msg) == -EAGAIN) { 664 err = wait_event_interruptible_timeout(pipe_version_waitqueue, 665 sn->pipe_version >= 0, 15 * HZ); 666 if (sn->pipe_version < 0) { 667 warn_gssd(); 668 err = -EACCES; 669 } 670 if (err < 0) 671 goto out; 672 goto retry; 673 } 674 if (IS_ERR(gss_msg)) { 675 err = PTR_ERR(gss_msg); 676 goto out; 677 } 678 pipe = gss_msg->pipe; 679 for (;;) { 680 prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_KILLABLE); 681 spin_lock(&pipe->lock); 682 if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) { 683 break; 684 } 685 spin_unlock(&pipe->lock); 686 if (fatal_signal_pending(current)) { 687 err = -ERESTARTSYS; 688 goto out_intr; 689 } 690 schedule(); 691 } 692 if (gss_msg->ctx) { 693 trace_rpcgss_ctx_init(gss_cred); 694 gss_cred_set_ctx(cred, gss_msg->ctx); 695 } else { 696 err = gss_msg->msg.errno; 697 } 698 spin_unlock(&pipe->lock); 699 out_intr: 700 finish_wait(&gss_msg->waitqueue, &wait); 701 gss_release_msg(gss_msg); 702 out: 703 trace_rpcgss_upcall_result(from_kuid(&init_user_ns, 704 cred->cr_cred->fsuid), err); 705 return err; 706 } 707 708 static struct gss_upcall_msg * 709 gss_find_downcall(struct rpc_pipe *pipe, kuid_t uid) 710 { 711 struct gss_upcall_msg *pos; 712 list_for_each_entry(pos, &pipe->in_downcall, list) { 713 if (!uid_eq(pos->uid, uid)) 714 continue; 715 if (!rpc_msg_is_inflight(&pos->msg)) 716 continue; 717 refcount_inc(&pos->count); 718 return pos; 719 } 720 return NULL; 721 } 722 723 #define MSG_BUF_MAXSIZE 1024 724 725 static ssize_t 726 gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) 727 { 728 const void *p, *end; 729 void *buf; 730 struct gss_upcall_msg *gss_msg; 731 struct rpc_pipe *pipe = RPC_I(file_inode(filp))->pipe; 732 struct gss_cl_ctx *ctx; 733 uid_t id; 734 kuid_t uid; 735 ssize_t err = -EFBIG; 736 737 if (mlen > MSG_BUF_MAXSIZE) 738 goto out; 739 err = -ENOMEM; 740 buf = kmalloc(mlen, GFP_KERNEL); 741 if (!buf) 742 goto out; 743 744 err = -EFAULT; 745 if (copy_from_user(buf, src, mlen)) 746 goto err; 747 748 end = (const void *)((char *)buf + mlen); 749 p = simple_get_bytes(buf, end, &id, sizeof(id)); 750 if (IS_ERR(p)) { 751 err = PTR_ERR(p); 752 goto err; 753 } 754 755 uid = make_kuid(current_user_ns(), id); 756 if (!uid_valid(uid)) { 757 err = -EINVAL; 758 goto err; 759 } 760 761 err = -ENOMEM; 762 ctx = gss_alloc_context(); 763 if (ctx == NULL) 764 goto err; 765 766 err = -ENOENT; 767 /* Find a matching upcall */ 768 spin_lock(&pipe->lock); 769 gss_msg = gss_find_downcall(pipe, uid); 770 if (gss_msg == NULL) { 771 spin_unlock(&pipe->lock); 772 goto err_put_ctx; 773 } 774 list_del_init(&gss_msg->list); 775 spin_unlock(&pipe->lock); 776 777 p = gss_fill_context(p, end, ctx, gss_msg->auth->mech); 778 if (IS_ERR(p)) { 779 err = PTR_ERR(p); 780 switch (err) { 781 case -EACCES: 782 case -EKEYEXPIRED: 783 gss_msg->msg.errno = err; 784 err = mlen; 785 break; 786 case -EFAULT: 787 case -ENOMEM: 788 case -EINVAL: 789 case -ENOSYS: 790 gss_msg->msg.errno = -EAGAIN; 791 break; 792 default: 793 printk(KERN_CRIT "%s: bad return from " 794 "gss_fill_context: %zd\n", __func__, err); 795 gss_msg->msg.errno = -EIO; 796 } 797 goto err_release_msg; 798 } 799 gss_msg->ctx = gss_get_ctx(ctx); 800 err = mlen; 801 802 err_release_msg: 803 spin_lock(&pipe->lock); 804 __gss_unhash_msg(gss_msg); 805 spin_unlock(&pipe->lock); 806 gss_release_msg(gss_msg); 807 err_put_ctx: 808 gss_put_ctx(ctx); 809 err: 810 kfree(buf); 811 out: 812 return err; 813 } 814 815 static int gss_pipe_open(struct inode *inode, int new_version) 816 { 817 struct net *net = inode->i_sb->s_fs_info; 818 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 819 int ret = 0; 820 821 spin_lock(&pipe_version_lock); 822 if (sn->pipe_version < 0) { 823 /* First open of any gss pipe determines the version: */ 824 sn->pipe_version = new_version; 825 rpc_wake_up(&pipe_version_rpc_waitqueue); 826 wake_up(&pipe_version_waitqueue); 827 } else if (sn->pipe_version != new_version) { 828 /* Trying to open a pipe of a different version */ 829 ret = -EBUSY; 830 goto out; 831 } 832 atomic_inc(&sn->pipe_users); 833 out: 834 spin_unlock(&pipe_version_lock); 835 return ret; 836 837 } 838 839 static int gss_pipe_open_v0(struct inode *inode) 840 { 841 return gss_pipe_open(inode, 0); 842 } 843 844 static int gss_pipe_open_v1(struct inode *inode) 845 { 846 return gss_pipe_open(inode, 1); 847 } 848 849 static void 850 gss_pipe_release(struct inode *inode) 851 { 852 struct net *net = inode->i_sb->s_fs_info; 853 struct rpc_pipe *pipe = RPC_I(inode)->pipe; 854 struct gss_upcall_msg *gss_msg; 855 856 restart: 857 spin_lock(&pipe->lock); 858 list_for_each_entry(gss_msg, &pipe->in_downcall, list) { 859 860 if (!list_empty(&gss_msg->msg.list)) 861 continue; 862 gss_msg->msg.errno = -EPIPE; 863 refcount_inc(&gss_msg->count); 864 __gss_unhash_msg(gss_msg); 865 spin_unlock(&pipe->lock); 866 gss_release_msg(gss_msg); 867 goto restart; 868 } 869 spin_unlock(&pipe->lock); 870 871 put_pipe_version(net); 872 } 873 874 static void 875 gss_pipe_destroy_msg(struct rpc_pipe_msg *msg) 876 { 877 struct gss_upcall_msg *gss_msg = container_of(msg, struct gss_upcall_msg, msg); 878 879 if (msg->errno < 0) { 880 refcount_inc(&gss_msg->count); 881 gss_unhash_msg(gss_msg); 882 if (msg->errno == -ETIMEDOUT) 883 warn_gssd(); 884 gss_release_msg(gss_msg); 885 } 886 gss_release_msg(gss_msg); 887 } 888 889 static void gss_pipe_dentry_destroy(struct dentry *dir, 890 struct rpc_pipe_dir_object *pdo) 891 { 892 struct gss_pipe *gss_pipe = pdo->pdo_data; 893 894 rpc_unlink(gss_pipe->pipe); 895 } 896 897 static int gss_pipe_dentry_create(struct dentry *dir, 898 struct rpc_pipe_dir_object *pdo) 899 { 900 struct gss_pipe *p = pdo->pdo_data; 901 902 return rpc_mkpipe_dentry(dir, p->name, p->clnt, p->pipe); 903 } 904 905 static const struct rpc_pipe_dir_object_ops gss_pipe_dir_object_ops = { 906 .create = gss_pipe_dentry_create, 907 .destroy = gss_pipe_dentry_destroy, 908 }; 909 910 static struct gss_pipe *gss_pipe_alloc(struct rpc_clnt *clnt, 911 const char *name, 912 const struct rpc_pipe_ops *upcall_ops) 913 { 914 struct gss_pipe *p; 915 int err = -ENOMEM; 916 917 p = kmalloc(sizeof(*p), GFP_KERNEL); 918 if (p == NULL) 919 goto err; 920 p->pipe = rpc_mkpipe_data(upcall_ops, RPC_PIPE_WAIT_FOR_OPEN); 921 if (IS_ERR(p->pipe)) { 922 err = PTR_ERR(p->pipe); 923 goto err_free_gss_pipe; 924 } 925 p->name = name; 926 p->clnt = clnt; 927 kref_init(&p->kref); 928 rpc_init_pipe_dir_object(&p->pdo, 929 &gss_pipe_dir_object_ops, 930 p); 931 return p; 932 err_free_gss_pipe: 933 kfree(p); 934 err: 935 return ERR_PTR(err); 936 } 937 938 struct gss_alloc_pdo { 939 struct rpc_clnt *clnt; 940 const char *name; 941 const struct rpc_pipe_ops *upcall_ops; 942 }; 943 944 static int gss_pipe_match_pdo(struct rpc_pipe_dir_object *pdo, void *data) 945 { 946 struct gss_pipe *gss_pipe; 947 struct gss_alloc_pdo *args = data; 948 949 if (pdo->pdo_ops != &gss_pipe_dir_object_ops) 950 return 0; 951 gss_pipe = container_of(pdo, struct gss_pipe, pdo); 952 if (strcmp(gss_pipe->name, args->name) != 0) 953 return 0; 954 if (!kref_get_unless_zero(&gss_pipe->kref)) 955 return 0; 956 return 1; 957 } 958 959 static struct rpc_pipe_dir_object *gss_pipe_alloc_pdo(void *data) 960 { 961 struct gss_pipe *gss_pipe; 962 struct gss_alloc_pdo *args = data; 963 964 gss_pipe = gss_pipe_alloc(args->clnt, args->name, args->upcall_ops); 965 if (!IS_ERR(gss_pipe)) 966 return &gss_pipe->pdo; 967 return NULL; 968 } 969 970 static struct gss_pipe *gss_pipe_get(struct rpc_clnt *clnt, 971 const char *name, 972 const struct rpc_pipe_ops *upcall_ops) 973 { 974 struct net *net = rpc_net_ns(clnt); 975 struct rpc_pipe_dir_object *pdo; 976 struct gss_alloc_pdo args = { 977 .clnt = clnt, 978 .name = name, 979 .upcall_ops = upcall_ops, 980 }; 981 982 pdo = rpc_find_or_alloc_pipe_dir_object(net, 983 &clnt->cl_pipedir_objects, 984 gss_pipe_match_pdo, 985 gss_pipe_alloc_pdo, 986 &args); 987 if (pdo != NULL) 988 return container_of(pdo, struct gss_pipe, pdo); 989 return ERR_PTR(-ENOMEM); 990 } 991 992 static void __gss_pipe_free(struct gss_pipe *p) 993 { 994 struct rpc_clnt *clnt = p->clnt; 995 struct net *net = rpc_net_ns(clnt); 996 997 rpc_remove_pipe_dir_object(net, 998 &clnt->cl_pipedir_objects, 999 &p->pdo); 1000 rpc_destroy_pipe_data(p->pipe); 1001 kfree(p); 1002 } 1003 1004 static void __gss_pipe_release(struct kref *kref) 1005 { 1006 struct gss_pipe *p = container_of(kref, struct gss_pipe, kref); 1007 1008 __gss_pipe_free(p); 1009 } 1010 1011 static void gss_pipe_free(struct gss_pipe *p) 1012 { 1013 if (p != NULL) 1014 kref_put(&p->kref, __gss_pipe_release); 1015 } 1016 1017 /* 1018 * NOTE: we have the opportunity to use different 1019 * parameters based on the input flavor (which must be a pseudoflavor) 1020 */ 1021 static struct gss_auth * 1022 gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) 1023 { 1024 rpc_authflavor_t flavor = args->pseudoflavor; 1025 struct gss_auth *gss_auth; 1026 struct gss_pipe *gss_pipe; 1027 struct rpc_auth * auth; 1028 int err = -ENOMEM; /* XXX? */ 1029 1030 if (!try_module_get(THIS_MODULE)) 1031 return ERR_PTR(err); 1032 if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL))) 1033 goto out_dec; 1034 INIT_HLIST_NODE(&gss_auth->hash); 1035 gss_auth->target_name = NULL; 1036 if (args->target_name) { 1037 gss_auth->target_name = kstrdup(args->target_name, GFP_KERNEL); 1038 if (gss_auth->target_name == NULL) 1039 goto err_free; 1040 } 1041 gss_auth->client = clnt; 1042 gss_auth->net = get_net_track(rpc_net_ns(clnt), &gss_auth->ns_tracker, 1043 GFP_KERNEL); 1044 err = -EINVAL; 1045 gss_auth->mech = gss_mech_get_by_pseudoflavor(flavor); 1046 if (!gss_auth->mech) 1047 goto err_put_net; 1048 gss_auth->service = gss_pseudoflavor_to_service(gss_auth->mech, flavor); 1049 if (gss_auth->service == 0) 1050 goto err_put_mech; 1051 if (!gssd_running(gss_auth->net)) 1052 goto err_put_mech; 1053 auth = &gss_auth->rpc_auth; 1054 auth->au_cslack = GSS_CRED_SLACK >> 2; 1055 BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE); 1056 auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2; 1057 auth->au_verfsize = GSS_VERF_SLACK >> 2; 1058 auth->au_ralign = GSS_VERF_SLACK >> 2; 1059 __set_bit(RPCAUTH_AUTH_UPDATE_SLACK, &auth->au_flags); 1060 auth->au_ops = &authgss_ops; 1061 auth->au_flavor = flavor; 1062 if (gss_pseudoflavor_to_datatouch(gss_auth->mech, flavor)) 1063 __set_bit(RPCAUTH_AUTH_DATATOUCH, &auth->au_flags); 1064 refcount_set(&auth->au_count, 1); 1065 kref_init(&gss_auth->kref); 1066 1067 err = rpcauth_init_credcache(auth); 1068 if (err) 1069 goto err_put_mech; 1070 /* 1071 * Note: if we created the old pipe first, then someone who 1072 * examined the directory at the right moment might conclude 1073 * that we supported only the old pipe. So we instead create 1074 * the new pipe first. 1075 */ 1076 gss_pipe = gss_pipe_get(clnt, "gssd", &gss_upcall_ops_v1); 1077 if (IS_ERR(gss_pipe)) { 1078 err = PTR_ERR(gss_pipe); 1079 goto err_destroy_credcache; 1080 } 1081 gss_auth->gss_pipe[1] = gss_pipe; 1082 1083 gss_pipe = gss_pipe_get(clnt, gss_auth->mech->gm_name, 1084 &gss_upcall_ops_v0); 1085 if (IS_ERR(gss_pipe)) { 1086 err = PTR_ERR(gss_pipe); 1087 goto err_destroy_pipe_1; 1088 } 1089 gss_auth->gss_pipe[0] = gss_pipe; 1090 1091 return gss_auth; 1092 err_destroy_pipe_1: 1093 gss_pipe_free(gss_auth->gss_pipe[1]); 1094 err_destroy_credcache: 1095 rpcauth_destroy_credcache(auth); 1096 err_put_mech: 1097 gss_mech_put(gss_auth->mech); 1098 err_put_net: 1099 put_net_track(gss_auth->net, &gss_auth->ns_tracker); 1100 err_free: 1101 kfree(gss_auth->target_name); 1102 kfree(gss_auth); 1103 out_dec: 1104 module_put(THIS_MODULE); 1105 trace_rpcgss_createauth(flavor, err); 1106 return ERR_PTR(err); 1107 } 1108 1109 static void 1110 gss_free(struct gss_auth *gss_auth) 1111 { 1112 gss_pipe_free(gss_auth->gss_pipe[0]); 1113 gss_pipe_free(gss_auth->gss_pipe[1]); 1114 gss_mech_put(gss_auth->mech); 1115 put_net_track(gss_auth->net, &gss_auth->ns_tracker); 1116 kfree(gss_auth->target_name); 1117 1118 kfree(gss_auth); 1119 module_put(THIS_MODULE); 1120 } 1121 1122 static void 1123 gss_free_callback(struct kref *kref) 1124 { 1125 struct gss_auth *gss_auth = container_of(kref, struct gss_auth, kref); 1126 1127 gss_free(gss_auth); 1128 } 1129 1130 static void 1131 gss_put_auth(struct gss_auth *gss_auth) 1132 { 1133 kref_put(&gss_auth->kref, gss_free_callback); 1134 } 1135 1136 static void 1137 gss_destroy(struct rpc_auth *auth) 1138 { 1139 struct gss_auth *gss_auth = container_of(auth, 1140 struct gss_auth, rpc_auth); 1141 1142 if (hash_hashed(&gss_auth->hash)) { 1143 spin_lock(&gss_auth_hash_lock); 1144 hash_del(&gss_auth->hash); 1145 spin_unlock(&gss_auth_hash_lock); 1146 } 1147 1148 gss_pipe_free(gss_auth->gss_pipe[0]); 1149 gss_auth->gss_pipe[0] = NULL; 1150 gss_pipe_free(gss_auth->gss_pipe[1]); 1151 gss_auth->gss_pipe[1] = NULL; 1152 rpcauth_destroy_credcache(auth); 1153 1154 gss_put_auth(gss_auth); 1155 } 1156 1157 /* 1158 * Auths may be shared between rpc clients that were cloned from a 1159 * common client with the same xprt, if they also share the flavor and 1160 * target_name. 1161 * 1162 * The auth is looked up from the oldest parent sharing the same 1163 * cl_xprt, and the auth itself references only that common parent 1164 * (which is guaranteed to last as long as any of its descendants). 1165 */ 1166 static struct gss_auth * 1167 gss_auth_find_or_add_hashed(const struct rpc_auth_create_args *args, 1168 struct rpc_clnt *clnt, 1169 struct gss_auth *new) 1170 { 1171 struct gss_auth *gss_auth; 1172 unsigned long hashval = (unsigned long)clnt; 1173 1174 spin_lock(&gss_auth_hash_lock); 1175 hash_for_each_possible(gss_auth_hash_table, 1176 gss_auth, 1177 hash, 1178 hashval) { 1179 if (gss_auth->client != clnt) 1180 continue; 1181 if (gss_auth->rpc_auth.au_flavor != args->pseudoflavor) 1182 continue; 1183 if (gss_auth->target_name != args->target_name) { 1184 if (gss_auth->target_name == NULL) 1185 continue; 1186 if (args->target_name == NULL) 1187 continue; 1188 if (strcmp(gss_auth->target_name, args->target_name)) 1189 continue; 1190 } 1191 if (!refcount_inc_not_zero(&gss_auth->rpc_auth.au_count)) 1192 continue; 1193 goto out; 1194 } 1195 if (new) 1196 hash_add(gss_auth_hash_table, &new->hash, hashval); 1197 gss_auth = new; 1198 out: 1199 spin_unlock(&gss_auth_hash_lock); 1200 return gss_auth; 1201 } 1202 1203 static struct gss_auth * 1204 gss_create_hashed(const struct rpc_auth_create_args *args, 1205 struct rpc_clnt *clnt) 1206 { 1207 struct gss_auth *gss_auth; 1208 struct gss_auth *new; 1209 1210 gss_auth = gss_auth_find_or_add_hashed(args, clnt, NULL); 1211 if (gss_auth != NULL) 1212 goto out; 1213 new = gss_create_new(args, clnt); 1214 if (IS_ERR(new)) 1215 return new; 1216 gss_auth = gss_auth_find_or_add_hashed(args, clnt, new); 1217 if (gss_auth != new) 1218 gss_destroy(&new->rpc_auth); 1219 out: 1220 return gss_auth; 1221 } 1222 1223 static struct rpc_auth * 1224 gss_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) 1225 { 1226 struct gss_auth *gss_auth; 1227 struct rpc_xprt_switch *xps = rcu_access_pointer(clnt->cl_xpi.xpi_xpswitch); 1228 1229 while (clnt != clnt->cl_parent) { 1230 struct rpc_clnt *parent = clnt->cl_parent; 1231 /* Find the original parent for this transport */ 1232 if (rcu_access_pointer(parent->cl_xpi.xpi_xpswitch) != xps) 1233 break; 1234 clnt = parent; 1235 } 1236 1237 gss_auth = gss_create_hashed(args, clnt); 1238 if (IS_ERR(gss_auth)) 1239 return ERR_CAST(gss_auth); 1240 return &gss_auth->rpc_auth; 1241 } 1242 1243 static struct gss_cred * 1244 gss_dup_cred(struct gss_auth *gss_auth, struct gss_cred *gss_cred) 1245 { 1246 struct gss_cred *new; 1247 1248 /* Make a copy of the cred so that we can reference count it */ 1249 new = kzalloc(sizeof(*gss_cred), GFP_KERNEL); 1250 if (new) { 1251 struct auth_cred acred = { 1252 .cred = gss_cred->gc_base.cr_cred, 1253 }; 1254 struct gss_cl_ctx *ctx = 1255 rcu_dereference_protected(gss_cred->gc_ctx, 1); 1256 1257 rpcauth_init_cred(&new->gc_base, &acred, 1258 &gss_auth->rpc_auth, 1259 &gss_nullops); 1260 new->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; 1261 new->gc_service = gss_cred->gc_service; 1262 new->gc_principal = gss_cred->gc_principal; 1263 kref_get(&gss_auth->kref); 1264 rcu_assign_pointer(new->gc_ctx, ctx); 1265 gss_get_ctx(ctx); 1266 } 1267 return new; 1268 } 1269 1270 /* 1271 * gss_send_destroy_context will cause the RPCSEC_GSS to send a NULL RPC call 1272 * to the server with the GSS control procedure field set to 1273 * RPC_GSS_PROC_DESTROY. This should normally cause the server to release 1274 * all RPCSEC_GSS state associated with that context. 1275 */ 1276 static void 1277 gss_send_destroy_context(struct rpc_cred *cred) 1278 { 1279 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 1280 struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth); 1281 struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1); 1282 struct gss_cred *new; 1283 struct rpc_task *task; 1284 1285 new = gss_dup_cred(gss_auth, gss_cred); 1286 if (new) { 1287 ctx->gc_proc = RPC_GSS_PROC_DESTROY; 1288 1289 trace_rpcgss_ctx_destroy(gss_cred); 1290 task = rpc_call_null(gss_auth->client, &new->gc_base, 1291 RPC_TASK_ASYNC); 1292 if (!IS_ERR(task)) 1293 rpc_put_task(task); 1294 1295 put_rpccred(&new->gc_base); 1296 } 1297 } 1298 1299 /* gss_destroy_cred (and gss_free_ctx) are used to clean up after failure 1300 * to create a new cred or context, so they check that things have been 1301 * allocated before freeing them. */ 1302 static void 1303 gss_do_free_ctx(struct gss_cl_ctx *ctx) 1304 { 1305 gss_delete_sec_context(&ctx->gc_gss_ctx); 1306 kfree(ctx->gc_wire_ctx.data); 1307 kfree(ctx->gc_acceptor.data); 1308 kfree(ctx); 1309 } 1310 1311 static void 1312 gss_free_ctx_callback(struct rcu_head *head) 1313 { 1314 struct gss_cl_ctx *ctx = container_of(head, struct gss_cl_ctx, gc_rcu); 1315 gss_do_free_ctx(ctx); 1316 } 1317 1318 static void 1319 gss_free_ctx(struct gss_cl_ctx *ctx) 1320 { 1321 call_rcu(&ctx->gc_rcu, gss_free_ctx_callback); 1322 } 1323 1324 static void 1325 gss_free_cred(struct gss_cred *gss_cred) 1326 { 1327 kfree(gss_cred); 1328 } 1329 1330 static void 1331 gss_free_cred_callback(struct rcu_head *head) 1332 { 1333 struct gss_cred *gss_cred = container_of(head, struct gss_cred, gc_base.cr_rcu); 1334 gss_free_cred(gss_cred); 1335 } 1336 1337 static void 1338 gss_destroy_nullcred(struct rpc_cred *cred) 1339 { 1340 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 1341 struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth); 1342 struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1); 1343 1344 RCU_INIT_POINTER(gss_cred->gc_ctx, NULL); 1345 put_cred(cred->cr_cred); 1346 call_rcu(&cred->cr_rcu, gss_free_cred_callback); 1347 if (ctx) 1348 gss_put_ctx(ctx); 1349 gss_put_auth(gss_auth); 1350 } 1351 1352 static void 1353 gss_destroy_cred(struct rpc_cred *cred) 1354 { 1355 if (test_and_clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) 1356 gss_send_destroy_context(cred); 1357 gss_destroy_nullcred(cred); 1358 } 1359 1360 static int 1361 gss_hash_cred(struct auth_cred *acred, unsigned int hashbits) 1362 { 1363 return hash_64(from_kuid(&init_user_ns, acred->cred->fsuid), hashbits); 1364 } 1365 1366 /* 1367 * Lookup RPCSEC_GSS cred for the current process 1368 */ 1369 static struct rpc_cred *gss_lookup_cred(struct rpc_auth *auth, 1370 struct auth_cred *acred, int flags) 1371 { 1372 return rpcauth_lookup_credcache(auth, acred, flags, 1373 rpc_task_gfp_mask()); 1374 } 1375 1376 static struct rpc_cred * 1377 gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags, gfp_t gfp) 1378 { 1379 struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth); 1380 struct gss_cred *cred = NULL; 1381 int err = -ENOMEM; 1382 1383 if (!(cred = kzalloc(sizeof(*cred), gfp))) 1384 goto out_err; 1385 1386 rpcauth_init_cred(&cred->gc_base, acred, auth, &gss_credops); 1387 /* 1388 * Note: in order to force a call to call_refresh(), we deliberately 1389 * fail to flag the credential as RPCAUTH_CRED_UPTODATE. 1390 */ 1391 cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW; 1392 cred->gc_service = gss_auth->service; 1393 cred->gc_principal = acred->principal; 1394 kref_get(&gss_auth->kref); 1395 return &cred->gc_base; 1396 1397 out_err: 1398 return ERR_PTR(err); 1399 } 1400 1401 static int 1402 gss_cred_init(struct rpc_auth *auth, struct rpc_cred *cred) 1403 { 1404 struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth); 1405 struct gss_cred *gss_cred = container_of(cred,struct gss_cred, gc_base); 1406 int err; 1407 1408 do { 1409 err = gss_create_upcall(gss_auth, gss_cred); 1410 } while (err == -EAGAIN); 1411 return err; 1412 } 1413 1414 static char * 1415 gss_stringify_acceptor(struct rpc_cred *cred) 1416 { 1417 char *string = NULL; 1418 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 1419 struct gss_cl_ctx *ctx; 1420 unsigned int len; 1421 struct xdr_netobj *acceptor; 1422 1423 rcu_read_lock(); 1424 ctx = rcu_dereference(gss_cred->gc_ctx); 1425 if (!ctx) 1426 goto out; 1427 1428 len = ctx->gc_acceptor.len; 1429 rcu_read_unlock(); 1430 1431 /* no point if there's no string */ 1432 if (!len) 1433 return NULL; 1434 realloc: 1435 string = kmalloc(len + 1, GFP_KERNEL); 1436 if (!string) 1437 return NULL; 1438 1439 rcu_read_lock(); 1440 ctx = rcu_dereference(gss_cred->gc_ctx); 1441 1442 /* did the ctx disappear or was it replaced by one with no acceptor? */ 1443 if (!ctx || !ctx->gc_acceptor.len) { 1444 kfree(string); 1445 string = NULL; 1446 goto out; 1447 } 1448 1449 acceptor = &ctx->gc_acceptor; 1450 1451 /* 1452 * Did we find a new acceptor that's longer than the original? Allocate 1453 * a longer buffer and try again. 1454 */ 1455 if (len < acceptor->len) { 1456 len = acceptor->len; 1457 rcu_read_unlock(); 1458 kfree(string); 1459 goto realloc; 1460 } 1461 1462 memcpy(string, acceptor->data, acceptor->len); 1463 string[acceptor->len] = '\0'; 1464 out: 1465 rcu_read_unlock(); 1466 return string; 1467 } 1468 1469 /* 1470 * Returns -EACCES if GSS context is NULL or will expire within the 1471 * timeout (miliseconds) 1472 */ 1473 static int 1474 gss_key_timeout(struct rpc_cred *rc) 1475 { 1476 struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base); 1477 struct gss_cl_ctx *ctx; 1478 unsigned long timeout = jiffies + (gss_key_expire_timeo * HZ); 1479 int ret = 0; 1480 1481 rcu_read_lock(); 1482 ctx = rcu_dereference(gss_cred->gc_ctx); 1483 if (!ctx || time_after(timeout, ctx->gc_expiry)) 1484 ret = -EACCES; 1485 rcu_read_unlock(); 1486 1487 return ret; 1488 } 1489 1490 static int 1491 gss_match(struct auth_cred *acred, struct rpc_cred *rc, int flags) 1492 { 1493 struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base); 1494 struct gss_cl_ctx *ctx; 1495 int ret; 1496 1497 if (test_bit(RPCAUTH_CRED_NEW, &rc->cr_flags)) 1498 goto out; 1499 /* Don't match with creds that have expired. */ 1500 rcu_read_lock(); 1501 ctx = rcu_dereference(gss_cred->gc_ctx); 1502 if (!ctx || time_after(jiffies, ctx->gc_expiry)) { 1503 rcu_read_unlock(); 1504 return 0; 1505 } 1506 rcu_read_unlock(); 1507 if (!test_bit(RPCAUTH_CRED_UPTODATE, &rc->cr_flags)) 1508 return 0; 1509 out: 1510 if (acred->principal != NULL) { 1511 if (gss_cred->gc_principal == NULL) 1512 return 0; 1513 ret = strcmp(acred->principal, gss_cred->gc_principal) == 0; 1514 } else { 1515 if (gss_cred->gc_principal != NULL) 1516 return 0; 1517 ret = uid_eq(rc->cr_cred->fsuid, acred->cred->fsuid); 1518 } 1519 return ret; 1520 } 1521 1522 /* 1523 * Marshal credentials. 1524 * 1525 * The expensive part is computing the verifier. We can't cache a 1526 * pre-computed version of the verifier because the seqno, which 1527 * is different every time, is included in the MIC. 1528 */ 1529 static int gss_marshal(struct rpc_task *task, struct xdr_stream *xdr) 1530 { 1531 struct rpc_rqst *req = task->tk_rqstp; 1532 struct rpc_cred *cred = req->rq_cred; 1533 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, 1534 gc_base); 1535 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 1536 __be32 *p, *cred_len; 1537 u32 maj_stat = 0; 1538 struct xdr_netobj mic; 1539 struct kvec iov; 1540 struct xdr_buf verf_buf; 1541 int status; 1542 u32 seqno; 1543 1544 /* Credential */ 1545 1546 p = xdr_reserve_space(xdr, 7 * sizeof(*p) + 1547 ctx->gc_wire_ctx.len); 1548 if (!p) 1549 goto marshal_failed; 1550 *p++ = rpc_auth_gss; 1551 cred_len = p++; 1552 1553 spin_lock(&ctx->gc_seq_lock); 1554 seqno = (ctx->gc_seq < MAXSEQ) ? ctx->gc_seq++ : MAXSEQ; 1555 xprt_rqst_add_seqno(req, seqno); 1556 spin_unlock(&ctx->gc_seq_lock); 1557 if (*req->rq_seqnos == MAXSEQ) 1558 goto expired; 1559 trace_rpcgss_seqno(task); 1560 1561 *p++ = cpu_to_be32(RPC_GSS_VERSION); 1562 *p++ = cpu_to_be32(ctx->gc_proc); 1563 *p++ = cpu_to_be32(*req->rq_seqnos); 1564 *p++ = cpu_to_be32(gss_cred->gc_service); 1565 p = xdr_encode_netobj(p, &ctx->gc_wire_ctx); 1566 *cred_len = cpu_to_be32((p - (cred_len + 1)) << 2); 1567 1568 /* Verifier */ 1569 1570 /* We compute the checksum for the verifier over the xdr-encoded bytes 1571 * starting with the xid and ending at the end of the credential: */ 1572 iov.iov_base = req->rq_snd_buf.head[0].iov_base; 1573 iov.iov_len = (u8 *)p - (u8 *)iov.iov_base; 1574 xdr_buf_from_iov(&iov, &verf_buf); 1575 1576 p = xdr_reserve_space(xdr, sizeof(*p)); 1577 if (!p) 1578 goto marshal_failed; 1579 *p++ = rpc_auth_gss; 1580 mic.data = (u8 *)(p + 1); 1581 maj_stat = gss_get_mic(ctx->gc_gss_ctx, &verf_buf, &mic); 1582 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1583 goto expired; 1584 else if (maj_stat != 0) 1585 goto bad_mic; 1586 if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0) 1587 goto marshal_failed; 1588 status = 0; 1589 out: 1590 gss_put_ctx(ctx); 1591 return status; 1592 expired: 1593 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1594 status = -EKEYEXPIRED; 1595 goto out; 1596 marshal_failed: 1597 status = -EMSGSIZE; 1598 goto out; 1599 bad_mic: 1600 trace_rpcgss_get_mic(task, maj_stat); 1601 status = -EIO; 1602 goto out; 1603 } 1604 1605 static int gss_renew_cred(struct rpc_task *task) 1606 { 1607 struct rpc_cred *oldcred = task->tk_rqstp->rq_cred; 1608 struct gss_cred *gss_cred = container_of(oldcred, 1609 struct gss_cred, 1610 gc_base); 1611 struct rpc_auth *auth = oldcred->cr_auth; 1612 struct auth_cred acred = { 1613 .cred = oldcred->cr_cred, 1614 .principal = gss_cred->gc_principal, 1615 }; 1616 struct rpc_cred *new; 1617 1618 new = gss_lookup_cred(auth, &acred, RPCAUTH_LOOKUP_NEW); 1619 if (IS_ERR(new)) 1620 return PTR_ERR(new); 1621 1622 task->tk_rqstp->rq_cred = new; 1623 put_rpccred(oldcred); 1624 return 0; 1625 } 1626 1627 static int gss_cred_is_negative_entry(struct rpc_cred *cred) 1628 { 1629 if (test_bit(RPCAUTH_CRED_NEGATIVE, &cred->cr_flags)) { 1630 unsigned long now = jiffies; 1631 unsigned long begin, expire; 1632 struct gss_cred *gss_cred; 1633 1634 gss_cred = container_of(cred, struct gss_cred, gc_base); 1635 begin = gss_cred->gc_upcall_timestamp; 1636 expire = begin + gss_expired_cred_retry_delay * HZ; 1637 1638 if (time_in_range_open(now, begin, expire)) 1639 return 1; 1640 } 1641 return 0; 1642 } 1643 1644 /* 1645 * Refresh credentials. XXX - finish 1646 */ 1647 static int 1648 gss_refresh(struct rpc_task *task) 1649 { 1650 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 1651 int ret = 0; 1652 1653 if (gss_cred_is_negative_entry(cred)) 1654 return -EKEYEXPIRED; 1655 1656 if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) && 1657 !test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags)) { 1658 ret = gss_renew_cred(task); 1659 if (ret < 0) 1660 goto out; 1661 cred = task->tk_rqstp->rq_cred; 1662 } 1663 1664 if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags)) 1665 ret = gss_refresh_upcall(task); 1666 out: 1667 return ret; 1668 } 1669 1670 /* Dummy refresh routine: used only when destroying the context */ 1671 static int 1672 gss_refresh_null(struct rpc_task *task) 1673 { 1674 return 0; 1675 } 1676 1677 static u32 1678 gss_validate_seqno_mic(struct gss_cl_ctx *ctx, u32 seqno, __be32 *seq, __be32 *p, u32 len) 1679 { 1680 struct kvec iov; 1681 struct xdr_buf verf_buf; 1682 struct xdr_netobj mic; 1683 1684 *seq = cpu_to_be32(seqno); 1685 iov.iov_base = seq; 1686 iov.iov_len = 4; 1687 xdr_buf_from_iov(&iov, &verf_buf); 1688 mic.data = (u8 *)p; 1689 mic.len = len; 1690 return gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic); 1691 } 1692 1693 static int 1694 gss_validate(struct rpc_task *task, struct xdr_stream *xdr) 1695 { 1696 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 1697 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 1698 __be32 *p, *seq = NULL; 1699 u32 len, maj_stat; 1700 int status; 1701 int i = 1; /* don't recheck the first item */ 1702 1703 p = xdr_inline_decode(xdr, 2 * sizeof(*p)); 1704 if (!p) 1705 goto validate_failed; 1706 if (*p++ != rpc_auth_gss) 1707 goto validate_failed; 1708 len = be32_to_cpup(p); 1709 if (len > RPC_MAX_AUTH_SIZE) 1710 goto validate_failed; 1711 p = xdr_inline_decode(xdr, len); 1712 if (!p) 1713 goto validate_failed; 1714 1715 seq = kmalloc(4, GFP_KERNEL); 1716 if (!seq) 1717 goto validate_failed; 1718 maj_stat = gss_validate_seqno_mic(ctx, task->tk_rqstp->rq_seqnos[0], seq, p, len); 1719 /* RFC 2203 5.3.3.1 - compute the checksum of each sequence number in the cache */ 1720 while (unlikely(maj_stat == GSS_S_BAD_SIG && i < task->tk_rqstp->rq_seqno_count)) 1721 maj_stat = gss_validate_seqno_mic(ctx, task->tk_rqstp->rq_seqnos[i++], seq, p, len); 1722 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1723 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1724 if (maj_stat) 1725 goto bad_mic; 1726 1727 /* We leave it to unwrap to calculate au_rslack. For now we just 1728 * calculate the length of the verifier: */ 1729 if (test_bit(RPCAUTH_AUTH_UPDATE_SLACK, &cred->cr_auth->au_flags)) 1730 cred->cr_auth->au_verfsize = XDR_QUADLEN(len) + 2; 1731 status = 0; 1732 out: 1733 gss_put_ctx(ctx); 1734 kfree(seq); 1735 return status; 1736 1737 validate_failed: 1738 status = -EIO; 1739 goto out; 1740 bad_mic: 1741 trace_rpcgss_verify_mic(task, maj_stat); 1742 status = -EACCES; 1743 goto out; 1744 } 1745 1746 static noinline_for_stack int 1747 gss_wrap_req_integ(struct rpc_cred *cred, struct gss_cl_ctx *ctx, 1748 struct rpc_task *task, struct xdr_stream *xdr) 1749 { 1750 struct rpc_rqst *rqstp = task->tk_rqstp; 1751 struct xdr_buf integ_buf, *snd_buf = &rqstp->rq_snd_buf; 1752 struct xdr_netobj mic; 1753 __be32 *p, *integ_len; 1754 u32 offset, maj_stat; 1755 1756 p = xdr_reserve_space(xdr, 2 * sizeof(*p)); 1757 if (!p) 1758 goto wrap_failed; 1759 integ_len = p++; 1760 *p = cpu_to_be32(*rqstp->rq_seqnos); 1761 1762 if (rpcauth_wrap_req_encode(task, xdr)) 1763 goto wrap_failed; 1764 1765 offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base; 1766 if (xdr_buf_subsegment(snd_buf, &integ_buf, 1767 offset, snd_buf->len - offset)) 1768 goto wrap_failed; 1769 *integ_len = cpu_to_be32(integ_buf.len); 1770 1771 p = xdr_reserve_space(xdr, 0); 1772 if (!p) 1773 goto wrap_failed; 1774 mic.data = (u8 *)(p + 1); 1775 maj_stat = gss_get_mic(ctx->gc_gss_ctx, &integ_buf, &mic); 1776 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1777 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1778 else if (maj_stat) 1779 goto bad_mic; 1780 /* Check that the trailing MIC fit in the buffer, after the fact */ 1781 if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0) 1782 goto wrap_failed; 1783 return 0; 1784 wrap_failed: 1785 return -EMSGSIZE; 1786 bad_mic: 1787 trace_rpcgss_get_mic(task, maj_stat); 1788 return -EIO; 1789 } 1790 1791 static void 1792 priv_release_snd_buf(struct rpc_rqst *rqstp) 1793 { 1794 int i; 1795 1796 for (i=0; i < rqstp->rq_enc_pages_num; i++) 1797 __free_page(rqstp->rq_enc_pages[i]); 1798 kfree(rqstp->rq_enc_pages); 1799 rqstp->rq_release_snd_buf = NULL; 1800 } 1801 1802 static int 1803 alloc_enc_pages(struct rpc_rqst *rqstp) 1804 { 1805 struct xdr_buf *snd_buf = &rqstp->rq_snd_buf; 1806 int first, last, i; 1807 1808 if (rqstp->rq_release_snd_buf) 1809 rqstp->rq_release_snd_buf(rqstp); 1810 1811 if (snd_buf->page_len == 0) { 1812 rqstp->rq_enc_pages_num = 0; 1813 return 0; 1814 } 1815 1816 first = snd_buf->page_base >> PAGE_SHIFT; 1817 last = (snd_buf->page_base + snd_buf->page_len - 1) >> PAGE_SHIFT; 1818 rqstp->rq_enc_pages_num = last - first + 1 + 1; 1819 rqstp->rq_enc_pages 1820 = kmalloc_array(rqstp->rq_enc_pages_num, 1821 sizeof(struct page *), 1822 GFP_KERNEL); 1823 if (!rqstp->rq_enc_pages) 1824 goto out; 1825 for (i=0; i < rqstp->rq_enc_pages_num; i++) { 1826 rqstp->rq_enc_pages[i] = alloc_page(GFP_KERNEL); 1827 if (rqstp->rq_enc_pages[i] == NULL) 1828 goto out_free; 1829 } 1830 rqstp->rq_release_snd_buf = priv_release_snd_buf; 1831 return 0; 1832 out_free: 1833 rqstp->rq_enc_pages_num = i; 1834 priv_release_snd_buf(rqstp); 1835 out: 1836 return -EAGAIN; 1837 } 1838 1839 static noinline_for_stack int 1840 gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx, 1841 struct rpc_task *task, struct xdr_stream *xdr) 1842 { 1843 struct rpc_rqst *rqstp = task->tk_rqstp; 1844 struct xdr_buf *snd_buf = &rqstp->rq_snd_buf; 1845 u32 pad, offset, maj_stat; 1846 int status; 1847 __be32 *p, *opaque_len; 1848 struct page **inpages; 1849 int first; 1850 struct kvec *iov; 1851 1852 status = -EIO; 1853 p = xdr_reserve_space(xdr, 2 * sizeof(*p)); 1854 if (!p) 1855 goto wrap_failed; 1856 opaque_len = p++; 1857 *p = cpu_to_be32(*rqstp->rq_seqnos); 1858 1859 if (rpcauth_wrap_req_encode(task, xdr)) 1860 goto wrap_failed; 1861 1862 status = alloc_enc_pages(rqstp); 1863 if (unlikely(status)) 1864 goto wrap_failed; 1865 first = snd_buf->page_base >> PAGE_SHIFT; 1866 inpages = snd_buf->pages + first; 1867 snd_buf->pages = rqstp->rq_enc_pages; 1868 snd_buf->page_base -= first << PAGE_SHIFT; 1869 /* 1870 * Move the tail into its own page, in case gss_wrap needs 1871 * more space in the head when wrapping. 1872 * 1873 * Still... Why can't gss_wrap just slide the tail down? 1874 */ 1875 if (snd_buf->page_len || snd_buf->tail[0].iov_len) { 1876 char *tmp; 1877 1878 tmp = page_address(rqstp->rq_enc_pages[rqstp->rq_enc_pages_num - 1]); 1879 memcpy(tmp, snd_buf->tail[0].iov_base, snd_buf->tail[0].iov_len); 1880 snd_buf->tail[0].iov_base = tmp; 1881 } 1882 offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base; 1883 maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages); 1884 /* slack space should prevent this ever happening: */ 1885 if (unlikely(snd_buf->len > snd_buf->buflen)) { 1886 status = -EIO; 1887 goto wrap_failed; 1888 } 1889 /* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was 1890 * done anyway, so it's safe to put the request on the wire: */ 1891 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1892 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1893 else if (maj_stat) 1894 goto bad_wrap; 1895 1896 *opaque_len = cpu_to_be32(snd_buf->len - offset); 1897 /* guess whether the pad goes into the head or the tail: */ 1898 if (snd_buf->page_len || snd_buf->tail[0].iov_len) 1899 iov = snd_buf->tail; 1900 else 1901 iov = snd_buf->head; 1902 p = iov->iov_base + iov->iov_len; 1903 pad = xdr_pad_size(snd_buf->len - offset); 1904 memset(p, 0, pad); 1905 iov->iov_len += pad; 1906 snd_buf->len += pad; 1907 1908 return 0; 1909 wrap_failed: 1910 return status; 1911 bad_wrap: 1912 trace_rpcgss_wrap(task, maj_stat); 1913 return -EIO; 1914 } 1915 1916 static int gss_wrap_req(struct rpc_task *task, struct xdr_stream *xdr) 1917 { 1918 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 1919 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, 1920 gc_base); 1921 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 1922 int status; 1923 1924 status = -EIO; 1925 if (ctx->gc_proc != RPC_GSS_PROC_DATA) { 1926 /* The spec seems a little ambiguous here, but I think that not 1927 * wrapping context destruction requests makes the most sense. 1928 */ 1929 status = rpcauth_wrap_req_encode(task, xdr); 1930 goto out; 1931 } 1932 switch (gss_cred->gc_service) { 1933 case RPC_GSS_SVC_NONE: 1934 status = rpcauth_wrap_req_encode(task, xdr); 1935 break; 1936 case RPC_GSS_SVC_INTEGRITY: 1937 status = gss_wrap_req_integ(cred, ctx, task, xdr); 1938 break; 1939 case RPC_GSS_SVC_PRIVACY: 1940 status = gss_wrap_req_priv(cred, ctx, task, xdr); 1941 break; 1942 default: 1943 status = -EIO; 1944 } 1945 out: 1946 gss_put_ctx(ctx); 1947 return status; 1948 } 1949 1950 /** 1951 * gss_update_rslack - Possibly update RPC receive buffer size estimates 1952 * @task: rpc_task for incoming RPC Reply being unwrapped 1953 * @cred: controlling rpc_cred for @task 1954 * @before: XDR words needed before each RPC Reply message 1955 * @after: XDR words needed following each RPC Reply message 1956 * 1957 */ 1958 static void gss_update_rslack(struct rpc_task *task, struct rpc_cred *cred, 1959 unsigned int before, unsigned int after) 1960 { 1961 struct rpc_auth *auth = cred->cr_auth; 1962 1963 if (test_and_clear_bit(RPCAUTH_AUTH_UPDATE_SLACK, &auth->au_flags)) { 1964 auth->au_ralign = auth->au_verfsize + before; 1965 auth->au_rslack = auth->au_verfsize + after; 1966 trace_rpcgss_update_slack(task, auth); 1967 } 1968 } 1969 1970 static int 1971 gss_unwrap_resp_auth(struct rpc_task *task, struct rpc_cred *cred) 1972 { 1973 gss_update_rslack(task, cred, 0, 0); 1974 return 0; 1975 } 1976 1977 /* 1978 * RFC 2203, Section 5.3.2.2 1979 * 1980 * struct rpc_gss_integ_data { 1981 * opaque databody_integ<>; 1982 * opaque checksum<>; 1983 * }; 1984 * 1985 * struct rpc_gss_data_t { 1986 * unsigned int seq_num; 1987 * proc_req_arg_t arg; 1988 * }; 1989 */ 1990 static noinline_for_stack int 1991 gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, 1992 struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp, 1993 struct xdr_stream *xdr) 1994 { 1995 struct xdr_buf gss_data, *rcv_buf = &rqstp->rq_rcv_buf; 1996 u32 len, offset, seqno, maj_stat; 1997 struct xdr_netobj mic; 1998 int ret; 1999 2000 ret = -EIO; 2001 mic.data = NULL; 2002 2003 /* opaque databody_integ<>; */ 2004 if (xdr_stream_decode_u32(xdr, &len)) 2005 goto unwrap_failed; 2006 if (len & 3) 2007 goto unwrap_failed; 2008 offset = rcv_buf->len - xdr_stream_remaining(xdr); 2009 if (xdr_stream_decode_u32(xdr, &seqno)) 2010 goto unwrap_failed; 2011 if (seqno != *rqstp->rq_seqnos) 2012 goto bad_seqno; 2013 if (xdr_buf_subsegment(rcv_buf, &gss_data, offset, len)) 2014 goto unwrap_failed; 2015 2016 /* 2017 * The xdr_stream now points to the beginning of the 2018 * upper layer payload, to be passed below to 2019 * rpcauth_unwrap_resp_decode(). The checksum, which 2020 * follows the upper layer payload in @rcv_buf, is 2021 * located and parsed without updating the xdr_stream. 2022 */ 2023 2024 /* opaque checksum<>; */ 2025 offset += len; 2026 if (xdr_decode_word(rcv_buf, offset, &len)) 2027 goto unwrap_failed; 2028 offset += sizeof(__be32); 2029 if (offset + len > rcv_buf->len) 2030 goto unwrap_failed; 2031 mic.len = len; 2032 mic.data = kmalloc(len, GFP_KERNEL); 2033 if (ZERO_OR_NULL_PTR(mic.data)) 2034 goto unwrap_failed; 2035 if (read_bytes_from_xdr_buf(rcv_buf, offset, mic.data, mic.len)) 2036 goto unwrap_failed; 2037 2038 maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &gss_data, &mic); 2039 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 2040 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 2041 if (maj_stat != GSS_S_COMPLETE) 2042 goto bad_mic; 2043 2044 gss_update_rslack(task, cred, 2, 2 + 1 + XDR_QUADLEN(mic.len)); 2045 ret = 0; 2046 2047 out: 2048 kfree(mic.data); 2049 return ret; 2050 2051 unwrap_failed: 2052 trace_rpcgss_unwrap_failed(task); 2053 goto out; 2054 bad_seqno: 2055 trace_rpcgss_bad_seqno(task, *rqstp->rq_seqnos, seqno); 2056 goto out; 2057 bad_mic: 2058 trace_rpcgss_verify_mic(task, maj_stat); 2059 goto out; 2060 } 2061 2062 static noinline_for_stack int 2063 gss_unwrap_resp_priv(struct rpc_task *task, struct rpc_cred *cred, 2064 struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp, 2065 struct xdr_stream *xdr) 2066 { 2067 struct xdr_buf *rcv_buf = &rqstp->rq_rcv_buf; 2068 struct kvec *head = rqstp->rq_rcv_buf.head; 2069 u32 offset, opaque_len, maj_stat; 2070 __be32 *p; 2071 2072 p = xdr_inline_decode(xdr, 2 * sizeof(*p)); 2073 if (unlikely(!p)) 2074 goto unwrap_failed; 2075 opaque_len = be32_to_cpup(p++); 2076 offset = (u8 *)(p) - (u8 *)head->iov_base; 2077 if (offset + opaque_len > rcv_buf->len) 2078 goto unwrap_failed; 2079 2080 maj_stat = gss_unwrap(ctx->gc_gss_ctx, offset, 2081 offset + opaque_len, rcv_buf); 2082 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 2083 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 2084 if (maj_stat != GSS_S_COMPLETE) 2085 goto bad_unwrap; 2086 /* gss_unwrap decrypted the sequence number */ 2087 if (be32_to_cpup(p++) != *rqstp->rq_seqnos) 2088 goto bad_seqno; 2089 2090 /* gss_unwrap redacts the opaque blob from the head iovec. 2091 * rcv_buf has changed, thus the stream needs to be reset. 2092 */ 2093 xdr_init_decode(xdr, rcv_buf, p, rqstp); 2094 2095 gss_update_rslack(task, cred, 2 + ctx->gc_gss_ctx->align, 2096 2 + ctx->gc_gss_ctx->slack); 2097 2098 return 0; 2099 unwrap_failed: 2100 trace_rpcgss_unwrap_failed(task); 2101 return -EIO; 2102 bad_seqno: 2103 trace_rpcgss_bad_seqno(task, *rqstp->rq_seqnos, be32_to_cpup(--p)); 2104 return -EIO; 2105 bad_unwrap: 2106 trace_rpcgss_unwrap(task, maj_stat); 2107 return -EIO; 2108 } 2109 2110 static bool 2111 gss_seq_is_newer(u32 new, u32 old) 2112 { 2113 return (s32)(new - old) > 0; 2114 } 2115 2116 static bool 2117 gss_xmit_need_reencode(struct rpc_task *task) 2118 { 2119 struct rpc_rqst *req = task->tk_rqstp; 2120 struct rpc_cred *cred = req->rq_cred; 2121 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 2122 u32 win, seq_xmit = 0; 2123 bool ret = true; 2124 2125 if (!ctx) 2126 goto out; 2127 2128 if (gss_seq_is_newer(*req->rq_seqnos, READ_ONCE(ctx->gc_seq))) 2129 goto out_ctx; 2130 2131 seq_xmit = READ_ONCE(ctx->gc_seq_xmit); 2132 while (gss_seq_is_newer(*req->rq_seqnos, seq_xmit)) { 2133 u32 tmp = seq_xmit; 2134 2135 seq_xmit = cmpxchg(&ctx->gc_seq_xmit, tmp, *req->rq_seqnos); 2136 if (seq_xmit == tmp) { 2137 ret = false; 2138 goto out_ctx; 2139 } 2140 } 2141 2142 win = ctx->gc_win; 2143 if (win > 0) 2144 ret = !gss_seq_is_newer(*req->rq_seqnos, seq_xmit - win); 2145 2146 out_ctx: 2147 gss_put_ctx(ctx); 2148 out: 2149 trace_rpcgss_need_reencode(task, seq_xmit, ret); 2150 return ret; 2151 } 2152 2153 static int 2154 gss_unwrap_resp(struct rpc_task *task, struct xdr_stream *xdr) 2155 { 2156 struct rpc_rqst *rqstp = task->tk_rqstp; 2157 struct rpc_cred *cred = rqstp->rq_cred; 2158 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, 2159 gc_base); 2160 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 2161 int status = -EIO; 2162 2163 if (ctx->gc_proc != RPC_GSS_PROC_DATA) 2164 goto out_decode; 2165 switch (gss_cred->gc_service) { 2166 case RPC_GSS_SVC_NONE: 2167 status = gss_unwrap_resp_auth(task, cred); 2168 break; 2169 case RPC_GSS_SVC_INTEGRITY: 2170 status = gss_unwrap_resp_integ(task, cred, ctx, rqstp, xdr); 2171 break; 2172 case RPC_GSS_SVC_PRIVACY: 2173 status = gss_unwrap_resp_priv(task, cred, ctx, rqstp, xdr); 2174 break; 2175 } 2176 if (status) 2177 goto out; 2178 2179 out_decode: 2180 status = rpcauth_unwrap_resp_decode(task, xdr); 2181 out: 2182 gss_put_ctx(ctx); 2183 return status; 2184 } 2185 2186 static const struct rpc_authops authgss_ops = { 2187 .owner = THIS_MODULE, 2188 .au_flavor = RPC_AUTH_GSS, 2189 .au_name = "RPCSEC_GSS", 2190 .create = gss_create, 2191 .destroy = gss_destroy, 2192 .hash_cred = gss_hash_cred, 2193 .lookup_cred = gss_lookup_cred, 2194 .crcreate = gss_create_cred, 2195 .info2flavor = gss_mech_info2flavor, 2196 .flavor2info = gss_mech_flavor2info, 2197 }; 2198 2199 static const struct rpc_credops gss_credops = { 2200 .cr_name = "AUTH_GSS", 2201 .crdestroy = gss_destroy_cred, 2202 .cr_init = gss_cred_init, 2203 .crmatch = gss_match, 2204 .crmarshal = gss_marshal, 2205 .crrefresh = gss_refresh, 2206 .crvalidate = gss_validate, 2207 .crwrap_req = gss_wrap_req, 2208 .crunwrap_resp = gss_unwrap_resp, 2209 .crkey_timeout = gss_key_timeout, 2210 .crstringify_acceptor = gss_stringify_acceptor, 2211 .crneed_reencode = gss_xmit_need_reencode, 2212 }; 2213 2214 static const struct rpc_credops gss_nullops = { 2215 .cr_name = "AUTH_GSS", 2216 .crdestroy = gss_destroy_nullcred, 2217 .crmatch = gss_match, 2218 .crmarshal = gss_marshal, 2219 .crrefresh = gss_refresh_null, 2220 .crvalidate = gss_validate, 2221 .crwrap_req = gss_wrap_req, 2222 .crunwrap_resp = gss_unwrap_resp, 2223 .crstringify_acceptor = gss_stringify_acceptor, 2224 }; 2225 2226 static const struct rpc_pipe_ops gss_upcall_ops_v0 = { 2227 .upcall = gss_v0_upcall, 2228 .downcall = gss_pipe_downcall, 2229 .destroy_msg = gss_pipe_destroy_msg, 2230 .open_pipe = gss_pipe_open_v0, 2231 .release_pipe = gss_pipe_release, 2232 }; 2233 2234 static const struct rpc_pipe_ops gss_upcall_ops_v1 = { 2235 .upcall = gss_v1_upcall, 2236 .downcall = gss_pipe_downcall, 2237 .destroy_msg = gss_pipe_destroy_msg, 2238 .open_pipe = gss_pipe_open_v1, 2239 .release_pipe = gss_pipe_release, 2240 }; 2241 2242 static __net_init int rpcsec_gss_init_net(struct net *net) 2243 { 2244 return gss_svc_init_net(net); 2245 } 2246 2247 static __net_exit void rpcsec_gss_exit_net(struct net *net) 2248 { 2249 gss_svc_shutdown_net(net); 2250 } 2251 2252 static struct pernet_operations rpcsec_gss_net_ops = { 2253 .init = rpcsec_gss_init_net, 2254 .exit = rpcsec_gss_exit_net, 2255 }; 2256 2257 /* 2258 * Initialize RPCSEC_GSS module 2259 */ 2260 static int __init init_rpcsec_gss(void) 2261 { 2262 int err = 0; 2263 2264 err = rpcauth_register(&authgss_ops); 2265 if (err) 2266 goto out; 2267 err = gss_svc_init(); 2268 if (err) 2269 goto out_unregister; 2270 err = register_pernet_subsys(&rpcsec_gss_net_ops); 2271 if (err) 2272 goto out_svc_exit; 2273 rpc_init_wait_queue(&pipe_version_rpc_waitqueue, "gss pipe version"); 2274 return 0; 2275 out_svc_exit: 2276 gss_svc_shutdown(); 2277 out_unregister: 2278 rpcauth_unregister(&authgss_ops); 2279 out: 2280 return err; 2281 } 2282 2283 static void __exit exit_rpcsec_gss(void) 2284 { 2285 unregister_pernet_subsys(&rpcsec_gss_net_ops); 2286 gss_svc_shutdown(); 2287 rpcauth_unregister(&authgss_ops); 2288 rcu_barrier(); /* Wait for completion of call_rcu()'s */ 2289 } 2290 2291 MODULE_ALIAS("rpc-auth-6"); 2292 MODULE_DESCRIPTION("Sun RPC Kerberos RPCSEC_GSS client authentication"); 2293 MODULE_LICENSE("GPL"); 2294 module_param_named(expired_cred_retry_delay, 2295 gss_expired_cred_retry_delay, 2296 uint, 0644); 2297 MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until " 2298 "the RPC engine retries an expired credential"); 2299 2300 module_param_named(key_expire_timeo, 2301 gss_key_expire_timeo, 2302 uint, 0644); 2303 MODULE_PARM_DESC(key_expire_timeo, "Time (in seconds) at the end of a " 2304 "credential keys lifetime where the NFS layer cleans up " 2305 "prior to key expiration"); 2306 2307 module_init(init_rpcsec_gss) 2308 module_exit(exit_rpcsec_gss) 2309