1 // SPDX-License-Identifier: BSD-3-Clause 2 /* 3 * linux/net/sunrpc/auth_gss/auth_gss.c 4 * 5 * RPCSEC_GSS client authentication. 6 * 7 * Copyright (c) 2000 The Regents of the University of Michigan. 8 * All rights reserved. 9 * 10 * Dug Song <dugsong@monkey.org> 11 * Andy Adamson <andros@umich.edu> 12 */ 13 14 #include <linux/module.h> 15 #include <linux/init.h> 16 #include <linux/types.h> 17 #include <linux/slab.h> 18 #include <linux/sched.h> 19 #include <linux/pagemap.h> 20 #include <linux/sunrpc/clnt.h> 21 #include <linux/sunrpc/auth.h> 22 #include <linux/sunrpc/auth_gss.h> 23 #include <linux/sunrpc/svcauth_gss.h> 24 #include <linux/sunrpc/gss_err.h> 25 #include <linux/workqueue.h> 26 #include <linux/sunrpc/rpc_pipe_fs.h> 27 #include <linux/sunrpc/gss_api.h> 28 #include <linux/uaccess.h> 29 #include <linux/hashtable.h> 30 31 #include "../netns.h" 32 33 #include <trace/events/rpcgss.h> 34 35 static const struct rpc_authops authgss_ops; 36 37 static const struct rpc_credops gss_credops; 38 static const struct rpc_credops gss_nullops; 39 40 #define GSS_RETRY_EXPIRED 5 41 static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED; 42 43 #define GSS_KEY_EXPIRE_TIMEO 240 44 static unsigned int gss_key_expire_timeo = GSS_KEY_EXPIRE_TIMEO; 45 46 #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) 47 # define RPCDBG_FACILITY RPCDBG_AUTH 48 #endif 49 50 #define GSS_CRED_SLACK (RPC_MAX_AUTH_SIZE * 2) 51 /* length of a krb5 verifier (48), plus data added before arguments when 52 * using integrity (two 4-byte integers): */ 53 #define GSS_VERF_SLACK 100 54 55 static DEFINE_HASHTABLE(gss_auth_hash_table, 4); 56 static DEFINE_SPINLOCK(gss_auth_hash_lock); 57 58 struct gss_pipe { 59 struct rpc_pipe_dir_object pdo; 60 struct rpc_pipe *pipe; 61 struct rpc_clnt *clnt; 62 const char *name; 63 struct kref kref; 64 }; 65 66 struct gss_auth { 67 struct kref kref; 68 struct hlist_node hash; 69 struct rpc_auth rpc_auth; 70 struct gss_api_mech *mech; 71 enum rpc_gss_svc service; 72 struct rpc_clnt *client; 73 struct net *net; 74 /* 75 * There are two upcall pipes; dentry[1], named "gssd", is used 76 * for the new text-based upcall; dentry[0] is named after the 77 * mechanism (for example, "krb5") and exists for 78 * backwards-compatibility with older gssd's. 79 */ 80 struct gss_pipe *gss_pipe[2]; 81 const char *target_name; 82 }; 83 84 /* pipe_version >= 0 if and only if someone has a pipe open. */ 85 static DEFINE_SPINLOCK(pipe_version_lock); 86 static struct rpc_wait_queue pipe_version_rpc_waitqueue; 87 static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue); 88 static void gss_put_auth(struct gss_auth *gss_auth); 89 90 static void gss_free_ctx(struct gss_cl_ctx *); 91 static const struct rpc_pipe_ops gss_upcall_ops_v0; 92 static const struct rpc_pipe_ops gss_upcall_ops_v1; 93 94 static inline struct gss_cl_ctx * 95 gss_get_ctx(struct gss_cl_ctx *ctx) 96 { 97 refcount_inc(&ctx->count); 98 return ctx; 99 } 100 101 static inline void 102 gss_put_ctx(struct gss_cl_ctx *ctx) 103 { 104 if (refcount_dec_and_test(&ctx->count)) 105 gss_free_ctx(ctx); 106 } 107 108 /* gss_cred_set_ctx: 109 * called by gss_upcall_callback and gss_create_upcall in order 110 * to set the gss context. The actual exchange of an old context 111 * and a new one is protected by the pipe->lock. 112 */ 113 static void 114 gss_cred_set_ctx(struct rpc_cred *cred, struct gss_cl_ctx *ctx) 115 { 116 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 117 118 if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags)) 119 return; 120 gss_get_ctx(ctx); 121 rcu_assign_pointer(gss_cred->gc_ctx, ctx); 122 set_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 123 smp_mb__before_atomic(); 124 clear_bit(RPCAUTH_CRED_NEW, &cred->cr_flags); 125 } 126 127 static const void * 128 simple_get_bytes(const void *p, const void *end, void *res, size_t len) 129 { 130 const void *q = (const void *)((const char *)p + len); 131 if (unlikely(q > end || q < p)) 132 return ERR_PTR(-EFAULT); 133 memcpy(res, p, len); 134 return q; 135 } 136 137 static inline const void * 138 simple_get_netobj(const void *p, const void *end, struct xdr_netobj *dest) 139 { 140 const void *q; 141 unsigned int len; 142 143 p = simple_get_bytes(p, end, &len, sizeof(len)); 144 if (IS_ERR(p)) 145 return p; 146 q = (const void *)((const char *)p + len); 147 if (unlikely(q > end || q < p)) 148 return ERR_PTR(-EFAULT); 149 dest->data = kmemdup(p, len, GFP_NOFS); 150 if (unlikely(dest->data == NULL)) 151 return ERR_PTR(-ENOMEM); 152 dest->len = len; 153 return q; 154 } 155 156 static struct gss_cl_ctx * 157 gss_cred_get_ctx(struct rpc_cred *cred) 158 { 159 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 160 struct gss_cl_ctx *ctx = NULL; 161 162 rcu_read_lock(); 163 ctx = rcu_dereference(gss_cred->gc_ctx); 164 if (ctx) 165 gss_get_ctx(ctx); 166 rcu_read_unlock(); 167 return ctx; 168 } 169 170 static struct gss_cl_ctx * 171 gss_alloc_context(void) 172 { 173 struct gss_cl_ctx *ctx; 174 175 ctx = kzalloc(sizeof(*ctx), GFP_NOFS); 176 if (ctx != NULL) { 177 ctx->gc_proc = RPC_GSS_PROC_DATA; 178 ctx->gc_seq = 1; /* NetApp 6.4R1 doesn't accept seq. no. 0 */ 179 spin_lock_init(&ctx->gc_seq_lock); 180 refcount_set(&ctx->count,1); 181 } 182 return ctx; 183 } 184 185 #define GSSD_MIN_TIMEOUT (60 * 60) 186 static const void * 187 gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm) 188 { 189 const void *q; 190 unsigned int seclen; 191 unsigned int timeout; 192 unsigned long now = jiffies; 193 u32 window_size; 194 int ret; 195 196 /* First unsigned int gives the remaining lifetime in seconds of the 197 * credential - e.g. the remaining TGT lifetime for Kerberos or 198 * the -t value passed to GSSD. 199 */ 200 p = simple_get_bytes(p, end, &timeout, sizeof(timeout)); 201 if (IS_ERR(p)) 202 goto err; 203 if (timeout == 0) 204 timeout = GSSD_MIN_TIMEOUT; 205 ctx->gc_expiry = now + ((unsigned long)timeout * HZ); 206 /* Sequence number window. Determines the maximum number of 207 * simultaneous requests 208 */ 209 p = simple_get_bytes(p, end, &window_size, sizeof(window_size)); 210 if (IS_ERR(p)) 211 goto err; 212 ctx->gc_win = window_size; 213 /* gssd signals an error by passing ctx->gc_win = 0: */ 214 if (ctx->gc_win == 0) { 215 /* 216 * in which case, p points to an error code. Anything other 217 * than -EKEYEXPIRED gets converted to -EACCES. 218 */ 219 p = simple_get_bytes(p, end, &ret, sizeof(ret)); 220 if (!IS_ERR(p)) 221 p = (ret == -EKEYEXPIRED) ? ERR_PTR(-EKEYEXPIRED) : 222 ERR_PTR(-EACCES); 223 goto err; 224 } 225 /* copy the opaque wire context */ 226 p = simple_get_netobj(p, end, &ctx->gc_wire_ctx); 227 if (IS_ERR(p)) 228 goto err; 229 /* import the opaque security context */ 230 p = simple_get_bytes(p, end, &seclen, sizeof(seclen)); 231 if (IS_ERR(p)) 232 goto err; 233 q = (const void *)((const char *)p + seclen); 234 if (unlikely(q > end || q < p)) { 235 p = ERR_PTR(-EFAULT); 236 goto err; 237 } 238 ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS); 239 if (ret < 0) { 240 trace_rpcgss_import_ctx(ret); 241 p = ERR_PTR(ret); 242 goto err; 243 } 244 245 /* is there any trailing data? */ 246 if (q == end) { 247 p = q; 248 goto done; 249 } 250 251 /* pull in acceptor name (if there is one) */ 252 p = simple_get_netobj(q, end, &ctx->gc_acceptor); 253 if (IS_ERR(p)) 254 goto err; 255 done: 256 trace_rpcgss_context(ctx->gc_expiry, now, timeout, 257 ctx->gc_acceptor.len, ctx->gc_acceptor.data); 258 err: 259 return p; 260 } 261 262 /* XXX: Need some documentation about why UPCALL_BUF_LEN is so small. 263 * Is user space expecting no more than UPCALL_BUF_LEN bytes? 264 * Note that there are now _two_ NI_MAXHOST sized data items 265 * being passed in this string. 266 */ 267 #define UPCALL_BUF_LEN 256 268 269 struct gss_upcall_msg { 270 refcount_t count; 271 kuid_t uid; 272 struct rpc_pipe_msg msg; 273 struct list_head list; 274 struct gss_auth *auth; 275 struct rpc_pipe *pipe; 276 struct rpc_wait_queue rpc_waitqueue; 277 wait_queue_head_t waitqueue; 278 struct gss_cl_ctx *ctx; 279 char databuf[UPCALL_BUF_LEN]; 280 }; 281 282 static int get_pipe_version(struct net *net) 283 { 284 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 285 int ret; 286 287 spin_lock(&pipe_version_lock); 288 if (sn->pipe_version >= 0) { 289 atomic_inc(&sn->pipe_users); 290 ret = sn->pipe_version; 291 } else 292 ret = -EAGAIN; 293 spin_unlock(&pipe_version_lock); 294 return ret; 295 } 296 297 static void put_pipe_version(struct net *net) 298 { 299 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 300 301 if (atomic_dec_and_lock(&sn->pipe_users, &pipe_version_lock)) { 302 sn->pipe_version = -1; 303 spin_unlock(&pipe_version_lock); 304 } 305 } 306 307 static void 308 gss_release_msg(struct gss_upcall_msg *gss_msg) 309 { 310 struct net *net = gss_msg->auth->net; 311 if (!refcount_dec_and_test(&gss_msg->count)) 312 return; 313 put_pipe_version(net); 314 BUG_ON(!list_empty(&gss_msg->list)); 315 if (gss_msg->ctx != NULL) 316 gss_put_ctx(gss_msg->ctx); 317 rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue); 318 gss_put_auth(gss_msg->auth); 319 kfree(gss_msg); 320 } 321 322 static struct gss_upcall_msg * 323 __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth) 324 { 325 struct gss_upcall_msg *pos; 326 list_for_each_entry(pos, &pipe->in_downcall, list) { 327 if (!uid_eq(pos->uid, uid)) 328 continue; 329 if (auth && pos->auth->service != auth->service) 330 continue; 331 refcount_inc(&pos->count); 332 return pos; 333 } 334 return NULL; 335 } 336 337 /* Try to add an upcall to the pipefs queue. 338 * If an upcall owned by our uid already exists, then we return a reference 339 * to that upcall instead of adding the new upcall. 340 */ 341 static inline struct gss_upcall_msg * 342 gss_add_msg(struct gss_upcall_msg *gss_msg) 343 { 344 struct rpc_pipe *pipe = gss_msg->pipe; 345 struct gss_upcall_msg *old; 346 347 spin_lock(&pipe->lock); 348 old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth); 349 if (old == NULL) { 350 refcount_inc(&gss_msg->count); 351 list_add(&gss_msg->list, &pipe->in_downcall); 352 } else 353 gss_msg = old; 354 spin_unlock(&pipe->lock); 355 return gss_msg; 356 } 357 358 static void 359 __gss_unhash_msg(struct gss_upcall_msg *gss_msg) 360 { 361 list_del_init(&gss_msg->list); 362 rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno); 363 wake_up_all(&gss_msg->waitqueue); 364 refcount_dec(&gss_msg->count); 365 } 366 367 static void 368 gss_unhash_msg(struct gss_upcall_msg *gss_msg) 369 { 370 struct rpc_pipe *pipe = gss_msg->pipe; 371 372 if (list_empty(&gss_msg->list)) 373 return; 374 spin_lock(&pipe->lock); 375 if (!list_empty(&gss_msg->list)) 376 __gss_unhash_msg(gss_msg); 377 spin_unlock(&pipe->lock); 378 } 379 380 static void 381 gss_handle_downcall_result(struct gss_cred *gss_cred, struct gss_upcall_msg *gss_msg) 382 { 383 switch (gss_msg->msg.errno) { 384 case 0: 385 if (gss_msg->ctx == NULL) 386 break; 387 clear_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags); 388 gss_cred_set_ctx(&gss_cred->gc_base, gss_msg->ctx); 389 break; 390 case -EKEYEXPIRED: 391 set_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags); 392 } 393 gss_cred->gc_upcall_timestamp = jiffies; 394 gss_cred->gc_upcall = NULL; 395 rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno); 396 } 397 398 static void 399 gss_upcall_callback(struct rpc_task *task) 400 { 401 struct gss_cred *gss_cred = container_of(task->tk_rqstp->rq_cred, 402 struct gss_cred, gc_base); 403 struct gss_upcall_msg *gss_msg = gss_cred->gc_upcall; 404 struct rpc_pipe *pipe = gss_msg->pipe; 405 406 spin_lock(&pipe->lock); 407 gss_handle_downcall_result(gss_cred, gss_msg); 408 spin_unlock(&pipe->lock); 409 task->tk_status = gss_msg->msg.errno; 410 gss_release_msg(gss_msg); 411 } 412 413 static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg) 414 { 415 uid_t uid = from_kuid(&init_user_ns, gss_msg->uid); 416 memcpy(gss_msg->databuf, &uid, sizeof(uid)); 417 gss_msg->msg.data = gss_msg->databuf; 418 gss_msg->msg.len = sizeof(uid); 419 420 BUILD_BUG_ON(sizeof(uid) > sizeof(gss_msg->databuf)); 421 } 422 423 static int gss_encode_v1_msg(struct gss_upcall_msg *gss_msg, 424 const char *service_name, 425 const char *target_name) 426 { 427 struct gss_api_mech *mech = gss_msg->auth->mech; 428 char *p = gss_msg->databuf; 429 size_t buflen = sizeof(gss_msg->databuf); 430 int len; 431 432 len = scnprintf(p, buflen, "mech=%s uid=%d", mech->gm_name, 433 from_kuid(&init_user_ns, gss_msg->uid)); 434 buflen -= len; 435 p += len; 436 gss_msg->msg.len = len; 437 438 /* 439 * target= is a full service principal that names the remote 440 * identity that we are authenticating to. 441 */ 442 if (target_name) { 443 len = scnprintf(p, buflen, " target=%s", target_name); 444 buflen -= len; 445 p += len; 446 gss_msg->msg.len += len; 447 } 448 449 /* 450 * gssd uses service= and srchost= to select a matching key from 451 * the system's keytab to use as the source principal. 452 * 453 * service= is the service name part of the source principal, 454 * or "*" (meaning choose any). 455 * 456 * srchost= is the hostname part of the source principal. When 457 * not provided, gssd uses the local hostname. 458 */ 459 if (service_name) { 460 char *c = strchr(service_name, '@'); 461 462 if (!c) 463 len = scnprintf(p, buflen, " service=%s", 464 service_name); 465 else 466 len = scnprintf(p, buflen, 467 " service=%.*s srchost=%s", 468 (int)(c - service_name), 469 service_name, c + 1); 470 buflen -= len; 471 p += len; 472 gss_msg->msg.len += len; 473 } 474 475 if (mech->gm_upcall_enctypes) { 476 len = scnprintf(p, buflen, " enctypes=%s", 477 mech->gm_upcall_enctypes); 478 buflen -= len; 479 p += len; 480 gss_msg->msg.len += len; 481 } 482 trace_rpcgss_upcall_msg(gss_msg->databuf); 483 len = scnprintf(p, buflen, "\n"); 484 if (len == 0) 485 goto out_overflow; 486 gss_msg->msg.len += len; 487 gss_msg->msg.data = gss_msg->databuf; 488 return 0; 489 out_overflow: 490 WARN_ON_ONCE(1); 491 return -ENOMEM; 492 } 493 494 static struct gss_upcall_msg * 495 gss_alloc_msg(struct gss_auth *gss_auth, 496 kuid_t uid, const char *service_name) 497 { 498 struct gss_upcall_msg *gss_msg; 499 int vers; 500 int err = -ENOMEM; 501 502 gss_msg = kzalloc(sizeof(*gss_msg), GFP_NOFS); 503 if (gss_msg == NULL) 504 goto err; 505 vers = get_pipe_version(gss_auth->net); 506 err = vers; 507 if (err < 0) 508 goto err_free_msg; 509 gss_msg->pipe = gss_auth->gss_pipe[vers]->pipe; 510 INIT_LIST_HEAD(&gss_msg->list); 511 rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq"); 512 init_waitqueue_head(&gss_msg->waitqueue); 513 refcount_set(&gss_msg->count, 1); 514 gss_msg->uid = uid; 515 gss_msg->auth = gss_auth; 516 switch (vers) { 517 case 0: 518 gss_encode_v0_msg(gss_msg); 519 break; 520 default: 521 err = gss_encode_v1_msg(gss_msg, service_name, gss_auth->target_name); 522 if (err) 523 goto err_put_pipe_version; 524 } 525 kref_get(&gss_auth->kref); 526 return gss_msg; 527 err_put_pipe_version: 528 put_pipe_version(gss_auth->net); 529 err_free_msg: 530 kfree(gss_msg); 531 err: 532 return ERR_PTR(err); 533 } 534 535 static struct gss_upcall_msg * 536 gss_setup_upcall(struct gss_auth *gss_auth, struct rpc_cred *cred) 537 { 538 struct gss_cred *gss_cred = container_of(cred, 539 struct gss_cred, gc_base); 540 struct gss_upcall_msg *gss_new, *gss_msg; 541 kuid_t uid = cred->cr_cred->fsuid; 542 543 gss_new = gss_alloc_msg(gss_auth, uid, gss_cred->gc_principal); 544 if (IS_ERR(gss_new)) 545 return gss_new; 546 gss_msg = gss_add_msg(gss_new); 547 if (gss_msg == gss_new) { 548 int res; 549 refcount_inc(&gss_msg->count); 550 res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg); 551 if (res) { 552 gss_unhash_msg(gss_new); 553 refcount_dec(&gss_msg->count); 554 gss_release_msg(gss_new); 555 gss_msg = ERR_PTR(res); 556 } 557 } else 558 gss_release_msg(gss_new); 559 return gss_msg; 560 } 561 562 static void warn_gssd(void) 563 { 564 dprintk("AUTH_GSS upcall failed. Please check user daemon is running.\n"); 565 } 566 567 static inline int 568 gss_refresh_upcall(struct rpc_task *task) 569 { 570 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 571 struct gss_auth *gss_auth = container_of(cred->cr_auth, 572 struct gss_auth, rpc_auth); 573 struct gss_cred *gss_cred = container_of(cred, 574 struct gss_cred, gc_base); 575 struct gss_upcall_msg *gss_msg; 576 struct rpc_pipe *pipe; 577 int err = 0; 578 579 gss_msg = gss_setup_upcall(gss_auth, cred); 580 if (PTR_ERR(gss_msg) == -EAGAIN) { 581 /* XXX: warning on the first, under the assumption we 582 * shouldn't normally hit this case on a refresh. */ 583 warn_gssd(); 584 task->tk_timeout = 15*HZ; 585 rpc_sleep_on(&pipe_version_rpc_waitqueue, task, NULL); 586 err = -EAGAIN; 587 goto out; 588 } 589 if (IS_ERR(gss_msg)) { 590 err = PTR_ERR(gss_msg); 591 goto out; 592 } 593 pipe = gss_msg->pipe; 594 spin_lock(&pipe->lock); 595 if (gss_cred->gc_upcall != NULL) 596 rpc_sleep_on(&gss_cred->gc_upcall->rpc_waitqueue, task, NULL); 597 else if (gss_msg->ctx == NULL && gss_msg->msg.errno >= 0) { 598 task->tk_timeout = 0; 599 gss_cred->gc_upcall = gss_msg; 600 /* gss_upcall_callback will release the reference to gss_upcall_msg */ 601 refcount_inc(&gss_msg->count); 602 rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback); 603 } else { 604 gss_handle_downcall_result(gss_cred, gss_msg); 605 err = gss_msg->msg.errno; 606 } 607 spin_unlock(&pipe->lock); 608 gss_release_msg(gss_msg); 609 out: 610 trace_rpcgss_upcall_result(from_kuid(&init_user_ns, 611 cred->cr_cred->fsuid), err); 612 return err; 613 } 614 615 static inline int 616 gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred) 617 { 618 struct net *net = gss_auth->net; 619 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 620 struct rpc_pipe *pipe; 621 struct rpc_cred *cred = &gss_cred->gc_base; 622 struct gss_upcall_msg *gss_msg; 623 DEFINE_WAIT(wait); 624 int err; 625 626 retry: 627 err = 0; 628 /* if gssd is down, just skip upcalling altogether */ 629 if (!gssd_running(net)) { 630 warn_gssd(); 631 err = -EACCES; 632 goto out; 633 } 634 gss_msg = gss_setup_upcall(gss_auth, cred); 635 if (PTR_ERR(gss_msg) == -EAGAIN) { 636 err = wait_event_interruptible_timeout(pipe_version_waitqueue, 637 sn->pipe_version >= 0, 15 * HZ); 638 if (sn->pipe_version < 0) { 639 warn_gssd(); 640 err = -EACCES; 641 } 642 if (err < 0) 643 goto out; 644 goto retry; 645 } 646 if (IS_ERR(gss_msg)) { 647 err = PTR_ERR(gss_msg); 648 goto out; 649 } 650 pipe = gss_msg->pipe; 651 for (;;) { 652 prepare_to_wait(&gss_msg->waitqueue, &wait, TASK_KILLABLE); 653 spin_lock(&pipe->lock); 654 if (gss_msg->ctx != NULL || gss_msg->msg.errno < 0) { 655 break; 656 } 657 spin_unlock(&pipe->lock); 658 if (fatal_signal_pending(current)) { 659 err = -ERESTARTSYS; 660 goto out_intr; 661 } 662 schedule(); 663 } 664 if (gss_msg->ctx) 665 gss_cred_set_ctx(cred, gss_msg->ctx); 666 else 667 err = gss_msg->msg.errno; 668 spin_unlock(&pipe->lock); 669 out_intr: 670 finish_wait(&gss_msg->waitqueue, &wait); 671 gss_release_msg(gss_msg); 672 out: 673 trace_rpcgss_upcall_result(from_kuid(&init_user_ns, 674 cred->cr_cred->fsuid), err); 675 return err; 676 } 677 678 #define MSG_BUF_MAXSIZE 1024 679 680 static ssize_t 681 gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen) 682 { 683 const void *p, *end; 684 void *buf; 685 struct gss_upcall_msg *gss_msg; 686 struct rpc_pipe *pipe = RPC_I(file_inode(filp))->pipe; 687 struct gss_cl_ctx *ctx; 688 uid_t id; 689 kuid_t uid; 690 ssize_t err = -EFBIG; 691 692 if (mlen > MSG_BUF_MAXSIZE) 693 goto out; 694 err = -ENOMEM; 695 buf = kmalloc(mlen, GFP_NOFS); 696 if (!buf) 697 goto out; 698 699 err = -EFAULT; 700 if (copy_from_user(buf, src, mlen)) 701 goto err; 702 703 end = (const void *)((char *)buf + mlen); 704 p = simple_get_bytes(buf, end, &id, sizeof(id)); 705 if (IS_ERR(p)) { 706 err = PTR_ERR(p); 707 goto err; 708 } 709 710 uid = make_kuid(&init_user_ns, id); 711 if (!uid_valid(uid)) { 712 err = -EINVAL; 713 goto err; 714 } 715 716 err = -ENOMEM; 717 ctx = gss_alloc_context(); 718 if (ctx == NULL) 719 goto err; 720 721 err = -ENOENT; 722 /* Find a matching upcall */ 723 spin_lock(&pipe->lock); 724 gss_msg = __gss_find_upcall(pipe, uid, NULL); 725 if (gss_msg == NULL) { 726 spin_unlock(&pipe->lock); 727 goto err_put_ctx; 728 } 729 list_del_init(&gss_msg->list); 730 spin_unlock(&pipe->lock); 731 732 p = gss_fill_context(p, end, ctx, gss_msg->auth->mech); 733 if (IS_ERR(p)) { 734 err = PTR_ERR(p); 735 switch (err) { 736 case -EACCES: 737 case -EKEYEXPIRED: 738 gss_msg->msg.errno = err; 739 err = mlen; 740 break; 741 case -EFAULT: 742 case -ENOMEM: 743 case -EINVAL: 744 case -ENOSYS: 745 gss_msg->msg.errno = -EAGAIN; 746 break; 747 default: 748 printk(KERN_CRIT "%s: bad return from " 749 "gss_fill_context: %zd\n", __func__, err); 750 gss_msg->msg.errno = -EIO; 751 } 752 goto err_release_msg; 753 } 754 gss_msg->ctx = gss_get_ctx(ctx); 755 err = mlen; 756 757 err_release_msg: 758 spin_lock(&pipe->lock); 759 __gss_unhash_msg(gss_msg); 760 spin_unlock(&pipe->lock); 761 gss_release_msg(gss_msg); 762 err_put_ctx: 763 gss_put_ctx(ctx); 764 err: 765 kfree(buf); 766 out: 767 return err; 768 } 769 770 static int gss_pipe_open(struct inode *inode, int new_version) 771 { 772 struct net *net = inode->i_sb->s_fs_info; 773 struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); 774 int ret = 0; 775 776 spin_lock(&pipe_version_lock); 777 if (sn->pipe_version < 0) { 778 /* First open of any gss pipe determines the version: */ 779 sn->pipe_version = new_version; 780 rpc_wake_up(&pipe_version_rpc_waitqueue); 781 wake_up(&pipe_version_waitqueue); 782 } else if (sn->pipe_version != new_version) { 783 /* Trying to open a pipe of a different version */ 784 ret = -EBUSY; 785 goto out; 786 } 787 atomic_inc(&sn->pipe_users); 788 out: 789 spin_unlock(&pipe_version_lock); 790 return ret; 791 792 } 793 794 static int gss_pipe_open_v0(struct inode *inode) 795 { 796 return gss_pipe_open(inode, 0); 797 } 798 799 static int gss_pipe_open_v1(struct inode *inode) 800 { 801 return gss_pipe_open(inode, 1); 802 } 803 804 static void 805 gss_pipe_release(struct inode *inode) 806 { 807 struct net *net = inode->i_sb->s_fs_info; 808 struct rpc_pipe *pipe = RPC_I(inode)->pipe; 809 struct gss_upcall_msg *gss_msg; 810 811 restart: 812 spin_lock(&pipe->lock); 813 list_for_each_entry(gss_msg, &pipe->in_downcall, list) { 814 815 if (!list_empty(&gss_msg->msg.list)) 816 continue; 817 gss_msg->msg.errno = -EPIPE; 818 refcount_inc(&gss_msg->count); 819 __gss_unhash_msg(gss_msg); 820 spin_unlock(&pipe->lock); 821 gss_release_msg(gss_msg); 822 goto restart; 823 } 824 spin_unlock(&pipe->lock); 825 826 put_pipe_version(net); 827 } 828 829 static void 830 gss_pipe_destroy_msg(struct rpc_pipe_msg *msg) 831 { 832 struct gss_upcall_msg *gss_msg = container_of(msg, struct gss_upcall_msg, msg); 833 834 if (msg->errno < 0) { 835 refcount_inc(&gss_msg->count); 836 gss_unhash_msg(gss_msg); 837 if (msg->errno == -ETIMEDOUT) 838 warn_gssd(); 839 gss_release_msg(gss_msg); 840 } 841 gss_release_msg(gss_msg); 842 } 843 844 static void gss_pipe_dentry_destroy(struct dentry *dir, 845 struct rpc_pipe_dir_object *pdo) 846 { 847 struct gss_pipe *gss_pipe = pdo->pdo_data; 848 struct rpc_pipe *pipe = gss_pipe->pipe; 849 850 if (pipe->dentry != NULL) { 851 rpc_unlink(pipe->dentry); 852 pipe->dentry = NULL; 853 } 854 } 855 856 static int gss_pipe_dentry_create(struct dentry *dir, 857 struct rpc_pipe_dir_object *pdo) 858 { 859 struct gss_pipe *p = pdo->pdo_data; 860 struct dentry *dentry; 861 862 dentry = rpc_mkpipe_dentry(dir, p->name, p->clnt, p->pipe); 863 if (IS_ERR(dentry)) 864 return PTR_ERR(dentry); 865 p->pipe->dentry = dentry; 866 return 0; 867 } 868 869 static const struct rpc_pipe_dir_object_ops gss_pipe_dir_object_ops = { 870 .create = gss_pipe_dentry_create, 871 .destroy = gss_pipe_dentry_destroy, 872 }; 873 874 static struct gss_pipe *gss_pipe_alloc(struct rpc_clnt *clnt, 875 const char *name, 876 const struct rpc_pipe_ops *upcall_ops) 877 { 878 struct gss_pipe *p; 879 int err = -ENOMEM; 880 881 p = kmalloc(sizeof(*p), GFP_KERNEL); 882 if (p == NULL) 883 goto err; 884 p->pipe = rpc_mkpipe_data(upcall_ops, RPC_PIPE_WAIT_FOR_OPEN); 885 if (IS_ERR(p->pipe)) { 886 err = PTR_ERR(p->pipe); 887 goto err_free_gss_pipe; 888 } 889 p->name = name; 890 p->clnt = clnt; 891 kref_init(&p->kref); 892 rpc_init_pipe_dir_object(&p->pdo, 893 &gss_pipe_dir_object_ops, 894 p); 895 return p; 896 err_free_gss_pipe: 897 kfree(p); 898 err: 899 return ERR_PTR(err); 900 } 901 902 struct gss_alloc_pdo { 903 struct rpc_clnt *clnt; 904 const char *name; 905 const struct rpc_pipe_ops *upcall_ops; 906 }; 907 908 static int gss_pipe_match_pdo(struct rpc_pipe_dir_object *pdo, void *data) 909 { 910 struct gss_pipe *gss_pipe; 911 struct gss_alloc_pdo *args = data; 912 913 if (pdo->pdo_ops != &gss_pipe_dir_object_ops) 914 return 0; 915 gss_pipe = container_of(pdo, struct gss_pipe, pdo); 916 if (strcmp(gss_pipe->name, args->name) != 0) 917 return 0; 918 if (!kref_get_unless_zero(&gss_pipe->kref)) 919 return 0; 920 return 1; 921 } 922 923 static struct rpc_pipe_dir_object *gss_pipe_alloc_pdo(void *data) 924 { 925 struct gss_pipe *gss_pipe; 926 struct gss_alloc_pdo *args = data; 927 928 gss_pipe = gss_pipe_alloc(args->clnt, args->name, args->upcall_ops); 929 if (!IS_ERR(gss_pipe)) 930 return &gss_pipe->pdo; 931 return NULL; 932 } 933 934 static struct gss_pipe *gss_pipe_get(struct rpc_clnt *clnt, 935 const char *name, 936 const struct rpc_pipe_ops *upcall_ops) 937 { 938 struct net *net = rpc_net_ns(clnt); 939 struct rpc_pipe_dir_object *pdo; 940 struct gss_alloc_pdo args = { 941 .clnt = clnt, 942 .name = name, 943 .upcall_ops = upcall_ops, 944 }; 945 946 pdo = rpc_find_or_alloc_pipe_dir_object(net, 947 &clnt->cl_pipedir_objects, 948 gss_pipe_match_pdo, 949 gss_pipe_alloc_pdo, 950 &args); 951 if (pdo != NULL) 952 return container_of(pdo, struct gss_pipe, pdo); 953 return ERR_PTR(-ENOMEM); 954 } 955 956 static void __gss_pipe_free(struct gss_pipe *p) 957 { 958 struct rpc_clnt *clnt = p->clnt; 959 struct net *net = rpc_net_ns(clnt); 960 961 rpc_remove_pipe_dir_object(net, 962 &clnt->cl_pipedir_objects, 963 &p->pdo); 964 rpc_destroy_pipe_data(p->pipe); 965 kfree(p); 966 } 967 968 static void __gss_pipe_release(struct kref *kref) 969 { 970 struct gss_pipe *p = container_of(kref, struct gss_pipe, kref); 971 972 __gss_pipe_free(p); 973 } 974 975 static void gss_pipe_free(struct gss_pipe *p) 976 { 977 if (p != NULL) 978 kref_put(&p->kref, __gss_pipe_release); 979 } 980 981 /* 982 * NOTE: we have the opportunity to use different 983 * parameters based on the input flavor (which must be a pseudoflavor) 984 */ 985 static struct gss_auth * 986 gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) 987 { 988 rpc_authflavor_t flavor = args->pseudoflavor; 989 struct gss_auth *gss_auth; 990 struct gss_pipe *gss_pipe; 991 struct rpc_auth * auth; 992 int err = -ENOMEM; /* XXX? */ 993 994 if (!try_module_get(THIS_MODULE)) 995 return ERR_PTR(err); 996 if (!(gss_auth = kmalloc(sizeof(*gss_auth), GFP_KERNEL))) 997 goto out_dec; 998 INIT_HLIST_NODE(&gss_auth->hash); 999 gss_auth->target_name = NULL; 1000 if (args->target_name) { 1001 gss_auth->target_name = kstrdup(args->target_name, GFP_KERNEL); 1002 if (gss_auth->target_name == NULL) 1003 goto err_free; 1004 } 1005 gss_auth->client = clnt; 1006 gss_auth->net = get_net(rpc_net_ns(clnt)); 1007 err = -EINVAL; 1008 gss_auth->mech = gss_mech_get_by_pseudoflavor(flavor); 1009 if (!gss_auth->mech) 1010 goto err_put_net; 1011 gss_auth->service = gss_pseudoflavor_to_service(gss_auth->mech, flavor); 1012 if (gss_auth->service == 0) 1013 goto err_put_mech; 1014 if (!gssd_running(gss_auth->net)) 1015 goto err_put_mech; 1016 auth = &gss_auth->rpc_auth; 1017 auth->au_cslack = GSS_CRED_SLACK >> 2; 1018 auth->au_rslack = GSS_VERF_SLACK >> 2; 1019 auth->au_verfsize = GSS_VERF_SLACK >> 2; 1020 auth->au_ralign = GSS_VERF_SLACK >> 2; 1021 auth->au_flags = 0; 1022 auth->au_ops = &authgss_ops; 1023 auth->au_flavor = flavor; 1024 if (gss_pseudoflavor_to_datatouch(gss_auth->mech, flavor)) 1025 auth->au_flags |= RPCAUTH_AUTH_DATATOUCH; 1026 refcount_set(&auth->au_count, 1); 1027 kref_init(&gss_auth->kref); 1028 1029 err = rpcauth_init_credcache(auth); 1030 if (err) 1031 goto err_put_mech; 1032 /* 1033 * Note: if we created the old pipe first, then someone who 1034 * examined the directory at the right moment might conclude 1035 * that we supported only the old pipe. So we instead create 1036 * the new pipe first. 1037 */ 1038 gss_pipe = gss_pipe_get(clnt, "gssd", &gss_upcall_ops_v1); 1039 if (IS_ERR(gss_pipe)) { 1040 err = PTR_ERR(gss_pipe); 1041 goto err_destroy_credcache; 1042 } 1043 gss_auth->gss_pipe[1] = gss_pipe; 1044 1045 gss_pipe = gss_pipe_get(clnt, gss_auth->mech->gm_name, 1046 &gss_upcall_ops_v0); 1047 if (IS_ERR(gss_pipe)) { 1048 err = PTR_ERR(gss_pipe); 1049 goto err_destroy_pipe_1; 1050 } 1051 gss_auth->gss_pipe[0] = gss_pipe; 1052 1053 return gss_auth; 1054 err_destroy_pipe_1: 1055 gss_pipe_free(gss_auth->gss_pipe[1]); 1056 err_destroy_credcache: 1057 rpcauth_destroy_credcache(auth); 1058 err_put_mech: 1059 gss_mech_put(gss_auth->mech); 1060 err_put_net: 1061 put_net(gss_auth->net); 1062 err_free: 1063 kfree(gss_auth->target_name); 1064 kfree(gss_auth); 1065 out_dec: 1066 module_put(THIS_MODULE); 1067 trace_rpcgss_createauth(flavor, err); 1068 return ERR_PTR(err); 1069 } 1070 1071 static void 1072 gss_free(struct gss_auth *gss_auth) 1073 { 1074 gss_pipe_free(gss_auth->gss_pipe[0]); 1075 gss_pipe_free(gss_auth->gss_pipe[1]); 1076 gss_mech_put(gss_auth->mech); 1077 put_net(gss_auth->net); 1078 kfree(gss_auth->target_name); 1079 1080 kfree(gss_auth); 1081 module_put(THIS_MODULE); 1082 } 1083 1084 static void 1085 gss_free_callback(struct kref *kref) 1086 { 1087 struct gss_auth *gss_auth = container_of(kref, struct gss_auth, kref); 1088 1089 gss_free(gss_auth); 1090 } 1091 1092 static void 1093 gss_put_auth(struct gss_auth *gss_auth) 1094 { 1095 kref_put(&gss_auth->kref, gss_free_callback); 1096 } 1097 1098 static void 1099 gss_destroy(struct rpc_auth *auth) 1100 { 1101 struct gss_auth *gss_auth = container_of(auth, 1102 struct gss_auth, rpc_auth); 1103 1104 if (hash_hashed(&gss_auth->hash)) { 1105 spin_lock(&gss_auth_hash_lock); 1106 hash_del(&gss_auth->hash); 1107 spin_unlock(&gss_auth_hash_lock); 1108 } 1109 1110 gss_pipe_free(gss_auth->gss_pipe[0]); 1111 gss_auth->gss_pipe[0] = NULL; 1112 gss_pipe_free(gss_auth->gss_pipe[1]); 1113 gss_auth->gss_pipe[1] = NULL; 1114 rpcauth_destroy_credcache(auth); 1115 1116 gss_put_auth(gss_auth); 1117 } 1118 1119 /* 1120 * Auths may be shared between rpc clients that were cloned from a 1121 * common client with the same xprt, if they also share the flavor and 1122 * target_name. 1123 * 1124 * The auth is looked up from the oldest parent sharing the same 1125 * cl_xprt, and the auth itself references only that common parent 1126 * (which is guaranteed to last as long as any of its descendants). 1127 */ 1128 static struct gss_auth * 1129 gss_auth_find_or_add_hashed(const struct rpc_auth_create_args *args, 1130 struct rpc_clnt *clnt, 1131 struct gss_auth *new) 1132 { 1133 struct gss_auth *gss_auth; 1134 unsigned long hashval = (unsigned long)clnt; 1135 1136 spin_lock(&gss_auth_hash_lock); 1137 hash_for_each_possible(gss_auth_hash_table, 1138 gss_auth, 1139 hash, 1140 hashval) { 1141 if (gss_auth->client != clnt) 1142 continue; 1143 if (gss_auth->rpc_auth.au_flavor != args->pseudoflavor) 1144 continue; 1145 if (gss_auth->target_name != args->target_name) { 1146 if (gss_auth->target_name == NULL) 1147 continue; 1148 if (args->target_name == NULL) 1149 continue; 1150 if (strcmp(gss_auth->target_name, args->target_name)) 1151 continue; 1152 } 1153 if (!refcount_inc_not_zero(&gss_auth->rpc_auth.au_count)) 1154 continue; 1155 goto out; 1156 } 1157 if (new) 1158 hash_add(gss_auth_hash_table, &new->hash, hashval); 1159 gss_auth = new; 1160 out: 1161 spin_unlock(&gss_auth_hash_lock); 1162 return gss_auth; 1163 } 1164 1165 static struct gss_auth * 1166 gss_create_hashed(const struct rpc_auth_create_args *args, 1167 struct rpc_clnt *clnt) 1168 { 1169 struct gss_auth *gss_auth; 1170 struct gss_auth *new; 1171 1172 gss_auth = gss_auth_find_or_add_hashed(args, clnt, NULL); 1173 if (gss_auth != NULL) 1174 goto out; 1175 new = gss_create_new(args, clnt); 1176 if (IS_ERR(new)) 1177 return new; 1178 gss_auth = gss_auth_find_or_add_hashed(args, clnt, new); 1179 if (gss_auth != new) 1180 gss_destroy(&new->rpc_auth); 1181 out: 1182 return gss_auth; 1183 } 1184 1185 static struct rpc_auth * 1186 gss_create(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt) 1187 { 1188 struct gss_auth *gss_auth; 1189 struct rpc_xprt_switch *xps = rcu_access_pointer(clnt->cl_xpi.xpi_xpswitch); 1190 1191 while (clnt != clnt->cl_parent) { 1192 struct rpc_clnt *parent = clnt->cl_parent; 1193 /* Find the original parent for this transport */ 1194 if (rcu_access_pointer(parent->cl_xpi.xpi_xpswitch) != xps) 1195 break; 1196 clnt = parent; 1197 } 1198 1199 gss_auth = gss_create_hashed(args, clnt); 1200 if (IS_ERR(gss_auth)) 1201 return ERR_CAST(gss_auth); 1202 return &gss_auth->rpc_auth; 1203 } 1204 1205 static struct gss_cred * 1206 gss_dup_cred(struct gss_auth *gss_auth, struct gss_cred *gss_cred) 1207 { 1208 struct gss_cred *new; 1209 1210 /* Make a copy of the cred so that we can reference count it */ 1211 new = kzalloc(sizeof(*gss_cred), GFP_NOFS); 1212 if (new) { 1213 struct auth_cred acred = { 1214 .cred = gss_cred->gc_base.cr_cred, 1215 }; 1216 struct gss_cl_ctx *ctx = 1217 rcu_dereference_protected(gss_cred->gc_ctx, 1); 1218 1219 rpcauth_init_cred(&new->gc_base, &acred, 1220 &gss_auth->rpc_auth, 1221 &gss_nullops); 1222 new->gc_base.cr_flags = 1UL << RPCAUTH_CRED_UPTODATE; 1223 new->gc_service = gss_cred->gc_service; 1224 new->gc_principal = gss_cred->gc_principal; 1225 kref_get(&gss_auth->kref); 1226 rcu_assign_pointer(new->gc_ctx, ctx); 1227 gss_get_ctx(ctx); 1228 } 1229 return new; 1230 } 1231 1232 /* 1233 * gss_send_destroy_context will cause the RPCSEC_GSS to send a NULL RPC call 1234 * to the server with the GSS control procedure field set to 1235 * RPC_GSS_PROC_DESTROY. This should normally cause the server to release 1236 * all RPCSEC_GSS state associated with that context. 1237 */ 1238 static void 1239 gss_send_destroy_context(struct rpc_cred *cred) 1240 { 1241 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 1242 struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth); 1243 struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1); 1244 struct gss_cred *new; 1245 struct rpc_task *task; 1246 1247 new = gss_dup_cred(gss_auth, gss_cred); 1248 if (new) { 1249 ctx->gc_proc = RPC_GSS_PROC_DESTROY; 1250 1251 task = rpc_call_null(gss_auth->client, &new->gc_base, 1252 RPC_TASK_ASYNC|RPC_TASK_SOFT); 1253 if (!IS_ERR(task)) 1254 rpc_put_task(task); 1255 1256 put_rpccred(&new->gc_base); 1257 } 1258 } 1259 1260 /* gss_destroy_cred (and gss_free_ctx) are used to clean up after failure 1261 * to create a new cred or context, so they check that things have been 1262 * allocated before freeing them. */ 1263 static void 1264 gss_do_free_ctx(struct gss_cl_ctx *ctx) 1265 { 1266 gss_delete_sec_context(&ctx->gc_gss_ctx); 1267 kfree(ctx->gc_wire_ctx.data); 1268 kfree(ctx->gc_acceptor.data); 1269 kfree(ctx); 1270 } 1271 1272 static void 1273 gss_free_ctx_callback(struct rcu_head *head) 1274 { 1275 struct gss_cl_ctx *ctx = container_of(head, struct gss_cl_ctx, gc_rcu); 1276 gss_do_free_ctx(ctx); 1277 } 1278 1279 static void 1280 gss_free_ctx(struct gss_cl_ctx *ctx) 1281 { 1282 call_rcu(&ctx->gc_rcu, gss_free_ctx_callback); 1283 } 1284 1285 static void 1286 gss_free_cred(struct gss_cred *gss_cred) 1287 { 1288 kfree(gss_cred); 1289 } 1290 1291 static void 1292 gss_free_cred_callback(struct rcu_head *head) 1293 { 1294 struct gss_cred *gss_cred = container_of(head, struct gss_cred, gc_base.cr_rcu); 1295 gss_free_cred(gss_cred); 1296 } 1297 1298 static void 1299 gss_destroy_nullcred(struct rpc_cred *cred) 1300 { 1301 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 1302 struct gss_auth *gss_auth = container_of(cred->cr_auth, struct gss_auth, rpc_auth); 1303 struct gss_cl_ctx *ctx = rcu_dereference_protected(gss_cred->gc_ctx, 1); 1304 1305 RCU_INIT_POINTER(gss_cred->gc_ctx, NULL); 1306 put_cred(cred->cr_cred); 1307 call_rcu(&cred->cr_rcu, gss_free_cred_callback); 1308 if (ctx) 1309 gss_put_ctx(ctx); 1310 gss_put_auth(gss_auth); 1311 } 1312 1313 static void 1314 gss_destroy_cred(struct rpc_cred *cred) 1315 { 1316 1317 if (test_and_clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) 1318 gss_send_destroy_context(cred); 1319 gss_destroy_nullcred(cred); 1320 } 1321 1322 static int 1323 gss_hash_cred(struct auth_cred *acred, unsigned int hashbits) 1324 { 1325 return hash_64(from_kuid(&init_user_ns, acred->cred->fsuid), hashbits); 1326 } 1327 1328 /* 1329 * Lookup RPCSEC_GSS cred for the current process 1330 */ 1331 static struct rpc_cred * 1332 gss_lookup_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags) 1333 { 1334 return rpcauth_lookup_credcache(auth, acred, flags, GFP_NOFS); 1335 } 1336 1337 static struct rpc_cred * 1338 gss_create_cred(struct rpc_auth *auth, struct auth_cred *acred, int flags, gfp_t gfp) 1339 { 1340 struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth); 1341 struct gss_cred *cred = NULL; 1342 int err = -ENOMEM; 1343 1344 if (!(cred = kzalloc(sizeof(*cred), gfp))) 1345 goto out_err; 1346 1347 rpcauth_init_cred(&cred->gc_base, acred, auth, &gss_credops); 1348 /* 1349 * Note: in order to force a call to call_refresh(), we deliberately 1350 * fail to flag the credential as RPCAUTH_CRED_UPTODATE. 1351 */ 1352 cred->gc_base.cr_flags = 1UL << RPCAUTH_CRED_NEW; 1353 cred->gc_service = gss_auth->service; 1354 cred->gc_principal = acred->principal; 1355 kref_get(&gss_auth->kref); 1356 return &cred->gc_base; 1357 1358 out_err: 1359 return ERR_PTR(err); 1360 } 1361 1362 static int 1363 gss_cred_init(struct rpc_auth *auth, struct rpc_cred *cred) 1364 { 1365 struct gss_auth *gss_auth = container_of(auth, struct gss_auth, rpc_auth); 1366 struct gss_cred *gss_cred = container_of(cred,struct gss_cred, gc_base); 1367 int err; 1368 1369 do { 1370 err = gss_create_upcall(gss_auth, gss_cred); 1371 } while (err == -EAGAIN); 1372 return err; 1373 } 1374 1375 static char * 1376 gss_stringify_acceptor(struct rpc_cred *cred) 1377 { 1378 char *string = NULL; 1379 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, gc_base); 1380 struct gss_cl_ctx *ctx; 1381 unsigned int len; 1382 struct xdr_netobj *acceptor; 1383 1384 rcu_read_lock(); 1385 ctx = rcu_dereference(gss_cred->gc_ctx); 1386 if (!ctx) 1387 goto out; 1388 1389 len = ctx->gc_acceptor.len; 1390 rcu_read_unlock(); 1391 1392 /* no point if there's no string */ 1393 if (!len) 1394 return NULL; 1395 realloc: 1396 string = kmalloc(len + 1, GFP_KERNEL); 1397 if (!string) 1398 return NULL; 1399 1400 rcu_read_lock(); 1401 ctx = rcu_dereference(gss_cred->gc_ctx); 1402 1403 /* did the ctx disappear or was it replaced by one with no acceptor? */ 1404 if (!ctx || !ctx->gc_acceptor.len) { 1405 kfree(string); 1406 string = NULL; 1407 goto out; 1408 } 1409 1410 acceptor = &ctx->gc_acceptor; 1411 1412 /* 1413 * Did we find a new acceptor that's longer than the original? Allocate 1414 * a longer buffer and try again. 1415 */ 1416 if (len < acceptor->len) { 1417 len = acceptor->len; 1418 rcu_read_unlock(); 1419 kfree(string); 1420 goto realloc; 1421 } 1422 1423 memcpy(string, acceptor->data, acceptor->len); 1424 string[acceptor->len] = '\0'; 1425 out: 1426 rcu_read_unlock(); 1427 return string; 1428 } 1429 1430 /* 1431 * Returns -EACCES if GSS context is NULL or will expire within the 1432 * timeout (miliseconds) 1433 */ 1434 static int 1435 gss_key_timeout(struct rpc_cred *rc) 1436 { 1437 struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base); 1438 struct gss_cl_ctx *ctx; 1439 unsigned long timeout = jiffies + (gss_key_expire_timeo * HZ); 1440 int ret = 0; 1441 1442 rcu_read_lock(); 1443 ctx = rcu_dereference(gss_cred->gc_ctx); 1444 if (!ctx || time_after(timeout, ctx->gc_expiry)) 1445 ret = -EACCES; 1446 rcu_read_unlock(); 1447 1448 return ret; 1449 } 1450 1451 static int 1452 gss_match(struct auth_cred *acred, struct rpc_cred *rc, int flags) 1453 { 1454 struct gss_cred *gss_cred = container_of(rc, struct gss_cred, gc_base); 1455 struct gss_cl_ctx *ctx; 1456 int ret; 1457 1458 if (test_bit(RPCAUTH_CRED_NEW, &rc->cr_flags)) 1459 goto out; 1460 /* Don't match with creds that have expired. */ 1461 rcu_read_lock(); 1462 ctx = rcu_dereference(gss_cred->gc_ctx); 1463 if (!ctx || time_after(jiffies, ctx->gc_expiry)) { 1464 rcu_read_unlock(); 1465 return 0; 1466 } 1467 rcu_read_unlock(); 1468 if (!test_bit(RPCAUTH_CRED_UPTODATE, &rc->cr_flags)) 1469 return 0; 1470 out: 1471 if (acred->principal != NULL) { 1472 if (gss_cred->gc_principal == NULL) 1473 return 0; 1474 ret = strcmp(acred->principal, gss_cred->gc_principal) == 0; 1475 } else { 1476 if (gss_cred->gc_principal != NULL) 1477 return 0; 1478 ret = uid_eq(rc->cr_cred->fsuid, acred->cred->fsuid); 1479 } 1480 return ret; 1481 } 1482 1483 /* 1484 * Marshal credentials. 1485 * 1486 * The expensive part is computing the verifier. We can't cache a 1487 * pre-computed version of the verifier because the seqno, which 1488 * is different every time, is included in the MIC. 1489 */ 1490 static int gss_marshal(struct rpc_task *task, struct xdr_stream *xdr) 1491 { 1492 struct rpc_rqst *req = task->tk_rqstp; 1493 struct rpc_cred *cred = req->rq_cred; 1494 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, 1495 gc_base); 1496 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 1497 __be32 *p, *cred_len; 1498 u32 maj_stat = 0; 1499 struct xdr_netobj mic; 1500 struct kvec iov; 1501 struct xdr_buf verf_buf; 1502 int status; 1503 1504 /* Credential */ 1505 1506 p = xdr_reserve_space(xdr, 7 * sizeof(*p) + 1507 ctx->gc_wire_ctx.len); 1508 if (!p) 1509 goto marshal_failed; 1510 *p++ = rpc_auth_gss; 1511 cred_len = p++; 1512 1513 spin_lock(&ctx->gc_seq_lock); 1514 req->rq_seqno = (ctx->gc_seq < MAXSEQ) ? ctx->gc_seq++ : MAXSEQ; 1515 spin_unlock(&ctx->gc_seq_lock); 1516 if (req->rq_seqno == MAXSEQ) 1517 goto expired; 1518 trace_rpcgss_seqno(task); 1519 1520 *p++ = cpu_to_be32(RPC_GSS_VERSION); 1521 *p++ = cpu_to_be32(ctx->gc_proc); 1522 *p++ = cpu_to_be32(req->rq_seqno); 1523 *p++ = cpu_to_be32(gss_cred->gc_service); 1524 p = xdr_encode_netobj(p, &ctx->gc_wire_ctx); 1525 *cred_len = cpu_to_be32((p - (cred_len + 1)) << 2); 1526 1527 /* Verifier */ 1528 1529 /* We compute the checksum for the verifier over the xdr-encoded bytes 1530 * starting with the xid and ending at the end of the credential: */ 1531 iov.iov_base = req->rq_snd_buf.head[0].iov_base; 1532 iov.iov_len = (u8 *)p - (u8 *)iov.iov_base; 1533 xdr_buf_from_iov(&iov, &verf_buf); 1534 1535 p = xdr_reserve_space(xdr, sizeof(*p)); 1536 if (!p) 1537 goto marshal_failed; 1538 *p++ = rpc_auth_gss; 1539 mic.data = (u8 *)(p + 1); 1540 maj_stat = gss_get_mic(ctx->gc_gss_ctx, &verf_buf, &mic); 1541 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1542 goto expired; 1543 else if (maj_stat != 0) 1544 goto bad_mic; 1545 if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0) 1546 goto marshal_failed; 1547 status = 0; 1548 out: 1549 gss_put_ctx(ctx); 1550 return status; 1551 expired: 1552 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1553 status = -EKEYEXPIRED; 1554 goto out; 1555 marshal_failed: 1556 status = -EMSGSIZE; 1557 goto out; 1558 bad_mic: 1559 trace_rpcgss_get_mic(task, maj_stat); 1560 status = -EIO; 1561 goto out; 1562 } 1563 1564 static int gss_renew_cred(struct rpc_task *task) 1565 { 1566 struct rpc_cred *oldcred = task->tk_rqstp->rq_cred; 1567 struct gss_cred *gss_cred = container_of(oldcred, 1568 struct gss_cred, 1569 gc_base); 1570 struct rpc_auth *auth = oldcred->cr_auth; 1571 struct auth_cred acred = { 1572 .cred = oldcred->cr_cred, 1573 .principal = gss_cred->gc_principal, 1574 }; 1575 struct rpc_cred *new; 1576 1577 new = gss_lookup_cred(auth, &acred, RPCAUTH_LOOKUP_NEW); 1578 if (IS_ERR(new)) 1579 return PTR_ERR(new); 1580 task->tk_rqstp->rq_cred = new; 1581 put_rpccred(oldcred); 1582 return 0; 1583 } 1584 1585 static int gss_cred_is_negative_entry(struct rpc_cred *cred) 1586 { 1587 if (test_bit(RPCAUTH_CRED_NEGATIVE, &cred->cr_flags)) { 1588 unsigned long now = jiffies; 1589 unsigned long begin, expire; 1590 struct gss_cred *gss_cred; 1591 1592 gss_cred = container_of(cred, struct gss_cred, gc_base); 1593 begin = gss_cred->gc_upcall_timestamp; 1594 expire = begin + gss_expired_cred_retry_delay * HZ; 1595 1596 if (time_in_range_open(now, begin, expire)) 1597 return 1; 1598 } 1599 return 0; 1600 } 1601 1602 /* 1603 * Refresh credentials. XXX - finish 1604 */ 1605 static int 1606 gss_refresh(struct rpc_task *task) 1607 { 1608 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 1609 int ret = 0; 1610 1611 if (gss_cred_is_negative_entry(cred)) 1612 return -EKEYEXPIRED; 1613 1614 if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) && 1615 !test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags)) { 1616 ret = gss_renew_cred(task); 1617 if (ret < 0) 1618 goto out; 1619 cred = task->tk_rqstp->rq_cred; 1620 } 1621 1622 if (test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags)) 1623 ret = gss_refresh_upcall(task); 1624 out: 1625 return ret; 1626 } 1627 1628 /* Dummy refresh routine: used only when destroying the context */ 1629 static int 1630 gss_refresh_null(struct rpc_task *task) 1631 { 1632 return 0; 1633 } 1634 1635 static int 1636 gss_validate(struct rpc_task *task, struct xdr_stream *xdr) 1637 { 1638 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 1639 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 1640 __be32 *p, *seq = NULL; 1641 struct kvec iov; 1642 struct xdr_buf verf_buf; 1643 struct xdr_netobj mic; 1644 u32 len, maj_stat; 1645 int status; 1646 1647 p = xdr_inline_decode(xdr, 2 * sizeof(*p)); 1648 if (!p) 1649 goto validate_failed; 1650 if (*p++ != rpc_auth_gss) 1651 goto validate_failed; 1652 len = be32_to_cpup(p); 1653 if (len > RPC_MAX_AUTH_SIZE) 1654 goto validate_failed; 1655 p = xdr_inline_decode(xdr, len); 1656 if (!p) 1657 goto validate_failed; 1658 1659 seq = kmalloc(4, GFP_NOFS); 1660 if (!seq) 1661 goto validate_failed; 1662 *seq = cpu_to_be32(task->tk_rqstp->rq_seqno); 1663 iov.iov_base = seq; 1664 iov.iov_len = 4; 1665 xdr_buf_from_iov(&iov, &verf_buf); 1666 mic.data = (u8 *)p; 1667 mic.len = len; 1668 maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic); 1669 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1670 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1671 if (maj_stat) 1672 goto bad_mic; 1673 1674 /* We leave it to unwrap to calculate au_rslack. For now we just 1675 * calculate the length of the verifier: */ 1676 cred->cr_auth->au_verfsize = XDR_QUADLEN(len) + 2; 1677 status = 0; 1678 out: 1679 gss_put_ctx(ctx); 1680 kfree(seq); 1681 return status; 1682 1683 validate_failed: 1684 status = -EIO; 1685 goto out; 1686 bad_mic: 1687 trace_rpcgss_verify_mic(task, maj_stat); 1688 status = -EACCES; 1689 goto out; 1690 } 1691 1692 static int gss_wrap_req_integ(struct rpc_cred *cred, struct gss_cl_ctx *ctx, 1693 struct rpc_task *task, struct xdr_stream *xdr) 1694 { 1695 struct rpc_rqst *rqstp = task->tk_rqstp; 1696 struct xdr_buf integ_buf, *snd_buf = &rqstp->rq_snd_buf; 1697 struct xdr_netobj mic; 1698 __be32 *p, *integ_len; 1699 u32 offset, maj_stat; 1700 1701 p = xdr_reserve_space(xdr, 2 * sizeof(*p)); 1702 if (!p) 1703 goto wrap_failed; 1704 integ_len = p++; 1705 *p = cpu_to_be32(rqstp->rq_seqno); 1706 1707 if (rpcauth_wrap_req_encode(task, xdr)) 1708 goto wrap_failed; 1709 1710 offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base; 1711 if (xdr_buf_subsegment(snd_buf, &integ_buf, 1712 offset, snd_buf->len - offset)) 1713 goto wrap_failed; 1714 *integ_len = cpu_to_be32(integ_buf.len); 1715 1716 p = xdr_reserve_space(xdr, 0); 1717 if (!p) 1718 goto wrap_failed; 1719 mic.data = (u8 *)(p + 1); 1720 maj_stat = gss_get_mic(ctx->gc_gss_ctx, &integ_buf, &mic); 1721 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1722 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1723 else if (maj_stat) 1724 goto bad_mic; 1725 /* Check that the trailing MIC fit in the buffer, after the fact */ 1726 if (xdr_stream_encode_opaque_inline(xdr, (void **)&p, mic.len) < 0) 1727 goto wrap_failed; 1728 return 0; 1729 wrap_failed: 1730 return -EMSGSIZE; 1731 bad_mic: 1732 trace_rpcgss_get_mic(task, maj_stat); 1733 return -EIO; 1734 } 1735 1736 static void 1737 priv_release_snd_buf(struct rpc_rqst *rqstp) 1738 { 1739 int i; 1740 1741 for (i=0; i < rqstp->rq_enc_pages_num; i++) 1742 __free_page(rqstp->rq_enc_pages[i]); 1743 kfree(rqstp->rq_enc_pages); 1744 rqstp->rq_release_snd_buf = NULL; 1745 } 1746 1747 static int 1748 alloc_enc_pages(struct rpc_rqst *rqstp) 1749 { 1750 struct xdr_buf *snd_buf = &rqstp->rq_snd_buf; 1751 int first, last, i; 1752 1753 if (rqstp->rq_release_snd_buf) 1754 rqstp->rq_release_snd_buf(rqstp); 1755 1756 if (snd_buf->page_len == 0) { 1757 rqstp->rq_enc_pages_num = 0; 1758 return 0; 1759 } 1760 1761 first = snd_buf->page_base >> PAGE_SHIFT; 1762 last = (snd_buf->page_base + snd_buf->page_len - 1) >> PAGE_SHIFT; 1763 rqstp->rq_enc_pages_num = last - first + 1 + 1; 1764 rqstp->rq_enc_pages 1765 = kmalloc_array(rqstp->rq_enc_pages_num, 1766 sizeof(struct page *), 1767 GFP_NOFS); 1768 if (!rqstp->rq_enc_pages) 1769 goto out; 1770 for (i=0; i < rqstp->rq_enc_pages_num; i++) { 1771 rqstp->rq_enc_pages[i] = alloc_page(GFP_NOFS); 1772 if (rqstp->rq_enc_pages[i] == NULL) 1773 goto out_free; 1774 } 1775 rqstp->rq_release_snd_buf = priv_release_snd_buf; 1776 return 0; 1777 out_free: 1778 rqstp->rq_enc_pages_num = i; 1779 priv_release_snd_buf(rqstp); 1780 out: 1781 return -EAGAIN; 1782 } 1783 1784 static int gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx, 1785 struct rpc_task *task, struct xdr_stream *xdr) 1786 { 1787 struct rpc_rqst *rqstp = task->tk_rqstp; 1788 struct xdr_buf *snd_buf = &rqstp->rq_snd_buf; 1789 u32 pad, offset, maj_stat; 1790 int status; 1791 __be32 *p, *opaque_len; 1792 struct page **inpages; 1793 int first; 1794 struct kvec *iov; 1795 1796 status = -EIO; 1797 p = xdr_reserve_space(xdr, 2 * sizeof(*p)); 1798 if (!p) 1799 goto wrap_failed; 1800 opaque_len = p++; 1801 *p = cpu_to_be32(rqstp->rq_seqno); 1802 1803 if (rpcauth_wrap_req_encode(task, xdr)) 1804 goto wrap_failed; 1805 1806 status = alloc_enc_pages(rqstp); 1807 if (unlikely(status)) 1808 goto wrap_failed; 1809 first = snd_buf->page_base >> PAGE_SHIFT; 1810 inpages = snd_buf->pages + first; 1811 snd_buf->pages = rqstp->rq_enc_pages; 1812 snd_buf->page_base -= first << PAGE_SHIFT; 1813 /* 1814 * Move the tail into its own page, in case gss_wrap needs 1815 * more space in the head when wrapping. 1816 * 1817 * Still... Why can't gss_wrap just slide the tail down? 1818 */ 1819 if (snd_buf->page_len || snd_buf->tail[0].iov_len) { 1820 char *tmp; 1821 1822 tmp = page_address(rqstp->rq_enc_pages[rqstp->rq_enc_pages_num - 1]); 1823 memcpy(tmp, snd_buf->tail[0].iov_base, snd_buf->tail[0].iov_len); 1824 snd_buf->tail[0].iov_base = tmp; 1825 } 1826 offset = (u8 *)p - (u8 *)snd_buf->head[0].iov_base; 1827 maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages); 1828 /* slack space should prevent this ever happening: */ 1829 if (unlikely(snd_buf->len > snd_buf->buflen)) 1830 goto wrap_failed; 1831 /* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was 1832 * done anyway, so it's safe to put the request on the wire: */ 1833 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1834 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1835 else if (maj_stat) 1836 goto bad_wrap; 1837 1838 *opaque_len = cpu_to_be32(snd_buf->len - offset); 1839 /* guess whether the pad goes into the head or the tail: */ 1840 if (snd_buf->page_len || snd_buf->tail[0].iov_len) 1841 iov = snd_buf->tail; 1842 else 1843 iov = snd_buf->head; 1844 p = iov->iov_base + iov->iov_len; 1845 pad = 3 - ((snd_buf->len - offset - 1) & 3); 1846 memset(p, 0, pad); 1847 iov->iov_len += pad; 1848 snd_buf->len += pad; 1849 1850 return 0; 1851 wrap_failed: 1852 return status; 1853 bad_wrap: 1854 trace_rpcgss_wrap(task, maj_stat); 1855 return -EIO; 1856 } 1857 1858 static int gss_wrap_req(struct rpc_task *task, struct xdr_stream *xdr) 1859 { 1860 struct rpc_cred *cred = task->tk_rqstp->rq_cred; 1861 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, 1862 gc_base); 1863 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 1864 int status; 1865 1866 status = -EIO; 1867 if (ctx->gc_proc != RPC_GSS_PROC_DATA) { 1868 /* The spec seems a little ambiguous here, but I think that not 1869 * wrapping context destruction requests makes the most sense. 1870 */ 1871 status = rpcauth_wrap_req_encode(task, xdr); 1872 goto out; 1873 } 1874 switch (gss_cred->gc_service) { 1875 case RPC_GSS_SVC_NONE: 1876 status = rpcauth_wrap_req_encode(task, xdr); 1877 break; 1878 case RPC_GSS_SVC_INTEGRITY: 1879 status = gss_wrap_req_integ(cred, ctx, task, xdr); 1880 break; 1881 case RPC_GSS_SVC_PRIVACY: 1882 status = gss_wrap_req_priv(cred, ctx, task, xdr); 1883 break; 1884 default: 1885 status = -EIO; 1886 } 1887 out: 1888 gss_put_ctx(ctx); 1889 return status; 1890 } 1891 1892 static int 1893 gss_unwrap_resp_auth(struct rpc_cred *cred) 1894 { 1895 struct rpc_auth *auth = cred->cr_auth; 1896 1897 auth->au_rslack = auth->au_verfsize; 1898 auth->au_ralign = auth->au_verfsize; 1899 return 0; 1900 } 1901 1902 static int 1903 gss_unwrap_resp_integ(struct rpc_task *task, struct rpc_cred *cred, 1904 struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp, 1905 struct xdr_stream *xdr) 1906 { 1907 struct xdr_buf integ_buf, *rcv_buf = &rqstp->rq_rcv_buf; 1908 u32 data_offset, mic_offset, integ_len, maj_stat; 1909 struct rpc_auth *auth = cred->cr_auth; 1910 struct xdr_netobj mic; 1911 __be32 *p; 1912 1913 p = xdr_inline_decode(xdr, 2 * sizeof(*p)); 1914 if (unlikely(!p)) 1915 goto unwrap_failed; 1916 integ_len = be32_to_cpup(p++); 1917 if (integ_len & 3) 1918 goto unwrap_failed; 1919 data_offset = (u8 *)(p) - (u8 *)rcv_buf->head[0].iov_base; 1920 mic_offset = integ_len + data_offset; 1921 if (mic_offset > rcv_buf->len) 1922 goto unwrap_failed; 1923 if (be32_to_cpup(p) != rqstp->rq_seqno) 1924 goto bad_seqno; 1925 1926 if (xdr_buf_subsegment(rcv_buf, &integ_buf, data_offset, integ_len)) 1927 goto unwrap_failed; 1928 if (xdr_buf_read_netobj(rcv_buf, &mic, mic_offset)) 1929 goto unwrap_failed; 1930 maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &integ_buf, &mic); 1931 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1932 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1933 if (maj_stat != GSS_S_COMPLETE) 1934 goto bad_mic; 1935 1936 auth->au_rslack = auth->au_verfsize + 2 + 1 + XDR_QUADLEN(mic.len); 1937 auth->au_ralign = auth->au_verfsize + 2; 1938 return 0; 1939 unwrap_failed: 1940 trace_rpcgss_unwrap_failed(task); 1941 return -EIO; 1942 bad_seqno: 1943 trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, be32_to_cpup(p)); 1944 return -EIO; 1945 bad_mic: 1946 trace_rpcgss_verify_mic(task, maj_stat); 1947 return -EIO; 1948 } 1949 1950 static int 1951 gss_unwrap_resp_priv(struct rpc_task *task, struct rpc_cred *cred, 1952 struct gss_cl_ctx *ctx, struct rpc_rqst *rqstp, 1953 struct xdr_stream *xdr) 1954 { 1955 struct xdr_buf *rcv_buf = &rqstp->rq_rcv_buf; 1956 struct kvec *head = rqstp->rq_rcv_buf.head; 1957 struct rpc_auth *auth = cred->cr_auth; 1958 unsigned int savedlen = rcv_buf->len; 1959 u32 offset, opaque_len, maj_stat; 1960 __be32 *p; 1961 1962 p = xdr_inline_decode(xdr, 2 * sizeof(*p)); 1963 if (unlikely(!p)) 1964 goto unwrap_failed; 1965 opaque_len = be32_to_cpup(p++); 1966 offset = (u8 *)(p) - (u8 *)head->iov_base; 1967 if (offset + opaque_len > rcv_buf->len) 1968 goto unwrap_failed; 1969 rcv_buf->len = offset + opaque_len; 1970 1971 maj_stat = gss_unwrap(ctx->gc_gss_ctx, offset, rcv_buf); 1972 if (maj_stat == GSS_S_CONTEXT_EXPIRED) 1973 clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags); 1974 if (maj_stat != GSS_S_COMPLETE) 1975 goto bad_unwrap; 1976 /* gss_unwrap decrypted the sequence number */ 1977 if (be32_to_cpup(p++) != rqstp->rq_seqno) 1978 goto bad_seqno; 1979 1980 /* gss_unwrap redacts the opaque blob from the head iovec. 1981 * rcv_buf has changed, thus the stream needs to be reset. 1982 */ 1983 xdr_init_decode(xdr, rcv_buf, p, rqstp); 1984 1985 auth->au_rslack = auth->au_verfsize + 2 + 1986 XDR_QUADLEN(savedlen - rcv_buf->len); 1987 auth->au_ralign = auth->au_verfsize + 2 + 1988 XDR_QUADLEN(savedlen - rcv_buf->len); 1989 return 0; 1990 unwrap_failed: 1991 trace_rpcgss_unwrap_failed(task); 1992 return -EIO; 1993 bad_seqno: 1994 trace_rpcgss_bad_seqno(task, rqstp->rq_seqno, be32_to_cpup(--p)); 1995 return -EIO; 1996 bad_unwrap: 1997 trace_rpcgss_unwrap(task, maj_stat); 1998 return -EIO; 1999 } 2000 2001 static bool 2002 gss_seq_is_newer(u32 new, u32 old) 2003 { 2004 return (s32)(new - old) > 0; 2005 } 2006 2007 static bool 2008 gss_xmit_need_reencode(struct rpc_task *task) 2009 { 2010 struct rpc_rqst *req = task->tk_rqstp; 2011 struct rpc_cred *cred = req->rq_cred; 2012 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 2013 u32 win, seq_xmit = 0; 2014 bool ret = true; 2015 2016 if (!ctx) 2017 goto out; 2018 2019 if (gss_seq_is_newer(req->rq_seqno, READ_ONCE(ctx->gc_seq))) 2020 goto out_ctx; 2021 2022 seq_xmit = READ_ONCE(ctx->gc_seq_xmit); 2023 while (gss_seq_is_newer(req->rq_seqno, seq_xmit)) { 2024 u32 tmp = seq_xmit; 2025 2026 seq_xmit = cmpxchg(&ctx->gc_seq_xmit, tmp, req->rq_seqno); 2027 if (seq_xmit == tmp) { 2028 ret = false; 2029 goto out_ctx; 2030 } 2031 } 2032 2033 win = ctx->gc_win; 2034 if (win > 0) 2035 ret = !gss_seq_is_newer(req->rq_seqno, seq_xmit - win); 2036 2037 out_ctx: 2038 gss_put_ctx(ctx); 2039 out: 2040 trace_rpcgss_need_reencode(task, seq_xmit, ret); 2041 return ret; 2042 } 2043 2044 static int 2045 gss_unwrap_resp(struct rpc_task *task, struct xdr_stream *xdr) 2046 { 2047 struct rpc_rqst *rqstp = task->tk_rqstp; 2048 struct rpc_cred *cred = rqstp->rq_cred; 2049 struct gss_cred *gss_cred = container_of(cred, struct gss_cred, 2050 gc_base); 2051 struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred); 2052 int status = -EIO; 2053 2054 if (ctx->gc_proc != RPC_GSS_PROC_DATA) 2055 goto out_decode; 2056 switch (gss_cred->gc_service) { 2057 case RPC_GSS_SVC_NONE: 2058 status = gss_unwrap_resp_auth(cred); 2059 break; 2060 case RPC_GSS_SVC_INTEGRITY: 2061 status = gss_unwrap_resp_integ(task, cred, ctx, rqstp, xdr); 2062 break; 2063 case RPC_GSS_SVC_PRIVACY: 2064 status = gss_unwrap_resp_priv(task, cred, ctx, rqstp, xdr); 2065 break; 2066 } 2067 if (status) 2068 goto out; 2069 2070 out_decode: 2071 status = rpcauth_unwrap_resp_decode(task, xdr); 2072 out: 2073 gss_put_ctx(ctx); 2074 return status; 2075 } 2076 2077 static const struct rpc_authops authgss_ops = { 2078 .owner = THIS_MODULE, 2079 .au_flavor = RPC_AUTH_GSS, 2080 .au_name = "RPCSEC_GSS", 2081 .create = gss_create, 2082 .destroy = gss_destroy, 2083 .hash_cred = gss_hash_cred, 2084 .lookup_cred = gss_lookup_cred, 2085 .crcreate = gss_create_cred, 2086 .list_pseudoflavors = gss_mech_list_pseudoflavors, 2087 .info2flavor = gss_mech_info2flavor, 2088 .flavor2info = gss_mech_flavor2info, 2089 }; 2090 2091 static const struct rpc_credops gss_credops = { 2092 .cr_name = "AUTH_GSS", 2093 .crdestroy = gss_destroy_cred, 2094 .cr_init = gss_cred_init, 2095 .crmatch = gss_match, 2096 .crmarshal = gss_marshal, 2097 .crrefresh = gss_refresh, 2098 .crvalidate = gss_validate, 2099 .crwrap_req = gss_wrap_req, 2100 .crunwrap_resp = gss_unwrap_resp, 2101 .crkey_timeout = gss_key_timeout, 2102 .crstringify_acceptor = gss_stringify_acceptor, 2103 .crneed_reencode = gss_xmit_need_reencode, 2104 }; 2105 2106 static const struct rpc_credops gss_nullops = { 2107 .cr_name = "AUTH_GSS", 2108 .crdestroy = gss_destroy_nullcred, 2109 .crmatch = gss_match, 2110 .crmarshal = gss_marshal, 2111 .crrefresh = gss_refresh_null, 2112 .crvalidate = gss_validate, 2113 .crwrap_req = gss_wrap_req, 2114 .crunwrap_resp = gss_unwrap_resp, 2115 .crstringify_acceptor = gss_stringify_acceptor, 2116 }; 2117 2118 static const struct rpc_pipe_ops gss_upcall_ops_v0 = { 2119 .upcall = rpc_pipe_generic_upcall, 2120 .downcall = gss_pipe_downcall, 2121 .destroy_msg = gss_pipe_destroy_msg, 2122 .open_pipe = gss_pipe_open_v0, 2123 .release_pipe = gss_pipe_release, 2124 }; 2125 2126 static const struct rpc_pipe_ops gss_upcall_ops_v1 = { 2127 .upcall = rpc_pipe_generic_upcall, 2128 .downcall = gss_pipe_downcall, 2129 .destroy_msg = gss_pipe_destroy_msg, 2130 .open_pipe = gss_pipe_open_v1, 2131 .release_pipe = gss_pipe_release, 2132 }; 2133 2134 static __net_init int rpcsec_gss_init_net(struct net *net) 2135 { 2136 return gss_svc_init_net(net); 2137 } 2138 2139 static __net_exit void rpcsec_gss_exit_net(struct net *net) 2140 { 2141 gss_svc_shutdown_net(net); 2142 } 2143 2144 static struct pernet_operations rpcsec_gss_net_ops = { 2145 .init = rpcsec_gss_init_net, 2146 .exit = rpcsec_gss_exit_net, 2147 }; 2148 2149 /* 2150 * Initialize RPCSEC_GSS module 2151 */ 2152 static int __init init_rpcsec_gss(void) 2153 { 2154 int err = 0; 2155 2156 err = rpcauth_register(&authgss_ops); 2157 if (err) 2158 goto out; 2159 err = gss_svc_init(); 2160 if (err) 2161 goto out_unregister; 2162 err = register_pernet_subsys(&rpcsec_gss_net_ops); 2163 if (err) 2164 goto out_svc_exit; 2165 rpc_init_wait_queue(&pipe_version_rpc_waitqueue, "gss pipe version"); 2166 return 0; 2167 out_svc_exit: 2168 gss_svc_shutdown(); 2169 out_unregister: 2170 rpcauth_unregister(&authgss_ops); 2171 out: 2172 return err; 2173 } 2174 2175 static void __exit exit_rpcsec_gss(void) 2176 { 2177 unregister_pernet_subsys(&rpcsec_gss_net_ops); 2178 gss_svc_shutdown(); 2179 rpcauth_unregister(&authgss_ops); 2180 rcu_barrier(); /* Wait for completion of call_rcu()'s */ 2181 } 2182 2183 MODULE_ALIAS("rpc-auth-6"); 2184 MODULE_LICENSE("GPL"); 2185 module_param_named(expired_cred_retry_delay, 2186 gss_expired_cred_retry_delay, 2187 uint, 0644); 2188 MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until " 2189 "the RPC engine retries an expired credential"); 2190 2191 module_param_named(key_expire_timeo, 2192 gss_key_expire_timeo, 2193 uint, 0644); 2194 MODULE_PARM_DESC(key_expire_timeo, "Time (in seconds) at the end of a " 2195 "credential keys lifetime where the NFS layer cleans up " 2196 "prior to key expiration"); 2197 2198 module_init(init_rpcsec_gss) 2199 module_exit(exit_rpcsec_gss) 2200