From: <andros@netapp.com>
To: <anna.schumaker@netapp.com>
Cc: <bfieldses.org@netapp.com>, <linux-nfs@vger.kernel.org>,
Andy Adamson <andros@netapp.com>
Subject: [PATCH Version 3 06/16] SUNRPC AUTH_GSS gss3 reply verifier
Date: Fri, 23 Dec 2016 11:04:18 -0500 [thread overview]
Message-ID: <1482509068-24516-7-git-send-email-andros@netapp.com> (raw)
In-Reply-To: <1482509068-24516-1-git-send-email-andros@netapp.com>
From: Andy Adamson <andros@netapp.com>
The new GSS Version 3 reply verifier is taken over the same data as
the call verifier, caveat REPLY direction
Verifier Data
xid tk_rqstp->rq_xid
direction REPLY (always a 1) RPC_REPLY
rpcvers RPC_VERSION
prog clnt->cl_prog
vers clnt->cl_vers
proc tk_msg.rpc_proc->p_proc
credential
flavor RPC_AUTH_GSS
length cred_len is in gss_marshal (new gv_crlen)
gss version ctx->gc_v
gss proc ctx->gv_proc
gss seq tk_rqstp->rq_seqno
gss svc gss_cred->gc_service
gss ctx len ctx->gc_wire_ctx
gss ctx data ctx->gc_wire_ctx
Signed-off-by: Andy Adamson <andros@netapp.com>
---
net/sunrpc/auth_gss/auth_gss.c | 60 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 58 insertions(+), 2 deletions(-)
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 9288cc2..d11f421 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1624,6 +1624,53 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred)
return 0;
}
+/**
+ * gss3_reply_verifier: The new gssv3 verifier uses same data as call
+ * caveat REPLY direction - see rpc_encode_header
+ */
+static void *
+gss3_reply_verifier(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
+ struct rpc_task *task, __be32 *seq, struct kvec *iov)
+{
+ struct gss_cred *g_cred = container_of(cred, struct gss_cred, gc_base);
+ void *gss3_buf = NULL;
+ __be32 *crlen, *ptr = NULL;
+ int len;
+
+ /* freed in gss_validate */
+ len = (13 * 4) + ctx->gc_wire_ctx.len;
+ gss3_buf = kmalloc(len, GFP_NOFS);
+ if (!gss3_buf) {
+ gss3_buf = ERR_PTR(-EIO);
+ goto out;
+ }
+ ptr = (__be32 *)gss3_buf;
+
+ *ptr++ = htonl(task->tk_rqstp->rq_xid);
+ *ptr++ = htonl(RPC_REPLY);
+ *ptr++ = htonl(RPC_VERSION);
+ *ptr++ = htonl(task->tk_client->cl_prog);
+ *ptr++ = htonl(task->tk_client->cl_vers);
+ *ptr++ = htonl(task->tk_msg.rpc_proc->p_proc);
+ *ptr++ = htonl(RPC_AUTH_GSS);
+
+ /* credential */
+ crlen = ptr++;
+ *ptr++ = htonl(ctx->gc_v);
+ *ptr++ = htonl(ctx->gc_proc);
+ *ptr++ = *seq;
+ *ptr++ = htonl(g_cred->gc_service);
+ ptr = xdr_encode_netobj(ptr, &ctx->gc_wire_ctx);
+
+ /* backfill cred length */
+ *crlen = htonl((ptr - (crlen + 1)) << 2);
+
+ iov->iov_base = gss3_buf;
+ iov->iov_len = (ptr - (__be32 *)gss3_buf) << 2;
+out:
+ return gss3_buf;
+}
+
static __be32 *
gss_validate(struct rpc_task *task, __be32 *p)
{
@@ -1633,6 +1680,7 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred)
struct kvec iov;
struct xdr_buf verf_buf;
struct xdr_netobj mic;
+ void *g3_buf = NULL;
u32 flav,len;
u32 maj_stat;
__be32 *ret = ERR_PTR(-EIO);
@@ -1648,14 +1696,22 @@ static int gss_cred_is_negative_entry(struct rpc_cred *cred)
if (!seq)
goto out_bad;
*seq = htonl(task->tk_rqstp->rq_seqno);
- iov.iov_base = seq;
- iov.iov_len = 4;
+ if (ctx->gc_v == RPC_GSS_VERSION) {
+ iov.iov_base = seq;
+ iov.iov_len = 4;
+ }
+ if (ctx->gc_v == RPC_GSS3_VERSION) {
+ g3_buf = gss3_reply_verifier(cred, ctx, task, seq, &iov);
+ if (IS_ERR(g3_buf))
+ goto out_bad;
+ }
xdr_buf_from_iov(&iov, &verf_buf);
mic.data = (u8 *)p;
mic.len = len;
ret = ERR_PTR(-EACCES);
maj_stat = gss_verify_mic(ctx->gc_gss_ctx, &verf_buf, &mic);
+ kfree(g3_buf);
if (maj_stat == GSS_S_CONTEXT_EXPIRED)
clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
if (maj_stat) {
--
1.8.3.1
next prev parent reply other threads:[~2016-12-23 16:06 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-23 16:04 [PATCH Version 3 00/16] RFC: RPCSEC_GSS Version 3 prototype: Full Mode MAC andros
2016-12-23 16:04 ` [PATCH Version 3 01/16] SUNRPC handle unsupported RPC_GSS_SVC_CHANNEL_PROT andros
2016-12-23 18:31 ` kbuild test robot
2017-01-04 21:11 ` Anna Schumaker
2016-12-23 16:04 ` [PATCH Version 3 02/16] SUNRPC: add a null call with payload GSSv3 andros
2016-12-23 16:04 ` [PATCH Version 3 03/16] SELINUX export security_current_sid_to_context andros
2016-12-23 16:04 ` [PATCH Version 3 04/16] SUNRPC GSSv3: base definitions andros
2016-12-23 16:04 ` [PATCH Version 3 05/16] SUNRPC AUTH_GSS get RPCSEC_GSS version from gssd downcall andros
2016-12-23 16:04 ` andros [this message]
2017-01-04 21:46 ` [PATCH Version 3 06/16] SUNRPC AUTH_GSS gss3 reply verifier Anna Schumaker
2016-12-23 16:04 ` [PATCH Version 3 07/16] SUNRPC AUTH_GSS RPCSEC_GSS_CREATE with label payload andros
2016-12-23 18:01 ` kbuild test robot
2017-01-04 21:51 ` Anna Schumaker
2016-12-23 16:04 ` [PATCH Version 3 08/16] SUNRPC AUTH_GSS store and use gss3 label assertion andros
2016-12-23 16:04 ` [PATCH Version 3 09/16] SUNRPC AUTH_GSS free assertions andros
2016-12-23 16:04 ` [PATCH Version 3 10/16] SUNRPC: AUTH_GSS add RPC_GSS_PROC_CREATE case for wrap and unwrap andros
2016-12-23 16:04 ` [PATCH Version 3 11/16] SUNRPC SVCAUTH_GSS reap the rsc cache entry on RPC_GSS_PROC_DESTROY andros
2016-12-23 16:04 ` [PATCH Version 3 12/16] SUNRPC SVCAUTH_GSS allow RPCSEC_GSS version 1 or 3 andros
2016-12-23 16:04 ` [PATCH Version 3 13/16] SUNRPC SVCAUTH_GSS gss3 reply verifier andros
2016-12-23 16:04 ` [PATCH Version 3 14/16] SUNRPC SVCAUTH_GSS gss3 create label andros
2016-12-23 16:04 ` [PATCH Version 3 15/16] SUNRPC SVCAUTH_GSS set gss3 label on nfsd thread andros
2016-12-23 16:04 ` [PATCH Version 3 16/16] SUNRPC SVCAUTH_gss store gss3 child handles in parent rsc andros
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1482509068-24516-7-git-send-email-andros@netapp.com \
--to=andros@netapp.com \
--cc=anna.schumaker@netapp.com \
--cc=bfieldses.org@netapp.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.