From patchwork Fri Dec 23 16:04:24 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Adamson X-Patchwork-Id: 9487573 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 797F062AAB for ; Fri, 23 Dec 2016 16:06:42 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6CB1526246 for ; Fri, 23 Dec 2016 16:06:42 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 61E0B2711E; Fri, 23 Dec 2016 16:06:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 06C2726E82 for ; Fri, 23 Dec 2016 16:06:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753363AbcLWQGi (ORCPT ); Fri, 23 Dec 2016 11:06:38 -0500 Received: from mx143.netapp.com ([216.240.21.24]:55848 "EHLO mx143.netapp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966256AbcLWQGf (ORCPT ); Fri, 23 Dec 2016 11:06:35 -0500 X-IronPort-AV: E=Sophos;i="5.33,393,1477983600"; d="scan'208";a="165484703" Received: from vmwexchts02-prd.hq.netapp.com ([10.122.105.23]) by mx143-out.netapp.com with ESMTP; 23 Dec 2016 08:03:02 -0800 Received: from smtp2.corp.netapp.com (10.57.159.114) by VMWEXCHTS02-PRD.hq.netapp.com (10.122.105.23) with Microsoft SMTP Server id 15.0.1210.3; Fri, 23 Dec 2016 08:06:24 -0800 Received: from rhel7-1ga.androsad.fake (dros-16.local.vpn.netapp.com [10.55.72.69]) by smtp2.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id uBNG6EUv024091; Fri, 23 Dec 2016 08:06:25 -0800 (PST) From: To: CC: , , Andy Adamson Subject: [PATCH Version 3 12/16] SUNRPC SVCAUTH_GSS allow RPCSEC_GSS version 1 or 3 Date: Fri, 23 Dec 2016 11:04:24 -0500 Message-ID: <1482509068-24516-13-git-send-email-andros@netapp.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1482509068-24516-1-git-send-email-andros@netapp.com> References: <1482509068-24516-1-git-send-email-andros@netapp.com> MIME-Version: 1.0 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Andy Adamson Store the version used in the context INIT phase with the context. Check the incoming rpcsec gss version against the stored context version. Signed-off-by: Andy Adamson --- include/linux/sunrpc/gss_api.h | 1 + net/sunrpc/auth_gss/svcauth_gss.c | 20 ++++++++++++++------ 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/include/linux/sunrpc/gss_api.h b/include/linux/sunrpc/gss_api.h index bbcb100..2d99688 100644 --- a/include/linux/sunrpc/gss_api.h +++ b/include/linux/sunrpc/gss_api.h @@ -30,6 +30,7 @@ struct gss3_assert { /* The mechanism-independent gss-api context: */ struct gss_ctx { struct gss_api_mech *mech_type; + u32 gss_version; void *internal_ctx_id; }; diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index 5ac2503..1b6777d 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c @@ -976,8 +976,8 @@ struct gss_svc_data { } static inline int -gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, - struct xdr_netobj *out_handle, int *major_status) +gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, u32 gssv, + struct xdr_netobj *out_handle, int *major_status) { struct rsc *rsci; int rc; @@ -989,6 +989,8 @@ struct gss_svc_data { *major_status = GSS_S_NO_CONTEXT; return gss_write_null_verf(rqstp); } + /* set the RPCSEC_GSS version in the context */ + rsci->mechctx->gss_version = gssv; rc = gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN); cache_put(&rsci->h, cd); return rc; @@ -1130,7 +1132,7 @@ static int svcauth_gss_legacy_init(struct svc_rqst *rqstp, ret = SVC_CLOSE; /* Got an answer to the upcall; use it: */ - if (gss_write_init_verf(sn->rsc_cache, rqstp, + if (gss_write_init_verf(sn->rsc_cache, rqstp, gc->gc_v, &rsip->out_handle, &rsip->major_status)) goto out; if (gss_write_resv(resv, PAGE_SIZE, @@ -1259,7 +1261,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, } /* Got an answer to the upcall; use it: */ - if (gss_write_init_verf(sn->rsc_cache, rqstp, + if (gss_write_init_verf(sn->rsc_cache, rqstp, gc->gc_v, &cli_handle, &ud.major_status)) goto out; if (gss_write_resv(resv, PAGE_SIZE, @@ -1435,14 +1437,15 @@ static void destroy_use_gss_proxy_proc_entry(struct net *net) {} rpcstart -= 7; /* credential is: - * version(==1), proc(0,1,2,3), seq, service (1,2,3), handle + * version(==1 or 3), proc(0,1,2,3), seq, service (1,2,3), handle * at least 5 u32s, and is preceded by length, so that makes 6. */ if (argv->iov_len < 5 * 4) goto auth_err; crlen = svc_getnl(argv); - if (svc_getnl(argv) != RPC_GSS_VERSION) + gc->gc_v = svc_getnl(argv); + if ((gc->gc_v != RPC_GSS_VERSION) && (gc->gc_v != RPC_GSS3_VERSION)) goto auth_err; gc->gc_proc = svc_getnl(argv); gc->gc_seq = svc_getnl(argv); @@ -1470,6 +1473,11 @@ static void destroy_use_gss_proxy_proc_entry(struct net *net) {} rsci = gss_svc_searchbyctx(sn->rsc_cache, &gc->gc_ctx); if (!rsci) goto auth_err; + if (rsci->mechctx->gss_version != gc->gc_v) { + pr_warn("NFSD: RPCSEC_GSS version mismatch (%u:%u)\n", + rsci->mechctx->gss_version, gc->gc_v); + goto auth_err; + } switch (gss_verify_header(rqstp, rsci, rpcstart, gc, authp)) { case SVC_OK: break;