xref: /kernel/linux/linux-6.6/net/sunrpc/auth_gss/svcauth_gss.c

644  * @rqstp: RPC Call to use when reporting errors
652  *   %true: @rqstp's GSS sequence number is inside the window
653  *   %false: @rqstp's GSS sequence number is outside the window
655 static bool gss_check_seq_num(const struct svc_rqst *rqstp, struct rsc *rsci,
685 	trace_rpcgss_svc_seqno_low(rqstp, seq_num,
690 	trace_rpcgss_svc_seqno_seen(rqstp, seq_num);
702 svcauth_gss_verify_header(struct svc_rqst *rqstp, struct rsc *rsci,
705 	struct xdr_stream	*xdr = &rqstp->rq_arg_stream;
724 		rqstp->rq_auth_stat = rpc_autherr_badverf;
728 		rqstp->rq_auth_stat = rpc_autherr_badverf;
732 	if (rqstp->rq_deferred)
736 		trace_rpcgss_svc_mic(rqstp, maj_stat);
737 		rqstp->rq_auth_stat = rpcsec_gsserr_credproblem;
742 		trace_rpcgss_svc_seqno_large(rqstp, gc->gc_seq);
743 		rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem;
746 	if (!gss_check_seq_num(rqstp, rsci, gc->gc_seq))
757 svcauth_gss_encode_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq)
759 	struct gss_svc_data	*gsd = rqstp->rq_auth_data;
775 	return xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, RPC_AUTH_GSS,
779 	trace_rpcgss_svc_get_mic(rqstp, maj_stat);
860 svcauth_gss_unwrap_integ(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx)
862 	struct gss_svc_data *gsd = rqstp->rq_auth_data;
863 	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
875 	clear_bit(RQ_SPLICE_OK, &rqstp->rq_flags);
878 	if (rqstp->rq_deferred)
921 	trace_rpcgss_svc_unwrap_failed(rqstp);
924 	trace_rpcgss_svc_seqno_bad(rqstp, seq, seq_num);
927 	trace_rpcgss_svc_mic(rqstp, maj_stat);
944 svcauth_gss_unwrap_priv(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx)
946 	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
951 	clear_bit(RQ_SPLICE_OK, &rqstp->rq_flags);
955 	if (rqstp->rq_deferred) {
979 	trace_rpcgss_svc_unwrap_failed(rqstp);
982 	trace_rpcgss_svc_seqno_bad(rqstp, seq, seq_num);
985 	trace_rpcgss_svc_unwrap(rqstp, maj_stat);
990 svcauth_gss_set_client(struct svc_rqst *rqstp)
992 	struct gss_svc_data *svcdata = rqstp->rq_auth_data;
997 	rqstp->rq_auth_stat = rpc_autherr_badcred;
1008 	rqstp->rq_gssclient = find_gss_auth_domain(rsci->mechctx, gc->gc_svc);
1009 	if (rqstp->rq_gssclient == NULL)
1011 	stat = svcauth_unix_set_client(rqstp);
1015 	rqstp->rq_auth_stat = rpc_auth_ok;
1020 svcauth_gss_proc_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp,
1024 	struct xdr_stream *xdr = &rqstp->rq_res_stream;
1036 	rc = svcauth_gss_encode_verf(rqstp, rsci->mechctx, seq_num);
1061 static int gss_read_proxy_verf(struct svc_rqst *rqstp,
1066 	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
1106 	from_offs = rqstp->rq_arg.page_base;
1117 		       page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs,
1170 svcauth_gss_legacy_init(struct svc_rqst *rqstp,
1173 	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
1178 	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
1213 	if (cache_check(sn->rsi_cache, &rsip->h, &rqstp->rq_chandle) < 0)
1218 	if (!svcauth_gss_proc_init_verf(sn->rsc_cache, rqstp, &rsip->out_handle,
1221 	if (!svcxdr_set_accept_stat(rqstp))
1223 	if (!svcxdr_encode_gss_init_res(&rqstp->rq_res_stream, &rsip->out_handle,
1306 static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
1314 	struct net *net = SVC_NET(rqstp);
1318 	ret = gss_read_proxy_verf(rqstp, gc, &ud.in_handle, &ud.in_token);
1329 	trace_rpcgss_svc_accept_upcall(rqstp, ud.major_status, ud.minor_status);
1346 	if (!svcauth_gss_proc_init_verf(sn->rsc_cache, rqstp, &cli_handle,
1349 	if (!svcxdr_set_accept_stat(rqstp))
1351 	if (!svcxdr_encode_gss_init_res(&rqstp->rq_res_stream, &cli_handle,
1391 svcauth_gss_proc_init(struct svc_rqst *rqstp, struct rpc_gss_wire_cred *gc)
1393 	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
1401 		rqstp->rq_auth_stat = rpc_autherr_badverf;
1406 		rqstp->rq_auth_stat = rpc_autherr_badcred;
1410 	if (!use_gss_proxy(SVC_NET(rqstp)))
1411 		return svcauth_gss_legacy_init(rqstp, gc);
1412 	return svcauth_gss_proxy_init(rqstp, gc);
1626  * @rqstp: RPC transaction
1635  * The rqstp->rq_auth_stat field is also set (see RFCs 2203 and 5531).
1638 svcauth_gss_accept(struct svc_rqst *rqstp)
1640 	struct gss_svc_data *svcdata = rqstp->rq_auth_data;
1645 	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
1647 	rqstp->rq_auth_stat = rpc_autherr_badcred;
1652 	rqstp->rq_auth_data = svcdata;
1657 	if (!svcauth_gss_decode_credbody(&rqstp->rq_arg_stream, gc, &rpcstart))
1665 		if (rqstp->rq_proc != 0)
1667 		return svcauth_gss_proc_init(rqstp, gc);
1669 		if (rqstp->rq_proc != 0)
1673 		rqstp->rq_auth_stat = rpcsec_gsserr_credproblem;
1677 		switch (svcauth_gss_verify_header(rqstp, rsci, rpcstart, gc)) {
1687 		if (rqstp->rq_proc != 0)
1689 		rqstp->rq_auth_stat = rpc_autherr_rejectedcred;
1696 		if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq))
1698 		if (!svcxdr_set_accept_stat(rqstp))
1704 		rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem;
1705 		if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq))
1707 		if (!svcxdr_set_accept_stat(rqstp))
1709 		svcdata->gsd_databody_offset = xdr_stream_pos(&rqstp->rq_res_stream);
1710 		rqstp->rq_cred = rsci->cred;
1712 		rqstp->rq_auth_stat = rpc_autherr_badcred;
1718 			xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2);
1719 			if (svcauth_gss_unwrap_integ(rqstp, gc->gc_seq,
1722 			svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE);
1726 			xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2);
1727 			if (svcauth_gss_unwrap_priv(rqstp, gc->gc_seq,
1730 			svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE * 2);
1737 		rqstp->rq_cred.cr_flavor = gss_svc_to_pseudoflavor(
1742 		trace_rpcgss_svc_authenticate(rqstp, gc);
1749 	xdr_truncate_encode(&rqstp->rq_res_stream, XDR_UNIT * 2);
1764 svcauth_gss_prepare_to_wrap(struct svc_rqst *rqstp, struct gss_svc_data *gsd)
1773 	if (rqstp->rq_auth_stat != rpc_auth_ok)
1777 	if (*rqstp->rq_accept_statp != rpc_success)
1800 static int svcauth_gss_wrap_integ(struct svc_rqst *rqstp)
1802 	struct gss_svc_data *gsd = rqstp->rq_auth_data;
1803 	struct xdr_stream *xdr = &rqstp->rq_res_stream;
1810 	offset = svcauth_gss_prepare_to_wrap(rqstp, gsd);
1837 	trace_rpcgss_svc_get_mic(rqstp, maj_stat);
1840 	trace_rpcgss_svc_wrap_failed(rqstp);
1861 static int svcauth_gss_wrap_priv(struct svc_rqst *rqstp)
1863 	struct gss_svc_data *gsd = rqstp->rq_auth_data;
1865 	struct xdr_buf *buf = &rqstp->rq_res;
1871 	offset = svcauth_gss_prepare_to_wrap(rqstp, gsd);
1933 	trace_rpcgss_svc_wrap_failed(rqstp);
1936 	trace_rpcgss_svc_wrap(rqstp, maj_stat);
1942  * @rqstp: RPC transaction context
1950 svcauth_gss_release(struct svc_rqst *rqstp)
1952 	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
1953 	struct gss_svc_data *gsd = rqstp->rq_auth_data;
1967 		stat = svcauth_gss_wrap_integ(rqstp);
1972 		stat = svcauth_gss_wrap_priv(rqstp);
1985 	if (rqstp->rq_client)
1986 		auth_domain_put(rqstp->rq_client);
1987 	rqstp->rq_client = NULL;
1988 	if (rqstp->rq_gssclient)
1989 		auth_domain_put(rqstp->rq_gssclient);
1990 	rqstp->rq_gssclient = NULL;
1991 	if (rqstp->rq_cred.cr_group_info)
1992 		put_group_info(rqstp->rq_cred.cr_group_info);
1993 	rqstp->rq_cred.cr_group_info = NULL;

Indexes created Thu Nov 07 10:32:03 CST 2024