/* * Neil Brown <neilb@cse.unsw.edu.au> * J. Bruce Fields <bfields@umich.edu> * Andy Adamson <andros@umich.edu> * Dug Song <dugsong@monkey.org> * * RPCSEC_GSS server authentication. * This implements RPCSEC_GSS as defined in rfc2203 (rpcsec_gss) and rfc2078 * (gssapi) * * The RPCSEC_GSS involves three stages: *  1/ context creation *  2/ data exchange *  3/ context destruction * * Context creation is handled largely by upcalls to user-space. *  In particular, GSS_Accept_sec_context is handled by an upcall * Data exchange is handled entirely within the kernel *  In particular, GSS_GetMIC, GSS_VerifyMIC, GSS_Seal, GSS_Unseal are in-kernel. * Context destruction is handled in-kernel *  GSS_Delete_sec_context is in-kernel * * Context creation is initiated by a RPCSEC_GSS_INIT request arriving. * The context handle and gss_token are used as a key into the rpcsec_init cache. * The content of this cache includes some of the outputs of GSS_Accept_sec_context, * being major_status, minor_status, context_handle, reply_token. * These are sent back to the client. * Sequence window management is handled by the kernel.  The window size if currently * a compile time constant. * * When user-space is happy that a context is established, it places an entry * in the rpcsec_context cache. The key for this cache is the context_handle. * The content includes: *   uid/gidlist - for determining access rights *   mechanism type *   mechanism specific information, such as a key * */#include <linux/types.h>#include <linux/module.h>#include <linux/pagemap.h>#include <linux/sunrpc/auth_gss.h>#include <linux/sunrpc/svcauth.h>#include <linux/sunrpc/gss_err.h>#include <linux/sunrpc/svcauth.h>#include <linux/sunrpc/svcauth_gss.h>#include <linux/sunrpc/cache.h>#ifdef RPC_DEBUG# define RPCDBG_FACILITY	RPCDBG_AUTH#endif/* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT requests * into replies. * * Key is context handle (\x if empty) and gss_token. * Content is major_status minor_status (integers) context_handle, reply_token. * */static int netobj_equal(struct xdr_netobj *a, struct xdr_netobj *b){	return a->len == b->len && 0 == memcmp(a->data, b->data, a->len);}#define	RSI_HASHBITS	6#define	RSI_HASHMAX	(1<<RSI_HASHBITS)#define	RSI_HASHMASK	(RSI_HASHMAX-1)struct rsi {	struct cache_head	h;	struct xdr_netobj	in_handle, in_token;	struct xdr_netobj	out_handle, out_token;	int			major_status, minor_status;};static struct cache_head *rsi_table[RSI_HASHMAX];static struct cache_detail rsi_cache;static struct rsi *rsi_lookup(struct rsi *item, int set);static void rsi_free(struct rsi *rsii){	kfree(rsii->in_handle.data);	kfree(rsii->in_token.data);	kfree(rsii->out_handle.data);	kfree(rsii->out_token.data);}static void rsi_put(struct cache_head *item, struct cache_detail *cd){	struct rsi *rsii = container_of(item, struct rsi, h);	if (cache_put(item, cd)) {		rsi_free(rsii);		kfree(rsii);	}}static inline int rsi_hash(struct rsi *item){	return hash_mem(item->in_handle.data, item->in_handle.len, RSI_HASHBITS)	     ^ hash_mem(item->in_token.data, item->in_token.len, RSI_HASHBITS);}static inline int rsi_match(struct rsi *item, struct rsi *tmp){	return netobj_equal(&item->in_handle, &tmp->in_handle)		&& netobj_equal(&item->in_token, &tmp->in_token);}static int dup_to_netobj(struct xdr_netobj *dst, char *src, int len){	dst->len = len;	dst->data = (len ? kmalloc(len, GFP_KERNEL) : NULL);	if (dst->data)		memcpy(dst->data, src, len);	if (len && !dst->data)		return -ENOMEM;	return 0;}static inline int dup_netobj(struct xdr_netobj *dst, struct xdr_netobj *src){	return dup_to_netobj(dst, src->data, src->len);}static inline void rsi_init(struct rsi *new, struct rsi *item){	new->out_handle.data = NULL;	new->out_handle.len = 0;	new->out_token.data = NULL;	new->out_token.len = 0;	new->in_handle.len = item->in_handle.len;	item->in_handle.len = 0;	new->in_token.len = item->in_token.len;	item->in_token.len = 0;	new->in_handle.data = item->in_handle.data;	item->in_handle.data = NULL;	new->in_token.data = item->in_token.data;	item->in_token.data = NULL;}static inline void rsi_update(struct rsi *new, struct rsi *item){	BUG_ON(new->out_handle.data || new->out_token.data);	new->out_handle.len = item->out_handle.len;	item->out_handle.len = 0;	new->out_token.len = item->out_token.len;	item->out_token.len = 0;	new->out_handle.data = item->out_handle.data;	item->out_handle.data = NULL;	new->out_token.data = item->out_token.data;	item->out_token.data = NULL;	new->major_status = item->major_status;	new->minor_status = item->minor_status;}static void rsi_request(struct cache_detail *cd,                       struct cache_head *h,                       char **bpp, int *blen){	struct rsi *rsii = container_of(h, struct rsi, h);	qword_addhex(bpp, blen, rsii->in_handle.data, rsii->in_handle.len);	qword_addhex(bpp, blen, rsii->in_token.data, rsii->in_token.len);	(*bpp)[-1] = '\n';}static int rsi_parse(struct cache_detail *cd,                    char *mesg, int mlen){	/* context token expiry major minor context token */	char *buf = mesg;	char *ep;	int len;	struct rsi rsii, *rsip = NULL;	time_t expiry;	int status = -EINVAL;	memset(&rsii, 0, sizeof(rsii));	/* handle */	len = qword_get(&mesg, buf, mlen);	if (len < 0)		goto out;	status = -ENOMEM;	if (dup_to_netobj(&rsii.in_handle, buf, len))		goto out;	/* token */	len = qword_get(&mesg, buf, mlen);	status = -EINVAL;	if (len < 0)		goto out;	status = -ENOMEM;	if (dup_to_netobj(&rsii.in_token, buf, len))		goto out;	rsii.h.flags = 0;	/* expiry */	expiry = get_expiry(&mesg);	status = -EINVAL;	if (expiry == 0)		goto out;	/* major/minor */	len = qword_get(&mesg, buf, mlen);	if (len < 0)		goto out;	if (len == 0) {		goto out;	} else {		rsii.major_status = simple_strtoul(buf, &ep, 10);		if (*ep)			goto out;		len = qword_get(&mesg, buf, mlen);		if (len <= 0)			goto out;		rsii.minor_status = simple_strtoul(buf, &ep, 10);		if (*ep)			goto out;		/* out_handle */		len = qword_get(&mesg, buf, mlen);		if (len < 0)			goto out;		status = -ENOMEM;		if (dup_to_netobj(&rsii.out_handle, buf, len))			goto out;		/* out_token */		len = qword_get(&mesg, buf, mlen);		status = -EINVAL;		if (len < 0)			goto out;		status = -ENOMEM;		if (dup_to_netobj(&rsii.out_token, buf, len))			goto out;	}	rsii.h.expiry_time = expiry;	rsip = rsi_lookup(&rsii, 1);	status = 0;out:	rsi_free(&rsii);	if (rsip)		rsi_put(&rsip->h, &rsi_cache);	return status;}static struct cache_detail rsi_cache = {	.hash_size	= RSI_HASHMAX,	.hash_table     = rsi_table,	.name           = "auth.rpcsec.init",	.cache_put      = rsi_put,	.cache_request  = rsi_request,	.cache_parse    = rsi_parse,};static DefineSimpleCacheLookup(rsi, 0)/* * The rpcsec_context cache is used to store a context that is * used in data exchange. * The key is a context handle. The content is: *  uid, gidlist, mechanism, service-set, mech-specific-data */#define	RSC_HASHBITS	10#define	RSC_HASHMAX	(1<<RSC_HASHBITS)#define	RSC_HASHMASK	(RSC_HASHMAX-1)#define GSS_SEQ_WIN	128struct gss_svc_seq_data {	/* highest seq number seen so far: */	int			sd_max;	/* for i such that sd_max-GSS_SEQ_WIN < i <= sd_max, the i-th bit of	 * sd_win is nonzero iff sequence number i has been seen already: */	unsigned long		sd_win[GSS_SEQ_WIN/BITS_PER_LONG];	spinlock_t		sd_lock;};struct rsc {	struct cache_head	h;	struct xdr_netobj	handle;	struct svc_cred		cred;	struct gss_svc_seq_data	seqdata;	struct gss_ctx		*mechctx;};static struct cache_head *rsc_table[RSC_HASHMAX];static struct cache_detail rsc_cache;static struct rsc *rsc_lookup(struct rsc *item, int set);static void rsc_free(struct rsc *rsci){	kfree(rsci->handle.data);	if (rsci->mechctx)		gss_delete_sec_context(&rsci->mechctx);	if (rsci->cred.cr_group_info)		put_group_info(rsci->cred.cr_group_info);}static void rsc_put(struct cache_head *item, struct cache_detail *cd){	struct rsc *rsci = container_of(item, struct rsc, h);	if (cache_put(item, cd)) {		rsc_free(rsci);		kfree(rsci);	}}static inline intrsc_hash(struct rsc *rsci){	return hash_mem(rsci->handle.data, rsci->handle.len, RSC_HASHBITS);}static inline intrsc_match(struct rsc *new, struct rsc *tmp){	return netobj_equal(&new->handle, &tmp->handle);}static inline voidrsc_init(struct rsc *new, struct rsc *tmp){	new->handle.len = tmp->handle.len;	tmp->handle.len = 0;	new->handle.data = tmp->handle.data;	tmp->handle.data = NULL;	new->mechctx = NULL;	new->cred.cr_group_info = NULL;}static inline voidrsc_update(struct rsc *new, struct rsc *tmp){	new->mechctx = tmp->mechctx;	tmp->mechctx = NULL;	memset(&new->seqdata, 0, sizeof(new->seqdata));	spin_lock_init(&new->seqdata.sd_lock);	new->cred = tmp->cred;	tmp->cred.cr_group_info = NULL;}static int rsc_parse(struct cache_detail *cd,		     char *mesg, int mlen){	/* contexthandle expiry [ uid gid N <n gids> mechname ...mechdata... ] */	char *buf = mesg;	int len, rv;	struct rsc rsci, *rscp = NULL;	time_t expiry;	int status = -EINVAL;	memset(&rsci, 0, sizeof(rsci));	/* context handle */	len = qword_get(&mesg, buf, mlen);	if (len < 0) goto out;	status = -ENOMEM;	if (dup_to_netobj(&rsci.handle, buf, len))		goto out;	rsci.h.flags = 0;	/* expiry */	expiry = get_expiry(&mesg);	status = -EINVAL;	if (expiry == 0)		goto out;	/* uid, or NEGATIVE */	rv = get_int(&mesg, &rsci.cred.cr_uid);	if (rv == -EINVAL)		goto out;	if (rv == -ENOENT)		set_bit(CACHE_NEGATIVE, &rsci.h.flags);	else {		int N, i;		struct gss_api_mech *gm;		struct xdr_netobj tmp_buf;		/* gid */		if (get_int(&mesg, &rsci.cred.cr_gid))			goto out;		/* number of additional gid's */		if (get_int(&mesg, &N))			goto out;		status = -ENOMEM;		rsci.cred.cr_group_info = groups_alloc(N);		if (rsci.cred.cr_group_info == NULL)			goto out;		/* gid's */		status = -EINVAL;		for (i=0; i<N; i++) {			gid_t gid;			if (get_int(&mesg, &gid))				goto out;			GROUP_AT(rsci.cred.cr_group_info, i) = gid;		}		/* mech name */		len = qword_get(&mesg, buf, mlen);		if (len < 0)			goto out;		gm = gss_mech_get_by_name(buf);		status = -EOPNOTSUPP;		if (!gm)			goto out;		status = -EINVAL;		/* mech-specific data: */		len = qword_get(&mesg, buf, mlen);		if (len < 0) {			gss_mech_put(gm);			goto out;		}		tmp_buf.len = len;		tmp_buf.data = buf;		if (gss_import_sec_context(&tmp_buf, gm, &rsci.mechctx)) {			gss_mech_put(gm);			goto out;		}		gss_mech_put(gm);	}	rsci.h.expiry_time = expiry;	rscp = rsc_lookup(&rsci, 1);	status = 0;out:	rsc_free(&rsci);	if (rscp)		rsc_put(&rscp->h, &rsc_cache);	return status;}static struct cache_detail rsc_cache = {	.hash_size	= RSC_HASHMAX,	.hash_table	= rsc_table,	.name		= "auth.rpcsec.context",	.cache_put	= rsc_put,	.cache_parse	= rsc_parse,};static DefineSimpleCacheLookup(rsc, 0);struct rsc *gss_svc_searchbyctx(struct xdr_netobj *handle){	struct rsc rsci;	struct rsc *found;	memset(&rsci, 0, sizeof(rsci));	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))		return NULL;	found = rsc_lookup(&rsci, 0);	rsc_free(&rsci);	if (!found)		return NULL;	if (cache_check(&rsc_cache, &found->h, NULL))		return NULL;	return found;}/* Implements sequence number algorithm as specified in RFC 2203. */static intgss_check_seq_num(struct rsc *rsci, int seq_num){	struct gss_svc_seq_data *sd = &rsci->seqdata;	spin_lock(&sd->sd_lock);	if (seq_num > sd->sd_max) {		if (seq_num >= sd->sd_max + GSS_SEQ_WIN) {			memset(sd->sd_win,0,sizeof(sd->sd_win));			sd->sd_max = seq_num;		} else while (sd->sd_max < seq_num) {			sd->sd_max++;			__clear_bit(sd->sd_max % GSS_SEQ_WIN, sd->sd_win);		}		__set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win);		goto ok;	} else if (seq_num <= sd->sd_max - GSS_SEQ_WIN) {		goto drop;	}	/* sd_max - GSS_SEQ_WIN < seq_num <= sd_max */	if (__test_and_set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win))		goto drop;ok:	spin_unlock(&sd->sd_lock);	return 1;drop:	spin_unlock(&sd->sd_lock);	return 0;}static inline u32 round_up_to_quad(u32 i){	return (i + 3 ) & ~3;}static inline intsvc_safe_getnetobj(struct kvec *argv, struct xdr_netobj *o){	int l;	if (argv->iov_len < 4)		return -1;	o->len = ntohl(svc_getu32(argv));	l = round_up_to_quad(o->len);	if (argv->iov_len < l)		return -1;	o->data = argv->iov_base;	argv->iov_base += l;	argv->iov_len -= l;	return 0;}static inline intsvc_safe_putnetobj(struct kvec *resv, struct xdr_netobj *o){	u32 *p;	if (resv->iov_len + 4 > PAGE_SIZE)		return -1;	svc_putu32(resv, htonl(o->len));	p = resv->iov_base + resv->iov_len;	resv->iov_len += round_up_to_quad(o->len);	if (resv->iov_len > PAGE_SIZE)		return -1;	memcpy(p, o->data, o->len);	memset((u8 *)p + o->len, 0, round_up_to_quad(o->len) - o->len);	return 0;}/* Verify the checksum on the header and return SVC_OK on success.