[PATCH] kNFSd: Add minimal server-side support for rpcsec_gss.

From: NeilBrown <neilb@cse.unsw.edu.au> From: "J. Bruce Fields" <bfields@fieldses.org> Note that the user (or exportfs, on the user's behalf) allows a gss pseudoflavor to be used to access an export by exporting to a special client named "gss/pseudoflavor-name", e.g., "gss/krb5" or "gss/lipkey-i".

[PATCH] kNFSd: Add minimal server-side support for rpcsec_gss.
From: NeilBrown <neilb@cse.unsw.edu.au> From: "J. Bruce Fields" <bfields@fieldses.org> Note that the user (or exportfs, on the user's behalf) allows a gss pseudoflavor to be used to access an export by exporting to a special client named "gss/pseudoflavor-name", e.g., "gss/krb5" or "gss/lipkey-i".
8c54e6b2 · Andrew Morton · Linus Torvalds · 5d573c6b · 8c54e6b2 · 8c54e6b2
Commit 8c54e6b2 authored Feb 26, 2004 by Andrew Morton Committed by Linus Torvalds Feb 26, 2004
13 changed files
--- a/include/linux/sunrpc/auth_gss.h
+++ b/include/linux/sunrpc/auth_gss.h
@@ -62,8 +62,6 @@ struct rpc_gss_init_res {
 	struct xdr_netobj	gr_token;	/* token */
 };

-#define GSS_SEQ_WIN	5
-
 /* The gss_cl_ctx struct holds all the information the rpcsec_gss client
 * code needs to know about a single security context.  In particular,
 * gc_gss_ctx is the context handle that is used to do gss-api calls, while

--- a/include/linux/sunrpc/gss_api.h
+++ b/include/linux/sunrpc/gss_api.h
@@ -120,6 +120,9 @@ int gss_mech_unregister_all(void);
 * reference count. */
 struct gss_api_mech * gss_mech_get_by_OID(struct xdr_netobj *);

+/* Similar, but get by name like "krb5", "spkm", etc., instead of OID. */
+struct gss_api_mech *gss_mech_get_by_name(char *);
+
 /* Just increments the mechanism's reference count and returns its input: */
 struct gss_api_mech * gss_mech_get(struct gss_api_mech *);


--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -135,6 +135,7 @@ struct svc_rqst {

 	void *			rq_argp;	/* decoded arguments */
 	void *			rq_resp;	/* xdr'd results */
+	void *			rq_auth_data;	/* flavor-specific data */

 	int			rq_reserved;	/* space on socket outq
 						 * reserved for this request

--- a/include/linux/sunrpc/svcauth.h
+++ b/include/linux/sunrpc/svcauth.h
@@ -66,6 +66,10 @@ struct auth_domain {
 *      GARBAGE - rpc garbage_args error
 *      SYSERR - rpc system_err error
 *      DENIED - authp holds reason for denial.
+ *      COMPLETE - the reply is encoded already and ready to be sent; no
+ *		further processing is necessary.  (This is used for processing
+ *		null procedure calls which are used to set up encryption
+ *		contexts.)
 *
 *   accept is passed the proc number so that it can accept NULL rpc requests
 *   even if it cannot authenticate the client (as is sometimes appropriate).
@@ -98,6 +102,7 @@ extern struct auth_ops	*authtab[RPC_AUTH_MAXFLAVOR];
 #define	SVC_DROP	6
 #define	SVC_DENIED	7
 #define	SVC_PENDING	8
+#define	SVC_COMPLETE	9


 extern int	svc_authenticate(struct svc_rqst *rqstp, u32 *authp);

--- a/include/linux/sunrpc/svcauth_gss.h
+++ b/include/linux/sunrpc/svcauth_gss.h
+/*
+ * linux/include/linux/svcauth_gss.h
+ *
+ * Bruce Fields <bfields@umich.edu>
+ * Copyright (c) 2002 The Regents of the Unviersity of Michigan
+ *
+ * $Id$
+ *
+ */
+
+#ifndef _LINUX_SUNRPC_SVCAUTH_GSS_H
+#define _LINUX_SUNRPC_SVCAUTH_GSS_H
+
+#ifdef __KERNEL__
+#include <linux/sched.h>
+#include <linux/sunrpc/types.h>
+#include <linux/sunrpc/xdr.h>
+#include <linux/sunrpc/svcauth.h>
+#include <linux/sunrpc/svcsock.h>
+#include <linux/sunrpc/auth_gss.h>
+
+int gss_svc_init(void);
+int svcauth_gss_register_pseudoflavor(u32 pseudoflavor, char * name);
+
+
+struct gss_svc_data {
+	/* decoded gss client cred: */
+	struct rpc_gss_wire_cred	clcred;
+	/* pointer to the beginning of the procedure-specific results, which
+	 * may be encrypted/checksummed in svcauth_gss_release: */
+	u32				*body_start;
+};
+
+#endif /* __KERNEL__ */
+#endif /* _LINUX_SUNRPC_SVCAUTH_GSS_H */
--- a/net/sunrpc/auth_gss/Makefile
+++ b/net/sunrpc/auth_gss/Makefile
@@ -5,7 +5,7 @@
 obj-$(CONFIG_SUNRPC_GSS) += auth_rpcgss.o

 auth_rpcgss-objs := auth_gss.o gss_pseudoflavors.o gss_generic_token.o \
-	sunrpcgss_syms.o gss_mech_switch.o
+	sunrpcgss_syms.o gss_mech_switch.o svcauth_gss.o

 obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o


--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -48,6 +48,7 @@
 #include <linux/sunrpc/clnt.h>
 #include <linux/sunrpc/auth.h>
 #include <linux/sunrpc/auth_gss.h>
+#include <linux/sunrpc/svcauth_gss.h>
 #include <linux/sunrpc/gss_err.h>
 #include <linux/workqueue.h>
 #include <linux/sunrpc/rpc_pipe_fs.h>
@@ -972,6 +973,15 @@ static int __init init_rpcsec_gss(void)
 	int err = 0;

 	err = rpcauth_register(&authgss_ops);
+	if (err)
+		goto out;
+	err = gss_svc_init();
+	if (err)
+		goto out_unregister;
+	return 0;
+out_unregister:
+	rpcauth_unregister(&authgss_ops);
+out:
 	return err;
 }


--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -39,6 +39,8 @@
 #include <linux/types.h>
 #include <linux/slab.h>
 #include <linux/sunrpc/auth.h>
+#include <linux/in.h>
+#include <linux/sunrpc/svcauth_gss.h>
 #include <linux/sunrpc/gss_krb5.h>
 #include <linux/sunrpc/xdr.h>
 #include <linux/crypto.h>
@@ -232,6 +234,8 @@ static int __init init_kerberos_module(void)
 	gm = gss_mech_get_by_OID(&gss_mech_krb5_oid);
 	gss_register_triple(RPC_AUTH_GSS_KRB5 , gm, 0, RPC_GSS_SVC_NONE);
 	gss_register_triple(RPC_AUTH_GSS_KRB5I, gm, 0, RPC_GSS_SVC_INTEGRITY);
+	if (svcauth_gss_register_pseudoflavor(RPC_AUTH_GSS_KRB5, "krb5"))
+		printk("Failed to register %s with server!\n", "krb5");
 	gss_mech_put(gm);
 	return 0;
 }

--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -162,6 +162,23 @@ gss_mech_get_by_OID(struct xdr_netobj *mech_type)
 	return gm;
 }

+struct gss_api_mech *
+gss_mech_get_by_name(char *name)
+{
+	struct gss_api_mech	*pos, *gm = NULL;
+
+	spin_lock(&registered_mechs_lock);
+	list_for_each_entry(pos, &registered_mechs, gm_list) {
+		if (0 == strcmp(name, pos->gm_ops->name)) {
+			gm = gss_mech_get(pos);
+			break;
+		}
+	}
+	spin_unlock(&registered_mechs_lock);
+	return gm;
+
+}
+
 int
 gss_mech_put(struct gss_api_mech * gm)
 {

--- a/net/sunrpc/auth_gss/sunrpcgss_syms.c
+++ b/net/sunrpc/auth_gss/sunrpcgss_syms.c
@@ -8,6 +8,7 @@
 #include <linux/unistd.h>

 #include <linux/sunrpc/auth_gss.h>
+#include <linux/sunrpc/svcauth_gss.h>
 #include <linux/sunrpc/gss_asn1.h>

 /* sec_triples: */
@@ -17,6 +18,7 @@ EXPORT_SYMBOL(gss_cmp_triples);
 EXPORT_SYMBOL(gss_pseudoflavor_to_mechOID);
 EXPORT_SYMBOL(gss_pseudoflavor_supported);
 EXPORT_SYMBOL(gss_pseudoflavor_to_service);
+EXPORT_SYMBOL(svcauth_gss_register_pseudoflavor);

 /* registering gss mechanisms to the mech switching code: */
 EXPORT_SYMBOL(gss_mech_register);

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
--- a/net/sunrpc/sunrpc_syms.c
+++ b/net/sunrpc/sunrpc_syms.c
@@ -85,6 +85,8 @@ EXPORT_SYMBOL(svc_recv);
 EXPORT_SYMBOL(svc_wake_up);
 EXPORT_SYMBOL(svc_makesock);
 EXPORT_SYMBOL(svc_reserve);
+EXPORT_SYMBOL(svc_auth_register);
+EXPORT_SYMBOL(auth_domain_lookup);

 /* RPC statistics */
 #ifdef CONFIG_PROC_FS

--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -198,6 +198,8 @@ svc_exit_thread(struct svc_rqst *rqstp)
 		kfree(rqstp->rq_resp);
 	if (rqstp->rq_argp)
 		kfree(rqstp->rq_argp);
+	if (rqstp->rq_auth_data)
+		kfree(rqstp->rq_auth_data);
 	kfree(rqstp);

 	/* Release the server */
@@ -320,6 +322,8 @@ svc_process(struct svc_serv *serv, struct svc_rqst *rqstp)
 		goto err_bad_auth;
 	case SVC_DROP:
 		goto dropit;
+	case SVC_COMPLETE:
+		goto sendit;
 	}
 		
 	progp = serv->sv_program;