1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * Neil Brown <neilb@cse.unsw.edu.au>
   4 * J. Bruce Fields <bfields@umich.edu>
   5 * Andy Adamson <andros@umich.edu>
   6 * Dug Song <dugsong@monkey.org>
   7 *
   8 * RPCSEC_GSS server authentication.
   9 * This implements RPCSEC_GSS as defined in rfc2203 (rpcsec_gss) and rfc2078
  10 * (gssapi)
  11 *
  12 * The RPCSEC_GSS involves three stages:
  13 *  1/ context creation
  14 *  2/ data exchange
  15 *  3/ context destruction
  16 *
  17 * Context creation is handled largely by upcalls to user-space.
  18 *  In particular, GSS_Accept_sec_context is handled by an upcall
  19 * Data exchange is handled entirely within the kernel
  20 *  In particular, GSS_GetMIC, GSS_VerifyMIC, GSS_Seal, GSS_Unseal are in-kernel.
  21 * Context destruction is handled in-kernel
  22 *  GSS_Delete_sec_context is in-kernel
  23 *
  24 * Context creation is initiated by a RPCSEC_GSS_INIT request arriving.
  25 * The context handle and gss_token are used as a key into the rpcsec_init cache.
  26 * The content of this cache includes some of the outputs of GSS_Accept_sec_context,
  27 * being major_status, minor_status, context_handle, reply_token.
  28 * These are sent back to the client.
  29 * Sequence window management is handled by the kernel.  The window size if currently
  30 * a compile time constant.
  31 *
  32 * When user-space is happy that a context is established, it places an entry
  33 * in the rpcsec_context cache. The key for this cache is the context_handle.
  34 * The content includes:
  35 *   uid/gidlist - for determining access rights
  36 *   mechanism type
  37 *   mechanism specific information, such as a key
  38 *
  39 */
  40
  41#include <linux/slab.h>
  42#include <linux/types.h>
  43#include <linux/module.h>
  44#include <linux/pagemap.h>
  45#include <linux/user_namespace.h>
  46
  47#include <linux/sunrpc/auth_gss.h>
  48#include <linux/sunrpc/gss_err.h>
  49#include <linux/sunrpc/svcauth.h>
  50#include <linux/sunrpc/svcauth_gss.h>
  51#include <linux/sunrpc/cache.h>
  52#include <linux/sunrpc/gss_krb5.h>
  53
  54#include <trace/events/rpcgss.h>
  55
  56#include "gss_rpc_upcall.h"
  57
  58/*
  59 * Unfortunately there isn't a maximum checksum size exported via the
  60 * GSS API. Manufacture one based on GSS mechanisms supported by this
  61 * implementation.
  62 */
  63#define GSS_MAX_CKSUMSIZE (GSS_KRB5_TOK_HDR_LEN + GSS_KRB5_MAX_CKSUM_LEN)
  64
  65/*
  66 * This value may be increased in the future to accommodate other
  67 * usage of the scratch buffer.
  68 */
  69#define GSS_SCRATCH_SIZE GSS_MAX_CKSUMSIZE
  70
  71struct gss_svc_data {
  72	/* decoded gss client cred: */
  73	struct rpc_gss_wire_cred	clcred;
  74	u32				gsd_databody_offset;
  75	struct rsc			*rsci;
  76
  77	/* for temporary results */
  78	__be32				gsd_seq_num;
  79	u8				gsd_scratch[GSS_SCRATCH_SIZE];
  80};
  81
  82/* The rpcsec_init cache is used for mapping RPCSEC_GSS_{,CONT_}INIT requests
  83 * into replies.
  84 *
  85 * Key is context handle (\x if empty) and gss_token.
  86 * Content is major_status minor_status (integers) context_handle, reply_token.
  87 *
  88 */
  89
  90static int netobj_equal(struct xdr_netobj *a, struct xdr_netobj *b)
  91{
  92	return a->len == b->len && 0 == memcmp(a->data, b->data, a->len);
  93}
  94
  95#define	RSI_HASHBITS	6
  96#define	RSI_HASHMAX	(1<<RSI_HASHBITS)
  97
  98struct rsi {
  99	struct cache_head	h;
 100	struct xdr_netobj	in_handle, in_token;
 101	struct xdr_netobj	out_handle, out_token;
 102	int			major_status, minor_status;
 103	struct rcu_head		rcu_head;
 104};
 105
 106static struct rsi *rsi_update(struct cache_detail *cd, struct rsi *new, struct rsi *old);
 107static struct rsi *rsi_lookup(struct cache_detail *cd, struct rsi *item);
 108
 109static void rsi_free(struct rsi *rsii)
 110{
 111	kfree(rsii->in_handle.data);
 112	kfree(rsii->in_token.data);
 113	kfree(rsii->out_handle.data);
 114	kfree(rsii->out_token.data);
 115}
 116
 117static void rsi_free_rcu(struct rcu_head *head)
 118{
 119	struct rsi *rsii = container_of(head, struct rsi, rcu_head);
 120
 121	rsi_free(rsii);
 122	kfree(rsii);
 123}
 124
 125static void rsi_put(struct kref *ref)
 126{
 127	struct rsi *rsii = container_of(ref, struct rsi, h.ref);
 128
 129	call_rcu(&rsii->rcu_head, rsi_free_rcu);
 130}
 131
 132static inline int rsi_hash(struct rsi *item)
 133{
 134	return hash_mem(item->in_handle.data, item->in_handle.len, RSI_HASHBITS)
 135	     ^ hash_mem(item->in_token.data, item->in_token.len, RSI_HASHBITS);
 136}
 137
 138static int rsi_match(struct cache_head *a, struct cache_head *b)
 139{
 140	struct rsi *item = container_of(a, struct rsi, h);
 141	struct rsi *tmp = container_of(b, struct rsi, h);
 142	return netobj_equal(&item->in_handle, &tmp->in_handle) &&
 143	       netobj_equal(&item->in_token, &tmp->in_token);
 144}
 145
 146static int dup_to_netobj(struct xdr_netobj *dst, char *src, int len)
 147{
 148	dst->len = len;
 149	dst->data = (len ? kmemdup(src, len, GFP_KERNEL) : NULL);
 150	if (len && !dst->data)
 151		return -ENOMEM;
 152	return 0;
 153}
 154
 155static inline int dup_netobj(struct xdr_netobj *dst, struct xdr_netobj *src)
 156{
 157	return dup_to_netobj(dst, src->data, src->len);
 158}
 159
 160static void rsi_init(struct cache_head *cnew, struct cache_head *citem)
 161{
 162	struct rsi *new = container_of(cnew, struct rsi, h);
 163	struct rsi *item = container_of(citem, struct rsi, h);
 164
 165	new->out_handle.data = NULL;
 166	new->out_handle.len = 0;
 167	new->out_token.data = NULL;
 168	new->out_token.len = 0;
 169	new->in_handle.len = item->in_handle.len;
 170	item->in_handle.len = 0;
 171	new->in_token.len = item->in_token.len;
 172	item->in_token.len = 0;
 173	new->in_handle.data = item->in_handle.data;
 174	item->in_handle.data = NULL;
 175	new->in_token.data = item->in_token.data;
 176	item->in_token.data = NULL;
 177}
 178
 179static void update_rsi(struct cache_head *cnew, struct cache_head *citem)
 180{
 181	struct rsi *new = container_of(cnew, struct rsi, h);
 182	struct rsi *item = container_of(citem, struct rsi, h);
 183
 184	BUG_ON(new->out_handle.data || new->out_token.data);
 185	new->out_handle.len = item->out_handle.len;
 186	item->out_handle.len = 0;
 187	new->out_token.len = item->out_token.len;
 188	item->out_token.len = 0;
 189	new->out_handle.data = item->out_handle.data;
 190	item->out_handle.data = NULL;
 191	new->out_token.data = item->out_token.data;
 192	item->out_token.data = NULL;
 193
 194	new->major_status = item->major_status;
 195	new->minor_status = item->minor_status;
 196}
 197
 198static struct cache_head *rsi_alloc(void)
 199{
 200	struct rsi *rsii = kmalloc(sizeof(*rsii), GFP_KERNEL);
 201	if (rsii)
 202		return &rsii->h;
 203	else
 204		return NULL;
 205}
 206
 207static int rsi_upcall(struct cache_detail *cd, struct cache_head *h)
 208{
 209	return sunrpc_cache_pipe_upcall_timeout(cd, h);
 210}
 211
 212static void rsi_request(struct cache_detail *cd,
 213		       struct cache_head *h,
 214		       char **bpp, int *blen)
 215{
 216	struct rsi *rsii = container_of(h, struct rsi, h);
 217
 218	qword_addhex(bpp, blen, rsii->in_handle.data, rsii->in_handle.len);
 219	qword_addhex(bpp, blen, rsii->in_token.data, rsii->in_token.len);
 220	(*bpp)[-1] = '\n';
 221	WARN_ONCE(*blen < 0,
 222		  "RPCSEC/GSS credential too large - please use gssproxy\n");
 223}
 224
 225static int rsi_parse(struct cache_detail *cd,
 226		    char *mesg, int mlen)
 227{
 228	/* context token expiry major minor context token */
 229	char *buf = mesg;
 230	char *ep;
 231	int len;
 232	struct rsi rsii, *rsip = NULL;
 233	time64_t expiry;
 234	int status = -EINVAL;
 235
 236	memset(&rsii, 0, sizeof(rsii));
 237	/* handle */
 238	len = qword_get(&mesg, buf, mlen);
 239	if (len < 0)
 240		goto out;
 241	status = -ENOMEM;
 242	if (dup_to_netobj(&rsii.in_handle, buf, len))
 243		goto out;
 244
 245	/* token */
 246	len = qword_get(&mesg, buf, mlen);
 247	status = -EINVAL;
 248	if (len < 0)
 249		goto out;
 250	status = -ENOMEM;
 251	if (dup_to_netobj(&rsii.in_token, buf, len))
 252		goto out;
 253
 254	rsip = rsi_lookup(cd, &rsii);
 255	if (!rsip)
 256		goto out;
 257
 258	rsii.h.flags = 0;
 259	/* expiry */
 260	status = get_expiry(&mesg, &expiry);
 261	if (status)
 262		goto out;
 263
 264	status = -EINVAL;
 265	/* major/minor */
 266	len = qword_get(&mesg, buf, mlen);
 267	if (len <= 0)
 268		goto out;
 269	rsii.major_status = simple_strtoul(buf, &ep, 10);
 270	if (*ep)
 271		goto out;
 272	len = qword_get(&mesg, buf, mlen);
 273	if (len <= 0)
 274		goto out;
 275	rsii.minor_status = simple_strtoul(buf, &ep, 10);
 276	if (*ep)
 277		goto out;
 278
 279	/* out_handle */
 280	len = qword_get(&mesg, buf, mlen);
 281	if (len < 0)
 282		goto out;
 283	status = -ENOMEM;
 284	if (dup_to_netobj(&rsii.out_handle, buf, len))
 285		goto out;
 286
 287	/* out_token */
 288	len = qword_get(&mesg, buf, mlen);
 289	status = -EINVAL;
 290	if (len < 0)
 291		goto out;
 292	status = -ENOMEM;
 293	if (dup_to_netobj(&rsii.out_token, buf, len))
 294		goto out;
 295	rsii.h.expiry_time = expiry;
 296	rsip = rsi_update(cd, &rsii, rsip);
 297	status = 0;
 298out:
 299	rsi_free(&rsii);
 300	if (rsip)
 301		cache_put(&rsip->h, cd);
 302	else
 303		status = -ENOMEM;
 304	return status;
 305}
 306
 307static const struct cache_detail rsi_cache_template = {
 308	.owner		= THIS_MODULE,
 309	.hash_size	= RSI_HASHMAX,
 310	.name           = "auth.rpcsec.init",
 311	.cache_put      = rsi_put,
 312	.cache_upcall	= rsi_upcall,
 313	.cache_request  = rsi_request,
 314	.cache_parse    = rsi_parse,
 315	.match		= rsi_match,
 316	.init		= rsi_init,
 317	.update		= update_rsi,
 318	.alloc		= rsi_alloc,
 319};
 320
 321static struct rsi *rsi_lookup(struct cache_detail *cd, struct rsi *item)
 322{
 323	struct cache_head *ch;
 324	int hash = rsi_hash(item);
 325
 326	ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash);
 327	if (ch)
 328		return container_of(ch, struct rsi, h);
 329	else
 330		return NULL;
 331}
 332
 333static struct rsi *rsi_update(struct cache_detail *cd, struct rsi *new, struct rsi *old)
 334{
 335	struct cache_head *ch;
 336	int hash = rsi_hash(new);
 337
 338	ch = sunrpc_cache_update(cd, &new->h,
 339				 &old->h, hash);
 340	if (ch)
 341		return container_of(ch, struct rsi, h);
 342	else
 343		return NULL;
 344}
 345
 346
 347/*
 348 * The rpcsec_context cache is used to store a context that is
 349 * used in data exchange.
 350 * The key is a context handle. The content is:
 351 *  uid, gidlist, mechanism, service-set, mech-specific-data
 352 */
 353
 354#define	RSC_HASHBITS	10
 355#define	RSC_HASHMAX	(1<<RSC_HASHBITS)
 356
 357#define GSS_SEQ_WIN	128
 358
 359struct gss_svc_seq_data {
 360	/* highest seq number seen so far: */
 361	u32			sd_max;
 362	/* for i such that sd_max-GSS_SEQ_WIN < i <= sd_max, the i-th bit of
 363	 * sd_win is nonzero iff sequence number i has been seen already: */
 364	unsigned long		sd_win[GSS_SEQ_WIN/BITS_PER_LONG];
 365	spinlock_t		sd_lock;
 366};
 367
 368struct rsc {
 369	struct cache_head	h;
 370	struct xdr_netobj	handle;
 371	struct svc_cred		cred;
 372	struct gss_svc_seq_data	seqdata;
 373	struct gss_ctx		*mechctx;
 374	struct rcu_head		rcu_head;
 375};
 376
 377static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct rsc *old);
 378static struct rsc *rsc_lookup(struct cache_detail *cd, struct rsc *item);
 379
 380static void rsc_free(struct rsc *rsci)
 381{
 382	kfree(rsci->handle.data);
 383	if (rsci->mechctx)
 384		gss_delete_sec_context(&rsci->mechctx);
 385	free_svc_cred(&rsci->cred);
 386}
 387
 388static void rsc_free_rcu(struct rcu_head *head)
 389{
 390	struct rsc *rsci = container_of(head, struct rsc, rcu_head);
 391
 392	kfree(rsci->handle.data);
 393	kfree(rsci);
 394}
 395
 396static void rsc_put(struct kref *ref)
 397{
 398	struct rsc *rsci = container_of(ref, struct rsc, h.ref);
 399
 400	if (rsci->mechctx)
 401		gss_delete_sec_context(&rsci->mechctx);
 402	free_svc_cred(&rsci->cred);
 403	call_rcu(&rsci->rcu_head, rsc_free_rcu);
 404}
 405
 406static inline int
 407rsc_hash(struct rsc *rsci)
 408{
 409	return hash_mem(rsci->handle.data, rsci->handle.len, RSC_HASHBITS);
 410}
 411
 412static int
 413rsc_match(struct cache_head *a, struct cache_head *b)
 414{
 415	struct rsc *new = container_of(a, struct rsc, h);
 416	struct rsc *tmp = container_of(b, struct rsc, h);
 417
 418	return netobj_equal(&new->handle, &tmp->handle);
 419}
 420
 421static void
 422rsc_init(struct cache_head *cnew, struct cache_head *ctmp)
 423{
 424	struct rsc *new = container_of(cnew, struct rsc, h);
 425	struct rsc *tmp = container_of(ctmp, struct rsc, h);
 426
 427	new->handle.len = tmp->handle.len;
 428	tmp->handle.len = 0;
 429	new->handle.data = tmp->handle.data;
 430	tmp->handle.data = NULL;
 431	new->mechctx = NULL;
 432	init_svc_cred(&new->cred);
 433}
 434
 435static void
 436update_rsc(struct cache_head *cnew, struct cache_head *ctmp)
 437{
 438	struct rsc *new = container_of(cnew, struct rsc, h);
 439	struct rsc *tmp = container_of(ctmp, struct rsc, h);
 440
 441	new->mechctx = tmp->mechctx;
 442	tmp->mechctx = NULL;
 443	memset(&new->seqdata, 0, sizeof(new->seqdata));
 444	spin_lock_init(&new->seqdata.sd_lock);
 445	new->cred = tmp->cred;
 446	init_svc_cred(&tmp->cred);
 447}
 448
 449static struct cache_head *
 450rsc_alloc(void)
 451{
 452	struct rsc *rsci = kmalloc(sizeof(*rsci), GFP_KERNEL);
 453	if (rsci)
 454		return &rsci->h;
 455	else
 456		return NULL;
 457}
 458
 459static int rsc_upcall(struct cache_detail *cd, struct cache_head *h)
 460{
 461	return -EINVAL;
 462}
 463
 464static int rsc_parse(struct cache_detail *cd,
 465		     char *mesg, int mlen)
 466{
 467	/* contexthandle expiry [ uid gid N <n gids> mechname ...mechdata... ] */
 468	char *buf = mesg;
 469	int id;
 470	int len, rv;
 471	struct rsc rsci, *rscp = NULL;
 472	time64_t expiry;
 473	int status = -EINVAL;
 474	struct gss_api_mech *gm = NULL;
 475
 476	memset(&rsci, 0, sizeof(rsci));
 477	/* context handle */
 478	len = qword_get(&mesg, buf, mlen);
 479	if (len < 0) goto out;
 480	status = -ENOMEM;
 481	if (dup_to_netobj(&rsci.handle, buf, len))
 482		goto out;
 483
 484	rsci.h.flags = 0;
 485	/* expiry */
 486	status = get_expiry(&mesg, &expiry);
 487	if (status)
 488		goto out;
 489
 490	status = -EINVAL;
 491	rscp = rsc_lookup(cd, &rsci);
 492	if (!rscp)
 493		goto out;
 494
 495	/* uid, or NEGATIVE */
 496	rv = get_int(&mesg, &id);
 497	if (rv == -EINVAL)
 498		goto out;
 499	if (rv == -ENOENT)
 500		set_bit(CACHE_NEGATIVE, &rsci.h.flags);
 501	else {
 502		int N, i;
 503
 504		/*
 505		 * NOTE: we skip uid_valid()/gid_valid() checks here:
 506		 * instead, * -1 id's are later mapped to the
 507		 * (export-specific) anonymous id by nfsd_setuser.
 508		 *
 509		 * (But supplementary gid's get no such special
 510		 * treatment so are checked for validity here.)
 511		 */
 512		/* uid */
 513		rsci.cred.cr_uid = make_kuid(current_user_ns(), id);
 514
 515		/* gid */
 516		if (get_int(&mesg, &id))
 517			goto out;
 518		rsci.cred.cr_gid = make_kgid(current_user_ns(), id);
 519
 520		/* number of additional gid's */
 521		if (get_int(&mesg, &N))
 522			goto out;
 523		if (N < 0 || N > NGROUPS_MAX)
 524			goto out;
 525		status = -ENOMEM;
 526		rsci.cred.cr_group_info = groups_alloc(N);
 527		if (rsci.cred.cr_group_info == NULL)
 528			goto out;
 529
 530		/* gid's */
 531		status = -EINVAL;
 532		for (i=0; i<N; i++) {
 533			kgid_t kgid;
 534			if (get_int(&mesg, &id))
 535				goto out;
 536			kgid = make_kgid(current_user_ns(), id);
 537			if (!gid_valid(kgid))
 538				goto out;
 539			rsci.cred.cr_group_info->gid[i] = kgid;
 540		}
 541		groups_sort(rsci.cred.cr_group_info);
 542
 543		/* mech name */
 544		len = qword_get(&mesg, buf, mlen);
 545		if (len < 0)
 546			goto out;
 547		gm = rsci.cred.cr_gss_mech = gss_mech_get_by_name(buf);
 548		status = -EOPNOTSUPP;
 549		if (!gm)
 550			goto out;
 551
 552		status = -EINVAL;
 553		/* mech-specific data: */
 554		len = qword_get(&mesg, buf, mlen);
 555		if (len < 0)
 556			goto out;
 557		status = gss_import_sec_context(buf, len, gm, &rsci.mechctx,
 558						NULL, GFP_KERNEL);
 559		if (status)
 560			goto out;
 561
 562		/* get client name */
 563		len = qword_get(&mesg, buf, mlen);
 564		if (len > 0) {
 565			rsci.cred.cr_principal = kstrdup(buf, GFP_KERNEL);
 566			if (!rsci.cred.cr_principal) {
 567				status = -ENOMEM;
 568				goto out;
 569			}
 570		}
 571
 572	}
 573	rsci.h.expiry_time = expiry;
 574	rscp = rsc_update(cd, &rsci, rscp);
 575	status = 0;
 576out:
 577	rsc_free(&rsci);
 578	if (rscp)
 579		cache_put(&rscp->h, cd);
 580	else
 581		status = -ENOMEM;
 582	return status;
 583}
 584
 585static const struct cache_detail rsc_cache_template = {
 586	.owner		= THIS_MODULE,
 587	.hash_size	= RSC_HASHMAX,
 588	.name		= "auth.rpcsec.context",
 589	.cache_put	= rsc_put,
 590	.cache_upcall	= rsc_upcall,
 591	.cache_parse	= rsc_parse,
 592	.match		= rsc_match,
 593	.init		= rsc_init,
 594	.update		= update_rsc,
 595	.alloc		= rsc_alloc,
 596};
 597
 598static struct rsc *rsc_lookup(struct cache_detail *cd, struct rsc *item)
 599{
 600	struct cache_head *ch;
 601	int hash = rsc_hash(item);
 602
 603	ch = sunrpc_cache_lookup_rcu(cd, &item->h, hash);
 604	if (ch)
 605		return container_of(ch, struct rsc, h);
 606	else
 607		return NULL;
 608}
 609
 610static struct rsc *rsc_update(struct cache_detail *cd, struct rsc *new, struct rsc *old)
 611{
 612	struct cache_head *ch;
 613	int hash = rsc_hash(new);
 614
 615	ch = sunrpc_cache_update(cd, &new->h,
 616				 &old->h, hash);
 617	if (ch)
 618		return container_of(ch, struct rsc, h);
 619	else
 620		return NULL;
 621}
 622
 623
 624static struct rsc *
 625gss_svc_searchbyctx(struct cache_detail *cd, struct xdr_netobj *handle)
 626{
 627	struct rsc rsci;
 628	struct rsc *found;
 629
 630	memset(&rsci, 0, sizeof(rsci));
 631	if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
 632		return NULL;
 633	found = rsc_lookup(cd, &rsci);
 634	rsc_free(&rsci);
 635	if (!found)
 636		return NULL;
 637	if (cache_check(cd, &found->h, NULL))
 638		return NULL;
 639	return found;
 640}
 641
 642/**
 643 * gss_check_seq_num - GSS sequence number window check
 644 * @rqstp: RPC Call to use when reporting errors
 645 * @rsci: cached GSS context state (updated on return)
 646 * @seq_num: sequence number to check
 647 *
 648 * Implements sequence number algorithm as specified in
 649 * RFC 2203, Section 5.3.3.1. "Context Management".
 650 *
 651 * Return values:
 652 *   %true: @rqstp's GSS sequence number is inside the window
 653 *   %false: @rqstp's GSS sequence number is outside the window
 654 */
 655static bool gss_check_seq_num(const struct svc_rqst *rqstp, struct rsc *rsci,
 656			      u32 seq_num)
 657{
 658	struct gss_svc_seq_data *sd = &rsci->seqdata;
 659	bool result = false;
 660
 661	spin_lock(&sd->sd_lock);
 662	if (seq_num > sd->sd_max) {
 663		if (seq_num >= sd->sd_max + GSS_SEQ_WIN) {
 664			memset(sd->sd_win, 0, sizeof(sd->sd_win));
 665			sd->sd_max = seq_num;
 666		} else while (sd->sd_max < seq_num) {
 667			sd->sd_max++;
 668			__clear_bit(sd->sd_max % GSS_SEQ_WIN, sd->sd_win);
 669		}
 670		__set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win);
 671		goto ok;
 672	} else if (seq_num + GSS_SEQ_WIN <= sd->sd_max) {
 673		goto toolow;
 674	}
 675	if (__test_and_set_bit(seq_num % GSS_SEQ_WIN, sd->sd_win))
 676		goto alreadyseen;
 677
 678ok:
 679	result = true;
 680out:
 681	spin_unlock(&sd->sd_lock);
 682	return result;
 683
 684toolow:
 685	trace_rpcgss_svc_seqno_low(rqstp, seq_num,
 686				   sd->sd_max - GSS_SEQ_WIN,
 687				   sd->sd_max);
 688	goto out;
 689alreadyseen:
 690	trace_rpcgss_svc_seqno_seen(rqstp, seq_num);
 691	goto out;
 692}
 693
 694/*
 695 * Decode and verify a Call's verifier field. For RPC_AUTH_GSS Calls,
 696 * the body of this field contains a variable length checksum.
 697 *
 698 * GSS-specific auth_stat values are mandated by RFC 2203 Section
 699 * 5.3.3.3.
 700 */
 701static int
 702svcauth_gss_verify_header(struct svc_rqst *rqstp, struct rsc *rsci,
 703			  __be32 *rpcstart, struct rpc_gss_wire_cred *gc)
 704{
 705	struct xdr_stream	*xdr = &rqstp->rq_arg_stream;
 706	struct gss_ctx		*ctx_id = rsci->mechctx;
 707	u32			flavor, maj_stat;
 708	struct xdr_buf		rpchdr;
 709	struct xdr_netobj	checksum;
 710	struct kvec		iov;
 711
 712	/*
 713	 * Compute the checksum of the incoming Call from the
 714	 * XID field to credential field:
 715	 */
 716	iov.iov_base = rpcstart;
 717	iov.iov_len = (u8 *)xdr->p - (u8 *)rpcstart;
 718	xdr_buf_from_iov(&iov, &rpchdr);
 719
 720	/* Call's verf field: */
 721	if (xdr_stream_decode_opaque_auth(xdr, &flavor,
 722					  (void **)&checksum.data,
 723					  &checksum.len) < 0) {
 724		rqstp->rq_auth_stat = rpc_autherr_badverf;
 725		return SVC_DENIED;
 726	}
 727	if (flavor != RPC_AUTH_GSS) {
 728		rqstp->rq_auth_stat = rpc_autherr_badverf;
 729		return SVC_DENIED;
 730	}
 731
 732	if (rqstp->rq_deferred)
 733		return SVC_OK;
 734	maj_stat = gss_verify_mic(ctx_id, &rpchdr, &checksum);
 735	if (maj_stat != GSS_S_COMPLETE) {
 736		trace_rpcgss_svc_mic(rqstp, maj_stat);
 737		rqstp->rq_auth_stat = rpcsec_gsserr_credproblem;
 738		return SVC_DENIED;
 739	}
 740
 741	if (gc->gc_seq > MAXSEQ) {
 742		trace_rpcgss_svc_seqno_large(rqstp, gc->gc_seq);
 743		rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem;
 744		return SVC_DENIED;
 745	}
 746	if (!gss_check_seq_num(rqstp, rsci, gc->gc_seq))
 747		return SVC_DROP;
 748	return SVC_OK;
 749}
 750
 751/*
 752 * Construct and encode a Reply's verifier field. The verifier's body
 753 * field contains a variable-length checksum of the GSS sequence
 754 * number.
 755 */
 756static bool
 757svcauth_gss_encode_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq)
 758{
 759	struct gss_svc_data	*gsd = rqstp->rq_auth_data;
 760	u32			maj_stat;
 761	struct xdr_buf		verf_data;
 762	struct xdr_netobj	checksum;
 763	struct kvec		iov;
 764
 765	gsd->gsd_seq_num = cpu_to_be32(seq);
 766	iov.iov_base = &gsd->gsd_seq_num;
 767	iov.iov_len = XDR_UNIT;
 768	xdr_buf_from_iov(&iov, &verf_data);
 769
 770	checksum.data = gsd->gsd_scratch;
 771	maj_stat = gss_get_mic(ctx_id, &verf_data, &checksum);
 772	if (maj_stat != GSS_S_COMPLETE)
 773		goto bad_mic;
 774
 775	return xdr_stream_encode_opaque_auth(&rqstp->rq_res_stream, RPC_AUTH_GSS,
 776					     checksum.data, checksum.len) > 0;
 777
 778bad_mic:
 779	trace_rpcgss_svc_get_mic(rqstp, maj_stat);
 780	return false;
 781}
 782
 783struct gss_domain {
 784	struct auth_domain	h;
 785	u32			pseudoflavor;
 786};
 787
 788static struct auth_domain *
 789find_gss_auth_domain(struct gss_ctx *ctx, u32 svc)
 790{
 791	char *name;
 792
 793	name = gss_service_to_auth_domain_name(ctx->mech_type, svc);
 794	if (!name)
 795		return NULL;
 796	return auth_domain_find(name);
 797}
 798
 799static struct auth_ops svcauthops_gss;
 800
 801u32 svcauth_gss_flavor(struct auth_domain *dom)
 802{
 803	struct gss_domain *gd = container_of(dom, struct gss_domain, h);
 804
 805	return gd->pseudoflavor;
 806}
 807
 808EXPORT_SYMBOL_GPL(svcauth_gss_flavor);
 809
 810struct auth_domain *
 811svcauth_gss_register_pseudoflavor(u32 pseudoflavor, char * name)
 812{
 813	struct gss_domain	*new;
 814	struct auth_domain	*test;
 815	int			stat = -ENOMEM;
 816
 817	new = kmalloc(sizeof(*new), GFP_KERNEL);
 818	if (!new)
 819		goto out;
 820	kref_init(&new->h.ref);
 821	new->h.name = kstrdup(name, GFP_KERNEL);
 822	if (!new->h.name)
 823		goto out_free_dom;
 824	new->h.flavour = &svcauthops_gss;
 825	new->pseudoflavor = pseudoflavor;
 826
 827	test = auth_domain_lookup(name, &new->h);
 828	if (test != &new->h) {
 829		pr_warn("svc: duplicate registration of gss pseudo flavour %s.\n",
 830			name);
 831		stat = -EADDRINUSE;
 832		auth_domain_put(test);
 833		goto out_free_name;
 834	}
 835	return test;
 836
 837out_free_name:
 838	kfree(new->h.name);
 839out_free_dom:
 840	kfree(new);
 841out:
 842	return ERR_PTR(stat);
 843}
 844EXPORT_SYMBOL_GPL(svcauth_gss_register_pseudoflavor);
 845
 846/*
 847 * RFC 2203, Section 5.3.2.2
 848 *
 849 *	struct rpc_gss_integ_data {
 850 *		opaque databody_integ<>;
 851 *		opaque checksum<>;
 852 *	};
 853 *
 854 *	struct rpc_gss_data_t {
 855 *		unsigned int seq_num;
 856 *		proc_req_arg_t arg;
 857 *	};
 858 */
 859static noinline_for_stack int
 860svcauth_gss_unwrap_integ(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx)
 861{
 862	struct gss_svc_data *gsd = rqstp->rq_auth_data;
 863	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
 864	u32 len, offset, seq_num, maj_stat;
 865	struct xdr_buf *buf = xdr->buf;
 866	struct xdr_buf databody_integ;
 867	struct xdr_netobj checksum;
 868
 869	/* Did we already verify the signature on the original pass through? */
 870	if (rqstp->rq_deferred)
 871		return 0;
 872
 873	if (xdr_stream_decode_u32(xdr, &len) < 0)
 874		goto unwrap_failed;
 875	if (len & 3)
 876		goto unwrap_failed;
 877	offset = xdr_stream_pos(xdr);
 878	if (xdr_buf_subsegment(buf, &databody_integ, offset, len))
 879		goto unwrap_failed;
 880
 881	/*
 882	 * The xdr_stream now points to the @seq_num field. The next
 883	 * XDR data item is the @arg field, which contains the clear
 884	 * text RPC program payload. The checksum, which follows the
 885	 * @arg field, is located and decoded without updating the
 886	 * xdr_stream.
 887	 */
 888
 889	offset += len;
 890	if (xdr_decode_word(buf, offset, &checksum.len))
 891		goto unwrap_failed;
 892	if (checksum.len > sizeof(gsd->gsd_scratch))
 893		goto unwrap_failed;
 894	checksum.data = gsd->gsd_scratch;
 895	if (read_bytes_from_xdr_buf(buf, offset + XDR_UNIT, checksum.data,
 896				    checksum.len))
 897		goto unwrap_failed;
 898
 899	maj_stat = gss_verify_mic(ctx, &databody_integ, &checksum);
 900	if (maj_stat != GSS_S_COMPLETE)
 901		goto bad_mic;
 902
 903	/* The received seqno is protected by the checksum. */
 904	if (xdr_stream_decode_u32(xdr, &seq_num) < 0)
 905		goto unwrap_failed;
 906	if (seq_num != seq)
 907		goto bad_seqno;
 908
 909	xdr_truncate_decode(xdr, XDR_UNIT + checksum.len);
 910	return 0;
 911
 912unwrap_failed:
 913	trace_rpcgss_svc_unwrap_failed(rqstp);
 914	return -EINVAL;
 915bad_seqno:
 916	trace_rpcgss_svc_seqno_bad(rqstp, seq, seq_num);
 917	return -EINVAL;
 918bad_mic:
 919	trace_rpcgss_svc_mic(rqstp, maj_stat);
 920	return -EINVAL;
 921}
 922
 923/*
 924 * RFC 2203, Section 5.3.2.3
 925 *
 926 *	struct rpc_gss_priv_data {
 927 *		opaque databody_priv<>
 928 *	};
 929 *
 930 *	struct rpc_gss_data_t {
 931 *		unsigned int seq_num;
 932 *		proc_req_arg_t arg;
 933 *	};
 934 */
 935static noinline_for_stack int
 936svcauth_gss_unwrap_priv(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx)
 937{
 938	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
 939	u32 len, maj_stat, seq_num, offset;
 940	struct xdr_buf *buf = xdr->buf;
 941	unsigned int saved_len;
 942
 943	if (xdr_stream_decode_u32(xdr, &len) < 0)
 944		goto unwrap_failed;
 945	if (rqstp->rq_deferred) {
 946		/* Already decrypted last time through! The sequence number
 947		 * check at out_seq is unnecessary but harmless: */
 948		goto out_seq;
 949	}
 950	if (len > xdr_stream_remaining(xdr))
 951		goto unwrap_failed;
 952	offset = xdr_stream_pos(xdr);
 953
 954	saved_len = buf->len;
 955	maj_stat = gss_unwrap(ctx, offset, offset + len, buf);
 956	if (maj_stat != GSS_S_COMPLETE)
 957		goto bad_unwrap;
 958	xdr->nwords -= XDR_QUADLEN(saved_len - buf->len);
 959
 960out_seq:
 961	/* gss_unwrap() decrypted the sequence number. */
 962	if (xdr_stream_decode_u32(xdr, &seq_num) < 0)
 963		goto unwrap_failed;
 964	if (seq_num != seq)
 965		goto bad_seqno;
 966	return 0;
 967
 968unwrap_failed:
 969	trace_rpcgss_svc_unwrap_failed(rqstp);
 970	return -EINVAL;
 971bad_seqno:
 972	trace_rpcgss_svc_seqno_bad(rqstp, seq, seq_num);
 973	return -EINVAL;
 974bad_unwrap:
 975	trace_rpcgss_svc_unwrap(rqstp, maj_stat);
 976	return -EINVAL;
 977}
 978
 979static enum svc_auth_status
 980svcauth_gss_set_client(struct svc_rqst *rqstp)
 981{
 982	struct gss_svc_data *svcdata = rqstp->rq_auth_data;
 983	struct rsc *rsci = svcdata->rsci;
 984	struct rpc_gss_wire_cred *gc = &svcdata->clcred;
 985	int stat;
 986
 987	rqstp->rq_auth_stat = rpc_autherr_badcred;
 988
 989	/*
 990	 * A gss export can be specified either by:
 991	 * 	export	*(sec=krb5,rw)
 992	 * or by
 993	 * 	export gss/krb5(rw)
 994	 * The latter is deprecated; but for backwards compatibility reasons
 995	 * the nfsd code will still fall back on trying it if the former
 996	 * doesn't work; so we try to make both available to nfsd, below.
 997	 */
 998	rqstp->rq_gssclient = find_gss_auth_domain(rsci->mechctx, gc->gc_svc);
 999	if (rqstp->rq_gssclient == NULL)
1000		return SVC_DENIED;
1001	stat = svcauth_unix_set_client(rqstp);
1002	if (stat == SVC_DROP || stat == SVC_CLOSE)
1003		return stat;
1004
1005	rqstp->rq_auth_stat = rpc_auth_ok;
1006	return SVC_OK;
1007}
1008
1009static bool
1010svcauth_gss_proc_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp,
1011			   struct xdr_netobj *out_handle, int *major_status,
1012			   u32 seq_num)
1013{
1014	struct xdr_stream *xdr = &rqstp->rq_res_stream;
1015	struct rsc *rsci;
1016	bool rc;
1017
1018	if (*major_status != GSS_S_COMPLETE)
1019		goto null_verifier;
1020	rsci = gss_svc_searchbyctx(cd, out_handle);
1021	if (rsci == NULL) {
1022		*major_status = GSS_S_NO_CONTEXT;
1023		goto null_verifier;
1024	}
1025
1026	rc = svcauth_gss_encode_verf(rqstp, rsci->mechctx, seq_num);
1027	cache_put(&rsci->h, cd);
1028	return rc;
1029
1030null_verifier:
1031	return xdr_stream_encode_opaque_auth(xdr, RPC_AUTH_NULL, NULL, 0) > 0;
1032}
1033
1034static void gss_free_in_token_pages(struct gssp_in_token *in_token)
1035{
1036	u32 inlen;
1037	int i;
1038
1039	i = 0;
1040	inlen = in_token->page_len;
1041	while (inlen) {
1042		if (in_token->pages[i])
1043			put_page(in_token->pages[i]);
1044		inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen;
1045	}
1046
1047	kfree(in_token->pages);
1048	in_token->pages = NULL;
1049}
1050
1051static int gss_read_proxy_verf(struct svc_rqst *rqstp,
1052			       struct rpc_gss_wire_cred *gc,
1053			       struct xdr_netobj *in_handle,
1054			       struct gssp_in_token *in_token)
1055{
1056	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
1057	unsigned int length, pgto_offs, pgfrom_offs;
1058	int pages, i, pgto, pgfrom;
1059	size_t to_offs, from_offs;
1060	u32 inlen;
1061
1062	if (dup_netobj(in_handle, &gc->gc_ctx))
1063		return SVC_CLOSE;
1064
1065	/*
1066	 *  RFC 2203 Section 5.2.2
1067	 *
1068	 *	struct rpc_gss_init_arg {
1069	 *		opaque gss_token<>;
1070	 *	};
1071	 */
1072	if (xdr_stream_decode_u32(xdr, &inlen) < 0)
1073		goto out_denied_free;
1074	if (inlen > xdr_stream_remaining(xdr))
1075		goto out_denied_free;
1076
1077	pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
1078	in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
1079	if (!in_token->pages)
1080		goto out_denied_free;
1081	in_token->page_base = 0;
1082	in_token->page_len = inlen;
1083	for (i = 0; i < pages; i++) {
1084		in_token->pages[i] = alloc_page(GFP_KERNEL);
1085		if (!in_token->pages[i]) {
1086			gss_free_in_token_pages(in_token);
1087			goto out_denied_free;
1088		}
1089	}
1090
1091	length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
1092	memcpy(page_address(in_token->pages[0]), xdr->p, length);
1093	inlen -= length;
1094
1095	to_offs = length;
1096	from_offs = rqstp->rq_arg.page_base;
1097	while (inlen) {
1098		pgto = to_offs >> PAGE_SHIFT;
1099		pgfrom = from_offs >> PAGE_SHIFT;
1100		pgto_offs = to_offs & ~PAGE_MASK;
1101		pgfrom_offs = from_offs & ~PAGE_MASK;
1102
1103		length = min_t(unsigned int, inlen,
1104			 min_t(unsigned int, PAGE_SIZE - pgto_offs,
1105			       PAGE_SIZE - pgfrom_offs));
1106		memcpy(page_address(in_token->pages[pgto]) + pgto_offs,
1107		       page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs,
1108		       length);
1109
1110		to_offs += length;
1111		from_offs += length;
1112		inlen -= length;
1113	}
1114	return 0;
1115
1116out_denied_free:
1117	kfree(in_handle->data);
1118	return SVC_DENIED;
1119}
1120
1121/*
1122 * RFC 2203, Section 5.2.3.1.
1123 *
1124 *	struct rpc_gss_init_res {
1125 *		opaque handle<>;
1126 *		unsigned int gss_major;
1127 *		unsigned int gss_minor;
1128 *		unsigned int seq_window;
1129 *		opaque gss_token<>;
1130 *	};
1131 */
1132static bool
1133svcxdr_encode_gss_init_res(struct xdr_stream *xdr,
1134			   struct xdr_netobj *handle,
1135			   struct xdr_netobj *gss_token,
1136			   unsigned int major_status,
1137			   unsigned int minor_status, u32 seq_num)
1138{
1139	if (xdr_stream_encode_opaque(xdr, handle->data, handle->len) < 0)
1140		return false;
1141	if (xdr_stream_encode_u32(xdr, major_status) < 0)
1142		return false;
1143	if (xdr_stream_encode_u32(xdr, minor_status) < 0)
1144		return false;
1145	if (xdr_stream_encode_u32(xdr, seq_num) < 0)
1146		return false;
1147	if (xdr_stream_encode_opaque(xdr, gss_token->data, gss_token->len) < 0)
1148		return false;
1149	return true;
1150}
1151
1152/*
1153 * Having read the cred already and found we're in the context
1154 * initiation case, read the verifier and initiate (or check the results
1155 * of) upcalls to userspace for help with context initiation.  If
1156 * the upcall results are available, write the verifier and result.
1157 * Otherwise, drop the request pending an answer to the upcall.
1158 */
1159static int
1160svcauth_gss_legacy_init(struct svc_rqst *rqstp,
1161			struct rpc_gss_wire_cred *gc)
1162{
1163	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
1164	struct rsi *rsip, rsikey;
1165	__be32 *p;
1166	u32 len;
1167	int ret;
1168	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
1169
1170	memset(&rsikey, 0, sizeof(rsikey));
1171	if (dup_netobj(&rsikey.in_handle, &gc->gc_ctx))
1172		return SVC_CLOSE;
1173
1174	/*
1175	 *  RFC 2203 Section 5.2.2
1176	 *
1177	 *	struct rpc_gss_init_arg {
1178	 *		opaque gss_token<>;
1179	 *	};
1180	 */
1181	if (xdr_stream_decode_u32(xdr, &len) < 0) {
1182		kfree(rsikey.in_handle.data);
1183		return SVC_DENIED;
1184	}
1185	p = xdr_inline_decode(xdr, len);
1186	if (!p) {
1187		kfree(rsikey.in_handle.data);
1188		return SVC_DENIED;
1189	}
1190	rsikey.in_token.data = kmalloc(len, GFP_KERNEL);
1191	if (ZERO_OR_NULL_PTR(rsikey.in_token.data)) {
1192		kfree(rsikey.in_handle.data);
1193		return SVC_CLOSE;
1194	}
1195	memcpy(rsikey.in_token.data, p, len);
1196	rsikey.in_token.len = len;
1197
1198	/* Perform upcall, or find upcall result: */
1199	rsip = rsi_lookup(sn->rsi_cache, &rsikey);
1200	rsi_free(&rsikey);
1201	if (!rsip)
1202		return SVC_CLOSE;
1203	if (cache_check(sn->rsi_cache, &rsip->h, &rqstp->rq_chandle) < 0)
1204		/* No upcall result: */
1205		return SVC_CLOSE;
1206
1207	ret = SVC_CLOSE;
1208	if (!svcauth_gss_proc_init_verf(sn->rsc_cache, rqstp, &rsip->out_handle,
1209					&rsip->major_status, GSS_SEQ_WIN))
1210		goto out;
1211	if (!svcxdr_set_accept_stat(rqstp))
1212		goto out;
1213	if (!svcxdr_encode_gss_init_res(&rqstp->rq_res_stream, &rsip->out_handle,
1214					&rsip->out_token, rsip->major_status,
1215					rsip->minor_status, GSS_SEQ_WIN))
1216		goto out;
1217
1218	ret = SVC_COMPLETE;
1219out:
1220	cache_put(&rsip->h, sn->rsi_cache);
1221	return ret;
1222}
1223
1224static int gss_proxy_save_rsc(struct cache_detail *cd,
1225				struct gssp_upcall_data *ud,
1226				uint64_t *handle)
1227{
1228	struct rsc rsci, *rscp = NULL;
1229	static atomic64_t ctxhctr;
1230	long long ctxh;
1231	struct gss_api_mech *gm = NULL;
1232	time64_t expiry;
1233	int status;
1234
1235	memset(&rsci, 0, sizeof(rsci));
1236	/* context handle */
1237	status = -ENOMEM;
1238	/* the handle needs to be just a unique id,
1239	 * use a static counter */
1240	ctxh = atomic64_inc_return(&ctxhctr);
1241
1242	/* make a copy for the caller */
1243	*handle = ctxh;
1244
1245	/* make a copy for the rsc cache */
1246	if (dup_to_netobj(&rsci.handle, (char *)handle, sizeof(uint64_t)))
1247		goto out;
1248	rscp = rsc_lookup(cd, &rsci);
1249	if (!rscp)
1250		goto out;
1251
1252	/* creds */
1253	if (!ud->found_creds) {
1254		/* userspace seem buggy, we should always get at least a
1255		 * mapping to nobody */
1256		goto out;
1257	} else {
1258		struct timespec64 boot;
1259
1260		/* steal creds */
1261		rsci.cred = ud->creds;
1262		memset(&ud->creds, 0, sizeof(struct svc_cred));
1263
1264		status = -EOPNOTSUPP;
1265		/* get mech handle from OID */
1266		gm = gss_mech_get_by_OID(&ud->mech_oid);
1267		if (!gm)
1268			goto out;
1269		rsci.cred.cr_gss_mech = gm;
1270
1271		status = -EINVAL;
1272		/* mech-specific data: */
1273		status = gss_import_sec_context(ud->out_handle.data,
1274						ud->out_handle.len,
1275						gm, &rsci.mechctx,
1276						&expiry, GFP_KERNEL);
1277		if (status)
1278			goto out;
1279
1280		getboottime64(&boot);
1281		expiry -= boot.tv_sec;
1282	}
1283
1284	rsci.h.expiry_time = expiry;
1285	rscp = rsc_update(cd, &rsci, rscp);
1286	status = 0;
1287out:
1288	rsc_free(&rsci);
1289	if (rscp)
1290		cache_put(&rscp->h, cd);
1291	else
1292		status = -ENOMEM;
1293	return status;
1294}
1295
1296static int svcauth_gss_proxy_init(struct svc_rqst *rqstp,
1297				  struct rpc_gss_wire_cred *gc)
1298{
1299	struct xdr_netobj cli_handle;
1300	struct gssp_upcall_data ud;
1301	uint64_t handle;
1302	int status;
1303	int ret;
1304	struct net *net = SVC_NET(rqstp);
1305	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1306
1307	memset(&ud, 0, sizeof(ud));
1308	ret = gss_read_proxy_verf(rqstp, gc, &ud.in_handle, &ud.in_token);
1309	if (ret)
1310		return ret;
1311
1312	ret = SVC_CLOSE;
1313
1314	/* Perform synchronous upcall to gss-proxy */
1315	status = gssp_accept_sec_context_upcall(net, &ud);
1316	if (status)
1317		goto out;
1318
1319	trace_rpcgss_svc_accept_upcall(rqstp, ud.major_status, ud.minor_status);
1320
1321	switch (ud.major_status) {
1322	case GSS_S_CONTINUE_NEEDED:
1323		cli_handle = ud.out_handle;
1324		break;
1325	case GSS_S_COMPLETE:
1326		status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &handle);
1327		if (status)
1328			goto out;
1329		cli_handle.data = (u8 *)&handle;
1330		cli_handle.len = sizeof(handle);
1331		break;
1332	default:
1333		goto out;
1334	}
1335
1336	if (!svcauth_gss_proc_init_verf(sn->rsc_cache, rqstp, &cli_handle,
1337					&ud.major_status, GSS_SEQ_WIN))
1338		goto out;
1339	if (!svcxdr_set_accept_stat(rqstp))
1340		goto out;
1341	if (!svcxdr_encode_gss_init_res(&rqstp->rq_res_stream, &cli_handle,
1342					&ud.out_token, ud.major_status,
1343					ud.minor_status, GSS_SEQ_WIN))
1344		goto out;
1345
1346	ret = SVC_COMPLETE;
1347out:
1348	gss_free_in_token_pages(&ud.in_token);
1349	gssp_free_upcall_data(&ud);
1350	return ret;
1351}
1352
1353/*
1354 * Try to set the sn->use_gss_proxy variable to a new value. We only allow
1355 * it to be changed if it's currently undefined (-1). If it's any other value
1356 * then return -EBUSY unless the type wouldn't have changed anyway.
1357 */
1358static int set_gss_proxy(struct net *net, int type)
1359{
1360	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1361	int ret;
1362
1363	WARN_ON_ONCE(type != 0 && type != 1);
1364	ret = cmpxchg(&sn->use_gss_proxy, -1, type);
1365	if (ret != -1 && ret != type)
1366		return -EBUSY;
1367	return 0;
1368}
1369
1370static bool use_gss_proxy(struct net *net)
1371{
1372	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1373
1374	/* If use_gss_proxy is still undefined, then try to disable it */
1375	if (sn->use_gss_proxy == -1)
1376		set_gss_proxy(net, 0);
1377	return sn->use_gss_proxy;
1378}
1379
1380static noinline_for_stack int
1381svcauth_gss_proc_init(struct svc_rqst *rqstp, struct rpc_gss_wire_cred *gc)
1382{
1383	struct xdr_stream *xdr = &rqstp->rq_arg_stream;
1384	u32 flavor, len;
1385	void *body;
1386
1387	/* Call's verf field: */
1388	if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0)
1389		return SVC_GARBAGE;
1390	if (flavor != RPC_AUTH_NULL || len != 0) {
1391		rqstp->rq_auth_stat = rpc_autherr_badverf;
1392		return SVC_DENIED;
1393	}
1394
1395	if (gc->gc_proc == RPC_GSS_PROC_INIT && gc->gc_ctx.len != 0) {
1396		rqstp->rq_auth_stat = rpc_autherr_badcred;
1397		return SVC_DENIED;
1398	}
1399
1400	if (!use_gss_proxy(SVC_NET(rqstp)))
1401		return svcauth_gss_legacy_init(rqstp, gc);
1402	return svcauth_gss_proxy_init(rqstp, gc);
1403}
1404
1405#ifdef CONFIG_PROC_FS
1406
1407static ssize_t write_gssp(struct file *file, const char __user *buf,
1408			 size_t count, loff_t *ppos)
1409{
1410	struct net *net = pde_data(file_inode(file));
1411	char tbuf[20];
1412	unsigned long i;
1413	int res;
1414
1415	if (*ppos || count > sizeof(tbuf)-1)
1416		return -EINVAL;
1417	if (copy_from_user(tbuf, buf, count))
1418		return -EFAULT;
1419
1420	tbuf[count] = 0;
1421	res = kstrtoul(tbuf, 0, &i);
1422	if (res)
1423		return res;
1424	if (i != 1)
1425		return -EINVAL;
1426	res = set_gssp_clnt(net);
1427	if (res)
1428		return res;
1429	res = set_gss_proxy(net, 1);
1430	if (res)
1431		return res;
1432	return count;
1433}
1434
1435static ssize_t read_gssp(struct file *file, char __user *buf,
1436			 size_t count, loff_t *ppos)
1437{
1438	struct net *net = pde_data(file_inode(file));
1439	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1440	unsigned long p = *ppos;
1441	char tbuf[10];
1442	size_t len;
1443
1444	snprintf(tbuf, sizeof(tbuf), "%d\n", sn->use_gss_proxy);
1445	len = strlen(tbuf);
1446	if (p >= len)
1447		return 0;
1448	len -= p;
1449	if (len > count)
1450		len = count;
1451	if (copy_to_user(buf, (void *)(tbuf+p), len))
1452		return -EFAULT;
1453	*ppos += len;
1454	return len;
1455}
1456
1457static const struct proc_ops use_gss_proxy_proc_ops = {
1458	.proc_open	= nonseekable_open,
1459	.proc_write	= write_gssp,
1460	.proc_read	= read_gssp,
1461};
1462
1463static int create_use_gss_proxy_proc_entry(struct net *net)
1464{
1465	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1466	struct proc_dir_entry **p = &sn->use_gssp_proc;
1467
1468	sn->use_gss_proxy = -1;
1469	*p = proc_create_data("use-gss-proxy", S_IFREG | 0600,
1470			      sn->proc_net_rpc,
1471			      &use_gss_proxy_proc_ops, net);
1472	if (!*p)
1473		return -ENOMEM;
1474	init_gssp_clnt(sn);
1475	return 0;
1476}
1477
1478static void destroy_use_gss_proxy_proc_entry(struct net *net)
1479{
1480	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1481
1482	if (sn->use_gssp_proc) {
1483		remove_proc_entry("use-gss-proxy", sn->proc_net_rpc);
1484		clear_gssp_clnt(sn);
1485	}
1486}
1487
1488static ssize_t read_gss_krb5_enctypes(struct file *file, char __user *buf,
1489				      size_t count, loff_t *ppos)
1490{
1491	struct rpcsec_gss_oid oid = {
1492		.len	= 9,
1493		.data	= "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
1494	};
1495	struct gss_api_mech *mech;
1496	ssize_t ret;
1497
1498	mech = gss_mech_get_by_OID(&oid);
1499	if (!mech)
1500		return 0;
1501	if (!mech->gm_upcall_enctypes) {
1502		gss_mech_put(mech);
1503		return 0;
1504	}
1505
1506	ret = simple_read_from_buffer(buf, count, ppos,
1507				      mech->gm_upcall_enctypes,
1508				      strlen(mech->gm_upcall_enctypes));
1509	gss_mech_put(mech);
1510	return ret;
1511}
1512
1513static const struct proc_ops gss_krb5_enctypes_proc_ops = {
1514	.proc_open	= nonseekable_open,
1515	.proc_read	= read_gss_krb5_enctypes,
1516};
1517
1518static int create_krb5_enctypes_proc_entry(struct net *net)
1519{
1520	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1521
1522	sn->gss_krb5_enctypes =
1523		proc_create_data("gss_krb5_enctypes", S_IFREG | 0444,
1524				 sn->proc_net_rpc, &gss_krb5_enctypes_proc_ops,
1525				 net);
1526	return sn->gss_krb5_enctypes ? 0 : -ENOMEM;
1527}
1528
1529static void destroy_krb5_enctypes_proc_entry(struct net *net)
1530{
1531	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
1532
1533	if (sn->gss_krb5_enctypes)
1534		remove_proc_entry("gss_krb5_enctypes", sn->proc_net_rpc);
1535}
1536
1537#else /* CONFIG_PROC_FS */
1538
1539static int create_use_gss_proxy_proc_entry(struct net *net)
1540{
1541	return 0;
1542}
1543
1544static void destroy_use_gss_proxy_proc_entry(struct net *net) {}
1545
1546static int create_krb5_enctypes_proc_entry(struct net *net)
1547{
1548	return 0;
1549}
1550
1551static void destroy_krb5_enctypes_proc_entry(struct net *net) {}
1552
1553#endif /* CONFIG_PROC_FS */
1554
1555/*
1556 * The Call's credential body should contain a struct rpc_gss_cred_t.
1557 *
1558 * RFC 2203 Section 5
1559 *
1560 *	struct rpc_gss_cred_t {
1561 *		union switch (unsigned int version) {
1562 *		case RPCSEC_GSS_VERS_1:
1563 *			struct {
1564 *				rpc_gss_proc_t gss_proc;
1565 *				unsigned int seq_num;
1566 *				rpc_gss_service_t service;
1567 *				opaque handle<>;
1568 *			} rpc_gss_cred_vers_1_t;
1569 *		}
1570 *	};
1571 */
1572static bool
1573svcauth_gss_decode_credbody(struct xdr_stream *xdr,
1574			    struct rpc_gss_wire_cred *gc,
1575			    __be32 **rpcstart)
1576{
1577	ssize_t handle_len;
1578	u32 body_len;
1579	__be32 *p;
1580
1581	p = xdr_inline_decode(xdr, XDR_UNIT);
1582	if (!p)
1583		return false;
1584	/*
1585	 * start of rpc packet is 7 u32's back from here:
1586	 * xid direction rpcversion prog vers proc flavour
1587	 */
1588	*rpcstart = p - 7;
1589	body_len = be32_to_cpup(p);
1590	if (body_len > RPC_MAX_AUTH_SIZE)
1591		return false;
1592
1593	/* struct rpc_gss_cred_t */
1594	if (xdr_stream_decode_u32(xdr, &gc->gc_v) < 0)
1595		return false;
1596	if (xdr_stream_decode_u32(xdr, &gc->gc_proc) < 0)
1597		return false;
1598	if (xdr_stream_decode_u32(xdr, &gc->gc_seq) < 0)
1599		return false;
1600	if (xdr_stream_decode_u32(xdr, &gc->gc_svc) < 0)
1601		return false;
1602	handle_len = xdr_stream_decode_opaque_inline(xdr,
1603						     (void **)&gc->gc_ctx.data,
1604						     body_len);
1605	if (handle_len < 0)
1606		return false;
1607	if (body_len != XDR_UNIT * 5 + xdr_align_size(handle_len))
1608		return false;
1609
1610	gc->gc_ctx.len = handle_len;
1611	return true;
1612}
1613
1614/**
1615 * svcauth_gss_accept - Decode and validate incoming RPC_AUTH_GSS credential
1616 * @rqstp: RPC transaction
1617 *
1618 * Return values:
1619 *   %SVC_OK: Success
1620 *   %SVC_COMPLETE: GSS context lifetime event
1621 *   %SVC_DENIED: Credential or verifier is not valid
1622 *   %SVC_GARBAGE: Failed to decode credential or verifier
1623 *   %SVC_CLOSE: Temporary failure
1624 *
1625 * The rqstp->rq_auth_stat field is also set (see RFCs 2203 and 5531).
1626 */
1627static enum svc_auth_status
1628svcauth_gss_accept(struct svc_rqst *rqstp)
1629{
1630	struct gss_svc_data *svcdata = rqstp->rq_auth_data;
1631	__be32		*rpcstart;
1632	struct rpc_gss_wire_cred *gc;
1633	struct rsc	*rsci = NULL;
1634	int		ret;
1635	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
1636
1637	rqstp->rq_auth_stat = rpc_autherr_badcred;
1638	if (!svcdata)
1639		svcdata = kmalloc(sizeof(*svcdata), GFP_KERNEL);
1640	if (!svcdata)
1641		goto auth_err;
1642	rqstp->rq_auth_data = svcdata;
1643	svcdata->gsd_databody_offset = 0;
1644	svcdata->rsci = NULL;
1645	gc = &svcdata->clcred;
1646
1647	if (!svcauth_gss_decode_credbody(&rqstp->rq_arg_stream, gc, &rpcstart))
1648		goto auth_err;
1649	if (gc->gc_v != RPC_GSS_VERSION)
1650		goto auth_err;
1651
1652	switch (gc->gc_proc) {
1653	case RPC_GSS_PROC_INIT:
1654	case RPC_GSS_PROC_CONTINUE_INIT:
1655		if (rqstp->rq_proc != 0)
1656			goto auth_err;
1657		return svcauth_gss_proc_init(rqstp, gc);
1658	case RPC_GSS_PROC_DESTROY:
1659		if (rqstp->rq_proc != 0)
1660			goto auth_err;
1661		fallthrough;
1662	case RPC_GSS_PROC_DATA:
1663		rqstp->rq_auth_stat = rpcsec_gsserr_credproblem;
1664		rsci = gss_svc_searchbyctx(sn->rsc_cache, &gc->gc_ctx);
1665		if (!rsci)
1666			goto auth_err;
1667		switch (svcauth_gss_verify_header(rqstp, rsci, rpcstart, gc)) {
1668		case SVC_OK:
1669			break;
1670		case SVC_DENIED:
1671			goto auth_err;
1672		case SVC_DROP:
1673			goto drop;
1674		}
1675		break;
1676	default:
1677		if (rqstp->rq_proc != 0)
1678			goto auth_err;
1679		rqstp->rq_auth_stat = rpc_autherr_rejectedcred;
1680		goto auth_err;
1681	}
1682
1683	/* now act upon the command: */
1684	switch (gc->gc_proc) {
1685	case RPC_GSS_PROC_DESTROY:
1686		if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq))
1687			goto auth_err;
1688		if (!svcxdr_set_accept_stat(rqstp))
1689			goto auth_err;
1690		/* Delete the entry from the cache_list and call cache_put */
1691		sunrpc_cache_unhash(sn->rsc_cache, &rsci->h);
1692		goto complete;
1693	case RPC_GSS_PROC_DATA:
1694		rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem;
1695		if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq))
1696			goto auth_err;
1697		if (!svcxdr_set_accept_stat(rqstp))
1698			goto auth_err;
1699		svcdata->gsd_databody_offset = xdr_stream_pos(&rqstp->rq_res_stream);
1700		rqstp->rq_cred = rsci->cred;
1701		get_group_info(rsci->cred.cr_group_info);
1702		rqstp->rq_auth_stat = rpc_autherr_badcred;
1703		switch (gc->gc_svc) {
1704		case RPC_GSS_SVC_NONE:
1705			break;
1706		case RPC_GSS_SVC_INTEGRITY:
1707			/* placeholders for body length and seq. number: */
1708			xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2);
1709			if (svcauth_gss_unwrap_integ(rqstp, gc->gc_seq,
1710						     rsci->mechctx))
1711				goto garbage_args;
1712			svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE);
1713			break;
1714		case RPC_GSS_SVC_PRIVACY:
1715			/* placeholders for body length and seq. number: */
1716			xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2);
1717			if (svcauth_gss_unwrap_priv(rqstp, gc->gc_seq,
1718						    rsci->mechctx))
1719				goto garbage_args;
1720			svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE * 2);
1721			break;
1722		default:
1723			goto auth_err;
1724		}
1725		svcdata->rsci = rsci;
1726		cache_get(&rsci->h);
1727		rqstp->rq_cred.cr_flavor = gss_svc_to_pseudoflavor(
1728					rsci->mechctx->mech_type,
1729					GSS_C_QOP_DEFAULT,
1730					gc->gc_svc);
1731		ret = SVC_OK;
1732		trace_rpcgss_svc_authenticate(rqstp, gc);
1733		goto out;
1734	}
1735garbage_args:
1736	ret = SVC_GARBAGE;
1737	goto out;
1738auth_err:
1739	xdr_truncate_encode(&rqstp->rq_res_stream, XDR_UNIT * 2);
1740	ret = SVC_DENIED;
1741	goto out;
1742complete:
1743	ret = SVC_COMPLETE;
1744	goto out;
1745drop:
1746	ret = SVC_CLOSE;
1747out:
1748	if (rsci)
1749		cache_put(&rsci->h, sn->rsc_cache);
1750	return ret;
1751}
1752
1753static u32
1754svcauth_gss_prepare_to_wrap(struct svc_rqst *rqstp, struct gss_svc_data *gsd)
1755{
1756	u32 offset;
1757
1758	/* Release can be called twice, but we only wrap once. */
1759	offset = gsd->gsd_databody_offset;
1760	gsd->gsd_databody_offset = 0;
1761
1762	/* AUTH_ERROR replies are not wrapped. */
1763	if (rqstp->rq_auth_stat != rpc_auth_ok)
1764		return 0;
1765
1766	/* Also don't wrap if the accept_stat is nonzero: */
1767	if (*rqstp->rq_accept_statp != rpc_success)
1768		return 0;
1769
1770	return offset;
1771}
1772
1773/*
1774 * RFC 2203, Section 5.3.2.2
1775 *
1776 *	struct rpc_gss_integ_data {
1777 *		opaque databody_integ<>;
1778 *		opaque checksum<>;
1779 *	};
1780 *
1781 *	struct rpc_gss_data_t {
1782 *		unsigned int seq_num;
1783 *		proc_req_arg_t arg;
1784 *	};
1785 *
1786 * The RPC Reply message has already been XDR-encoded. rq_res_stream
1787 * is now positioned so that the checksum can be written just past
1788 * the RPC Reply message.
1789 */
1790static int svcauth_gss_wrap_integ(struct svc_rqst *rqstp)
1791{
1792	struct gss_svc_data *gsd = rqstp->rq_auth_data;
1793	struct xdr_stream *xdr = &rqstp->rq_res_stream;
1794	struct rpc_gss_wire_cred *gc = &gsd->clcred;
1795	struct xdr_buf *buf = xdr->buf;
1796	struct xdr_buf databody_integ;
1797	struct xdr_netobj checksum;
1798	u32 offset, maj_stat;
1799
1800	offset = svcauth_gss_prepare_to_wrap(rqstp, gsd);
1801	if (!offset)
1802		goto out;
1803
1804	if (xdr_buf_subsegment(buf, &databody_integ, offset + XDR_UNIT,
1805			       buf->len - offset - XDR_UNIT))
1806		goto wrap_failed;
1807	/* Buffer space for these has already been reserved in
1808	 * svcauth_gss_accept(). */
1809	if (xdr_encode_word(buf, offset, databody_integ.len))
1810		goto wrap_failed;
1811	if (xdr_encode_word(buf, offset + XDR_UNIT, gc->gc_seq))
1812		goto wrap_failed;
1813
1814	checksum.data = gsd->gsd_scratch;
1815	maj_stat = gss_get_mic(gsd->rsci->mechctx, &databody_integ, &checksum);
1816	if (maj_stat != GSS_S_COMPLETE)
1817		goto bad_mic;
1818
1819	if (xdr_stream_encode_opaque(xdr, checksum.data, checksum.len) < 0)
1820		goto wrap_failed;
1821	xdr_commit_encode(xdr);
1822
1823out:
1824	return 0;
1825
1826bad_mic:
1827	trace_rpcgss_svc_get_mic(rqstp, maj_stat);
1828	return -EINVAL;
1829wrap_failed:
1830	trace_rpcgss_svc_wrap_failed(rqstp);
1831	return -EINVAL;
1832}
1833
1834/*
1835 * RFC 2203, Section 5.3.2.3
1836 *
1837 *	struct rpc_gss_priv_data {
1838 *		opaque databody_priv<>
1839 *	};
1840 *
1841 *	struct rpc_gss_data_t {
1842 *		unsigned int seq_num;
1843 *		proc_req_arg_t arg;
1844 *	};
1845 *
1846 * gss_wrap() expands the size of the RPC message payload in the
1847 * response buffer. The main purpose of svcauth_gss_wrap_priv()
1848 * is to ensure there is adequate space in the response buffer to
1849 * avoid overflow during the wrap.
1850 */
1851static int svcauth_gss_wrap_priv(struct svc_rqst *rqstp)
1852{
1853	struct gss_svc_data *gsd = rqstp->rq_auth_data;
1854	struct rpc_gss_wire_cred *gc = &gsd->clcred;
1855	struct xdr_buf *buf = &rqstp->rq_res;
1856	struct kvec *head = buf->head;
1857	struct kvec *tail = buf->tail;
1858	u32 offset, pad, maj_stat;
1859	__be32 *p;
1860
1861	offset = svcauth_gss_prepare_to_wrap(rqstp, gsd);
1862	if (!offset)
1863		return 0;
1864
1865	/*
1866	 * Buffer space for this field has already been reserved
1867	 * in svcauth_gss_accept(). Note that the GSS sequence
1868	 * number is encrypted along with the RPC reply payload.
1869	 */
1870	if (xdr_encode_word(buf, offset + XDR_UNIT, gc->gc_seq))
1871		goto wrap_failed;
1872
1873	/*
1874	 * If there is currently tail data, make sure there is
1875	 * room for the head, tail, and 2 * RPC_MAX_AUTH_SIZE in
1876	 * the page, and move the current tail data such that
1877	 * there is RPC_MAX_AUTH_SIZE slack space available in
1878	 * both the head and tail.
1879	 */
1880	if (tail->iov_base) {
1881		if (tail->iov_base >= head->iov_base + PAGE_SIZE)
1882			goto wrap_failed;
1883		if (tail->iov_base < head->iov_base)
1884			goto wrap_failed;
1885		if (tail->iov_len + head->iov_len
1886				+ 2 * RPC_MAX_AUTH_SIZE > PAGE_SIZE)
1887			goto wrap_failed;
1888		memmove(tail->iov_base + RPC_MAX_AUTH_SIZE, tail->iov_base,
1889			tail->iov_len);
1890		tail->iov_base += RPC_MAX_AUTH_SIZE;
1891	}
1892	/*
1893	 * If there is no current tail data, make sure there is
1894	 * room for the head data, and 2 * RPC_MAX_AUTH_SIZE in the
1895	 * allotted page, and set up tail information such that there
1896	 * is RPC_MAX_AUTH_SIZE slack space available in both the
1897	 * head and tail.
1898	 */
1899	if (!tail->iov_base) {
1900		if (head->iov_len + 2 * RPC_MAX_AUTH_SIZE > PAGE_SIZE)
1901			goto wrap_failed;
1902		tail->iov_base = head->iov_base
1903			+ head->iov_len + RPC_MAX_AUTH_SIZE;
1904		tail->iov_len = 0;
1905	}
1906
1907	maj_stat = gss_wrap(gsd->rsci->mechctx, offset + XDR_UNIT, buf,
1908			    buf->pages);
1909	if (maj_stat != GSS_S_COMPLETE)
1910		goto bad_wrap;
1911
1912	/* Wrapping can change the size of databody_priv. */
1913	if (xdr_encode_word(buf, offset, buf->len - offset - XDR_UNIT))
1914		goto wrap_failed;
1915	pad = xdr_pad_size(buf->len - offset - XDR_UNIT);
1916	p = (__be32 *)(tail->iov_base + tail->iov_len);
1917	memset(p, 0, pad);
1918	tail->iov_len += pad;
1919	buf->len += pad;
1920
1921	return 0;
1922wrap_failed:
1923	trace_rpcgss_svc_wrap_failed(rqstp);
1924	return -EINVAL;
1925bad_wrap:
1926	trace_rpcgss_svc_wrap(rqstp, maj_stat);
1927	return -ENOMEM;
1928}
1929
1930/**
1931 * svcauth_gss_release - Wrap payload and release resources
1932 * @rqstp: RPC transaction context
1933 *
1934 * Return values:
1935 *    %0: the Reply is ready to be sent
1936 *    %-ENOMEM: failed to allocate memory
1937 *    %-EINVAL: encoding error
1938 */
1939static int
1940svcauth_gss_release(struct svc_rqst *rqstp)
1941{
1942	struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
1943	struct gss_svc_data *gsd = rqstp->rq_auth_data;
1944	struct rpc_gss_wire_cred *gc;
1945	int stat;
1946
1947	if (!gsd)
1948		goto out;
1949	gc = &gsd->clcred;
1950	if (gc->gc_proc != RPC_GSS_PROC_DATA)
1951		goto out;
1952
1953	switch (gc->gc_svc) {
1954	case RPC_GSS_SVC_NONE:
1955		break;
1956	case RPC_GSS_SVC_INTEGRITY:
1957		stat = svcauth_gss_wrap_integ(rqstp);
1958		if (stat)
1959			goto out_err;
1960		break;
1961	case RPC_GSS_SVC_PRIVACY:
1962		stat = svcauth_gss_wrap_priv(rqstp);
1963		if (stat)
1964			goto out_err;
1965		break;
1966	/*
1967	 * For any other gc_svc value, svcauth_gss_accept() already set
1968	 * the auth_error appropriately; just fall through:
1969	 */
1970	}
1971
1972out:
1973	stat = 0;
1974out_err:
1975	if (rqstp->rq_client)
1976		auth_domain_put(rqstp->rq_client);
1977	rqstp->rq_client = NULL;
1978	if (rqstp->rq_gssclient)
1979		auth_domain_put(rqstp->rq_gssclient);
1980	rqstp->rq_gssclient = NULL;
1981	if (rqstp->rq_cred.cr_group_info)
1982		put_group_info(rqstp->rq_cred.cr_group_info);
1983	rqstp->rq_cred.cr_group_info = NULL;
1984	if (gsd && gsd->rsci) {
1985		cache_put(&gsd->rsci->h, sn->rsc_cache);
1986		gsd->rsci = NULL;
1987	}
1988	return stat;
1989}
1990
1991static void
1992svcauth_gss_domain_release_rcu(struct rcu_head *head)
1993{
1994	struct auth_domain *dom = container_of(head, struct auth_domain, rcu_head);
1995	struct gss_domain *gd = container_of(dom, struct gss_domain, h);
1996
1997	kfree(dom->name);
1998	kfree(gd);
1999}
2000
2001static void
2002svcauth_gss_domain_release(struct auth_domain *dom)
2003{
2004	call_rcu(&dom->rcu_head, svcauth_gss_domain_release_rcu);
2005}
2006
2007static rpc_authflavor_t svcauth_gss_pseudoflavor(struct svc_rqst *rqstp)
2008{
2009	return svcauth_gss_flavor(rqstp->rq_gssclient);
2010}
2011
2012static struct auth_ops svcauthops_gss = {
2013	.name		= "rpcsec_gss",
2014	.owner		= THIS_MODULE,
2015	.flavour	= RPC_AUTH_GSS,
2016	.accept		= svcauth_gss_accept,
2017	.release	= svcauth_gss_release,
2018	.domain_release = svcauth_gss_domain_release,
2019	.set_client	= svcauth_gss_set_client,
2020	.pseudoflavor	= svcauth_gss_pseudoflavor,
2021};
2022
2023static int rsi_cache_create_net(struct net *net)
2024{
2025	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
2026	struct cache_detail *cd;
2027	int err;
2028
2029	cd = cache_create_net(&rsi_cache_template, net);
2030	if (IS_ERR(cd))
2031		return PTR_ERR(cd);
2032	err = cache_register_net(cd, net);
2033	if (err) {
2034		cache_destroy_net(cd, net);
2035		return err;
2036	}
2037	sn->rsi_cache = cd;
2038	return 0;
2039}
2040
2041static void rsi_cache_destroy_net(struct net *net)
2042{
2043	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
2044	struct cache_detail *cd = sn->rsi_cache;
2045
2046	sn->rsi_cache = NULL;
2047	cache_purge(cd);
2048	cache_unregister_net(cd, net);
2049	cache_destroy_net(cd, net);
2050}
2051
2052static int rsc_cache_create_net(struct net *net)
2053{
2054	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
2055	struct cache_detail *cd;
2056	int err;
2057
2058	cd = cache_create_net(&rsc_cache_template, net);
2059	if (IS_ERR(cd))
2060		return PTR_ERR(cd);
2061	err = cache_register_net(cd, net);
2062	if (err) {
2063		cache_destroy_net(cd, net);
2064		return err;
2065	}
2066	sn->rsc_cache = cd;
2067	return 0;
2068}
2069
2070static void rsc_cache_destroy_net(struct net *net)
2071{
2072	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
2073	struct cache_detail *cd = sn->rsc_cache;
2074
2075	sn->rsc_cache = NULL;
2076	cache_purge(cd);
2077	cache_unregister_net(cd, net);
2078	cache_destroy_net(cd, net);
2079}
2080
2081int
2082gss_svc_init_net(struct net *net)
2083{
2084	int rv;
2085
2086	rv = rsc_cache_create_net(net);
2087	if (rv)
2088		return rv;
2089	rv = rsi_cache_create_net(net);
2090	if (rv)
2091		goto out1;
2092	rv = create_use_gss_proxy_proc_entry(net);
2093	if (rv)
2094		goto out2;
2095
2096	rv = create_krb5_enctypes_proc_entry(net);
2097	if (rv)
2098		goto out3;
2099
2100	return 0;
2101
2102out3:
2103	destroy_use_gss_proxy_proc_entry(net);
2104out2:
2105	rsi_cache_destroy_net(net);
2106out1:
2107	rsc_cache_destroy_net(net);
2108	return rv;
2109}
2110
2111void
2112gss_svc_shutdown_net(struct net *net)
2113{
2114	destroy_krb5_enctypes_proc_entry(net);
2115	destroy_use_gss_proxy_proc_entry(net);
2116	rsi_cache_destroy_net(net);
2117	rsc_cache_destroy_net(net);
2118}
2119
2120int
2121gss_svc_init(void)
2122{
2123	return svc_auth_register(RPC_AUTH_GSS, &svcauthops_gss);
2124}
2125
2126void
2127gss_svc_shutdown(void)
2128{
2129	svc_auth_unregister(RPC_AUTH_GSS);
2130}