SUNRPC: The transmitted message must lie in the RPCSEC window of validity
authorTrond Myklebust <trond.myklebust@hammerspace.com>
Tue, 14 Aug 2018 17:50:21 +0000 (13:50 -0400)
committerTrond Myklebust <trond.myklebust@hammerspace.com>
Sun, 30 Sep 2018 19:35:13 +0000 (15:35 -0400)
If a message has been encoded using RPCSEC_GSS, the server is
maintaining a window of sequence numbers that it considers valid.
The client should normally be tracking that window, and needs to
verify that the sequence number used by the message being transmitted
still lies inside the window of validity.

So far, we've been able to assume this condition would be realised
automatically, since the client has been encoding the message only
after taking the socket lock. Once we change that condition, we
will need the explicit check.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
include/linux/sunrpc/auth.h
include/linux/sunrpc/auth_gss.h
net/sunrpc/auth.c
net/sunrpc/auth_gss/auth_gss.c
net/sunrpc/clnt.c
net/sunrpc/xprt.c

index 58a6765c1c5e880f5efa2ef1948868e9d3ef2732..2c97a3933ef902d3e77502112ac9a696841ef7ee 100644 (file)
@@ -157,6 +157,7 @@ struct rpc_credops {
        int                     (*crkey_timeout)(struct rpc_cred *);
        bool                    (*crkey_to_expire)(struct rpc_cred *);
        char *                  (*crstringify_acceptor)(struct rpc_cred *);
+       bool                    (*crneed_reencode)(struct rpc_task *);
 };
 
 extern const struct rpc_authops        authunix_ops;
@@ -192,6 +193,7 @@ __be32 *            rpcauth_marshcred(struct rpc_task *, __be32 *);
 __be32 *               rpcauth_checkverf(struct rpc_task *, __be32 *);
 int                    rpcauth_wrap_req(struct rpc_task *task, kxdreproc_t encode, void *rqstp, __be32 *data, void *obj);
 int                    rpcauth_unwrap_resp(struct rpc_task *task, kxdrdproc_t decode, void *rqstp, __be32 *data, void *obj);
+bool                   rpcauth_xmit_need_reencode(struct rpc_task *task);
 int                    rpcauth_refreshcred(struct rpc_task *);
 void                   rpcauth_invalcred(struct rpc_task *);
 int                    rpcauth_uptodatecred(struct rpc_task *);
index 0c9eac351aabab4364be9f3dcc3f6a0bd57fc3d0..30427b729070b76cc528b9c5929e2a66b9d60cc4 100644 (file)
@@ -70,6 +70,7 @@ struct gss_cl_ctx {
        refcount_t              count;
        enum rpc_gss_proc       gc_proc;
        u32                     gc_seq;
+       u32                     gc_seq_xmit;
        spinlock_t              gc_seq_lock;
        struct gss_ctx          *gc_gss_ctx;
        struct xdr_netobj       gc_wire_ctx;
index 305ecea9217071208147ed84755c745b6299606e..59df5cdba0ac0a2183350a22cfee6eb87098c009 100644 (file)
@@ -817,6 +817,16 @@ rpcauth_unwrap_resp(struct rpc_task *task, kxdrdproc_t decode, void *rqstp,
        return rpcauth_unwrap_req_decode(decode, rqstp, data, obj);
 }
 
+bool
+rpcauth_xmit_need_reencode(struct rpc_task *task)
+{
+       struct rpc_cred *cred = task->tk_rqstp->rq_cred;
+
+       if (!cred || !cred->cr_ops->crneed_reencode)
+               return false;
+       return cred->cr_ops->crneed_reencode(task);
+}
+
 int
 rpcauth_refreshcred(struct rpc_task *task)
 {
index 21c0aa0a0d1d4fde901aed91a51fc65481f72b7b..c898a7c75e846f770a9ffa1b77f7249c417d5101 100644 (file)
@@ -1984,6 +1984,46 @@ gss_unwrap_req_decode(kxdrdproc_t decode, struct rpc_rqst *rqstp,
        return decode(rqstp, &xdr, obj);
 }
 
+static bool
+gss_seq_is_newer(u32 new, u32 old)
+{
+       return (s32)(new - old) > 0;
+}
+
+static bool
+gss_xmit_need_reencode(struct rpc_task *task)
+{
+       struct rpc_rqst *req = task->tk_rqstp;
+       struct rpc_cred *cred = req->rq_cred;
+       struct gss_cl_ctx *ctx = gss_cred_get_ctx(cred);
+       u32 win, seq_xmit;
+       bool ret = true;
+
+       if (!ctx)
+               return true;
+
+       if (gss_seq_is_newer(req->rq_seqno, READ_ONCE(ctx->gc_seq)))
+               goto out;
+
+       seq_xmit = READ_ONCE(ctx->gc_seq_xmit);
+       while (gss_seq_is_newer(req->rq_seqno, seq_xmit)) {
+               u32 tmp = seq_xmit;
+
+               seq_xmit = cmpxchg(&ctx->gc_seq_xmit, tmp, req->rq_seqno);
+               if (seq_xmit == tmp) {
+                       ret = false;
+                       goto out;
+               }
+       }
+
+       win = ctx->gc_win;
+       if (win > 0)
+               ret = !gss_seq_is_newer(req->rq_seqno, seq_xmit - win);
+out:
+       gss_put_ctx(ctx);
+       return ret;
+}
+
 static int
 gss_unwrap_resp(struct rpc_task *task,
                kxdrdproc_t decode, void *rqstp, __be32 *p, void *obj)
@@ -2052,6 +2092,7 @@ static const struct rpc_credops gss_credops = {
        .crunwrap_resp          = gss_unwrap_resp,
        .crkey_timeout          = gss_key_timeout,
        .crstringify_acceptor   = gss_stringify_acceptor,
+       .crneed_reencode        = gss_xmit_need_reencode,
 };
 
 static const struct rpc_credops gss_nullops = {
index 4f1ec8013332aaedfa79b4d1575cac7324ed21e9..d41b5ac1d4e8b5519249d4e54d1e67d40a684b8d 100644 (file)
@@ -2184,6 +2184,9 @@ call_status(struct rpc_task *task)
                /* shutdown or soft timeout */
                rpc_exit(task, status);
                break;
+       case -EBADMSG:
+               task->tk_action = call_transmit;
+               break;
        default:
                if (clnt->cl_chatty)
                        printk("%s: RPC call returned error %d\n",
index 6aa09edc95670f200b9ba1e7d80062196a5272aa..3973e10ea2bdd8df94e2baaeca64b6bb30824288 100644 (file)
@@ -1014,6 +1014,13 @@ void xprt_transmit(struct rpc_task *task)
        dprintk("RPC: %5u xprt_transmit(%u)\n", task->tk_pid, req->rq_slen);
 
        if (!req->rq_reply_bytes_recvd) {
+
+               /* Verify that our message lies in the RPCSEC_GSS window */
+               if (!req->rq_bytes_sent && rpcauth_xmit_need_reencode(task)) {
+                       task->tk_status = -EBADMSG;
+                       return;
+               }
+
                if (list_empty(&req->rq_list) && rpc_reply_expected(task)) {
                        /*
                         * Add to the list only if we're expecting a reply