From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Olga Kornievskaia <olga.kornievskaia@gmail.com>,
Olga Kornievskaia <kolga@netapp.com>,
Chuck Lever <chuck.lever@oracle.com>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Sasha Levin <sashal@kernel.org>,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 090/106] SUNRPC: fix krb5p mount to provide large enough buffer in rq_rcvsize
Date: Wed, 15 Apr 2020 07:42:10 -0400 [thread overview]
Message-ID: <20200415114226.13103-90-sashal@kernel.org> (raw)
In-Reply-To: <20200415114226.13103-1-sashal@kernel.org>
From: Olga Kornievskaia <olga.kornievskaia@gmail.com>
[ Upstream commit df513a7711712758b9cb1a48d86712e7e1ee03f4 ]
Ever since commit 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing
reply buffer size"). It changed how "req->rq_rcvsize" is calculated. It
used to use au_cslack value which was nice and large and changed it to
au_rslack value which turns out to be too small.
Since 5.1, v3 mount with sec=krb5p fails against an Ontap server
because client's receive buffer it too small.
For gss krb5p, we need to account for the mic token in the verifier,
and the wrap token in the wrap token.
RFC 4121 defines:
mic token
Octet no Name Description
--------------------------------------------------------------
0..1 TOK_ID Identification field. Tokens emitted by
GSS_GetMIC() contain the hex value 04 04
expressed in big-endian order in this
field.
2 Flags Attributes field, as described in section
4.2.2.
3..7 Filler Contains five octets of hex value FF.
8..15 SND_SEQ Sequence number field in clear text,
expressed in big-endian order.
16..last SGN_CKSUM Checksum of the "to-be-signed" data and
octet 0..15, as described in section 4.2.4.
that's 16bytes (GSS_KRB5_TOK_HDR_LEN) + chksum
wrap token
Octet no Name Description
--------------------------------------------------------------
0..1 TOK_ID Identification field. Tokens emitted by
GSS_Wrap() contain the hex value 05 04
expressed in big-endian order in this
field.
2 Flags Attributes field, as described in section
4.2.2.
3 Filler Contains the hex value FF.
4..5 EC Contains the "extra count" field, in big-
endian order as described in section 4.2.3.
6..7 RRC Contains the "right rotation count" in big-
endian order, as described in section
4.2.5.
8..15 SND_SEQ Sequence number field in clear text,
expressed in big-endian order.
16..last Data Encrypted data for Wrap tokens with
confidentiality, or plaintext data followed
by the checksum for Wrap tokens without
confidentiality, as described in section
4.2.4.
Also 16bytes of header (GSS_KRB5_TOK_HDR_LEN), encrypted data, and cksum
(other things like padding)
RFC 3961 defines known cksum sizes:
Checksum type sumtype checksum section or
value size reference
---------------------------------------------------------------------
CRC32 1 4 6.1.3
rsa-md4 2 16 6.1.2
rsa-md4-des 3 24 6.2.5
des-mac 4 16 6.2.7
des-mac-k 5 8 6.2.8
rsa-md4-des-k 6 16 6.2.6
rsa-md5 7 16 6.1.1
rsa-md5-des 8 24 6.2.4
rsa-md5-des3 9 24 ??
sha1 (unkeyed) 10 20 ??
hmac-sha1-des3-kd 12 20 6.3
hmac-sha1-des3 13 20 ??
sha1 (unkeyed) 14 20 ??
hmac-sha1-96-aes128 15 20 [KRB5-AES]
hmac-sha1-96-aes256 16 20 [KRB5-AES]
[reserved] 0x8003 ? [GSS-KRB5]
Linux kernel now mainly supports type 15,16 so max cksum size is 20bytes.
(GSS_KRB5_MAX_CKSUM_LEN)
Re-use already existing define of GSS_KRB5_MAX_SLACK_NEEDED that's used
for encoding the gss_wrap tokens (same tokens are used in reply).
Fixes: 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing reply buffer size")
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/auth_gss/auth_gss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index d75fddca44c94..f9e1a7e61eda0 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -20,6 +20,7 @@
#include <linux/sunrpc/clnt.h>
#include <linux/sunrpc/auth.h>
#include <linux/sunrpc/auth_gss.h>
+#include <linux/sunrpc/gss_krb5.h>
#include <linux/sunrpc/svcauth_gss.h>
#include <linux/sunrpc/gss_err.h>
#include <linux/workqueue.h>
@@ -1050,7 +1051,7 @@ gss_create_new(const struct rpc_auth_create_args *args, struct rpc_clnt *clnt)
goto err_put_mech;
auth = &gss_auth->rpc_auth;
auth->au_cslack = GSS_CRED_SLACK >> 2;
- auth->au_rslack = GSS_VERF_SLACK >> 2;
+ auth->au_rslack = GSS_KRB5_MAX_SLACK_NEEDED >> 2;
auth->au_verfsize = GSS_VERF_SLACK >> 2;
auth->au_ralign = GSS_VERF_SLACK >> 2;
auth->au_flags = 0;
--
2.20.1
next prev parent reply other threads:[~2020-04-15 12:33 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200415114226.13103-1-sashal@kernel.org>
2020-04-15 11:40 ` [PATCH AUTOSEL 5.5 006/106] net/mlx5e: Enforce setting of a single FEC mode Sasha Levin
2020-04-18 19:52 ` Or Gerlitz
2020-04-18 21:20 ` Sasha Levin
2020-04-19 9:05 ` Or Gerlitz
2020-04-15 11:40 ` [PATCH AUTOSEL 5.5 009/106] bpf: Reliably preserve btf_trace_xxx types Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 055/106] net: phy: at803x: fix clock sink configuration on ATH8030 and ATH8035 Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 056/106] cxgb4: fix MPS index overwrite when setting MAC address Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 057/106] slcan: Don't transmit uninitialized stack data in padding Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 058/106] net: qualcomm: rmnet: Allow configuration updates to existing devices Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 060/106] net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 061/106] net: dsa: mt7530: fix null pointer dereferencing in port5 setup Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 062/106] tun: Don't put_page() for all negative return values from XDP program Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 063/106] mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 064/106] net: dsa: bcm_sf2: Do not register slave MDIO bus with OF Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 074/106] net: dsa: bcm_sf2: Ensure correct sub-node is parsed Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 076/106] net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers Sasha Levin
2020-04-15 11:41 ` [PATCH AUTOSEL 5.5 078/106] net: stmmac: xgmac: Fix VLAN register handling Sasha Levin
2020-04-15 11:42 ` [PATCH AUTOSEL 5.5 080/106] cxgb4: free MQPRIO resources in shutdown path Sasha Levin
2020-04-15 11:42 ` Sasha Levin [this message]
2020-04-15 11:42 ` [PATCH AUTOSEL 5.5 098/106] sunrpc: Fix gss_unwrap_resp_integ() again Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200415114226.13103-90-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=kolga@netapp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olga.kornievskaia@gmail.com \
--cc=stable@vger.kernel.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).