linux/net/sunrpc
Olga Kornievskaia df513a7711 SUNRPC: fix krb5p mount to provide large enough buffer in rq_rcvsize
Ever since commit 2c94b8eca1 ("SUNRPC: Use au_rslack when computing
reply buffer size"). It changed how "req->rq_rcvsize" is calculated. It
used to use au_cslack value which was nice and large and changed it to
au_rslack value which turns out to be too small.

Since 5.1, v3 mount with sec=krb5p fails against an Ontap server
because client's receive buffer it too small.

For gss krb5p, we need to account for the mic token in the verifier,
and the wrap token in the wrap token.

RFC 4121 defines:
mic token
Octet no   Name        Description
         --------------------------------------------------------------
         0..1     TOK_ID     Identification field.  Tokens emitted by
                             GSS_GetMIC() contain the hex value 04 04
                             expressed in big-endian order in this
                             field.
         2        Flags      Attributes field, as described in section
                             4.2.2.
         3..7     Filler     Contains five octets of hex value FF.
         8..15    SND_SEQ    Sequence number field in clear text,
                             expressed in big-endian order.
         16..last SGN_CKSUM  Checksum of the "to-be-signed" data and
                             octet 0..15, as described in section 4.2.4.

that's 16bytes (GSS_KRB5_TOK_HDR_LEN) + chksum

wrap token
Octet no   Name        Description
         --------------------------------------------------------------
          0..1     TOK_ID    Identification field.  Tokens emitted by
                             GSS_Wrap() contain the hex value 05 04
                             expressed in big-endian order in this
                             field.
          2        Flags     Attributes field, as described in section
                             4.2.2.
          3        Filler    Contains the hex value FF.
          4..5     EC        Contains the "extra count" field, in big-
                             endian order as described in section 4.2.3.
          6..7     RRC       Contains the "right rotation count" in big-
                             endian order, as described in section
                             4.2.5.
          8..15    SND_SEQ   Sequence number field in clear text,
                             expressed in big-endian order.
          16..last Data      Encrypted data for Wrap tokens with
                             confidentiality, or plaintext data followed
                             by the checksum for Wrap tokens without
                             confidentiality, as described in section
                             4.2.4.

Also 16bytes of header (GSS_KRB5_TOK_HDR_LEN), encrypted data, and cksum
(other things like padding)

RFC 3961 defines known cksum sizes:
Checksum type              sumtype        checksum         section or
                                value            size         reference
   ---------------------------------------------------------------------
   CRC32                            1               4           6.1.3
   rsa-md4                          2              16           6.1.2
   rsa-md4-des                      3              24           6.2.5
   des-mac                          4              16           6.2.7
   des-mac-k                        5               8           6.2.8
   rsa-md4-des-k                    6              16           6.2.6
   rsa-md5                          7              16           6.1.1
   rsa-md5-des                      8              24           6.2.4
   rsa-md5-des3                     9              24             ??
   sha1 (unkeyed)                  10              20             ??
   hmac-sha1-des3-kd               12              20            6.3
   hmac-sha1-des3                  13              20             ??
   sha1 (unkeyed)                  14              20             ??
   hmac-sha1-96-aes128             15              20         [KRB5-AES]
   hmac-sha1-96-aes256             16              20         [KRB5-AES]
   [reserved]                  0x8003               ?         [GSS-KRB5]

Linux kernel now mainly supports type 15,16 so max cksum size is 20bytes.
(GSS_KRB5_MAX_CKSUM_LEN)

Re-use already existing define of GSS_KRB5_MAX_SLACK_NEEDED that's used
for encoding the gss_wrap tokens (same tokens are used in reply).

Fixes: 2c94b8eca1 ("SUNRPC: Use au_rslack when computing reply buffer size")
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2020-03-26 10:51:01 -04:00
..
auth_gss SUNRPC: fix krb5p mount to provide large enough buffer in rq_rcvsize 2020-03-26 10:51:01 -04:00
xprtrdma xprtrdma: Fix DMA scatter-gather list mapping imbalance 2020-02-13 15:35:33 -05:00
addr.c SUNRPC: Use kmemdup_nul() in rpc_parse_scope_id() 2020-02-03 16:35:07 -05:00
auth_null.c SUNRPC: Add rpc_auth::au_ralign field 2019-02-14 11:48:36 -05:00
auth_unix.c SUNRPC: Use the client user namespace when encoding creds 2019-04-26 16:24:32 -04:00
auth.c SUNRPC: Remove broken gss_mech_list_pseudoflavors() 2020-01-15 10:54:32 -05:00
backchannel_rqst.c SUNRPC: Destroy the back channel when we destroy the host transport 2019-10-30 12:04:35 -04:00
cache.c Highlights: 2020-02-07 17:50:21 -08:00
clnt.c SUNRPC: Don't take a reference to the cred on synchronous tasks 2020-03-16 08:34:29 -04:00
debugfs.c NFS client updates for Linux 5.3 2019-07-18 14:32:33 -07:00
Kconfig SUNRPC: Drop redundant CONFIG_ from CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES 2019-07-06 14:54:53 -04:00
Makefile SUNRPC: remove generic cred code. 2018-12-19 13:52:46 -05:00
netns.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rpc_pipe.c kernel/notifier.c: remove blocking_notifier_chain_cond_register() 2019-12-04 19:44:12 -08:00
rpcb_clnt.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
sched.c SUNRPC: Add a flag to avoid reference counts on credentials 2020-03-16 08:34:28 -04:00
socklib.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
stats.c proc: convert everything to "struct proc_ops" 2020-02-04 03:05:26 +00:00
sunrpc_syms.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
sunrpc.h sunrpc: whitespace fixes 2018-07-31 12:53:40 -04:00
svc_xprt.c nfs: fix out-of-date connectathon talk URL 2019-07-03 17:52:09 -04:00
svc.c SUNRPC: Trace gssproxy upcall results 2019-10-30 16:32:07 -04:00
svcauth_unix.c nfs: use time64_t internally 2019-12-18 18:07:32 +01:00
svcauth.c SUNRPC: Trace gssproxy upcall results 2019-10-30 16:32:07 -04:00
svcsock.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
sysctl.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
timer.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
xdr.c SUNRPC: Remove xdr_buf_read_mic() 2020-03-16 10:18:45 -04:00
xprt.c NFSoRDMA Client Updates for Linux 5.5 2019-11-18 10:55:55 +01:00
xprtmultipath.c SUNRPC: Optimise transport balancing code 2019-07-18 14:43:52 -04:00
xprtsock.c SUNRPC: remove redundant assignments to variable status 2020-03-16 10:10:36 -04:00