Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp2112372rwb;
        Sun, 15 Jan 2023 09:22:04 -0800 (PST)
X-Google-Smtp-Source: AMrXdXtWDwRdfd3bs9nZe0GysFyKlAc3nnrk6DsgNECfqkXkNsbKysB7IWLBLL5vTO/NMZL8AktU
X-Received: by 2002:a17:902:a50c:b0:192:6c8a:6b81 with SMTP id s12-20020a170902a50c00b001926c8a6b81mr73285129plq.31.1673803324607;
        Sun, 15 Jan 2023 09:22:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673803324; cv=none;
        d=google.com; s=arc-20160816;
        b=vc6BI8QpxmcGzD/U867UjYLXpuV7By6z73QNaOWxPUKIdOGzqZudkmg+UrprasKXuD
         dGAiHKbQqHJQmppx06HCgB6Y62TbqPI5NlHD5O0szmQGc3TJ90R/kkRU/1erUqphfqYA
         T7fKnMRFsmnIF4L9eyFvbQQ5Z2Q260GurlPTrokR+Qg3kBYbHhES0Slsvjku3IVYtDf9
         VZxKJkiUvPvG9EgRDrOYoQ+m6PZMYmh2hqWPfsqXeaPzkqjbWXgR9II309+roIPjSTg1
         8E/K3eW5XuJMIKhTsGWdALySOSRq4X/CSLIBvB4k4RfJ1eMLQsu3p1Fy6keGHmlr3DgV
         swHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:cc:to:from
         :subject:dkim-signature;
        bh=K63M+zU4RafTbu8qKWHTdFP3VmUbtnJrHFJEp2uE9rM=;
        b=bUmSf3lteajA3xA0rQ+Necxx3cdOGkpr40yA8oO4fJ1Q/J1CdxNVSosQh8ETx5jANi
         rSADkmSX8Z7PwQEIBUP7b85C2wT345dDrLw6KkMr9jHRNHibua2llY3L6PizfUXWvNjY
         G+1XGmwgvsW59GEgxikANFnDj9fCJEtCPXjlX7NlT5BYBLWf1osBVWM6HYoVghSls0M3
         gUo4NAe1hjKog4c3it5YXi2kp9KfZESQy6+yA3v7bpb8fQka+fpgN9eGSfLuO+3eUJep
         9eyMsrROfcXsgFEvBUkrhXBNyqZhkW0DEn9BLUETtiPAw9B4PjO1ipwr4YEEvbokRWC2
         0MMg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="RObZ/SIg";
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c5-20020a170902724500b001910b27870esi25378739pll.512.2023.01.15.09.21.53;
        Sun, 15 Jan 2023 09:22:04 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="RObZ/SIg";
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231459AbjAORVk (ORCPT <rfc822;rick.macklem@gmail.com>
        + 99 others); Sun, 15 Jan 2023 12:21:40 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54884 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231269AbjAORVh (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Sun, 15 Jan 2023 12:21:37 -0500
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DA29776BB;
        Sun, 15 Jan 2023 09:21:36 -0800 (PST)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 90C2CB80B8E;
        Sun, 15 Jan 2023 17:21:35 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id EBCC9C433EF;
        Sun, 15 Jan 2023 17:21:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1673803294;
        bh=AAKF2h49CkAzEC5hAJhxvkm51RZupkaiVZQfgHEyap8=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=RObZ/SIgKV54VciJ7sc6k8vLTbNEbVXpkcq6Cpftp5iavd2aqliZCYrdYyb9Tpc81
         4dE9JhXH5CALoqDfNdh2yo+vdHO5hs3zD1YCifBg4Bet8BXMCR2O9heFVk9xG+cG3Y
         hsQDgZaQJmzKN20QQvWSOQ6/68egV12im4u1cgl2NZ8A77GLPcT+vpPFzQpRzlQxhz
         Xb2mVbJyxwW4RN3X4VDFtUuNpItXMya0N9gngvWa/YJCEuwolhnNbb2ZQjDvOp2hAd
         x3oSKj05aC2WaB495IuuVhqMr2zgun/vRDS+K/3bI1qmNX4TEQ3JH2ZLvwvbfBVJah
         WFF4382CftRjA==
Subject: [PATCH v2 12/41] SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file
From:   Chuck Lever <cel@kernel.org>
To:     linux-nfs@vger.kernel.org
Cc:     dhowells@redhat.com, simo@redhat.com,
        linux-kselftest@vger.kernel.org
Date:   Sun, 15 Jan 2023 12:21:33 -0500
Message-ID: <167380329307.10651.6781049993772779774.stgit@bazille.1015granger.net>
In-Reply-To: <167380196429.10651.4103075913257868035.stgit@bazille.1015granger.net>
References: <167380196429.10651.4103075913257868035.stgit@bazille.1015granger.net>
User-Agent: StGit/1.5
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

From: Chuck Lever <chuck.lever@oracle.com>

I would like to replace the KRB5_SUPPORTED_ENCTYPES macro so that
there is finer granularity about what enctype support is built in
to the kernel and then advertised by it.

The /proc/fs/nfsd/supported_krb5_enctypes file is a legacy API
that advertises supported enctypes to rpc.svcgssd (I think?). It
simply prints the value of the KRB5_SUPPORTED_ENCTYPES macro, so it
will need to be replaced with something that can instead display
exactly which enctypes are configured and built into the SunRPC
layer.

Completely decommissioning such APIs is hard. Instead, add a file
that is managed by SunRPC's GSS Kerberos mechanism, which is
authoritative about enctype support status. A subsequent patch will
replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink to this
new file.

Tested-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/auth_gss/svcauth_gss.c |   65 +++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 28e977c89a5a..19f0190a0b97 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1494,6 +1494,55 @@ static void destroy_use_gss_proxy_proc_entry(struct net *net)
 		clear_gssp_clnt(sn);
 	}
 }
+
+static ssize_t read_gss_krb5_enctypes(struct file *file, char __user *buf,
+				      size_t count, loff_t *ppos)
+{
+	struct rpcsec_gss_oid oid = {
+		.len	= 9,
+		.data	= "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
+	};
+	struct gss_api_mech *mech;
+	ssize_t ret;
+
+	mech = gss_mech_get_by_OID(&oid);
+	if (!mech)
+		return 0;
+	if (!mech->gm_upcall_enctypes) {
+		gss_mech_put(mech);
+		return 0;
+	}
+
+	ret = simple_read_from_buffer(buf, count, ppos,
+				      mech->gm_upcall_enctypes,
+				      strlen(mech->gm_upcall_enctypes));
+	gss_mech_put(mech);
+	return ret;
+}
+
+static const struct proc_ops gss_krb5_enctypes_proc_ops = {
+	.proc_open	= nonseekable_open,
+	.proc_read	= read_gss_krb5_enctypes,
+};
+
+static int create_krb5_enctypes_proc_entry(struct net *net)
+{
+	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
+
+	if (!proc_create_data("gss_krb5_enctypes", S_IFREG | 0444,
+			      sn->proc_net_rpc,
+			      &gss_krb5_enctypes_proc_ops, net))
+		return -ENOMEM;
+	return 0;
+}
+
+static void destroy_krb5_enctypes_proc_entry(struct net *net)
+{
+	struct sunrpc_net *sn = net_generic(net, sunrpc_net_id);
+
+	remove_proc_entry("gss_krb5_enctypes", sn->proc_net_rpc);
+}
+
 #else /* CONFIG_PROC_FS */
 
 static int create_use_gss_proxy_proc_entry(struct net *net)
@@ -1503,6 +1552,13 @@ static int create_use_gss_proxy_proc_entry(struct net *net)
 
 static void destroy_use_gss_proxy_proc_entry(struct net *net) {}
 
+static int create_krb5_enctypes_proc_entry(struct net *net)
+{
+	return 0;
+}
+
+static void destroy_krb5_enctypes_proc_entry(struct net *net) {}
+
 #endif /* CONFIG_PROC_FS */
 
 /*
@@ -2042,7 +2098,15 @@ gss_svc_init_net(struct net *net)
 	rv = create_use_gss_proxy_proc_entry(net);
 	if (rv)
 		goto out2;
+
+	rv = create_krb5_enctypes_proc_entry(net);
+	if (rv)
+		goto out3;
+
 	return 0;
+
+out3:
+	destroy_use_gss_proxy_proc_entry(net);
 out2:
 	rsi_cache_destroy_net(net);
 out1:
@@ -2053,6 +2117,7 @@ gss_svc_init_net(struct net *net)
 void
 gss_svc_shutdown_net(struct net *net)
 {
+	destroy_krb5_enctypes_proc_entry(net);
 	destroy_use_gss_proxy_proc_entry(net);
 	rsi_cache_destroy_net(net);
 	rsc_cache_destroy_net(net);