], [
enable_gss="no"
])
+
+ enable_ssk=$enable_gss
])
]) # LC_CONFIG_GSS
-# LC_HAVE_VOID_OPENSSL_HMAC_FUNCS
+# LC_OPENSSL_SSK
#
-# OpenSSL 1.0+ return int for HMAC functions but previous versions do not
-AC_DEFUN([LC_HAVE_VOID_OPENSSL_HMAC_FUNCS], [
+# OpenSSL 1.0+ return int for HMAC functions but older SLES11 versions do not
+AC_DEFUN([LC_OPENSSL_SSK], [
+AC_MSG_CHECKING([whether OpenSSL has functions needed for SSK])
+AS_IF([test "x$enable_ssk" != xno], [
AC_COMPILE_IFELSE([AC_LANG_SOURCE([
#include <openssl/hmac.h>
#include <openssl/evp.h>
HMAC_CTX_init(&ctx);
rc = HMAC_Init_ex(&ctx, "test", 4, EVP_md_null(), NULL);
}
-])],[],[AC_DEFINE(HAVE_VOID_OPENSSL_HMAC_FUNCS, 1,
- [OpenSSL HMAC functions return void instead of int])
+])],[AC_DEFINE(HAVE_OPENSSL_SSK, 1,
+ [OpenSSL HMAC functions needed for SSK])],
+ [enable_ssk="no"])
])
-]) # LC_HAVE_VOID_OPENSSL_HMAC_FUNCS
+AC_MSG_RESULT([$enable_ssk])
+]) # LC_OPENSSL_SSK
# LC_INODE_PERMISION_2ARGS
#
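Review bot: The failure branch `[enable_ssk="no"]` switches shared-key support off for any compile failure of the probe, and the only trace is the `no` printed by `AC_MSG_RESULT`, even when GSS was requested explicitly. Because this result removes an authentication mechanism from both the kernel objects and the user-space tools, a warning after the result line would make the downgrade visible, for example `AS_IF([test "x$enable_gss" = xyes && test "x$enable_ssk" = xno], [AC_MSG_WARN([GSS is enabled but shared key (SSK) support was disabled by the OpenSSL HMAC check])])`. The comment above the macro still describes only the HMAC return type and could say that the result now gates SSK as a whole. The macro itself begins before this hunk.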
LC_GLIBC_SUPPORT_FHANDLES
LC_CONFIG_GSS
- LC_HAVE_VOID_OPENSSL_HMAC_FUNCS
+ LC_OPENSSL_SSK
# 2.6.32
LC_BLK_QUEUE_MAX_SEGMENTS
AM_CONDITIONAL(GSS, test x$enable_gss = xyes)
AM_CONDITIONAL(GSS_KEYRING, test x$enable_gss_keyring = xyes)
AM_CONDITIONAL(GSS_PIPEFS, test x$enable_gss_pipefs = xyes)
+AM_CONDITIONAL(GSS_SSK, test x$enable_ssk = xyes)
AM_CONDITIONAL(LIBPTHREAD, test x$enable_libpthread = xyes)
AM_CONDITIONAL(LLITE_LLOOP, test x$enable_llite_lloop_module = xyes)
]) # LC_CONDITIONALS
ptlrpc_gss-objs := sec_gss.o gss_bulk.o gss_cli_upcall.o gss_svc_upcall.o \
gss_rawobj.o lproc_gss.o \
gss_generic_token.o gss_mech_switch.o gss_krb5_mech.o \
- gss_null_mech.o gss_sk_mech.o gss_crypto.o
+ gss_null_mech.o gss_crypto.o
+@GSS_SSK_TRUE@ptlrpc_gss-objs += gss_sk_mech.o
@GSS_KEYRING_TRUE@ptlrpc_gss-objs += gss_keyring.o
@GSS_PIPEFS_TRUE@ptlrpc_gss-objs += gss_pipefs.o
void cleanup_kerberos_module(void);
/* gss_sk_mech.c */
+#ifdef HAVE_OPENSSL_SSK
int __init init_sk_module(void);
void cleanup_sk_module(void);
+#else
+static inline int init_sk_module(void) { return 0; }
+static inline void cleanup_sk_module(void) { return; }
+#endif /* HAVE_OPENSSL_SSK */
/* debug */
static inline
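Review bot: The new stubs for `init_sk_module()` and `cleanup_sk_module()` have no comment explaining that `HAVE_OPENSSL_SSK` comes from a user-space OpenSSL compile probe yet here decides whether the kernel-side sk mechanism exists at all. A short comment above the `#else` would help, such as `/* SSK not built: no sk mechanism is registered; init is a successful no-op */`. The `return;` in the void stub is redundant and can be an empty body.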
if GSS
SUBDIRS = gss
-GSSSRC = gss/sk_utils.c gss/sk_utils.h gss/err_util.c gss/err_util.h
+GSSSRC = gss/err_util.c gss/err_util.h
+if GSS_SSK
+GSSSRC += gss/sk_utils.c gss/sk_utils.h
+endif
GSSLIB = -lcrypto -lssl -lkeyutils -lm
else
GSSSRC =
sbin_PROGRAMS = lsvcgssd l_idmap
if GSS_KEYRING
-sbin_PROGRAMS += lgss_keyring lgss_sk
+sbin_PROGRAMS += lgss_keyring
+if GSS_SSK
+sbin_PROGRAMS += lgss_sk
+endif
endif
if GSS_PIPEFS
context_heimdal.c \
context_spkm3.c \
gss_util.c \
- sk_utils.c \
gss_oids.c \
err_util.c \
lsupport.c \
sk_utils.h \
lsupport.h
+if GSS_SSK
+COMMON_SRCS += sk_utils.c
+endif
+
lgssd_SOURCES = \
$(COMMON_SRCS) \
gssd.c \
context_heimdal.c \
lgss_krb5_utils.c \
lgss_null_utils.c \
- lgss_sk_utils.c \
lgss_utils.c \
lsupport.c \
err_util.c \
- sk_utils.c \
lgss_krb5_utils.h \
lgss_utils.h \
- sk_utils.h \
err_util.h \
lsupport.h
lgss_keyring_LDFLAGS = $(KRBLDFLAGS)
lgss_keyring_DEPENDENCIES = $(LIBCFS)
+if GSS_SSK
+lgss_keyring_SOURCES += sk_utils.c sk_utils.h lgss_sk_utils.c
+
lgss_sk_SOURCES = \
lgss_sk.c \
err_util.c \
lgss_sk_LDADD = $(LIBCFS) $(GSSAPI_LIBS) $(KRBLIBS) -lcrypto -lssl -lm -lkeyutils
lgss_sk_LDFLAGS = $(KRBLDFLAGS)
lgss_sk_DEPENDENCIES = $(LIBCFS)
+endif
EXTRA_DIST =
case LGSS_MECH_NULL:
lnd->lnd_mech = (gss_OID)&nulloid;
break;
+#ifdef HAVE_OPENSSL_SSK
case LGSS_MECH_SK:
lnd->lnd_mech = (gss_OID)&skoid;
lnd->lnd_req_flags = GSS_C_MUTUAL_FLAG;
break;
+#endif
default:
logmsg(LL_ERR, "invalid mech: %d\n", mech);
lnd->lnd_rpc_err = -EACCES;
#include "lgss_utils.h"
extern struct lgss_mech_type lgss_mech_null;
-extern struct lgss_mech_type lgss_mech_sk;
extern struct lgss_mech_type lgss_mech_krb5;
+extern struct lgss_mech_type lgss_mech_sk;
/*
* convenient macros, these perhaps need further cleanup
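Review bot: The `extern struct lgss_mech_type lgss_mech_sk;` declaration is only moved and stays unconditional, while the other hunks in this change guard its uses with `HAVE_OPENSSL_SSK` and the build only compiles `lgss_sk_utils.c` under `GSS_SSK`. Wrapping the declaration in `#ifdef HAVE_OPENSSL_SSK` … `#endif` would turn a stray unguarded reference into a compile error rather than a link error. This assumes the configuration header is visible at this point in the file.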
.length = 12,
.elements = "\053\006\001\004\001\311\146\215\126\001\000\000"
};
+#ifdef HAVE_OPENSSL_SSK
gss_OID_desc skoid = {
.length = 12,
.elements = "\053\006\001\004\001\311\146\215\126\001\000\001"
};
+#endif
/****************************************
* log facilities *
return &lgss_mech_krb5;
if (strcmp(mech_name, "gssnull") == 0)
return &lgss_mech_null;
+#ifdef HAVE_OPENSSL_SSK
if (strcmp(mech_name, "sk") == 0)
return &lgss_mech_sk;
+#endif
return NULL;
}
goto out;
}
-#ifdef HAVE_VOID_OPENSSL_HMAC_FUNCS
- HMAC_Init_ex(&hctx, key->value, key->length, hash_alg, NULL);
- for (i = 0; i < numbufs; i++)
- HMAC_Update(&hctx, bufs[i].value, bufs[i].length);
- HMAC_Final(&hctx, hmac->value, &hashlen);
-#else
if (HMAC_Init_ex(&hctx, key->value, key->length, hash_alg, NULL) != 1) {
printerr(0, "Failed to init HMAC\n");
goto out;
printerr(0, "Failed to finalize HMAC\n");
goto out;
}
-#endif
if (hmac->length != hashlen) {
printerr(0, "HMAC size does not match expected\n");
fprintf(stderr, "-o - Service OSS\n");
fprintf(stderr, "-g - Service MGS\n");
fprintf(stderr, "-k - Enable kerberos support\n");
+#ifdef HAVE_OPENSSL_SSK
fprintf(stderr, "-s - Enable shared key support\n");
+#endif
fprintf(stderr, "-z - Enable gssnull support\n");
exit(1);
usage(stdout, argv[0]);
break;
case 's':
+#ifdef HAVE_OPENSSL_SSK
sk_enabled = 1;
+#else
+ printerr(0, "ERROR: Request for sk but service "
+ "support not enabled\n");
+#endif
break;
case 'z':
null_enabled = 1;
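Review bot: In the `#else` branch of `case 's'` the option is only logged before `break`, so a daemon started with `-s` on a build without SSK carries on without the mechanism the administrator asked for. The text "service support not enabled" also reads like a runtime setting rather than a build-time omission. Consider `printerr(0, "ERROR: shared key support was not compiled in\n");` followed by `exit(1);` if failing at start-up matches how the rest of the option loop treats bad input. The loop starts and ends outside this hunk.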
int handle_sk(struct svc_nego_data *snd)
{
+#ifdef HAVE_OPENSSL_SSK
struct sk_cred *skc = NULL;
struct svc_cred cred;
gss_buffer_desc bufs[7];
if (skc)
sk_free_cred(skc);
printerr(3, "sk returning failure\n");
+#else /* !HAVE_OPENSSL_SSK */
+ printerr(0, "ERROR: shared key subflavour is not enabled\n");
+#endif /* HAVE_OPENSSL_SSK */
return -1;
}
snd.mech = &nulloid;
break;
case LGSS_MECH_SK:
+#ifdef HAVE_OPENSSL_SSK
if (!sk_enabled) {
printerr(1, "WARNING: Request for sk but service "
"support not enabled\n");
goto ignore;
}
snd.mech = &skoid;
+#else
+ printerr(1, "ERROR: Request for sk but service "
+ "support not enabled\n");
+#endif
break;
default:
printerr(0, "WARNING: invalid mechanism recevied: %d\n",
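Review bot: In the `#else` branch of `case LGSS_MECH_SK` the error is logged and `break` then leaves the switch with `snd.mech` never assigned, whereas the compiled-in path takes `goto ignore` when sk is not enabled. A request naming the sk mechanism on a build without SSK would therefore continue into whatever follows the switch, which is not visible in this hunk, instead of being dropped. Add `goto ignore;` after the `printerr` in the `#else` branch. The message is tagged ERROR but logged at level 1; level 0 would match the other ERROR messages this change adds.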
return rc;
}
}
-#endif
+#endif /* HAVE_GSS */
if (!mop.mo_fake) {
/* flags and target get to lustre_get_sb(), but not
}
#ifdef HAVE_GSS
+#ifdef HAVE_OPENSSL_SSK
int load_shared_keys(struct mount_opts *mop)
{
DIR *dir;
return rc;
}
-#endif
+#endif /* HAVE_OPENSSL_SSK */
+#endif /* HAVE_GSS */
struct module_backfs_ops *load_backfs_module(enum ldd_mount_type mount_type);
void unload_backfs_ops(struct module_backfs_ops *ops);
+#ifdef HAVE_OPENSSL_SSK
int load_shared_keys(struct mount_opts *mop);
+#else
+static inline int load_shared_keys(struct mount_opts *mop)
+{
+ return EOPNOTSUPP;
+}
+#endif
#endif
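Review bot: The stub `load_shared_keys()` returns a positive `EOPNOTSUPP`, and the error sign convention of the real function is not visible here, so it is worth confirming that callers testing `rc` treat both the same way. The declaration is guarded only by `HAVE_OPENSSL_SSK`, while the definition in the other file sits inside both `HAVE_GSS` and `HAVE_OPENSSL_SSK`. That relies on configure never setting the second without the first. A short comment on the stub would record the intent, for example `/* SSK not built: refuse to load keys so a mount that asks for them fails */`.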