2 * Modified from NFSv4 project for Lustre
4 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
6 * Copyright (c) 2012, 2016, Intel Corporation.
8 * Author: Eric Mei <ericm@clusterfs.com>
11 #ifndef __PTLRPC_GSS_GSS_INTERNAL_H_
12 #define __PTLRPC_GSS_GSS_INTERNAL_H_
14 #include <crypto/hash.h>
15 #include <libcfs/libcfs_crypto.h>
16 #include <lustre_sec.h>
17 #include <upcall_cache.h>
22 #define NETOBJ_EMPTY ((netobj_t) { 0 })
23 #define RAWOBJ_EMPTY ((rawobj_t) { 0, NULL })
25 typedef struct rawobj_buf_s {
32 int rawobj_empty(rawobj_t *obj);
33 int rawobj_alloc(rawobj_t *obj, char *buf, int len);
34 void rawobj_free(rawobj_t *obj);
35 int rawobj_equal(rawobj_t *a, rawobj_t *b);
36 int rawobj_dup(rawobj_t *dest, rawobj_t *src);
37 int rawobj_serialize(rawobj_t *obj, __u32 **buf, __u32 *buflen);
38 int rawobj_extract(rawobj_t *obj, __u32 **buf, __u32 *buflen);
39 int rawobj_extract_alloc(rawobj_t *obj, __u32 **buf, __u32 *buflen);
40 int rawobj_extract_local(rawobj_t *obj, __u32 **buf, __u32 *buflen);
41 int rawobj_extract_local_alloc(rawobj_t *obj, __u32 **buf, __u32 *buflen);
42 int rawobj_from_netobj(rawobj_t *rawobj, netobj_t *netobj);
43 int rawobj_from_netobj_alloc(rawobj_t *obj, netobj_t *netobj);
45 int buffer_extract_bytes(const void **buf, __u32 *buflen,
46 void *res, __u32 reslen);
49 * several timeout values. client refresh upcall timeout
51 #define __TIMEOUT_DELTA (10)
57 #define GSS_GC_INTERVAL (60 * 60) /* 60 minutes */
59 static inline time64_t gss_round_ctx_expiry(time64_t expiry,
60 unsigned long sec_flags)
62 if (sec_flags & PTLRPC_SEC_FL_REVERSE)
65 if (ktime_get_real_seconds() + __TIMEOUT_DELTA <= expiry)
66 return expiry - __TIMEOUT_DELTA;
72 * Max encryption element in block cipher algorithms.
74 #define GSS_MAX_CIPHER_BLOCK (16)
77 * XXX make it visible of kernel and lgssd/lsvcgssd
80 GSSD_INTERFACE_VERSION_V1 = 1,
81 GSSD_INTERFACE_VERSION_V2 = 2,
82 GSSD_INTERFACE_VERSION = GSSD_INTERFACE_VERSION_V2,
85 #define PTLRPC_GSS_VERSION (1)
88 enum ptlrpc_gss_proc {
89 PTLRPC_GSS_PROC_DATA = 0,
90 PTLRPC_GSS_PROC_INIT = 1,
91 PTLRPC_GSS_PROC_CONTINUE_INIT = 2,
92 PTLRPC_GSS_PROC_DESTROY = 3,
93 PTLRPC_GSS_PROC_ERR = 4,
97 LUSTRE_GSS_TGT_MGS = 0,
98 LUSTRE_GSS_TGT_MDS = 1,
99 LUSTRE_GSS_TGT_OSS = 2,
102 enum ptlrpc_gss_header_flags {
103 LUSTRE_GSS_PACK_BULK = 1,
104 LUSTRE_GSS_PACK_USER = 2,
105 LUSTRE_GSS_PACK_KCSUM = 4,
109 __u32 import_to_gss_svc(struct obd_import *imp)
111 int cl_sp_to = LUSTRE_SP_ANY;
114 cl_sp_to = imp->imp_obd->u.cli.cl_sp_to;
118 return LUSTRE_GSS_TGT_MDS;
120 return LUSTRE_GSS_TGT_OSS;
123 return LUSTRE_GSS_TGT_MGS;
131 #define PTLRPC_GSS_MAX_HANDLE_SIZE (8)
132 #define PTLRPC_GSS_HEADER_SIZE (sizeof(struct gss_header) + \
133 PTLRPC_GSS_MAX_HANDLE_SIZE)
136 static inline __u64 gss_handle_to_u64(rawobj_t *handle)
138 if (handle->len != PTLRPC_GSS_MAX_HANDLE_SIZE)
140 return *((__u64 *) handle->data);
143 struct gss_svc_reqctx {
144 struct ptlrpc_svc_ctx src_base;
148 struct gss_wire_ctx src_wirectx;
149 struct gss_svc_ctx *src_ctx;
151 * record place of bulk_sec_desc in request/reply buffer
153 struct ptlrpc_bulk_sec_desc *src_reqbsd;
155 struct ptlrpc_bulk_sec_desc *src_repbsd;
160 unsigned int src_init:1,
167 struct ptlrpc_cli_ctx gc_base;
173 struct gss_ctx *gc_mechctx;
174 /* handle for the buddy svc ctx */
175 rawobj_t gc_svc_handle;
178 struct gss_cli_ctx_keyring {
179 struct gss_cli_ctx gck_base;
181 struct timer_list gck_timer;
185 struct ptlrpc_sec gs_base;
186 struct gss_api_mech *gs_mech;
192 * FIXME cleanup the keyring upcall mutexes
194 #define HAVE_KEYRING_UPCALL_SERIALIZED 1
196 struct gss_sec_keyring {
197 struct gss_sec gsk_base;
199 * all contexts listed here. access is protected by sec spinlock.
201 struct hlist_head gsk_clist;
203 * specially point to root ctx (only one at a time). access is
204 * protected by sec spinlock.
206 struct ptlrpc_cli_ctx *gsk_root_ctx;
208 * specially serialize upcalls for root context.
210 struct mutex gsk_root_uc_lock;
212 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
213 struct mutex gsk_uc_lock; /* serialize upcalls */
217 static inline struct gss_cli_ctx *ctx2gctx(struct ptlrpc_cli_ctx *ctx)
219 return container_of(ctx, struct gss_cli_ctx, gc_base);
223 struct gss_cli_ctx_keyring *ctx2gctx_keyring(struct ptlrpc_cli_ctx *ctx)
225 return container_of(ctx2gctx(ctx),
226 struct gss_cli_ctx_keyring, gck_base);
229 static inline struct gss_sec *sec2gsec(struct ptlrpc_sec *sec)
231 return container_of(sec, struct gss_sec, gs_base);
234 static inline struct gss_sec_keyring *sec2gsec_keyring(struct ptlrpc_sec *sec)
236 return container_of(sec2gsec(sec), struct gss_sec_keyring, gsk_base);
239 #ifdef HAVE_CACHE_HASH_SPINLOCK
240 # define sunrpc_cache_lookup(c, i, h) sunrpc_cache_lookup_rcu((c), (i), (h))
241 # define cache_read_lock(cdetail) spin_lock(&((cdetail)->hash_lock))
242 # define cache_read_unlock(cdetail) spin_unlock(&((cdetail)->hash_lock))
243 #else /* ! HAVE_CACHE_HASH_SPINLOCK */
244 # define cache_read_lock(cdetail) read_lock(&((cdetail)->hash_lock))
245 # define cache_read_unlock(cdetail) read_unlock(&((cdetail)->hash_lock))
248 #define GSS_CTX_INIT_MAX_LEN (16384)
251 * This only guaranteed be enough for current krb5 des-cbc-crc . We might
252 * adjust this when new enc type or mech added in.
254 #define GSS_PRIVBUF_PREFIX_LEN (32)
255 #define GSS_PRIVBUF_SUFFIX_LEN (32)
258 struct gss_svc_reqctx *gss_svc_ctx2reqctx(struct ptlrpc_svc_ctx *ctx)
261 return container_of(ctx, struct gss_svc_reqctx, src_base);
265 struct gss_svc_ctx *gss_svc_ctx2gssctx(struct ptlrpc_svc_ctx *ctx)
268 return gss_svc_ctx2reqctx(ctx)->src_ctx;
272 int gss_cli_ctx_match(struct ptlrpc_cli_ctx *ctx, struct vfs_cred *vcred);
273 int gss_cli_ctx_display(struct ptlrpc_cli_ctx *ctx, char *buf, int bufsize);
274 int gss_cli_ctx_sign(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
275 int gss_cli_ctx_verify(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
276 int gss_cli_ctx_seal(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
277 int gss_cli_ctx_unseal(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
279 int gss_sec_install_rctx(struct obd_import *imp, struct ptlrpc_sec *sec,
280 struct ptlrpc_cli_ctx *ctx);
281 int gss_alloc_reqbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req,
283 void gss_free_reqbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req);
284 int gss_alloc_repbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req,
286 void gss_free_repbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req);
287 int gss_enlarge_reqbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req,
288 int segment, int newsize);
290 int gss_svc_accept(struct ptlrpc_sec_policy *policy,
291 struct ptlrpc_request *req);
292 void gss_svc_invalidate_ctx(struct ptlrpc_svc_ctx *svc_ctx);
293 int gss_svc_alloc_rs(struct ptlrpc_request *req, int msglen);
294 int gss_svc_authorize(struct ptlrpc_request *req);
295 void gss_svc_free_rs(struct ptlrpc_reply_state *rs);
296 void gss_svc_free_ctx(struct ptlrpc_svc_ctx *ctx);
298 int cli_ctx_expire(struct ptlrpc_cli_ctx *ctx);
299 int cli_ctx_check_death(struct ptlrpc_cli_ctx *ctx);
301 int gss_copy_rvc_cli_ctx(struct ptlrpc_cli_ctx *cli_ctx,
302 struct ptlrpc_svc_ctx *svc_ctx);
304 struct gss_header *gss_swab_header(struct lustre_msg *msg, int segment,
306 netobj_t *gss_swab_netobj(struct lustre_msg *msg, int segment);
308 void gss_cli_ctx_uptodate(struct gss_cli_ctx *gctx);
309 int gss_pack_err_notify(struct ptlrpc_request *req, __u32 major, __u32 minor);
310 int gss_check_seq_num(struct gss_svc_seq_data *sd, __u32 seq_num, int set);
312 int gss_sec_create_common(struct gss_sec *gsec,
313 struct ptlrpc_sec_policy *policy,
314 struct obd_import *imp,
315 struct ptlrpc_svc_ctx *ctx,
316 struct sptlrpc_flavor *sf);
317 void gss_sec_destroy_common(struct gss_sec *gsec);
318 void gss_sec_kill(struct ptlrpc_sec *sec);
320 int gss_cli_ctx_init_common(struct ptlrpc_sec *sec,
321 struct ptlrpc_cli_ctx *ctx,
322 struct ptlrpc_ctx_ops *ctxops,
323 struct vfs_cred *vcred);
324 int gss_cli_ctx_fini_common(struct ptlrpc_sec *sec,
325 struct ptlrpc_cli_ctx *ctx);
327 void gss_cli_ctx_flags2str(unsigned long flags, char *buf, int bufsize);
330 #ifndef HAVE_GSS_KEYRING
331 static inline int __init gss_init_keyring(void) { return 0; }
332 static inline void __exit gss_exit_keyring(void) { return; }
334 int __init gss_init_keyring(void);
335 void __exit gss_exit_keyring(void);
337 extern unsigned int gss_check_upcall_ns;
340 int gss_cli_prep_bulk(struct ptlrpc_request *req,
341 struct ptlrpc_bulk_desc *desc);
342 int gss_cli_ctx_wrap_bulk(struct ptlrpc_cli_ctx *ctx,
343 struct ptlrpc_request *req,
344 struct ptlrpc_bulk_desc *desc);
345 int gss_cli_ctx_unwrap_bulk(struct ptlrpc_cli_ctx *ctx,
346 struct ptlrpc_request *req,
347 struct ptlrpc_bulk_desc *desc);
348 int gss_svc_prep_bulk(struct ptlrpc_request *req,
349 struct ptlrpc_bulk_desc *desc);
350 int gss_svc_unwrap_bulk(struct ptlrpc_request *req,
351 struct ptlrpc_bulk_desc *desc);
352 int gss_svc_wrap_bulk(struct ptlrpc_request *req,
353 struct ptlrpc_bulk_desc *desc);
355 /* gss_generic_token.c */
356 int g_token_size(rawobj_t *mech, unsigned int body_size);
357 void g_make_token_header(rawobj_t *mech, int body_size, unsigned char **buf);
358 __u32 g_verify_token_header(rawobj_t *mech, int *body_size,
359 unsigned char **buf_in, int toksize);
362 /* gss_cli_upcall.c */
363 int gss_do_ctx_init_rpc(char __user *buffer, unsigned long count);
364 int gss_do_ctx_fini_rpc(struct gss_cli_ctx *gctx);
366 int __init gss_init_cli_upcall(void);
367 void gss_exit_cli_upcall(void);
369 /* gss_svc_upcall.c */
370 __u64 gss_get_next_ctx_index(void);
371 int gss_svc_upcall_install_rvs_ctx(struct obd_import *imp,
372 struct gss_sec *gsec,
373 struct gss_cli_ctx *gctx);
374 int gss_svc_upcall_expire_rvs_ctx(rawobj_t *handle);
375 int gss_svc_upcall_dup_handle(rawobj_t *handle, struct gss_svc_ctx *ctx);
376 int gss_svc_upcall_update_sequence(rawobj_t *handle, __u32 seq);
377 int gss_svc_upcall_handle_init(struct ptlrpc_request *req,
378 struct gss_svc_reqctx *grctx,
379 struct gss_wire_ctx *gw,
380 struct obd_device *target,
384 struct gss_svc_ctx *gss_svc_upcall_get_ctx(struct ptlrpc_request *req,
385 struct gss_wire_ctx *gw);
386 void gss_svc_upcall_put_ctx(struct gss_svc_ctx *ctx);
387 void gss_svc_upcall_destroy_ctx(struct gss_svc_ctx *ctx);
389 int __init gss_init_svc_upcall(void);
390 void gss_exit_svc_upcall(void);
391 extern unsigned int krb5_allow_old_client_csum;
394 void gss_stat_oos_record_cli(int behind);
395 void gss_stat_oos_record_svc(int phase, int replay);
397 int __init gss_init_tunables(void);
398 void gss_exit_tunables(void);
400 /* gss_null_mech.c */
401 int __init init_null_module(void);
402 void cleanup_null_module(void);
404 /* gss_krb5_mech.c */
405 int __init init_kerberos_module(void);
406 void cleanup_kerberos_module(void);
409 #ifdef HAVE_OPENSSL_SSK
410 int __init init_sk_module(void);
411 void cleanup_sk_module(void);
413 static inline int init_sk_module(void) { return 0; }
414 static inline void cleanup_sk_module(void) { return; }
415 #endif /* HAVE_OPENSSL_SSK */
419 void __dbg_memdump(char *name, void *ptr, int size)
421 char *buf, *p = (char *) ptr;
422 int bufsize = size * 2 + 1, i;
424 OBD_ALLOC(buf, bufsize);
426 CDEBUG(D_ERROR, "DUMP ERROR: can't alloc %d bytes\n", bufsize);
430 for (i = 0; i < size; i++)
431 sprintf(&buf[i+i], "%02x", (__u8) p[i]);
432 buf[size + size] = '\0';
433 LCONSOLE_INFO("DUMP %s@%p(%d): %s\n", name, ptr, size, buf);
434 OBD_FREE(buf, bufsize);
437 static inline unsigned int ll_read_key_usage(struct key *key)
439 #ifdef HAVE_KEY_USAGE_REFCOUNT
440 return refcount_read(&key->usage);
442 return atomic_read(&key->usage);
446 #define RSI_UPCALL_PATH "/usr/sbin/l_getauth"
447 #define UC_RSICACHE_HASH_SIZE 64
448 extern struct upcall_cache_ops rsi_upcall_cache_ops;
449 extern struct upcall_cache *rsicache;
450 struct gss_rsi *rsi_entry_get(struct upcall_cache *cache, struct gss_rsi *rsi);
451 void rsi_entry_put(struct upcall_cache *cache, struct gss_rsi *rsi);
452 void rsi_flush(struct upcall_cache *cache, int hash);
453 #define RSC_UPCALL_PATH "NONE"
454 #define UC_RSCCACHE_HASH_SIZE 1024
455 extern struct upcall_cache_ops rsc_upcall_cache_ops;
456 extern struct upcall_cache *rsccache;
457 struct gss_rsc *rsc_entry_get(struct upcall_cache *cache, struct gss_rsc *rsc);
458 void rsc_entry_put(struct upcall_cache *cache, struct gss_rsc *rsc);
459 void rsc_flush(struct upcall_cache *cache, int hash);
460 void __rsc_free(struct gss_rsc *rsc);
462 #endif /* __PTLRPC_GSS_GSS_INTERNAL_H_ */