1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Modifications for Lustre
5 * Copyright 2004 - 2006, Cluster File Systems, Inc.
7 * Author: Eric Mei <ericm@clusterfs.com>
11 * linux/net/sunrpc/auth_gss.c
13 * RPCSEC_GSS client authentication.
15 * Copyright (c) 2000 The Regents of the University of Michigan.
16 * All rights reserved.
18 * Dug Song <dugsong@monkey.org>
19 * Andy Adamson <andros@umich.edu>
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the above copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. Neither the name of the University nor the names of its
31 * contributors may be used to endorse or promote products derived
32 * from this software without specific prior written permission.
34 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
35 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
36 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
37 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
38 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
39 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
40 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
41 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
42 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
43 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
44 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 # define EXPORT_SYMTAB
51 #define DEBUG_SUBSYSTEM S_SEC
53 #include <linux/init.h>
54 #include <linux/module.h>
55 #include <linux/slab.h>
56 #include <linux/dcache.h>
58 #include <linux/random.h>
59 #include <asm/atomic.h>
61 #include <liblustre.h>
65 #include <obd_class.h>
66 #include <obd_support.h>
67 #include <lustre/lustre_idl.h>
68 #include <lustre_net.h>
69 #include <lustre_import.h>
70 #include <lustre_sec.h>
73 #include "gss_internal.h"
76 #include <linux/crypto.h>
79 static struct ptlrpc_sec_policy gss_policy;
80 static struct ptlrpc_cli_ctx * gss_sec_create_ctx(struct ptlrpc_sec *sec,
81 struct vfs_cred *vcred);
82 static void gss_sec_destroy_ctx(struct ptlrpc_sec *sec,
83 struct ptlrpc_cli_ctx *ctx);
84 /********************************************
86 ********************************************/
89 void gss_header_swabber(struct gss_header *ghdr)
91 __swab32s(&ghdr->gh_version);
92 __swab32s(&ghdr->gh_flags);
93 __swab32s(&ghdr->gh_proc);
94 __swab32s(&ghdr->gh_seq);
95 __swab32s(&ghdr->gh_svc);
96 __swab32s(&ghdr->gh_pad1);
97 __swab32s(&ghdr->gh_pad2);
98 __swab32s(&ghdr->gh_pad3);
99 __swab32s(&ghdr->gh_handle.len);
102 struct gss_header *gss_swab_header(struct lustre_msg *msg, int segment)
104 struct gss_header *ghdr;
106 ghdr = lustre_swab_buf(msg, segment, sizeof(*ghdr),
110 sizeof(*ghdr) + ghdr->gh_handle.len > msg->lm_buflens[segment]) {
111 CERROR("gss header require length %d, now %d received\n",
112 sizeof(*ghdr) + ghdr->gh_handle.len,
113 msg->lm_buflens[segment]);
121 void gss_netobj_swabber(netobj_t *obj)
123 __swab32s(&obj->len);
126 netobj_t *gss_swab_netobj(struct lustre_msg *msg, int segment)
130 obj = lustre_swab_buf(msg, segment, sizeof(*obj), gss_netobj_swabber);
131 if (obj && sizeof(*obj) + obj->len > msg->lm_buflens[segment]) {
132 CERROR("netobj require length %d but only %d received\n",
133 sizeof(*obj) + obj->len, msg->lm_buflens[segment]);
141 * payload should be obtained from mechanism. but currently since we
142 * only support kerberos, we could simply use fixed value.
146 #define GSS_KRB5_INTEG_MAX_PAYLOAD (40)
149 int gss_estimate_payload(struct gss_ctx *mechctx, int msgsize, int privacy)
152 /* we suppose max cipher block size is 16 bytes. here we
153 * add 16 for confounder and 16 for padding.
155 return GSS_KRB5_INTEG_MAX_PAYLOAD + msgsize + 16 + 16 + 16;
157 return GSS_KRB5_INTEG_MAX_PAYLOAD;
162 * return signature size, otherwise < 0 to indicate error
165 int gss_sign_msg(struct lustre_msg *msg,
166 struct gss_ctx *mechctx,
167 __u32 proc, __u32 seq,
170 struct gss_header *ghdr;
171 rawobj_t text[3], mic;
172 int textcnt, mic_idx = msg->lm_bufcount - 1;
175 LASSERT(msg->lm_bufcount >= 3);
178 LASSERT(msg->lm_buflens[0] >=
179 sizeof(*ghdr) + (handle ? handle->len : 0));
180 ghdr = lustre_msg_buf(msg, 0, 0);
182 ghdr->gh_version = PTLRPC_GSS_VERSION;
184 ghdr->gh_proc = proc;
186 ghdr->gh_svc = PTLRPC_GSS_SVC_INTEGRITY;
188 /* fill in a fake one */
189 ghdr->gh_handle.len = 0;
191 ghdr->gh_handle.len = handle->len;
192 memcpy(ghdr->gh_handle.data, handle->data, handle->len);
196 for (textcnt = 0; textcnt < mic_idx; textcnt++) {
197 text[textcnt].len = msg->lm_buflens[textcnt];
198 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
201 mic.len = msg->lm_buflens[mic_idx];
202 mic.data = lustre_msg_buf(msg, mic_idx, 0);
204 major = lgss_get_mic(mechctx, textcnt, text, &mic);
205 if (major != GSS_S_COMPLETE) {
206 CERROR("fail to generate MIC: %08x\n", major);
209 LASSERT(mic.len <= msg->lm_buflens[mic_idx]);
211 return lustre_shrink_msg(msg, mic_idx, mic.len, 0);
218 __u32 gss_verify_msg(struct lustre_msg *msg,
219 struct gss_ctx *mechctx)
223 int textcnt, mic_idx = msg->lm_bufcount - 1;
226 for (textcnt = 0; textcnt < mic_idx; textcnt++) {
227 text[textcnt].len = msg->lm_buflens[textcnt];
228 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
231 mic.len = msg->lm_buflens[mic_idx];
232 mic.data = lustre_msg_buf(msg, mic_idx, 0);
234 major = lgss_verify_mic(mechctx, textcnt, text, &mic);
235 if (major != GSS_S_COMPLETE)
236 CERROR("mic verify error: %08x\n", major);
242 * return gss error code
245 __u32 gss_unseal_msg(struct gss_ctx *mechctx,
246 struct lustre_msg *msgbuf,
247 int *msg_len, int msgbuf_len)
249 rawobj_t clear_obj, micobj, msgobj, token;
255 if (msgbuf->lm_bufcount != 3) {
256 CERROR("invalid bufcount %d\n", msgbuf->lm_bufcount);
257 RETURN(GSS_S_FAILURE);
260 /* verify gss header */
261 msgobj.len = msgbuf->lm_buflens[0];
262 msgobj.data = lustre_msg_buf(msgbuf, 0, 0);
263 micobj.len = msgbuf->lm_buflens[1];
264 micobj.data = lustre_msg_buf(msgbuf, 1, 0);
266 major = lgss_verify_mic(mechctx, 1, &msgobj, &micobj);
267 if (major != GSS_S_COMPLETE) {
268 CERROR("priv: mic verify error: %08x\n", major);
272 /* temporary clear text buffer */
273 clear_buflen = msgbuf->lm_buflens[2];
274 OBD_ALLOC(clear_buf, clear_buflen);
276 RETURN(GSS_S_FAILURE);
278 token.len = msgbuf->lm_buflens[2];
279 token.data = lustre_msg_buf(msgbuf, 2, 0);
281 clear_obj.len = clear_buflen;
282 clear_obj.data = clear_buf;
284 major = lgss_unwrap(mechctx, &token, &clear_obj);
285 if (major != GSS_S_COMPLETE) {
286 CERROR("priv: unwrap message error: %08x\n", major);
287 GOTO(out_free, major = GSS_S_FAILURE);
289 LASSERT(clear_obj.len <= clear_buflen);
291 /* now the decrypted message */
292 memcpy(msgbuf, clear_obj.data, clear_obj.len);
293 *msg_len = clear_obj.len;
295 major = GSS_S_COMPLETE;
297 OBD_FREE(clear_buf, clear_buflen);
301 /********************************************
302 * gss client context manipulation helpers *
303 ********************************************/
305 void gss_cli_ctx_uptodate(struct gss_cli_ctx *gctx)
307 struct ptlrpc_cli_ctx *ctx = &gctx->gc_base;
308 unsigned long ctx_expiry;
310 if (lgss_inquire_context(gctx->gc_mechctx, &ctx_expiry)) {
311 CERROR("ctx %p(%u): unable to inquire, expire it now\n",
312 gctx, ctx->cc_vcred.vc_uid);
313 ctx_expiry = 1; /* make it expired now */
316 ctx->cc_expire = gss_round_ctx_expiry(ctx_expiry,
317 ctx->cc_sec->ps_flags);
319 /* At this point this ctx might have been marked as dead by
320 * someone else, in which case nobody will make further use
321 * of it. we don't care, and mark it UPTODATE will help
322 * destroying server side context when it be destroied.
324 set_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
326 CWARN("%s ctx %p(%u->%s), will expire at %lu(%lds lifetime)\n",
327 (ctx->cc_sec->ps_flags & PTLRPC_SEC_FL_REVERSE ?
328 "server installed reverse" : "client refreshed"),
329 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
330 ctx->cc_expire, (long) (ctx->cc_expire - get_seconds()));
334 void gss_cli_ctx_finalize(struct gss_cli_ctx *gctx)
336 if (gctx->gc_mechctx)
337 lgss_delete_sec_context(&gctx->gc_mechctx);
339 rawobj_free(&gctx->gc_handle);
343 * Based on sequence number algorithm as specified in RFC 2203.
345 * modified for our own problem: arriving request has valid sequence number,
346 * but unwrapping request might cost a long time, after that its sequence
347 * are not valid anymore (fall behind the window). It rarely happen, mostly
348 * under extreme load.
350 * note we should not check sequence before verify the integrity of incoming
351 * request, because just one attacking request with high sequence number might
352 * cause all following request be dropped.
354 * so here we use a multi-phase approach: prepare 2 sequence windows,
355 * "main window" for normal sequence and "back window" for fall behind sequence.
356 * and 3-phase checking mechanism:
357 * 0 - before integrity verification, perform a initial sequence checking in
358 * main window, which only try and don't actually set any bits. if the
359 * sequence is high above the window or fit in the window and the bit
360 * is 0, then accept and proceed to integrity verification. otherwise
361 * reject this sequence.
362 * 1 - after integrity verification, check in main window again. if this
363 * sequence is high above the window or fit in the window and the bit
364 * is 0, then set the bit and accept; if it fit in the window but bit
365 * already set, then reject; if it fall behind the window, then proceed
367 * 2 - check in back window. if it is high above the window or fit in the
368 * window and the bit is 0, then set the bit and accept. otherwise reject.
371 * 1: looks like a replay
375 * note phase 0 is necessary, because otherwise replay attacking request of
376 * sequence which between the 2 windows can't be detected.
378 * this mechanism can't totally solve the problem, but could help much less
379 * number of valid requests be dropped.
382 int gss_do_check_seq(unsigned long *window, __u32 win_size, __u32 *max_seq,
383 __u32 seq_num, int phase)
385 LASSERT(phase >= 0 && phase <= 2);
387 if (seq_num > *max_seq) {
389 * 1. high above the window
394 if (seq_num >= *max_seq + win_size) {
395 memset(window, 0, win_size / 8);
398 while(*max_seq < seq_num) {
400 __clear_bit((*max_seq) % win_size, window);
403 __set_bit(seq_num % win_size, window);
404 } else if (seq_num + win_size <= *max_seq) {
406 * 2. low behind the window
408 if (phase == 0 || phase == 2)
411 CWARN("seq %u is %u behind (size %d), check backup window\n",
412 seq_num, *max_seq - win_size - seq_num, win_size);
416 * 3. fit into the window
420 if (test_bit(seq_num % win_size, window))
425 if (__test_and_set_bit(seq_num % win_size, window))
434 CERROR("seq %u (%s %s window) is a replay: max %u, winsize %d\n",
436 seq_num + win_size > *max_seq ? "in" : "behind",
437 phase == 2 ? "backup " : "main",
443 * Based on sequence number algorithm as specified in RFC 2203.
445 * if @set == 0: initial check, don't set any bit in window
446 * if @sec == 1: final check, set bit in window
448 int gss_check_seq_num(struct gss_svc_seq_data *ssd, __u32 seq_num, int set)
452 spin_lock(&ssd->ssd_lock);
458 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
459 &ssd->ssd_max_main, seq_num, 0);
461 gss_stat_oos_record_svc(0, 1);
464 * phase 1 checking main window
466 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
467 &ssd->ssd_max_main, seq_num, 1);
470 gss_stat_oos_record_svc(1, 1);
476 * phase 2 checking back window
478 rc = gss_do_check_seq(ssd->ssd_win_back, GSS_SEQ_WIN_BACK,
479 &ssd->ssd_max_back, seq_num, 2);
481 gss_stat_oos_record_svc(2, 1);
483 gss_stat_oos_record_svc(2, 0);
486 spin_unlock(&ssd->ssd_lock);
490 /***************************************
492 ***************************************/
495 int gss_cli_payload(struct ptlrpc_cli_ctx *ctx,
496 int msgsize, int privacy)
498 return gss_estimate_payload(NULL, msgsize, privacy);
502 int gss_cli_ctx_refresh(struct ptlrpc_cli_ctx *ctx)
504 /* if we are refreshing for root, also update the reverse
505 * handle index, do not confuse reverse contexts.
507 if (ctx->cc_vcred.vc_uid == 0) {
508 struct gss_sec *gsec;
510 gsec = container_of(ctx->cc_sec, struct gss_sec, gs_base);
511 gsec->gs_rvs_hdl = gss_get_next_ctx_index();
514 return gss_ctx_refresh_pipefs(ctx);
518 int gss_cli_ctx_match(struct ptlrpc_cli_ctx *ctx, struct vfs_cred *vcred)
520 return (ctx->cc_vcred.vc_uid == vcred->vc_uid);
524 void gss_cli_ctx_flags2str(unsigned long flags, char *buf, int bufsize)
528 if (flags & PTLRPC_CTX_UPTODATE)
529 strncat(buf, "uptodate,", bufsize);
530 if (flags & PTLRPC_CTX_DEAD)
531 strncat(buf, "dead,", bufsize);
532 if (flags & PTLRPC_CTX_ERROR)
533 strncat(buf, "error,", bufsize);
534 if (flags & PTLRPC_CTX_HASHED)
535 strncat(buf, "hashed,", bufsize);
536 if (flags & PTLRPC_CTX_ETERNAL)
537 strncat(buf, "eternal,", bufsize);
539 strncat(buf, "-,", bufsize);
541 buf[strlen(buf) - 1] = '\0';
545 int gss_cli_ctx_display(struct ptlrpc_cli_ctx *ctx, char *buf, int bufsize)
547 struct gss_cli_ctx *gctx;
551 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
553 gss_cli_ctx_flags2str(ctx->cc_flags, flags_str, sizeof(flags_str));
555 written = snprintf(buf, bufsize,
560 ctx->cc_vcred.vc_uid,
563 atomic_read(&gctx->gc_seq));
565 if (gctx->gc_mechctx) {
566 written += lgss_display(gctx->gc_mechctx,
567 buf + written, bufsize - written);
574 int gss_cli_ctx_sign(struct ptlrpc_cli_ctx *ctx,
575 struct ptlrpc_request *req)
577 struct gss_cli_ctx *gctx;
582 LASSERT(req->rq_reqbuf);
583 LASSERT(req->rq_reqbuf->lm_bufcount >= 3);
584 LASSERT(req->rq_cli_ctx == ctx);
586 /* nothing to do for context negotiation RPCs */
587 if (req->rq_ctx_init)
590 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
592 seq = atomic_inc_return(&gctx->gc_seq);
594 rc = gss_sign_msg(req->rq_reqbuf, gctx->gc_mechctx,
595 gctx->gc_proc, seq, &gctx->gc_handle);
599 /* gss_sign_msg() msg might take long time to finish, in which period
600 * more rpcs could be wrapped up and sent out. if we found too many
601 * of them we should repack this rpc, because sent it too late might
602 * lead to the sequence number fall behind the window on server and
603 * be dropped. also applies to gss_cli_ctx_seal().
605 if (atomic_read(&gctx->gc_seq) - seq > GSS_SEQ_REPACK_THRESHOLD) {
606 int behind = atomic_read(&gctx->gc_seq) - seq;
608 gss_stat_oos_record_cli(behind);
609 CWARN("req %p: %u behind, retry signing\n", req, behind);
613 req->rq_reqdata_len = rc;
618 int gss_cli_ctx_handle_err_notify(struct ptlrpc_cli_ctx *ctx,
619 struct ptlrpc_request *req,
620 struct gss_header *ghdr)
622 struct gss_err_header *errhdr;
625 LASSERT(ghdr->gh_proc == PTLRPC_GSS_PROC_ERR);
627 errhdr = (struct gss_err_header *) ghdr;
629 /* server return NO_CONTEXT might be caused by context expire
630 * or server reboot/failover. we refresh the cred transparently
632 * In some cases, our gss handle is possible to be incidentally
633 * identical to another handle since the handle itself is not
634 * fully random. In krb5 case, the GSS_S_BAD_SIG will be
635 * returned, maybe other gss error for other mechanism.
637 * if we add new mechanism, make sure the correct error are
638 * returned in this case.
640 * but in any cases, don't resend ctx destroying rpc, don't resend
643 if (req->rq_ctx_fini) {
644 CWARN("server respond error (%08x/%08x) for ctx fini\n",
645 errhdr->gh_major, errhdr->gh_minor);
647 } else if (ctx->cc_sec->ps_flags & PTLRPC_SEC_FL_REVERSE) {
648 CWARN("reverse server respond error (%08x/%08x)\n",
649 errhdr->gh_major, errhdr->gh_minor);
651 } else if (errhdr->gh_major == GSS_S_NO_CONTEXT ||
652 errhdr->gh_major == GSS_S_BAD_SIG) {
653 CWARN("req x"LPU64"/t"LPU64": server respond ctx %p(%u->%s) "
654 "%s, server might lost the context.\n",
655 req->rq_xid, req->rq_transno, ctx, ctx->cc_vcred.vc_uid,
656 sec2target_str(ctx->cc_sec),
657 errhdr->gh_major == GSS_S_NO_CONTEXT ?
658 "NO_CONTEXT" : "BAD_SIG");
660 sptlrpc_ctx_expire(ctx);
664 CERROR("req %p: server report gss error (%x/%x)\n",
665 req, errhdr->gh_major, errhdr->gh_minor);
673 int gss_cli_ctx_verify(struct ptlrpc_cli_ctx *ctx,
674 struct ptlrpc_request *req)
676 struct gss_cli_ctx *gctx;
677 struct gss_header *ghdr, *reqhdr;
678 struct lustre_msg *msg = req->rq_repbuf;
683 LASSERT(req->rq_cli_ctx == ctx);
686 req->rq_repdata_len = req->rq_nob_received;
687 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
689 /* special case for context negotiation, rq_repmsg/rq_replen actually
690 * are not used currently.
692 if (req->rq_ctx_init) {
693 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
694 req->rq_replen = msg->lm_buflens[1];
698 if (msg->lm_bufcount < 3 || msg->lm_bufcount > 4) {
699 CERROR("unexpected bufcount %u\n", msg->lm_bufcount);
703 ghdr = gss_swab_header(msg, 0);
705 CERROR("can't decode gss header\n");
710 reqhdr = lustre_msg_buf(msg, 0, sizeof(*reqhdr));
713 if (ghdr->gh_version != reqhdr->gh_version) {
714 CERROR("gss version %u mismatch, expect %u\n",
715 ghdr->gh_version, reqhdr->gh_version);
719 switch (ghdr->gh_proc) {
720 case PTLRPC_GSS_PROC_DATA:
721 if (ghdr->gh_seq != reqhdr->gh_seq) {
722 CERROR("seqnum %u mismatch, expect %u\n",
723 ghdr->gh_seq, reqhdr->gh_seq);
727 if (ghdr->gh_svc != PTLRPC_GSS_SVC_INTEGRITY) {
728 CERROR("unexpected svc %d\n", ghdr->gh_svc);
732 if (lustre_msg_swabbed(msg))
733 gss_header_swabber(ghdr);
735 major = gss_verify_msg(msg, gctx->gc_mechctx);
736 if (major != GSS_S_COMPLETE)
739 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
740 req->rq_replen = msg->lm_buflens[1];
742 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
743 if (msg->lm_bufcount < 4) {
744 CERROR("Invalid reply bufcount %u\n",
749 /* bulk checksum is the second last segment */
750 rc = bulk_sec_desc_unpack(msg, msg->lm_bufcount - 2);
753 case PTLRPC_GSS_PROC_ERR:
754 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
757 CERROR("unknown gss proc %d\n", ghdr->gh_proc);
765 int gss_cli_ctx_seal(struct ptlrpc_cli_ctx *ctx,
766 struct ptlrpc_request *req)
768 struct gss_cli_ctx *gctx;
769 rawobj_t msgobj, cipher_obj, micobj;
770 struct gss_header *ghdr;
771 int buflens[3], wiresize, rc;
775 LASSERT(req->rq_clrbuf);
776 LASSERT(req->rq_cli_ctx == ctx);
777 LASSERT(req->rq_reqlen);
779 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
781 /* close clear data length */
782 req->rq_clrdata_len = lustre_msg_size_v2(req->rq_clrbuf->lm_bufcount,
783 req->rq_clrbuf->lm_buflens);
785 /* calculate wire data length */
786 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
787 buflens[1] = gss_cli_payload(&gctx->gc_base, buflens[0], 0);
788 buflens[2] = gss_cli_payload(&gctx->gc_base, req->rq_clrdata_len, 1);
789 wiresize = lustre_msg_size_v2(3, buflens);
791 /* allocate wire buffer */
794 LASSERT(req->rq_reqbuf);
795 LASSERT(req->rq_reqbuf != req->rq_clrbuf);
796 LASSERT(req->rq_reqbuf_len >= wiresize);
798 OBD_ALLOC(req->rq_reqbuf, wiresize);
801 req->rq_reqbuf_len = wiresize;
804 lustre_init_msg_v2(req->rq_reqbuf, 3, buflens, NULL);
805 req->rq_reqbuf->lm_secflvr = req->rq_sec_flavor;
808 ghdr = lustre_msg_buf(req->rq_reqbuf, 0, 0);
809 ghdr->gh_version = PTLRPC_GSS_VERSION;
811 ghdr->gh_proc = gctx->gc_proc;
812 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
813 ghdr->gh_svc = PTLRPC_GSS_SVC_PRIVACY;
814 ghdr->gh_handle.len = gctx->gc_handle.len;
815 memcpy(ghdr->gh_handle.data, gctx->gc_handle.data, gctx->gc_handle.len);
818 /* header signature */
819 msgobj.len = req->rq_reqbuf->lm_buflens[0];
820 msgobj.data = lustre_msg_buf(req->rq_reqbuf, 0, 0);
821 micobj.len = req->rq_reqbuf->lm_buflens[1];
822 micobj.data = lustre_msg_buf(req->rq_reqbuf, 1, 0);
824 major = lgss_get_mic(gctx->gc_mechctx, 1, &msgobj, &micobj);
825 if (major != GSS_S_COMPLETE) {
826 CERROR("priv: sign message error: %08x\n", major);
827 GOTO(err_free, rc = -EPERM);
829 /* perhaps shrink msg has potential problem in re-packing???
830 * ship a little bit more data is fine.
831 lustre_shrink_msg(req->rq_reqbuf, 1, micobj.len, 0);
835 msgobj.len = req->rq_clrdata_len;
836 msgobj.data = (__u8 *) req->rq_clrbuf;
839 cipher_obj.len = req->rq_reqbuf->lm_buflens[2];
840 cipher_obj.data = lustre_msg_buf(req->rq_reqbuf, 2, 0);
842 major = lgss_wrap(gctx->gc_mechctx, &msgobj, req->rq_clrbuf_len,
844 if (major != GSS_S_COMPLETE) {
845 CERROR("priv: wrap message error: %08x\n", major);
846 GOTO(err_free, rc = -EPERM);
848 LASSERT(cipher_obj.len <= buflens[2]);
850 /* see explain in gss_cli_ctx_sign() */
851 if (atomic_read(&gctx->gc_seq) - ghdr->gh_seq >
852 GSS_SEQ_REPACK_THRESHOLD) {
853 int behind = atomic_read(&gctx->gc_seq) - ghdr->gh_seq;
855 gss_stat_oos_record_cli(behind);
856 CWARN("req %p: %u behind, retry sealing\n", req, behind);
858 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
862 /* now set the final wire data length */
863 req->rq_reqdata_len = lustre_shrink_msg(req->rq_reqbuf, 2,
870 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
871 req->rq_reqbuf = NULL;
872 req->rq_reqbuf_len = 0;
878 int gss_cli_ctx_unseal(struct ptlrpc_cli_ctx *ctx,
879 struct ptlrpc_request *req)
881 struct gss_cli_ctx *gctx;
882 struct gss_header *ghdr;
887 LASSERT(req->rq_repbuf);
888 LASSERT(req->rq_cli_ctx == ctx);
890 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
892 ghdr = gss_swab_header(req->rq_repbuf, 0);
894 CERROR("can't decode gss header\n");
899 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
900 CERROR("gss version %u mismatch, expect %u\n",
901 ghdr->gh_version, PTLRPC_GSS_VERSION);
905 switch (ghdr->gh_proc) {
906 case PTLRPC_GSS_PROC_DATA:
907 if (lustre_msg_swabbed(req->rq_repbuf))
908 gss_header_swabber(ghdr);
910 major = gss_unseal_msg(gctx->gc_mechctx, req->rq_repbuf,
911 &msglen, req->rq_repbuf_len);
912 if (major != GSS_S_COMPLETE) {
917 if (lustre_unpack_msg(req->rq_repbuf, msglen)) {
918 CERROR("Failed to unpack after decryption\n");
921 req->rq_repdata_len = msglen;
923 if (req->rq_repbuf->lm_bufcount < 1) {
924 CERROR("Invalid reply buffer: empty\n");
928 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
929 if (req->rq_repbuf->lm_bufcount < 2) {
930 CERROR("Too few request buffer segments %d\n",
931 req->rq_repbuf->lm_bufcount);
935 /* bulk checksum is the last segment */
936 if (bulk_sec_desc_unpack(req->rq_repbuf,
937 req->rq_repbuf->lm_bufcount-1))
941 req->rq_repmsg = lustre_msg_buf(req->rq_repbuf, 0, 0);
942 req->rq_replen = req->rq_repbuf->lm_buflens[0];
946 case PTLRPC_GSS_PROC_ERR:
947 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
950 CERROR("unexpected proc %d\n", ghdr->gh_proc);
957 static struct ptlrpc_ctx_ops gss_ctxops = {
958 .refresh = gss_cli_ctx_refresh,
959 .match = gss_cli_ctx_match,
960 .display = gss_cli_ctx_display,
961 .sign = gss_cli_ctx_sign,
962 .verify = gss_cli_ctx_verify,
963 .seal = gss_cli_ctx_seal,
964 .unseal = gss_cli_ctx_unseal,
965 .wrap_bulk = gss_cli_ctx_wrap_bulk,
966 .unwrap_bulk = gss_cli_ctx_unwrap_bulk,
969 /*********************************************
970 * reverse context installation *
971 *********************************************/
973 int gss_install_rvs_cli_ctx(struct gss_sec *gsec,
974 struct ptlrpc_svc_ctx *svc_ctx)
976 struct vfs_cred vcred;
977 struct gss_svc_reqctx *grctx;
978 struct ptlrpc_cli_ctx *cli_ctx;
979 struct gss_cli_ctx *cli_gctx;
980 struct gss_ctx *mechctx = NULL;
987 cli_ctx = gss_sec_create_ctx(&gsec->gs_base, &vcred);
991 grctx = container_of(svc_ctx, struct gss_svc_reqctx, src_base);
993 LASSERT(grctx->src_ctx);
994 LASSERT(grctx->src_ctx->gsc_mechctx);
996 major = lgss_copy_reverse_context(grctx->src_ctx->gsc_mechctx, &mechctx);
997 if (major != GSS_S_COMPLETE)
998 GOTO(err_ctx, rc = -ENOMEM);
1000 cli_gctx = container_of(cli_ctx, struct gss_cli_ctx, gc_base);
1002 cli_gctx->gc_proc = PTLRPC_GSS_PROC_DATA;
1003 cli_gctx->gc_win = GSS_SEQ_WIN;
1004 atomic_set(&cli_gctx->gc_seq, 0);
1006 if (rawobj_dup(&cli_gctx->gc_handle, &grctx->src_ctx->gsc_rvs_hdl))
1007 GOTO(err_mechctx, rc = -ENOMEM);
1009 cli_gctx->gc_mechctx = mechctx;
1010 gss_cli_ctx_uptodate(cli_gctx);
1012 sptlrpc_ctx_replace(&gsec->gs_base, cli_ctx);
1016 lgss_delete_sec_context(&mechctx);
1018 gss_sec_destroy_ctx(cli_ctx->cc_sec, cli_ctx);
1024 int gss_install_rvs_svc_ctx(struct obd_import *imp,
1025 struct gss_sec *gsec,
1026 struct gss_cli_ctx *gctx)
1028 return gss_svc_upcall_install_rvs_ctx(imp, gsec, gctx);
1031 /*********************************************
1032 * GSS security APIs *
1033 *********************************************/
1036 struct ptlrpc_cli_ctx * gss_sec_create_ctx(struct ptlrpc_sec *sec,
1037 struct vfs_cred *vcred)
1039 struct gss_cli_ctx *gctx;
1040 struct ptlrpc_cli_ctx *ctx;
1043 OBD_ALLOC_PTR(gctx);
1048 atomic_set(&gctx->gc_seq, 0);
1050 ctx = &gctx->gc_base;
1051 INIT_HLIST_NODE(&ctx->cc_hash);
1052 atomic_set(&ctx->cc_refcount, 0);
1054 ctx->cc_ops = &gss_ctxops;
1057 ctx->cc_vcred = *vcred;
1058 spin_lock_init(&ctx->cc_lock);
1059 INIT_LIST_HEAD(&ctx->cc_req_list);
1061 CDEBUG(D_SEC, "create a gss cred at %p(uid %u)\n", ctx, vcred->vc_uid);
1066 void gss_sec_destroy_ctx(struct ptlrpc_sec *sec, struct ptlrpc_cli_ctx *ctx)
1068 struct gss_cli_ctx *gctx;
1072 LASSERT(atomic_read(&ctx->cc_refcount) == 0);
1074 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
1075 if (gctx->gc_mechctx) {
1076 gss_do_ctx_fini_rpc(gctx);
1077 gss_cli_ctx_finalize(gctx);
1080 CWARN("%s@%p: destroy ctx %p(%u->%s)\n",
1081 ctx->cc_sec->ps_policy->sp_name, ctx->cc_sec,
1082 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1088 #define GSS_CCACHE_SIZE (32)
1091 struct ptlrpc_sec* gss_sec_create(struct obd_import *imp,
1092 struct ptlrpc_svc_ctx *ctx,
1094 unsigned long flags)
1096 struct gss_sec *gsec;
1097 struct ptlrpc_sec *sec;
1098 int alloc_size, cache_size, i;
1102 LASSERT(SEC_FLAVOR_POLICY(flavor) == SPTLRPC_POLICY_GSS);
1104 if (ctx || flags & (PTLRPC_SEC_FL_ROOTONLY | PTLRPC_SEC_FL_REVERSE))
1107 cache_size = GSS_CCACHE_SIZE;
1109 alloc_size = sizeof(*gsec) + sizeof(struct list_head) * cache_size;
1111 OBD_ALLOC(gsec, alloc_size);
1115 gsec->gs_mech = lgss_subflavor_to_mech(SEC_FLAVOR_SUB(flavor));
1116 if (!gsec->gs_mech) {
1117 CERROR("gss backend 0x%x not found\n", SEC_FLAVOR_SUB(flavor));
1121 spin_lock_init(&gsec->gs_lock);
1122 gsec->gs_rvs_hdl = 0ULL; /* will be updated later */
1124 sec = &gsec->gs_base;
1125 sec->ps_policy = &gss_policy;
1126 sec->ps_flavor = flavor;
1127 sec->ps_flags = flags;
1128 sec->ps_import = class_import_get(imp);
1129 sec->ps_lock = SPIN_LOCK_UNLOCKED;
1130 sec->ps_ccache_size = cache_size;
1131 sec->ps_ccache = (struct hlist_head *) (gsec + 1);
1132 atomic_set(&sec->ps_busy, 0);
1134 for (i = 0; i < cache_size; i++)
1135 INIT_HLIST_HEAD(&sec->ps_ccache[i]);
1138 if (gss_sec_upcall_init(gsec))
1141 sec->ps_gc_interval = 30 * 60; /* 30 minutes */
1142 sec->ps_gc_next = cfs_time_current_sec() + sec->ps_gc_interval;
1144 LASSERT(sec->ps_flags & PTLRPC_SEC_FL_REVERSE);
1146 if (gss_install_rvs_cli_ctx(gsec, ctx))
1149 /* never do gc on reverse sec */
1150 sec->ps_gc_interval = 0;
1151 sec->ps_gc_next = 0;
1154 if (SEC_FLAVOR_SVC(flavor) == SPTLRPC_SVC_PRIV &&
1155 flags & PTLRPC_SEC_FL_BULK)
1156 sptlrpc_enc_pool_add_user();
1158 CWARN("create %s%s@%p\n", (ctx ? "reverse " : ""),
1159 gss_policy.sp_name, gsec);
1163 lgss_mech_put(gsec->gs_mech);
1165 OBD_FREE(gsec, alloc_size);
1170 void gss_sec_destroy(struct ptlrpc_sec *sec)
1172 struct gss_sec *gsec;
1175 gsec = container_of(sec, struct gss_sec, gs_base);
1176 CWARN("destroy %s@%p\n", gss_policy.sp_name, gsec);
1178 LASSERT(gsec->gs_mech);
1179 LASSERT(sec->ps_import);
1180 LASSERT(sec->ps_ccache);
1181 LASSERT(sec->ps_ccache_size);
1182 LASSERT(atomic_read(&sec->ps_refcount) == 0);
1183 LASSERT(atomic_read(&sec->ps_busy) == 0);
1185 gss_sec_upcall_cleanup(gsec);
1186 lgss_mech_put(gsec->gs_mech);
1188 class_import_put(sec->ps_import);
1190 if (SEC_FLAVOR_SVC(sec->ps_flavor) == SPTLRPC_SVC_PRIV &&
1191 sec->ps_flags & PTLRPC_SEC_FL_BULK)
1192 sptlrpc_enc_pool_del_user();
1194 OBD_FREE(gsec, sizeof(*gsec) +
1195 sizeof(struct list_head) * sec->ps_ccache_size);
1200 int gss_alloc_reqbuf_auth(struct ptlrpc_sec *sec,
1201 struct ptlrpc_request *req,
1204 struct sec_flavor_config *conf;
1205 int bufsize, txtsize;
1206 int buflens[5], bufcnt = 2;
1213 * - bulk sec descriptor
1216 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1217 buflens[1] = msgsize;
1218 txtsize = buflens[0] + buflens[1];
1220 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1221 buflens[bufcnt] = sptlrpc_user_desc_size();
1222 txtsize += buflens[bufcnt];
1226 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1227 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1228 buflens[bufcnt] = bulk_sec_desc_size(conf->sfc_bulk_csum, 1,
1230 txtsize += buflens[bufcnt];
1234 buflens[bufcnt++] = req->rq_ctx_init ? GSS_CTX_INIT_MAX_LEN :
1235 gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1237 bufsize = lustre_msg_size_v2(bufcnt, buflens);
1239 if (!req->rq_reqbuf) {
1240 OBD_ALLOC(req->rq_reqbuf, bufsize);
1241 if (!req->rq_reqbuf)
1244 req->rq_reqbuf_len = bufsize;
1246 LASSERT(req->rq_pool);
1247 LASSERT(req->rq_reqbuf_len >= bufsize);
1248 memset(req->rq_reqbuf, 0, bufsize);
1251 lustre_init_msg_v2(req->rq_reqbuf, bufcnt, buflens, NULL);
1252 req->rq_reqbuf->lm_secflvr = req->rq_sec_flavor;
1254 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, msgsize);
1255 LASSERT(req->rq_reqmsg);
1257 /* pack user desc here, later we might leave current user's process */
1258 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor))
1259 sptlrpc_pack_user_desc(req->rq_reqbuf, 2);
1265 int gss_alloc_reqbuf_priv(struct ptlrpc_sec *sec,
1266 struct ptlrpc_request *req,
1269 struct sec_flavor_config *conf;
1270 int ibuflens[3], ibufcnt;
1272 int clearsize, wiresize;
1275 LASSERT(req->rq_clrbuf == NULL);
1276 LASSERT(req->rq_clrbuf_len == 0);
1278 /* Inner (clear) buffers
1284 ibuflens[0] = msgsize;
1286 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor))
1287 ibuflens[ibufcnt++] = sptlrpc_user_desc_size();
1288 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1289 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1290 ibuflens[ibufcnt++] = bulk_sec_desc_size(conf->sfc_bulk_csum, 1,
1293 clearsize = lustre_msg_size_v2(ibufcnt, ibuflens);
1294 /* to allow append padding during encryption */
1295 clearsize += GSS_MAX_CIPHER_BLOCK;
1297 /* Wrapper (wire) buffers
1299 * - signature of gss header
1302 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1303 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1304 buflens[2] = gss_cli_payload(req->rq_cli_ctx, clearsize, 1);
1305 wiresize = lustre_msg_size_v2(3, buflens);
1308 /* rq_reqbuf is preallocated */
1309 LASSERT(req->rq_reqbuf);
1310 LASSERT(req->rq_reqbuf_len >= wiresize);
1312 memset(req->rq_reqbuf, 0, req->rq_reqbuf_len);
1314 /* if the pre-allocated buffer is big enough, we just pack
1315 * both clear buf & request buf in it, to avoid more alloc.
1317 if (clearsize + wiresize <= req->rq_reqbuf_len) {
1319 (void *) (((char *) req->rq_reqbuf) + wiresize);
1321 CWARN("pre-allocated buf size %d is not enough for "
1322 "both clear (%d) and cipher (%d) text, proceed "
1323 "with extra allocation\n", req->rq_reqbuf_len,
1324 clearsize, wiresize);
1328 if (!req->rq_clrbuf) {
1329 OBD_ALLOC(req->rq_clrbuf, clearsize);
1330 if (!req->rq_clrbuf)
1333 req->rq_clrbuf_len = clearsize;
1335 lustre_init_msg_v2(req->rq_clrbuf, ibufcnt, ibuflens, NULL);
1336 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, msgsize);
1338 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor))
1339 sptlrpc_pack_user_desc(req->rq_clrbuf, 1);
1345 int gss_alloc_reqbuf(struct ptlrpc_sec *sec,
1346 struct ptlrpc_request *req,
1349 LASSERT(!SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor) ||
1350 (req->rq_bulk_read || req->rq_bulk_write));
1352 switch (SEC_FLAVOR_SVC(req->rq_sec_flavor)) {
1353 case SPTLRPC_SVC_NONE:
1354 case SPTLRPC_SVC_AUTH:
1355 return gss_alloc_reqbuf_auth(sec, req, msgsize);
1356 case SPTLRPC_SVC_PRIV:
1357 return gss_alloc_reqbuf_priv(sec, req, msgsize);
1365 void gss_free_reqbuf(struct ptlrpc_sec *sec,
1366 struct ptlrpc_request *req)
1371 LASSERT(!req->rq_pool || req->rq_reqbuf);
1372 privacy = SEC_FLAVOR_SVC(req->rq_sec_flavor) == SPTLRPC_SVC_PRIV;
1374 if (!req->rq_clrbuf)
1375 goto release_reqbuf;
1377 /* release clear buf*/
1379 LASSERT(req->rq_clrbuf_len);
1382 req->rq_clrbuf >= req->rq_reqbuf &&
1383 (char *) req->rq_clrbuf <
1384 (char *) req->rq_reqbuf + req->rq_reqbuf_len)
1385 goto release_reqbuf;
1387 OBD_FREE(req->rq_clrbuf, req->rq_clrbuf_len);
1388 req->rq_clrbuf = NULL;
1389 req->rq_clrbuf_len = 0;
1392 if (!req->rq_pool && req->rq_reqbuf) {
1393 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
1394 req->rq_reqbuf = NULL;
1395 req->rq_reqbuf_len = 0;
1402 int gss_alloc_repbuf(struct ptlrpc_sec *sec,
1403 struct ptlrpc_request *req,
1406 struct sec_flavor_config *conf;
1407 int privacy = (SEC_FLAVOR_SVC(req->rq_sec_flavor) == SPTLRPC_SVC_PRIV);
1408 int bufsize, txtsize;
1409 int buflens[4], bufcnt;
1412 LASSERT(!SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor) ||
1413 (req->rq_bulk_read || req->rq_bulk_write));
1417 buflens[0] = msgsize;
1418 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1419 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1420 buflens[bufcnt++] = bulk_sec_desc_size(
1421 conf->sfc_bulk_csum, 0,
1424 txtsize = lustre_msg_size_v2(bufcnt, buflens);
1425 txtsize += GSS_MAX_CIPHER_BLOCK;
1428 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1429 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1430 buflens[2] = gss_cli_payload(req->rq_cli_ctx, txtsize, 1);
1433 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1434 buflens[1] = msgsize;
1435 txtsize = buflens[0] + buflens[1];
1437 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1438 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1439 buflens[bufcnt] = bulk_sec_desc_size(
1440 conf->sfc_bulk_csum, 0,
1442 txtsize += buflens[bufcnt];
1445 buflens[bufcnt++] = req->rq_ctx_init ? GSS_CTX_INIT_MAX_LEN :
1446 gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1449 bufsize = lustre_msg_size_v2(bufcnt, buflens);
1451 OBD_ALLOC(req->rq_repbuf, bufsize);
1452 if (!req->rq_repbuf)
1455 req->rq_repbuf_len = bufsize;
1460 void gss_free_repbuf(struct ptlrpc_sec *sec,
1461 struct ptlrpc_request *req)
1463 OBD_FREE(req->rq_repbuf, req->rq_repbuf_len);
1464 req->rq_repbuf = NULL;
1465 req->rq_repbuf_len = 0;
1469 int gss_sec_install_rctx(struct obd_import *imp,
1470 struct ptlrpc_sec *sec,
1471 struct ptlrpc_cli_ctx *ctx)
1473 struct gss_sec *gsec;
1474 struct gss_cli_ctx *gctx;
1477 gsec = container_of(sec, struct gss_sec, gs_base);
1478 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
1480 rc = gss_install_rvs_svc_ctx(imp, gsec, gctx);
1484 static struct ptlrpc_sec_cops gss_sec_cops = {
1485 .create_sec = gss_sec_create,
1486 .destroy_sec = gss_sec_destroy,
1487 .create_ctx = gss_sec_create_ctx,
1488 .destroy_ctx = gss_sec_destroy_ctx,
1489 .install_rctx = gss_sec_install_rctx,
1490 .alloc_reqbuf = gss_alloc_reqbuf,
1491 .free_reqbuf = gss_free_reqbuf,
1492 .alloc_repbuf = gss_alloc_repbuf,
1493 .free_repbuf = gss_free_repbuf,
1496 /********************************************
1498 ********************************************/
1501 int gss_svc_reqctx_is_special(struct gss_svc_reqctx *grctx)
1504 return (grctx->src_init || grctx->src_init_continue ||
1505 grctx->src_err_notify);
1509 void gss_svc_reqctx_free(struct gss_svc_reqctx *grctx)
1512 gss_svc_upcall_put_ctx(grctx->src_ctx);
1514 sptlrpc_policy_put(grctx->src_base.sc_policy);
1515 OBD_FREE_PTR(grctx);
1519 void gss_svc_reqctx_addref(struct gss_svc_reqctx *grctx)
1521 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1522 atomic_inc(&grctx->src_base.sc_refcount);
1526 void gss_svc_reqctx_decref(struct gss_svc_reqctx *grctx)
1528 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1530 if (atomic_dec_and_test(&grctx->src_base.sc_refcount))
1531 gss_svc_reqctx_free(grctx);
1535 int gss_svc_sign(struct ptlrpc_request *req,
1536 struct ptlrpc_reply_state *rs,
1537 struct gss_svc_reqctx *grctx)
1542 LASSERT(rs->rs_msg == lustre_msg_buf(rs->rs_repbuf, 1, 0));
1544 /* embedded lustre_msg might have been shrinked */
1545 if (req->rq_replen != rs->rs_repbuf->lm_buflens[1])
1546 lustre_shrink_msg(rs->rs_repbuf, 1, req->rq_replen, 1);
1548 rc = gss_sign_msg(rs->rs_repbuf, grctx->src_ctx->gsc_mechctx,
1549 PTLRPC_GSS_PROC_DATA, grctx->src_wirectx.gw_seq,
1554 rs->rs_repdata_len = rc;
1558 int gss_pack_err_notify(struct ptlrpc_request *req, __u32 major, __u32 minor)
1560 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1561 struct ptlrpc_reply_state *rs;
1562 struct gss_err_header *ghdr;
1563 int replen = sizeof(struct ptlrpc_body);
1567 //OBD_FAIL_RETURN(OBD_FAIL_SVCGSS_ERR_NOTIFY|OBD_FAIL_ONCE, -EINVAL);
1569 grctx->src_err_notify = 1;
1570 grctx->src_reserve_len = 0;
1572 rc = lustre_pack_reply_v2(req, 1, &replen, NULL);
1574 CERROR("could not pack reply, err %d\n", rc);
1579 rs = req->rq_reply_state;
1580 LASSERT(rs->rs_repbuf->lm_buflens[1] >= sizeof(*ghdr));
1581 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
1582 ghdr->gh_version = PTLRPC_GSS_VERSION;
1584 ghdr->gh_proc = PTLRPC_GSS_PROC_ERR;
1585 ghdr->gh_major = major;
1586 ghdr->gh_minor = minor;
1587 ghdr->gh_handle.len = 0; /* fake context handle */
1589 rs->rs_repdata_len = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
1590 rs->rs_repbuf->lm_buflens);
1592 CDEBUG(D_SEC, "prepare gss error notify(0x%x/0x%x) to %s\n",
1593 major, minor, libcfs_nid2str(req->rq_peer.nid));
1598 int gss_svc_handle_init(struct ptlrpc_request *req,
1599 struct gss_wire_ctx *gw)
1601 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1602 struct lustre_msg *reqbuf = req->rq_reqbuf;
1603 struct obd_uuid *uuid;
1604 struct obd_device *target;
1605 rawobj_t uuid_obj, rvs_hdl, in_token;
1607 __u32 *secdata, seclen;
1611 CDEBUG(D_SEC, "processing gss init(%d) request from %s\n", gw->gw_proc,
1612 libcfs_nid2str(req->rq_peer.nid));
1614 if (gw->gw_proc == PTLRPC_GSS_PROC_INIT && gw->gw_handle.len != 0) {
1615 CERROR("proc %u: invalid handle length %u\n",
1616 gw->gw_proc, gw->gw_handle.len);
1617 RETURN(SECSVC_DROP);
1620 if (reqbuf->lm_bufcount < 3 || reqbuf->lm_bufcount > 4){
1621 CERROR("Invalid bufcount %d\n", reqbuf->lm_bufcount);
1622 RETURN(SECSVC_DROP);
1625 /* ctx initiate payload is in last segment */
1626 secdata = lustre_msg_buf(reqbuf, reqbuf->lm_bufcount - 1, 0);
1627 seclen = reqbuf->lm_buflens[reqbuf->lm_bufcount - 1];
1629 if (seclen < 4 + 4) {
1630 CERROR("sec size %d too small\n", seclen);
1631 RETURN(SECSVC_DROP);
1634 /* lustre svc type */
1635 lustre_svc = le32_to_cpu(*secdata++);
1638 /* extract target uuid, note this code is somewhat fragile
1639 * because touched internal structure of obd_uuid
1641 if (rawobj_extract(&uuid_obj, &secdata, &seclen)) {
1642 CERROR("failed to extract target uuid\n");
1643 RETURN(SECSVC_DROP);
1645 uuid_obj.data[uuid_obj.len - 1] = '\0';
1647 uuid = (struct obd_uuid *) uuid_obj.data;
1648 target = class_uuid2obd(uuid);
1649 if (!target || target->obd_stopping || !target->obd_set_up) {
1650 CERROR("target '%s' is not available for context init (%s)",
1651 uuid->uuid, target == NULL ? "no target" :
1652 (target->obd_stopping ? "stopping" : "not set up"));
1653 RETURN(SECSVC_DROP);
1656 /* extract reverse handle */
1657 if (rawobj_extract(&rvs_hdl, &secdata, &seclen)) {
1658 CERROR("failed extract reverse handle\n");
1659 RETURN(SECSVC_DROP);
1663 if (rawobj_extract(&in_token, &secdata, &seclen)) {
1664 CERROR("can't extract token\n");
1665 RETURN(SECSVC_DROP);
1668 rc = gss_svc_upcall_handle_init(req, grctx, gw, target, lustre_svc,
1669 &rvs_hdl, &in_token);
1670 if (rc != SECSVC_OK)
1673 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1674 if (reqbuf->lm_bufcount < 4) {
1675 CERROR("missing user descriptor\n");
1676 RETURN(SECSVC_DROP);
1678 if (sptlrpc_unpack_user_desc(reqbuf, 2)) {
1679 CERROR("Mal-formed user descriptor\n");
1680 RETURN(SECSVC_DROP);
1682 req->rq_user_desc = lustre_msg_buf(reqbuf, 2, 0);
1685 req->rq_reqmsg = lustre_msg_buf(reqbuf, 1, 0);
1686 req->rq_reqlen = lustre_msg_buflen(reqbuf, 1);
1692 * last segment must be the gss signature.
1695 int gss_svc_verify_request(struct ptlrpc_request *req,
1696 struct gss_svc_ctx *gctx,
1697 struct gss_wire_ctx *gw,
1700 struct lustre_msg *msg = req->rq_reqbuf;
1704 *major = GSS_S_COMPLETE;
1706 if (msg->lm_bufcount < 3) {
1707 CERROR("Too few segments (%u) in request\n", msg->lm_bufcount);
1711 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
1712 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
1713 *major = GSS_S_DUPLICATE_TOKEN;
1717 *major = gss_verify_msg(msg, gctx->gsc_mechctx);
1718 if (*major != GSS_S_COMPLETE)
1721 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
1722 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
1723 *major = GSS_S_DUPLICATE_TOKEN;
1727 /* user descriptor */
1728 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1729 if (msg->lm_bufcount < (offset + 1 + 1)) {
1730 CERROR("no user desc included\n");
1734 if (sptlrpc_unpack_user_desc(msg, offset)) {
1735 CERROR("Mal-formed user descriptor\n");
1739 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
1743 /* check bulk cksum data */
1744 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1745 if (msg->lm_bufcount < (offset + 1 + 1)) {
1746 CERROR("no bulk checksum included\n");
1750 if (bulk_sec_desc_unpack(msg, offset))
1754 req->rq_reqmsg = lustre_msg_buf(msg, 1, 0);
1755 req->rq_reqlen = msg->lm_buflens[1];
1760 int gss_svc_unseal_request(struct ptlrpc_request *req,
1761 struct gss_svc_ctx *gctx,
1762 struct gss_wire_ctx *gw,
1765 struct lustre_msg *msg = req->rq_reqbuf;
1766 int msglen, offset = 1;
1769 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
1770 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
1771 *major = GSS_S_DUPLICATE_TOKEN;
1775 *major = gss_unseal_msg(gctx->gsc_mechctx, msg,
1776 &msglen, req->rq_reqdata_len);
1777 if (*major != GSS_S_COMPLETE)
1780 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
1781 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
1782 *major = GSS_S_DUPLICATE_TOKEN;
1786 if (lustre_unpack_msg(msg, msglen)) {
1787 CERROR("Failed to unpack after decryption\n");
1790 req->rq_reqdata_len = msglen;
1792 if (msg->lm_bufcount < 1) {
1793 CERROR("Invalid buffer: is empty\n");
1797 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1798 if (msg->lm_bufcount < offset + 1) {
1799 CERROR("no user descriptor included\n");
1803 if (sptlrpc_unpack_user_desc(msg, offset)) {
1804 CERROR("Mal-formed user descriptor\n");
1808 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
1812 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1813 if (msg->lm_bufcount < offset + 1) {
1814 CERROR("no bulk checksum included\n");
1818 if (bulk_sec_desc_unpack(msg, offset))
1822 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 0, 0);
1823 req->rq_reqlen = req->rq_reqbuf->lm_buflens[0];
1828 int gss_svc_handle_data(struct ptlrpc_request *req,
1829 struct gss_wire_ctx *gw)
1831 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1836 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
1837 if (!grctx->src_ctx) {
1838 major = GSS_S_NO_CONTEXT;
1842 switch (gw->gw_svc) {
1843 case PTLRPC_GSS_SVC_INTEGRITY:
1844 rc = gss_svc_verify_request(req, grctx->src_ctx, gw, &major);
1846 case PTLRPC_GSS_SVC_PRIVACY:
1847 rc = gss_svc_unseal_request(req, grctx->src_ctx, gw, &major);
1850 CERROR("unsupported gss service %d\n", gw->gw_svc);
1860 CERROR("svc %u failed: major 0x%08x: ctx %p(%u->%s)\n",
1861 gw->gw_svc, major, grctx->src_ctx, grctx->src_ctx->gsc_uid,
1862 libcfs_nid2str(req->rq_peer.nid));
1864 * we only notify client in case of NO_CONTEXT/BAD_SIG, which
1865 * might happen after server reboot, to allow recovery.
1867 if ((major == GSS_S_NO_CONTEXT || major == GSS_S_BAD_SIG) &&
1868 gss_pack_err_notify(req, major, 0) == 0)
1869 RETURN(SECSVC_COMPLETE);
1871 RETURN(SECSVC_DROP);
1875 int gss_svc_handle_destroy(struct ptlrpc_request *req,
1876 struct gss_wire_ctx *gw)
1878 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1879 int replen = sizeof(struct ptlrpc_body);
1883 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
1884 if (!grctx->src_ctx) {
1885 CWARN("invalid gss context handle for destroy.\n");
1886 RETURN(SECSVC_DROP);
1889 if (gw->gw_svc != PTLRPC_GSS_SVC_INTEGRITY) {
1890 CERROR("svc %u is not supported in destroy.\n", gw->gw_svc);
1891 RETURN(SECSVC_DROP);
1894 if (gss_svc_verify_request(req, grctx->src_ctx, gw, &major))
1895 RETURN(SECSVC_DROP);
1897 if (lustre_pack_reply_v2(req, 1, &replen, NULL))
1898 RETURN(SECSVC_DROP);
1900 CWARN("gss svc destroy ctx %p(%u->%s)\n", grctx->src_ctx,
1901 grctx->src_ctx->gsc_uid, libcfs_nid2str(req->rq_peer.nid));
1903 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
1905 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1906 if (req->rq_reqbuf->lm_bufcount < 4) {
1907 CERROR("missing user descriptor, ignore it\n");
1910 if (sptlrpc_unpack_user_desc(req->rq_reqbuf, 2)) {
1911 CERROR("Mal-formed user descriptor, ignore it\n");
1914 req->rq_user_desc = lustre_msg_buf(req->rq_reqbuf, 2, 0);
1921 int gss_svc_accept(struct ptlrpc_request *req)
1923 struct gss_header *ghdr;
1924 struct gss_svc_reqctx *grctx;
1925 struct gss_wire_ctx *gw;
1929 LASSERT(req->rq_reqbuf);
1930 LASSERT(req->rq_svc_ctx == NULL);
1932 if (req->rq_reqbuf->lm_bufcount < 2) {
1933 CERROR("buf count only %d\n", req->rq_reqbuf->lm_bufcount);
1934 RETURN(SECSVC_DROP);
1937 ghdr = gss_swab_header(req->rq_reqbuf, 0);
1939 CERROR("can't decode gss header\n");
1940 RETURN(SECSVC_DROP);
1944 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
1945 CERROR("gss version %u, expect %u\n", ghdr->gh_version,
1946 PTLRPC_GSS_VERSION);
1947 RETURN(SECSVC_DROP);
1950 /* alloc grctx data */
1951 OBD_ALLOC_PTR(grctx);
1953 CERROR("fail to alloc svc reqctx\n");
1954 RETURN(SECSVC_DROP);
1956 grctx->src_base.sc_policy = sptlrpc_policy_get(&gss_policy);
1957 atomic_set(&grctx->src_base.sc_refcount, 1);
1958 req->rq_svc_ctx = &grctx->src_base;
1959 gw = &grctx->src_wirectx;
1961 /* save wire context */
1962 gw->gw_proc = ghdr->gh_proc;
1963 gw->gw_seq = ghdr->gh_seq;
1964 gw->gw_svc = ghdr->gh_svc;
1965 rawobj_from_netobj(&gw->gw_handle, &ghdr->gh_handle);
1967 /* keep original wire header which subject to checksum verification */
1968 if (lustre_msg_swabbed(req->rq_reqbuf))
1969 gss_header_swabber(ghdr);
1971 switch(ghdr->gh_proc) {
1972 case PTLRPC_GSS_PROC_INIT:
1973 case PTLRPC_GSS_PROC_CONTINUE_INIT:
1974 rc = gss_svc_handle_init(req, gw);
1976 case PTLRPC_GSS_PROC_DATA:
1977 rc = gss_svc_handle_data(req, gw);
1979 case PTLRPC_GSS_PROC_DESTROY:
1980 rc = gss_svc_handle_destroy(req, gw);
1983 CERROR("unknown proc %u\n", gw->gw_proc);
1990 LASSERT (grctx->src_ctx);
1992 req->rq_auth_gss = 1;
1993 req->rq_auth_remote = grctx->src_ctx->gsc_remote;
1994 req->rq_auth_usr_mdt = grctx->src_ctx->gsc_usr_mds;
1995 req->rq_auth_usr_root = grctx->src_ctx->gsc_usr_root;
1996 req->rq_auth_uid = grctx->src_ctx->gsc_uid;
1997 req->rq_auth_mapped_uid = grctx->src_ctx->gsc_mapped_uid;
1999 case SECSVC_COMPLETE:
2002 gss_svc_reqctx_free(grctx);
2003 req->rq_svc_ctx = NULL;
2011 int gss_svc_payload(struct gss_svc_reqctx *grctx, int msgsize, int privacy)
2013 if (gss_svc_reqctx_is_special(grctx))
2014 return grctx->src_reserve_len;
2016 return gss_estimate_payload(NULL, msgsize, privacy);
2020 int gss_svc_alloc_rs(struct ptlrpc_request *req, int msglen)
2022 struct gss_svc_reqctx *grctx;
2023 struct ptlrpc_reply_state *rs;
2024 struct ptlrpc_bulk_sec_desc *bsd;
2026 int ibuflens[2], ibufcnt = 0;
2027 int buflens[4], bufcnt;
2028 int txtsize, wmsg_size, rs_size;
2031 LASSERT(msglen % 8 == 0);
2033 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor) &&
2034 !req->rq_bulk_read && !req->rq_bulk_write) {
2035 CERROR("client request bulk sec on non-bulk rpc\n");
2039 grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2040 if (gss_svc_reqctx_is_special(grctx))
2043 privacy = (SEC_FLAVOR_SVC(req->rq_sec_flavor) ==
2049 ibuflens[0] = msglen;
2051 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
2052 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
2053 bsd = lustre_msg_buf(req->rq_reqbuf,
2054 req->rq_reqbuf->lm_bufcount - 1,
2057 ibuflens[ibufcnt++] = bulk_sec_desc_size(
2058 bsd->bsd_csum_alg, 0,
2062 txtsize = lustre_msg_size_v2(ibufcnt, ibuflens);
2063 txtsize += GSS_MAX_CIPHER_BLOCK;
2065 /* wrapper buffer */
2067 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2068 buflens[1] = gss_svc_payload(grctx, buflens[0], 0);
2069 buflens[2] = gss_svc_payload(grctx, txtsize, 1);
2072 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2073 buflens[1] = msglen;
2074 txtsize = buflens[0] + buflens[1];
2076 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
2077 LASSERT(req->rq_reqbuf->lm_bufcount >= 4);
2078 bsd = lustre_msg_buf(req->rq_reqbuf,
2079 req->rq_reqbuf->lm_bufcount - 2,
2082 buflens[bufcnt] = bulk_sec_desc_size(
2083 bsd->bsd_csum_alg, 0,
2085 txtsize += buflens[bufcnt];
2088 buflens[bufcnt++] = gss_svc_payload(grctx, txtsize, 0);
2091 wmsg_size = lustre_msg_size_v2(bufcnt, buflens);
2093 rs_size = sizeof(*rs) + wmsg_size;
2094 rs = req->rq_reply_state;
2098 LASSERT(rs->rs_size >= rs_size);
2100 OBD_ALLOC(rs, rs_size);
2104 rs->rs_size = rs_size;
2107 rs->rs_repbuf = (struct lustre_msg *) (rs + 1);
2108 rs->rs_repbuf_len = wmsg_size;
2111 lustre_init_msg_v2(rs->rs_repbuf, ibufcnt, ibuflens, NULL);
2112 rs->rs_msg = lustre_msg_buf(rs->rs_repbuf, 0, msglen);
2114 lustre_init_msg_v2(rs->rs_repbuf, bufcnt, buflens, NULL);
2115 rs->rs_repbuf->lm_secflvr = req->rq_sec_flavor;
2117 rs->rs_msg = (struct lustre_msg *)
2118 lustre_msg_buf(rs->rs_repbuf, 1, 0);
2121 gss_svc_reqctx_addref(grctx);
2122 rs->rs_svc_ctx = req->rq_svc_ctx;
2124 LASSERT(rs->rs_msg);
2125 req->rq_reply_state = rs;
2130 int gss_svc_seal(struct ptlrpc_request *req,
2131 struct ptlrpc_reply_state *rs,
2132 struct gss_svc_reqctx *grctx)
2134 struct gss_svc_ctx *gctx = grctx->src_ctx;
2135 rawobj_t msgobj, cipher_obj, micobj;
2136 struct gss_header *ghdr;
2138 int cipher_buflen, buflens[3];
2143 /* embedded lustre_msg might have been shrinked */
2144 if (req->rq_replen != rs->rs_repbuf->lm_buflens[0])
2145 lustre_shrink_msg(rs->rs_repbuf, 0, req->rq_replen, 1);
2147 /* clear data length */
2148 msglen = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
2149 rs->rs_repbuf->lm_buflens);
2152 msgobj.len = msglen;
2153 msgobj.data = (__u8 *) rs->rs_repbuf;
2155 /* allocate temporary cipher buffer */
2156 cipher_buflen = gss_estimate_payload(gctx->gsc_mechctx, msglen, 1);
2157 OBD_ALLOC(cipher_buf, cipher_buflen);
2161 cipher_obj.len = cipher_buflen;
2162 cipher_obj.data = cipher_buf;
2164 major = lgss_wrap(gctx->gsc_mechctx, &msgobj, rs->rs_repbuf_len,
2166 if (major != GSS_S_COMPLETE) {
2167 CERROR("priv: wrap message error: %08x\n", major);
2168 GOTO(out_free, rc = -EPERM);
2170 LASSERT(cipher_obj.len <= cipher_buflen);
2172 /* now the real wire data */
2173 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2174 buflens[1] = gss_estimate_payload(gctx->gsc_mechctx, buflens[0], 0);
2175 buflens[2] = cipher_obj.len;
2177 LASSERT(lustre_msg_size_v2(3, buflens) <= rs->rs_repbuf_len);
2178 lustre_init_msg_v2(rs->rs_repbuf, 3, buflens, NULL);
2179 rs->rs_repbuf->lm_secflvr = req->rq_sec_flavor;
2182 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
2183 ghdr->gh_version = PTLRPC_GSS_VERSION;
2185 ghdr->gh_proc = PTLRPC_GSS_PROC_DATA;
2186 ghdr->gh_seq = grctx->src_wirectx.gw_seq;
2187 ghdr->gh_svc = PTLRPC_GSS_SVC_PRIVACY;
2188 ghdr->gh_handle.len = 0;
2190 /* header signature */
2191 msgobj.len = rs->rs_repbuf->lm_buflens[0];
2192 msgobj.data = lustre_msg_buf(rs->rs_repbuf, 0, 0);
2193 micobj.len = rs->rs_repbuf->lm_buflens[1];
2194 micobj.data = lustre_msg_buf(rs->rs_repbuf, 1, 0);
2196 major = lgss_get_mic(gctx->gsc_mechctx, 1, &msgobj, &micobj);
2197 if (major != GSS_S_COMPLETE) {
2198 CERROR("priv: sign message error: %08x\n", major);
2199 GOTO(out_free, rc = -EPERM);
2201 lustre_shrink_msg(rs->rs_repbuf, 1, micobj.len, 0);
2204 memcpy(lustre_msg_buf(rs->rs_repbuf, 2, 0),
2205 cipher_obj.data, cipher_obj.len);
2207 rs->rs_repdata_len = lustre_shrink_msg(rs->rs_repbuf, 2,
2210 /* to catch upper layer's further access */
2212 req->rq_repmsg = NULL;
2217 OBD_FREE(cipher_buf, cipher_buflen);
2221 int gss_svc_authorize(struct ptlrpc_request *req)
2223 struct ptlrpc_reply_state *rs = req->rq_reply_state;
2224 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2225 struct gss_wire_ctx *gw;
2229 if (gss_svc_reqctx_is_special(grctx))
2232 gw = &grctx->src_wirectx;
2233 if (gw->gw_proc != PTLRPC_GSS_PROC_DATA &&
2234 gw->gw_proc != PTLRPC_GSS_PROC_DESTROY) {
2235 CERROR("proc %d not support\n", gw->gw_proc);
2239 LASSERT(grctx->src_ctx);
2241 switch (gw->gw_svc) {
2242 case PTLRPC_GSS_SVC_INTEGRITY:
2243 rc = gss_svc_sign(req, rs, grctx);
2245 case PTLRPC_GSS_SVC_PRIVACY:
2246 rc = gss_svc_seal(req, rs, grctx);
2249 CERROR("Unknown service %d\n", gw->gw_svc);
2250 GOTO(out, rc = -EINVAL);
2259 void gss_svc_free_rs(struct ptlrpc_reply_state *rs)
2261 struct gss_svc_reqctx *grctx;
2263 LASSERT(rs->rs_svc_ctx);
2264 grctx = container_of(rs->rs_svc_ctx, struct gss_svc_reqctx, src_base);
2266 gss_svc_reqctx_decref(grctx);
2267 rs->rs_svc_ctx = NULL;
2269 if (!rs->rs_prealloc)
2270 OBD_FREE(rs, rs->rs_size);
2274 void gss_svc_free_ctx(struct ptlrpc_svc_ctx *ctx)
2276 LASSERT(atomic_read(&ctx->sc_refcount) == 0);
2277 gss_svc_reqctx_free(gss_svc_ctx2reqctx(ctx));
2281 int gss_svc_install_rctx(struct obd_import *imp, struct ptlrpc_svc_ctx *ctx)
2283 struct gss_sec *gsec;
2285 LASSERT(imp->imp_sec);
2288 gsec = container_of(imp->imp_sec, struct gss_sec, gs_base);
2289 return gss_install_rvs_cli_ctx(gsec, ctx);
2292 static struct ptlrpc_sec_sops gss_sec_sops = {
2293 .accept = gss_svc_accept,
2294 .alloc_rs = gss_svc_alloc_rs,
2295 .authorize = gss_svc_authorize,
2296 .free_rs = gss_svc_free_rs,
2297 .free_ctx = gss_svc_free_ctx,
2298 .unwrap_bulk = gss_svc_unwrap_bulk,
2299 .wrap_bulk = gss_svc_wrap_bulk,
2300 .install_rctx = gss_svc_install_rctx,
2303 static struct ptlrpc_sec_policy gss_policy = {
2304 .sp_owner = THIS_MODULE,
2305 .sp_name = "sec.gss",
2306 .sp_policy = SPTLRPC_POLICY_GSS,
2307 .sp_cops = &gss_sec_cops,
2308 .sp_sops = &gss_sec_sops,
2311 int __init sptlrpc_gss_init(void)
2315 rc = sptlrpc_register_policy(&gss_policy);
2319 rc = gss_init_lproc();
2323 rc = gss_init_upcall();
2327 rc = init_kerberos_module();
2337 sptlrpc_unregister_policy(&gss_policy);
2341 static void __exit sptlrpc_gss_exit(void)
2343 cleanup_kerberos_module();
2346 sptlrpc_unregister_policy(&gss_policy);
2349 MODULE_AUTHOR("Cluster File Systems, Inc. <info@clusterfs.com>");
2350 MODULE_DESCRIPTION("GSS security policy for Lustre");
2351 MODULE_LICENSE("GPL");
2353 module_init(sptlrpc_gss_init);
2354 module_exit(sptlrpc_gss_exit);