From bbee5d1ae941a208d7a07d0348e835ab58ca90ce Mon Sep 17 00:00:00 2001 From: Andreas Dilger Date: Thu, 29 Sep 2016 00:34:24 -0600 Subject: [PATCH] LU-3289 gss: don't build SSK if libssl-1.0+ not available The SSK functionality depends on libssl 1.0 or newer to have the proper HMAC support. If that is not available (e.g. SLES11) then don't try to build this feature at all. Rename the configure check to be OPENSSL_SSK since this is used in several places, and is more clear than HAVE_INT_OPENSSL_HMAC_FUNCS. Signed-off-by: Andreas Dilger Change-Id: I3b15f819bba421539664e629a4017599e23ebbe5 Reviewed-on: http://review.whamcloud.com/22806 Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Minh Diep Reviewed-by: Oleg Drokin --- lustre/autoconf/lustre-core.m4 | 21 ++++++++++++++------- lustre/ptlrpc/gss/Makefile.in | 3 ++- lustre/ptlrpc/gss/gss_internal.h | 5 +++++ lustre/utils/Makefile.am | 5 ++++- lustre/utils/gss/Makefile.am | 17 ++++++++++++----- lustre/utils/gss/lgss_keyring.c | 2 ++ lustre/utils/gss/lgss_krb5_utils.h | 2 +- lustre/utils/gss/lgss_utils.c | 4 ++++ lustre/utils/gss/sk_utils.c | 7 ------- lustre/utils/gss/svcgssd.c | 7 +++++++ lustre/utils/gss/svcgssd_proc.c | 9 +++++++++ lustre/utils/mount_lustre.c | 2 +- lustre/utils/mount_utils.c | 4 +++- lustre/utils/mount_utils.h | 7 +++++++ 14 files changed, 71 insertions(+), 24 deletions(-) diff --git a/lustre/autoconf/lustre-core.m4 b/lustre/autoconf/lustre-core.m4 index 3772621..0578325 100644 --- a/lustre/autoconf/lustre-core.m4 +++ b/lustre/autoconf/lustre-core.m4 
@@ -341,13 +341,17 @@ AS_IF([test "x$enable_gss" != xno], [ ], [ enable_gss="no" ]) + + enable_ssk=$enable_gss ]) ]) # LC_CONFIG_GSS -# LC_HAVE_VOID_OPENSSL_HMAC_FUNCS +# LC_OPENSSL_SSK # -# OpenSSL 1.0+ return int for HMAC functions but previous versions do not -AC_DEFUN([LC_HAVE_VOID_OPENSSL_HMAC_FUNCS], [ +# OpenSSL 1.0+ return int for HMAC functions but older SLES11 versions do not +AC_DEFUN([LC_OPENSSL_SSK], [ +AC_MSG_CHECKING([whether OpenSSL has functions needed for SSK]) +AS_IF([test "x$enable_ssk" != xno], [ AC_COMPILE_IFELSE([AC_LANG_SOURCE([ #include #include @@ -358,10 +362,12 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([ HMAC_CTX_init(&ctx); rc = HMAC_Init_ex(&ctx, "test", 4, EVP_md_null(), NULL); } -])],[],[AC_DEFINE(HAVE_VOID_OPENSSL_HMAC_FUNCS, 1, - [OpenSSL HMAC functions return void instead of int]) +])],[AC_DEFINE(HAVE_OPENSSL_SSK, 1, + [OpenSSL HMAC functions needed for SSK])], + [enable_ssk="no"]) ]) -]) # LC_HAVE_VOID_OPENSSL_HMAC_FUNCS +AC_MSG_RESULT([$enable_ssk]) +]) # LC_OPENSSL_SSK # LC_INODE_PERMISION_2ARGS # @@ -2234,7 +2240,7 @@ AC_DEFUN([LC_PROG_LINUX], [ LC_GLIBC_SUPPORT_FHANDLES LC_CONFIG_GSS - LC_HAVE_VOID_OPENSSL_HMAC_FUNCS + LC_OPENSSL_SSK # 2.6.32 LC_BLK_QUEUE_MAX_SEGMENTS @@ -2694,6 +2700,7 @@ AM_CONDITIONAL(EXT2FS_DEVEL, test x$ac_cv_header_ext2fs_ext2fs_h = xyes) AM_CONDITIONAL(GSS, test x$enable_gss = xyes) AM_CONDITIONAL(GSS_KEYRING, test x$enable_gss_keyring = xyes) AM_CONDITIONAL(GSS_PIPEFS, test x$enable_gss_pipefs = xyes) +AM_CONDITIONAL(GSS_SSK, test x$enable_ssk = xyes) AM_CONDITIONAL(LIBPTHREAD, test x$enable_libpthread = xyes) AM_CONDITIONAL(LLITE_LLOOP, test x$enable_llite_lloop_module = xyes) ]) # LC_CONDITIONALS diff --git a/lustre/ptlrpc/gss/Makefile.in b/lustre/ptlrpc/gss/Makefile.in index bcc076c..578cc09 100644 --- a/lustre/ptlrpc/gss/Makefile.in +++ b/lustre/ptlrpc/gss/Makefile.in 
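Review bot: `enable_ssk` appears to be assigned only inside the `AS_IF([test "x$enable_gss" != xno]` body of LC_CONFIG_GSS, so with GSS disabled it is empty and the new guard `test "x$enable_ssk" != xno` in LC_OPENSSL_SSK still runs the probe. If the probe then succeeds, HAVE_OPENSSL_SSK is defined while `AM_CONDITIONAL(GSS_SSK, test x$enable_ssk = xyes)` is false, so the C guards and the Makefile conditionals can disagree, and `AC_MSG_RESULT([$enable_ssk])` prints an empty value. I would test for the positive case, `AS_IF([test "x$enable_ssk" = xyes], [`, and set `enable_ssk="no"` in an else branch. A failed probe also switches SSK off with nothing but the "no" result line, so a build expected to carry shared-key protection can come out without it; an `AC_MSG_WARN` in the failure branch would make that downgrade visible.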
@@ -3,8 +3,9 @@ MODULES := ptlrpc_gss ptlrpc_gss-objs := sec_gss.o gss_bulk.o gss_cli_upcall.o gss_svc_upcall.o \ gss_rawobj.o lproc_gss.o \ gss_generic_token.o gss_mech_switch.o gss_krb5_mech.o \ - gss_null_mech.o gss_sk_mech.o gss_crypto.o + gss_null_mech.o gss_crypto.o +@GSS_SSK_TRUE@ptlrpc_gss-objs += gss_sk_mech.o @GSS_KEYRING_TRUE@ptlrpc_gss-objs += gss_keyring.o @GSS_PIPEFS_TRUE@ptlrpc_gss-objs += gss_pipefs.o diff --git a/lustre/ptlrpc/gss/gss_internal.h b/lustre/ptlrpc/gss/gss_internal.h index 02a00b7..c1e9fea 100644 --- a/lustre/ptlrpc/gss/gss_internal.h +++ b/lustre/ptlrpc/gss/gss_internal.h @@ -520,8 +520,13 @@ int __init init_kerberos_module(void); void cleanup_kerberos_module(void); /* gss_sk_mech.c */ +#ifdef HAVE_OPENSSL_SSK int __init init_sk_module(void); void cleanup_sk_module(void); +#else +static inline int init_sk_module(void) { return 0; } +static inline void cleanup_sk_module(void) { return; } +#endif /* HAVE_OPENSSL_SSK */ /* debug */ static inline diff --git a/lustre/utils/Makefile.am b/lustre/utils/Makefile.am index bf03079..3db356a 100644 --- a/lustre/utils/Makefile.am +++ b/lustre/utils/Makefile.am @@ -19,7 +19,10 @@ if UTILS if GSS SUBDIRS = gss -GSSSRC = gss/sk_utils.c gss/sk_utils.h gss/err_util.c gss/err_util.h +GSSSRC = gss/err_util.c gss/err_util.h +if GSS_SSK +GSSSRC += gss/sk_utils.c gss/sk_utils.h +endif GSSLIB = -lcrypto -lssl -lkeyutils -lm else GSSSRC = diff --git a/lustre/utils/gss/Makefile.am b/lustre/utils/gss/Makefile.am index 5807f0e..e89ce96 100644 --- a/lustre/utils/gss/Makefile.am +++ b/lustre/utils/gss/Makefile.am @@ -8,7 +8,10 @@ LIBCFS := $(top_builddir)/libcfs/libcfs/libcfs.a sbin_PROGRAMS = lsvcgssd l_idmap if GSS_KEYRING -sbin_PROGRAMS += lgss_keyring lgss_sk +sbin_PROGRAMS += lgss_keyring +if GSS_SSK +sbin_PROGRAMS += lgss_sk +endif endif if GSS_PIPEFS @@ -22,7 +25,6 @@ COMMON_SRCS = \ context_heimdal.c \ context_spkm3.c \ gss_util.c \ - sk_utils.c \ gss_oids.c \ err_util.c \ lsupport.c \ 
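Review bot: The `#else` stubs in gss_internal.h need a comment, because `init_sk_module()` returning 0 makes module initialisation report success although gss_sk_mech.o is not linked in and no sk mechanism can be registered. A line such as `/* built without SSK: no sk mechanism is registered */` above the stubs would tell the reader that the silent success is intended. The `return;` in `cleanup_sk_module` is redundant; `{ }` is enough.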
@@ -34,6 +36,10 @@ COMMON_SRCS = \ sk_utils.h \ lsupport.h +if GSS_SSK +COMMON_SRCS += sk_utils.c +endif + lgssd_SOURCES = \ $(COMMON_SRCS) \ gssd.c \ @@ -82,14 +88,11 @@ lgss_keyring_SOURCES = \ context_heimdal.c \ lgss_krb5_utils.c \ lgss_null_utils.c \ - lgss_sk_utils.c \ lgss_utils.c \ lsupport.c \ err_util.c \ - sk_utils.c \ lgss_krb5_utils.h \ lgss_utils.h \ - sk_utils.h \ err_util.h \ lsupport.h @@ -98,6 +101,9 @@ lgss_keyring_LDADD = $(LIBCFS) $(GSSAPI_LIBS) $(KRBLIBS) -lcrypto -lssl -lm -lke lgss_keyring_LDFLAGS = $(KRBLDFLAGS) lgss_keyring_DEPENDENCIES = $(LIBCFS) +if GSS_SSK +lgss_keyring_SOURCES += sk_utils.c sk_utils.h lgss_sk_utils.c + lgss_sk_SOURCES = \ lgss_sk.c \ err_util.c \ @@ -108,5 +114,6 @@ lgss_sk_CFLAGS = $(AM_CFLAGS) $(CFLAGS) $(KRBCFLAGS) lgss_sk_LDADD = $(LIBCFS) $(GSSAPI_LIBS) $(KRBLIBS) -lcrypto -lssl -lm -lkeyutils lgss_sk_LDFLAGS = $(KRBLDFLAGS) lgss_sk_DEPENDENCIES = $(LIBCFS) +endif EXTRA_DIST = diff --git a/lustre/utils/gss/lgss_keyring.c b/lustre/utils/gss/lgss_keyring.c index d5938ac..929a49f 100644 --- a/lustre/utils/gss/lgss_keyring.c +++ b/lustre/utils/gss/lgss_keyring.c @@ -422,10 +422,12 @@ static int lgssc_init_nego_data(struct lgss_nego_data *lnd, case LGSS_MECH_NULL: lnd->lnd_mech = (gss_OID)&nulloid; break; +#ifdef HAVE_OPENSSL_SSK case LGSS_MECH_SK: lnd->lnd_mech = (gss_OID)&skoid; lnd->lnd_req_flags = GSS_C_MUTUAL_FLAG; break; +#endif default: logmsg(LL_ERR, "invalid mech: %d\n", mech); lnd->lnd_rpc_err = -EACCES; diff --git a/lustre/utils/gss/lgss_krb5_utils.h b/lustre/utils/gss/lgss_krb5_utils.h index 284be91..b297937 100644 --- a/lustre/utils/gss/lgss_krb5_utils.h +++ b/lustre/utils/gss/lgss_krb5_utils.h @@ -18,8 +18,8 @@ #include "lgss_utils.h" extern struct lgss_mech_type lgss_mech_null; -extern struct lgss_mech_type lgss_mech_sk; extern struct lgss_mech_type lgss_mech_krb5; +extern struct lgss_mech_type lgss_mech_sk; /* * convenient macros, these perhaps need further cleanup 
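Review bot: `extern struct lgss_mech_type lgss_mech_sk;` in lgss_krb5_utils.h is only moved below the krb5 declaration and stays unguarded, although lgss_sk_utils.c is now added to `lgss_keyring_SOURCES` only under `if GSS_SSK`. On a build without SSK the symbol is declared but never defined, so any use outside an `#ifdef` compiles and fails only at link time. Wrapping the declaration in `#ifdef HAVE_OPENSSL_SSK` and `#endif /* HAVE_OPENSSL_SSK */` turns that into a compile error at the offending line. The declaration of `skoid`, whose definition this patch puts under the same guard in lgss_utils.c, is not in the patch and probably needs the same treatment.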
diff --git a/lustre/utils/gss/lgss_utils.c b/lustre/utils/gss/lgss_utils.c index 933ea6a..b87d5d6 100644 --- a/lustre/utils/gss/lgss_utils.c +++ b/lustre/utils/gss/lgss_utils.c @@ -237,10 +237,12 @@ gss_OID_desc nulloid = { .length = 12, .elements = "\053\006\001\004\001\311\146\215\126\001\000\000" }; +#ifdef HAVE_OPENSSL_SSK gss_OID_desc skoid = { .length = 12, .elements = "\053\006\001\004\001\311\146\215\126\001\000\001" }; +#endif /**************************************** * log facilities * @@ -342,8 +344,10 @@ struct lgss_mech_type *lgss_name2mech(const char *mech_name) return &lgss_mech_krb5; if (strcmp(mech_name, "gssnull") == 0) return &lgss_mech_null; +#ifdef HAVE_OPENSSL_SSK if (strcmp(mech_name, "sk") == 0) return &lgss_mech_sk; +#endif return NULL; } diff --git a/lustre/utils/gss/sk_utils.c b/lustre/utils/gss/sk_utils.c index 2dc453e..f13eebd 100644 --- a/lustre/utils/gss/sk_utils.c +++ b/lustre/utils/gss/sk_utils.c @@ -909,12 +909,6 @@ int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs, goto out; } -#ifdef HAVE_VOID_OPENSSL_HMAC_FUNCS - HMAC_Init_ex(&hctx, key->value, key->length, hash_alg, NULL); - for (i = 0; i < numbufs; i++) - HMAC_Update(&hctx, bufs[i].value, bufs[i].length); - HMAC_Final(&hctx, hmac->value, &hashlen); -#else if (HMAC_Init_ex(&hctx, key->value, key->length, hash_alg, NULL) != 1) { printerr(0, "Failed to init HMAC\n"); goto out; @@ -932,7 +926,6 @@ int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs, printerr(0, "Failed to finalize HMAC\n"); goto out; } -#endif if (hmac->length != hashlen) { printerr(0, "HMAC size does not match expected\n"); diff --git a/lustre/utils/gss/svcgssd.c b/lustre/utils/gss/svcgssd.c index 77cb6bc..85d1bd7 100644 --- a/lustre/utils/gss/svcgssd.c +++ b/lustre/utils/gss/svcgssd.c 
@@ -191,7 +191,9 @@ usage(FILE *fp, char *progname) fprintf(stderr, "-o - Service OSS\n"); fprintf(stderr, "-g - Service MGS\n"); fprintf(stderr, "-k - Enable kerberos support\n"); +#ifdef HAVE_OPENSSL_SSK fprintf(stderr, "-s - Enable shared key support\n"); +#endif fprintf(stderr, "-z - Enable gssnull support\n"); exit(1); @@ -237,7 +239,12 @@ main(int argc, char *argv[]) usage(stdout, argv[0]); break; case 's': +#ifdef HAVE_OPENSSL_SSK sk_enabled = 1; +#else + printerr(0, "ERROR: Request for sk but service " + "support not enabled\n"); +#endif break; case 'z': null_enabled = 1; diff --git a/lustre/utils/gss/svcgssd_proc.c b/lustre/utils/gss/svcgssd_proc.c index d2b71ee..4b249c3 100644 --- a/lustre/utils/gss/svcgssd_proc.c +++ b/lustre/utils/gss/svcgssd_proc.c @@ -359,6 +359,7 @@ typedef struct gss_union_ctx_id_t { int handle_sk(struct svc_nego_data *snd) { +#ifdef HAVE_OPENSSL_SSK struct sk_cred *skc = NULL; struct svc_cred cred; gss_buffer_desc bufs[7]; @@ -512,6 +513,9 @@ out_err: if (skc) sk_free_cred(skc); printerr(3, "sk returning failure\n"); +#else /* !HAVE_OPENSSL_SSK */ + printerr(0, "ERROR: shared key subflavour is not enabled\n"); +#endif /* HAVE_OPENSSL_SSK */ return -1; } @@ -705,12 +709,17 @@ int handle_channel_request(FILE *f) snd.mech = &nulloid; break; case LGSS_MECH_SK: +#ifdef HAVE_OPENSSL_SSK if (!sk_enabled) { printerr(1, "WARNING: Request for sk but service " "support not enabled\n"); goto ignore; } snd.mech = &skoid; +#else + printerr(1, "ERROR: Request for sk but service " + "support not enabled\n"); +#endif break; default: printerr(0, "WARNING: invalid mechanism recevied: %d\n", diff --git a/lustre/utils/mount_lustre.c b/lustre/utils/mount_lustre.c index 7ed9fff..adda653 100644 --- a/lustre/utils/mount_lustre.c +++ b/lustre/utils/mount_lustre.c @@ -741,7 +741,7 @@ int main(int argc, char *const argv[]) return rc; } } -#endif +#endif /* HAVE_GSS */ if (!mop.mo_fake) { /* flags and target get to lustre_get_sb(), but not 
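Review bot: In main() of svcgssd.c, the new `#else` arm of `case 's':` logs an error and then carries on, so a daemon started with `-s` on a build without SSK keeps running without shared-key support instead of refusing to start. For an option that selects a security mechanism I would stop there, for example `usage(stderr, argv[0]);` after the printerr, since usage() already ends in `exit(1)`. The message reuses the runtime wording "Request for sk but service support not enabled"; text saying the binary was built without shared key support would describe this case. main() continues outside the hunk.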
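Review bot: In handle_channel_request(), the `#else` arm of `case LGSS_MECH_SK:` prints the error and reaches `break` without `goto ignore;` and without assigning `snd.mech`, unlike the `!sk_enabled` path directly above it. The request is then processed further with whatever `snd.mech` held before the switch; the code after the switch is outside the hunk, so it is not visible whether it ends in handle_sk(), which now returns -1 on such builds, or in another handler. Adding `goto ignore;` after the printerr makes both build variants drop an unsupported sk request the same way.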
diff --git a/lustre/utils/mount_utils.c b/lustre/utils/mount_utils.c index 3de6f2a..356f559 100644 --- a/lustre/utils/mount_utils.c +++ b/lustre/utils/mount_utils.c @@ -880,6 +880,7 @@ int file_create(char *path, __u64 size) } #ifdef HAVE_GSS +#ifdef HAVE_OPENSSL_SSK int load_shared_keys(struct mount_opts *mop) { DIR *dir; @@ -963,4 +964,5 @@ int load_shared_keys(struct mount_opts *mop) return rc; } -#endif +#endif /* HAVE_OPENSSL_SSK */ +#endif /* HAVE_GSS */ diff --git a/lustre/utils/mount_utils.h b/lustre/utils/mount_utils.h index bcacce4..ea7ba53 100644 --- a/lustre/utils/mount_utils.h +++ b/lustre/utils/mount_utils.h @@ -184,5 +184,12 @@ struct module_backfs_ops { struct module_backfs_ops *load_backfs_module(enum ldd_mount_type mount_type); void unload_backfs_ops(struct module_backfs_ops *ops); +#ifdef HAVE_OPENSSL_SSK int load_shared_keys(struct mount_opts *mop); +#else +static inline int load_shared_keys(struct mount_opts *mop) +{ + return EOPNOTSUPP; +} +#endif #endif -- 1.8.3.1
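Review bot: The stub `load_shared_keys()` added to mount_utils.h returns a positive `EOPNOTSUPP`, and the patch does not show which sign the real function uses (only `return rc;` is visible), so callers that test or print the code may behave differently between the two builds; please confirm and document the convention on the stub. The guards also differ: the definition in mount_utils.c sits under both `HAVE_GSS` and `HAVE_OPENSSL_SSK`, the prototype under `HAVE_OPENSSL_SSK` alone, which leaves a prototype without a definition if SSK is ever defined without GSS. The closing line of the new block should carry its tag like the others in this commit, `#endif /* HAVE_OPENSSL_SSK */`.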