2 * Modified from NFSv4 project for Lustre
4 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
6 * Author: Eric Mei <ericm@clusterfs.com>
9 #ifndef __PTLRPC_GSS_GSS_INTERNAL_H_
10 #define __PTLRPC_GSS_GSS_INTERNAL_H_
12 #include <lustre_sec.h>
17 typedef struct netobj_s {
22 #define NETOBJ_EMPTY ((netobj_t) { 0 })
24 typedef struct rawobj_s {
29 #define RAWOBJ_EMPTY ((rawobj_t) { 0, NULL })
31 typedef struct rawobj_buf_s {
38 int rawobj_empty(rawobj_t *obj);
39 int rawobj_alloc(rawobj_t *obj, char *buf, int len);
40 void rawobj_free(rawobj_t *obj);
41 int rawobj_equal(rawobj_t *a, rawobj_t *b);
42 int rawobj_dup(rawobj_t *dest, rawobj_t *src);
43 int rawobj_serialize(rawobj_t *obj, __u32 **buf, __u32 *buflen);
44 int rawobj_extract(rawobj_t *obj, __u32 **buf, __u32 *buflen);
45 int rawobj_extract_alloc(rawobj_t *obj, __u32 **buf, __u32 *buflen);
46 int rawobj_extract_local(rawobj_t *obj, __u32 **buf, __u32 *buflen);
47 int rawobj_extract_local_alloc(rawobj_t *obj, __u32 **buf, __u32 *buflen);
48 int rawobj_from_netobj(rawobj_t *rawobj, netobj_t *netobj);
49 int rawobj_from_netobj_alloc(rawobj_t *obj, netobj_t *netobj);
51 int buffer_extract_bytes(const void **buf, __u32 *buflen,
52 void *res, __u32 reslen);
55 * several timeout values. client refresh upcall timeout we using
56 * default in pipefs implemnetation.
58 #define __TIMEOUT_DELTA (10)
60 #define GSS_SECINIT_RPC_TIMEOUT \
61 (obd_timeout < __TIMEOUT_DELTA ? \
62 __TIMEOUT_DELTA : obd_timeout - __TIMEOUT_DELTA)
64 #define GSS_SECFINI_RPC_TIMEOUT (__TIMEOUT_DELTA)
65 #define GSS_SECSVC_UPCALL_TIMEOUT (GSS_SECINIT_RPC_TIMEOUT)
70 #define GSS_GC_INTERVAL (60 * 60) /* 60 minutes */
73 unsigned long gss_round_ctx_expiry(unsigned long expiry,
74 unsigned long sec_flags)
76 if (sec_flags & PTLRPC_SEC_FL_REVERSE)
79 if (get_seconds() + __TIMEOUT_DELTA <= expiry)
80 return expiry - __TIMEOUT_DELTA;
86 * Max encryption element in block cipher algorithms.
88 #define GSS_MAX_CIPHER_BLOCK (16)
91 * XXX make it visible of kernel and lgssd/lsvcgssd
93 #define GSSD_INTERFACE_VERSION (1)
95 #define PTLRPC_GSS_VERSION (1)
98 enum ptlrpc_gss_proc {
99 PTLRPC_GSS_PROC_DATA = 0,
100 PTLRPC_GSS_PROC_INIT = 1,
101 PTLRPC_GSS_PROC_CONTINUE_INIT = 2,
102 PTLRPC_GSS_PROC_DESTROY = 3,
103 PTLRPC_GSS_PROC_ERR = 4,
106 enum ptlrpc_gss_tgt {
107 LUSTRE_GSS_TGT_MGS = 0,
108 LUSTRE_GSS_TGT_MDS = 1,
109 LUSTRE_GSS_TGT_OSS = 2,
112 enum ptlrpc_gss_header_flags {
113 LUSTRE_GSS_PACK_BULK = 1,
114 LUSTRE_GSS_PACK_USER = 2,
118 __u32 import_to_gss_svc(struct obd_import *imp)
120 const char *name = imp->imp_obd->obd_type->typ_name;
122 if (!strcmp(name, LUSTRE_MGC_NAME))
123 return LUSTRE_GSS_TGT_MGS;
124 if (!strcmp(name, LUSTRE_MDC_NAME))
125 return LUSTRE_GSS_TGT_MDS;
126 if (!strcmp(name, LUSTRE_OSC_NAME))
127 return LUSTRE_GSS_TGT_OSS;
133 * following 3 header must have the same size and offset
136 __u8 gh_version; /* gss version */
137 __u8 gh_sp; /* sec part */
139 __u32 gh_flags; /* wrap flags */
140 __u32 gh_proc; /* proc */
141 __u32 gh_seq; /* sequence */
142 __u32 gh_svc; /* service */
146 netobj_t gh_handle; /* context handle */
149 struct gss_rep_header {
163 struct gss_err_header {
178 * part of wire context information send from client which be saved and
179 * used later by server.
181 struct gss_wire_ctx {
189 #define PTLRPC_GSS_MAX_HANDLE_SIZE (8)
190 #define PTLRPC_GSS_HEADER_SIZE (sizeof(struct gss_header) + \
191 PTLRPC_GSS_MAX_HANDLE_SIZE)
194 static inline __u64 gss_handle_to_u64(rawobj_t *handle)
196 if (handle->len != PTLRPC_GSS_MAX_HANDLE_SIZE)
198 return *((__u64 *) handle->data);
201 #define GSS_SEQ_WIN (2048)
202 #define GSS_SEQ_WIN_MAIN GSS_SEQ_WIN
203 #define GSS_SEQ_WIN_BACK (128)
204 #define GSS_SEQ_REPACK_THRESHOLD (GSS_SEQ_WIN_MAIN / 2 + \
205 GSS_SEQ_WIN_MAIN / 4)
207 struct gss_svc_seq_data {
210 * highest sequence number seen so far, for main and back window
215 * main and back window
216 * for i such that ssd_max - GSS_SEQ_WIN < i <= ssd_max, the i-th bit
217 * of ssd_win is nonzero iff sequence number i has been seen already.
219 unsigned long ssd_win_main[GSS_SEQ_WIN_MAIN/BITS_PER_LONG];
220 unsigned long ssd_win_back[GSS_SEQ_WIN_BACK/BITS_PER_LONG];
224 struct gss_ctx *gsc_mechctx;
225 struct gss_svc_seq_data gsc_seqdata;
226 rawobj_t gsc_rvs_hdl;
230 uid_t gsc_mapped_uid;
231 unsigned int gsc_usr_root:1,
238 struct gss_svc_reqctx {
239 struct ptlrpc_svc_ctx src_base;
243 struct gss_wire_ctx src_wirectx;
244 struct gss_svc_ctx *src_ctx;
246 * record place of bulk_sec_desc in request/reply buffer
248 struct ptlrpc_bulk_sec_desc *src_reqbsd;
250 struct ptlrpc_bulk_sec_desc *src_repbsd;
255 unsigned int src_init:1,
262 struct ptlrpc_cli_ctx gc_base;
268 struct gss_ctx *gc_mechctx;
269 /* handle for the buddy svc ctx */
270 rawobj_t gc_svc_handle;
273 struct gss_cli_ctx_keyring {
274 struct gss_cli_ctx gck_base;
276 struct timer_list *gck_timer;
280 struct ptlrpc_sec gs_base;
281 struct gss_api_mech *gs_mech;
286 struct gss_sec_pipefs {
287 struct gss_sec gsp_base;
288 int gsp_chash_size; /* must be 2^n */
289 cfs_hlist_head_t gsp_chash[0];
293 * FIXME cleanup the keyring upcall mutexes
295 #define HAVE_KEYRING_UPCALL_SERIALIZED 1
297 struct gss_sec_keyring {
298 struct gss_sec gsk_base;
300 * all contexts listed here. access is protected by sec spinlock.
302 cfs_hlist_head_t gsk_clist;
304 * specially point to root ctx (only one at a time). access is
305 * protected by sec spinlock.
307 struct ptlrpc_cli_ctx *gsk_root_ctx;
309 * specially serialize upcalls for root context.
311 struct mutex gsk_root_uc_lock;
313 #ifdef HAVE_KEYRING_UPCALL_SERIALIZED
314 struct mutex gsk_uc_lock; /* serialize upcalls */
318 static inline struct gss_cli_ctx *ctx2gctx(struct ptlrpc_cli_ctx *ctx)
320 return container_of(ctx, struct gss_cli_ctx, gc_base);
324 struct gss_cli_ctx_keyring *ctx2gctx_keyring(struct ptlrpc_cli_ctx *ctx)
326 return container_of(ctx2gctx(ctx),
327 struct gss_cli_ctx_keyring, gck_base);
330 static inline struct gss_sec *sec2gsec(struct ptlrpc_sec *sec)
332 return container_of(sec, struct gss_sec, gs_base);
335 static inline struct gss_sec_pipefs *sec2gsec_pipefs(struct ptlrpc_sec *sec)
337 return container_of(sec2gsec(sec), struct gss_sec_pipefs, gsp_base);
340 static inline struct gss_sec_keyring *sec2gsec_keyring(struct ptlrpc_sec *sec)
342 return container_of(sec2gsec(sec), struct gss_sec_keyring, gsk_base);
346 #define GSS_CTX_INIT_MAX_LEN (1024)
349 * This only guaranteed be enough for current krb5 des-cbc-crc . We might
350 * adjust this when new enc type or mech added in.
352 #define GSS_PRIVBUF_PREFIX_LEN (32)
353 #define GSS_PRIVBUF_SUFFIX_LEN (32)
356 struct gss_svc_reqctx *gss_svc_ctx2reqctx(struct ptlrpc_svc_ctx *ctx)
359 return container_of(ctx, struct gss_svc_reqctx, src_base);
363 struct gss_svc_ctx *gss_svc_ctx2gssctx(struct ptlrpc_svc_ctx *ctx)
366 return gss_svc_ctx2reqctx(ctx)->src_ctx;
370 int gss_cli_ctx_match(struct ptlrpc_cli_ctx *ctx, struct vfs_cred *vcred);
371 int gss_cli_ctx_display(struct ptlrpc_cli_ctx *ctx, char *buf, int bufsize);
372 int gss_cli_ctx_sign(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
373 int gss_cli_ctx_verify(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
374 int gss_cli_ctx_seal(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
375 int gss_cli_ctx_unseal(struct ptlrpc_cli_ctx *ctx, struct ptlrpc_request *req);
377 int gss_sec_install_rctx(struct obd_import *imp, struct ptlrpc_sec *sec,
378 struct ptlrpc_cli_ctx *ctx);
379 int gss_alloc_reqbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req,
381 void gss_free_reqbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req);
382 int gss_alloc_repbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req,
384 void gss_free_repbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req);
385 int gss_enlarge_reqbuf(struct ptlrpc_sec *sec, struct ptlrpc_request *req,
386 int segment, int newsize);
388 int gss_svc_accept(struct ptlrpc_sec_policy *policy,
389 struct ptlrpc_request *req);
390 void gss_svc_invalidate_ctx(struct ptlrpc_svc_ctx *svc_ctx);
391 int gss_svc_alloc_rs(struct ptlrpc_request *req, int msglen);
392 int gss_svc_authorize(struct ptlrpc_request *req);
393 void gss_svc_free_rs(struct ptlrpc_reply_state *rs);
394 void gss_svc_free_ctx(struct ptlrpc_svc_ctx *ctx);
396 int cli_ctx_expire(struct ptlrpc_cli_ctx *ctx);
397 int cli_ctx_check_death(struct ptlrpc_cli_ctx *ctx);
399 int gss_copy_rvc_cli_ctx(struct ptlrpc_cli_ctx *cli_ctx,
400 struct ptlrpc_svc_ctx *svc_ctx);
402 struct gss_header *gss_swab_header(struct lustre_msg *msg, int segment,
404 netobj_t *gss_swab_netobj(struct lustre_msg *msg, int segment);
406 void gss_cli_ctx_uptodate(struct gss_cli_ctx *gctx);
407 int gss_pack_err_notify(struct ptlrpc_request *req, __u32 major, __u32 minor);
408 int gss_check_seq_num(struct gss_svc_seq_data *sd, __u32 seq_num, int set);
410 int gss_sec_create_common(struct gss_sec *gsec,
411 struct ptlrpc_sec_policy *policy,
412 struct obd_import *imp,
413 struct ptlrpc_svc_ctx *ctx,
414 struct sptlrpc_flavor *sf);
415 void gss_sec_destroy_common(struct gss_sec *gsec);
416 void gss_sec_kill(struct ptlrpc_sec *sec);
418 int gss_cli_ctx_init_common(struct ptlrpc_sec *sec,
419 struct ptlrpc_cli_ctx *ctx,
420 struct ptlrpc_ctx_ops *ctxops,
421 struct vfs_cred *vcred);
422 int gss_cli_ctx_fini_common(struct ptlrpc_sec *sec,
423 struct ptlrpc_cli_ctx *ctx);
425 void gss_cli_ctx_flags2str(unsigned long flags, char *buf, int bufsize);
428 int __init gss_init_keyring(void);
429 void __exit gss_exit_keyring(void);
432 int __init gss_init_pipefs(void);
433 void __exit gss_exit_pipefs(void);
436 int gss_cli_prep_bulk(struct ptlrpc_request *req,
437 struct ptlrpc_bulk_desc *desc);
438 int gss_cli_ctx_wrap_bulk(struct ptlrpc_cli_ctx *ctx,
439 struct ptlrpc_request *req,
440 struct ptlrpc_bulk_desc *desc);
441 int gss_cli_ctx_unwrap_bulk(struct ptlrpc_cli_ctx *ctx,
442 struct ptlrpc_request *req,
443 struct ptlrpc_bulk_desc *desc);
444 int gss_svc_prep_bulk(struct ptlrpc_request *req,
445 struct ptlrpc_bulk_desc *desc);
446 int gss_svc_unwrap_bulk(struct ptlrpc_request *req,
447 struct ptlrpc_bulk_desc *desc);
448 int gss_svc_wrap_bulk(struct ptlrpc_request *req,
449 struct ptlrpc_bulk_desc *desc);
451 /* gss_mech_switch.c */
452 int init_kerberos_module(void);
453 void cleanup_kerberos_module(void);
455 /* gss_generic_token.c */
456 int g_token_size(rawobj_t *mech, unsigned int body_size);
457 void g_make_token_header(rawobj_t *mech, int body_size, unsigned char **buf);
458 __u32 g_verify_token_header(rawobj_t *mech, int *body_size,
459 unsigned char **buf_in, int toksize);
462 /* gss_cli_upcall.c */
463 int gss_do_ctx_init_rpc(char *buffer, unsigned long count);
464 int gss_do_ctx_fini_rpc(struct gss_cli_ctx *gctx);
466 int __init gss_init_cli_upcall(void);
467 void __exit gss_exit_cli_upcall(void);
469 /* gss_svc_upcall.c */
470 __u64 gss_get_next_ctx_index(void);
471 int gss_svc_upcall_install_rvs_ctx(struct obd_import *imp,
472 struct gss_sec *gsec,
473 struct gss_cli_ctx *gctx);
474 int gss_svc_upcall_expire_rvs_ctx(rawobj_t *handle);
475 int gss_svc_upcall_dup_handle(rawobj_t *handle, struct gss_svc_ctx *ctx);
476 int gss_svc_upcall_update_sequence(rawobj_t *handle, __u32 seq);
477 int gss_svc_upcall_handle_init(struct ptlrpc_request *req,
478 struct gss_svc_reqctx *grctx,
479 struct gss_wire_ctx *gw,
480 struct obd_device *target,
484 struct gss_svc_ctx *gss_svc_upcall_get_ctx(struct ptlrpc_request *req,
485 struct gss_wire_ctx *gw);
486 void gss_svc_upcall_put_ctx(struct gss_svc_ctx *ctx);
487 void gss_svc_upcall_destroy_ctx(struct gss_svc_ctx *ctx);
489 int __init gss_init_svc_upcall(void);
490 void __exit gss_exit_svc_upcall(void);
493 void gss_stat_oos_record_cli(int behind);
494 void gss_stat_oos_record_svc(int phase, int replay);
496 int __init gss_init_lproc(void);
497 void __exit gss_exit_lproc(void);
499 /* gss_krb5_mech.c */
500 int __init init_kerberos_module(void);
501 void __exit cleanup_kerberos_module(void);
506 void __dbg_memdump(char *name, void *ptr, int size)
508 char *buf, *p = (char *) ptr;
509 int bufsize = size * 2 + 1, i;
511 OBD_ALLOC(buf, bufsize);
513 CDEBUG(D_ERROR, "DUMP ERROR: can't alloc %d bytes\n", bufsize);
517 for (i = 0; i < size; i++)
518 sprintf(&buf[i+i], "%02x", (__u8) p[i]);
519 buf[size + size] = '\0';
520 LCONSOLE_INFO("DUMP %s@%p(%d): %s\n", name, ptr, size, buf);
521 OBD_FREE(buf, bufsize);
524 #endif /* __PTLRPC_GSS_GSS_INTERNAL_H_ */
git://git.whamcloud.com / fs / lustre-release.git / blob