2 * Modifications for Lustre
4 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
6 * Copyright (c) 2011, 2013, Intel Corporation.
8 * Author: Eric Mei <ericm@clusterfs.com>
12 * linux/net/sunrpc/auth_gss.c
14 * RPCSEC_GSS client authentication.
16 * Copyright (c) 2000 The Regents of the University of Michigan.
17 * All rights reserved.
19 * Dug Song <dugsong@monkey.org>
20 * Andy Adamson <andros@umich.edu>
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. Neither the name of the University nor the names of its
32 * contributors may be used to endorse or promote products derived
33 * from this software without specific prior written permission.
35 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
36 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
37 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
38 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
39 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
40 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
41 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
42 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
43 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
44 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
45 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 #define DEBUG_SUBSYSTEM S_SEC
51 #include <linux/init.h>
52 #include <linux/module.h>
53 #include <linux/slab.h>
54 #include <linux/dcache.h>
56 #include <linux/mutex.h>
57 #include <asm/atomic.h>
59 #include <liblustre.h>
63 #include <obd_class.h>
64 #include <obd_support.h>
65 #include <obd_cksum.h>
66 #include <lustre/lustre_idl.h>
67 #include <lustre_net.h>
68 #include <lustre_import.h>
69 #include <lustre_sec.h>
72 #include "gss_internal.h"
75 #include <linux/crypto.h>
76 #include <linux/crc32.h>
79 * early reply have fixed size, respectively in privacy and integrity mode.
80 * so we calculate them only once.
82 static int gss_at_reply_off_integ;
83 static int gss_at_reply_off_priv;
86 static inline int msg_last_segidx(struct lustre_msg *msg)
88 LASSERT(msg->lm_bufcount > 0);
89 return msg->lm_bufcount - 1;
91 static inline int msg_last_seglen(struct lustre_msg *msg)
93 return msg->lm_buflens[msg_last_segidx(msg)];
96 /********************************************
98 ********************************************/
101 void gss_header_swabber(struct gss_header *ghdr)
103 __swab32s(&ghdr->gh_flags);
104 __swab32s(&ghdr->gh_proc);
105 __swab32s(&ghdr->gh_seq);
106 __swab32s(&ghdr->gh_svc);
107 __swab32s(&ghdr->gh_pad1);
108 __swab32s(&ghdr->gh_handle.len);
111 struct gss_header *gss_swab_header(struct lustre_msg *msg, int segment,
114 struct gss_header *ghdr;
116 ghdr = lustre_msg_buf(msg, segment, sizeof(*ghdr));
121 gss_header_swabber(ghdr);
123 if (sizeof(*ghdr) + ghdr->gh_handle.len > msg->lm_buflens[segment]) {
124 CERROR("gss header has length %d, now %u received\n",
125 (int) sizeof(*ghdr) + ghdr->gh_handle.len,
126 msg->lm_buflens[segment]);
135 void gss_netobj_swabber(netobj_t *obj)
137 __swab32s(&obj->len);
140 netobj_t *gss_swab_netobj(struct lustre_msg *msg, int segment)
144 obj = lustre_swab_buf(msg, segment, sizeof(*obj), gss_netobj_swabber);
145 if (obj && sizeof(*obj) + obj->len > msg->lm_buflens[segment]) {
146 CERROR("netobj require length %u but only %u received\n",
147 (unsigned int) sizeof(*obj) + obj->len,
148 msg->lm_buflens[segment]);
157 * payload should be obtained from mechanism. but currently since we
158 * only support kerberos, we could simply use fixed value.
161 * - krb5 checksum: 20
163 * for privacy mode, payload also include the cipher text which has the same
164 * size as plain text, plus possible confounder, padding both at maximum cipher
167 #define GSS_KRB5_INTEG_MAX_PAYLOAD (40)
170 int gss_mech_payload(struct gss_ctx *mechctx, int msgsize, int privacy)
173 return GSS_KRB5_INTEG_MAX_PAYLOAD + 16 + 16 + 16 + msgsize;
175 return GSS_KRB5_INTEG_MAX_PAYLOAD;
179 * return signature size, otherwise < 0 to indicate error
181 static int gss_sign_msg(struct lustre_msg *msg,
182 struct gss_ctx *mechctx,
183 enum lustre_sec_part sp,
184 __u32 flags, __u32 proc, __u32 seq, __u32 svc,
187 struct gss_header *ghdr;
188 rawobj_t text[4], mic;
189 int textcnt, max_textcnt, mic_idx;
192 LASSERT(msg->lm_bufcount >= 2);
195 LASSERT(msg->lm_buflens[0] >=
196 sizeof(*ghdr) + (handle ? handle->len : 0));
197 ghdr = lustre_msg_buf(msg, 0, 0);
199 ghdr->gh_version = PTLRPC_GSS_VERSION;
200 ghdr->gh_sp = (__u8) sp;
201 ghdr->gh_flags = flags;
202 ghdr->gh_proc = proc;
206 /* fill in a fake one */
207 ghdr->gh_handle.len = 0;
209 ghdr->gh_handle.len = handle->len;
210 memcpy(ghdr->gh_handle.data, handle->data, handle->len);
213 /* no actual signature for null mode */
214 if (svc == SPTLRPC_SVC_NULL)
215 return lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
218 mic_idx = msg_last_segidx(msg);
219 max_textcnt = (svc == SPTLRPC_SVC_AUTH) ? 1 : mic_idx;
221 for (textcnt = 0; textcnt < max_textcnt; textcnt++) {
222 text[textcnt].len = msg->lm_buflens[textcnt];
223 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
226 mic.len = msg->lm_buflens[mic_idx];
227 mic.data = lustre_msg_buf(msg, mic_idx, 0);
229 major = lgss_get_mic(mechctx, textcnt, text, 0, NULL, &mic);
230 if (major != GSS_S_COMPLETE) {
231 CERROR("fail to generate MIC: %08x\n", major);
234 LASSERT(mic.len <= msg->lm_buflens[mic_idx]);
236 return lustre_shrink_msg(msg, mic_idx, mic.len, 0);
243 __u32 gss_verify_msg(struct lustre_msg *msg,
244 struct gss_ctx *mechctx,
247 rawobj_t text[4], mic;
248 int textcnt, max_textcnt;
252 LASSERT(msg->lm_bufcount >= 2);
254 if (svc == SPTLRPC_SVC_NULL)
255 return GSS_S_COMPLETE;
257 mic_idx = msg_last_segidx(msg);
258 max_textcnt = (svc == SPTLRPC_SVC_AUTH) ? 1 : mic_idx;
260 for (textcnt = 0; textcnt < max_textcnt; textcnt++) {
261 text[textcnt].len = msg->lm_buflens[textcnt];
262 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
265 mic.len = msg->lm_buflens[mic_idx];
266 mic.data = lustre_msg_buf(msg, mic_idx, 0);
268 major = lgss_verify_mic(mechctx, textcnt, text, 0, NULL, &mic);
269 if (major != GSS_S_COMPLETE)
270 CERROR("mic verify error: %08x\n", major);
276 * return gss error code
279 __u32 gss_unseal_msg(struct gss_ctx *mechctx,
280 struct lustre_msg *msgbuf,
281 int *msg_len, int msgbuf_len)
283 rawobj_t clear_obj, hdrobj, token;
289 if (msgbuf->lm_bufcount != 2) {
290 CERROR("invalid bufcount %d\n", msgbuf->lm_bufcount);
291 RETURN(GSS_S_FAILURE);
294 /* allocate a temporary clear text buffer, same sized as token,
295 * we assume the final clear text size <= token size */
296 clear_buflen = lustre_msg_buflen(msgbuf, 1);
297 OBD_ALLOC_LARGE(clear_buf, clear_buflen);
299 RETURN(GSS_S_FAILURE);
302 hdrobj.len = lustre_msg_buflen(msgbuf, 0);
303 hdrobj.data = lustre_msg_buf(msgbuf, 0, 0);
304 token.len = lustre_msg_buflen(msgbuf, 1);
305 token.data = lustre_msg_buf(msgbuf, 1, 0);
306 clear_obj.len = clear_buflen;
307 clear_obj.data = clear_buf;
309 major = lgss_unwrap(mechctx, &hdrobj, &token, &clear_obj);
310 if (major != GSS_S_COMPLETE) {
311 CERROR("unwrap message error: %08x\n", major);
312 GOTO(out_free, major = GSS_S_FAILURE);
314 LASSERT(clear_obj.len <= clear_buflen);
315 LASSERT(clear_obj.len <= msgbuf_len);
317 /* now the decrypted message */
318 memcpy(msgbuf, clear_obj.data, clear_obj.len);
319 *msg_len = clear_obj.len;
321 major = GSS_S_COMPLETE;
323 OBD_FREE_LARGE(clear_buf, clear_buflen);
327 /********************************************
328 * gss client context manipulation helpers *
329 ********************************************/
331 int cli_ctx_expire(struct ptlrpc_cli_ctx *ctx)
333 LASSERT(atomic_read(&ctx->cc_refcount));
335 if (!test_and_set_bit(PTLRPC_CTX_DEAD_BIT, &ctx->cc_flags)) {
336 if (!ctx->cc_early_expire)
337 clear_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
339 CWARN("ctx %p(%u->%s) get expired: %lu(%+lds)\n",
340 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
342 ctx->cc_expire == 0 ? 0 :
343 cfs_time_sub(ctx->cc_expire, cfs_time_current_sec()));
345 sptlrpc_cli_ctx_wakeup(ctx);
353 * return 1 if the context is dead.
355 int cli_ctx_check_death(struct ptlrpc_cli_ctx *ctx)
357 if (unlikely(cli_ctx_is_dead(ctx)))
360 /* expire is 0 means never expire. a newly created gss context
361 * which during upcall may has 0 expiration */
362 if (ctx->cc_expire == 0)
365 /* check real expiration */
366 if (cfs_time_after(ctx->cc_expire, cfs_time_current_sec()))
373 void gss_cli_ctx_uptodate(struct gss_cli_ctx *gctx)
375 struct ptlrpc_cli_ctx *ctx = &gctx->gc_base;
376 unsigned long ctx_expiry;
378 if (lgss_inquire_context(gctx->gc_mechctx, &ctx_expiry)) {
379 CERROR("ctx %p(%u): unable to inquire, expire it now\n",
380 gctx, ctx->cc_vcred.vc_uid);
381 ctx_expiry = 1; /* make it expired now */
384 ctx->cc_expire = gss_round_ctx_expiry(ctx_expiry,
385 ctx->cc_sec->ps_flvr.sf_flags);
387 /* At this point this ctx might have been marked as dead by
388 * someone else, in which case nobody will make further use
389 * of it. we don't care, and mark it UPTODATE will help
390 * destroying server side context when it be destroyed. */
391 set_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
393 if (sec_is_reverse(ctx->cc_sec)) {
394 CWARN("server installed reverse ctx %p idx "LPX64", "
395 "expiry %lu(%+lds)\n", ctx,
396 gss_handle_to_u64(&gctx->gc_handle),
397 ctx->cc_expire, ctx->cc_expire - cfs_time_current_sec());
399 CWARN("client refreshed ctx %p idx "LPX64" (%u->%s), "
400 "expiry %lu(%+lds)\n", ctx,
401 gss_handle_to_u64(&gctx->gc_handle),
402 ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
403 ctx->cc_expire, ctx->cc_expire - cfs_time_current_sec());
405 /* install reverse svc ctx for root context */
406 if (ctx->cc_vcred.vc_uid == 0)
407 gss_sec_install_rctx(ctx->cc_sec->ps_import,
411 sptlrpc_cli_ctx_wakeup(ctx);
414 static void gss_cli_ctx_finalize(struct gss_cli_ctx *gctx)
416 LASSERT(gctx->gc_base.cc_sec);
418 if (gctx->gc_mechctx) {
419 lgss_delete_sec_context(&gctx->gc_mechctx);
420 gctx->gc_mechctx = NULL;
423 if (!rawobj_empty(&gctx->gc_svc_handle)) {
424 /* forward ctx: mark buddy reverse svcctx soon-expire. */
425 if (!sec_is_reverse(gctx->gc_base.cc_sec) &&
426 !rawobj_empty(&gctx->gc_svc_handle))
427 gss_svc_upcall_expire_rvs_ctx(&gctx->gc_svc_handle);
429 rawobj_free(&gctx->gc_svc_handle);
432 rawobj_free(&gctx->gc_handle);
436 * Based on sequence number algorithm as specified in RFC 2203.
438 * modified for our own problem: arriving request has valid sequence number,
439 * but unwrapping request might cost a long time, after that its sequence
440 * are not valid anymore (fall behind the window). It rarely happen, mostly
441 * under extreme load.
443 * note we should not check sequence before verify the integrity of incoming
444 * request, because just one attacking request with high sequence number might
445 * cause all following request be dropped.
447 * so here we use a multi-phase approach: prepare 2 sequence windows,
448 * "main window" for normal sequence and "back window" for fall behind sequence.
449 * and 3-phase checking mechanism:
450 * 0 - before integrity verification, perform a initial sequence checking in
451 * main window, which only try and don't actually set any bits. if the
452 * sequence is high above the window or fit in the window and the bit
453 * is 0, then accept and proceed to integrity verification. otherwise
454 * reject this sequence.
455 * 1 - after integrity verification, check in main window again. if this
456 * sequence is high above the window or fit in the window and the bit
457 * is 0, then set the bit and accept; if it fit in the window but bit
458 * already set, then reject; if it fall behind the window, then proceed
460 * 2 - check in back window. if it is high above the window or fit in the
461 * window and the bit is 0, then set the bit and accept. otherwise reject.
464 * 1: looks like a replay
468 * note phase 0 is necessary, because otherwise replay attacking request of
469 * sequence which between the 2 windows can't be detected.
471 * this mechanism can't totally solve the problem, but could help much less
472 * number of valid requests be dropped.
475 int gss_do_check_seq(unsigned long *window, __u32 win_size, __u32 *max_seq,
476 __u32 seq_num, int phase)
478 LASSERT(phase >= 0 && phase <= 2);
480 if (seq_num > *max_seq) {
482 * 1. high above the window
487 if (seq_num >= *max_seq + win_size) {
488 memset(window, 0, win_size / 8);
491 while(*max_seq < seq_num) {
493 __clear_bit((*max_seq) % win_size, window);
496 __set_bit(seq_num % win_size, window);
497 } else if (seq_num + win_size <= *max_seq) {
499 * 2. low behind the window
501 if (phase == 0 || phase == 2)
504 CWARN("seq %u is %u behind (size %d), check backup window\n",
505 seq_num, *max_seq - win_size - seq_num, win_size);
509 * 3. fit into the window
513 if (test_bit(seq_num % win_size, window))
518 if (__test_and_set_bit(seq_num % win_size, window))
527 CERROR("seq %u (%s %s window) is a replay: max %u, winsize %d\n",
529 seq_num + win_size > *max_seq ? "in" : "behind",
530 phase == 2 ? "backup " : "main",
536 * Based on sequence number algorithm as specified in RFC 2203.
538 * if @set == 0: initial check, don't set any bit in window
539 * if @sec == 1: final check, set bit in window
541 int gss_check_seq_num(struct gss_svc_seq_data *ssd, __u32 seq_num, int set)
545 spin_lock(&ssd->ssd_lock);
551 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
552 &ssd->ssd_max_main, seq_num, 0);
554 gss_stat_oos_record_svc(0, 1);
557 * phase 1 checking main window
559 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
560 &ssd->ssd_max_main, seq_num, 1);
563 gss_stat_oos_record_svc(1, 1);
569 * phase 2 checking back window
571 rc = gss_do_check_seq(ssd->ssd_win_back, GSS_SEQ_WIN_BACK,
572 &ssd->ssd_max_back, seq_num, 2);
574 gss_stat_oos_record_svc(2, 1);
576 gss_stat_oos_record_svc(2, 0);
579 spin_unlock(&ssd->ssd_lock);
583 /***************************************
585 ***************************************/
587 static inline int gss_cli_payload(struct ptlrpc_cli_ctx *ctx,
588 int msgsize, int privacy)
590 return gss_mech_payload(NULL, msgsize, privacy);
593 static int gss_cli_bulk_payload(struct ptlrpc_cli_ctx *ctx,
594 struct sptlrpc_flavor *flvr,
597 int payload = sizeof(struct ptlrpc_bulk_sec_desc);
599 LASSERT(SPTLRPC_FLVR_BULK_TYPE(flvr->sf_rpc) == SPTLRPC_BULK_DEFAULT);
601 if ((!reply && !read) || (reply && read)) {
602 switch (SPTLRPC_FLVR_BULK_SVC(flvr->sf_rpc)) {
603 case SPTLRPC_BULK_SVC_NULL:
605 case SPTLRPC_BULK_SVC_INTG:
606 payload += gss_cli_payload(ctx, 0, 0);
608 case SPTLRPC_BULK_SVC_PRIV:
609 payload += gss_cli_payload(ctx, 0, 1);
611 case SPTLRPC_BULK_SVC_AUTH:
620 int gss_cli_ctx_match(struct ptlrpc_cli_ctx *ctx, struct vfs_cred *vcred)
622 return (ctx->cc_vcred.vc_uid == vcred->vc_uid);
625 void gss_cli_ctx_flags2str(unsigned long flags, char *buf, int bufsize)
629 if (flags & PTLRPC_CTX_NEW)
630 strncat(buf, "new,", bufsize);
631 if (flags & PTLRPC_CTX_UPTODATE)
632 strncat(buf, "uptodate,", bufsize);
633 if (flags & PTLRPC_CTX_DEAD)
634 strncat(buf, "dead,", bufsize);
635 if (flags & PTLRPC_CTX_ERROR)
636 strncat(buf, "error,", bufsize);
637 if (flags & PTLRPC_CTX_CACHED)
638 strncat(buf, "cached,", bufsize);
639 if (flags & PTLRPC_CTX_ETERNAL)
640 strncat(buf, "eternal,", bufsize);
642 strncat(buf, "-,", bufsize);
644 buf[strlen(buf) - 1] = '\0';
647 int gss_cli_ctx_sign(struct ptlrpc_cli_ctx *ctx,
648 struct ptlrpc_request *req)
650 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
651 __u32 flags = 0, seq, svc;
655 LASSERT(req->rq_reqbuf);
656 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
657 LASSERT(req->rq_cli_ctx == ctx);
659 /* nothing to do for context negotiation RPCs */
660 if (req->rq_ctx_init)
663 svc = SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc);
664 if (req->rq_pack_bulk)
665 flags |= LUSTRE_GSS_PACK_BULK;
666 if (req->rq_pack_udesc)
667 flags |= LUSTRE_GSS_PACK_USER;
670 seq = atomic_inc_return(&gctx->gc_seq);
672 rc = gss_sign_msg(req->rq_reqbuf, gctx->gc_mechctx,
673 ctx->cc_sec->ps_part,
674 flags, gctx->gc_proc, seq, svc,
679 /* gss_sign_msg() msg might take long time to finish, in which period
680 * more rpcs could be wrapped up and sent out. if we found too many
681 * of them we should repack this rpc, because sent it too late might
682 * lead to the sequence number fall behind the window on server and
683 * be dropped. also applies to gss_cli_ctx_seal().
685 * Note: null mode doesn't check sequence number. */
686 if (svc != SPTLRPC_SVC_NULL &&
687 atomic_read(&gctx->gc_seq) - seq > GSS_SEQ_REPACK_THRESHOLD) {
688 int behind = atomic_read(&gctx->gc_seq) - seq;
690 gss_stat_oos_record_cli(behind);
691 CWARN("req %p: %u behind, retry signing\n", req, behind);
695 req->rq_reqdata_len = rc;
700 int gss_cli_ctx_handle_err_notify(struct ptlrpc_cli_ctx *ctx,
701 struct ptlrpc_request *req,
702 struct gss_header *ghdr)
704 struct gss_err_header *errhdr;
707 LASSERT(ghdr->gh_proc == PTLRPC_GSS_PROC_ERR);
709 errhdr = (struct gss_err_header *) ghdr;
711 CWARN("req x"LPU64"/t"LPU64", ctx %p idx "LPX64"(%u->%s): "
712 "%sserver respond (%08x/%08x)\n",
713 req->rq_xid, req->rq_transno, ctx,
714 gss_handle_to_u64(&ctx2gctx(ctx)->gc_handle),
715 ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
716 sec_is_reverse(ctx->cc_sec) ? "reverse" : "",
717 errhdr->gh_major, errhdr->gh_minor);
719 /* context fini rpc, let it failed */
720 if (req->rq_ctx_fini) {
721 CWARN("context fini rpc failed\n");
725 /* reverse sec, just return error, don't expire this ctx because it's
726 * crucial to callback rpcs. note if the callback rpc failed because
727 * of bit flip during network transfer, the client will be evicted
728 * directly. so more gracefully we probably want let it retry for
729 * number of times. */
730 if (sec_is_reverse(ctx->cc_sec))
733 if (errhdr->gh_major != GSS_S_NO_CONTEXT &&
734 errhdr->gh_major != GSS_S_BAD_SIG)
737 /* server return NO_CONTEXT might be caused by context expire
738 * or server reboot/failover. we try to refresh a new ctx which
739 * be transparent to upper layer.
741 * In some cases, our gss handle is possible to be incidentally
742 * identical to another handle since the handle itself is not
743 * fully random. In krb5 case, the GSS_S_BAD_SIG will be
744 * returned, maybe other gss error for other mechanism.
746 * if we add new mechanism, make sure the correct error are
747 * returned in this case. */
748 CWARN("%s: server might lost the context, retrying\n",
749 errhdr->gh_major == GSS_S_NO_CONTEXT ? "NO_CONTEXT" : "BAD_SIG");
751 sptlrpc_cli_ctx_expire(ctx);
753 /* we need replace the ctx right here, otherwise during
754 * resent we'll hit the logic in sptlrpc_req_refresh_ctx()
755 * which keep the ctx with RESEND flag, thus we'll never
756 * get rid of this ctx. */
757 rc = sptlrpc_req_replace_dead_ctx(req);
764 int gss_cli_ctx_verify(struct ptlrpc_cli_ctx *ctx,
765 struct ptlrpc_request *req)
767 struct gss_cli_ctx *gctx;
768 struct gss_header *ghdr, *reqhdr;
769 struct lustre_msg *msg = req->rq_repdata;
771 int pack_bulk, swabbed, rc = 0;
774 LASSERT(req->rq_cli_ctx == ctx);
777 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
779 /* special case for context negotiation, rq_repmsg/rq_replen actually
780 * are not used currently. but early reply always be treated normally */
781 if (req->rq_ctx_init && !req->rq_early) {
782 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
783 req->rq_replen = msg->lm_buflens[1];
787 if (msg->lm_bufcount < 2 || msg->lm_bufcount > 4) {
788 CERROR("unexpected bufcount %u\n", msg->lm_bufcount);
792 swabbed = ptlrpc_rep_need_swab(req);
794 ghdr = gss_swab_header(msg, 0, swabbed);
796 CERROR("can't decode gss header\n");
801 reqhdr = lustre_msg_buf(msg, 0, sizeof(*reqhdr));
804 if (ghdr->gh_version != reqhdr->gh_version) {
805 CERROR("gss version %u mismatch, expect %u\n",
806 ghdr->gh_version, reqhdr->gh_version);
810 switch (ghdr->gh_proc) {
811 case PTLRPC_GSS_PROC_DATA:
812 pack_bulk = ghdr->gh_flags & LUSTRE_GSS_PACK_BULK;
814 if (!req->rq_early && !equi(req->rq_pack_bulk == 1, pack_bulk)){
815 CERROR("%s bulk flag in reply\n",
816 req->rq_pack_bulk ? "missing" : "unexpected");
820 if (ghdr->gh_seq != reqhdr->gh_seq) {
821 CERROR("seqnum %u mismatch, expect %u\n",
822 ghdr->gh_seq, reqhdr->gh_seq);
826 if (ghdr->gh_svc != reqhdr->gh_svc) {
827 CERROR("svc %u mismatch, expect %u\n",
828 ghdr->gh_svc, reqhdr->gh_svc);
833 gss_header_swabber(ghdr);
835 major = gss_verify_msg(msg, gctx->gc_mechctx, reqhdr->gh_svc);
836 if (major != GSS_S_COMPLETE) {
837 CERROR("failed to verify reply: %x\n", major);
841 if (req->rq_early && reqhdr->gh_svc == SPTLRPC_SVC_NULL) {
844 cksum = crc32_le(!(__u32) 0,
845 lustre_msg_buf(msg, 1, 0),
846 lustre_msg_buflen(msg, 1));
847 if (cksum != msg->lm_cksum) {
848 CWARN("early reply checksum mismatch: "
849 "%08x != %08x\n", cksum, msg->lm_cksum);
855 /* bulk checksum is right after the lustre msg */
856 if (msg->lm_bufcount < 3) {
857 CERROR("Invalid reply bufcount %u\n",
862 rc = bulk_sec_desc_unpack(msg, 2, swabbed);
864 CERROR("unpack bulk desc: %d\n", rc);
869 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
870 req->rq_replen = msg->lm_buflens[1];
872 case PTLRPC_GSS_PROC_ERR:
874 CERROR("server return error with early reply\n");
877 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
881 CERROR("unknown gss proc %d\n", ghdr->gh_proc);
888 int gss_cli_ctx_seal(struct ptlrpc_cli_ctx *ctx,
889 struct ptlrpc_request *req)
891 struct gss_cli_ctx *gctx;
892 rawobj_t hdrobj, msgobj, token;
893 struct gss_header *ghdr;
894 __u32 buflens[2], major;
898 LASSERT(req->rq_clrbuf);
899 LASSERT(req->rq_cli_ctx == ctx);
900 LASSERT(req->rq_reqlen);
902 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
904 /* final clear data length */
905 req->rq_clrdata_len = lustre_msg_size_v2(req->rq_clrbuf->lm_bufcount,
906 req->rq_clrbuf->lm_buflens);
908 /* calculate wire data length */
909 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
910 buflens[1] = gss_cli_payload(&gctx->gc_base, req->rq_clrdata_len, 1);
911 wiresize = lustre_msg_size_v2(2, buflens);
913 /* allocate wire buffer */
916 LASSERT(req->rq_reqbuf);
917 LASSERT(req->rq_reqbuf != req->rq_clrbuf);
918 LASSERT(req->rq_reqbuf_len >= wiresize);
920 OBD_ALLOC_LARGE(req->rq_reqbuf, wiresize);
923 req->rq_reqbuf_len = wiresize;
926 lustre_init_msg_v2(req->rq_reqbuf, 2, buflens, NULL);
927 req->rq_reqbuf->lm_secflvr = req->rq_flvr.sf_rpc;
930 ghdr = lustre_msg_buf(req->rq_reqbuf, 0, 0);
931 ghdr->gh_version = PTLRPC_GSS_VERSION;
932 ghdr->gh_sp = (__u8) ctx->cc_sec->ps_part;
934 ghdr->gh_proc = gctx->gc_proc;
935 ghdr->gh_svc = SPTLRPC_SVC_PRIV;
936 ghdr->gh_handle.len = gctx->gc_handle.len;
937 memcpy(ghdr->gh_handle.data, gctx->gc_handle.data, gctx->gc_handle.len);
938 if (req->rq_pack_bulk)
939 ghdr->gh_flags |= LUSTRE_GSS_PACK_BULK;
940 if (req->rq_pack_udesc)
941 ghdr->gh_flags |= LUSTRE_GSS_PACK_USER;
944 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
947 hdrobj.len = PTLRPC_GSS_HEADER_SIZE;
948 hdrobj.data = (__u8 *) ghdr;
949 msgobj.len = req->rq_clrdata_len;
950 msgobj.data = (__u8 *) req->rq_clrbuf;
951 token.len = lustre_msg_buflen(req->rq_reqbuf, 1);
952 token.data = lustre_msg_buf(req->rq_reqbuf, 1, 0);
954 major = lgss_wrap(gctx->gc_mechctx, &hdrobj, &msgobj,
955 req->rq_clrbuf_len, &token);
956 if (major != GSS_S_COMPLETE) {
957 CERROR("priv: wrap message error: %08x\n", major);
958 GOTO(err_free, rc = -EPERM);
960 LASSERT(token.len <= buflens[1]);
962 /* see explain in gss_cli_ctx_sign() */
963 if (unlikely(atomic_read(&gctx->gc_seq) - ghdr->gh_seq >
964 GSS_SEQ_REPACK_THRESHOLD)) {
965 int behind = atomic_read(&gctx->gc_seq) - ghdr->gh_seq;
967 gss_stat_oos_record_cli(behind);
968 CWARN("req %p: %u behind, retry sealing\n", req, behind);
970 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
974 /* now set the final wire data length */
975 req->rq_reqdata_len = lustre_shrink_msg(req->rq_reqbuf, 1, token.len,0);
980 OBD_FREE_LARGE(req->rq_reqbuf, req->rq_reqbuf_len);
981 req->rq_reqbuf = NULL;
982 req->rq_reqbuf_len = 0;
987 int gss_cli_ctx_unseal(struct ptlrpc_cli_ctx *ctx,
988 struct ptlrpc_request *req)
990 struct gss_cli_ctx *gctx;
991 struct gss_header *ghdr;
992 struct lustre_msg *msg = req->rq_repdata;
993 int msglen, pack_bulk, swabbed, rc;
997 LASSERT(req->rq_cli_ctx == ctx);
998 LASSERT(req->rq_ctx_init == 0);
1001 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
1002 swabbed = ptlrpc_rep_need_swab(req);
1004 ghdr = gss_swab_header(msg, 0, swabbed);
1006 CERROR("can't decode gss header\n");
1011 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
1012 CERROR("gss version %u mismatch, expect %u\n",
1013 ghdr->gh_version, PTLRPC_GSS_VERSION);
1017 switch (ghdr->gh_proc) {
1018 case PTLRPC_GSS_PROC_DATA:
1019 pack_bulk = ghdr->gh_flags & LUSTRE_GSS_PACK_BULK;
1021 if (!req->rq_early && !equi(req->rq_pack_bulk == 1, pack_bulk)){
1022 CERROR("%s bulk flag in reply\n",
1023 req->rq_pack_bulk ? "missing" : "unexpected");
1028 gss_header_swabber(ghdr);
1030 /* use rq_repdata_len as buffer size, which assume unseal
1031 * doesn't need extra memory space. for precise control, we'd
1032 * better calculate out actual buffer size as
1033 * (repbuf_len - offset - repdata_len) */
1034 major = gss_unseal_msg(gctx->gc_mechctx, msg,
1035 &msglen, req->rq_repdata_len);
1036 if (major != GSS_S_COMPLETE) {
1037 CERROR("failed to unwrap reply: %x\n", major);
1042 swabbed = __lustre_unpack_msg(msg, msglen);
1044 CERROR("Failed to unpack after decryption\n");
1048 if (msg->lm_bufcount < 1) {
1049 CERROR("Invalid reply buffer: empty\n");
1054 if (msg->lm_bufcount < 2) {
1055 CERROR("bufcount %u: missing bulk sec desc\n",
1060 /* bulk checksum is the last segment */
1061 if (bulk_sec_desc_unpack(msg, msg->lm_bufcount - 1,
1066 req->rq_repmsg = lustre_msg_buf(msg, 0, 0);
1067 req->rq_replen = msg->lm_buflens[0];
1071 case PTLRPC_GSS_PROC_ERR:
1072 if (req->rq_early) {
1073 CERROR("server return error with early reply\n");
1076 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
1080 CERROR("unexpected proc %d\n", ghdr->gh_proc);
1087 /*********************************************
1088 * reverse context installation *
1089 *********************************************/
1092 int gss_install_rvs_svc_ctx(struct obd_import *imp,
1093 struct gss_sec *gsec,
1094 struct gss_cli_ctx *gctx)
1096 return gss_svc_upcall_install_rvs_ctx(imp, gsec, gctx);
1099 /*********************************************
1100 * GSS security APIs *
1101 *********************************************/
1102 int gss_sec_create_common(struct gss_sec *gsec,
1103 struct ptlrpc_sec_policy *policy,
1104 struct obd_import *imp,
1105 struct ptlrpc_svc_ctx *svcctx,
1106 struct sptlrpc_flavor *sf)
1108 struct ptlrpc_sec *sec;
1111 LASSERT(SPTLRPC_FLVR_POLICY(sf->sf_rpc) == SPTLRPC_POLICY_GSS);
1113 gsec->gs_mech = lgss_subflavor_to_mech(
1114 SPTLRPC_FLVR_BASE_SUB(sf->sf_rpc));
1115 if (!gsec->gs_mech) {
1116 CERROR("gss backend 0x%x not found\n",
1117 SPTLRPC_FLVR_BASE_SUB(sf->sf_rpc));
1121 spin_lock_init(&gsec->gs_lock);
1122 gsec->gs_rvs_hdl = 0ULL;
1124 /* initialize upper ptlrpc_sec */
1125 sec = &gsec->gs_base;
1126 sec->ps_policy = policy;
1127 atomic_set(&sec->ps_refcount, 0);
1128 atomic_set(&sec->ps_nctx, 0);
1129 sec->ps_id = sptlrpc_get_next_secid();
1131 sec->ps_import = class_import_get(imp);
1132 spin_lock_init(&sec->ps_lock);
1133 CFS_INIT_LIST_HEAD(&sec->ps_gc_list);
1136 sec->ps_gc_interval = GSS_GC_INTERVAL;
1138 LASSERT(sec_is_reverse(sec));
1140 /* never do gc on reverse sec */
1141 sec->ps_gc_interval = 0;
1144 if (SPTLRPC_FLVR_BULK_SVC(sec->ps_flvr.sf_rpc) == SPTLRPC_BULK_SVC_PRIV)
1145 sptlrpc_enc_pool_add_user();
1147 CDEBUG(D_SEC, "create %s%s@%p\n", (svcctx ? "reverse " : ""),
1148 policy->sp_name, gsec);
1152 void gss_sec_destroy_common(struct gss_sec *gsec)
1154 struct ptlrpc_sec *sec = &gsec->gs_base;
1157 LASSERT(sec->ps_import);
1158 LASSERT(atomic_read(&sec->ps_refcount) == 0);
1159 LASSERT(atomic_read(&sec->ps_nctx) == 0);
1161 if (gsec->gs_mech) {
1162 lgss_mech_put(gsec->gs_mech);
1163 gsec->gs_mech = NULL;
1166 class_import_put(sec->ps_import);
1168 if (SPTLRPC_FLVR_BULK_SVC(sec->ps_flvr.sf_rpc) == SPTLRPC_BULK_SVC_PRIV)
1169 sptlrpc_enc_pool_del_user();
1174 void gss_sec_kill(struct ptlrpc_sec *sec)
1179 int gss_cli_ctx_init_common(struct ptlrpc_sec *sec,
1180 struct ptlrpc_cli_ctx *ctx,
1181 struct ptlrpc_ctx_ops *ctxops,
1182 struct vfs_cred *vcred)
1184 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
1187 atomic_set(&gctx->gc_seq, 0);
1189 CFS_INIT_HLIST_NODE(&ctx->cc_cache);
1190 atomic_set(&ctx->cc_refcount, 0);
1192 ctx->cc_ops = ctxops;
1194 ctx->cc_flags = PTLRPC_CTX_NEW;
1195 ctx->cc_vcred = *vcred;
1196 spin_lock_init(&ctx->cc_lock);
1197 CFS_INIT_LIST_HEAD(&ctx->cc_req_list);
1198 CFS_INIT_LIST_HEAD(&ctx->cc_gc_chain);
1200 /* take a ref on belonging sec, balanced in ctx destroying */
1201 atomic_inc(&sec->ps_refcount);
1202 /* statistic only */
1203 atomic_inc(&sec->ps_nctx);
1205 CDEBUG(D_SEC, "%s@%p: create ctx %p(%u->%s)\n",
1206 sec->ps_policy->sp_name, ctx->cc_sec,
1207 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1213 * 1: the context has been taken care of by someone else
1214 * 0: proceed to really destroy the context locally
1216 int gss_cli_ctx_fini_common(struct ptlrpc_sec *sec,
1217 struct ptlrpc_cli_ctx *ctx)
1219 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
1221 LASSERT(atomic_read(&sec->ps_nctx) > 0);
1222 LASSERT(atomic_read(&ctx->cc_refcount) == 0);
1223 LASSERT(ctx->cc_sec == sec);
1226 * remove UPTODATE flag of reverse ctx thus we won't send fini rpc,
1227 * this is to avoid potential problems of client side reverse svc ctx
1228 * be mis-destroyed in various recovery senarios. anyway client can
1229 * manage its reverse ctx well by associating it with its buddy ctx.
1231 if (sec_is_reverse(sec))
1232 ctx->cc_flags &= ~PTLRPC_CTX_UPTODATE;
1234 if (gctx->gc_mechctx) {
1235 /* the final context fini rpc will use this ctx too, and it's
1236 * asynchronous which finished by request_out_callback(). so
1237 * we add refcount, whoever drop finally drop the refcount to
1238 * 0 should responsible for the rest of destroy. */
1239 atomic_inc(&ctx->cc_refcount);
1241 gss_do_ctx_fini_rpc(gctx);
1242 gss_cli_ctx_finalize(gctx);
1244 if (!atomic_dec_and_test(&ctx->cc_refcount))
1248 if (sec_is_reverse(sec))
1249 CWARN("reverse sec %p: destroy ctx %p\n",
1252 CWARN("%s@%p: destroy ctx %p(%u->%s)\n",
1253 sec->ps_policy->sp_name, ctx->cc_sec,
1254 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1260 int gss_alloc_reqbuf_intg(struct ptlrpc_sec *sec,
1261 struct ptlrpc_request *req,
1262 int svc, int msgsize)
1264 int bufsize, txtsize;
1270 * on-wire data layout:
1273 * - user descriptor (optional)
1274 * - bulk sec descriptor (optional)
1275 * - signature (optional)
1276 * - svc == NULL: NULL
1277 * - svc == AUTH: signature of gss header
1278 * - svc == INTG: signature of all above
1280 * if this is context negotiation, reserver fixed space
1281 * at the last (signature) segment regardless of svc mode.
1284 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1285 txtsize = buflens[0];
1287 buflens[1] = msgsize;
1288 if (svc == SPTLRPC_SVC_INTG)
1289 txtsize += buflens[1];
1291 if (req->rq_pack_udesc) {
1292 buflens[bufcnt] = sptlrpc_current_user_desc_size();
1293 if (svc == SPTLRPC_SVC_INTG)
1294 txtsize += buflens[bufcnt];
1298 if (req->rq_pack_bulk) {
1299 buflens[bufcnt] = gss_cli_bulk_payload(req->rq_cli_ctx,
1301 0, req->rq_bulk_read);
1302 if (svc == SPTLRPC_SVC_INTG)
1303 txtsize += buflens[bufcnt];
1307 if (req->rq_ctx_init)
1308 buflens[bufcnt++] = GSS_CTX_INIT_MAX_LEN;
1309 else if (svc != SPTLRPC_SVC_NULL)
1310 buflens[bufcnt++] = gss_cli_payload(req->rq_cli_ctx, txtsize,0);
1312 bufsize = lustre_msg_size_v2(bufcnt, buflens);
1314 if (!req->rq_reqbuf) {
1315 bufsize = size_roundup_power2(bufsize);
1317 OBD_ALLOC_LARGE(req->rq_reqbuf, bufsize);
1318 if (!req->rq_reqbuf)
1321 req->rq_reqbuf_len = bufsize;
1323 LASSERT(req->rq_pool);
1324 LASSERT(req->rq_reqbuf_len >= bufsize);
1325 memset(req->rq_reqbuf, 0, bufsize);
1328 lustre_init_msg_v2(req->rq_reqbuf, bufcnt, buflens, NULL);
1329 req->rq_reqbuf->lm_secflvr = req->rq_flvr.sf_rpc;
1331 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, msgsize);
1332 LASSERT(req->rq_reqmsg);
1334 /* pack user desc here, later we might leave current user's process */
1335 if (req->rq_pack_udesc)
1336 sptlrpc_pack_user_desc(req->rq_reqbuf, 2);
1342 int gss_alloc_reqbuf_priv(struct ptlrpc_sec *sec,
1343 struct ptlrpc_request *req,
1346 __u32 ibuflens[3], wbuflens[2];
1348 int clearsize, wiresize;
1351 LASSERT(req->rq_clrbuf == NULL);
1352 LASSERT(req->rq_clrbuf_len == 0);
1354 /* Inner (clear) buffers
1356 * - user descriptor (optional)
1357 * - bulk checksum (optional)
1360 ibuflens[0] = msgsize;
1362 if (req->rq_pack_udesc)
1363 ibuflens[ibufcnt++] = sptlrpc_current_user_desc_size();
1364 if (req->rq_pack_bulk)
1365 ibuflens[ibufcnt++] = gss_cli_bulk_payload(req->rq_cli_ctx,
1369 clearsize = lustre_msg_size_v2(ibufcnt, ibuflens);
1370 /* to allow append padding during encryption */
1371 clearsize += GSS_MAX_CIPHER_BLOCK;
1373 /* Wrapper (wire) buffers
1377 wbuflens[0] = PTLRPC_GSS_HEADER_SIZE;
1378 wbuflens[1] = gss_cli_payload(req->rq_cli_ctx, clearsize, 1);
1379 wiresize = lustre_msg_size_v2(2, wbuflens);
1382 /* rq_reqbuf is preallocated */
1383 LASSERT(req->rq_reqbuf);
1384 LASSERT(req->rq_reqbuf_len >= wiresize);
1386 memset(req->rq_reqbuf, 0, req->rq_reqbuf_len);
1388 /* if the pre-allocated buffer is big enough, we just pack
1389 * both clear buf & request buf in it, to avoid more alloc. */
1390 if (clearsize + wiresize <= req->rq_reqbuf_len) {
1392 (void *) (((char *) req->rq_reqbuf) + wiresize);
1394 CWARN("pre-allocated buf size %d is not enough for "
1395 "both clear (%d) and cipher (%d) text, proceed "
1396 "with extra allocation\n", req->rq_reqbuf_len,
1397 clearsize, wiresize);
1401 if (!req->rq_clrbuf) {
1402 clearsize = size_roundup_power2(clearsize);
1404 OBD_ALLOC_LARGE(req->rq_clrbuf, clearsize);
1405 if (!req->rq_clrbuf)
1408 req->rq_clrbuf_len = clearsize;
1410 lustre_init_msg_v2(req->rq_clrbuf, ibufcnt, ibuflens, NULL);
1411 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, msgsize);
1413 if (req->rq_pack_udesc)
1414 sptlrpc_pack_user_desc(req->rq_clrbuf, 1);
1420 * NOTE: any change of request buffer allocation should also consider
1421 * changing enlarge_reqbuf() series functions.
1423 int gss_alloc_reqbuf(struct ptlrpc_sec *sec,
1424 struct ptlrpc_request *req,
1427 int svc = SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc);
1429 LASSERT(!req->rq_pack_bulk ||
1430 (req->rq_bulk_read || req->rq_bulk_write));
1433 case SPTLRPC_SVC_NULL:
1434 case SPTLRPC_SVC_AUTH:
1435 case SPTLRPC_SVC_INTG:
1436 return gss_alloc_reqbuf_intg(sec, req, svc, msgsize);
1437 case SPTLRPC_SVC_PRIV:
1438 return gss_alloc_reqbuf_priv(sec, req, msgsize);
1440 LASSERTF(0, "bad rpc flavor %x\n", req->rq_flvr.sf_rpc);
1445 void gss_free_reqbuf(struct ptlrpc_sec *sec,
1446 struct ptlrpc_request *req)
1451 LASSERT(!req->rq_pool || req->rq_reqbuf);
1452 privacy = SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc) == SPTLRPC_SVC_PRIV;
1454 if (!req->rq_clrbuf)
1455 goto release_reqbuf;
1457 /* release clear buffer */
1459 LASSERT(req->rq_clrbuf_len);
1461 if (req->rq_pool == NULL ||
1462 req->rq_clrbuf < req->rq_reqbuf ||
1463 (char *) req->rq_clrbuf >=
1464 (char *) req->rq_reqbuf + req->rq_reqbuf_len)
1465 OBD_FREE_LARGE(req->rq_clrbuf, req->rq_clrbuf_len);
1467 req->rq_clrbuf = NULL;
1468 req->rq_clrbuf_len = 0;
1471 if (!req->rq_pool && req->rq_reqbuf) {
1472 LASSERT(req->rq_reqbuf_len);
1474 OBD_FREE_LARGE(req->rq_reqbuf, req->rq_reqbuf_len);
1475 req->rq_reqbuf = NULL;
1476 req->rq_reqbuf_len = 0;
1482 static int do_alloc_repbuf(struct ptlrpc_request *req, int bufsize)
1484 bufsize = size_roundup_power2(bufsize);
1486 OBD_ALLOC_LARGE(req->rq_repbuf, bufsize);
1487 if (!req->rq_repbuf)
1490 req->rq_repbuf_len = bufsize;
1495 int gss_alloc_repbuf_intg(struct ptlrpc_sec *sec,
1496 struct ptlrpc_request *req,
1497 int svc, int msgsize)
1505 * on-wire data layout:
1508 * - bulk sec descriptor (optional)
1509 * - signature (optional)
1510 * - svc == NULL: NULL
1511 * - svc == AUTH: signature of gss header
1512 * - svc == INTG: signature of all above
1514 * if this is context negotiation, reserver fixed space
1515 * at the last (signature) segment regardless of svc mode.
1518 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1519 txtsize = buflens[0];
1521 buflens[1] = msgsize;
1522 if (svc == SPTLRPC_SVC_INTG)
1523 txtsize += buflens[1];
1525 if (req->rq_pack_bulk) {
1526 buflens[bufcnt] = gss_cli_bulk_payload(req->rq_cli_ctx,
1528 1, req->rq_bulk_read);
1529 if (svc == SPTLRPC_SVC_INTG)
1530 txtsize += buflens[bufcnt];
1534 if (req->rq_ctx_init)
1535 buflens[bufcnt++] = GSS_CTX_INIT_MAX_LEN;
1536 else if (svc != SPTLRPC_SVC_NULL)
1537 buflens[bufcnt++] = gss_cli_payload(req->rq_cli_ctx, txtsize,0);
1539 alloc_size = lustre_msg_size_v2(bufcnt, buflens);
1541 /* add space for early reply */
1542 alloc_size += gss_at_reply_off_integ;
1544 return do_alloc_repbuf(req, alloc_size);
1548 int gss_alloc_repbuf_priv(struct ptlrpc_sec *sec,
1549 struct ptlrpc_request *req,
1559 buflens[0] = msgsize;
1561 if (req->rq_pack_bulk)
1562 buflens[bufcnt++] = gss_cli_bulk_payload(req->rq_cli_ctx,
1564 1, req->rq_bulk_read);
1565 txtsize = lustre_msg_size_v2(bufcnt, buflens);
1566 txtsize += GSS_MAX_CIPHER_BLOCK;
1568 /* wrapper buffers */
1570 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1571 buflens[1] = gss_cli_payload(req->rq_cli_ctx, txtsize, 1);
1573 alloc_size = lustre_msg_size_v2(bufcnt, buflens);
1574 /* add space for early reply */
1575 alloc_size += gss_at_reply_off_priv;
1577 return do_alloc_repbuf(req, alloc_size);
1580 int gss_alloc_repbuf(struct ptlrpc_sec *sec,
1581 struct ptlrpc_request *req,
1584 int svc = SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc);
1587 LASSERT(!req->rq_pack_bulk ||
1588 (req->rq_bulk_read || req->rq_bulk_write));
1591 case SPTLRPC_SVC_NULL:
1592 case SPTLRPC_SVC_AUTH:
1593 case SPTLRPC_SVC_INTG:
1594 return gss_alloc_repbuf_intg(sec, req, svc, msgsize);
1595 case SPTLRPC_SVC_PRIV:
1596 return gss_alloc_repbuf_priv(sec, req, msgsize);
1598 LASSERTF(0, "bad rpc flavor %x\n", req->rq_flvr.sf_rpc);
1603 void gss_free_repbuf(struct ptlrpc_sec *sec,
1604 struct ptlrpc_request *req)
1606 OBD_FREE_LARGE(req->rq_repbuf, req->rq_repbuf_len);
1607 req->rq_repbuf = NULL;
1608 req->rq_repbuf_len = 0;
1609 req->rq_repdata = NULL;
1610 req->rq_repdata_len = 0;
1613 static int get_enlarged_msgsize(struct lustre_msg *msg,
1614 int segment, int newsize)
1616 int save, newmsg_size;
1618 LASSERT(newsize >= msg->lm_buflens[segment]);
1620 save = msg->lm_buflens[segment];
1621 msg->lm_buflens[segment] = newsize;
1622 newmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1623 msg->lm_buflens[segment] = save;
1628 static int get_enlarged_msgsize2(struct lustre_msg *msg,
1629 int segment1, int newsize1,
1630 int segment2, int newsize2)
1632 int save1, save2, newmsg_size;
1634 LASSERT(newsize1 >= msg->lm_buflens[segment1]);
1635 LASSERT(newsize2 >= msg->lm_buflens[segment2]);
1637 save1 = msg->lm_buflens[segment1];
1638 save2 = msg->lm_buflens[segment2];
1639 msg->lm_buflens[segment1] = newsize1;
1640 msg->lm_buflens[segment2] = newsize2;
1641 newmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1642 msg->lm_buflens[segment1] = save1;
1643 msg->lm_buflens[segment2] = save2;
1649 int gss_enlarge_reqbuf_intg(struct ptlrpc_sec *sec,
1650 struct ptlrpc_request *req,
1652 int segment, int newsize)
1654 struct lustre_msg *newbuf;
1655 int txtsize, sigsize = 0, i;
1656 int newmsg_size, newbuf_size;
1659 * gss header is at seg 0;
1660 * embedded msg is at seg 1;
1661 * signature (if any) is at the last seg
1663 LASSERT(req->rq_reqbuf);
1664 LASSERT(req->rq_reqbuf_len > req->rq_reqlen);
1665 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
1666 LASSERT(lustre_msg_buf(req->rq_reqbuf, 1, 0) == req->rq_reqmsg);
1668 /* 1. compute new embedded msg size */
1669 newmsg_size = get_enlarged_msgsize(req->rq_reqmsg, segment, newsize);
1670 LASSERT(newmsg_size >= req->rq_reqbuf->lm_buflens[1]);
1672 /* 2. compute new wrapper msg size */
1673 if (svc == SPTLRPC_SVC_NULL) {
1674 /* no signature, get size directly */
1675 newbuf_size = get_enlarged_msgsize(req->rq_reqbuf,
1678 txtsize = req->rq_reqbuf->lm_buflens[0];
1680 if (svc == SPTLRPC_SVC_INTG) {
1681 for (i = 1; i < req->rq_reqbuf->lm_bufcount; i++)
1682 txtsize += req->rq_reqbuf->lm_buflens[i];
1683 txtsize += newmsg_size - req->rq_reqbuf->lm_buflens[1];
1686 sigsize = gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1687 LASSERT(sigsize >= msg_last_seglen(req->rq_reqbuf));
1689 newbuf_size = get_enlarged_msgsize2(
1692 msg_last_segidx(req->rq_reqbuf),
1696 /* request from pool should always have enough buffer */
1697 LASSERT(!req->rq_pool || req->rq_reqbuf_len >= newbuf_size);
1699 if (req->rq_reqbuf_len < newbuf_size) {
1700 newbuf_size = size_roundup_power2(newbuf_size);
1702 OBD_ALLOC_LARGE(newbuf, newbuf_size);
1706 /* Must lock this, so that otherwise unprotected change of
1707 * rq_reqmsg is not racing with parallel processing of
1708 * imp_replay_list traversing threads. See LU-3333
1709 * This is a bandaid at best, we really need to deal with this
1710 * in request enlarging code before unpacking that's already
1713 spin_lock(&req->rq_import->imp_lock);
1715 memcpy(newbuf, req->rq_reqbuf, req->rq_reqbuf_len);
1717 OBD_FREE_LARGE(req->rq_reqbuf, req->rq_reqbuf_len);
1718 req->rq_reqbuf = newbuf;
1719 req->rq_reqbuf_len = newbuf_size;
1720 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, 0);
1723 spin_unlock(&req->rq_import->imp_lock);
1726 /* do enlargement, from wrapper to embedded, from end to begin */
1727 if (svc != SPTLRPC_SVC_NULL)
1728 _sptlrpc_enlarge_msg_inplace(req->rq_reqbuf,
1729 msg_last_segidx(req->rq_reqbuf),
1732 _sptlrpc_enlarge_msg_inplace(req->rq_reqbuf, 1, newmsg_size);
1733 _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize);
1735 req->rq_reqlen = newmsg_size;
1740 int gss_enlarge_reqbuf_priv(struct ptlrpc_sec *sec,
1741 struct ptlrpc_request *req,
1742 int segment, int newsize)
1744 struct lustre_msg *newclrbuf;
1745 int newmsg_size, newclrbuf_size, newcipbuf_size;
1749 * embedded msg is at seg 0 of clear buffer;
1750 * cipher text is at seg 2 of cipher buffer;
1752 LASSERT(req->rq_pool ||
1753 (req->rq_reqbuf == NULL && req->rq_reqbuf_len == 0));
1754 LASSERT(req->rq_reqbuf == NULL ||
1755 (req->rq_pool && req->rq_reqbuf->lm_bufcount == 3));
1756 LASSERT(req->rq_clrbuf);
1757 LASSERT(req->rq_clrbuf_len > req->rq_reqlen);
1758 LASSERT(lustre_msg_buf(req->rq_clrbuf, 0, 0) == req->rq_reqmsg);
1760 /* compute new embedded msg size */
1761 newmsg_size = get_enlarged_msgsize(req->rq_reqmsg, segment, newsize);
1763 /* compute new clear buffer size */
1764 newclrbuf_size = get_enlarged_msgsize(req->rq_clrbuf, 0, newmsg_size);
1765 newclrbuf_size += GSS_MAX_CIPHER_BLOCK;
1767 /* compute new cipher buffer size */
1768 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1769 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1770 buflens[2] = gss_cli_payload(req->rq_cli_ctx, newclrbuf_size, 1);
1771 newcipbuf_size = lustre_msg_size_v2(3, buflens);
1773 /* handle the case that we put both clear buf and cipher buf into
1774 * pre-allocated single buffer. */
1775 if (unlikely(req->rq_pool) &&
1776 req->rq_clrbuf >= req->rq_reqbuf &&
1777 (char *) req->rq_clrbuf <
1778 (char *) req->rq_reqbuf + req->rq_reqbuf_len) {
1779 /* it couldn't be better we still fit into the
1780 * pre-allocated buffer. */
1781 if (newclrbuf_size + newcipbuf_size <= req->rq_reqbuf_len) {
1785 spin_lock(&req->rq_import->imp_lock);
1786 /* move clear text backward. */
1787 src = req->rq_clrbuf;
1788 dst = (char *) req->rq_reqbuf + newcipbuf_size;
1790 memmove(dst, src, req->rq_clrbuf_len);
1792 req->rq_clrbuf = (struct lustre_msg *) dst;
1793 req->rq_clrbuf_len = newclrbuf_size;
1794 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, 0);
1797 spin_unlock(&req->rq_import->imp_lock);
1799 /* sadly we have to split out the clear buffer */
1800 LASSERT(req->rq_reqbuf_len >= newcipbuf_size);
1801 LASSERT(req->rq_clrbuf_len < newclrbuf_size);
1805 if (req->rq_clrbuf_len < newclrbuf_size) {
1806 newclrbuf_size = size_roundup_power2(newclrbuf_size);
1808 OBD_ALLOC_LARGE(newclrbuf, newclrbuf_size);
1809 if (newclrbuf == NULL)
1812 /* Must lock this, so that otherwise unprotected change of
1813 * rq_reqmsg is not racing with parallel processing of
1814 * imp_replay_list traversing threads. See LU-3333
1815 * This is a bandaid at best, we really need to deal with this
1816 * in request enlarging code before unpacking that's already
1819 spin_lock(&req->rq_import->imp_lock);
1821 memcpy(newclrbuf, req->rq_clrbuf, req->rq_clrbuf_len);
1823 if (req->rq_reqbuf == NULL ||
1824 req->rq_clrbuf < req->rq_reqbuf ||
1825 (char *) req->rq_clrbuf >=
1826 (char *) req->rq_reqbuf + req->rq_reqbuf_len) {
1827 OBD_FREE_LARGE(req->rq_clrbuf, req->rq_clrbuf_len);
1830 req->rq_clrbuf = newclrbuf;
1831 req->rq_clrbuf_len = newclrbuf_size;
1832 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, 0);
1835 spin_unlock(&req->rq_import->imp_lock);
1838 _sptlrpc_enlarge_msg_inplace(req->rq_clrbuf, 0, newmsg_size);
1839 _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize);
1840 req->rq_reqlen = newmsg_size;
1845 int gss_enlarge_reqbuf(struct ptlrpc_sec *sec,
1846 struct ptlrpc_request *req,
1847 int segment, int newsize)
1849 int svc = SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc);
1851 LASSERT(!req->rq_ctx_init && !req->rq_ctx_fini);
1854 case SPTLRPC_SVC_NULL:
1855 case SPTLRPC_SVC_AUTH:
1856 case SPTLRPC_SVC_INTG:
1857 return gss_enlarge_reqbuf_intg(sec, req, svc, segment, newsize);
1858 case SPTLRPC_SVC_PRIV:
1859 return gss_enlarge_reqbuf_priv(sec, req, segment, newsize);
1861 LASSERTF(0, "bad rpc flavor %x\n", req->rq_flvr.sf_rpc);
1866 int gss_sec_install_rctx(struct obd_import *imp,
1867 struct ptlrpc_sec *sec,
1868 struct ptlrpc_cli_ctx *ctx)
1870 struct gss_sec *gsec;
1871 struct gss_cli_ctx *gctx;
1874 gsec = container_of(sec, struct gss_sec, gs_base);
1875 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
1877 rc = gss_install_rvs_svc_ctx(imp, gsec, gctx);
1881 /********************************************
1883 ********************************************/
1886 int gss_svc_reqctx_is_special(struct gss_svc_reqctx *grctx)
1889 return (grctx->src_init || grctx->src_init_continue ||
1890 grctx->src_err_notify);
1894 void gss_svc_reqctx_free(struct gss_svc_reqctx *grctx)
1897 gss_svc_upcall_put_ctx(grctx->src_ctx);
1899 sptlrpc_policy_put(grctx->src_base.sc_policy);
1900 OBD_FREE_PTR(grctx);
1904 void gss_svc_reqctx_addref(struct gss_svc_reqctx *grctx)
1906 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1907 atomic_inc(&grctx->src_base.sc_refcount);
1911 void gss_svc_reqctx_decref(struct gss_svc_reqctx *grctx)
1913 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1915 if (atomic_dec_and_test(&grctx->src_base.sc_refcount))
1916 gss_svc_reqctx_free(grctx);
1920 int gss_svc_sign(struct ptlrpc_request *req,
1921 struct ptlrpc_reply_state *rs,
1922 struct gss_svc_reqctx *grctx,
1929 LASSERT(rs->rs_msg == lustre_msg_buf(rs->rs_repbuf, 1, 0));
1931 /* embedded lustre_msg might have been shrunk */
1932 if (req->rq_replen != rs->rs_repbuf->lm_buflens[1])
1933 lustre_shrink_msg(rs->rs_repbuf, 1, req->rq_replen, 1);
1935 if (req->rq_pack_bulk)
1936 flags |= LUSTRE_GSS_PACK_BULK;
1938 rc = gss_sign_msg(rs->rs_repbuf, grctx->src_ctx->gsc_mechctx,
1939 LUSTRE_SP_ANY, flags, PTLRPC_GSS_PROC_DATA,
1940 grctx->src_wirectx.gw_seq, svc, NULL);
1944 rs->rs_repdata_len = rc;
1946 if (likely(req->rq_packed_final)) {
1947 if (lustre_msghdr_get_flags(req->rq_reqmsg) & MSGHDR_AT_SUPPORT)
1948 req->rq_reply_off = gss_at_reply_off_integ;
1950 req->rq_reply_off = 0;
1952 if (svc == SPTLRPC_SVC_NULL)
1953 rs->rs_repbuf->lm_cksum = crc32_le(!(__u32) 0,
1954 lustre_msg_buf(rs->rs_repbuf, 1, 0),
1955 lustre_msg_buflen(rs->rs_repbuf, 1));
1956 req->rq_reply_off = 0;
1962 int gss_pack_err_notify(struct ptlrpc_request *req, __u32 major, __u32 minor)
1964 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1965 struct ptlrpc_reply_state *rs;
1966 struct gss_err_header *ghdr;
1967 int replen = sizeof(struct ptlrpc_body);
1971 //if (OBD_FAIL_CHECK_ORSET(OBD_FAIL_SVCGSS_ERR_NOTIFY, OBD_FAIL_ONCE))
1974 grctx->src_err_notify = 1;
1975 grctx->src_reserve_len = 0;
1977 rc = lustre_pack_reply_v2(req, 1, &replen, NULL, 0);
1979 CERROR("could not pack reply, err %d\n", rc);
1984 rs = req->rq_reply_state;
1985 LASSERT(rs->rs_repbuf->lm_buflens[1] >= sizeof(*ghdr));
1986 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
1987 ghdr->gh_version = PTLRPC_GSS_VERSION;
1989 ghdr->gh_proc = PTLRPC_GSS_PROC_ERR;
1990 ghdr->gh_major = major;
1991 ghdr->gh_minor = minor;
1992 ghdr->gh_handle.len = 0; /* fake context handle */
1994 rs->rs_repdata_len = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
1995 rs->rs_repbuf->lm_buflens);
1997 CDEBUG(D_SEC, "prepare gss error notify(0x%x/0x%x) to %s\n",
1998 major, minor, libcfs_nid2str(req->rq_peer.nid));
2003 int gss_svc_handle_init(struct ptlrpc_request *req,
2004 struct gss_wire_ctx *gw)
2006 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2007 struct lustre_msg *reqbuf = req->rq_reqbuf;
2008 struct obd_uuid *uuid;
2009 struct obd_device *target;
2010 rawobj_t uuid_obj, rvs_hdl, in_token;
2012 __u32 *secdata, seclen;
2016 CDEBUG(D_SEC, "processing gss init(%d) request from %s\n", gw->gw_proc,
2017 libcfs_nid2str(req->rq_peer.nid));
2019 req->rq_ctx_init = 1;
2021 if (gw->gw_flags & LUSTRE_GSS_PACK_BULK) {
2022 CERROR("unexpected bulk flag\n");
2023 RETURN(SECSVC_DROP);
2026 if (gw->gw_proc == PTLRPC_GSS_PROC_INIT && gw->gw_handle.len != 0) {
2027 CERROR("proc %u: invalid handle length %u\n",
2028 gw->gw_proc, gw->gw_handle.len);
2029 RETURN(SECSVC_DROP);
2032 if (reqbuf->lm_bufcount < 3 || reqbuf->lm_bufcount > 4){
2033 CERROR("Invalid bufcount %d\n", reqbuf->lm_bufcount);
2034 RETURN(SECSVC_DROP);
2037 swabbed = ptlrpc_req_need_swab(req);
2039 /* ctx initiate payload is in last segment */
2040 secdata = lustre_msg_buf(reqbuf, reqbuf->lm_bufcount - 1, 0);
2041 seclen = reqbuf->lm_buflens[reqbuf->lm_bufcount - 1];
2043 if (seclen < 4 + 4) {
2044 CERROR("sec size %d too small\n", seclen);
2045 RETURN(SECSVC_DROP);
2048 /* lustre svc type */
2049 lustre_svc = le32_to_cpu(*secdata++);
2052 /* extract target uuid, note this code is somewhat fragile
2053 * because touched internal structure of obd_uuid */
2054 if (rawobj_extract(&uuid_obj, &secdata, &seclen)) {
2055 CERROR("failed to extract target uuid\n");
2056 RETURN(SECSVC_DROP);
2058 uuid_obj.data[uuid_obj.len - 1] = '\0';
2060 uuid = (struct obd_uuid *) uuid_obj.data;
2061 target = class_uuid2obd(uuid);
2062 if (!target || target->obd_stopping || !target->obd_set_up) {
2063 CERROR("target '%s' is not available for context init (%s)\n",
2064 uuid->uuid, target == NULL ? "no target" :
2065 (target->obd_stopping ? "stopping" : "not set up"));
2066 RETURN(SECSVC_DROP);
2069 /* extract reverse handle */
2070 if (rawobj_extract(&rvs_hdl, &secdata, &seclen)) {
2071 CERROR("failed extract reverse handle\n");
2072 RETURN(SECSVC_DROP);
2076 if (rawobj_extract(&in_token, &secdata, &seclen)) {
2077 CERROR("can't extract token\n");
2078 RETURN(SECSVC_DROP);
2081 rc = gss_svc_upcall_handle_init(req, grctx, gw, target, lustre_svc,
2082 &rvs_hdl, &in_token);
2083 if (rc != SECSVC_OK)
2086 if (grctx->src_ctx->gsc_usr_mds || grctx->src_ctx->gsc_usr_oss ||
2087 grctx->src_ctx->gsc_usr_root)
2088 CWARN("create svc ctx %p: user from %s authenticated as %s\n",
2089 grctx->src_ctx, libcfs_nid2str(req->rq_peer.nid),
2090 grctx->src_ctx->gsc_usr_mds ? "mds" :
2091 (grctx->src_ctx->gsc_usr_oss ? "oss" : "root"));
2093 CWARN("create svc ctx %p: accept user %u from %s\n",
2094 grctx->src_ctx, grctx->src_ctx->gsc_uid,
2095 libcfs_nid2str(req->rq_peer.nid));
2097 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2098 if (reqbuf->lm_bufcount < 4) {
2099 CERROR("missing user descriptor\n");
2100 RETURN(SECSVC_DROP);
2102 if (sptlrpc_unpack_user_desc(reqbuf, 2, swabbed)) {
2103 CERROR("Mal-formed user descriptor\n");
2104 RETURN(SECSVC_DROP);
2107 req->rq_pack_udesc = 1;
2108 req->rq_user_desc = lustre_msg_buf(reqbuf, 2, 0);
2111 req->rq_reqmsg = lustre_msg_buf(reqbuf, 1, 0);
2112 req->rq_reqlen = lustre_msg_buflen(reqbuf, 1);
2118 * last segment must be the gss signature.
2121 int gss_svc_verify_request(struct ptlrpc_request *req,
2122 struct gss_svc_reqctx *grctx,
2123 struct gss_wire_ctx *gw,
2126 struct gss_svc_ctx *gctx = grctx->src_ctx;
2127 struct lustre_msg *msg = req->rq_reqbuf;
2132 *major = GSS_S_COMPLETE;
2134 if (msg->lm_bufcount < 2) {
2135 CERROR("Too few segments (%u) in request\n", msg->lm_bufcount);
2139 if (gw->gw_svc == SPTLRPC_SVC_NULL)
2142 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
2143 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
2144 *major = GSS_S_DUPLICATE_TOKEN;
2148 *major = gss_verify_msg(msg, gctx->gsc_mechctx, gw->gw_svc);
2149 if (*major != GSS_S_COMPLETE) {
2150 CERROR("failed to verify request: %x\n", *major);
2154 if (gctx->gsc_reverse == 0 &&
2155 gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
2156 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
2157 *major = GSS_S_DUPLICATE_TOKEN;
2162 swabbed = ptlrpc_req_need_swab(req);
2164 /* user descriptor */
2165 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2166 if (msg->lm_bufcount < (offset + 1)) {
2167 CERROR("no user desc included\n");
2171 if (sptlrpc_unpack_user_desc(msg, offset, swabbed)) {
2172 CERROR("Mal-formed user descriptor\n");
2176 req->rq_pack_udesc = 1;
2177 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
2181 /* check bulk_sec_desc data */
2182 if (gw->gw_flags & LUSTRE_GSS_PACK_BULK) {
2183 if (msg->lm_bufcount < (offset + 1)) {
2184 CERROR("missing bulk sec descriptor\n");
2188 if (bulk_sec_desc_unpack(msg, offset, swabbed))
2191 req->rq_pack_bulk = 1;
2192 grctx->src_reqbsd = lustre_msg_buf(msg, offset, 0);
2193 grctx->src_reqbsd_size = lustre_msg_buflen(msg, offset);
2196 req->rq_reqmsg = lustre_msg_buf(msg, 1, 0);
2197 req->rq_reqlen = msg->lm_buflens[1];
2202 int gss_svc_unseal_request(struct ptlrpc_request *req,
2203 struct gss_svc_reqctx *grctx,
2204 struct gss_wire_ctx *gw,
2207 struct gss_svc_ctx *gctx = grctx->src_ctx;
2208 struct lustre_msg *msg = req->rq_reqbuf;
2209 int swabbed, msglen, offset = 1;
2212 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
2213 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
2214 *major = GSS_S_DUPLICATE_TOKEN;
2218 *major = gss_unseal_msg(gctx->gsc_mechctx, msg,
2219 &msglen, req->rq_reqdata_len);
2220 if (*major != GSS_S_COMPLETE) {
2221 CERROR("failed to unwrap request: %x\n", *major);
2225 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
2226 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
2227 *major = GSS_S_DUPLICATE_TOKEN;
2231 swabbed = __lustre_unpack_msg(msg, msglen);
2233 CERROR("Failed to unpack after decryption\n");
2236 req->rq_reqdata_len = msglen;
2238 if (msg->lm_bufcount < 1) {
2239 CERROR("Invalid buffer: is empty\n");
2243 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2244 if (msg->lm_bufcount < offset + 1) {
2245 CERROR("no user descriptor included\n");
2249 if (sptlrpc_unpack_user_desc(msg, offset, swabbed)) {
2250 CERROR("Mal-formed user descriptor\n");
2254 req->rq_pack_udesc = 1;
2255 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
2259 if (gw->gw_flags & LUSTRE_GSS_PACK_BULK) {
2260 if (msg->lm_bufcount < offset + 1) {
2261 CERROR("no bulk checksum included\n");
2265 if (bulk_sec_desc_unpack(msg, offset, swabbed))
2268 req->rq_pack_bulk = 1;
2269 grctx->src_reqbsd = lustre_msg_buf(msg, offset, 0);
2270 grctx->src_reqbsd_size = lustre_msg_buflen(msg, offset);
2273 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 0, 0);
2274 req->rq_reqlen = req->rq_reqbuf->lm_buflens[0];
2279 int gss_svc_handle_data(struct ptlrpc_request *req,
2280 struct gss_wire_ctx *gw)
2282 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2287 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
2288 if (!grctx->src_ctx) {
2289 major = GSS_S_NO_CONTEXT;
2293 switch (gw->gw_svc) {
2294 case SPTLRPC_SVC_NULL:
2295 case SPTLRPC_SVC_AUTH:
2296 case SPTLRPC_SVC_INTG:
2297 rc = gss_svc_verify_request(req, grctx, gw, &major);
2299 case SPTLRPC_SVC_PRIV:
2300 rc = gss_svc_unseal_request(req, grctx, gw, &major);
2303 CERROR("unsupported gss service %d\n", gw->gw_svc);
2310 CERROR("svc %u failed: major 0x%08x: req xid "LPU64" ctx %p idx "
2311 LPX64"(%u->%s)\n", gw->gw_svc, major, req->rq_xid,
2312 grctx->src_ctx, gss_handle_to_u64(&gw->gw_handle),
2313 grctx->src_ctx->gsc_uid, libcfs_nid2str(req->rq_peer.nid));
2315 /* we only notify client in case of NO_CONTEXT/BAD_SIG, which
2316 * might happen after server reboot, to allow recovery. */
2317 if ((major == GSS_S_NO_CONTEXT || major == GSS_S_BAD_SIG) &&
2318 gss_pack_err_notify(req, major, 0) == 0)
2319 RETURN(SECSVC_COMPLETE);
2321 RETURN(SECSVC_DROP);
2325 int gss_svc_handle_destroy(struct ptlrpc_request *req,
2326 struct gss_wire_ctx *gw)
2328 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2332 req->rq_ctx_fini = 1;
2333 req->rq_no_reply = 1;
2335 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
2336 if (!grctx->src_ctx) {
2337 CDEBUG(D_SEC, "invalid gss context handle for destroy.\n");
2338 RETURN(SECSVC_DROP);
2341 if (gw->gw_svc != SPTLRPC_SVC_INTG) {
2342 CERROR("svc %u is not supported in destroy.\n", gw->gw_svc);
2343 RETURN(SECSVC_DROP);
2346 if (gss_svc_verify_request(req, grctx, gw, &major))
2347 RETURN(SECSVC_DROP);
2349 CWARN("destroy svc ctx %p idx "LPX64" (%u->%s)\n",
2350 grctx->src_ctx, gss_handle_to_u64(&gw->gw_handle),
2351 grctx->src_ctx->gsc_uid, libcfs_nid2str(req->rq_peer.nid));
2353 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
2355 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2356 if (req->rq_reqbuf->lm_bufcount < 4) {
2357 CERROR("missing user descriptor, ignore it\n");
2360 if (sptlrpc_unpack_user_desc(req->rq_reqbuf, 2,
2361 ptlrpc_req_need_swab(req))) {
2362 CERROR("Mal-formed user descriptor, ignore it\n");
2366 req->rq_pack_udesc = 1;
2367 req->rq_user_desc = lustre_msg_buf(req->rq_reqbuf, 2, 0);
2373 int gss_svc_accept(struct ptlrpc_sec_policy *policy, struct ptlrpc_request *req)
2375 struct gss_header *ghdr;
2376 struct gss_svc_reqctx *grctx;
2377 struct gss_wire_ctx *gw;
2381 LASSERT(req->rq_reqbuf);
2382 LASSERT(req->rq_svc_ctx == NULL);
2384 if (req->rq_reqbuf->lm_bufcount < 2) {
2385 CERROR("buf count only %d\n", req->rq_reqbuf->lm_bufcount);
2386 RETURN(SECSVC_DROP);
2389 swabbed = ptlrpc_req_need_swab(req);
2391 ghdr = gss_swab_header(req->rq_reqbuf, 0, swabbed);
2393 CERROR("can't decode gss header\n");
2394 RETURN(SECSVC_DROP);
2398 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
2399 CERROR("gss version %u, expect %u\n", ghdr->gh_version,
2400 PTLRPC_GSS_VERSION);
2401 RETURN(SECSVC_DROP);
2404 req->rq_sp_from = ghdr->gh_sp;
2406 /* alloc grctx data */
2407 OBD_ALLOC_PTR(grctx);
2409 RETURN(SECSVC_DROP);
2411 grctx->src_base.sc_policy = sptlrpc_policy_get(policy);
2412 atomic_set(&grctx->src_base.sc_refcount, 1);
2413 req->rq_svc_ctx = &grctx->src_base;
2414 gw = &grctx->src_wirectx;
2416 /* save wire context */
2417 gw->gw_flags = ghdr->gh_flags;
2418 gw->gw_proc = ghdr->gh_proc;
2419 gw->gw_seq = ghdr->gh_seq;
2420 gw->gw_svc = ghdr->gh_svc;
2421 rawobj_from_netobj(&gw->gw_handle, &ghdr->gh_handle);
2423 /* keep original wire header which subject to checksum verification */
2425 gss_header_swabber(ghdr);
2427 switch(ghdr->gh_proc) {
2428 case PTLRPC_GSS_PROC_INIT:
2429 case PTLRPC_GSS_PROC_CONTINUE_INIT:
2430 rc = gss_svc_handle_init(req, gw);
2432 case PTLRPC_GSS_PROC_DATA:
2433 rc = gss_svc_handle_data(req, gw);
2435 case PTLRPC_GSS_PROC_DESTROY:
2436 rc = gss_svc_handle_destroy(req, gw);
2439 CERROR("unknown proc %u\n", gw->gw_proc);
2446 LASSERT (grctx->src_ctx);
2448 req->rq_auth_gss = 1;
2449 req->rq_auth_remote = grctx->src_ctx->gsc_remote;
2450 req->rq_auth_usr_mdt = grctx->src_ctx->gsc_usr_mds;
2451 req->rq_auth_usr_ost = grctx->src_ctx->gsc_usr_oss;
2452 req->rq_auth_usr_root = grctx->src_ctx->gsc_usr_root;
2453 req->rq_auth_uid = grctx->src_ctx->gsc_uid;
2454 req->rq_auth_mapped_uid = grctx->src_ctx->gsc_mapped_uid;
2456 case SECSVC_COMPLETE:
2459 gss_svc_reqctx_free(grctx);
2460 req->rq_svc_ctx = NULL;
2467 void gss_svc_invalidate_ctx(struct ptlrpc_svc_ctx *svc_ctx)
2469 struct gss_svc_reqctx *grctx;
2472 if (svc_ctx == NULL) {
2477 grctx = gss_svc_ctx2reqctx(svc_ctx);
2479 CWARN("gss svc invalidate ctx %p(%u)\n",
2480 grctx->src_ctx, grctx->src_ctx->gsc_uid);
2481 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
2487 int gss_svc_payload(struct gss_svc_reqctx *grctx, int early,
2488 int msgsize, int privacy)
2490 /* we should treat early reply normally, but which is actually sharing
2491 * the same ctx with original request, so in this case we should
2492 * ignore the special ctx's special flags */
2493 if (early == 0 && gss_svc_reqctx_is_special(grctx))
2494 return grctx->src_reserve_len;
2496 return gss_mech_payload(NULL, msgsize, privacy);
2499 static int gss_svc_bulk_payload(struct gss_svc_ctx *gctx,
2500 struct sptlrpc_flavor *flvr,
2503 int payload = sizeof(struct ptlrpc_bulk_sec_desc);
2506 switch (SPTLRPC_FLVR_BULK_SVC(flvr->sf_rpc)) {
2507 case SPTLRPC_BULK_SVC_NULL:
2509 case SPTLRPC_BULK_SVC_INTG:
2510 payload += gss_mech_payload(NULL, 0, 0);
2512 case SPTLRPC_BULK_SVC_PRIV:
2513 payload += gss_mech_payload(NULL, 0, 1);
2515 case SPTLRPC_BULK_SVC_AUTH:
2524 int gss_svc_alloc_rs(struct ptlrpc_request *req, int msglen)
2526 struct gss_svc_reqctx *grctx;
2527 struct ptlrpc_reply_state *rs;
2528 int early, privacy, svc, bsd_off = 0;
2529 __u32 ibuflens[2], buflens[4];
2530 int ibufcnt = 0, bufcnt;
2531 int txtsize, wmsg_size, rs_size;
2534 LASSERT(msglen % 8 == 0);
2536 if (req->rq_pack_bulk && !req->rq_bulk_read && !req->rq_bulk_write) {
2537 CERROR("client request bulk sec on non-bulk rpc\n");
2541 svc = SPTLRPC_FLVR_SVC(req->rq_flvr.sf_rpc);
2542 early = (req->rq_packed_final == 0);
2544 grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2545 if (!early && gss_svc_reqctx_is_special(grctx))
2548 privacy = (svc == SPTLRPC_SVC_PRIV);
2551 /* inner clear buffers */
2553 ibuflens[0] = msglen;
2555 if (req->rq_pack_bulk) {
2556 LASSERT(grctx->src_reqbsd);
2559 ibuflens[ibufcnt++] = gss_svc_bulk_payload(
2565 txtsize = lustre_msg_size_v2(ibufcnt, ibuflens);
2566 txtsize += GSS_MAX_CIPHER_BLOCK;
2568 /* wrapper buffer */
2570 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2571 buflens[1] = gss_svc_payload(grctx, early, txtsize, 1);
2574 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2575 buflens[1] = msglen;
2577 txtsize = buflens[0];
2578 if (svc == SPTLRPC_SVC_INTG)
2579 txtsize += buflens[1];
2581 if (req->rq_pack_bulk) {
2582 LASSERT(grctx->src_reqbsd);
2585 buflens[bufcnt] = gss_svc_bulk_payload(
2589 if (svc == SPTLRPC_SVC_INTG)
2590 txtsize += buflens[bufcnt];
2594 if ((!early && gss_svc_reqctx_is_special(grctx)) ||
2595 svc != SPTLRPC_SVC_NULL)
2596 buflens[bufcnt++] = gss_svc_payload(grctx, early,
2600 wmsg_size = lustre_msg_size_v2(bufcnt, buflens);
2602 rs_size = sizeof(*rs) + wmsg_size;
2603 rs = req->rq_reply_state;
2607 LASSERT(rs->rs_size >= rs_size);
2609 OBD_ALLOC_LARGE(rs, rs_size);
2613 rs->rs_size = rs_size;
2616 rs->rs_repbuf = (struct lustre_msg *) (rs + 1);
2617 rs->rs_repbuf_len = wmsg_size;
2619 /* initialize the buffer */
2621 lustre_init_msg_v2(rs->rs_repbuf, ibufcnt, ibuflens, NULL);
2622 rs->rs_msg = lustre_msg_buf(rs->rs_repbuf, 0, msglen);
2624 lustre_init_msg_v2(rs->rs_repbuf, bufcnt, buflens, NULL);
2625 rs->rs_repbuf->lm_secflvr = req->rq_flvr.sf_rpc;
2627 rs->rs_msg = lustre_msg_buf(rs->rs_repbuf, 1, 0);
2631 grctx->src_repbsd = lustre_msg_buf(rs->rs_repbuf, bsd_off, 0);
2632 grctx->src_repbsd_size = lustre_msg_buflen(rs->rs_repbuf,
2636 gss_svc_reqctx_addref(grctx);
2637 rs->rs_svc_ctx = req->rq_svc_ctx;
2639 LASSERT(rs->rs_msg);
2640 req->rq_reply_state = rs;
2644 static int gss_svc_seal(struct ptlrpc_request *req,
2645 struct ptlrpc_reply_state *rs,
2646 struct gss_svc_reqctx *grctx)
2648 struct gss_svc_ctx *gctx = grctx->src_ctx;
2649 rawobj_t hdrobj, msgobj, token;
2650 struct gss_header *ghdr;
2653 __u32 buflens[2], major;
2657 /* get clear data length. note embedded lustre_msg might
2658 * have been shrunk */
2659 if (req->rq_replen != lustre_msg_buflen(rs->rs_repbuf, 0))
2660 msglen = lustre_shrink_msg(rs->rs_repbuf, 0, req->rq_replen, 1);
2662 msglen = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
2663 rs->rs_repbuf->lm_buflens);
2665 /* temporarily use tail of buffer to hold gss header data */
2666 LASSERT(msglen + PTLRPC_GSS_HEADER_SIZE <= rs->rs_repbuf_len);
2667 ghdr = (struct gss_header *) ((char *) rs->rs_repbuf +
2668 rs->rs_repbuf_len - PTLRPC_GSS_HEADER_SIZE);
2669 ghdr->gh_version = PTLRPC_GSS_VERSION;
2670 ghdr->gh_sp = LUSTRE_SP_ANY;
2672 ghdr->gh_proc = PTLRPC_GSS_PROC_DATA;
2673 ghdr->gh_seq = grctx->src_wirectx.gw_seq;
2674 ghdr->gh_svc = SPTLRPC_SVC_PRIV;
2675 ghdr->gh_handle.len = 0;
2676 if (req->rq_pack_bulk)
2677 ghdr->gh_flags |= LUSTRE_GSS_PACK_BULK;
2679 /* allocate temporary cipher buffer */
2680 token_buflen = gss_mech_payload(gctx->gsc_mechctx, msglen, 1);
2681 OBD_ALLOC_LARGE(token_buf, token_buflen);
2682 if (token_buf == NULL)
2685 hdrobj.len = PTLRPC_GSS_HEADER_SIZE;
2686 hdrobj.data = (__u8 *) ghdr;
2687 msgobj.len = msglen;
2688 msgobj.data = (__u8 *) rs->rs_repbuf;
2689 token.len = token_buflen;
2690 token.data = token_buf;
2692 major = lgss_wrap(gctx->gsc_mechctx, &hdrobj, &msgobj,
2693 rs->rs_repbuf_len - PTLRPC_GSS_HEADER_SIZE, &token);
2694 if (major != GSS_S_COMPLETE) {
2695 CERROR("wrap message error: %08x\n", major);
2696 GOTO(out_free, rc = -EPERM);
2698 LASSERT(token.len <= token_buflen);
2700 /* we are about to override data at rs->rs_repbuf, nullify pointers
2701 * to which to catch further illegal usage. */
2702 if (req->rq_pack_bulk) {
2703 grctx->src_repbsd = NULL;
2704 grctx->src_repbsd_size = 0;
2707 /* now fill the actual wire data
2711 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2712 buflens[1] = token.len;
2714 rs->rs_repdata_len = lustre_msg_size_v2(2, buflens);
2715 LASSERT(rs->rs_repdata_len <= rs->rs_repbuf_len);
2717 lustre_init_msg_v2(rs->rs_repbuf, 2, buflens, NULL);
2718 rs->rs_repbuf->lm_secflvr = req->rq_flvr.sf_rpc;
2720 memcpy(lustre_msg_buf(rs->rs_repbuf, 0, 0), ghdr,
2721 PTLRPC_GSS_HEADER_SIZE);
2722 memcpy(lustre_msg_buf(rs->rs_repbuf, 1, 0), token.data, token.len);
2725 if (req->rq_packed_final &&
2726 (lustre_msghdr_get_flags(req->rq_reqmsg) & MSGHDR_AT_SUPPORT))
2727 req->rq_reply_off = gss_at_reply_off_priv;
2729 req->rq_reply_off = 0;
2731 /* to catch upper layer's further access */
2733 req->rq_repmsg = NULL;
2738 OBD_FREE_LARGE(token_buf, token_buflen);
2742 int gss_svc_authorize(struct ptlrpc_request *req)
2744 struct ptlrpc_reply_state *rs = req->rq_reply_state;
2745 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2746 struct gss_wire_ctx *gw = &grctx->src_wirectx;
2750 early = (req->rq_packed_final == 0);
2752 if (!early && gss_svc_reqctx_is_special(grctx)) {
2753 LASSERT(rs->rs_repdata_len != 0);
2755 req->rq_reply_off = gss_at_reply_off_integ;
2759 /* early reply could happen in many cases */
2761 gw->gw_proc != PTLRPC_GSS_PROC_DATA &&
2762 gw->gw_proc != PTLRPC_GSS_PROC_DESTROY) {
2763 CERROR("proc %d not support\n", gw->gw_proc);
2767 LASSERT(grctx->src_ctx);
2769 switch (gw->gw_svc) {
2770 case SPTLRPC_SVC_NULL:
2771 case SPTLRPC_SVC_AUTH:
2772 case SPTLRPC_SVC_INTG:
2773 rc = gss_svc_sign(req, rs, grctx, gw->gw_svc);
2775 case SPTLRPC_SVC_PRIV:
2776 rc = gss_svc_seal(req, rs, grctx);
2779 CERROR("Unknown service %d\n", gw->gw_svc);
2780 GOTO(out, rc = -EINVAL);
2788 void gss_svc_free_rs(struct ptlrpc_reply_state *rs)
2790 struct gss_svc_reqctx *grctx;
2792 LASSERT(rs->rs_svc_ctx);
2793 grctx = container_of(rs->rs_svc_ctx, struct gss_svc_reqctx, src_base);
2795 gss_svc_reqctx_decref(grctx);
2796 rs->rs_svc_ctx = NULL;
2798 if (!rs->rs_prealloc)
2799 OBD_FREE_LARGE(rs, rs->rs_size);
2802 void gss_svc_free_ctx(struct ptlrpc_svc_ctx *ctx)
2804 LASSERT(atomic_read(&ctx->sc_refcount) == 0);
2805 gss_svc_reqctx_free(gss_svc_ctx2reqctx(ctx));
2808 int gss_copy_rvc_cli_ctx(struct ptlrpc_cli_ctx *cli_ctx,
2809 struct ptlrpc_svc_ctx *svc_ctx)
2811 struct gss_cli_ctx *cli_gctx = ctx2gctx(cli_ctx);
2812 struct gss_svc_ctx *svc_gctx = gss_svc_ctx2gssctx(svc_ctx);
2813 struct gss_ctx *mechctx = NULL;
2816 LASSERT(svc_gctx && svc_gctx->gsc_mechctx);
2818 cli_gctx->gc_proc = PTLRPC_GSS_PROC_DATA;
2819 cli_gctx->gc_win = GSS_SEQ_WIN;
2821 /* The problem is the reverse ctx might get lost in some recovery
2822 * situations, and the same svc_ctx will be used to re-create it.
2823 * if there's callback be sentout before that, new reverse ctx start
2824 * with sequence 0 will lead to future callback rpc be treated as
2827 * each reverse root ctx will record its latest sequence number on its
2828 * buddy svcctx before be destroyed, so here we continue use it.
2830 atomic_set(&cli_gctx->gc_seq, svc_gctx->gsc_rvs_seq);
2832 if (gss_svc_upcall_dup_handle(&cli_gctx->gc_svc_handle, svc_gctx)) {
2833 CERROR("failed to dup svc handle\n");
2837 if (lgss_copy_reverse_context(svc_gctx->gsc_mechctx, &mechctx) !=
2839 CERROR("failed to copy mech context\n");
2840 goto err_svc_handle;
2843 if (rawobj_dup(&cli_gctx->gc_handle, &svc_gctx->gsc_rvs_hdl)) {
2844 CERROR("failed to dup reverse handle\n");
2848 cli_gctx->gc_mechctx = mechctx;
2849 gss_cli_ctx_uptodate(cli_gctx);
2854 lgss_delete_sec_context(&mechctx);
2856 rawobj_free(&cli_gctx->gc_svc_handle);
2861 static void gss_init_at_reply_offset(void)
2866 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2867 buflens[1] = lustre_msg_early_size();
2868 buflens[2] = gss_cli_payload(NULL, buflens[1], 0);
2869 gss_at_reply_off_integ = lustre_msg_size_v2(3, buflens);
2871 buflens[0] = lustre_msg_early_size();
2872 clearsize = lustre_msg_size_v2(1, buflens);
2873 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2874 buflens[1] = gss_cli_payload(NULL, clearsize, 0);
2875 buflens[2] = gss_cli_payload(NULL, clearsize, 1);
2876 gss_at_reply_off_priv = lustre_msg_size_v2(3, buflens);
2879 int __init sptlrpc_gss_init(void)
2883 rc = gss_init_lproc();
2887 rc = gss_init_cli_upcall();
2891 rc = gss_init_svc_upcall();
2893 goto out_cli_upcall;
2895 rc = init_null_module();
2897 goto out_svc_upcall;
2899 rc = init_kerberos_module();
2903 rc = init_sk_module();
2907 /* register policy after all other stuff be initialized, because it
2908 * might be in used immediately after the registration. */
2910 rc = gss_init_keyring();
2914 rc = gss_init_pipefs();
2918 gss_init_at_reply_offset();
2925 cleanup_sk_module();
2927 cleanup_kerberos_module();
2929 cleanup_null_module();
2931 gss_exit_svc_upcall();
2933 gss_exit_cli_upcall();
2939 static void __exit sptlrpc_gss_exit(void)
2943 cleanup_kerberos_module();
2944 gss_exit_svc_upcall();
2945 gss_exit_cli_upcall();
2949 MODULE_AUTHOR("Sun Microsystems, Inc. <http://www.lustre.org/>");
2950 MODULE_DESCRIPTION("GSS security policy for Lustre");
2951 MODULE_LICENSE("GPL");
2953 module_init(sptlrpc_gss_init);
2954 module_exit(sptlrpc_gss_exit);