1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Modifications for Lustre
5 * Copyright 2004 - 2007, Cluster File Systems, Inc.
7 * Author: Eric Mei <ericm@clusterfs.com>
11 * linux/net/sunrpc/auth_gss.c
13 * RPCSEC_GSS client authentication.
15 * Copyright (c) 2000 The Regents of the University of Michigan.
16 * All rights reserved.
18 * Dug Song <dugsong@monkey.org>
19 * Andy Adamson <andros@umich.edu>
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the above copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. Neither the name of the University nor the names of its
31 * contributors may be used to endorse or promote products derived
32 * from this software without specific prior written permission.
34 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
35 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
36 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
37 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
38 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
39 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
40 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
41 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
42 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
43 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
44 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 # define EXPORT_SYMTAB
51 #define DEBUG_SUBSYSTEM S_SEC
53 #include <linux/init.h>
54 #include <linux/module.h>
55 #include <linux/slab.h>
56 #include <linux/dcache.h>
58 #include <linux/random.h>
59 #include <linux/mutex.h>
60 #include <asm/atomic.h>
62 #include <liblustre.h>
66 #include <obd_class.h>
67 #include <obd_support.h>
68 #include <lustre/lustre_idl.h>
69 #include <lustre_net.h>
70 #include <lustre_import.h>
71 #include <lustre_sec.h>
74 #include "gss_internal.h"
77 #include <linux/crypto.h>
79 /********************************************
81 ********************************************/
84 void gss_header_swabber(struct gss_header *ghdr)
86 __swab32s(&ghdr->gh_version);
87 __swab32s(&ghdr->gh_flags);
88 __swab32s(&ghdr->gh_proc);
89 __swab32s(&ghdr->gh_seq);
90 __swab32s(&ghdr->gh_svc);
91 __swab32s(&ghdr->gh_pad1);
92 __swab32s(&ghdr->gh_pad2);
93 __swab32s(&ghdr->gh_pad3);
94 __swab32s(&ghdr->gh_handle.len);
97 struct gss_header *gss_swab_header(struct lustre_msg *msg, int segment)
99 struct gss_header *ghdr;
101 ghdr = lustre_swab_buf(msg, segment, sizeof(*ghdr),
105 sizeof(*ghdr) + ghdr->gh_handle.len > msg->lm_buflens[segment]) {
106 CERROR("gss header require length %u, now %u received\n",
107 (unsigned int) sizeof(*ghdr) + ghdr->gh_handle.len,
108 msg->lm_buflens[segment]);
116 void gss_netobj_swabber(netobj_t *obj)
118 __swab32s(&obj->len);
121 netobj_t *gss_swab_netobj(struct lustre_msg *msg, int segment)
125 obj = lustre_swab_buf(msg, segment, sizeof(*obj), gss_netobj_swabber);
126 if (obj && sizeof(*obj) + obj->len > msg->lm_buflens[segment]) {
127 CERROR("netobj require length %u but only %u received\n",
128 (unsigned int) sizeof(*obj) + obj->len,
129 msg->lm_buflens[segment]);
137 * payload should be obtained from mechanism. but currently since we
138 * only support kerberos, we could simply use fixed value.
142 #define GSS_KRB5_INTEG_MAX_PAYLOAD (40)
145 int gss_estimate_payload(struct gss_ctx *mechctx, int msgsize, int privacy)
148 /* we suppose max cipher block size is 16 bytes. here we
149 * add 16 for confounder and 16 for padding.
151 return GSS_KRB5_INTEG_MAX_PAYLOAD + msgsize + 16 + 16 + 16;
153 return GSS_KRB5_INTEG_MAX_PAYLOAD;
158 * return signature size, otherwise < 0 to indicate error
161 int gss_sign_msg(struct lustre_msg *msg,
162 struct gss_ctx *mechctx,
163 __u32 proc, __u32 seq,
166 struct gss_header *ghdr;
167 rawobj_t text[3], mic;
168 int textcnt, mic_idx = msg->lm_bufcount - 1;
171 LASSERT(msg->lm_bufcount >= 3);
174 LASSERT(msg->lm_buflens[0] >=
175 sizeof(*ghdr) + (handle ? handle->len : 0));
176 ghdr = lustre_msg_buf(msg, 0, 0);
178 ghdr->gh_version = PTLRPC_GSS_VERSION;
180 ghdr->gh_proc = proc;
182 ghdr->gh_svc = PTLRPC_GSS_SVC_INTEGRITY;
184 /* fill in a fake one */
185 ghdr->gh_handle.len = 0;
187 ghdr->gh_handle.len = handle->len;
188 memcpy(ghdr->gh_handle.data, handle->data, handle->len);
192 for (textcnt = 0; textcnt < mic_idx; textcnt++) {
193 text[textcnt].len = msg->lm_buflens[textcnt];
194 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
197 mic.len = msg->lm_buflens[mic_idx];
198 mic.data = lustre_msg_buf(msg, mic_idx, 0);
200 major = lgss_get_mic(mechctx, textcnt, text, &mic);
201 if (major != GSS_S_COMPLETE) {
202 CERROR("fail to generate MIC: %08x\n", major);
205 LASSERT(mic.len <= msg->lm_buflens[mic_idx]);
207 return lustre_shrink_msg(msg, mic_idx, mic.len, 0);
214 __u32 gss_verify_msg(struct lustre_msg *msg,
215 struct gss_ctx *mechctx)
219 int textcnt, mic_idx = msg->lm_bufcount - 1;
222 for (textcnt = 0; textcnt < mic_idx; textcnt++) {
223 text[textcnt].len = msg->lm_buflens[textcnt];
224 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
227 mic.len = msg->lm_buflens[mic_idx];
228 mic.data = lustre_msg_buf(msg, mic_idx, 0);
230 major = lgss_verify_mic(mechctx, textcnt, text, &mic);
231 if (major != GSS_S_COMPLETE)
232 CERROR("mic verify error: %08x\n", major);
238 * return gss error code
241 __u32 gss_unseal_msg(struct gss_ctx *mechctx,
242 struct lustre_msg *msgbuf,
243 int *msg_len, int msgbuf_len)
245 rawobj_t clear_obj, micobj, msgobj, token;
251 if (msgbuf->lm_bufcount != 3) {
252 CERROR("invalid bufcount %d\n", msgbuf->lm_bufcount);
253 RETURN(GSS_S_FAILURE);
256 /* verify gss header */
257 msgobj.len = msgbuf->lm_buflens[0];
258 msgobj.data = lustre_msg_buf(msgbuf, 0, 0);
259 micobj.len = msgbuf->lm_buflens[1];
260 micobj.data = lustre_msg_buf(msgbuf, 1, 0);
262 major = lgss_verify_mic(mechctx, 1, &msgobj, &micobj);
263 if (major != GSS_S_COMPLETE) {
264 CERROR("priv: mic verify error: %08x\n", major);
268 /* temporary clear text buffer */
269 clear_buflen = msgbuf->lm_buflens[2];
270 OBD_ALLOC(clear_buf, clear_buflen);
272 RETURN(GSS_S_FAILURE);
274 token.len = msgbuf->lm_buflens[2];
275 token.data = lustre_msg_buf(msgbuf, 2, 0);
277 clear_obj.len = clear_buflen;
278 clear_obj.data = clear_buf;
280 major = lgss_unwrap(mechctx, &token, &clear_obj);
281 if (major != GSS_S_COMPLETE) {
282 CERROR("priv: unwrap message error: %08x\n", major);
283 GOTO(out_free, major = GSS_S_FAILURE);
285 LASSERT(clear_obj.len <= clear_buflen);
287 /* now the decrypted message */
288 memcpy(msgbuf, clear_obj.data, clear_obj.len);
289 *msg_len = clear_obj.len;
291 major = GSS_S_COMPLETE;
293 OBD_FREE(clear_buf, clear_buflen);
297 /********************************************
298 * gss client context manipulation helpers *
299 ********************************************/
301 int cli_ctx_expire(struct ptlrpc_cli_ctx *ctx)
303 LASSERT(atomic_read(&ctx->cc_refcount));
305 if (!test_and_set_bit(PTLRPC_CTX_DEAD_BIT, &ctx->cc_flags)) {
308 clear_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
310 now = cfs_time_current_sec();
311 if (ctx->cc_expire && cfs_time_aftereq(now, ctx->cc_expire))
312 CWARN("ctx %p(%u->%s): get expired (%lds exceeds)\n",
313 ctx, ctx->cc_vcred.vc_uid,
314 sec2target_str(ctx->cc_sec),
315 cfs_time_sub(now, ctx->cc_expire));
317 CWARN("ctx %p(%u->%s): force to die (%lds remains)\n",
318 ctx, ctx->cc_vcred.vc_uid,
319 sec2target_str(ctx->cc_sec),
320 ctx->cc_expire == 0 ? 0 :
321 cfs_time_sub(ctx->cc_expire, now));
329 * return 1 if the context is dead.
331 int cli_ctx_check_death(struct ptlrpc_cli_ctx *ctx)
333 if (unlikely(cli_ctx_is_dead(ctx)))
336 /* expire is 0 means never expire. a newly created gss context
337 * which during upcall may has 0 expiration
339 if (ctx->cc_expire == 0)
342 /* check real expiration */
343 if (cfs_time_after(ctx->cc_expire, cfs_time_current_sec()))
350 void gss_cli_ctx_uptodate(struct gss_cli_ctx *gctx)
352 struct ptlrpc_cli_ctx *ctx = &gctx->gc_base;
353 unsigned long ctx_expiry;
355 if (lgss_inquire_context(gctx->gc_mechctx, &ctx_expiry)) {
356 CERROR("ctx %p(%u): unable to inquire, expire it now\n",
357 gctx, ctx->cc_vcred.vc_uid);
358 ctx_expiry = 1; /* make it expired now */
361 ctx->cc_expire = gss_round_ctx_expiry(ctx_expiry,
362 ctx->cc_sec->ps_flags);
364 /* At this point this ctx might have been marked as dead by
365 * someone else, in which case nobody will make further use
366 * of it. we don't care, and mark it UPTODATE will help
367 * destroying server side context when it be destroied.
369 set_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
371 CWARN("%s ctx %p(%u->%s), will expire at %lu(%lds lifetime)\n",
372 (ctx->cc_sec->ps_flags & PTLRPC_SEC_FL_REVERSE ?
373 "server installed reverse" : "client refreshed"),
374 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
375 ctx->cc_expire, (long) (ctx->cc_expire - get_seconds()));
379 void gss_cli_ctx_finalize(struct gss_cli_ctx *gctx)
381 if (gctx->gc_mechctx)
382 lgss_delete_sec_context(&gctx->gc_mechctx);
384 rawobj_free(&gctx->gc_handle);
388 * Based on sequence number algorithm as specified in RFC 2203.
390 * modified for our own problem: arriving request has valid sequence number,
391 * but unwrapping request might cost a long time, after that its sequence
392 * are not valid anymore (fall behind the window). It rarely happen, mostly
393 * under extreme load.
395 * note we should not check sequence before verify the integrity of incoming
396 * request, because just one attacking request with high sequence number might
397 * cause all following request be dropped.
399 * so here we use a multi-phase approach: prepare 2 sequence windows,
400 * "main window" for normal sequence and "back window" for fall behind sequence.
401 * and 3-phase checking mechanism:
402 * 0 - before integrity verification, perform a initial sequence checking in
403 * main window, which only try and don't actually set any bits. if the
404 * sequence is high above the window or fit in the window and the bit
405 * is 0, then accept and proceed to integrity verification. otherwise
406 * reject this sequence.
407 * 1 - after integrity verification, check in main window again. if this
408 * sequence is high above the window or fit in the window and the bit
409 * is 0, then set the bit and accept; if it fit in the window but bit
410 * already set, then reject; if it fall behind the window, then proceed
412 * 2 - check in back window. if it is high above the window or fit in the
413 * window and the bit is 0, then set the bit and accept. otherwise reject.
416 * 1: looks like a replay
420 * note phase 0 is necessary, because otherwise replay attacking request of
421 * sequence which between the 2 windows can't be detected.
423 * this mechanism can't totally solve the problem, but could help much less
424 * number of valid requests be dropped.
427 int gss_do_check_seq(unsigned long *window, __u32 win_size, __u32 *max_seq,
428 __u32 seq_num, int phase)
430 LASSERT(phase >= 0 && phase <= 2);
432 if (seq_num > *max_seq) {
434 * 1. high above the window
439 if (seq_num >= *max_seq + win_size) {
440 memset(window, 0, win_size / 8);
443 while(*max_seq < seq_num) {
445 __clear_bit((*max_seq) % win_size, window);
448 __set_bit(seq_num % win_size, window);
449 } else if (seq_num + win_size <= *max_seq) {
451 * 2. low behind the window
453 if (phase == 0 || phase == 2)
456 CWARN("seq %u is %u behind (size %d), check backup window\n",
457 seq_num, *max_seq - win_size - seq_num, win_size);
461 * 3. fit into the window
465 if (test_bit(seq_num % win_size, window))
470 if (__test_and_set_bit(seq_num % win_size, window))
479 CERROR("seq %u (%s %s window) is a replay: max %u, winsize %d\n",
481 seq_num + win_size > *max_seq ? "in" : "behind",
482 phase == 2 ? "backup " : "main",
488 * Based on sequence number algorithm as specified in RFC 2203.
490 * if @set == 0: initial check, don't set any bit in window
491 * if @sec == 1: final check, set bit in window
493 int gss_check_seq_num(struct gss_svc_seq_data *ssd, __u32 seq_num, int set)
497 spin_lock(&ssd->ssd_lock);
503 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
504 &ssd->ssd_max_main, seq_num, 0);
506 gss_stat_oos_record_svc(0, 1);
509 * phase 1 checking main window
511 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
512 &ssd->ssd_max_main, seq_num, 1);
515 gss_stat_oos_record_svc(1, 1);
521 * phase 2 checking back window
523 rc = gss_do_check_seq(ssd->ssd_win_back, GSS_SEQ_WIN_BACK,
524 &ssd->ssd_max_back, seq_num, 2);
526 gss_stat_oos_record_svc(2, 1);
528 gss_stat_oos_record_svc(2, 0);
531 spin_unlock(&ssd->ssd_lock);
535 /***************************************
537 ***************************************/
540 int gss_cli_payload(struct ptlrpc_cli_ctx *ctx,
541 int msgsize, int privacy)
543 return gss_estimate_payload(NULL, msgsize, privacy);
546 int gss_cli_ctx_match(struct ptlrpc_cli_ctx *ctx, struct vfs_cred *vcred)
548 return (ctx->cc_vcred.vc_uid == vcred->vc_uid);
552 void gss_cli_ctx_flags2str(unsigned long flags, char *buf, int bufsize)
556 if (flags & PTLRPC_CTX_UPTODATE)
557 strncat(buf, "uptodate,", bufsize);
558 if (flags & PTLRPC_CTX_DEAD)
559 strncat(buf, "dead,", bufsize);
560 if (flags & PTLRPC_CTX_ERROR)
561 strncat(buf, "error,", bufsize);
562 if (flags & PTLRPC_CTX_CACHED)
563 strncat(buf, "cached,", bufsize);
564 if (flags & PTLRPC_CTX_ETERNAL)
565 strncat(buf, "eternal,", bufsize);
567 strncat(buf, "-,", bufsize);
569 buf[strlen(buf) - 1] = '\0';
572 int gss_cli_ctx_display(struct ptlrpc_cli_ctx *ctx, char *buf, int bufsize)
574 struct gss_cli_ctx *gctx;
578 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
580 gss_cli_ctx_flags2str(ctx->cc_flags, flags_str, sizeof(flags_str));
582 written = snprintf(buf, bufsize,
587 ctx->cc_vcred.vc_uid,
590 atomic_read(&gctx->gc_seq));
592 if (gctx->gc_mechctx) {
593 written += lgss_display(gctx->gc_mechctx,
594 buf + written, bufsize - written);
600 int gss_cli_ctx_sign(struct ptlrpc_cli_ctx *ctx,
601 struct ptlrpc_request *req)
603 struct gss_cli_ctx *gctx;
608 LASSERT(req->rq_reqbuf);
609 LASSERT(req->rq_reqbuf->lm_bufcount >= 3);
610 LASSERT(req->rq_cli_ctx == ctx);
612 /* nothing to do for context negotiation RPCs */
613 if (req->rq_ctx_init)
616 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
618 seq = atomic_inc_return(&gctx->gc_seq);
620 rc = gss_sign_msg(req->rq_reqbuf, gctx->gc_mechctx,
621 gctx->gc_proc, seq, &gctx->gc_handle);
625 /* gss_sign_msg() msg might take long time to finish, in which period
626 * more rpcs could be wrapped up and sent out. if we found too many
627 * of them we should repack this rpc, because sent it too late might
628 * lead to the sequence number fall behind the window on server and
629 * be dropped. also applies to gss_cli_ctx_seal().
631 if (atomic_read(&gctx->gc_seq) - seq > GSS_SEQ_REPACK_THRESHOLD) {
632 int behind = atomic_read(&gctx->gc_seq) - seq;
634 gss_stat_oos_record_cli(behind);
635 CWARN("req %p: %u behind, retry signing\n", req, behind);
639 req->rq_reqdata_len = rc;
644 int gss_cli_ctx_handle_err_notify(struct ptlrpc_cli_ctx *ctx,
645 struct ptlrpc_request *req,
646 struct gss_header *ghdr)
648 struct gss_err_header *errhdr;
651 LASSERT(ghdr->gh_proc == PTLRPC_GSS_PROC_ERR);
653 errhdr = (struct gss_err_header *) ghdr;
655 /* server return NO_CONTEXT might be caused by context expire
656 * or server reboot/failover. we refresh the cred transparently
658 * In some cases, our gss handle is possible to be incidentally
659 * identical to another handle since the handle itself is not
660 * fully random. In krb5 case, the GSS_S_BAD_SIG will be
661 * returned, maybe other gss error for other mechanism.
663 * if we add new mechanism, make sure the correct error are
664 * returned in this case.
666 * but in any cases, don't resend ctx destroying rpc, don't resend
669 if (req->rq_ctx_fini) {
670 CWARN("server respond error (%08x/%08x) for ctx fini\n",
671 errhdr->gh_major, errhdr->gh_minor);
673 } else if (ctx->cc_sec->ps_flags & PTLRPC_SEC_FL_REVERSE) {
674 CWARN("reverse server respond error (%08x/%08x)\n",
675 errhdr->gh_major, errhdr->gh_minor);
677 } else if (errhdr->gh_major == GSS_S_NO_CONTEXT ||
678 errhdr->gh_major == GSS_S_BAD_SIG) {
679 CWARN("req x"LPU64"/t"LPU64": server respond ctx %p(%u->%s) "
680 "%s, server might lost the context.\n",
681 req->rq_xid, req->rq_transno, ctx, ctx->cc_vcred.vc_uid,
682 sec2target_str(ctx->cc_sec),
683 errhdr->gh_major == GSS_S_NO_CONTEXT ?
684 "NO_CONTEXT" : "BAD_SIG");
686 sptlrpc_cli_ctx_expire(ctx);
688 * we need replace the ctx right here, otherwise during
689 * resent we'll hit the logic in sptlrpc_req_refresh_ctx()
690 * which keep the ctx with RESEND flag, thus we'll never
691 * get rid of this ctx.
693 rc = sptlrpc_req_replace_dead_ctx(req);
697 CERROR("req %p: server report gss error (%x/%x)\n",
698 req, errhdr->gh_major, errhdr->gh_minor);
705 int gss_cli_ctx_verify(struct ptlrpc_cli_ctx *ctx,
706 struct ptlrpc_request *req)
708 struct gss_cli_ctx *gctx;
709 struct gss_header *ghdr, *reqhdr;
710 struct lustre_msg *msg = req->rq_repbuf;
715 LASSERT(req->rq_cli_ctx == ctx);
718 req->rq_repdata_len = req->rq_nob_received;
719 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
721 /* special case for context negotiation, rq_repmsg/rq_replen actually
722 * are not used currently.
724 if (req->rq_ctx_init) {
725 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
726 req->rq_replen = msg->lm_buflens[1];
730 if (msg->lm_bufcount < 3 || msg->lm_bufcount > 4) {
731 CERROR("unexpected bufcount %u\n", msg->lm_bufcount);
735 ghdr = gss_swab_header(msg, 0);
737 CERROR("can't decode gss header\n");
742 reqhdr = lustre_msg_buf(msg, 0, sizeof(*reqhdr));
745 if (ghdr->gh_version != reqhdr->gh_version) {
746 CERROR("gss version %u mismatch, expect %u\n",
747 ghdr->gh_version, reqhdr->gh_version);
751 switch (ghdr->gh_proc) {
752 case PTLRPC_GSS_PROC_DATA:
753 if (ghdr->gh_seq != reqhdr->gh_seq) {
754 CERROR("seqnum %u mismatch, expect %u\n",
755 ghdr->gh_seq, reqhdr->gh_seq);
759 if (ghdr->gh_svc != PTLRPC_GSS_SVC_INTEGRITY) {
760 CERROR("unexpected svc %d\n", ghdr->gh_svc);
764 if (lustre_msg_swabbed(msg))
765 gss_header_swabber(ghdr);
767 major = gss_verify_msg(msg, gctx->gc_mechctx);
768 if (major != GSS_S_COMPLETE)
771 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
772 req->rq_replen = msg->lm_buflens[1];
774 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
775 if (msg->lm_bufcount < 4) {
776 CERROR("Invalid reply bufcount %u\n",
781 /* bulk checksum is the second last segment */
782 rc = bulk_sec_desc_unpack(msg, msg->lm_bufcount - 2);
785 case PTLRPC_GSS_PROC_ERR:
786 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
789 CERROR("unknown gss proc %d\n", ghdr->gh_proc);
796 int gss_cli_ctx_seal(struct ptlrpc_cli_ctx *ctx,
797 struct ptlrpc_request *req)
799 struct gss_cli_ctx *gctx;
800 rawobj_t msgobj, cipher_obj, micobj;
801 struct gss_header *ghdr;
802 int buflens[3], wiresize, rc;
806 LASSERT(req->rq_clrbuf);
807 LASSERT(req->rq_cli_ctx == ctx);
808 LASSERT(req->rq_reqlen);
810 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
812 /* close clear data length */
813 req->rq_clrdata_len = lustre_msg_size_v2(req->rq_clrbuf->lm_bufcount,
814 req->rq_clrbuf->lm_buflens);
816 /* calculate wire data length */
817 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
818 buflens[1] = gss_cli_payload(&gctx->gc_base, buflens[0], 0);
819 buflens[2] = gss_cli_payload(&gctx->gc_base, req->rq_clrdata_len, 1);
820 wiresize = lustre_msg_size_v2(3, buflens);
822 /* allocate wire buffer */
825 LASSERT(req->rq_reqbuf);
826 LASSERT(req->rq_reqbuf != req->rq_clrbuf);
827 LASSERT(req->rq_reqbuf_len >= wiresize);
829 OBD_ALLOC(req->rq_reqbuf, wiresize);
832 req->rq_reqbuf_len = wiresize;
835 lustre_init_msg_v2(req->rq_reqbuf, 3, buflens, NULL);
836 req->rq_reqbuf->lm_secflvr = req->rq_sec_flavor;
839 ghdr = lustre_msg_buf(req->rq_reqbuf, 0, 0);
840 ghdr->gh_version = PTLRPC_GSS_VERSION;
842 ghdr->gh_proc = gctx->gc_proc;
843 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
844 ghdr->gh_svc = PTLRPC_GSS_SVC_PRIVACY;
845 ghdr->gh_handle.len = gctx->gc_handle.len;
846 memcpy(ghdr->gh_handle.data, gctx->gc_handle.data, gctx->gc_handle.len);
849 /* header signature */
850 msgobj.len = req->rq_reqbuf->lm_buflens[0];
851 msgobj.data = lustre_msg_buf(req->rq_reqbuf, 0, 0);
852 micobj.len = req->rq_reqbuf->lm_buflens[1];
853 micobj.data = lustre_msg_buf(req->rq_reqbuf, 1, 0);
855 major = lgss_get_mic(gctx->gc_mechctx, 1, &msgobj, &micobj);
856 if (major != GSS_S_COMPLETE) {
857 CERROR("priv: sign message error: %08x\n", major);
858 GOTO(err_free, rc = -EPERM);
860 /* perhaps shrink msg has potential problem in re-packing???
861 * ship a little bit more data is fine.
862 lustre_shrink_msg(req->rq_reqbuf, 1, micobj.len, 0);
866 msgobj.len = req->rq_clrdata_len;
867 msgobj.data = (__u8 *) req->rq_clrbuf;
870 cipher_obj.len = req->rq_reqbuf->lm_buflens[2];
871 cipher_obj.data = lustre_msg_buf(req->rq_reqbuf, 2, 0);
873 major = lgss_wrap(gctx->gc_mechctx, &msgobj, req->rq_clrbuf_len,
875 if (major != GSS_S_COMPLETE) {
876 CERROR("priv: wrap message error: %08x\n", major);
877 GOTO(err_free, rc = -EPERM);
879 LASSERT(cipher_obj.len <= buflens[2]);
881 /* see explain in gss_cli_ctx_sign() */
882 if (atomic_read(&gctx->gc_seq) - ghdr->gh_seq >
883 GSS_SEQ_REPACK_THRESHOLD) {
884 int behind = atomic_read(&gctx->gc_seq) - ghdr->gh_seq;
886 gss_stat_oos_record_cli(behind);
887 CWARN("req %p: %u behind, retry sealing\n", req, behind);
889 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
893 /* now set the final wire data length */
894 req->rq_reqdata_len = lustre_shrink_msg(req->rq_reqbuf, 2,
901 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
902 req->rq_reqbuf = NULL;
903 req->rq_reqbuf_len = 0;
908 int gss_cli_ctx_unseal(struct ptlrpc_cli_ctx *ctx,
909 struct ptlrpc_request *req)
911 struct gss_cli_ctx *gctx;
912 struct gss_header *ghdr;
917 LASSERT(req->rq_repbuf);
918 LASSERT(req->rq_cli_ctx == ctx);
920 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
922 ghdr = gss_swab_header(req->rq_repbuf, 0);
924 CERROR("can't decode gss header\n");
929 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
930 CERROR("gss version %u mismatch, expect %u\n",
931 ghdr->gh_version, PTLRPC_GSS_VERSION);
935 switch (ghdr->gh_proc) {
936 case PTLRPC_GSS_PROC_DATA:
937 if (lustre_msg_swabbed(req->rq_repbuf))
938 gss_header_swabber(ghdr);
940 major = gss_unseal_msg(gctx->gc_mechctx, req->rq_repbuf,
941 &msglen, req->rq_repbuf_len);
942 if (major != GSS_S_COMPLETE) {
947 if (lustre_unpack_msg(req->rq_repbuf, msglen)) {
948 CERROR("Failed to unpack after decryption\n");
951 req->rq_repdata_len = msglen;
953 if (req->rq_repbuf->lm_bufcount < 1) {
954 CERROR("Invalid reply buffer: empty\n");
958 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
959 if (req->rq_repbuf->lm_bufcount < 2) {
960 CERROR("Too few request buffer segments %d\n",
961 req->rq_repbuf->lm_bufcount);
965 /* bulk checksum is the last segment */
966 if (bulk_sec_desc_unpack(req->rq_repbuf,
967 req->rq_repbuf->lm_bufcount-1))
971 req->rq_repmsg = lustre_msg_buf(req->rq_repbuf, 0, 0);
972 req->rq_replen = req->rq_repbuf->lm_buflens[0];
976 case PTLRPC_GSS_PROC_ERR:
977 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
980 CERROR("unexpected proc %d\n", ghdr->gh_proc);
987 /*********************************************
988 * reverse context installation *
989 *********************************************/
992 int gss_install_rvs_svc_ctx(struct obd_import *imp,
993 struct gss_sec *gsec,
994 struct gss_cli_ctx *gctx)
996 return gss_svc_upcall_install_rvs_ctx(imp, gsec, gctx);
999 /*********************************************
1000 * GSS security APIs *
1001 *********************************************/
1002 int gss_sec_create_common(struct gss_sec *gsec,
1003 struct ptlrpc_sec_policy *policy,
1004 struct obd_import *imp,
1005 struct ptlrpc_svc_ctx *ctx,
1007 unsigned long flags)
1009 struct ptlrpc_sec *sec;
1012 LASSERT(SEC_FLAVOR_POLICY(flavor) == SPTLRPC_POLICY_GSS);
1014 gsec->gs_mech = lgss_subflavor_to_mech(SEC_FLAVOR_SUB(flavor));
1015 if (!gsec->gs_mech) {
1016 CERROR("gss backend 0x%x not found\n", SEC_FLAVOR_SUB(flavor));
1020 spin_lock_init(&gsec->gs_lock);
1021 gsec->gs_rvs_hdl = 0ULL;
1023 /* initialize upper ptlrpc_sec */
1024 sec = &gsec->gs_base;
1025 sec->ps_policy = policy;
1026 sec->ps_flavor = flavor;
1027 sec->ps_flags = flags;
1028 sec->ps_import = class_import_get(imp);
1029 sec->ps_lock = SPIN_LOCK_UNLOCKED;
1030 atomic_set(&sec->ps_busy, 0);
1031 INIT_LIST_HEAD(&sec->ps_gc_list);
1034 sec->ps_gc_interval = GSS_GC_INTERVAL;
1035 sec->ps_gc_next = cfs_time_current_sec() + sec->ps_gc_interval;
1037 LASSERT(sec->ps_flags & PTLRPC_SEC_FL_REVERSE);
1039 /* never do gc on reverse sec */
1040 sec->ps_gc_interval = 0;
1041 sec->ps_gc_next = 0;
1044 if (SEC_FLAVOR_SVC(flavor) == SPTLRPC_SVC_PRIV &&
1045 flags & PTLRPC_SEC_FL_BULK)
1046 sptlrpc_enc_pool_add_user();
1048 CWARN("create %s%s@%p\n", (ctx ? "reverse " : ""),
1049 policy->sp_name, gsec);
1053 void gss_sec_destroy_common(struct gss_sec *gsec)
1055 struct ptlrpc_sec *sec = &gsec->gs_base;
1058 LASSERT(sec->ps_import);
1059 LASSERT(atomic_read(&sec->ps_refcount) == 0);
1060 LASSERT(atomic_read(&sec->ps_busy) == 0);
1062 if (gsec->gs_mech) {
1063 lgss_mech_put(gsec->gs_mech);
1064 gsec->gs_mech = NULL;
1067 class_import_put(sec->ps_import);
1069 if (SEC_FLAVOR_SVC(sec->ps_flavor) == SPTLRPC_SVC_PRIV &&
1070 sec->ps_flags & PTLRPC_SEC_FL_BULK)
1071 sptlrpc_enc_pool_del_user();
1076 int gss_cli_ctx_init_common(struct ptlrpc_sec *sec,
1077 struct ptlrpc_cli_ctx *ctx,
1078 struct ptlrpc_ctx_ops *ctxops,
1079 struct vfs_cred *vcred)
1081 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
1084 atomic_set(&gctx->gc_seq, 0);
1086 INIT_HLIST_NODE(&ctx->cc_hash);
1087 atomic_set(&ctx->cc_refcount, 0);
1089 ctx->cc_ops = ctxops;
1091 ctx->cc_flags = PTLRPC_CTX_NEW;
1092 ctx->cc_vcred = *vcred;
1093 spin_lock_init(&ctx->cc_lock);
1094 INIT_LIST_HEAD(&ctx->cc_req_list);
1096 /* take a ref on belonging sec */
1097 atomic_inc(&sec->ps_busy);
1099 CWARN("%s@%p: create ctx %p(%u->%s)\n",
1100 sec->ps_policy->sp_name, ctx->cc_sec,
1101 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1106 * return 1 if the busy count of the sec dropped to zero, then usually caller
1107 * should destroy the sec too; otherwise return 0.
1109 int gss_cli_ctx_fini_common(struct ptlrpc_sec *sec,
1110 struct ptlrpc_cli_ctx *ctx)
1112 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
1114 LASSERT(ctx->cc_sec == sec);
1115 LASSERT(atomic_read(&ctx->cc_refcount) == 0);
1116 LASSERT(atomic_read(&sec->ps_busy) > 0);
1118 if (gctx->gc_mechctx) {
1119 gss_do_ctx_fini_rpc(gctx);
1120 gss_cli_ctx_finalize(gctx);
1123 CWARN("%s@%p: destroy ctx %p(%u->%s)\n",
1124 sec->ps_policy->sp_name, ctx->cc_sec,
1125 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1127 if (atomic_dec_and_test(&sec->ps_busy)) {
1128 LASSERT(atomic_read(&sec->ps_refcount) == 0);
1136 int gss_alloc_reqbuf_auth(struct ptlrpc_sec *sec,
1137 struct ptlrpc_request *req,
1140 struct sec_flavor_config *conf;
1141 int bufsize, txtsize;
1142 int buflens[5], bufcnt = 2;
1149 * - bulk sec descriptor
1152 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1153 buflens[1] = msgsize;
1154 txtsize = buflens[0] + buflens[1];
1156 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1157 buflens[bufcnt] = sptlrpc_current_user_desc_size();
1158 txtsize += buflens[bufcnt];
1162 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1163 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1164 buflens[bufcnt] = bulk_sec_desc_size(conf->sfc_bulk_csum, 1,
1166 txtsize += buflens[bufcnt];
1170 buflens[bufcnt++] = req->rq_ctx_init ? GSS_CTX_INIT_MAX_LEN :
1171 gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1173 bufsize = lustre_msg_size_v2(bufcnt, buflens);
1175 if (!req->rq_reqbuf) {
1176 bufsize = size_roundup_power2(bufsize);
1178 OBD_ALLOC(req->rq_reqbuf, bufsize);
1179 if (!req->rq_reqbuf)
1182 req->rq_reqbuf_len = bufsize;
1184 LASSERT(req->rq_pool);
1185 LASSERT(req->rq_reqbuf_len >= bufsize);
1186 memset(req->rq_reqbuf, 0, bufsize);
1189 lustre_init_msg_v2(req->rq_reqbuf, bufcnt, buflens, NULL);
1190 req->rq_reqbuf->lm_secflvr = req->rq_sec_flavor;
1192 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, msgsize);
1193 LASSERT(req->rq_reqmsg);
1195 /* pack user desc here, later we might leave current user's process */
1196 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor))
1197 sptlrpc_pack_user_desc(req->rq_reqbuf, 2);
1203 int gss_alloc_reqbuf_priv(struct ptlrpc_sec *sec,
1204 struct ptlrpc_request *req,
1207 struct sec_flavor_config *conf;
1208 int ibuflens[3], ibufcnt;
1210 int clearsize, wiresize;
1213 LASSERT(req->rq_clrbuf == NULL);
1214 LASSERT(req->rq_clrbuf_len == 0);
1216 /* Inner (clear) buffers
1222 ibuflens[0] = msgsize;
1224 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor))
1225 ibuflens[ibufcnt++] = sptlrpc_current_user_desc_size();
1226 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1227 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1228 ibuflens[ibufcnt++] = bulk_sec_desc_size(conf->sfc_bulk_csum, 1,
1231 clearsize = lustre_msg_size_v2(ibufcnt, ibuflens);
1232 /* to allow append padding during encryption */
1233 clearsize += GSS_MAX_CIPHER_BLOCK;
1235 /* Wrapper (wire) buffers
1237 * - signature of gss header
1240 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1241 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1242 buflens[2] = gss_cli_payload(req->rq_cli_ctx, clearsize, 1);
1243 wiresize = lustre_msg_size_v2(3, buflens);
1246 /* rq_reqbuf is preallocated */
1247 LASSERT(req->rq_reqbuf);
1248 LASSERT(req->rq_reqbuf_len >= wiresize);
1250 memset(req->rq_reqbuf, 0, req->rq_reqbuf_len);
1252 /* if the pre-allocated buffer is big enough, we just pack
1253 * both clear buf & request buf in it, to avoid more alloc.
1255 if (clearsize + wiresize <= req->rq_reqbuf_len) {
1257 (void *) (((char *) req->rq_reqbuf) + wiresize);
1259 CWARN("pre-allocated buf size %d is not enough for "
1260 "both clear (%d) and cipher (%d) text, proceed "
1261 "with extra allocation\n", req->rq_reqbuf_len,
1262 clearsize, wiresize);
1266 if (!req->rq_clrbuf) {
1267 clearsize = size_roundup_power2(clearsize);
1269 OBD_ALLOC(req->rq_clrbuf, clearsize);
1270 if (!req->rq_clrbuf)
1273 req->rq_clrbuf_len = clearsize;
1275 lustre_init_msg_v2(req->rq_clrbuf, ibufcnt, ibuflens, NULL);
1276 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, msgsize);
1278 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor))
1279 sptlrpc_pack_user_desc(req->rq_clrbuf, 1);
1285 * NOTE: any change of request buffer allocation should also consider
1286 * changing enlarge_reqbuf() series functions.
1288 int gss_alloc_reqbuf(struct ptlrpc_sec *sec,
1289 struct ptlrpc_request *req,
1292 LASSERT(!SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor) ||
1293 (req->rq_bulk_read || req->rq_bulk_write));
1295 switch (SEC_FLAVOR_SVC(req->rq_sec_flavor)) {
1296 case SPTLRPC_SVC_NONE:
1297 case SPTLRPC_SVC_AUTH:
1298 return gss_alloc_reqbuf_auth(sec, req, msgsize);
1299 case SPTLRPC_SVC_PRIV:
1300 return gss_alloc_reqbuf_priv(sec, req, msgsize);
1307 void gss_free_reqbuf(struct ptlrpc_sec *sec,
1308 struct ptlrpc_request *req)
1313 LASSERT(!req->rq_pool || req->rq_reqbuf);
1314 privacy = SEC_FLAVOR_SVC(req->rq_sec_flavor) == SPTLRPC_SVC_PRIV;
1316 if (!req->rq_clrbuf)
1317 goto release_reqbuf;
1319 /* release clear buffer */
1321 LASSERT(req->rq_clrbuf_len);
1324 req->rq_clrbuf >= req->rq_reqbuf &&
1325 (char *) req->rq_clrbuf <
1326 (char *) req->rq_reqbuf + req->rq_reqbuf_len)
1327 goto release_reqbuf;
1329 OBD_FREE(req->rq_clrbuf, req->rq_clrbuf_len);
1330 req->rq_clrbuf = NULL;
1331 req->rq_clrbuf_len = 0;
1334 if (!req->rq_pool && req->rq_reqbuf) {
1335 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
1336 req->rq_reqbuf = NULL;
1337 req->rq_reqbuf_len = 0;
1343 int gss_alloc_repbuf(struct ptlrpc_sec *sec,
1344 struct ptlrpc_request *req,
1347 struct sec_flavor_config *conf;
1348 int privacy = (SEC_FLAVOR_SVC(req->rq_sec_flavor) == SPTLRPC_SVC_PRIV);
1349 int bufsize, txtsize;
1350 int buflens[4], bufcnt;
1353 LASSERT(!SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor) ||
1354 (req->rq_bulk_read || req->rq_bulk_write));
1358 buflens[0] = msgsize;
1359 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1360 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1361 buflens[bufcnt++] = bulk_sec_desc_size(
1362 conf->sfc_bulk_csum, 0,
1365 txtsize = lustre_msg_size_v2(bufcnt, buflens);
1366 txtsize += GSS_MAX_CIPHER_BLOCK;
1369 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1370 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1371 buflens[2] = gss_cli_payload(req->rq_cli_ctx, txtsize, 1);
1374 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1375 buflens[1] = msgsize;
1376 txtsize = buflens[0] + buflens[1];
1378 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1379 conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
1380 buflens[bufcnt] = bulk_sec_desc_size(
1381 conf->sfc_bulk_csum, 0,
1383 txtsize += buflens[bufcnt];
1386 buflens[bufcnt++] = req->rq_ctx_init ? GSS_CTX_INIT_MAX_LEN :
1387 gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1390 bufsize = lustre_msg_size_v2(bufcnt, buflens);
1391 bufsize = size_roundup_power2(bufsize);
1393 OBD_ALLOC(req->rq_repbuf, bufsize);
1394 if (!req->rq_repbuf)
1397 req->rq_repbuf_len = bufsize;
1401 void gss_free_repbuf(struct ptlrpc_sec *sec,
1402 struct ptlrpc_request *req)
1404 OBD_FREE(req->rq_repbuf, req->rq_repbuf_len);
1405 req->rq_repbuf = NULL;
1406 req->rq_repbuf_len = 0;
1409 static int get_enlarged_msgsize(struct lustre_msg *msg,
1410 int segment, int newsize)
1412 int save, newmsg_size;
1414 LASSERT(newsize >= msg->lm_buflens[segment]);
1416 save = msg->lm_buflens[segment];
1417 msg->lm_buflens[segment] = newsize;
1418 newmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1419 msg->lm_buflens[segment] = save;
1424 static int get_enlarged_msgsize2(struct lustre_msg *msg,
1425 int segment1, int newsize1,
1426 int segment2, int newsize2)
1428 int save1, save2, newmsg_size;
1430 LASSERT(newsize1 >= msg->lm_buflens[segment1]);
1431 LASSERT(newsize2 >= msg->lm_buflens[segment2]);
1433 save1 = msg->lm_buflens[segment1];
1434 save2 = msg->lm_buflens[segment2];
1435 msg->lm_buflens[segment1] = newsize1;
1436 msg->lm_buflens[segment2] = newsize2;
1437 newmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1438 msg->lm_buflens[segment1] = save1;
1439 msg->lm_buflens[segment2] = save2;
1444 static inline int msg_last_seglen(struct lustre_msg *msg)
1446 return msg->lm_buflens[msg->lm_bufcount - 1];
1450 int gss_enlarge_reqbuf_auth(struct ptlrpc_sec *sec,
1451 struct ptlrpc_request *req,
1452 int segment, int newsize)
1454 struct lustre_msg *newbuf;
1455 int txtsize, sigsize, i;
1456 int newmsg_size, newbuf_size;
1459 * embedded msg is at seg 1; signature is at the last seg
1461 LASSERT(req->rq_reqbuf);
1462 LASSERT(req->rq_reqbuf_len > req->rq_reqlen);
1463 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
1464 LASSERT(lustre_msg_buf(req->rq_reqbuf, 1, 0) == req->rq_reqmsg);
1466 /* compute new embedded msg size */
1467 newmsg_size = get_enlarged_msgsize(req->rq_reqmsg, segment, newsize);
1468 LASSERT(newmsg_size >= req->rq_reqbuf->lm_buflens[1]);
1470 /* compute new wrapper msg size */
1471 for (txtsize = 0, i = 0; i < req->rq_reqbuf->lm_bufcount; i++)
1472 txtsize += req->rq_reqbuf->lm_buflens[i];
1473 txtsize += newmsg_size - req->rq_reqbuf->lm_buflens[1];
1475 sigsize = gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1476 LASSERT(sigsize >= msg_last_seglen(req->rq_reqbuf));
1477 newbuf_size = get_enlarged_msgsize2(req->rq_reqbuf, 1, newmsg_size,
1478 req->rq_reqbuf->lm_bufcount - 1,
1481 /* request from pool should always have enough buffer */
1482 LASSERT(!req->rq_pool || req->rq_reqbuf_len >= newbuf_size);
1484 if (req->rq_reqbuf_len < newbuf_size) {
1485 newbuf_size = size_roundup_power2(newbuf_size);
1487 OBD_ALLOC(newbuf, newbuf_size);
1491 memcpy(newbuf, req->rq_reqbuf, req->rq_reqbuf_len);
1493 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
1494 req->rq_reqbuf = newbuf;
1495 req->rq_reqbuf_len = newbuf_size;
1496 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, 0);
1499 _sptlrpc_enlarge_msg_inplace(req->rq_reqbuf,
1500 req->rq_reqbuf->lm_bufcount - 1, sigsize);
1501 _sptlrpc_enlarge_msg_inplace(req->rq_reqbuf, 1, newmsg_size);
1502 _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize);
1504 req->rq_reqlen = newmsg_size;
1509 int gss_enlarge_reqbuf_priv(struct ptlrpc_sec *sec,
1510 struct ptlrpc_request *req,
1511 int segment, int newsize)
1513 struct lustre_msg *newclrbuf;
1514 int newmsg_size, newclrbuf_size, newcipbuf_size;
1518 * embedded msg is at seg 0 of clear buffer;
1519 * cipher text is at seg 2 of cipher buffer;
1521 LASSERT(req->rq_pool ||
1522 (req->rq_reqbuf == NULL && req->rq_reqbuf_len == 0));
1523 LASSERT(req->rq_reqbuf == NULL ||
1524 (req->rq_pool && req->rq_reqbuf->lm_bufcount == 3));
1525 LASSERT(req->rq_clrbuf);
1526 LASSERT(req->rq_clrbuf_len > req->rq_reqlen);
1527 LASSERT(lustre_msg_buf(req->rq_clrbuf, 0, 0) == req->rq_reqmsg);
1529 /* compute new embedded msg size */
1530 newmsg_size = get_enlarged_msgsize(req->rq_reqmsg, segment, newsize);
1532 /* compute new clear buffer size */
1533 newclrbuf_size = get_enlarged_msgsize(req->rq_clrbuf, 0, newmsg_size);
1534 newclrbuf_size += GSS_MAX_CIPHER_BLOCK;
1536 /* compute new cipher buffer size */
1537 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1538 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1539 buflens[2] = gss_cli_payload(req->rq_cli_ctx, newclrbuf_size, 1);
1540 newcipbuf_size = lustre_msg_size_v2(3, buflens);
1543 * handle the case that we put both clear buf and cipher buf into
1544 * pre-allocated single buffer.
1546 if (unlikely(req->rq_pool) &&
1547 req->rq_clrbuf >= req->rq_reqbuf &&
1548 (char *) req->rq_clrbuf <
1549 (char *) req->rq_reqbuf + req->rq_reqbuf_len) {
1551 * it couldn't be better we still fit into the
1552 * pre-allocated buffer.
1554 if (newclrbuf_size + newcipbuf_size <= req->rq_reqbuf_len) {
1557 /* move clear text backward. */
1558 src = req->rq_clrbuf;
1559 dst = (char *) req->rq_reqbuf + newcipbuf_size;
1561 memmove(dst, src, req->rq_clrbuf_len);
1563 req->rq_clrbuf = (struct lustre_msg *) dst;
1564 req->rq_clrbuf_len = newclrbuf_size;
1565 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, 0);
1568 * sadly we have to split out the clear buffer
1570 LASSERT(req->rq_reqbuf_len >= newcipbuf_size);
1571 LASSERT(req->rq_clrbuf_len < newclrbuf_size);
1575 if (req->rq_clrbuf_len < newclrbuf_size) {
1576 newclrbuf_size = size_roundup_power2(newclrbuf_size);
1578 OBD_ALLOC(newclrbuf, newclrbuf_size);
1579 if (newclrbuf == NULL)
1582 memcpy(newclrbuf, req->rq_clrbuf, req->rq_clrbuf_len);
1584 if (req->rq_reqbuf == NULL ||
1585 req->rq_clrbuf < req->rq_reqbuf ||
1586 (char *) req->rq_clrbuf >=
1587 (char *) req->rq_reqbuf + req->rq_reqbuf_len) {
1588 OBD_FREE(req->rq_clrbuf, req->rq_clrbuf_len);
1591 req->rq_clrbuf = newclrbuf;
1592 req->rq_clrbuf_len = newclrbuf_size;
1593 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, 0);
1596 _sptlrpc_enlarge_msg_inplace(req->rq_clrbuf, 0, newmsg_size);
1597 _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize);
1598 req->rq_reqlen = newmsg_size;
1603 int gss_enlarge_reqbuf(struct ptlrpc_sec *sec,
1604 struct ptlrpc_request *req,
1605 int segment, int newsize)
1607 LASSERT(!req->rq_ctx_init && !req->rq_ctx_fini);
1609 switch (SEC_FLAVOR_SVC(req->rq_sec_flavor)) {
1610 case SPTLRPC_SVC_AUTH:
1611 return gss_enlarge_reqbuf_auth(sec, req, segment, newsize);
1612 case SPTLRPC_SVC_PRIV:
1613 return gss_enlarge_reqbuf_priv(sec, req, segment, newsize);
1615 LASSERTF(0, "bad flavor %x\n", req->rq_sec_flavor);
1620 int gss_sec_install_rctx(struct obd_import *imp,
1621 struct ptlrpc_sec *sec,
1622 struct ptlrpc_cli_ctx *ctx)
1624 struct gss_sec *gsec;
1625 struct gss_cli_ctx *gctx;
1628 gsec = container_of(sec, struct gss_sec, gs_base);
1629 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
1631 rc = gss_install_rvs_svc_ctx(imp, gsec, gctx);
1635 /********************************************
1637 ********************************************/
1640 int gss_svc_reqctx_is_special(struct gss_svc_reqctx *grctx)
1643 return (grctx->src_init || grctx->src_init_continue ||
1644 grctx->src_err_notify);
1648 void gss_svc_reqctx_free(struct gss_svc_reqctx *grctx)
1651 gss_svc_upcall_put_ctx(grctx->src_ctx);
1653 sptlrpc_policy_put(grctx->src_base.sc_policy);
1654 OBD_FREE_PTR(grctx);
1658 void gss_svc_reqctx_addref(struct gss_svc_reqctx *grctx)
1660 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1661 atomic_inc(&grctx->src_base.sc_refcount);
1665 void gss_svc_reqctx_decref(struct gss_svc_reqctx *grctx)
1667 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1669 if (atomic_dec_and_test(&grctx->src_base.sc_refcount))
1670 gss_svc_reqctx_free(grctx);
1674 int gss_svc_sign(struct ptlrpc_request *req,
1675 struct ptlrpc_reply_state *rs,
1676 struct gss_svc_reqctx *grctx)
1681 LASSERT(rs->rs_msg == lustre_msg_buf(rs->rs_repbuf, 1, 0));
1683 /* embedded lustre_msg might have been shrinked */
1684 if (req->rq_replen != rs->rs_repbuf->lm_buflens[1])
1685 lustre_shrink_msg(rs->rs_repbuf, 1, req->rq_replen, 1);
1687 rc = gss_sign_msg(rs->rs_repbuf, grctx->src_ctx->gsc_mechctx,
1688 PTLRPC_GSS_PROC_DATA, grctx->src_wirectx.gw_seq,
1693 rs->rs_repdata_len = rc;
1697 int gss_pack_err_notify(struct ptlrpc_request *req, __u32 major, __u32 minor)
1699 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1700 struct ptlrpc_reply_state *rs;
1701 struct gss_err_header *ghdr;
1702 int replen = sizeof(struct ptlrpc_body);
1706 //OBD_FAIL_RETURN(OBD_FAIL_SVCGSS_ERR_NOTIFY|OBD_FAIL_ONCE, -EINVAL);
1708 grctx->src_err_notify = 1;
1709 grctx->src_reserve_len = 0;
1711 rc = lustre_pack_reply_v2(req, 1, &replen, NULL);
1713 CERROR("could not pack reply, err %d\n", rc);
1718 rs = req->rq_reply_state;
1719 LASSERT(rs->rs_repbuf->lm_buflens[1] >= sizeof(*ghdr));
1720 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
1721 ghdr->gh_version = PTLRPC_GSS_VERSION;
1723 ghdr->gh_proc = PTLRPC_GSS_PROC_ERR;
1724 ghdr->gh_major = major;
1725 ghdr->gh_minor = minor;
1726 ghdr->gh_handle.len = 0; /* fake context handle */
1728 rs->rs_repdata_len = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
1729 rs->rs_repbuf->lm_buflens);
1731 CDEBUG(D_SEC, "prepare gss error notify(0x%x/0x%x) to %s\n",
1732 major, minor, libcfs_nid2str(req->rq_peer.nid));
1737 int gss_svc_handle_init(struct ptlrpc_request *req,
1738 struct gss_wire_ctx *gw)
1740 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1741 struct lustre_msg *reqbuf = req->rq_reqbuf;
1742 struct obd_uuid *uuid;
1743 struct obd_device *target;
1744 rawobj_t uuid_obj, rvs_hdl, in_token;
1746 __u32 *secdata, seclen;
1750 CDEBUG(D_SEC, "processing gss init(%d) request from %s\n", gw->gw_proc,
1751 libcfs_nid2str(req->rq_peer.nid));
1753 if (gw->gw_proc == PTLRPC_GSS_PROC_INIT && gw->gw_handle.len != 0) {
1754 CERROR("proc %u: invalid handle length %u\n",
1755 gw->gw_proc, gw->gw_handle.len);
1756 RETURN(SECSVC_DROP);
1759 if (reqbuf->lm_bufcount < 3 || reqbuf->lm_bufcount > 4){
1760 CERROR("Invalid bufcount %d\n", reqbuf->lm_bufcount);
1761 RETURN(SECSVC_DROP);
1764 /* ctx initiate payload is in last segment */
1765 secdata = lustre_msg_buf(reqbuf, reqbuf->lm_bufcount - 1, 0);
1766 seclen = reqbuf->lm_buflens[reqbuf->lm_bufcount - 1];
1768 if (seclen < 4 + 4) {
1769 CERROR("sec size %d too small\n", seclen);
1770 RETURN(SECSVC_DROP);
1773 /* lustre svc type */
1774 lustre_svc = le32_to_cpu(*secdata++);
1777 /* extract target uuid, note this code is somewhat fragile
1778 * because touched internal structure of obd_uuid
1780 if (rawobj_extract(&uuid_obj, &secdata, &seclen)) {
1781 CERROR("failed to extract target uuid\n");
1782 RETURN(SECSVC_DROP);
1784 uuid_obj.data[uuid_obj.len - 1] = '\0';
1786 uuid = (struct obd_uuid *) uuid_obj.data;
1787 target = class_uuid2obd(uuid);
1788 if (!target || target->obd_stopping || !target->obd_set_up) {
1789 CERROR("target '%s' is not available for context init (%s)",
1790 uuid->uuid, target == NULL ? "no target" :
1791 (target->obd_stopping ? "stopping" : "not set up"));
1792 RETURN(SECSVC_DROP);
1795 /* extract reverse handle */
1796 if (rawobj_extract(&rvs_hdl, &secdata, &seclen)) {
1797 CERROR("failed extract reverse handle\n");
1798 RETURN(SECSVC_DROP);
1802 if (rawobj_extract(&in_token, &secdata, &seclen)) {
1803 CERROR("can't extract token\n");
1804 RETURN(SECSVC_DROP);
1807 rc = gss_svc_upcall_handle_init(req, grctx, gw, target, lustre_svc,
1808 &rvs_hdl, &in_token);
1809 if (rc != SECSVC_OK)
1812 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1813 if (reqbuf->lm_bufcount < 4) {
1814 CERROR("missing user descriptor\n");
1815 RETURN(SECSVC_DROP);
1817 if (sptlrpc_unpack_user_desc(reqbuf, 2)) {
1818 CERROR("Mal-formed user descriptor\n");
1819 RETURN(SECSVC_DROP);
1821 req->rq_user_desc = lustre_msg_buf(reqbuf, 2, 0);
1824 req->rq_reqmsg = lustre_msg_buf(reqbuf, 1, 0);
1825 req->rq_reqlen = lustre_msg_buflen(reqbuf, 1);
1831 * last segment must be the gss signature.
1834 int gss_svc_verify_request(struct ptlrpc_request *req,
1835 struct gss_svc_ctx *gctx,
1836 struct gss_wire_ctx *gw,
1839 struct lustre_msg *msg = req->rq_reqbuf;
1843 *major = GSS_S_COMPLETE;
1845 if (msg->lm_bufcount < 3) {
1846 CERROR("Too few segments (%u) in request\n", msg->lm_bufcount);
1850 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
1851 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
1852 *major = GSS_S_DUPLICATE_TOKEN;
1856 *major = gss_verify_msg(msg, gctx->gsc_mechctx);
1857 if (*major != GSS_S_COMPLETE)
1860 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
1861 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
1862 *major = GSS_S_DUPLICATE_TOKEN;
1866 /* user descriptor */
1867 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1868 if (msg->lm_bufcount < (offset + 1 + 1)) {
1869 CERROR("no user desc included\n");
1873 if (sptlrpc_unpack_user_desc(msg, offset)) {
1874 CERROR("Mal-formed user descriptor\n");
1878 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
1882 /* check bulk cksum data */
1883 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1884 if (msg->lm_bufcount < (offset + 1 + 1)) {
1885 CERROR("no bulk checksum included\n");
1889 if (bulk_sec_desc_unpack(msg, offset))
1893 req->rq_reqmsg = lustre_msg_buf(msg, 1, 0);
1894 req->rq_reqlen = msg->lm_buflens[1];
1899 int gss_svc_unseal_request(struct ptlrpc_request *req,
1900 struct gss_svc_ctx *gctx,
1901 struct gss_wire_ctx *gw,
1904 struct lustre_msg *msg = req->rq_reqbuf;
1905 int msglen, offset = 1;
1908 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
1909 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
1910 *major = GSS_S_DUPLICATE_TOKEN;
1914 *major = gss_unseal_msg(gctx->gsc_mechctx, msg,
1915 &msglen, req->rq_reqdata_len);
1916 if (*major != GSS_S_COMPLETE)
1919 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
1920 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
1921 *major = GSS_S_DUPLICATE_TOKEN;
1925 if (lustre_unpack_msg(msg, msglen)) {
1926 CERROR("Failed to unpack after decryption\n");
1929 req->rq_reqdata_len = msglen;
1931 if (msg->lm_bufcount < 1) {
1932 CERROR("Invalid buffer: is empty\n");
1936 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
1937 if (msg->lm_bufcount < offset + 1) {
1938 CERROR("no user descriptor included\n");
1942 if (sptlrpc_unpack_user_desc(msg, offset)) {
1943 CERROR("Mal-formed user descriptor\n");
1947 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
1951 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
1952 if (msg->lm_bufcount < offset + 1) {
1953 CERROR("no bulk checksum included\n");
1957 if (bulk_sec_desc_unpack(msg, offset))
1961 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 0, 0);
1962 req->rq_reqlen = req->rq_reqbuf->lm_buflens[0];
1967 int gss_svc_handle_data(struct ptlrpc_request *req,
1968 struct gss_wire_ctx *gw)
1970 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1975 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
1976 if (!grctx->src_ctx) {
1977 major = GSS_S_NO_CONTEXT;
1981 switch (gw->gw_svc) {
1982 case PTLRPC_GSS_SVC_INTEGRITY:
1983 rc = gss_svc_verify_request(req, grctx->src_ctx, gw, &major);
1985 case PTLRPC_GSS_SVC_PRIVACY:
1986 rc = gss_svc_unseal_request(req, grctx->src_ctx, gw, &major);
1989 CERROR("unsupported gss service %d\n", gw->gw_svc);
1996 CERROR("svc %u failed: major 0x%08x: ctx %p(%u->%s)\n",
1997 gw->gw_svc, major, grctx->src_ctx, grctx->src_ctx->gsc_uid,
1998 libcfs_nid2str(req->rq_peer.nid));
2001 * we only notify client in case of NO_CONTEXT/BAD_SIG, which
2002 * might happen after server reboot, to allow recovery.
2004 if ((major == GSS_S_NO_CONTEXT || major == GSS_S_BAD_SIG) &&
2005 gss_pack_err_notify(req, major, 0) == 0)
2006 RETURN(SECSVC_COMPLETE);
2008 RETURN(SECSVC_DROP);
2012 int gss_svc_handle_destroy(struct ptlrpc_request *req,
2013 struct gss_wire_ctx *gw)
2015 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2016 int replen = sizeof(struct ptlrpc_body);
2020 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
2021 if (!grctx->src_ctx) {
2022 CWARN("invalid gss context handle for destroy.\n");
2023 RETURN(SECSVC_DROP);
2026 if (gw->gw_svc != PTLRPC_GSS_SVC_INTEGRITY) {
2027 CERROR("svc %u is not supported in destroy.\n", gw->gw_svc);
2028 RETURN(SECSVC_DROP);
2031 if (gss_svc_verify_request(req, grctx->src_ctx, gw, &major))
2032 RETURN(SECSVC_DROP);
2034 if (lustre_pack_reply_v2(req, 1, &replen, NULL))
2035 RETURN(SECSVC_DROP);
2037 CWARN("gss svc destroy ctx %p(%u->%s)\n", grctx->src_ctx,
2038 grctx->src_ctx->gsc_uid, libcfs_nid2str(req->rq_peer.nid));
2040 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
2042 if (SEC_FLAVOR_HAS_USER(req->rq_sec_flavor)) {
2043 if (req->rq_reqbuf->lm_bufcount < 4) {
2044 CERROR("missing user descriptor, ignore it\n");
2047 if (sptlrpc_unpack_user_desc(req->rq_reqbuf, 2)) {
2048 CERROR("Mal-formed user descriptor, ignore it\n");
2051 req->rq_user_desc = lustre_msg_buf(req->rq_reqbuf, 2, 0);
2057 int gss_svc_accept(struct ptlrpc_sec_policy *policy, struct ptlrpc_request *req)
2059 struct gss_header *ghdr;
2060 struct gss_svc_reqctx *grctx;
2061 struct gss_wire_ctx *gw;
2065 LASSERT(req->rq_reqbuf);
2066 LASSERT(req->rq_svc_ctx == NULL);
2068 if (req->rq_reqbuf->lm_bufcount < 2) {
2069 CERROR("buf count only %d\n", req->rq_reqbuf->lm_bufcount);
2070 RETURN(SECSVC_DROP);
2073 ghdr = gss_swab_header(req->rq_reqbuf, 0);
2075 CERROR("can't decode gss header\n");
2076 RETURN(SECSVC_DROP);
2080 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
2081 CERROR("gss version %u, expect %u\n", ghdr->gh_version,
2082 PTLRPC_GSS_VERSION);
2083 RETURN(SECSVC_DROP);
2086 /* alloc grctx data */
2087 OBD_ALLOC_PTR(grctx);
2089 CERROR("fail to alloc svc reqctx\n");
2090 RETURN(SECSVC_DROP);
2092 grctx->src_base.sc_policy = sptlrpc_policy_get(policy);
2093 atomic_set(&grctx->src_base.sc_refcount, 1);
2094 req->rq_svc_ctx = &grctx->src_base;
2095 gw = &grctx->src_wirectx;
2097 /* save wire context */
2098 gw->gw_proc = ghdr->gh_proc;
2099 gw->gw_seq = ghdr->gh_seq;
2100 gw->gw_svc = ghdr->gh_svc;
2101 rawobj_from_netobj(&gw->gw_handle, &ghdr->gh_handle);
2103 /* keep original wire header which subject to checksum verification */
2104 if (lustre_msg_swabbed(req->rq_reqbuf))
2105 gss_header_swabber(ghdr);
2107 switch(ghdr->gh_proc) {
2108 case PTLRPC_GSS_PROC_INIT:
2109 case PTLRPC_GSS_PROC_CONTINUE_INIT:
2110 rc = gss_svc_handle_init(req, gw);
2112 case PTLRPC_GSS_PROC_DATA:
2113 rc = gss_svc_handle_data(req, gw);
2115 case PTLRPC_GSS_PROC_DESTROY:
2116 rc = gss_svc_handle_destroy(req, gw);
2119 CERROR("unknown proc %u\n", gw->gw_proc);
2126 LASSERT (grctx->src_ctx);
2128 req->rq_auth_gss = 1;
2129 req->rq_auth_remote = grctx->src_ctx->gsc_remote;
2130 req->rq_auth_usr_mdt = grctx->src_ctx->gsc_usr_mds;
2131 req->rq_auth_usr_root = grctx->src_ctx->gsc_usr_root;
2132 req->rq_auth_uid = grctx->src_ctx->gsc_uid;
2133 req->rq_auth_mapped_uid = grctx->src_ctx->gsc_mapped_uid;
2135 case SECSVC_COMPLETE:
2138 gss_svc_reqctx_free(grctx);
2139 req->rq_svc_ctx = NULL;
2146 void gss_svc_invalidate_ctx(struct ptlrpc_svc_ctx *svc_ctx)
2148 struct gss_svc_reqctx *grctx;
2151 if (svc_ctx == NULL) {
2156 grctx = gss_svc_ctx2reqctx(svc_ctx);
2158 CWARN("gss svc invalidate ctx %p(%u)\n",
2159 grctx->src_ctx, grctx->src_ctx->gsc_uid);
2160 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
2166 int gss_svc_payload(struct gss_svc_reqctx *grctx, int msgsize, int privacy)
2168 if (gss_svc_reqctx_is_special(grctx))
2169 return grctx->src_reserve_len;
2171 return gss_estimate_payload(NULL, msgsize, privacy);
2174 int gss_svc_alloc_rs(struct ptlrpc_request *req, int msglen)
2176 struct gss_svc_reqctx *grctx;
2177 struct ptlrpc_reply_state *rs;
2178 struct ptlrpc_bulk_sec_desc *bsd;
2180 int ibuflens[2], ibufcnt = 0;
2181 int buflens[4], bufcnt;
2182 int txtsize, wmsg_size, rs_size;
2185 LASSERT(msglen % 8 == 0);
2187 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor) &&
2188 !req->rq_bulk_read && !req->rq_bulk_write) {
2189 CERROR("client request bulk sec on non-bulk rpc\n");
2193 grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2194 if (gss_svc_reqctx_is_special(grctx))
2197 privacy = (SEC_FLAVOR_SVC(req->rq_sec_flavor) ==
2203 ibuflens[0] = msglen;
2205 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
2206 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
2207 bsd = lustre_msg_buf(req->rq_reqbuf,
2208 req->rq_reqbuf->lm_bufcount - 1,
2211 ibuflens[ibufcnt++] = bulk_sec_desc_size(
2212 bsd->bsd_csum_alg, 0,
2216 txtsize = lustre_msg_size_v2(ibufcnt, ibuflens);
2217 txtsize += GSS_MAX_CIPHER_BLOCK;
2219 /* wrapper buffer */
2221 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2222 buflens[1] = gss_svc_payload(grctx, buflens[0], 0);
2223 buflens[2] = gss_svc_payload(grctx, txtsize, 1);
2226 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2227 buflens[1] = msglen;
2228 txtsize = buflens[0] + buflens[1];
2230 if (SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor)) {
2231 LASSERT(req->rq_reqbuf->lm_bufcount >= 4);
2232 bsd = lustre_msg_buf(req->rq_reqbuf,
2233 req->rq_reqbuf->lm_bufcount - 2,
2236 buflens[bufcnt] = bulk_sec_desc_size(
2237 bsd->bsd_csum_alg, 0,
2239 txtsize += buflens[bufcnt];
2242 buflens[bufcnt++] = gss_svc_payload(grctx, txtsize, 0);
2245 wmsg_size = lustre_msg_size_v2(bufcnt, buflens);
2247 rs_size = sizeof(*rs) + wmsg_size;
2248 rs = req->rq_reply_state;
2252 LASSERT(rs->rs_size >= rs_size);
2254 OBD_ALLOC(rs, rs_size);
2258 rs->rs_size = rs_size;
2261 rs->rs_repbuf = (struct lustre_msg *) (rs + 1);
2262 rs->rs_repbuf_len = wmsg_size;
2265 lustre_init_msg_v2(rs->rs_repbuf, ibufcnt, ibuflens, NULL);
2266 rs->rs_msg = lustre_msg_buf(rs->rs_repbuf, 0, msglen);
2268 lustre_init_msg_v2(rs->rs_repbuf, bufcnt, buflens, NULL);
2269 rs->rs_repbuf->lm_secflvr = req->rq_sec_flavor;
2271 rs->rs_msg = (struct lustre_msg *)
2272 lustre_msg_buf(rs->rs_repbuf, 1, 0);
2275 gss_svc_reqctx_addref(grctx);
2276 rs->rs_svc_ctx = req->rq_svc_ctx;
2278 LASSERT(rs->rs_msg);
2279 req->rq_reply_state = rs;
2284 int gss_svc_seal(struct ptlrpc_request *req,
2285 struct ptlrpc_reply_state *rs,
2286 struct gss_svc_reqctx *grctx)
2288 struct gss_svc_ctx *gctx = grctx->src_ctx;
2289 rawobj_t msgobj, cipher_obj, micobj;
2290 struct gss_header *ghdr;
2292 int cipher_buflen, buflens[3];
2297 /* embedded lustre_msg might have been shrinked */
2298 if (req->rq_replen != rs->rs_repbuf->lm_buflens[0])
2299 lustre_shrink_msg(rs->rs_repbuf, 0, req->rq_replen, 1);
2301 /* clear data length */
2302 msglen = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
2303 rs->rs_repbuf->lm_buflens);
2306 msgobj.len = msglen;
2307 msgobj.data = (__u8 *) rs->rs_repbuf;
2309 /* allocate temporary cipher buffer */
2310 cipher_buflen = gss_estimate_payload(gctx->gsc_mechctx, msglen, 1);
2311 OBD_ALLOC(cipher_buf, cipher_buflen);
2315 cipher_obj.len = cipher_buflen;
2316 cipher_obj.data = cipher_buf;
2318 major = lgss_wrap(gctx->gsc_mechctx, &msgobj, rs->rs_repbuf_len,
2320 if (major != GSS_S_COMPLETE) {
2321 CERROR("priv: wrap message error: %08x\n", major);
2322 GOTO(out_free, rc = -EPERM);
2324 LASSERT(cipher_obj.len <= cipher_buflen);
2326 /* now the real wire data */
2327 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2328 buflens[1] = gss_estimate_payload(gctx->gsc_mechctx, buflens[0], 0);
2329 buflens[2] = cipher_obj.len;
2331 LASSERT(lustre_msg_size_v2(3, buflens) <= rs->rs_repbuf_len);
2332 lustre_init_msg_v2(rs->rs_repbuf, 3, buflens, NULL);
2333 rs->rs_repbuf->lm_secflvr = req->rq_sec_flavor;
2336 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
2337 ghdr->gh_version = PTLRPC_GSS_VERSION;
2339 ghdr->gh_proc = PTLRPC_GSS_PROC_DATA;
2340 ghdr->gh_seq = grctx->src_wirectx.gw_seq;
2341 ghdr->gh_svc = PTLRPC_GSS_SVC_PRIVACY;
2342 ghdr->gh_handle.len = 0;
2344 /* header signature */
2345 msgobj.len = rs->rs_repbuf->lm_buflens[0];
2346 msgobj.data = lustre_msg_buf(rs->rs_repbuf, 0, 0);
2347 micobj.len = rs->rs_repbuf->lm_buflens[1];
2348 micobj.data = lustre_msg_buf(rs->rs_repbuf, 1, 0);
2350 major = lgss_get_mic(gctx->gsc_mechctx, 1, &msgobj, &micobj);
2351 if (major != GSS_S_COMPLETE) {
2352 CERROR("priv: sign message error: %08x\n", major);
2353 GOTO(out_free, rc = -EPERM);
2355 lustre_shrink_msg(rs->rs_repbuf, 1, micobj.len, 0);
2358 memcpy(lustre_msg_buf(rs->rs_repbuf, 2, 0),
2359 cipher_obj.data, cipher_obj.len);
2361 rs->rs_repdata_len = lustre_shrink_msg(rs->rs_repbuf, 2,
2364 /* to catch upper layer's further access */
2366 req->rq_repmsg = NULL;
2371 OBD_FREE(cipher_buf, cipher_buflen);
2375 int gss_svc_authorize(struct ptlrpc_request *req)
2377 struct ptlrpc_reply_state *rs = req->rq_reply_state;
2378 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2379 struct gss_wire_ctx *gw;
2383 if (gss_svc_reqctx_is_special(grctx))
2386 gw = &grctx->src_wirectx;
2387 if (gw->gw_proc != PTLRPC_GSS_PROC_DATA &&
2388 gw->gw_proc != PTLRPC_GSS_PROC_DESTROY) {
2389 CERROR("proc %d not support\n", gw->gw_proc);
2393 LASSERT(grctx->src_ctx);
2395 switch (gw->gw_svc) {
2396 case PTLRPC_GSS_SVC_INTEGRITY:
2397 rc = gss_svc_sign(req, rs, grctx);
2399 case PTLRPC_GSS_SVC_PRIVACY:
2400 rc = gss_svc_seal(req, rs, grctx);
2403 CERROR("Unknown service %d\n", gw->gw_svc);
2404 GOTO(out, rc = -EINVAL);
2412 void gss_svc_free_rs(struct ptlrpc_reply_state *rs)
2414 struct gss_svc_reqctx *grctx;
2416 LASSERT(rs->rs_svc_ctx);
2417 grctx = container_of(rs->rs_svc_ctx, struct gss_svc_reqctx, src_base);
2419 gss_svc_reqctx_decref(grctx);
2420 rs->rs_svc_ctx = NULL;
2422 if (!rs->rs_prealloc)
2423 OBD_FREE(rs, rs->rs_size);
2426 void gss_svc_free_ctx(struct ptlrpc_svc_ctx *ctx)
2428 LASSERT(atomic_read(&ctx->sc_refcount) == 0);
2429 gss_svc_reqctx_free(gss_svc_ctx2reqctx(ctx));
2432 int gss_copy_rvc_cli_ctx(struct ptlrpc_cli_ctx *cli_ctx,
2433 struct ptlrpc_svc_ctx *svc_ctx)
2435 struct gss_cli_ctx *cli_gctx = ctx2gctx(cli_ctx);
2436 struct gss_svc_reqctx *grctx;
2437 struct gss_ctx *mechctx = NULL;
2439 cli_gctx->gc_proc = PTLRPC_GSS_PROC_DATA;
2440 cli_gctx->gc_win = GSS_SEQ_WIN;
2441 atomic_set(&cli_gctx->gc_seq, 0);
2443 grctx = container_of(svc_ctx, struct gss_svc_reqctx, src_base);
2444 LASSERT(grctx->src_ctx);
2445 LASSERT(grctx->src_ctx->gsc_mechctx);
2447 if (lgss_copy_reverse_context(grctx->src_ctx->gsc_mechctx, &mechctx) !=
2449 CERROR("failed to copy mech context\n");
2453 if (rawobj_dup(&cli_gctx->gc_handle, &grctx->src_ctx->gsc_rvs_hdl)) {
2454 CERROR("failed to dup reverse handle\n");
2455 lgss_delete_sec_context(&mechctx);
2459 cli_gctx->gc_mechctx = mechctx;
2460 gss_cli_ctx_uptodate(cli_gctx);
2465 int __init sptlrpc_gss_init(void)
2469 rc = gss_init_lproc();
2473 rc = gss_init_cli_upcall();
2477 rc = gss_init_svc_upcall();
2479 goto out_cli_upcall;
2481 rc = init_kerberos_module();
2483 goto out_svc_upcall;
2486 * register policy after all other stuff be intialized, because it
2487 * might be in used immediately after the registration.
2490 rc = gss_init_keyring();
2494 #ifdef HAVE_GSS_PIPEFS
2495 rc = gss_init_pipefs();
2502 #ifdef HAVE_GSS_PIPEFS
2508 cleanup_kerberos_module();
2510 gss_exit_svc_upcall();
2512 gss_exit_cli_upcall();
2518 static void __exit sptlrpc_gss_exit(void)
2521 #ifdef HAVE_GSS_PIPEFS
2524 cleanup_kerberos_module();
2525 gss_exit_svc_upcall();
2526 gss_exit_cli_upcall();
2530 MODULE_AUTHOR("Cluster File Systems, Inc. <info@clusterfs.com>");
2531 MODULE_DESCRIPTION("GSS security policy for Lustre");
2532 MODULE_LICENSE("GPL");
2534 module_init(sptlrpc_gss_init);
2535 module_exit(sptlrpc_gss_exit);