1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
2 * vim:expandtab:shiftwidth=8:tabstop=8:
4 * Modifications for Lustre
5 * Copyright 2004 - 2007, Cluster File Systems, Inc.
7 * Author: Eric Mei <ericm@clusterfs.com>
11 * linux/net/sunrpc/auth_gss.c
13 * RPCSEC_GSS client authentication.
15 * Copyright (c) 2000 The Regents of the University of Michigan.
16 * All rights reserved.
18 * Dug Song <dugsong@monkey.org>
19 * Andy Adamson <andros@umich.edu>
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the above copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. Neither the name of the University nor the names of its
31 * contributors may be used to endorse or promote products derived
32 * from this software without specific prior written permission.
34 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
35 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
36 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
37 * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
38 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
39 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
40 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
41 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
42 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
43 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
44 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 # define EXPORT_SYMTAB
51 #define DEBUG_SUBSYSTEM S_SEC
53 #include <linux/init.h>
54 #include <linux/module.h>
55 #include <linux/slab.h>
56 #include <linux/dcache.h>
58 #include <linux/random.h>
59 #include <linux/mutex.h>
60 #include <asm/atomic.h>
62 #include <liblustre.h>
66 #include <obd_class.h>
67 #include <obd_support.h>
68 #include <obd_cksum.h>
69 #include <lustre/lustre_idl.h>
70 #include <lustre_net.h>
71 #include <lustre_import.h>
72 #include <lustre_sec.h>
75 #include "gss_internal.h"
78 #include <linux/crypto.h>
81 * early reply have fixed size, respectively in privacy and integrity mode.
82 * so we calculate them only once.
84 static int gss_at_reply_off_integ;
85 static int gss_at_reply_off_priv;
88 static inline int msg_last_segidx(struct lustre_msg *msg)
90 LASSERT(msg->lm_bufcount > 0);
91 return msg->lm_bufcount - 1;
93 static inline int msg_last_seglen(struct lustre_msg *msg)
95 return msg->lm_buflens[msg_last_segidx(msg)];
98 /********************************************
100 ********************************************/
103 void gss_header_swabber(struct gss_header *ghdr)
105 __swab32s(&ghdr->gh_flags);
106 __swab32s(&ghdr->gh_proc);
107 __swab32s(&ghdr->gh_seq);
108 __swab32s(&ghdr->gh_svc);
109 __swab32s(&ghdr->gh_pad1);
110 __swab32s(&ghdr->gh_handle.len);
113 struct gss_header *gss_swab_header(struct lustre_msg *msg, int segment)
115 struct gss_header *ghdr;
117 ghdr = lustre_swab_buf(msg, segment, sizeof(*ghdr),
121 sizeof(*ghdr) + ghdr->gh_handle.len > msg->lm_buflens[segment]) {
122 CERROR("gss header require length %u, now %u received\n",
123 (unsigned int) sizeof(*ghdr) + ghdr->gh_handle.len,
124 msg->lm_buflens[segment]);
132 void gss_netobj_swabber(netobj_t *obj)
134 __swab32s(&obj->len);
137 netobj_t *gss_swab_netobj(struct lustre_msg *msg, int segment)
141 obj = lustre_swab_buf(msg, segment, sizeof(*obj), gss_netobj_swabber);
142 if (obj && sizeof(*obj) + obj->len > msg->lm_buflens[segment]) {
143 CERROR("netobj require length %u but only %u received\n",
144 (unsigned int) sizeof(*obj) + obj->len,
145 msg->lm_buflens[segment]);
153 * payload should be obtained from mechanism. but currently since we
154 * only support kerberos, we could simply use fixed value.
157 * - krb5 checksum: 20
159 * for privacy mode, payload also include the cipher text which has the same
160 * size as plain text, plus possible confounder, padding both at maximum cipher
163 #define GSS_KRB5_INTEG_MAX_PAYLOAD (40)
166 int gss_mech_payload(struct gss_ctx *mechctx, int msgsize, int privacy)
169 return GSS_KRB5_INTEG_MAX_PAYLOAD + 16 + 16 + 16 + msgsize;
171 return GSS_KRB5_INTEG_MAX_PAYLOAD;
175 * return signature size, otherwise < 0 to indicate error
177 static int gss_sign_msg(struct lustre_msg *msg,
178 struct gss_ctx *mechctx,
179 enum lustre_sec_part sp,
180 __u32 flags, __u32 proc, __u32 seq, __u32 svc,
183 struct gss_header *ghdr;
184 rawobj_t text[3], mic;
185 int textcnt, max_textcnt, mic_idx;
188 LASSERT(msg->lm_bufcount >= 2);
191 LASSERT(msg->lm_buflens[0] >=
192 sizeof(*ghdr) + (handle ? handle->len : 0));
193 ghdr = lustre_msg_buf(msg, 0, 0);
195 ghdr->gh_version = PTLRPC_GSS_VERSION;
196 ghdr->gh_sp = (__u8) sp;
197 ghdr->gh_flags = flags;
198 ghdr->gh_proc = proc;
202 /* fill in a fake one */
203 ghdr->gh_handle.len = 0;
205 ghdr->gh_handle.len = handle->len;
206 memcpy(ghdr->gh_handle.data, handle->data, handle->len);
209 /* no actual signature for null mode */
210 if (svc == SPTLRPC_SVC_NULL)
211 return lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
214 mic_idx = msg_last_segidx(msg);
215 max_textcnt = (svc == SPTLRPC_SVC_AUTH) ? 1 : mic_idx;
217 for (textcnt = 0; textcnt < max_textcnt; textcnt++) {
218 text[textcnt].len = msg->lm_buflens[textcnt];
219 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
222 mic.len = msg->lm_buflens[mic_idx];
223 mic.data = lustre_msg_buf(msg, mic_idx, 0);
225 major = lgss_get_mic(mechctx, textcnt, text, &mic);
226 if (major != GSS_S_COMPLETE) {
227 CERROR("fail to generate MIC: %08x\n", major);
230 LASSERT(mic.len <= msg->lm_buflens[mic_idx]);
232 return lustre_shrink_msg(msg, mic_idx, mic.len, 0);
239 __u32 gss_verify_msg(struct lustre_msg *msg,
240 struct gss_ctx *mechctx,
243 rawobj_t text[3], mic;
244 int textcnt, max_textcnt;
248 LASSERT(msg->lm_bufcount >= 2);
250 if (svc == SPTLRPC_SVC_NULL)
251 return GSS_S_COMPLETE;
253 mic_idx = msg_last_segidx(msg);
254 max_textcnt = (svc == SPTLRPC_SVC_AUTH) ? 1 : mic_idx;
256 for (textcnt = 0; textcnt < max_textcnt; textcnt++) {
257 text[textcnt].len = msg->lm_buflens[textcnt];
258 text[textcnt].data = lustre_msg_buf(msg, textcnt, 0);
261 mic.len = msg->lm_buflens[mic_idx];
262 mic.data = lustre_msg_buf(msg, mic_idx, 0);
264 major = lgss_verify_mic(mechctx, textcnt, text, &mic);
265 if (major != GSS_S_COMPLETE)
266 CERROR("mic verify error: %08x\n", major);
272 * return gss error code
275 __u32 gss_unseal_msg(struct gss_ctx *mechctx,
276 struct lustre_msg *msgbuf,
277 int *msg_len, int msgbuf_len)
279 rawobj_t clear_obj, micobj, msgobj, token;
285 if (msgbuf->lm_bufcount != 3) {
286 CERROR("invalid bufcount %d\n", msgbuf->lm_bufcount);
287 RETURN(GSS_S_FAILURE);
290 /* verify gss header */
291 msgobj.len = msgbuf->lm_buflens[0];
292 msgobj.data = lustre_msg_buf(msgbuf, 0, 0);
293 micobj.len = msgbuf->lm_buflens[1];
294 micobj.data = lustre_msg_buf(msgbuf, 1, 0);
296 major = lgss_verify_mic(mechctx, 1, &msgobj, &micobj);
297 if (major != GSS_S_COMPLETE) {
298 CERROR("priv: mic verify error: %08x\n", major);
302 /* temporary clear text buffer */
303 clear_buflen = msgbuf->lm_buflens[2];
304 OBD_ALLOC(clear_buf, clear_buflen);
306 RETURN(GSS_S_FAILURE);
308 token.len = msgbuf->lm_buflens[2];
309 token.data = lustre_msg_buf(msgbuf, 2, 0);
311 clear_obj.len = clear_buflen;
312 clear_obj.data = clear_buf;
314 major = lgss_unwrap(mechctx, &token, &clear_obj);
315 if (major != GSS_S_COMPLETE) {
316 CERROR("priv: unwrap message error: %08x\n", major);
317 GOTO(out_free, major = GSS_S_FAILURE);
319 LASSERT(clear_obj.len <= clear_buflen);
321 /* now the decrypted message */
322 memcpy(msgbuf, clear_obj.data, clear_obj.len);
323 *msg_len = clear_obj.len;
325 major = GSS_S_COMPLETE;
327 OBD_FREE(clear_buf, clear_buflen);
331 /********************************************
332 * gss client context manipulation helpers *
333 ********************************************/
335 int cli_ctx_expire(struct ptlrpc_cli_ctx *ctx)
337 LASSERT(atomic_read(&ctx->cc_refcount));
339 if (!test_and_set_bit(PTLRPC_CTX_DEAD_BIT, &ctx->cc_flags)) {
340 if (!ctx->cc_early_expire)
341 clear_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
343 CWARN("ctx %p(%u->%s) get expired: %lu(%+lds)\n",
344 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
346 ctx->cc_expire == 0 ? 0 :
347 cfs_time_sub(ctx->cc_expire, cfs_time_current_sec()));
356 * return 1 if the context is dead.
358 int cli_ctx_check_death(struct ptlrpc_cli_ctx *ctx)
360 if (unlikely(cli_ctx_is_dead(ctx)))
363 /* expire is 0 means never expire. a newly created gss context
364 * which during upcall may has 0 expiration */
365 if (ctx->cc_expire == 0)
368 /* check real expiration */
369 if (cfs_time_after(ctx->cc_expire, cfs_time_current_sec()))
376 void gss_cli_ctx_uptodate(struct gss_cli_ctx *gctx)
378 struct ptlrpc_cli_ctx *ctx = &gctx->gc_base;
379 unsigned long ctx_expiry;
381 if (lgss_inquire_context(gctx->gc_mechctx, &ctx_expiry)) {
382 CERROR("ctx %p(%u): unable to inquire, expire it now\n",
383 gctx, ctx->cc_vcred.vc_uid);
384 ctx_expiry = 1; /* make it expired now */
387 ctx->cc_expire = gss_round_ctx_expiry(ctx_expiry,
388 ctx->cc_sec->ps_flvr.sf_flags);
390 /* At this point this ctx might have been marked as dead by
391 * someone else, in which case nobody will make further use
392 * of it. we don't care, and mark it UPTODATE will help
393 * destroying server side context when it be destroied. */
394 set_bit(PTLRPC_CTX_UPTODATE_BIT, &ctx->cc_flags);
396 if (sec_is_reverse(ctx->cc_sec)) {
397 CWARN("server installed reverse ctx %p idx "LPX64", "
398 "expiry %lu(%+lds)\n", ctx,
399 gss_handle_to_u64(&gctx->gc_handle),
400 ctx->cc_expire, ctx->cc_expire - cfs_time_current_sec());
402 CWARN("client refreshed ctx %p idx "LPX64" (%u->%s), "
403 "expiry %lu(%+lds)\n", ctx,
404 gss_handle_to_u64(&gctx->gc_handle),
405 ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
406 ctx->cc_expire, ctx->cc_expire - cfs_time_current_sec());
408 /* install reverse svc ctx for root context */
409 if (ctx->cc_vcred.vc_uid == 0)
410 gss_sec_install_rctx(ctx->cc_sec->ps_import,
415 static void gss_cli_ctx_finalize(struct gss_cli_ctx *gctx)
417 LASSERT(gctx->gc_base.cc_sec);
419 if (gctx->gc_mechctx) {
420 lgss_delete_sec_context(&gctx->gc_mechctx);
421 gctx->gc_mechctx = NULL;
424 if (!rawobj_empty(&gctx->gc_svc_handle)) {
425 /* forward ctx: mark buddy reverse svcctx soon-expire. */
426 if (!sec_is_reverse(gctx->gc_base.cc_sec) &&
427 !rawobj_empty(&gctx->gc_svc_handle))
428 gss_svc_upcall_expire_rvs_ctx(&gctx->gc_svc_handle);
430 rawobj_free(&gctx->gc_svc_handle);
433 rawobj_free(&gctx->gc_handle);
437 * Based on sequence number algorithm as specified in RFC 2203.
439 * modified for our own problem: arriving request has valid sequence number,
440 * but unwrapping request might cost a long time, after that its sequence
441 * are not valid anymore (fall behind the window). It rarely happen, mostly
442 * under extreme load.
444 * note we should not check sequence before verify the integrity of incoming
445 * request, because just one attacking request with high sequence number might
446 * cause all following request be dropped.
448 * so here we use a multi-phase approach: prepare 2 sequence windows,
449 * "main window" for normal sequence and "back window" for fall behind sequence.
450 * and 3-phase checking mechanism:
451 * 0 - before integrity verification, perform a initial sequence checking in
452 * main window, which only try and don't actually set any bits. if the
453 * sequence is high above the window or fit in the window and the bit
454 * is 0, then accept and proceed to integrity verification. otherwise
455 * reject this sequence.
456 * 1 - after integrity verification, check in main window again. if this
457 * sequence is high above the window or fit in the window and the bit
458 * is 0, then set the bit and accept; if it fit in the window but bit
459 * already set, then reject; if it fall behind the window, then proceed
461 * 2 - check in back window. if it is high above the window or fit in the
462 * window and the bit is 0, then set the bit and accept. otherwise reject.
465 * 1: looks like a replay
469 * note phase 0 is necessary, because otherwise replay attacking request of
470 * sequence which between the 2 windows can't be detected.
472 * this mechanism can't totally solve the problem, but could help much less
473 * number of valid requests be dropped.
476 int gss_do_check_seq(unsigned long *window, __u32 win_size, __u32 *max_seq,
477 __u32 seq_num, int phase)
479 LASSERT(phase >= 0 && phase <= 2);
481 if (seq_num > *max_seq) {
483 * 1. high above the window
488 if (seq_num >= *max_seq + win_size) {
489 memset(window, 0, win_size / 8);
492 while(*max_seq < seq_num) {
494 __clear_bit((*max_seq) % win_size, window);
497 __set_bit(seq_num % win_size, window);
498 } else if (seq_num + win_size <= *max_seq) {
500 * 2. low behind the window
502 if (phase == 0 || phase == 2)
505 CWARN("seq %u is %u behind (size %d), check backup window\n",
506 seq_num, *max_seq - win_size - seq_num, win_size);
510 * 3. fit into the window
514 if (test_bit(seq_num % win_size, window))
519 if (__test_and_set_bit(seq_num % win_size, window))
528 CERROR("seq %u (%s %s window) is a replay: max %u, winsize %d\n",
530 seq_num + win_size > *max_seq ? "in" : "behind",
531 phase == 2 ? "backup " : "main",
537 * Based on sequence number algorithm as specified in RFC 2203.
539 * if @set == 0: initial check, don't set any bit in window
540 * if @sec == 1: final check, set bit in window
542 int gss_check_seq_num(struct gss_svc_seq_data *ssd, __u32 seq_num, int set)
546 spin_lock(&ssd->ssd_lock);
552 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
553 &ssd->ssd_max_main, seq_num, 0);
555 gss_stat_oos_record_svc(0, 1);
558 * phase 1 checking main window
560 rc = gss_do_check_seq(ssd->ssd_win_main, GSS_SEQ_WIN_MAIN,
561 &ssd->ssd_max_main, seq_num, 1);
564 gss_stat_oos_record_svc(1, 1);
570 * phase 2 checking back window
572 rc = gss_do_check_seq(ssd->ssd_win_back, GSS_SEQ_WIN_BACK,
573 &ssd->ssd_max_back, seq_num, 2);
575 gss_stat_oos_record_svc(2, 1);
577 gss_stat_oos_record_svc(2, 0);
580 spin_unlock(&ssd->ssd_lock);
584 /***************************************
586 ***************************************/
588 static inline int gss_cli_payload(struct ptlrpc_cli_ctx *ctx,
589 int msgsize, int privacy)
591 return gss_mech_payload(NULL, msgsize, privacy);
594 int gss_cli_ctx_match(struct ptlrpc_cli_ctx *ctx, struct vfs_cred *vcred)
596 return (ctx->cc_vcred.vc_uid == vcred->vc_uid);
599 void gss_cli_ctx_flags2str(unsigned long flags, char *buf, int bufsize)
603 if (flags & PTLRPC_CTX_NEW)
604 strncat(buf, "new,", bufsize);
605 if (flags & PTLRPC_CTX_UPTODATE)
606 strncat(buf, "uptodate,", bufsize);
607 if (flags & PTLRPC_CTX_DEAD)
608 strncat(buf, "dead,", bufsize);
609 if (flags & PTLRPC_CTX_ERROR)
610 strncat(buf, "error,", bufsize);
611 if (flags & PTLRPC_CTX_CACHED)
612 strncat(buf, "cached,", bufsize);
613 if (flags & PTLRPC_CTX_ETERNAL)
614 strncat(buf, "eternal,", bufsize);
616 strncat(buf, "-,", bufsize);
618 buf[strlen(buf) - 1] = '\0';
621 int gss_cli_ctx_sign(struct ptlrpc_cli_ctx *ctx,
622 struct ptlrpc_request *req)
624 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
625 __u32 flags = 0, seq, svc;
629 LASSERT(req->rq_reqbuf);
630 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
631 LASSERT(req->rq_cli_ctx == ctx);
633 /* nothing to do for context negotiation RPCs */
634 if (req->rq_ctx_init)
637 svc = RPC_FLVR_SVC(req->rq_flvr.sf_rpc);
638 if (req->rq_pack_bulk)
639 flags |= LUSTRE_GSS_PACK_BULK;
640 if (req->rq_pack_udesc)
641 flags |= LUSTRE_GSS_PACK_USER;
644 seq = atomic_inc_return(&gctx->gc_seq);
646 rc = gss_sign_msg(req->rq_reqbuf, gctx->gc_mechctx,
647 ctx->cc_sec->ps_part,
648 flags, gctx->gc_proc, seq, svc,
653 /* gss_sign_msg() msg might take long time to finish, in which period
654 * more rpcs could be wrapped up and sent out. if we found too many
655 * of them we should repack this rpc, because sent it too late might
656 * lead to the sequence number fall behind the window on server and
657 * be dropped. also applies to gss_cli_ctx_seal().
659 * Note: null mode dosen't check sequence number. */
660 if (svc != SPTLRPC_SVC_NULL &&
661 atomic_read(&gctx->gc_seq) - seq > GSS_SEQ_REPACK_THRESHOLD) {
662 int behind = atomic_read(&gctx->gc_seq) - seq;
664 gss_stat_oos_record_cli(behind);
665 CWARN("req %p: %u behind, retry signing\n", req, behind);
669 req->rq_reqdata_len = rc;
674 int gss_cli_ctx_handle_err_notify(struct ptlrpc_cli_ctx *ctx,
675 struct ptlrpc_request *req,
676 struct gss_header *ghdr)
678 struct gss_err_header *errhdr;
681 LASSERT(ghdr->gh_proc == PTLRPC_GSS_PROC_ERR);
683 errhdr = (struct gss_err_header *) ghdr;
685 CWARN("req x"LPU64"/t"LPU64", ctx %p idx "LPX64"(%u->%s): "
686 "%sserver respond (%08x/%08x)\n",
687 req->rq_xid, req->rq_transno, ctx,
688 gss_handle_to_u64(&ctx2gctx(ctx)->gc_handle),
689 ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec),
690 sec_is_reverse(ctx->cc_sec) ? "reverse" : "",
691 errhdr->gh_major, errhdr->gh_minor);
693 /* context fini rpc, let it failed */
694 if (req->rq_ctx_fini) {
695 CWARN("context fini rpc failed\n");
699 /* reverse sec, just return error, don't expire this ctx because it's
700 * crucial to callback rpcs. note if the callback rpc failed because
701 * of bit flip during network transfer, the client will be evicted
702 * directly. so more gracefully we probably want let it retry for
703 * number of times. */
704 if (sec_is_reverse(ctx->cc_sec))
707 if (errhdr->gh_major != GSS_S_NO_CONTEXT &&
708 errhdr->gh_major != GSS_S_BAD_SIG)
711 /* server return NO_CONTEXT might be caused by context expire
712 * or server reboot/failover. we try to refresh a new ctx which
713 * be transparent to upper layer.
715 * In some cases, our gss handle is possible to be incidentally
716 * identical to another handle since the handle itself is not
717 * fully random. In krb5 case, the GSS_S_BAD_SIG will be
718 * returned, maybe other gss error for other mechanism.
720 * if we add new mechanism, make sure the correct error are
721 * returned in this case. */
722 CWARN("%s: server might lost the context, retrying\n",
723 errhdr->gh_major == GSS_S_NO_CONTEXT ? "NO_CONTEXT" : "BAD_SIG");
725 sptlrpc_cli_ctx_expire(ctx);
727 /* we need replace the ctx right here, otherwise during
728 * resent we'll hit the logic in sptlrpc_req_refresh_ctx()
729 * which keep the ctx with RESEND flag, thus we'll never
730 * get rid of this ctx. */
731 rc = sptlrpc_req_replace_dead_ctx(req);
738 int gss_cli_ctx_verify(struct ptlrpc_cli_ctx *ctx,
739 struct ptlrpc_request *req)
741 struct gss_cli_ctx *gctx;
742 struct gss_header *ghdr, *reqhdr;
743 struct lustre_msg *msg = req->rq_repdata;
745 int pack_bulk, early = 0, rc = 0;
748 LASSERT(req->rq_cli_ctx == ctx);
751 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
753 if ((char *) msg < req->rq_repbuf ||
754 (char *) msg >= req->rq_repbuf + req->rq_repbuf_len)
757 /* special case for context negotiation, rq_repmsg/rq_replen actually
758 * are not used currently. but early reply always be treated normally */
759 if (req->rq_ctx_init && !early) {
760 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
761 req->rq_replen = msg->lm_buflens[1];
765 if (msg->lm_bufcount < 2 || msg->lm_bufcount > 4) {
766 CERROR("unexpected bufcount %u\n", msg->lm_bufcount);
770 ghdr = gss_swab_header(msg, 0);
772 CERROR("can't decode gss header\n");
777 reqhdr = lustre_msg_buf(msg, 0, sizeof(*reqhdr));
780 if (ghdr->gh_version != reqhdr->gh_version) {
781 CERROR("gss version %u mismatch, expect %u\n",
782 ghdr->gh_version, reqhdr->gh_version);
786 switch (ghdr->gh_proc) {
787 case PTLRPC_GSS_PROC_DATA:
788 pack_bulk = ghdr->gh_flags & LUSTRE_GSS_PACK_BULK;
790 if (!early && !equi(req->rq_pack_bulk == 1, pack_bulk)) {
791 CERROR("%s bulk flag in reply\n",
792 req->rq_pack_bulk ? "missing" : "unexpected");
796 if (ghdr->gh_seq != reqhdr->gh_seq) {
797 CERROR("seqnum %u mismatch, expect %u\n",
798 ghdr->gh_seq, reqhdr->gh_seq);
802 if (ghdr->gh_svc != reqhdr->gh_svc) {
803 CERROR("svc %u mismatch, expect %u\n",
804 ghdr->gh_svc, reqhdr->gh_svc);
808 if (lustre_msg_swabbed(msg))
809 gss_header_swabber(ghdr);
811 major = gss_verify_msg(msg, gctx->gc_mechctx, reqhdr->gh_svc);
812 if (major != GSS_S_COMPLETE)
815 if (early && reqhdr->gh_svc == SPTLRPC_SVC_NULL) {
818 cksum = crc32_le(!(__u32) 0,
819 lustre_msg_buf(msg, 1, 0),
820 lustre_msg_buflen(msg, 1));
821 if (cksum != msg->lm_cksum) {
822 CWARN("early reply checksum mismatch: "
823 "%08x != %08x\n", cksum, msg->lm_cksum);
829 /* bulk checksum is right after the lustre msg */
830 if (msg->lm_bufcount < 3) {
831 CERROR("Invalid reply bufcount %u\n",
836 rc = bulk_sec_desc_unpack(msg, 2);
838 CERROR("unpack bulk desc: %d\n", rc);
843 req->rq_repmsg = lustre_msg_buf(msg, 1, 0);
844 req->rq_replen = msg->lm_buflens[1];
846 case PTLRPC_GSS_PROC_ERR:
848 CERROR("server return error with early reply\n");
851 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
855 CERROR("unknown gss proc %d\n", ghdr->gh_proc);
862 int gss_cli_ctx_seal(struct ptlrpc_cli_ctx *ctx,
863 struct ptlrpc_request *req)
865 struct gss_cli_ctx *gctx;
866 rawobj_t msgobj, cipher_obj, micobj;
867 struct gss_header *ghdr;
868 int buflens[3], wiresize, rc;
872 LASSERT(req->rq_clrbuf);
873 LASSERT(req->rq_cli_ctx == ctx);
874 LASSERT(req->rq_reqlen);
876 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
878 /* close clear data length */
879 req->rq_clrdata_len = lustre_msg_size_v2(req->rq_clrbuf->lm_bufcount,
880 req->rq_clrbuf->lm_buflens);
882 /* calculate wire data length */
883 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
884 buflens[1] = gss_cli_payload(&gctx->gc_base, buflens[0], 0);
885 buflens[2] = gss_cli_payload(&gctx->gc_base, req->rq_clrdata_len, 1);
886 wiresize = lustre_msg_size_v2(3, buflens);
888 /* allocate wire buffer */
891 LASSERT(req->rq_reqbuf);
892 LASSERT(req->rq_reqbuf != req->rq_clrbuf);
893 LASSERT(req->rq_reqbuf_len >= wiresize);
895 OBD_ALLOC(req->rq_reqbuf, wiresize);
898 req->rq_reqbuf_len = wiresize;
901 lustre_init_msg_v2(req->rq_reqbuf, 3, buflens, NULL);
902 req->rq_reqbuf->lm_secflvr = req->rq_flvr.sf_rpc;
905 ghdr = lustre_msg_buf(req->rq_reqbuf, 0, 0);
906 ghdr->gh_version = PTLRPC_GSS_VERSION;
907 ghdr->gh_sp = (__u8) ctx->cc_sec->ps_part;
909 ghdr->gh_proc = gctx->gc_proc;
910 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
911 ghdr->gh_svc = SPTLRPC_SVC_PRIV;
912 ghdr->gh_handle.len = gctx->gc_handle.len;
913 memcpy(ghdr->gh_handle.data, gctx->gc_handle.data, gctx->gc_handle.len);
914 if (req->rq_pack_bulk)
915 ghdr->gh_flags |= LUSTRE_GSS_PACK_BULK;
916 if (req->rq_pack_udesc)
917 ghdr->gh_flags |= LUSTRE_GSS_PACK_USER;
920 /* header signature */
921 msgobj.len = req->rq_reqbuf->lm_buflens[0];
922 msgobj.data = lustre_msg_buf(req->rq_reqbuf, 0, 0);
923 micobj.len = req->rq_reqbuf->lm_buflens[1];
924 micobj.data = lustre_msg_buf(req->rq_reqbuf, 1, 0);
926 major = lgss_get_mic(gctx->gc_mechctx, 1, &msgobj, &micobj);
927 if (major != GSS_S_COMPLETE) {
928 CERROR("priv: sign message error: %08x\n", major);
929 GOTO(err_free, rc = -EPERM);
931 /* perhaps shrink msg has potential problem in re-packing???
932 * ship a little bit more data is fine.
933 lustre_shrink_msg(req->rq_reqbuf, 1, micobj.len, 0);
937 msgobj.len = req->rq_clrdata_len;
938 msgobj.data = (__u8 *) req->rq_clrbuf;
941 cipher_obj.len = req->rq_reqbuf->lm_buflens[2];
942 cipher_obj.data = lustre_msg_buf(req->rq_reqbuf, 2, 0);
944 major = lgss_wrap(gctx->gc_mechctx, &msgobj, req->rq_clrbuf_len,
946 if (major != GSS_S_COMPLETE) {
947 CERROR("priv: wrap message error: %08x\n", major);
948 GOTO(err_free, rc = -EPERM);
950 LASSERT(cipher_obj.len <= buflens[2]);
952 /* see explain in gss_cli_ctx_sign() */
953 if (atomic_read(&gctx->gc_seq) - ghdr->gh_seq >
954 GSS_SEQ_REPACK_THRESHOLD) {
955 int behind = atomic_read(&gctx->gc_seq) - ghdr->gh_seq;
957 gss_stat_oos_record_cli(behind);
958 CWARN("req %p: %u behind, retry sealing\n", req, behind);
960 ghdr->gh_seq = atomic_inc_return(&gctx->gc_seq);
964 /* now set the final wire data length */
965 req->rq_reqdata_len = lustre_shrink_msg(req->rq_reqbuf, 2,
972 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
973 req->rq_reqbuf = NULL;
974 req->rq_reqbuf_len = 0;
979 int gss_cli_ctx_unseal(struct ptlrpc_cli_ctx *ctx,
980 struct ptlrpc_request *req)
982 struct gss_cli_ctx *gctx;
983 struct gss_header *ghdr;
984 struct lustre_msg *msg = req->rq_repdata;
985 int msglen, pack_bulk, early = 0, rc;
989 LASSERT(req->rq_cli_ctx == ctx);
990 LASSERT(req->rq_ctx_init == 0);
993 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
995 if ((char *) msg < req->rq_repbuf ||
996 (char *) msg >= req->rq_repbuf + req->rq_repbuf_len)
999 ghdr = gss_swab_header(msg, 0);
1001 CERROR("can't decode gss header\n");
1006 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
1007 CERROR("gss version %u mismatch, expect %u\n",
1008 ghdr->gh_version, PTLRPC_GSS_VERSION);
1012 switch (ghdr->gh_proc) {
1013 case PTLRPC_GSS_PROC_DATA:
1014 pack_bulk = ghdr->gh_flags & LUSTRE_GSS_PACK_BULK;
1016 if (!early && !equi(req->rq_pack_bulk == 1, pack_bulk)) {
1017 CERROR("%s bulk flag in reply\n",
1018 req->rq_pack_bulk ? "missing" : "unexpected");
1022 if (lustre_msg_swabbed(msg))
1023 gss_header_swabber(ghdr);
1025 /* use rq_repdata_len as buffer size, which assume unseal
1026 * doesn't need extra memory space. for precise control, we'd
1027 * better calculate out actual buffer size as
1028 * (repbuf_len - offset - repdata_len) */
1029 major = gss_unseal_msg(gctx->gc_mechctx, msg,
1030 &msglen, req->rq_repdata_len);
1031 if (major != GSS_S_COMPLETE) {
1036 if (lustre_unpack_msg(msg, msglen)) {
1037 CERROR("Failed to unpack after decryption\n");
1041 if (msg->lm_bufcount < 1) {
1042 CERROR("Invalid reply buffer: empty\n");
1047 if (msg->lm_bufcount < 2) {
1048 CERROR("bufcount %u: missing bulk sec desc\n",
1053 /* bulk checksum is the last segment */
1054 if (bulk_sec_desc_unpack(msg, msg->lm_bufcount-1))
1058 req->rq_repmsg = lustre_msg_buf(msg, 0, 0);
1059 req->rq_replen = msg->lm_buflens[0];
1063 case PTLRPC_GSS_PROC_ERR:
1064 rc = gss_cli_ctx_handle_err_notify(ctx, req, ghdr);
1067 CERROR("unexpected proc %d\n", ghdr->gh_proc);
1074 /*********************************************
1075 * reverse context installation *
1076 *********************************************/
1079 int gss_install_rvs_svc_ctx(struct obd_import *imp,
1080 struct gss_sec *gsec,
1081 struct gss_cli_ctx *gctx)
1083 return gss_svc_upcall_install_rvs_ctx(imp, gsec, gctx);
1086 /*********************************************
1087 * GSS security APIs *
1088 *********************************************/
1089 int gss_sec_create_common(struct gss_sec *gsec,
1090 struct ptlrpc_sec_policy *policy,
1091 struct obd_import *imp,
1092 struct ptlrpc_svc_ctx *svcctx,
1093 struct sptlrpc_flavor *sf)
1095 struct ptlrpc_sec *sec;
1098 LASSERT(RPC_FLVR_POLICY(sf->sf_rpc) == SPTLRPC_POLICY_GSS);
1100 gsec->gs_mech = lgss_subflavor_to_mech(RPC_FLVR_SUB(sf->sf_rpc));
1101 if (!gsec->gs_mech) {
1102 CERROR("gss backend 0x%x not found\n",
1103 RPC_FLVR_SUB(sf->sf_rpc));
1107 spin_lock_init(&gsec->gs_lock);
1108 gsec->gs_rvs_hdl = 0ULL;
1110 /* initialize upper ptlrpc_sec */
1111 sec = &gsec->gs_base;
1112 sec->ps_policy = policy;
1113 atomic_set(&sec->ps_refcount, 0);
1114 atomic_set(&sec->ps_nctx, 0);
1115 sec->ps_id = sptlrpc_get_next_secid();
1117 sec->ps_import = class_import_get(imp);
1118 sec->ps_lock = SPIN_LOCK_UNLOCKED;
1119 CFS_INIT_LIST_HEAD(&sec->ps_gc_list);
1122 sec->ps_gc_interval = GSS_GC_INTERVAL;
1124 LASSERT(sec_is_reverse(sec));
1126 /* never do gc on reverse sec */
1127 sec->ps_gc_interval = 0;
1130 if (sec->ps_flvr.sf_bulk_ciph != BULK_CIPH_ALG_NULL &&
1131 sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_BULK)
1132 sptlrpc_enc_pool_add_user();
1134 CDEBUG(D_SEC, "create %s%s@%p\n", (svcctx ? "reverse " : ""),
1135 policy->sp_name, gsec);
1139 void gss_sec_destroy_common(struct gss_sec *gsec)
1141 struct ptlrpc_sec *sec = &gsec->gs_base;
1144 LASSERT(sec->ps_import);
1145 LASSERT(atomic_read(&sec->ps_refcount) == 0);
1146 LASSERT(atomic_read(&sec->ps_nctx) == 0);
1148 if (gsec->gs_mech) {
1149 lgss_mech_put(gsec->gs_mech);
1150 gsec->gs_mech = NULL;
1153 class_import_put(sec->ps_import);
1155 if (sec->ps_flvr.sf_bulk_ciph != BULK_CIPH_ALG_NULL &&
1156 sec->ps_flvr.sf_flags & PTLRPC_SEC_FL_BULK)
1157 sptlrpc_enc_pool_del_user();
1162 void gss_sec_kill(struct ptlrpc_sec *sec)
1167 int gss_cli_ctx_init_common(struct ptlrpc_sec *sec,
1168 struct ptlrpc_cli_ctx *ctx,
1169 struct ptlrpc_ctx_ops *ctxops,
1170 struct vfs_cred *vcred)
1172 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
1175 atomic_set(&gctx->gc_seq, 0);
1177 CFS_INIT_HLIST_NODE(&ctx->cc_cache);
1178 atomic_set(&ctx->cc_refcount, 0);
1180 ctx->cc_ops = ctxops;
1182 ctx->cc_flags = PTLRPC_CTX_NEW;
1183 ctx->cc_vcred = *vcred;
1184 spin_lock_init(&ctx->cc_lock);
1185 CFS_INIT_LIST_HEAD(&ctx->cc_req_list);
1186 CFS_INIT_LIST_HEAD(&ctx->cc_gc_chain);
1188 /* take a ref on belonging sec, balanced in ctx destroying */
1189 atomic_inc(&sec->ps_refcount);
1190 /* statistic only */
1191 atomic_inc(&sec->ps_nctx);
1193 CDEBUG(D_SEC, "%s@%p: create ctx %p(%u->%s)\n",
1194 sec->ps_policy->sp_name, ctx->cc_sec,
1195 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1201 * 1: the context has been taken care of by someone else
1202 * 0: proceed to really destroy the context locally
1204 int gss_cli_ctx_fini_common(struct ptlrpc_sec *sec,
1205 struct ptlrpc_cli_ctx *ctx)
1207 struct gss_cli_ctx *gctx = ctx2gctx(ctx);
1209 LASSERT(atomic_read(&sec->ps_nctx) > 0);
1210 LASSERT(atomic_read(&ctx->cc_refcount) == 0);
1211 LASSERT(ctx->cc_sec == sec);
1213 if (gctx->gc_mechctx) {
1214 /* the final context fini rpc will use this ctx too, and it's
1215 * asynchronous which finished by request_out_callback(). so
1216 * we add refcount, whoever drop finally drop the refcount to
1217 * 0 should responsible for the rest of destroy. */
1218 atomic_inc(&ctx->cc_refcount);
1220 gss_do_ctx_fini_rpc(gctx);
1221 gss_cli_ctx_finalize(gctx);
1223 if (!atomic_dec_and_test(&ctx->cc_refcount))
1227 if (sec_is_reverse(sec))
1228 CWARN("reverse sec %p: destroy ctx %p\n",
1231 CWARN("%s@%p: destroy ctx %p(%u->%s)\n",
1232 sec->ps_policy->sp_name, ctx->cc_sec,
1233 ctx, ctx->cc_vcred.vc_uid, sec2target_str(ctx->cc_sec));
1239 int gss_alloc_reqbuf_intg(struct ptlrpc_sec *sec,
1240 struct ptlrpc_request *req,
1241 int svc, int msgsize)
1243 int bufsize, txtsize;
1244 int buflens[5], bufcnt = 2;
1248 * on-wire data layout:
1251 * - user descriptor (optional)
1252 * - bulk sec descriptor (optional)
1253 * - signature (optional)
1254 * - svc == NULL: NULL
1255 * - svc == AUTH: signature of gss header
1256 * - svc == INTG: signature of all above
1258 * if this is context negotiation, reserver fixed space
1259 * at the last (signature) segment regardless of svc mode.
1262 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1263 txtsize = buflens[0];
1265 buflens[1] = msgsize;
1266 if (svc == SPTLRPC_SVC_INTG)
1267 txtsize += buflens[1];
1269 if (req->rq_pack_udesc) {
1270 buflens[bufcnt] = sptlrpc_current_user_desc_size();
1271 if (svc == SPTLRPC_SVC_INTG)
1272 txtsize += buflens[bufcnt];
1276 if (req->rq_pack_bulk) {
1277 buflens[bufcnt] = bulk_sec_desc_size(
1278 req->rq_flvr.sf_bulk_hash, 1,
1280 if (svc == SPTLRPC_SVC_INTG)
1281 txtsize += buflens[bufcnt];
1285 if (req->rq_ctx_init)
1286 buflens[bufcnt++] = GSS_CTX_INIT_MAX_LEN;
1287 else if (svc != SPTLRPC_SVC_NULL)
1288 buflens[bufcnt++] = gss_cli_payload(req->rq_cli_ctx, txtsize,0);
1290 bufsize = lustre_msg_size_v2(bufcnt, buflens);
1292 if (!req->rq_reqbuf) {
1293 bufsize = size_roundup_power2(bufsize);
1295 OBD_ALLOC(req->rq_reqbuf, bufsize);
1296 if (!req->rq_reqbuf)
1299 req->rq_reqbuf_len = bufsize;
1301 LASSERT(req->rq_pool);
1302 LASSERT(req->rq_reqbuf_len >= bufsize);
1303 memset(req->rq_reqbuf, 0, bufsize);
1306 lustre_init_msg_v2(req->rq_reqbuf, bufcnt, buflens, NULL);
1307 req->rq_reqbuf->lm_secflvr = req->rq_flvr.sf_rpc;
1309 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, msgsize);
1310 LASSERT(req->rq_reqmsg);
1312 /* pack user desc here, later we might leave current user's process */
1313 if (req->rq_pack_udesc)
1314 sptlrpc_pack_user_desc(req->rq_reqbuf, 2);
1320 int gss_alloc_reqbuf_priv(struct ptlrpc_sec *sec,
1321 struct ptlrpc_request *req,
1324 int ibuflens[3], ibufcnt;
1326 int clearsize, wiresize;
1329 LASSERT(req->rq_clrbuf == NULL);
1330 LASSERT(req->rq_clrbuf_len == 0);
1332 /* Inner (clear) buffers
1334 * - user descriptor (optional)
1335 * - bulk checksum (optional)
1339 ibuflens[0] = msgsize;
1341 if (req->rq_pack_udesc)
1342 ibuflens[ibufcnt++] = sptlrpc_current_user_desc_size();
1343 if (req->rq_pack_bulk)
1344 ibuflens[ibufcnt++] = bulk_sec_desc_size(
1345 req->rq_flvr.sf_bulk_hash, 1,
1348 clearsize = lustre_msg_size_v2(ibufcnt, ibuflens);
1349 /* to allow append padding during encryption */
1350 clearsize += GSS_MAX_CIPHER_BLOCK;
1352 /* Wrapper (wire) buffers
1354 * - signature of gss header
1358 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1359 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1360 buflens[2] = gss_cli_payload(req->rq_cli_ctx, clearsize, 1);
1361 wiresize = lustre_msg_size_v2(3, buflens);
1364 /* rq_reqbuf is preallocated */
1365 LASSERT(req->rq_reqbuf);
1366 LASSERT(req->rq_reqbuf_len >= wiresize);
1368 memset(req->rq_reqbuf, 0, req->rq_reqbuf_len);
1370 /* if the pre-allocated buffer is big enough, we just pack
1371 * both clear buf & request buf in it, to avoid more alloc. */
1372 if (clearsize + wiresize <= req->rq_reqbuf_len) {
1374 (void *) (((char *) req->rq_reqbuf) + wiresize);
1376 CWARN("pre-allocated buf size %d is not enough for "
1377 "both clear (%d) and cipher (%d) text, proceed "
1378 "with extra allocation\n", req->rq_reqbuf_len,
1379 clearsize, wiresize);
1383 if (!req->rq_clrbuf) {
1384 clearsize = size_roundup_power2(clearsize);
1386 OBD_ALLOC(req->rq_clrbuf, clearsize);
1387 if (!req->rq_clrbuf)
1390 req->rq_clrbuf_len = clearsize;
1392 lustre_init_msg_v2(req->rq_clrbuf, ibufcnt, ibuflens, NULL);
1393 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, msgsize);
1395 if (req->rq_pack_udesc)
1396 sptlrpc_pack_user_desc(req->rq_clrbuf, 1);
1402 * NOTE: any change of request buffer allocation should also consider
1403 * changing enlarge_reqbuf() series functions.
1405 int gss_alloc_reqbuf(struct ptlrpc_sec *sec,
1406 struct ptlrpc_request *req,
1409 int svc = RPC_FLVR_SVC(req->rq_flvr.sf_rpc);
1411 LASSERT(!req->rq_pack_bulk ||
1412 (req->rq_bulk_read || req->rq_bulk_write));
1415 case SPTLRPC_SVC_NULL:
1416 case SPTLRPC_SVC_AUTH:
1417 case SPTLRPC_SVC_INTG:
1418 return gss_alloc_reqbuf_intg(sec, req, svc, msgsize);
1419 case SPTLRPC_SVC_PRIV:
1420 return gss_alloc_reqbuf_priv(sec, req, msgsize);
1422 LASSERTF(0, "bad rpc flavor %x\n", req->rq_flvr.sf_rpc);
1427 void gss_free_reqbuf(struct ptlrpc_sec *sec,
1428 struct ptlrpc_request *req)
1433 LASSERT(!req->rq_pool || req->rq_reqbuf);
1434 privacy = RPC_FLVR_SVC(req->rq_flvr.sf_rpc) == SPTLRPC_SVC_PRIV;
1436 if (!req->rq_clrbuf)
1437 goto release_reqbuf;
1439 /* release clear buffer */
1441 LASSERT(req->rq_clrbuf_len);
1444 req->rq_clrbuf >= req->rq_reqbuf &&
1445 (char *) req->rq_clrbuf <
1446 (char *) req->rq_reqbuf + req->rq_reqbuf_len)
1447 goto release_reqbuf;
1449 OBD_FREE(req->rq_clrbuf, req->rq_clrbuf_len);
1450 req->rq_clrbuf = NULL;
1451 req->rq_clrbuf_len = 0;
1454 if (!req->rq_pool && req->rq_reqbuf) {
1455 LASSERT(req->rq_reqbuf_len);
1457 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
1458 req->rq_reqbuf = NULL;
1459 req->rq_reqbuf_len = 0;
1462 req->rq_reqmsg = NULL;
1467 static int do_alloc_repbuf(struct ptlrpc_request *req, int bufsize)
1469 bufsize = size_roundup_power2(bufsize);
1471 OBD_ALLOC(req->rq_repbuf, bufsize);
1472 if (!req->rq_repbuf)
1475 req->rq_repbuf_len = bufsize;
1480 int gss_alloc_repbuf_intg(struct ptlrpc_sec *sec,
1481 struct ptlrpc_request *req,
1482 int svc, int msgsize)
1485 int buflens[4], bufcnt = 2;
1489 * on-wire data layout:
1492 * - bulk sec descriptor (optional)
1493 * - signature (optional)
1494 * - svc == NULL: NULL
1495 * - svc == AUTH: signature of gss header
1496 * - svc == INTG: signature of all above
1498 * if this is context negotiation, reserver fixed space
1499 * at the last (signature) segment regardless of svc mode.
1502 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1503 txtsize = buflens[0];
1505 buflens[1] = msgsize;
1506 if (svc == SPTLRPC_SVC_INTG)
1507 txtsize += buflens[1];
1509 if (req->rq_pack_bulk) {
1510 buflens[bufcnt] = bulk_sec_desc_size(
1511 req->rq_flvr.sf_bulk_hash, 0,
1513 if (svc == SPTLRPC_SVC_INTG)
1514 txtsize += buflens[bufcnt];
1518 if (req->rq_ctx_init)
1519 buflens[bufcnt++] = GSS_CTX_INIT_MAX_LEN;
1520 else if (svc != SPTLRPC_SVC_NULL)
1521 buflens[bufcnt++] = gss_cli_payload(req->rq_cli_ctx, txtsize,0);
1523 alloc_size = lustre_msg_size_v2(bufcnt, buflens);
1525 /* add space for early reply */
1526 alloc_size += gss_at_reply_off_integ;
1528 return do_alloc_repbuf(req, alloc_size);
1532 int gss_alloc_repbuf_priv(struct ptlrpc_sec *sec,
1533 struct ptlrpc_request *req,
1537 int buflens[3], bufcnt;
1540 /* Inner (clear) buffers
1542 * - bulk checksum (optional)
1546 buflens[0] = msgsize;
1548 if (req->rq_pack_bulk) {
1549 buflens[bufcnt++] = bulk_sec_desc_size(
1550 req->rq_flvr.sf_bulk_hash, 0,
1553 txtsize = lustre_msg_size_v2(bufcnt, buflens);
1554 txtsize += GSS_MAX_CIPHER_BLOCK;
1556 /* Wrapper (wire) buffers
1558 * - signature of gss header
1563 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1564 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1565 buflens[2] = gss_cli_payload(req->rq_cli_ctx, txtsize, 1);
1567 alloc_size = lustre_msg_size_v2(bufcnt, buflens);
1569 /* add space for early reply */
1570 alloc_size += gss_at_reply_off_priv;
1572 return do_alloc_repbuf(req, alloc_size);
1575 int gss_alloc_repbuf(struct ptlrpc_sec *sec,
1576 struct ptlrpc_request *req,
1579 int svc = RPC_FLVR_SVC(req->rq_flvr.sf_rpc);
1582 LASSERT(!req->rq_pack_bulk ||
1583 (req->rq_bulk_read || req->rq_bulk_write));
1586 case SPTLRPC_SVC_NULL:
1587 case SPTLRPC_SVC_AUTH:
1588 case SPTLRPC_SVC_INTG:
1589 return gss_alloc_repbuf_intg(sec, req, svc, msgsize);
1590 case SPTLRPC_SVC_PRIV:
1591 return gss_alloc_repbuf_priv(sec, req, msgsize);
1593 LASSERTF(0, "bad rpc flavor %x\n", req->rq_flvr.sf_rpc);
1598 void gss_free_repbuf(struct ptlrpc_sec *sec,
1599 struct ptlrpc_request *req)
1601 OBD_FREE(req->rq_repbuf, req->rq_repbuf_len);
1602 req->rq_repbuf = NULL;
1603 req->rq_repbuf_len = 0;
1605 req->rq_repmsg = NULL;
1608 static int get_enlarged_msgsize(struct lustre_msg *msg,
1609 int segment, int newsize)
1611 int save, newmsg_size;
1613 LASSERT(newsize >= msg->lm_buflens[segment]);
1615 save = msg->lm_buflens[segment];
1616 msg->lm_buflens[segment] = newsize;
1617 newmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1618 msg->lm_buflens[segment] = save;
1623 static int get_enlarged_msgsize2(struct lustre_msg *msg,
1624 int segment1, int newsize1,
1625 int segment2, int newsize2)
1627 int save1, save2, newmsg_size;
1629 LASSERT(newsize1 >= msg->lm_buflens[segment1]);
1630 LASSERT(newsize2 >= msg->lm_buflens[segment2]);
1632 save1 = msg->lm_buflens[segment1];
1633 save2 = msg->lm_buflens[segment2];
1634 msg->lm_buflens[segment1] = newsize1;
1635 msg->lm_buflens[segment2] = newsize2;
1636 newmsg_size = lustre_msg_size_v2(msg->lm_bufcount, msg->lm_buflens);
1637 msg->lm_buflens[segment1] = save1;
1638 msg->lm_buflens[segment2] = save2;
1644 int gss_enlarge_reqbuf_intg(struct ptlrpc_sec *sec,
1645 struct ptlrpc_request *req,
1647 int segment, int newsize)
1649 struct lustre_msg *newbuf;
1650 int txtsize, sigsize = 0, i;
1651 int newmsg_size, newbuf_size;
1654 * gss header is at seg 0;
1655 * embedded msg is at seg 1;
1656 * signature (if any) is at the last seg
1658 LASSERT(req->rq_reqbuf);
1659 LASSERT(req->rq_reqbuf_len > req->rq_reqlen);
1660 LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
1661 LASSERT(lustre_msg_buf(req->rq_reqbuf, 1, 0) == req->rq_reqmsg);
1663 /* 1. compute new embedded msg size */
1664 newmsg_size = get_enlarged_msgsize(req->rq_reqmsg, segment, newsize);
1665 LASSERT(newmsg_size >= req->rq_reqbuf->lm_buflens[1]);
1667 /* 2. compute new wrapper msg size */
1668 if (svc == SPTLRPC_SVC_NULL) {
1669 /* no signature, get size directly */
1670 newbuf_size = get_enlarged_msgsize(req->rq_reqbuf,
1673 txtsize = req->rq_reqbuf->lm_buflens[0];
1675 if (svc == SPTLRPC_SVC_INTG) {
1676 for (i = 1; i < req->rq_reqbuf->lm_bufcount; i++)
1677 txtsize += req->rq_reqbuf->lm_buflens[i];
1678 txtsize += newmsg_size - req->rq_reqbuf->lm_buflens[1];
1681 sigsize = gss_cli_payload(req->rq_cli_ctx, txtsize, 0);
1682 LASSERT(sigsize >= msg_last_seglen(req->rq_reqbuf));
1684 newbuf_size = get_enlarged_msgsize2(
1687 msg_last_segidx(req->rq_reqbuf),
1691 /* request from pool should always have enough buffer */
1692 LASSERT(!req->rq_pool || req->rq_reqbuf_len >= newbuf_size);
1694 if (req->rq_reqbuf_len < newbuf_size) {
1695 newbuf_size = size_roundup_power2(newbuf_size);
1697 OBD_ALLOC(newbuf, newbuf_size);
1701 memcpy(newbuf, req->rq_reqbuf, req->rq_reqbuf_len);
1703 OBD_FREE(req->rq_reqbuf, req->rq_reqbuf_len);
1704 req->rq_reqbuf = newbuf;
1705 req->rq_reqbuf_len = newbuf_size;
1706 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 1, 0);
1709 /* do enlargement, from wrapper to embedded, from end to begin */
1710 if (svc != SPTLRPC_SVC_NULL)
1711 _sptlrpc_enlarge_msg_inplace(req->rq_reqbuf,
1712 msg_last_segidx(req->rq_reqbuf),
1715 _sptlrpc_enlarge_msg_inplace(req->rq_reqbuf, 1, newmsg_size);
1716 _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize);
1718 req->rq_reqlen = newmsg_size;
1723 int gss_enlarge_reqbuf_priv(struct ptlrpc_sec *sec,
1724 struct ptlrpc_request *req,
1725 int segment, int newsize)
1727 struct lustre_msg *newclrbuf;
1728 int newmsg_size, newclrbuf_size, newcipbuf_size;
1732 * embedded msg is at seg 0 of clear buffer;
1733 * cipher text is at seg 2 of cipher buffer;
1735 LASSERT(req->rq_pool ||
1736 (req->rq_reqbuf == NULL && req->rq_reqbuf_len == 0));
1737 LASSERT(req->rq_reqbuf == NULL ||
1738 (req->rq_pool && req->rq_reqbuf->lm_bufcount == 3));
1739 LASSERT(req->rq_clrbuf);
1740 LASSERT(req->rq_clrbuf_len > req->rq_reqlen);
1741 LASSERT(lustre_msg_buf(req->rq_clrbuf, 0, 0) == req->rq_reqmsg);
1743 /* compute new embedded msg size */
1744 newmsg_size = get_enlarged_msgsize(req->rq_reqmsg, segment, newsize);
1746 /* compute new clear buffer size */
1747 newclrbuf_size = get_enlarged_msgsize(req->rq_clrbuf, 0, newmsg_size);
1748 newclrbuf_size += GSS_MAX_CIPHER_BLOCK;
1750 /* compute new cipher buffer size */
1751 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
1752 buflens[1] = gss_cli_payload(req->rq_cli_ctx, buflens[0], 0);
1753 buflens[2] = gss_cli_payload(req->rq_cli_ctx, newclrbuf_size, 1);
1754 newcipbuf_size = lustre_msg_size_v2(3, buflens);
1756 /* handle the case that we put both clear buf and cipher buf into
1757 * pre-allocated single buffer. */
1758 if (unlikely(req->rq_pool) &&
1759 req->rq_clrbuf >= req->rq_reqbuf &&
1760 (char *) req->rq_clrbuf <
1761 (char *) req->rq_reqbuf + req->rq_reqbuf_len) {
1762 /* it couldn't be better we still fit into the
1763 * pre-allocated buffer. */
1764 if (newclrbuf_size + newcipbuf_size <= req->rq_reqbuf_len) {
1767 /* move clear text backward. */
1768 src = req->rq_clrbuf;
1769 dst = (char *) req->rq_reqbuf + newcipbuf_size;
1771 memmove(dst, src, req->rq_clrbuf_len);
1773 req->rq_clrbuf = (struct lustre_msg *) dst;
1774 req->rq_clrbuf_len = newclrbuf_size;
1775 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, 0);
1777 /* sadly we have to split out the clear buffer */
1778 LASSERT(req->rq_reqbuf_len >= newcipbuf_size);
1779 LASSERT(req->rq_clrbuf_len < newclrbuf_size);
1783 if (req->rq_clrbuf_len < newclrbuf_size) {
1784 newclrbuf_size = size_roundup_power2(newclrbuf_size);
1786 OBD_ALLOC(newclrbuf, newclrbuf_size);
1787 if (newclrbuf == NULL)
1790 memcpy(newclrbuf, req->rq_clrbuf, req->rq_clrbuf_len);
1792 if (req->rq_reqbuf == NULL ||
1793 req->rq_clrbuf < req->rq_reqbuf ||
1794 (char *) req->rq_clrbuf >=
1795 (char *) req->rq_reqbuf + req->rq_reqbuf_len) {
1796 OBD_FREE(req->rq_clrbuf, req->rq_clrbuf_len);
1799 req->rq_clrbuf = newclrbuf;
1800 req->rq_clrbuf_len = newclrbuf_size;
1801 req->rq_reqmsg = lustre_msg_buf(req->rq_clrbuf, 0, 0);
1804 _sptlrpc_enlarge_msg_inplace(req->rq_clrbuf, 0, newmsg_size);
1805 _sptlrpc_enlarge_msg_inplace(req->rq_reqmsg, segment, newsize);
1806 req->rq_reqlen = newmsg_size;
1811 int gss_enlarge_reqbuf(struct ptlrpc_sec *sec,
1812 struct ptlrpc_request *req,
1813 int segment, int newsize)
1815 int svc = RPC_FLVR_SVC(req->rq_flvr.sf_rpc);
1817 LASSERT(!req->rq_ctx_init && !req->rq_ctx_fini);
1820 case SPTLRPC_SVC_NULL:
1821 case SPTLRPC_SVC_AUTH:
1822 case SPTLRPC_SVC_INTG:
1823 return gss_enlarge_reqbuf_intg(sec, req, svc, segment, newsize);
1824 case SPTLRPC_SVC_PRIV:
1825 return gss_enlarge_reqbuf_priv(sec, req, segment, newsize);
1827 LASSERTF(0, "bad rpc flavor %x\n", req->rq_flvr.sf_rpc);
1832 int gss_sec_install_rctx(struct obd_import *imp,
1833 struct ptlrpc_sec *sec,
1834 struct ptlrpc_cli_ctx *ctx)
1836 struct gss_sec *gsec;
1837 struct gss_cli_ctx *gctx;
1840 gsec = container_of(sec, struct gss_sec, gs_base);
1841 gctx = container_of(ctx, struct gss_cli_ctx, gc_base);
1843 rc = gss_install_rvs_svc_ctx(imp, gsec, gctx);
1847 /********************************************
1849 ********************************************/
1852 int gss_svc_reqctx_is_special(struct gss_svc_reqctx *grctx)
1855 return (grctx->src_init || grctx->src_init_continue ||
1856 grctx->src_err_notify);
1860 void gss_svc_reqctx_free(struct gss_svc_reqctx *grctx)
1863 gss_svc_upcall_put_ctx(grctx->src_ctx);
1865 sptlrpc_policy_put(grctx->src_base.sc_policy);
1866 OBD_FREE_PTR(grctx);
1870 void gss_svc_reqctx_addref(struct gss_svc_reqctx *grctx)
1872 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1873 atomic_inc(&grctx->src_base.sc_refcount);
1877 void gss_svc_reqctx_decref(struct gss_svc_reqctx *grctx)
1879 LASSERT(atomic_read(&grctx->src_base.sc_refcount) > 0);
1881 if (atomic_dec_and_test(&grctx->src_base.sc_refcount))
1882 gss_svc_reqctx_free(grctx);
1886 int gss_svc_sign(struct ptlrpc_request *req,
1887 struct ptlrpc_reply_state *rs,
1888 struct gss_svc_reqctx *grctx,
1895 LASSERT(rs->rs_msg == lustre_msg_buf(rs->rs_repbuf, 1, 0));
1897 /* embedded lustre_msg might have been shrinked */
1898 if (req->rq_replen != rs->rs_repbuf->lm_buflens[1])
1899 lustre_shrink_msg(rs->rs_repbuf, 1, req->rq_replen, 1);
1901 if (req->rq_pack_bulk)
1902 flags |= LUSTRE_GSS_PACK_BULK;
1904 rc = gss_sign_msg(rs->rs_repbuf, grctx->src_ctx->gsc_mechctx,
1905 LUSTRE_SP_ANY, flags, PTLRPC_GSS_PROC_DATA,
1906 grctx->src_wirectx.gw_seq, svc, NULL);
1910 rs->rs_repdata_len = rc;
1912 if (likely(req->rq_packed_final)) {
1913 req->rq_reply_off = gss_at_reply_off_integ;
1915 if (svc == SPTLRPC_SVC_NULL)
1916 rs->rs_repbuf->lm_cksum = crc32_le(!(__u32) 0,
1917 lustre_msg_buf(rs->rs_repbuf, 1, 0),
1918 lustre_msg_buflen(rs->rs_repbuf, 1));
1919 req->rq_reply_off = 0;
1925 int gss_pack_err_notify(struct ptlrpc_request *req, __u32 major, __u32 minor)
1927 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1928 struct ptlrpc_reply_state *rs;
1929 struct gss_err_header *ghdr;
1930 int replen = sizeof(struct ptlrpc_body);
1934 //if (OBD_FAIL_CHECK_ORSET(OBD_FAIL_SVCGSS_ERR_NOTIFY, OBD_FAIL_ONCE))
1937 grctx->src_err_notify = 1;
1938 grctx->src_reserve_len = 0;
1940 rc = lustre_pack_reply_v2(req, 1, &replen, NULL, 0);
1942 CERROR("could not pack reply, err %d\n", rc);
1947 rs = req->rq_reply_state;
1948 LASSERT(rs->rs_repbuf->lm_buflens[1] >= sizeof(*ghdr));
1949 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
1950 ghdr->gh_version = PTLRPC_GSS_VERSION;
1952 ghdr->gh_proc = PTLRPC_GSS_PROC_ERR;
1953 ghdr->gh_major = major;
1954 ghdr->gh_minor = minor;
1955 ghdr->gh_handle.len = 0; /* fake context handle */
1957 rs->rs_repdata_len = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
1958 rs->rs_repbuf->lm_buflens);
1960 CDEBUG(D_SEC, "prepare gss error notify(0x%x/0x%x) to %s\n",
1961 major, minor, libcfs_nid2str(req->rq_peer.nid));
1966 int gss_svc_handle_init(struct ptlrpc_request *req,
1967 struct gss_wire_ctx *gw)
1969 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
1970 struct lustre_msg *reqbuf = req->rq_reqbuf;
1971 struct obd_uuid *uuid;
1972 struct obd_device *target;
1973 rawobj_t uuid_obj, rvs_hdl, in_token;
1975 __u32 *secdata, seclen;
1979 CDEBUG(D_SEC, "processing gss init(%d) request from %s\n", gw->gw_proc,
1980 libcfs_nid2str(req->rq_peer.nid));
1982 req->rq_ctx_init = 1;
1984 if (gw->gw_flags & LUSTRE_GSS_PACK_BULK) {
1985 CERROR("unexpected bulk flag\n");
1986 RETURN(SECSVC_DROP);
1989 if (gw->gw_proc == PTLRPC_GSS_PROC_INIT && gw->gw_handle.len != 0) {
1990 CERROR("proc %u: invalid handle length %u\n",
1991 gw->gw_proc, gw->gw_handle.len);
1992 RETURN(SECSVC_DROP);
1995 if (reqbuf->lm_bufcount < 3 || reqbuf->lm_bufcount > 4){
1996 CERROR("Invalid bufcount %d\n", reqbuf->lm_bufcount);
1997 RETURN(SECSVC_DROP);
2000 /* ctx initiate payload is in last segment */
2001 secdata = lustre_msg_buf(reqbuf, reqbuf->lm_bufcount - 1, 0);
2002 seclen = reqbuf->lm_buflens[reqbuf->lm_bufcount - 1];
2004 if (seclen < 4 + 4) {
2005 CERROR("sec size %d too small\n", seclen);
2006 RETURN(SECSVC_DROP);
2009 /* lustre svc type */
2010 lustre_svc = le32_to_cpu(*secdata++);
2013 /* extract target uuid, note this code is somewhat fragile
2014 * because touched internal structure of obd_uuid */
2015 if (rawobj_extract(&uuid_obj, &secdata, &seclen)) {
2016 CERROR("failed to extract target uuid\n");
2017 RETURN(SECSVC_DROP);
2019 uuid_obj.data[uuid_obj.len - 1] = '\0';
2021 uuid = (struct obd_uuid *) uuid_obj.data;
2022 target = class_uuid2obd(uuid);
2023 if (!target || target->obd_stopping || !target->obd_set_up) {
2024 CERROR("target '%s' is not available for context init (%s)\n",
2025 uuid->uuid, target == NULL ? "no target" :
2026 (target->obd_stopping ? "stopping" : "not set up"));
2027 RETURN(SECSVC_DROP);
2030 /* extract reverse handle */
2031 if (rawobj_extract(&rvs_hdl, &secdata, &seclen)) {
2032 CERROR("failed extract reverse handle\n");
2033 RETURN(SECSVC_DROP);
2037 if (rawobj_extract(&in_token, &secdata, &seclen)) {
2038 CERROR("can't extract token\n");
2039 RETURN(SECSVC_DROP);
2042 rc = gss_svc_upcall_handle_init(req, grctx, gw, target, lustre_svc,
2043 &rvs_hdl, &in_token);
2044 if (rc != SECSVC_OK)
2047 if (grctx->src_ctx->gsc_usr_mds || grctx->src_ctx->gsc_usr_root)
2048 CWARN("create svc ctx %p: user from %s authenticated as %s\n",
2049 grctx->src_ctx, libcfs_nid2str(req->rq_peer.nid),
2050 grctx->src_ctx->gsc_usr_mds ? "mds" : "root");
2052 CWARN("create svc ctx %p: accept user %u from %s\n",
2053 grctx->src_ctx, grctx->src_ctx->gsc_uid,
2054 libcfs_nid2str(req->rq_peer.nid));
2056 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2057 if (reqbuf->lm_bufcount < 4) {
2058 CERROR("missing user descriptor\n");
2059 RETURN(SECSVC_DROP);
2061 if (sptlrpc_unpack_user_desc(reqbuf, 2)) {
2062 CERROR("Mal-formed user descriptor\n");
2063 RETURN(SECSVC_DROP);
2066 req->rq_pack_udesc = 1;
2067 req->rq_user_desc = lustre_msg_buf(reqbuf, 2, 0);
2070 req->rq_reqmsg = lustre_msg_buf(reqbuf, 1, 0);
2071 req->rq_reqlen = lustre_msg_buflen(reqbuf, 1);
2077 * last segment must be the gss signature.
2080 int gss_svc_verify_request(struct ptlrpc_request *req,
2081 struct gss_svc_reqctx *grctx,
2082 struct gss_wire_ctx *gw,
2085 struct gss_svc_ctx *gctx = grctx->src_ctx;
2086 struct lustre_msg *msg = req->rq_reqbuf;
2090 *major = GSS_S_COMPLETE;
2092 if (msg->lm_bufcount < 2) {
2093 CERROR("Too few segments (%u) in request\n", msg->lm_bufcount);
2097 if (gw->gw_svc == SPTLRPC_SVC_NULL)
2100 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
2101 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
2102 *major = GSS_S_DUPLICATE_TOKEN;
2106 *major = gss_verify_msg(msg, gctx->gsc_mechctx, gw->gw_svc);
2107 if (*major != GSS_S_COMPLETE)
2110 if (gctx->gsc_reverse == 0 &&
2111 gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
2112 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
2113 *major = GSS_S_DUPLICATE_TOKEN;
2118 /* user descriptor */
2119 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2120 if (msg->lm_bufcount < (offset + 1)) {
2121 CERROR("no user desc included\n");
2125 if (sptlrpc_unpack_user_desc(msg, offset)) {
2126 CERROR("Mal-formed user descriptor\n");
2130 req->rq_pack_udesc = 1;
2131 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
2135 /* check bulk cksum data */
2136 if (gw->gw_flags & LUSTRE_GSS_PACK_BULK) {
2137 if (msg->lm_bufcount < (offset + 1)) {
2138 CERROR("no bulk checksum included\n");
2142 if (bulk_sec_desc_unpack(msg, offset))
2145 req->rq_pack_bulk = 1;
2146 grctx->src_reqbsd = lustre_msg_buf(msg, offset, 0);
2147 grctx->src_reqbsd_size = lustre_msg_buflen(msg, offset);
2150 req->rq_reqmsg = lustre_msg_buf(msg, 1, 0);
2151 req->rq_reqlen = msg->lm_buflens[1];
2156 int gss_svc_unseal_request(struct ptlrpc_request *req,
2157 struct gss_svc_reqctx *grctx,
2158 struct gss_wire_ctx *gw,
2161 struct gss_svc_ctx *gctx = grctx->src_ctx;
2162 struct lustre_msg *msg = req->rq_reqbuf;
2163 int msglen, offset = 1;
2166 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 0)) {
2167 CERROR("phase 0: discard replayed req: seq %u\n", gw->gw_seq);
2168 *major = GSS_S_DUPLICATE_TOKEN;
2172 *major = gss_unseal_msg(gctx->gsc_mechctx, msg,
2173 &msglen, req->rq_reqdata_len);
2174 if (*major != GSS_S_COMPLETE)
2177 if (gss_check_seq_num(&gctx->gsc_seqdata, gw->gw_seq, 1)) {
2178 CERROR("phase 1+: discard replayed req: seq %u\n", gw->gw_seq);
2179 *major = GSS_S_DUPLICATE_TOKEN;
2183 if (lustre_unpack_msg(msg, msglen)) {
2184 CERROR("Failed to unpack after decryption\n");
2187 req->rq_reqdata_len = msglen;
2189 if (msg->lm_bufcount < 1) {
2190 CERROR("Invalid buffer: is empty\n");
2194 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2195 if (msg->lm_bufcount < offset + 1) {
2196 CERROR("no user descriptor included\n");
2200 if (sptlrpc_unpack_user_desc(msg, offset)) {
2201 CERROR("Mal-formed user descriptor\n");
2205 req->rq_pack_udesc = 1;
2206 req->rq_user_desc = lustre_msg_buf(msg, offset, 0);
2210 if (gw->gw_flags & LUSTRE_GSS_PACK_BULK) {
2211 if (msg->lm_bufcount < offset + 1) {
2212 CERROR("no bulk checksum included\n");
2216 if (bulk_sec_desc_unpack(msg, offset))
2219 req->rq_pack_bulk = 1;
2220 grctx->src_reqbsd = lustre_msg_buf(msg, offset, 0);
2221 grctx->src_reqbsd_size = lustre_msg_buflen(msg, offset);
2224 req->rq_reqmsg = lustre_msg_buf(req->rq_reqbuf, 0, 0);
2225 req->rq_reqlen = req->rq_reqbuf->lm_buflens[0];
2230 int gss_svc_handle_data(struct ptlrpc_request *req,
2231 struct gss_wire_ctx *gw)
2233 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2238 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
2239 if (!grctx->src_ctx) {
2240 major = GSS_S_NO_CONTEXT;
2244 switch (gw->gw_svc) {
2245 case SPTLRPC_SVC_NULL:
2246 case SPTLRPC_SVC_AUTH:
2247 case SPTLRPC_SVC_INTG:
2248 rc = gss_svc_verify_request(req, grctx, gw, &major);
2250 case SPTLRPC_SVC_PRIV:
2251 rc = gss_svc_unseal_request(req, grctx, gw, &major);
2254 CERROR("unsupported gss service %d\n", gw->gw_svc);
2261 CERROR("svc %u failed: major 0x%08x: req xid "LPU64" ctx %p idx "
2262 LPX64"(%u->%s)\n", gw->gw_svc, major, req->rq_xid,
2263 grctx->src_ctx, gss_handle_to_u64(&gw->gw_handle),
2264 grctx->src_ctx->gsc_uid, libcfs_nid2str(req->rq_peer.nid));
2266 /* we only notify client in case of NO_CONTEXT/BAD_SIG, which
2267 * might happen after server reboot, to allow recovery. */
2268 if ((major == GSS_S_NO_CONTEXT || major == GSS_S_BAD_SIG) &&
2269 gss_pack_err_notify(req, major, 0) == 0)
2270 RETURN(SECSVC_COMPLETE);
2272 RETURN(SECSVC_DROP);
2276 int gss_svc_handle_destroy(struct ptlrpc_request *req,
2277 struct gss_wire_ctx *gw)
2279 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2283 req->rq_ctx_fini = 1;
2284 req->rq_no_reply = 1;
2286 grctx->src_ctx = gss_svc_upcall_get_ctx(req, gw);
2287 if (!grctx->src_ctx) {
2288 CDEBUG(D_SEC, "invalid gss context handle for destroy.\n");
2289 RETURN(SECSVC_DROP);
2292 if (gw->gw_svc != SPTLRPC_SVC_INTG) {
2293 CERROR("svc %u is not supported in destroy.\n", gw->gw_svc);
2294 RETURN(SECSVC_DROP);
2297 if (gss_svc_verify_request(req, grctx, gw, &major))
2298 RETURN(SECSVC_DROP);
2300 CWARN("destroy svc ctx %p idx "LPX64" (%u->%s)\n",
2301 grctx->src_ctx, gss_handle_to_u64(&gw->gw_handle),
2302 grctx->src_ctx->gsc_uid, libcfs_nid2str(req->rq_peer.nid));
2304 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
2306 if (gw->gw_flags & LUSTRE_GSS_PACK_USER) {
2307 if (req->rq_reqbuf->lm_bufcount < 4) {
2308 CERROR("missing user descriptor, ignore it\n");
2311 if (sptlrpc_unpack_user_desc(req->rq_reqbuf, 2)) {
2312 CERROR("Mal-formed user descriptor, ignore it\n");
2316 req->rq_pack_udesc = 1;
2317 req->rq_user_desc = lustre_msg_buf(req->rq_reqbuf, 2, 0);
2323 int gss_svc_accept(struct ptlrpc_sec_policy *policy, struct ptlrpc_request *req)
2325 struct gss_header *ghdr;
2326 struct gss_svc_reqctx *grctx;
2327 struct gss_wire_ctx *gw;
2331 LASSERT(req->rq_reqbuf);
2332 LASSERT(req->rq_svc_ctx == NULL);
2334 if (req->rq_reqbuf->lm_bufcount < 2) {
2335 CERROR("buf count only %d\n", req->rq_reqbuf->lm_bufcount);
2336 RETURN(SECSVC_DROP);
2339 ghdr = gss_swab_header(req->rq_reqbuf, 0);
2341 CERROR("can't decode gss header\n");
2342 RETURN(SECSVC_DROP);
2346 if (ghdr->gh_version != PTLRPC_GSS_VERSION) {
2347 CERROR("gss version %u, expect %u\n", ghdr->gh_version,
2348 PTLRPC_GSS_VERSION);
2349 RETURN(SECSVC_DROP);
2352 req->rq_sp_from = ghdr->gh_sp;
2354 /* alloc grctx data */
2355 OBD_ALLOC_PTR(grctx);
2357 CERROR("fail to alloc svc reqctx\n");
2358 RETURN(SECSVC_DROP);
2360 grctx->src_base.sc_policy = sptlrpc_policy_get(policy);
2361 atomic_set(&grctx->src_base.sc_refcount, 1);
2362 req->rq_svc_ctx = &grctx->src_base;
2363 gw = &grctx->src_wirectx;
2365 /* save wire context */
2366 gw->gw_flags = ghdr->gh_flags;
2367 gw->gw_proc = ghdr->gh_proc;
2368 gw->gw_seq = ghdr->gh_seq;
2369 gw->gw_svc = ghdr->gh_svc;
2370 rawobj_from_netobj(&gw->gw_handle, &ghdr->gh_handle);
2372 /* keep original wire header which subject to checksum verification */
2373 if (lustre_msg_swabbed(req->rq_reqbuf))
2374 gss_header_swabber(ghdr);
2376 switch(ghdr->gh_proc) {
2377 case PTLRPC_GSS_PROC_INIT:
2378 case PTLRPC_GSS_PROC_CONTINUE_INIT:
2379 rc = gss_svc_handle_init(req, gw);
2381 case PTLRPC_GSS_PROC_DATA:
2382 rc = gss_svc_handle_data(req, gw);
2384 case PTLRPC_GSS_PROC_DESTROY:
2385 rc = gss_svc_handle_destroy(req, gw);
2388 CERROR("unknown proc %u\n", gw->gw_proc);
2395 LASSERT (grctx->src_ctx);
2397 req->rq_auth_gss = 1;
2398 req->rq_auth_remote = grctx->src_ctx->gsc_remote;
2399 req->rq_auth_usr_mdt = grctx->src_ctx->gsc_usr_mds;
2400 req->rq_auth_usr_root = grctx->src_ctx->gsc_usr_root;
2401 req->rq_auth_uid = grctx->src_ctx->gsc_uid;
2402 req->rq_auth_mapped_uid = grctx->src_ctx->gsc_mapped_uid;
2404 case SECSVC_COMPLETE:
2407 gss_svc_reqctx_free(grctx);
2408 req->rq_svc_ctx = NULL;
2415 void gss_svc_invalidate_ctx(struct ptlrpc_svc_ctx *svc_ctx)
2417 struct gss_svc_reqctx *grctx;
2420 if (svc_ctx == NULL) {
2425 grctx = gss_svc_ctx2reqctx(svc_ctx);
2427 CWARN("gss svc invalidate ctx %p(%u)\n",
2428 grctx->src_ctx, grctx->src_ctx->gsc_uid);
2429 gss_svc_upcall_destroy_ctx(grctx->src_ctx);
2435 int gss_svc_payload(struct gss_svc_reqctx *grctx, int early,
2436 int msgsize, int privacy)
2438 /* we should treat early reply normally, but which is actually sharing
2439 * the same ctx with original request, so in this case we should
2440 * ignore the special ctx's special flags */
2441 if (early == 0 && gss_svc_reqctx_is_special(grctx))
2442 return grctx->src_reserve_len;
2444 return gss_mech_payload(NULL, msgsize, privacy);
2447 int gss_svc_alloc_rs(struct ptlrpc_request *req, int msglen)
2449 struct gss_svc_reqctx *grctx;
2450 struct ptlrpc_reply_state *rs;
2451 int early, privacy, svc, bsd_off = 0;
2452 int ibuflens[2], ibufcnt = 0;
2453 int buflens[4], bufcnt;
2454 int txtsize, wmsg_size, rs_size;
2457 LASSERT(msglen % 8 == 0);
2459 if (req->rq_pack_bulk && !req->rq_bulk_read && !req->rq_bulk_write) {
2460 CERROR("client request bulk sec on non-bulk rpc\n");
2464 svc = RPC_FLVR_SVC(req->rq_flvr.sf_rpc);
2465 early = (req->rq_packed_final == 0);
2467 grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2468 if (!early && gss_svc_reqctx_is_special(grctx))
2471 privacy = (svc == SPTLRPC_SVC_PRIV);
2476 ibuflens[0] = msglen;
2478 if (req->rq_pack_bulk) {
2479 LASSERT(grctx->src_reqbsd);
2482 ibuflens[ibufcnt++] = bulk_sec_desc_size(
2483 grctx->src_reqbsd->bsd_hash_alg,
2484 0, req->rq_bulk_read);
2487 txtsize = lustre_msg_size_v2(ibufcnt, ibuflens);
2488 txtsize += GSS_MAX_CIPHER_BLOCK;
2490 /* wrapper buffer */
2492 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2493 buflens[1] = gss_svc_payload(grctx, early, buflens[0], 0);
2494 buflens[2] = gss_svc_payload(grctx, early, txtsize, 1);
2497 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2498 buflens[1] = msglen;
2500 txtsize = buflens[0];
2501 if (svc == SPTLRPC_SVC_INTG)
2502 txtsize += buflens[1];
2504 if (req->rq_pack_bulk) {
2505 LASSERT(grctx->src_reqbsd);
2508 buflens[bufcnt] = bulk_sec_desc_size(
2509 grctx->src_reqbsd->bsd_hash_alg,
2510 0, req->rq_bulk_read);
2511 if (svc == SPTLRPC_SVC_INTG)
2512 txtsize += buflens[bufcnt];
2516 if ((!early && gss_svc_reqctx_is_special(grctx)) ||
2517 svc != SPTLRPC_SVC_NULL)
2518 buflens[bufcnt++] = gss_svc_payload(grctx, early,
2522 wmsg_size = lustre_msg_size_v2(bufcnt, buflens);
2524 rs_size = sizeof(*rs) + wmsg_size;
2525 rs = req->rq_reply_state;
2529 LASSERT(rs->rs_size >= rs_size);
2531 OBD_ALLOC(rs, rs_size);
2535 rs->rs_size = rs_size;
2538 rs->rs_repbuf = (struct lustre_msg *) (rs + 1);
2539 rs->rs_repbuf_len = wmsg_size;
2541 /* initialize the buffer */
2543 lustre_init_msg_v2(rs->rs_repbuf, ibufcnt, ibuflens, NULL);
2544 rs->rs_msg = lustre_msg_buf(rs->rs_repbuf, 0, msglen);
2546 lustre_init_msg_v2(rs->rs_repbuf, bufcnt, buflens, NULL);
2547 rs->rs_repbuf->lm_secflvr = req->rq_flvr.sf_rpc;
2549 rs->rs_msg = lustre_msg_buf(rs->rs_repbuf, 1, 0);
2553 grctx->src_repbsd = lustre_msg_buf(rs->rs_repbuf, bsd_off, 0);
2554 grctx->src_repbsd_size = lustre_msg_buflen(rs->rs_repbuf,
2558 gss_svc_reqctx_addref(grctx);
2559 rs->rs_svc_ctx = req->rq_svc_ctx;
2561 LASSERT(rs->rs_msg);
2562 req->rq_reply_state = rs;
2567 int gss_svc_seal(struct ptlrpc_request *req,
2568 struct ptlrpc_reply_state *rs,
2569 struct gss_svc_reqctx *grctx)
2571 struct gss_svc_ctx *gctx = grctx->src_ctx;
2572 rawobj_t msgobj, cipher_obj, micobj;
2573 struct gss_header *ghdr;
2575 int cipher_buflen, buflens[3];
2580 /* embedded lustre_msg might have been shrinked */
2581 if (req->rq_replen != rs->rs_repbuf->lm_buflens[0])
2582 lustre_shrink_msg(rs->rs_repbuf, 0, req->rq_replen, 1);
2584 /* clear data length */
2585 msglen = lustre_msg_size_v2(rs->rs_repbuf->lm_bufcount,
2586 rs->rs_repbuf->lm_buflens);
2589 msgobj.len = msglen;
2590 msgobj.data = (__u8 *) rs->rs_repbuf;
2592 /* allocate temporary cipher buffer */
2593 cipher_buflen = gss_mech_payload(gctx->gsc_mechctx, msglen, 1);
2594 OBD_ALLOC(cipher_buf, cipher_buflen);
2598 cipher_obj.len = cipher_buflen;
2599 cipher_obj.data = cipher_buf;
2601 major = lgss_wrap(gctx->gsc_mechctx, &msgobj, rs->rs_repbuf_len,
2603 if (major != GSS_S_COMPLETE) {
2604 CERROR("priv: wrap message error: %08x\n", major);
2605 GOTO(out_free, rc = -EPERM);
2607 LASSERT(cipher_obj.len <= cipher_buflen);
2609 /* we are about to override data at rs->rs_repbuf, nullify pointers
2610 * to which to catch further illegal usage. */
2611 if (req->rq_pack_bulk) {
2612 grctx->src_repbsd = NULL;
2613 grctx->src_repbsd_size = 0;
2616 /* now the real wire data */
2617 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2618 buflens[1] = gss_mech_payload(gctx->gsc_mechctx, buflens[0], 0);
2619 buflens[2] = cipher_obj.len;
2621 LASSERT(lustre_msg_size_v2(3, buflens) <= rs->rs_repbuf_len);
2622 lustre_init_msg_v2(rs->rs_repbuf, 3, buflens, NULL);
2623 rs->rs_repbuf->lm_secflvr = req->rq_flvr.sf_rpc;
2626 ghdr = lustre_msg_buf(rs->rs_repbuf, 0, 0);
2627 ghdr->gh_version = PTLRPC_GSS_VERSION;
2629 ghdr->gh_proc = PTLRPC_GSS_PROC_DATA;
2630 ghdr->gh_seq = grctx->src_wirectx.gw_seq;
2631 ghdr->gh_svc = SPTLRPC_SVC_PRIV;
2632 ghdr->gh_handle.len = 0;
2633 if (req->rq_pack_bulk)
2634 ghdr->gh_flags |= LUSTRE_GSS_PACK_BULK;
2636 /* header signature */
2637 msgobj.len = rs->rs_repbuf->lm_buflens[0];
2638 msgobj.data = lustre_msg_buf(rs->rs_repbuf, 0, 0);
2639 micobj.len = rs->rs_repbuf->lm_buflens[1];
2640 micobj.data = lustre_msg_buf(rs->rs_repbuf, 1, 0);
2642 major = lgss_get_mic(gctx->gsc_mechctx, 1, &msgobj, &micobj);
2643 if (major != GSS_S_COMPLETE) {
2644 CERROR("priv: sign message error: %08x\n", major);
2645 GOTO(out_free, rc = -EPERM);
2647 lustre_shrink_msg(rs->rs_repbuf, 1, micobj.len, 0);
2650 memcpy(lustre_msg_buf(rs->rs_repbuf, 2, 0),
2651 cipher_obj.data, cipher_obj.len);
2653 rs->rs_repdata_len = lustre_shrink_msg(rs->rs_repbuf, 2,
2657 if (likely(req->rq_packed_final))
2658 req->rq_reply_off = gss_at_reply_off_priv;
2660 req->rq_reply_off = 0;
2662 /* to catch upper layer's further access */
2664 req->rq_repmsg = NULL;
2669 OBD_FREE(cipher_buf, cipher_buflen);
2673 int gss_svc_authorize(struct ptlrpc_request *req)
2675 struct ptlrpc_reply_state *rs = req->rq_reply_state;
2676 struct gss_svc_reqctx *grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
2677 struct gss_wire_ctx *gw = &grctx->src_wirectx;
2681 early = (req->rq_packed_final == 0);
2683 if (!early && gss_svc_reqctx_is_special(grctx)) {
2684 LASSERT(rs->rs_repdata_len != 0);
2686 req->rq_reply_off = gss_at_reply_off_integ;
2690 /* early reply could happen in many cases */
2692 gw->gw_proc != PTLRPC_GSS_PROC_DATA &&
2693 gw->gw_proc != PTLRPC_GSS_PROC_DESTROY) {
2694 CERROR("proc %d not support\n", gw->gw_proc);
2698 LASSERT(grctx->src_ctx);
2700 switch (gw->gw_svc) {
2701 case SPTLRPC_SVC_NULL:
2702 case SPTLRPC_SVC_AUTH:
2703 case SPTLRPC_SVC_INTG:
2704 rc = gss_svc_sign(req, rs, grctx, gw->gw_svc);
2706 case SPTLRPC_SVC_PRIV:
2707 rc = gss_svc_seal(req, rs, grctx);
2710 CERROR("Unknown service %d\n", gw->gw_svc);
2711 GOTO(out, rc = -EINVAL);
2719 void gss_svc_free_rs(struct ptlrpc_reply_state *rs)
2721 struct gss_svc_reqctx *grctx;
2723 LASSERT(rs->rs_svc_ctx);
2724 grctx = container_of(rs->rs_svc_ctx, struct gss_svc_reqctx, src_base);
2726 gss_svc_reqctx_decref(grctx);
2727 rs->rs_svc_ctx = NULL;
2729 if (!rs->rs_prealloc)
2730 OBD_FREE(rs, rs->rs_size);
2733 void gss_svc_free_ctx(struct ptlrpc_svc_ctx *ctx)
2735 LASSERT(atomic_read(&ctx->sc_refcount) == 0);
2736 gss_svc_reqctx_free(gss_svc_ctx2reqctx(ctx));
2739 int gss_copy_rvc_cli_ctx(struct ptlrpc_cli_ctx *cli_ctx,
2740 struct ptlrpc_svc_ctx *svc_ctx)
2742 struct gss_cli_ctx *cli_gctx = ctx2gctx(cli_ctx);
2743 struct gss_svc_ctx *svc_gctx = gss_svc_ctx2gssctx(svc_ctx);
2744 struct gss_ctx *mechctx = NULL;
2747 LASSERT(svc_gctx && svc_gctx->gsc_mechctx);
2749 cli_gctx->gc_proc = PTLRPC_GSS_PROC_DATA;
2750 cli_gctx->gc_win = GSS_SEQ_WIN;
2752 /* The problem is the reverse ctx might get lost in some recovery
2753 * situations, and the same svc_ctx will be used to re-create it.
2754 * if there's callback be sentout before that, new reverse ctx start
2755 * with sequence 0 will lead to future callback rpc be treated as
2758 * each reverse root ctx will record its latest sequence number on its
2759 * buddy svcctx before be destroied, so here we continue use it.
2761 atomic_set(&cli_gctx->gc_seq, svc_gctx->gsc_rvs_seq);
2763 if (gss_svc_upcall_dup_handle(&cli_gctx->gc_svc_handle, svc_gctx)) {
2764 CERROR("failed to dup svc handle\n");
2768 if (lgss_copy_reverse_context(svc_gctx->gsc_mechctx, &mechctx) !=
2770 CERROR("failed to copy mech context\n");
2771 goto err_svc_handle;
2774 if (rawobj_dup(&cli_gctx->gc_handle, &svc_gctx->gsc_rvs_hdl)) {
2775 CERROR("failed to dup reverse handle\n");
2779 cli_gctx->gc_mechctx = mechctx;
2780 gss_cli_ctx_uptodate(cli_gctx);
2785 lgss_delete_sec_context(&mechctx);
2787 rawobj_free(&cli_gctx->gc_svc_handle);
2792 static void gss_init_at_reply_offset(void)
2794 int buflens[3], clearsize;
2796 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2797 buflens[1] = lustre_msg_early_size();
2798 buflens[2] = gss_cli_payload(NULL, buflens[1], 0);
2799 gss_at_reply_off_integ = lustre_msg_size_v2(3, buflens);
2801 buflens[0] = lustre_msg_early_size();
2802 clearsize = lustre_msg_size_v2(1, buflens);
2803 buflens[0] = PTLRPC_GSS_HEADER_SIZE;
2804 buflens[1] = gss_cli_payload(NULL, clearsize, 0);
2805 buflens[2] = gss_cli_payload(NULL, clearsize, 1);
2806 gss_at_reply_off_priv = lustre_msg_size_v2(3, buflens);
2809 int __init sptlrpc_gss_init(void)
2813 rc = gss_init_lproc();
2817 rc = gss_init_cli_upcall();
2821 rc = gss_init_svc_upcall();
2823 goto out_cli_upcall;
2825 rc = init_kerberos_module();
2827 goto out_svc_upcall;
2829 /* register policy after all other stuff be intialized, because it
2830 * might be in used immediately after the registration. */
2832 rc = gss_init_keyring();
2836 #ifdef HAVE_GSS_PIPEFS
2837 rc = gss_init_pipefs();
2842 gss_init_at_reply_offset();
2846 #ifdef HAVE_GSS_PIPEFS
2852 cleanup_kerberos_module();
2854 gss_exit_svc_upcall();
2856 gss_exit_cli_upcall();
2862 static void __exit sptlrpc_gss_exit(void)
2865 #ifdef HAVE_GSS_PIPEFS
2868 cleanup_kerberos_module();
2869 gss_exit_svc_upcall();
2870 gss_exit_cli_upcall();
2874 MODULE_AUTHOR("Cluster File Systems, Inc. <info@clusterfs.com>");
2875 MODULE_DESCRIPTION("GSS security policy for Lustre");
2876 MODULE_LICENSE("GPL");
2878 module_init(sptlrpc_gss_init);
2879 module_exit(sptlrpc_gss_exit);