lustre/sec/gss/gss_internal.h

   1 /* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
   2  * vim:expandtab:shiftwidth=8:tabstop=8:
   3  *
   4  * Modified from NFSv4 project for Lustre
   5  * Copyright 2004, Cluster File Systems, Inc.
   6  * All rights reserved
   7  * Author: Eric Mei <ericm@clusterfs.com>
   8  */
   9
  10 #include <linux/lustre_sec.h>
  11 #ifndef __SEC_GSS_GSS_INTERNAL_H_
  12 #define __SEC_GSS_GSS_INTERNAL_H_
  13
  14 /* remove this mess when libkcrypt is ready --umka */
  15 #ifndef __KERNEL__
  16 /*
  17  * Algorithm masks and types.
  18  */
  19 #define CRYPTO_ALG_TYPE_MASK            0x000000ff
  20 #define CRYPTO_ALG_TYPE_CIPHER          0x00000001
  21 #define CRYPTO_ALG_TYPE_DIGEST          0x00000002
  22 #define CRYPTO_ALG_TYPE_COMPRESS        0x00000004
  23
  24 /*
  25  * Transform masks and values (for crt_flags).
  26  */
  27 #define CRYPTO_TFM_MODE_MASK            0x000000ff
  28 #define CRYPTO_TFM_REQ_MASK             0x000fff00
  29 #define CRYPTO_TFM_RES_MASK             0xfff00000
  30
  31 #define CRYPTO_TFM_MODE_ECB             0x00000001
  32 #define CRYPTO_TFM_MODE_CBC             0x00000002
  33 #define CRYPTO_TFM_MODE_CFB             0x00000004
  34 #define CRYPTO_TFM_MODE_CTR             0x00000008
  35
  36 #define CRYPTO_TFM_REQ_WEAK_KEY         0x00000100
  37 #define CRYPTO_TFM_RES_WEAK_KEY         0x00100000
  38 #define CRYPTO_TFM_RES_BAD_KEY_LEN      0x00200000
  39 #define CRYPTO_TFM_RES_BAD_KEY_SCHED    0x00400000
  40 #define CRYPTO_TFM_RES_BAD_BLOCK_LEN    0x00800000
  41 #define CRYPTO_TFM_RES_BAD_FLAGS        0x01000000
  42
  43 /*
  44  * Miscellaneous stuff.
  45  */
  46 #define CRYPTO_UNSPEC                   0
  47 #define CRYPTO_MAX_ALG_NAME             64
  48
  49 static inline struct crypto_tfm *
  50 crypto_alloc_tfm(const char *name, __u32 flags)
  51 {
  52         return NULL;
  53 }
  54
  55 static inline void
  56 crypto_free_tfm(struct crypto_tfm *tfm)
  57 {
  58         return;
  59 }
  60
  61 static inline int
  62 crypto_digest_setkey(struct crypto_tfm *tfm,
  63                      const __u8 *key, unsigned int keylen)
  64 {
  65         return -ENOSYS;
  66 }
  67
  68 static inline unsigned int
  69 crypto_tfm_alg_blocksize(struct crypto_tfm *tfm)
  70 {
  71         return 0;
  72 }
  73
  74 static inline unsigned int
  75 crypto_tfm_alg_ivsize(struct crypto_tfm *tfm)
  76 {
  77         return 0;
  78 }
  79
  80 #endif /* __KERNEL__ */
  81
  82 struct ptlrpc_sec;
  83 struct ptlrpc_cred;
  84
  85 /*
  86  * rawobj stuff
  87  */
  88 typedef struct rawobj_s {
  89         __u32           len;
  90         __u8           *data;
  91 } rawobj_t;
  92
  93 typedef struct rawobj_buf_s {
  94         __u32           dataoff;
  95         __u32           datalen;
  96         __u32           buflen;
  97         __u8           *buf;
  98 } rawobj_buf_t;
  99
 100 int rawobj_alloc(rawobj_t *obj, char *buf, int len);
 101 void rawobj_free(rawobj_t *obj);
 102 int rawobj_equal(rawobj_t *a, rawobj_t *b);
 103 int rawobj_dup(rawobj_t *dest, rawobj_t *src);
 104 int rawobj_serialize(rawobj_t *obj, __u32 **buf, __u32 *buflen);
 105 int rawobj_extract(rawobj_t *obj, __u32 **buf, __u32 *buflen);
 106 int rawobj_extract_alloc(rawobj_t *obj, __u32 **buf, __u32 *buflen);
 107 int rawobj_extract_local(rawobj_t *obj, __u32 **buf, __u32 *buflen);
 108
 109 /*
 110  * definition of several timeout values
 111  */
 112 #define GSS_TIMEOUT_DELTA       (5)
 113 #define CRED_REFRESH_UPCALL_TIMEOUT                             \
 114         ({                                                      \
 115                 int timeout = obd_timeout - GSS_TIMEOUT_DELTA;  \
 116                                                                 \
 117                 if (timeout < GSS_TIMEOUT_DELTA * 2)            \
 118                         timeout = GSS_TIMEOUT_DELTA * 2;        \
 119                 timeout;                                        \
 120         })
 121 #define SECINIT_RPC_TIMEOUT                                     \
 122         ({                                                      \
 123                 int timeout = CRED_REFRESH_UPCALL_TIMEOUT -     \
 124                               GSS_TIMEOUT_DELTA;                \
 125                 if (timeout < GSS_TIMEOUT_DELTA)                \
 126                         timeout = GSS_TIMEOUT_DELTA;            \
 127                 timeout;                                        \
 128         })
 129 #define SECFINI_RPC_TIMEOUT     (GSS_TIMEOUT_DELTA)
 130
 131 #define SVCSEC_UPCALL_TIMEOUT   (SECINIT_RPC_TIMEOUT)
 132
 133 /*
 134  * mark of the interface between kernel and lgssd/lsvcgssd
 135  */
 136 #define GSSD_INTERFACE_VERSION  (1)
 137
 138 /*
 139  * target of gss request
 140  */
 141 #define LUSTRE_GSS_SVC_MDS      0
 142 #define LUSTRE_GSS_SVC_OSS      1
 143
 144
 145 /* on-the-wire gss cred: */
 146 struct rpc_gss_wire_cred {
 147         __u32                   gc_v;           /* version */
 148         __u32                   gc_proc;        /* control procedure */
 149         __u32                   gc_seq;         /* sequence number */
 150         __u32                   gc_svc;         /* service */
 151         rawobj_t                gc_ctx;         /* context handle */
 152 };
 153
 154 struct gss_svc_data {
 155         /* decoded gss client cred: */
 156         struct rpc_gss_wire_cred        clcred;
 157         /* internal used status */
 158         unsigned int                    is_init:1,
 159                                         is_init_continue:1,
 160                                         is_err_notify:1,
 161                                         is_fini:1;
 162         int                             reserve_len;
 163 };
 164
 165 /*
 166  * data types in gss header
 167  */
 168 #define MAXSEQ 0x80000000 /* maximum legal sequence number, from rfc 2203 */
 169
 170 enum rpc_gss_proc {
 171         RPC_GSS_PROC_DATA =             0,
 172         RPC_GSS_PROC_INIT =             1,
 173         RPC_GSS_PROC_CONTINUE_INIT =    2,
 174         RPC_GSS_PROC_DESTROY =          3,
 175 };
 176
 177 enum rpc_gss_svc {
 178         RPC_GSS_SVC_NONE =              1,
 179         RPC_GSS_SVC_INTEGRITY =         2,
 180         RPC_GSS_SVC_PRIVACY =           3,
 181 };
 182
 183 /* on-the-wire gss verifier: */
 184 struct rpc_gss_wire_verf {
 185         __u32                   gv_flavor;
 186         rawobj_t                gv_verf;
 187 };
 188
 189 struct gss_cl_ctx {
 190         atomic_t                gc_refcount;
 191         __u32                   gc_proc;
 192         __u32                   gc_seq;
 193         spinlock_t              gc_seq_lock;
 194         struct gss_ctx         *gc_gss_ctx;
 195         rawobj_t                gc_wire_ctx;
 196         __u32                   gc_win;
 197 };
 198
 199 struct gss_cred {
 200         struct ptlrpc_cred      gc_base;
 201         __u32                   gc_flavor;
 202         struct gss_cl_ctx      *gc_ctx;
 203 };
 204
 205 /*
 206  * This only guaranteed be enough for current krb5 des-cbc-crc . We might
 207  * adjust this when new enc type or mech added in.
 208  */
 209 #define GSS_PRIVBUF_PREFIX_LEN         (32)
 210 #define GSS_PRIVBUF_SUFFIX_LEN         (32)
 211
 212 /* This is too coarse. We'll let mech determine it */
 213 #define GSS_MAX_AUTH_PAYLOAD    (128)
 214
 215 /* FIXME we'd better make it expire sooner than it really is, since
 216  * there's chance it might get expire between the last check and
 217  * encrypt rpc. but the time between check & encrypt is not so certain.
 218  */
 219 static inline
 220 unsigned long gss_roundup_expire_time(__u64 expiry)
 221 {
 222         unsigned long cur = get_seconds();
 223
 224         if (expiry >= cur + obd_timeout)
 225                 return (unsigned long) expiry - obd_timeout;
 226         return (unsigned long) expiry;
 227 }
 228
 229 /* gss_mech_switch.c */
 230 int init_kerberos_module(void);
 231 void cleanup_kerberos_module(void);
 232
 233 /* gss_generic_token.c */
 234 int g_token_size(rawobj_t *mech, unsigned int body_size);
 235 void g_make_token_header(rawobj_t *mech, int body_size, unsigned char **buf);
 236 __u32 g_verify_token_header(rawobj_t *mech, int *body_size,
 237                             unsigned char **buf_in, int toksize);
 238
 239 /* svcsec_gss.c */
 240 int gss_svc_init(void);
 241 void gss_svc_exit(void);
 242
 243 #endif /* __SEC_GSS_GSS_INTERNAL_H_ */