* vim:expandtab:shiftwidth=8:tabstop=8:
*
* Copyright (C) 2006 Cluster File Systems, Inc.
+ * Author: Eric Mei <ericm@clusterfs.com>
*
* This file is part of Lustre, http://www.lustre.org.
*
{
struct crypto_tfm *tfm;
struct scatterlist sg, sg2, *sgd;
+ unsigned int blksize;
int i, rc;
__u8 local_iv[sizeof(bsd->bsd_iv)];
if (alg == BULK_PRIV_ALG_NULL)
return 0;
- if (encrypt)
- get_random_bytes(bsd->bsd_iv, sizeof(bsd->bsd_iv));
-
- /* compute the secret iv */
- lgss_plain_encrypt(gctx, sizeof(local_iv), bsd->bsd_iv, local_iv);
-
tfm = crypto_alloc_tfm(sptlrpc_bulk_priv_alg2name(alg),
sptlrpc_bulk_priv_alg2flags(alg));
if (tfm == NULL) {
return -ENOMEM;
}
+ blksize = crypto_tfm_alg_blocksize(tfm);
+ LASSERT(blksize <= sizeof(local_iv));
+
+ if (encrypt)
+ get_random_bytes(bsd->bsd_iv, sizeof(bsd->bsd_iv));
+
+ /* compute the secret iv */
+ rc = lgss_plain_encrypt(gctx, 0,
+ sizeof(local_iv), bsd->bsd_iv, local_iv);
+ if (rc) {
+ CERROR("failed to compute secret iv: %d\n", rc);
+ goto out;
+ }
+
rc = crypto_cipher_setkey(tfm, local_iv, sizeof(local_iv));
if (rc) {
CERROR("Failed to set key for TFM %s: %d\n",
sptlrpc_bulk_priv_alg2name(alg), rc);
- crypto_free_tfm(tfm);
- return rc;
+ goto out;
}
for (i = 0; i < desc->bd_iov_count; i++) {
*/
}
- crypto_free_tfm(tfm);
-
if (encrypt)
bsd->bsd_priv_alg = alg;
- return 0;
+out:
+ crypto_free_tfm(tfm);
+ return rc;
}
int gss_cli_ctx_wrap_bulk(struct ptlrpc_cli_ctx *ctx,
struct gss_cli_ctx *gctx;
struct lustre_msg *msg;
struct ptlrpc_bulk_sec_desc *bsdr;
- struct sec_flavor_config *conf;
int offset, rc;
ENTRY;
- LASSERT(SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor));
+ LASSERT(req->rq_pack_bulk);
LASSERT(req->rq_bulk_read || req->rq_bulk_write);
- switch (SEC_FLAVOR_SVC(req->rq_sec_flavor)) {
+ switch (RPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
+ case SPTLRPC_SVC_NULL:
+ LASSERT(req->rq_reqbuf->lm_bufcount >= 3);
+ msg = req->rq_reqbuf;
+ offset = msg->lm_bufcount - 1;
+ break;
case SPTLRPC_SVC_AUTH:
+ case SPTLRPC_SVC_INTG:
LASSERT(req->rq_reqbuf->lm_bufcount >= 4);
msg = req->rq_reqbuf;
offset = msg->lm_bufcount - 2;
}
/* make checksum */
- conf = &req->rq_import->imp_obd->u.cli.cl_sec_conf;
- rc = bulk_csum_cli_request(desc, req->rq_bulk_read, conf->sfc_bulk_csum,
- msg, offset);
+ rc = bulk_csum_cli_request(desc, req->rq_bulk_read,
+ req->rq_flvr.sf_bulk_csum, msg, offset);
if (rc) {
CERROR("client bulk %s: failed to generate checksum: %d\n",
req->rq_bulk_read ? "read" : "write", rc);
RETURN(rc);
}
- if (conf->sfc_bulk_priv == BULK_PRIV_ALG_NULL)
+ if (req->rq_flvr.sf_bulk_priv == BULK_PRIV_ALG_NULL)
RETURN(0);
/* previous bulk_csum_cli_request() has verified bsdr is good */
bsdr = lustre_msg_buf(msg, offset, 0);
if (req->rq_bulk_read) {
- bsdr->bsd_priv_alg = conf->sfc_bulk_priv;
+ bsdr->bsd_priv_alg = req->rq_flvr.sf_bulk_priv;
RETURN(0);
}
LASSERT(gctx->gc_mechctx);
rc = do_bulk_privacy(gctx->gc_mechctx, desc, 1,
- conf->sfc_bulk_priv, bsdr);
+ req->rq_flvr.sf_bulk_priv, bsdr);
if (rc)
CERROR("bulk write: client failed to encrypt pages\n");
int roff, voff, rc;
ENTRY;
- LASSERT(SEC_FLAVOR_HAS_BULK(req->rq_sec_flavor));
+ LASSERT(req->rq_pack_bulk);
LASSERT(req->rq_bulk_read || req->rq_bulk_write);
- switch (SEC_FLAVOR_SVC(req->rq_sec_flavor)) {
+ switch (RPC_FLVR_SVC(req->rq_flvr.sf_rpc)) {
+ case SPTLRPC_SVC_NULL:
+ vmsg = req->rq_repbuf;
+ voff = vmsg->lm_bufcount - 1;
+ LASSERT(vmsg && vmsg->lm_bufcount >= 3);
+
+ rmsg = req->rq_reqbuf;
+ roff = rmsg->lm_bufcount - 1; /* last segment */
+ LASSERT(rmsg && rmsg->lm_bufcount >= 3);
+ break;
case SPTLRPC_SVC_AUTH:
+ case SPTLRPC_SVC_INTG:
vmsg = req->rq_repbuf;
voff = vmsg->lm_bufcount - 2;
LASSERT(vmsg && vmsg->lm_bufcount >= 4);
int gss_svc_unwrap_bulk(struct ptlrpc_request *req,
struct ptlrpc_bulk_desc *desc)
{
- struct ptlrpc_reply_state *rs = req->rq_reply_state;
struct gss_svc_reqctx *grctx;
- struct ptlrpc_bulk_sec_desc *bsdv;
- int voff, roff, rc;
+ int rc;
ENTRY;
- LASSERT(rs);
+ LASSERT(req->rq_svc_ctx);
+ LASSERT(req->rq_pack_bulk);
LASSERT(req->rq_bulk_write);
- if (SEC_FLAVOR_SVC(req->rq_sec_flavor) == SPTLRPC_SVC_PRIV) {
- LASSERT(req->rq_reqbuf->lm_bufcount >= 2);
- LASSERT(rs->rs_repbuf->lm_bufcount >= 2);
- voff = req->rq_reqbuf->lm_bufcount - 1;
- roff = rs->rs_repbuf->lm_bufcount - 1;
- } else {
- LASSERT(req->rq_reqbuf->lm_bufcount >= 4);
- LASSERT(rs->rs_repbuf->lm_bufcount >= 4);
- voff = req->rq_reqbuf->lm_bufcount - 2;
- roff = rs->rs_repbuf->lm_bufcount - 2;
- }
+ grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
- bsdv = lustre_msg_buf(req->rq_reqbuf, voff, sizeof(*bsdv));
- if (bsdv->bsd_priv_alg != BULK_PRIV_ALG_NULL) {
- grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
- LASSERT(grctx->src_ctx);
- LASSERT(grctx->src_ctx->gsc_mechctx);
+ LASSERT(grctx->src_reqbsd);
+ LASSERT(grctx->src_repbsd);
+ LASSERT(grctx->src_ctx);
+ LASSERT(grctx->src_ctx->gsc_mechctx);
+ /* decrypt bulk data if it's encrypted */
+ if (grctx->src_reqbsd->bsd_priv_alg != BULK_PRIV_ALG_NULL) {
rc = do_bulk_privacy(grctx->src_ctx->gsc_mechctx, desc, 0,
- bsdv->bsd_priv_alg, bsdv);
+ grctx->src_reqbsd->bsd_priv_alg,
+ grctx->src_reqbsd);
if (rc) {
CERROR("bulk write: server failed to decrypt data\n");
RETURN(rc);
}
}
+ /* verify bulk data checksum */
rc = bulk_csum_svc(desc, req->rq_bulk_read,
- req->rq_reqbuf, voff, rs->rs_repbuf, roff);
+ grctx->src_reqbsd, grctx->src_reqbsd_size,
+ grctx->src_repbsd, grctx->src_repbsd_size);
RETURN(rc);
}
int gss_svc_wrap_bulk(struct ptlrpc_request *req,
struct ptlrpc_bulk_desc *desc)
{
- struct ptlrpc_reply_state *rs = req->rq_reply_state;
struct gss_svc_reqctx *grctx;
- struct ptlrpc_bulk_sec_desc *bsdv, *bsdr;
- int voff, roff, rc;
+ int rc;
ENTRY;
- LASSERT(rs);
+ LASSERT(req->rq_svc_ctx);
+ LASSERT(req->rq_pack_bulk);
LASSERT(req->rq_bulk_read);
- if (SEC_FLAVOR_SVC(req->rq_sec_flavor) == SPTLRPC_SVC_PRIV) {
- voff = req->rq_reqbuf->lm_bufcount - 1;
- roff = rs->rs_repbuf->lm_bufcount - 1;
- } else {
- voff = req->rq_reqbuf->lm_bufcount - 2;
- roff = rs->rs_repbuf->lm_bufcount - 2;
- }
+ grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
+
+ LASSERT(grctx->src_reqbsd);
+ LASSERT(grctx->src_repbsd);
+ LASSERT(grctx->src_ctx);
+ LASSERT(grctx->src_ctx->gsc_mechctx);
+ /* generate bulk data checksum */
rc = bulk_csum_svc(desc, req->rq_bulk_read,
- req->rq_reqbuf, voff, rs->rs_repbuf, roff);
+ grctx->src_reqbsd, grctx->src_reqbsd_size,
+ grctx->src_repbsd, grctx->src_repbsd_size);
if (rc)
RETURN(rc);
- bsdv = lustre_msg_buf(req->rq_reqbuf, voff, sizeof(*bsdv));
- if (bsdv->bsd_priv_alg != BULK_PRIV_ALG_NULL) {
- grctx = gss_svc_ctx2reqctx(req->rq_svc_ctx);
- LASSERT(grctx->src_ctx);
- LASSERT(grctx->src_ctx->gsc_mechctx);
-
- bsdr = lustre_msg_buf(rs->rs_repbuf, roff, sizeof(*bsdr));
-
+ /* encrypt bulk data if required */
+ if (grctx->src_reqbsd->bsd_priv_alg != BULK_PRIV_ALG_NULL) {
rc = do_bulk_privacy(grctx->src_ctx->gsc_mechctx, desc, 1,
- bsdv->bsd_priv_alg, bsdr);
+ grctx->src_reqbsd->bsd_priv_alg,
+ grctx->src_repbsd);
if (rc)
- CERROR("bulk read: server failed to encrypt data\n");
+ CERROR("bulk read: server failed to encrypt data: "
+ "rc %d\n", rc);
}
RETURN(rc);