#include <linux/types.h>
#include <linux/init.h>
#include <linux/module.h>
+#include <linux/random.h>
#include <linux/slab.h>
#include <linux/hash.h>
#include <linux/mutex.h>
#include "gss_err.h"
#include "gss_internal.h"
#include "gss_api.h"
+#include "gss_crypto.h"
#define GSS_SVC_UPCALL_TIMEOUT (20)
-static spinlock_t __ctx_index_lock;
+static DEFINE_SPINLOCK(__ctx_index_lock);
static __u64 __ctx_index;
+unsigned int krb5_allow_old_client_csum;
+
__u64 gss_get_next_ctx_index(void)
{
__u64 idx;
return hash >> (BITS_PER_LONG - bits);
}
-/* This compatibility can be removed once kernel 3.3 is used,
- * since cache_register_net/cache_unregister_net are exported.
- * Note that since kernel 3.4 cache_register and cache_unregister
- * are removed.
-*/
-static inline int _cache_register_net(struct cache_detail *cd, struct net *net)
-{
-#ifdef HAVE_CACHE_REGISTER
- return cache_register(cd);
-#else
- return cache_register_net(cd, net);
-#endif
-}
-static inline void _cache_unregister_net(struct cache_detail *cd,
- struct net *net)
-{
-#ifdef HAVE_CACHE_REGISTER
- cache_unregister(cd);
-#else
- cache_unregister_net(cd, net);
-#endif
-}
/****************************************
* rpc sec init (rsi) cache *
****************************************/
rawobj_t in_handle, in_token;
rawobj_t out_handle, out_token;
int major_status, minor_status;
+#ifdef HAVE_CACHE_HASH_SPINLOCK
+ struct rcu_head rcu_head;
+#endif
};
#ifdef HAVE_CACHE_HEAD_HLIST
static struct rsi *rsi_update(struct rsi *new, struct rsi *old);
static struct rsi *rsi_lookup(struct rsi *item);
+#ifdef HAVE_CACHE_DETAIL_WRITERS
+static inline int channel_users(struct cache_detail *cd)
+{
+ return atomic_read(&cd->writers);
+}
+#else
+static inline int channel_users(struct cache_detail *cd)
+{
+ return atomic_read(&cd->readers);
+}
+#endif
+
static inline int rsi_hash(struct rsi *item)
{
return hash_mem((char *)item->in_handle.data, item->in_handle.len,
(*bpp)[-1] = '\n';
}
-#ifdef HAVE_SUNRPC_UPCALL_HAS_3ARGS
-static int rsi_upcall(struct cache_detail *cd, struct cache_head *h)
-{
- return sunrpc_cache_pipe_upcall(cd, h, rsi_request);
-}
-#else
-
-static int rsi_upcall(struct cache_detail *cd, struct cache_head *h)
-{
- return sunrpc_cache_pipe_upcall(cd, h);
-}
-#endif
-
static inline void __rsi_init(struct rsi *new, struct rsi *item)
{
new->out_handle = RAWOBJ_EMPTY;
new->minor_status = item->minor_status;
}
+#ifdef HAVE_CACHE_HASH_SPINLOCK
+static void rsi_free_rcu(struct rcu_head *head)
+{
+ struct rsi *rsi = container_of(head, struct rsi, rcu_head);
+
+#ifdef HAVE_CACHE_HEAD_HLIST
+ LASSERT(hlist_unhashed(&rsi->h.cache_list));
+#else
+ LASSERT(rsi->h.next == NULL);
+#endif
+ rsi_free(rsi);
+ OBD_FREE_PTR(rsi);
+}
+
+static void rsi_put(struct kref *ref)
+{
+ struct rsi *rsi = container_of(ref, struct rsi, h.ref);
+
+ call_rcu(&rsi->rcu_head, rsi_free_rcu);
+}
+#else /* !HAVE_CACHE_HASH_SPINLOCK */
static void rsi_put(struct kref *ref)
{
- struct rsi *rsi = container_of(ref, struct rsi, h.ref);
+ struct rsi *rsi = container_of(ref, struct rsi, h.ref);
#ifdef HAVE_CACHE_HEAD_HLIST
- LASSERT(rsi->h.cache_list.next == NULL);
+ LASSERT(hlist_unhashed(&rsi->h.cache_list));
#else
LASSERT(rsi->h.next == NULL);
#endif
- rsi_free(rsi);
- OBD_FREE_PTR(rsi);
+ rsi_free(rsi);
+ OBD_FREE_PTR(rsi);
}
+#endif /* HAVE_CACHE_HASH_SPINLOCK */
static int rsi_match(struct cache_head *a, struct cache_head *b)
{
char *buf = mesg;
int len;
struct rsi rsii, *rsip = NULL;
- time_t expiry;
+ time64_t expiry;
int status = -EINVAL;
ENTRY;
.hash_table = rsi_table,
.name = "auth.sptlrpc.init",
.cache_put = rsi_put,
-#ifndef HAVE_SUNRPC_UPCALL_HAS_3ARGS
.cache_request = rsi_request,
-#endif
- .cache_upcall = rsi_upcall,
+ .cache_upcall = sunrpc_cache_pipe_upcall,
.cache_parse = rsi_parse,
.match = rsi_match,
.init = rsi_init,
struct obd_device *target;
rawobj_t handle;
struct gss_svc_ctx ctx;
+#ifdef HAVE_CACHE_HASH_SPINLOCK
+ struct rcu_head rcu_head;
+#endif
};
#ifdef HAVE_CACHE_HEAD_HLIST
static inline void __rsc_update(struct rsc *new, struct rsc *tmp)
{
- new->ctx = tmp->ctx;
- tmp->ctx.gsc_rvs_hdl = RAWOBJ_EMPTY;
- tmp->ctx.gsc_mechctx = NULL;
+ new->ctx = tmp->ctx;
+ memset(&tmp->ctx, 0, sizeof(tmp->ctx));
+ tmp->ctx.gsc_rvs_hdl = RAWOBJ_EMPTY;
+ tmp->ctx.gsc_mechctx = NULL;
+ tmp->target = NULL;
- memset(&new->ctx.gsc_seqdata, 0, sizeof(new->ctx.gsc_seqdata));
+ memset(&new->ctx.gsc_seqdata, 0, sizeof(new->ctx.gsc_seqdata));
spin_lock_init(&new->ctx.gsc_seqdata.ssd_lock);
}
+#ifdef HAVE_CACHE_HASH_SPINLOCK
+static void rsc_free_rcu(struct rcu_head *head)
+{
+ struct rsc *rsci = container_of(head, struct rsc, rcu_head);
+
+#ifdef HAVE_CACHE_HEAD_HLIST
+ LASSERT(hlist_unhashed(&rsci->h.cache_list));
+#else
+ LASSERT(rsci->h.next == NULL);
+#endif
+ rawobj_free(&rsci->handle);
+ OBD_FREE_PTR(rsci);
+}
+
+static void rsc_put(struct kref *ref)
+{
+ struct rsc *rsci = container_of(ref, struct rsc, h.ref);
+
+ rawobj_free(&rsci->ctx.gsc_rvs_hdl);
+ lgss_delete_sec_context(&rsci->ctx.gsc_mechctx);
+ call_rcu(&rsci->rcu_head, rsc_free_rcu);
+}
+#else /* !HAVE_CACHE_HASH_SPINLOCK */
static void rsc_put(struct kref *ref)
{
- struct rsc *rsci = container_of(ref, struct rsc, h.ref);
+ struct rsc *rsci = container_of(ref, struct rsc, h.ref);
#ifdef HAVE_CACHE_HEAD_HLIST
- LASSERT(rsci->h.cache_list.next == NULL);
+ LASSERT(hlist_unhashed(&rsci->h.cache_list));
#else
- LASSERT(rsci->h.next == NULL);
+ LASSERT(rsci->h.next == NULL);
#endif
- rsc_free(rsci);
- OBD_FREE_PTR(rsci);
+ rsc_free(rsci);
+ OBD_FREE_PTR(rsci);
}
+#endif /* HAVE_CACHE_HASH_SPINLOCK */
static int rsc_match(struct cache_head *a, struct cache_head *b)
{
char *buf = mesg;
int len, rv, tmp_int;
struct rsc rsci, *rscp = NULL;
- time_t expiry;
+ time64_t expiry;
int status = -EINVAL;
struct gss_api_mech *gm = NULL;
* rsc cache flush *
****************************************/
-typedef int rsc_entry_match(struct rsc *rscp, long data);
-
-static void rsc_flush(rsc_entry_match *match, long data)
-{
-#ifdef HAVE_CACHE_HEAD_HLIST
- struct cache_head *ch = NULL;
- struct hlist_head *head;
-#else
- struct cache_head **ch;
-#endif
- struct rsc *rscp;
- int n;
- ENTRY;
-
- write_lock(&rsc_cache.hash_lock);
- for (n = 0; n < RSC_HASHMAX; n++) {
-#ifdef HAVE_CACHE_HEAD_HLIST
- head = &rsc_cache.hash_table[n];
- hlist_for_each_entry(ch, head, cache_list) {
- rscp = container_of(ch, struct rsc, h);
-#else
- for (ch = &rsc_cache.hash_table[n]; *ch;) {
- rscp = container_of(*ch, struct rsc, h);
-#endif
-
- if (!match(rscp, data)) {
-#ifndef HAVE_CACHE_HEAD_HLIST
- ch = &((*ch)->next);
-#endif
- continue;
- }
-
- /* it seems simply set NEGATIVE doesn't work */
-#ifdef HAVE_CACHE_HEAD_HLIST
- hlist_del_init(&ch->cache_list);
-#else
- *ch = (*ch)->next;
- rscp->h.next = NULL;
-#endif
- cache_get(&rscp->h);
- set_bit(CACHE_NEGATIVE, &rscp->h.flags);
- COMPAT_RSC_PUT(&rscp->h, &rsc_cache);
- rsc_cache.entries--;
- }
- }
- write_unlock(&rsc_cache.hash_lock);
- EXIT;
-}
-
-static int match_uid(struct rsc *rscp, long uid)
-{
- if ((int) uid == -1)
- return 1;
- return ((int) rscp->ctx.gsc_uid == (int) uid);
-}
-
-static int match_target(struct rsc *rscp, long target)
-{
- return (rscp->target == (struct obd_device *) target);
-}
-
-static inline void rsc_flush_uid(int uid)
-{
- if (uid == -1)
- CWARN("flush all gss contexts...\n");
-
- rsc_flush(match_uid, (long) uid);
-}
-
-static inline void rsc_flush_target(struct obd_device *target)
-{
- rsc_flush(match_target, (long) target);
-}
-
-void gss_secsvc_flush(struct obd_device *target)
-{
- rsc_flush_target(target);
-}
-
static struct rsc *gss_svc_searchbyctx(rawobj_t *handle)
{
struct rsc rsci;
CERROR("unable to get expire time, drop it\n");
GOTO(out, rc = -EINVAL);
}
- rsci.h.expiry_time = (time_t) ctx_expiry;
+ rsci.h.expiry_time = ctx_expiry;
switch (imp->imp_obd->u.cli.cl_sp_to) {
case LUSTRE_SP_MDT:
break;
case LUSTRE_SP_CLI:
rsci.ctx.gsc_usr_root = 1;
+ break;
+ case LUSTRE_SP_MGS:
+ /* by convention, all 3 set to 1 means MGS */
+ rsci.ctx.gsc_usr_mds = 1;
+ rsci.ctx.gsc_usr_oss = 1;
+ rsci.ctx.gsc_usr_root = 1;
+ break;
default:
break;
}
memset(&rsikey, 0, sizeof(rsikey));
rsikey.lustre_svc = lustre_svc;
- rsikey.nid = (__u64) req->rq_peer.nid;
+ /* In case of MR, rq_peer is not the NID from which request is received,
+ * but primary NID of peer.
+ * So we need rq_source, which contains the NID actually in use.
+ */
+ rsikey.nid = (__u64) req->rq_source.nid;
nodemap_test_nid(req->rq_peer.nid, rsikey.nm_name,
sizeof(rsikey.nm_name));
}
cache_get(&rsip->h); /* take an extra ref */
- init_waitqueue_head(&rsip->waitq);
- init_waitqueue_entry(&wait, current);
+ init_wait(&wait);
add_wait_queue(&rsip->waitq, &wait);
cache_check:
if (first_check) {
first_check = 0;
- read_lock(&rsi_cache.hash_lock);
+ cache_read_lock(&rsi_cache);
valid = test_bit(CACHE_VALID, &rsip->h.flags);
if (valid == 0)
set_current_state(TASK_INTERRUPTIBLE);
- read_unlock(&rsi_cache.hash_lock);
+ cache_read_unlock(&rsi_cache);
if (valid == 0) {
- unsigned long jiffies;
- jiffies = msecs_to_jiffies(MSEC_PER_SEC *
- GSS_SVC_UPCALL_TIMEOUT);
- schedule_timeout(jiffies);
+ unsigned long timeout;
+
+ timeout = cfs_time_seconds(GSS_SVC_UPCALL_TIMEOUT);
+ schedule_timeout(timeout);
}
cache_get(&rsip->h);
goto cache_check;
grctx->src_ctx = &rsci->ctx;
}
+ if (gw->gw_flags & LUSTRE_GSS_PACK_KCSUM) {
+ grctx->src_ctx->gsc_mechctx->hash_func = gss_digest_hash;
+ } else if (!strcmp(grctx->src_ctx->gsc_mechctx->mech_type->gm_name,
+ "krb5") &&
+ !krb5_allow_old_client_csum) {
+ CWARN("%s: deny connection from '%s' due to missing 'krb_csum' feature, set 'sptlrpc.gss.krb5_allow_old_client_csum=1' to allow, but recommend client upgrade: rc = %d\n",
+ target->obd_name, libcfs_nid2str(req->rq_peer.nid),
+ -EPROTO);
+ GOTO(out, rc = SECSVC_DROP);
+ } else {
+ grctx->src_ctx->gsc_mechctx->hash_func =
+ gss_digest_hash_compat;
+ }
+
if (rawobj_dup(&rsci->ctx.gsc_rvs_hdl, rvs_hdl)) {
CERROR("failed duplicate reverse handle\n");
GOTO(out, rc);
{
int i, rc;
- spin_lock_init(&__ctx_index_lock);
/*
* this helps reducing context index confliction. after server reboot,
* conflicting request from clients might be filtered out by initial
* sequence number checking, thus no chance to sent error notification
* back to clients.
*/
- cfs_get_random_bytes(&__ctx_index, sizeof(__ctx_index));
+ get_random_bytes(&__ctx_index, sizeof(__ctx_index));
- rc = _cache_register_net(&rsi_cache, &init_net);
+#ifdef HAVE_CACHE_HEAD_HLIST
+ for (i = 0; i < rsi_cache.hash_size; i++)
+ INIT_HLIST_HEAD(&rsi_cache.hash_table[i]);
+#endif
+ rc = cache_register_net(&rsi_cache, &init_net);
if (rc != 0)
return rc;
- rc = _cache_register_net(&rsc_cache, &init_net);
+#ifdef HAVE_CACHE_HEAD_HLIST
+ for (i = 0; i < rsc_cache.hash_size; i++)
+ INIT_HLIST_HEAD(&rsc_cache.hash_table[i]);
+#endif
+ rc = cache_register_net(&rsc_cache, &init_net);
if (rc != 0) {
- _cache_unregister_net(&rsi_cache, &init_net);
+ cache_unregister_net(&rsi_cache, &init_net);
return rc;
}
* Here we wait at minimum 1.5 seconds.
*/
for (i = 0; i < 6; i++) {
- if (atomic_read(&rsi_cache.readers) > 0)
+ if (channel_users(&rsi_cache) > 0)
break;
- set_current_state(TASK_UNINTERRUPTIBLE);
- LASSERT(msecs_to_jiffies(MSEC_PER_SEC / 4) > 0);
- schedule_timeout(msecs_to_jiffies(MSEC_PER_SEC / 4));
+ schedule_timeout_uninterruptible(cfs_time_seconds(1) / 4);
}
- if (atomic_read(&rsi_cache.readers) == 0)
+ if (channel_users(&rsi_cache) == 0)
CWARN("Init channel is not opened by lsvcgssd, following "
"request might be dropped until lsvcgssd is active\n");
void gss_exit_svc_upcall(void)
{
cache_purge(&rsi_cache);
- _cache_unregister_net(&rsi_cache, &init_net);
+ cache_unregister_net(&rsi_cache, &init_net);
cache_purge(&rsc_cache);
- _cache_unregister_net(&rsc_cache, &init_net);
+ cache_unregister_net(&rsc_cache, &init_net);
}