LU-2384 kerberos: Support for MIT-kerberos >=1.8.X is broken
authorThomas Stibor <thomas@stibor.net>
Mon, 26 Nov 2012 15:13:08 +0000 (16:13 +0100)
committerOleg Drokin <oleg.drokin@intel.com>
Tue, 16 Apr 2013 16:28:36 +0000 (12:28 -0400)
Since version 1.8.X the function signature for deriving
cryptographic keys of the MIT-kerberos library:
krb5_derive_key(const struct krb5_enc_provider *enc,
                const krb5_keyblock *inkey,
                krb5_keyblock *outkey,
                const krb5_data *in_constant)
has been changed to:
krb5int_derive_key(const struct krb5_enc_provider *enc,
                   krb5_key inkey, krb5_key *outkey,
                   const krb5_data *in_constant)
The kerberos support for lustre thus is not working anymore
with current linux distributions supporting MIT-kerberos
library >= 1.8.X.

Signed-off-by: Andrew Korty <ajk@iu.edu>
Change-Id: I35e85a15e7fd846df6d63d430d7ac98ec53d7c56
Reviewed-on: http://review.whamcloud.com/4672
Tested-by: Hudson
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Reviewed-by: Keith Mannthey <keith.mannthey@intel.com>
Tested-by: Maloo <whamcloud.maloo@gmail.com>
Reviewed-by: Fan Yong <fan.yong@intel.com>
lustre/autoconf/kerberos5.m4
lustre/utils/gss/context.h
lustre/utils/gss/context_lucid.c

index 05c2ee3..4aaffae 100644 (file)
@@ -102,6 +102,10 @@ AC_DEFUN([AC_KERBEROS_V5],[
   AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless,
     AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
 
   AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless,
     AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
 
+  dnl Check for krb5int_derive_key
+  AC_CHECK_LIB($gssapi_lib, krb5int_derive_key,
+    AC_DEFINE(HAVE_KRB5INT_DERIVE_KEY, 1, [Define this if the function krb5int_derive_key is available]), ,$KRBLIBS)
+
   dnl If they specified a directory and it didn't work, give them a warning
   if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
     AC_MSG_WARN(Using $KRBDIR instead of requested value of $krb5_with for Kerberos!)
   dnl If they specified a directory and it didn't work, give them a warning
   if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
     AC_MSG_WARN(Using $KRBDIR instead of requested value of $krb5_with for Kerberos!)
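Review bot: The added AC_CHECK_LIB only proves that a symbol named krb5int_derive_key links; it says nothing about the function's arity or argument types, and the `krb5int_` prefix marks MIT-private API whose prototype is exactly what this commit reports has already changed once. That gap is real here: the commit message quotes a four-argument krb5int_derive_key, while the caller added in context_lucid.c passes a fifth argument (DERIVE_RFC3961), and nothing in the build will notice if a library ships the other variant. Since crypto_int.h is not an installed header there is nothing to AC_CHECK_DECL against, so the caveat should at least be recorded next to the check: `dnl krb5int_derive_key is MIT-internal API; this only proves the symbol links, its signature is not verified`. If the krb5 version is obtainable from krb5-config in this macro, gating on it would be a sturdier signal than symbol presence.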
index 8243f5d..369cfea 100644 (file)
 #define KRB5_CTX_FLAG_CFX               0x00000002
 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
 
 #define KRB5_CTX_FLAG_CFX               0x00000002
 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
 
+#if HAVE_KRB5INT_DERIVE_KEY
+extern int krb5int_derive_key();
+extern int krb5_k_create_key();
+#else /* !HAVE_KRB5INT_DERIVE_KEY */
+extern int krb5_derive_key();
+#endif
+
 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
                                 gss_OID mech);
 int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
 int serialize_context_for_kernel(gss_ctx_id_t ctx, gss_buffer_desc *buf,
                                 gss_OID mech);
 int serialize_spkm3_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf);
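Review bot: The new `extern int krb5int_derive_key();` and `extern int krb5_k_create_key();` lines are non-prototype declarations, so the compiler checks neither the number nor the types of arguments at the call sites; that matters because the commit message documents a four-argument krb5int_derive_key while context_lucid.c calls it with five (the trailing DERIVE_RFC3961), a mismatch that is undefined behaviour if the library really has the four-argument form, and declaring the return as `int` silently assumes krb5_error_code is int-sized. krb5_k_create_key is, to my recollection, a public function declared in MIT's krb5.h since 1.7, so its prototype should come from `#include <krb5.h>` rather than a hand-written extern. For the internal function, moving the copied `enum deriv_alg` into this header would allow a real prototype, `extern krb5_error_code krb5int_derive_key(const struct krb5_enc_provider *, krb5_key, krb5_key *, const krb5_data *, enum deriv_alg);`, turning a future arity change into a build failure instead of a runtime surprise.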
index 6c5e672..f64f49b 100644 (file)
@@ -208,7 +208,15 @@ extern void krb5int_enc_arcfour;
 extern void krb5int_enc_des3;
 extern void krb5int_enc_aes128;
 extern void krb5int_enc_aes256;
 extern void krb5int_enc_des3;
 extern void krb5int_enc_aes128;
 extern void krb5int_enc_aes256;
-extern int krb5_derive_key();
+#if HAVE_KRB5INT_DERIVE_KEY
+/* Taken from crypto_int.h */
+enum deriv_alg {
+       DERIVE_RFC3961,         /* RFC 3961 section 5.1 */
+#ifdef CAMELLIA
+       DERIVE_SP800_108_CMAC,  /* NIST SP 800-108 with CMAC as PRF */
+#endif
+};
+#endif  /* HAVE_KRB5INT_DERIVE_KEY */
 
 static void
 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
 
 static void
 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
@@ -257,8 +265,13 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
        int keylength;
        void *enc;
        krb5_keyblock kin, kout;  /* must send krb5_keyblock, not lucid! */
        int keylength;
        void *enc;
        krb5_keyblock kin, kout;  /* must send krb5_keyblock, not lucid! */
-#ifdef HAVE_HEIMDAL
+#if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
        krb5_context kcontext;
        krb5_context kcontext;
+#endif
+#if HAVE_KRB5INT_DERIVE_KEY
+       krb5_key key_in, key_out;
+#endif
+#ifdef HAVE_HEIMDAL
        krb5_keyblock *outkey;
 #endif
 
        krb5_keyblock *outkey;
 #endif
 
@@ -316,12 +329,35 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
        ((char *)(datain.data))[4] = (char) extra;
 
 #ifdef HAVE_KRB5
        ((char *)(datain.data))[4] = (char) extra;
 
 #ifdef HAVE_KRB5
+#if HAVE_KRB5INT_DERIVE_KEY
+       code = krb5_init_context(&kcontext);
+       if (code) {
+               free(out->data);
+               out->data = NULL;
+               goto out;
+       }
+       code = krb5_k_create_key(kcontext, &kin, &key_in);
+       if (code) {
+               free(out->data);
+               out->data = NULL;
+               goto out;
+       }
+       code = krb5_k_create_key(kcontext, &kout, &key_out);
+       if (code) {
+               free(out->data);
+               out->data = NULL;
+               goto out;
+       }
+       code = krb5int_derive_key(enc, key_in, &key_out, &datain,
+                                 DERIVE_RFC3961);
+#else  /* !HAVE_KRB5INT_DERIVE_KEY */
        code = krb5_derive_key(enc, &kin, &kout, &datain);
        code = krb5_derive_key(enc, &kin, &kout, &datain);
-#else
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else  /* !defined(HAVE_KRB5) */
        if ((code = krb5_init_context(&kcontext))) {
        }
        code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
        if ((code = krb5_init_context(&kcontext))) {
        }
        code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
-#endif
+#endif /* defined(HAVE_KRB5) */
        if (code) {
                free(out->data);
                out->data = NULL;
        if (code) {
                free(out->data);
                out->data = NULL;
@@ -329,14 +365,17 @@ derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
        }
 #ifdef HAVE_KRB5
        key_krb5_to_lucid(&kout, out);
        }
 #ifdef HAVE_KRB5
        key_krb5_to_lucid(&kout, out);
-#else
+#if HAVE_KRB5INT_DERIVE_KEY
+       krb5_free_context(kcontext);
+#endif /* HAVE_KRB5INT_DERIVE_KEY */
+#else  /* !defined(HAVE_KRB5) */
        key_krb5_to_lucid(outkey, out);
        krb5_free_keyblock(kcontext, outkey);
        krb5_free_context(kcontext);
        key_krb5_to_lucid(outkey, out);
        krb5_free_keyblock(kcontext, outkey);
        krb5_free_context(kcontext);
-#endif
+#endif /* defined(HAVE_KRB5) */
 
   out:
 
   out:
-       if (code)
+       if (code)
                printerr(0, "ERROR: %s: returning error %d (%s)\n",
                         __FUNCTION__, code, error_message(code));
        return (code);
                printerr(0, "ERROR: %s: returning error %d (%s)\n",
                         __FUNCTION__, code, error_message(code));
        return (code);
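Review bot: In the new HAVE_KRB5INT_DERIVE_KEY path the derived key never reaches the caller: krb5int_derive_key takes `krb5_key *outkey`, an output handle, and after the call nothing reads key_out, while key_krb5_to_lucid() is still given &kout, the keyblock that the old krb5_derive_key(enc, &kin, &kout, &datain) call used to fill in place — so unless the library aliases storage (nothing visible suggests it does), out->data is returned with whatever the buffer held before. The same stretch leaks on every route: key_in is never released, the key_out pre-created from kout is presumably overwritten by the derive call and lost, and the three `goto out` error branches after krb5_init_context skip krb5_free_context, which only runs on the success path. I would drop the key_out pre-creation, copy the material back through krb5_k_key_keyblock (public MIT API, as far as I know — confirm against the installed krb5.h), free every handle on all paths, and route errors through a `fail:` label that releases kcontext and out->data before falling into `out:`; `outkey` then needs to be declared for this path as well, not only under HAVE_HEIMDAL. derive_key_lucid starts before this hunk.
```c
	code = krb5_k_create_key(kcontext, &kin, &key_in);
	if (code)
		goto fail;
	/* krb5int_derive_key allocates key_out itself; do not pre-create it */
	code = krb5int_derive_key(enc, key_in, &key_out, &datain,
				  DERIVE_RFC3961);
	krb5_k_free_key(kcontext, key_in);
	if (code)
		goto fail;
	/* copy the derived bytes back into kout, which key_krb5_to_lucid() reads */
	code = krb5_k_key_keyblock(kcontext, key_out, &outkey);
	krb5_k_free_key(kcontext, key_out);
	if (code)
		goto fail;
	if (outkey->length != kout.length) {
		krb5_free_keyblock(kcontext, outkey);
		code = KRB5_BAD_KEYSIZE;
		goto fail;
	}
	memcpy(kout.contents, outkey->contents, kout.length);
	krb5_free_keyblock(kcontext, outkey);
	/* … unchanged: key_krb5_to_lucid(&kout, out); krb5_free_context(kcontext); … */
```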