])
fi
fi
- AC_MSG_RESULT($KRBDIR)
-
- dnl Check if -rpath=$(KRBDIR)/lib is needed
- echo "The current KRBDIR is $KRBDIR"
- if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
- -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
- KRBLDFLAGS="";
- elif /sbin/ldconfig -p | grep > /dev/null "=> $KRBDIR/lib/"; then
- KRBLDFLAGS="";
- else
- KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
- fi
- dnl Now check for functions within gssapi library
- AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
- AC_DEFINE(HAVE_LUCID_CONTEXT_SUPPORT, 1, [Define this if the Kerberos GSS library supports gss_krb5_export_lucid_sec_context]), ,$KRBLIBS)
- AC_CHECK_LIB($gssapi_lib, gss_krb5_set_allowable_enctypes,
- AC_DEFINE(HAVE_SET_ALLOWABLE_ENCTYPES, 1, [Define this if the Kerberos GSS library supports gss_krb5_set_allowable_enctypes]), ,$KRBLIBS)
- AC_CHECK_LIB($gssapi_lib, gss_krb5_ccache_name,
- AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the Kerberos GSS library supports gss_krb5_ccache_name]), ,$KRBLIBS)
+ if test "x$KRBDIR" != "x"; then
+
+ AC_MSG_RESULT($KRBDIR)
+
+ dnl Check if -rpath=$(KRBDIR)/lib is needed
+ echo "The current KRBDIR is $KRBDIR"
+ if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
+ -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
+ KRBLDFLAGS="";
+ elif /sbin/ldconfig -p | grep > /dev/null "=> $KRBDIR/lib/"; then
+ KRBLDFLAGS="";
+ else
+ KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
+ fi
+
+ dnl Now check for functions within gssapi library
+ AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
+ AC_DEFINE(HAVE_LUCID_CONTEXT_SUPPORT, 1, [Define this if the Kerberos GSS library supports gss_krb5_export_lucid_sec_context]), ,$KRBLIBS)
+ AC_CHECK_LIB($gssapi_lib, gss_krb5_set_allowable_enctypes,
+ AC_DEFINE(HAVE_SET_ALLOWABLE_ENCTYPES, 1, [Define this if the Kerberos GSS library supports gss_krb5_set_allowable_enctypes]), ,$KRBLIBS)
+ AC_CHECK_LIB($gssapi_lib, gss_krb5_ccache_name,
+ AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the Kerberos GSS library supports gss_krb5_ccache_name]), ,$KRBLIBS)
- dnl Check for newer error message facility
- AC_CHECK_LIB($gssapi_lib, krb5_get_error_message,
- AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE, 1, [Define this if the function krb5_get_error_message is available]), ,$KRBLIBS)
+ dnl Check for newer error message facility
+ AC_CHECK_LIB($gssapi_lib, krb5_get_error_message,
+ AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE, 1, [Define this if the function krb5_get_error_message is available]), ,$KRBLIBS)
- dnl Check for function to specify addressless tickets
- AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless,
- AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
+ dnl Check for function to specify addressless tickets
+ AC_CHECK_LIB($gssapi_lib, krb5_get_init_creds_opt_set_addressless,
+ AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS, 1, [Define this if the function krb5_get_init_creds_opt_set_addressless is available]), ,$KRBLIBS)
- dnl Check for krb5int_derive_key
- AC_CHECK_LIB($gssapi_lib, krb5int_derive_key,
- [HAVE_KRB5INT_DERIVE_KEY=1; AC_DEFINE(HAVE_KRB5INT_DERIVE_KEY, 1, [Define this if the function krb5int_derive_key is available])], ,$KRBLIBS)
+ dnl Check for krb5int_derive_key
+ AC_CHECK_LIB($gssapi_lib, krb5int_derive_key,
+ [HAVE_KRB5INT_DERIVE_KEY=1; AC_DEFINE(HAVE_KRB5INT_DERIVE_KEY, 1, [Define this if the function krb5int_derive_key is available])], ,$KRBLIBS)
- dnl Check for krb5_derive_key
- AC_CHECK_LIB($gssapi_lib, krb5_derive_key,
- [HAVE_KRB5_DERIVE_KEY=1; AC_DEFINE(HAVE_KRB5_DERIVE_KEY, 1, [Define this if the function krb5_derive_key is available])], ,$KRBLIBS)
+ dnl Check for krb5_derive_key
+ AC_CHECK_LIB($gssapi_lib, krb5_derive_key,
+ [HAVE_KRB5_DERIVE_KEY=1; AC_DEFINE(HAVE_KRB5_DERIVE_KEY, 1, [Define this if the function krb5_derive_key is available])], ,$KRBLIBS)
- AS_IF([test "x$HAVE_KRB5INT_DERIVE_KEY" = "x1" -o "x$HAVE_KRB5_DERIVE_KEY" = "x1"],
- [AC_DEFINE(HAVE_KRB5, 1, [Define this if you have MIT Kerberos libraries])],
- [KRBDIR=""; AC_MSG_WARN([
+ AS_IF([test "x$HAVE_KRB5INT_DERIVE_KEY" = "x1" -o "x$HAVE_KRB5_DERIVE_KEY" = "x1"],
+ [AC_DEFINE(HAVE_KRB5, 1, [Define this if you have MIT Kerberos libraries])],
+ [KRBDIR=""; AC_MSG_WARN([
Disable gss/krb5 due to missing both
krb5int_derive_key and krb5_derive_key functions!
])
-])
+ ])
- dnl If they specified a directory and it didn't work, give them a warning
- if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
- AC_MSG_WARN([
+ dnl If they specified a directory and it didn't work, give them a warning
+ if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
+ AC_MSG_WARN([
Using $KRBDIR instead of requested value of $krb5_with for Kerberos!
])
- fi
+ fi
+
+ AC_SUBST([KRBDIR])
+ AC_SUBST([KRBLIBS])
+ AC_SUBST([KRBCFLAGS])
+ AC_SUBST([KRBLDFLAGS])
+ AC_SUBST([K5VERS])
- AC_SUBST([KRBDIR])
- AC_SUBST([KRBLIBS])
- AC_SUBST([KRBCFLAGS])
- AC_SUBST([KRBLDFLAGS])
- AC_SUBST([K5VERS])
+ fi # "x$KRBDIR" != "x"
])
]) # LC_CONFIG_GSS_KEYRING
#
+# LC_HAVE_CRED_TGCRED
+#
+# rhel7 struct cred has no member tgcred
+#
+AC_DEFUN([LC_HAVE_CRED_TGCRED], [
+LB_CHECK_COMPILE([if 'struct cred' has member 'tgcred'],
+cred_tgcred, [
+ #include <linux/cred.h>
+],[
+ ((struct cred *)0)->tgcred = NULL;
+],[
+ AC_DEFINE(HAVE_CRED_TGCRED, 1,
+ [struct cred has member tgcred])
+])
+]) # LC_HAVE_CRED_TGCRED
+
+#
+# LC_KEY_TYPE_INSTANTIATE_2ARGS
+#
+# rhel7 key_type->instantiate takes 2 args (struct key, struct key_preparsed_payload)
+#
+AC_DEFUN([LC_KEY_TYPE_INSTANTIATE_2ARGS], [
+LB_CHECK_COMPILE([if 'key_type->instantiate' has two args],
+key_type_instantiate_2args, [
+ #include <linux/key-type.h>
+],[
+ ((struct key_type *)0)->instantiate(0, NULL);
+],[
+ AC_DEFINE(HAVE_KEY_TYPE_INSTANTIATE_2ARGS, 1,
+ [key_type->instantiate has two args])
+])
+]) # LC_KEY_TYPE_INSTANTIATE_2ARGS
+
+#
# LC_CONFIG_SUNRPC
#
AC_DEFUN([LC_CONFIG_SUNRPC], [
AS_IF([test "x$enable_gss" != xno], [
LC_CONFIG_GSS_KEYRING
+ LC_HAVE_CRED_TGCRED
+ LC_KEY_TYPE_INSTANTIATE_2ARGS
sunrpc_required=$enable_gss
LC_CONFIG_SUNRPC
sunrpc_required="no"
require_krb5="no"
AS_IF([test -n "$KRBDIR"], [
- AC_CHECK_LIB([gssapi], [gss_export_lucid_sec_context], [
- GSSAPI_LIBS="$GSSAPI_LDFLAGS -lgssapi"
- gss_conf_test="success"
- ], [
- AC_CHECK_LIB([gssglue], [gss_export_lucid_sec_context], [
- GSSAPI_LIBS="$GSSAPI_LDFLAGS -lgssglue"
- gss_conf_test="success"
- ], [
- AS_IF([test "x$enable_gss" = xyes], [
- AC_MSG_ERROR([
-
-libgssapi or libgssglue is not found, which is required by GSS.
-])
- ], [
- AC_MSG_WARN([
-
-libgssapi or libgssglue is not found, which is required by GSS.
-])
- ])
- ])
- ])
- AC_SUBST(GSSAPI_LIBS)
+ gss_conf_test="success"
+ ], [
+ AC_MSG_WARN([not found!])
+ gss_conf_test="failure"
])
AS_IF([test "x$gss_conf_test" = xsuccess], [
AC_DEFINE([HAVE_GSS], [1], [Define this is if you enable gss])
enable_gss="yes"
+ ], [
+ enable_gss="no"
])
])
]) # LC_CONFIG_GSS
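Review bot: An explicit `--enable-gss=yes` no longer fails configure when the Kerberos pieces are missing. The new else-branch only prints `not found!` and then sets `enable_gss="no"`, whereas the removed code raised `AC_MSG_ERROR` when `"x$enable_gss" = xyes`. A build that was asked to include GSS can therefore finish without it, and the warning does not say what was not found. I would keep the hard failure for the explicit request and make the message name the missing dependency, as sketched below; anything that already handles this before the visible lines is outside the hunk.

```m4
	AS_IF([test -n "$KRBDIR"], [
		gss_conf_test="success"
	], [
		gss_conf_test="failure"
		AS_IF([test "x$enable_gss" = xyes], [
			AC_MSG_ERROR([Kerberos libraries not found, which are required by GSS.])
		], [
			AC_MSG_WARN([Kerberos libraries not found, disabling GSS.])
		])
	])
	dnl … unchanged: HAVE_GSS define and enable_gss assignment …
```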
}
#define key_cred(tsk) ((tsk)->cred)
+#ifdef HAVE_CRED_TGCRED
#define key_tgcred(tsk) ((tsk)->cred->tgcred)
+#else
+#define key_tgcred(tsk) key_cred(tsk)
+#endif
static inline void keyring_upcall_lock(struct gss_sec_keyring *gsec_kr)
{
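Review bot: With HAVE_CRED_TGCRED undefined, `key_tgcred(tsk)` now evaluates to `(tsk)->cred`, which is a different structure type from the tgcred pointer the other branch yields, so every caller must touch only members that exist in both. The callers are outside this hunk; any that takes a lock or writes through the result deserves a second look, since a task's cred is normally shared and treated as read-only. A short comment on the fallback would record the intent, for example `/* no tgcred on this kernel: keyring pointers are reached through struct cred */`.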
strcmp(imp->imp_obd->obd_type->typ_name, LUSTRE_OSP_NAME)) {
CERROR("obd %s is not a supported device\n",
imp->imp_obd->obd_name);
- RETURN(NULL);
+ GOTO(out, ctx = NULL);
}
construct_key_desc(desc, sizeof(desc), sec, vcred->vc_uid);
****************************************/
static
+#ifdef HAVE_KEY_TYPE_INSTANTIATE_2ARGS
+int gss_kt_instantiate(struct key *key, struct key_preparsed_payload *prep)
+{
+ const void *data = prep->data;
+ size_t datalen = prep->datalen;
+#else
int gss_kt_instantiate(struct key *key, const void *data, size_t datalen)
{
+#endif
int rc;
ENTRY;
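Review bot: Opening the function body inside both `#ifdef` branches leaves one closing brace serving two different headers, which is easy to break in a later edit and confuses brace matching and source indexers. It would read better to keep the shared body in one helper taking `(struct key *key, const void *data, size_t datalen)` (say `__gss_kt_instantiate`) and make the two-argument variant a thin wrapper that ends in `return __gss_kt_instantiate(key, prep->data, prep->datalen);`. gss_kt_update further down uses the same split-header pattern and would benefit from the same treatment. The body of gss_kt_instantiate continues outside this hunk.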
* on the context without fear of loosing refcount.
*/
static
+#ifdef HAVE_KEY_TYPE_INSTANTIATE_2ARGS
+int gss_kt_update(struct key *key, struct key_preparsed_payload *prep)
+{
+ const void *data = prep->data;
+ __u32 datalen32 = (__u32) prep->datalen;
+#else
int gss_kt_update(struct key *key, const void *data, size_t datalen)
{
+ __u32 datalen32 = (__u32) datalen;
+#endif
struct ptlrpc_cli_ctx *ctx = key->payload.data;
struct gss_cli_ctx *gctx;
rawobj_t tmpobj = RAWOBJ_EMPTY;
- __u32 datalen32 = (__u32) datalen;
int rc;
ENTRY;
- if (data == NULL || datalen == 0) {
- CWARN("invalid: data %p, len %lu\n", data, (long)datalen);
- RETURN(-EINVAL);
- }
+ if (data == NULL || datalen32 == 0) {
+ CWARN("invalid: data %p, len %lu\n", data, (long)datalen32);
+ RETURN(-EINVAL);
+ }
/* if upcall finished negotiation too fast (mostly likely because
* of local error happened) and call kt_update(), the ctx
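Review bot: The payload length is narrowed to `__u32` before it is validated, so the `datalen32 == 0` test rejects only lengths whose low 32 bits are zero, and any other oversized `size_t` value would be silently truncated instead of refused. Keeping a `size_t datalen` in both branches (`size_t datalen = prep->datalen;` in the two-argument one), testing `if (data == NULL || datalen == 0 || datalen > (__u32)~0U)`, and assigning `datalen32` only after that check makes the bound explicit. Whether the keyring core already caps the payload size is not visible here, so this may be purely defensive. The CWARN also prints through `%lu` with a `(long)` cast; `(unsigned long)` matches the format. The function body continues outside the hunk.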
#include "write_bytes.h"
#include "context.h"
-extern OM_uint32 gss_export_lucid_sec_context(OM_uint32 *min_stat,
- gss_ctx_id_t *ctx,
- OM_uint32 version,
- void **kctx);
-extern OM_uint32 gss_free_lucid_sec_context(OM_uint32 *min_stat,
- gss_ctx_id_t ctx,
- void *kctx);
static int
write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
int retcode = 0;
printerr(3, "lucid version!\n");
- maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
+ maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, &ctx,
1, &return_ctx);
if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_export_lucid_sec_context",
+ pgsserr("gss_krb5_export_lucid_sec_context",
maj_stat, min_stat, &krb5oid);
goto out_err;
}
else
retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
- maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
+ maj_stat = gss_krb5_free_lucid_sec_context(&min_stat, return_ctx);
if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_export_lucid_sec_context",
+ pgsserr("gss_krb5_export_lucid_sec_context",
maj_stat, min_stat, &krb5oid);
printerr(0, "WARN: failed to free lucid sec context\n");
}
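Review bot: The `pgsserr` label on the free path still names the export call, so a failure of `gss_krb5_free_lucid_sec_context` is logged as a failure of `gss_krb5_export_lucid_sec_context` and points whoever reads the log at the wrong step. Since the line is being touched anyway, it should read `pgsserr("gss_krb5_free_lucid_sec_context",`. With the local `extern` declarations removed elsewhere in this commit, the prototypes for both `gss_krb5_*` calls now have to come from an included header. That include is not visible in these hunks, so it is worth confirming to avoid an implicit declaration.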
printerr(pri, "\n");
for (i = 0; i < length; i += 0x10) {
- printerr(pri, " %04x: ", (u_int)i);
+ printerr(pri, " %04x: ", (unsigned int)i);
jm = length - i;
jm = jm > 16 ? 16 : jm;
for (j = 0; j < jm; j++) {
if ((j % 2) == 1)
- printerr(pri,"%02x ", (u_int)cp[i+j]);
+ printerr(pri, "%02x ", (unsigned int)cp[i+j]);
else
- printerr(pri,"%02x", (u_int)cp[i+j]);
+ printerr(pri, "%02x", (unsigned int)cp[i+j]);
}
for (; j < 16; j++) {
if ((j % 2) == 1)
/* Context creation response. */
struct lustre_gss_init_res {
- gss_buffer_desc gr_ctx; /* context handle */
- u_int gr_major; /* major status */
- u_int gr_minor; /* minor status */
- u_int gr_win; /* sequence window */
- gss_buffer_desc gr_token; /* token */
+ gss_buffer_desc gr_ctx; /* context handle */
+ unsigned int gr_major; /* major status */
+ unsigned int gr_minor; /* minor status */
+ unsigned int gr_win; /* sequence window */
+ gss_buffer_desc gr_token; /* token */
};
struct lustre_gss_data {
- int lgd_established;
- int lgd_lustre_svc; /* mds/oss */
- int lgd_uid; /* uid */
- char *lgd_uuid; /* client device uuid */
- gss_name_t lgd_name; /* service name */
-
- gss_OID lgd_mech; /* mech OID */
- u_int lgd_req_flags; /* request flags */
- gss_cred_id_t lgd_cred; /* credential */
- gss_ctx_id_t lgd_ctx; /* session context */
- gss_buffer_desc lgd_rmt_ctx; /* remote handle of context */
- uint32_t lgd_seq_win; /* sequence window */
-
- int lgd_rpc_err;
- int lgd_gss_err;
+ int lgd_established;
+ int lgd_lustre_svc; /* mds/oss */
+ int lgd_uid; /* uid */
+ char *lgd_uuid; /* client device uuid */
+ gss_name_t lgd_name; /* service name */
+
+ gss_OID lgd_mech; /* mech OID */
+ unsigned int lgd_req_flags; /* request flags */
+ gss_cred_id_t lgd_cred; /* credential */
+ gss_ctx_id_t lgd_ctx; /* session context */
+ gss_buffer_desc lgd_rmt_ctx; /* remote handle of context */
+ uint32_t lgd_seq_win; /* sequence window */
+
+ int lgd_rpc_err;
+ int lgd_gss_err;
};
static int
gssd_set_krb5_ccache_name(char *ccname)
{
#ifdef USE_GSS_KRB5_CCACHE_NAME
- u_int maj_stat, min_stat;
+ unsigned int maj_stat, min_stat;
printerr(2, "using gss_krb5_ccache_name to select krb5 ccache %s\n",
ccname);
int
limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
{
- u_int maj_stat, min_stat;
+ unsigned int maj_stat, min_stat;
gss_cred_id_t credh;
gss_OID_set_desc desired_mechs;
krb5_enctype enctypes[] = {ENCTYPE_DES_CBC_CRC};
* all data about negotiation
*/
struct lgss_nego_data {
- uint32_t lnd_established:1;
-
- int lnd_secid;
- uint32_t lnd_uid;
- uint32_t lnd_lsvc;
- char *lnd_uuid;
-
- gss_OID lnd_mech; /* mech OID */
- gss_name_t lnd_svc_name; /* service name */
- u_int lnd_req_flags; /* request flags */
- gss_cred_id_t lnd_cred; /* credential */
- gss_ctx_id_t lnd_ctx; /* session context */
- gss_buffer_desc lnd_rmt_ctx; /* remote handle of context */
- uint32_t lnd_seq_win; /* sequence window */
-
- int lnd_rpc_err;
- int lnd_gss_err;
+ uint32_t lnd_established:1;
+
+ int lnd_secid;
+ uint32_t lnd_uid;
+ uint32_t lnd_lsvc;
+ char *lnd_uuid;
+
+ gss_OID lnd_mech; /* mech OID */
+ gss_name_t lnd_svc_name; /* service name */
+ unsigned int lnd_req_flags; /* request flags */
+ gss_cred_id_t lnd_cred; /* credential */
+ gss_ctx_id_t lnd_ctx; /* session context */
+ gss_buffer_desc lnd_rmt_ctx; /* remote handle of context */
+ uint32_t lnd_seq_win; /* sequence window */
+
+ int lnd_rpc_err;
+ int lnd_gss_err;
};
/*
* context creation response
*/
struct lgss_init_res {
- gss_buffer_desc gr_ctx; /* context handle */
- u_int gr_major; /* major status */
- u_int gr_minor; /* minor status */
- u_int gr_win; /* sequence window */
- gss_buffer_desc gr_token; /* token */
+ gss_buffer_desc gr_ctx; /* context handle */
+ unsigned int gr_major; /* major status */
+ unsigned int gr_minor; /* minor status */
+ unsigned int gr_win; /* sequence window */
+ gss_buffer_desc gr_token; /* token */
};
struct keyring_upcall_param {
printerr(pri, "\n");
for (i = 0; i < length; i += 0x10) {
- printerr(pri, " %04x: ", (u_int)i);
+ printerr(pri, " %04x: ", (unsigned int)i);
jm = length - i;
jm = jm > 16 ? 16 : jm;
for (j = 0; j < jm; j++) {
if ((j % 2) == 1)
- printerr(pri,"%02x ", (u_int)cp[i+j]);
+ printerr(pri, "%02x ", (unsigned int)cp[i+j]);
else
- printerr(pri,"%02x", (u_int)cp[i+j]);
+ printerr(pri, "%02x", (unsigned int)cp[i+j]);
}
for (; j < 16; j++) {
if ((j % 2) == 1)