LU-3289 gss: gssnull security flavor 75/8475/10
authorAndrew Korty <ajk@iu.edu>
Tue, 3 Dec 2013 20:07:13 +0000 (12:07 -0800)
committerOleg Drokin <oleg.drokin@intel.com>
Mon, 13 Jan 2014 05:49:47 +0000 (05:49 +0000)
This change implements the gssnull security flavor for the purpose of
testing the Lustre GSS code.  It provides and uses a null GSS
mechanism — one that performs no authentication, integrity or privacy
processing — so this testing doesn't have to involve any code related to
Kerberos or any other authentication method.

Signed-off-by: Andrew Korty <ajk@iu.edu>
Change-Id: Ic8378a052fd2a0f5a84877476a4a29aef7b0412a
Reviewed-on: http://review.whamcloud.com/8475
Tested-by: Jenkins
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Thomas Stibor <thomas@stibor.net>
lustre/include/lustre_sec.h
lustre/ptlrpc/gss/Makefile.in
lustre/ptlrpc/gss/gss_internal.h
lustre/ptlrpc/gss/gss_null_mech.c [new file with mode: 0644]
lustre/ptlrpc/gss/sec_gss.c
lustre/ptlrpc/sec.c
lustre/utils/gss/gss_oids.c
lustre/utils/gss/gss_oids.h

index 11d8460..cd28ed4 100644 (file)
@@ -170,6 +170,8 @@ enum sptlrpc_bulk_service {
         ((__u32)(mech) |                                                \
          ((__u32)(svc) << (FLVR_SVC_OFFSET - FLVR_MECH_OFFSET)))
 
         ((__u32)(mech) |                                                \
          ((__u32)(svc) << (FLVR_SVC_OFFSET - FLVR_MECH_OFFSET)))
 
+#define SPTLRPC_SUBFLVR_GSSNULL                                                \
+       MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_NULL, SPTLRPC_SVC_NULL)
 #define SPTLRPC_SUBFLVR_KRB5N                                           \
         MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_NULL)
 #define SPTLRPC_SUBFLVR_KRB5A                                           \
 #define SPTLRPC_SUBFLVR_KRB5N                                           \
         MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_NULL)
 #define SPTLRPC_SUBFLVR_KRB5A                                           \
@@ -194,6 +196,12 @@ enum sptlrpc_bulk_service {
                   SPTLRPC_SVC_NULL,                     \
                   SPTLRPC_BULK_HASH,                    \
                   SPTLRPC_BULK_SVC_INTG)
                   SPTLRPC_SVC_NULL,                     \
                   SPTLRPC_BULK_HASH,                    \
                   SPTLRPC_BULK_SVC_INTG)
+#define SPTLRPC_FLVR_GSSNULL                           \
+       MAKE_FLVR(SPTLRPC_POLICY_GSS,                   \
+                 SPTLRPC_MECH_GSS_NULL,                \
+                 SPTLRPC_SVC_NULL,                     \
+                 SPTLRPC_BULK_DEFAULT,                 \
+                 SPTLRPC_BULK_SVC_NULL)
 #define SPTLRPC_FLVR_KRB5N                              \
         MAKE_FLVR(SPTLRPC_POLICY_GSS,                   \
                   SPTLRPC_MECH_GSS_KRB5,                \
 #define SPTLRPC_FLVR_KRB5N                              \
         MAKE_FLVR(SPTLRPC_POLICY_GSS,                   \
                   SPTLRPC_MECH_GSS_KRB5,                \
index 2b4597a..31d99c4 100644 (file)
@@ -1,8 +1,9 @@
 MODULES := ptlrpc_gss
 
 ptlrpc_gss-objs := sec_gss.o gss_bulk.o gss_cli_upcall.o gss_svc_upcall.o      \
 MODULES := ptlrpc_gss
 
 ptlrpc_gss-objs := sec_gss.o gss_bulk.o gss_cli_upcall.o gss_svc_upcall.o      \
-                   gss_rawobj.o lproc_gss.o                                    \
-                   gss_generic_token.o gss_mech_switch.o gss_krb5_mech.o
+                  gss_rawobj.o lproc_gss.o                                    \
+                  gss_generic_token.o gss_mech_switch.o gss_krb5_mech.o       \
+                  gss_null_mech.o
 
 @GSS_KEYRING_TRUE@ptlrpc_gss-objs += gss_keyring.o
 @GSS_PIPEFS_TRUE@ptlrpc_gss-objs += gss_pipefs.o
 
 @GSS_KEYRING_TRUE@ptlrpc_gss-objs += gss_keyring.o
 @GSS_PIPEFS_TRUE@ptlrpc_gss-objs += gss_pipefs.o
index 301413e..a844e65 100644 (file)
@@ -504,6 +504,10 @@ void gss_stat_oos_record_svc(int phase, int replay);
 int  __init gss_init_lproc(void);
 void gss_exit_lproc(void);
 
 int  __init gss_init_lproc(void);
 void gss_exit_lproc(void);
 
+/* gss_null_mech.c */
+int __init init_null_module(void);
+void cleanup_null_module(void);
+
 /* gss_krb5_mech.c */
 int __init init_kerberos_module(void);
 void cleanup_kerberos_module(void);
 /* gss_krb5_mech.c */
 int __init init_kerberos_module(void);
 void cleanup_kerberos_module(void);
diff --git a/lustre/ptlrpc/gss/gss_null_mech.c b/lustre/ptlrpc/gss/gss_null_mech.c
new file mode 100644 (file)
index 0000000..5565773
--- /dev/null
@@ -0,0 +1,199 @@
+/*
+ * GPL HEADER START
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 only,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License version 2 for more details (a copy is included
+ * in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; If not, see
+ * http://www.gnu.org/licenses/gpl-2.0.html
+ *
+ * GPL HEADER END
+ */
+/*
+ * Copyright (C) 2013, Trustees of Indiana University
+ * Author: Andrew Korty <ajk@iu.edu>
+ */
+
+#define DEBUG_SUBSYSTEM S_SEC
+#ifdef __KERNEL__
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/crypto.h>
+#include <linux/mutex.h>
+#else
+#include <liblustre.h>
+#endif
+
+#include <obd.h>
+#include <obd_class.h>
+#include <obd_support.h>
+
+#include "gss_err.h"
+#include "gss_internal.h"
+#include "gss_api.h"
+#include "gss_asn1.h"
+
+struct null_ctx {
+};
+
+static
+__u32 gss_import_sec_context_null(rawobj_t *inbuf, struct gss_ctx *gss_context)
+{
+       struct null_ctx *null_context;
+
+       if (inbuf == NULL || inbuf->data == NULL)
+               return GSS_S_FAILURE;
+
+       OBD_ALLOC_PTR(null_context);
+       if (null_context == NULL)
+               return GSS_S_FAILURE;
+
+       gss_context->internal_ctx_id = null_context;
+       CDEBUG(D_SEC, "succesfully imported null context\n");
+
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_copy_reverse_context_null(struct gss_ctx *gss_context_old,
+                                   struct gss_ctx *gss_context_new)
+{
+       struct null_ctx *null_context_old;
+       struct null_ctx *null_context_new;
+
+       OBD_ALLOC_PTR(null_context_new);
+       if (null_context_new == NULL)
+               return GSS_S_FAILURE;
+
+       null_context_old = gss_context_old->internal_ctx_id;
+       memcpy(null_context_new, null_context_old, sizeof *null_context_new);
+       gss_context_new->internal_ctx_id = null_context_new;
+       CDEBUG(D_SEC, "succesfully copied reverse null context\n");
+
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_inquire_context_null(struct gss_ctx *gss_context,
+                              unsigned long *endtime)
+{
+       *endtime = 0;
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_wrap_null(struct gss_ctx *gss_context, rawobj_t *gss_header,
+                   rawobj_t *message, int message_buffer_length,
+                   rawobj_t *token)
+{
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_unwrap_null(struct gss_ctx *gss_context, rawobj_t *gss_header,
+                     rawobj_t *token, rawobj_t *message)
+{
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_prep_bulk_null(struct gss_ctx *gss_context,
+                        struct ptlrpc_bulk_desc *desc)
+{
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_wrap_bulk_null(struct gss_ctx *gss_context,
+                        struct ptlrpc_bulk_desc *desc, rawobj_t *token,
+                        int adj_nob)
+{
+       return GSS_S_COMPLETE;
+}
+
+static
+__u32 gss_unwrap_bulk_null(struct gss_ctx *gss_context,
+                          struct ptlrpc_bulk_desc *desc,
+                          rawobj_t *token, int adj_nob)
+{
+       return GSS_S_COMPLETE;
+}
+
+static
+void gss_delete_sec_context_null(void *internal_context)
+{
+       struct null_ctx *null_context = internal_context;
+
+       OBD_FREE_PTR(null_context);
+}
+
+int gss_display_null(struct gss_ctx *gss_context, char *buf, int bufsize)
+{
+       return snprintf(buf, bufsize, "null");
+}
+
+static struct gss_api_ops gss_null_ops = {
+       .gss_import_sec_context     = gss_import_sec_context_null,
+       .gss_copy_reverse_context   = gss_copy_reverse_context_null,
+       .gss_inquire_context        = gss_inquire_context_null,
+       .gss_get_mic                = NULL,
+       .gss_verify_mic             = NULL,
+       .gss_wrap                   = gss_wrap_null,
+       .gss_unwrap                 = gss_unwrap_null,
+       .gss_prep_bulk              = gss_prep_bulk_null,
+       .gss_wrap_bulk              = gss_wrap_bulk_null,
+       .gss_unwrap_bulk            = gss_unwrap_bulk_null,
+       .gss_delete_sec_context     = gss_delete_sec_context_null,
+       .gss_display                = gss_display_null,
+};
+
+static struct subflavor_desc gss_null_sfs[] = {
+       {
+               .sf_subflavor   = SPTLRPC_SUBFLVR_GSSNULL,
+               .sf_qop         = 0,
+               .sf_service     = SPTLRPC_SVC_NULL,
+               .sf_name        = "gssnull"
+       },
+};
+
+/*
+ * currently we leave module owner NULL
+ */
+static struct gss_api_mech gss_null_mech = {
+       .gm_owner       = NULL, /*THIS_MODULE, */
+       .gm_name        = "gssnull",
+       .gm_oid         = (rawobj_t) {
+               12,
+               "\053\006\001\004\001\311\146\215\126\001\000\000"
+       },
+       .gm_ops         = &gss_null_ops,
+       .gm_sf_num      = 1,
+       .gm_sfs         = gss_null_sfs,
+};
+
+int __init init_null_module(void)
+{
+       int status;
+
+       status = lgss_mech_register(&gss_null_mech);
+       if (status)
+               CERROR("Failed to register null gss mechanism!\n");
+
+       return status;
+}
+
+void cleanup_null_module(void)
+{
+       lgss_mech_unregister(&gss_null_mech);
+}
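Review bot: `gss_null_ops` leaves `.gss_get_mic` and `.gss_verify_mic` as NULL while every other operation gets a no-op stub; if the `lgss_get_mic`/`lgss_verify_mic` switch wrappers dispatch through the ops table without a NULL check (not visible here), any path that signs a message with this mechanism — pairing it with an integrity service, or a caller that signs regardless of service — dereferences NULL in the kernel instead of failing cleanly. Add `gss_get_mic_null` and `gss_verify_mic_null` with the prototypes from `gss_api.h`, each body just `return GSS_S_COMPLETE;`, and point the table at them with `.gss_get_mic = gss_get_mic_null,` and `.gss_verify_mic = gss_verify_mic_null,`. `gss_display_null` is the only non-static function in the file and has no header declaration, so it should be `static int gss_display_null(struct gss_ctx *gss_context, char *buf, int bufsize)` like its siblings. `gss_inquire_context_null` reports an endtime of 0, which presumably means a null context never expires — acceptable for a test mechanism but worth saying with `/* null contexts never expire */`. The two `CDEBUG` strings read "succesfully"; spell it "successfully".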
index 043a683..377e367 100644 (file)
@@ -2863,9 +2863,13 @@ int __init sptlrpc_gss_init(void)
         if (rc)
                 goto out_cli_upcall;
 
         if (rc)
                 goto out_cli_upcall;
 
-        rc = init_kerberos_module();
-        if (rc)
-                goto out_svc_upcall;
+       rc = init_null_module();
+       if (rc)
+               goto out_svc_upcall;
+
+       rc = init_kerberos_module();
+       if (rc)
+               goto out_null;
 
         /* register policy after all other stuff be intialized, because it
          * might be in used immediately after the registration. */
 
         /* register policy after all other stuff be intialized, because it
          * might be in used immediately after the registration. */
@@ -2886,6 +2890,8 @@ out_keyring:
         gss_exit_keyring();
 out_kerberos:
         cleanup_kerberos_module();
         gss_exit_keyring();
 out_kerberos:
         cleanup_kerberos_module();
+out_null:
+       cleanup_null_module();
 out_svc_upcall:
         gss_exit_svc_upcall();
 out_cli_upcall:
 out_svc_upcall:
         gss_exit_svc_upcall();
 out_cli_upcall:
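Review bot: `init_null_module()` is now called unconditionally from `sptlrpc_gss_init`, so every node that loads ptlrpc_gss registers a mechanism that performs no authentication, including deployments that only ever intended Kerberos; since the commit message frames gssnull as a testing aid, consider gating the call behind a build-time option, or at minimum announce it with `CWARN("gssnull mechanism registered: provides no authentication, for testing only\n");` right after the call succeeds. The unwind order is correct: `out_kerberos` falls through to the new `out_null` label, so a failed Kerberos registration releases the null mechanism before the upcall caches are torn down. Both hunks are excerpts of `sptlrpc_gss_init`, whose body continues outside this view.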
index cbfa405..1c2e30e 100644 (file)
@@ -158,10 +158,12 @@ struct ptlrpc_sec_policy * sptlrpc_wireflavor2policy(__u32 flavor)
 
 __u32 sptlrpc_name2flavor_base(const char *name)
 {
 
 __u32 sptlrpc_name2flavor_base(const char *name)
 {
-        if (!strcmp(name, "null"))
-                return SPTLRPC_FLVR_NULL;
-        if (!strcmp(name, "plain"))
-                return SPTLRPC_FLVR_PLAIN;
+       if (!strcmp(name, "null"))
+               return SPTLRPC_FLVR_NULL;
+       if (!strcmp(name, "plain"))
+               return SPTLRPC_FLVR_PLAIN;
+       if (!strcmp(name, "gssnull"))
+               return SPTLRPC_FLVR_GSSNULL;
         if (!strcmp(name, "krb5n"))
                 return SPTLRPC_FLVR_KRB5N;
         if (!strcmp(name, "krb5a"))
         if (!strcmp(name, "krb5n"))
                 return SPTLRPC_FLVR_KRB5N;
         if (!strcmp(name, "krb5a"))
@@ -183,6 +185,8 @@ const char *sptlrpc_flavor2name_base(__u32 flvr)
                 return "null";
         else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_PLAIN))
                 return "plain";
                 return "null";
         else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_PLAIN))
                 return "plain";
+       else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_GSSNULL))
+               return "gssnull";
         else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5N))
                 return "krb5n";
         else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5A))
         else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5N))
                 return "krb5n";
         else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5A))
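Review bot: `sptlrpc_name2flavor_base` now accepts the string "gssnull", so a one-word edit to an sptlrpc rule or mount option selects a flavor with no authentication, and nothing in the parser documents that; add `/* gssnull: GSS code path with a null mechanism -- no authentication; for testing only, never for production rules */` above the new `strcmp`. Whether server-side rule matching still prevents a client from choosing gssnull unilaterally when the target is configured for a krb5 flavor is not visible in this diff and should be confirmed by a test in the same series. The `sptlrpc_flavor2name_base` hunk is a fragment of a longer else-if chain that continues outside this view.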
index c569b0c..0c839c8 100644 (file)
 #include <gssapi/gssapi.h>
 
 /* from kerberos source, gssapi_krb5.c */
 #include <gssapi/gssapi.h>
 
 /* from kerberos source, gssapi_krb5.c */
-gss_OID_desc krb5oid =
-   {9, "\052\206\110\206\367\022\001\002\002"};
+gss_OID_desc krb5oid = {
+       9,
+       "\052\206\110\206\367\022\001\002\002",
+};
 
 
-gss_OID_desc spkm3oid =
-   {7, "\053\006\001\005\005\001\003"};
+/*
+ * OpenSFS doesn't have reserved OID space, so for the null and shared
+ * key mechanisms, we use Indiana University's OID space for now
+ */
+gss_OID_desc nulloid = {
+       12,
+       "\053\006\001\004\001\311\146\215\126\001\000\000",
+};
+
+gss_OID_desc spkm3oid = {
+       7,
+       "\053\006\001\005\005\001\003",
+};
index 8b0a352..8234ef2 100644 (file)
@@ -34,6 +34,7 @@
 #include <sys/types.h>
 
 extern gss_OID_desc krb5oid;
 #include <sys/types.h>
 
 extern gss_OID_desc krb5oid;
+extern gss_OID_desc nulloid;
 extern gss_OID_desc spkm3oid;
 
 #ifndef g_OID_equal
 extern gss_OID_desc spkm3oid;
 
 #ifndef g_OID_equal