LU-12894 sec: fix checksum for skpi

author Sebastien Buisson <sbuisson@ddn.com>

Tue, 29 Oct 2019 09:32:22 +0000 (18:32 +0900)

committer Oleg Drokin <green@whamcloud.com>

Mon, 16 Dec 2019 05:58:40 +0000 (05:58 +0000)
author Sebastien Buisson <sbuisson@ddn.com>
Tue, 29 Oct 2019 09:32:22 +0000 (18:32 +0900)
committer Oleg Drokin <green@whamcloud.com>
Mon, 16 Dec 2019 05:58:40 +0000 (05:58 +0000)
diff --git a/lustre/ptlrpc/gss/gss_sk_mech.c b/lustre/ptlrpc/gss/gss_sk_mech.c

index f6b62f6..862ab89 100644 (file)
--- a/lustre/ptlrpc/gss/gss_sk_mech.c
+++ b/lustre/ptlrpc/gss/gss_sk_mech.c
@@ -409,7 +409,7 @@ u32 sk_verify_bulk_hmac(enum cfs_crypto_hash_alg sc_hmac, rawobj_t *key,
         rawobj_t checksum = RAWOBJ_EMPTY;
         struct ahash_request *req;
         struct scatterlist sg[1];
-       int rc = GSS_S_FAILURE;
+       int rc = 0;
         struct sg_table sgt;
         int bytes;
         int i;
@@ -423,11 +423,13 @@ u32 sk_verify_bulk_hmac(enum cfs_crypto_hash_alg sc_hmac, rawobj_t *key,
  
         OBD_ALLOC_LARGE(checksum.data, checksum.len);
         if (!checksum.data)
-               return rc;
+               return GSS_S_FAILURE;
  
         req = cfs_crypto_hash_init(sc_hmac, key->data, key->len);
-       if (IS_ERR(req))
+       if (IS_ERR(req)) {
+               rc = GSS_S_FAILURE;
                 goto cleanup;
+       }
  
         for (i = 0; i < msgcnt; i++) {
                 if (!msgs[i].len)
@@ -463,15 +465,15 @@ u32 sk_verify_bulk_hmac(enum cfs_crypto_hash_alg sc_hmac, rawobj_t *key,
                         goto hash_cleanup;
         }
  
-       if (memcmp(token->data, checksum.data, checksum.len)) {
-               rc = GSS_S_BAD_SIG;
-               goto hash_cleanup;
-       }
-
-       rc = GSS_S_COMPLETE;
-
  hash_cleanup:
         cfs_crypto_hash_final(req, checksum.data, &checksum.len);
+       if (rc)
+               goto cleanup;
+
+       if (memcmp(token->data, checksum.data, checksum.len))
+               rc = GSS_S_BAD_SIG;
+       else
+               rc = GSS_S_COMPLETE;
  
  cleanup:
         OBD_FREE_LARGE(checksum.data, checksum.len);
diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh

index b77e1ab..5c81f80 100755 (executable)
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -2147,22 +2147,26 @@ test_29() {
         touch $DIR/$tdir/$tfile || error "touch"
         zconf_umount_clients ${clients_arr[0]} $MOUNT ||
                 error "unable to umount clients"
-       keyctl show | awk '/lustre/ { print $1 }' |
-               xargs -IX keyctl unlink X
+       do_node ${clients_arr[0]} "keyctl show |
+               awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
         OLD_SK_PATH=$SK_PATH
         export SK_PATH=/dev/null
         if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
                 export SK_PATH=$OLD_SK_PATH
-               if [ -e $DIR/$tdir/$tfile ]; then
+               do_node ${clients_arr[0]} "ls $DIR/$tdir/$tfile"
+               if [ $? -eq 0 ]; then
                         error "able to mount and read without key"
                 else
                         error "able to mount without key"
                 fi
         else
                 export SK_PATH=$OLD_SK_PATH
-               keyctl show | awk '/lustre/ { print $1 }' |
-                       xargs -IX keyctl unlink X
+               do_node ${clients_arr[0]} "keyctl show |
+                       awk '/lustre/ { print \\\$1 }' |
+                       xargs -IX keyctl unlink X"
         fi
+       zconf_mount_clients ${clients_arr[0]} $MOUNT ||
+               error "unable to mount clients"
  }
  run_test 29 "check for missing shared key"
  
@@ -2178,17 +2182,19 @@ test_30() {
         zconf_umount_clients ${clients_arr[0]} $MOUNT ||
                 error "unable to umount clients"
         # unload keys from ring
-       keyctl show | awk '/lustre/ { print $1 }' |
-               xargs -IX keyctl unlink X
+       do_node ${clients_arr[0]} "keyctl show |
+               awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X"
         # invalidate the key with bogus filesystem name
-       lgss_sk -w $SK_PATH/$FSNAME-bogus.key -f $FSNAME.bogus \
-               -t client -d /dev/urandom || error "lgss_sk failed (1)"
+       do_node ${clients_arr[0]} "lgss_sk -w $SK_PATH/$FSNAME-bogus.key \
+               -f $FSNAME.bogus -t client -d /dev/urandom" ||
+               error "lgss_sk failed (1)"
         do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx"
         OLD_SK_PATH=$SK_PATH
         export SK_PATH=$SK_PATH/$FSNAME-bogus.key
         if zconf_mount_clients ${clients_arr[0]} $MOUNT; then
                 SK_PATH=$OLD_SK_PATH
-               if [ -a $DIR/$tdir/$tdir.out ]; then
+               do_node ${clients_arr[0]} "ls $DIR/$tdir/$tdir.out"
+               if [ $? -eq 0 ]; then
                         error "mount and read file with invalid key"
                 else
                         error "mount with invalid key"
@@ -2197,9 +2203,46 @@ test_30() {
         SK_PATH=$OLD_SK_PATH
         zconf_umount_clients ${clients_arr[0]} $MOUNT ||
                 error "unable to umount clients"
+       zconf_mount_clients ${clients_arr[0]} $MOUNT ||
+               error "unable to mount clients"
  }
  run_test 30 "check for invalid shared key"
  
+basic_ios() {
+       local flvr=$1
+
+       mkdir -p $DIR/$tdir || error "mkdir $flvr"
+       touch $DIR/$tdir/f0 || error "touch $flvr"
+       ls $DIR/$tdir || error "ls $flvr"
+       dd if=/dev/zero of=$DIR/$tdir/f0 conv=fsync bs=1M count=10 \
+               >& /dev/null || error "dd $flvr"
+       rm -f $DIR/$tdir/f0 || error "rm $flvr"
+       rmdir $DIR/$tdir || error "rmdir $flvr"
+
+       sync ; sync
+       echo 3 > /proc/sys/vm/drop_caches
+}
+
+test_30b() {
+       local save_flvr=$SK_FLAVOR
+
+       if ! $SHARED_KEY; then
+               skip "need shared key feature for this test"
+       fi
+
+       stack_trap restore_to_default_flavor EXIT
+
+       for flvr in skn ska ski skpi; do
+               # set flavor
+               SK_FLAVOR=$flvr
+               restore_to_default_flavor || error "cannot set $flvr flavor"
+               SK_FLAVOR=$save_flvr
+
+               basic_ios $flvr
+       done
+}
+run_test 30b "basic test of all different SSK flavors"
+
  cleanup_31() {
         # unmount client
         zconf_umount $HOSTNAME $MOUNT || error "unable to umount client"
diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh

index 78004fc..1566801 100755 (executable)
--- a/lustre/tests/test-framework.sh
+++ b/lustre/tests/test-framework.sh
@@ -2259,6 +2259,11 @@ zconf_mount() {
                 exit 1
         fi
  
+       if $GSS_SK; then
+               # update mount option with skpath
+               opts=$(add_sk_mntflag $opts)
+       fi
+
         echo "Starting client: $client: $flags $opts $device $mnt"
         do_node $client mkdir -p $mnt
         if [ -n "$FILESET" -a -z "$SKIP_FILESET" ];then
author	Sebastien Buisson <sbuisson@ddn.com>
	Tue, 29 Oct 2019 09:32:22 +0000 (18:32 +0900)
committer	Oleg Drokin <green@whamcloud.com>
	Mon, 16 Dec 2019 05:58:40 +0000 (05:58 +0000)
lustre/ptlrpc/gss/gss_sk_mech.c		patch \| blob \| history
lustre/tests/sanity-sec.sh		patch \| blob \| history
lustre/tests/test-framework.sh		patch \| blob \| history