From: Andrew Korty Date: Tue, 3 Dec 2013 20:07:13 +0000 (-0800) Subject: LU-3289 gss: gssnull security flavor X-Git-Tag: 2.5.55~59 X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=67d4ed9e1a9b46ddf97b032bec4f4c559d0f06ed LU-3289 gss: gssnull security flavor This change implements the gssnull security flavor for the purpose of testing the Lustre GSS code. It provides and uses a null GSS mechanism so this testing doesn't have to involve any code related to Kerberos or any other authentication method. Signed-off-by: Andrew Korty Change-Id: Ic8378a052fd2a0f5a84877476a4a29aef7b0412a Reviewed-on: http://review.whamcloud.com/8475 Tested-by: Jenkins Reviewed-by: Andreas Dilger Tested-by: Maloo Reviewed-by: Thomas Stibor --- diff --git a/lustre/include/lustre_sec.h b/lustre/include/lustre_sec.h index 11d8460..cd28ed4 100644 --- a/lustre/include/lustre_sec.h +++ b/lustre/include/lustre_sec.h @@ -170,6 +170,8 @@ enum sptlrpc_bulk_service { ((__u32)(mech) | \ ((__u32)(svc) << (FLVR_SVC_OFFSET - FLVR_MECH_OFFSET))) +#define SPTLRPC_SUBFLVR_GSSNULL \ + MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_NULL, SPTLRPC_SVC_NULL) #define SPTLRPC_SUBFLVR_KRB5N \ MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_NULL) #define SPTLRPC_SUBFLVR_KRB5A \ @@ -194,6 +196,12 @@ enum sptlrpc_bulk_service { SPTLRPC_SVC_NULL, \ SPTLRPC_BULK_HASH, \ SPTLRPC_BULK_SVC_INTG) +#define SPTLRPC_FLVR_GSSNULL \ + MAKE_FLVR(SPTLRPC_POLICY_GSS, \ + SPTLRPC_MECH_GSS_NULL, \ + SPTLRPC_SVC_NULL, \ + SPTLRPC_BULK_DEFAULT, \ + SPTLRPC_BULK_SVC_NULL) #define SPTLRPC_FLVR_KRB5N \ MAKE_FLVR(SPTLRPC_POLICY_GSS, \ SPTLRPC_MECH_GSS_KRB5, \ diff --git a/lustre/ptlrpc/gss/Makefile.in b/lustre/ptlrpc/gss/Makefile.in index 2b4597a..31d99c4 100644 --- a/lustre/ptlrpc/gss/Makefile.in +++ b/lustre/ptlrpc/gss/Makefile.in 
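Review bot: SPTLRPC_FLVR_GSSNULL is defined in the second hunk of lustre_sec.h (@@ -194) right next to the krb5 flavors with nothing marking it as the test-only flavor the commit message describes, and this header is the one place every consumer (the name tables in sec.c, the subflavor list in gss_null_mech.c) reads. A short comment above the define, such as `/* gssnull: GSS policy over a null mechanism -- no authentication, integrity or privacy; intended for testing the GSS code paths */`, would keep that from being lost once the flavor shows up in configuration alongside krb5n/krb5a. The first hunk (@@ -170) only adds the matching SPTLRPC_SUBFLVR_GSSNULL and needs nothing further.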
@@ -1,8 +1,9 @@ MODULES := ptlrpc_gss ptlrpc_gss-objs := sec_gss.o gss_bulk.o gss_cli_upcall.o gss_svc_upcall.o \ - gss_rawobj.o lproc_gss.o \ - gss_generic_token.o gss_mech_switch.o gss_krb5_mech.o + gss_rawobj.o lproc_gss.o \ + gss_generic_token.o gss_mech_switch.o gss_krb5_mech.o \ + gss_null_mech.o @GSS_KEYRING_TRUE@ptlrpc_gss-objs += gss_keyring.o @GSS_PIPEFS_TRUE@ptlrpc_gss-objs += gss_pipefs.o diff --git a/lustre/ptlrpc/gss/gss_internal.h b/lustre/ptlrpc/gss/gss_internal.h index 301413e..a844e65 100644 --- a/lustre/ptlrpc/gss/gss_internal.h +++ b/lustre/ptlrpc/gss/gss_internal.h @@ -504,6 +504,10 @@ void gss_stat_oos_record_svc(int phase, int replay); int __init gss_init_lproc(void); void gss_exit_lproc(void); +/* gss_null_mech.c */ +int __init init_null_module(void); +void cleanup_null_module(void); + /* gss_krb5_mech.c */ int __init init_kerberos_module(void); void cleanup_kerberos_module(void); diff --git a/lustre/ptlrpc/gss/gss_null_mech.c b/lustre/ptlrpc/gss/gss_null_mech.c new file mode 100644 index 0000000..5565773 --- /dev/null +++ b/lustre/ptlrpc/gss/gss_null_mech.c 
@@ -0,0 +1,199 @@ +/* + * GPL HEADER START + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 only, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License version 2 for more details (a copy is included + * in the LICENSE file that accompanied this code). + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; If not, see + * http://www.gnu.org/licenses/gpl-2.0.html + * + * GPL HEADER END + */ +/* + * Copyright (C) 2013, Trustees of Indiana University + * Author: Andrew Korty + */ + +#define DEBUG_SUBSYSTEM S_SEC +#ifdef __KERNEL__ +#include +#include +#include +#include +#include +#else +#include +#endif + +#include +#include +#include + +#include "gss_err.h" +#include "gss_internal.h" +#include "gss_api.h" +#include "gss_asn1.h" + +struct null_ctx { +}; + +static +__u32 gss_import_sec_context_null(rawobj_t *inbuf, struct gss_ctx *gss_context) +{ + struct null_ctx *null_context; + + if (inbuf == NULL || inbuf->data == NULL) + return GSS_S_FAILURE; + + OBD_ALLOC_PTR(null_context); + if (null_context == NULL) + return GSS_S_FAILURE; + + gss_context->internal_ctx_id = null_context; + CDEBUG(D_SEC, "succesfully imported null context\n"); + + return GSS_S_COMPLETE; +} + +static +__u32 gss_copy_reverse_context_null(struct gss_ctx *gss_context_old, + struct gss_ctx *gss_context_new) +{ + struct null_ctx *null_context_old; + struct null_ctx *null_context_new; + + OBD_ALLOC_PTR(null_context_new); + if (null_context_new == NULL) + return GSS_S_FAILURE; + + null_context_old = gss_context_old->internal_ctx_id; + 
memcpy(null_context_new, null_context_old, sizeof *null_context_new); + gss_context_new->internal_ctx_id = null_context_new; + CDEBUG(D_SEC, "succesfully copied reverse null context\n"); + + return GSS_S_COMPLETE; +} + +static +__u32 gss_inquire_context_null(struct gss_ctx *gss_context, + unsigned long *endtime) +{ + *endtime = 0; + return GSS_S_COMPLETE; +} + +static +__u32 gss_wrap_null(struct gss_ctx *gss_context, rawobj_t *gss_header, + rawobj_t *message, int message_buffer_length, + rawobj_t *token) +{ + return GSS_S_COMPLETE; +} + +static +__u32 gss_unwrap_null(struct gss_ctx *gss_context, rawobj_t *gss_header, + rawobj_t *token, rawobj_t *message) +{ + return GSS_S_COMPLETE; +} + +static +__u32 gss_prep_bulk_null(struct gss_ctx *gss_context, + struct ptlrpc_bulk_desc *desc) +{ + return GSS_S_COMPLETE; +} + +static +__u32 gss_wrap_bulk_null(struct gss_ctx *gss_context, + struct ptlrpc_bulk_desc *desc, rawobj_t *token, + int adj_nob) +{ + return GSS_S_COMPLETE; +} + +static +__u32 gss_unwrap_bulk_null(struct gss_ctx *gss_context, + struct ptlrpc_bulk_desc *desc, + rawobj_t *token, int adj_nob) +{ + return GSS_S_COMPLETE; +} + +static +void gss_delete_sec_context_null(void *internal_context) +{ + struct null_ctx *null_context = internal_context; + + OBD_FREE_PTR(null_context); +} + +int gss_display_null(struct gss_ctx *gss_context, char *buf, int bufsize) +{ + return snprintf(buf, bufsize, "null"); +} + +static struct gss_api_ops gss_null_ops = { + .gss_import_sec_context = gss_import_sec_context_null, + .gss_copy_reverse_context = gss_copy_reverse_context_null, + .gss_inquire_context = gss_inquire_context_null, + .gss_get_mic = NULL, + .gss_verify_mic = NULL, + .gss_wrap = gss_wrap_null, + .gss_unwrap = gss_unwrap_null, + .gss_prep_bulk = gss_prep_bulk_null, + .gss_wrap_bulk = gss_wrap_bulk_null, + .gss_unwrap_bulk = gss_unwrap_bulk_null, + .gss_delete_sec_context = gss_delete_sec_context_null, + .gss_display = gss_display_null, +}; + +static struct 
subflavor_desc gss_null_sfs[] = { + { + .sf_subflavor = SPTLRPC_SUBFLVR_GSSNULL, + .sf_qop = 0, + .sf_service = SPTLRPC_SVC_NULL, + .sf_name = "gssnull" + }, +}; + +/* + * currently we leave module owner NULL + */ +static struct gss_api_mech gss_null_mech = { + .gm_owner = NULL, /*THIS_MODULE, */ + .gm_name = "gssnull", + .gm_oid = (rawobj_t) { + 12, + "\053\006\001\004\001\311\146\215\126\001\000\000" + }, + .gm_ops = &gss_null_ops, + .gm_sf_num = 1, + .gm_sfs = gss_null_sfs, +}; + +int __init init_null_module(void) +{ + int status; + + status = lgss_mech_register(&gss_null_mech); + if (status) + CERROR("Failed to register null gss mechanism!\n"); + + return status; +} + +void cleanup_null_module(void) +{ + lgss_mech_unregister(&gss_null_mech); +} diff --git a/lustre/ptlrpc/gss/sec_gss.c b/lustre/ptlrpc/gss/sec_gss.c index 043a683..377e367 100644 --- a/lustre/ptlrpc/gss/sec_gss.c +++ b/lustre/ptlrpc/gss/sec_gss.c @@ -2863,9 +2863,13 @@ int __init sptlrpc_gss_init(void) if (rc) goto out_cli_upcall; - rc = init_kerberos_module(); - if (rc) - goto out_svc_upcall; + rc = init_null_module(); + if (rc) + goto out_svc_upcall; + + rc = init_kerberos_module(); + if (rc) + goto out_null; /* register policy after all other stuff be intialized, because it * might be in used immediately after the registration. */ @@ -2886,6 +2890,8 @@ out_keyring: gss_exit_keyring(); out_kerberos: cleanup_kerberos_module(); +out_null: + cleanup_null_module(); out_svc_upcall: gss_exit_svc_upcall(); out_cli_upcall: diff --git a/lustre/ptlrpc/sec.c b/lustre/ptlrpc/sec.c index cbfa405..1c2e30e 100644 --- a/lustre/ptlrpc/sec.c +++ b/lustre/ptlrpc/sec.c 
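Review bot: `gss_display_null` is the only callback in gss_null_mech.c defined without `static` (compare `gss_delete_sec_context_null` directly above it), so it gets external linkage in the ptlrpc_gss module for no reason; `static int gss_display_null(struct gss_ctx *gss_context, char *buf, int bufsize)` keeps it file-local like the other ops. The wrap, unwrap and bulk stubs return GSS_S_COMPLETE without touching their output rawobj (`token` in `gss_wrap_null`, `message` in `gss_unwrap_null`), so if any caller does reach them with this mechanism it proceeds with whatever length and data were left in those objects; if they are meant to be unreachable for SPTLRPC_SVC_NULL, either leaving them NULL like `.gss_get_mic`/`.gss_verify_mic` or saying so in a comment on the ops table would make the intent explicit. `gss_copy_reverse_context_null` copies `sizeof *null_context_new` bytes out of `gss_context_old->internal_ctx_id`, which is zero because `struct null_ctx` has no members (an empty struct is a GNU extension, not ISO C); harmless today, but a one-line comment that the memcpy exists so the copy stays correct once fields are added would stop a later reader from "simplifying" it away. Both CDEBUG strings misspell "successfully" (`"succesfully imported null context\n"`, `"succesfully copied reverse null context\n"`).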
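Review bot: the new `out_null:` label in the second sec_gss.c hunk only covers the error path of `sptlrpc_gss_init`; this diff contains no matching `cleanup_null_module()` for the module's normal teardown (`sptlrpc_gss_fini`, outside these hunks), which leaves init and fini asymmetric: the kerberos mechanism is unregistered on both paths but the null mechanism only on the unwind path. Unless fini already handles it, adding `cleanup_null_module();` right after the existing `cleanup_kerberos_module();` there would mirror the order established here (`out_kerberos:` then `out_null:`). `sptlrpc_gss_init` begins before the first hunk and continues past it.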
@@ -158,10 +158,12 @@ struct ptlrpc_sec_policy * sptlrpc_wireflavor2policy(__u32 flavor) __u32 sptlrpc_name2flavor_base(const char *name) { - if (!strcmp(name, "null")) - return SPTLRPC_FLVR_NULL; - if (!strcmp(name, "plain")) - return SPTLRPC_FLVR_PLAIN; + if (!strcmp(name, "null")) + return SPTLRPC_FLVR_NULL; + if (!strcmp(name, "plain")) + return SPTLRPC_FLVR_PLAIN; + if (!strcmp(name, "gssnull")) + return SPTLRPC_FLVR_GSSNULL; if (!strcmp(name, "krb5n")) return SPTLRPC_FLVR_KRB5N; if (!strcmp(name, "krb5a")) @@ -183,6 +185,8 @@ const char *sptlrpc_flavor2name_base(__u32 flvr) return "null"; else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_PLAIN)) return "plain"; + else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_GSSNULL)) + return "gssnull"; else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5N)) return "krb5n"; else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5A)) diff --git a/lustre/utils/gss/gss_oids.c b/lustre/utils/gss/gss_oids.c index c569b0c..0c839c8 100644 --- a/lustre/utils/gss/gss_oids.c +++ b/lustre/utils/gss/gss_oids.c @@ -32,8 +32,21 @@ #include /* from kerberos source, gssapi_krb5.c */ -gss_OID_desc krb5oid = - {9, "\052\206\110\206\367\022\001\002\002"}; +gss_OID_desc krb5oid = { + 9, + "\052\206\110\206\367\022\001\002\002", +}; -gss_OID_desc spkm3oid = - {7, "\053\006\001\005\005\001\003"}; +/* + * OpenSFS doesn't have reserved OID space, so for the null and shared + * key mechanisms, we use Indiana University's OID space for now + */ +gss_OID_desc nulloid = { + 12, + "\053\006\001\004\001\311\146\215\126\001\000\000", +}; + +gss_OID_desc spkm3oid = { + 7, + "\053\006\001\005\005\001\003", +}; diff --git a/lustre/utils/gss/gss_oids.h b/lustre/utils/gss/gss_oids.h index 8b0a352..8234ef2 100644 --- a/lustre/utils/gss/gss_oids.h +++ b/lustre/utils/gss/gss_oids.h @@ -34,6 +34,7 @@ #include extern gss_OID_desc krb5oid; +extern gss_OID_desc nulloid; extern gss_OID_desc spkm3oid; #ifndef g_OID_equal
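Review bot: the first sec.c hunk re-emits the existing `null` and `plain` branches of `sptlrpc_name2flavor_base` as removed-then-added lines that differ, as far as the text shows, only in leading whitespace, in the same hunk that adds the one functional change (`if (!strcmp(name, "gssnull")) return SPTLRPC_FLVR_GSSNULL;`); the whitespace churn hides that line and would be better left out of this commit or done in its own. Since "gssnull" is now accepted wherever a flavor name is parsed, and the mechanism it selects provides no authentication or integrity (its wrap/unwrap ops are no-ops and its mic ops are NULL in gss_null_mech.c), a comment on the new branch such as `/* gssnull: test-only, provides no authentication */` keeps that visible to the next person editing this table. The second hunk, in `sptlrpc_flavor2name_base`, is just the reverse mapping. Both functions continue outside their hunks.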
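Review bot: the 12-byte `nulloid` added to gss_oids.c is the same byte string as `gss_null_mech.gm_oid` in lustre/ptlrpc/gss/gss_null_mech.c, with no reference in either direction, so a later edit to one will silently desynchronise the userspace tools from the kernel mechanism; a comment on the definition such as `/* must stay identical to gss_null_mech.gm_oid in lustre/ptlrpc/gss/gss_null_mech.c */` is the cheapest guard. The comment above it also speaks of "the null and shared key mechanisms", but this commit adds only the null one; naming a mechanism that does not yet exist in the tree invites confusion and could be trimmed to what is actually defined here.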