From: Jeremy Filizetti Date: Thu, 3 Mar 2016 03:01:48 +0000 (-0500) Subject: LU-3289 gss: Add two additional security flavors for sk X-Git-Tag: 2.8.55~69 X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=7dd6c394161a62b229ba65f50044a1d8f2da2d03 LU-3289 gss: Add two additional security flavors for sk This patch adds shared key null (skn) and shared key auth (ska) flavors to make shared key consistent with the kerberos implementation. Shared key null requires a key to establish the security context but does not use integrity or privacy outside of the SEC_CTX_INIT RPC. Shared key auth enables integrity for normal service but not bulk. Signed-off-by: Jeremy Filizetti Change-Id: I55fa52dfe1089f3dc9a40ffad28997a0b08aadec Reviewed-on: http://review.whamcloud.com/18773 Tested-by: Jenkins Tested-by: Maloo Reviewed-by: Sebastien Buisson Reviewed-by: John L. Hammond Reviewed-by: Oleg Drokin
---
diff --git a/lustre/include/lustre_sec.h b/lustre/include/lustre_sec.h
index 524421e..306215a 100644
--- a/lustre/include/lustre_sec.h
+++ b/lustre/include/lustre_sec.h
@@ -182,6 +182,10 @@ enum sptlrpc_bulk_service {
 MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_INTG)
 #define SPTLRPC_SUBFLVR_KRB5P \
 MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_KRB5, SPTLRPC_SVC_PRIV)
+#define SPTLRPC_SUBFLVR_SKN \
+ MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_NULL)
+#define SPTLRPC_SUBFLVR_SKA \
+ MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_AUTH)
 #define SPTLRPC_SUBFLVR_SKI \
 MAKE_BASE_SUBFLVR(SPTLRPC_MECH_GSS_SK, SPTLRPC_SVC_INTG)
 #define SPTLRPC_SUBFLVR_SKPI \
@@ -232,6 +236,18 @@ enum sptlrpc_bulk_service {
 SPTLRPC_SVC_PRIV, \
 SPTLRPC_BULK_DEFAULT, \
 SPTLRPC_BULK_SVC_PRIV)
+#define SPTLRPC_FLVR_SKN \
+ MAKE_FLVR(SPTLRPC_POLICY_GSS, \
+ SPTLRPC_MECH_GSS_SK, \
+ SPTLRPC_SVC_NULL, \
+ SPTLRPC_BULK_DEFAULT, \
+ SPTLRPC_BULK_SVC_NULL)
+#define SPTLRPC_FLVR_SKA \
+ MAKE_FLVR(SPTLRPC_POLICY_GSS, \
+ SPTLRPC_MECH_GSS_SK, \
+ SPTLRPC_SVC_AUTH, \
+ SPTLRPC_BULK_DEFAULT, \
+ SPTLRPC_BULK_SVC_NULL)
 #define SPTLRPC_FLVR_SKI \
 MAKE_FLVR(SPTLRPC_POLICY_GSS, \
 SPTLRPC_MECH_GSS_SK, \
diff --git a/lustre/ptlrpc/gss/gss_sk_mech.c b/lustre/ptlrpc/gss/gss_sk_mech.c
index dbcb1ee..1cb3645 100644
--- a/lustre/ptlrpc/gss/gss_sk_mech.c
+++ b/lustre/ptlrpc/gss/gss_sk_mech.c
@@ -723,6 +723,18 @@ static struct gss_api_ops gss_sk_ops = {
 static struct subflavor_desc gss_sk_sfs[] = {
 {
+ .sf_subflavor = SPTLRPC_SUBFLVR_SKN,
+ .sf_qop = 0,
+ .sf_service = SPTLRPC_SVC_NULL,
+ .sf_name = "skn"
+ },
+ {
+ .sf_subflavor = SPTLRPC_SUBFLVR_SKA,
+ .sf_qop = 0,
+ .sf_service = SPTLRPC_SVC_AUTH,
+ .sf_name = "ska"
+ },
+ {
 .sf_subflavor = SPTLRPC_SUBFLVR_SKI,
 .sf_qop = 0,
 .sf_service = SPTLRPC_SVC_INTG,
@@ -747,7 +759,7 @@ static struct gss_api_mech gss_sk_mech = {
 "\053\006\001\004\001\311\146\215\126\001\000\001",
 },
 .gm_ops = &gss_sk_ops,
- .gm_sf_num = 2,
+ .gm_sf_num = 4,
 .gm_sfs = gss_sk_sfs,
 };
diff --git a/lustre/ptlrpc/sec.c b/lustre/ptlrpc/sec.c
index 828a161..a4289d3 100644
--- a/lustre/ptlrpc/sec.c
+++ b/lustre/ptlrpc/sec.c
@@ -171,6 +171,10 @@ __u32 sptlrpc_name2flavor_base(const char *name)
 return SPTLRPC_FLVR_KRB5I;
 if (!strcmp(name, "krb5p"))
 return SPTLRPC_FLVR_KRB5P;
+ if (!strcmp(name, "skn"))
+ return SPTLRPC_FLVR_SKN;
+ if (!strcmp(name, "ska"))
+ return SPTLRPC_FLVR_SKA;
 if (!strcmp(name, "ski"))
 return SPTLRPC_FLVR_SKI;
 if (!strcmp(name, "skpi"))
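Review bot: The new `SPTLRPC_FLVR_SKN` and `SPTLRPC_FLVR_SKA` definitions have no comment saying what they leave unprotected, and both pass `SPTLRPC_BULK_SVC_NULL` for the bulk service. According to the commit description, skn needs the key only to establish the context and applies no integrity or privacy outside the SEC_CTX_INIT RPC, while ska adds integrity for normal service but not for bulk. I would record that next to the macros, e.g. `/* skn: key required for SEC_CTX_INIT only; no integrity or privacy afterwards */` and `/* ska: integrity for normal service; bulk data is not protected */`, so that someone picking a flavor from this header does not assume bulk I/O is covered. The run of flavor definitions starts and ends outside the hunk.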
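Review bot: `.gm_sf_num = 4` in `gss_sk_mech` repeats the length of `gss_sk_sfs` as a literal, so the count and the table (extended in the preceding hunk of this file) have to be edited together by hand. If the literal ever exceeds the table length, code that walks `gm_sfs` up to `gm_sf_num` would presumably read past the end of the array; if it is smaller, the trailing flavors would silently not be found. Deriving the count removes that coupling: `.gm_sf_num = ARRAY_SIZE(gss_sk_sfs),`. The `gss_sk_mech` initializer starts outside the hunk.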
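Review bot: The names "skn" and "ska" now have to agree in three hand-maintained places that nothing ties together: this `strcmp` chain in `sptlrpc_name2flavor_base`, the `else if` chain in `sptlrpc_flavor2name_base` (last hunk), and the `.sf_name` fields in `gss_sk_sfs`. If one of them drifts, the flavor an administrator configures and the flavor shown back could differ, which matters more now that the list includes flavors without per-RPC protection. Short of a shared lookup table, a comment above each chain such as `/* keep in sync with sptlrpc_flavor2name_base() and the GSS mech subflavor tables */` would at least record the coupling. Both functions start and end outside their hunks.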
@@ -198,6 +202,10 @@ const char *sptlrpc_flavor2name_base(__u32 flvr)
 return "krb5i";
 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_KRB5P))
 return "krb5p";
+ else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKN))
+ return "skn";
+ else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKA))
+ return "ska";
 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKI))
 return "ski";
 else if (base == SPTLRPC_FLVR_BASE(SPTLRPC_FLVR_SKPI))