From: Sebastien Buisson Date: Tue, 29 Oct 2019 09:32:22 +0000 (+0900) Subject: LU-12894 sec: fix checksum for skpi X-Git-Tag: 2.13.51~88 X-Git-Url: https://git.whamcloud.com/gitweb?a=commitdiff_plain;h=dcdf060342e7d69b64171840cf9475bf65d036ea;p=fs%2Flustre-release.git LU-12894 sec: fix checksum for skpi Compute checkum on message before actually comparing it to hmac value. Add test to exercise all SSK flavors. Make sure zconf_mount does include skpath mount option if SSK or Kerberos is in use. Fixes: a21c13d4df ("LU-8602 gss: Properly port gss to newer crypto api.") Test-Parameters: envdefinitions=SHARED_KEY=true testlist=sanity-sec Test-Parameters: envdefinitions=SHARED_KEY=true,SK_FLAVOR=skn testlist=sanity,recovery-small Test-Parameters: envdefinitions=SHARED_KEY=true,SK_FLAVOR=ska testlist=sanity,recovery-small Test-Parameters: envdefinitions=SHARED_KEY=true,SK_FLAVOR=ski testlist=sanity,recovery-small Test-Parameters: envdefinitions=SHARED_KEY=true,SK_FLAVOR=skpi testlist=sanity,recovery-small Signed-off-by: Sebastien Buisson Change-Id: I7bcc3618c1824a0f0ca73219c7ac0ccc8405b946 Reviewed-on: https://review.whamcloud.com/36604 Tested-by: jenkins Tested-by: Maloo Reviewed-by: James Nunez Reviewed-by: James Simmons Reviewed-by: Oleg Drokin
---
diff --git a/lustre/ptlrpc/gss/gss_sk_mech.c b/lustre/ptlrpc/gss/gss_sk_mech.c
index f6b62f6..862ab89 100644
--- a/lustre/ptlrpc/gss/gss_sk_mech.c
+++ b/lustre/ptlrpc/gss/gss_sk_mech.c
@@ -409,7 +409,7 @@ u32 sk_verify_bulk_hmac(enum cfs_crypto_hash_alg sc_hmac, rawobj_t *key,
 rawobj_t checksum = RAWOBJ_EMPTY;
 struct ahash_request *req;
 struct scatterlist sg[1];
- int rc = GSS_S_FAILURE;
+ int rc = 0;
 struct sg_table sgt;
 int bytes;
 int i;
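Review bot: Initialising `rc` to 0 makes success the default result of sk_verify_bulk_hmac(), assuming GSS_S_COMPLETE is 0 as in the GSS-API status codes, so any path that reaches `cleanup:` without assigning `rc` would report a verified HMAC. The later hunks set `GSS_S_FAILURE` by hand on the allocation and `cfs_crypto_hash_init()` failures, which keeps today's paths correct but leaves the function fail-open for future edits. A fail-closed shape keeps `int rc = GSS_S_FAILURE;` and tracks hashing errors in a separate local, e.g. `int err = 0;`, that gates the compare. The function body starts and ends outside this hunk, so the loop's own assignments to `rc` are not visible here.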
@@ -423,11 +423,13 @@ u32 sk_verify_bulk_hmac(enum cfs_crypto_hash_alg sc_hmac, rawobj_t *key, OBD_ALLOC_LARGE(checksum.data, checksum.len); if (!checksum.data) - return rc; + return GSS_S_FAILURE; req = cfs_crypto_hash_init(sc_hmac, key->data, key->len); - if (IS_ERR(req)) + if (IS_ERR(req)) { + rc = GSS_S_FAILURE; goto cleanup; + } for (i = 0; i < msgcnt; i++) { if (!msgs[i].len) @@ -463,15 +465,15 @@ u32 sk_verify_bulk_hmac(enum cfs_crypto_hash_alg sc_hmac, rawobj_t *key, goto hash_cleanup; } - if (memcmp(token->data, checksum.data, checksum.len)) { - rc = GSS_S_BAD_SIG; - goto hash_cleanup; - } - - rc = GSS_S_COMPLETE; - hash_cleanup: cfs_crypto_hash_final(req, checksum.data, &checksum.len); + if (rc) + goto cleanup; + + if (memcmp(token->data, checksum.data, checksum.len)) + rc = GSS_S_BAD_SIG; + else + rc = GSS_S_COMPLETE; cleanup: OBD_FREE_LARGE(checksum.data, checksum.len); diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index b77e1ab..5c81f80 100755 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh 
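Review bot: The HMAC check added after `hash_cleanup:` compares with `memcmp`, which stops at the first differing byte, so the time taken depends on how much of the token matches the computed checksum. A constant-time compare is the usual choice for MAC verification, e.g. `if (crypto_memneq(token->data, checksum.data, checksum.len))` where the target kernels provide it. The result of `cfs_crypto_hash_final()` is also discarded right before the compare; if it can fail, `rc` should become `GSS_S_FAILURE` instead of comparing against an unfinished digest. Whether `token->len` is validated against `checksum.len` is decided outside this hunk.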
@@ -2147,22 +2147,26 @@ test_29() { touch $DIR/$tdir/$tfile || error "touch" zconf_umount_clients ${clients_arr[0]} $MOUNT || error "unable to umount clients" - keyctl show | awk '/lustre/ { print $1 }' | - xargs -IX keyctl unlink X + do_node ${clients_arr[0]} "keyctl show | + awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X" OLD_SK_PATH=$SK_PATH export SK_PATH=/dev/null if zconf_mount_clients ${clients_arr[0]} $MOUNT; then export SK_PATH=$OLD_SK_PATH - if [ -e $DIR/$tdir/$tfile ]; then + do_node ${clients_arr[0]} "ls $DIR/$tdir/$tfile" + if [ $? -eq 0 ]; then error "able to mount and read without key" else error "able to mount without key" fi else export SK_PATH=$OLD_SK_PATH - keyctl show | awk '/lustre/ { print $1 }' | - xargs -IX keyctl unlink X + do_node ${clients_arr[0]} "keyctl show | + awk '/lustre/ { print \\\$1 }' | + xargs -IX keyctl unlink X" fi + zconf_mount_clients ${clients_arr[0]} $MOUNT || + error "unable to mount clients" } run_test 29 "check for missing shared key" 
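Review bot: Testing `$?` on the line after `do_node` in test_29 is fragile, because any statement later inserted between the two lines silently changes what is tested; the same pattern is added in test_30 in the next hunk. Branching on the command itself is shorter and cannot drift: `if do_node ${clients_arr[0]} "ls $DIR/$tdir/$tfile"; then`. The `\\\$1` in the remote keyctl pipeline also deserves a one-line comment such as `# \$1 must reach awk on the client unexpanded`, since the escaping depth depends on how do_node quotes its argument.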
@@ -2178,17 +2182,19 @@ test_30() { zconf_umount_clients ${clients_arr[0]} $MOUNT || error "unable to umount clients" # unload keys from ring - keyctl show | awk '/lustre/ { print $1 }' | - xargs -IX keyctl unlink X + do_node ${clients_arr[0]} "keyctl show | + awk '/lustre/ { print \\\$1 }' | xargs -IX keyctl unlink X" # invalidate the key with bogus filesystem name - lgss_sk -w $SK_PATH/$FSNAME-bogus.key -f $FSNAME.bogus \ - -t client -d /dev/urandom || error "lgss_sk failed (1)" + do_node ${clients_arr[0]} "lgss_sk -w $SK_PATH/$FSNAME-bogus.key \ + -f $FSNAME.bogus -t client -d /dev/urandom" || + error "lgss_sk failed (1)" do_facet $SINGLEMDS lfs flushctx || error "could not run flushctx" OLD_SK_PATH=$SK_PATH export SK_PATH=$SK_PATH/$FSNAME-bogus.key if zconf_mount_clients ${clients_arr[0]} $MOUNT; then SK_PATH=$OLD_SK_PATH - if [ -a $DIR/$tdir/$tdir.out ]; then + do_node ${clients_arr[0]} "ls $DIR/$tdir/$tdir.out" + if [ $? -eq 0 ]; then error "mount and read file with invalid key" else error "mount with invalid key" 
@@ -2197,9 +2203,46 @@ test_30() { SK_PATH=$OLD_SK_PATH zconf_umount_clients ${clients_arr[0]} $MOUNT || error "unable to umount clients" + zconf_mount_clients ${clients_arr[0]} $MOUNT || + error "unable to mount clients" } run_test 30 "check for invalid shared key" +basic_ios() { + local flvr=$1 + + mkdir -p $DIR/$tdir || error "mkdir $flvr" + touch $DIR/$tdir/f0 || error "touch $flvr" + ls $DIR/$tdir || error "ls $flvr" + dd if=/dev/zero of=$DIR/$tdir/f0 conv=fsync bs=1M count=10 \ + >& /dev/null || error "dd $flvr" + rm -f $DIR/$tdir/f0 || error "rm $flvr" + rmdir $DIR/$tdir || error "rmdir $flvr" + + sync ; sync + echo 3 > /proc/sys/vm/drop_caches +} + +test_30b() { + local save_flvr=$SK_FLAVOR + + if ! $SHARED_KEY; then + skip "need shared key feature for this test" + fi + + stack_trap restore_to_default_flavor EXIT + + for flvr in skn ska ski skpi; do + # set flavor + SK_FLAVOR=$flvr + restore_to_default_flavor || error "cannot set $flvr flavor" + SK_FLAVOR=$save_flvr + + basic_ios $flvr + done +} +run_test 30b "basic test of all different SSK flavors" + cleanup_31() { # unmount client zconf_umount $HOSTNAME $MOUNT || error "unable to umount client" diff --git a/lustre/tests/test-framework.sh b/lustre/tests/test-framework.sh index 78004fc..1566801 100755 --- a/lustre/tests/test-framework.sh +++ b/lustre/tests/test-framework.sh @@ -2259,6 +2259,11 @@ zconf_mount() { exit 1 fi + if $GSS_SK; then + # update mount option with skpath + opts=$(add_sk_mntflag $opts) + fi + echo "Starting client: $client: $flags $opts $device $mnt" do_node $client mkdir -p $mnt if [ -n "$FILESET" -a -z "$SKIP_FILESET" ];then
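Review bot: In test_30b the `error` call runs while `SK_FLAVOR` still holds the flavor under test, because the variable is restored only on the line after `restore_to_default_flavor || error ...`. If `error` exits the test, the `stack_trap restore_to_default_flavor EXIT` handler would then presumably re-apply that flavor rather than the saved one, leaving the cluster on a non-default flavor for the tests that follow. Restoring `SK_FLAVOR` before reporting the failure avoids this, and `flvr` should be declared `local` so the loop variable does not leak into the framework's global scope.

```shell
	local flvr
	local rc
	# … unchanged: SHARED_KEY skip and stack_trap …
	for flvr in skn ska ski skpi; do
		SK_FLAVOR=$flvr
		restore_to_default_flavor
		rc=$?
		# put the saved flavor back before error() can trigger the EXIT trap
		SK_FLAVOR=$save_flvr
		[ $rc -eq 0 ] || error "cannot set $flvr flavor"
		# … unchanged: basic_ios $flvr …
	done
```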
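Review bot: `if $GSS_SK; then` in zconf_mount runs the variable's contents as a command, and an empty or unset `GSS_SK` expands to a null command whose status is 0, so the skpath branch would be taken when the variable was never initialised. Giving the expansion a default keeps the framework's style and makes the unset case explicit: `if ${GSS_SK:-false}; then`. The argument should also be quoted, `opts=$(add_sk_mntflag "$opts")`, unless add_sk_mntflag relies on word splitting; its definition and the rest of zconf_mount are outside this hunk.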