[LU-8602] Support GSS crypto code with linux 4.6 kernels Created: 12/Sep/16  Updated: 17/Nov/18  Resolved: 17/Nov/18

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.12.0

Type: Improvement Priority: Minor
Reporter: James A Simmons Assignee: James A Simmons
Resolution: Fixed Votes: 0
Labels: None
Environment:

Any system using GSS and a linux kernel 4.6 and above.


Issue Links:
Related
is related to LU-9795 SSK test failures in many suites when... Reopened
is related to LU-11635 GSS build for client-only Resolved
is related to LU-3289 IU Shared Secret Key authentication a... Resolved
is related to LU-8560 Support for linux 4.6 kernels Resolved
is related to LU-9073 SSK: lgss_sk generates keys with inva... Resolved
is related to LU-9245 lgss_sk may unsafely overwrite nodema... Resolved
is related to LU-9430 logic errors in lgss_sk code Resolved

 Description   

Currently the GSS code for Lustre directly uses the Linux crypto API. This code uses struct crypto_hash, which has now been removed in newer kernels in favor of struct crypto_ahash. The libcfs crypto API has moved to this new kernel API, but it doesn't have support for the algos that GSS wants to use. So the first question to ask is: does GSS move to the libcfs crypto API, with us expanding support in the libcfs crypto API to AES and DEC, or do we ignore the libcfs crypto API and just use the Linux crypto API directly with the newer ahash API?



 Comments   
Comment by Peter Jones [ 12/Sep/16 ]

Thanks for your efforts here James

Comment by Gerrit Updater [ 20/Oct/16 ]

James Simmons (uja.ornl@yahoo.com) uploaded a new patch: http://review.whamcloud.com/23289
Subject: LU-8602 gss: Support GSS on linux 4.6+ kernels
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: f2603ddf218d9882dfe2f4f87fc27270218a543e

Comment by James A Simmons [ 20/Oct/16 ]

Now that the GSS code has settled down I have created the linux 4.6 port. It's only a compile test since I don't have a GSS security setup to really test.

Comment by Gerrit Updater [ 31/Jan/17 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/23289/
Subject: LU-8602 gss: Support GSS on linux 4.6+ kernels
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: c6f5e8121366be05765dabe0008165166d3f431c

Comment by Gerrit Updater [ 01/Aug/17 ]

James Simmons (uja.ornl@yahoo.com) uploaded a new patch: https://review.whamcloud.com/28309
Subject: LU-8602 gss: Properly port gss to newer crypto api.
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: c20d520c935b367571dbd04df139222531b5a35d

Comment by Gerrit Updater [ 17/Dec/17 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/25199/
Subject: LU-8602 libcfs: call proper crypto algo when keys are passed in
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 53e967746f37d5f0322bfc984af3ce1c9517079b

Comment by Olaf Faaland [ 30/Jan/18 ]

There is a bug in the autoconf code for LC_CONFIG_GSS; if LC_HAVE_CRYPTO_HASH sets enable_gss to no, but gss_conf_test==success, enable_gss is set back to yes and the build fails.

Should I submit a patch? That code will go away when "gss: Properly port gss to newer crypto api" is landed, but I assume the latter will not be backported to 2.10 whereas the autoconf fix could be.

Comment by Gerrit Updater [ 31/Jan/18 ]

Olaf Faaland-LLNL (faaland1@llnl.gov) uploaded a new patch: https://review.whamcloud.com/31095
Subject: LU-8602 gss: Fix autoconf check for crypto_hash
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 4d35ca99ac1a1e23c3ccf30303e88e5e7d063d79

Comment by Gerrit Updater [ 06/Feb/18 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/31095/
Subject: LU-8602 gss: Fix autoconf check for crypto_hash
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: f6329102615e111490c7955a0a9e8b8610f8a244

Comment by Jeremy Filizetti [ 06/Feb/18 ]

The patch at https://review.whamcloud.com/31095 breaks the ability to build SSK due to a script error:

checking for krb5_derive_key in -lgssapi_krb5... no
./configure: line 21783: xyes: command not found
checking whether OpenSSL has functions needed for SSK... no

This is due to the second part of the if statement after the &&:
AS_IF([test "x$gss_conf_test" = xsuccess && "x$enable_gss" != xno], [

This should probably be
AS_IF([test "x$gss_conf_test" = xsuccess && test "x$enable_gss" != xno], [
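
Added example (not part of the comment above or of the Lustre tree): the two conditions quoted in that comment, reduced to plain shell, to show why the missing "test" makes the branch unreachable instead of aborting configure. The function names buggy_cond, fixed_cond, status_of and gss_decision are made up for this illustration, and AS_IF is modelled as a plain "if cond; then ...; fi".

```shell
#!/bin/sh
# Added illustration. AS_IF([cond], [body]) expands to roughly:
#     if cond; then body; fi
# so the text inside the first argument is ordinary shell.

# Condition as quoted from patch 31095: after "&&" the shell does not see
# a test expression, it sees a command named "x$enable_gss" (e.g. "xyes").
buggy_cond() {
    gss_conf_test=$1 enable_gss=$2
    test "x$gss_conf_test" = xsuccess && "x$enable_gss" != xno
}

# Condition as proposed in the comment: both halves are "test" invocations.
fixed_cond() {
    gss_conf_test=$1 enable_gss=$2
    test "x$gss_conf_test" = xsuccess && test "x$enable_gss" != xno
}

# Print the exit status of a command without tripping "set -e".
status_of() {
    "$@" 2>/dev/null && echo 0 || echo $?
}

# What an "if" around the condition concludes: yes = body runs, no = skipped.
# usage: gss_decision <cond-function> <gss_conf_test> <enable_gss>
gss_decision() {
    if "$1" "$2" "$3" 2>/dev/null; then echo yes; else echo no; fi
}

# Truth table over the inputs (constructed values, not configure output).
printf '%-14s %-11s %-6s %-6s\n' gss_conf_test enable_gss buggy fixed
for t in success failure; do
    for e in yes no; do
        printf '%-14s %-11s %-6s %-6s\n' "$t" "$e" \
            "$(gss_decision buggy_cond "$t" "$e")" \
            "$(gss_decision fixed_cond "$t" "$e")"
    done
done
```

With gss_conf_test=success the buggy form always ends in exit status 127 (command not found), which "if" treats as false, so the body is skipped for every value of enable_gss and configure simply carries on.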

Comment by Gerrit Updater [ 07/Feb/18 ]

Olaf Faaland-LLNL (faaland1@llnl.gov) uploaded a new patch: https://review.whamcloud.com/31191
Subject: LU-8602 gss: autoconf check missing "test" keyword
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 9b73c8b86b67f7f78b97c95ac81ff2d5f7a0bc69

Comment by Gerrit Updater [ 14/Feb/18 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/31191/
Subject: LU-8602 gss: autoconf check missing "test" keyword
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 4dd55cb2bcffd681117b8513a91908afe0647108

Comment by Peter Jones [ 11/Oct/18 ]

James

Have you tried this recently? How does GSS behave with Ubuntu 18.04 clients?

Peter

Comment by Gerrit Updater [ 26/Oct/18 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/33493
Subject: LU-8602 gss: get rid of cfs_crypto_hash_desc
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 3ef2ea65e9701f8cee19d987c9927fe1e12779b9

Comment by Gerrit Updater [ 06/Nov/18 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/33592
Subject: LU-8602 gss: support OpenSSL 1.1
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 4cb1c93ba786b8378a808cd7a863f46b45eab238

Comment by James A Simmons [ 09/Nov/18 ]

Sebastien, I got everything to work on Ubuntu/Debian.

Comment by Gerrit Updater [ 13/Nov/18 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/28309/
Subject: LU-8602 gss: Properly port gss to newer crypto api.
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: a21c13d4df4bea1bec0f5804136740ed53d5a57f

Comment by Gerrit Updater [ 13/Nov/18 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/33493/
Subject: LU-8602 gss: get rid of cfs_crypto_hash_desc
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 553d93361d2db4ff39bf19ac66dc2d79f6e3e324

Comment by Gerrit Updater [ 17/Nov/18 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/33592/
Subject: LU-8602 gss: support OpenSSL 1.1
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: f44a953b30b2a439a9477ed5ecf599e172366493
