4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (C) 2015, Trustees of Indiana University
25 * Author: Jeremy Filizetti <jfilizet@iu.edu>
31 #include <gssapi/gssapi.h>
33 #include <linux/lustre/lustre_idl.h>
34 #include <openssl/dh.h>
35 #include <openssl/evp.h>
36 #include <sys/types.h>
40 /* Some limits and defaults */
41 #define SK_CONF_VERSION 1
42 #define SK_MSG_VERSION 1
43 #define SK_GENERATOR 2
44 #define SK_SESSION_MAX_KEYLEN_BYTES 1024
45 #define SK_MAX_KEYLEN_BYTES 128
46 #define SK_MAX_P_BYTES 2048
47 #define SK_NONCE_SIZE 4
48 #define MAX_MGSNIDS 16
50 enum sk_ctx_init_buffers {
51 /* Initiator netstring buffer ordering */
62 /* Responder netstring buffer ordering */
70 /* String consisting of "lustre:fsname:nodemap_hash" */
71 #define SK_DESCRIPTION_SIZE (9 + MTI_NAME_MAXLEN + LUSTRE_NODEMAP_NAME_LENGTH)
74 SK_TYPE_INVALID = 0x0,
80 /* This is the packed structure format of the key files that are distributed.
81 * The on-disk format is stored in big-endian byte order. */
82 struct sk_keyfile_config {
83 /* File format version */
85 /* HMAC algorithm used for message integrity */
86 uint16_t skc_hmac_alg;
87 /* Crypt algorithm used for privacy mode */
88 uint16_t skc_crypt_alg;
89 /* Number of seconds that a context is valid after it is created from
92 /* Length of shared key in skc_shared_key */
93 uint32_t skc_shared_keylen;
94 /* Length of the prime used in the DHKE */
95 uint32_t skc_prime_bits;
98 /* Array of MGS NIDs to load keys for. This is for the client, since
99 * the upcall only knows the target name, which is MGC<IP>@<NET>.
100 * Only needed when mounting with mgssec. */
101 lnet_nid_t skc_mgsnids[MAX_MGSNIDS];
102 /* File system name for this key. It can be unused for MGS-only keys. */
103 char skc_fsname[MTI_NAME_MAXLEN + 1];
104 /* Nodemap name for this key. Used by the server side to verify the
105 * client is in the correct nodemap */
106 char skc_nodemap[LUSTRE_NODEMAP_NAME_LENGTH + 1];
108 unsigned char skc_shared_key[SK_MAX_KEYLEN_BYTES];
109 /* Prime (p) for DHKE */
110 unsigned char skc_p[SK_MAX_P_BYTES];
111 } __attribute__((packed));
113 /* Format passed to the kernel from userspace */
114 struct sk_kernel_ctx {
115 uint32_t skc_version;
116 uint16_t skc_hmac_alg;
117 uint16_t skc_crypt_alg;
119 uint32_t skc_host_random;
120 uint32_t skc_peer_random;
121 gss_buffer_desc skc_hmac_key;
122 gss_buffer_desc skc_encrypt_key;
123 gss_buffer_desc skc_shared_key;
124 gss_buffer_desc skc_session_key;
127 /* Structure used in context initiation to hold all necessary data */
130 gss_buffer_desc sc_p;
131 gss_buffer_desc sc_pub_key;
132 gss_buffer_desc sc_tgt;
133 gss_buffer_desc sc_nodemap_hash;
134 gss_buffer_desc sc_hmac;
135 gss_buffer_desc sc_dh_shared_key;
136 struct sk_kernel_ctx sc_kctx;
140 void sk_init_logging(char *program, int verbose, int fg);
141 struct sk_keyfile_config *sk_read_file(char *filename);
142 int sk_load_keyfile(char *path);
143 void sk_config_disk_to_cpu(struct sk_keyfile_config *config);
144 void sk_config_cpu_to_disk(struct sk_keyfile_config *config);
145 int sk_validate_config(const struct sk_keyfile_config *config);
146 uint32_t sk_verify_hash(const char *string, const EVP_MD *hash_alg,
147 const gss_buffer_desc *current_hash);
148 struct sk_cred *sk_create_cred(const char *fsname, const char *cluster,
149 const uint32_t flags);
150 uint32_t sk_gen_params(struct sk_cred *skc);
151 int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
152 const EVP_MD *hash_alg, gss_buffer_desc *hmac);
153 uint32_t sk_verify_hmac(struct sk_cred *skc, gss_buffer_desc *bufs,
154 const int numbufs, const EVP_MD *hash_alg,
155 gss_buffer_desc *hmac);
156 void sk_free_cred(struct sk_cred *skc);
157 int sk_session_kdf(struct sk_cred *skc, lnet_nid_t client_nid,
158 gss_buffer_desc *client_token, gss_buffer_desc *server_token);
159 uint32_t sk_compute_dh_key(struct sk_cred *skc, const gss_buffer_desc *pub_key);
160 int sk_compute_keys(struct sk_cred *skc);
161 int sk_serialize_kctx(struct sk_cred *skc, gss_buffer_desc *ctx_token);
162 int sk_decode_netstring(gss_buffer_desc *bufs, int numbufs,
163 gss_buffer_desc *ns);
164 int sk_encode_netstring(gss_buffer_desc *bufs, int numbufs,
165 gss_buffer_desc *ns);
167 #endif /* SK_UTILS_H */