/* -*- mode: c; c-basic-offset: 8; indent-tabs-mode: nil; -*-
* vim:expandtab:shiftwidth=8:tabstop=8:
*
- * lustre/obdclass/capa.c
- * Lustre Capability Cache Management
+ * GPL HEADER START
*
- * Copyright (c) 2001-2003 Cluster File Systems, Inc.
- * Author: Lai Siyao<lsy@clusterfs.com>
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
- * This file is part of Lustre, http://www.lustre.org.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 only,
+ * as published by the Free Software Foundation.
*
- * Lustre is free software; you can redistribute it and/or
- * modify it under the terms of version 2 of the GNU General Public
- * License as published by the Free Software Foundation.
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License version 2 for more details (a copy is included
+ * in the LICENSE file that accompanied this code).
*
- * Lustre is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; If not, see
+ * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
*
- * You should have received a copy of the GNU General Public License
- * along with Lustre; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ *
+ * GPL HEADER END
+ */
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved
+ * Use is subject to license terms.
*/
+/*
+ * This file is part of Lustre, http://www.lustre.org/
+ * Lustre is a trademark of Sun Microsystems, Inc.
+ *
+ * lustre/obdclass/capa.c
+ *
+ * Lustre Capability Hash Management
+ *
+ * Author: Lai Siyao<lsy@clusterfs.com>
+ */
+
#ifndef EXPORT_SYMTAB
# define EXPORT_SYMTAB
#endif
#include <linux/module.h>
#include <linux/init.h>
-#include <linux/obd_class.h>
-#include <linux/lustre_debug.h>
-#include <linux/lustre_idl.h>
-#include <linux/lustre_sec.h>
+#include <obd_class.h>
+#include <lustre_debug.h>
+#include <lustre/lustre_idl.h>
#else
#include <liblustre.h>
#endif
#include <libcfs/list.h>
-#include <linux/lustre_sec.h>
+#include <lustre_capa.h>
-kmem_cache_t *capa_cachep = NULL;
+#define NR_CAPAHASH 32
+#define CAPA_HASH_SIZE 3000 /* for MDS & OSS */
-/* capa_lock protect capa hash, list and content. */
+cfs_mem_cache_t *capa_cachep = NULL;
+
+#ifdef __KERNEL__
+/* lock for capa hash/capa_list/fo_capa_keys */
spinlock_t capa_lock = SPIN_LOCK_UNLOCKED;
-struct hlist_head *capa_hash;
-struct list_head capa_list[3];
-static int capa_count[3] = { 0 };
-static char *capa_type_name[] = { "client", "mds", "filter" };
+struct list_head capa_list[CAPA_SITE_MAX];
-/* TODO: mdc and llite all need this, so define it here.
- * in the future it will be moved to ll_sb_info to support multi-
- * mount point */
-struct timer_list ll_capa_timer;
+static struct capa_hmac_alg capa_hmac_algs[] = {
+ DEF_CAPA_HMAC_ALG("sha1", SHA1, 20, 20),
+};
+#endif
+/* capa count */
+int capa_count[CAPA_SITE_MAX] = { 0, };
-EXPORT_SYMBOL(capa_lock);
-EXPORT_SYMBOL(capa_hash);
+EXPORT_SYMBOL(capa_cachep);
EXPORT_SYMBOL(capa_list);
-EXPORT_SYMBOL(ll_capa_timer);
-
-static inline int const
-capa_hashfn(unsigned int uid, __u64 mdsid, unsigned long ino)
-{
- return (ino ^ uid) * (unsigned long)(mdsid + 1) % NR_CAPAHASH;
-}
-
-int capa_op(int flags)
-{
- if (flags & (FMODE_WRITE|MDS_OPEN_TRUNC))
- return CAPA_WRITE;
- else if (flags & FMODE_READ)
- return CAPA_READ;
-
- LBUG(); /* should be either MAY_READ or MAY_WRITE */
- return 0;
-}
+EXPORT_SYMBOL(capa_lock);
+EXPORT_SYMBOL(capa_count);
-static struct obd_capa *
-find_capa(struct hlist_head *head, uid_t uid, int capa_op, __u64 mdsid,
- unsigned long ino, __u32 igen, int type)
+struct hlist_head *init_capa_hash(void)
{
- struct hlist_node *pos;
- struct obd_capa *ocapa;
- uid_t ouid;
-
- CDEBUG(D_INODE, "find capa for (uid %u, op %d, mdsid "LPU64", ino %lu"
- " igen %u, type %d\n", (unsigned) uid, capa_op, mdsid, ino, igen, type);
- hlist_for_each_entry(ocapa, pos, head, c_hash) {
- if (ocapa->c_capa.lc_ino != ino)
- continue;
- if (ocapa->c_capa.lc_igen != igen)
- continue;
- if (ocapa->c_capa.lc_mdsid != mdsid)
- continue;
- if ((ocapa->c_capa.lc_op & capa_op) != ocapa->c_capa.lc_op)
- continue;
- if (ocapa->c_type != type)
- continue;
-
- if (ocapa->c_type == CLIENT_CAPA)
- ouid = ocapa->c_capa.lc_ruid;
- else
- ouid = ocapa->c_capa.lc_uid;
-
- if (ouid != uid)
- continue;
+ struct hlist_head *hash;
+ int nr_hash, i;
- DEBUG_CAPA(D_INODE, &ocapa->c_capa, "found %s",
- capa_type_name[ocapa->c_type]);
+ OBD_ALLOC(hash, CFS_PAGE_SIZE);
+ if (!hash)
+ return NULL;
- return ocapa;
- }
+ nr_hash = CFS_PAGE_SIZE / sizeof(struct hlist_head);
+ LASSERT(nr_hash > NR_CAPAHASH);
- return NULL;
+ for (i = 0; i < NR_CAPAHASH; i++)
+ INIT_HLIST_HEAD(hash + i);
+ return hash;
}
-inline void __capa_get(struct obd_capa *ocapa)
+#ifdef __KERNEL__
+static inline int capa_on_server(struct obd_capa *ocapa)
{
- if (ocapa->c_type != CLIENT_CAPA)
- atomic_inc(&ocapa->c_refc);
+ return ocapa->c_site == CAPA_SITE_SERVER;
}
-static struct obd_capa *
-find_capa_locked(struct hlist_head *head, uid_t uid, int capa_op, __u64 mdsid,
- unsigned long ino, __u32 igen, int type)
+static inline void capa_delete(struct obd_capa *ocapa)
{
- struct obd_capa *ocapa;
-
- spin_lock(&capa_lock);
- ocapa = find_capa(head, uid, capa_op, mdsid, ino, igen, type);
- if (ocapa)
- __capa_get(ocapa);
- spin_unlock(&capa_lock);
-
- return ocapa;
+ LASSERT(capa_on_server(ocapa));
+ hlist_del_init(&ocapa->u.tgt.c_hash);
+ list_del_init(&ocapa->c_list);
+ capa_count[ocapa->c_site]--;
+ /* release the ref when alloc */
+ capa_put(ocapa);
}
-static struct obd_capa *alloc_capa(void)
+void cleanup_capa_hash(struct hlist_head *hash)
{
- struct obd_capa *ocapa;
+ int i;
+ struct hlist_node *pos, *next;
+ struct obd_capa *oc;
- OBD_SLAB_ALLOC(ocapa, capa_cachep, SLAB_NOFS, sizeof(*ocapa));
- if (ocapa) {
- INIT_HLIST_NODE(&ocapa->c_hash);
- INIT_LIST_HEAD(&ocapa->c_list);
+ spin_lock(&capa_lock);
+ for (i = 0; i < NR_CAPAHASH; i++) {
+ hlist_for_each_entry_safe(oc, pos, next, hash + i, u.tgt.c_hash)
+ capa_delete(oc);
}
+ spin_unlock(&capa_lock);
- return ocapa;
+ OBD_FREE(hash, CFS_PAGE_SIZE);
}
-static void __capa_put(struct obd_capa *ocapa)
+static inline int capa_hashfn(struct lu_fid *fid)
{
- hlist_del_init(&ocapa->c_hash);
- list_del_init(&ocapa->c_list);
- capa_count[ocapa->c_type]--;
+ return (fid_oid(fid) ^ fid_ver(fid)) *
+ (unsigned long)(fid_seq(fid) + 1) % NR_CAPAHASH;
}
-static void destroy_capa(struct obd_capa *ocapa)
+/* capa renewal time check is earlier than that on client, which is to prevent
+ * client renew right after obtaining it. */
+static inline int capa_is_to_expire(struct obd_capa *oc)
{
- OBD_SLAB_FREE(ocapa, capa_cachep, sizeof(*ocapa));
+ return cfs_time_before(cfs_time_sub(oc->c_expiry,
+ cfs_time_seconds(oc->c_capa.lc_timeout)*2/3),
+ cfs_time_current());
}
-int capa_cache_init(void)
+static struct obd_capa *find_capa(struct lustre_capa *capa,
+ struct hlist_head *head, int alive)
{
- int nr_hash, i;
-
- OBD_ALLOC(capa_hash, PAGE_SIZE);
- if (!capa_hash)
- return -ENOMEM;
-
- nr_hash = PAGE_SIZE / sizeof(struct hlist_head);
- LASSERT(nr_hash > NR_CAPAHASH);
-
- for (i = 0; i < NR_CAPAHASH; i++)
- INIT_HLIST_HEAD(capa_hash + i);
-
- for (i = 0; i < 3; i++)
- INIT_LIST_HEAD(&capa_list[i]);
+ struct hlist_node *pos;
+ struct obd_capa *ocapa;
+ int len = alive ? offsetof(struct lustre_capa, lc_keyid):sizeof(*capa);
- return 0;
-}
+ hlist_for_each_entry(ocapa, pos, head, u.tgt.c_hash) {
+ if (memcmp(&ocapa->c_capa, capa, len))
+ continue;
+ /* don't return one that will expire soon in this case */
+ if (alive && capa_is_to_expire(ocapa))
+ continue;
-void capa_cache_cleanup(void)
-{
- struct obd_capa *ocapa, *tmp;
- int i;
+ LASSERT(capa_on_server(ocapa));
- for (i = MDS_CAPA; i <= FILTER_CAPA; i++) {
- list_for_each_entry_safe(ocapa, tmp, &capa_list[i], c_list) {
- __capa_put(ocapa);
- destroy_capa(ocapa);
- }
+ DEBUG_CAPA(D_SEC, &ocapa->c_capa, "found");
+ return ocapa;
}
- OBD_FREE(capa_hash, PAGE_SIZE);
+ return NULL;
}
-
-static inline void list_add_capa(struct obd_capa *ocapa, struct list_head *head)
+#define LRU_CAPA_DELETE_COUNT 12
+static inline void capa_delete_lru(struct list_head *head)
{
- struct obd_capa *tmp;
-
- /* XXX: capa is sorted in client, this could be optimized */
- if (ocapa->c_type == CLIENT_CAPA) {
- list_for_each_entry_reverse(tmp, head, c_list) {
- if (ocapa->c_capa.lc_expiry > tmp->c_capa.lc_expiry) {
- list_add(&ocapa->c_list, &tmp->c_list);
- return;
- }
- }
- }
+ struct obd_capa *ocapa;
+ struct list_head *node = head->next;
+ int count = 0;
+
+ /* free LRU_CAPA_DELETE_COUNT unused capa from head */
+ while (count++ < LRU_CAPA_DELETE_COUNT) {
+ ocapa = list_entry(node, struct obd_capa, c_list);
+ node = node->next;
+ if (atomic_read(&ocapa->c_refc))
+ continue;
- list_add(&ocapa->c_list, head);
+ DEBUG_CAPA(D_SEC, &ocapa->c_capa, "free lru");
+ capa_delete(ocapa);
+ }
}
-static inline void do_update_capa(struct obd_capa *ocapa, struct lustre_capa *capa)
+/* add or update */
+struct obd_capa *capa_add(struct hlist_head *hash, struct lustre_capa *capa)
{
- memcpy(&ocapa->c_capa, capa, sizeof(*capa));
-}
+ struct hlist_head *head = hash + capa_hashfn(&capa->lc_fid);
+ struct obd_capa *ocapa, *old = NULL;
+ struct list_head *list = &capa_list[CAPA_SITE_SERVER];
-static struct obd_capa *
-get_new_capa_locked(struct hlist_head *head, int type, struct lustre_capa *capa)
-{
- uid_t uid = capa->lc_uid;
- int capa_op = capa->lc_op;
- __u64 mdsid = capa->lc_mdsid;
- unsigned long ino = capa->lc_ino;
- struct obd_capa *ocapa, *old;
-
- ocapa = alloc_capa();
- if (!ocapa)
+ ocapa = alloc_capa(CAPA_SITE_SERVER);
+ if (IS_ERR(ocapa))
return NULL;
spin_lock(&capa_lock);
- old = find_capa(head, uid, capa_op, mdsid, ino, capa->lc_igen, type);
+ old = find_capa(capa, head, 0);
if (!old) {
- do_update_capa(ocapa, capa);
- ocapa->c_type = type;
- list_add_capa(ocapa, &capa_list[type]);
- hlist_add_head(&ocapa->c_hash, head);
- if (type == CLIENT_CAPA)
- INIT_LIST_HEAD(&ocapa->c_lli_list);
- __capa_get(ocapa);
-
- capa_count[type]++;
-
- DEBUG_CAPA(D_INODE, &ocapa->c_capa, "new %s",
- capa_type_name[type]);
-
- if (type != CLIENT_CAPA && capa_count[type] > CAPA_CACHE_SIZE) {
- struct list_head *node = capa_list[type].next;
- struct obd_capa *tcapa;
- int count = 0;
-
- /* free 12 unused capa from head */
- while (node->next != &capa_list[type] && count < 12) {
- tcapa = list_entry(node, struct obd_capa,
- c_list);
- node = node->next;
- if (atomic_read(&tcapa->c_refc) > 0)
- continue;
- DEBUG_CAPA(D_INODE, &tcapa->c_capa,
- "free unused %s",
- capa_type_name[type]);
- __capa_put(tcapa);
- destroy_capa(tcapa);
- count++;
- }
- }
-
+ ocapa->c_capa = *capa;
+ set_capa_expiry(ocapa);
+ hlist_add_head(&ocapa->u.tgt.c_hash, head);
+ list_add_tail(&ocapa->c_list, list);
+ capa_get(ocapa);
+ capa_count[CAPA_SITE_SERVER]++;
+ if (capa_count[CAPA_SITE_SERVER] > CAPA_HASH_SIZE)
+ capa_delete_lru(list);
spin_unlock(&capa_lock);
return ocapa;
- }
- spin_unlock(&capa_lock);
-
- destroy_capa(ocapa);
- return old;
-}
-
-struct obd_capa *
-capa_get(uid_t uid, int capa_op,__u64 mdsid, unsigned long ino,
- __u32 igen, int type)
-{
- struct hlist_head *head = capa_hash + capa_hashfn(uid, mdsid, ino);
- struct obd_capa *ocapa;
-
- ocapa = find_capa_locked(head, uid, capa_op, mdsid, ino, igen, type);
-
- return ocapa;
-}
-
-void capa_put(struct obd_capa *ocapa)
-{
- if (!ocapa)
- return;
-
- DEBUG_CAPA(D_INODE, &ocapa->c_capa, "put %s",
- capa_type_name[ocapa->c_type]);
- spin_lock(&capa_lock);
- if (ocapa->c_type == CLIENT_CAPA) {
- list_del_init(&ocapa->c_lli_list);
- __capa_put(ocapa);
- destroy_capa(ocapa);
} else {
- atomic_dec(&ocapa->c_refc);
+ capa_get(old);
+ spin_unlock(&capa_lock);
+ capa_put(ocapa);
+ return old;
}
- spin_unlock(&capa_lock);
}
-struct obd_capa *capa_renew(struct lustre_capa *capa, int type)
+struct obd_capa *capa_lookup(struct hlist_head *hash, struct lustre_capa *capa,
+ int alive)
{
- uid_t uid = capa->lc_uid;
- int capa_op = capa->lc_op;
- __u64 mdsid = capa->lc_mdsid;
- unsigned long ino = capa->lc_ino;
- struct hlist_head *head = capa_hash +
- capa_hashfn(uid, mdsid, ino);
struct obd_capa *ocapa;
spin_lock(&capa_lock);
- ocapa = find_capa(head, uid, capa_op, mdsid, ino, capa->lc_igen, type);
+ ocapa = find_capa(capa, hash + capa_hashfn(&capa->lc_fid), alive);
if (ocapa) {
- DEBUG_CAPA(D_INFO, capa, "renew %s", capa_type_name[type]);
- do_update_capa(ocapa, capa);
+ list_move_tail(&ocapa->c_list, &capa_list[CAPA_SITE_SERVER]);
+ capa_get(ocapa);
}
spin_unlock(&capa_lock);
- if (!ocapa)
- ocapa = get_new_capa_locked(head, type, capa);
-
return ocapa;
}
-void capa_hmac(struct crypto_tfm *_tfm, __u8 *key, struct lustre_capa *capa)
+int capa_hmac(__u8 *hmac, struct lustre_capa *capa, __u8 *key)
{
- struct crypto_tfm *_tfm;
- int keylen = CAPA_KEY_LEN;
+ struct ll_crypto_hash *tfm;
+ struct capa_hmac_alg *alg;
+ int keylen;
struct scatterlist sl = {
.page = virt_to_page(capa),
- .offset = (unsigned long)(capa) % PAGE_SIZE,
- .length = sizeof(struct lustre_capa_data),
+ .offset = (unsigned long)(capa) % CFS_PAGE_SIZE,
+ .length = offsetof(struct lustre_capa, lc_hmac),
};
- tfm = crypto_alloc_tfm(CAPA_HMAC_ALG, 0);
- LASSERT(tfm);
- crypto_hmac(tfm, key, &keylen, &sl, 1, capa->lc_hmac);
- crypto_free_tfm(tfm);
-}
+ if (capa_alg(capa) != CAPA_HMAC_ALG_SHA1) {
+ CERROR("unknown capability hmac algorithm!\n");
+ return -EFAULT;
+ }
-void capa_dup(void *dst, struct obd_capa *ocapa)
-{
- spin_lock(&capa_lock);
- memcpy(dst, &ocapa->c_capa, sizeof(ocapa->c_capa));
- spin_unlock(&capa_lock);
-}
+ alg = &capa_hmac_algs[capa_alg(capa)];
-void capa_dup2(void *dst, struct lustre_capa *capa)
-{
- spin_lock(&capa_lock);
- memcpy(dst, capa, sizeof(*capa));
- spin_unlock(&capa_lock);
-}
+ tfm = ll_crypto_alloc_hash(alg->ha_name, 0, 0);
+ if (!tfm) {
+ CERROR("crypto_alloc_tfm failed, check whether your kernel"
+ "has crypto support!\n");
+ return -ENOMEM;
+ }
+ keylen = alg->ha_keylen;
-int capa_expired(struct lustre_capa *capa)
-{
- struct timeval tv;
+ ll_crypto_hmac(tfm, key, &keylen, &sl, sl.length, hmac);
+ ll_crypto_free_hash(tfm);
- do_gettimeofday(&tv);
- return ((unsigned long )capa->lc_expiry <= tv.tv_sec) ? 1 : 0;
+ return 0;
}
-int __capa_is_to_expire(struct obd_capa *ocapa, struct timeval *tv)
+int capa_encrypt_id(__u32 *d, __u32 *s, __u8 *key, int keylen)
{
- int pre_expiry = capa_pre_expiry(&ocapa->c_capa);
+ struct ll_crypto_cipher *tfm;
+ struct scatterlist sd = {
+ .page = virt_to_page(d),
+ .offset = (unsigned long)(d) % CFS_PAGE_SIZE,
+ .length = 16,
+ };
+ struct scatterlist ss = {
+ .page = virt_to_page(s),
+ .offset = (unsigned long)(s) % CFS_PAGE_SIZE,
+ .length = 16,
+ };
+ struct blkcipher_desc desc;
+ unsigned int min;
+ int rc;
+ ENTRY;
+
+ tfm = ll_crypto_alloc_blkcipher("aes", 0, 0 );
+ if (tfm == NULL) {
+ CERROR("failed to load transform for aes\n");
+ RETURN(-EFAULT);
+ }
+
+ min = crypto_tfm_alg_min_keysize(tfm);
+ if (keylen < min) {
+ CERROR("keylen at least %d bits for aes\n", min * 8);
+ GOTO(out, rc = -EINVAL);
+ }
+
+ rc = ll_crypto_blkcipher_setkey(tfm, key, min);
+ if (rc) {
+ CERROR("failed to setting key for aes\n");
+ GOTO(out, rc);
+ }
+
+ desc.tfm = tfm;
+ desc.info = NULL;
+ desc.flags = 0;
+ rc = ll_crypto_blkcipher_encrypt(&desc, &sd, &ss, 16);
+ if (rc) {
+ CERROR("failed to encrypt for aes\n");
+ GOTO(out, rc);
+ }
+
+ EXIT;
- /* XXX: in case the clock is inaccurate, minus one more
- * pre_expiry to make sure the expiry won't miss */
- return ((unsigned long)ocapa->c_capa.lc_expiry -
- 2 * pre_expiry <= tv->tv_sec)? 1 : 0;
+out:
+ ll_crypto_free_blkcipher(tfm);
+ return rc;
}
-int capa_is_to_expire(struct obd_capa *ocapa)
+int capa_decrypt_id(__u32 *d, __u32 *s, __u8 *key, int keylen)
{
- struct timeval tv;
+ struct ll_crypto_cipher *tfm;
+ struct scatterlist sd = {
+ .page = virt_to_page(d),
+ .offset = (unsigned long)(d) % CFS_PAGE_SIZE,
+ .length = 16,
+ };
+ struct scatterlist ss = {
+ .page = virt_to_page(s),
+ .offset = (unsigned long)(s) % CFS_PAGE_SIZE,
+ .length = 16,
+ };
+ struct blkcipher_desc desc;
+ unsigned int min;
int rc;
+ ENTRY;
- do_gettimeofday(&tv);
- spin_lock(&capa_lock);
- rc = __capa_is_to_expire(ocapa, &tv);
- spin_unlock(&capa_lock);
+ tfm = ll_crypto_alloc_blkcipher("aes", 0, 0 );
+ if (tfm == NULL) {
+ CERROR("failed to load transform for aes\n");
+ RETURN(-EFAULT);
+ }
+
+ min = crypto_tfm_alg_min_keysize(tfm);
+ if (keylen < min) {
+ CERROR("keylen at least %d bits for aes\n", min * 8);
+ GOTO(out, rc = -EINVAL);
+ }
+ rc = ll_crypto_blkcipher_setkey(tfm, key, min);
+ if (rc) {
+ CERROR("failed to setting key for aes\n");
+ GOTO(out, rc);
+ }
+
+ desc.tfm = tfm;
+ desc.info = NULL;
+ desc.flags = 0;
+ rc = ll_crypto_blkcipher_decrypt(&desc, &sd, &ss, 16);
+ if (rc) {
+ CERROR("failed to decrypt for aes\n");
+ GOTO(out, rc);
+ }
+
+ EXIT;
+
+out:
+ ll_crypto_free_blkcipher(tfm);
return rc;
}
+#endif
+
+void capa_cpy(void *capa, struct obd_capa *ocapa)
+{
+ spin_lock(&ocapa->c_lock);
+ *(struct lustre_capa *)capa = ocapa->c_capa;
+ spin_unlock(&ocapa->c_lock);
+}
-EXPORT_SYMBOL(capa_op);
-EXPORT_SYMBOL(capa_get);
-EXPORT_SYMBOL(capa_put);
-EXPORT_SYMBOL(capa_renew);
-EXPORT_SYMBOL(__capa_get);
+EXPORT_SYMBOL(init_capa_hash);
+EXPORT_SYMBOL(cleanup_capa_hash);
+EXPORT_SYMBOL(capa_add);
+EXPORT_SYMBOL(capa_lookup);
EXPORT_SYMBOL(capa_hmac);
-EXPORT_SYMBOL(capa_dup);
-EXPORT_SYMBOL(capa_dup2);
-EXPORT_SYMBOL(capa_expired);
-EXPORT_SYMBOL(__capa_is_to_expire);
-EXPORT_SYMBOL(capa_is_to_expire);
+EXPORT_SYMBOL(capa_encrypt_id);
+EXPORT_SYMBOL(capa_decrypt_id);
+EXPORT_SYMBOL(capa_cpy);