From: wangdi Date: Thu, 11 Aug 2005 08:45:05 +0000 (+0000) Subject: Branch: HEAD X-Git-Tag: v1_7_100~939 X-Git-Url: https://git.whamcloud.com/?a=commitdiff_plain;h=c20f7da25445308ed1f5a78cfe3a07d55b796fbf;p=fs%2Flustre-release.git Branch: HEAD some fixes about crypto api 1)some fixes about init inode key 2)some fixes about compute new mac --- diff --git a/lustre/include/linux/lustre_gs.h b/lustre/include/linux/lustre_gs.h index d155efd..35c7827 100644 --- a/lustre/include/linux/lustre_gs.h +++ b/lustre/include/linux/lustre_gs.h @@ -49,6 +49,7 @@ struct lustre_key { atomic_t lk_refcount; __u32 lk_key_type; __u32 lk_flags; + __u8 lk_dk[KEY_SIZE]; }; static inline struct lustre_key * diff --git a/lustre/llite/llite_gs.c b/lustre/llite/llite_gs.c index 83b1255..574a926 100644 --- a/lustre/llite/llite_gs.c +++ b/lustre/llite/llite_gs.c @@ -240,7 +240,7 @@ int ll_gks_init_it(struct inode *parent, struct lookup_intent *it) RETURN(rc); ll_gs_intent_init(it); - if (!(it->it_op & IT_CREAT)) + if (!(it->it_flags & O_CREAT)) RETURN(rc); LASSERT(it->d.fs_data != NULL); @@ -330,7 +330,7 @@ int ll_gks_decrypt_key(struct inode *inode, struct lookup_intent *it) /*copy the decrypt key from kcontext to the lustre key*/ spin_lock(&lli->lli_lock); - memcpy(&lkey->lk_ck, ckey, sizeof(*ckey)); + memcpy(&lkey->lk_dk, ckey->ck_key, KEY_SIZE); SET_DECRYPTED(lkey->lk_flags); spin_unlock(&lli->lli_lock); out: @@ -382,6 +382,7 @@ int ll_gks_get_mac(struct inode *inode, struct iattr *iattr, void *value, struct key_perm *kperm = NULL; struct key_parms kparms; struct lustre_key *lkey = NULL; + struct crypto_key *ckey = NULL; struct posix_acl *acl = NULL, *new_acl = NULL; int rc = 0, kperm_size = 0, kcontext_size = 0; mode_t mac_mode; @@ -422,7 +423,9 @@ int ll_gks_get_mac(struct inode *inode, struct iattr *iattr, void *value, GOTO(out, rc); } } - } + } else { + new_acl = acl; + } acl_count = new_acl ? new_acl->a_count : 0; kperm_size = crypto_kperm_size(acl_count); OBD_ALLOC(kperm, kperm_size); @@ -434,22 +437,18 @@ int ll_gks_get_mac(struct inode *inode, struct iattr *iattr, void *value, kparms.perm_size = kperm_size; *key_size = sizeof(struct crypto_key); - OBD_ALLOC(*key, *key_size); - if (!*key) + OBD_ALLOC(ckey, sizeof(struct crypto_key)); + if (!ckey) GOTO(out, rc = -ENOMEM); /*GET an encrypt key from GS server*/ rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms, - key_size, *key); + key_size, ckey); if (rc) { CERROR("decrypt key error rc %d \n", rc); GOTO(out, rc); } - printk("come here 5\n"); - /*copy the decrypt key from kcontext to the lustre key*/ - spin_lock(&lli->lli_lock); - memcpy(&lkey->lk_ck, *key, *key_size); + *key = ckey; iattr->ia_valid |= ATTR_MAC; - spin_unlock(&lli->lli_lock); out: if (acl) posix_acl_release(acl); @@ -464,6 +463,17 @@ out: RETURN(rc); } +static int ll_crypt_permission_check(struct lustre_key *lkey, + int flags) +{ + if (!IS_DECRYPTED(lkey->lk_flags)) + RETURN(-EFAULT); + if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags)) + RETURN(-EFAULT); + if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags)) + RETURN(-EFAULT); + RETURN(0); +} /*key function for calculate the key for countermode method*/ static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count, int flags) @@ -475,23 +485,19 @@ static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count, char *key_ptr; int index = page->index; __u64 data_key = 0; - int i; + int i, rc = 0; ENTRY; if (!lkey) RETURN(0); - if (!IS_DECRYPTED(lkey->lk_flags)) - RETURN(-EFAULT); - if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags)) - RETURN(-EFAULT); - if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags)) - RETURN(-EFAULT); - - /*FIXME: tmp calculate method, should calculate - the key according to KEY_TYPE*/ - spin_lock(&lli->lli_lock); - key_ptr = &lkey->lk_ck.ck_key[0]; + rc = ll_crypt_permission_check(lkey, flags); + if (rc) { + spin_unlock(&lli->lli_lock); + RETURN(rc); + } + + key_ptr = &lkey->lk_dk[0]; for (i=0; i < KEY_SIZE; i++) data_key += *key_ptr++; spin_unlock(&lli->lli_lock); @@ -508,7 +514,7 @@ static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count, CDEBUG(D_INFO, "encrypted ptr is %s \n", key_ptr); kunmap(page); - RETURN(0); + RETURN(rc); } int ll_gs_init_inode_key(struct inode *inode, void *mkey) @@ -533,25 +539,25 @@ int ll_gs_init_inode_key(struct inode *inode, void *mkey) spin_lock(&lli->lli_lock); lli->lli_key_info = lkey; spin_unlock(&lli->lli_lock); + CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n", + lli->lli_key_info->lk_ck.ck_key, + lli->lli_key_info->lk_ck.ck_mac, + inode->i_ino); } else { lkey = lustre_key_get(lli->lli_key_info); - if (!IS_DECRYPTED(lkey->lk_flags)) { - if (memcmp(&lkey->lk_ck, key, sizeof(*key))) { - CWARN("already have key_info %p in ino %ld \n", - lli->lli_key_info, inode->i_ino); - } - } else { - spin_lock(&lli->lli_lock); + LASSERTF(!memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE), + "old key %s != new key %s\n", lkey->lk_ck.ck_key, + key->ck_key); + spin_lock(&lli->lli_lock); + if (memcmp(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE)){ + CDEBUG(D_INFO, "reset mac %s to %s ino %ld \n", + lkey->lk_ck.ck_mac, key->ck_mac, inode->i_ino); + memcpy(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE); SET_UNDECRYPTED(lkey->lk_flags); - memcpy(&lkey->lk_ck, key, sizeof(*key)); - spin_unlock(&lli->lli_lock); } + spin_unlock(&lli->lli_lock); lustre_key_release(lkey); } - CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n", - lli->lli_key_info->lk_ck.ck_mac, - lli->lli_key_info->lk_ck.ck_key, - inode->i_ino); RETURN(0); } diff --git a/lustre/osc/osc_request.c b/lustre/osc/osc_request.c index aeae7d0..6c3b4aa 100644 --- a/lustre/osc/osc_request.c +++ b/lustre/osc/osc_request.c @@ -868,7 +868,9 @@ get_capa: pg_prev->disk_offset); if (opc == OST_WRITE) { - osc_encrypt_page(pg->pg, pg->page_offset, pg->count); + rc = osc_encrypt_page(pg->pg, pg->page_offset, pg->count); + if (rc) + GOTO(out, rc); } ptlrpc_prep_bulk_page(desc, pg->pg, diff --git a/lustre/sec/gks/gks_client.c b/lustre/sec/gks/gks_client.c index 5e1fb45..47cc624 100644 --- a/lustre/sec/gks/gks_client.c +++ b/lustre/sec/gks/gks_client.c @@ -71,7 +71,7 @@ static int gkc_get_key(struct obd_export *exp, struct key_parms *kparms, memcpy(ckey, rep_key, sizeof(*rep_key)); - CDEBUG(D_INFO, "get enkey %s, mac %s type %d\n", ckey->ck_key, ckey->ck_mac, + CDEBUG(D_INFO, "get key %s, mac %s type %d\n", ckey->ck_key, ckey->ck_mac, ckey->ck_type); ptlrpc_req_finished(req); diff --git a/lustre/sec/gks/gks_server.c b/lustre/sec/gks/gks_server.c index c7f8b5a..ecea3a3 100644 --- a/lustre/sec/gks/gks_server.c +++ b/lustre/sec/gks/gks_server.c @@ -226,7 +226,7 @@ static int gks_create_key(struct ptlrpc_request *req, int offset) ckey->ck_type = GKS_TYPE; - CDEBUG(D_INFO, "get key %s\n", ckey->ck_key); + CDEBUG(D_INFO, "original decrypt key %s\n", ckey->ck_key); crypto_encrypt_gks_key(req, ckey->ck_key, KEY_SIZE); @@ -289,12 +289,14 @@ static int gks_decrypt_key(struct ptlrpc_request *req, int offset) ckey = (struct crypto_key *)lustre_msg_buf(req->rq_repmsg, 0, sizeof (*ckey)); memcpy(ckey, &kctxt->kc_ck, sizeof(*ckey)); - + + CDEBUG(D_INFO, "encrypt key %s mac %s \n", ckey->ck_key, ckey->ck_mac); rc = crypto_decrypt_gks_key(req, ckey->ck_key, KEY_SIZE); if (rc != 0) { CERROR("permssion check failed\n"); RETURN(rc); } + CDEBUG(D_INFO, "decrypt key %s mac %s \n", ckey->ck_key, ckey->ck_mac); RETURN(0); } diff --git a/lustre/tests/sanity-crypto.sh b/lustre/tests/sanity-crypto.sh index 936220f..fbfca4e 100755 --- a/lustre/tests/sanity-crypto.sh +++ b/lustre/tests/sanity-crypto.sh @@ -117,25 +117,26 @@ disable_encrypt() { } enable_encrypt() { NAME=$1 - grep " $MOUNT " /proc/mounts || zconf_mount `hostname` $MOUNT + grep " $MOUNT " /proc/mounts && umount $MOUNT + zconf_mount `hostname` $MOUNT $LCTL set_crypt $MOUNT $CRYPT_TYPE } mkdir -p $DIR test_1a() { - rm -rf $DIR1/1a* enable_encrypt $MOUNT echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/1a0 echo aaaaaaaaaaaaaaaaaaaa >> $DIR2/1a1 diff -u $DIR1/1a0 $DIR2/1a1 || error "files are different" disable_encrypt $MOUNT diff -u $DIR1/1a0 $DIR2/1a1 && error "write encryption failed" + enable_encrypt $MOUNT + diff -u $DIR1/1a0 $DIR2/1a1 || error "files are different" } run_test 1a "read/write encryption=============" test_2a() { - rm -rf $DIR1/2a* enable_encrypt $MOUNT touch $DIR1/2a0 setfacl -m u:bin:rw $DIR1/2a0 @@ -144,6 +145,8 @@ test_2a() { diff -u $DIR1/2a0 $DIR2/2a1 || error "files are different" disable_encrypt $MOUNT diff -u $DIR1/2a0 $DIR2/2a1 && error "write encryption failed" + enable_encrypt $MOUNT + diff -u $DIR1/2a0 $DIR2/2a1 || error "files are different" } run_test 2a "read/write encryption with acl=============" @@ -158,6 +161,8 @@ test_3a() { diff -u $DIR1/3a0 $DIR2/3a1 || error "files are different" disable_encrypt $MOUNT diff -u $DIR1/3a0 $DIR2/3a1 && error "write encryption failed" + enable_encrypt $MOUNT + diff -u $DIR1/3a0 $DIR2/3a1 || error "files are different" } run_test 3a "write chmod encryption=============" @@ -172,6 +177,8 @@ test_4a() { diff -u $DIR1/4a0 $DIR2/4a1 || error "files are different" disable_encrypt $MOUNT diff -u $DIR1/4a0 $DIR2/4a1 && error "write encryption failed" + enable_encrypt $MOUNT + diff -u $DIR1/4a0 $DIR2/4a1 || error "files are different" } run_test 4a "write chacl encryption=============" @@ -181,12 +188,15 @@ test_5a() { echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/5a0 echo aaaaaaaaaaaaaaaaaaaa >> $DIR2/5a1 setfacl -m u:bin:rw $DIR1/5a0 - chown $RUN_UID $DIR1/3a0 + chown $RUN_UID $DIR1/5a0 echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/5a0 || error "chown write error" echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/5a1 diff -u $DIR1/5a0 $DIR2/5a1 || error "files are different" + echo "enable crypt read success" disable_encrypt $MOUNT diff -u $DIR1/5a0 $DIR2/5a1 && error "write encryption failed" + enable_encrypt $MOUNT + diff -u $DIR1/5a0 $DIR2/5a1 || error "files are different" } run_test 5a "write chacl encryption============="