4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (C) 2015, Trustees of Indiana University
25 * Copyright (c) 2016, Intel Corporation.
27 * Author: Jeremy Filizetti <jfilizet@iu.edu>
40 #include <sys/types.h>
43 #include <linux/lustre/lustre_user.h>
52 /* One week default expiration */
53 #define SK_DEFAULT_EXPIRE 604800
54 #define SK_DEFAULT_SK_KEYLEN 256
55 #define SK_DEFAULT_PRIME_BITS 2048
56 #define SK_DEFAULT_NODEMAP "default"
58 static void usage(FILE *fp, char *program)
62 fprintf(fp, "Usage %s [OPTIONS] {-l|-m|-r|-w} <keyfile>\n", program);
63 fprintf(fp, "-l|--load <keyfile> Load key from file into user's "
65 fprintf(fp, "-m|--modify <keyfile> Modify keyfile's attributes\n");
66 fprintf(fp, "-r|--read <keyfile> Show keyfile's attributes\n");
67 fprintf(fp, "-w|--write <keyfile> Generate keyfile\n\n");
68 fprintf(fp, "Modify/Write Options:\n");
69 fprintf(fp, "-c|--crypt <num> Cipher for encryption "
70 "(Default: AES Counter mode)\n");
71 for (i = 1; i < ARRAY_SIZE(sk_crypt_algs); i++)
73 sk_crypt_algs[i].sct_name);
74 fprintf(fp, "-i|--hmac <num> Hash algorithm for integrity "
75 "(Default: SHA256)\n");
76 for (i = 1; i < ARRAY_SIZE(sk_hmac_algs); i++)
78 sk_hmac_algs[i].sht_name);
79 fprintf(fp, "-e|--expire <num> Seconds before contexts from "
80 "key expire (Default: %d seconds (%.3g days))\n",
81 SK_DEFAULT_EXPIRE, (double)SK_DEFAULT_EXPIRE / 3600 / 24);
82 fprintf(fp, "-f|--fsname <name> File system name for key\n");
83 fprintf(fp, "-g|--mgsnids <nids> Comma seperated list of MGS "
84 "NIDs. Only required when mgssec is used (Default: \"\")\n");
85 fprintf(fp, "-n|--nodemap <name> Nodemap name for key "
86 "(Default: \"%s\")\n", SK_DEFAULT_NODEMAP);
87 fprintf(fp, "-p|--prime-bits <len> Prime length (p) for DHKE in "
88 "bits (Default: %d)\n", SK_DEFAULT_PRIME_BITS);
89 fprintf(fp, "-t|--type <type> Key type (mgs, server, "
91 fprintf(fp, "-k|--key-bits <len> Shared key length in bits "
92 "(Default: %d)\n", SK_DEFAULT_SK_KEYLEN);
93 fprintf(fp, "-d|--data <file> Key data source for new keys "
94 "(Default: /dev/random)\n");
95 fprintf(fp, " Not a seed value. "
96 "This is the actual key value.\n\n");
97 fprintf(fp, "Other Options:\n");
98 fprintf(fp, "-v|--verbose Increase verbosity for errors\n");
102 static ssize_t get_key_data(char *src, void *buffer, size_t bits)
109 /* convert bits to minimum number of bytes */
110 remain = (bits + 7) / 8;
112 printf("Reading random data for shared key from '%s'\n", src);
113 fd = open(src, O_RDONLY);
115 fprintf(stderr, "error: opening '%s': %s\n", src,
121 rc = read(fd, ptr, remain);
125 fprintf(stderr, "error: reading from '%s': %s\n", src,
130 } else if (rc == 0) {
132 "error: key source too short for %zd-bit key\n",
147 static int write_config_file(char *output_file,
148 struct sk_keyfile_config *config, bool overwrite)
152 int flags = O_WRONLY | O_CREAT;
157 sk_config_cpu_to_disk(config);
159 fd = open(output_file, flags, 0400);
161 fprintf(stderr, "error: opening '%s': %s\n", output_file,
166 rc = write(fd, config, sizeof(*config));
168 fprintf(stderr, "error: writing to '%s': %s\n", output_file,
171 } else if (rc != sizeof(*config)) {
172 fprintf(stderr, "error: short write to '%s'\n", output_file);
183 static int print_config(char *filename)
185 struct sk_keyfile_config *config;
188 config = sk_read_file(filename);
192 if (sk_validate_config(config)) {
193 fprintf(stderr, "error: key configuration failed validation\n");
198 printf("Version: %u\n", config->skc_version);
200 if (config->skc_type & SK_TYPE_MGS)
202 if (config->skc_type & SK_TYPE_SERVER)
204 if (config->skc_type & SK_TYPE_CLIENT)
207 printf("HMAC alg: %s\n", sk_hmac2name(config->skc_hmac_alg));
208 printf("Crypto alg: %s\n", sk_crypt2name(config->skc_crypt_alg));
209 printf("Ctx Expiration: %u seconds\n", config->skc_expire);
210 printf("Shared keylen: %u bits\n", config->skc_shared_keylen);
211 printf("Prime length: %u bits\n", config->skc_prime_bits);
212 printf("File system: %s\n", config->skc_fsname);
213 printf("MGS NIDs: ");
214 for (i = 0; i < MAX_MGSNIDS; i++) {
215 if (config->skc_mgsnids[i] == LNET_NID_ANY)
217 printf(" %s", libcfs_nid2str(config->skc_mgsnids[i]));
220 printf("Nodemap name: %s\n", config->skc_nodemap);
221 printf("Shared key:\n");
222 print_hex(0, config->skc_shared_key, config->skc_shared_keylen / 8);
224 /* Don't print empty keys */
225 for (i = 0; i < SK_MAX_P_BYTES; i++)
226 if (config->skc_p[i] != 0)
229 if (i != SK_MAX_P_BYTES) {
230 printf("Prime (p):\n");
231 print_hex(0, config->skc_p, config->skc_prime_bits / 8);
238 static int parse_mgsnids(char *mgsnids, struct sk_keyfile_config *config)
247 /* replace all old values */
248 for (i = 0; i < MAX_MGSNIDS; i++)
249 config->skc_mgsnids[i] = LNET_NID_ANY;
252 end = mgsnids + strlen(mgsnids);
254 while (ptr < end && i < MAX_MGSNIDS) {
255 sep = strstr(ptr, ",");
259 nid = libcfs_str2nid(ptr);
260 if (nid == LNET_NID_ANY) {
261 fprintf(stderr, "error: invalid MGS NID: %s\n", ptr);
266 config->skc_mgsnids[i++] = nid;
267 ptr += strlen(ptr) + 1;
270 if (i == MAX_MGSNIDS) {
271 fprintf(stderr, "error: more than %u MGS NIDs provided\n", i);
278 int main(int argc, char **argv)
280 struct sk_keyfile_config *config;
281 char *datafile = NULL;
286 char *mgsnids = NULL;
287 char *nodemap = NULL;
291 int crypt = SK_CRYPT_EMPTY;
292 int hmac = SK_HMAC_EMPTY;
294 int shared_keylen = -1;
299 enum sk_key_type type = SK_TYPE_INVALID;
300 bool generate_prime = false;
303 static struct option long_opts[] = {
304 { .name = "crypt", .has_arg = required_argument, .val = 'c'},
305 { .name = "data", .has_arg = required_argument, .val = 'd'},
306 { .name = "expire", .has_arg = required_argument, .val = 'e'},
307 { .name = "fsname", .has_arg = required_argument, .val = 'f'},
308 { .name = "mgsnids", .has_arg = required_argument, .val = 'g'},
309 { .name = "help", .has_arg = no_argument, .val = 'h'},
310 { .name = "hmac", .has_arg = required_argument, .val = 'i'},
311 { .name = "integrity", .has_arg = required_argument, .val = 'i'},
312 { .name = "key-bits", .has_arg = required_argument, .val = 'k'},
313 { .name = "shared", .has_arg = required_argument, .val = 'k'},
314 { .name = "load", .has_arg = required_argument, .val = 'l'},
315 { .name = "modify", .has_arg = required_argument, .val = 'm'},
316 { .name = "nodemap", .has_arg = required_argument, .val = 'n'},
317 { .name = "prime-bits", .has_arg = required_argument, .val = 'p'},
318 { .name = "read", .has_arg = required_argument, .val = 'r'},
319 { .name = "type", .has_arg = required_argument, .val = 't'},
320 { .name = "verbose", .has_arg = no_argument, .val = 'v'},
321 { .name = "write", .has_arg = required_argument, .val = 'w'},
324 while ((opt = getopt_long(argc, argv,
325 "c:d:e:f:g:hi:l:m:n:p:r:s:k:t:w:v", long_opts,
329 crypt = sk_name2crypt(optarg);
335 expire = atoi(optarg);
337 fprintf(stderr, "warning: using a %us key "
338 "expiration may cause issues during "
339 "key renegotiation\n", expire);
343 if (strlen(fsname) > MTI_NAME_MAXLEN) {
345 "error: file system name longer than "
346 "%u characters\n", MTI_NAME_MAXLEN);
354 usage(stdout, argv[0]);
357 hmac = sk_name2hmac(optarg);
360 shared_keylen = atoi(optarg);
370 if (strlen(nodemap) > LUSTRE_NODEMAP_NAME_LENGTH) {
372 "error: nodemap name longer than "
374 LUSTRE_NODEMAP_NAME_LENGTH);
379 prime_bits = atoi(optarg);
380 if (prime_bits <= 0) {
382 "error: invalid prime length: '%s'\n",
391 tmp2 = strdup(optarg);
394 "error: failed to allocate type\n");
397 tmp = strsep(&tmp2, ",");
398 while (tmp != NULL) {
399 if (strcasecmp(tmp, "server") == 0) {
400 type |= SK_TYPE_SERVER;
401 } else if (strcasecmp(tmp, "mgs") == 0) {
403 } else if (strcasecmp(tmp, "client") == 0) {
404 type |= SK_TYPE_CLIENT;
407 "error: invalid type '%s', "
408 "must be mgs, server, or client"
412 tmp = strsep(&tmp2, ",");
423 fprintf(stderr, "error: unknown option: '%c'\n", opt);
429 if (optind != argc) {
431 "error: extraneous arguments provided, check usage\n");
435 if (!input && !output && !load && !modify) {
436 usage(stderr, argv[0]);
440 /* init gss logger for foreground (no syslog) which prints to stderr */
441 initerr(NULL, verbose, 1);
444 return print_config(input);
447 if (sk_load_keyfile(load))
452 if (crypt == SK_CRYPT_INVALID) {
453 fprintf(stderr, "error: invalid crypt algorithm specified\n");
456 if (hmac == SK_HMAC_INVALID) {
457 fprintf(stderr, "error: invalid HMAC algorithm specified\n");
461 if (modify && datafile) {
463 "error: data file option not valid in key modify\n");
468 config = sk_read_file(modify);
472 if (type != SK_TYPE_INVALID) {
473 /* generate key when adding client type */
474 if (!(config->skc_type & SK_TYPE_CLIENT) &&
475 type & SK_TYPE_CLIENT)
476 generate_prime = true;
477 else if (!(type & SK_TYPE_CLIENT))
478 memset(config->skc_p, 0, SK_MAX_P_BYTES);
480 config->skc_type = type;
482 if (prime_bits != -1) {
483 memset(config->skc_p, 0, SK_MAX_P_BYTES);
484 if (config->skc_prime_bits != prime_bits &&
485 config->skc_type & SK_TYPE_CLIENT)
486 generate_prime = true;
489 /* write mode for a new key */
490 if (!fsname && !mgsnids) {
492 "error: missing --fsname or --mgsnids\n");
496 config = calloc(1, sizeof(*config));
500 /* Set the defaults for new key */
501 config->skc_version = SK_CONF_VERSION;
502 config->skc_expire = SK_DEFAULT_EXPIRE;
503 config->skc_shared_keylen = SK_DEFAULT_SK_KEYLEN;
504 config->skc_prime_bits = SK_DEFAULT_PRIME_BITS;
505 config->skc_crypt_alg = SK_CRYPT_AES256_CTR;
506 config->skc_hmac_alg = SK_HMAC_SHA256;
507 for (i = 0; i < MAX_MGSNIDS; i++)
508 config->skc_mgsnids[i] = LNET_NID_ANY;
510 if (type == SK_TYPE_INVALID) {
511 fprintf(stderr, "error: no type specified for key\n");
514 config->skc_type = type;
515 generate_prime = type & SK_TYPE_CLIENT;
517 /* SK_DEFAULT_NODEMAP is made to fit in skc_nodemap */
518 strcpy(config->skc_nodemap, SK_DEFAULT_NODEMAP);
521 datafile = "/dev/random";
524 if (crypt != SK_CRYPT_EMPTY)
525 config->skc_crypt_alg = crypt;
526 if (hmac != SK_HMAC_EMPTY)
527 config->skc_hmac_alg = hmac;
529 config->skc_expire = expire;
530 if (shared_keylen != -1)
531 config->skc_shared_keylen = shared_keylen;
532 if (prime_bits != -1)
533 config->skc_prime_bits = prime_bits;
535 /* fsname string length was checked when parsing
536 * command-line options
538 strcpy(config->skc_fsname, fsname);
540 /* nodemap string length was checked when parsing
541 * command-line options
543 strcpy(config->skc_nodemap, nodemap);
544 if (mgsnids && parse_mgsnids(mgsnids, config))
546 if (sk_validate_config(config)) {
547 fprintf(stderr, "error: key configuration failed validation\n");
551 if (datafile && get_key_data(datafile, config->skc_shared_key,
552 config->skc_shared_keylen)) {
553 fprintf(stderr, "error: failure getting key data from '%s'\n",
558 if (generate_prime) {
559 printf("Generating DH parameters, this can take a while...\n");
560 dh = DH_generate_parameters(config->skc_prime_bits,
561 SK_GENERATOR, NULL, NULL);
562 if (BN_num_bytes(dh->p) > SK_MAX_P_BYTES) {
563 fprintf(stderr, "error: cannot generate DH parameters: "
564 "requested length %d exceeds maximum %d\n",
565 config->skc_prime_bits, SK_MAX_P_BYTES * 8);
568 if (BN_bn2bin(dh->p, config->skc_p) != BN_num_bytes(dh->p)) {
570 "error: convert BIGNUM p to binary failed\n");
575 if (write_config_file(modify ?: output, config, modify))
git://git.whamcloud.com / fs / lustre-release.git / blob