4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (C) 2015, Trustees of Indiana University
25 * Copyright (c) 2016, Intel Corporation.
27 * Author: Jeremy Filizetti <jfilizet@iu.edu>
40 #include <sys/types.h>
43 #include <lnet/nidstr.h>
44 #include <lustre/lustre_idl.h>
53 /* One week default expiration */
54 #define SK_DEFAULT_EXPIRE 604800
55 #define SK_DEFAULT_SK_KEYLEN 256
56 #define SK_DEFAULT_PRIME_BITS 2048
57 #define SK_DEFAULT_NODEMAP "default"
59 /* Names match up with openssl enc and dgst commands */
60 char *sk_crypt2name[] = {
61 [SK_CRYPT_EMPTY] = "NONE",
62 [SK_CRYPT_AES256_CTR] = "AES-256-CTR",
65 const char *sk_hmac2name[] = { "NONE", "SHA256", "SHA512" };
67 static int sk_name2crypt(char *name)
71 for (i = 0; i < SK_CRYPT_MAX; i++) {
72 if (strcasecmp(name, sk_crypt2name[i]) == 0)
76 return SK_CRYPT_INVALID;
79 enum cfs_crypto_hash_alg sk_name2hmac(char *name)
81 enum cfs_crypto_hash_alg algo;
84 /* convert to lower case */
86 putchar(tolower(name[i]));
90 if (strcmp(name, "none"))
91 return CFS_HASH_ALG_NULL;
93 algo = cfs_crypto_hash_alg(name);
94 if ((algo != CFS_HASH_ALG_SHA256) ||
95 (algo != CFS_HASH_ALG_SHA512))
96 return SK_HMAC_INVALID;
101 static void usage(FILE *fp, char *program)
105 fprintf(fp, "Usage %s [OPTIONS] {-l|-m|-r|-w} <keyfile>\n", program);
106 fprintf(fp, "-l|--load <keyfile> Load key from file into user's "
107 "session keyring\n");
108 fprintf(fp, "-m|--modify <keyfile> Modify keyfile's attributes\n");
109 fprintf(fp, "-r|--read <keyfile> Show keyfile's attributes\n");
110 fprintf(fp, "-w|--write <keyfile> Generate keyfile\n\n");
111 fprintf(fp, "Modify/Write Options:\n");
112 fprintf(fp, "-c|--crypt <num> Cipher for encryption "
113 "(Default: AES Counter mode)\n");
114 for (i = 1; i < SK_CRYPT_MAX; i++)
115 fprintf(fp, " %s\n", sk_crypt2name[i]);
117 fprintf(fp, "-i|--hmac <num> Hash algorithm for integrity "
118 "(Default: SHA256)\n");
119 for (i = 1; i < sizeof(sk_hmac2name) / sizeof(sk_hmac2name[0]); i++)
120 fprintf(fp, " %s\n", sk_hmac2name[i]);
122 fprintf(fp, "-e|--expire <num> Seconds before contexts from "
123 "key expire (Default: %d seconds (%.3g days))\n",
124 SK_DEFAULT_EXPIRE, (double)SK_DEFAULT_EXPIRE / 3600 / 24);
125 fprintf(fp, "-f|--fsname <name> File system name for key\n");
126 fprintf(fp, "-g|--mgsnids <nids> Comma seperated list of MGS "
127 "NIDs. Only required when mgssec is used (Default: \"\")\n");
128 fprintf(fp, "-n|--nodemap <name> Nodemap name for key "
129 "(Default: \"%s\")\n", SK_DEFAULT_NODEMAP);
130 fprintf(fp, "-p|--prime-bits <len> Prime length (p) for DHKE in "
131 "bits (Default: %d)\n", SK_DEFAULT_PRIME_BITS);
132 fprintf(fp, "-t|--type <type> Key type (mgs, server, "
134 fprintf(fp, "-k|--key-bits <len> Shared key length in bits "
135 "(Default: %d)\n", SK_DEFAULT_SK_KEYLEN);
136 fprintf(fp, "-d|--data <file> Key data source for new keys "
137 "(Default: /dev/random)\n");
138 fprintf(fp, " Not a seed value. This is the actual key value.\n\n");
139 fprintf(fp, "Other Options:\n");
140 fprintf(fp, "-v|--verbose Increase verbosity for errors\n");
144 static ssize_t get_key_data(char *src, void *buffer, size_t bits)
151 /* convert bits to minimum number of bytes */
152 remain = (bits + 7) / 8;
154 printf("Reading random data for shared key from '%s'\n", src);
155 fd = open(src, O_RDONLY);
157 fprintf(stderr, "error: opening '%s': %s\n", src,
163 rc = read(fd, ptr, remain);
167 fprintf(stderr, "error: reading from '%s': %s\n", src,
172 } else if (rc == 0) {
174 "error: key source too short for %zd-bit key\n",
189 static int write_config_file(char *output_file,
190 struct sk_keyfile_config *config, bool overwrite)
194 int flags = O_WRONLY | O_CREAT;
199 sk_config_cpu_to_disk(config);
201 fd = open(output_file, flags, 0400);
203 fprintf(stderr, "error: opening '%s': %s\n", output_file,
208 rc = write(fd, config, sizeof(*config));
210 fprintf(stderr, "error: writing to '%s': %s\n", output_file,
213 } else if (rc != sizeof(*config)) {
214 fprintf(stderr, "error: short write to '%s'\n", output_file);
225 static int print_config(char *filename)
227 struct sk_keyfile_config *config;
230 config = sk_read_file(filename);
234 if (sk_validate_config(config)) {
235 fprintf(stderr, "error: key configuration failed validation\n");
240 printf("Version: %u\n", config->skc_version);
242 if (config->skc_type & SK_TYPE_MGS)
244 if (config->skc_type & SK_TYPE_SERVER)
246 if (config->skc_type & SK_TYPE_CLIENT)
249 printf("HMAC alg: %s\n", sk_hmac2name[config->skc_hmac_alg]);
250 printf("Crypto alg: %s\n", cfs_crypto_hash_name(config->skc_hmac_alg));
251 printf("Ctx Expiration: %u seconds\n", config->skc_expire);
252 printf("Shared keylen: %u bits\n", config->skc_shared_keylen);
253 printf("Prime length: %u bits\n", config->skc_prime_bits);
254 printf("File system: %s\n", config->skc_fsname);
255 printf("MGS NIDs: ");
256 for (i = 0; i < MAX_MGSNIDS; i++) {
257 if (config->skc_mgsnids[i] == LNET_NID_ANY)
259 printf(" %s", libcfs_nid2str(config->skc_mgsnids[i]));
262 printf("Nodemap name: %s\n", config->skc_nodemap);
263 printf("Shared key:\n");
264 print_hex(0, config->skc_shared_key, config->skc_shared_keylen / 8);
266 /* Don't print empty keys */
267 for (i = 0; i < SK_MAX_P_BYTES; i++)
268 if (config->skc_p[i] != 0)
271 if (i != SK_MAX_P_BYTES) {
272 printf("Prime (p):\n");
273 print_hex(0, config->skc_p, config->skc_prime_bits / 8);
280 static int parse_mgsnids(char *mgsnids, struct sk_keyfile_config *config)
289 /* replace all old values */
290 for (i = 0; i < MAX_MGSNIDS; i++)
291 config->skc_mgsnids[i] = LNET_NID_ANY;
294 end = mgsnids + strlen(mgsnids);
296 while (ptr < end && i < MAX_MGSNIDS) {
297 sep = strstr(ptr, ",");
301 nid = libcfs_str2nid(ptr);
302 if (nid == LNET_NID_ANY) {
303 fprintf(stderr, "error: invalid MGS NID: %s\n", ptr);
308 config->skc_mgsnids[i++] = nid;
309 ptr += strlen(ptr) + 1;
312 if (i == MAX_MGSNIDS) {
313 fprintf(stderr, "error: more than %u MGS NIDs provided\n", i);
320 int main(int argc, char **argv)
322 struct sk_keyfile_config *config;
323 char *datafile = NULL;
328 char *mgsnids = NULL;
329 char *nodemap = NULL;
333 int crypt = SK_CRYPT_EMPTY;
334 enum cfs_crypto_hash_alg hmac = CFS_HASH_ALG_NULL;
336 int shared_keylen = -1;
341 enum sk_key_type type = SK_TYPE_INVALID;
342 bool generate_prime = false;
345 static struct option long_opts[] = {
346 { .name = "crypt", .has_arg = required_argument, .val = 'c'},
347 { .name = "data", .has_arg = required_argument, .val = 'd'},
348 { .name = "expire", .has_arg = required_argument, .val = 'e'},
349 { .name = "fsname", .has_arg = required_argument, .val = 'f'},
350 { .name = "mgsnids", .has_arg = required_argument, .val = 'g'},
351 { .name = "help", .has_arg = no_argument, .val = 'h'},
352 { .name = "hmac", .has_arg = required_argument, .val = 'i'},
353 { .name = "integrity", .has_arg = required_argument, .val = 'i'},
354 { .name = "key-bits", .has_arg = required_argument, .val = 'k'},
355 { .name = "shared", .has_arg = required_argument, .val = 'k'},
356 { .name = "load", .has_arg = required_argument, .val = 'l'},
357 { .name = "modify", .has_arg = required_argument, .val = 'm'},
358 { .name = "nodemap", .has_arg = required_argument, .val = 'n'},
359 { .name = "prime-bits", .has_arg = required_argument, .val = 'p'},
360 { .name = "read", .has_arg = required_argument, .val = 'r'},
361 { .name = "type", .has_arg = required_argument, .val = 't'},
362 { .name = "verbose", .has_arg = no_argument, .val = 'v'},
363 { .name = "write", .has_arg = required_argument, .val = 'w'},
366 while ((opt = getopt_long(argc, argv,
367 "c:d:e:f:g:hi:l:m:n:p:r:s:k:t:w:v", long_opts,
371 crypt = sk_name2crypt(optarg);
377 expire = atoi(optarg);
379 fprintf(stderr, "warning: using a %us key "
380 "expiration may cause issues during "
381 "key renegotiation\n", expire);
385 if (strlen(fsname) > MTI_NAME_MAXLEN) {
387 "error: file system name longer than "
388 "%u characters\n", MTI_NAME_MAXLEN);
396 usage(stdout, argv[0]);
399 hmac = sk_name2hmac(optarg);
402 shared_keylen = atoi(optarg);
412 if (strlen(nodemap) > LUSTRE_NODEMAP_NAME_LENGTH) {
414 "error: nodemap name longer than "
416 LUSTRE_NODEMAP_NAME_LENGTH);
421 prime_bits = atoi(optarg);
422 if (prime_bits <= 0) {
424 "error: invalid prime length: '%s'\n",
433 tmp2 = strdup(optarg);
436 "error: failed to allocate type\n");
439 tmp = strsep(&tmp2, ",");
440 while (tmp != NULL) {
441 if (strcasecmp(tmp, "server") == 0) {
442 type |= SK_TYPE_SERVER;
443 } else if (strcasecmp(tmp, "mgs") == 0) {
445 } else if (strcasecmp(tmp, "client") == 0) {
446 type |= SK_TYPE_CLIENT;
449 "error: invalid type '%s', "
450 "must be mgs, server, or client"
454 tmp = strsep(&tmp2, ",");
465 fprintf(stderr, "error: unknown option: '%c'\n", opt);
471 if (optind != argc) {
473 "error: extraneous arguments provided, check usage\n");
477 if (!input && !output && !load && !modify) {
478 usage(stderr, argv[0]);
482 /* init gss logger for foreground (no syslog) which prints to stderr */
483 initerr(NULL, verbose, 1);
486 return print_config(input);
489 if (sk_load_keyfile(load))
494 if (crypt == SK_CRYPT_INVALID) {
495 fprintf(stderr, "error: invalid crypt algorithm specified\n");
498 if (hmac == SK_HMAC_INVALID) {
499 fprintf(stderr, "error: invalid HMAC algorithm specified\n");
502 if (modify && datafile) {
503 fprintf(stderr, "error: data file option not valid in key modify\n");
508 config = sk_read_file(modify);
512 if (type != SK_TYPE_INVALID) {
513 /* generate key when adding client type */
514 if (!(config->skc_type & SK_TYPE_CLIENT) &&
515 type & SK_TYPE_CLIENT)
516 generate_prime = true;
517 else if (!(type & SK_TYPE_CLIENT))
518 memset(config->skc_p, 0, SK_MAX_P_BYTES);
520 config->skc_type = type;
522 if (prime_bits != -1) {
523 memset(config->skc_p, 0, SK_MAX_P_BYTES);
524 if (config->skc_prime_bits != prime_bits &&
525 config->skc_type & SK_TYPE_CLIENT)
526 generate_prime = true;
529 /* write mode for a new key */
530 if (!fsname && !mgsnids) {
532 "error: missing --fsname or --mgsnids\n");
536 config = calloc(1, sizeof(*config));
540 /* Set the defaults for new key */
541 config->skc_version = SK_CONF_VERSION;
542 config->skc_expire = SK_DEFAULT_EXPIRE;
543 config->skc_shared_keylen = SK_DEFAULT_SK_KEYLEN;
544 config->skc_prime_bits = SK_DEFAULT_PRIME_BITS;
545 config->skc_crypt_alg = SK_CRYPT_AES256_CTR;
546 config->skc_hmac_alg = CFS_HASH_ALG_SHA256;
547 for (i = 0; i < MAX_MGSNIDS; i++)
548 config->skc_mgsnids[i] = LNET_NID_ANY;
550 if (type == SK_TYPE_INVALID) {
551 fprintf(stderr, "error: no type specified for key\n");
554 config->skc_type = type;
555 generate_prime = type & SK_TYPE_CLIENT;
557 strncpy(config->skc_nodemap, SK_DEFAULT_NODEMAP,
558 sizeof(config->skc_nodemap) - 1);
561 datafile = "/dev/random";
564 if (crypt != SK_CRYPT_EMPTY)
565 config->skc_crypt_alg = crypt;
566 if (hmac != CFS_HASH_ALG_NULL)
567 config->skc_hmac_alg = hmac;
569 config->skc_expire = expire;
570 if (shared_keylen != -1)
571 config->skc_shared_keylen = shared_keylen;
572 if (prime_bits != -1)
573 config->skc_prime_bits = prime_bits;
575 strncpy(config->skc_fsname, fsname,
576 sizeof(config->skc_fsname) - 1);
578 strncpy(config->skc_nodemap, nodemap,
579 sizeof(config->skc_nodemap) - 1);
580 if (mgsnids && parse_mgsnids(mgsnids, config))
582 if (sk_validate_config(config)) {
583 fprintf(stderr, "error: key configuration failed validation\n");
587 if (datafile && get_key_data(datafile, config->skc_shared_key,
588 config->skc_shared_keylen)) {
589 fprintf(stderr, "error: failure getting key data from '%s'\n",
594 if (generate_prime) {
595 printf("Generating DH parameters, this can take a while...\n");
596 dh = DH_generate_parameters(config->skc_prime_bits,
597 SK_GENERATOR, NULL, NULL);
598 if (BN_num_bytes(dh->p) > SK_MAX_P_BYTES) {
599 fprintf(stderr, "error: cannot generate DH parameters: "
600 "requested length %d exceeds maximum %d\n",
601 config->skc_prime_bits, SK_MAX_P_BYTES * 8);
604 if (BN_bn2bin(dh->p, config->skc_p) != BN_num_bytes(dh->p)) {
606 "error: convert BIGNUM p to binary failed\n");
611 if (write_config_file(modify ?: output, config, modify))