4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.gnu.org/licenses/gpl-2.0.html
23 * Copyright (C) 2015, Trustees of Indiana University
25 * Copyright (c) 2016, Intel Corporation.
27 * Author: Jeremy Filizetti <jfilizet@iu.edu>
39 #include <sys/types.h>
42 #include <lnet/nidstr.h>
43 #include <lustre/lustre_idl.h>
52 /* One week default expiration */
53 #define SK_DEFAULT_EXPIRE 604800
54 #define SK_DEFAULT_SK_KEYLEN 256
55 #define SK_DEFAULT_PRIME_BITS 2048
56 #define SK_DEFAULT_NODEMAP "default"
58 /* Names match up with openssl enc and dgst commands */
59 char *sk_crypt2name[] = {
60 [SK_CRYPT_EMPTY] = "NONE",
61 [SK_CRYPT_AES256_CTR] = "AES-256-CTR",
64 char *sk_hmac2name[] = {
65 [SK_HMAC_EMPTY] = "NONE",
66 [SK_HMAC_SHA256] = "SHA256",
67 [SK_HMAC_SHA512] = "SHA512",
70 static int sk_name2crypt(char *name)
74 for (i = 0; i < SK_CRYPT_MAX; i++) {
75 if (strcasecmp(name, sk_crypt2name[i]) == 0)
79 return SK_CRYPT_INVALID;
82 static int sk_name2hmac(char *name)
86 for (i = 0; i < SK_HMAC_MAX; i++) {
87 if (strcasecmp(name, sk_hmac2name[i]) == 0)
91 return SK_HMAC_INVALID;
94 static void usage(FILE *fp, char *program)
98 fprintf(fp, "Usage %s [OPTIONS] {-l|-m|-r|-w} <keyfile>\n", program);
99 fprintf(fp, "-l|--load <keyfile> Load key from file into user's "
100 "session keyring\n");
101 fprintf(fp, "-m|--modify <keyfile> Modify keyfile's attributes\n");
102 fprintf(fp, "-r|--read <keyfile> Show keyfile's attributes\n");
103 fprintf(fp, "-w|--write <keyfile> Generate keyfile\n\n");
104 fprintf(fp, "Modify/Write Options:\n");
105 fprintf(fp, "-c|--crypt <num> Cipher for encryption "
106 "(Default: AES Counter mode)\n");
107 for (i = 1; i < SK_CRYPT_MAX; i++)
108 fprintf(fp, " %s\n", sk_crypt2name[i]);
110 fprintf(fp, "-i|--hmac <num> Hash algorithm for integrity "
111 "(Default: SHA256)\n");
112 for (i = 1; i < SK_HMAC_MAX; i++)
113 fprintf(fp, " %s\n", sk_hmac2name[i]);
115 fprintf(fp, "-e|--expire <num> Seconds before contexts from "
116 "key expire (Default: %d seconds (%.3g days))\n",
117 SK_DEFAULT_EXPIRE, (double)SK_DEFAULT_EXPIRE / 3600 / 24);
118 fprintf(fp, "-f|--fsname <name> File system name for key\n");
119 fprintf(fp, "-g|--mgsnids <nids> Comma seperated list of MGS "
120 "NIDs. Only required when mgssec is used (Default: \"\")\n");
121 fprintf(fp, "-n|--nodemap <name> Nodemap name for key "
122 "(Default: \"%s\")\n", SK_DEFAULT_NODEMAP);
123 fprintf(fp, "-p|--prime-bits <len> Prime length (p) for DHKE in "
124 "bits (Default: %d)\n", SK_DEFAULT_PRIME_BITS);
125 fprintf(fp, "-t|--type <type> Key type (mgs, server, "
127 fprintf(fp, "-k|--key-bits <len> Shared key length in bits "
128 "(Default: %d)\n", SK_DEFAULT_SK_KEYLEN);
129 fprintf(fp, "-d|--data <file> Key random data source "
130 "(Default: /dev/random)\n\n");
131 fprintf(fp, "Other Options:\n");
132 fprintf(fp, "-v|--verbose Increase verbosity for errors\n");
136 static ssize_t get_key_data(char *src, void *buffer, size_t bits)
143 /* convert bits to minimum number of bytes */
144 remain = (bits + 7) / 8;
146 printf("Reading random data for shared key from '%s'\n", src);
147 fd = open(src, O_RDONLY);
149 fprintf(stderr, "error: opening '%s': %s\n", src,
155 rc = read(fd, ptr, remain);
159 fprintf(stderr, "error: reading from '%s': %s\n", src,
164 } else if (rc == 0) {
166 "error: key source too short for %zd-bit key\n",
181 static int write_config_file(char *output_file,
182 struct sk_keyfile_config *config, bool overwrite)
186 int flags = O_WRONLY | O_CREAT;
191 sk_config_cpu_to_disk(config);
193 fd = open(output_file, flags, 0400);
195 fprintf(stderr, "error: opening '%s': %s\n", output_file,
200 rc = write(fd, config, sizeof(*config));
202 fprintf(stderr, "error: writing to '%s': %s\n", output_file,
205 } else if (rc != sizeof(*config)) {
206 fprintf(stderr, "error: short write to '%s'\n", output_file);
217 static int print_config(char *filename)
219 struct sk_keyfile_config *config;
222 config = sk_read_file(filename);
226 if (sk_validate_config(config)) {
227 fprintf(stderr, "error: key configuration failed validation\n");
232 printf("Version: %u\n", config->skc_version);
234 if (config->skc_type & SK_TYPE_MGS)
236 if (config->skc_type & SK_TYPE_SERVER)
238 if (config->skc_type & SK_TYPE_CLIENT)
241 printf("HMAC alg: %s\n", sk_hmac2name[config->skc_hmac_alg]);
242 printf("Crypto alg: %s\n", sk_crypt2name[config->skc_crypt_alg]);
243 printf("Ctx Expiration: %u seconds\n", config->skc_expire);
244 printf("Shared keylen: %u bits\n", config->skc_shared_keylen);
245 printf("Prime length: %u bits\n", config->skc_prime_bits);
246 printf("File system: %s\n", config->skc_fsname);
247 printf("MGS NIDs: ");
248 for (i = 0; i < MAX_MGSNIDS; i++) {
249 if (config->skc_mgsnids[i] == LNET_NID_ANY)
251 printf(" %s", libcfs_nid2str(config->skc_mgsnids[i]));
254 printf("Nodemap name: %s\n", config->skc_nodemap);
255 printf("Shared key:\n");
256 print_hex(0, config->skc_shared_key, config->skc_shared_keylen / 8);
258 /* Don't print empty keys */
259 for (i = 0; i < SK_MAX_P_BYTES; i++)
260 if (config->skc_p[i] != 0)
263 if (i != SK_MAX_P_BYTES) {
264 printf("Prime (p):\n");
265 print_hex(0, config->skc_p, config->skc_prime_bits / 8);
272 static int parse_mgsnids(char *mgsnids, struct sk_keyfile_config *config)
281 /* replace all old values */
282 for (i = 0; i < MAX_MGSNIDS; i++)
283 config->skc_mgsnids[i] = LNET_NID_ANY;
286 end = mgsnids + strlen(mgsnids);
288 while (ptr < end && i < MAX_MGSNIDS) {
289 sep = strstr(ptr, ",");
293 nid = libcfs_str2nid(ptr);
294 if (nid == LNET_NID_ANY) {
295 fprintf(stderr, "error: invalid MGS NID: %s\n", ptr);
300 config->skc_mgsnids[i++] = nid;
301 ptr += strlen(ptr) + 1;
304 if (i == MAX_MGSNIDS) {
305 fprintf(stderr, "error: more than %u MGS NIDs provided\n", i);
312 int main(int argc, char **argv)
314 struct sk_keyfile_config *config;
315 char *datafile = NULL;
320 char *mgsnids = NULL;
321 char *nodemap = NULL;
325 int crypt = SK_CRYPT_EMPTY;
326 int hmac = SK_HMAC_EMPTY;
328 int shared_keylen = -1;
333 enum sk_key_type type = SK_TYPE_INVALID;
334 bool generate_prime = false;
337 static struct option long_opt[] = {
338 {"crypt", 1, 0, 'c'},
340 {"expire", 1, 0, 'e'},
341 {"fsname", 1, 0, 'f'},
342 {"mgsnids", 1, 0, 'g'},
345 {"integrity", 1, 0, 'i'},
346 {"key-bits", 1, 0, 'k'},
347 {"shared", 1, 0, 'k'},
349 {"modify", 1, 0, 'm'},
350 {"nodemap", 1, 0, 'n'},
351 {"prime-bits", 1, 0, 'p'},
354 {"verbose", 0, 0, 'v'},
355 {"write", 1, 0, 'w'},
359 while ((opt = getopt_long(argc, argv,
360 "c:d:e:f:g:hi:l:m:n:p:r:s:k:t:w:v", long_opt,
364 crypt = sk_name2crypt(optarg);
370 expire = atoi(optarg);
372 fprintf(stderr, "warning: using a %us key "
373 "expiration may cause issues during "
374 "key renegotiation\n", expire);
378 if (strlen(fsname) > MTI_NAME_MAXLEN) {
380 "error: file system name longer than "
381 "%u characters\n", MTI_NAME_MAXLEN);
389 usage(stdout, argv[0]);
392 hmac = sk_name2hmac(optarg);
395 shared_keylen = atoi(optarg);
405 if (strlen(nodemap) > LUSTRE_NODEMAP_NAME_LENGTH) {
407 "error: nodemap name longer than "
409 LUSTRE_NODEMAP_NAME_LENGTH);
414 prime_bits = atoi(optarg);
415 if (prime_bits <= 0) {
417 "error: invalid prime length: '%s'\n",
426 tmp2 = strdup(optarg);
429 "error: failed to allocate type\n");
432 tmp = strsep(&tmp2, ",");
433 while (tmp != NULL) {
434 if (strcasecmp(tmp, "server") == 0) {
435 type |= SK_TYPE_SERVER;
436 } else if (strcasecmp(tmp, "mgs") == 0) {
438 } else if (strcasecmp(tmp, "client") == 0) {
439 type |= SK_TYPE_CLIENT;
442 "error: invalid type '%s', "
443 "must be mgs, server, or client"
447 tmp = strsep(&tmp2, ",");
458 fprintf(stderr, "error: unknown option: '%c'\n", opt);
464 if (optind != argc) {
466 "error: extraneous arguments provided, check usage\n");
470 if (!input && !output && !load && !modify) {
471 usage(stderr, argv[0]);
475 /* init gss logger for foreground (no syslog) which prints to stderr */
476 initerr(NULL, verbose, 1);
479 return print_config(input);
482 if (sk_load_keyfile(load))
487 if (crypt == SK_CRYPT_INVALID) {
488 fprintf(stderr, "error: invalid crypt algorithm specified\n");
491 if (hmac == SK_HMAC_INVALID) {
492 fprintf(stderr, "error: invalid HMAC algorithm specified\n");
497 config = sk_read_file(modify);
501 if (type != SK_TYPE_INVALID) {
502 /* generate key when adding client type */
503 if (!(config->skc_type & SK_TYPE_CLIENT) &&
504 type & SK_TYPE_CLIENT)
505 generate_prime = true;
506 else if (!(type & SK_TYPE_CLIENT))
507 memset(config->skc_p, 0, SK_MAX_P_BYTES);
509 config->skc_type = type;
511 if (prime_bits != -1) {
512 memset(config->skc_p, 0, SK_MAX_P_BYTES);
513 if (config->skc_prime_bits != prime_bits &&
514 config->skc_type & SK_TYPE_CLIENT)
515 generate_prime = true;
518 /* write mode for a new key */
519 if (!fsname && !mgsnids) {
521 "error: missing --fsname or --mgsnids\n");
525 config = calloc(1, sizeof(*config));
529 /* Set the defaults for new key */
530 config->skc_version = SK_CONF_VERSION;
531 config->skc_expire = SK_DEFAULT_EXPIRE;
532 config->skc_shared_keylen = SK_DEFAULT_SK_KEYLEN;
533 config->skc_prime_bits = SK_DEFAULT_PRIME_BITS;
534 config->skc_crypt_alg = SK_CRYPT_AES256_CTR;
535 config->skc_hmac_alg = SK_HMAC_SHA256;
536 for (i = 0; i < MAX_MGSNIDS; i++)
537 config->skc_mgsnids[i] = LNET_NID_ANY;
539 if (type == SK_TYPE_INVALID) {
540 fprintf(stderr, "error: no type specified for key\n");
543 config->skc_type = type;
544 generate_prime = type & SK_TYPE_CLIENT;
546 strncpy(config->skc_nodemap, SK_DEFAULT_NODEMAP,
547 strlen(SK_DEFAULT_NODEMAP));
550 datafile = "/dev/random";
553 if (crypt != SK_CRYPT_EMPTY)
554 config->skc_crypt_alg = crypt;
555 if (hmac != SK_HMAC_EMPTY)
556 config->skc_hmac_alg = hmac;
558 config->skc_expire = expire;
559 if (shared_keylen != -1)
560 config->skc_shared_keylen = shared_keylen;
561 if (prime_bits != -1)
562 config->skc_prime_bits = prime_bits;
564 strncpy(config->skc_fsname, fsname, strlen(fsname));
566 strncpy(config->skc_nodemap, nodemap, strlen(nodemap));
567 if (mgsnids && parse_mgsnids(mgsnids, config))
569 if (sk_validate_config(config)) {
570 fprintf(stderr, "error: key configuration failed validation\n");
574 if (datafile && get_key_data(datafile, config->skc_shared_key,
575 config->skc_shared_keylen)) {
576 fprintf(stderr, "error: failure getting key data from '%s'\n",
581 if (generate_prime) {
582 printf("Generating DH parameters, this can take a while...\n");
583 dh = DH_generate_parameters(config->skc_prime_bits,
584 SK_GENERATOR, NULL, NULL);
585 if (BN_num_bytes(dh->p) > SK_MAX_P_BYTES) {
586 fprintf(stderr, "error: cannot generate DH parameters: "
587 "requested length %d exceeds maximum %d\n",
588 config->skc_prime_bits, SK_MAX_P_BYTES * 8);
591 if (BN_bn2bin(dh->p, config->skc_p) != BN_num_bytes(dh->p)) {
593 "error: convert BIGNUM p to binary failed\n");
598 if (write_config_file(modify ?: output, config, modify))