X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=blobdiff_plain;f=lustre%2Futils%2Fgss%2Fsk_utils.c;h=4b4a911d8f62a8b7ddaa6c11b695a36f78242b09;hp=596e3af71f5e5853ef116fc84912f73cfe7d2967;hb=a21c13d4df4bea1bec0f5804136740ed53d5a57f;hpb=f431777cf5cbb0f1493e91a35bbc2a26e1d14db9

diff --git a/lustre/utils/gss/sk_utils.c b/lustre/utils/gss/sk_utils.c
index 596e3af..4b4a911 100644
--- a/lustre/utils/gss/sk_utils.c
+++ b/lustre/utils/gss/sk_utils.c
@@ -22,7 +22,7 @@
 /*
  * Copyright (C) 2015, Trustees of Indiana University
  *
- * Copyright (c) 2016, Intel Corporation.
+ * Copyright (c) 2016, 2017, Intel Corporation.
  *
  * Author: Jeremy Filizetti <jfilizet@iu.edu>
  */
@@ -39,31 +39,12 @@
 #include <openssl/hmac.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <lnet/nidstr.h>
 
 #include "sk_utils.h"
 #include "write_bytes.h"
 
 #define SK_PBKDF2_ITERATIONS 10000
 
-static struct sk_crypt_type sk_crypt_types[] = {
-	[SK_CRYPT_AES256_CTR] = {
-		.sct_name = "ctr(aes)",
-		.sct_bytes = 32,
-	},
-};
-
-static struct sk_hmac_type sk_hmac_types[] = {
-	[SK_HMAC_SHA256] = {
-		.sht_name = "hmac(sha256)",
-		.sht_bytes = 32,
-	},
-	[SK_HMAC_SHA512] = {
-		.sht_name = "hmac(sha512)",
-		.sht_bytes = 64,
-	},
-};
-
 #ifdef _NEW_BUILD_
 # include "lgss_utils.h"
 #else
@@ -123,7 +104,7 @@ struct sk_keyfile_config *sk_read_file(char *filename)
 		struct stat st;
 
 		rc = fstat(fd, &st);
-		if (rc == 0 && (st.st_mode & ~0600))
+		if (rc == 0 && (st.st_mode & ~(S_IFREG | 0600)))
 			fprintf(stderr, "warning: "
 				"secret key '%s' has insecure file mode %#o\n",
 				filename, st.st_mode);
@@ -365,18 +346,22 @@ int sk_validate_config(const struct sk_keyfile_config *config)
 		printerr(0, "Null configuration passed\n");
 		return -1;
 	}
+
 	if (config->skc_version != SK_CONF_VERSION) {
 		printerr(0, "Invalid version\n");
 		return -1;
 	}
-	if (config->skc_hmac_alg >= SK_HMAC_MAX) {
+
+	if (config->skc_hmac_alg == SK_HMAC_INVALID) {
 		printerr(0, "Invalid HMAC algorithm\n");
 		return -1;
 	}
-	if (config->skc_crypt_alg >= SK_CRYPT_MAX) {
+
+	if (config->skc_crypt_alg == SK_CRYPT_INVALID) {
 		printerr(0, "Invalid crypt algorithm\n");
 		return -1;
 	}
+
 	if (config->skc_expire < 60 || config->skc_expire > INT_MAX) {
 		/* Try to limit key expiration to some reasonable minimum and
 		 * also prevent values over INT_MAX because there appears
@@ -661,8 +646,8 @@ struct sk_cred *sk_create_cred(const char *tgt, const char *nodemap,
 
 	kctx = &skc->sc_kctx;
 	kctx->skc_version = config->skc_version;
-	kctx->skc_hmac_alg = config->skc_hmac_alg;
-	kctx->skc_crypt_alg = config->skc_crypt_alg;
+	strcpy(kctx->skc_hmac_alg, sk_hmac2name(config->skc_hmac_alg));
+	strcpy(kctx->skc_crypt_alg, sk_crypt2name(config->skc_crypt_alg));
 	kctx->skc_expire = config->skc_expire;
 
 	/* key payload format is in bits, convert to bytes */
@@ -782,12 +767,12 @@ uint32_t sk_gen_params(struct sk_cred *skc)
  *
  * \retval		EVP_MD
  */
-static inline const EVP_MD *sk_hash_to_evp_md(enum sk_hmac_alg alg)
+static inline const EVP_MD *sk_hash_to_evp_md(enum cfs_crypto_hash_alg alg)
 {
 	switch (alg) {
-	case SK_HMAC_SHA256:
+	case CFS_HASH_ALG_SHA256:
 		return EVP_sha256();
-	case SK_HMAC_SHA512:
+	case CFS_HASH_ALG_SHA512:
 		return EVP_sha512();
 	default:
 		return EVP_md_null();
@@ -972,7 +957,8 @@ void sk_free_cred(struct sk_cred *skc)
  * If the size is smaller it will take copy the first N bytes necessary to
  * fill the derived key. */
 int sk_kdf(gss_buffer_desc *derived_key , gss_buffer_desc *origin_key,
-	   gss_buffer_desc *key_binding_bufs, int numbufs, int hmac_alg)
+	   gss_buffer_desc *key_binding_bufs, int numbufs,
+	   enum cfs_crypto_hash_alg hmac_alg)
 {
 	size_t remain;
 	size_t bytes;
@@ -1004,7 +990,7 @@ int sk_kdf(gss_buffer_desc *derived_key , gss_buffer_desc *origin_key,
 			return rc;
 		}
 
-		if (sk_hmac_types[hmac_alg].sht_bytes != tmp_hash.length) {
+		if (cfs_crypto_hash_digestsize(hmac_alg) != tmp_hash.length) {
 			free(tmp_hash.value);
 			return -EINVAL;
 		}
@@ -1034,9 +1020,11 @@ int sk_session_kdf(struct sk_cred *skc, lnet_nid_t client_nid,
 	struct sk_kernel_ctx *kctx = &skc->sc_kctx;
 	gss_buffer_desc *session_key = &kctx->skc_session_key;
 	gss_buffer_desc bufs[5];
+	enum cfs_crypto_crypt_alg crypt_alg;
 	int rc = -1;
 
-	session_key->length = sk_crypt_types[kctx->skc_crypt_alg].sct_bytes;
+	crypt_alg = cfs_crypto_crypt_alg(kctx->skc_crypt_alg);
+	session_key->length = cfs_crypto_crypt_keysize(crypt_alg);
 	session_key->value = malloc(session_key->length);
 	if (!session_key->value) {
 		printerr(0, "Failed to allocate memory for session key\n");
@@ -1058,7 +1046,7 @@ int sk_session_kdf(struct sk_cred *skc, lnet_nid_t client_nid,
 	bufs[4] = *server_token;
 
 	return sk_kdf(&kctx->skc_session_key, &kctx->skc_shared_key, bufs,
-		      5, kctx->skc_hmac_alg);
+		      5, cfs_crypto_hash_alg(kctx->skc_hmac_alg));
 }
 
 /* Uses the session key to create an HMAC key and encryption key.  In
@@ -1090,18 +1078,21 @@ int sk_compute_keys(struct sk_cred *skc)
 	gss_buffer_desc *session_key = &kctx->skc_session_key;
 	gss_buffer_desc *hmac_key = &kctx->skc_hmac_key;
 	gss_buffer_desc *encrypt_key = &kctx->skc_encrypt_key;
+	enum cfs_crypto_hash_alg hmac_alg;
+	enum cfs_crypto_crypt_alg crypt_alg;
 	char *encrypt = "Encrypt";
 	char *integrity = "Integrity";
 	int rc;
 
-	hmac_key->length = sk_hmac_types[kctx->skc_hmac_alg].sht_bytes;
+	hmac_alg = cfs_crypto_hash_alg(kctx->skc_hmac_alg);
+	hmac_key->length = cfs_crypto_hash_digestsize(hmac_alg);
 	hmac_key->value = malloc(hmac_key->length);
 	if (!hmac_key->value)
 		return -ENOMEM;
 
 	rc = PKCS5_PBKDF2_HMAC(integrity, -1, session_key->value,
 			       session_key->length, SK_PBKDF2_ITERATIONS,
-			       sk_hash_to_evp_md(kctx->skc_hmac_alg),
+			       sk_hash_to_evp_md(hmac_alg),
 			       hmac_key->length, hmac_key->value);
 	if (rc == 0)
 		return -EINVAL;
@@ -1110,14 +1101,15 @@ int sk_compute_keys(struct sk_cred *skc)
 	if ((skc->sc_flags & LGSS_SVC_PRIV) == 0)
 		return 0;
 
-	encrypt_key->length = sk_crypt_types[kctx->skc_crypt_alg].sct_bytes;
+	crypt_alg = cfs_crypto_crypt_alg(kctx->skc_crypt_alg);
+	encrypt_key->length = cfs_crypto_crypt_keysize(crypt_alg);
 	encrypt_key->value = malloc(encrypt_key->length);
 	if (!encrypt_key->value)
 		return -ENOMEM;
 
 	rc = PKCS5_PBKDF2_HMAC(encrypt, -1, session_key->value,
 			       session_key->length, SK_PBKDF2_ITERATIONS,
-			       sk_hash_to_evp_md(kctx->skc_hmac_alg),
+			       sk_hash_to_evp_md(hmac_alg),
 			       encrypt_key->length, encrypt_key->value);
 	if (rc == 0)
 		return -EINVAL;