#ifndef SK_UTILS_H
#define SK_UTILS_H
+#ifdef HAVE_OPENSSL_SSK
#include <gssapi/gssapi.h>
+#ifdef HAVE_LIBKEYUTILS
#include <keyutils.h>
+#endif
#include <linux/lustre/lustre_idl.h>
+#include <linux/lustre/lustre_disk.h>
#include <openssl/dh.h>
+#include <openssl/dsa.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#ifdef HAVE_OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+#ifdef HAVE_OPENSSL_EVP_PKEY
+#include <openssl/core_names.h>
+#endif
+#include <openssl/err.h>
#include <sys/types.h>
-#include <libcfs/libcfs_crypto.h>
+#include <linux/lnet/lnet-crypto.h>
#include "lsupport.h"
#ifndef ARRAY_SIZE
if (priv_key != NULL)
*priv_key = dh->priv_key;
}
+
+static inline const BIGNUM *DH_get0_p(const DH *dh)
+{
+ return dh->p;
+}
+#endif
+
+#ifndef HAVE_OPENSSL_FIPS
+#define FIPS_mode() 0
#endif
/* Some limits and defaults */
gss_buffer_desc skc_session_key;
};
+
+#ifdef HAVE_OPENSSL_EVP_PKEY
+#define DECLARE_EVP_MD(name, hash) \
+ OSSL_PARAM name[] = { \
+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, \
+ (char *)EVP_MD_get0_name(hash), \
+ 0), \
+ OSSL_PARAM_END \
+ }
+#else /* !HAVE_OPENSSL_EVP_PKEY */
+#define EVP_PKEY DH
+#define EVP_PKEY_free(dh) DH_free(dh)
+struct dh_ssk_ctx { uint32_t bits; uint32_t gen; };
+#define EVP_PKEY_CTX struct dh_ssk_ctx
+#define EVP_PKEY_CTX_new_from_name(p1, name, p2) malloc(sizeof(EVP_PKEY_CTX))
+#define EVP_PKEY_paramgen_init(ctx) 1
+#undef EVP_PKEY_CTX_set_dh_paramgen_prime_len
+#define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) ((ctx)->bits = len)
+#undef EVP_PKEY_CTX_set_dh_paramgen_generator
+#define EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, g) ((ctx)->gen = g)
+#define EVP_PKEY_paramgen(ctx, dhp) \
+ ((*dhp = DH_new()) && \
+ DH_generate_parameters_ex(*(dhp), (ctx)->bits, (ctx)->gen, NULL))
+#define EVP_PKEY_get_bn_param(dh, param, bnp) (*bnp = (BIGNUM *)DH_get0_p(dh))
+#define EVP_PKEY_CTX_free(ctx) free(ctx)
+#define DECLARE_EVP_MD(name, hash) \
+ const EVP_MD *name = hash
+#define EVP_MAC_CTX HMAC_CTX
+#define EVP_MAC_CTX_new(mac) HMAC_CTX_new()
+#define EVP_MAC_CTX_free HMAC_CTX_free
+#define EVP_MAC void
+#define EVP_MAC_fetch(a, b, c) (void *)1
+#define EVP_MAC_init(ctx, val, len, alg) HMAC_Init_ex(ctx, val, len, alg, NULL)
+#define EVP_MAC_update HMAC_Update
+#define EVP_MAC_final(ctx, val, lenp, hlen) \
+ HMAC_Final(ctx, val, (unsigned int *)(lenp))
+#define EVP_MAC_free(mac) {}
+#endif
+
/* Structure used in context initiation to hold all necessary data */
struct sk_cred {
uint32_t sc_flags;
gss_buffer_desc sc_hmac;
gss_buffer_desc sc_dh_shared_key;
struct sk_kernel_ctx sc_kctx;
- DH *sc_params;
+ EVP_PKEY *sc_params;
};
/* Names match up with openssl enc and dgst commands */
return NULL;
}
+#ifndef NID_ffdhe2048
+#define NID_ffdhe2048 1126
+#define NID_ffdhe3072 1127
+#define NID_ffdhe4096 1128
+#define NID_ffdhe6144 1129
+#define NID_ffdhe8192 1130
+#endif
+
+static const struct sk_prime_type sk_prime_nids[] = {
+ {
+ .spt_name = "null",
+ .spt_type = 0,
+ .spt_primebits = 0
+ },
+ {
+ .spt_name = "ffdhe2048",
+ .spt_type = NID_ffdhe2048,
+ .spt_primebits = 2048
+ },
+ {
+ .spt_name = "ffdhe3072",
+ .spt_type = NID_ffdhe3072,
+ .spt_primebits = 3072
+ },
+ {
+ .spt_name = "ffdhe4096",
+ .spt_type = NID_ffdhe4096,
+ .spt_primebits = 4096
+ },
+ {
+ .spt_name = "ffdhe6144",
+ .spt_type = NID_ffdhe6144,
+ .spt_primebits = 6144
+ },
+ {
+ .spt_name = "ffdhe8192",
+ .spt_type = NID_ffdhe8192,
+ .spt_primebits = 8192
+ },
+};
+
+static inline int sk_primebits2primenid(int primebits)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(sk_prime_nids); i++) {
+ if (primebits == sk_prime_nids[i].spt_primebits)
+ return sk_prime_nids[i].spt_type;
+ }
+
+ return -1;
+}
+
+static inline const char *sk_primebits2name(int primebits)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(sk_prime_nids); i++) {
+ if (primebits == sk_prime_nids[i].spt_primebits)
+ return sk_prime_nids[i].spt_name;
+ }
+
+ return NULL;
+}
+
void sk_init_logging(char *program, int verbose, int fg);
struct sk_keyfile_config *sk_read_file(char *filename);
int sk_load_keyfile(char *path);
const gss_buffer_desc *current_hash);
struct sk_cred *sk_create_cred(const char *fsname, const char *cluster,
const uint32_t flags);
-uint32_t sk_gen_params(struct sk_cred *skc);
+#ifndef HAVE_OPENSSL_EVP_PKEY
+int sk_speedtest_dh_valid(unsigned int usec_check_max, pid_t *child);
+#endif
+uint32_t sk_gen_params(struct sk_cred *skc, int num_rounds);
int sk_sign_bufs(gss_buffer_desc *key, gss_buffer_desc *bufs, const int numbufs,
const EVP_MD *hash_alg, gss_buffer_desc *hmac);
uint32_t sk_verify_hmac(struct sk_cred *skc, gss_buffer_desc *bufs,
int sk_encode_netstring(gss_buffer_desc *bufs, int numbufs,
gss_buffer_desc *ns);
+#endif /* HAVE_OPENSSL_SSK */
#endif /* SK_UTILS_H */