RETURN(rc);
ll_gs_intent_init(it);
- if (!(it->it_op & IT_CREAT))
+ if (!(it->it_flags & O_CREAT))
RETURN(rc);
LASSERT(it->d.fs_data != NULL);
/*copy the decrypt key from kcontext to the lustre key*/
spin_lock(&lli->lli_lock);
- memcpy(&lkey->lk_ck, ckey, sizeof(*ckey));
+ memcpy(&lkey->lk_dk, ckey->ck_key, KEY_SIZE);
SET_DECRYPTED(lkey->lk_flags);
spin_unlock(&lli->lli_lock);
out:
struct key_perm *kperm = NULL;
struct key_parms kparms;
struct lustre_key *lkey = NULL;
+ struct crypto_key *ckey = NULL;
struct posix_acl *acl = NULL, *new_acl = NULL;
int rc = 0, kperm_size = 0, kcontext_size = 0;
mode_t mac_mode;
GOTO(out, rc);
}
}
- }
+ } else {
+ new_acl = acl;
+ }
acl_count = new_acl ? new_acl->a_count : 0;
kperm_size = crypto_kperm_size(acl_count);
OBD_ALLOC(kperm, kperm_size);
kparms.perm_size = kperm_size;
*key_size = sizeof(struct crypto_key);
- OBD_ALLOC(*key, *key_size);
- if (!*key)
+ OBD_ALLOC(ckey, sizeof(struct crypto_key));
+ if (!ckey)
GOTO(out, rc = -ENOMEM);
/*GET an encrypt key from GS server*/
rc = obd_get_info(gs_exp, sizeof(struct key_parms), (void *)&kparms,
- key_size, *key);
+ key_size, ckey);
if (rc) {
CERROR("decrypt key error rc %d \n", rc);
GOTO(out, rc);
}
- printk("come here 5\n");
- /*copy the decrypt key from kcontext to the lustre key*/
- spin_lock(&lli->lli_lock);
- memcpy(&lkey->lk_ck, *key, *key_size);
+ *key = ckey;
iattr->ia_valid |= ATTR_MAC;
- spin_unlock(&lli->lli_lock);
out:
if (acl)
posix_acl_release(acl);
RETURN(rc);
}
+static int ll_crypt_permission_check(struct lustre_key *lkey,
+ int flags)
+{
+ if (!IS_DECRYPTED(lkey->lk_flags))
+ RETURN(-EFAULT);
+ if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags))
+ RETURN(-EFAULT);
+ if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags))
+ RETURN(-EFAULT);
+ RETURN(0);
+}
/*key function for calculate the key for countermode method*/
static int ll_crypt_cb(struct page *page, __u64 offset, __u64 count,
int flags)
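Review bot: The crypto_key allocated at `OBD_ALLOC(ckey, sizeof(struct crypto_key));` is leaked when obd_get_info fails: the `GOTO(out, rc)` after the `CERROR("decrypt key error rc %d \n", rc);` line lands on `out:`, which only releases `acl`, and `*key = ckey;` is reached on the success path only. Free it on that path, `OBD_FREE(ckey, sizeof(*ckey));` before the GOTO (or at `out:` under `if (rc && ckey)`), so the caller never has to guess whether `*key` was set. Since the new code hands ownership of `*key` to the caller and assigns `*key_size` before the fetch can fail, both facts belong in the function's header comment, which lies outside the hunk. `kperm` from `OBD_ALLOC(kperm, kperm_size);` is likewise neither NULL-checked nor released at `out:` in the visible lines; if that is handled outside the hunk this is moot. In ll_crypt_permission_check, `-EFAULT` for a key that is not decrypted or not enabled for the requested direction reads as a bad-address error where `-EACCES` would be the conventional code, though the value is carried over from the lines removed from ll_crypt_cb.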
char *key_ptr;
int index = page->index;
__u64 data_key = 0;
- int i;
+ int i, rc = 0;
ENTRY;
if (!lkey)
RETURN(0);
- if (!IS_DECRYPTED(lkey->lk_flags))
- RETURN(-EFAULT);
- if (flags == ENCRYPT_DATA && !IS_ENABLE_ENCRYPT(lkey->lk_flags))
- RETURN(-EFAULT);
- if (flags == DECRYPT_DATA && !IS_ENABLE_DECRYPT(lkey->lk_flags))
- RETURN(-EFAULT);
-
- /*FIXME: tmp calculate method, should calculate
- the key according to KEY_TYPE*/
-
spin_lock(&lli->lli_lock);
- key_ptr = &lkey->lk_ck.ck_key[0];
+ rc = ll_crypt_permission_check(lkey, flags);
+ if (rc) {
+ spin_unlock(&lli->lli_lock);
+ RETURN(rc);
+ }
+
+ key_ptr = &lkey->lk_dk[0];
for (i=0; i < KEY_SIZE; i++)
data_key += *key_ptr++;
spin_unlock(&lli->lli_lock);
CDEBUG(D_INFO, "encrypted ptr is %s \n", key_ptr);
kunmap(page);
- RETURN(0);
+ RETURN(rc);
}
int ll_gs_init_inode_key(struct inode *inode, void *mkey)
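Review bot: After the `for (i=0; i < KEY_SIZE; i++)` loop `key_ptr` points one past the end of `lkey->lk_dk`, and the `CDEBUG(D_INFO, "encrypted ptr is %s \n", key_ptr);` line then reads through it with `%s` after `spin_unlock` — an unbounded read of whatever follows the key array, performed outside the lock, and key-adjacent bytes written to the log even when it happens to stop early. Replace it with a line that names the computed value, `CDEBUG(D_INFO, "data key %llu\n", (unsigned long long)data_key);`, or drop it. The hunk also removes the FIXME stating that summing the key bytes into `data_key` is a temporary derivation, yet the derivation is unchanged; keep that comment next to `key_ptr = &lkey->lk_dk[0];` so the weak keying is not mistaken for the intended design. The final `RETURN(rc);` is always `RETURN(0)` because every non-zero rc has already returned inside the locked block. ll_crypt_cb's declarations and the `lkey`/`lli` setup start outside the hunk.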
spin_lock(&lli->lli_lock);
lli->lli_key_info = lkey;
spin_unlock(&lli->lli_lock);
+ CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n",
+ lli->lli_key_info->lk_ck.ck_key,
+ lli->lli_key_info->lk_ck.ck_mac,
+ inode->i_ino);
} else {
lkey = lustre_key_get(lli->lli_key_info);
- if (!IS_DECRYPTED(lkey->lk_flags)) {
- if (memcmp(&lkey->lk_ck, key, sizeof(*key))) {
- CWARN("already have key_info %p in ino %ld \n",
- lli->lli_key_info, inode->i_ino);
- }
- } else {
- spin_lock(&lli->lli_lock);
+ LASSERTF(!memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE),
+ "old key %s != new key %s\n", lkey->lk_ck.ck_key,
+ key->ck_key);
+ spin_lock(&lli->lli_lock);
+ if (memcmp(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE)){
+ CDEBUG(D_INFO, "reset mac %s to %s ino %ld \n",
+ lkey->lk_ck.ck_mac, key->ck_mac, inode->i_ino);
+ memcpy(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE);
SET_UNDECRYPTED(lkey->lk_flags);
- memcpy(&lkey->lk_ck, key, sizeof(*key));
- spin_unlock(&lli->lli_lock);
}
+ spin_unlock(&lli->lli_lock);
lustre_key_release(lkey);
}
- CDEBUG(D_INFO, "set key %s mac %s in inode %lu \n",
- lli->lli_key_info->lk_ck.ck_mac,
- lli->lli_key_info->lk_ck.ck_key,
- inode->i_ino);
RETURN(0);
}
}
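Review bot: The new `LASSERTF(!memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE), ...)` turns a data condition into a kernel assertion: the removed side only issued a CWARN when a key arriving for an already-keyed inode differed from the cached one, and now the same input takes the client into LBUG, even though as far as the visible lines show the key comes from the key fetch rather than from a local invariant. Keep it an error path — log and return to the caller, as sketched below. Independently, the added `set key %s mac %s`, `old key %s != new key %s` and `reset mac %s to %s` messages format `ck_key` and `ck_mac` with `%s`; these are fixed-size byte arrays copied with KEY_SIZE/MAC_SIZE elsewhere in this diff, not NUL-terminated strings, so `%s` can read past them, and in any case they put key material into the debug log — log the inode number and at most a hex dump of the MAC, never the key. ll_gs_init_inode_key's body begins before this hunk.
```c
        lkey = lustre_key_get(lli->lli_key_info);
        if (memcmp(lkey->lk_ck.ck_key, key->ck_key, KEY_SIZE)) {
                CERROR("key for ino %lu does not match the cached key\n",
                       inode->i_ino);
                lustre_key_release(lkey);
                RETURN(-EINVAL);
        }
        spin_lock(&lli->lli_lock);
        if (memcmp(lkey->lk_ck.ck_mac, key->ck_mac, MAC_SIZE)) {
                CDEBUG(D_INFO, "reset mac for ino %lu\n", inode->i_ino);
                /* ... unchanged: memcpy of ck_mac, SET_UNDECRYPTED ... */
        }
        /* ... unchanged: spin_unlock, lustre_key_release ... */
```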
enable_encrypt() {
NAME=$1
- grep " $MOUNT " /proc/mounts || zconf_mount `hostname` $MOUNT
+ grep " $MOUNT " /proc/mounts && umount $MOUNT
+ zconf_mount `hostname` $MOUNT
$LCTL set_crypt $MOUNT $CRYPT_TYPE
}
mkdir -p $DIR
test_1a() {
- rm -rf $DIR1/1a*
enable_encrypt $MOUNT
echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/1a0
echo aaaaaaaaaaaaaaaaaaaa >> $DIR2/1a1
diff -u $DIR1/1a0 $DIR2/1a1 || error "files are different"
disable_encrypt $MOUNT
diff -u $DIR1/1a0 $DIR2/1a1 && error "write encryption failed"
+ enable_encrypt $MOUNT
+ diff -u $DIR1/1a0 $DIR2/1a1 || error "files are different"
}
run_test 1a "read/write encryption============="
test_2a() {
- rm -rf $DIR1/2a*
enable_encrypt $MOUNT
touch $DIR1/2a0
setfacl -m u:bin:rw $DIR1/2a0
diff -u $DIR1/2a0 $DIR2/2a1 || error "files are different"
disable_encrypt $MOUNT
diff -u $DIR1/2a0 $DIR2/2a1 && error "write encryption failed"
+ enable_encrypt $MOUNT
+ diff -u $DIR1/2a0 $DIR2/2a1 || error "files are different"
}
run_test 2a "read/write encryption with acl============="
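Review bot: Dropping `rm -rf $DIR1/1a*` and `rm -rf $DIR1/2a*` leaves the tests stateful: test_1a appends with `>>` to `$DIR1/1a0` and `$DIR2/1a1`, so a re-run starts from whatever a previous, possibly failed, run left behind and the diff results no longer describe this run alone — restore the cleanup at the top of each test, and check whether the 3a, 4a and 5a tests (whose setup lies outside the hunks below) lost the same lines. In enable_encrypt the new `grep " $MOUNT " /proc/mounts && umount $MOUNT` ignores a failed umount, after which `zconf_mount` runs against a path that is still mounted; `grep " $MOUNT " /proc/mounts && { umount $MOUNT || error "umount $MOUNT failed"; }` turns that into a test failure. `NAME=$1` is assigned but every line of the function uses `$MOUNT`, which is carried over from the old code.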
diff -u $DIR1/3a0 $DIR2/3a1 || error "files are different"
disable_encrypt $MOUNT
diff -u $DIR1/3a0 $DIR2/3a1 && error "write encryption failed"
+ enable_encrypt $MOUNT
+ diff -u $DIR1/3a0 $DIR2/3a1 || error "files are different"
}
run_test 3a "write chmod encryption============="
diff -u $DIR1/4a0 $DIR2/4a1 || error "files are different"
disable_encrypt $MOUNT
diff -u $DIR1/4a0 $DIR2/4a1 && error "write encryption failed"
+ enable_encrypt $MOUNT
+ diff -u $DIR1/4a0 $DIR2/4a1 || error "files are different"
}
run_test 4a "write chacl encryption============="
echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/5a0
echo aaaaaaaaaaaaaaaaaaaa >> $DIR2/5a1
setfacl -m u:bin:rw $DIR1/5a0
- chown $RUN_UID $DIR1/3a0
+ chown $RUN_UID $DIR1/5a0
echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/5a0 || error "chown write error"
echo aaaaaaaaaaaaaaaaaaaa >> $DIR1/5a1
diff -u $DIR1/5a0 $DIR2/5a1 || error "files are different"
+ echo "enable crypt read success"
disable_encrypt $MOUNT
diff -u $DIR1/5a0 $DIR2/5a1 && error "write encryption failed"
+ enable_encrypt $MOUNT
+ diff -u $DIR1/5a0 $DIR2/5a1 || error "files are different"
}
run_test 5a "write chacl encryption============="