Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
---
exec/coroparse.c | 16 +++++++++
exec/totemconfig.c | 70 ++++++++++++++++++++++++----------------
exec/totemcrypto.c | 63 +++++++++++++++++++++++++-----------
exec/totemcrypto.h | 16 +++++++--
exec/totemudp.c | 2 +-
exec/totemudpu.c | 2 +-
include/corosync/totem/totem.h | 6 +--
7 files changed, 119 insertions(+), 56 deletions(-)
diff --git a/exec/coroparse.c b/exec/coroparse.c
index 5efffc0..366cf3e 100644
--- a/exec/coroparse.c
+++ b/exec/coroparse.c
@@ -470,6 +470,22 @@ static int main_config_parser_cb(const char *path,
return (0);
}
}
+ if (strcmp(path, "totem.crypto_cipher") == 0) {
+ if ((strcmp(value, "none") != 0) &&
+ (strcmp(value, "aes256") != 0)) {
+ *error_string = "Invalid cipher type";
+
+ return (0);
+ }
+ }
+ if (strcmp(path, "totem.crypto_hash") == 0) {
+ if ((strcmp(value, "none") != 0) &&
+ (strcmp(value, "sha1") != 0)) {
+ *error_string = "Invalid hash type";
+
+ return (0);
+ }
+ }
break;
case MAIN_CP_CB_DATA_STATE_INTERFACE:
diff --git a/exec/totemconfig.c b/exec/totemconfig.c
index a5c1617..931bd7a 100644
--- a/exec/totemconfig.c
+++ b/exec/totemconfig.c
@@ -121,23 +121,54 @@ static void totem_volatile_config_read (struct totem_config *totem_config)
}
-static void totem_get_crypto_type(struct totem_config *totem_config)
+static void totem_get_crypto(struct totem_config *totem_config)
{
char *str;
+ const char *tmp_cipher;
+ const char *tmp_hash;
- /*
- * We must set these even if the key does not exist.
- * Encryption type can be set on-the-fly using CFG
- */
- totem_config->crypto_crypt_type = CKM_AES_CBC_PAD;
- totem_config->crypto_hash_type = CKM_SHA256_RSA_PKCS;
+ tmp_hash = "sha1";
+ tmp_cipher = "aes256";
+ totem_config->secauth = 1;
+
+ if (icmap_get_string("totem.secauth", &str) == CS_OK) {
+ if (strcmp (str, "off") == 0) {
+ totem_config->secauth = 0;
+ tmp_hash = "none";
+ tmp_cipher = "none";
+ }
+ free(str);
+ }
- if (icmap_get_string("totem.crypto_type", &str) == CS_OK) {
- if (strcmp(str, "nss") == 0 || strcmp(str, "aes256") == 0) {
- totem_config->crypto_type = TOTEM_CRYPTO_AES256;
+ if (icmap_get_string("totem.crypto_cipher", &str) == CS_OK) {
+ if (strcmp(str, "none") == 0) {
+ tmp_cipher = "none";
+ }
+ if (strcmp(str, "aes256") == 0) {
+ tmp_cipher = "aes256";
+ }
+ free(str);
+ }
+
+ if (icmap_get_string("totem.crypto_hash", &str) == CS_OK) {
+ if (strcmp(str, "none") == 0) {
+ tmp_hash = "none";
+ }
+ if (strcmp(str, "sha1") == 0) {
+ tmp_hash = "sha1";
}
free(str);
}
+
+ if (strcmp(tmp_hash, "none") == 0 && strcmp(tmp_cipher, "none") == 0) {
+ totem_config->secauth = 0;
+ }
+
+ free(totem_config->crypto_cipher_type);
+ free(totem_config->crypto_hash_type);
+
+ totem_config->crypto_cipher_type = strdup(tmp_cipher);
+ totem_config->crypto_hash_type = strdup(tmp_hash);
}
static uint16_t generate_cluster_id (const char *cluster_name)
@@ -410,25 +441,11 @@ extern int totem_config_read (
memset (totem_config->interfaces, 0,
sizeof (struct totem_interface) * INTERFACE_MAX);
- totem_config->secauth = 1;
-
strcpy (totem_config->rrp_mode, "none");
icmap_get_uint32("totem.version", (uint32_t *)&totem_config->version);
- if (icmap_get_string("totem.secauth", &str) == CS_OK) {
- if (strcmp (str, "on") == 0) {
- totem_config->secauth = 1;
- }
- if (strcmp (str, "off") == 0) {
- totem_config->secauth = 0;
- }
- free(str);
- }
-
- if (totem_config->secauth == 1) {
- totem_get_crypto_type(totem_config);
- }
+ totem_get_crypto(totem_config);
if (icmap_get_string("totem.rrp_mode", &str) == CS_OK) {
strcpy (totem_config->rrp_mode, str);
@@ -924,9 +941,6 @@ int totem_config_validate (
if (totem_config->threads > SEND_THREADS_MAX) {
totem_config->threads = SEND_THREADS_MAX;
}
- if (totem_config->secauth == 0) {
- totem_config->threads = 0;
- }
if (totem_config->net_mtu > FRAME_SIZE_MAX) {
error_reason = "This net_mtu parameter is greater then the maximum frame size";
goto parse_error;
diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
index 4ee839e..8c0ec91 100644
--- a/exec/totemcrypto.c
+++ b/exec/totemcrypto.c
@@ -91,9 +91,9 @@ struct crypto_instance {
unsigned int private_key_len;
- int crypto_crypt_type;
+ enum crypto_crypt_t crypto_cipher_type;
- int crypto_hash_type;
+ enum crypto_hash_t crypto_hash_type;
void (*log_printf_func) (
int level,
@@ -110,6 +110,21 @@ struct crypto_instance {
int log_subsys_id;
};
+CK_MECHANISM_TYPE cipher_to_nss[] = {
+ 0, /* CRYPTO_CIPHER_TYPE_NONE */
+ CKM_AES_CBC_PAD /* CRYPTO_CIPHER_TYPE_AES256 */
+};
+
+size_t cipher_key_len[] = {
+ 0, /* CRYPTO_CIPHER_TYPE_NONE */
+ 32, /* CRYPTO_CIPHER_TYPE_AES256 */
+};
+
+CK_MECHANISM_TYPE hash_to_nss[] = {
+ 0, /* CRYPTO_HASH_TYPE_NONE */
+ CKM_SHA_1_HMAC /* CRYPTO_HASH_TYPE_SHA1 */
+};
+
#define log_printf(level, format, args...) \
do { \
instance->log_printf_func ( \
@@ -148,7 +163,7 @@ static void init_nss_crypto(struct crypto_instance *instance)
/*
* TODO: use instance info!
*/
- aes_slot = PK11_GetBestSlot(CKM_AES_CBC_PAD, NULL);
+ aes_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL);
if (aes_slot == NULL)
{
log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
@@ -156,7 +171,7 @@ static void init_nss_crypto(struct crypto_instance *instance)
goto out;
}
- sha1_slot = PK11_GetBestSlot(CKM_SHA_1_HMAC, NULL);
+ sha1_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL);
if (sha1_slot == NULL)
{
log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
@@ -168,10 +183,10 @@ static void init_nss_crypto(struct crypto_instance *instance)
*/
key_item.type = siBuffer;
key_item.data = instance->private_key;
- key_item.len = 32; /* Use 256 bits */
+ key_item.len = cipher_key_len[instance->crypto_cipher_type];
instance->nss_sym_key = PK11_ImportSymKey(aes_slot,
- CKM_AES_CBC_PAD,
+ cipher_to_nss[instance->crypto_cipher_type],
PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT,
&key_item, NULL);
if (instance->nss_sym_key == NULL)
@@ -182,7 +197,7 @@ static void init_nss_crypto(struct crypto_instance *instance)
}
instance->nss_sym_key_sign = PK11_ImportSymKey(sha1_slot,
- CKM_SHA_1_HMAC,
+ hash_to_nss[instance->crypto_hash_type],
PK11_OriginUnwrap, CKA_SIGN,
&key_item, NULL);
if (instance->nss_sym_key_sign == NULL) {
@@ -237,7 +252,7 @@ static int encrypt_and_sign_nss (
iv_item.len = sizeof (nss_iv_data);
nss_sec_param = PK11_ParamFromIV (
- CKM_AES_CBC_PAD,
+ cipher_to_nss[instance->crypto_cipher_type],
&iv_item);
if (nss_sec_param == NULL) {
log_printf(instance->log_level_security,
@@ -250,7 +265,7 @@ static int encrypt_and_sign_nss (
* Create cipher context for encryption
*/
enc_context = PK11_CreateContextBySymKey (
- CKM_AES_CBC_PAD,
+ cipher_to_nss[instance->crypto_cipher_type],
CKA_ENCRYPT,
instance->nss_sym_key,
nss_sec_param);
@@ -260,7 +275,7 @@ static int encrypt_and_sign_nss (
err[PR_GetErrorTextLength()] = 0;
log_printf(instance->log_level_security,
"PK11_CreateContext failed (encrypt) crypt_type=%d (err %d): %s",
- CKM_AES_CBC_PAD,
+ (int)cipher_to_nss[instance->crypto_cipher_type],
PR_GetError(), err);
return -1;
}
@@ -277,7 +292,7 @@ static int encrypt_and_sign_nss (
goto out;
/* Now do the digest */
- enc_context = PK11_CreateContextBySymKey(CKM_SHA_1_HMAC,
+ enc_context = PK11_CreateContextBySymKey(hash_to_nss[instance->crypto_hash_type],
CKA_SIGN, instance->nss_sym_key_sign, &no_params);
if (!enc_context) {
char err[1024];
@@ -299,7 +314,6 @@ static int encrypt_and_sign_nss (
if (rv1 != SECSuccess || rv2 != SECSuccess)
goto out;
-
*buf_out_len = *buf_out_len + sizeof(struct crypto_security_header);
SECITEM_FreeItem(nss_sec_param, PR_TRUE);
return 0;
@@ -343,7 +357,7 @@ static int authenticate_and_decrypt_nss (
/* Check the digest */
enc_context = PK11_CreateContextBySymKey (
- CKM_SHA_1_HMAC, CKA_SIGN,
+ hash_to_nss[instance->crypto_hash_type], CKA_SIGN,
instance->nss_sym_key_sign,
&no_params);
if (!enc_context) {
@@ -384,7 +398,7 @@ static int authenticate_and_decrypt_nss (
ivdata.len = sizeof(header->salt);
enc_context = PK11_CreateContextBySymKey(
- CKM_AES_CBC_PAD,
+ cipher_to_nss[instance->crypto_cipher_type],
CKA_DECRYPT,
instance->nss_sym_key, &ivdata);
if (!enc_context) {
@@ -418,7 +432,7 @@ static int authenticate_and_decrypt_nss (
return 0;
}
-size_t crypto_sec_header_size(int crypt_hash_type)
+size_t crypto_sec_header_size(const char *crypto_hash_type)
{
/*
* TODO: add switch / size mapping
@@ -446,8 +460,8 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
struct crypto_instance *crypto_init(
const unsigned char *private_key,
unsigned int private_key_len,
- int crypto_crypt_type,
- int crypto_hash_type,
+ const char *crypto_cipher_type,
+ const char *crypto_hash_type,
void (*log_printf_func) (
int level,
int subsys,
@@ -470,8 +484,19 @@ struct crypto_instance *crypto_init(
memcpy(instance->private_key, private_key, private_key_len);
instance->private_key_len = private_key_len;
- instance->crypto_crypt_type = crypto_crypt_type;
- instance->crypto_hash_type = crypto_hash_type;
+
+ if (strcmp(crypto_cipher_type, "none") == 0) {
+ instance->crypto_cipher_type = CRYPTO_CIPHER_TYPE_NONE;
+ } else if (strcmp(crypto_cipher_type, "aes256") == 0) {
+ instance->crypto_cipher_type = CRYPTO_CIPHER_TYPE_AES256;
+ }
+
+ if (strcmp(crypto_hash_type, "none") == 0) {
+ instance->crypto_hash_type = CRYPTO_HASH_TYPE_NONE;
+ } else if (strcmp(crypto_hash_type, "sha1") == 0) {
+ instance->crypto_hash_type = CRYPTO_HASH_TYPE_SHA1;
+ }
+
instance->log_printf_func = log_printf_func;
instance->log_level_security = log_level_security;
instance->log_level_notice = log_level_notice;
diff --git a/exec/totemcrypto.h b/exec/totemcrypto.h
index 0758f10..13fd19b 100644
--- a/exec/totemcrypto.h
+++ b/exec/totemcrypto.h
@@ -38,10 +38,20 @@
#include <sys/types.h>
+enum crypto_crypt_t {
+ CRYPTO_CIPHER_TYPE_NONE = 0,
+ CRYPTO_CIPHER_TYPE_AES256 = 1
+};
+
+enum crypto_hash_t {
+ CRYPTO_HASH_TYPE_NONE = 0,
+ CRYPTO_HASH_TYPE_SHA1 = 1
+};
+
struct crypto_instance;
extern size_t crypto_sec_header_size(
- int crypt_hash_type);
+ const char *crypto_hash_type);
extern int crypto_authenticate_and_decrypt (
struct crypto_instance *instance,
@@ -58,8 +68,8 @@ extern int crypto_encrypt_and_sign (
extern struct crypto_instance *crypto_init(
const unsigned char *private_key,
unsigned int private_key_len,
- int crypto_crypt_type,
- int crypto_hash_type,
+ const char *crypto_cipher_type,
+ const char *crypto_hash_type,
void (*log_printf_func) (
int level,
int subsys,
diff --git a/exec/totemudp.c b/exec/totemudp.c
index b6f8126..21a6122 100644
--- a/exec/totemudp.c
+++ b/exec/totemudp.c
@@ -1024,7 +1024,7 @@ int totemudp_initialize (
*/
instance->crypto_inst = crypto_init (totem_config->private_key,
totem_config->private_key_len,
- totem_config->crypto_crypt_type,
+ totem_config->crypto_cipher_type,
totem_config->crypto_hash_type,
instance->totemudp_log_printf,
instance->totemudp_log_level_security,
diff --git a/exec/totemudpu.c b/exec/totemudpu.c
index d4530ce..be4ca50 100644
--- a/exec/totemudpu.c
+++ b/exec/totemudpu.c
@@ -744,7 +744,7 @@ int totemudpu_initialize (
*/
instance->crypto_inst = crypto_init (totem_config->private_key,
totem_config->private_key_len,
- totem_config->crypto_crypt_type,
+ totem_config->crypto_cipher_type,
totem_config->crypto_hash_type,
instance->totemudpu_log_printf,
instance->totemudpu_log_level_security,
diff --git a/include/corosync/totem/totem.h b/include/corosync/totem/totem.h
index 333c632..eba3850 100644
--- a/include/corosync/totem/totem.h
+++ b/include/corosync/totem/totem.h
@@ -169,11 +169,9 @@ struct totem_config {
unsigned int broadcast_use;
- enum { TOTEM_CRYPTO_AES256 = 0} crypto_type;
+ char *crypto_cipher_type;
- int crypto_crypt_type;
-
- int crypto_hash_type;
+ char *crypto_hash_type;
totem_transport_t transport_number;
--
1.7.1
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
