ACK On 3/13/2012 5:23 PM, Jan Friesse wrote:
> Signed-off-by: Jan Friesse <jfriesse@xxxxxxxxxx>
> ---
> exec/coroparse.c | 16 +++++++++
> exec/totemconfig.c | 70 ++++++++++++++++++++++++----------------
> exec/totemcrypto.c | 63 +++++++++++++++++++++++++-----------
> exec/totemcrypto.h | 16 +++++++--
> exec/totemudp.c | 2 +-
> exec/totemudpu.c | 2 +-
> include/corosync/totem/totem.h | 6 +--
> 7 files changed, 119 insertions(+), 56 deletions(-)
>
> diff --git a/exec/coroparse.c b/exec/coroparse.c
> index 5efffc0..366cf3e 100644
> --- a/exec/coroparse.c
> +++ b/exec/coroparse.c
> @@ -470,6 +470,22 @@ static int main_config_parser_cb(const char *path,
> return (0);
> }
> }
> + if (strcmp(path, "totem.crypto_cipher") == 0) {
> + if ((strcmp(value, "none") != 0) &&
> + (strcmp(value, "aes256") != 0)) {
> + *error_string = "Invalid cipher type";
> +
> + return (0);
> + }
> + }
> + if (strcmp(path, "totem.crypto_hash") == 0) {
> + if ((strcmp(value, "none") != 0) &&
> + (strcmp(value, "sha1") != 0)) {
> + *error_string = "Invalid hash type";
> +
> + return (0);
> + }
> + }
> break;
>
> case MAIN_CP_CB_DATA_STATE_INTERFACE:
> diff --git a/exec/totemconfig.c b/exec/totemconfig.c
> index a5c1617..931bd7a 100644
> --- a/exec/totemconfig.c
> +++ b/exec/totemconfig.c
> @@ -121,23 +121,54 @@ static void totem_volatile_config_read (struct totem_config *totem_config)
> }
>
>
> -static void totem_get_crypto_type(struct totem_config *totem_config)
> +static void totem_get_crypto(struct totem_config *totem_config)
> {
> char *str;
> + const char *tmp_cipher;
> + const char *tmp_hash;
>
> - /*
> - * We must set these even if the key does not exist.
> - * Encryption type can be set on-the-fly using CFG
> - */
> - totem_config->crypto_crypt_type = CKM_AES_CBC_PAD;
> - totem_config->crypto_hash_type = CKM_SHA256_RSA_PKCS;
> + tmp_hash = "sha1";
> + tmp_cipher = "aes256";
> + totem_config->secauth = 1;
> +
> + if (icmap_get_string("totem.secauth", &str) == CS_OK) {
> + if (strcmp (str, "off") == 0) {
> + totem_config->secauth = 0;
> + tmp_hash = "none";
> + tmp_cipher = "none";
> + }
> + free(str);
> + }
>
> - if (icmap_get_string("totem.crypto_type", &str) == CS_OK) {
> - if (strcmp(str, "nss") == 0 || strcmp(str, "aes256") == 0) {
> - totem_config->crypto_type = TOTEM_CRYPTO_AES256;
> + if (icmap_get_string("totem.crypto_cipher", &str) == CS_OK) {
> + if (strcmp(str, "none") == 0) {
> + tmp_cipher = "none";
> + }
> + if (strcmp(str, "aes256") == 0) {
> + tmp_cipher = "aes256";
> + }
> + free(str);
> + }
> +
> + if (icmap_get_string("totem.crypto_hash", &str) == CS_OK) {
> + if (strcmp(str, "none") == 0) {
> + tmp_hash = "none";
> + }
> + if (strcmp(str, "sha1") == 0) {
> + tmp_hash = "sha1";
> }
> free(str);
> }
> +
> + if (strcmp(tmp_hash, "none") == 0 && strcmp(tmp_cipher, "none") == 0) {
> + totem_config->secauth = 0;
> + }
> +
> + free(totem_config->crypto_cipher_type);
> + free(totem_config->crypto_hash_type);
> +
> + totem_config->crypto_cipher_type = strdup(tmp_cipher);
> + totem_config->crypto_hash_type = strdup(tmp_hash);
> }
>
> static uint16_t generate_cluster_id (const char *cluster_name)
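Review bot: The closing consistency check in totem_get_crypto() only covers the case where both values are "none", so two mixed configurations pass through unflagged. With `totem.secauth: off` plus an explicit `totem.crypto_cipher: aes256`, `secauth` stays 0 while `crypto_cipher_type` is stored as "aes256", and whichever of the two fields a caller consults then decides whether traffic is protected; setting `totem_config->secauth = 1;` whenever either value is not "none" would keep them in agreement. Cipher "aes256" together with hash "none" is also accepted, which would mean CBC encryption with no integrity check on the packet, so that pair is better refused at configuration time than stored. Separately, both `strdup()` results are stored unchecked and are later handed to `strcmp()` in crypto_init().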
> @@ -410,25 +441,11 @@ extern int totem_config_read (
> memset (totem_config->interfaces, 0,
> sizeof (struct totem_interface) * INTERFACE_MAX);
>
> - totem_config->secauth = 1;
> -
> strcpy (totem_config->rrp_mode, "none");
>
> icmap_get_uint32("totem.version", (uint32_t *)&totem_config->version);
>
> - if (icmap_get_string("totem.secauth", &str) == CS_OK) {
> - if (strcmp (str, "on") == 0) {
> - totem_config->secauth = 1;
> - }
> - if (strcmp (str, "off") == 0) {
> - totem_config->secauth = 0;
> - }
> - free(str);
> - }
> -
> - if (totem_config->secauth == 1) {
> - totem_get_crypto_type(totem_config);
> - }
> + totem_get_crypto(totem_config);
>
> if (icmap_get_string("totem.rrp_mode", &str) == CS_OK) {
> strcpy (totem_config->rrp_mode, str);
> @@ -924,9 +941,6 @@ int totem_config_validate (
> if (totem_config->threads > SEND_THREADS_MAX) {
> totem_config->threads = SEND_THREADS_MAX;
> }
> - if (totem_config->secauth == 0) {
> - totem_config->threads = 0;
> - }
> if (totem_config->net_mtu > FRAME_SIZE_MAX) {
> error_reason = "This net_mtu parameter is greater then the maximum frame size";
> goto parse_error;
> diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
> index 4ee839e..8c0ec91 100644
> --- a/exec/totemcrypto.c
> +++ b/exec/totemcrypto.c
> @@ -91,9 +91,9 @@ struct crypto_instance {
>
> unsigned int private_key_len;
>
> - int crypto_crypt_type;
> + enum crypto_crypt_t crypto_cipher_type;
>
> - int crypto_hash_type;
> + enum crypto_hash_t crypto_hash_type;
>
> void (*log_printf_func) (
> int level,
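Review bot: In the totem_config_read hunk (@@ -410), totem_get_crypto() is now reached on every call and ends with `free(totem_config->crypto_cipher_type); free(totem_config->crypto_hash_type);`, but the only zeroing visible here is the `memset` of `interfaces`. If the caller does not hand in a zeroed struct totem_config, the first call frees indeterminate pointers. The caller's contract is outside the hunk and should be confirmed; a comment on the two struct fields stating that they are heap strings owned by totem_config and must start as NULL would document the requirement.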
> @@ -110,6 +110,21 @@ struct crypto_instance {
> int log_subsys_id;
> };
>
> +CK_MECHANISM_TYPE cipher_to_nss[] = {
> + 0, /* CRYPTO_CIPHER_TYPE_NONE */
> + CKM_AES_CBC_PAD /* CRYPTO_CIPHER_TYPE_AES256 */
> +};
> +
> +size_t cipher_key_len[] = {
> + 0, /* CRYPTO_CIPHER_TYPE_NONE */
> + 32, /* CRYPTO_CIPHER_TYPE_AES256 */
> +};
> +
> +CK_MECHANISM_TYPE hash_to_nss[] = {
> + 0, /* CRYPTO_HASH_TYPE_NONE */
> + CKM_SHA_1_HMAC /* CRYPTO_HASH_TYPE_SHA1 */
> +};
> +
> #define log_printf(level, format, args...) \
> do { \
> instance->log_printf_func ( \
> @@ -148,7 +163,7 @@ static void init_nss_crypto(struct crypto_instance *instance)
> /*
> * TODO: use instance info!
> */
> - aes_slot = PK11_GetBestSlot(CKM_AES_CBC_PAD, NULL);
> + aes_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL);
> if (aes_slot == NULL)
> {
> log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
> @@ -156,7 +171,7 @@ static void init_nss_crypto(struct crypto_instance *instance)
> goto out;
> }
>
> - sha1_slot = PK11_GetBestSlot(CKM_SHA_1_HMAC, NULL);
> + sha1_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL);
> if (sha1_slot == NULL)
> {
> log_printf(instance->log_level_security, "Unable to find security slot (err %d)",
> @@ -168,10 +183,10 @@ static void init_nss_crypto(struct crypto_instance *instance)
> */
> key_item.type = siBuffer;
> key_item.data = instance->private_key;
> - key_item.len = 32; /* Use 256 bits */
> + key_item.len = cipher_key_len[instance->crypto_cipher_type];
>
> instance->nss_sym_key = PK11_ImportSymKey(aes_slot,
> - CKM_AES_CBC_PAD,
> + cipher_to_nss[instance->crypto_cipher_type],
> PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT,
> &key_item, NULL);
> if (instance->nss_sym_key == NULL)
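Review bot: The three lookup tables added at @@ -110 are writable globals with external linkage, and every later use indexes them directly with `instance->crypto_cipher_type` or `instance->crypto_hash_type` without a range check. Declaring them `static const CK_MECHANISM_TYPE cipher_to_nss[] = { ... };` (likewise `cipher_key_len` and `hash_to_nss`) keeps them file-local and in read-only data. The NONE entries map to mechanism 0, and the init_nss_crypto hunks (@@ -148, @@ -156) pass the table value straight to `PK11_GetBestSlot()`, so a "none" setting reaches NSS as mechanism 0 unless a guard outside these hunks skips the call. An explicit test for the NONE value before each NSS call, or a comment saying where that guard lives, would make the intent clear.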
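Review bot: In the @@ -168 hunk `key_item.len` is now taken from the cipher table, yet the same `key_item` is reused for the HMAC key import in the following hunk (@@ -182, `PK11_ImportSymKey(sha1_slot, ... &key_item, NULL)`). With cipher "none" and hash "sha1", a pair the parser accepts, the length is 0, so the signing key would be imported from an empty buffer or the import fails, unless the length is reset in the lines between the two hunks. The signing key length should not depend on the cipher choice; set it on its own before the second import, for example from a separate per-hash length table next to `hash_to_nss[]`. init_nss_crypto's body starts and ends outside both hunks.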
> @@ -182,7 +197,7 @@ static void init_nss_crypto(struct crypto_instance *instance)
> }
>
> instance->nss_sym_key_sign = PK11_ImportSymKey(sha1_slot,
> - CKM_SHA_1_HMAC,
> + hash_to_nss[instance->crypto_hash_type],
> PK11_OriginUnwrap, CKA_SIGN,
> &key_item, NULL);
> if (instance->nss_sym_key_sign == NULL) {
> @@ -237,7 +252,7 @@ static int encrypt_and_sign_nss (
> iv_item.len = sizeof (nss_iv_data);
>
> nss_sec_param = PK11_ParamFromIV (
> - CKM_AES_CBC_PAD,
> + cipher_to_nss[instance->crypto_cipher_type],
> &iv_item);
> if (nss_sec_param == NULL) {
> log_printf(instance->log_level_security,
> @@ -250,7 +265,7 @@ static int encrypt_and_sign_nss (
> * Create cipher context for encryption
> */
> enc_context = PK11_CreateContextBySymKey (
> - CKM_AES_CBC_PAD,
> + cipher_to_nss[instance->crypto_cipher_type],
> CKA_ENCRYPT,
> instance->nss_sym_key,
> nss_sec_param);
> @@ -260,7 +275,7 @@ static int encrypt_and_sign_nss (
> err[PR_GetErrorTextLength()] = 0;
> log_printf(instance->log_level_security,
> "PK11_CreateContext failed (encrypt) crypt_type=%d (err %d): %s",
> - CKM_AES_CBC_PAD,
> + (int)cipher_to_nss[instance->crypto_cipher_type],
> PR_GetError(), err);
> return -1;
> }
> @@ -277,7 +292,7 @@ static int encrypt_and_sign_nss (
> goto out;
>
> /* Now do the digest */
> - enc_context = PK11_CreateContextBySymKey(CKM_SHA_1_HMAC,
> + enc_context = PK11_CreateContextBySymKey(hash_to_nss[instance->crypto_hash_type],
> CKA_SIGN, instance->nss_sym_key_sign, &no_params);
> if (!enc_context) {
> char err[1024];
> @@ -299,7 +314,6 @@ static int encrypt_and_sign_nss (
> if (rv1 != SECSuccess || rv2 != SECSuccess)
> goto out;
>
> -
> *buf_out_len = *buf_out_len + sizeof(struct crypto_security_header);
> SECITEM_FreeItem(nss_sec_param, PR_TRUE);
> return 0;
> @@ -343,7 +357,7 @@ static int authenticate_and_decrypt_nss (
>
> /* Check the digest */
> enc_context = PK11_CreateContextBySymKey (
> - CKM_SHA_1_HMAC, CKA_SIGN,
> + hash_to_nss[instance->crypto_hash_type], CKA_SIGN,
> instance->nss_sym_key_sign,
> &no_params);
> if (!enc_context) {
> @@ -384,7 +398,7 @@ static int authenticate_and_decrypt_nss (
> ivdata.len = sizeof(header->salt);
>
> enc_context = PK11_CreateContextBySymKey(
> - CKM_AES_CBC_PAD,
> + cipher_to_nss[instance->crypto_cipher_type],
> CKA_DECRYPT,
> instance->nss_sym_key, &ivdata);
> if (!enc_context) {
> @@ -418,7 +432,7 @@ static int authenticate_and_decrypt_nss (
> return 0;
> }
>
> -size_t crypto_sec_header_size(int crypt_hash_type)
> +size_t crypto_sec_header_size(const char *crypto_hash_type)
> {
> /*
> * TODO: add switch / size mapping
> @@ -446,8 +460,8 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
> struct crypto_instance *crypto_init(
> const unsigned char *private_key,
> unsigned int private_key_len,
> - int crypto_crypt_type,
> - int crypto_hash_type,
> + const char *crypto_cipher_type,
> + const char *crypto_hash_type,
> void (*log_printf_func) (
> int level,
> int subsys,
> @@ -470,8 +484,19 @@ struct crypto_instance *crypto_init(
>
> memcpy(instance->private_key, private_key, private_key_len);
> instance->private_key_len = private_key_len;
> - instance->crypto_crypt_type = crypto_crypt_type;
> - instance->crypto_hash_type = crypto_hash_type;
> +
> + if (strcmp(crypto_cipher_type, "none") == 0) {
> + instance->crypto_cipher_type = CRYPTO_CIPHER_TYPE_NONE;
> + } else if (strcmp(crypto_cipher_type, "aes256") == 0) {
> + instance->crypto_cipher_type = CRYPTO_CIPHER_TYPE_AES256;
> + }
> +
> + if (strcmp(crypto_hash_type, "none") == 0) {
> + instance->crypto_hash_type = CRYPTO_HASH_TYPE_NONE;
> + } else if (strcmp(crypto_hash_type, "sha1") == 0) {
> + instance->crypto_hash_type = CRYPTO_HASH_TYPE_SHA1;
> + }
> +
> instance->log_printf_func = log_printf_func;
> instance->log_level_security = log_level_security;
> instance->log_level_notice = log_level_notice;
> diff --git a/exec/totemcrypto.h b/exec/totemcrypto.h
> index 0758f10..13fd19b 100644
> --- a/exec/totemcrypto.h
> +++ b/exec/totemcrypto.h
> @@ -38,10 +38,20 @@
>
> #include <sys/types.h>
>
> +enum crypto_crypt_t {
> + CRYPTO_CIPHER_TYPE_NONE = 0,
> + CRYPTO_CIPHER_TYPE_AES256 = 1
> +};
> +
> +enum crypto_hash_t {
> + CRYPTO_HASH_TYPE_NONE = 0,
> + CRYPTO_HASH_TYPE_SHA1 = 1
> +};
> +
> struct crypto_instance;
>
> extern size_t crypto_sec_header_size(
> - int crypt_hash_type);
> + const char *crypto_hash_type);
>
> extern int crypto_authenticate_and_decrypt (
> struct crypto_instance *instance,
> @@ -58,8 +68,8 @@ extern int crypto_encrypt_and_sign (
> extern struct crypto_instance *crypto_init(
> const unsigned char *private_key,
> unsigned int private_key_len,
> - int crypto_crypt_type,
> - int crypto_hash_type,
> + const char *crypto_cipher_type,
> + const char *crypto_hash_type,
> void (*log_printf_func) (
> int level,
> int subsys,
> diff --git a/exec/totemudp.c b/exec/totemudp.c
> index b6f8126..21a6122 100644
> --- a/exec/totemudp.c
> +++ b/exec/totemudp.c
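Review bot: Neither if/else-if chain added to crypto_init() (@@ -470) has a final `else`, so a string other than the two expected values leaves `instance->crypto_cipher_type` or `instance->crypto_hash_type` at whatever the allocation left there, and that value is then used as an index into `cipher_to_nss[]`, `cipher_key_len[]` and `hash_to_nss[]`. A NULL argument is also possible, because totem_get_crypto() stores unchecked `strdup()` results, and `strcmp()` on NULL is undefined. I would check both pointers for NULL before the first `strcmp()` and give each chain an `else` branch that logs the rejected value and fails the init instead of continuing with an unset type. How `instance` is allocated and released is outside the hunk, so the cleanup on that path has to follow the function's existing error handling.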
> @@ -1024,7 +1024,7 @@ int totemudp_initialize (
> */
> instance->crypto_inst = crypto_init (totem_config->private_key,
> totem_config->private_key_len,
> - totem_config->crypto_crypt_type,
> + totem_config->crypto_cipher_type,
> totem_config->crypto_hash_type,
> instance->totemudp_log_printf,
> instance->totemudp_log_level_security,
> diff --git a/exec/totemudpu.c b/exec/totemudpu.c
> index d4530ce..be4ca50 100644
> --- a/exec/totemudpu.c
> +++ b/exec/totemudpu.c
> @@ -744,7 +744,7 @@ int totemudpu_initialize (
> */
> instance->crypto_inst = crypto_init (totem_config->private_key,
> totem_config->private_key_len,
> - totem_config->crypto_crypt_type,
> + totem_config->crypto_cipher_type,
> totem_config->crypto_hash_type,
> instance->totemudpu_log_printf,
> instance->totemudpu_log_level_security,
> diff --git a/include/corosync/totem/totem.h b/include/corosync/totem/totem.h
> index 333c632..eba3850 100644
> --- a/include/corosync/totem/totem.h
> +++ b/include/corosync/totem/totem.h
> @@ -169,11 +169,9 @@ struct totem_config {
>
> unsigned int broadcast_use;
>
> - enum { TOTEM_CRYPTO_AES256 = 0} crypto_type;
> + char *crypto_cipher_type;
>
> - int crypto_crypt_type;
> -
> - int crypto_hash_type;
> + char *crypto_hash_type;
>
> totem_transport_t transport_number;
>
_______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss