From: "Fabio M. Di Nitto" <fdinitto@xxxxxxxxxx> (backport from nsscrypto kronosnet code) Signed-off-by: Fabio M. Di Nitto <fdinitto@xxxxxxxxxx> --- TODO | 1 - conf/lenses/corosync.aug | 4 ++-- exec/coroparse.c | 10 ++++++++-- exec/totemconfig.c | 9 +++++++++ exec/totemcrypto.c | 36 +++++++++++++++++++++++++++--------- man/corosync.conf.5 | 2 +- 6 files changed, 47 insertions(+), 15 deletions(-) diff --git a/TODO b/TODO index c831948..117665a 100644 --- a/TODO +++ b/TODO @@ -27,7 +27,6 @@ * Modify totemsrp to allow dynamic definitions of the ring counts to allow a larger number of redundant rings then 2. * Investigate always-on flight recorder -* support more encryption methods (other than none/aes256) from nss * implement topic-rdmaud -------------------------------- diff --git a/conf/lenses/corosync.aug b/conf/lenses/corosync.aug index 98cd268..8f0e7f4 100644 --- a/conf/lenses/corosync.aug +++ b/conf/lenses/corosync.aug @@ -50,8 +50,8 @@ let totem = |kv "rrp_mode" /none|active|passive/ |kv "vsftype" /none|ykd/ |kv "secauth" /on|off/ - |kv "crypto_type" /nss|aes256/ - |kv "crypto_cipher" /none|nss|aes256/ + |kv "crypto_type" /nss|aes256|aes192|aes128|3des/ + |kv "crypto_cipher" /none|nss|aes256|aes192|aes128/3des/ |kv "crypto_hash" /none|md5|sha1|sha256|sha384|sha512/ |kv "transport" /udp|iba/ |kv "version" Rx.integer diff --git a/exec/coroparse.c b/exec/coroparse.c index 100b717..b9655c5 100644 --- a/exec/coroparse.c +++ b/exec/coroparse.c @@ -502,7 +502,10 @@ static int main_config_parser_cb(const char *path, } if (strcmp(path, "totem.crypto_type") == 0) { if ((strcmp(value, "nss") != 0) && - (strcmp(value, "aes256") != 0)) { + (strcmp(value, "aes256") != 0) && + (strcmp(value, "aes192") != 0) && + (strcmp(value, "aes128") != 0) && + (strcmp(value, "3des") != 0)) { *error_string = "Invalid crypto type"; return (0); 
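Review bot: The new `crypto_cipher` regex in the corosync.aug hunk is malformed: `/none|nss|aes256|aes192|aes128/3des/` uses `/` instead of `|` before `3des`, so the regex literal closes after `aes128` and `3des/` is left dangling, meaning the lens will either fail to load or never accept the very value this patch adds. The line should read `|kv "crypto_cipher" /none|nss|aes256|aes192|aes128|3des/`, matching the `crypto_type` line just above it. It is also worth noting that this lens still lists `nss` as a valid `crypto_cipher` while the coroparse.c check in the same patch rejects it; that mismatch predates this change but becomes more visible now that the lists are being extended by hand.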
@@ -510,7 +513,10 @@ static int main_config_parser_cb(const char *path, } if (strcmp(path, "totem.crypto_cipher") == 0) { if ((strcmp(value, "none") != 0) && - (strcmp(value, "aes256") != 0)) { + (strcmp(value, "aes256") != 0) && + (strcmp(value, "aes192") != 0) && + (strcmp(value, "aes128") != 0) && + (strcmp(value, "3des") != 0)) { *error_string = "Invalid cipher type"; return (0); diff --git a/exec/totemconfig.c b/exec/totemconfig.c index e1b9f80..17d8e03 100644 --- a/exec/totemconfig.c +++ b/exec/totemconfig.c @@ -138,6 +138,15 @@ static void totem_get_crypto(struct totem_config *totem_config) if (strcmp(str, "aes256") == 0) { tmp_cipher = "aes256"; } + if (strcmp(str, "aes192") == 0) { + tmp_cipher = "aes192"; + } + if (strcmp(str, "aes128") == 0) { + tmp_cipher = "aes128"; + } + if (strcmp(str, "3des") == 0) { + tmp_cipher = "3des"; + } free(str); } diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c index dc6b863..f2484e9 100644 --- a/exec/totemcrypto.c +++ b/exec/totemcrypto.c 
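Review bot: The extended strcmp chain in the `totem.crypto_cipher` check spells out the same five names that this patch also hard-codes in the `totem.crypto_type` check, in totemconfig.c, in string_to_crypto_cipher_type() in totemcrypto.c and in the augeas lens (where one copy already carries a typo), so the lists are bound to drift. I would keep one `static const` table in coroparse.c and test membership with a small helper, which also makes the two checks in this function identical in shape. main_config_parser_cb() starts and ends outside the hunk; only the cipher check is shown below.
```c
/* accepted totem.crypto_cipher values; keep in sync with totemcrypto.c */
static const char *const crypto_cipher_names[] = {
	"none", "aes256", "aes192", "aes128", "3des"
};

/* return 1 when value is one of crypto_cipher_names[], 0 otherwise */
static int is_known_cipher(const char *value)
{
	size_t i;

	for (i = 0; i < sizeof(crypto_cipher_names) / sizeof(crypto_cipher_names[0]); i++) {
		if (strcmp(value, crypto_cipher_names[i]) == 0) {
			return 1;
		}
	}
	return 0;
}

/* … unchanged: main_config_parser_cb() up to the crypto_cipher check … */
	if (strcmp(path, "totem.crypto_cipher") == 0) {
		if (!is_known_cipher(value)) {
			*error_string = "Invalid cipher type";
```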
@@ -68,22 +68,34 @@ struct crypto_config_header { enum crypto_crypt_t { CRYPTO_CIPHER_TYPE_NONE = 0, - CRYPTO_CIPHER_TYPE_AES256 = 1 + CRYPTO_CIPHER_TYPE_AES256 = 1, + CRYPTO_CIPHER_TYPE_AES192 = 2, + CRYPTO_CIPHER_TYPE_AES128 = 3, + CRYPTO_CIPHER_TYPE_3DES = 4 }; CK_MECHANISM_TYPE cipher_to_nss[] = { 0, /* CRYPTO_CIPHER_TYPE_NONE */ - CKM_AES_CBC_PAD /* CRYPTO_CIPHER_TYPE_AES256 */ + CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES256 */ + CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES192 */ + CKM_AES_CBC_PAD, /* CRYPTO_CIPHER_TYPE_AES128 */ + CKM_DES3_CBC_PAD /* CRYPTO_CIPHER_TYPE_3DES */ }; size_t cipher_key_len[] = { - 0, /* CRYPTO_CIPHER_TYPE_NONE */ - 32, /* CRYPTO_CIPHER_TYPE_AES256 */ + 0, /* CRYPTO_CIPHER_TYPE_NONE */ + AES_256_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES256 */ + AES_192_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES192 */ + AES_128_KEY_LENGTH, /* CRYPTO_CIPHER_TYPE_AES128 */ + 16 /* CRYPTO_CIPHER_TYPE_3DES - no magic in nss headers */ }; size_t cypher_block_len[] = { - 0, /* CRYPTO_CIPHER_TYPE_NONE */ - AES_BLOCK_SIZE /* CRYPTO_CIPHER_TYPE_AES256 */ + 0, /* CRYPTO_CIPHER_TYPE_NONE */ + AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES256 */ + AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES192 */ + AES_BLOCK_SIZE, /* CRYPTO_CIPHER_TYPE_AES128 */ + 0 /* CRYPTO_CIPHER_TYPE_3DES */ }; /* @@ -100,7 +112,7 @@ enum crypto_hash_t { }; CK_MECHANISM_TYPE hash_to_nss[] = { - 0, /* CRYPTO_HASH_TYPE_NONE */ + 0, /* CRYPTO_HASH_TYPE_NONE */ CKM_MD5_HMAC, /* CRYPTO_HASH_TYPE_MD5 */ CKM_SHA_1_HMAC, /* CRYPTO_HASH_TYPE_SHA1 */ CKM_SHA256_HMAC, /* CRYPTO_HASH_TYPE_SHA256 */ @@ -109,7 +121,7 @@ CK_MECHANISM_TYPE hash_to_nss[] = { }; size_t hash_len[] = { - 0, /* CRYPTO_HASH_TYPE_NONE */ + 0, /* CRYPTO_HASH_TYPE_NONE */ MD5_LENGTH, /* CRYPTO_HASH_TYPE_MD5 */ SHA1_LENGTH, /* CRYPTO_HASH_TYPE_SHA1 */ SHA256_LENGTH, /* CRYPTO_HASH_TYPE_SHA256 */ 
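Review bot: The new 3DES entries at the end of `cipher_key_len[]` and `cypher_block_len[]` look wrong for `CKM_DES3_CBC_PAD`: a 16-byte key is at best two-key triple DES (K1,K2,K1), a construction with roughly 80-bit effective strength that NIST has deprecated, and a block length of `0` disagrees with the 8-byte DES block that CBC padding and the IV actually use, so if this table sizes the packet buffer or the IV (its consumers are outside the hunk) 3DES traffic could be under-provisioned by up to one block. If 3DES is kept, I would make the entries `24 /* CRYPTO_CIPHER_TYPE_3DES - three 8 byte DES keys */` and `8 /* CRYPTO_CIPHER_TYPE_3DES - DES block size */`, and add a comment next to `CKM_DES3_CBC_PAD` that its 64-bit block allows birthday-bound plaintext leakage (Sweet32-style) after about 2^32 blocks under one key, which matters for a long-lived shared cluster key with no rekeying visible in this patch. Given that, the safer option is to not expose 3des at all, or to describe it in corosync.conf.5 as a compatibility-only choice rather than listing it alongside the AES variants without comment.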
@@ -118,7 +130,7 @@ size_t hash_len[] = { }; size_t hash_block_len[] = { - 0, /* CRYPTO_HASH_TYPE_NONE */ + 0, /* CRYPTO_HASH_TYPE_NONE */ MD5_BLOCK_LENGTH, /* CRYPTO_HASH_TYPE_MD5 */ SHA1_BLOCK_LENGTH, /* CRYPTO_HASH_TYPE_SHA1 */ SHA256_BLOCK_LENGTH, /* CRYPTO_HASH_TYPE_SHA256 */ @@ -173,6 +185,12 @@ static int string_to_crypto_cipher_type(const char* crypto_cipher_type) return CRYPTO_CIPHER_TYPE_NONE; } else if (strcmp(crypto_cipher_type, "aes256") == 0) { return CRYPTO_CIPHER_TYPE_AES256; + } else if (strcmp(crypto_cipher_type, "aes192") == 0) { + return CRYPTO_CIPHER_TYPE_AES192; + } else if (strcmp(crypto_cipher_type, "aes128") == 0) { + return CRYPTO_CIPHER_TYPE_AES128; + } else if (strcmp(crypto_cipher_type, "3des") == 0) { + return CRYPTO_CIPHER_TYPE_3DES; } return CRYPTO_CIPHER_TYPE_AES256; } diff --git a/man/corosync.conf.5 b/man/corosync.conf.5 index 34dd7b8..1ef9dc5 100644 --- a/man/corosync.conf.5 +++ b/man/corosync.conf.5 @@ -173,7 +173,7 @@ The default is sha1. .TP crypto_cipher This specifies which cipher should be used to encrypt all messages. -Valid values are none (no encryption) and aes256. +Valid values are none (no encryption), aes256, aes192, aes128 and 3des. The default is aes256. -- 1.7.7.6 _______________________________________________ discuss mailing list discuss@xxxxxxxxxxxx http://lists.corosync.org/mailman/listinfo/discuss
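Review bot: The trailing `return CRYPTO_CIPHER_TYPE_AES256;` in string_to_crypto_cipher_type() silently maps any name the new else-if chain does not recognise to AES-256 instead of signalling an error, so a name accepted by the hand-maintained list in coroparse.c but missing here would quietly select a different cipher than the one configured. Since the return type has no error value, I would at least document the contract above the fallback with `/* unknown names fall back to aes256; coroparse.c is expected to have rejected them already */`, and ideally have the caller log a warning when the configured name does not match, so a list mismatch is noticed rather than masked.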