1 /*
2 * GPL HEADER START
3 *
4 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 only,
8 * as published by the Free Software Foundation.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License version 2 for more details (a copy is included
14 * in the LICENSE file that accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License
17 * version 2 along with this program; If not, see
18 * http://www.sun.com/software/products/lustre/docs/GPLv2.pdf
19 *
20 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
21 * CA 95054 USA or visit www.sun.com if you need additional information or
22 * have any questions.
23 *
24 * GPL HEADER END
25 */
26 /*
27 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
28 * Use is subject to license terms.
29 *
30 * Copyright (c) 2012, Intel Corporation.
31 */
32 /*
33 * This file is part of Lustre, http://www.lustre.org/
34 * Lustre is a trademark of Sun Microsystems, Inc.
35 *
36 * lustre/obdclass/capa.c
37 *
38 * Lustre Capability Hash Management
39 *
40 * Author: Lai Siyao<lsy@clusterfs.com>
41 */
42
43 #define DEBUG_SUBSYSTEM S_SEC
44
45 #include <linux/fs.h>
46 #include <asm/unistd.h>
47 #include <linux/slab.h>
48 #include <linux/module.h>
49 #include <linux/crypto.h>
50
51 #include "../include/obd_class.h"
52 #include "../include/lustre_debug.h"
53 #include "../include/lustre/lustre_idl.h"
54
55 #include <linux/list.h>
56 #include "../include/lustre_capa.h"
57
58 #define NR_CAPAHASH 32
59 #define CAPA_HASH_SIZE 3000 /* for MDS & OSS */
60
61 struct kmem_cache *capa_cachep = NULL;
62
63 /* lock for capa hash/capa_list/fo_capa_keys */
64 DEFINE_SPINLOCK(capa_lock);
65
66 struct list_head capa_list[CAPA_SITE_MAX];
67
68 static struct capa_hmac_alg capa_hmac_algs[] = {
69 DEF_CAPA_HMAC_ALG("sha1", SHA1, 20, 20),
70 };
71 /* capa count */
72 int capa_count[CAPA_SITE_MAX] = { 0, };
73
74 EXPORT_SYMBOL(capa_cachep);
75 EXPORT_SYMBOL(capa_list);
76 EXPORT_SYMBOL(capa_lock);
77 EXPORT_SYMBOL(capa_count);
78
79 static inline
ll_crypto_tfm_alg_min_keysize(struct crypto_blkcipher * tfm)80 unsigned int ll_crypto_tfm_alg_min_keysize(struct crypto_blkcipher *tfm)
81 {
82 return crypto_blkcipher_tfm(tfm)->__crt_alg->cra_blkcipher.min_keysize;
83 }
84
init_capa_hash(void)85 struct hlist_head *init_capa_hash(void)
86 {
87 struct hlist_head *hash;
88 int nr_hash, i;
89
90 OBD_ALLOC(hash, PAGE_CACHE_SIZE);
91 if (!hash)
92 return NULL;
93
94 nr_hash = PAGE_CACHE_SIZE / sizeof(struct hlist_head);
95 LASSERT(nr_hash > NR_CAPAHASH);
96
97 for (i = 0; i < NR_CAPAHASH; i++)
98 INIT_HLIST_HEAD(hash + i);
99 return hash;
100 }
101 EXPORT_SYMBOL(init_capa_hash);
102
capa_on_server(struct obd_capa * ocapa)103 static inline int capa_on_server(struct obd_capa *ocapa)
104 {
105 return ocapa->c_site == CAPA_SITE_SERVER;
106 }
107
capa_delete(struct obd_capa * ocapa)108 static inline void capa_delete(struct obd_capa *ocapa)
109 {
110 LASSERT(capa_on_server(ocapa));
111 hlist_del_init(&ocapa->u.tgt.c_hash);
112 list_del_init(&ocapa->c_list);
113 capa_count[ocapa->c_site]--;
114 /* release the ref when alloc */
115 capa_put(ocapa);
116 }
117
cleanup_capa_hash(struct hlist_head * hash)118 void cleanup_capa_hash(struct hlist_head *hash)
119 {
120 int i;
121 struct hlist_node *next;
122 struct obd_capa *oc;
123
124 spin_lock(&capa_lock);
125 for (i = 0; i < NR_CAPAHASH; i++) {
126 hlist_for_each_entry_safe(oc, next, hash + i,
127 u.tgt.c_hash)
128 capa_delete(oc);
129 }
130 spin_unlock(&capa_lock);
131
132 OBD_FREE(hash, PAGE_CACHE_SIZE);
133 }
134 EXPORT_SYMBOL(cleanup_capa_hash);
135
capa_hashfn(struct lu_fid * fid)136 static inline int capa_hashfn(struct lu_fid *fid)
137 {
138 return (fid_oid(fid) ^ fid_ver(fid)) *
139 (unsigned long)(fid_seq(fid) + 1) % NR_CAPAHASH;
140 }
141
142 /* capa renewal time check is earlier than that on client, which is to prevent
143 * client renew right after obtaining it. */
capa_is_to_expire(struct obd_capa * oc)144 static inline int capa_is_to_expire(struct obd_capa *oc)
145 {
146 return time_before(cfs_time_sub(oc->c_expiry,
147 cfs_time_seconds(oc->c_capa.lc_timeout)*2/3),
148 cfs_time_current());
149 }
150
find_capa(struct lustre_capa * capa,struct hlist_head * head,int alive)151 static struct obd_capa *find_capa(struct lustre_capa *capa,
152 struct hlist_head *head, int alive)
153 {
154 struct obd_capa *ocapa;
155 int len = alive ? offsetof(struct lustre_capa, lc_keyid):sizeof(*capa);
156
157 hlist_for_each_entry(ocapa, head, u.tgt.c_hash) {
158 if (memcmp(&ocapa->c_capa, capa, len))
159 continue;
160 /* don't return one that will expire soon in this case */
161 if (alive && capa_is_to_expire(ocapa))
162 continue;
163
164 LASSERT(capa_on_server(ocapa));
165
166 DEBUG_CAPA(D_SEC, &ocapa->c_capa, "found");
167 return ocapa;
168 }
169
170 return NULL;
171 }
172
173 #define LRU_CAPA_DELETE_COUNT 12
capa_delete_lru(struct list_head * head)174 static inline void capa_delete_lru(struct list_head *head)
175 {
176 struct obd_capa *ocapa;
177 struct list_head *node = head->next;
178 int count = 0;
179
180 /* free LRU_CAPA_DELETE_COUNT unused capa from head */
181 while (count++ < LRU_CAPA_DELETE_COUNT) {
182 ocapa = list_entry(node, struct obd_capa, c_list);
183 node = node->next;
184 if (atomic_read(&ocapa->c_refc))
185 continue;
186
187 DEBUG_CAPA(D_SEC, &ocapa->c_capa, "free lru");
188 capa_delete(ocapa);
189 }
190 }
191
192 /* add or update */
capa_add(struct hlist_head * hash,struct lustre_capa * capa)193 struct obd_capa *capa_add(struct hlist_head *hash, struct lustre_capa *capa)
194 {
195 struct hlist_head *head = hash + capa_hashfn(&capa->lc_fid);
196 struct obd_capa *ocapa, *old = NULL;
197 struct list_head *list = &capa_list[CAPA_SITE_SERVER];
198
199 ocapa = alloc_capa(CAPA_SITE_SERVER);
200 if (IS_ERR(ocapa))
201 return NULL;
202
203 spin_lock(&capa_lock);
204 old = find_capa(capa, head, 0);
205 if (!old) {
206 ocapa->c_capa = *capa;
207 set_capa_expiry(ocapa);
208 hlist_add_head(&ocapa->u.tgt.c_hash, head);
209 list_add_tail(&ocapa->c_list, list);
210 capa_get(ocapa);
211 capa_count[CAPA_SITE_SERVER]++;
212 if (capa_count[CAPA_SITE_SERVER] > CAPA_HASH_SIZE)
213 capa_delete_lru(list);
214 spin_unlock(&capa_lock);
215 return ocapa;
216 }
217 capa_get(old);
218 spin_unlock(&capa_lock);
219 capa_put(ocapa);
220 return old;
221 }
222 EXPORT_SYMBOL(capa_add);
223
capa_lookup(struct hlist_head * hash,struct lustre_capa * capa,int alive)224 struct obd_capa *capa_lookup(struct hlist_head *hash, struct lustre_capa *capa,
225 int alive)
226 {
227 struct obd_capa *ocapa;
228
229 spin_lock(&capa_lock);
230 ocapa = find_capa(capa, hash + capa_hashfn(&capa->lc_fid), alive);
231 if (ocapa) {
232 list_move_tail(&ocapa->c_list,
233 &capa_list[CAPA_SITE_SERVER]);
234 capa_get(ocapa);
235 }
236 spin_unlock(&capa_lock);
237
238 return ocapa;
239 }
240 EXPORT_SYMBOL(capa_lookup);
241
ll_crypto_hmac(struct crypto_hash * tfm,u8 * key,unsigned int * keylen,struct scatterlist * sg,unsigned int size,u8 * result)242 static inline int ll_crypto_hmac(struct crypto_hash *tfm,
243 u8 *key, unsigned int *keylen,
244 struct scatterlist *sg,
245 unsigned int size, u8 *result)
246 {
247 struct hash_desc desc;
248 int rv;
249 desc.tfm = tfm;
250 desc.flags = 0;
251 rv = crypto_hash_setkey(desc.tfm, key, *keylen);
252 if (rv) {
253 CERROR("failed to hash setkey: %d\n", rv);
254 return rv;
255 }
256 return crypto_hash_digest(&desc, sg, size, result);
257 }
258
capa_hmac(__u8 * hmac,struct lustre_capa * capa,__u8 * key)259 int capa_hmac(__u8 *hmac, struct lustre_capa *capa, __u8 *key)
260 {
261 struct crypto_hash *tfm;
262 struct capa_hmac_alg *alg;
263 int keylen;
264 struct scatterlist sl;
265
266 if (capa_alg(capa) != CAPA_HMAC_ALG_SHA1) {
267 CERROR("unknown capability hmac algorithm!\n");
268 return -EFAULT;
269 }
270
271 alg = &capa_hmac_algs[capa_alg(capa)];
272
273 tfm = crypto_alloc_hash(alg->ha_name, 0, 0);
274 if (IS_ERR(tfm)) {
275 CERROR("crypto_alloc_tfm failed, check whether your kernel has crypto support!\n");
276 return PTR_ERR(tfm);
277 }
278 keylen = alg->ha_keylen;
279
280 sg_init_table(&sl, 1);
281 sg_set_page(&sl, virt_to_page(capa),
282 offsetof(struct lustre_capa, lc_hmac),
283 (unsigned long)(capa) % PAGE_CACHE_SIZE);
284
285 ll_crypto_hmac(tfm, key, &keylen, &sl, sl.length, hmac);
286 crypto_free_hash(tfm);
287
288 return 0;
289 }
290 EXPORT_SYMBOL(capa_hmac);
291
capa_encrypt_id(__u32 * d,__u32 * s,__u8 * key,int keylen)292 int capa_encrypt_id(__u32 *d, __u32 *s, __u8 *key, int keylen)
293 {
294 struct crypto_blkcipher *tfm;
295 struct scatterlist sd;
296 struct scatterlist ss;
297 struct blkcipher_desc desc;
298 unsigned int min;
299 int rc;
300 char alg[CRYPTO_MAX_ALG_NAME+1] = "aes";
301
302 /* passing "aes" in a variable instead of a constant string keeps gcc
303 * 4.3.2 happy */
304 tfm = crypto_alloc_blkcipher(alg, 0, 0);
305 if (IS_ERR(tfm)) {
306 CERROR("failed to load transform for aes\n");
307 return PTR_ERR(tfm);
308 }
309
310 min = ll_crypto_tfm_alg_min_keysize(tfm);
311 if (keylen < min) {
312 CERROR("keylen at least %d bits for aes\n", min * 8);
313 rc = -EINVAL;
314 goto out;
315 }
316
317 rc = crypto_blkcipher_setkey(tfm, key, min);
318 if (rc) {
319 CERROR("failed to setting key for aes\n");
320 goto out;
321 }
322
323 sg_init_table(&sd, 1);
324 sg_set_page(&sd, virt_to_page(d), 16,
325 (unsigned long)(d) % PAGE_CACHE_SIZE);
326
327 sg_init_table(&ss, 1);
328 sg_set_page(&ss, virt_to_page(s), 16,
329 (unsigned long)(s) % PAGE_CACHE_SIZE);
330 desc.tfm = tfm;
331 desc.info = NULL;
332 desc.flags = 0;
333 rc = crypto_blkcipher_encrypt(&desc, &sd, &ss, 16);
334 if (rc) {
335 CERROR("failed to encrypt for aes\n");
336 goto out;
337 }
338
339 out:
340 crypto_free_blkcipher(tfm);
341 return rc;
342 }
343 EXPORT_SYMBOL(capa_encrypt_id);
344
capa_decrypt_id(__u32 * d,__u32 * s,__u8 * key,int keylen)345 int capa_decrypt_id(__u32 *d, __u32 *s, __u8 *key, int keylen)
346 {
347 struct crypto_blkcipher *tfm;
348 struct scatterlist sd;
349 struct scatterlist ss;
350 struct blkcipher_desc desc;
351 unsigned int min;
352 int rc;
353 char alg[CRYPTO_MAX_ALG_NAME+1] = "aes";
354
355 /* passing "aes" in a variable instead of a constant string keeps gcc
356 * 4.3.2 happy */
357 tfm = crypto_alloc_blkcipher(alg, 0, 0);
358 if (IS_ERR(tfm)) {
359 CERROR("failed to load transform for aes\n");
360 return PTR_ERR(tfm);
361 }
362
363 min = ll_crypto_tfm_alg_min_keysize(tfm);
364 if (keylen < min) {
365 CERROR("keylen at least %d bits for aes\n", min * 8);
366 rc = -EINVAL;
367 goto out;
368 }
369
370 rc = crypto_blkcipher_setkey(tfm, key, min);
371 if (rc) {
372 CERROR("failed to setting key for aes\n");
373 goto out;
374 }
375
376 sg_init_table(&sd, 1);
377 sg_set_page(&sd, virt_to_page(d), 16,
378 (unsigned long)(d) % PAGE_CACHE_SIZE);
379
380 sg_init_table(&ss, 1);
381 sg_set_page(&ss, virt_to_page(s), 16,
382 (unsigned long)(s) % PAGE_CACHE_SIZE);
383
384 desc.tfm = tfm;
385 desc.info = NULL;
386 desc.flags = 0;
387 rc = crypto_blkcipher_decrypt(&desc, &sd, &ss, 16);
388 if (rc) {
389 CERROR("failed to decrypt for aes\n");
390 goto out;
391 }
392
393 out:
394 crypto_free_blkcipher(tfm);
395 return rc;
396 }
397 EXPORT_SYMBOL(capa_decrypt_id);
398
capa_cpy(void * capa,struct obd_capa * ocapa)399 void capa_cpy(void *capa, struct obd_capa *ocapa)
400 {
401 spin_lock(&ocapa->c_lock);
402 *(struct lustre_capa *)capa = ocapa->c_capa;
403 spin_unlock(&ocapa->c_lock);
404 }
405 EXPORT_SYMBOL(capa_cpy);
406
_debug_capa(struct lustre_capa * c,struct libcfs_debug_msg_data * msgdata,const char * fmt,...)407 void _debug_capa(struct lustre_capa *c,
408 struct libcfs_debug_msg_data *msgdata,
409 const char *fmt, ...)
410 {
411 va_list args;
412 va_start(args, fmt);
413 libcfs_debug_vmsg2(msgdata, fmt, args,
414 " capability@%p fid " DFID " opc %#llx uid %llu gid %llu flags %u alg %d keyid %u timeout %u expiry %u\n",
415 c, PFID(capa_fid(c)), capa_opc(c),
416 capa_uid(c), capa_gid(c), capa_flags(c),
417 capa_alg(c), capa_keyid(c), capa_timeout(c),
418 capa_expiry(c));
419 va_end(args);
420 }
421 EXPORT_SYMBOL(_debug_capa);
422