[Pvfs2-cvs] commit by nlmills in pvfs2/src/common/security:
pint-security.c pint-security.h security-hash.c
CVS commit program
cvs at parl.clemson.edu
Tue May 20 15:28:37 EDT 2008
Update of /anoncvs/pvfs2/src/common/security
In directory parlweb1:/tmp/cvs-serv28830/src/common/security
Modified Files:
Tag: cu-security-branch
pint-security.c pint-security.h security-hash.c
Log Message:
implemented private key loading and capability signatures
Index: pint-security.c
===================================================================
RCS file: /anoncvs/pvfs2/src/common/security/Attic/pint-security.c,v
diff -p -u -r1.1.2.13 -r1.1.2.14
--- pint-security.c 20 May 2008 19:05:23 -0000 1.1.2.13
+++ pint-security.c 20 May 2008 19:28:37 -0000 1.1.2.14
@@ -31,12 +31,17 @@
/* TODO: move to global configuration */
#define SECURITY_DEFAULT_KEYSTORE "/tmp/keystore"
+#define SECURITY_DEFAULT_PRIVKEYFILE "/tmp/privkey.pem"
+/* the private key used for signing */
+static EVP_PKEY *security_privkey = NULL;
+
static gen_mutex_t security_init_mutex = GEN_MUTEX_INITIALIZER;
static int security_init_status = 0;
+static int load_private_key(const char*);
static int load_public_keys(const char*);
@@ -67,6 +72,12 @@ int PINT_security_initialize(void)
{
return ret;
}
+
+ ret = load_private_key(SECURITY_DEFAULT_PRIVKEYFILE);
+ if (ret < 0)
+ {
+ return -PVFS_EIO;
+ }
/* TODO: better error handling */
ret = load_public_keys(SECURITY_DEFAULT_KEYSTORE);
@@ -97,6 +108,8 @@ int PINT_security_finalize(void)
return -PVFS_EALREADY;
}
+ EVP_PKEY_free(security_privkey);
+
EVP_cleanup();
ERR_free_strings();
SECURITY_hash_finalize();
@@ -107,6 +120,56 @@ int PINT_security_finalize(void)
return 0;
}
+int PINT_sign_capability(PVFS_capability *cap)
+{
+ EVP_MD_CTX mdctx;
+ unsigned siglen;
+ char buf[256];
+ int ret;
+
+ assert(security_privkey);
+
+ EVP_MD_CTX_init(&mdctx);
+
+ ret = EVP_SignInit_ex(&mdctx, EVP_sha1(), NULL);
+ if (!ret)
+ {
+ gossip_debug(GOSSIP_SECURITY_DEBUG, "Error signing capability: "
+ "%s\n", ERR_error_string(ERR_get_error(), buf));
+ EVP_MD_CTX_cleanup(&mdctx);
+ return -1;
+ }
+
+ ret = EVP_SignUpdate(&mdctx, &cap->owner, sizeof(PVFS_handle));
+ ret &= EVP_SignUpdate(&mdctx, &cap->fsid, sizeof(PVFS_fs_id));
+ ret &= EVP_SignUpdate(&mdctx, &cap->timeout, sizeof(PVFS_time));
+ ret &= EVP_SignUpdate(&mdctx, &cap->op_mask, sizeof(uint32_t));
+ ret &= EVP_SignUpdate(&mdctx, &cap->num_handles, sizeof(uint32_t));
+ ret &= EVP_SignUpdate(&mdctx, cap->handle_array, cap->num_handles *
+ sizeof(PVFS_handle));
+
+ if (!ret)
+ {
+ gossip_debug(GOSSIP_SECURITY_DEBUG, "Error signing capability: "
+ "%s\n", ERR_error_string(ERR_get_error(), buf));
+ EVP_MD_CTX_cleanup(&mdctx);
+ return -1;
+ }
+
+ ret = EVP_SignFinal(&mdctx, cap->signature, &siglen, security_privkey);
+ if (!ret)
+ {
+ gossip_debug(GOSSIP_SECURITY_DEBUG, "Error signing capability: "
+ "%s\n", ERR_error_string(ERR_get_error(), buf));
+ EVP_MD_CTX_cleanup(&mdctx);
+ return -1;
+ }
+
+ EVP_MD_CTX_cleanup(&mdctx);
+
+ return 0;
+}
+
/* PINT_verify_capability
*
* Takes in a PVFS_capability structere and checks to see if the
@@ -175,6 +238,38 @@ int PINT_verify_capability(PVFS_capabili
return ret;
}
+/* load_private_key
+ *
+ * Reads the private key from a file in PEM format.
+ *
+ * returns -1 on error
+ * returns 0 on success
+ */
+static int load_private_key(const char *path)
+{
+ FILE *keyfile;
+ char buf[256];
+
+ keyfile = fopen(path, "r");
+ if (keyfile == NULL)
+ {
+ gossip_err("%s: %s\n", path, strerror(errno));
+ return -1;
+ }
+
+ security_privkey = PEM_read_PrivateKey(keyfile, NULL, NULL, NULL);
+ if (security_privkey == NULL)
+ {
+ gossip_debug(GOSSIP_SECURITY_DEBUG, "Error loading private key: "
+ "%s\n", ERR_error_string(ERR_get_error(), buf));
+ fclose(keyfile);
+ }
+
+ fclose(keyfile);
+
+ return 0;
+}
+
/* load_public_keys
*
* Internal function to load keys from a file.
@@ -262,7 +357,7 @@ static int load_public_keys(const char *
{
PVFS_strerror_r(ret, buf, 1024);
gossip_debug(GOSSIP_SECURITY_DEBUG, "Error inserting public "
- "key: %s", buf);
+ "key: %s\n", buf);
fclose(keyfile);
return -1;
}
Index: pint-security.h
===================================================================
RCS file: /anoncvs/pvfs2/src/common/security/Attic/pint-security.h,v
diff -p -u -r1.1.2.7 -r1.1.2.8
--- pint-security.h 19 May 2008 19:21:34 -0000 1.1.2.7
+++ pint-security.h 20 May 2008 19:28:37 -0000 1.1.2.8
@@ -74,7 +74,7 @@ int PINT_security_finalize(void);
/* creates a signature from the remaining fields
* any existing signature is overwritten
*/
-void PINT_sign_capability(PVFS_capability *);
+int PINT_sign_capability(PVFS_capability *);
/* computes a signature from the fields and compares
* to the existing signature returns non-zero if equal
Index: security-hash.c
===================================================================
RCS file: /anoncvs/pvfs2/src/common/security/Attic/security-hash.c,v
diff -p -u -r1.1.2.15 -r1.1.2.16
--- security-hash.c 20 May 2008 18:14:00 -0000 1.1.2.15
+++ security-hash.c 20 May 2008 19:28:37 -0000 1.1.2.16
@@ -196,7 +196,7 @@ static void free_pubkey_entry(void *to_f
pubkey_entry_t *temp = (pubkey_entry_t *)to_free;
if (temp != NULL)
{
- free(temp->pubkey);
+ EVP_PKEY_free(temp->pubkey);
free(temp->host);
}
}
More information about the Pvfs2-cvs
mailing list