1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
/*
* Security functions for iSNS
*
* Copyright (C) 2007 Olaf Kirch <olaf.kirch@oracle.com>
*/
#ifndef ISNS_SECURITY_H
#define ISNS_SECURITY_H
#ifdef WITH_SECURITY
#include <openssl/evp.h>
#else
typedef void EVP_PKEY;
#endif
#include <libisns/buffer.h>
#include <libisns/util.h>
/*
* Security context
*/
struct isns_security {
const char * is_name;
unsigned int is_type;
unsigned int is_replay_window;
unsigned int is_timestamp_jitter;
/* Our own key and identity */
isns_principal_t * is_self;
/* Key store for peer keys */
isns_principal_t * is_peers;
isns_keystore_t * is_peer_keys;
EVP_PKEY * (*is_load_private)(isns_security_t *ctx,
const char *filename);
EVP_PKEY * (*is_load_public)(isns_security_t *ctx,
const char *filename);
int (*is_verify)(isns_security_t *ctx,
isns_principal_t *peer,
buf_t *pdu,
const struct isns_authblk *);
int (*is_sign)(isns_security_t *ctx,
isns_principal_t *peer,
buf_t *pdu,
struct isns_authblk *);
};
struct isns_principal {
unsigned int is_users;
isns_principal_t * is_next;
char * is_name;
unsigned int is_namelen;
EVP_PKEY * is_key;
unsigned int is_generation;
uint64_t is_timestamp;
isns_policy_t * is_policy;
};
struct isns_policy {
unsigned int ip_users;
unsigned int ip_gen;
/* SPI */
char * ip_name;
/* The client's entity name. This is usually
* the FQDN. */
char * ip_entity;
/* Bitmap of functions the client is
* permitted to call. */
unsigned int ip_functions;
/* Bitmap of object types the client is
* permitted to register (uses iot_handle) */
unsigned int ip_object_types;
/* Names of storage nodes the client is permitted
* to register. */
struct string_array ip_node_names;
/* Storage node types the client is permitted
* to read or modify. */
unsigned int ip_node_types;
/* The client's default Discovery Domain */
char * ip_dd_default;
};
#define ISNS_PERMISSION_READ 0x01
#define ISNS_PERMISSION_WRITE 0x02
#define ISNS_ACCESS(t, p) ((p) << (2 * (t)))
#define ISNS_ACCESS_W(t) ISNS_ACCESS(t, ISNS_PERMISSION_WRITE)
#define ISNS_ACCESS_R(t) ISNS_ACCESS(t, ISNS_PERMISSION_READ)
#define ISNS_ACCESS_RW(t) ISNS_ACCESS(t, ISNS_PERMISSION_READ|ISNS_PERMISSION_WRITE)
#define ISNS_DEFAULT_OBJECT_ACCESS \
ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_ENTITY) | \
ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_NODE) | \
ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_FC_PORT) | \
ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_FC_NODE) | \
ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_PORTAL) | \
ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_PG) | \
ISNS_ACCESS_R(ISNS_OBJECT_TYPE_DD)
struct isns_keystore {
char * ic_name;
unsigned int ic_generation;
EVP_PKEY * (*ic_find)(isns_keystore_t *,
const char *, size_t);
isns_policy_t * (*ic_get_policy)(isns_keystore_t *,
const char *, size_t);
};
extern isns_principal_t * isns_get_principal(isns_security_t *,
const char *, size_t);
extern int isns_security_sign(isns_security_t *,
isns_principal_t *, buf_t *,
struct isns_authblk *);
extern int isns_security_verify(isns_security_t *,
isns_principal_t *, buf_t *,
struct isns_authblk *);
extern int isns_security_protected_entity(isns_security_t *,
const char *);
extern isns_keystore_t * isns_create_keystore(const char *);
extern isns_keystore_t * isns_create_simple_keystore(const char *);
extern isns_keystore_t * isns_create_db_keystore(isns_db_t *);
extern int isns_authblock_encode(buf_t *,
const struct isns_authblk *);
extern int isns_authblock_decode(buf_t *,
struct isns_authblk *);
extern isns_policy_t * __isns_policy_alloc(const char *, size_t);
extern isns_policy_t * isns_policy_bind(const isns_message_t *);
extern void isns_principal_set_policy(isns_principal_t *,
isns_policy_t *);
extern void isns_policy_release(isns_policy_t *);
extern int isns_policy_validate_function(const isns_policy_t *,
const isns_message_t *);
extern int isns_policy_validate_source(const isns_policy_t *,
const isns_source_t *);
extern int isns_policy_validate_object_access(const isns_policy_t *,
const isns_source_t *,
const isns_object_t *,
unsigned int);
extern int isns_policy_validate_object_update(const isns_policy_t *,
const isns_source_t *,
const isns_object_t *,
const isns_attr_list_t *,
unsigned int);
extern int isns_policy_validate_object_creation(const isns_policy_t *,
const isns_source_t *,
isns_object_template_t *,
const isns_attr_list_t *,
const isns_attr_list_t *,
unsigned int);
extern int isns_policy_validate_object_type(const isns_policy_t *,
isns_object_template_t *,
unsigned int function);
extern int isns_policy_validate_node_type(const isns_policy_t *,
uint32_t type);
extern int isns_policy_validate_entity(const isns_policy_t *,
const char *);
extern int isns_policy_validate_node_name(const isns_policy_t *,
const char *);
extern int isns_policy_validate_scn_bitmap(const isns_policy_t *,
uint32_t);
extern const char * isns_policy_default_entity(const isns_policy_t *);
extern isns_policy_t * isns_policy_default(const char *, size_t);
extern isns_policy_t * isns_policy_server(void);
extern EVP_PKEY * isns_dsa_decode_public(const void *, size_t);
extern int isns_dsa_encode_public(EVP_PKEY *,
void **, size_t *);
extern EVP_PKEY * isns_dsa_load_public(const char *);
extern int isns_dsa_store_private(const char *, EVP_PKEY *);
extern EVP_PKEY * isns_dsa_generate_key(void);
extern int isns_dsa_init_params(const char *);
extern int isns_dsa_init_key(const char *);
#endif /* ISNS_SECURITY_H */
|
