source-git / isns-utils

Clone
Source Code
GIT

Files

  1.   e1003a4de7590d414101eb7dae6d0284875daf7f
  2.   security.h
Blob Blame History Raw 
/*
 * Security functions for iSNS
 *
 * Copyright (C) 2007 Olaf Kirch <olaf.kirch@oracle.com>
 */

#ifndef ISNS_SECURITY_H
#define ISNS_SECURITY_H

#ifdef	WITH_SECURITY
#include <openssl/evp.h>
#else
typedef void EVP_PKEY;
#endif
#include <libisns/buffer.h>
#include <libisns/util.h>

/*
 * Security context
 */
struct isns_security {
	const char *		is_name;
	unsigned int		is_type;
	unsigned int		is_replay_window;
	unsigned int		is_timestamp_jitter;

	/* Our own key and identity */
	isns_principal_t *	is_self;

	/* Key store for peer keys */
	isns_principal_t *	is_peers;
	isns_keystore_t *	is_peer_keys;

	EVP_PKEY *		(*is_load_private)(isns_security_t *ctx,
					const char *filename);
	EVP_PKEY *		(*is_load_public)(isns_security_t *ctx,
					const char *filename);
	int			(*is_verify)(isns_security_t *ctx,
					isns_principal_t *peer,
					buf_t *pdu,
					const struct isns_authblk *);
	int			(*is_sign)(isns_security_t *ctx,
					isns_principal_t *peer,
					buf_t *pdu,
					struct isns_authblk *);
};

struct isns_principal {
	unsigned int		is_users;
	isns_principal_t *	is_next;
	char *			is_name;
	unsigned int		is_namelen;
	EVP_PKEY *		is_key;
	unsigned int		is_generation;
	uint64_t		is_timestamp;

	isns_policy_t *		is_policy;
};

struct isns_policy {
	unsigned int		ip_users;
	unsigned int		ip_gen;

	/* SPI */
	char *			ip_name;

	/* The client's entity name. This is usually
	 * the FQDN. */
	char *			ip_entity;

	/* Bitmap of functions the client is
	 * permitted to call. */
	unsigned int		ip_functions;

	/* Bitmap of object types the client is
	 * permitted to register (uses iot_handle) */
	unsigned int		ip_object_types;

	/* Names of storage nodes the client is permitted
	 * to register. */
	struct string_array	ip_node_names;

	/* Storage node types the client is permitted
	 * to read or modify. */
	unsigned int		ip_node_types;

	/* The client's default Discovery Domain */
	char *			ip_dd_default;
};

#define ISNS_PERMISSION_READ	0x01
#define ISNS_PERMISSION_WRITE	0x02
#define ISNS_ACCESS(t, p)	((p) << (2 * (t)))
#define ISNS_ACCESS_W(t)	ISNS_ACCESS(t, ISNS_PERMISSION_WRITE)
#define ISNS_ACCESS_R(t)	ISNS_ACCESS(t, ISNS_PERMISSION_READ)
#define ISNS_ACCESS_RW(t)	ISNS_ACCESS(t, ISNS_PERMISSION_READ|ISNS_PERMISSION_WRITE)

#define ISNS_DEFAULT_OBJECT_ACCESS \
		ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_ENTITY) | \
		ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_NODE) | \
		ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_FC_PORT) | \
		ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_FC_NODE) | \
		ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_PORTAL) | \
		ISNS_ACCESS_RW(ISNS_OBJECT_TYPE_PG) | \
		ISNS_ACCESS_R(ISNS_OBJECT_TYPE_DD)

struct isns_keystore {
	char *			ic_name;
	unsigned int		ic_generation;
	EVP_PKEY *		(*ic_find)(isns_keystore_t *,
					const char *, size_t);
	isns_policy_t *		(*ic_get_policy)(isns_keystore_t *,
					const char *, size_t);
};

extern isns_principal_t *	isns_get_principal(isns_security_t *,
					const char *, size_t);
extern int			isns_security_sign(isns_security_t *,
					isns_principal_t *, buf_t *,
					struct isns_authblk *);
extern int			isns_security_verify(isns_security_t *,
					isns_principal_t *, buf_t *,
					struct isns_authblk *);
extern int			isns_security_protected_entity(isns_security_t *,
					const char *);

extern isns_keystore_t *	isns_create_keystore(const char *);
extern isns_keystore_t *	isns_create_simple_keystore(const char *);
extern isns_keystore_t *	isns_create_db_keystore(isns_db_t *);

extern int			isns_authblock_encode(buf_t *,
					const struct isns_authblk *);
extern int			isns_authblock_decode(buf_t *,
					struct isns_authblk *);

extern isns_policy_t *		__isns_policy_alloc(const char *, size_t);
extern isns_policy_t *		isns_policy_bind(const isns_message_t *);
extern void			isns_principal_set_policy(isns_principal_t *,
					isns_policy_t *);
extern void			isns_policy_release(isns_policy_t *);
extern int			isns_policy_validate_function(const isns_policy_t *,
					const isns_message_t *);
extern int			isns_policy_validate_source(const isns_policy_t *,
					const isns_source_t *);
extern int			isns_policy_validate_object_access(const isns_policy_t *,
					const isns_source_t *,
					const isns_object_t *,
					unsigned int);
extern int			isns_policy_validate_object_update(const isns_policy_t *,
					const isns_source_t *,
					const isns_object_t *,
					const isns_attr_list_t *,
					unsigned int);
extern int			isns_policy_validate_object_creation(const isns_policy_t *,
					const isns_source_t *,
					isns_object_template_t *,
					const isns_attr_list_t *,
					const isns_attr_list_t *,
					unsigned int);
extern int			isns_policy_validate_object_type(const isns_policy_t *,
					isns_object_template_t *,
					unsigned int function);
extern int			isns_policy_validate_node_type(const isns_policy_t *,
					uint32_t type);
extern int			isns_policy_validate_entity(const isns_policy_t *,
					const char *);
extern int			isns_policy_validate_node_name(const isns_policy_t *,
					const char *);
extern int			isns_policy_validate_scn_bitmap(const isns_policy_t *,
					uint32_t);
extern const char *		isns_policy_default_entity(const isns_policy_t *);
extern isns_policy_t *		isns_policy_default(const char *, size_t);
extern isns_policy_t *		isns_policy_server(void);

extern EVP_PKEY *		isns_dsa_decode_public(const void *, size_t);
extern int			isns_dsa_encode_public(EVP_PKEY *,
					void **, size_t *);
extern EVP_PKEY *		isns_dsa_load_public(const char *);
extern int			isns_dsa_store_private(const char *, EVP_PKEY *);
extern EVP_PKEY *		isns_dsa_generate_key(void);
extern int			isns_dsa_init_params(const char *);
extern int			isns_dsa_init_key(const char *);

#endif /* ISNS_SECURITY_H */

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation