1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
3 /*
4 * Ceph - scalable distributed file system
5 *
6 * Copyright (C) 2011 New Dream Network
7 *
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
12 *
13 */
14
15 #include <string.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <keyutils.h>
22 #include <sys/types.h>
23
24 #include "common/armor.h"
25 #include "common/safe_io.h"
26
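/*
 * Read a secret from a file into the caller's buffer.
 *
 * The secret is the file's contents up to the first NUL, '\n' or '\r' (a
 * trailing newline left by an editor is therefore harmless) and is
 * NUL-terminated in place.  At most max_len - 1 bytes are read so the
 * terminator always fits; a longer secret is silently cut short and will
 * then fail to decode or authenticate, so size the buffer for the longest
 * secret expected plus one.
 *
 * filename:  path of the secret file, opened read-only; must not be NULL.
 * secret:    caller-supplied buffer of max_len bytes.
 * max_len:   size of that buffer; must be at least 1.
 *
 * Returns 0 on success, -1 on any failure (a message has already been
 * written to stderr).  Note this differs from the -errno convention used by
 * the other functions in this file; callers should test `< 0`.
 */
int read_secret_from_file(const char *filename, char *secret, size_t max_len)
{
  int fd;
  ssize_t len;
  char *end;

  if (filename == NULL || secret == NULL || max_len == 0) {
    errno = EINVAL;
    perror("unable to read secretfile");
    return -1;
  }

  fd = open(filename, O_RDONLY);
  if (fd < 0) {
    perror("unable to read secretfile");
    return -1;
  }

  /*
   * Reserve one byte for the terminator.  The previous version read a full
   * max_len bytes and then stored the NUL at `end`, which is secret[max_len]
   * -- one past the buffer -- whenever the file filled the buffer without
   * containing a NUL, '\n' or '\r'.
   */
  len = safe_read(fd, secret, max_len - 1);
  if (len < 0) {
    /* errno is still that of the failing read underneath safe_read */
    perror("unable to read secret from file");
    close(fd);
    return -1;
  }
  close(fd);
  if (len == 0) {
    /* an empty file is not an errno condition; perror would print a stale one */
    fprintf(stderr, "unable to read secret from file: %s is empty\n", filename);
    return -1;
  }

  /* cut at the first NUL, '\n' or '\r', or after the last byte read */
  end = secret;
  while (end < secret + len && *end != '\0' && *end != '\n' && *end != '\r')
    end++;
  *end = '\0';

  return 0;
}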
52
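/*
 * Scrub key material from a buffer that is about to go out of scope.
 * Written through a volatile pointer so the compiler cannot treat the
 * stores as dead and drop them, as it may with a plain memset before
 * return.
 */
static void wipe_secret(void *buf, size_t len)
{
  volatile unsigned char *p = buf;

  while (len--)
    *p++ = 0;
}

/*
 * Decode a base64 secret and install it in the process keyring as a "ceph"
 * key described by key_name, for the kernel client to look up.
 *
 * secret:    base64 text of the key, NUL-terminated and non-empty.
 * key_name:  keyring description the kernel client will search for.
 *
 * Returns the non-negative value ceph_unarmor produced on success (the
 * caller in this file only tests `< 0`), -EINVAL for a NULL or empty
 * argument, ceph_unarmor's negative error when the text is not valid
 * base64, and -errno when add_key fails (-ENODEV/-ENOSYS are the "no keys
 * API in this kernel" cases that get_secret_option falls back on).
 */
int set_kernel_secret(const char *secret, const char *key_name)
{
  key_serial_t serial;
  int ret;
  size_t secret_len;

  if (secret == NULL || key_name == NULL)
    return -EINVAL;

  secret_len = strlen(secret);
  if (secret_len == 0) {
    fprintf(stderr, "secret is empty.\n");
    return -EINVAL;
  }

  /*
   * base64 decodes to at most 3/4 of its length; the +4 keeps the original
   * slack.  This is a VLA sized by the input, so the secret must already be
   * length-bounded by the caller -- TODO confirm every caller passes a
   * fixed-size buffer before accepting secrets from an untrusted source.
   */
  char payload[((secret_len * 3) / 4) + 4];

  ret = ceph_unarmor(payload, payload + sizeof(payload), secret, secret + secret_len);
  if (ret < 0) {
    char error_buf[80];

    fprintf(stderr, "secret is not valid base64: %s.\n",
            strerror_r(-ret, error_buf, sizeof(error_buf)));
    /* a partial decode may already be in the buffer */
    wipe_secret(payload, sizeof(payload));
    return ret;
  }

  /*
   * The payload length is the decoded size, not sizeof(payload): the buffer
   * is rounded up, so passing its full size handed the kernel a key padded
   * with uninitialised stack bytes -- a wrong key, and a small leak of stack
   * contents into the keyring.  ceph_unarmor's non-negative result is the
   * number of bytes it wrote (see common/armor.c).
   */
  serial = add_key("ceph", key_name, payload, (size_t)ret, KEY_SPEC_PROCESS_KEYRING);
  if (serial == -1)
    ret = -errno;

  /* the kernel holds its own copy; do not leave the raw key on our stack */
  wipe_secret(payload, sizeof(payload));

  return ret;
}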
81
/*
 * Report whether a "ceph" key described by key_name is already present in
 * the kernel keyrings of the calling process.
 *
 * Returns 1 if request_key found it, 0 otherwise (including when the keys
 * API is unavailable; errno is left as request_key set it).
 * NOTE(review): the NULL callout string should make this a pure lookup with
 * no /sbin/request-key upcall, and KEY_SPEC_USER_KEYRING is only the
 * destination for a found key -- confirm both against the target kernel,
 * since set_kernel_secret installs into the process keyring.
 */
int is_kernel_secret(const char *key_name)
{
  key_serial_t found = request_key("ceph", key_name, NULL, KEY_SPEC_USER_KEYRING);

  return found == -1 ? 0 : 1;
}
88
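/*
 * Build the mount option that tells the kernel client which secret to use.
 *
 * If a secret is given it is installed in the kernel keyring via
 * set_kernel_secret and the option becomes "key=<key_name>".  Only when the
 * kernel reports no keys API (-ENODEV / -ENOSYS) does the raw base64 secret
 * go into the option itself as "secret=<secret>".  With no secret the
 * option is "key=<key_name>" and the key is assumed to be present already.
 *
 * secret:         base64 secret, or NULL to reference an existing key.
 * key_name:       key description; must not be NULL.
 * secret_option:  output buffer for the NUL-terminated option string.
 * max_len:        size of secret_option.
 *
 * Returns a negative errno on failure (-EINVAL for NULL arguments, -ERANGE
 * if the option does not fit in max_len, or set_kernel_secret's error).
 * On success the value is 0, or the non-negative value set_kernel_secret
 * returned when a key was installed; callers must therefore test `< 0`,
 * not `!= 0`.  On -ERANGE secret_option is left untouched.
 */
int get_secret_option(const char *secret, const char *key_name,
                      char *secret_option, size_t max_len)
{
  int ret = 0;
  int use_key = 1;

  if (!key_name || !secret_option)
    return -EINVAL;

  /*
   * Size the scratch buffer for whichever form may be emitted, "key=<name>"
   * or "secret=<secret>".  The previous version sized it as
   * strlen(key_name) + 7 (+ strlen(secret)) and passed that, rather than the
   * buffer size, as the snprintf limit, which silently dropped the last byte
   * of "secret=<secret>" when key_name is empty.
   */
  size_t key_form_len = strlen("key=") + strlen(key_name);
  size_t secret_form_len = secret ? strlen("secret=") + strlen(secret) : 0;
  size_t olen = key_form_len > secret_form_len ? key_form_len : secret_form_len;
  char option[olen + 1];

  if (secret) {
    ret = set_kernel_secret(secret, key_name);
    if (ret < 0) {
      if (ret == -ENODEV || ret == -ENOSYS) {
        /*
         * Old kernel without the keys API: pass the raw base64 secret in
         * the option string.  NOTE(review): this hands the secret to
         * whatever the caller does with the options (mount(2) arguments,
         * logging); check it is not echoed anywhere visible.
         */
        snprintf(option, sizeof(option), "secret=%s", secret);
        ret = 0;
        use_key = 0;
      } else {
        char error_buf[80];

        fprintf(stderr, "adding ceph secret key to kernel failed: %s.\n",
                strerror_r(-ret, error_buf, sizeof(error_buf)));
        return ret;
      }
    }
  }

  if (use_key) {
    /* key= names the keyring entry the kernel client should use */
    snprintf(option, sizeof(option), "key=%s", key_name);
  }

  size_t need = strlen(option) + 1;
  if (need > max_len) {
    ret = -ERANGE;
  } else {
    /* `need` includes the terminator, so the copy is always NUL-terminated */
    memcpy(secret_option, option, need);
  }

  return ret;
}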