 
Date:   Fri, 16 Oct 2020 23:02:01 +0700
From:   Tuong Lien <tuong.t.lien@...tech.com.au>
To:     dsahern@...il.com, jmaloy@...hat.com, maloy@...jonn.com,
        ying.xue@...driver.com, netdev@...r.kernel.org
Cc:     tipc-discussion@...ts.sourceforge.net
Subject: [iproute2-next 2/2] tipc: add option to set rekeying for encryption

As supported in the kernel, the TIPC encryption rekeying can be tuned using
the netlink attribute 'TIPC_NLA_NODE_REKEYING'. We now add the corresponding
'rekeying' option to the 'tipc node set key' command so that the user can
perform that tuning:

tipc node set key rekeying REKEYING

where the 'REKEYING' value can be:

INTERVAL              - Set rekeying interval (in minutes) [0: disable]
now                   - Trigger one (first) rekeying immediately

For example:
$ tipc node set key rekeying 60
$ tipc node set key rekeying now

The command's help menu is also updated with these descriptions for the
new command option.

Acked-by: Jon Maloy <jmaloy@...hat.com>
Signed-off-by: Tuong Lien <tuong.t.lien@...tech.com.au>
---
 tipc/cmdl.c |  2 +-
 tipc/cmdl.h |  1 +
 tipc/node.c | 47 +++++++++++++++++++++++++++++++++++++----------
 3 files changed, 39 insertions(+), 11 deletions(-)

diff --git a/tipc/cmdl.c b/tipc/cmdl.c
index f2f259cc..981e268e 100644
--- a/tipc/cmdl.c
+++ b/tipc/cmdl.c
@@ -33,7 +33,7 @@ static const struct cmd *find_cmd(const struct cmd *cmds, char *str)
 	return match;
 }
 
-static struct opt *find_opt(struct opt *opts, char *str)
+struct opt *find_opt(struct opt *opts, char *str)
 {
 	struct opt *o;
 	struct opt *match = NULL;
diff --git a/tipc/cmdl.h b/tipc/cmdl.h
index 03db3599..dcade362 100644
--- a/tipc/cmdl.h
+++ b/tipc/cmdl.h
@@ -46,6 +46,7 @@ struct opt {
 	char *val;
 };
 
+struct opt *find_opt(struct opt *opts, char *str);
 struct opt *get_opt(struct opt *opts, char *key);
 bool has_opt(struct opt *opts, char *key);
 int parse_opts(struct opt *opts, struct cmdl *cmdl);
diff --git a/tipc/node.c b/tipc/node.c
index 1ff0baa4..05246013 100644
--- a/tipc/node.c
+++ b/tipc/node.c
@@ -160,7 +160,8 @@ static int cmd_node_set_nodeid(struct nlmsghdr *nlh, const struct cmd *cmd,
 static void cmd_node_set_key_help(struct cmdl *cmdl)
 {
 	fprintf(stderr,
-		"Usage: %s node set key KEY [algname ALGNAME] [PROPERTIES]\n\n"
+		"Usage: %s node set key KEY [algname ALGNAME] [PROPERTIES]\n"
+		"       %s node set key rekeying REKEYING\n\n"
 		"KEY\n"
 		"  Symmetric KEY & SALT as a composite ASCII or hex string (0x...) in form:\n"
 		"  [KEY: 16, 24 or 32 octets][SALT: 4 octets]\n\n"
@@ -170,11 +171,16 @@ static void cmd_node_set_key_help(struct cmdl *cmdl)
 		"  master                - Set KEY as a cluster master key\n"
 		"  <empty>               - Set KEY as a cluster key\n"
 		"  nodeid NODEID         - Set KEY as a per-node key for own or peer\n\n"
+		"REKEYING\n"
+		"  INTERVAL              - Set rekeying interval (in minutes) [0: disable]\n"
+		"  now                   - Trigger one (first) rekeying immediately\n\n"
 		"EXAMPLES\n"
 		"  %s node set key this_is_a_master_key master\n"
 		"  %s node set key 0x746869735F69735F615F6B657931365F73616C74\n"
-		"  %s node set key this_is_a_key16_salt algname \"gcm(aes)\" nodeid 1001002\n\n",
-		cmdl->argv[0], cmdl->argv[0], cmdl->argv[0], cmdl->argv[0]);
+		"  %s node set key this_is_a_key16_salt algname \"gcm(aes)\" nodeid 1001002\n"
+		"  %s node set key rekeying 600\n\n",
+		cmdl->argv[0], cmdl->argv[0], cmdl->argv[0], cmdl->argv[0],
+		cmdl->argv[0], cmdl->argv[0]);
 }
 
 static int cmd_node_set_key(struct nlmsghdr *nlh, const struct cmd *cmd,
@@ -190,12 +196,15 @@ static int cmd_node_set_key(struct nlmsghdr *nlh, const struct cmd *cmd,
 		{ "algname",	OPT_KEYVAL,	NULL },
 		{ "nodeid",	OPT_KEYVAL,	NULL },
 		{ "master",	OPT_KEY,	NULL },
+		{ "rekeying",	OPT_KEYVAL,	NULL },
 		{ NULL }
 	};
 	struct nlattr *nest;
-	struct opt *opt_algname, *opt_nodeid, *opt_master;
+	struct opt *opt_algname, *opt_nodeid, *opt_master, *opt_rekeying;
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	uint8_t id[TIPC_NODEID_LEN] = {0,};
+	uint32_t rekeying = 0;
+	bool has_key = false;
 	int keysize;
 	char *str;
 
@@ -204,17 +213,31 @@ static int cmd_node_set_key(struct nlmsghdr *nlh, const struct cmd *cmd,
 		return -EINVAL;
 	}
 
+	/* Check if command starts with opts i.e. "rekeying" opt without key */
+	if (find_opt(opts, cmdl->argv[cmdl->optind]))
+		goto get_ops;
 
 	/* Get user key */
+	has_key = true;
 	str = shift_cmdl(cmdl);
 	if (str2key(str, &input.key)) {
 		fprintf(stderr, "error, invalid key input\n");
 		return -EINVAL;
 	}
 
+get_ops:
 	if (parse_opts(opts, cmdl) < 0)
 		return -EINVAL;
 
+	/* Get rekeying time */
+	opt_rekeying = get_opt(opts, "rekeying");
+	if (opt_rekeying) {
+		if (!strcmp(opt_rekeying->val, "now"))
+			rekeying = TIPC_REKEYING_NOW;
+		else
+			rekeying = atoi(opt_rekeying->val);
+	}
+
 	/* Get algorithm name, default: "gcm(aes)" */
 	opt_algname = get_opt(opts, "algname");
 	if (!opt_algname)
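Review bot: `rekeying = atoi(opt_rekeying->val);` accepts any string and maps non-numeric or malformed input to 0, which the help text in this same patch documents as "disable", so a typo in the interval silently turns rekeying off instead of being rejected; atoi is also undefined on out-of-range input. Parse with strtoul, require the whole string to be consumed, reject a leading minus sign, and bound the result to the uint32_t that is later sent as TIPC_NLA_NODE_REKEYING. The `find_opt(opts, cmdl->argv[cmdl->optind])` probe added above presumably relies on the argument-count check just before the hunk to keep argv[optind] non-NULL; a one-line comment stating that would help the next reader. cmd_node_set_key starts before this hunk and continues after it.

```c
	/* Get rekeying time */
	opt_rekeying = get_opt(opts, "rekeying");
	if (opt_rekeying) {
		if (!strcmp(opt_rekeying->val, "now")) {
			rekeying = TIPC_REKEYING_NOW;
		} else {
			char *end;
			unsigned long val;

			errno = 0;
			val = strtoul(opt_rekeying->val, &end, 10);
			if (end == opt_rekeying->val || *end != '\0' ||
			    opt_rekeying->val[0] == '-' ||
			    errno == ERANGE || val > UINT32_MAX) {
				fprintf(stderr, "error, invalid rekeying value\n");
				return -EINVAL;
			}
			rekeying = val;
		}
	}
	/* … unchanged: algname handling … */
```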
@@ -246,12 +269,16 @@ static int cmd_node_set_key(struct nlmsghdr *nlh, const struct cmd *cmd,
 	}
 
 	nest = mnl_attr_nest_start(nlh, TIPC_NLA_NODE);
-	keysize = tipc_aead_key_size(&input.key);
-	mnl_attr_put(nlh, TIPC_NLA_NODE_KEY, keysize, &input.key);
-	if (opt_nodeid)
-		mnl_attr_put(nlh, TIPC_NLA_NODE_ID, TIPC_NODEID_LEN, id);
-	if (opt_master)
-		mnl_attr_put(nlh, TIPC_NLA_NODE_KEY_MASTER, 0, NULL);
+	if (has_key) {
+		keysize = tipc_aead_key_size(&input.key);
+		mnl_attr_put(nlh, TIPC_NLA_NODE_KEY, keysize, &input.key);
+		if (opt_nodeid)
+			mnl_attr_put(nlh, TIPC_NLA_NODE_ID, TIPC_NODEID_LEN, id);
+		if (opt_master)
+			mnl_attr_put(nlh, TIPC_NLA_NODE_KEY_MASTER, 0, NULL);
+	}
+	if (opt_rekeying)
+		mnl_attr_put_u32(nlh, TIPC_NLA_NODE_REKEYING, rekeying);
 
 	mnl_attr_nest_end(nlh, nest);
 	return msg_doit(nlh, NULL, NULL);
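Review bot: Nothing rejects a request that carries neither a key nor a rekeying value: when the first word after `set key` is any option in the table (`algname`, `nodeid`, `master`), the new find_opt probe earlier in the function skips key parsing, has_key stays false, opt_rekeying is NULL, and unless the unseen lines between the two hunks catch it, the code above starts and ends an empty TIPC_NLA_NODE nest and sends it to the kernel. Adding `if (!has_key && !opt_rekeying) { fprintf(stderr, "error, missing key or rekeying option\n"); return -EINVAL; }` before mnl_attr_nest_start gives a local error instead of depending on the kernel's reply. In the same path, `nodeid` and `master` given together with `rekeying` are now parsed but silently dropped because their puts moved inside the `if (has_key)` block; either reject that combination or state in the help text that they are ignored without KEY. The function's closing brace is outside the hunk.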
-- 
2.26.2

