socsvn commit: r236318 - in soc2012/gpf/pefs_kmod: sbin/pefs sys/fs/pefs sys/modules/pefs

gpf at FreeBSD.org gpf at FreeBSD.org
Thu May 24 20:28:09 UTC 2012 

Author: gpf
Date: Thu May 24 20:28:06 2012
New Revision: 236318
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=236318

Log:
  adding checks & locks at pefs_ioctl(), plus a couple of minor changes.
  

Modified:
  soc2012/gpf/pefs_kmod/sbin/pefs/pefs_checksum.c
  soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c
  soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs.h
  soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vnops.c
  soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile

Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs_checksum.c
==============================================================================
--- soc2012/gpf/pefs_kmod/sbin/pefs/pefs_checksum.c	Thu May 24 20:25:05 2012	(r236317)
+++ soc2012/gpf/pefs_kmod/sbin/pefs/pefs_checksum.c	Thu May 24 20:28:06 2012	(r236318)
@@ -280,25 +280,22 @@
 	}
 }
 
+/*
+ * pefs encrypted filename = XBase64(checksum || E(tweak || filename))
+ * We use filename mac (checksum) as file_id. This way, should a filesystem
+ * be dump/restored, there will be no need to recreate .pefs.checksum because
+ * filenames remain the same.
+ *
+ * file id used is checksum = VMAC(E(tweak || filename))
+ */
 static int
 pefs_get_file_id(struct file_header *fhp)
 {
 	char parent_dir[MAXPATHLEN];
-	struct pefs_mac mac;
+	struct pefs_namemac namemac;
 	char *pch;
 	int error, fd;
-	struct stat sb;
 
-	if (stat(fhp->path, &sb) != 0) {
-		warn("cannot stat file %s", fhp->path);
-		return (PEFS_ERR_SYS);
-	}
-	/*
-	 * XXXgpf: [TODO] This is only temporary so that we won't have conflict errors
-	 * when adding a file header to a bucket.
-	 */
-	fhp->file_id = sb.st_ino;
-	
 	/* feed parent directory to ioctl() */
 	strlcpy(parent_dir, fhp->path, sizeof(parent_dir));
 	pch = strrchr(parent_dir, '/');
@@ -307,7 +304,7 @@
 		return (PEFS_ERR_NOENT);
 	}
 	*pch = '\0';
-	
+
 	fd = open(parent_dir, O_RDONLY);
 	if (fd < 0) {
 		warn("unable to open file %s", parent_dir);
@@ -316,13 +313,13 @@
 
 	pch = strrchr(fhp->path, '/');
 	pch++;
-	strlcpy(mac.mac_filename, pch, sizeof(mac.mac_filename));
-	mac.mac_namelen = strlen(mac.mac_filename);
+	strlcpy(namemac.pnm_filename, pch, sizeof(namemac.pnm_filename));
+	namemac.pnm_namelen = strnlen(namemac.pnm_filename, sizeof(namemac.pnm_filename));
+
+	error = ioctl(fd, PEFS_GETNAMEMAC, &namemac);
 
-	printf("giving values to ioctl() %s and dir = %s\n", mac.mac_filename, parent_dir);
-	error = ioctl(fd, PEFS_GETMAC, &mac);
-	printf("ioctl error = %d\n", error);
-	printf("values returned %lld\n\n", mac.mac_csum);
+	if (error == 0)
+		fhp->file_id = namemac.pnm_csum;
 
 	close(fd);
 	return (error);
@@ -399,7 +396,7 @@
  * the checksum file.
  * A) The total sum of entries is gathered so that a hash table is allocated.
  * B) For each file entry:
- * 		B1) semantic checks: file should reside in pefs filesystem & 
+ * 		B1) semantic checks: file should reside in pefs filesystem &
  * 			file should be regular file
  * 		B2) the file_id is retrieved.
  * 		B3) list of checksums is computed for the file's 4k blocks.
@@ -666,7 +663,7 @@
 	snprintf(checksum_path, sizeof(checksum_path), "%s/%s", fsroot, PEFS_FILE_CHECKSUM);
 	/*
 	 * XXXgpf: [TODO] If pefs fs is mounted when .pefs.checksum is created, then it will obtain an
-	 * encrypted filename & encrypted data. I should make sure that checksum file is not being 
+	 * encrypted filename & encrypted data. I should make sure that checksum file is not being
 	 * opened inside a mounted pefs filesystem.
 	 */
 	fdout = open(checksum_path, O_WRONLY | O_CREAT | O_EXCL,  S_IRUSR | S_IWUSR);

Modified: soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c
==============================================================================
--- soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c	Thu May 24 20:25:05 2012	(r236317)
+++ soc2012/gpf/pefs_kmod/sbin/pefs/pefs_ctl.c	Thu May 24 20:28:06 2012	(r236318)
@@ -1013,7 +1013,7 @@
  *
  * pefs addchecksum [-a algo] [-i inputfile] filesystem
  *
- * $command creates .pefs.checksum db file in root of filesystem.
+ * $command creates .pefs.checksum db file for filesystem.
  * This file will contain all checksums necessary to check integrity
  * of files upon access.
  *
@@ -1021,11 +1021,11 @@
  * hash function; supported algorithms: sha256, sha512.
  *
  * inputfile contains list of files that need integrity checking.
- * This should be the outputfile of `pefs addchecklist`.
  *
- * When $command is run, filesystem should *not* be already
- * mounted with pefs so that hashes are calculated for ciphertexts
- * and not plain texts.
+ * When $command is run, filesystem should be already mounted with 
+ * pefs.
+ * 
+ * [TODO] reference for where .pefs.checksum file should be created.
  *
  */
 static int
@@ -1082,7 +1082,8 @@
 }
 
 /*
- * XXXgpf: Instead of a man page entry
+ * XXXgpf: This should get the axe soon. But I'm keeping it here
+ * a little while longer just in case.
  *
  * pefs addchecklist [-i inputfile] [-o outputfile] filesystem
  *

Modified: soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs.h
==============================================================================
--- soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs.h	Thu May 24 20:25:05 2012	(r236317)
+++ soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs.h	Thu May 24 20:28:06 2012	(r236318)
@@ -48,10 +48,10 @@
 	char			pxk_key[PEFS_KEY_SIZE];
 };
 
-struct pefs_mac {
-	char			mac_filename[MAXPATHLEN];
-	uint32_t		mac_namelen;
-	uint64_t		mac_csum;
+struct pefs_namemac {
+	uint32_t		pnm_namelen;
+	uint64_t		pnm_csum;
+	char			pnm_filename[MAXPATHLEN];
 };
 
 #ifdef _IO
@@ -61,7 +61,7 @@
 #define	PEFS_DELKEY			_IOWR('p', 3, struct pefs_xkey)
 #define	PEFS_FLUSHKEYS			_IO('p', 4)
 #define	PEFS_GETNODEKEY			_IOWR('p', 5, struct pefs_xkey)
-#define PEFS_GETMAC			_IOWR('p', 6, struct pefs_mac)
+#define PEFS_GETNAMEMAC			_IOWR('p', 6, struct pefs_namemac)
 #endif
 
 #ifdef _KERNEL

Modified: soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vnops.c
==============================================================================
--- soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vnops.c	Thu May 24 20:25:05 2012	(r236317)
+++ soc2012/gpf/pefs_kmod/sys/fs/pefs/pefs_vnops.c	Thu May 24 20:28:06 2012	(r236318)
@@ -2357,18 +2357,17 @@
 {
 	struct pefs_enccn enccn;
 	struct componentname cn;
-	char buf[MAXNAMLEN +1];
 	struct vnode *vp = ap->a_vp;
 	struct pefs_xkey *xk = ap->a_data;
-	struct pefs_mac *mac = ap->a_data;
+	struct pefs_namemac *namemac = ap->a_data;
 	struct ucred *cred = ap->a_cred;
 	struct thread *td = ap->a_td;
 	struct mount *mp = vp->v_mount;
 	struct pefs_mount *pm = VFS_TO_PEFS(mp);
 	struct pefs_node *pn;
 	struct pefs_key *pk;
-	char *enc;
-	size_t enc_len;
+	char *enc, *buf;
+	size_t enc_len, buf_len;
 	int error = 0, i, r;
 
 	if (mp->mnt_cred->cr_uid != cred->cr_uid) {
@@ -2471,23 +2470,32 @@
 		if (pefs_key_remove_all(pm))
 			pefs_flushkey(mp, td, PEFS_FLUSHKEY_ALL, NULL);
 		break;
-	case PEFS_GETMAC:		
+	case PEFS_GETNAMEMAC:
+		if (vp->v_type != VDIR)
+			panic("pefs_ioctl: PEFS_GETNAMEMAC vp is not a directory\n");
+
+		if (strnlen(namemac->pnm_filename, sizeof(namemac->pnm_filename)) !=
+			namemac->pnm_namelen)
+			panic("pefs_ioctl: PEFS_GETNAMEMAC incorrect pnm_namelen\n");
+
+		if (strchr(namemac->pnm_filename, '/') != NULL)
+			panic("pefs_ioctl: PEFS_GETNAMEMAC pnm_filename contains '/'\n");
+
+		vn_lock(vp, LK_EXCLUSIVE);
 		pefs_enccn_init(&enccn);
 
 		cn.cn_nameiop = LOOKUP;
 		cn.cn_thread = td;
 		cn.cn_cred = cred;
-		/* XXXgpf: should probably acquire a shared lock if possible */
 		cn.cn_lkflags = 0;
 		cn.cn_flags = 0;
-		cn.cn_nameptr = mac->mac_filename;
-		cn.cn_namelen = mac->mac_namelen;
+		cn.cn_nameptr = namemac->pnm_filename;
+		cn.cn_namelen = namemac->pnm_namelen;
 
 		error = pefs_enccn_lookup(&enccn, vp, &cn);
-		printf("pefs_enccn_lookup = %d\n", error);
-		if (error == 0) {
-			printf("found!\nlen%ld %s", enccn.pec_cn.cn_namelen, enccn.pec_cn.cn_nameptr);
+		VOP_UNLOCK(vp, 0);
 
+		if (error == 0) {
 			enc = enccn.pec_cn.cn_nameptr;
 			enc_len = enccn.pec_cn.cn_namelen;
 
@@ -2497,16 +2505,18 @@
 			}
 			enc++;
 			enc_len--;
+			buf_len = MAXNAMLEN + 1;
+			buf = malloc(buf_len, M_TEMP, M_WAITOK);
 
-			r = pefs_name_pton(enc, enc_len, buf, sizeof(buf));
+			r = pefs_name_pton(enc, enc_len, buf, buf_len);
 			if (r <= 0)
 				error = EINVAL;
 			else
-				memcpy(&(mac->mac_csum), buf, PEFS_NAME_CSUM_SIZE);
-			
+				memcpy(&(namemac->pnm_csum), buf, PEFS_NAME_CSUM_SIZE);
+
 			pefs_enccn_free(&enccn);
+			free(buf, M_TEMP);
 		}
-
 		break;
 	default:
 		error = ENOTTY;

Modified: soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile
==============================================================================
--- soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile	Thu May 24 20:25:05 2012	(r236317)
+++ soc2012/gpf/pefs_kmod/sys/modules/pefs/Makefile	Thu May 24 20:28:06 2012	(r236318)
@@ -17,9 +17,7 @@
 #DEBUG_FLAGS+= -DPEFS_DEBUG
 #DEBUG_FLAGS+= -DPEFS_DEBUG_EXTRA
 
-CFLAGS+= -I${.CURDIR}/../../
-
-# Temporally build crypto/hmac into pefs module
+CFLAGS+= -I${.CURDIR}/../../# Temporally build crypto/hmac into pefs module
 .PATH:	${.CURDIR}/../../crypto/hmac
 
 SRCS+=	hmac_sha512.c

More information about the svn-soc-all mailing list