totemcrypto: add support for different encryption methods

(backport from nsscrypto kronosnet code)

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>
Reviewed-by: Jan Friesse <jfriesse@redhat.com>

TODO

@@ -27,7 +27,6 @@
 * Modify totemsrp to allow dynamic definitions of the ring counts
    to allow a larger number of redundant rings then 2.
 * Investigate always-on flight recorder
-* support more encryption methods (other than none/aes256) from nss
 * implement topic-rdmaud
 
 --------------------------------

conf/lenses/corosync.aug

@@ -50,8 +50,8 @@ let totem =
     |kv "rrp_mode" /none|active|passive/
     |kv "vsftype" /none|ykd/
     |kv "secauth" /on|off/
-    |kv "crypto_type" /nss|aes256/
-    |kv "crypto_cipher" /none|nss|aes256/
+    |kv "crypto_type" /nss|aes256|aes192|aes128|3des/
+    |kv "crypto_cipher" /none|nss|aes256|aes192|aes128|3des/
     |kv "crypto_hash" /none|md5|sha1|sha256|sha384|sha512/
     |kv "transport" /udp|iba/
     |kv "version" Rx.integer

exec/coroparse.c

@@ -502,7 +502,10 @@ static int main_config_parser_cb(const char *path,
 			}
 			if (strcmp(path, "totem.crypto_type") == 0) {
 				if ((strcmp(value, "nss") != 0) &&
-				    (strcmp(value, "aes256") != 0)) {
+				    (strcmp(value, "aes256") != 0) &&
+				    (strcmp(value, "aes192") != 0) &&
+				    (strcmp(value, "aes128") != 0) &&
+				    (strcmp(value, "3des") != 0)) {
 					*error_string = "Invalid crypto type";
 
 					return (0);
@@ -510,7 +513,10 @@ static int main_config_parser_cb(const char *path,
 			}
 			if (strcmp(path, "totem.crypto_cipher") == 0) {
 				if ((strcmp(value, "none") != 0) &&
-				    (strcmp(value, "aes256") != 0)) {
+				    (strcmp(value, "aes256") != 0) &&
+				    (strcmp(value, "aes192") != 0) &&
+				    (strcmp(value, "aes128") != 0) &&
+				    (strcmp(value, "3des") != 0)) {
 					*error_string = "Invalid cipher type";
 
 					return (0);

exec/totemconfig.c

@@ -138,6 +138,15 @@ static void totem_get_crypto(struct totem_config *totem_config)
 		if (strcmp(str, "aes256") == 0) {
 			tmp_cipher = "aes256";
 		}
+		if (strcmp(str, "aes192") == 0) {
+			tmp_cipher = "aes192";
+		}
+		if (strcmp(str, "aes128") == 0) {
+			tmp_cipher = "aes128";
+		}
+		if (strcmp(str, "3des") == 0) {
+			tmp_cipher = "3des";
+		}
 		free(str);
 	}
 

exec/totemcrypto.c

@@ -68,22 +68,34 @@ struct crypto_config_header {
 
 enum crypto_crypt_t {
 	CRYPTO_CIPHER_TYPE_NONE = 0,
-	CRYPTO_CIPHER_TYPE_AES256 = 1
+	CRYPTO_CIPHER_TYPE_AES256 = 1,
+	CRYPTO_CIPHER_TYPE_AES192 = 2,
+	CRYPTO_CIPHER_TYPE_AES128 = 3,
+	CRYPTO_CIPHER_TYPE_3DES = 4
 };
 
 CK_MECHANISM_TYPE cipher_to_nss[] = {
 	0,				/* CRYPTO_CIPHER_TYPE_NONE */
-	CKM_AES_CBC_PAD			/* CRYPTO_CIPHER_TYPE_AES256 */
+	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES256 */
+	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES192 */
+	CKM_AES_CBC_PAD,		/* CRYPTO_CIPHER_TYPE_AES128 */
+	CKM_DES3_CBC_PAD		/* CRYPTO_CIPHER_TYPE_3DES */
 };
 
 size_t cipher_key_len[] = {
-	 0,				/* CRYPTO_CIPHER_TYPE_NONE */
-	32,				/* CRYPTO_CIPHER_TYPE_AES256 */
+	0,				/* CRYPTO_CIPHER_TYPE_NONE */
+	AES_256_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES256 */
+	AES_192_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES192 */
+	AES_128_KEY_LENGTH,		/* CRYPTO_CIPHER_TYPE_AES128 */
+	24				/* CRYPTO_CIPHER_TYPE_3DES - no magic in nss headers */
 };
 
 size_t cypher_block_len[] = {
-	 0,				/* CRYPTO_CIPHER_TYPE_NONE */
-	AES_BLOCK_SIZE			/* CRYPTO_CIPHER_TYPE_AES256 */
+	0,				/* CRYPTO_CIPHER_TYPE_NONE */
+	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES256 */
+	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES192 */
+	AES_BLOCK_SIZE,			/* CRYPTO_CIPHER_TYPE_AES128 */
+	0				/* CRYPTO_CIPHER_TYPE_3DES */
 };
 
 /*
@@ -100,7 +112,7 @@ enum crypto_hash_t {
 };
 
 CK_MECHANISM_TYPE hash_to_nss[] = {
-	 0,				/* CRYPTO_HASH_TYPE_NONE */
+	0,				/* CRYPTO_HASH_TYPE_NONE */
 	CKM_MD5_HMAC,			/* CRYPTO_HASH_TYPE_MD5 */
 	CKM_SHA_1_HMAC,			/* CRYPTO_HASH_TYPE_SHA1 */
 	CKM_SHA256_HMAC,		/* CRYPTO_HASH_TYPE_SHA256 */
@@ -109,7 +121,7 @@ CK_MECHANISM_TYPE hash_to_nss[] = {
 };
 
 size_t hash_len[] = {
-	 0,				/* CRYPTO_HASH_TYPE_NONE */
+	0,				/* CRYPTO_HASH_TYPE_NONE */
 	MD5_LENGTH,			/* CRYPTO_HASH_TYPE_MD5 */
 	SHA1_LENGTH,			/* CRYPTO_HASH_TYPE_SHA1 */
 	SHA256_LENGTH,			/* CRYPTO_HASH_TYPE_SHA256 */
@@ -118,7 +130,7 @@ size_t hash_len[] = {
 };
 
 size_t hash_block_len[] = {
-	 0,				/* CRYPTO_HASH_TYPE_NONE */
+	0,				/* CRYPTO_HASH_TYPE_NONE */
 	MD5_BLOCK_LENGTH,		/* CRYPTO_HASH_TYPE_MD5 */
 	SHA1_BLOCK_LENGTH,		/* CRYPTO_HASH_TYPE_SHA1 */
 	SHA256_BLOCK_LENGTH,		/* CRYPTO_HASH_TYPE_SHA256 */
@@ -173,6 +185,12 @@ static int string_to_crypto_cipher_type(const char* crypto_cipher_type)
 		return CRYPTO_CIPHER_TYPE_NONE;
 	} else if (strcmp(crypto_cipher_type, "aes256") == 0) {
 		return CRYPTO_CIPHER_TYPE_AES256;
+	} else if (strcmp(crypto_cipher_type, "aes192") == 0) {
+		return CRYPTO_CIPHER_TYPE_AES192;
+	} else if (strcmp(crypto_cipher_type, "aes128") == 0) {
+		return CRYPTO_CIPHER_TYPE_AES128;
+	} else if (strcmp(crypto_cipher_type, "3des") == 0) {
+		return CRYPTO_CIPHER_TYPE_3DES;
 	}
 	return CRYPTO_CIPHER_TYPE_AES256;
 }

man/corosync.conf.5

@@ -173,7 +173,7 @@ The default is sha1.
 .TP
 crypto_cipher
 This specifies which cipher should be used to encrypt all messages.
-Valid values are none (no encryption) and aes256.
+Valid values are none (no encryption), aes256, aes192, aes128 and 3des.
 
 The default is aes256.