From patchwork Thu Jan 24 18:36:12 2013
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 215474
From: Chuck Lever
To: fedfs-utils-devel@oss.oracle.com
Date: Thu, 24 Jan 2013 13:36:12 -0500
Message-ID: <20130124183612.13601.36702.stgit@seurat.1015granger.net>
In-Reply-To: <20130124182619.13601.61251.stgit@seurat.1015granger.net>
References: <20130124182619.13601.61251.stgit@seurat.1015granger.net>
User-Agent: StGIT/0.14.3
Subject: [fedfs-utils] [PATCH 11/11] libnsdb: nsdb_ping_s() should handle TLS-only NSDBs
List-Id: fedfs-utils Developers

If an NSDB requires TLS (as recommended by the NSDB protocol draft)
nsdb_ping_s() will return FEDFS_ERR_NSDB_LDAP_VAL.

When performing an NSDB ping, an NSDB client doesn't yet have NSDB
connection parameters, so it can't actually connect to the NSDB and
see if it has an NCE. But nsdb_ping_s() can report in this case that
TLS is required.

The two cases where nsdb_ping_s() is invoked are when fedfsd or
nsdbparams is trying to determine if a new NSDB entry is allowed. If
the ping tells us we need TLS security, fedfsd and nsdbparams can
ensure that the new connection parameters do configure FEDFS_SEC_TLS.

Signed-off-by: Chuck Lever
---
 src/fedfsd/svc.c         | 16 +++++++++++++++-
 src/libnsdb/fileserver.c | 16 +++++++++++++---
 src/nsdbparams/update.c  |  5 +++++
 3 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/fedfsd/svc.c b/src/fedfsd/svc.c
index 861e92f..db1d5b9 100644
--- a/src/fedfsd/svc.c +++ b/src/fedfsd/svc.c @@ -955,6 +955,10 @@ fedfsd_test_nsdb(const char *hostname, unsigned short port) xlog(D_GENERAL, "%s: %s:%u passed ping test", __func__, hostname, port); break; + case FEDFS_ERR_NSDB_AUTH: + xlog(D_GENERAL, "%s: TLS is required for NSDB %s:%u", + __func__, hostname, port); + break; case FEDFS_ERR_NSDB_NONCE: xlog(D_GENERAL, "%s: %s:%u is up, but not an NSDB: %s", __func__, hostname, port, @@ -1008,8 +1012,18 @@ fedfsd_svc_set_nsdb_params_1(SVCXPRT *xprt) break; case FEDFS_ERR_NSDB_PARAMS: result = fedfsd_test_nsdb(hostname, port); - if (result != FEDFS_OK) + switch (result) { + case FEDFS_OK: + break; + case FEDFS_ERR_NSDB_AUTH: + if (args.params.secType == FEDFS_SEC_NONE) + goto out; + result = FEDFS_OK; + break; + default: goto out; + } + result = nsdb_create_nsdb(hostname, port); if (result != FEDFS_OK) { xlog(L_ERROR, "Failed to create entry for %s:%u in " diff --git a/src/libnsdb/fileserver.c b/src/libnsdb/fileserver.c index 56837a8..b08ce5c 100644 --- a/src/libnsdb/fileserver.c +++ b/src/libnsdb/fileserver.c @@ -1749,17 +1749,27 @@ out: static FedFsStatus nsdb_ping_contexts_s(nsdb_t host, char **contexts, unsigned int *ldap_err) { + unsigned int ldap_result; FedFsStatus retval; char *dn; int i; + retval = FEDFS_ERR_NSDB_RESPONSE; for (i = 0; contexts[i] != NULL; i++) { - retval = nsdb_get_ncedn_s(host, contexts[i], &dn, ldap_err); - if (retval == FEDFS_OK) { + retval = nsdb_get_ncedn_s(host, contexts[i], &dn, &ldap_result); + switch (retval) { + case FEDFS_OK: free(dn); break; - } else + case FEDFS_ERR_NSDB_LDAP_VAL: + if (ldap_result == LDAP_CONFIDENTIALITY_REQUIRED) + retval = FEDFS_ERR_NSDB_AUTH; + else + *ldap_err = ldap_result; + break; + default: retval = FEDFS_ERR_NSDB_NONCE; + } } return retval; } diff --git a/src/nsdbparams/update.c b/src/nsdbparams/update.c index 62de0c2..ef0ceb0 100644 --- a/src/nsdbparams/update.c +++ b/src/nsdbparams/update.c 
@@ -118,6 +118,11 @@ nsdbparams_test_nsdb(const char *nsdbname, unsigned short nsdbport) nsdbname, nsdbport, nsdb_display_fedfsstatus(retval)); retval = FEDFS_OK; break; + case FEDFS_ERR_NSDB_AUTH: + xlog(L_WARNING, "Warning: TLS is required for NSDB %s:%u", + nsdbname, nsdbport); + retval = FEDFS_OK; + break; case FEDFS_ERR_NSDB_LDAP_VAL: xlog(L_WARNING, "Failed to ping NSDB %s:%u: %s", nsdbname, nsdbport, ldap_err2string(ldap_err));
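Review bot: in the new switch in fedfsd_svc_set_nsdb_params_1() (src/fedfsd/svc.c, second hunk), the FEDFS_ERR_NSDB_AUTH case only rejects `args.params.secType == FEDFS_SEC_NONE`, while the commit message says the goal is to ensure the new parameters configure FEDFS_SEC_TLS; testing `if (args.params.secType != FEDFS_SEC_TLS)` states that intent directly and stays correct if further security types are ever added. The rejection path also jumps to `out` silently with `result` still FEDFS_ERR_NSDB_AUTH; an xlog(L_ERROR, ...) there, like the "Failed to create entry for %s:%u" message just below it, would tell the administrator why the request was refused, since the matching message in fedfsd_test_nsdb() is logged at D_GENERAL and so only appears with debugging on.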
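Review bot: in nsdb_ping_contexts_s() (src/libnsdb/fileserver.c hunk), replacing the if/else with a switch changes what `break` means. The original `break` after `free(dn)` left the for loop on the first naming context that had an NCE; inside the switch it only leaves the switch, so the loop continues with the next context and `retval` is overwritten by that context's result. A successful first context followed by one without an NCE now yields FEDFS_ERR_NSDB_NONCE, and a FEDFS_ERR_NSDB_AUTH result can likewise be clobbered by a later context. Add a check after the switch, for example `if (retval == FEDFS_OK || retval == FEDFS_ERR_NSDB_AUTH) break;`, or turn the breaks in those two cases into a `goto` out of the loop. Also note that `*ldap_err` is now only written on the FEDFS_ERR_NSDB_LDAP_VAL path when `ldap_result` is not LDAP_CONFIDENTIALITY_REQUIRED, so callers must not read it for any other return value; a comment above the function saying so would help.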
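Review bot: the FEDFS_ERR_NSDB_AUTH case in nsdbparams_test_nsdb() (src/nsdbparams/update.c hunk) only warns and then sets `retval = FEDFS_OK`, so on its own it does not do what the commit message describes for nsdbparams (ensuring the new connection parameters configure FEDFS_SEC_TLS); if that check is done by the caller it should be part of this patch, otherwise a TLS-only NSDB can still be recorded with FEDFS_SEC_NONE and the failure only shows up at first use. Minor: the message "Warning: TLS is required for NSDB %s:%u" carries a "Warning:" prefix that the neighbouring L_WARNING message ("Failed to ping NSDB %s:%u: %s") does not; drop it for consistency.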