[DRBD-cvs] r1729 - in trunk: . drbd drbd/linux scripts user
svn at svn.drbd.org
Fri Jan 21 00:06:35 CET 2005
Author: phil
Date: 2005-01-21 00:06:32 +0100 (Fri, 21 Jan 2005)
New Revision: 1729
Modified:
trunk/ROADMAP
trunk/drbd/drbd_main.c
trunk/drbd/drbd_receiver.c
trunk/drbd/drbd_sizeof_sanity_check.c
trunk/drbd/linux/drbd.h
trunk/scripts/drbd.conf
trunk/user/drbdsetup.c
Log:
Fixed the challenge/response authentication!
Great, was less work than I expected. The kernel's
crypto API is a nice thing...
Modified: trunk/ROADMAP
===================================================================
--- trunk/ROADMAP 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/ROADMAP 2005-01-20 23:06:32 UTC (rev 1729)
@@ -15,10 +15,10 @@
40% DONE
3 Authenticate the peer upon connect by using a shared secret.
- Configuration file syntax: net { auth-secret "secret-word" }
- Using a challenge-response authentication within the new
- handshake.
- 0% ASSIGNED TO rodrigo at corporacionlinux.cl
+ Configuration file syntax: net { cram-hmac-alg "sha1";
+ shared-secret "secret-word"; }
+ Using a challenge-response authentication.
+ 99% DONE
4 Consolidate state changes into a central function, that makes
sure that the new state is valid. Replace set_cstate() with
Modified: trunk/drbd/drbd_main.c
===================================================================
--- trunk/drbd/drbd_main.c 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/drbd_main.c 2005-01-20 23:06:32 UTC (rev 1729)
@@ -814,6 +814,10 @@
Drbd_Header h;
int ok;
+ h.magic = BE_DRBD_MAGIC;
+ h.command = cpu_to_be16(cmd);
+ h.length = cpu_to_be16(size);
+
down(&mdev->data.mutex);
spin_lock(&mdev->send_task_lock);
mdev->send_task=current;
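Review bot: `h.length = cpu_to_be16(size)` on the added line silently truncates any `size` above 0xffff, and nothing in the new lines rejects such a value, so a large payload would go out with a 16-bit length that disagrees with the `size` bytes actually written after the header and the peer would lose framing. Guard it before the header is built, e.g. `if (size > 0xffff) return 0;` (the function's signature and return convention are outside the hunk; the `int ok;` local suggests a 0-on-failure result, please confirm). The enclosing function starts before this hunk.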
@@ -821,7 +825,7 @@
old_blocked = drbd_block_all_signals();
- ok = _drbd_send_cmd(mdev,mdev->data.socket,cmd,&h,size,0);
+ ok = ( sizeof(h) == drbd_send(mdev,mdev->data.socket,&h,sizeof(h),0) );
ok = ok && ( size == drbd_send(mdev,mdev->data.socket,data,size,0) );
restore_old_sigset(old_blocked);
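Review bot: Sending the header and the payload as two separate `drbd_send()` calls means a failure of the second call leaves the peer holding a header that promises `size` bytes which never arrive; the `&&` short-circuit prevents sending data after a failed header, but not the reverse. That is only safe if every caller drops the connection on `!ok`, which is not visible here, so it is worth stating at this point: `/* a partial send leaves the stream out of sync; callers must drop the connection on failure */`. Checking the return against `sizeof(h)` and `size` rather than `> 0` is the right way to catch a short write. The enclosing function continues past the hunk.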
Modified: trunk/drbd/drbd_receiver.c
===================================================================
--- trunk/drbd/drbd_receiver.c 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/drbd_receiver.c 2005-01-20 23:06:32 UTC (rev 1729)
@@ -701,7 +701,7 @@
if ( mdev->cram_hmac_tfm ) {
if (!drbd_do_auth(mdev)) {
- ERR("Authentication of Peer failed.");
+ ERR("Authentication of peer failed\n");
return 0;
}
}
@@ -1951,7 +1951,7 @@
}
if (p.length != resp_size ) {
- ERR( "expected AuthResponse payload of wrong size.\n" );
+ ERR( "expected AuthResponse payload of wrong size\n" );
return 0;
}
@@ -1979,6 +1979,11 @@
kfree(response);
kfree(right_response);
+ if(rv) {
+ INFO("Peer authenticated usind %d bytes of '%s' HMAC\n",
+ resp_size,mdev->conf.cram_hmac_alg);
+ }
+
return rv;
}
#endif
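Review bot: The new INFO message has a typo in a user-visible log line, "usind" for "using": `INFO("Peer authenticated using %d bytes of '%s' HMAC\n",`. Separately, the two buffers freed just above the new lines hold HMAC values derived from the shared secret; if they are plain kmalloc'd buffers (their allocation is outside the hunk), clearing them with `memset(..., 0, resp_size)` before `kfree()` would avoid leaving keyed material in freed kernel memory. How `rv` is derived is also outside the view; if it comes from a plain `memcmp()` of the two responses, a comparison that does not return early on the first mismatching byte would be preferable for an authentication check. `drbd_do_auth` starts before this hunk.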
Modified: trunk/drbd/drbd_sizeof_sanity_check.c
===================================================================
--- trunk/drbd/drbd_sizeof_sanity_check.c 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/drbd_sizeof_sanity_check.c 2005-01-20 23:06:32 UTC (rev 1729)
@@ -16,13 +16,14 @@
{
int err = 0, s = 0;
SZO(struct disk_config, 24)
- SZO(struct net_config, 304)
+ SZO(struct net_config, 432)
SZO(struct syncer_config, 24)
SZO(struct ioctl_disk_config, 32)
- SZO(struct ioctl_net_config, 312)
+ SZO(struct ioctl_net_config, 440)
SZO(struct ioctl_syncer_config, 32)
SZO(struct ioctl_wait, 16)
- SZO(struct ioctl_get_config, 432)
+ SZO(struct ioctl_get_config, 560)
+ SZO(struct ioctl_get_gen_cnt, 48)
if (err) printk("<3>ioctls won't work, aborting\n");
return err;
}
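Review bot: The new `SZO(struct ioctl_get_gen_cnt, 48)` pins a size for a struct that, with `_pad` removed from it in drbd.h in this same commit, now gets its trailing padding from the alignment of its `__u64` member, which differs between i386 (4) and x86_64 (8); a fixed 48 may therefore hold on only one of them, so it is worth confirming on a 32-bit build before relying on it (the struct's other fields and `GEN_CNT_SIZE` are outside the view). Since every number in this table is otherwise magic, a short comment naming the fields that account for the 128-byte growth of `net_config` would help the next person who has to update them, e.g. `/* net_config grew by 128 bytes for cram_hmac_alg and shared_secret */` — confirm that this is indeed the whole difference.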
Modified: trunk/drbd/linux/drbd.h
===================================================================
--- trunk/drbd/linux/drbd.h 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/linux/drbd.h 2005-01-20 23:06:32 UTC (rev 1729)
@@ -284,7 +284,6 @@
OUT __u64 current_size;
OUT __u32 gen_cnt[GEN_CNT_SIZE]; /* generation counter */
OUT unsigned int bits_set;
- int _pad;
};
#define DRBD_MAGIC 0x83740267
Modified: trunk/scripts/drbd.conf
===================================================================
--- trunk/scripts/drbd.conf 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/scripts/drbd.conf 2005-01-20 23:06:32 UTC (rev 1729)
@@ -213,8 +213,18 @@
# ext3,reiserFS,XFS,JFS etc...
# allow-two-primaries;
- # cram-hmac-alg=sha1;
- # shared-secret="FooFunFactory";
+ # This enables peer authentication. Without this everybody
+ # on the network could connect to one of your DRBD nodes with
+ # a program that emulates DRBD's protocoll and could suck off
+ # all your data.
+ # Specify one of the kernel's digest algorithms, e.g.:
+ # md5, sha1, sha256, sha512, wp256, wp384, wp512, michael_mic ...
+ # an a shared secret.
+ # Authentication is only done once after the TCP connection
+ # is establised, there are no disadvantages from using authentication,
+ # therefore I suggest to enable it in any case.
+ # cram-hmac-alg "sha1";
+ # shared-secret "FooFunFactory";
}
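Review bot: The new comment overstates what `cram-hmac-alg`/`shared-secret` buy: the text "Authentication is only done once after the TCP connection is establised, there are no disadvantages" reads as if the link were then protected, but the mechanism only authenticates the peer at connect time; the replication traffic after that is neither encrypted nor integrity-checked, so an attacker on the path can still read or alter data in flight. Add something like `# Note: this authenticates the peer at connect time only. The replication traffic itself is not encrypted or integrity-protected; run DRBD over a dedicated or otherwise trusted link.` and recommend a strong digest and a high-entropy secret rather than listing `md5` and `michael_mic` alongside `sha1`/`sha256` without comment. While editing, fix the typos "protocoll", "an a shared secret" (should be "and a shared secret") and "establised".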
syncer {
Modified: trunk/user/drbdsetup.c
===================================================================
--- trunk/user/drbdsetup.c 2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/user/drbdsetup.c 2005-01-20 23:06:32 UTC (rev 1729)
@@ -560,6 +560,8 @@
[MDIOError]="IO error(s) orruced during initial access to meta-data.\n",
[MDInvalid]="No valid meta-data signature found.\n"
"Use 'drbdadm create-md res' to initialize meta-data area.\n",
+ [CRAMAlgNotAvail]="The 'cram-hmac-alg' you specified is not known in "
+ "the kernel.\n"
};
if (err_no>ARRY_SIZE(etext) || err_no<0) err_no=0;
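Review bot: The bounds check immediately below the table the commit extends, `if (err_no>ARRY_SIZE(etext) || err_no<0) err_no=0;`, still admits `err_no == ARRY_SIZE(etext)`, which indexes one past the end of `etext`; it should read `if (err_no >= ARRY_SIZE(etext) || err_no < 0) err_no = 0;`. This is pre-existing, but adding entries is the moment to get it right. With designated initializers, any enum value between `MDInvalid` and the new `CRAMAlgNotAvail` that lacks a string leaves a NULL entry that would be printed as such; the enum is outside the hunk, so please confirm it is contiguous. The enclosing function starts and ends outside the hunk.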