[DRBD-cvs] r1729 - in trunk: . drbd drbd/linux scripts user

svn at svn.drbd.org svn at svn.drbd.org
Fri Jan 21 00:06:35 CET 2005


Author: phil
Date: 2005-01-21 00:06:32 +0100 (Fri, 21 Jan 2005)
New Revision: 1729

Modified:
   trunk/ROADMAP
   trunk/drbd/drbd_main.c
   trunk/drbd/drbd_receiver.c
   trunk/drbd/drbd_sizeof_sanity_check.c
   trunk/drbd/linux/drbd.h
   trunk/scripts/drbd.conf
   trunk/user/drbdsetup.c
Log:
Fixed the challenge/response authentication! 
Great, was less work than I expected. The kernel's
crypto API is a nice thing...


Modified: trunk/ROADMAP
===================================================================
--- trunk/ROADMAP	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/ROADMAP	2005-01-20 23:06:32 UTC (rev 1729)
@@ -15,10 +15,10 @@
   40% DONE
 
 3 Authenticate the peer upon connect by using a shared secret. 
-  Configuration file syntax:  net { auth-secret "secret-word" }
-  Using a challenge-response authentication within the new
-  handshake.
-  0% ASSIGNED TO rodrigo at corporacionlinux.cl 
+  Configuration file syntax:  net { cram-hmac-alg "sha1"; 
+  shared-secret "secret-word"; }
+  Using a challenge-response authentication.
+  99% DONE
 
 4 Consolidate state changes into a central function, that makes
   sure that the new state is valid. Replace set_cstate() with

Modified: trunk/drbd/drbd_main.c
===================================================================
--- trunk/drbd/drbd_main.c	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/drbd_main.c	2005-01-20 23:06:32 UTC (rev 1729)
@@ -814,6 +814,10 @@
 	Drbd_Header h;
 	int ok;
 
+	h.magic   = BE_DRBD_MAGIC;
+	h.command = cpu_to_be16(cmd);
+	h.length  = cpu_to_be16(size);
+
 	down(&mdev->data.mutex);
 	spin_lock(&mdev->send_task_lock);
 	mdev->send_task=current;
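Review bot: The added `h.length = cpu_to_be16(size);` silently truncates `size` to 16 bits, so a payload of 64 KiB or more would go on the wire under a header announcing a much smaller length and desynchronise the peer's parser; the type of `size` is not visible in this hunk, but nothing here bounds it. A guard before the mutex is taken would make the failure explicit rather than silent: `if (size > 0xffff) return 0;` (0 being the failure value `ok` carries in the hunk below). The enclosing send function starts above and ends below this hunk.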
@@ -821,7 +825,7 @@
 
 	old_blocked = drbd_block_all_signals();
 
-	ok = _drbd_send_cmd(mdev,mdev->data.socket,cmd,&h,size,0);
+	ok = ( sizeof(h) == drbd_send(mdev,mdev->data.socket,&h,sizeof(h),0) );
 	ok = ok && ( size == drbd_send(mdev,mdev->data.socket,data,size,0) );
 
 	restore_old_sigset(old_blocked);
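Review bot: After this change the header and the payload go out in two separate `drbd_send` calls, so when the header send succeeds but the payload send fails or is short, the peer has received a header announcing `size` bytes that never arrive; `ok` reports the failure, but the stream is out of sync, so the caller must treat `!ok` as grounds to drop the connection rather than retry the command — the callers are outside this hunk, so I cannot confirm that they do. A one-line comment on the second send would make that contract explicit: `/* a failed payload send leaves the peer waiting for size bytes: the caller must drop the connection on !ok */`. The enclosing function starts above and ends below this hunk.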

Modified: trunk/drbd/drbd_receiver.c
===================================================================
--- trunk/drbd/drbd_receiver.c	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/drbd_receiver.c	2005-01-20 23:06:32 UTC (rev 1729)
@@ -701,7 +701,7 @@
 
 	if ( mdev->cram_hmac_tfm ) {
 		if (!drbd_do_auth(mdev)) {
-			ERR("Authentication of Peer failed.");
+			ERR("Authentication of peer failed\n");
 			return 0;
 		}
 	}
@@ -1951,7 +1951,7 @@
 	}
 
 	if (p.length != resp_size ) {
-		ERR( "expected AuthResponse payload of wrong size.\n" );
+		ERR( "expected AuthResponse payload of wrong size\n" );
 		return 0;
 	}
 
@@ -1979,6 +1979,11 @@
 	kfree(response);
 	kfree(right_response);
 
+	if(rv) {
+		INFO("Peer authenticated usind %d bytes of '%s' HMAC\n",
+		     resp_size,mdev->conf.cram_hmac_alg);
+	}
+
 	return rv;
 }
 #endif
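Review bot: The added INFO message misspells "using" as `usind`; since this string is what an operator greps for when diagnosing a handshake, it should read `INFO("Peer authenticated using %d bytes of '%s' HMAC\n", resp_size, mdev->conf.cram_hmac_alg);`. Logging only the digest name and the response length is fine from a secrecy standpoint — neither the shared secret nor the challenge/response bytes are printed. The comparison of `response` against `right_response` that sets `rv` happens before this hunk, so I cannot see whether it is a plain `memcmp`; a constant-time comparison is the usual choice for checking an authentication tag. `drbd_do_auth` starts outside the hunk.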

Modified: trunk/drbd/drbd_sizeof_sanity_check.c
===================================================================
--- trunk/drbd/drbd_sizeof_sanity_check.c	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/drbd_sizeof_sanity_check.c	2005-01-20 23:06:32 UTC (rev 1729)
@@ -16,13 +16,14 @@
 {
 	int err = 0, s = 0;
 	SZO(struct disk_config,		 24)
-	SZO(struct net_config,		304)
+	SZO(struct net_config,		432)
 	SZO(struct syncer_config,	 24)
 	SZO(struct ioctl_disk_config,	 32)
-	SZO(struct ioctl_net_config,	312)
+	SZO(struct ioctl_net_config,	440)
 	SZO(struct ioctl_syncer_config,	 32)
 	SZO(struct ioctl_wait,		 16)
-	SZO(struct ioctl_get_config,	432)
+	SZO(struct ioctl_get_config,	560)
+	SZO(struct ioctl_get_gen_cnt,    48)
 	if (err) printk("<3>ioctls won't work, aborting\n");
 	return err;
 }
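Review bot: The three changed sizes and the new `SZO(struct ioctl_get_gen_cnt, 48)` are bare numbers with nothing saying which ABI (word size, compiler) they were measured on, yet this table is what stops a userland drbdsetup built against a different `drbd.h` from handing the kernel a mis-sized ioctl struct. A comment above the table such as `/* expected sizes of the ioctl structs shared with drbdsetup, measured on the reference ABI; re-measure whenever drbd.h changes a struct */` (naming the actual architecture) would tell the next person who edits `drbd.h` what to update. The `_pad` removal in `drbd.h` elsewhere in this commit is presumably what this hunk's new `ioctl_get_gen_cnt` entry accounts for, but that cannot be confirmed from here.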

Modified: trunk/drbd/linux/drbd.h
===================================================================
--- trunk/drbd/linux/drbd.h	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/drbd/linux/drbd.h	2005-01-20 23:06:32 UTC (rev 1729)
@@ -284,7 +284,6 @@
 	OUT __u64        current_size;
 	OUT __u32        gen_cnt[GEN_CNT_SIZE];	/* generation counter */
 	OUT unsigned int bits_set;
-	int              _pad;
 };
 
 #define DRBD_MAGIC 0x83740267
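Review bot: Dropping the explicit `int _pad;` from a struct whose fields are marked `OUT` (so it is presumably filled by the kernel and copied back to user space) replaces a member the kernel could assign with implicit tail padding that no field assignment ever writes; if the kernel builds this struct on its stack and `copy_to_user()`s it, those bytes carry whatever was on the stack before. Whether the filling code zeroes the struct first is not visible here — if it does not, it should `memset(&arg, 0, sizeof(arg));` before setting the fields, or keep the explicit pad and set it to 0. The struct's header line is outside this hunk; from the sanity-check change in this commit it appears to be `ioctl_get_gen_cnt`, whose expected size is being set to 48 at the same time.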

Modified: trunk/scripts/drbd.conf
===================================================================
--- trunk/scripts/drbd.conf	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/scripts/drbd.conf	2005-01-20 23:06:32 UTC (rev 1729)
@@ -213,8 +213,18 @@
     # ext3,reiserFS,XFS,JFS etc...
     # allow-two-primaries;
 
-    # cram-hmac-alg=sha1;
-    # shared-secret="FooFunFactory";
+    # This enables peer authentication. Without this everybody
+    # on the network could connect to one of your DRBD nodes with
+    # a program that emulates DRBD's protocoll and could suck off
+    # all your data. 
+    # Specify one of the kernel's digest algorithms, e.g.:
+    # md5, sha1, sha256, sha512, wp256, wp384, wp512, michael_mic ...
+    # an a shared secret. 
+    # Authentication is only done once after the TCP connection
+    # is establised, there are no disadvantages from using authentication,
+    # therefore I suggest to enable it in any case.
+    # cram-hmac-alg "sha1";
+    # shared-secret "FooFunFactory";
   }
 
   syncer {
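Review bot: The added comment says authentication is done once after the TCP connection is established and that there are "no disadvantages", but it should also say what that does not buy: the peer is verified only at connect time, the data stream itself is neither authenticated nor encrypted, so an attacker who can sit in the path or take over an established connection is not stopped, and the secret sits in clear text in this file, so its permissions matter. Suggested wording: `# This authenticates the peer at connection setup only; the data stream itself is not protected, and the secret is stored in clear text here, so keep this file readable only by root.` The algorithm list mixes general-purpose digests with `michael_mic`, which is a short keyed MIC rather than a collision-resistant hash; listing it next to sha256 invites a weak choice, so drop it from the example and steer readers to `sha1` or `sha256` (whether the kernel accepts it as an HMAC digest at all is not visible here). Minor typos in the same block: `protocoll`, `an a shared secret`, `establised`.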

Modified: trunk/user/drbdsetup.c
===================================================================
--- trunk/user/drbdsetup.c	2005-01-20 13:26:04 UTC (rev 1728)
+++ trunk/user/drbdsetup.c	2005-01-20 23:06:32 UTC (rev 1729)
@@ -560,6 +560,8 @@
     [MDIOError]="IO error(s) orruced during initial access to meta-data.\n",
     [MDInvalid]="No valid meta-data signature found.\n"
                 "Use 'drbdadm create-md res' to initialize meta-data area.\n",
+    [CRAMAlgNotAvail]="The 'cram-hmac-alg' you specified is not known in "
+                      "the kernel.\n"
   };
 
   if (err_no>ARRY_SIZE(etext) || err_no<0) err_no=0;
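Review bot: The bounds check on the context line `if (err_no>ARRY_SIZE(etext) || err_no<0) err_no=0;` is off by one — `err_no == ARRY_SIZE(etext)` passes and indexes one past the end of `etext`; with the table now extended to `CRAMAlgNotAvail`, it should read `if (err_no >= ARRY_SIZE(etext) || err_no < 0) err_no = 0;`. Because `etext` is filled with designated initialisers, any enum value without an entry yields a NULL pointer; if such gaps exist (the table's start is outside the hunk), `|| etext[err_no] == NULL` belongs in the same condition. The pre-existing `orruced` in the `MDIOError` text should be `occurred`. The enclosing function starts above and ends below this hunk.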


