From: David Howells
Date: Tue, 8 Apr 2014 17:23:54 +0000 (+0100)
Subject: Allow RxRPC transport security to be requested
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=68a11a117d083577519892530059af44a8601072;p=users%2Fdhowells%2Fkafs-utils.git

Allow RxRPC transport security to be requested

Honour the -encrypt flag to vos listvldb and make it tell AF_RXRPC to secure the connection. This requires an appropriate key to be available in one of the user's keyrings, labelled:

afs@

Without such a key, error:

[Errno 126] Required key not available

will be issued.

Signed-off-by: David Howells
---
diff --git a/af_rxrpc.c b/af_rxrpc.c
index 09f58d1..9966994 100644
--- a/af_rxrpc.c
+++ b/af_rxrpc.c
@@ -121,7 +121,9 @@ struct rx_connection *rx_new_connection(const struct sockaddr *sa,
 uint16_t service,
 uint16_t local_port,
 uint16_t local_service,
- int exclusive)
+ int exclusive,
+ const char *key,
+ int security)
 {
 struct sockaddr_rxrpc srx;
 struct rx_connection *z_conn;
@@ -153,6 +155,10 @@ struct rx_connection *rx_new_connection(const struct sockaddr *sa,
 goto error_conn;
 }
 
+ if (security < RXRPC_SECURITY_PLAIN ||
+ security > RXRPC_SECURITY_ENCRYPT)
+ goto inval;
+
 memcpy(&z_conn->peer.transport, sa, salen);
 switch (sa->sa_family) {
 case AF_INET:
@@ -182,6 +188,18 @@ struct rx_connection *rx_new_connection(const struct sockaddr *sa,
 goto error_conn;
 }
 
+ if (key) {
+ ret = setsockopt(z_conn->fd, SOL_RXRPC, RXRPC_MIN_SECURITY_LEVEL,
+ &security, sizeof(security));
+ if (ret == -1)
+ goto error_conn;
+
+ ret = setsockopt(z_conn->fd, SOL_RXRPC, RXRPC_SECURITY_KEY,
+ key, strlen(key));
+ if (ret == -1)
+ goto error_conn;
+ }
+
 /* Bind an address to the local endpoint */
 memset(&srx, 0, sizeof(srx));
 srx.srx_family = AF_RXRPC;
diff --git a/py_rxconn.c b/py_rxconn.c
index 0203ddd..309cbb7 100644
--- a/py_rxconn.c
+++ b/py_rxconn.c
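Review bot: The new range check on `security` exits through `goto inval`, a label outside this hunk, while the failure path two lines above it uses `goto error_conn`; if `inval` does not perform the same teardown that `error_conn` does for the already-created connection, an out-of-range level leaks z_conn. Unless `inval` is known to release it, routing the rejection through the existing cleanup keeps the paths uniform, e.g. `if (security < RXRPC_SECURITY_PLAIN || security > RXRPC_SECURITY_ENCRYPT) { errno = EINVAL; goto error_conn; }`, assuming error_conn preserves errno for the caller. rx_new_connection begins and ends outside this hunk, so this cannot be confirmed from the diff alone.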
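Review bot: A non-zero `security` combined with a NULL `key` is silently accepted: the new `if (key)` block is the only place RXRPC_MIN_SECURITY_LEVEL is applied, so a caller asking for RXRPC_SECURITY_ENCRYPT without supplying a key gets an unsecured connection and no error. The level and the key should be tied together where the level is validated, e.g. `if (!key && security != RXRPC_SECURITY_PLAIN) goto inval;` ahead of this block, or the minimum level should be set unconditionally and only the RXRPC_SECURITY_KEY setsockopt made conditional on `key`. A short comment above the pair, such as `/* The level is a floor the kernel enforces on every call made over this socket */`, would tell readers why the level is set before the key. The enclosing function continues past the end of this hunk.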
@@ -111,13 +111,13 @@ kafs_py_rx_new_connection(PyObject *_self, PyObject *args)
 struct sockaddr_in sin;
 struct sockaddr_in6 sin6;
 } sa;
- const char *address = NULL;
+ const char *address = NULL, *key = NULL;
 socklen_t salen;
 uint16_t port, service, local_port = 0, local_service = 0;
- int exclusive = 0;
+ int exclusive = 0, security = 0;
 
- if (!PyArg_ParseTuple(args, "sHH|HHp",
- &address, &port, &service,
+ if (!PyArg_ParseTuple(args, "sHHzi|HHp",
+ &address, &port, &service, &key, &security,
 &local_port, &local_service, &exclusive))
 return NULL;
 
@@ -141,7 +141,8 @@ kafs_py_rx_new_connection(PyObject *_self, PyObject *args)
 assert(obj->x == NULL);
 z_conn = rx_new_connection(&sa.sa, salen, service,
- local_port, local_service, exclusive);
+ local_port, local_service, exclusive,
+ key, security);
 if (!z_conn) {
 Py_DECREF(obj);
 return errno == ENOMEM ? PyExc_MemoryError :
diff --git a/rxgen.h b/rxgen.h
index a6fbdbd..6d7ef28 100644
--- a/rxgen.h
+++ b/rxgen.h
@@ -170,7 +170,9 @@ extern struct rx_connection *rx_new_connection(const struct sockaddr *sa,
 uint16_t service,
 uint16_t local_port,
 uint16_t local_service,
- int exclusive);
+ int exclusive,
+ const char *key,
+ int security);
 
 extern void rx_close_connection(struct rx_connection *z_conn);
 
diff --git a/rxgen/rxgen.pl b/rxgen/rxgen.pl
index 1c33221..33d15c8 100755
--- a/rxgen/rxgen.pl
+++ b/rxgen/rxgen.pl
@@ -36,6 +36,10 @@ our @abort_codes = (); # Abort codes
 our @py_type_defs = (); # Python type definitions
 our @py_func_defs = (); # Python function definitions
 
+$constants{RXRPC_SECURITY_PLAIN} = { name => "RXRPC_SECURITY_PLAIN", val => 0 };
+$constants{RXRPC_SECURITY_AUTH} = { name => "RXRPC_SECURITY_AUTH", val => 1 };
+$constants{RXRPC_SECURITY_ENCRYPT} = { name => "RXRPC_SECURITY_ENCRYPT", val => 2 };
+
 #
 # Divide the lines from the files up into typed collections
 #
diff --git a/suite/commands/vos/listvldb.py b/suite/commands/vos/listvldb.py
index b0bb532..2bbe782 100644
--- a/suite/commands/vos/listvldb.py
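Review bot: The format string `"sHHzi|HHp"` makes `key` and `security` required positional arguments, so any Python caller of `rx_new_connection(address, port, service)` that this commit does not update now fails with TypeError; only cell.py is adjusted here, and other call sites are outside this diff. Since the hunk already initialises `key = NULL` and `security = 0`, placing the two new conversions after the bar, `"sHH|ziHHp"`, keeps existing callers working and still lets new ones request a level. Whichever form is kept, the binding's docstring (not in this hunk, if one exists) should list the new arguments and say that `z` accepts None for "no key"; the function continues outside the hunk.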
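Review bot: The three `RXRPC_SECURITY_*` entries are hand-copied numeric values with nothing recording where they come from, so a renumbering or an added level on the kernel side would go unnoticed here and in the range check that af_rxrpc.c now performs against them. A comment above the block naming the source, e.g. `# Security levels passed to RXRPC_MIN_SECURITY_LEVEL; must match the kernel's linux/rxrpc.h`, makes the coupling visible to whoever next touches either side.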
+++ b/suite/commands/vos/listvldb.py
@@ -100,7 +100,17 @@ def print_record(params, vldb):
 def main(params):
 # Get a list of VLDB servers to query
 cell = params["cell"]
- z_conn = cell.open_vl_server()
+
+ if "localauth" in params:
+ raise RuntimeError("Don't support -localauth yet")
+ elif "noauth" in params:
+ security = None
+ elif "encrypt" in params:
+ security = kafs.RXRPC_SECURITY_ENCRYPT
+ else:
+ security = None
+
+ z_conn = cell.open_vl_server(security)
 
 quiet = "quiet" in params
 if "name" in params:
diff --git a/suite/lib/cell.py b/suite/lib/cell.py
index a721cec..a4938ee 100644
--- a/suite/lib/cell.py
+++ b/suite/lib/cell.py
@@ -119,14 +119,21 @@ class cell:
 return addrs
 
 # Open a VL Server connection
- def open_vl_server(self):
+ def open_vl_server(self, security=None):
 if self.__vlconn:
 return
 
 for vlserver in self.query_vl_addrs():
 debug("Trying", vlserver)
- z_conn = kafs.rx_new_connection(vlserver, kafs.VL_PORT, kafs.VL_SERVICE)
+ if security != None:
+ key = "afs@" + self.__name.upper()
+ else:
+ key = None
+ security = 0
+
+ z_conn = kafs.rx_new_connection(vlserver, kafs.VL_PORT, kafs.VL_SERVICE,
+ key, security)
 try:
 ret = kafs.VL_Probe(z_conn)
 self.__vlconn = z_conn
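Review bot: The `elif "noauth" in params` branch and the final `else` both assign `security = None`, so -noauth changes nothing, and because that test runs before the `"encrypt"` test a command line carrying both -noauth and -encrypt silently gets an unsecured connection. Either reject the conflicting pair the way -localauth is rejected, `if "noauth" in params and "encrypt" in params: raise RuntimeError("-noauth and -encrypt are mutually exclusive")`, or collapse the two identical branches into `security = kafs.RXRPC_SECURITY_ENCRYPT if "encrypt" in params else None`. A one-line comment saying that None means "plaintext, no key" would also help, since that meaning is only established inside cell.open_vl_server. main continues past the end of the hunk.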
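Review bot: The early `if self.__vlconn: return` hands back whichever connection was opened first, so a later `open_vl_server(kafs.RXRPC_SECURITY_ENCRYPT)` on a cell that already holds a plaintext VL connection returns without upgrading it and without any indication that the requested level was not applied. Either remember the level the cached connection was opened with and reopen (or raise) when a stricter one is asked for, or state in the method's comment that the security level of the first call wins for the lifetime of the cell object. Two smaller points in the new lines: `if security != None:` should be `if security is not None:`, and the fallback `security = 0` would be clearer as `security = kafs.RXRPC_SECURITY_PLAIN` now that the generator exports that name. The method body continues past the end of the hunk.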