From 4a2f48b17b06638d3d3adcae683aff1639351434 Mon Sep 17 00:00:00 2001

From: Jan Friesse <jfriesse@redhat.com>

Date: Tue, 10 Nov 2020 18:10:17 +0100

Subject: [PATCH] totemknet: Check both cipher and hash for crypto

Previously only crypto cipher was used as a way to find out if crypto is

enabled or disabled.

This usually works ok until cipher is set to none and hash to some other

value (like sha1). Such config is perfectly valid and it was not

supported correctly.

As a solution, check both cipher and hash.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>

Reviewed-by: Fabio M. Di Nitto <fdinitto@redhat.com>

Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>

---

 exec/totemknet.c | 18 +++++++++++++-----

 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/exec/totemknet.c b/exec/totemknet.c

index c6a1649d..0834e8e4 100644

--- a/exec/totemknet.c

+++ b/exec/totemknet.c

@@ -905,6 +905,14 @@ static void totemknet_add_config_notifications(struct totemknet_instance *instan

 	LEAVE();

 }

+static int totemknet_is_crypto_enabled(const struct totemknet_instance *instance)

+{

+

+	return (!(strcmp(instance->totem_config->crypto_cipher_type, "none") == 0 &&

+	    strcmp(instance->totem_config->crypto_hash_type, "none") == 0));

+

+}

+

 static int totemknet_set_knet_crypto(struct totemknet_instance *instance)

 {

 	struct knet_handle_crypto_cfg crypto_cfg;

@@ -927,7 +935,7 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance)

 		);

 	/* If crypto is being disabled we need to explicitly allow cleartext traffic in knet */

-	if (strcmp(instance->totem_config->crypto_cipher_type, "none") == 0) {

+	if (!totemknet_is_crypto_enabled(instance)) {

 		res = knet_handle_crypto_rx_clear_traffic(instance->knet_handle, KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC);

 		if (res) {

 			knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_rx_clear_traffic(ALLOW) failed %s", strerror(errno));

@@ -1108,7 +1116,7 @@ int totemknet_initialize (

 	/* Enable crypto if requested */

 #ifdef HAVE_KNET_CRYPTO_RECONF

-	if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {

+	if (totemknet_is_crypto_enabled(instance)) {

 	        res = totemknet_set_knet_crypto(instance);

 		if (res == 0) {

 			res = knet_handle_crypto_use_config(instance->knet_handle, totem_config->crypto_index);

@@ -1134,7 +1142,7 @@ int totemknet_initialize (

 		}

 	}

 #else

-	if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {

+	if (totemknet_is_crypto_enabled(instance)) {

 		res = totemknet_set_knet_crypto(instance);

 		if (res) {

 			knet_log_printf(LOG_DEBUG, "Failed to set up knet crypto");

@@ -1616,7 +1624,7 @@ int totemknet_crypto_reconfigure_phase (

 	switch (phase) {

 		case CRYPTO_RECONFIG_PHASE_ACTIVATE:

 			config_to_use = totem_config->crypto_index;

-			if (strcmp(instance->totem_config->crypto_cipher_type, "none") == 0) {

+			if (!totemknet_is_crypto_enabled(instance)) {

 				config_to_use = 0; /* we are clearing it */

 			}

@@ -1647,7 +1655,7 @@ int totemknet_crypto_reconfigure_phase (

 			}

 			/* If crypto is enabled then disable all cleartext reception */

-			if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {

+			if (totemknet_is_crypto_enabled(instance)) {

 				res = knet_handle_crypto_rx_clear_traffic(instance->knet_handle, KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC);

 				if (res) {

 					knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_rx_clear_traffic(DISALLOW) failed %s", strerror(errno));

-- 

2.18.2