From 4a2f48b17b06638d3d3adcae683aff1639351434 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Tue, 10 Nov 2020 18:10:17 +0100
Subject: [PATCH] totemknet: Check both cipher and hash for crypto

Previously only crypto cipher was used as a way to find out if crypto is
enabled or disabled.

This usually works until the cipher is set to none and the hash to some
other value (like sha1). Such a config is perfectly valid, but it was not
handled correctly.

As a solution, check both cipher and hash.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Fabio M. Di Nitto <fdinitto@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
 exec/totemknet.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/exec/totemknet.c b/exec/totemknet.c
index c6a1649d..0834e8e4 100644
--- a/exec/totemknet.c
+++ b/exec/totemknet.c
@@ -905,6 +905,14 @@ static void totemknet_add_config_notifications(struct totemknet_instance *instan
 	LEAVE();
 }
 
+static int totemknet_is_crypto_enabled(const struct totemknet_instance *instance)
+{
+
+	return (!(strcmp(instance->totem_config->crypto_cipher_type, "none") == 0 &&
+	    strcmp(instance->totem_config->crypto_hash_type, "none") == 0));
+
+}
+
 static int totemknet_set_knet_crypto(struct totemknet_instance *instance)
 {
 	struct knet_handle_crypto_cfg crypto_cfg;
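Review bot: totemknet_is_crypto_enabled() has no comment stating the rule it now defines for every call site in this patch: crypto counts as enabled unless both crypto_cipher_type and crypto_hash_type are exactly "none", so a hash-only configuration is treated as enabled. I would add `/* Crypto is enabled unless both cipher and hash are "none"; a hash-only config (authenticated but unencrypted) counts as enabled. */` above the function. Because the comparison is an exact strcmp(), any other spelling also counts as enabled, which fails closed; presumably the values are validated by the config parser, which is not visible here. As a style point, the negated conjunction reads more directly as `return (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0 ||` `strcmp(instance->totem_config->crypto_hash_type, "none") != 0);`, and the two blank lines inside the body can be dropped.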
@@ -927,7 +935,7 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance)
 		);
 
 	/* If crypto is being disabled we need to explicitly allow cleartext traffic in knet */
-	if (strcmp(instance->totem_config->crypto_cipher_type, "none") == 0) {
+	if (!totemknet_is_crypto_enabled(instance)) {
 		res = knet_handle_crypto_rx_clear_traffic(instance->knet_handle, KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC);
 		if (res) {
 			knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_rx_clear_traffic(ALLOW) failed %s", strerror(errno));
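Review bot: In the branch guarded by `!totemknet_is_crypto_enabled(instance)`, the only log call visible is the error path, so a successful switch to accepting cleartext traffic leaves no trace in the lines shown. Since this is the point where the node starts accepting unauthenticated packets, a message at default verbosity would help operators spot an unintended `none`/`none` configuration, for example `knet_log_printf(LOGSYS_LEVEL_NOTICE, "knet crypto disabled, cleartext traffic allowed");` after the call succeeds. The function body starts and ends outside the hunk, so such a message may already exist elsewhere.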
@@ -1108,7 +1116,7 @@ int totemknet_initialize (
 
 	/* Enable crypto if requested */
 #ifdef HAVE_KNET_CRYPTO_RECONF
-	if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {
+	if (totemknet_is_crypto_enabled(instance)) {
 	        res = totemknet_set_knet_crypto(instance);
 		if (res == 0) {
 			res = knet_handle_crypto_use_config(instance->knet_handle, totem_config->crypto_index);
@@ -1134,7 +1142,7 @@ int totemknet_initialize (
 		}
 	}
 #else
-	if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {
+	if (totemknet_is_crypto_enabled(instance)) {
 		res = totemknet_set_knet_crypto(instance);
 		if (res) {
 			knet_log_printf(LOG_DEBUG, "Failed to set up knet crypto");
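Review bot: The failure branch under the new `totemknet_is_crypto_enabled(instance)` check in the `#else` path reports "Failed to set up knet crypto" at `LOG_DEBUG`, while the other crypto failures visible in this patch are logged at `LOGSYS_LEVEL_ERROR`. With hash-only configurations now reaching this call, a failed crypto setup should be visible at default log levels: `knet_log_printf(LOGSYS_LEVEL_ERROR, "Failed to set up knet crypto");`. That line is unchanged context and what follows it is outside the hunk, so this may be better as a follow-up change.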
@@ -1616,7 +1624,7 @@ int totemknet_crypto_reconfigure_phase (
 	switch (phase) {
 		case CRYPTO_RECONFIG_PHASE_ACTIVATE:
 			config_to_use = totem_config->crypto_index;
-			if (strcmp(instance->totem_config->crypto_cipher_type, "none") == 0) {
+			if (!totemknet_is_crypto_enabled(instance)) {
 				config_to_use = 0; /* we are clearing it */
 			}
 
@@ -1647,7 +1655,7 @@ int totemknet_crypto_reconfigure_phase (
 			}
 
 			/* If crypto is enabled then disable all cleartext reception */
-			if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {
+			if (totemknet_is_crypto_enabled(instance)) {
 				res = knet_handle_crypto_rx_clear_traffic(instance->knet_handle, KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC);
 				if (res) {
 					knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_rx_clear_traffic(DISALLOW) failed %s", strerror(errno));
-- 
2.18.2