From: "Fabio M. Di Nitto" <fdinitto@xxxxxxxxxx>
this was another old onwire compat mode that is not useful anylonger.
we can safely move the new model by default.
According to Honza (real hardware 1 node testing) there are no
performance impact.
My tests (8 nodes VM cluster), there is up to 10/12% performance
improvements up to 1M packet size where old and new models are equal.
As a side note, nss still shows to be a performance loss on both
real and virtual hw (without any kind of nss hw acceleration).
Signed-off-by: Fabio M. Di Nitto <fdinitto@xxxxxxxxxx>
---
SECURITY | 23 ++---------
conf/lenses/corosync.aug | 1 -
conf/lenses/tests/test_corosync.aug | 2 -
cts/corotests.py | 1 -
exec/totemconfig.c | 13 +-----
exec/totemudp.c | 74 +++++++++++------------------------
exec/totemudpu.c | 74 +++++++++++------------------------
include/corosync/totem/totem.h | 1 -
8 files changed, 52 insertions(+), 137 deletions(-)
diff --git a/SECURITY b/SECURITY
index 340910e..09fb894 100644
--- a/SECURITY
+++ b/SECURITY
@@ -155,33 +155,18 @@ When a message is received (decrypt_and_authenticate):
Compatibility
-------------
-The default mode of operation is to allow for wire-compatibility with existing
-openais systems. That means that the internal encryption system is used
-and all received packets are expected to use that system. This allows a rolling
-upgrade from openais to corosync.
-
-Once all nodes in the cluster are running corosync they can be changed to allow
-the newer libnss-based encryption by setting the
-totem {
- crypto_accept: new
-}
-option in corosync.conf.
-
-This enables the new encryption system but does not switch it on. It simply
-adds a byte to the end of the packets to indicate the encryption type.
-
-Once all nodes have been upgraded and 'crypto_accept: new' has been set,
-the encryption type can be set using a single command:
+The encryption type can be changed at runtime with a single command:
# corosync-cfgtool -c1
+(0 for sober, 1 for nss)
+
This will tell all cluster nodes to start using libnss encryption. Note that
-it is possible to upgrade node individially by seetting the encryption type in
+it is possible to upgrade node individially by setting the encryption type in
corosync.conf. The last byte of the packet indicates the decryption algorithm
that the receiver should use.
Once all nodes are using libnss encryption, the option should be set in
in corosync.conf so that it takes effect at the next system reboot.
-
Comments welcome mailto:discuss@xxxxxxxxxxxx
diff --git a/conf/lenses/corosync.aug b/conf/lenses/corosync.aug
index 67abfb9..4a8317b 100644
--- a/conf/lenses/corosync.aug
+++ b/conf/lenses/corosync.aug
@@ -51,7 +51,6 @@ let totem =
|kv "vsftype" /none|ykd/
|kv "secauth" /on|off/
|kv "crypto_type" /nss|sober/
- |kv "crypto_accept" /new|old/
|kv "transport" /udp|iba/
|kv "version" Rx.integer
|kv "nodeid" Rx.integer
diff --git a/conf/lenses/tests/test_corosync.aug b/conf/lenses/tests/test_corosync.aug
index 78c87cc..f67782f 100644
--- a/conf/lenses/tests/test_corosync.aug
+++ b/conf/lenses/tests/test_corosync.aug
@@ -6,7 +6,6 @@ totem {
version: 2
secauth: off
crypto_type: nss
- crypto_accept: new
threads: 0
clear_node_high_bit: no
rrp_mode: none
@@ -81,7 +80,6 @@ test Corosync.lns get conf =
{ "version" = "2" }
{ "secauth" = "off" }
{ "crypto_type" = "nss" }
- { "crypto_accept" = "new" }
{ "threads" = "0" }
{ "clear_node_high_bit" = "no" }
{ "rrp_mode" = "none" }
diff --git a/cts/corotests.py b/cts/corotests.py
index e355ac2..f52ca3d 100644
--- a/cts/corotests.py
+++ b/cts/corotests.py
@@ -1556,7 +1556,6 @@ def CoroTestList(cm, audits):
c = ConfigContainer('pcmk_sec_nss')
c['totem/secauth'] = 'on'
- c['totem/crypto_accept'] = 'new'
c['totem/crypto_type'] = 'nss'
c['totem/token'] = 5000
c['totem/token_retransmits_before_loss_const'] = 10
diff --git a/exec/totemconfig.c b/exec/totemconfig.c
index 9434673..e53163f 100644
--- a/exec/totemconfig.c
+++ b/exec/totemconfig.c
@@ -127,14 +127,6 @@ static void totem_get_crypto_type(struct totem_config *totem_config)
{
char *str;
- totem_config->crypto_accept = TOTEM_CRYPTO_ACCEPT_OLD;
- if (icmap_get_string("totem.crypto_accept", &str) == CS_OK) {
- if (strcmp(str, "new") == 0) {
- totem_config->crypto_accept = TOTEM_CRYPTO_ACCEPT_NEW;
- }
- free(str);
- }
-
totem_config->crypto_type = TOTEM_CRYPTO_SOBER;
#ifdef HAVE_LIBNSS
@@ -148,15 +140,14 @@ static void totem_get_crypto_type(struct totem_config *totem_config)
if (icmap_get_string("totem.crypto_type", &str) == CS_OK) {
if (strcmp(str, "sober") == 0) {
- free(str);
- return;
+ totem_config->crypto_type = TOTEM_CRYPTO_SOBER;
}
#ifdef HAVE_LIBNSS
if (strcmp(str, "nss") == 0) {
totem_config->crypto_type = TOTEM_CRYPTO_NSS;
}
- free(str);
#endif
+ free(str);
}
}
diff --git a/exec/totemudp.c b/exec/totemudp.c
index a4649e5..0fe52aa 100644
--- a/exec/totemudp.c
+++ b/exec/totemudp.c
@@ -789,12 +789,13 @@ static int encrypt_and_sign_worker (
const struct iovec *iovec,
unsigned int iov_len)
{
- if (instance->totem_config->crypto_type == TOTEM_CRYPTO_SOBER ||
- instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_OLD)
+ if (instance->totem_config->crypto_type == TOTEM_CRYPTO_SOBER) {
return encrypt_and_sign_sober(instance, buf, buf_len, iovec, iov_len);
+ }
#ifdef HAVE_LIBNSS
- if (instance->totem_config->crypto_type == TOTEM_CRYPTO_NSS)
+ if (instance->totem_config->crypto_type == TOTEM_CRYPTO_NSS) {
return encrypt_and_sign_nss(instance, buf, buf_len, iovec, iov_len);
+ }
#endif
return -1;
}
@@ -814,18 +815,15 @@ static int authenticate_and_decrypt (
type = endbuf[iov[iov_len-1].iov_len-1];
iov[iov_len-1].iov_len -= 1;
- if (type == TOTEM_CRYPTO_SOBER)
+ if (type == TOTEM_CRYPTO_SOBER) {
res = authenticate_and_decrypt_sober(instance, iov, iov_len);
+ }
- /*
- * Only try higher crypto options if NEW has been requested
- */
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_NEW) {
#ifdef HAVE_LIBNSS
- if (type == TOTEM_CRYPTO_NSS)
+ if (type == TOTEM_CRYPTO_NSS) {
res = authenticate_and_decrypt_nss(instance, iov, iov_len);
-#endif
}
+#endif
/*
* If it failed, then try decrypting the whole packet
@@ -841,16 +839,7 @@ static int authenticate_and_decrypt (
static void init_crypto(
struct totemudp_instance *instance)
{
- /*
- * If we are expecting NEW crypto type then initialise all available
- * crypto options. For OLD then we only need SOBER128.
- */
-
init_sober_crypto(instance);
-
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_OLD)
- return;
-
#ifdef HAVE_LIBNSS
init_nss_crypto(instance);
#endif
@@ -864,27 +853,20 @@ int totemudp_crypto_set (
int res = 0;
/*
- * Can't set crypto type if OLD is selected
+ * Validate crypto algorithm
*/
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_OLD) {
- res = -1;
- } else {
- /*
- * Validate crypto algorithm
- */
- switch (type) {
- case TOTEM_CRYPTO_SOBER:
- log_printf(instance->totemudp_log_level_security,
- "Transmit security set to: libtomcrypt SOBER128/SHA1HMAC (mode 0)");
- break;
- case TOTEM_CRYPTO_NSS:
- log_printf(instance->totemudp_log_level_security,
- "Transmit security set to: NSS AES128CBC/SHA1HMAC (mode 1)");
- break;
- default:
- res = -1;
- break;
- }
+ switch (type) {
+ case TOTEM_CRYPTO_SOBER:
+ log_printf(instance->totemudp_log_level_security,
+ "Transmit security set to: libtomcrypt SOBER128/SHA1HMAC (mode 0)");
+ break;
+ case TOTEM_CRYPTO_NSS:
+ log_printf(instance->totemudp_log_level_security,
+ "Transmit security set to: NSS AES128CBC/SHA1HMAC (mode 1)");
+ break;
+ default:
+ res = -1;
+ break;
}
return (res);
@@ -925,12 +907,7 @@ static inline void ucast_sendmsg (
iovec_encrypt,
2);
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_NEW) {
- encrypt_data[buf_len++] = instance->totem_config->crypto_type;
- }
- else {
- encrypt_data[buf_len++] = 0;
- }
+ encrypt_data[buf_len++] = instance->totem_config->crypto_type;
iovec_encrypt[0].iov_base = (void *)encrypt_data;
iovec_encrypt[0].iov_len = buf_len;
@@ -1008,12 +985,7 @@ static inline void mcast_sendmsg (
iovec_encrypt,
2);
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_NEW) {
- encrypt_data[buf_len++] = instance->totem_config->crypto_type;
- }
- else {
- encrypt_data[buf_len++] = 0;
- }
+ encrypt_data[buf_len++] = instance->totem_config->crypto_type;
iovec_encrypt[0].iov_base = (void *)encrypt_data;
iovec_encrypt[0].iov_len = buf_len;
diff --git a/exec/totemudpu.c b/exec/totemudpu.c
index 37028fb..250921e 100644
--- a/exec/totemudpu.c
+++ b/exec/totemudpu.c
@@ -771,12 +771,13 @@ static int encrypt_and_sign_worker (
const struct iovec *iovec,
unsigned int iov_len)
{
- if (instance->totem_config->crypto_type == TOTEM_CRYPTO_SOBER ||
- instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_OLD)
+ if (instance->totem_config->crypto_type == TOTEM_CRYPTO_SOBER) {
return encrypt_and_sign_sober(instance, buf, buf_len, iovec, iov_len);
+ }
#ifdef HAVE_LIBNSS
- if (instance->totem_config->crypto_type == TOTEM_CRYPTO_NSS)
+ if (instance->totem_config->crypto_type == TOTEM_CRYPTO_NSS) {
return encrypt_and_sign_nss(instance, buf, buf_len, iovec, iov_len);
+ }
#endif
return -1;
}
@@ -796,18 +797,15 @@ static int authenticate_and_decrypt (
type = endbuf[iov[iov_len-1].iov_len-1];
iov[iov_len-1].iov_len -= 1;
- if (type == TOTEM_CRYPTO_SOBER)
+ if (type == TOTEM_CRYPTO_SOBER) {
res = authenticate_and_decrypt_sober(instance, iov, iov_len);
+ }
- /*
- * Only try higher crypto options if NEW has been requested
- */
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_NEW) {
#ifdef HAVE_LIBNSS
- if (type == TOTEM_CRYPTO_NSS)
+ if (type == TOTEM_CRYPTO_NSS) {
res = authenticate_and_decrypt_nss(instance, iov, iov_len);
-#endif
}
+#endif
/*
* If it failed, then try decrypting the whole packet
@@ -823,16 +821,7 @@ static int authenticate_and_decrypt (
static void init_crypto(
struct totemudpu_instance *instance)
{
- /*
- * If we are expecting NEW crypto type then initialise all available
- * crypto options. For OLD then we only need SOBER128.
- */
-
init_sober_crypto(instance);
-
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_OLD)
- return;
-
#ifdef HAVE_LIBNSS
init_nss_crypto(instance);
#endif
@@ -846,27 +835,20 @@ int totemudpu_crypto_set (
int res = 0;
/*
- * Can't set crypto type if OLD is selected
+ * Validate crypto algorithm
*/
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_OLD) {
- res = -1;
- } else {
- /*
- * Validate crypto algorithm
- */
- switch (type) {
- case TOTEM_CRYPTO_SOBER:
- log_printf(instance->totemudpu_log_level_security,
- "Transmit security set to: libtomcrypt SOBER128/SHA1HMAC (mode 0)");
- break;
- case TOTEM_CRYPTO_NSS:
- log_printf(instance->totemudpu_log_level_security,
- "Transmit security set to: NSS AES128CBC/SHA1HMAC (mode 1)");
- break;
- default:
- res = -1;
- break;
- }
+ switch (type) {
+ case TOTEM_CRYPTO_SOBER:
+ log_printf(instance->totemudpu_log_level_security,
+ "Transmit security set to: libtomcrypt SOBER128/SHA1HMAC (mode 0)");
+ break;
+ case TOTEM_CRYPTO_NSS:
+ log_printf(instance->totemudpu_log_level_security,
+ "Transmit security set to: NSS AES128CBC/SHA1HMAC (mode 1)");
+ break;
+ default:
+ res = -1;
+ break;
}
return (res);
@@ -907,12 +889,7 @@ static inline void ucast_sendmsg (
iovec_encrypt,
2);
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_NEW) {
- encrypt_data[buf_len++] = instance->totem_config->crypto_type;
- }
- else {
- encrypt_data[buf_len++] = 0;
- }
+ encrypt_data[buf_len++] = instance->totem_config->crypto_type;
iovec_encrypt[0].iov_base = (void *)encrypt_data;
iovec_encrypt[0].iov_len = buf_len;
@@ -990,12 +967,7 @@ static inline void mcast_sendmsg (
iovec_encrypt,
2);
- if (instance->totem_config->crypto_accept == TOTEM_CRYPTO_ACCEPT_NEW) {
- encrypt_data[buf_len++] = instance->totem_config->crypto_type;
- }
- else {
- encrypt_data[buf_len++] = 0;
- }
+ encrypt_data[buf_len++] = instance->totem_config->crypto_type;
iovec_encrypt[0].iov_base = (void *)encrypt_data;
iovec_encrypt[0].iov_len = buf_len;
diff --git a/include/corosync/totem/totem.h b/include/corosync/totem/totem.h
index 343b2c3..a9cb1f3 100644
--- a/include/corosync/totem/totem.h
+++ b/include/corosync/totem/totem.h
@@ -170,7 +170,6 @@ struct totem_config {
unsigned int broadcast_use;
enum { TOTEM_CRYPTO_SOBER=0, TOTEM_CRYPTO_NSS } crypto_type;
- enum { TOTEM_CRYPTO_ACCEPT_OLD=0, TOTEM_CRYPTO_ACCEPT_NEW } crypto_accept;
int crypto_crypt_type;
int crypto_sign_type;
--
1.7.7.6
_______________________________________________
discuss mailing list
discuss@xxxxxxxxxxxx
http://lists.corosync.org/mailman/listinfo/discuss
