Hi,
These patchs add a transport encryption mechanism and two transport
encryption translators. It is hooked in the core transport code, and
need some modification of transports (socket, ipverb) to conserve the
data structure. This may be cleaned later.
There also some modification in protocol to add crypto xlator private data
(crytpo type + private data in fact). For example the way NaCl work make
us add the nonce and some data in gf_hdr_common_t (inside gf_ndr_nacl_t)
A "transport.crypto.type" option is added in protocol/client and
protocol/server to choose the crypto xlator.
The nacl transport have been used in production, and can be considered
as stable. nacl adds an "transport.crypto.passphrase" option to setup
the passphrase wich is shared between each servers and clients.
NaCl
Here is a small howto to install and build nacl so it can be linked
to a shared library:
Before building the glusterfs package, you need to install nacl correctly.
wget http://hyperelliptic.org/nacl/nacl-20090405.tar.bz2
bunzip2 < nacl-20090405.tar.bz2 | tar -xf -
cd nacl-20090405
* On x86:
emacs okcompilers/c
gcc -m32 -O2 -fPIC -march=i686
* On amd64:
emacs okcompilers/c
gcc -m64 -O2 -fPIC
mv crypto_onetimeauth/poly1305/amd64/constants.s crypto_onetimeauth/poly1305/amd64/constants.s.bak
mv crypto_onetimeauth/poly1305/amd64/auth.s crypto_onetimeauth/poly1305/amd64/auth.s.bak
cat crypto_onetimeauth/poly1305/amd64/constants.s.bak | grep -v globl > crypto_onetimeauth/poly1305/amd64/auth.s
cat crypto_onetimeauth/poly1305/amd64/auth.s.bak >> crypto_onetimeauth/poly1305/amd64/auth.s
Then
./do
sudo cp -r build/localhost/lib/* /usr/lib/
sudo cp -r build/localhost/include/* /usr/include/
Now, ./configure should detect nacl and enable it.
You can still explicitly disable it using --disable-nacl
Corentin Chary (10):
transport/encryption: add infrastructure
transport/encryption: add directory and base Makefile.am
transport/encryption: add rot-13 demo
transport/encryption: keep xlator reference
transport/encryption: pass transport_crypto_t instead of transport_t
libglusterfs: add iov_load function
transport/encryption: add NaCl encryptor
transport/ib-verbs: add missing buflen_p parameter
libglusterfs: add iov_link
transport/encryption: fix encryption when used with afr
configure.ac | 69 ++++++-
libglusterfs/src/Makefile.am | 2 +-
libglusterfs/src/common-utils.h | 24 ++-
libglusterfs/src/protocol.h | 10 +
libglusterfs/src/transport.c | 293 +++++++++++++++++++------
libglusterfs/src/transport.h | 25 ++-
transport/Makefile.am | 4 +-
transport/encryption/Makefile.am | 3 +
transport/encryption/nacl/Makefile.am | 1 +
transport/encryption/nacl/src/Makefile.am | 16 ++
transport/encryption/nacl/src/nacl.c | 275 +++++++++++++++++++++++
transport/encryption/nacl/src/nacl.h | 39 ++++
transport/encryption/rot-13c/Makefile.am | 1 +
transport/encryption/rot-13c/src/Makefile.am | 14 ++
transport/encryption/rot-13c/src/rot-13c.c | 106 +++++++++
transport/encryption/rot-13c/src/rot-13c.h | 30 +++
transport/ib-verbs/src/ib-verbs.c | 5 +-
transport/socket/src/socket.c | 6 +-
xlators/protocol/client/src/client-protocol.c | 3 +
xlators/protocol/server/src/server-protocol.c | 3 +
20 files changed, 849 insertions(+), 80 deletions(-)
create mode 100644 transport/encryption/Makefile.am
create mode 100644 transport/encryption/nacl/Makefile.am
create mode 100644 transport/encryption/nacl/src/Makefile.am
create mode 100644 transport/encryption/nacl/src/nacl.c
create mode 100644 transport/encryption/nacl/src/nacl.h
create mode 100644 transport/encryption/rot-13c/Makefile.am
create mode 100644 transport/encryption/rot-13c/src/Makefile.am
create mode 100644 transport/encryption/rot-13c/src/rot-13c.c
create mode 100644 transport/encryption/rot-13c/src/rot-13c.h
