From patchwork Wed Jan 16 21:51:59 2013
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 213070
From: Chuck Lever
To: fedfs-utils-devel@oss.oracle.com
Date: Wed, 16 Jan 2013 16:51:59 -0500
Message-ID: <20130116215159.21683.16689.stgit@seurat.1015granger.net>
In-Reply-To: <20130116214757.21683.47697.stgit@seurat.1015granger.net>
References: <20130116214757.21683.47697.stgit@seurat.1015granger.net>
User-Agent: StGIT/0.14.3
Subject: [fedfs-utils] [PATCH 02/11] libnsdb: Add API for retrieving certificate data
Reply-To: fedfs-utils Developers
List-Id: fedfs-utils Developers

We're about to optimize nsdb_lookup_nsdb() for the common case, which is the case that does not need to retrieve any security data. In fact, right now, there is only a single caller of nsdb_lookup_nsdb() that needs this data. Introduce a separate API for retrieving certificate data for an already-initialized nsdb_t object.
Signed-off-by: Chuck Lever --- src/fedfsd/svc.c | 36 +++++++++++++++++++-------- src/include/nsdb.h | 6 ++++ src/libnsdb/Makefile.am | 4 +-- src/libnsdb/connsec.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 96 insertions(+), 13 deletions(-) create mode 100644 src/libnsdb/connsec.c diff --git a/src/fedfsd/svc.c b/src/fedfsd/svc.c index 9132177..a384f32 100644 --- a/src/fedfsd/svc.c +++ b/src/fedfsd/svc.c @@ -1021,11 +1021,12 @@ static void fedfsd_svc_get_nsdb_params_1(SVCXPRT *xprt) { FedFsGetNsdbParamsRes result; - struct fedfs_secdata secdata; + FedFsNsdbParams *params = &result.FedFsGetNsdbParamsRes_u.params; + FedFsConnectionSec type; char *hostname = NULL; unsigned short port; FedFsNsdbName args; - nsdb_t host; + nsdb_t host = NULL; memset(&args, 0, sizeof(args)); if (!svc_getargs(xprt, (xdrproc_t)xdr_FedFsNsdbName, (caddr_t)&args)) { @@ -1040,14 +1041,27 @@ fedfsd_svc_get_nsdb_params_1(SVCXPRT *xprt) if (result.status != FEDFS_OK) goto out; - result.status = nsdb_lookup_nsdb(hostname, port, &host, &secdata); - if (result.status == FEDFS_OK) { - FedFsNsdbParams *params = &result.FedFsGetNsdbParamsRes_u.params; - params->secType = (FedFsConnectionSec)secdata.type; - params->FedFsNsdbParams_u.secData.secData_len = - secdata.len; - params->FedFsNsdbParams_u.secData.secData_val = - secdata.data; + result.status = nsdb_lookup_nsdb(hostname, port, &host, NULL); + if (result.status != FEDFS_OK) + goto out; + + type = nsdb_sectype(host); + switch (type) { + case FEDFS_SEC_NONE: + result.status = FEDFS_OK; + params->secType = type; + break; + case FEDFS_SEC_TLS: + result.status = nsdb_connsec_get_cert_data(host, + ¶ms->FedFsNsdbParams_u.secData.secData_val, + ¶ms->FedFsNsdbParams_u.secData.secData_len); + if (result.status == FEDFS_OK) + params->secType = type; + break; + default: + result.status = FEDFS_ERR_SVRFAULT; + xlog(L_WARNING, "Unrecognized NSDB connection security " + "type for %s:%u", hostname, port); } out: 
@@ -1062,9 +1076,9 @@ out: if (!svc_freeargs(xprt, (xdrproc_t)xdr_FedFsNsdbName, (caddr_t)&args)) xlog(L_WARNING, "Failed to free GET_NSDB_PARAMS arguments"); + free(params->FedFsNsdbParams_u.secData.secData_val); nsdb_free_nsdb(host); free(hostname); - free(secdata.data); } /** diff --git a/src/include/nsdb.h b/src/include/nsdb.h index 2612263..bcf9432 100644 --- a/src/include/nsdb.h +++ b/src/include/nsdb.h @@ -186,6 +186,12 @@ FedFsStatus nsdb_lookup_nsdb(const char *hostname, FedFsStatus nsdb_lookup_nsdb_by_uri(const char *uri, nsdb_t *host); /** + * Retrieve NSDB certificate data for "host" + */ +FedFsStatus nsdb_connsec_get_cert_data(nsdb_t host, + char **data, unsigned int *len); + +/** * Update stored connection parameters for an NSDB */ FedFsStatus nsdb_update_nsdb(const char *hostname, diff --git a/src/libnsdb/Makefile.am b/src/libnsdb/Makefile.am index cd7805b..13dc0b3 100644 --- a/src/libnsdb/Makefile.am +++ b/src/libnsdb/Makefile.am @@ -26,8 +26,8 @@ noinst_HEADERS = nsdb-internal.h noinst_LTLIBRARIES = libnsdb.la -libnsdb_la_SOURCES = administrator.c annotation.c display.c fileserver.c \ - ldap.c nsdb.c path.c sqlite.c +libnsdb_la_SOURCES = administrator.c annotation.c connsec.c display.c \ + fileserver.c ldap.c nsdb.c path.c sqlite.c CLEANFILES = cscope.in.out cscope.out cscope.po.out *~ DISTCLEANFILES = Makefile.in diff --git a/src/libnsdb/connsec.c b/src/libnsdb/connsec.c new file mode 100644 index 0000000..fb708cb --- /dev/null +++ b/src/libnsdb/connsec.c 
@@ -0,0 +1,63 @@ +/** + * @file src/libnsdb/connsec.c + * @brief Handle security-related NSDB connection parameters + */ + +/* + * Copyright 2012 Oracle. All rights reserved. + * + * This file is part of fedfs-utils. + * + * fedfs-utils is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2.0 as + * published by the Free Software Foundation. + * + * fedfs-utils is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License version 2.0 for more details. + * + * You should have received a copy of the GNU General Public License + * version 2.0 along with fedfs-utils. If not, see: + * + * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt + */ + +#include "fedfs.h" +#include "nsdb.h" +#include "nsdb-internal.h" +#include "xlog.h" + +/** + * Retrieve certificate data for NSDB "host" from NSDB database + * + * @param host an initialized nsdb_t object + * @param data OUT: buffer containing security data + * @param len OUT: length of security data buffer + * @return a FedFsStatus code + * + * On success, FEDFS_OK is returned and the security data is filled in. + * + * Caller must free the returned buffer with free(3). + */ +FedFsStatus +nsdb_connsec_get_cert_data(nsdb_t host, char **data, unsigned int *len) +{ + FedFsStatus retval; + + if (data == NULL || len == NULL) + return FEDFS_ERR_INVAL; + + switch (nsdb_sectype(host)) { + case FEDFS_SEC_NONE: + retval = FEDFS_ERR_INVAL; + break; + case FEDFS_SEC_TLS: + retval = nsdb_read_certfile(nsdb_certfile(host), data, len); + break; + default: + retval = FEDFS_ERR_SVRFAULT; + } + + return retval; +}
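Review bot: in the first src/fedfsd/svc.c hunk, `host` is now initialized to NULL so the early `goto out` paths can call nsdb_free_nsdb() safely, but `result`, which the new `params` pointer points into, gets no equivalent initialization, and the cleanup at out: in this same patch frees `params->FedFsNsdbParams_u.secData.secData_val`. Unless `result` is zeroed somewhere outside the hunk, suggest adding `memset(&result, 0, sizeof(result));` beside the existing `memset(&args, 0, sizeof(args));` so secData_val starts as NULL on every path.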
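Review bot: in the switch added by the second src/fedfsd/svc.c hunk, `result.status = FEDFS_OK;` in the FEDFS_SEC_NONE case is redundant, since the switch is only reached after nsdb_lookup_nsdb() returned FEDFS_OK; dropping it leaves the case as just `params->secType = type;`. The default case logs the unrecognized type, but a failure of nsdb_connsec_get_cert_data() in the FEDFS_SEC_TLS case is returned silently; an xlog() there with hostname and port would make a missing or unreadable certificate file diagnosable on the server side. (The `¶ms->` in this hunk reads as `&params->` after HTML entity decoding of `&para`; the intended expression is `&params->FedFsNsdbParams_u.secData.secData_val`.)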
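Review bot: the `free(params->FedFsNsdbParams_u.secData.secData_val);` added at out: in the third src/fedfsd/svc.c hunk runs on every exit, including the FEDFS_SEC_NONE case and the early `goto out` paths, where nothing in this patch assigns secData_val, so it depends on `result` having been zeroed before the label is reached, which the visible hunks do not show. If it is not, either zero `result` at the top of the function or guard the call with `if (result.status == FEDFS_OK && type == FEDFS_SEC_TLS)`. Freeing before nsdb_free_nsdb(host) is otherwise fine: the buffer is the one nsdb_read_certfile() allocates and the connsec.c comment says the caller releases it with free(3).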
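Review bot: the comment on the new prototype in src/include/nsdb.h, "Retrieve NSDB certificate data for "host"", omits the two things a caller needs to know: that on success `*data` is a heap buffer the caller must release with free(3) (the connsec.c implementation states this in its own comment, but API users read the header), and that the call returns FEDFS_ERR_INVAL when nsdb_sectype(host) is FEDFS_SEC_NONE, so callers are expected to check the connection security type first, as the svc.c caller does. Suggest carrying both statements into the public header.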
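Review bot: nsdb_connsec_get_cert_data() in src/libnsdb/connsec.c validates `data` and `len` but not `host`, which it passes straight to nsdb_sectype(host) and nsdb_certfile(host); suggest `if (host == NULL || data == NULL || len == NULL) return FEDFS_ERR_INVAL;`. On the FEDFS_ERR_INVAL and FEDFS_ERR_SVRFAULT paths `*data` and `*len` are left untouched; setting `*data = NULL; *len = 0;` before the switch would let callers such as the fedfsd out: label free `*data` unconditionally without relying on their own initialization. The function comment also says the data is retrieved "from NSDB database", but the body reads it from the file named by nsdb_certfile(host); the comment should say that, since it tells a reviewer which filesystem object the daemon exposes to its RPC clients.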