Make knet_handle_* call compliant to documented API

allow knet_handle_crypto to be invoked at runtime

Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>

libknet/handle.c

@@ -551,26 +551,76 @@ int knet_handle_enable_filter(knet_handle_t knet_h,
 					uint16_t *dst_host_ids,
 					size_t *dst_host_ids_entries))
 {
+	int savederrno = 0;
+
+	if (!knet_h) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (pthread_rwlock_wrlock(&knet_h->list_rwlock)) {
+		savederrno = errno;
+		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+			strerror(savederrno));
+		return -1;
+	}
+
 	knet_h->dst_host_filter_fn = dst_host_filter_fn;
 	if (knet_h->dst_host_filter_fn) {
 		log_debug(knet_h, KNET_SUB_HANDLE, "dst_host_filter_fn enabled");
 	} else {
 		log_debug(knet_h, KNET_SUB_HANDLE, "dst_host_filter_fn disabled");
 	}
+
+	pthread_rwlock_unlock(&knet_h->list_rwlock);
+
 	return 0;
 }
 
-int knet_handle_setfwd(knet_handle_t knet_h, int enabled)
+int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled)
 {
-	knet_h->enabled = (enabled == 1) ? 1 : 0;
+	int savederrno = 0;
+
+	if (!knet_h) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (pthread_rwlock_wrlock(&knet_h->list_rwlock)) {
+		savederrno = errno;
+		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+			strerror(savederrno));
+		return -1;
+	}
+
+	if (enabled) {
+		knet_h->enabled = 1;
+		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is enabled");
+	} else {
+		knet_h->enabled = 0;
+		log_debug(knet_h, KNET_SUB_HANDLE, "Data forwarding is disabled");
+	}
+
+	pthread_rwlock_unlock(&knet_h->list_rwlock);
 
 	return 0;
 }
 
 int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet_handle_crypto_cfg)
 {
-	if (knet_h->enabled) {
-		log_err(knet_h, KNET_SUB_CRYPTO, "Cannot enable crypto while forwarding is enabled");
+	int savederrno = 0;
+	int err;
+
+	if ((!knet_h) || (!knet_handle_crypto_cfg)) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (pthread_rwlock_wrlock(&knet_h->list_rwlock)) {
+		savederrno = errno;
+		log_err(knet_h, KNET_SUB_HANDLE, "Unable to get write lock: %s",
+			strerror(savederrno));
+		errno = savederrno;
 		return -1;
 	}
 
@@ -580,8 +630,17 @@ int knet_handle_crypto(knet_handle_t knet_h, struct knet_handle_crypto_cfg *knet
 	    ((!strncmp("none", knet_handle_crypto_cfg->crypto_cipher_type, 4)) &&
 	     (!strncmp("none", knet_handle_crypto_cfg->crypto_hash_type, 4)))) {
 		log_debug(knet_h, KNET_SUB_CRYPTO, "crypto is not enabled");
-		return 0;
+		err = 0;
+		goto exit_unlock;
+	}
+
+	err = crypto_init(knet_h, knet_handle_crypto_cfg);
+
+	if (err) {
+		err = -2;
 	}
 
-	return crypto_init(knet_h, knet_handle_crypto_cfg);
+exit_unlock:
+	pthread_rwlock_unlock(&knet_h->list_rwlock);
+	return err;
 }

libknet/libknet.h

@@ -158,12 +158,10 @@ int knet_handle_enable_filter(knet_handle_t knet_h,
  * 0 on success
  * -1 on error and errno is set.
  *
- * Some special config operations, such as enable/disable crypto, requires
- * data forwarding to be disabled.
  * By default data forwarding is off.
  */
 
-int knet_handle_setfwd(knet_handle_t knet_h, int enabled);
+int knet_handle_setfwd(knet_handle_t knet_h, unsigned int enabled);
 
 /*
  * knet_handle_crypto
@@ -202,19 +200,26 @@ int knet_handle_setfwd(knet_handle_t knet_h, int enabled);
  *   to processed.
  * - enabling crypto might reduce the overall throughtput
  *   due to crypto data overhead.
- * - re-keying is not implemented yet. Current workaround is:
- *   - disable data forward
- *   - issue a new crypto config
- *   - enable data forward
+ * - re-keying is not implemented yet.
  * - private/public key encryption/hashing is not currently
  *   planned.
  * - crypto key must be the same for all hosts in the same
  *   knet instance.
+ * - it is safe to call knet_handle_crypto multiple times at runtime.
+ *   The last config will be used.
+ *   IMPORTANT: a call to knet_handle_crypto can fail due:
+ *              1) obtain locking to change config
+ *              2) errors to initializes the crypto level.
+ *   This can happen even in subsequent calls to knet_handle_crypto.
+ *   A failure in crypto init, might leave your traffic unencrypted!
+ *   It's best to stop data forwarding (see above), change crypto config,
+ *   start forward again.
  *
  * knet_handle_crypto returns:
  *
  * 0 on success
- * -1 on error and errno is set.
+ * -1 on locking error and errno is set.
+ * -2 on crypto initialization error. No errno is provided at the moment.
  */
 
 #define KNET_MIN_KEY_LEN 1024

libknet/ping_test.c

@@ -210,6 +210,7 @@ int main(int argc, char *argv[])
 	int logpipefd[2];
 	uint16_t host_ids[KNET_MAX_HOST];
 	size_t host_ids_entries = 0;
+	int has_crypto = 0;
 
 	if (argc < 3) {
 		print_usage(argv[0]);
@@ -247,6 +248,7 @@ int main(int argc, char *argv[])
 			printf("Unable to init crypto\n");
 			exit(EXIT_FAILURE);
 		}
+		has_crypto = 1;
 	} else {
 		printf("Crypto not activated\n");
 	}
@@ -287,6 +289,14 @@ int main(int argc, char *argv[])
 		} else if (FD_ISSET(knet_sock[1], &rfds)) {
 			len = read(knet_sock[1], buff, sizeof(buff));
 			printf("Received data (%zu bytes): '%s'\n", len, buff);
+			if (has_crypto) {
+				printf("changing crypto key\n");
+				memset(knet_handle_crypto_cfg.private_key, has_crypto, KNET_MAX_KEY_LEN);
+				if (knet_handle_crypto(knet_h, &knet_handle_crypto_cfg)) {
+					printf("Unable to change key on the fly\n");
+					has_crypto++;
+				}
+			}
 		} else if (FD_ISSET(logpipefd[0], &rfds)) {
 			struct knet_log_msg msg;
 			size_t bytes_read = 0;

libknet/threads.c

@@ -33,7 +33,7 @@
 
 static void _handle_tap_to_links(knet_handle_t knet_h, int sockfd)
 {
-	ssize_t inlen, len, outlen;
+	ssize_t inlen = 0, len, outlen;
 	struct knet_host *dst_host;
 	int link_idx;
 	uint16_t dst_host_ids[KNET_MAX_HOST];
@@ -42,20 +42,25 @@ static void _handle_tap_to_links(knet_handle_t knet_h, int sockfd)
 	unsigned char *outbuf = (unsigned char *)knet_h->tap_to_links_buf;
 	struct knet_hinfo_data *knet_hinfo_data;
 
+	if (pthread_rwlock_rdlock(&knet_h->list_rwlock) != 0) {
+		log_debug(knet_h, KNET_SUB_TAP_T, "Unable to get read lock");
+		goto host_unlock;
+	}
+
 	inlen = read(sockfd, knet_h->tap_to_links_buf->kf_data, KNET_MAX_PACKET_SIZE);
 
 	if (inlen == 0) {
 		log_err(knet_h, KNET_SUB_TAP_T, "Unrecoverable error! Got 0 bytes from tap device!");
 		/* TODO: disconnection, should never happen! */
-		goto host_unlock;
+		goto out_unlock;
 	}
 
 	outlen = len = inlen + KNET_FRAME_SIZE + sizeof(seq_num_t);
 
 	if ((knet_h->enabled != 1) &&
 	    (knet_h->tap_to_links_buf->kf_type != KNET_FRAME_HOST_INFO)) { /* data forward is disabled */
 		log_debug(knet_h, KNET_SUB_TAP_T, "Received data packet but forwarding is disabled");
-		goto host_unlock;
+		goto out_unlock;
 	}
 
 	switch(knet_h->tap_to_links_buf->kf_type) {
@@ -69,12 +74,12 @@ static void _handle_tap_to_links(knet_handle_t knet_h, int sockfd)
 						&dst_host_ids_entries);
 				if (bcast < 0) {
 					log_debug(knet_h, KNET_SUB_TAP_T, "Error from dst_host_filter_fn: %d", bcast);
-					goto host_unlock;
+					goto out_unlock;
 				}
 
 				if ((!bcast) && (!dst_host_ids_entries)) {
 					log_debug(knet_h, KNET_SUB_TAP_T, "Message is unicast but no dst_host_ids_entries");
-					goto host_unlock;
+					goto out_unlock;
 				}
 			}
 			break;
@@ -88,15 +93,10 @@ static void _handle_tap_to_links(knet_handle_t knet_h, int sockfd)
 			break;
 		default:
 			log_warn(knet_h, KNET_SUB_TAP_T, "Receiving unknown messages from tap");
-			goto host_unlock;
+			goto out_unlock;
 			break;
 	}
 
-	if (pthread_rwlock_rdlock(&knet_h->list_rwlock) != 0) {
-		log_debug(knet_h, KNET_SUB_TAP_T, "Unable to get read lock");
-		goto host_unlock;
-	}
-
 	if (!bcast) {
 		int host_idx;
 
@@ -177,7 +177,7 @@ static void _handle_tap_to_links(knet_handle_t knet_h, int sockfd)
 	pthread_rwlock_unlock(&knet_h->list_rwlock);
 
 host_unlock:
-	if (knet_h->tap_to_links_buf->kf_type == KNET_FRAME_HOST_INFO) {
+	if ((inlen > 0) && (knet_h->tap_to_links_buf->kf_type == KNET_FRAME_HOST_INFO)) {
 		if (pthread_mutex_lock(&knet_h->host_mutex) != 0)
 			log_debug(knet_h, KNET_SUB_TAP_T, "Unable to get mutex lock");
 		pthread_cond_signal(&knet_h->host_cond);