Fix TLS_AUTHENTICATION_ONLY detection The patch which added support for TLS_AUTHENTICATION_ONLY had a serious bug: auth-only TLS was always enabled, even for non-loopback connections, due to a typo in Socket::IsLoopbackConnection. This fixes the typo and also adds some trace messages in negotiation when auth-only TLS is negotiated.
I manually verified on an Impala cluster that tshark showed encrypted traffic between nodes and plaintext on the loopback interface after fixing this issue (previously I saw plaintext everywhere!) Change-Id: I76fd3bb7c64c6b831f406912852b064f9fec3d00 Reviewed-on: http://gerrit.cloudera.org:8080/5996 Tested-by: Kudu Jenkins Reviewed-by: Dan Burkert <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/kudu/repo Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/a29871f3 Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/a29871f3 Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/a29871f3 Branch: refs/heads/master Commit: a29871f306464c5ef5f586431ac6f4f1bed026ae Parents: c4b44dc Author: Todd Lipcon <[email protected]> Authored: Mon Feb 13 23:21:11 2017 -0800 Committer: Todd Lipcon <[email protected]> Committed: Tue Feb 14 18:41:38 2017 +0000
----------------------------------------------------------------------
src/kudu/rpc/client_negotiation.cc | 1 + src/kudu/rpc/server_negotiation.cc | 1 + src/kudu/util/net/socket.cc | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kudu/blob/a29871f3/src/kudu/rpc/client_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index 4319183..934b714 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -418,6 +418,7 @@ Status ClientNegotiation::HandleTlsHandshake(const NegotiatePB& response) {
 if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
 ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
+ TRACE("Negotiated auth-only TLS");
 return tls_handshake_.FinishNoWrap(*socket_);
 }
 return tls_handshake_.Finish(&socket_);
http://git-wip-us.apache.org/repos/asf/kudu/blob/a29871f3/src/kudu/rpc/server_negotiation.cc
----------------------------------------------------------------------
diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc
index 00c66e8..078acc7 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -408,6 +408,7 @@ Status ServerNegotiation::HandleTlsHandshake(const NegotiatePB& request) {
 // TLS handshake is finished.
 if (ContainsKey(server_features_, TLS_AUTHENTICATION_ONLY) &&
 ContainsKey(client_features_, TLS_AUTHENTICATION_ONLY)) {
+ TRACE("Negotiated auth-only TLS");
 return tls_handshake_.FinishNoWrap(*socket_);
 }
 return tls_handshake_.Finish(&socket_);
http://git-wip-us.apache.org/repos/asf/kudu/blob/a29871f3/src/kudu/util/net/socket.cc
----------------------------------------------------------------------
diff --git a/src/kudu/util/net/socket.cc b/src/kudu/util/net/socket.cc
index 85e858a..c0945ca 100644
--- a/src/kudu/util/net/socket.cc
+++ b/src/kudu/util/net/socket.cc
@@ -299,7 +299,7 @@ Status Socket::GetPeerAddress(Sockaddr *cur_addr) const {
 bool Socket::IsLoopbackConnection() const {
 Sockaddr local, remote;
 if (!GetSocketAddress(&local).ok()) return false;
- if (!GetSocketAddress(&remote).ok()) return false;
+ if (!GetPeerAddress(&remote).ok()) return false;
 // Compare without comparing ports.
 local.set_port(0);
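Review bot: The new TRACE fires on the branch that skips TLS record-layer wrapping (FinishNoWrap), yet nothing in this hunk records why the connection was judged local: the downgrade to plaintext is decided purely from the two advertised feature sets, so a reader cannot tell whether the client's own TLS_AUTHENTICATION_ONLY flag came from a loopback check or from configuration. A short comment above the `if` would make the invariant explicit, e.g. `// Skip encryption only when BOTH sides advertised auth-only TLS; our own flag must come from a local loopback check, never from anything the peer sent.` The remote side can always set its flag, so the safety of this branch rests entirely on how client_features_ was populated, which happens outside this hunk and which I am assuming goes through Socket::IsLoopbackConnection. ClientNegotiation::HandleTlsHandshake begins before the hunk.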
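Review bot: On the server side the trust direction is the reverse of the client: here `client_features_` is whatever the remote peer advertised, so a misconfigured or hostile client can always present TLS_AUTHENTICATION_ONLY, and the only thing preventing a plaintext downgrade across a real network is that `server_features_` was gated on this server's own loopback check for this socket (done outside the hunk; presumably via Socket::IsLoopbackConnection). That deserves a comment at the `if`, e.g. `// The client's flag is untrusted input; plaintext is only acceptable because server_features_ reflects OUR loopback check on this socket.` Consider also making the trace distinguish both outcomes (wrapped vs. unwrapped) and exposing the unwrapped count as a metric, since this path silently ran plaintext cluster-wide before this fix and a TRACE on one branch alone is easy to miss. ServerNegotiation::HandleTlsHandshake begins before the hunk.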
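Review bot: With the corrected `GetPeerAddress`, IsLoopbackConnection reports true whenever the local and peer addresses match after the ports are zeroed, which also covers a process connecting to its own non-loopback address (e.g. 10.0.0.5 -> 10.0.0.5); that traffic stays on-host under normal kernel routing, but it is broader than "on the loopback interface" and should be stated, e.g. `// "Loopback" means the same address on both ends (not just 127/8 or ::1); a self-connection via an external interface address also qualifies.` The two early `return false`s are the right fail-closed default, since an address lookup failure leaves encryption on, and a one-line comment saying so would stop someone "fixing" them later. Because the old bug (fetching the same address twice, so local always equalled remote) was invisible to every existing test, a regression test that binds the client side to a second loopback address such as 127.0.0.2 where the platform allows it and asserts the result now depends on the peer address would have caught it. The comparison itself follows `local.set_port(0);` and is not visible in the hunk as shown.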
