Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek wrote:
> On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote:
> > On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> > > Jakub Hrozek jhro...@redhat.com wrote:
> > > > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > > > Jakub Hrozek jhro...@redhat.com wrote:
> > > > > > Hi,
> > > > > > attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
> > > > > >
> > > > > > Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
> > > > > >
> > > > > > Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
> > > > > >
> > > > > > Thank you,
> > > > > > Jakub
> > > > >
> > > > > The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
> > > > >
> > > > > ACK
> > > > > Jan
> > > >
> > > > Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually.
> > >
> > > Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.
> > >
> > > Jan
> >
> > One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.
>
> and now with the patch attached.

ack, pushed to master

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> Jakub Hrozek jhro...@redhat.com wrote:
> > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > Jakub Hrozek jhro...@redhat.com wrote:
> > > > Hi,
> > > > attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
> > > >
> > > > Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
> > > >
> > > > Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
> > > >
> > > > Thank you,
> > > > Jakub
> > >
> > > The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
> > >
> > > ACK
> > > Jan
> >
> > Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually.
>
> Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.
>
> Jan

One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
On Thu, Feb 17, 2011 at 08:25:37PM +0100, Jakub Hrozek wrote:
> On Wed, Feb 09, 2011 at 10:23:27AM +0100, Jan Zelený wrote:
> > Jakub Hrozek jhro...@redhat.com wrote:
> > > On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > > > Jakub Hrozek jhro...@redhat.com wrote:
> > > > > Hi,
> > > > > attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
> > > > >
> > > > > Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
> > > > >
> > > > > Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
> > > > >
> > > > > Thank you,
> > > > > Jakub
> > > >
> > > > The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
> > > >
> > > > ACK
> > > > Jan
> > >
> > > Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually.
> >
> > Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.
> >
> > Jan
>
> One more change - bumped the minimum required version of python-nss to 0.11 which is in the nightly devel repo now.

and now with the patch attached.

From fd089113524c250c502eb2e4028affd29754dd77 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com Date: Wed, 2 Feb 2011 13:57:16 +0100 Subject: [PATCH] Make nsslib IPv6 aware --- freeipa.spec.in |5 ++- ipapython/nsslib.py | 108 +++ 2 files changed, 96 insertions(+), 17 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index f301aa2..0e54caf 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -177,7 +177,7 @@ Requires: python-kerberos = 1.1-3 Requires: authconfig Requires: gnupg Requires: pyOpenSSL -Requires: python-nss = 0.9-8 +Requires: python-nss = 0.11 Requires: python-lxml Requires: python-netaddr @@ -476,6 +476,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Thu Feb 17 2011 Jakub Hrozek jhro...@redhat.com - 1.99-45 +- Set minimum version of python-nss to 0.11 to make sure IPv6 support is in + * Wed Feb 9 2011 Rob Crittenden rcrit...@redhat.com - 1.99-44 - Set minimum version of sssd to 1.5.1 diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index fad65a3..8d77863 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -21,12 +21,14 @@ import sys import httplib import getpass +import socket import logging from nss.error import NSPRError import nss.io as io import nss.nss as nss import nss.ssl as ssl +import nss.error as error def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False 
@@ -113,11 +115,84 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb): return False return False -class NSSConnection(httplib.HTTPConnection): +class NSSAddressFamilyFallback(object): +def __init__(self, family): +self.sock_family = family +self.family = self._get_nss_family(self.sock_family) + +def _get_nss_family(self, sock_family): + +Translate a family from python socket module to nss family. + +if sock_family in [ socket.AF_INET, socket.AF_UNSPEC ]: +return io.PR_AF_INET +elif sock_family == socket.AF_INET6: +return io.PR_AF_INET6 +else: +raise ValueError('Uknown socket family %d\n', sock_family) + +def _get_next_family(self): +if self.sock_family == socket.AF_UNSPEC and \ + self.family == io.PR_AF_INET: +return io.PR_AF_INET6 + +return None + +def _create_socket(self): +self.sock = io.Socket(family=self.family) + +def _connect_socket_family(self, host, port, family): +logging.debug(connect_socket_family: host=%s port=%s family=%s, + host, port, io.addr_family_name(family)) +try: +addr_info = [ ai for ai in io.AddrInfo(host) if ai.family == family ] +# No suitable
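Review bot: The @@ -113 hunk still raises `ValueError('Uknown socket family %d\n', sock_family)` with the family passed as a second exception argument instead of being interpolated, so the message never contains the number; `ValueError('Unknown socket family %d' % sock_family)` is what was meant, and it also fixes the spelling and the stray newline. `_get_nss_family` maps `socket.AF_UNSPEC` to `io.PR_AF_INET`, which is where the IPv4-first order that the cover letter says should become a config option is hard-coded; a one-line comment marking it as the interim policy would help whoever adds that option. Finally, `_connect_socket_family` calls `io.AddrInfo(host)` and filters by `ai.family` on every call, so if `connect_socket` keeps invoking it once per family as in the first version, an `AF_UNSPEC` fallback resolves the name a second time; resolving once in the caller and passing the filtered list down avoids the repeated lookup.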
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Feb 03, 2011 at 02:23:11PM +0100, Jan Zelený wrote:
> > Jakub Hrozek jhro...@redhat.com wrote:
> > > Hi,
> > > attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
> > >
> > > Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
> > >
> > > Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
> > >
> > > Thank you,
> > > Jakub
> >
> > The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
> >
> > ACK
> > Jan
>
> Thanks for the review. But attached is a new version of the patch that changes the semantics a little based on what's recommended by the new version of python-nss: don't construct the NetworkAddress object manually, but rather resolve the hostname using the AddrInfo object and then try connecting to the list of NetworkAddress objects manually.

Changes consulted off-list, the patch looks good. Will do some more testing on RHEL6. Unless I find some issues, this patch is ACKed.

Jan
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Jakub Hrozek jhro...@redhat.com wrote:
> Hi,
> attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support.
>
> Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons.
>
> Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow.
>
> Thank you,
> Jakub

The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.

ACK
Jan
Re: [Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
On 02/03/2011 02:23 PM, Jan Zelený wrote:
> The patch looks ok, all my questions answered off-list. Also tested with IPv4 (latest python-nss installed) and IPv6, both work fine.
>
> ACK
> Jan

As noted in the original mail, please don't push until python-nss is in the repos we want. Currently this patch would break because there are new functions and constants used, but mainly nss.io.NetworkAddress changed its API.
[Freeipa-devel] [PATCH] 049 Make nsslib IPv6 aware
Hi, attached is a patch to nsslib.py that changes its semantics so it is able to work with different address families. It is the last piece of IPv6 support. Aside from the hunks in the patch, I still need to set Requires: in the patch (don't know the exact version yet). Also, the attached patch always tries IPv4 first and only falls back to IPv6. I think there should be a config option that tells IPA to prefer one of the address families or use it exclusively for performance reasons. Please note that the patch requires the latest changes to python-nss in order to work correctly. Since John is still working on python-nss packages, this patch should be treated as a preview and not pushed even if it is deemed OK. At this stage, I'd like to get at least the general approach and code reviewed so I can fix it tomorrow. Thank you, Jakub From 4b85251c303e8519939b702254ee0def932f8ed6 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Wed, 2 Feb 2011 13:57:16 +0100 Subject: [PATCH] Make nsslib IPv6 aware --- ipapython/nsslib.py | 89 +- 1 files changed, 73 insertions(+), 16 deletions(-) diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 129f1a0..7abbcf0 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -21,12 +21,14 @@ import sys import httplib import getpass +import socket import logging from nss.error import NSPRError import nss.io as io import nss.nss as nss import nss.ssl as ssl +import nss.error as error def auth_certificate_callback(sock, check_sig, is_server, certdb): cert_is_valid = False 
@@ -113,11 +115,65 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb): return False return False -class NSSConnection(httplib.HTTPConnection): +class NSSAddressFamilyFallback(object): +def __init__(self, family): +self.sock_family = family +self.family = self._get_nss_family(self.sock_family) + +def _get_nss_family(self, sock_family): + +Translate a family from python socket module to nss family. + +if sock_family in [ socket.AF_INET, socket.AF_UNSPEC ]: +return io.PR_AF_INET +elif sock_family == socket.AF_INET6: +return io.PR_AF_INET6 +else: +raise ValueError('Uknown socket family %d\n', sock_family) + +def _get_next_family(self): +if self.sock_family == socket.AF_UNSPEC and \ + self.family == io.PR_AF_INET: +return io.PR_AF_INET6 + +return None + +def _connect_socket_family(self, host, port, family): +logging.debug(connect_socket_family: host=%s port=%s family=%s, + host, port, io.addr_family_name(family)) +try: + net_addr = io.NetworkAddress(host, port, family) +except ValueError, e: + raise NSPRError(error.PR_ADDRESS_NOT_SUPPORTED_ERROR, e.message) +logging.debug(connect: %s, net_addr) +self.sock.connect(net_addr, family) + +def _create_socket(self): +self.sock = io.Socket(family=self.family) + +def connect_socket(self, host, port): +try: +self._connect_socket_family(host, port, self.family) +except NSPRError, e: +if e.errno == error.PR_ADDRESS_NOT_SUPPORTED_ERROR: +next_family = self._get_next_family() +if next_family: +self.family = next_family +self._create_socket() +self._connect_socket_family(host, port, self.family) +else: +logging.debug('No next family to try..') +raise e +else: +raise e + +class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): default_port = httplib.HTTPSConnection.default_port -def __init__(self, host, port=None, strict=None, dbdir=None): +def __init__(self, host, port=None, strict=None, + dbdir=None, family=socket.AF_UNSPEC): httplib.HTTPConnection.__init__(self, host, port, strict) 
+NSSAddressFamilyFallback.__init__(self, family) if not dbdir: raise RuntimeError(dbdir is required) @@ -130,10 +186,12 @@ class NSSConnection(httplib.HTTPConnection): nss.nss_init(dbdir) ssl.set_domestic_policy() nss.set_password_callback(self.password_callback) +self._create_socket() +def _create_socket(self): # Create the socket here so we can do things like let the caller # override the NSS callbacks -self.sock = ssl.SSLSocket() +self.sock = ssl.SSLSocket(family=self.family) self.sock.set_ssl_option(ssl.SSL_SECURITY, True) self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) @@ -142,7 +200,8 @@ class NSSConnection(httplib.HTTPConnection): # Provide a callback to verify the servers
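Review bot: The `else` branch of `_get_nss_family` in the @@ -113 hunk, `raise ValueError('Uknown socket family %d\n', sock_family)`, passes the format string and the family as two separate exception arguments, so `%d` is never substituted and the message is reported as a tuple; use `raise ValueError('Unknown socket family %d' % sock_family)`, which also fixes the spelling and drops the trailing newline. In `connect_socket` in the same hunk, the fallback to `_get_next_family()` is taken only when `e.errno == error.PR_ADDRESS_NOT_SUPPORTED_ERROR`, so a host that resolves in both families but refuses or times out on IPv4 propagates that error without IPv6 ever being tried; if that is intended, a docstring on `connect_socket` should say so, since the cover letter describes the class as trying IPv4 first and falling back to IPv6. The fallback also sets `self.family = next_family` and calls `self._create_socket()` without closing the socket whose connect just failed; a `self.sock.close()` before recreating it releases the NSPR descriptor deterministically instead of leaving it to object finalisation.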
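Review bot: `_create_socket` in the @@ -130 hunk keeps the comment "Create the socket here so we can do things like let the caller override the NSS callbacks", but the fallback path in `connect_socket` calls `_create_socket()` a second time and replaces `self.sock` with a fresh `ssl.SSLSocket(family=self.family)`, on which any callbacks the caller installed on the original socket are gone. Either have `_create_socket` re-apply the caller's overrides (store them on the connection rather than on the socket) or document that callback overrides only survive when the first family connects.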
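The configurable address-family preference the cover letter asks for, as an added example (this is not FreeIPA or python-nss code): a Python 3 sketch of the same IPv4-then-IPv6 fallback over the standard socket module, where the preference names, the injectable resolve/connect hooks and the host name are all hypothetical. Unlike the patch it resolves the name once per connect and closes a socket whose connect failed before moving to the next candidate.

```python
import socket

# Preference names are hypothetical: the thread suggests such a config
# option, while the patch hard-codes "IPv4 first, then IPv6".
PREFER_IPV4, PREFER_IPV6 = "ipv4", "ipv6"
IPV4_ONLY, IPV6_ONLY = "ipv4-only", "ipv6-only"

_ORDER = {
    PREFER_IPV4: (socket.AF_INET, socket.AF_INET6),
    PREFER_IPV6: (socket.AF_INET6, socket.AF_INET),
    IPV4_ONLY: (socket.AF_INET,),
    IPV6_ONLY: (socket.AF_INET6,),
}

def family_order(preference):
    """Address families to try, in order, for a preference value."""
    if preference not in _ORDER:
        raise ValueError("unknown address family preference %r" % (preference,))
    return _ORDER[preference]

def _default_connect(family, sockaddr):
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()  # close the failed attempt instead of leaking its fd
        raise
    return sock

def connect_with_fallback(host, port, preference=PREFER_IPV4,
                          resolve=socket.getaddrinfo, connect=_default_connect):
    """Resolve host once, then try every address of each family in order.
    resolve/connect are injectable so the policy can be exercised offline.
    Returns (family, sockaddr, sock) for the first success; re-raises the
    last OSError if every candidate of every permitted family fails."""
    infos = resolve(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    last_error = None
    for family in family_order(preference):
        for af, _t, _p, _c, sockaddr in infos:
            if af != family:
                continue
            try:
                return family, sockaddr, connect(family, sockaddr)
            except OSError as e:
                last_error = e  # remember it; a later family may still work
    if last_error is None:
        raise socket.gaierror("no usable address for %s under %s" % (host, preference))
    raise last_error
```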