Forum: Cfengine Help
Subject: Re: cf_lastseen adding old key?
Author: matter
Link to topic: https://cfengine.com/forum/read.php?3,20285,20292#msg-20292

So I am not so crazy, I did find a bug when cf-agent checks the keys. Consider 
the following cf-agent output:


cf3 No existing connection to 10.10.10.22 is established...
cf3 Set cfengine port number to 5308 = 5308
cf3 Set connection timeout to 10
cf3  -> Connect to a.acme.com = 10.10.10.22 on port 5308
cf3  -> Matched IP 10.10.10.22 to key MD5=196ca10f4a51520c745f76188c15268b
cf3  -> Going to secondary storage for key
cf3 BAD: Unspecified server refusal (see verbose server output)
cf3  !! Authentication dialogue with a.acme.com failed
cf3 Unable to establish connection a.acme.com
cf3  -> No suitable server responded to hail


Interesting, I don't recall that being the correct key. Let's check on that:


root # cf-key -s | grep a.acme.com
    10.10.10.22 a.acme.com        MD5=3699f51151a70fded7263


Nope, MD5=196ca10f4a51520c745f76188c15268b is not the right key. Whose key is 
that anyways:


root # cf-key -s | grep MD5=196ca10f4a51520
    10.10.10.221 b.acme.com      MD5=196ca10f4a51520c745f7


Okay, I see what is happening. There seems to be a comparison somewhere that is 
only extracting part of the IP:


    10.10.10.22  a.acme.com      MD5=3699f51151a70fded7263
    10.10.10.221 b.acme.com      MD5=196ca10f4a51520c745f7


So some function is looking for 10.10.10.22 and is matching 10.10.10.221. Oh 
look, here is (conversion.c ~line 77 - IPString2KeyDigest)


// Warning this is not 1:1

      if ( (strncmp(ipv4,MapAddress((char *)entry.address),strlen(ipv4)) == 0) )
         {
         CfOut(cf_verbose,""," -> Matched IP %s to key %s",ipv4,key+1);
         strncpy(result,key+1,CF_MAXVARSIZE-1);
         break;
         }
      }


So the warning is quite accurate about 1:1. I added a little more code to 
check for length and it seems to work:


// Warning this is not 1:1

      if ( (strncmp(ipv4,MapAddress((char *)entry.address),strlen(ipv4)) == 0) &&
           (strlen(ipv4) == strlen(entry.address)) )
         {
         CfOut(cf_verbose,""," -> Matched IP %s to key %s",ipv4,key+1);
         strncpy(result,key+1,CF_MAXVARSIZE-1);
         break;
         }
      }



I will post a bug on this.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
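
The prefix match described in the post, reproduced as an added stand-alone example (not CFEngine source and not the poster's code). The table, its iteration order and the function names lookup_prefix and lookup_exact are assumptions for illustration; lookup_exact goes beyond the posted length check by comparing addresses parsed with inet_pton.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed table mirroring the two cf-key -s rows quoted in the post.
   Digests are the truncated values as printed there. Assumption: the
   10.10.10.221 record is visited first, as the cf-agent output implies. */
struct seen { const char *address; const char *digest; };
static const struct seen table[] = {
    { "10.10.10.221", "MD5=196ca10f4a51520c745f7" },  /* b.acme.com */
    { "10.10.10.22",  "MD5=3699f51151a70fded7263" },  /* a.acme.com */
};
#define NSEEN (sizeof table / sizeof table[0])

/* Prefix comparison as in the post's first snippet: the bound is the
   length of the address being looked up, so "10.10.10.22" also matches
   "10.10.10.221" and the wrong host's key digest is returned. */
const char *lookup_prefix(const char *ipv4)
{
    for (size_t i = 0; i < NSEEN; i++)
        if (strncmp(ipv4, table[i].address, strlen(ipv4)) == 0)
            return table[i].digest;
    return NULL;
}

/* Compare parsed addresses instead of text: a match is exact by
   construction, and input that is not a well-formed dotted quad is
   rejected before any record is examined. */
const char *lookup_exact(const char *ipv4)
{
    struct in_addr want, have;
    if (inet_pton(AF_INET, ipv4, &want) != 1)
        return NULL;
    for (size_t i = 0; i < NSEEN; i++)
        if (inet_pton(AF_INET, table[i].address, &have) == 1 &&
            want.s_addr == have.s_addr)
            return table[i].digest;
    return NULL;
}

int main(void)
{
    printf("prefix: %s\n", lookup_prefix("10.10.10.22"));
    printf("exact:  %s\n", lookup_exact("10.10.10.22"));
    return 0;
}
```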
