hcq/MaxScale
hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2483: Make server SSL private

Browse Source 
The old server_ssl member is now renamed and private. The ssl_context and
set_ssl_context methods provide access to it.
This commit is contained in:
Markus Mäkelä 2019-05-20 13:16:29 +03:00
parent f79e8b108c
commit 3b8e28392e
No known key found for this signature in database
GPG Key ID: 72D48FCE664F7B19
12 changed files with 42 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
include/maxscale/server.hh
View File

@ -181,9 +181,8 @@ public:
* routing sessions. */
// Base variables
bool is_active = false; /**< Server is active and has not been "destroyed" */
mxs::SSLContext* server_ssl = nullptr; /**< SSL data */
uint8_t charset = DEFAULT_CHARSET; /**< Character set. Read from backend and sent to client. */
bool is_active = false; /**< Server is active and has not been "destroyed" */
uint8_t charset = DEFAULT_CHARSET; /**< Character set. Read from backend and sent to client. */
// Statistics and events
ConnStats stats; /**< The server statistics, e.g. number of connections */
@ -518,13 +517,26 @@ public:
*/
void response_time_add(double ave, int num_samples);
mxs::SSLContext* ssl_context() const
{
return m_ssl_context;
}
void set_ssl_context(mxs::SSLContext* ssl)
{
m_ssl_context = ssl;
}
protected:
SERVER()
: m_response_time(maxbase::EMAverage {0.04, 0.35, 500})
SERVER(mxs::SSLContext* ssl_context = nullptr)
: m_response_time{0.04, 0.35, 500}
, m_ssl_context{ssl_context}
{
}
private:
static const int DEFAULT_CHARSET = 0x08; /**< The latin1 charset */
maxbase::EMAverage m_response_time; /**< Response time calculations for this server */
std::mutex m_average_write_mutex; /**< Protects response time from concurrent writing */
mxs::SSLContext* m_ssl_context; /**< SSL context */
};

8
server/core/config_runtime.cc
View File

@ -441,11 +441,7 @@ bool runtime_enable_server_ssl(Server* server,
if (ssl)
{
// TODO: Properly discard old SSL configurations
/** Sync to prevent reads on partially initialized server_ssl */
atomic_synchronize();
server->server_ssl = ssl;
server->set_ssl_context(ssl);
if (server->serialize())
{
@ -1902,7 +1898,7 @@ static bool validate_ssl_json(json_t* params, object_type type)
static bool process_ssl_parameters(Server* server, json_t* params)
{
mxb_assert(server->server_ssl == NULL);
mxb_assert(server->ssl_context() == NULL);
bool rval = true;
if (have_ssl_json(params))

6
server/core/dcb.cc
View File

@ -2227,10 +2227,10 @@ int dcb_connect_SSL(DCB* dcb)
int ssl_rval;
int return_code;
if ((NULL == dcb->server || NULL == dcb->server->server_ssl)
|| (NULL == dcb->ssl && dcb_create_SSL(dcb, dcb->server->server_ssl) != 0))
if ((NULL == dcb->server || NULL == dcb->server->ssl_context())
|| (NULL == dcb->ssl && dcb_create_SSL(dcb, dcb->server->ssl_context()) != 0))
{
mxb_assert((NULL != dcb->server) && (NULL != dcb->server->server_ssl));
mxb_assert((NULL != dcb->server) && (NULL != dcb->server->ssl_context()));
return -1;
}
dcb->ssl_state = SSL_HANDSHAKE_REQUIRED;

7
server/core/internal/server.hh
View File

@ -28,8 +28,11 @@
class Server : public SERVER
{
public:
Server(const std::string& name, const std::string& protocol = "", const std::string& authenticator = "")
: SERVER()
Server(const std::string& name,
const std::string& protocol = "",
const std::string& authenticator = "",
mxs::SSLContext* ssl = nullptr)
: SERVER(ssl)
, m_name(name)
{
m_settings.protocol = protocol;

2
server/core/mysql_utils.cc
View File

@ -155,7 +155,7 @@ char* mxs_lestr_consume(uint8_t** c, size_t* size)
MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
{
mxs::SSLContext* ssl = server->server_ssl;
mxs::SSLContext* ssl = server->ssl_context();
if (ssl)
{

7
server/core/server.cc
View File

@ -203,7 +203,7 @@ Server* Server::server_alloc(const char* name, const MXS_CONFIG_PARAMETER& param
return NULL;
}
Server* server = new(std::nothrow) Server(name, protocol, authenticator);
Server* server = new(std::nothrow) Server(name, protocol, authenticator, ssl);
DCB** persistent = (DCB**)MXS_CALLOC(config_threadcount(), sizeof(*persistent));
if (!server || !persistent)
@ -231,7 +231,6 @@ Server* Server::server_alloc(const char* name, const MXS_CONFIG_PARAMETER& param
server->proxy_protocol = params.get_bool(CN_PROXY_PROTOCOL);
server->is_active = true;
server->m_auth_instance = auth_instance;
server->server_ssl = ssl;
server->persistent = persistent;
server->last_event = SERVER_UP_EVENT;
server->status = SERVER_RUNNING;
@ -526,9 +525,9 @@ void Server::print_to_dcb(DCB* dcb) const
+ server->stats.n_from_pool + 1);
dcb_printf(dcb, "\tPool availability: %0.2lf%%\n", d * 100.0);
}
if (server->server_ssl)
if (server->ssl_context())
{
dcb_printf(dcb, "%s", server->server_ssl->to_string().c_str());
dcb_printf(dcb, "%s", server->ssl_context()->to_string().c_str());
}
if (server->proxy_protocol)
{

2
server/modules/authenticator/GSSAPI/GSSAPIBackendAuth/gssapi_backend_auth.cc
View File

@ -191,7 +191,7 @@ static bool gssapi_backend_auth_extract(DCB* dcb, GWBUF* buffer)
*/
static bool gssapi_backend_auth_connectssl(DCB* dcb)
{
return dcb->server->server_ssl != NULL;
return dcb->server->ssl_context() != NULL;
}
/**

2
server/modules/authenticator/MariaDBBackendAuth/mysql_backend_auth.cc
View File

@ -140,7 +140,7 @@ static int auth_backend_authenticate(DCB* dcb)
*/
static bool auth_backend_ssl(DCB* dcb)
{
return dcb->server->server_ssl != NULL;
return dcb->server->ssl_context() != NULL;
}
extern "C"

2
server/modules/authenticator/PAM/PAMBackendAuth/pam_backend_auth.cc
View File

@ -53,7 +53,7 @@ static bool pam_backend_auth_extract(DCB* dcb, GWBUF* buffer)
*/
static bool pam_backend_auth_connectssl(DCB* dcb)
{
return dcb->server->server_ssl != NULL;
return dcb->server->ssl_context() != NULL;
}
/**

4
server/modules/protocol/MySQL/mysql_common.cc
View File

@ -954,13 +954,13 @@ mxs_auth_state_t gw_send_backend_auth(DCB* dcb)
if (dcb->session == NULL
|| (dcb->session->state != SESSION_STATE_CREATED
&& dcb->session->state != SESSION_STATE_STARTED)
|| (dcb->server->server_ssl
|| (dcb->server->ssl_context()
&& dcb->ssl_state == SSL_HANDSHAKE_FAILED))
{
return rval;
}
bool with_ssl = dcb->server->server_ssl;
bool with_ssl = dcb->server->ssl_context();
bool ssl_established = dcb->ssl_state == SSL_ESTABLISHED;
MYSQL_session client;

8
server/modules/routing/binlogrouter/blr.cc
View File

@ -1477,9 +1477,9 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
}
/* SSL options */
if (router_inst->ssl_enabled)
if (auto ssl = router_inst->service->dbref->server->ssl_context())
{
dcb_printf(dcb, "%s", router_inst->service->dbref->server->server_ssl->to_string().c_str());
dcb_printf(dcb, "%s", ssl->to_string().c_str());
}
/* Binlog Encryption options */
@ -1954,9 +1954,9 @@ static json_t* diagnostics_json(const MXS_ROUTER* router)
min5 /= 5.0;
/* SSL options */
if (router_inst->ssl_enabled)
if (auto ssl = router_inst->service->dbref->server->ssl_context())
{
json_object_set_new(rval, "master_ssl", router_inst->service->dbref->server->server_ssl->to_json());
json_object_set_new(rval, "master_ssl", ssl->to_json());
}
/* Binlog Encryption options */

6
server/modules/routing/binlogrouter/blr_slave.cc
View File

@ -4850,9 +4850,8 @@ static void blr_master_get_config(ROUTER_INSTANCE* router, MasterServerConfig* c
curr_master->password = router->password;
curr_master->filestem = router->fileroot;
/* SSL options */
if (router->service->dbref->server->server_ssl)
if (auto server_ssl = router->service->dbref->server->ssl_context())
{
auto server_ssl = router->service->dbref->server->server_ssl;
curr_master->ssl_enabled = router->ssl_enabled;
if (router->ssl_version)
{
@ -6353,8 +6352,7 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
if (ssl)
{
updated = 1;
delete router->service->dbref->server->server_ssl;
router->service->dbref->server->server_ssl = ssl;
router->service->dbref->server->set_ssl_context(ssl);
/* Update options in router fields */
if (!config.ssl_key.empty())