hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2483: Take SSLContext into use

Browse Source 
SSLContext is now used everywhere except the binlogrouter which still
allocates the contexts itself. Fixing the binlogrouter's misuse of
internal structures is a rather large undertaking and for this reason the
SSLContext will be taken into use there in a separate commit.
This commit is contained in:
Markus Mäkelä
2019-05-17 16:35:22 +03:00
parent 73796be9d6
commit 82add11e86
8 changed files with 24 additions and 171 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
server/core/config.cc
View File

@ -2856,29 +2856,12 @@ bool config_can_modify_at_runtime(const char* name)
return static_params.count(name); return static_params.count(name);
} }
/**
* Free an SSL structure
*
* @param ssl SSL structure to free
*/
static void free_ssl_structure(mxs::SSLContext* ssl)
{
if (ssl)
{
SSL_CTX_free(ssl->ctx);
MXS_FREE(ssl->ssl_key);
MXS_FREE(ssl->ssl_cert);
MXS_FREE(ssl->ssl_ca_cert);
MXS_FREE(ssl);
}
}
bool config_create_ssl(const char* name, bool config_create_ssl(const char* name,
const MXS_CONFIG_PARAMETER& params, const MXS_CONFIG_PARAMETER& params,
bool require_cert, bool require_cert,
mxs::SSLContext** dest) mxs::SSLContext** dest)
{ {
mxs::SSLContext* ssl = NULL; bool ok = true;
// The enum values convert to bool // The enum values convert to bool
int value = params.get_enum(CN_SSL, ssl_values); int value = params.get_enum(CN_SSL, ssl_values);
@ -2886,71 +2869,43 @@ bool config_create_ssl(const char* name,
if (value) if (value)
{ {
bool error = false; if (!params.contains(CN_SSL_CA_CERT))
string ssl_cert = params.get_string(CN_SSL_CERT);
string ssl_key = params.get_string(CN_SSL_KEY);
string ssl_ca_cert = params.get_string(CN_SSL_CA_CERT);
if (ssl_ca_cert.empty())
{ {
MXS_ERROR("CA Certificate missing for '%s'." MXS_ERROR("CA Certificate missing for '%s'."
"Please provide the path to the certificate authority " "Please provide the path to the certificate authority "
"certificate by adding the ssl_ca_cert=<path> parameter", "certificate by adding the ssl_ca_cert=<path> parameter",
name); name);
error = true; ok = false;
} }
if (require_cert) if (require_cert)
{ {
if (ssl_cert.empty()) if (!params.contains(CN_SSL_CERT))
{ {
MXS_ERROR("Server certificate missing for listener '%s'." MXS_ERROR("Server certificate missing for listener '%s'."
"Please provide the path to the server certificate by adding " "Please provide the path to the server certificate by adding "
"the ssl_cert=<path> parameter", "the ssl_cert=<path> parameter",
name); name);
error = true; ok = false;
} }
if (ssl_key.empty()) if (!params.contains(CN_SSL_KEY))
{ {
MXS_ERROR("Server private key missing for listener '%s'. " MXS_ERROR("Server private key missing for listener '%s'. "
"Please provide the path to the server certificate key by " "Please provide the path to the server certificate key by "
"adding the ssl_key=<path> parameter", "adding the ssl_key=<path> parameter",
name); name);
error = true; ok = false;
} }
} }
if (error) if (ok)
{ {
return false; *dest = mxs::SSLContext::create(params);
}
ssl = (mxs::SSLContext*)MXS_CALLOC(1, sizeof(mxs::SSLContext));
MXS_ABORT_IF_NULL(ssl);
int ssl_version = params.get_enum(CN_SSL_VERSION, ssl_version_values);
ssl->ssl_method_type = (ssl_method_type_t)ssl_version;
ssl->ssl_init_done = false;
ssl->ssl_cert_verify_depth = params.get_integer(CN_SSL_CERT_VERIFY_DEPTH);
ssl->ssl_verify_peer_certificate = params.get_bool(CN_SSL_VERIFY_PEER_CERTIFICATE);
listener_set_certificates(ssl, ssl_cert, ssl_key, ssl_ca_cert);
mxb_assert(access(ssl_ca_cert.c_str(), F_OK) == 0);
mxb_assert(ssl_cert.empty() || access(ssl_cert.c_str(), F_OK) == 0);
mxb_assert(ssl_key.empty() || access(ssl_key.c_str(), F_OK) == 0);
if (!SSL_LISTENER_init(ssl))
{
SSL_LISTENER_free(ssl);
return false;
} }
} }
*dest = ssl; return ok;
return true;
} }
void config_set_global_defaults() void config_set_global_defaults()

4
server/core/dcb.cc
View File

@ -2120,7 +2120,9 @@ int dcb_count_by_usage(DCB_USAGE usage)
*/ */
static int dcb_create_SSL(DCB* dcb, mxs::SSLContext* ssl) static int dcb_create_SSL(DCB* dcb, mxs::SSLContext* ssl)
{ {
if ((dcb->ssl = SSL_new(ssl->ctx)) == NULL) dcb->ssl = ssl->open();
if (!dcb->ssl)
{ {
MXS_ERROR("Failed to initialize SSL for connection."); MXS_ERROR("Failed to initialize SSL for connection.");
return -1; return -1;

14
server/core/listener.cc
View File

@ -148,7 +148,7 @@ Listener::~Listener()
users_free(m_users); users_free(m_users);
} }
SSL_LISTENER_free(m_ssl); delete m_ssl;
} }
SListener Listener::create(const std::string& name, SListener Listener::create(const std::string& name,
@ -479,7 +479,7 @@ bool Listener::create_listener_config(const char* filename)
if (m_ssl) if (m_ssl)
{ {
write_ssl_config(file, m_ssl); dprintf(file, "%s", m_ssl->serialize().c_str());
} }
::close(file); ::close(file);
@ -540,15 +540,7 @@ json_t* Listener::to_json() const
if (m_ssl) if (m_ssl)
{ {
json_t* ssl = json_object(); json_object_set_new(param, "ssl", m_ssl->to_json());
const char* ssl_method = ssl_method_type_to_string(m_ssl->ssl_method_type);
json_object_set_new(ssl, "ssl_version", json_string(ssl_method));
json_object_set_new(ssl, "ssl_cert", json_string(m_ssl->ssl_cert));
json_object_set_new(ssl, "ssl_ca_cert", json_string(m_ssl->ssl_ca_cert));
json_object_set_new(ssl, "ssl_key", json_string(m_ssl->ssl_key));
json_object_set_new(param, "ssl", ssl);
} }
json_t* attr = json_object(); json_t* attr = json_object();

8
server/core/mysql_utils.cc
View File

@ -155,11 +155,11 @@ char* mxs_lestr_consume(uint8_t** c, size_t* size)
MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd) MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
{ {
mxs::SSLContext* listener = server->server_ssl; mxs::SSLContext* ssl = server->server_ssl;
if (listener) if (ssl)
{ {
mysql_ssl_set(con, listener->ssl_key, listener->ssl_cert, listener->ssl_ca_cert, NULL, NULL); mysql_ssl_set(con, ssl->ssl_key(), ssl->ssl_cert(), ssl->ssl_ca(), NULL, NULL);
} }
char yes = 1; char yes = 1;
@ -204,7 +204,7 @@ MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, cons
mysql_get_character_set_info(mysql, &cs_info); mysql_get_character_set_info(mysql, &cs_info);
server->charset = cs_info.number; server->charset = cs_info.number;
if (listener && mysql_get_ssl_cipher(con) == NULL) if (ssl && mysql_get_ssl_cipher(con) == NULL)
{ {
if (server->warn_ssl_not_enabled) if (server->warn_ssl_not_enabled)
{ {

21
server/core/server.cc
View File

@ -210,7 +210,7 @@ Server* Server::server_alloc(const char* name, const MXS_CONFIG_PARAMETER& param
{ {
delete server; delete server;
MXS_FREE(persistent); MXS_FREE(persistent);
SSL_LISTENER_free(ssl); delete ssl;
return NULL; return NULL;
} }
@ -528,24 +528,7 @@ void Server::print_to_dcb(DCB* dcb) const
} }
if (server->server_ssl) if (server->server_ssl)
{ {
mxs::SSLContext* l = server->server_ssl; dcb_printf(dcb, "%s", server->server_ssl->to_string().c_str());
dcb_printf(dcb,
"\tSSL initialized: %s\n",
l->ssl_init_done ? "yes" : "no");
dcb_printf(dcb,
"\tSSL method type: %s\n",
ssl_method_type_to_string(l->ssl_method_type));
dcb_printf(dcb, "\tSSL certificate verification depth: %d\n", l->ssl_cert_verify_depth);
dcb_printf(dcb, "\tSSL peer verification : %s\n", l->ssl_verify_peer_certificate ? "true" : "false");
dcb_printf(dcb,
"\tSSL certificate: %s\n",
l->ssl_cert ? l->ssl_cert : "null");
dcb_printf(dcb,
"\tSSL key: %s\n",
l->ssl_key ? l->ssl_key : "null");
dcb_printf(dcb,
"\tSSL CA certificate: %s\n",
l->ssl_ca_cert ? l->ssl_ca_cert : "null");
} }
if (server->proxy_protocol) if (server->proxy_protocol)
{ {

72
server/modules/routing/binlogrouter/blr.cc
View File

@ -81,7 +81,6 @@ static uint64_t getCapabilities(MXS_ROUTER* instance);
static int blr_load_dbusers(const ROUTER_INSTANCE* router); static int blr_load_dbusers(const ROUTER_INSTANCE* router);
static int blr_check_binlog(ROUTER_INSTANCE* router); static int blr_check_binlog(ROUTER_INSTANCE* router);
void blr_master_close(ROUTER_INSTANCE*); void blr_master_close(ROUTER_INSTANCE*);
void blr_free_ssl_data(ROUTER_INSTANCE* inst);
static void destroyInstance(MXS_ROUTER* instance); static void destroyInstance(MXS_ROUTER* instance);
bool blr_extract_key(const char* linebuf, bool blr_extract_key(const char* linebuf,
int nline, int nline,
@ -915,20 +914,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params
{ {
MXS_INFO("%s: Replicating from master with SSL", service->name()); MXS_INFO("%s: Replicating from master with SSL", service->name());
} }
else
{
MXS_DEBUG("%s: Replicating from master without SSL", service->name());
/* Free the SSL struct because is not needed if MASTER_SSL = 0
* Provided options, if any, are kept in inst->ssl_* vars
* SHOW SLAVE STATUS can display those values
*/
/* Note: SSL struct in server should be freed by server_free() */
if (service->dbref && service->dbref->server)
{
blr_free_ssl_data(inst);
}
}
if (inst->master_state == BLRM_UNCONNECTED) if (inst->master_state == BLRM_UNCONNECTED)
{ {
@ -959,8 +944,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params
if (service->dbref && service->dbref->server) if (service->dbref && service->dbref->server)
{ {
/* Free SSL data */
blr_free_ssl_data(inst);
MXS_FREE(service->dbref); MXS_FREE(service->dbref);
service->dbref = NULL; service->dbref = NULL;
} }
@ -1522,18 +1505,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
dcb_printf(dcb, "\tMaster SSL is ON:\n"); dcb_printf(dcb, "\tMaster SSL is ON:\n");
if (router_inst->service->dbref->server && router_inst->service->dbref->server->server_ssl) if (router_inst->service->dbref->server && router_inst->service->dbref->server->server_ssl)
{ {
dcb_printf(dcb, dcb_printf(dcb, "%s", router_inst->service->dbref->server->server_ssl->to_string().c_str());
"\t\tMaster SSL CA cert: %s\n",
router_inst->service->dbref->server->server_ssl->ssl_ca_cert);
dcb_printf(dcb,
"\t\tMaster SSL Cert: %s\n",
router_inst->service->dbref->server->server_ssl->ssl_cert);
dcb_printf(dcb,
"\t\tMaster SSL Key: %s\n",
router_inst->service->dbref->server->server_ssl->ssl_key);
dcb_printf(dcb,
"\t\tMaster SSL tls_ver: %s\n",
router_inst->ssl_version ? router_inst->ssl_version : "MAX");
} }
} }
@ -2011,22 +1983,7 @@ static json_t* diagnostics_json(const MXS_ROUTER* router)
/* SSL options */ /* SSL options */
if (router_inst->ssl_enabled) if (router_inst->ssl_enabled)
{ {
json_t* obj = json_object(); json_object_set_new(rval, "master_ssl", router_inst->service->dbref->server->server_ssl->to_json());
json_object_set_new(obj,
"ssl_ca_cert",
json_string(router_inst->service->dbref->server->server_ssl->ssl_ca_cert));
json_object_set_new(obj,
"ssl_cert",
json_string(router_inst->service->dbref->server->server_ssl->ssl_cert));
json_object_set_new(obj,
"ssl_key",
json_string(router_inst->service->dbref->server->server_ssl->ssl_key));
json_object_set_new(obj,
"ssl_version",
json_string(router_inst->ssl_version ? router_inst->ssl_version : "MAX"));
json_object_set_new(rval, "master_ssl", obj);
} }
/* Binlog Encryption options */ /* Binlog Encryption options */
@ -2934,31 +2891,6 @@ const char* blr_get_event_description(ROUTER_INSTANCE* router, uint8_t event)
return event_desc; return event_desc;
} }
/**
* Free SSL struct in server struct
*
* @param inst The router instance
*/
void blr_free_ssl_data(ROUTER_INSTANCE* inst)
{
mxs::SSLContext* server_ssl;
if (inst->service->dbref->server->server_ssl)
{
server_ssl = inst->service->dbref->server->server_ssl;
/*
* Free SSL struct
* Note: SSL struct in server should be freed by server_free()
*/
MXS_FREE(server_ssl->ssl_key);
MXS_FREE(server_ssl->ssl_ca_cert);
MXS_FREE(server_ssl->ssl_cert);
MXS_FREE(inst->service->dbref->server->server_ssl);
inst->service->dbref->server->server_ssl = NULL;
}
}
/** /**
* destroy binlog server instance * destroy binlog server instance
* *

1
server/modules/routing/binlogrouter/blr.hh
View File

@ -1103,7 +1103,6 @@ const char* blr_get_event_description(ROUTER_INSTANCE* router, uint8_t event);
void blr_file_append(ROUTER_INSTANCE* router, char* file); void blr_file_append(ROUTER_INSTANCE* router, char* file);
void blr_cache_response(ROUTER_INSTANCE* router, char* response, GWBUF* buf); void blr_cache_response(ROUTER_INSTANCE* router, char* response, GWBUF* buf);
const char* blr_last_event_description(ROUTER_INSTANCE* router); const char* blr_last_event_description(ROUTER_INSTANCE* router);
void blr_free_ssl_data(ROUTER_INSTANCE* inst);
extern bool blr_send_event(blr_thread_role_t role, extern bool blr_send_event(blr_thread_role_t role,
const char* binlog_name, const char* binlog_name,

10
server/modules/routing/binlogrouter/blr_file.cc
View File

@ -3453,16 +3453,6 @@ int blr_file_write_master_config(ROUTER_INSTANCE* router, char* error)
mxb_assert(current.user == router->user); mxb_assert(current.user == router->user);
mxb_assert(current.password == router->password); mxb_assert(current.password == router->password);
if (router->ssl_enabled)
{
mxb_assert(current.ssl_enabled);
mxb_assert(current.ssl_ca == router->service->dbref->server->server_ssl->ssl_ca_cert);
mxb_assert(current.ssl_cert == router->service->dbref->server->server_ssl->ssl_cert);
mxb_assert(current.ssl_key == router->service->dbref->server->server_ssl->ssl_key);
}
mxb_assert(!router->ssl_version || (current.ssl_version == router->ssl_version));
mxb_assert(current.heartbeat_period == (int)router->heartbeat); mxb_assert(current.heartbeat_period == (int)router->heartbeat);
mxb_assert(current.connect_retry == router->retry_interval); mxb_assert(current.connect_retry == router->retry_interval);
#endif #endif