hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Changes to improve robustness of SSL processing, separate it so far as possible from protocols. Separate the detailed mechanism of authentication from the MySQL protocol with a view to making it into a module later.

Browse Source
This commit is contained in:
counterpoint
2016-02-15 09:29:07 +00:00
parent 971d1d5de2
commit 866e91c088
17 changed files with 1218 additions and 741 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/core/CMakeLists.txt
View File

@ -1,4 +1,4 @@
add_library(maxscale-common SHARED adminusers.c atomic.c buffer.c config.c dbusers.c dcb.c filter.c externcmd.c gwbitmask.c gwdirs.c gw_utils.c hashtable.c hint.c housekeeper.c listener.c load_utils.c maxscale_pcre2.c memlog.c modutil.c monitor.c poll.c random_jkiss.c resultset.c secrets.c server.c service.c session.c spinlock.c thread.c users.c utils.c ${CMAKE_SOURCE_DIR}/log_manager/log_manager.cc ${CMAKE_SOURCE_DIR}/utils/skygw_utils.cc)
add_library(maxscale-common SHARED adminusers.c atomic.c buffer.c config.c dbusers.c dcb.c filter.c externcmd.c gwbitmask.c gwdirs.c gw_ssl.c gw_utils.c hashtable.c hint.c housekeeper.c listener.c load_utils.c maxscale_pcre2.c memlog.c modutil.c monitor.c poll.c random_jkiss.c resultset.c secrets.c server.c service.c session.c spinlock.c thread.c users.c utils.c ${CMAKE_SOURCE_DIR}/log_manager/log_manager.cc ${CMAKE_SOURCE_DIR}/utils/skygw_utils.cc)
target_link_libraries(maxscale-common ${EMBEDDED_LIB} ${LZMA_LINK_FLAGS} ${PCRE2_LIBRARIES} ${PCRE_LINK_FLAGS} ${CURL_LIBRARIES} ssl aio pthread crypt dl crypto inih z rt m stdc++)

3
server/core/config.c
View File

@ -133,12 +133,14 @@ static char *service_params[] =
"version_string",
"filters",
"weightby",
/* These should no longer be required
"ssl_cert",
"ssl_ca_cert",
"ssl",
"ssl_key",
"ssl_version",
"ssl_cert_verify_depth",
* */
"ignore_databases",
"ignore_databases_regex",
"log_auth_warnings",
@ -1092,6 +1094,7 @@ make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count)
local_errors++;
}
}
else new_ssl->ssl_cert_verify_depth = 9;
listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert);

38
server/core/dcb.c
View File

@ -61,6 +61,8 @@
* 17/10/2015 Martin Brampton Add hangup for each and bitmask display MaxAdmin
* 15/12/2015 Martin Brampton Merge most of SSL write code into non-SSL,
* enhance SSL code
* 07/02/2016 Martin Brampton Make dcb_read_SSL & dcb_create_SSL internal,
* further small SSL logic changes
*
* @endverbatim
*/
@ -111,6 +113,8 @@ static bool dcb_maybe_add_persistent(DCB *);
static inline bool dcb_write_parameter_check(DCB *dcb, GWBUF *queue);
static int dcb_bytes_readable(DCB *dcb);
static int dcb_read_no_bytes_available(DCB *dcb, int nreadtotal);
static int dcb_create_SSL(DCB* dcb);
static int dcb_read_SSL(DCB *dcb, GWBUF **head);
static GWBUF *dcb_basic_read(DCB *dcb, int bytesavailable, int maxbytes, int nreadtotal, int *nsingleread);
static GWBUF *dcb_basic_read_SSL(DCB *dcb, int *nsingleread);
#if defined(FAKE_CODE)
@ -118,7 +122,6 @@ static inline void dcb_write_fake_code(DCB *dcb);
#endif
static void dcb_log_write_failure(DCB *dcb, GWBUF *queue, int eno);
static inline void dcb_write_tidy_up(DCB *dcb, bool below_water);
static void dcb_log_ssl_read_error(DCB *dcb, int ssl_errno, int rc);
static int gw_write(DCB *dcb, bool *stop_writing);
static int gw_write_SSL(DCB *dcb, bool *stop_writing);
static void dcb_log_errors_SSL (DCB *dcb, const char *called_by, int ret);
@ -853,6 +856,11 @@ int dcb_read(DCB *dcb,
int nsingleread = 0;
int nreadtotal = 0;
if (SSL_HANDSHAKE_DONE == dcb->ssl_state || SSL_ESTABLISHED == dcb->ssl_state)
{
return dcb_read_SSL(dcb, head);
}
CHK_DCB(dcb);
if (dcb->fd <= 0)
@ -1048,7 +1056,7 @@ dcb_basic_read(DCB *dcb, int bytesavailable, int maxbytes, int nreadtotal, int *
* @param head Pointer to linked list to append data to
* @return -1 on error, otherwise the total number of bytes read
*/
int
static int
dcb_read_SSL(DCB *dcb, GWBUF **head)
{
GWBUF *buffer = NULL;
@ -1075,7 +1083,7 @@ dcb_read_SSL(DCB *dcb, GWBUF **head)
nreadtotal += nsingleread;
*head = gwbuf_append(*head, buffer);
while (buffer || SSL_pending(dcb->ssl))
while (SSL_pending(dcb->ssl))
{
dcb->last_read = hkheartbeat;
buffer = dcb_basic_read_SSL(dcb, &nsingleread);
@ -1224,14 +1232,17 @@ dcb_log_errors_SSL (DCB *dcb, const char *called_by, int ret)
char errbuf[STRERROR_BUFLEN];
unsigned long ssl_errno;
MXS_ERROR("SSL operation failed in %s, dcb %p in state "
"%s fd %d. More details may follow.",
called_by,
dcb,
STRDCBSTATE(dcb->state),
dcb->fd);
ssl_errno = ERR_get_error();
if (ret || ssl_errno)
{
MXS_ERROR("SSL operation failed in %s, dcb %p in state "
"%s fd %d return code %d. More details may follow.",
called_by,
dcb,
STRDCBSTATE(dcb->state),
dcb->fd,
ret);
}
if (ret && !ssl_errno)
{
int local_errno = errno;
@ -2831,7 +2842,8 @@ dcb_count_by_usage(DCB_USAGE usage)
* @param dcb
* @return -1 on error, 0 otherwise.
*/
int dcb_create_SSL(DCB* dcb)
static int
dcb_create_SSL(DCB* dcb)
{
if (NULL == dcb->listen_ssl || listener_init_SSL(dcb->listen_ssl) != 0)
{
@ -2884,7 +2896,8 @@ int dcb_accept_SSL(DCB* dcb)
{
case SSL_ERROR_NONE:
MXS_DEBUG("SSL_accept done for %s@%s", user, remote);
dcb->ssl_state = SSL_HANDSHAKE_DONE;
dcb->ssl_state = SSL_ESTABLISHED;
dcb->ssl_read_want_write = false;
return 1;
break;
@ -2895,6 +2908,7 @@ int dcb_accept_SSL(DCB* dcb)
case SSL_ERROR_WANT_WRITE:
MXS_DEBUG("SSL_accept ongoing want write for %s@%s", user, remote);
dcb->ssl_read_want_write = true;
return 0;
break;

82
server/core/doxygen.c Normal file
View File

@ -0,0 +1,82 @@
/*
* This file is distributed as part of the MariaDB Corporation MaxScale. It is free
* software: you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation,
* version 2.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Copyright MariaDB Corporation Ab 2014
*/
/**
* @file doxygen.c - The MaxScale model for Doxygen directed comment blocks
*
* This file is not built in to MaxScale at all, it exists only as a model
* and is intended to have parts of it copied into new code, or existing
* code that is being upgraded.
*
* @verbatim
* Revision History
*
* Date Who Description
* 05/02/2016 Martin Brampton Initial implementation
* @endverbatim
*/
/**
* @brief Example showing how to document a function with Doxygen.
*
* Description of what the function does. This part may refer to the parameters
* of the function, like @p param1 or @p param2. A word of code can also be
* inserted like @c this which is equivalent to <tt>this</tt> and can be useful
* to say that the function returns a @c void or an @c int. If you want to have
* more than one word in typewriter font, then just use @<tt@>.
* We can also include text verbatim,
* @verbatim like this@endverbatim
* Sometimes it is also convenient to include an example of usage:
* @code
* BoxStruct *out = Box_The_Function_Name(param1, param2);
* printf("something...\n");
* @endcode
* Or,
* @code{.py}
* pyval = python_func(arg1, arg2)
* print pyval
* @endcode
* when the language is not the one used in the current source file (but
* <b>be careful</b> as this may be supported only by recent versions
* of Doxygen). By the way, <b>this is how you write bold text</b> or,
* if it is just one word, then you can just do @b this.
* @param param1 Description of the first parameter of the function.
* @param param2 The second one, which follows @p param1.
* @return Describe what the function returns.
* @see Box_The_Second_Function
* @see Box_The_Last_One
* @see http://website/
* @note Something to note.
* @warning Warning.
*/
BOXEXPORT BoxStruct *
Box_The_Function_Name(BoxParamType1 param1, BoxParamType2 param2 /*, ...*/);
/**
* @brief A simple stub function to show how links do work.
*
* Links are generated automatically for webpages (like http://www.google.co.uk)
* and for structures, like BoxStruct_struct. For typedef-ed types use
* #BoxStruct.
* For functions, automatic links are generated when the parenthesis () follow
* the name of the function, like Box_The_Function_Name().
* Alternatively, you can use #Box_The_Function_Name.
* @return @c NULL is always returned.
*/
BOXEXPORT void *
Box_The_Second_Function(void);

188
server/core/gw_ssl.c Normal file
View File

@ -0,0 +1,188 @@
/*
* This file is distributed as part of the MariaDB Corporation MaxScale. It is free
* software: you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation,
* version 2.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Copyright MariaDB Corporation Ab 2013-2014
*/
/**
* @file gw_ssl.c - SSL generic functions
*
* SSL is intended to be available in conjunction with a variety of protocols
* on either the client or server side.
*
* @verbatim
* Revision History
*
* Date Who Description
* 02/02/16 Martin Brampton Initial implementation
*
* @endverbatim
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <dcb.h>
#include <service.h>
#include <log_manager.h>
#include <sys/ioctl.h>
/**
* @brief Check client's SSL capability and start SSL if appropriate.
*
* The protocol should determine whether the client is SSL capable and pass
* the result as the second parameter. If the listener requires SSL but the
* client is not SSL capable, an error message is recorded and failure return
* given. If both sides want SSL, and SSL is not already established, the
* process is triggered by calling dcb_accept_SSL.
*
* @param dcb Request handler DCB connected to the client
* @param is_capable Indicates if the client can handle SSL
* @return 0 if ok, >0 if a problem - see return codes defined in gw_ssl.h
*/
int ssl_authenticate_client(DCB *dcb, bool is_capable)
{
char *user = dcb->user ? dcb->user : "";
char *remote = dcb->remote ? dcb->remote : "";
char *service = (dcb->service && dcb->service->name) ? dcb->service->name : "";
if (NULL == dcb->listen_ssl)
{
/* Not an SSL connection on account of listener configuration */
return SSL_AUTH_CHECKS_OK;
}
/* Now we require an SSL connection */
if (!is_capable)
{
/* Should be SSL, but client is not SSL capable */
MXS_INFO("User %s@%s connected to service '%s' without SSL when SSL was required.",
user ? user : "", remote ? remote : "", service ? service : "");
return SSL_ERROR_CLIENT_NOT_SSL;
}
/* Now we know SSL is required and client is capable */
if (dcb->ssl_state != SSL_HANDSHAKE_DONE && dcb->ssl_state != SSL_ESTABLISHED)
{
int return_code;
/** Do the SSL Handshake */
if (SSL_HANDSHAKE_UNKNOWN == dcb->ssl_state)
{
dcb->ssl_state = SSL_HANDSHAKE_REQUIRED;
}
/**
* Note that this will often fail to achieve its result, because further
* reading (or possibly writing) of SSL related information is needed.
* When that happens, there is a call in poll.c so that an EPOLLIN
* event that arrives while the SSL state is SSL_HANDSHAKE_REQUIRED
* will trigger dcb_accept_SSL. This situation does not result in a
* negative return code - that indicates a real failure.
*/
return_code = dcb_accept_SSL(dcb);
if (return_code < 0)
{
MXS_INFO("User %s@%s failed to connect to service '%s' with SSL.",
user, remote, service);
return SSL_ERROR_ACCEPT_FAILED;
}
else if (MXS_LOG_PRIORITY_IS_ENABLED(LOG_INFO))
{
if (1 == return_code)
{
MXS_INFO("User %s@%s connected to service '%s' with SSL.",
user, remote, service);
}
else
{
MXS_INFO("User %s@%s connect to service '%s' with SSL in progress.",
user, remote, service);
}
}
}
return SSL_AUTH_CHECKS_OK;
}
/**
* @brief If an SSL connection is required, check that it has been established.
*
* This is called at the end of the authentication of a new connection.
* If the result is not true, the data packet is abandoned with further
* data expected from the client.
*
* @param dcb Request handler DCB connected to the client
* @return Boolean to indicate whether connection is healthy
*/
bool
ssl_is_connection_healthy(DCB *dcb)
{
/**
* If SSL was never expected, or if the connection has state SSL_ESTABLISHED
* then everything is as we wish. Otherwise, either there is a problem or
* more to be done.
*/
return (NULL == dcb->listen_ssl || dcb->ssl_state == SSL_ESTABLISHED);
}
/* Looks to be redundant - can remove include for ioctl too */
bool
ssl_check_data_to_process(DCB *dcb)
{
/** SSL authentication is still going on, we need to call dcb_accept_SSL
* until it return 1 for success or -1 for error */
if (dcb->ssl_state == SSL_HANDSHAKE_REQUIRED && 1 == dcb_accept_SSL(dcb))
{
int b = 0;
ioctl(dcb->fd,FIONREAD,&b);
if (b != 0)
{
return true;
}
else
{
MXS_DEBUG("[gw_read_client_event] No data in socket after SSL auth");
}
}
return false;
}
/**
* @brief Check whether a DCB requires SSL.
*
* This is a very simple test, but is placed in an SSL function so that
* the knowledge of the SSL process is removed from the more general
* handling of a connection in the protocols.
*
* @param dcb Request handler DCB connected to the client
* @return Boolean indicating whether SSL is required.
*/
bool
ssl_required_by_dcb(DCB *dcb)
{
return NULL != dcb->listen_ssl;
}
/**
* @brief Check whether a DCB requires SSL, but SSL is not yet negotiated.
*
* This is a very simple test, but is placed in an SSL function so that
* the knowledge of the SSL process is removed from the more general
* handling of a connection in the protocols.
*
* @param dcb Request handler DCB connected to the client
* @return Boolean indicating whether SSL is required and not negotiated.
*/
bool
ssl_required_but_not_negotiated(DCB *dcb)
{
return (NULL != dcb->listen_ssl && SSL_HANDSHAKE_UNKNOWN == dcb->ssl_state);
}

1
server/core/listener.c
View File

@ -36,6 +36,7 @@
#include <stdlib.h>
#include <string.h>
#include <listener.h>
#include <gw_ssl.h>
#include <gw_protocol.h>
#include <log_manager.h>

15
server/core/poll.c
View File

@ -71,7 +71,8 @@ int max_poll_sleep;
* processing.
* 07/07/15 Martin Brampton Simplified add and remove DCB, improve error handling.
* 23/08/15 Martin Brampton Added test so only DCB with a session link can be added to the poll list
*
* 07/02/16 Martin Brampton Added a small piece of SSL logic to EPOLLIN
*
* @endverbatim
*/
@ -971,7 +972,17 @@ process_pollq(int thread_id)
if (poll_dcb_session_check(dcb, "read"))
{
dcb->func.read(dcb);
int return_code = 1;
/** SSL authentication is still going on, we need to call dcb_accept_SSL
* until it return 1 for success or -1 for error */
if (dcb->ssl_state == SSL_HANDSHAKE_REQUIRED)
{
return_code = dcb_accept_SSL(dcb);
}
if (1 == return_code)
{
dcb->func.read(dcb);
}
}
}
}