Merge branch 'MXS-544' into develop-MXS-544-merge

2016-03-03 21:39:39 +02:00
parent 1a2bd8b234 1ebb998056
commit d3da98b58f
42 changed files with 3075 additions and 2294 deletions
--- a/server/include/dcb.h
+++ b/server/include/dcb.h
@ -19,13 +19,12 @@
 */
 #include <spinlock.h>
 #include <buffer.h>
+#include <gw_protocol.h>
+#include <gw_ssl.h>
 #include <modinfo.h>
 #include <gwbitmask.h>
 #include <skygw_utils.h>
 #include <netinet/in.h>
-#include <openssl/crypto.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>

 #define ERRHANDLE

@ -59,50 +58,14 @@ struct service;
 * 27/08/2014   Mark Riddoch            Addition of write event queuing
 * 23/09/2014   Mark Riddoch            New poll processing queue
 * 19/06/2015   Martin Brampton         Provision of persistent connections
+ * 20/01/2016   Martin Brampton         Moved GWPROTOCOL to gw_protocol.h
+ * 01/02/2016   Martin Brampton         Added fields for SSL and authentication
 *
 * @endverbatim
 */

 struct dcb;

-/**
- * @verbatim
- * The operations that can be performed on the descriptor
- *
- *      read            EPOLLIN handler for the socket
- *      write           MaxScale data write entry point
- *      write_ready     EPOLLOUT handler for the socket, indicates
- *                      that the socket is ready to send more data
- *      error           EPOLLERR handler for the socket
- *      hangup          EPOLLHUP handler for the socket
- *      accept          Accept handler for listener socket only
- *      connect         Create a connection to the specified server
- *                      for the session pased in
- *      close           MaxScale close entry point for the socket
- *      listen          Create a listener for the protocol
- *      auth            Authentication entry point
- *  session         Session handling entry point
- * @endverbatim
- *
- * This forms the "module object" for protocol modules within the gateway.
- *
- * @see load_module
- */
-typedef struct gw_protocol
-{
-    int (*read)(struct dcb *);
-    int (*write)(struct dcb *, GWBUF *);
-    int (*write_ready)(struct dcb *);
-    int (*error)(struct dcb *);
-    int (*hangup)(struct dcb *);
-    int (*accept)(struct dcb *);
-    int (*connect)(struct dcb *, struct server *, struct session *);
-    int (*close)(struct dcb *);
-    int (*listen)(struct dcb *, char *);
-    int (*auth)(struct dcb *, struct server *, struct session *, GWBUF *);
-    int (*session)(struct dcb *, void *);
-} GWPROTOCOL;
-
 /**
 * The event queue structure used in the polling loop to maintain a queue
 * of events that need to be processed for the DCB.
@ -128,13 +91,6 @@ typedef struct
    unsigned long   started;
 } DCBEVENTQ;

-/**
- * The GWPROTOCOL version data. The following should be updated whenever
- * the GWPROTOCOL structure is changed. See the rules defined in modinfo.h
- * that define how these numbers should change.
- */
-#define GWPROTOCOL_VERSION      {1, 0, 0}
-
 #define DCBFD_CLOSED -1

 /**
@ -218,6 +174,17 @@ typedef struct dcb_callback
    struct dcb_callback  *next;          /*< Next callback for this DCB */
 } DCB_CALLBACK;

+/**
+ * State of SSL connection
+ */
+typedef enum
+{
+    SSL_HANDSHAKE_UNKNOWN,          /*< The DCB has unknown SSL status */
+    SSL_HANDSHAKE_REQUIRED,         /*< SSL handshake is needed */
+    SSL_HANDSHAKE_DONE,             /*< The SSL handshake completed OK */
+    SSL_ESTABLISHED,                /*< The SSL connection is in use */
+    SSL_HANDSHAKE_FAILED            /*< The SSL handshake failed */
+} SSL_STATE;

 /**
 * Descriptor Control Block
@ -240,6 +207,7 @@ typedef struct dcb
    DCBEVENTQ       evq;            /**< The event queue for this DCB */
    int             fd;             /**< The descriptor */
    dcb_state_t     state;          /**< Current descriptor state */
+    SSL_STATE       ssl_state;      /**< Current state of SSL if in use */
    int             flags;          /**< DCB flags */
    char            *remote;        /**< Address of remote end */
    char            *user;          /**< User name for connection */
@ -247,6 +215,7 @@ typedef struct dcb
    char            *protoname;     /**< Name of the protocol */
    void            *protocol;      /**< The protocol specific state */
    struct session  *session;       /**< The owning session */
+    SSL_LISTENER    *listen_ssl;    /**< For a client DCB, the SSL descriptor, if any */
    GWPROTOCOL      func;           /**< The functions for this descriptor */

    int             writeqlen;      /**< Current number of byes in the write queue */
@ -325,6 +294,7 @@ DCB *dcb_get_zombies(void);
 int dcb_write(DCB *, GWBUF *);
 DCB *dcb_alloc(dcb_role_t);
 void dcb_free(DCB *);
+void dcb_free_all_memory(DCB *dcb);
 DCB *dcb_connect(struct server *, struct session *, const char *);
 DCB *dcb_clone(DCB *);
 int dcb_read(DCB *, GWBUF **, int);
@ -353,11 +323,8 @@ void dcb_hangup_foreach (struct server* server);
 size_t dcb_get_session_id(DCB* dcb);
 bool dcb_get_ses_log_info(DCB* dcb, size_t* sesid, int* enabled_logs);
 char *dcb_role_name(DCB *);                  /* Return the name of a role */
-int dcb_create_SSL(DCB* dcb);
 int dcb_accept_SSL(DCB* dcb);
 int dcb_connect_SSL(DCB* dcb);
-int dcb_read_SSL(DCB   *dcb,GWBUF **head);
-

 /**
 * DCB flags values
--- a/server/include/gw_protocol.h
+++ b/server/include/gw_protocol.h
@ -0,0 +1,88 @@
+#ifndef GW_PROTOCOL_H
+#define GW_PROTOCOL_H
+/*
+ * This file is distributed as part of the MariaDB Corporation MaxScale.  It is free
+ * software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation,
+ * version 2.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright MariaDB Corporation Ab 2013-2014
+ */
+
+/**
+ * @file protocol.h
+ *
+ * The listener definitions for MaxScale
+ *
+ * @verbatim
+ * Revision History
+ *
+ * Date         Who                     Description
+ * 22/01/16     Martin Brampton         Initial implementation
+ *
+ * @endverbatim
+ */
+
+#include <buffer.h>
+
+struct dcb;
+struct server;
+struct session;
+
+/**
+ * @verbatim
+ * The operations that can be performed on the descriptor
+ *
+ *      read            EPOLLIN handler for the socket
+ *      write           MaxScale data write entry point
+ *      write_ready     EPOLLOUT handler for the socket, indicates
+ *                      that the socket is ready to send more data
+ *      error           EPOLLERR handler for the socket
+ *      hangup          EPOLLHUP handler for the socket
+ *      accept          Accept handler for listener socket only
+ *      connect         Create a connection to the specified server
+ *                      for the session pased in
+ *      close           MaxScale close entry point for the socket
+ *      listen          Create a listener for the protocol
+ *      auth            Authentication entry point
+ *  session         Session handling entry point
+ * @endverbatim
+ *
+ * This forms the "module object" for protocol modules within the gateway.
+ *
+ * @see load_module
+ */
+typedef struct gw_protocol
+{
+    int (*read)(struct dcb *);
+    int (*write)(struct dcb *, GWBUF *);
+    int (*write_ready)(struct dcb *);
+    int (*error)(struct dcb *);
+    int (*hangup)(struct dcb *);
+    int (*accept)(struct dcb *);
+    int (*connect)(struct dcb *, struct server *, struct session *);
+    int (*close)(struct dcb *);
+    int (*listen)(struct dcb *, char *);
+    int (*auth)(struct dcb *, struct server *, struct session *, GWBUF *);
+    int (*session)(struct dcb *, void *);
+} GWPROTOCOL;
+
+/**
+ * The GWPROTOCOL version data. The following should be updated whenever
+ * the GWPROTOCOL structure is changed. See the rules defined in modinfo.h
+ * that define how these numbers should change.
+ */
+#define GWPROTOCOL_VERSION      {1, 0, 0}
+
+
+#endif /* GW_PROTOCOL_H */
+
--- a/server/include/gw_ssl.h
+++ b/server/include/gw_ssl.h
@ -0,0 +1,86 @@
+#ifndef _GW_SSL_H
+#define _GW_SSL_H
+/*
+ * This file is distributed as part of the MariaDB Corporation MaxScale.  It is free
+ * software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation,
+ * version 2.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright MariaDB Corporation Ab 2013-2014
+ */
+
+/**
+ * @file gw_ssl.h
+ *
+ * The SSL definitions for MaxScale
+ *
+ * @verbatim
+ * Revision History
+ *
+ * Date         Who                     Description
+ * 27/01/16     Martin Brampton         Initial implementation
+ *
+ * @endverbatim
+ */
+
+#include <gw_protocol.h>
+#include <openssl/crypto.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/dh.h>
+
+struct dcb;
+
+enum
+{
+    SERVICE_SSLV3,
+    SERVICE_TLS10,
+#ifdef OPENSSL_1_0
+    SERVICE_TLS11,
+    SERVICE_TLS12,
+#endif
+    SERVICE_SSL_MAX,
+    SERVICE_TLS_MAX,
+    SERVICE_SSL_TLS_MAX
+};
+
+/**
+ * Return codes for SSL authentication checks
+ */
+#define SSL_AUTH_CHECKS_OK 0
+#define SSL_ERROR_CLIENT_NOT_SSL 1
+#define SSL_ERROR_ACCEPT_FAILED 2
+
+/**
+ * The ssl_listener structure is used to aggregate the SSL configuration items
+ * and data for a particular listener
+ */
+typedef struct ssl_listener
+{
+    SSL_CTX *ctx;
+    SSL_METHOD *method;                 /*<  SSLv3 or TLS1.0/1.1/1.2 methods
+                                         * see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
+    int ssl_cert_verify_depth;          /*< SSL certificate verification depth */
+    int ssl_method_type;                /*< Which of the SSLv3 or TLS1.0/1.1/1.2 methods to use */
+    char *ssl_cert;                     /*< SSL certificate */
+    char *ssl_key;                      /*< SSL private key */
+    char *ssl_ca_cert;                  /*< SSL CA certificate */
+    bool ssl_init_done;                 /*< If SSL has already been initialized for this service */
+} SSL_LISTENER;
+
+int ssl_authenticate_client(struct dcb *dcb, const char *user, bool is_capable);
+bool ssl_is_connection_healthy(struct dcb *dcb);
+bool ssl_check_data_to_process(struct dcb *dcb);
+bool ssl_required_by_dcb(struct dcb *dcb);
+bool ssl_required_but_not_negotiated(struct dcb *dcb);
+
+#endif /* _GW_SSL_H */
--- a/server/include/listener.h
+++ b/server/include/listener.h
@ -0,0 +1,61 @@
+#ifndef _LISTENER_H
+#define _LISTENER_H
+/*
+ * This file is distributed as part of the MariaDB Corporation MaxScale.  It is free
+ * software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation,
+ * version 2.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright MariaDB Corporation Ab 2013-2014
+ */
+
+/**
+ * @file listener.h
+ *
+ * The listener definitions for MaxScale
+ *
+ * @verbatim
+ * Revision History
+ *
+ * Date         Who                     Description
+ * 19/01/16     Martin Brampton         Initial implementation
+ *
+ * @endverbatim
+ */
+
+#include <gw_protocol.h>
+#include <gw_ssl.h>
+#include <dcb.h>
+
+/**
+ * The servlistener structure is used to link a service to the protocols that
+ * are used to support that service. It defines the name of the protocol module
+ * that should be loaded to support the client connection and the port that the
+ * protocol should use to listen for incoming client connections.
+ */
+typedef struct servlistener
+{
+    char *protocol;             /**< Protocol module to load */
+    unsigned short port;        /**< Port to listen on */
+    char *address;              /**< Address to listen with */
+    char *authenticator;        /**< Name of authenticator */
+    SSL_LISTENER *ssl;          /**< Structure of SSL data or NULL */
+    DCB *listener;              /**< The DCB for the listener */
+    struct  servlistener *next; /**< Next service protocol */
+} SERV_LISTENER;
+
+SERV_LISTENER *listener_alloc(char *protocol, char *address, unsigned short port, char *authenticator, SSL_LISTENER *ssl);
+int listener_set_ssl_version(SSL_LISTENER *ssl_listener, char* version);
+void listener_set_certificates(SSL_LISTENER *ssl_listener, char* cert, char* key, char* ca_cert);
+int listener_init_SSL(SSL_LISTENER *ssl_listener);
+
+#endif
--- a/server/include/server.h
+++ b/server/include/server.h
@ -89,6 +89,7 @@ typedef struct server {
    char           *name;          /**< Server name/IP address*/
    unsigned short port;           /**< Port to listen on */
    char           *protocol;      /**< Protocol module to use */
+    SSL_LISTENER   *server_ssl;    /**< SSL data structure for server, if any */
    unsigned int   status;         /**< Status flag bitmap for the server */
    char           *monuser;       /**< User name to use to monitor the db */
    char           *monpw;         /**< Password to use to monitor the db */
--- a/server/include/service.h
+++ b/server/include/service.h
@ -19,9 +19,11 @@
 */

 #include <time.h>
+#include <gw_protocol.h>
 #include <spinlock.h>
 #include <dcb.h>
 #include <server.h>
+#include <listener.h>
 #include <filter.h>
 #include <hashtable.h>
 #include <resultset.h>
@ -59,21 +61,6 @@ struct router;
 struct router_object;
 struct users;

-/**
- * The servprotocol structure is used to link a service to the protocols that
- * are used to support that service. It defines the name of the protocol module
- * that should be loaded to support the client connection and the port that the
- * protocol should use to listen for incoming client connections.
- */
-typedef struct servprotocol
-{
-    char *protocol;             /**< Protocol module to load */
-    unsigned short port;        /**< Port to listen on */
-    char *address;              /**< Address to listen with */
-    DCB *listener;              /**< The DCB for the listener */
-    struct  servprotocol *next; /**< Next service protocol */
-} SERV_PROTOCOL;
-
 /**
 * The service statistics structure
 */
@ -120,19 +107,6 @@ typedef enum
    SSL_REQUIRED
 } ssl_mode_t;

-enum
-{
-    SERVICE_SSLV3,
-    SERVICE_TLS10,
-#ifdef OPENSSL_1_0
-    SERVICE_TLS11,
-    SERVICE_TLS12,
-#endif
-    SERVICE_SSL_MAX,
-    SERVICE_TLS_MAX,
-    SERVICE_SSL_TLS_MAX
-};
-
 #define DEFAULT_SSL_CERT_VERIFY_DEPTH 100 /*< The default certificate verification depth */
 #define SERVICE_MAX_RETRY_INTERVAL 3600 /*< The maximum interval between service start retries */

@ -156,7 +130,7 @@ typedef struct service
 {
    char *name;                        /**< The service name */
    int state;                         /**< The service state */
-    SERV_PROTOCOL *ports;              /**< Linked list of ports and protocols
+    SERV_LISTENER *ports;              /**< Linked list of ports and protocols
                                        * that this service will listen on.
                                        */
    char *routerModule;                /**< Name of router module to use */
@ -218,7 +192,7 @@ extern SERVICE *service_alloc(const char *, const char *);
 extern int service_free(SERVICE *);
 extern SERVICE *service_find(char *);
 extern int service_isvalid(SERVICE *);
-extern int serviceAddProtocol(SERVICE *, char *, char *, unsigned short);
+extern int serviceAddProtocol(SERVICE *, char *, char *, unsigned short, char *, SSL_LISTENER *);
 extern int serviceHasProtocol(SERVICE *, char *, unsigned short);
 extern void serviceAddBackend(SERVICE *, SERVER *);
 extern int serviceHasBackend(SERVICE *, SERVER *);
@ -233,7 +207,6 @@ extern int serviceSetUser(SERVICE *, char *, char *);
 extern int serviceGetUser(SERVICE *, char **, char **);
 extern bool serviceSetFilters(SERVICE *, char *);
 extern int serviceSetSSL(SERVICE *service, char* action);
-extern int serviceInitSSL(SERVICE* service);
 extern int serviceSetSSLVersion(SERVICE *service, char* version);
 extern int serviceSetSSLVerifyDepth(SERVICE* service, int depth);
 extern void serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert);
--- a/server/include/session.h
+++ b/server/include/session.h
@ -129,8 +129,7 @@ typedef struct session
    session_state_t state;            /*< Current descriptor state */
    size_t          ses_id;           /*< Unique session identifier */
    int             enabled_log_priorities; /*< Bitfield of enabled syslog priorities */
-    struct dcb      *client;          /*< The client connection */
-    void            *data;            /*< The session data */
+    struct dcb      *client_dcb;      /*< The client connection */
    void            *router_session;  /*< The router instance data */
    SESSION_STATS   stats;            /*< Session statistics */
    struct service  *service;         /*< The service this session is using */
@ -153,7 +152,7 @@ extern bool check_timeouts;
 * hk_heartbeat.h */
 extern long next_timeout_check;

-#define SESSION_PROTOCOL(x, type)       DCB_PROTOCOL((x)->client, type)
+#define SESSION_PROTOCOL(x, type)       DCB_PROTOCOL((x)->client_dcb, type)

 /**
 * A convenience macro that can be used by the protocol modules to route