hcq/MaxScale
hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved SSL structure to the DCB instead of the MySQL protocol.

Browse Source 
This allows for non-MySQL SSL connections.
This commit is contained in:
Markus Makela 2015-06-01 20:51:26 +03:00
parent 4d5291c263
commit d7232d8b6e
6 changed files with 164 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
server/core/dcb.c
View File

@ -73,6 +73,8 @@
#include <hashtable.h>
#include <hk_heartbeat.h>
#include "mysql_client_server_protocol.h"
/** Defined in log_manager.cc */
extern int lm_enabled_logfiles_bitmask;
extern size_t log_ses_count[];
@ -433,7 +435,8 @@ DCB_CALLBACK *cb;
free(cb);
}
spinlock_release(&dcb->cb_lock);
if(dcb->ssl)
SSL_free(dcb->ssl);
bitmask_free(&dcb->memdata.bitmask);
free(dcb);
}
@ -894,7 +897,6 @@ return_n:
*/
int dcb_read_SSL(
DCB *dcb,
SSL* ssl,
GWBUF **head)
{
GWBUF *buffer = NULL;
@ -945,7 +947,7 @@ int dcb_read_SSL(
int r = -1;
/* try to read 1 byte, without consuming the socket buffer */
r = SSL_peek(ssl, &c, sizeof(char));
r = SSL_peek(dcb->ssl, &c, sizeof(char));
if (r <= 0)
{
n = -1;
@ -983,11 +985,18 @@ int dcb_read_SSL(
n = -1;
goto return_n;
}
n = SSL_read(ssl, GWBUF_DATA(buffer), bufsize);
dcb->stats.n_reads++;
int npending;
n = 0;
do
{
n += SSL_read(dcb->ssl, GWBUF_DATA(buffer), bufsize);
dcb->stats.n_reads++;
}while((npending = SSL_pending(dcb->ssl)) > 0);
int ssl_errno = 0;
if (n <= 0)
if (n <= 0)
{
ssl_errno = ERR_get_error();
@ -1006,6 +1015,15 @@ int dcb_read_SSL(
goto return_n;
}
}
if(n < b)
{
gwbuf_rtrim(buffer,b - n);
ss_dassert(gwbuf_length(buffer) == n);
LOGIF(LD,(skygw_log_write(LD,"[%lu] SSL: Truncated buffer to correct size from %d to %d bytes.\n",
b,gwbuf_length(buffer))));
}
nread += n;
LOGIF(LD, (skygw_log_write(
@ -1019,7 +1037,8 @@ int dcb_read_SSL(
dcb->fd)));
/*< Append read data to the gwbuf */
*head = gwbuf_append(*head, buffer);
if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_NONE)
if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_NONE ||
ssl_errno == SSL_ERROR_WANT_X509_LOOKUP || SSL_ERROR_WANT_WRITE)
break;
} /*< while (true) */
return_n:
@ -1270,7 +1289,7 @@ int below_water;
* @return 0 on failure, 1 on success
*/
int
dcb_write_SSL(DCB *dcb, SSL* ssl, GWBUF *queue)
dcb_write_SSL(DCB *dcb, GWBUF *queue)
{
int w;
int saved_errno = 0;
@ -1379,7 +1398,7 @@ dcb_write_SSL(DCB *dcb, SSL* ssl, GWBUF *queue)
#endif /* FAKE_CODE */
qlen = GWBUF_LENGTH(queue);
GW_NOINTR_CALL(
w = gw_write_SSL(ssl, GWBUF_DATA(queue), qlen);
w = gw_write_SSL(dcb->ssl, GWBUF_DATA(queue), qlen);
dcb->stats.n_writes++;
);
@ -1619,7 +1638,7 @@ int above_water;
* @return The number of bytes written
*/
int
dcb_drain_writeq_SSL(DCB *dcb, SSL* ssl)
dcb_drain_writeq_SSL(DCB *dcb)
{
int n = 0;
int w;
@ -1641,7 +1660,7 @@ dcb_drain_writeq_SSL(DCB *dcb, SSL* ssl)
while (dcb->writeq != NULL)
{
len = GWBUF_LENGTH(dcb->writeq);
GW_NOINTR_CALL(w = gw_write_SSL(ssl, GWBUF_DATA(dcb->writeq), len););
GW_NOINTR_CALL(w = gw_write_SSL(dcb->ssl, GWBUF_DATA(dcb->writeq), len););
if (w < 0)
{
@ -2728,3 +2747,101 @@ DCB *ptr;
spinlock_release(&dcbspin);
return rval;
}
/**
* Create the SSL structure for this DCB.
* This function creates the SSL structure for the given SSL context. This context
* should be the service's context
* @param dcb
* @param context
* @return
*/
int dcb_create_SSL(DCB* dcb)
{
if(serviceInitSSL(dcb->service) != 0)
{
return -1;
}
if((dcb->ssl = SSL_new(dcb->service->ctx)) == NULL)
{
skygw_log_write(LE,"Error: Failed to initialize SSL connection.");
return -1;
}
if(SSL_set_fd(dcb->ssl,dcb->fd) == 0)
{
skygw_log_write(LE,"Error: Failed to set file descriptor for SSL connection.");
return -1;
}
return 0;
}
/**
* Accept a SSL connection and do the SSL authentication handshake.
* This function accepts a client connection to a DCB. It assumes that the SSL
* structure has the underlying method of communication set and this method is ready
* for usage. It then proceeds with the SSL handshake and stops only if an error
* occurs or the client has not yet written enough data to complete the handshake.
* @param dcb DCB which should accept the SSL connection
* @return 1 if the handshake was successfully completed, 0 if the handshake is
* still ongoing and another call to dcb_SSL_accept should be made or -1 if an
* error occurred during the handshake and the connection should be terminated.
*/
int dcb_accept_SSL(DCB* dcb)
{
int rval,errnum;
rval = SSL_accept(dcb->ssl);
switch(rval)
{
case 0:
errnum = SSL_get_error(dcb->ssl,rval);
LOGIF(LD,(skygw_log_write_flush(LD,"SSL_accept shutdown for %s@%s",
dcb->user,
dcb->remote)));
return -1;
break;
case 1:
rval = 1;
LOGIF(LD,(skygw_log_write_flush(LD,"SSL_accept done for %s@%s",
dcb->user,
dcb->remote)));
break;
case -1:
errnum = SSL_get_error(dcb->ssl,rval);
if(errnum == SSL_ERROR_WANT_READ || errnum == SSL_ERROR_WANT_WRITE ||
errnum == SSL_ERROR_WANT_X509_LOOKUP)
{
/** Not all of the data has been read. Go back to the poll
queue and wait for more.*/
rval = 0;
LOGIF(LD,(skygw_log_write_flush(LD,"SSL_accept ongoing for %s@%s",
dcb->user,
dcb->remote)));
}
else
{
rval = -1;
skygw_log_write_flush(LE,
"Error: Fatal error in SSL_accept for %s@%s: %s",
dcb->user,
dcb->remote,
ERR_error_string(errnum,NULL));
}
break;
default:
skygw_log_write_flush(LE,
"Error: Fatal error in SSL_accept, returned value was %d.",
rval);
break;
}
return rval;
}

6
server/core/service.c
View File

@ -1818,24 +1818,28 @@ int serviceInitSSL(SERVICE* service)
{
service->method = (SSL_METHOD*)SSLv23_server_method();
service->ctx = SSL_CTX_new(service->method);
SSL_CTX_set_read_ahead(service->ctx,1);
if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) {
skygw_log_write(LE,"Error: Failed to set server SSL certificate.");
return -1;
}
/* Load the private-key corresponding to the server certificate */
if (SSL_CTX_use_PrivateKey_file(service->ctx, service->ssl_key, SSL_FILETYPE_PEM) <= 0) {
skygw_log_write(LE,"Error: Failed to set server SSL key.");
return -1;
}
/* Check if the server certificate and private-key matches */
if (!SSL_CTX_check_private_key(service->ctx)) {
skygw_log_write(LE,"Error: Server SSL certificate and key do not match.");
return -1;
}
/* Load the RSA CA certificate into the SSL_CTX structure */
if (!SSL_CTX_load_verify_locations(service->ctx, service->ssl_ca_cert, NULL)) {
skygw_log_write(LE,"Error: Failed to set Certificate Authority file.");
return -1;
}

9
server/include/dcb.h
View File

@ -268,6 +268,7 @@ typedef struct dcb {
unsigned int high_water; /**< High water mark */
unsigned int low_water; /**< Low water mark */
struct server *server; /**< The associated backend server */
SSL* ssl; /*< SSL struct for connection */
#if defined(SS_DEBUG)
int dcb_port; /**< port of target server */
skygw_chk_t dcb_chk_tail;
@ -340,10 +341,12 @@ bool dcb_set_state(DCB* dcb, dcb_state_t new_state, dcb_state_t* old_state);
void dcb_call_foreach (struct server* server, DCB_REASON reason);
size_t dcb_get_session_id(DCB* dcb);
bool dcb_get_ses_log_info(DCB* dcb, size_t* sesid, int* enabled_logs);
int dcb_create_SSL(DCB* dcb);
int dcb_accept_SSL(DCB* dcb);
int gw_write_SSL(SSL* ssl, const void *buf, size_t nbytes);
int dcb_write_SSL(DCB *dcb, SSL* ssl, GWBUF *queue);
int dcb_read_SSL(DCB *dcb,SSL* ssl,GWBUF **head);
int dcb_drain_writeq_SSL(DCB *dcb, SSL* ssl);
int dcb_write_SSL(DCB *dcb,GWBUF *queue);
int dcb_read_SSL(DCB *dcb,GWBUF **head);
int dcb_drain_writeq_SSL(DCB *dcb);
/**

1
server/modules/include/mysql_client_server_protocol.h
View File

@ -297,7 +297,6 @@ typedef struct {
unsigned long tid; /*< MySQL Thread ID, in
* handshake */
unsigned int charset; /*< MySQL character set at connect time */
SSL* ssl; /*< SSL struct for client connection */
bool use_ssl;
#if defined(SS_DEBUG)
skygw_chk_t protocol_chk_tail;

64
server/modules/protocol/mysql_client.c
View File

@ -490,14 +490,7 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
/** Do the SSL Handshake */
if(ssl && protocol->owner_dcb->service->ssl_mode != SSL_DISABLED)
{
if(serviceInitSSL(protocol->owner_dcb->service) != 0)
{
skygw_log_write(LOGFILE_ERROR,"Error: SSL initialization for service '%s' failed.",
protocol->owner_dcb->service->name);
return 1;
}
protocol->ssl = SSL_new(protocol->owner_dcb->service->ctx);
SSL_set_fd(protocol->ssl,dcb->fd);
protocol->protocol_auth_state = MYSQL_AUTH_SSL_REQ;
if(do_ssl_accept(protocol) < 0)
@ -632,7 +625,7 @@ gw_MySQLWrite_client_SSL(DCB *dcb, GWBUF *queue)
CHK_DCB(dcb);
protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
CHK_PROTOCOL(protocol);
return dcb_write_SSL(dcb, protocol->ssl, queue);
return dcb_write_SSL(dcb, queue);
}
/**
@ -681,7 +674,7 @@ int gw_read_client_event(
if(protocol->use_ssl)
{
rc = dcb_read_SSL(dcb,protocol->ssl, &read_buffer);
rc = dcb_read_SSL(dcb, &read_buffer);
}
else
{
@ -795,7 +788,7 @@ int gw_read_client_event(
dcb->dcb_readqueue = gwbuf_append(dcb->dcb_readqueue, read_buffer);
nbytes_read = gwbuf_length(dcb->dcb_readqueue);
data = (uint8_t *)GWBUF_DATA(dcb->dcb_readqueue);
int plen = MYSQL_GET_PACKET_LEN(data);
if (nbytes_read < 3 || nbytes_read < MYSQL_GET_PACKET_LEN(data))
{
rc = 0;
@ -1255,7 +1248,7 @@ int gw_write_client_event_SSL(DCB *dcb)
if (protocol->protocol_auth_state == MYSQL_IDLE)
{
dcb_drain_writeq_SSL(dcb,protocol->ssl);
dcb_drain_writeq_SSL(dcb);
goto return_1;
}
@ -1878,30 +1871,38 @@ return_rc:
/**
* Do the SSL authentication handshake.
* This functions
* @param protocol
* @return
* This creates the DCB SSL structure if one has not been created and starts the
* SSL handshake handling.
* @param protocol Protocol to connect with SSL
* @return 1 on success, 0 when the handshake is ongoing or -1 on error
*/
int do_ssl_accept(MySQLProtocol* protocol)
{
int rval,errnum;
char errbuf[2014];
DCB* dcb;
rval = SSL_accept(protocol->ssl);
DCB* dcb = protocol->owner_dcb;
if(dcb->ssl == NULL)
{
if(dcb_create_SSL(dcb) != 0)
return -1;
}
rval = dcb_accept_SSL(dcb);
switch(rval)
{
case 0:
errnum = SSL_get_error(protocol->ssl,rval);
skygw_log_write_flush(LT,"SSL_accept shutdown for %s@%s",
/** Not all of the data has been read. Go back to the poll
queue and wait for more.*/
rval = 0;
skygw_log_write_flush(LT,"SSL_accept ongoing for %s@%s",
protocol->owner_dcb->user,
protocol->owner_dcb->remote);
return -1;
return 0;
break;
case 1:
spinlock_acquire(&protocol->protocol_lock);
dcb = protocol->owner_dcb;
protocol->protocol_auth_state = MYSQL_AUTH_SSL_HANDSHAKE_DONE;
protocol->use_ssl = true;
spinlock_release(&protocol->protocol_lock);
@ -1919,32 +1920,15 @@ int do_ssl_accept(MySQLProtocol* protocol)
break;
case -1:
errnum = SSL_get_error(protocol->ssl,rval);
if(errnum == SSL_ERROR_WANT_READ || errnum == SSL_ERROR_WANT_WRITE ||
errnum == SSL_ERROR_WANT_X509_LOOKUP)
{
/** Not all of the data has been read. Go back to the poll
queue and wait for more.*/
rval = 0;
skygw_log_write_flush(LT,"SSL_accept ongoing for %s@%s",
protocol->owner_dcb->user,
protocol->owner_dcb->remote);
}
else
{
spinlock_acquire(&protocol->protocol_lock);
protocol->protocol_auth_state = MYSQL_AUTH_SSL_HANDSHAKE_FAILED;
spinlock_release(&protocol->protocol_lock);
rval = -1;
skygw_log_write_flush(LE,
"Error: Fatal error in SSL_accept for %s@%s: %s",
protocol->owner_dcb->user,
protocol->owner_dcb->remote,
ERR_error_string(errnum,NULL));
}
protocol->owner_dcb->remote);
break;
default:

5
server/modules/protocol/mysql_common.c
View File

@ -137,10 +137,7 @@ void mysql_protocol_done (
goto retblock;
}
scmd = p->protocol_cmd_history;
if(p->ssl)
{
SSL_free(p->ssl);
}
while (scmd != NULL)
{
scmd2 = scmd->scom_next;