Moved SSL structure to the DCB instead of the MySQL protocol.

This allows for non-MySQL SSL connections.
2015-06-01 20:51:26 +03:00
parent 4d5291c263
commit d7232d8b6e
6 changed files with 164 additions and 60 deletions
--- a/server/core/dcb.c
+++ b/server/core/dcb.c
@ -73,6 +73,8 @@
 #include <hashtable.h>
 #include <hk_heartbeat.h>
 #include "mysql_client_server_protocol.h"
 /** Defined in log_manager.cc */
 extern int            lm_enabled_logfiles_bitmask;
 extern size_t         log_ses_count[];
@ -433,7 +435,8 @@ DCB_CALLBACK		*cb;
 		free(cb);
 	}
 	spinlock_release(&dcb->cb_lock);
-
+	if(dcb->ssl)
 	    SSL_free(dcb->ssl);
 	bitmask_free(&dcb->memdata.bitmask);
 	free(dcb);
 }
@ -894,7 +897,6 @@ return_n:
 */
 int dcb_read_SSL(
        DCB   *dcb,
 	SSL* ssl,
        GWBUF **head)
 {
        GWBUF *buffer = NULL;
@ -945,7 +947,7 @@ int dcb_read_SSL(
                                int r = -1;
                                /* try to read 1 byte, without consuming the socket buffer */
-                                r = SSL_peek(ssl, &c, sizeof(char));
+                                r = SSL_peek(dcb->ssl, &c, sizeof(char));
                                if (r <= 0)
                                {
                                        n = -1;
@ -983,10 +985,17 @@ int dcb_read_SSL(
                        n = -1;
                        goto return_n;
                }
-                n = SSL_read(ssl, GWBUF_DATA(buffer), bufsize);
+
 		int npending;
 		n = 0;
 		do
 		{
 		    n += SSL_read(dcb->ssl, GWBUF_DATA(buffer), bufsize);
 		    dcb->stats.n_reads++;
 		}while((npending = SSL_pending(dcb->ssl)) > 0);
 		int ssl_errno = 0;
 		if (n <= 0)
                {
 		    ssl_errno = ERR_get_error();
@ -1006,6 +1015,15 @@ int dcb_read_SSL(
                        goto return_n;
 		    }
                }
 		if(n < b)
 		{
 		    gwbuf_rtrim(buffer,b - n);
 		    ss_dassert(gwbuf_length(buffer) == n);
 		    LOGIF(LD,(skygw_log_write(LD,"[%lu] SSL: Truncated buffer to correct size from %d to %d bytes.\n",
 		     b,gwbuf_length(buffer))));
 		}
                nread += n;
                LOGIF(LD, (skygw_log_write(
@ -1019,7 +1037,8 @@ int dcb_read_SSL(
                        dcb->fd)));
                /*< Append read data to the gwbuf */
                *head = gwbuf_append(*head, buffer);
-		if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_NONE)
+		if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_NONE ||
 		 ssl_errno == SSL_ERROR_WANT_X509_LOOKUP || SSL_ERROR_WANT_WRITE)
 		    break;
        } /*< while (true) */
 return_n:
@ -1270,7 +1289,7 @@ int	below_water;
 * @return 0 on failure, 1 on success
 */
 int
-dcb_write_SSL(DCB *dcb, SSL* ssl, GWBUF *queue)
+dcb_write_SSL(DCB *dcb, GWBUF *queue)
 {
    int	w;
    int	saved_errno = 0;
@ -1379,7 +1398,7 @@ dcb_write_SSL(DCB *dcb, SSL* ssl, GWBUF *queue)
 #endif /* FAKE_CODE */
 	    qlen = GWBUF_LENGTH(queue);
 	    GW_NOINTR_CALL(
-		    w = gw_write_SSL(ssl, GWBUF_DATA(queue), qlen);
+		    w = gw_write_SSL(dcb->ssl, GWBUF_DATA(queue), qlen);
 	    dcb->stats.n_writes++;
 	    );
@ -1619,7 +1638,7 @@ int	above_water;
 * @return The number of bytes written
 */
 int
-dcb_drain_writeq_SSL(DCB *dcb, SSL* ssl)
+dcb_drain_writeq_SSL(DCB *dcb)
 {
    int	n = 0;
    int	w;
@ -1641,7 +1660,7 @@ dcb_drain_writeq_SSL(DCB *dcb, SSL* ssl)
 	while (dcb->writeq != NULL)
 	{
 	    len = GWBUF_LENGTH(dcb->writeq);
-	    GW_NOINTR_CALL(w = gw_write_SSL(ssl, GWBUF_DATA(dcb->writeq), len););
+	    GW_NOINTR_CALL(w = gw_write_SSL(dcb->ssl, GWBUF_DATA(dcb->writeq), len););
 	    if (w < 0)
 	    {
@ -2728,3 +2747,101 @@ DCB	*ptr;
 	spinlock_release(&dcbspin);
 	return rval;
 }
 /**
 * Create the SSL structure for this DCB.
 * This function creates the SSL structure for the given SSL context. This context
 * should be the service's context
 * @param dcb
 * @param context
 * @return 
 */
 int dcb_create_SSL(DCB* dcb)
 {
    if(serviceInitSSL(dcb->service) != 0)
    {
 	return -1;
    }
    if((dcb->ssl = SSL_new(dcb->service->ctx)) == NULL)
    {
 	skygw_log_write(LE,"Error: Failed to initialize SSL connection.");
 	return -1;
    }
    if(SSL_set_fd(dcb->ssl,dcb->fd) == 0)
    {
 	skygw_log_write(LE,"Error: Failed to set file descriptor for SSL connection.");
 	return -1;
    }
    return 0;
 }
 /**
 * Accept a SSL connection and do the SSL authentication handshake.
 * This function accepts a client connection to a DCB. It assumes that the SSL
 * structure has the underlying method of communication set and this method is ready
 * for usage. It then proceeds with the SSL handshake and stops only if an error
 * occurs or the client has not yet written enough data to complete the handshake.
 * @param dcb DCB which should accept the SSL connection
 * @return 1 if the handshake was successfully completed, 0 if the handshake is
 * still ongoing and another call to dcb_SSL_accept should be made or -1 if an
 * error occurred during the handshake and the connection should be terminated.
 */
 int dcb_accept_SSL(DCB* dcb)
 {
    int rval,errnum;
    rval = SSL_accept(dcb->ssl);
    switch(rval)
    {
    case 0:
 	errnum = SSL_get_error(dcb->ssl,rval);
 	LOGIF(LD,(skygw_log_write_flush(LD,"SSL_accept shutdown for %s@%s",
 			 dcb->user,
 			 dcb->remote)));
 	return -1;
 	break;
    case 1:
 	rval = 1;
 	LOGIF(LD,(skygw_log_write_flush(LD,"SSL_accept done for %s@%s",
 			 dcb->user,
 			 dcb->remote)));
 	break;
    case -1:
 	errnum = SSL_get_error(dcb->ssl,rval);
 	if(errnum == SSL_ERROR_WANT_READ || errnum == SSL_ERROR_WANT_WRITE ||
 	 errnum == SSL_ERROR_WANT_X509_LOOKUP)
 	{
 	    /** Not all of the data has been read. Go back to the poll
 	     queue and wait for more.*/
 	    rval = 0;
 	    LOGIF(LD,(skygw_log_write_flush(LD,"SSL_accept ongoing for %s@%s",
 			     dcb->user,
 			     dcb->remote)));
 	}
 	else
 	{
 	    rval = -1;
 	    skygw_log_write_flush(LE,
 			     "Error: Fatal error in SSL_accept for %s@%s: %s",
 			     dcb->user,
 			     dcb->remote,
 			     ERR_error_string(errnum,NULL));
 	}
 	break;
    default:
 	skygw_log_write_flush(LE,
 			 "Error: Fatal error in SSL_accept, returned value was %d.",
 			 rval);
 	break;
    }
    return rval;
 }
--- a/server/core/service.c
+++ b/server/core/service.c
@ -1818,24 +1818,28 @@ int serviceInitSSL(SERVICE* service)
    {
 	service->method = (SSL_METHOD*)SSLv23_server_method();
 	service->ctx = SSL_CTX_new(service->method);
-
+	SSL_CTX_set_read_ahead(service->ctx,1);
 	if (SSL_CTX_use_certificate_file(service->ctx, service->ssl_cert, SSL_FILETYPE_PEM) <= 0) {
 	    skygw_log_write(LE,"Error: Failed to set server SSL certificate.");
 	    return -1;
 	}
 	/* Load the private-key corresponding to the server certificate */
 	if (SSL_CTX_use_PrivateKey_file(service->ctx, service->ssl_key, SSL_FILETYPE_PEM) <= 0) {
 	    skygw_log_write(LE,"Error: Failed to set server SSL key.");
 	    return -1;
 	}
 	/* Check if the server certificate and private-key matches */
 	if (!SSL_CTX_check_private_key(service->ctx)) {
 	    skygw_log_write(LE,"Error: Server SSL certificate and key do not match.");
 	    return -1;
 	}
 	/* Load the RSA CA certificate into the SSL_CTX structure */
 	if (!SSL_CTX_load_verify_locations(service->ctx, service->ssl_ca_cert, NULL)) {
 	    skygw_log_write(LE,"Error: Failed to set Certificate Authority file.");
 	    return -1;
 	}
--- a/server/include/dcb.h
+++ b/server/include/dcb.h
@ -268,6 +268,7 @@ typedef struct dcb {
 	unsigned int	high_water;	/**< High water mark */
 	unsigned int	low_water;	/**< Low water mark */
 	struct server	*server;	/**< The associated backend server */
        SSL* ssl; /*< SSL struct for connection */
 #if defined(SS_DEBUG)
        int             dcb_port;       /**< port of target server */
        skygw_chk_t     dcb_chk_tail;
@ -340,10 +341,12 @@ bool   dcb_set_state(DCB* dcb, dcb_state_t new_state, dcb_state_t* old_state);
 void   dcb_call_foreach (struct server* server, DCB_REASON reason);
 size_t dcb_get_session_id(DCB* dcb);
 bool   dcb_get_ses_log_info(DCB* dcb, size_t* sesid, int* enabled_logs);
 int dcb_create_SSL(DCB* dcb);
 int dcb_accept_SSL(DCB* dcb);
 int gw_write_SSL(SSL* ssl, const void *buf, size_t nbytes);
-int dcb_write_SSL(DCB *dcb, SSL* ssl, GWBUF *queue);
+int dcb_write_SSL(DCB *dcb,GWBUF *queue);
-int dcb_read_SSL(DCB   *dcb,SSL* ssl,GWBUF **head);
+int dcb_read_SSL(DCB   *dcb,GWBUF **head);
-int dcb_drain_writeq_SSL(DCB *dcb, SSL* ssl);
+int dcb_drain_writeq_SSL(DCB *dcb);
 /**
--- a/server/modules/include/mysql_client_server_protocol.h
+++ b/server/modules/include/mysql_client_server_protocol.h
@ -297,7 +297,6 @@ typedef struct {
        unsigned        long tid;                         /*< MySQL Thread ID, in
        * handshake */
        unsigned int    charset;                          /*< MySQL character set at connect time */
        SSL* ssl; /*< SSL struct for client connection */
        bool use_ssl;
 #if defined(SS_DEBUG)
        skygw_chk_t     protocol_chk_tail;
--- a/server/modules/protocol/mysql_client.c
+++ b/server/modules/protocol/mysql_client.c
@ -490,14 +490,7 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
 	/** Do the SSL Handshake */
 	if(ssl && protocol->owner_dcb->service->ssl_mode != SSL_DISABLED)
 	{
-	    if(serviceInitSSL(protocol->owner_dcb->service) != 0)
+
 	    {
 		skygw_log_write(LOGFILE_ERROR,"Error: SSL initialization for service '%s' failed.",
 			 protocol->owner_dcb->service->name);
 		return 1;
 	    }
 	    protocol->ssl = SSL_new(protocol->owner_dcb->service->ctx);
 	    SSL_set_fd(protocol->ssl,dcb->fd);
 	    protocol->protocol_auth_state = MYSQL_AUTH_SSL_REQ;
 	    if(do_ssl_accept(protocol) < 0)
@ -632,7 +625,7 @@ gw_MySQLWrite_client_SSL(DCB *dcb, GWBUF *queue)
    CHK_DCB(dcb);
    protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
    CHK_PROTOCOL(protocol);
-    return dcb_write_SSL(dcb, protocol->ssl, queue);
+    return dcb_write_SSL(dcb, queue);
 }
 /**
@ -681,7 +674,7 @@ int gw_read_client_event(
 	if(protocol->use_ssl)
 	{
-	    rc = dcb_read_SSL(dcb,protocol->ssl, &read_buffer);
+	    rc = dcb_read_SSL(dcb, &read_buffer);
 	}
 	else
 	{
@ -795,7 +788,7 @@ int gw_read_client_event(
 			dcb->dcb_readqueue = gwbuf_append(dcb->dcb_readqueue, read_buffer);
 			nbytes_read = gwbuf_length(dcb->dcb_readqueue);
 			data = (uint8_t *)GWBUF_DATA(dcb->dcb_readqueue);
-
+			int plen = MYSQL_GET_PACKET_LEN(data);
 			if (nbytes_read < 3 || nbytes_read < MYSQL_GET_PACKET_LEN(data))
 			{
 				rc = 0;
@ -1255,7 +1248,7 @@ int gw_write_client_event_SSL(DCB *dcb)
        if (protocol->protocol_auth_state == MYSQL_IDLE)
        {
-		dcb_drain_writeq_SSL(dcb,protocol->ssl);
+		dcb_drain_writeq_SSL(dcb);
                goto return_1;
 	}
@ -1878,30 +1871,38 @@ return_rc:
 /**
 * Do the SSL authentication handshake.
- * This functions
+ * This creates the DCB SSL structure if one has not been created and starts the
- * @param protocol
+ * SSL handshake handling.
- * @return
+ * @param protocol Protocol to connect with SSL
 * @return 1 on success, 0 when the handshake is ongoing or -1 on error
 */
 int do_ssl_accept(MySQLProtocol* protocol)
 {
    int rval,errnum;
    char errbuf[2014];
-    DCB* dcb;
+    DCB* dcb = protocol->owner_dcb;
    if(dcb->ssl == NULL)
    {
 	if(dcb_create_SSL(dcb) != 0)
 	    return -1;
    }
-    rval = SSL_accept(protocol->ssl);
+    rval = dcb_accept_SSL(dcb);
    switch(rval)
    {
    case 0:
-	errnum = SSL_get_error(protocol->ssl,rval);
+	/** Not all of the data has been read. Go back to the poll
-	skygw_log_write_flush(LT,"SSL_accept shutdown for %s@%s",
+	 queue and wait for more.*/
 	rval = 0;
 	skygw_log_write_flush(LT,"SSL_accept ongoing for %s@%s",
 			 protocol->owner_dcb->user,
 			 protocol->owner_dcb->remote);
-	return -1;
+	return 0;
 	break;
    case 1:
 	spinlock_acquire(&protocol->protocol_lock);
 	dcb = protocol->owner_dcb;
 	protocol->protocol_auth_state = MYSQL_AUTH_SSL_HANDSHAKE_DONE;
 	protocol->use_ssl = true;
 	spinlock_release(&protocol->protocol_lock);
@ -1919,32 +1920,15 @@ int do_ssl_accept(MySQLProtocol* protocol)
 	break;
    case -1:
 	errnum = SSL_get_error(protocol->ssl,rval);
 	if(errnum == SSL_ERROR_WANT_READ || errnum == SSL_ERROR_WANT_WRITE ||
 	 errnum == SSL_ERROR_WANT_X509_LOOKUP)
 	{
 	    /** Not all of the data has been read. Go back to the poll
 	     queue and wait for more.*/
 	    rval = 0;
 	    skygw_log_write_flush(LT,"SSL_accept ongoing for %s@%s",
 			     protocol->owner_dcb->user,
 			     protocol->owner_dcb->remote);
 	}
 	else
 	{
 	    spinlock_acquire(&protocol->protocol_lock);
 	    protocol->protocol_auth_state = MYSQL_AUTH_SSL_HANDSHAKE_FAILED;
 	    spinlock_release(&protocol->protocol_lock);
 	    rval = -1;
 	    skygw_log_write_flush(LE,
 			     "Error: Fatal error in SSL_accept for %s@%s: %s",
 			     protocol->owner_dcb->user,
-			     protocol->owner_dcb->remote,
+			     protocol->owner_dcb->remote);
 			     ERR_error_string(errnum,NULL));
 	}
 	break;
    default:
--- a/server/modules/protocol/mysql_common.c
+++ b/server/modules/protocol/mysql_common.c
@ -137,10 +137,7 @@ void mysql_protocol_done (
                goto retblock;
        }
        scmd = p->protocol_cmd_history;
-        if(p->ssl)
+
 	{
 	    SSL_free(p->ssl);
 	}
        while (scmd != NULL)
        {
                scmd2 = scmd->scom_next;