From e5a49a2f7b159f0b90321a9d6f74dc923b3e3f82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 17 May 2019 17:21:50 +0300
Subject: [PATCH] MXS-2483: Take SSLContext into use in binlogrouter
---
 server/modules/routing/binlogrouter/blr.cc | 29 +--
 .../routing/binlogrouter/blr_master.cc | 18 +-
 .../modules/routing/binlogrouter/blr_slave.cc | 169 ++++++------------
 3 files changed, 56 insertions(+), 160 deletions(-)
diff --git a/server/modules/routing/binlogrouter/blr.cc b/server/modules/routing/binlogrouter/blr.cc
index aa5af9f99..59fe35b96 100644
--- a/server/modules/routing/binlogrouter/blr.cc
+++ b/server/modules/routing/binlogrouter/blr.cc
@@ -824,29 +824,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params
 return NULL;
 }
- mxs::SSLContext* ssl_cfg;
- /* Allocate SSL struct for backend connection */
- if ((ssl_cfg =
- static_cast(MXS_CALLOC(1, sizeof(mxs::SSLContext)))) == NULL)
- {
- MXS_ERROR("%s: Error allocating memory for SSL struct in createInstance",
- inst->service->name());
-
- MXS_FREE(service->dbref);
- sqlite3_close_v2(inst->gtid_maps);
- free_instance(inst);
- return NULL;
- }
-
- /* Set some SSL defaults */
- ssl_cfg->ssl_init_done = false;
- ssl_cfg->ssl_method_type = SERVICE_SSL_TLS_MAX;
- ssl_cfg->ssl_cert_verify_depth = 9;
- ssl_cfg->ssl_verify_peer_certificate = true;
-
- /** Set SSL pointer in in server struct */
- server->server_ssl = ssl_cfg;
-
 /* Add server to service backend list */
 serviceAddBackend(inst->service, server);
@@ -1502,11 +1479,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
 /* SSL options */
 if (router_inst->ssl_enabled)
 {
- dcb_printf(dcb, "\tMaster SSL is ON:\n");
- if (router_inst->service->dbref->server && router_inst->service->dbref->server->server_ssl)
- {
- dcb_printf(dcb, "%s", router_inst->service->dbref->server->server_ssl->to_string().c_str());
- }
+ dcb_printf(dcb, "%s", router_inst->service->dbref->server->server_ssl->to_string().c_str());
 }
 /* Binlog Encryption options */
diff --git a/server/modules/routing/binlogrouter/blr_master.cc b/server/modules/routing/binlogrouter/blr_master.cc
index 4c63af3e6..c3d00e401 100644
--- a/server/modules/routing/binlogrouter/blr_master.cc
+++ b/server/modules/routing/binlogrouter/blr_master.cc
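Review bot: Dropping the `server && server->server_ssl` guard in diagnostics turns a previously defensive print into an unconditional dereference of `router_inst->service->dbref->server->server_ssl`. In this same commit createInstance (hunk at line 824) no longer allocates a context for the server, and blr_set_master_ssl in blr_slave.cc sets `router->ssl_enabled` before calling mxs::SSLContext::create and leaves it set when create fails, so `ssl_enabled` true with a null `server_ssl` looks reachable and would crash here. Keeping the check, `if (router_inst->ssl_enabled && router_inst->service->dbref->server->server_ssl)`, costs nothing and matches blr_master_get_config in blr_slave.cc, which still tests `server_ssl` before using it. The removed `Master SSL is ON` heading also means the section is unlabeled unless to_string() prints its own heading, which I cannot confirm from the hunk. diagnostics starts and ends outside the hunk.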
@@ -3235,41 +3235,25 @@ void blr_master_set_config(ROUTER_INSTANCE* inst, const ChangeMasterConfig& conf
 if (!config.ssl_ca.empty())
 {
- MXS_FREE(backend_server->server_ssl->ssl_ca_cert);
- backend_server->server_ssl->ssl_ca_cert = MXS_STRDUP_A(config.ssl_ca.c_str());
 MXS_FREE(inst->ssl_ca);
 inst->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
 }
 if (!config.ssl_cert.empty())
 {
- MXS_FREE(backend_server->server_ssl->ssl_cert);
- backend_server->server_ssl->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
 MXS_FREE(inst->ssl_cert);
 inst->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
 }
 if (!config.ssl_key.empty())
 {
- MXS_FREE(backend_server->server_ssl->ssl_key);
- backend_server->server_ssl->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
 MXS_FREE(inst->ssl_key);
 inst->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
 }
 if (!config.ssl_version.empty())
 {
- if (listener_set_ssl_version(backend_server->server_ssl, config.ssl_version.c_str()) != 0)
- {
- MXS_ERROR("Found unknown optional parameter value for 'ssl_version' for"
- " service '%s': %s, ignoring it.",
- inst->service->name(),
- config.ssl_version.c_str());
- }
- else
- {
- inst->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
- }
+ inst->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
 }
 if (config.heartbeat_period >= 0)
diff --git a/server/modules/routing/binlogrouter/blr_slave.cc b/server/modules/routing/binlogrouter/blr_slave.cc
index 1abf98750..df27c3fd2 100644
--- a/server/modules/routing/binlogrouter/blr_slave.cc
+++ b/server/modules/routing/binlogrouter/blr_slave.cc
@@ -4841,8 +4841,6 @@ static char* blr_set_master_logfile(ROUTER_INSTANCE* router,
 */
 static void blr_master_get_config(ROUTER_INSTANCE* router, MasterServerConfig* curr_master)
 {
- mxs::SSLContext* server_ssl;
-
 curr_master->port = router->service->dbref->server->port;
 curr_master->host = router->service->dbref->server->address;
 curr_master->pos = router->current_pos;
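Review bot: The new `inst->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());` in blr_master_set_config overwrites the previous string without releasing it, while the ssl_ca, ssl_cert and ssl_key branches directly above each call MXS_FREE first; adding `MXS_FREE(inst->ssl_version);` before the strdup keeps the four branches consistent and avoids leaking the old value on a repeated CHANGE MASTER. The removed listener_set_ssl_version call also means an unrecognised ssl_version string is now stored here without any check, which is fine if mxs::SSLContext::create (used by blr_set_master_ssl in blr_slave.cc) is the place that validates it, but that is not visible from this hunk and deserves a comment such as `/* Validated when the SSLContext is created from these fields */`. blr_master_set_config starts before and continues after the hunk.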
@@ -4854,23 +4852,23 @@ static void blr_master_get_config(ROUTER_INSTANCE* router, MasterServerConfig* c
 /* SSL options */
 if (router->service->dbref->server->server_ssl)
 {
- server_ssl = router->service->dbref->server->server_ssl;
+ auto server_ssl = router->service->dbref->server->server_ssl;
 curr_master->ssl_enabled = router->ssl_enabled;
 if (router->ssl_version)
 {
 curr_master->ssl_version = router->ssl_version;
 }
- if (server_ssl->ssl_key)
+ if (!server_ssl->ssl_key().empty())
 {
- curr_master->ssl_key = server_ssl->ssl_key;
+ curr_master->ssl_key = server_ssl->ssl_key();
 }
- if (server_ssl->ssl_cert)
+ if (!server_ssl->ssl_cert().empty())
 {
- curr_master->ssl_cert = server_ssl->ssl_cert;
+ curr_master->ssl_cert = server_ssl->ssl_cert();
 }
- if (server_ssl->ssl_ca_cert)
+ if (!server_ssl->ssl_ca().empty())
 {
- curr_master->ssl_ca = server_ssl->ssl_ca_cert;
+ curr_master->ssl_ca = server_ssl->ssl_ca();
 }
 }
 /* Connect options */
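Review bot: `auto server_ssl = router->service->dbref->server->server_ssl;` hides that the local is a pointer into the server, which the `server_ssl->` dereferences on the following lines rely on; `auto* server_ssl = router->service->dbref->server->server_ssl;` (or `const auto*` if the ssl_key/ssl_cert/ssl_ca accessors are const) makes that visible at the declaration. The null test on `server_ssl` kept at the top of this block is the right shape and is the one the diagnostics hunk in blr.cc drops, so the two sites now disagree on whether the pointer may be null. blr_master_get_config begins in the previous hunk and continues past `/* Connect options */`.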
@@ -6330,126 +6328,67 @@ static int blr_set_master_ssl(ROUTER_INSTANCE* router,
 const ChangeMasterConfig& config,
 char* error_message)
 {
- mxs::SSLContext* server_ssl = NULL;
- int updated = 0;
+ bool updated = 0;
 if (config.ssl_enabled)
 {
 router->ssl_enabled = config.ssl_enabled;
- updated++;
 }
- if (router->ssl_enabled == false)
+ if (router->ssl_enabled)
 {
- /* Free SSL struct */
- blr_free_ssl_data(router);
- }
- else
- {
- /* Check for existing SSL struct */
- if (router->service->dbref->server->server_ssl)
+ MXS_CONFIG_PARAMETER params;
+ params.set_from_list({
+ {CN_SSL, CN_REQUIRED},
+ {CN_SSL_KEY, config.ssl_key},
+ {CN_SSL_CERT, config.ssl_cert},
+ {CN_SSL_CA_CERT, config.ssl_ca},
+ {CN_SSL_VERSION, config.ssl_version},
+ {CN_SSL_CERT_VERIFY_DEPTH, "9"},
+ {CN_SSL_VERIFY_PEER_CERTIFICATE, "true"}
+ });
+
+ auto ssl = mxs::SSLContext::create(params);
+
+ if (ssl)
 {
- server_ssl = router->service->dbref->server->server_ssl;
- server_ssl->ssl_init_done = false;
+ updated = 1;
+ delete router->service->dbref->server->server_ssl;
+ router->service->dbref->server->server_ssl = ssl;
+
+ /* Update options in router fields */
+ if (!config.ssl_key.empty())
+ {
+ mxb_assert((config.ssl_key.front() != '\'') && (config.ssl_key.front() != '"'));
+ MXS_FREE(router->ssl_key);
+ router->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
+ }
+ if (!config.ssl_ca.empty())
+ {
+ mxb_assert((config.ssl_ca.front() != '\'') && (config.ssl_ca.front() != '"'));
+ MXS_FREE(router->ssl_ca);
+ router->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
+ }
+ if (!config.ssl_cert.empty())
+ {
+ mxb_assert((config.ssl_cert.front() != '\'') && (config.ssl_cert.front() != '"'));
+ MXS_FREE(router->ssl_cert);
+ router->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
+ }
+ if (!config.ssl_version.empty())
+ {
+ mxb_assert((config.ssl_version.front() != '\'') && (config.ssl_version.front() != '"'));
+ MXS_FREE(router->ssl_version);
+ router->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
+ }
 }
 else
 {
- /* Allocate SSL struct for backend connection */
- server_ssl = static_cast(MXS_CALLOC(1, sizeof(mxs::SSLContext)));
- if (server_ssl == NULL)
- {
- router->ssl_enabled = false;
-
- /* Report back the error */
- snprintf(error_message,
- BINLOG_ERROR_MSG_LEN,
- "CHANGE MASTER TO: Error allocating memory for SSL struct"
- " in blr_set_master_ssl");
-
- return -1;
- }
-
- /* Set some SSL defaults */
- server_ssl->ssl_init_done = false;
- server_ssl->ssl_method_type = SERVICE_SSL_TLS_MAX;
- server_ssl->ssl_cert_verify_depth = 9;
-
- /* Set the pointer */
- router->service->dbref->server->server_ssl = server_ssl;
+ updated = -1;
 }
 }
- /* Update options in router fields and in server_ssl struct, if present */
- if (!config.ssl_key.empty())
- {
- mxb_assert((config.ssl_key.front() != '\'') && (config.ssl_key.front() != '"'));
-
- if (server_ssl)
- {
- MXS_FREE(server_ssl->ssl_key);
- server_ssl->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
- }
- MXS_FREE(router->ssl_key);
- router->ssl_key = MXS_STRDUP_A(config.ssl_key.c_str());
- updated++;
- }
- if (!config.ssl_ca.empty())
- {
- mxb_assert((config.ssl_ca.front() != '\'') && (config.ssl_ca.front() != '"'));
-
- if (server_ssl)
- {
- MXS_FREE(server_ssl->ssl_ca_cert);
- server_ssl->ssl_ca_cert = MXS_STRDUP_A(config.ssl_ca.c_str());
- }
- MXS_FREE(router->ssl_ca);
- router->ssl_ca = MXS_STRDUP_A(config.ssl_ca.c_str());
- updated++;
- }
- if (!config.ssl_cert.empty())
- {
- mxb_assert((config.ssl_cert.front() != '\'') && (config.ssl_cert.front() != '"'));
-
- if (server_ssl)
- {
- MXS_FREE(server_ssl->ssl_cert);
- server_ssl->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
- }
- MXS_FREE(router->ssl_cert);
- router->ssl_cert = MXS_STRDUP_A(config.ssl_cert.c_str());
- updated++;
- }
-
- if (!config.ssl_version.empty() && server_ssl)
- {
- mxb_assert((config.ssl_version.front() != '\'') && (config.ssl_version.front() != '"'));
-
- if (!config.ssl_version.empty())
- {
- if (listener_set_ssl_version(server_ssl, config.ssl_version.c_str()) != 0)
- {
- /* Report back the error */
- snprintf(error_message,
- BINLOG_ERROR_MSG_LEN,
- "Unknown parameter value for 'ssl_version': %s",
- config.ssl_version.c_str());
- return -1;
- }
- /* Set provided ssl_version in router SSL cfg anyway */
- MXS_FREE(router->ssl_version);
- router->ssl_version = MXS_STRDUP_A(config.ssl_version.c_str());
- updated++;
- }
- }
-
- if (updated)
- {
- return 1;
- }
- else
- {
- return 0;
- }
+ return updated;
 }
 /**
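Review bot: `bool updated = 0;` combined with `updated = -1;` in the else branch and `return updated;` makes the failure path of blr_set_master_ssl (an int-returning function whose signature line is just above the hunk) return 1: -1 converted to bool is true, which widens back to 1, so the caller sees the same value as success, and `error_message` is never filled in where the removed code returned -1 with a message. `updated` should stay `int`, and the branch where mxs::SSLContext::create returns null should write `error_message` with snprintf and BINLOG_ERROR_MSG_LEN as the removed allocation-failure code did. Because `router->ssl_enabled` is assigned before create is attempted and is not cleared on failure, a server that had no context before is left with `ssl_enabled` true and `server_ssl` null, which the diagnostics hunk in blr.cc now dereferences without a guard. The `delete router->service->dbref->server->server_ssl;` is only safe if every remaining producer of that pointer allocates with new (createInstance's MXS_CALLOC is removed in this commit, so presumably it does), which is worth a one-line comment next to the delete.
```cpp
    int updated = 0;
    // … unchanged: ssl_enabled update, params.set_from_list(...), mxs::SSLContext::create(params), success branch …
        else
        {
            /* Report the failure and do not advertise SSL without a usable context */
            if (!router->service->dbref->server->server_ssl)
            {
                router->ssl_enabled = false;
            }
            snprintf(error_message,
                     BINLOG_ERROR_MSG_LEN,
                     "CHANGE MASTER TO: Failed to create SSL context in blr_set_master_ssl");
            updated = -1;
        }
    // … unchanged: closing braces …
    return updated;
```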