diff options
| author | Mohit Agrawal <moagrawa@redhat.com> | 2018-03-14 09:37:52 +0530 |
|---|---|---|
| committer | Jeff Darcy <jeff@pl.atyp.us> | 2018-03-19 19:00:03 +0000 |
| commit | cf06dd544004701ef43fa81c5b7a95353d5c1d65 (patch) | |
| tree | 7f52598cb402269c781d020686886bf28c481232 | |
| parent | de52876407040a8cae9656ede9f66084d4cb45ac (diff) | |
glusterd: TLS verification fails while using intermediate CA
Problem: TLS verification fails while using intermediate CA
if mgmt SSL is enabled.
Solution: There are two main issue of TLS verification failing
1) not calling ssl_api to set cert_depth
2) The current code does not allow to set certificate depth
while MGMT SSL is enabled.
After apply this patch to set certificate depth user
need to set parameter option transport.socket.ssl-cert-depth <depth>
in /var/lib/glusterd/secure_acccess instead to set in
/etc/glusterfs/glusterd.vol. At the time of set secure_mgmt in ctx
we will check the value of cert-depth and save the value of cert-depth
in ctx.If user does not provide any value in cert-depth in that case
it will consider default value is 1
BUG: 1555154
Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35
Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
| -rw-r--r-- | api/src/glfs-mgmt.c | 1 | ||||
| -rw-r--r-- | cli/src/cli.c | 1 | ||||
| -rw-r--r-- | glusterfsd/src/glusterfsd-mgmt.c | 2 | ||||
| -rw-r--r-- | glusterfsd/src/glusterfsd.c | 1 | ||||
| -rw-r--r-- | heal/src/glfs-heal.c | 1 | ||||
| -rw-r--r-- | libglusterfs/src/glusterfs.h | 6 | ||||
| -rw-r--r-- | libglusterfs/src/graph.c | 42 | ||||
| -rw-r--r-- | libglusterfs/src/libglusterfs.sym | 3 | ||||
| -rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 12 | ||||
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-handler.c | 3 |
10 files changed, 66 insertions, 6 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c index f709b54d49e..229caa98777 100644 --- a/api/src/glfs-mgmt.c +++ b/api/src/glfs-mgmt.c @@ -1040,6 +1040,7 @@ glfs_mgmt_init (struct glfs *fs) if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { ctx->secure_mgmt = 1; + ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } rpc = rpc_clnt_new (options, THIS, THIS->name, 8); diff --git a/cli/src/cli.c b/cli/src/cli.c index 930182c65b7..b58f211d3dd 100644 --- a/cli/src/cli.c +++ b/cli/src/cli.c @@ -439,6 +439,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state) /* Do this first so that an option can override. */ if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { state->ctx->secure_mgmt = 1; + state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } if (state->argc > GEO_REP_CMD_CONFIG_INDEX && diff --git a/glusterfsd/src/glusterfsd-mgmt.c b/glusterfsd/src/glusterfsd-mgmt.c index bf55a0770b4..d2b39494e51 100644 --- a/glusterfsd/src/glusterfsd-mgmt.c +++ b/glusterfsd/src/glusterfsd-mgmt.c @@ -2650,6 +2650,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx) goto out; } + + ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } rpc = rpc_clnt_new (options, THIS, THIS->name, 8); diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c index 0cc46c78943..ef06ddfed31 100644 --- a/glusterfsd/src/glusterfsd.c +++ b/glusterfsd/src/glusterfsd.c @@ -1951,6 +1951,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx) /* Do this before argp_parse so it can be overridden. */ if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { cmd_args->secure_mgmt = 1; + ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args); diff --git a/heal/src/glfs-heal.c b/heal/src/glfs-heal.c index 10d00e6d737..e86c76cde49 100644 --- a/heal/src/glfs-heal.c +++ b/heal/src/glfs-heal.c @@ -1661,6 +1661,7 @@ main (int argc, char **argv) if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) { fs->ctx->secure_mgmt = 1; + fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0); diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h index 6b0df533e69..250d8e69a4f 100644 --- a/libglusterfs/src/glusterfs.h +++ b/libglusterfs/src/glusterfs.h @@ -593,6 +593,11 @@ struct _glusterfs_ctx { */ int secure_mgmt; + /* The option is use to set cert_depth while management connection + use SSL + */ + int ssl_cert_depth; + /* * Should *our* server/inbound connections use SSL? This is only true * if we're glusterd and secure_mgmt is set, or if we're glusterfsd @@ -700,4 +705,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph); void gf_free_mig_locks (lock_migration_info_t *locks); +int glusterfs_read_secure_access_file (void); #endif /* _GLUSTERFS_H */ diff --git a/libglusterfs/src/graph.c b/libglusterfs/src/graph.c index db80e21272a..d36cf7b3da5 100644 --- a/libglusterfs/src/graph.c +++ b/libglusterfs/src/graph.c @@ -16,7 +16,7 @@ #include "defaults.h" #include <unistd.h> #include "syscall.h" - +#include <regex.h> #include "libglusterfs-messages.h" #if 0 @@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv) } #endif +int +glusterfs_read_secure_access_file (void) +{ + FILE *fp = NULL; + char line[100] = {0,}; + int cert_depth = 1; /* Default SSL CERT DEPTH */ + regex_t regcmpl; + char *key = {"^option transport.socket.ssl-cert-depth"}; + char keyval[50] = {0,}; + int start = 0, end = 0, copy_len = 0; + regmatch_t result[1] = {{0} }; + + fp = fopen (SECURE_ACCESS_FILE, "r"); + if (!fp) + goto out; + /* Check if any line matches with key */ + while (fgets(line, sizeof(line), fp) != NULL) { + if (regcomp (®cmpl, key, REG_EXTENDED)) { + goto out; + } + if (!regexec (®cmpl, line, 1, result, 0)) { + start = result[0].rm_so; + end = result[0].rm_eo; + copy_len = end - start; + strcpy (keyval, line+copy_len); + if (keyval[0]) { + cert_depth = atoi(keyval); + if (cert_depth == 0) + cert_depth = 1; /* Default SSL CERT DEPTH */ + break; + } + } + regfree(®cmpl); + } + +out: + if (fp) + fclose (fp); + return cert_depth; +} int glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl) diff --git a/libglusterfs/src/libglusterfs.sym b/libglusterfs/src/libglusterfs.sym index df97a7fd89a..6340bc8a3a2 100644 --- a/libglusterfs/src/libglusterfs.sym +++ b/libglusterfs/src/libglusterfs.sym @@ -733,6 +733,7 @@ glusterfs_graph_deactivate glusterfs_graph_destroy glusterfs_graph_destroy_residual glusterfs_graph_prepare +glusterfs_read_secure_access_file glusterfs_graph_print_file glusterfs_graph_set_first glusterfs_is_local_pathinfo @@ -1107,4 +1108,4 @@ use_spinlocks dump_options glusterfs_leaseid_buf_get gf_replace_old_iatt_in_dict -gf_replace_new_iatt_in_dict
\ No newline at end of file +gf_replace_new_iatt_in_dict diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c index e05b6f88799..a3917040069 100644 --- a/rpc/rpc-transport/socket/src/socket.c +++ b/rpc/rpc-transport/socket/src/socket.c @@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this) "using %s polling thread", priv->own_thread ? "private" : "system"); - if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) { + if (!priv->mgmt_ssl) { + if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) { + gf_log (this->name, GF_LOG_INFO, + "using certificate depth %d", cert_depth); + } + } else { + cert_depth = this->ctx->ssl_cert_depth; gf_log (this->name, GF_LOG_INFO, "using certificate depth %d", cert_depth); } @@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this) goto err; } -#if (OPENSSL_VERSION_NUMBER < 0x00905100L) - SSL_CTX_set_verify_depth(ctx, cert_depth); -#endif + SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth); if (crl_path) { #ifdef X509_V_FLAG_CRL_CHECK_ALL diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c index 2505fcff4de..26115a26b35 100644 --- a/xlators/mgmt/glusterd/src/glusterd-handler.c +++ b/xlators/mgmt/glusterd/src/glusterd-handler.c @@ -3475,6 +3475,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo, "failed to set ssl-enabled in dict"); goto out; } + + this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); + } ret = glusterd_rpc_create (&peerinfo->rpc, options, |