From ca5b466dcabc8432f68f2cf7a24fae770ad1c0cf Mon Sep 17 00:00:00 2001 From: Emmanuel Dreyfus Date: Thu, 30 Jul 2015 14:02:43 +0200 Subject: SSL improvements: ECDH, DH, CRL, and accessible options - Introduce ssl.dh-param option to specify a file containinf DH parameters. If it is provided, EDH ciphers are available. - Introduce ssl.ec-curve option to specify an elliptic curve name. If unspecified, ECDH ciphers are available using the prime256v1 curve. - Introduce ssl.crl-path option to specify the directory where the CRL hash file can be found. Setting to NULL disable CRL checking, just like the default. - Make all ssl.* options accessible through gluster volume set. - In default cipher list, exclude weak ciphers instead of listing the strong ones. - Enforce server cipher preference. - introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c - Add ssl-ciphers.t test to check all the features touched by this change. Backport of I7bfd433df6bbf176f4a58e770e06bcdbe22a101a Change-Id: I2947eabe76ae0487ecad52a60befb7de473fc90c BUG: 1247153 Signed-off-by: Emmanuel Dreyfus @ Reviewed-on: http://review.gluster.org/11763 Tested-by: NetBSD Build System Reviewed-by: Jeff Darcy --- xlators/mgmt/glusterd/src/glusterd-volgen.c | 131 ++++++++++++---------------- 1 file changed, 54 insertions(+), 77 deletions(-) (limited to 'xlators/mgmt/glusterd/src/glusterd-volgen.c') diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c index 79de941bda2..8f3e912fdab 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c @@ -42,6 +42,20 @@ extern struct volopt_map_entry glusterd_volopt_map[]; +#define RPC_SET_OPT(XL, CLI_OPT, XLATOR_OPT, ERROR_CMD) do { \ + char *_value = NULL; \ + \ + if (dict_get_str (set_dict, CLI_OPT, &_value) == 0) { \ + if (xlator_set_option (XL, \ + "transport.socket." XLATOR_OPT, _value) != 0) { \ + gf_msg ("glusterd", GF_LOG_WARNING, errno, \ + GD_MSG_XLATOR_SET_OPT_FAIL, \ + "failed to set " XLATOR_OPT); \ + ERROR_CMD; \ + } \ + } \ +} while (0 /* CONSTCOND */) + /********************************************* * * xlator generation / graph manipulation API @@ -2076,25 +2090,14 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, return -1; } - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cert-depth"); - return -1; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cipher-list", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cipher-list"); - return -1; - } - } + RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", return -1); + RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", return -1); + RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", return -1); + RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", return -1); + RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", return -1); + RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", return -1); + RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", return -1); + RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", return -1); if (username) { memset (key, 0, sizeof (key)); @@ -2170,26 +2173,22 @@ brick_graph_add_pump (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, if (NULL == ptranst) return -1; - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (rbxl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cert-depth"); - return -1; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (rbxl, "ssl-cipher-list", - value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cipher-list"); - return -1; - } - } + RPC_SET_OPT(rbxl, SSL_OWN_CERT_OPT, "ssl-own-cert", + return -1); + RPC_SET_OPT(rbxl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", + return -1); + RPC_SET_OPT(rbxl, SSL_CA_LIST_OPT, "ssl-ca-list", + return -1); + RPC_SET_OPT(rbxl, SSL_CRL_PATH_OPT, "ssl-crl-path", + return -1); + RPC_SET_OPT(rbxl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", + return -1); + RPC_SET_OPT(rbxl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", + return -1); + RPC_SET_OPT(rbxl, SSL_DH_PARAM_OPT, "ssl-dh-param", + return -1); + RPC_SET_OPT(rbxl, SSL_EC_CURVE_OPT, "ssl-ec-curve", + return -1); if (username) { ret = xlator_set_option (rbxl, "username", username); @@ -2748,25 +2747,14 @@ volgen_graph_build_client (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, } } - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cert-depth"); - goto err; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cipher-list", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cipher-list"); - goto err; - } - } + RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", goto err); + RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", goto err); + RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", goto err); + RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", goto err); + RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", goto err); + RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", goto err); + RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", goto err); + RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", goto err); return xl; err: @@ -4962,25 +4950,14 @@ glusterd_snapdsvc_generate_volfile (volgen_graph_t *graph, if (ret) return -1; - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cert-depth"); - return -1; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cipher-list", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cipher-list"); - return -1; - } - } + RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", return -1); + RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", return -1); + RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", return -1); + RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", return -1); + RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", return -1); + RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", return -1); + RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", return -1); + RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", return -1); username = glusterd_auth_get_username (volinfo); passwd = glusterd_auth_get_password (volinfo); -- cgit