glusterfs.git/rpc/rpc-transport/socket, branch master glusterd: dump SSL error stack on disconnect 2020-08-13T19:38:10+00:00 Leonid Ishimnikov lishim@fastmail.com 2020-08-13T19:37:50+00:00 bb5801d1480314e09b4203d2525bd01aada5c683 Problem: When a non-SSL connection is attempted on an SSL-enabled management port, unrelated peers are subsequently disconnected from the node with a misleading error message. Cause: A non-SSL client causes OpenSSL to push a wrong version error into its thread-local error stack, but this error is never cleared, and it lingers in the stack until the thread is used by another SSL session, and a certain condition requires the error stack to be examined, at which time the old error is discovered and the connection is terminated. Solution: Log and clear the error stack upon terminating the connection. Change-Id: I82f3a723285df24dafc88850ae4fca65b69f6ae4 Fixes: #1418 Signed-off-by: Leonid Ishimnikov <lishim@fastmail.com> 
Problem:  When a non-SSL connection is attempted on an SSL-enabled
          management port, unrelated peers are subsequently disconnected
          from the node with a misleading error message.
Cause:    A non-SSL client causes OpenSSL to push a wrong version error
          into its thread-local error stack, but this error is never
          cleared, and it lingers in the stack until the thread is used
          by another SSL session, and a certain condition requires the error
          stack to be examined, at which time the old error is discovered and
          the connection is terminated.
Solution: Log and clear the error stack upon terminating the connection.

Change-Id: I82f3a723285df24dafc88850ae4fca65b69f6ae4
Fixes: #1418
Signed-off-by: Leonid Ishimnikov <lishim@fastmail.com>
socket: Use AES128 cipher in SSL if AES is supported by CPU 2020-05-26T02:58:12+00:00 Mohit Agrawal moagrawal@redhat.com 2020-01-02T04:53:52+00:00 177cc09d24515596eb51739ce0a276c26e3c52f1 SSL performance is improved after configuring AES128 cipher so use AES128 cipher as a default cipher on the CPU those enabled AES bits otherwise ssl use AES256 cipher Change-Id: I91c50fe987cbb22ed76f8012094730c592c63506 Fixes: #1050 Signed-off-by: Mohit Agrawal <moagrawal@redhat.com> 
SSL performance is improved after configuring AES128 cipher
so use AES128 cipher as a default cipher on the CPU those
enabled AES bits otherwise ssl use AES256 cipher

Change-Id: I91c50fe987cbb22ed76f8012094730c592c63506
Fixes: #1050
Signed-off-by: Mohit Agrawal <moagrawal@redhat.com>
socket: Resolve ssl_ctx leak for a brick while only mgmt SSL is enabled 2020-04-28T14:19:36+00:00 Mohit Agrawal moagrawal@redhat.com 2020-04-23T06:19:32+00:00 9873baee34afdf0c20f5fc98a7dbf2a9f07447e2 Problem: While only mgmt SSL is enabled for a brick process use_ssl flag is false for a brick process and socket api's cleanup ssl_ctx only while use_ssl and ssl_ctx both are valid Solution: To avoid a leak check only ssl_ctx, if it is valid cleanup ssl_ctx Fixes: #1196 Change-Id: I2f4295478f4149dcb7d608ea78ee5104f28812c3 Signed-off-by: Mohit Agrawal <moagrawal@redhat.com> 
Problem: While only mgmt SSL is enabled for a brick process use_ssl flag
         is false for a brick process and socket api's cleanup ssl_ctx only
         while use_ssl and ssl_ctx both are valid

Solution: To avoid a leak check only ssl_ctx, if it is valid cleanup
          ssl_ctx

Fixes: #1196
Change-Id: I2f4295478f4149dcb7d608ea78ee5104f28812c3
Signed-off-by: Mohit Agrawal <moagrawal@redhat.com>
rpc: Make ssl log more useful 2020-04-02T08:31:29+00:00 Mohit Agrawal moagrawal@redhat.com 2020-03-31T11:15:35+00:00 80dd8cceab3b860bf1bc2945c8e2d8d0b3913e48 Currently, ssl_setup_connection_params throws 4 messages for every rpc connection that irritates a user while reading the logs. The same info we can print in a single log with peerinfo to make it more useful.ssl_setup_connection_params try to load dh_param even user has not configured it and if a dh_param file is not available it throws a failure message.To avoid the message load dh_param only while the user has configured it. Change-Id: I9ddb57f86a3fa3e519180cb5d88828e59fe0e487 Fixes: #1141 Signed-off-by: Mohit Agrawal <moagrawal@redhat.com> 
Currently, ssl_setup_connection_params throws 4 messages for every
rpc connection that irritates a user while reading the logs. The same
info we can print in a single log with peerinfo to make it more
useful.ssl_setup_connection_params try to load dh_param even user
has not configured it and if a dh_param file is not available it throws
a failure message.To avoid the message load dh_param only while the user
has configured it.

Change-Id: I9ddb57f86a3fa3e519180cb5d88828e59fe0e487
Fixes: #1141
Signed-off-by: Mohit Agrawal <moagrawal@redhat.com>
name.c: fix Coverity issues 1412332/3 - strcat into uninitialized value 2020-01-19T16:37:00+00:00 Yaniv Kaul ykaul@redhat.com 2020-01-14T14:55:32+00:00 c7b546326092d060bf84b7c578a4f21bc679674a Check limit to 108 bytes before strcpy(). fixes: CID#1412332 updates: bz#1193929 Signed-off-by: Yaniv Kaul <ykaul@redhat.com> Change-Id: I8b26b1e1d2daca98ff36db531539bec0a405769c 
Check limit to 108 bytes before strcpy().

fixes: CID#1412332
updates: bz#1193929
Signed-off-by: Yaniv Kaul <ykaul@redhat.com>

Change-Id: I8b26b1e1d2daca98ff36db531539bec0a405769c
socket.c/name.c: minor changes 2020-01-13T07:29:25+00:00 Yaniv Kaul ykaul@redhat.com 2019-12-31T07:11:08+00:00 905db496aa622e421d807222dcc488488da9dbfe - Move functions to static - Remove redundant checks - Use dict_get_...sizen() where applicable - Remove unused variables. - Moved some code to be executed only if relevant. ~3% object size reduction. Change-Id: Id9b8414e0a17442f1dac10ba77014d565756c935 updates: bz#1193929 Signed-off-by: Yaniv Kaul <ykaul@redhat.com> 
- Move functions to static
- Remove redundant checks
- Use dict_get_...sizen() where applicable
- Remove unused variables.
- Moved some code to be executed only if relevant.

~3% object size reduction.

Change-Id: Id9b8414e0a17442f1dac10ba77014d565756c935
updates: bz#1193929
Signed-off-by: Yaniv Kaul <ykaul@redhat.com>
transport/socket: destroy notify mutex and condition variable 2019-12-31T05:39:30+00:00 Dmitry Antipov dmantipov@yandex.ru 2019-12-26T10:50:20+00:00 745f6534c514010cc69e2306e1621e9d14ff5dba Change-Id: Id74f829dc5c6a30d19e3c3ef42bcb938afc0d8e4 Updates: bz#1430623 Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> 
Change-Id: Id74f829dc5c6a30d19e3c3ef42bcb938afc0d8e4
Updates: bz#1430623
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
socket: fix typos and drop unused members/options 2019-12-27T17:01:33+00:00 Dmitry Antipov dmantipov@yandex.ru 2019-12-26T11:22:56+00:00 9937b9857472c346c071c3850b032ae9237721e5 Consistently fix 'configued' -> 'configured' typo, remove useless members from 'socket_private_t' and unused 'transport.socket.lowlat' option. Adjust tests as well. Change-Id: I285be196457763aec16b184acd26b90623074dec Updates: bz#1193929 Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> 
Consistently fix 'configued' -> 'configured' typo, remove useless
members from 'socket_private_t' and unused 'transport.socket.lowlat'
option. Adjust tests as well.

Change-Id: I285be196457763aec16b184acd26b90623074dec
Updates: bz#1193929
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
socket: fix error handling 2019-12-12T17:56:19+00:00 Xavi Hernandez xhernandez@redhat.com 2019-12-11T17:21:14+00:00 b202e0e01d0eb8085eb8006dfa77b7b4b06978e6 When __socket_proto_state_machine() detected a problem in the size of the request or it couldn't allocate an iobuf of the requested size, it returned -ENOMEM (-12). However the caller was expecting only -1 in case of error. For this reason the error passes undetected initially, adding back the socket to the epoll object. On further processing, however, the error is finally detected and the connection terminated. Meanwhile, another thread could receive a poll_in event from the same connection, which could cause races with the connection destruction. When this happened, the process crashed. To fix this, all error detection conditions have been hardened to be more strict on what is valid and what not. Also, we don't return -ENOMEM anymore. We always return -1 in case of error. An additional change has been done to prevent destruction of the transport object while it may still be needed. Change-Id: I6e59cd81cbf670f7adfdde942625d4e6c3fbc82d Fixes: bz#1782495 Signed-off-by: Xavi Hernandez <xhernandez@redhat.com> 
When __socket_proto_state_machine() detected a problem in the size of
the request or it couldn't allocate an iobuf of the requested size, it
returned -ENOMEM (-12). However the caller was expecting only -1 in
case of error. For this reason the error passes undetected initially,
adding back the socket to the epoll object. On further processing,
however, the error is finally detected and the connection terminated.
Meanwhile, another thread could receive a poll_in event from the same
connection, which could cause races with the connection destruction.
When this happened, the process crashed.

To fix this, all error detection conditions have been hardened to be
more strict on what is valid and what not. Also, we don't return
-ENOMEM anymore. We always return -1 in case of error.

An additional change has been done to prevent destruction of the
transport object while it may still be needed.

Change-Id: I6e59cd81cbf670f7adfdde942625d4e6c3fbc82d
Fixes: bz#1782495
Signed-off-by: Xavi Hernandez <xhernandez@redhat.com>
socket.c: minor changes 2019-11-19T05:46:56+00:00 Yaniv Kaul ykaul@redhat.com 2019-11-04T13:25:27+00:00 b9181e9212b6916ba1c8a269c1474e7aef144f6a 1. Remove dead code and declarations 2. Move some dict functions to use more efficient ones. 3. Use more constants, where possible. 4. Align messages - easier to grep the code for them. 5. Aligned structures and adding padding where needed. Change-Id: Ifc2639afe65a935fab5238d3e4a121b662836d3d updates: bz#1193929 Signed-off-by: Yaniv Kaul <ykaul@redhat.com> 
1. Remove dead code and declarations
2. Move some dict functions to use more efficient ones.
3. Use more constants, where possible.
4. Align messages - easier to grep the code for them.
5. Aligned structures and adding padding where needed.

Change-Id: Ifc2639afe65a935fab5238d3e4a121b662836d3d
updates: bz#1193929
Signed-off-by: Yaniv Kaul <ykaul@redhat.com>