author | Emmanuel Dreyfus <manu@netbsd.org> | 2015-07-30 13:54:51 +0200 |
---|---|---|
committer | Kaleb KEITHLEY <kkeithle@redhat.com> | 2015-08-05 04:51:43 -0700 |
commit | 28fc199d5dc92a69eb2b899bbea23548dc14a39b (patch) | |
tree | e56099991bcf6579651cc7b021b26e52ce1ebd26 /xlators/mgmt/glusterd/src | |
parent | a0919d638a889f03a5bd804cf4c3a63084680fce (diff) |
SSL improvements: ECDH, DH, CRL, and accessible options
- Introduce ssl.dh-param option to specify a file containing DH parameters.
If it is provided, EDH ciphers are available.
- Introduce ssl.ec-curve option to specify an elliptic curve name. If
unspecified, ECDH ciphers are available using the prime256v1 curve.
- Introduce ssl.crl-path option to specify the directory where the
CRL hash file can be found. Setting to NULL disable CRL checking,
just like the default.
- Make all ssl.* options accessible through gluster volume set.
- In default cipher list, exclude weak ciphers instead of listing
the strong ones.
- Enforce server cipher preference.
- introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
- Add ssl-ciphers.t test to check all the features touched by this change.
Change-Id: I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
BUG: 1247152
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/11735
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Kaushal M <kaushal@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Diffstat (limited to 'xlators/mgmt/glusterd/src')
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.c | 131 | ||||
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volgen.h | 6 | ||||
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 30 |
3 files changed, 90 insertions, 77 deletions
diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.c b/xlators/mgmt/glusterd/src/glusterd-volgen.c index 75f64fad2c0..5ac392c309e 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.c +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.c @@ -37,6 +37,20 @@ extern struct volopt_map_entry glusterd_volopt_map[]; +#define RPC_SET_OPT(XL, CLI_OPT, XLATOR_OPT, ERROR_CMD) do { \ + char *_value = NULL; \ + \ + if (dict_get_str (set_dict, CLI_OPT, &_value) == 0) { \ + if (xlator_set_option (XL, \ + "transport.socket." XLATOR_OPT, _value) != 0) { \ + gf_msg ("glusterd", GF_LOG_WARNING, errno, \ + GD_MSG_XLATOR_SET_OPT_FAIL, \ + "failed to set " XLATOR_OPT); \ + ERROR_CMD; \ + } \ + } \ +} while (0 /* CONSTCOND */) + /********************************************* * * xlator generation / graph manipulation API 
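Review bot: RPC_SET_OPT reads the caller's local `set_dict` as a free variable and runs ERROR_CMD inside the caller's function body, and neither dependency is visible where the macro is defined, so a header comment above it would help: `/* Copy CLI option CLI_OPT from the enclosing function's set_dict to XL as "transport.socket." XLATOR_OPT; on failure log a warning and execute ERROR_CMD (e.g. return -1, goto err) in the caller's scope. */`. The gf_msg call passes `errno` as the error number, whereas the code it replaces in brick_graph_add_server and glusterd_snapdsvc_generate_volfile passed 0; unless xlator_set_option sets errno on failure, the logged value may be left over from an earlier call, so either log 0 or document that expectation. A minor naming nit: `_value` is legal at block scope, but a name without the leading underscore avoids any resemblance to implementation-reserved identifiers.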
@@ -2071,25 +2085,14 @@ brick_graph_add_server (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, return -1; } - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cert-depth"); - return -1; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cipher-list", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cipher-list"); - return -1; - } - } + RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", return -1); + RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", return -1); + RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", return -1); + RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", return -1); + RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", return -1); + RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", return -1); + RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", return -1); + RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", return -1); if (username) { memset (key, 0, sizeof (key)); 
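Review bot: The option name `"ssl-cetificate-depth"` on the SSL_CERT_DEPTH_OPT line is misspelled, and it also differs from the `ssl-cert-depth` key used by the removed lines of this hunk and by the `.option = "!ssl-cert-depth"` entry in glusterd-volume-set.c. As far as this page shows, the volfile would then carry a `transport.socket.ssl-cetificate-depth` option under a name the socket transport is unlikely to recognise, so a configured `ssl.certificate-depth` would silently not apply and chain-depth verification would fall back to the transport's default. The line should read `RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cert-depth", return -1);`. The same misspelling is repeated in brick_graph_add_pump, volgen_graph_build_client and glusterd_snapdsvc_generate_volfile below. brick_graph_add_server's body begins and ends outside this hunk.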
@@ -2165,26 +2168,22 @@ brick_graph_add_pump (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, if (NULL == ptranst) return -1; - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (rbxl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cert-depth"); - return -1; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (rbxl, "ssl-cipher-list", - value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cipher-list"); - return -1; - } - } + RPC_SET_OPT(rbxl, SSL_OWN_CERT_OPT, "ssl-own-cert", + return -1); + RPC_SET_OPT(rbxl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", + return -1); + RPC_SET_OPT(rbxl, SSL_CA_LIST_OPT, "ssl-ca-list", + return -1); + RPC_SET_OPT(rbxl, SSL_CRL_PATH_OPT, "ssl-crl-path", + return -1); + RPC_SET_OPT(rbxl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", + return -1); + RPC_SET_OPT(rbxl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", + return -1); + RPC_SET_OPT(rbxl, SSL_DH_PARAM_OPT, "ssl-dh-param", + return -1); + RPC_SET_OPT(rbxl, SSL_EC_CURVE_OPT, "ssl-ec-curve", + return -1); if (username) { ret = xlator_set_option (rbxl, "username", username); 
@@ -2743,25 +2742,14 @@ volgen_graph_build_client (volgen_graph_t *graph, glusterd_volinfo_t *volinfo, } } - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cert-depth"); - goto err; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cipher-list", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, errno, - GD_MSG_DICT_GET_FAILED, - "failed to set ssl-cipher-list"); - goto err; - } - } + RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", goto err); + RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", goto err); + RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", goto err); + RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", goto err); + RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", goto err); + RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", goto err); + RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", goto err); + RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", goto err); return xl; err: 
@@ -5007,25 +4995,14 @@ glusterd_snapdsvc_generate_volfile (volgen_graph_t *graph, if (ret) return -1; - if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cert-depth", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cert-depth"); - return -1; - } - } - - if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) { - ret = xlator_set_option (xl, "ssl-cipher-list", value); - if (ret) { - gf_msg ("glusterd", GF_LOG_WARNING, 0, - GD_MSG_XLATOR_SET_OPT_FAIL, - "failed to set ssl-cipher-list"); - return -1; - } - } + RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", return -1); + RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", return -1); + RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", return -1); + RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", return -1); + RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", return -1); + RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", return -1); + RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", return -1); + RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", return -1); username = glusterd_auth_get_username (volinfo); passwd = glusterd_auth_get_password (volinfo); diff --git a/xlators/mgmt/glusterd/src/glusterd-volgen.h b/xlators/mgmt/glusterd/src/glusterd-volgen.h index 9a0c9798a9e..cbd3cf38d51 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volgen.h +++ b/xlators/mgmt/glusterd/src/glusterd-volgen.h @@ -40,8 +40,14 @@ #define AUTH_REJECT_OPT_KEY "auth.addr.*.reject" #define NFS_DISABLE_OPT_KEY "nfs.*.disable" +#define SSL_OWN_CERT_OPT "ssl.own-cert" +#define SSL_PRIVATE_KEY_OPT "ssl.private-key" +#define SSL_CA_LIST_OPT "ssl.ca-list" +#define SSL_CRL_PATH_OPT "ssl.crl-path" #define SSL_CERT_DEPTH_OPT "ssl.certificate-depth" #define SSL_CIPHER_LIST_OPT "ssl.cipher-list" +#define SSL_DH_PARAM_OPT "ssl.dh-param" +#define SSL_EC_CURVE_OPT "ssl.ec-curve" typedef enum { 
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c index f1413dbf525..eb079d072b6 100644 --- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c +++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c @@ -1077,6 +1077,26 @@ struct volopt_map_entry glusterd_volopt_map[] = { }, /* Generic transport options */ + { .key = SSL_OWN_CERT_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-own-cert", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_PRIVATE_KEY_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-private-key", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_CA_LIST_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-ca-list", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_CRL_PATH_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-crl-path", + .op_version = GD_OP_VERSION_3_7_4, + }, { .key = SSL_CERT_DEPTH_OPT, .voltype = "rpc-transport/socket", .option = "!ssl-cert-depth", @@ -1087,6 +1107,16 @@ struct volopt_map_entry glusterd_volopt_map[] = { .option = "!ssl-cipher-list", .op_version = GD_OP_VERSION_3_6_0, }, + { .key = SSL_DH_PARAM_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-dh-param", + .op_version = GD_OP_VERSION_3_7_4, + }, + { .key = SSL_EC_CURVE_OPT, + .voltype = "rpc-transport/socket", + .option = "!ssl-ec-curve", + .op_version = GD_OP_VERSION_3_7_4, + }, /* Performance xlators enable/disbable options */ { .key = "performance.write-behind", |
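Review bot: The new volopt_map entries for `ssl.own-cert`, `ssl.private-key`, `ssl.ca-list` and `ssl.crl-path` carry no `.description`, so `gluster volume set help` gives an operator no indication that these are file paths which must exist on every brick host and client that loads the generated volfile. Because the values are written into volfiles and opened by brick daemons and clients, a one-line description per entry naming the expected content would be worthwhile, e.g. `.description = "Path to the PEM certificate this node presents; must exist on every node loading the volfile."` for SSL_OWN_CERT_OPT. The `ssl.crl-path` description should also state that the `NULL` value described in the commit message disables CRL checking, so a disabled revocation check is an explicit, visible choice in `volume info` rather than an unexplained string. glusterd_volopt_map's definition begins and ends outside these hunks.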