[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Gluster-devel] [PATCH BUG:2999 1/1] Add SSL and multi-threading to sock
From: |
Jeff Darcy |
Subject: |
[Gluster-devel] [PATCH BUG:2999 1/1] Add SSL and multi-threading to socket transport. |
Date: |
Mon, 13 Jun 2011 15:49:53 -0400 |
User-agent: |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-2.fc11 Lightning/1.0b2pre Thunderbird/3.0.4 |
Signed-off-by: Jeff Darcy <address@hidden>
---
rpc/rpc-transport/socket/src/socket.c | 596
+++++++++++++++++++++++++++++----
rpc/rpc-transport/socket/src/socket.h | 15 +
2 files changed, 538 insertions(+), 73 deletions(-)
diff --git a/rpc/rpc-transport/socket/src/socket.c
b/rpc/rpc-transport/socket/src/socket.c
index 2948621..b52baaa 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -47,6 +47,14 @@
#define GF_LOG_ERRNO(errno) ((errno == ENOTCONN) ? GF_LOG_DEBUG :
GF_LOG_ERROR)
#define SA(ptr) ((struct sockaddr *)ptr)
+#define SSL_OWN_CERT_OPT "transport.socket.ssl-own-cert"
+#define SSL_PRIVATE_KEY_OPT "transport.socket.ssl-private-key"
+#define SSL_CA_LIST_OPT "transport.socket.ssl-ca-list"
+#define OWN_THREAD_OPT "transport.socket.own-thread"
+
+#define POLL_MASK_INPUT (POLLIN | POLLPRI)
+#define POLL_MASK_OUTPUT (POLLOUT)
+#define POLL_MASK_ERROR (POLLERR | POLLHUP | POLLNVAL)
#define __socket_proto_reset_pending(priv) do { \
memset (&priv->incoming.frag.vector, 0, \
@@ -133,9 +141,127 @@
__socket_proto_update_priv_after_read (priv, ret,
bytes_read); \
}
-
int socket_init (rpc_transport_t *this);
+int
+ssl_setup_connection (socket_private_t *priv, int server)
+{
+ X509 *peer;
+ char peer_CN[256];
+ int ret;
+
+ priv->ssl_ssl = SSL_new(priv->ssl_ctx);
+ priv->ssl_sbio = BIO_new_socket(priv->sock,BIO_NOCLOSE);
+ SSL_set_bio(priv->ssl_ssl,priv->ssl_sbio,priv->ssl_sbio);
+ if (server) {
+ ret = SSL_accept(priv->ssl_ssl);
+ }
+ else {
+ ret = SSL_connect(priv->ssl_ssl);
+ }
+ if (ret >= 0) {
+ gf_log(__func__,GF_LOG_DEBUG,"verify_result = %lu (%d)",
+ SSL_get_verify_result(priv->ssl_ssl), X509_V_OK);
+ peer = SSL_get_peer_certificate(priv->ssl_ssl);
+ if (peer) {
+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
+ NID_commonName, peer_CN, sizeof(peer_CN)-1);
+ peer_CN[sizeof(peer_CN)-1] = '\0';
+ gf_log(__func__,GF_LOG_DEBUG,"peer CN = %s", peer_CN);
+ }
+ }
+ else {
+ unsigned long errnum;
+ char errbuf[120];
+
+ gf_log(__func__,GF_LOG_ERROR,"connect error %d",
+ SSL_get_error(priv->ssl_ssl,ret));
+ while ((errnum = ERR_get_error())) {
+ ERR_error_string(errnum,errbuf);
+ gf_log(__func__,GF_LOG_ERROR," %s",errbuf);
+ }
+ }
+ return ret;
+}
+
+int
+ssl_write_one (socket_private_t *priv, void *buf, size_t len)
+{
+ int r;
+ struct pollfd pfd;
+
+ for (;;) {
+ r = SSL_write(priv->ssl_ssl,buf,len);
+ switch (SSL_get_error(priv->ssl_ssl,r)) {
+ case SSL_ERROR_NONE:
+ return r;
+ case SSL_ERROR_WANT_READ:
+ pfd.fd = priv->sock;
+ pfd.events = POLLIN;
+ if (poll(&pfd,1,-1) < 0) {
+ gf_log(__func__,GF_LOG_ERROR,"poll error %d",
+ errno);
+ return -1;
+ }
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ pfd.fd = priv->sock;
+ pfd.events = POLLOUT;
+ if (poll(&pfd,1,-1) < 0) {
+ gf_log(__func__,GF_LOG_ERROR,"poll error %d",
+ errno);
+ return -1;
+ }
+ break;
+ default:
+ gf_log(__func__,GF_LOG_ERROR,"SSL error %lu",
+ ERR_peek_error());
+ errno = EIO;
+ return -1;
+ }
+ }
+}
+
+int
+ssl_read_one (socket_private_t *priv, void *buf, size_t len)
+{
+ int r;
+ struct pollfd pfd;
+
+ for (;;) {
+ r = SSL_read(priv->ssl_ssl,buf,len);
+ switch (SSL_get_error(priv->ssl_ssl,r)) {
+ case SSL_ERROR_NONE:
+ return r;
+ case SSL_ERROR_ZERO_RETURN:
+ return 0;
+ case SSL_ERROR_WANT_READ:
+ pfd.fd = priv->sock;
+ pfd.events = POLLIN;
+ if (poll(&pfd,1,-1) < 0) {
+ gf_log(__func__,GF_LOG_ERROR,"poll error %d",
+ errno);
+ return -1;
+ }
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ pfd.fd = priv->sock;
+ pfd.events = POLLOUT;
+ if (poll(&pfd,1,-1) < 0) {
+ gf_log(__func__,GF_LOG_ERROR,"poll error %d",
+ errno);
+ return -1;
+ }
+ break;
+ default:
+ gf_log(__func__,GF_LOG_ERROR,"SSL error %lu",
+ ERR_peek_error());
+ errno = EIO;
+ return -1;
+ }
+ }
+}
+
/*
* return value:
* 0 = success (completed)
@@ -170,7 +296,13 @@ __socket_rwv (rpc_transport_t *this, struct iovec
*vector, int count,
while (opcount) {
if (write) {
- ret = writev (sock, opvector, opcount);
+ if (priv->use_ssl) {
+ ret = ssl_write_one(priv,
+ opvector->iov_base, opvector->iov_len);
+ }
+ else {
+ ret = writev (sock, opvector, opcount);
+ }
if (ret == 0 || (ret == -1 && errno == EAGAIN)) {
/* done for now */
@@ -178,7 +310,13 @@ __socket_rwv (rpc_transport_t *this, struct iovec
*vector, int count,
}
this->total_bytes_write += ret;
} else {
- ret = readv (sock, opvector, opcount);
+ if (priv->use_ssl) {
+ ret = ssl_read_one(priv,
+ opvector->iov_base, opvector->iov_len);
+ }
+ else {
+ ret = readv (sock, opvector, opcount);
+ }
if (ret == -1 && errno == EAGAIN) {
/* done for now */
break;
@@ -288,6 +426,15 @@ __socket_disconnect (rpc_transport_t *this)
"shutdown() returned %d. %s",
ret, strerror (errno));
}
+ if (priv->own_thread) {
+ /* TBD: SSL shutdown */
+ /*
+ * Without this, reconnect (= disconnect + connect)
+ * won't work except by accident.
+ */
+ close(priv->sock);
+ priv->sock = -1;
+ }
}
out:
@@ -621,9 +768,11 @@ out:
int
-__socket_ioq_churn_entry (rpc_transport_t *this, struct ioq *entry)
+__socket_ioq_churn_entry (rpc_transport_t *this, struct ioq *entry, int
direct)
{
- int ret = -1;
+ int ret = -1;
+ socket_private_t *priv = NULL;
+ char a_byte = 0;
ret = __socket_writev (this, entry->pending_vector,
entry->pending_count,
@@ -634,6 +783,18 @@ __socket_ioq_churn_entry (rpc_transport_t *this,
struct ioq *entry)
/* current entry was completely written */
GF_ASSERT (entry->pending_count == 0);
__socket_ioq_entry_free (entry);
+ priv = this->private;
+ if (priv->own_thread) {
+ /*
+ * The pipe should only remain readable if there are
+ * more entries after this, so drain the byte
+ * representing this entry.
+ */
+ if (!direct && read(priv->pipe[0],&a_byte,1) < 1) {
+ gf_log(this->name,GF_LOG_WARNING,
+ "read error on pipe");
+ }
+ }
}
return ret;
@@ -656,13 +817,13 @@ __socket_ioq_churn (rpc_transport_t *this)
/* pick next entry */
entry = priv->ioq_next;
- ret = __socket_ioq_churn_entry (this, entry);
+ ret = __socket_ioq_churn_entry (this, entry, 0);
if (ret != 0)
break;
}
- if (list_empty (&priv->ioq)) {
+ if (!priv->own_thread && list_empty (&priv->ioq)) {
/* all pending writes done, not interested in POLLOUT */
priv->idx = event_select_on (this->ctx->event_pool,
priv->sock, priv->idx, -1, 0);
@@ -1640,13 +1801,13 @@ socket_event_poll_in (rpc_transport_t *this)
{
int ret = -1;
rpc_transport_pollin_t *pollin = NULL;
+ socket_private_t *priv = this->private;
ret = socket_proto_state_machine (this, &pollin);
if (pollin != NULL) {
ret = rpc_transport_notify (this,
RPC_TRANSPORT_MSG_RECEIVED,
pollin);
-
rpc_transport_pollin_destroy (pollin);
}
@@ -1731,9 +1892,9 @@ int
socket_event_handler (int fd, int idx, void *data,
int poll_in, int poll_out, int poll_err)
{
- rpc_transport_t *this = NULL;
+ rpc_transport_t *this = NULL;
socket_private_t *priv = NULL;
- int ret = 0;
+ int ret = -1;
this = data;
GF_VALIDATE_OR_GOTO ("socket", this, out);
@@ -1743,38 +1904,127 @@ socket_event_handler (int fd, int idx, void *data,
THIS = this->xl;
priv = this->private;
-
pthread_mutex_lock (&priv->lock);
{
priv->idx = idx;
}
pthread_mutex_unlock (&priv->lock);
- if (!priv->connected) {
- ret = socket_connect_finish (this);
- }
+ ret = priv->connected ? 0 : socket_connect_finish(this);
if (!ret && poll_out) {
ret = socket_event_poll_out (this);
}
-
+
if (!ret && poll_in) {
ret = socket_event_poll_in (this);
}
-
+
if ((ret < 0) || poll_err) {
/* Logging has happened already in earlier cases */
gf_log ("transport", ((ret >= 0) ? GF_LOG_INFO :
GF_LOG_DEBUG),
"disconnecting now");
socket_event_poll_err (this);
rpc_transport_unref (this);
- }
+ }
out:
- return 0;
+ return ret;
+}
+
+
+void *
+socket_poller (void *ctx)
+{
+ rpc_transport_t *this = ctx;
+ socket_private_t *priv = this->private;
+ struct pollfd pfd[2] = {{0,},};
+ gf_boolean_t to_write = _gf_false;
+ int ret = 0;
+ int orig_gen;
+
+ if (!priv->connected) {
+ THIS = this->xl;
+ ret = socket_connect_finish (this);
+ orig_gen = ++(priv->socket_gen);
+ }
+
+ for (;;) {
+ if (priv->socket_gen != orig_gen) {
+ gf_log(this->name,GF_LOG_DEBUG,
+ "redundant poller exiting");
+ return NULL;
+ }
+ pthread_mutex_lock(&priv->lock);
+ to_write = !list_empty(&priv->ioq);
+ pthread_mutex_unlock(&priv->lock);
+ pfd[0].fd = priv->pipe[0];
+ pfd[0].events = POLL_MASK_ERROR;
+ pfd[0].revents = 0;
+ pfd[1].fd = priv->sock;
+ pfd[1].events = POLL_MASK_INPUT | POLL_MASK_ERROR;
+ pfd[1].revents = 0;
+ if (to_write) {
+ pfd[1].events |= POLL_MASK_OUTPUT;
+ }
+ else {
+ pfd[0].events |= POLL_MASK_INPUT;
+ }
+ if (poll(pfd,2,-1) < 0) {
+ gf_log(this->name,GF_LOG_ERROR,"poll failed");
+ return NULL;
+ }
+ if (pfd[0].revents & POLL_MASK_ERROR) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "poll error on pipe");
+ return NULL;
+ }
+ /* Only glusterd actually seems to need this. */
+ THIS = this->xl;
+ if (pfd[1].revents & POLL_MASK_INPUT) {
+ ret = socket_event_poll_in(this);
+ if (ret >= 0) {
+ /* Suppress errors while making progress. */
+ pfd[1].revents &= ~POLL_MASK_ERROR;
+ }
+ else if (errno == ENOTCONN) {
+ ret = 0;
+ }
+ }
+ else if (pfd[1].revents & POLL_MASK_OUTPUT) {
+ ret = socket_event_poll_out(this);
+ if (ret >= 0) {
+ /* Suppress errors while making progress. */
+ pfd[1].revents &= ~POLL_MASK_ERROR;
+ }
+ else if (errno == ENOTCONN) {
+ ret = 0;
+ }
+ }
+ else {
+ /*
+ * This usually means that we left poll() because
+ * somebody pushed a byte onto our pipe. That wakeup
+ * is why the pipe is there, but once awake we can do
+ * all the checking we need on the next iteration.
+ */
+ ret = 0;
+ }
+ if (pfd[1].revents & POLL_MASK_ERROR) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "poll error on socket");
+ return NULL;
+ }
+ if (ret < 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "unknown error in polling loop");
+ return NULL;
+ }
+ }
}
+
int
socket_server_event_handler (int fd, int idx, void *data,
int poll_in, int poll_out, int poll_err)
@@ -1813,19 +2063,6 @@ socket_server_event_handler (int fd, int idx,
void *data,
goto unlock;
}
- if (!priv->bio) {
- ret = __socket_nonblock (new_sock);
-
- if (ret == -1) {
- gf_log (this->name, GF_LOG_WARNING,
- "NBIO on %d failed (%s)",
- new_sock, strerror
(errno));
-
- close (new_sock);
- goto unlock;
- }
- }
-
if (priv->nodelay) {
ret = __socket_nodelay (new_sock);
if (ret == -1) {
@@ -1883,20 +2120,61 @@ socket_server_event_handler (int fd, int idx,
void *data,
new_trans->listener = this;
new_priv = new_trans->private;
+ new_priv->use_ssl = priv->use_ssl;
+ new_priv->sock = new_sock;
+ new_priv->own_thread = priv->own_thread;
+
+ if (priv->use_ssl) {
+ new_priv->ssl_ctx = priv->ssl_ctx;
+ if (ssl_setup_connection(new_priv,1) < 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "server setup failed");
+ close(new_sock);
+ goto unlock;
+ }
+ }
+
+ if (!priv->bio) {
+ ret = __socket_nonblock (new_sock);
+
+ if (ret == -1) {
+ gf_log (this->name, GF_LOG_WARNING,
+ "NBIO on %d failed (%s)",
+ new_sock, strerror
(errno));
+
+ close (new_sock);
+ goto unlock;
+ }
+ }
+
pthread_mutex_lock (&new_priv->lock);
{
- new_priv->sock = new_sock;
new_priv->connected = 1;
rpc_transport_ref (new_trans);
- new_priv->idx =
- event_register (ctx->event_pool,
- new_sock,
-
socket_event_handler,
- new_trans, 1, 0);
+ if (new_priv->own_thread) {
+ if (pipe(new_priv->pipe) < 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not create pipe");
+ }
+ if (pthread_create(&new_priv->thread,
+ NULL, socket_poller,
+ new_trans) != 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not create poll
thread");
+ }
+ }
+ else {
+ new_priv->idx =
+ event_register (ctx->event_pool,
+ new_sock,
+
socket_event_handler,
+ new_trans,
+ 1, 0);
+ if (new_priv->idx == -1)
+ ret = -1;
+ }
- if (new_priv->idx == -1)
- ret = -1;
}
pthread_mutex_unlock (&new_priv->lock);
if (ret == -1) {
@@ -2036,19 +2314,6 @@ socket_connect (rpc_transport_t *this, int port)
}
}
- if (!priv->bio) {
- ret = __socket_nonblock (priv->sock);
-
- if (ret == -1) {
- gf_log (this->name, GF_LOG_ERROR,
- "NBIO on %d failed (%s)",
- priv->sock, strerror (errno));
- close (priv->sock);
- priv->sock = -1;
- goto unlock;
- }
- }
-
if (priv->keepalive) {
ret = __socket_keepalive (priv->sock,
priv->keepaliveintvl,
@@ -2084,17 +2349,55 @@ socket_connect (rpc_transport_t *this, int port)
goto unlock;
}
- priv->connected = 0;
+ if (priv->use_ssl) {
+ ret = ssl_setup_connection(priv,0);
+ if (ret < 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "client setup failed");
+ close(priv->sock);
+ priv->sock = -1;
+ goto unlock;
+ }
+ }
- rpc_transport_ref (this);
+ if (!priv->bio) {
+ ret = __socket_nonblock (priv->sock);
- priv->idx = event_register (ctx->event_pool, priv->sock,
- socket_event_handler, this,
1, 1);
- if (priv->idx == -1) {
- gf_log ("", GF_LOG_WARNING,
- "failed to register the event");
- ret = -1;
+ if (ret == -1) {
+ gf_log (this->name, GF_LOG_ERROR,
+ "NBIO on %d failed (%s)",
+ priv->sock, strerror (errno));
+ close (priv->sock);
+ priv->sock = -1;
+ goto unlock;
+ }
}
+
+ priv->connected = 0;
+ rpc_transport_ref (this);
+
+ if (priv->own_thread) {
+ if (pipe(priv->pipe) < 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not create pipe");
+ }
+
+ if (pthread_create(&priv->thread,NULL,
+ socket_poller, this) != 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not create poll thread");
+ }
+ }
+ else {
+ priv->idx = event_register (ctx->event_pool, priv->sock,
+ socket_event_handler,
+ this, 1, 1);
+ if (priv->idx == -1) {
+ gf_log ("", GF_LOG_WARNING,
+ "failed to register the event");
+ ret = -1;
+ }
+ }
}
unlock:
pthread_mutex_unlock (&priv->lock);
@@ -2260,6 +2563,7 @@ socket_submit_request (rpc_transport_t *this,
rpc_transport_req_t *req)
char need_append = 1;
struct ioq *entry = NULL;
glusterfs_ctx_t *ctx = NULL;
+ char a_byte = 'j';
GF_VALIDATE_OR_GOTO ("socket", this, out);
GF_VALIDATE_OR_GOTO ("socket", this->private, out);
@@ -2285,21 +2589,31 @@ socket_submit_request (rpc_transport_t *this,
rpc_transport_req_t *req)
goto unlock;
if (list_empty (&priv->ioq)) {
- ret = __socket_ioq_churn_entry (this, entry);
+ ret = __socket_ioq_churn_entry (this, entry, 1);
- if (ret == 0)
+ if (ret == 0) {
need_append = 0;
-
- if (ret > 0)
+ }
+ if (ret > 0) {
need_poll_out = 1;
+ }
}
if (need_append) {
list_add_tail (&entry->list, &priv->ioq);
+ if (priv->own_thread) {
+ /*
+ * Make sure the polling thread wakes up, by
+ * writing a byte to represent this entry.
+ */
+ if (write(priv->pipe[1],&a_byte,1) < 1) {
+ gf_log(this->name,GF_LOG_WARNING,
+ "write error on pipe");
+ }
+ }
ret = 0;
}
-
- if (need_poll_out) {
+ if (!priv->own_thread && need_poll_out) {
/* first entry to wait. continue writing on
POLLOUT */
priv->idx = event_select_on (ctx->event_pool,
priv->sock,
@@ -2323,6 +2637,7 @@ socket_submit_reply (rpc_transport_t *this,
rpc_transport_reply_t *reply)
char need_append = 1;
struct ioq *entry = NULL;
glusterfs_ctx_t *ctx = NULL;
+ char a_byte = 'd';
GF_VALIDATE_OR_GOTO ("socket", this, out);
GF_VALIDATE_OR_GOTO ("socket", this->private, out);
@@ -2341,33 +2656,44 @@ socket_submit_reply (rpc_transport_t *this,
rpc_transport_reply_t *reply)
}
goto unlock;
}
+
priv->submit_log = 0;
entry = __socket_ioq_new (this, &reply->msg);
if (!entry)
goto unlock;
+
if (list_empty (&priv->ioq)) {
- ret = __socket_ioq_churn_entry (this, entry);
+ ret = __socket_ioq_churn_entry (this, entry, 1);
- if (ret == 0)
+ if (ret == 0) {
need_append = 0;
-
- if (ret > 0)
+ }
+ if (ret > 0) {
need_poll_out = 1;
+ }
}
if (need_append) {
list_add_tail (&entry->list, &priv->ioq);
+ if (priv->own_thread) {
+ /*
+ * Make sure the polling thread wakes up, by
+ * writing a byte to represent this entry.
+ */
+ if (write(priv->pipe[1],&a_byte,1) < 1) {
+ gf_log(this->name,GF_LOG_WARNING,
+ "write error on pipe");
+ }
+ }
ret = 0;
}
-
- if (need_poll_out) {
+ if (!priv->own_thread && need_poll_out) {
/* first entry to wait. continue writing on
POLLOUT */
priv->idx = event_select_on (ctx->event_pool,
priv->sock,
priv->idx, -1, 1);
}
}
-
unlock:
pthread_mutex_unlock (&priv->lock);
@@ -2515,6 +2841,8 @@ socket_init (rpc_transport_t *this)
char *optstr = NULL;
uint32_t keepalive = 0;
uint32_t backlog = 0;
+ int session_id = 0;
+ int ssl_opts = 0;
if (this->private) {
gf_log_callingfn (this->name, GF_LOG_ERROR,
@@ -2629,6 +2957,104 @@ socket_init (rpc_transport_t *this)
}
priv->windowsize = (int)windowsize;
+
+ if (dict_get_str(this->options,SSL_OWN_CERT_OPT,&optstr) == 0) {
+ priv->ssl_own_cert = gf_strdup(optstr);
+ ++ssl_opts;
+ }
+ if (dict_get_str(this->options,SSL_PRIVATE_KEY_OPT,&optstr) == 0) {
+ priv->ssl_private_key = gf_strdup(optstr);
+ ++ssl_opts;
+ }
+ if (dict_get_str(this->options,SSL_CA_LIST_OPT,&optstr) == 0) {
+ priv->ssl_ca_list = gf_strdup(optstr);
+ ++ssl_opts;
+ }
+ switch (ssl_opts) {
+ case 0:
+ /* Not using SSL. Boo hoo, but not an error. */
+ priv->use_ssl = _gf_false;
+ break;
+ case 3:
+ /* SSL is fully configured. Yay. */
+ gf_log(this->name,GF_LOG_INFO,"SSL support enabled.");
+ priv->use_ssl = _gf_true;
+ break;
+ default:
+ /*
+ * Tried to configure SSL, but something's missing. If they
+ * meant to secure the connection, continuing would violate
+ * their trust.
+ */
+ if (priv->ssl_own_cert) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "own-cert given without private-key/ca-list");
+ GF_FREE(priv->ssl_own_cert);
+ }
+ if (priv->ssl_private_key) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "private-key given without own-cert/ca-list");
+ GF_FREE(priv->ssl_private_key);
+ }
+ if (priv->ssl_ca_list) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "ca-list given without own-cert/private-key");
+ GF_FREE(priv->ssl_ca_list);
+ }
+ GF_FREE(priv);
+ goto out;
+ }
+
+ priv->own_thread = priv->use_ssl;
+ if (dict_get_str(this->options,OWN_THREAD_OPT,&optstr) == 0) {
+ if (gf_string2boolean (optstr, &priv->own_thread) != 0) {
+ gf_log (this->name, GF_LOG_ERROR,
+ "invalid value given for own-thread boolean");
+ }
+ }
+ gf_log(this->name,GF_LOG_INFO,"using %s polling thread",
+ priv->own_thread ? "private" : "system");
+
+ if (priv->use_ssl) {
+ SSL_library_init();
+ SSL_load_error_strings();
+ priv->ssl_meth = SSLv23_method();
+ priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
+
+ if (!SSL_CTX_use_certificate_chain_file(priv->ssl_ctx,
+ priv->ssl_own_cert)) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not load our cert");
+ goto out;
+ }
+
+ if (!SSL_CTX_use_PrivateKey_file(priv->ssl_ctx,
+ priv->ssl_private_key,
+ SSL_FILETYPE_PEM)) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not load private key");
+ goto out;
+ }
+
+ if (!SSL_CTX_load_verify_locations(priv->ssl_ctx,
+ priv->ssl_ca_list,0)) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not load CA list");
+ goto out;
+ }
+
+#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+ SSL_CTX_set_verify_depth(ctx,1);
+#endif
+
+ priv->ssl_session_id = ++session_id;
+ SSL_CTX_set_session_id_context(priv->ssl_ctx,
+ (void *)&priv->ssl_session_id,
+ sizeof(priv->ssl_session_id));
+
+ SSL_CTX_set_verify(priv->ssl_ctx,SSL_VERIFY_PEER,0);
+ }
+
out:
this->private = priv;
@@ -2733,5 +3159,29 @@ struct volume_options options[] = {
{ .key = {"transport.socket.listen-backlog"},
.type = GF_OPTION_TYPE_INT
},
+ { .key = {SSL_OWN_CERT_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
+ { .key = {SSL_PRIVATE_KEY_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
+ { .key = {SSL_CA_LIST_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
+ { .key = {"transport.socket.listen-backlog"},
+ .type = GF_OPTION_TYPE_INT
+ },
+ { .key = {SSL_OWN_CERT_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
+ { .key = {SSL_PRIVATE_KEY_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
+ { .key = {SSL_CA_LIST_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
+ { .key = {OWN_THREAD_OPT},
+ .type = GF_OPTION_TYPE_BOOL
+ },
{ .key = {NULL} }
};
diff --git a/rpc/rpc-transport/socket/src/socket.h
b/rpc/rpc-transport/socket/src/socket.h
index 4acecab..19e5930 100644
--- a/rpc/rpc-transport/socket/src/socket.h
+++ b/rpc/rpc-transport/socket/src/socket.h
@@ -20,6 +20,8 @@
#ifndef _SOCKET_H
#define _SOCKET_H
+#include <openssl/ssl.h>
+#include <openssl/err.h>
#ifndef _CONFIG_H
#define _CONFIG_H
@@ -193,6 +195,19 @@ typedef struct {
int keepaliveidle;
int keepaliveintvl;
uint32_t backlog;
+ gf_boolean_t use_ssl;
+ const SSL_METHOD *ssl_meth;
+ SSL_CTX *ssl_ctx;
+ int ssl_session_id;
+ BIO *ssl_sbio;
+ SSL *ssl_ssl;
+ char *ssl_own_cert;
+ char *ssl_private_key;
+ char *ssl_ca_list;
+ pthread_t thread;
+ int pipe[2];
+ gf_boolean_t own_thread;
+ int socket_gen;
} socket_private_t;
--
1.7.3.4
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Gluster-devel] [PATCH BUG:2999 1/1] Add SSL and multi-threading to socket transport.,
Jeff Darcy <=