14f8ab
From e3020e43344ddbc32e62e06bbbf88a4f5d7cdc82 Mon Sep 17 00:00:00 2001
14f8ab
From: Mohit Agrawal <moagrawa@redhat.com>
14f8ab
Date: Fri, 10 May 2019 11:13:45 +0530
14f8ab
Subject: [PATCH 141/141] socket/ssl: fix crl handling
14f8ab
14f8ab
Problem:
14f8ab
Just setting the path to the CRL directory in socket_init() wasn't working.
14f8ab
14f8ab
Solution:
14f8ab
Need to use special API to retrieve and set X509_VERIFY_PARAM and set
14f8ab
the CRL checking flags explicitly.
14f8ab
Also, setting the CRL checking flags is a big pain, since the connection
14f8ab
is declared as failed if any CRL isn't found in the designated file or
14f8ab
directory. A comment has been added to the code appropriately.
14f8ab
14f8ab
> Change-Id: I8a8ed2ddaf4b5eb974387d2f7b1a85c1ca39fe79
14f8ab
> fixes: bz#1687326
14f8ab
> Signed-off-by: Milind Changire <mchangir@redhat.com>
14f8ab
> (Cherry pick from commit 06fa261207f0f0625c52fa977b96e5875e9a91e0)
14f8ab
> (Reviewed on upstream link https://review.gluster.org/#/c/glusterfs/+/22334/)
14f8ab
14f8ab
Change-Id: I0958e9890035fd376f1e1eafc1452caf3edd184b
14f8ab
BUG: 1583585
14f8ab
Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
14f8ab
Reviewed-on: https://code.engineering.redhat.com/gerrit/166458
14f8ab
Tested-by: RHGS Build Bot <nigelb@redhat.com>
14f8ab
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
14f8ab
---
14f8ab
 configure.ac                          |   2 +
14f8ab
 rpc/rpc-transport/socket/src/socket.c | 110 ++++++++++++++++++++++++++++------
14f8ab
 rpc/rpc-transport/socket/src/socket.h |   2 +
14f8ab
 tests/features/ssl-ciphers.t          |  13 +++-
14f8ab
 4 files changed, 107 insertions(+), 20 deletions(-)
14f8ab
14f8ab
diff --git a/configure.ac b/configure.ac
14f8ab
index 3065077..0e11d4c 100644
14f8ab
--- a/configure.ac
14f8ab
+++ b/configure.ac
14f8ab
@@ -491,6 +491,8 @@ AC_CHECK_HEADERS([openssl/dh.h])
14f8ab
 
14f8ab
 AC_CHECK_HEADERS([openssl/ecdh.h])
14f8ab
 
14f8ab
+AC_CHECK_LIB([ssl], [SSL_CTX_get0_param], [AC_DEFINE([HAVE_SSL_CTX_GET0_PARAM], [1], [define if found OpenSSL SSL_CTX_get0_param])])
14f8ab
+
14f8ab
 dnl Math library
14f8ab
 AC_CHECK_LIB([m], [pow], [MATH_LIB='-lm'], [MATH_LIB=''])
14f8ab
 AC_SUBST(MATH_LIB)
14f8ab
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
14f8ab
index f6de1d3..bf2fa71 100644
14f8ab
--- a/rpc/rpc-transport/socket/src/socket.c
14f8ab
+++ b/rpc/rpc-transport/socket/src/socket.c
14f8ab
@@ -308,8 +308,65 @@ out:
14f8ab
 #define ssl_write_one(t, b, l)                                                 \
14f8ab
     ssl_do((t), (b), (l), (SSL_trinary_func *)SSL_write)
14f8ab
 
14f8ab
+/* set crl verify flags only for server */
14f8ab
+/* see man X509_VERIFY_PARAM_SET_FLAGS(3)
14f8ab
+ * X509_V_FLAG_CRL_CHECK enables CRL checking for the certificate chain
14f8ab
+ * leaf certificate. An error occurs if a suitable CRL cannot be found.
14f8ab
+ * Since we're never going to revoke a gluster node cert, we better disable
14f8ab
+ * CRL check for server certs to avoid getting error and failed connection
14f8ab
+ * attempts.
14f8ab
+ */
14f8ab
+static void
14f8ab
+ssl_clear_crl_verify_flags(SSL_CTX *ssl_ctx)
14f8ab
+{
14f8ab
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
14f8ab
+#ifdef HAVE_SSL_CTX_GET0_PARAM
14f8ab
+    X509_VERIFY_PARAM *vpm;
14f8ab
+
14f8ab
+    vpm = SSL_CTX_get0_param(ssl_ctx);
14f8ab
+    if (vpm) {
14f8ab
+        X509_VERIFY_PARAM_clear_flags(
14f8ab
+            vpm, (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL));
14f8ab
+    }
14f8ab
+#else
14f8ab
+    /* CRL verify flag need not be cleared for rhel6 kind of clients */
14f8ab
+#endif
14f8ab
+#else
14f8ab
+    gf_log(this->name, GF_LOG_ERROR, "OpenSSL version does not support CRL");
14f8ab
+#endif
14f8ab
+    return;
14f8ab
+}
14f8ab
+
14f8ab
+/* set crl verify flags only for server */
14f8ab
+static void
14f8ab
+ssl_set_crl_verify_flags(SSL_CTX *ssl_ctx)
14f8ab
+{
14f8ab
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
14f8ab
+#ifdef HAVE_SSL_CTX_GET0_PARAM
14f8ab
+    X509_VERIFY_PARAM *vpm;
14f8ab
+
14f8ab
+    vpm = SSL_CTX_get0_param(ssl_ctx);
14f8ab
+    if (vpm) {
14f8ab
+        unsigned long flags;
14f8ab
+
14f8ab
+        flags = X509_VERIFY_PARAM_get_flags(vpm);
14f8ab
+        flags |= (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
14f8ab
+        X509_VERIFY_PARAM_set_flags(vpm, flags);
14f8ab
+    }
14f8ab
+#else
14f8ab
+    X509_STORE *x509store;
14f8ab
+
14f8ab
+    x509store = SSL_CTX_get_cert_store(ssl_ctx);
14f8ab
+    X509_STORE_set_flags(x509store,
14f8ab
+                         X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
14f8ab
+#endif
14f8ab
+#else
14f8ab
+    gf_log(this->name, GF_LOG_ERROR, "OpenSSL version does not support CRL");
14f8ab
+#endif
14f8ab
+}
14f8ab
+
14f8ab
 int
14f8ab
-ssl_setup_connection_prefix(rpc_transport_t *this)
14f8ab
+ssl_setup_connection_prefix(rpc_transport_t *this, gf_boolean_t server)
14f8ab
 {
14f8ab
     int ret = -1;
14f8ab
     socket_private_t *priv = NULL;
14f8ab
@@ -332,6 +389,9 @@ ssl_setup_connection_prefix(rpc_transport_t *this)
14f8ab
     priv->ssl_accepted = _gf_false;
14f8ab
     priv->ssl_context_created = _gf_false;
14f8ab
 
14f8ab
+    if (!server && priv->crl_path)
14f8ab
+        ssl_clear_crl_verify_flags(priv->ssl_ctx);
14f8ab
+
14f8ab
     priv->ssl_ssl = SSL_new(priv->ssl_ctx);
14f8ab
     if (!priv->ssl_ssl) {
14f8ab
         gf_log(this->name, GF_LOG_ERROR, "SSL_new failed");
14f8ab
@@ -2664,7 +2724,7 @@ ssl_handle_server_connection_attempt(rpc_transport_t *this)
14f8ab
     fd = priv->sock;
14f8ab
 
14f8ab
     if (!priv->ssl_context_created) {
14f8ab
-        ret = ssl_setup_connection_prefix(this);
14f8ab
+        ret = ssl_setup_connection_prefix(this, _gf_true);
14f8ab
         if (ret < 0) {
14f8ab
             gf_log(this->name, GF_LOG_TRACE,
14f8ab
                    "> ssl_setup_connection_prefix() failed!");
14f8ab
@@ -2718,7 +2778,7 @@ ssl_handle_client_connection_attempt(rpc_transport_t *this)
14f8ab
         ret = -1;
14f8ab
     } else {
14f8ab
         if (!priv->ssl_context_created) {
14f8ab
-            ret = ssl_setup_connection_prefix(this);
14f8ab
+            ret = ssl_setup_connection_prefix(this, _gf_false);
14f8ab
             if (ret < 0) {
14f8ab
                 gf_log(this->name, GF_LOG_TRACE,
14f8ab
                        "> ssl_setup_connection_prefix() "
14f8ab
@@ -3085,7 +3145,30 @@ socket_server_event_handler(int fd, int idx, int gen, void *data, int poll_in,
14f8ab
         gf_log(this->name, GF_LOG_TRACE, "XXX server:%s, client:%s",
14f8ab
                new_trans->myinfo.identifier, new_trans->peerinfo.identifier);
14f8ab
 
14f8ab
+        /* Make options available to local socket_init() to create new
14f8ab
+         * SSL_CTX per transport. A separate SSL_CTX per transport is
14f8ab
+         * required to avoid setting crl checking options for client
14f8ab
+         * connections. The verification options eventually get copied
14f8ab
+         * to the SSL object. Unfortunately, there's no way to identify
14f8ab
+         * whether socket_init() is being called after a client-side
14f8ab
+         * connect() or a server-side accept(). Although, we could pass
14f8ab
+         * a flag from the transport init() to the socket_init() and
14f8ab
+         * from this place, this doesn't identify the case where the
14f8ab
+         * server-side transport loading is done for the first time.
14f8ab
+         * Also, SSL doesn't apply for UNIX sockets.
14f8ab
+         */
14f8ab
+        if (new_sockaddr.ss_family != AF_UNIX)
14f8ab
+            new_trans->options = dict_ref(this->options);
14f8ab
+        new_trans->ctx = this->ctx;
14f8ab
+
14f8ab
         ret = socket_init(new_trans);
14f8ab
+
14f8ab
+        /* reset options to NULL to avoid double free */
14f8ab
+        if (new_sockaddr.ss_family != AF_UNIX) {
14f8ab
+            dict_unref(new_trans->options);
14f8ab
+            new_trans->options = NULL;
14f8ab
+        }
14f8ab
+
14f8ab
         if (ret != 0) {
14f8ab
             gf_log(this->name, GF_LOG_WARNING,
14f8ab
                    "initialization of new_trans "
14f8ab
@@ -4150,7 +4233,6 @@ ssl_setup_connection_params(rpc_transport_t *this)
14f8ab
     char *cipher_list = DEFAULT_CIPHER_LIST;
14f8ab
     char *dh_param = DEFAULT_DH_PARAM;
14f8ab
     char *ec_curve = DEFAULT_EC_CURVE;
14f8ab
-    char *crl_path = NULL;
14f8ab
 
14f8ab
     priv = this->private;
14f8ab
 
14f8ab
@@ -4192,6 +4274,7 @@ ssl_setup_connection_params(rpc_transport_t *this)
14f8ab
     }
14f8ab
     priv->ssl_ca_list = gf_strdup(priv->ssl_ca_list);
14f8ab
 
14f8ab
+    optstr = NULL;
14f8ab
     if (dict_get_str(this->options, SSL_CRL_PATH_OPT, &optstr) == 0) {
14f8ab
         if (!priv->ssl_enabled) {
14f8ab
             gf_log(this->name, GF_LOG_WARNING,
14f8ab
@@ -4199,9 +4282,9 @@ ssl_setup_connection_params(rpc_transport_t *this)
14f8ab
                    SSL_ENABLED_OPT);
14f8ab
         }
14f8ab
         if (strcasecmp(optstr, "NULL") == 0)
14f8ab
-            crl_path = NULL;
14f8ab
+            priv->crl_path = NULL;
14f8ab
         else
14f8ab
-            crl_path = optstr;
14f8ab
+            priv->crl_path = gf_strdup(optstr);
14f8ab
     }
14f8ab
 
14f8ab
     gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO : GF_LOG_DEBUG,
14f8ab
@@ -4343,24 +4426,15 @@ ssl_setup_connection_params(rpc_transport_t *this)
14f8ab
         }
14f8ab
 
14f8ab
         if (!SSL_CTX_load_verify_locations(priv->ssl_ctx, priv->ssl_ca_list,
14f8ab
-                                           crl_path)) {
14f8ab
+                                           priv->crl_path)) {
14f8ab
             gf_log(this->name, GF_LOG_ERROR, "could not load CA list");
14f8ab
             goto err;
14f8ab
         }
14f8ab
 
14f8ab
         SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);
14f8ab
 
14f8ab
-        if (crl_path) {
14f8ab
-#ifdef X509_V_FLAG_CRL_CHECK_ALL
14f8ab
-            X509_STORE *x509store;
14f8ab
-
14f8ab
-            x509store = SSL_CTX_get_cert_store(priv->ssl_ctx);
14f8ab
-            X509_STORE_set_flags(
14f8ab
-                x509store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
14f8ab
-#else
14f8ab
-            gf_log(this->name, GF_LOG_ERROR,
14f8ab
-                   "OpenSSL version does not support CRL");
14f8ab
-#endif
14f8ab
+        if (priv->crl_path) {
14f8ab
+            ssl_set_crl_verify_flags(priv->ssl_ctx);
14f8ab
         }
14f8ab
 
14f8ab
         priv->ssl_session_id = session_id++;
14f8ab
diff --git a/rpc/rpc-transport/socket/src/socket.h b/rpc/rpc-transport/socket/src/socket.h
14f8ab
index e1ccae2..e7c0090 100644
14f8ab
--- a/rpc/rpc-transport/socket/src/socket.h
14f8ab
+++ b/rpc/rpc-transport/socket/src/socket.h
14f8ab
@@ -14,6 +14,7 @@
14f8ab
 #include <openssl/ssl.h>
14f8ab
 #include <openssl/err.h>
14f8ab
 #include <openssl/x509v3.h>
14f8ab
+#include <openssl/x509_vfy.h>
14f8ab
 #ifdef HAVE_OPENSSL_DH_H
14f8ab
 #include <openssl/dh.h>
14f8ab
 #endif
14f8ab
@@ -246,6 +247,7 @@ typedef struct {
14f8ab
     char *ssl_own_cert;
14f8ab
     char *ssl_private_key;
14f8ab
     char *ssl_ca_list;
14f8ab
+    char *crl_path;
14f8ab
     int pipe[2];
14f8ab
     struct gf_sock_incoming incoming;
14f8ab
     /* -1 = not connected. 0 = in progress. 1 = connected */
14f8ab
diff --git a/tests/features/ssl-ciphers.t b/tests/features/ssl-ciphers.t
14f8ab
index 563d37c..7e1e199 100644
14f8ab
--- a/tests/features/ssl-ciphers.t
14f8ab
+++ b/tests/features/ssl-ciphers.t
14f8ab
@@ -175,8 +175,6 @@ BRICK_PORT=`brick_port $V0`
14f8ab
 EXPECT "Y" openssl_connect -cipher EECDH -connect $H0:$BRICK_PORT
14f8ab
 
14f8ab
 # test revocation
14f8ab
-# no need to restart the volume since the options are used
14f8ab
-# by the client here.
14f8ab
 TEST $CLI volume set $V0 ssl.crl-path $TMPDIR
14f8ab
 EXPECT $TMPDIR volume_option $V0 ssl.crl-path
14f8ab
 $GFS --volfile-id=$V0 --volfile-server=$H0 $M0
14f8ab
@@ -189,14 +187,25 @@ TEST openssl ca -batch -config $SSL_CFG -revoke $SSL_CERT 2>&1
14f8ab
 TEST openssl ca -config $SSL_CFG -gencrl -out $SSL_CRL 2>&1
14f8ab
 
14f8ab
 # Failed once revoked
14f8ab
+# Although client fails to mount without restarting the server after crl-path
14f8ab
+# is set when no actual crl file is found on the client, it would also fail
14f8ab
+# when server is restarted for the same reason. Since the socket initialization
14f8ab
+# code is the same for client and server, the crl verification flags need to
14f8ab
+# be turned off for the client to avoid SSL searching for CRLs in the
14f8ab
+# ssl.crl-path. If no CRL files are found in the ssl.crl-path, SSL fails the
14f8ab
+# connect() attempt on the client.
14f8ab
+TEST $CLI volume stop $V0
14f8ab
+TEST $CLI volume start $V0
14f8ab
 $GFS --volfile-id=$V0 --volfile-server=$H0 $M0
14f8ab
 EXPECT "N" wait_mount $M0
14f8ab
 TEST ! test -f $TEST_FILE
14f8ab
 EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
14f8ab
 
14f8ab
 # Succeed with CRL disabled
14f8ab
+TEST $CLI volume stop $V0
14f8ab
 TEST $CLI volume set $V0 ssl.crl-path NULL
14f8ab
 EXPECT NULL volume_option $V0 ssl.crl-path
14f8ab
+TEST $CLI volume start $V0
14f8ab
 $GFS --volfile-id=$V0 --volfile-server=$H0 $M0
14f8ab
 EXPECT "Y" wait_mount $M0
14f8ab
 TEST test -f $TEST_FILE
14f8ab
-- 
14f8ab
1.8.3.1
14f8ab