From 355e366ff59dfc2ecd4fdf1e5653664b9ac0c45f Mon Sep 17 00:00:00 2001 From: Mohit Agrawal Date: Wed, 14 Mar 2018 09:37:52 +0530 Subject: [PATCH 202/212] glusterd: TLS verification fails while using intermediate CA Problem: TLS verification fails while using intermediate CA if mgmt SSL is enabled. Solution: There are two main issue of TLS verification failing 1) not calling ssl_api to set cert_depth 2) The current code does not allow to set certificate depth while MGMT SSL is enabled. After apply this patch to set certificate depth user need to set parameter option transport.socket.ssl-cert-depth in /var/lib/glusterd/secure_acccess instead to set in /etc/glusterfs/glusterd.vol. At the time of set secure_mgmt in ctx we will check the value of cert-depth and save the value of cert-depth in ctx.If user does not provide any value in cert-depth in that case it will consider default value is 1 > BUG: 1555154 > Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35 > Reviewed on https://review.gluster.org/#/c/19708/ > (cherry pick from commit cf06dd544004701ef43fa81c5b7a95353d5c1d65) BUG: 1446046 Change-Id: I94000bc8741ceb5659ec9f376eac447ae84792ad Signed-off-by: Mohit Agrawal Reviewed-on: https://code.engineering.redhat.com/gerrit/133849 Tested-by: RHGS Build Bot Reviewed-by: Sunil Kumar Heggodu Gopala Acharya
---
api/src/glfs-mgmt.c | 1 + cli/src/cli.c | 1 + glusterfsd/src/glusterfsd-mgmt.c | 2 ++ glusterfsd/src/glusterfsd.c | 1 + heal/src/glfs-heal.c | 1 + libglusterfs/src/glusterfs.h | 6 ++++ libglusterfs/src/graph.c | 42 +++++++++++++++++++++++++++- rpc/rpc-transport/socket/src/socket.c | 12 +++++--- xlators/mgmt/glusterd/src/glusterd-handler.c | 3 ++ 9 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c
index 32b9dbd..b70dc35 100644
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@@ -996,6 +996,7 @@ glfs_mgmt_init (struct glfs *fs)
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
ctx->secure_mgmt = 1;
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
diff --git a/cli/src/cli.c b/cli/src/cli.c
index 52c1b67..b64d4ef 100644
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@@ -432,6 +432,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state)
/* Do this first so that an option can override. */
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
state->ctx->secure_mgmt = 1;
+ state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
if (state->argc > GEO_REP_CMD_CONFIG_INDEX &&
diff --git a/glusterfsd/src/glusterfsd-mgmt.c b/glusterfsd/src/glusterfsd-mgmt.c
index 69d93f5..ef53d09 100644
--- a/glusterfsd/src/glusterfsd-mgmt.c
+++ b/glusterfsd/src/glusterfsd-mgmt.c
@@ -2467,6 +2467,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx)
goto out;
}
+
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c
index 38b863c..3ae89a6 100644
--- a/glusterfsd/src/glusterfsd.c
+++ b/glusterfsd/src/glusterfsd.c
@@ -1917,6 +1917,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx)
/* Do this before argp_parse so it can be overridden. */
if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
cmd_args->secure_mgmt = 1;
+ ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args);
diff --git a/heal/src/glfs-heal.c b/heal/src/glfs-heal.c
index 532b6f9..153cd29 100644
--- a/heal/src/glfs-heal.c
+++ b/heal/src/glfs-heal.c
@@ -1617,6 +1617,7 @@ main (int argc, char **argv)
if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
fs->ctx->secure_mgmt = 1;
+ fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
}
ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0);
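Review bot: The `sys_access (SECURE_ACCESS_FILE, F_OK)` probe followed by `ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();` is now duplicated in five call sites (this hunk plus cli.c, glusterfsd-mgmt.c, glusterfsd.c and glfs-heal.c); one libglusterfs helper that sets both `secure_mgmt` and `ssl_cert_depth` from the file would keep them from drifting, and the glusterfsd-mgmt.c copy sits inside a block whose condition is outside its hunk, so it is not visible that it is the secure-mgmt branch. `F_OK` only proves the file exists, and the reader returns the default `1` both when it cannot open the file and when no depth line is present, so a present-but-unreadable secure-access file silently degrades to depth 1 with nothing in the log; the reader should `gf_log` the `fopen` failure. glfs_mgmt_init continues outside the hunk.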
diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h
index 5abfafa..5d5f5c8 100644
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@@ -536,6 +536,11 @@ struct _glusterfs_ctx {
*/
int secure_mgmt;
+ /* The option is use to set cert_depth while management connection
+ use SSL
+ */
+ int ssl_cert_depth;
+
/*
* Should *our* server/inbound connections use SSL? This is only true
* if we're glusterd and secure_mgmt is set, or if we're glusterfsd
@@ -638,4 +643,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph);
void gf_free_mig_locks (lock_migration_info_t *locks);
+int glusterfs_read_secure_access_file (void);
#endif /* _GLUSTERFS_H */
diff --git a/libglusterfs/src/graph.c b/libglusterfs/src/graph.c
index 738cd96..cdd7123 100644
--- a/libglusterfs/src/graph.c
+++ b/libglusterfs/src/graph.c
@@ -16,7 +16,7 @@
#include "defaults.h"
#include
#include "syscall.h"
-
+#include
#include "libglusterfs-messages.h"
#if 0
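Review bot: The comment on the new `ssl_cert_depth` field is ungrammatical and says neither where the value comes from nor what an unset field looks like, and its layout (`+ /* ... connection`, `+ use SSL`, `+ */`) does not follow the `/*` / ` * ...` / ` */` block style of the neighbouring comment on the same struct. Suggest `/* Certificate verify depth for management (SSL) connections, read from SECURE_ACCESS_FILE by glusterfs_read_secure_access_file(); 0 means the file has not been read, the reader maps a missing or zero value to 1. */`, laid out like the comment below it.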
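Review bot: The new prototype `int glusterfs_read_secure_access_file (void);` is added to the public header without any contract, and its return convention (default on every failure, no error indication) is not obvious from the name. Suggest a comment above it: `/* Parse SECURE_ACCESS_FILE for "option transport.socket.ssl-cert-depth". Returns the configured depth, or 1 when the file is absent or unreadable or the value is missing or 0. */`.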
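Review bot: The graph.c include hunk replaces the blank separator after `#include "syscall.h"` with a system include (its name is lost in this rendering; presumably the header for the `regcomp`/`regexec` calls added later in the file), leaving it sandwiched between two project headers. The file already has a system include two lines up, so the new one belongs next to it, keeping the blank line before `#include "libglusterfs-messages.h"`.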
@@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv)
}
#endif
+int
+glusterfs_read_secure_access_file (void)
+{
+ FILE *fp = NULL;
+ char line[100] = {0,};
+ int cert_depth = 1; /* Default SSL CERT DEPTH */
+ regex_t regcmpl;
+ char *key = {"^option transport.socket.ssl-cert-depth"};
+ char keyval[50] = {0,};
+ int start = 0, end = 0, copy_len = 0;
+ regmatch_t result[1] = {{0} };
+
+ fp = fopen (SECURE_ACCESS_FILE, "r");
+ if (!fp)
+ goto out;
+ /* Check if any line matches with key */
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ if (regcomp (®cmpl, key, REG_EXTENDED)) {
+ goto out;
+ }
+ if (!regexec (®cmpl, line, 1, result, 0)) {
+ start = result[0].rm_so;
+ end = result[0].rm_eo;
+ copy_len = end - start;
+ strcpy (keyval, line+copy_len);
+ if (keyval[0]) {
+ cert_depth = atoi(keyval);
+ if (cert_depth == 0)
+ cert_depth = 1; /* Default SSL CERT DEPTH */
+ break;
+ }
+ }
+ regfree(®cmpl);
+ }
+
+out:
+ if (fp)
+ fclose (fp);
+ return cert_depth;
+}
int glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl)
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 590d465..157b5b7 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -4324,7 +4324,13 @@ socket_init (rpc_transport_t *this)
"using %s polling thread", priv->own_thread ? "private" : "system");
- if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ if (!priv->mgmt_ssl) {
+ if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+ } else {
+ cert_depth = this->ctx->ssl_cert_depth;
gf_log (this->name, GF_LOG_INFO, "using certificate depth %d", cert_depth);
}
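Review bot: In glusterfs_read_secure_access_file the compiled regex is leaked whenever a line matches, because `break` leaves the loop before `regfree`, and `regcomp` is redone for every line of the file; compile once before the loop and free it at `out:`. `strcpy (keyval, line+copy_len)` is unbounded: `line` holds up to 99 characters and the matched key is 38, so the remainder can be 61 bytes into the 50-byte `keyval`, meaning an overlong line in SECURE_ACCESS_FILE overflows the stack buffer, and the copy is unnecessary since the value can be parsed in place at `line + result[0].rm_eo` (the pattern is anchored with `^`, so `rm_so` is always 0). `atoi` then accepts a negative or trailing-garbage value and only `0` is mapped back to the default, so `-1` reaches `SSL_CTX_set_verify_depth`; `strtol` with a range check keeps the default instead. The rewrite below keeps the first matching line winning and the file-absent default of 1 (it needs `<errno.h>`/`<limits.h>` if graph.c does not already pull them in); the escaped dots in the pattern are an optional tightening.
```c
int
glusterfs_read_secure_access_file (void)
{
        FILE       *fp = NULL;
        char        line[100] = {0,};
        int         cert_depth = 1; /* Default SSL CERT DEPTH */
        regex_t     regcmpl;
        int         compiled = 0;
        char       *key = "^option transport\\.socket\\.ssl-cert-depth";
        regmatch_t  result[1] = {{0} };
        char       *val = NULL, *endp = NULL;
        long        depth = 0;

        fp = fopen (SECURE_ACCESS_FILE, "r");
        if (!fp)
                goto out;

        /* Compile once; a bad pattern is not a per-line condition. */
        if (regcomp (&regcmpl, key, REG_EXTENDED))
                goto out;
        compiled = 1;

        /* Check if any line matches with key */
        while (fgets (line, sizeof (line), fp) != NULL) {
                if (regexec (&regcmpl, line, 1, result, 0))
                        continue;
                /* '^' anchors the match, so rm_eo is where the value starts */
                val = line + result[0].rm_eo;
                errno = 0;
                depth = strtol (val, &endp, 10);
                /* Keep the default for an absent, non-numeric, zero,
                 * negative or out-of-range value rather than handing it
                 * to SSL_CTX_set_verify_depth. */
                if (endp != val && errno == 0 && depth >= 1 && depth <= INT_MAX)
                        cert_depth = (int) depth;
                break;
        }

out:
        if (compiled)
                regfree (&regcmpl);
        if (fp)
                fclose (fp);
        return cert_depth;
}
```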
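Review bot: In the new `else` branch of socket_init `cert_depth = this->ctx->ssl_cert_depth;` is taken without a lower bound, so a ctx that no reader call populated (left at whatever the ctx holds, presumably 0) or a negative value parsed from the file reaches the `SSL_CTX_set_verify_depth` call further down; guard it with `if (cert_depth < 1) cert_depth = 1;` (or fall back to the dict option) and log when that happens. The transport's own `SSL_CERT_DEPTH_OPT` is now silently ignored whenever `priv->mgmt_ssl` is set, which matches the commit message but deserves a one-line comment at `if (!priv->mgmt_ssl) {` so the option is not re-added to glusterd.vol by the next maintainer. The two `gf_log (... "using certificate depth %d", cert_depth)` calls are identical and could run once after the if/else. socket_init continues past the hunk.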
@@ -4463,9 +4469,7 @@ socket_init (rpc_transport_t *this)
goto err;
}
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
- SSL_CTX_set_verify_depth(ctx,cert_depth);
-#endif
+ SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);
if (crl_path) {
#ifdef X509_V_FLAG_CRL_CHECK_ALL
diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c
index 16a3773..ddab159 100644
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@@ -3544,6 +3544,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
"failed to set ssl-enabled in dict");
goto out;
}
+
+ this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
+
}
ret = glusterd_rpc_create (&peerinfo->rpc, options,
--
1.8.3.1
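Review bot: Nothing in the code records why the `#if (OPENSSL_VERSION_NUMBER < 0x00905100L)` guard was dropped, although that guard is the root cause: it limited `SSL_CTX_set_verify_depth` to OpenSSL releases older than 0.9.5a, so the configured depth never took effect on any supported build. A short comment above the new call, `/* Apply on every OpenSSL version; without this the library default depth, not ssl-cert-depth, governs chain verification. */`, would keep the guard from being reintroduced. Worth noting for operators, not as a code change: the depth only bounds chain length, so an intermediate CA is still only verified when it is supplied in the peer's chain or present in the configured CA file. socket_init continues on both sides of the hunk.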
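Review bot: `this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();` re-reads and re-parses the file on every peer RPC created by glusterd_friend_rpc_create, and writes the result into the process-wide ctx that every transport reads, so two peers connected at different times can end up verified with different depths if the file is edited in between, and the write is unsynchronised against concurrent socket_init reads if peer RPCs are created from more than one thread (not visible here). Since the same patch already populates the field at startup in glusterfsd.c parse_cmdline (which presumably runs for glusterd as well), either drop this re-read or document the intent, e.g. `/* Re-read so an edited secure-access file takes effect for new peers without a restart. */`. The enclosing if-block and the function both start before the hunk.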