diff options
-rw-r--r-- | api/src/glfs-mgmt.c | 1 | ||||
-rw-r--r-- | cli/src/cli.c | 1 | ||||
-rw-r--r-- | glusterfsd/src/glusterfsd-mgmt.c | 2 | ||||
-rw-r--r-- | glusterfsd/src/glusterfsd.c | 1 | ||||
-rw-r--r-- | heal/src/glfs-heal.c | 1 | ||||
-rw-r--r-- | libglusterfs/src/glusterfs.h | 6 | ||||
-rw-r--r-- | libglusterfs/src/graph.c | 42 | ||||
-rw-r--r-- | libglusterfs/src/libglusterfs.sym | 3 | ||||
-rw-r--r-- | rpc/rpc-transport/socket/src/socket.c | 12 | ||||
-rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-handler.c | 3 |
10 files changed, 66 insertions, 6 deletions
diff --git a/api/src/glfs-mgmt.c b/api/src/glfs-mgmt.c index f709b54d49..229caa9877 100644 --- a/api/src/glfs-mgmt.c +++ b/api/src/glfs-mgmt.c @@ -1040,6 +1040,7 @@ glfs_mgmt_init (struct glfs *fs) if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { ctx->secure_mgmt = 1; + ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } rpc = rpc_clnt_new (options, THIS, THIS->name, 8); diff --git a/cli/src/cli.c b/cli/src/cli.c index 930182c65b..b58f211d3d 100644 --- a/cli/src/cli.c +++ b/cli/src/cli.c @@ -439,6 +439,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state) /* Do this first so that an option can override. */ if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { state->ctx->secure_mgmt = 1; + state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } if (state->argc > GEO_REP_CMD_CONFIG_INDEX && diff --git a/glusterfsd/src/glusterfsd-mgmt.c b/glusterfsd/src/glusterfsd-mgmt.c index bf55a0770b..d2b39494e5 100644 --- a/glusterfsd/src/glusterfsd-mgmt.c +++ b/glusterfsd/src/glusterfsd-mgmt.c @@ -2650,6 +2650,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx) goto out; } + + ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } rpc = rpc_clnt_new (options, THIS, THIS->name, 8); diff --git a/glusterfsd/src/glusterfsd.c b/glusterfsd/src/glusterfsd.c index 0cc46c7894..ef06ddfed3 100644 --- a/glusterfsd/src/glusterfsd.c +++ b/glusterfsd/src/glusterfsd.c @@ -1951,6 +1951,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx) /* Do this before argp_parse so it can be overridden. */ if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) { cmd_args->secure_mgmt = 1; + ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args); diff --git a/heal/src/glfs-heal.c b/heal/src/glfs-heal.c index 10d00e6d73..e86c76cde4 100644 --- a/heal/src/glfs-heal.c +++ b/heal/src/glfs-heal.c @@ -1661,6 +1661,7 @@ main (int argc, char **argv) if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) { fs->ctx->secure_mgmt = 1; + fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); } ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0); diff --git a/libglusterfs/src/glusterfs.h b/libglusterfs/src/glusterfs.h index 6b0df533e6..250d8e69a4 100644 --- a/libglusterfs/src/glusterfs.h +++ b/libglusterfs/src/glusterfs.h @@ -593,6 +593,11 @@ struct _glusterfs_ctx { */ int secure_mgmt; + /* The option is use to set cert_depth while management connection + use SSL + */ + int ssl_cert_depth; + /* * Should *our* server/inbound connections use SSL? This is only true * if we're glusterd and secure_mgmt is set, or if we're glusterfsd @@ -700,4 +705,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph); void gf_free_mig_locks (lock_migration_info_t *locks); +int glusterfs_read_secure_access_file (void); #endif /* _GLUSTERFS_H */ diff --git a/libglusterfs/src/graph.c b/libglusterfs/src/graph.c index db80e21272..d36cf7b3da 100644 --- a/libglusterfs/src/graph.c +++ b/libglusterfs/src/graph.c @@ -16,7 +16,7 @@ #include "defaults.h" #include <unistd.h> #include "syscall.h" - +#include <regex.h> #include "libglusterfs-messages.h" #if 0 @@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv) } #endif +int +glusterfs_read_secure_access_file (void) +{ + FILE *fp = NULL; + char line[100] = {0,}; + int cert_depth = 1; /* Default SSL CERT DEPTH */ + regex_t regcmpl; + char *key = {"^option transport.socket.ssl-cert-depth"}; + char keyval[50] = {0,}; + int start = 0, end = 0, copy_len = 0; + regmatch_t result[1] = {{0} }; + + fp = fopen (SECURE_ACCESS_FILE, "r"); + if (!fp) + goto out; + /* Check if any line matches with key */ + while (fgets(line, sizeof(line), fp) != NULL) { + if (regcomp (®cmpl, key, REG_EXTENDED)) { + goto out; + } + if (!regexec (®cmpl, line, 1, result, 0)) { + start = result[0].rm_so; + end = result[0].rm_eo; + copy_len = end - start; + strcpy (keyval, line+copy_len); + if (keyval[0]) { + cert_depth = atoi(keyval); + if (cert_depth == 0) + cert_depth = 1; /* Default SSL CERT DEPTH */ + break; + } + } + regfree(®cmpl); + } + +out: + if (fp) + fclose (fp); + return cert_depth; +} int glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl) diff --git a/libglusterfs/src/libglusterfs.sym b/libglusterfs/src/libglusterfs.sym index df97a7fd89..6340bc8a3a 100644 --- a/libglusterfs/src/libglusterfs.sym +++ b/libglusterfs/src/libglusterfs.sym @@ -733,6 +733,7 @@ glusterfs_graph_deactivate glusterfs_graph_destroy glusterfs_graph_destroy_residual glusterfs_graph_prepare +glusterfs_read_secure_access_file glusterfs_graph_print_file glusterfs_graph_set_first glusterfs_is_local_pathinfo @@ -1107,4 +1108,4 @@ use_spinlocks dump_options glusterfs_leaseid_buf_get gf_replace_old_iatt_in_dict -gf_replace_new_iatt_in_dict
\ No newline at end of file +gf_replace_new_iatt_in_dict diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c index e05b6f8879..a391704006 100644 --- a/rpc/rpc-transport/socket/src/socket.c +++ b/rpc/rpc-transport/socket/src/socket.c @@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this) "using %s polling thread", priv->own_thread ? "private" : "system"); - if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) { + if (!priv->mgmt_ssl) { + if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) { + gf_log (this->name, GF_LOG_INFO, + "using certificate depth %d", cert_depth); + } + } else { + cert_depth = this->ctx->ssl_cert_depth; gf_log (this->name, GF_LOG_INFO, "using certificate depth %d", cert_depth); } @@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this) goto err; } -#if (OPENSSL_VERSION_NUMBER < 0x00905100L) - SSL_CTX_set_verify_depth(ctx, cert_depth); -#endif + SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth); if (crl_path) { #ifdef X509_V_FLAG_CRL_CHECK_ALL diff --git a/xlators/mgmt/glusterd/src/glusterd-handler.c b/xlators/mgmt/glusterd/src/glusterd-handler.c index 2505fcff4d..26115a26b3 100644 --- a/xlators/mgmt/glusterd/src/glusterd-handler.c +++ b/xlators/mgmt/glusterd/src/glusterd-handler.c @@ -3475,6 +3475,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo, "failed to set ssl-enabled in dict"); goto out; } + + this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file (); + } ret = glusterd_rpc_create (&peerinfo->rpc, options, |