glusterd: TLS verification fails while using intermediate CA

Problem: TLS verification fails while using intermediate CA if mgmt SSL is enabled. Solution: There are two main issue of TLS verification failing 1) not calling ssl_api to set cert_depth 2) The current code does not allow to set certificate depth while MGMT SSL is enabled. After apply this patch to set certificate depth user need to set parameter option transport.socket.ssl-cert-depth <depth> in /var/lib/glusterd/secure_acccess instead to set in /etc/glusterfs/glusterd.vol. At the time of set secure_mgmt in ctx we will check the value of cert-depth and save the value of cert-depth in ctx.If user does not provide any value in cert-depth in that case it will consider default value is 1 BUG: 1555154 Change-Id: I89e9a9e1026e37efb5c20f9ec62b1989ef644f35 Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
2018-03-14 09:37:52 +05:30 · 2018-03-14 09:37:52 +05:30 · cf06dd5440
commit cf06dd5440
parent de52876407
10 changed files with 66 additions and 6 deletions
--- a/api/src/glfs-mgmt.c
+++ b/api/src/glfs-mgmt.c
@ -1040,6 +1040,7 @@ glfs_mgmt_init (struct glfs *fs)

        if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
                ctx->secure_mgmt = 1;
+                ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
        }

 	rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@ -439,6 +439,7 @@ parse_cmdline (int argc, char *argv[], struct cli_state *state)
        /* Do this first so that an option can override. */
        if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
                state->ctx->secure_mgmt = 1;
+                state->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
        }

        if (state->argc > GEO_REP_CMD_CONFIG_INDEX &&
--- a/glusterfsd/src/glusterfsd-mgmt.c
+++ b/glusterfsd/src/glusterfsd-mgmt.c
@ -2650,6 +2650,8 @@ glusterfs_mgmt_init (glusterfs_ctx_t *ctx)
                        goto out;

                }
+
+                ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
        }

        rpc = rpc_clnt_new (options, THIS, THIS->name, 8);
--- a/glusterfsd/src/glusterfsd.c
+++ b/glusterfsd/src/glusterfsd.c
@ -1951,6 +1951,7 @@ parse_cmdline (int argc, char *argv[], glusterfs_ctx_t *ctx)
        /* Do this before argp_parse so it can be overridden. */
        if (sys_access (SECURE_ACCESS_FILE, F_OK) == 0) {
                cmd_args->secure_mgmt = 1;
+                ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
        }

        argp_parse (&argp, argc, argv, ARGP_IN_ORDER, NULL, cmd_args);
--- a/heal/src/glfs-heal.c
+++ b/heal/src/glfs-heal.c
@ -1661,6 +1661,7 @@ main (int argc, char **argv)

        if (sys_access(SECURE_ACCESS_FILE, F_OK) == 0) {
                fs->ctx->secure_mgmt = 1;
+                fs->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
        }

        ret = glfs_set_volfile_server (fs, "unix", DEFAULT_GLUSTERD_SOCKFILE, 0);
--- a/libglusterfs/src/glusterfs.h
+++ b/libglusterfs/src/glusterfs.h
@ -593,6 +593,11 @@ struct _glusterfs_ctx {
         */
        int                secure_mgmt;

+        /* The option is use to set cert_depth while management connection
+           use SSL
+         */
+        int                ssl_cert_depth;
+
        /*
         * Should *our* server/inbound connections use SSL?  This is only true
         * if we're glusterd and secure_mgmt is set, or if we're glusterfsd
@ -700,4 +705,5 @@ int glusterfs_graph_parent_up (glusterfs_graph_t *graph);
 void
 gf_free_mig_locks (lock_migration_info_t *locks);

+int glusterfs_read_secure_access_file (void);
 #endif /* _GLUSTERFS_H */
--- a/libglusterfs/src/graph.c
+++ b/libglusterfs/src/graph.c
@ -16,7 +16,7 @@
 #include "defaults.h"
 #include <unistd.h>
 #include "syscall.h"
-
+#include <regex.h>
 #include "libglusterfs-messages.h"

 #if 0
@ -68,7 +68,47 @@ _gf_dump_details (int argc, char **argv)
 }
 #endif

+int
+glusterfs_read_secure_access_file (void)
+{
+        FILE *fp = NULL;
+        char  line[100] = {0,};
+        int   cert_depth = 1;   /* Default SSL CERT DEPTH */
+        regex_t regcmpl;
+        char *key = {"^option transport.socket.ssl-cert-depth"};
+        char  keyval[50] = {0,};
+        int start = 0, end = 0, copy_len = 0;
+        regmatch_t result[1] = {{0} };

+        fp = fopen (SECURE_ACCESS_FILE, "r");
+        if (!fp)
+                goto out;
+
+        /* Check if any line matches with key */
+        while (fgets(line, sizeof(line), fp) != NULL) {
+                if (regcomp (&regcmpl, key, REG_EXTENDED)) {
+                        goto out;
+                }
+                if (!regexec (&regcmpl, line, 1, result, 0)) {
+                        start = result[0].rm_so;
+                        end  = result[0].rm_eo;
+                        copy_len = end - start;
+                        strcpy (keyval, line+copy_len);
+                        if (keyval[0]) {
+                                cert_depth = atoi(keyval);
+                                if (cert_depth == 0)
+                                        cert_depth = 1; /* Default SSL CERT DEPTH */
+                                break;
+                        }
+                }
+                regfree(&regcmpl);
+        }
+
+out:
+        if (fp)
+                fclose (fp);
+        return cert_depth;
+}

 int
 glusterfs_xlator_link (xlator_t *pxl, xlator_t *cxl)
--- a/libglusterfs/src/libglusterfs.sym
+++ b/libglusterfs/src/libglusterfs.sym
@ -733,6 +733,7 @@ glusterfs_graph_deactivate
 glusterfs_graph_destroy
 glusterfs_graph_destroy_residual
 glusterfs_graph_prepare
+glusterfs_read_secure_access_file
 glusterfs_graph_print_file
 glusterfs_graph_set_first
 glusterfs_is_local_pathinfo
@ -1107,4 +1108,4 @@ use_spinlocks
 dump_options
 glusterfs_leaseid_buf_get
 gf_replace_old_iatt_in_dict
-gf_replace_new_iatt_in_dict
+gf_replace_new_iatt_in_dict
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@ -4489,7 +4489,13 @@ socket_init (rpc_transport_t *this)
               "using %s polling thread",
               priv->own_thread ? "private" : "system");

-        if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+        if (!priv->mgmt_ssl) {
+                if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+                        gf_log (this->name, GF_LOG_INFO,
+                                "using certificate depth %d", cert_depth);
+                }
+        } else {
+                cert_depth = this->ctx->ssl_cert_depth;
                gf_log (this->name, GF_LOG_INFO,
                        "using certificate depth %d", cert_depth);
        }
@ -4628,9 +4634,7 @@ socket_init (rpc_transport_t *this)
                        goto err;
                }

-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
-                SSL_CTX_set_verify_depth(ctx, cert_depth);
-#endif
+                SSL_CTX_set_verify_depth(priv->ssl_ctx, cert_depth);

                if (crl_path) {
 #ifdef X509_V_FLAG_CRL_CHECK_ALL
--- a/xlators/mgmt/glusterd/src/glusterd-handler.c
+++ b/xlators/mgmt/glusterd/src/glusterd-handler.c
@ -3475,6 +3475,9 @@ glusterd_friend_rpc_create (xlator_t *this, glusterd_peerinfo_t *peerinfo,
                                "failed to set ssl-enabled in dict");
                        goto out;
                }
+
+                this->ctx->ssl_cert_depth = glusterfs_read_secure_access_file ();
+
        }

        ret = glusterd_rpc_create (&peerinfo->rpc, options,