Posted to commits@kudu.apache.org by da...@apache.org on 2017/01/13 03:01:21 UTC

[2/2] kudu git commit: Add openssl_util

Add openssl_util

Also migrates the existing ssl_factory static initialization to use the
new openssl_util version.

Change-Id: I1fb8bc2fb4153eff7adf896e43a979783de6f4b8
Reviewed-on: http://gerrit.cloudera.org:8080/5704
Reviewed-by: Todd Lipcon <to...@apache.org>
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Kudu Jenkins


Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/f907db13
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/f907db13
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/f907db13

Branch: refs/heads/master
Commit: f907db137c05da5e10353fb53f5a431efdac62c0
Parents: 71638f5
Author: Dan Burkert <da...@apache.org>
Authored: Thu Jan 12 16:04:39 2017 -0800
Committer: Dan Burkert <da...@apache.org>
Committed: Fri Jan 13 03:00:43 2017 +0000

----------------------------------------------------------------------
 src/kudu/security/CMakeLists.txt  |   1 +
 src/kudu/security/openssl_util.cc | 111 +++++++++++++++++++++++++++++++++
 src/kudu/security/openssl_util.h  |  39 ++++++++++++
 src/kudu/security/ssl_factory.cc  |  37 +----------
 src/kudu/security/ssl_factory.h   |   4 +-
 src/kudu/security/ssl_socket.h    |   4 +-
 6 files changed, 155 insertions(+), 41 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/kudu/blob/f907db13/src/kudu/security/CMakeLists.txt
----------------------------------------------------------------------
diff --git a/src/kudu/security/CMakeLists.txt b/src/kudu/security/CMakeLists.txt
index 2577771..2e0b3ee 100644
--- a/src/kudu/security/CMakeLists.txt
+++ b/src/kudu/security/CMakeLists.txt
@@ -31,6 +31,7 @@ endif()
 
 set(SECURITY_SRCS
   init.cc
+  openssl_util.cc
   ${PORTED_X509_CHECK_HOST_CC}
   ssl_factory.cc
   ssl_socket.cc)

http://git-wip-us.apache.org/repos/asf/kudu/blob/f907db13/src/kudu/security/openssl_util.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/openssl_util.cc b/src/kudu/security/openssl_util.cc
new file mode 100644
index 0000000..11d9b5c
--- /dev/null
+++ b/src/kudu/security/openssl_util.cc
@@ -0,0 +1,111 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "kudu/security/openssl_util.h"
+
+#include <mutex>
+#include <sstream>
+#include <string>
+#include <vector>
+
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/ssl.h>
+
+#include "kudu/util/debug/leakcheck_disabler.h"
+#include "kudu/util/mutex.h"
+#include "kudu/util/thread.h"
+
+using std::ostringstream;
+using std::string;
+using std::vector;
+
+namespace kudu {
+namespace security {
+
+namespace {
+
+vector<Mutex*> kCryptoLocks;
+
+// Lock/Unlock the nth lock. Only to be used by OpenSSL.
+void LockingCB(int mode, int type, const char* /*file*/, int /*line*/) {
+  DCHECK(!kCryptoLocks.empty());
+  Mutex* m = kCryptoLocks[type];
+  DCHECK(m);
+  if (mode & CRYPTO_LOCK) {
+    m->lock();
+  } else {
+    m->unlock();
+  }
+}
+
+// Return the current pthread's tid. Only to be used by OpenSSL.
+void ThreadIdCB(CRYPTO_THREADID* tid) {
+  CRYPTO_THREADID_set_numeric(tid, Thread::UniqueThreadId());
+}
+
+void DoInitializeOpenSSL() {
+  SSL_library_init();
+  SSL_load_error_strings();
+  OpenSSL_add_all_algorithms();
+  RAND_poll();
+
+  // Initialize the OpenSSL mutexes. We intentionally leak these, so ignore
+  // LSAN warnings.
+  debug::ScopedLeakCheckDisabler d;
+  int num_locks = CRYPTO_num_locks();
+  kCryptoLocks.reserve(num_locks);
+  for (int i = 0; i < num_locks; i++) {
+    kCryptoLocks.emplace_back(new Mutex());
+  }
+
+  // Callbacks used by OpenSSL required in a multi-threaded setting.
+  CRYPTO_set_locking_callback(LockingCB);
+  CRYPTO_THREADID_set_callback(ThreadIdCB);
+}
+} // namespace
+
+void InitializeOpenSSL() {
+  static std::once_flag ssl_once;
+  std::call_once(ssl_once, DoInitializeOpenSSL);
+}
+
+string GetOpenSSLErrors() {
+  ostringstream serr;
+  uint32_t l;
+  int line, flags;
+  const char *file, *data;
+  bool is_first = true;
+  while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
+    if (is_first) {
+      is_first = false;
+    } else {
+      serr << " ";
+    }
+
+    char buf[256];
+    ERR_error_string_n(l, buf, sizeof(buf));
+    serr << buf << ":" << file << ":" << line;
+    if (flags & ERR_TXT_STRING) {
+      serr << ":" << data;
+    }
+  }
+  return serr.str();
+}
+
+} // namespace security
+} // namespace kudu
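Review bot: The return value of `RAND_poll()` in DoInitializeOpenSSL is discarded, so a failure to seed the OpenSSL PRNG is silent and initialization continues as if it had succeeded. The call is carried over unchanged from the removed DoSSLInit, but this function is now the single OpenSSL initialization point, so it is the natural place to fail hard, for example `CHECK_EQ(1, RAND_poll()) << "could not seed OpenSSL PRNG";`. Separately, in GetOpenSSLErrors `l` is declared `uint32_t`, while `ERR_get_error_line_data` returns `unsigned long` and `ERR_error_string_n` takes one. Declaring it `unsigned long l;` avoids the implicit narrowing and the reliance on a transitive `<cstdint>` include.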

http://git-wip-us.apache.org/repos/asf/kudu/blob/f907db13/src/kudu/security/openssl_util.h
----------------------------------------------------------------------
diff --git a/src/kudu/security/openssl_util.h b/src/kudu/security/openssl_util.h
new file mode 100644
index 0000000..1bfdb0d
--- /dev/null
+++ b/src/kudu/security/openssl_util.h
@@ -0,0 +1,39 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include <string>
+
+// Forward declarations for the OpenSSL typedefs.
+typedef struct bio_st BIO;
+typedef struct ssl_ctx_st SSL_CTX;
+typedef struct ssl_st SSL;
+
+namespace kudu {
+namespace security {
+
+// Initializes static state required by the OpenSSL library.
+//
+// Safe to call multiple times.
+void InitializeOpenSSL();
+
+// Fetch the last error message from the OpenSSL library.
+std::string GetOpenSSLErrors();
+
+} // namespace security
+} // namespace kudu
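Review bot: The comment on `GetOpenSSLErrors()` says it fetches the last error message, but the implementation in openssl_util.cc loops on `ERR_get_error_line_data` until it returns 0, so it returns every error queued for the calling thread and leaves that queue empty. I would reword it to `// Drains the calling thread's OpenSSL error queue and returns all entries, space-separated.` The returned string also carries OpenSSL source file names, line numbers and any attached data text. The comment should say so, so that callers decide deliberately whether it stays in local logs or is copied into a status sent back to a remote peer.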

http://git-wip-us.apache.org/repos/asf/kudu/blob/f907db13/src/kudu/security/ssl_factory.cc
----------------------------------------------------------------------
diff --git a/src/kudu/security/ssl_factory.cc b/src/kudu/security/ssl_factory.cc
index 97de04b..2d011bf 100644
--- a/src/kudu/security/ssl_factory.cc
+++ b/src/kudu/security/ssl_factory.cc
@@ -21,10 +21,10 @@
 #include <vector>
 
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
 
+#include "kudu/security/openssl_util.h"
 #include "kudu/security/ssl_socket.h"
 #include "kudu/util/debug/leakcheck_disabler.h"
 #include "kudu/util/mutex.h"
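Review bot: The context lines `#include "kudu/util/debug/leakcheck_disabler.h"` and `#include "kudu/util/mutex.h"` stay in ssl_factory.cc, although the next hunk removes the only visible uses of `ScopedLeakCheckDisabler` and `Mutex` (g_ssl_mutexes and DoSSLInit). The rest of the file is outside the hunks shown. If nothing else there needs them, they can be dropped in this commit, along with any include that was only there for `std::once_flag` or `Thread::UniqueThreadId()`, so the file's dependencies match what moved to openssl_util.cc.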
@@ -32,41 +32,8 @@
 
 namespace kudu {
 
-// These non-POD elements will be alive for the lifetime of the process, so don't allocate in
-// static storage.
-static Mutex* g_ssl_mutexes;
-
-// Lock/Unlock the nth lock. Only to be used by OpenSSL.
-static void CryptoLockingCallback(int mode, int n, const char* /*unused*/, int /*unused*/) {
-  if (mode & CRYPTO_LOCK) {
-    g_ssl_mutexes[n].Acquire();
-  } else {
-    g_ssl_mutexes[n].Release();
-  }
-}
-
-// Return the current pthread's tid. Only to be used by OpenSSL.
-static void CryptoThreadIDCallback(CRYPTO_THREADID* id) {
-  return CRYPTO_THREADID_set_numeric(id, Thread::UniqueThreadId());
-}
-
-void DoSSLInit() {
-  SSL_library_init();
-  SSL_load_error_strings();
-  OpenSSL_add_all_algorithms();
-  RAND_poll();
-
-  debug::ScopedLeakCheckDisabler d;
-  g_ssl_mutexes = new Mutex[CRYPTO_num_locks()];
-
-  // Callbacks used by OpenSSL required in a multi-threaded setting.
-  CRYPTO_set_locking_callback(CryptoLockingCallback);
-  CRYPTO_THREADID_set_callback(CryptoThreadIDCallback);
-}
-
 SSLFactory::SSLFactory() : ctx_(nullptr, SSL_CTX_free) {
-  static std::once_flag ssl_once;
-  std::call_once(ssl_once, DoSSLInit);
+  security::InitializeOpenSSL();
 }
 
 SSLFactory::~SSLFactory() {

http://git-wip-us.apache.org/repos/asf/kudu/blob/f907db13/src/kudu/security/ssl_factory.h
----------------------------------------------------------------------
diff --git a/src/kudu/security/ssl_factory.h b/src/kudu/security/ssl_factory.h
index 9d2dd31..02a3afb 100644
--- a/src/kudu/security/ssl_factory.h
+++ b/src/kudu/security/ssl_factory.h
@@ -22,12 +22,10 @@
 
 #include "kudu/gutil/macros.h"
 #include "kudu/gutil/strings/substitute.h"
+#include "kudu/security/openssl_util.h"
 #include "kudu/util/errno.h"
 #include "kudu/util/status.h"
 
-struct ssl_ctx_st;
-typedef ssl_ctx_st SSL_CTX;
-
 namespace kudu {
 
 class Sockaddr;

http://git-wip-us.apache.org/repos/asf/kudu/blob/f907db13/src/kudu/security/ssl_socket.h
----------------------------------------------------------------------
diff --git a/src/kudu/security/ssl_socket.h b/src/kudu/security/ssl_socket.h
index 91fe39f..4f67d48 100644
--- a/src/kudu/security/ssl_socket.h
+++ b/src/kudu/security/ssl_socket.h
@@ -22,12 +22,10 @@
 #include <string>
 
 #include "kudu/gutil/macros.h"
+#include "kudu/security/openssl_util.h"
 #include "kudu/util/net/socket.h"
 #include "kudu/util/status.h"
 
-struct ssl_st;
-typedef ssl_st SSL;
-
 namespace kudu {
 
 class Sockaddr;