authormanu <manu>2015-08-02 02:48:34 +0000
committermanu <manu>2015-08-02 02:48:34 +0000
commitce83f3428dc34c593e263a4bfe2b6a595dcf1676 (patch)
tree5c65a8ac9768ca59e45f88be461a1828f5e2f718 /filesystems/glusterfs
parent31e159dada16ec10d45581a8c1ecaebdff9140bd (diff)
Upgrade glusterfs to 3.7.3
This is a maintenance upgrade; the complete bugfix list is available from the distribution ChangeLog.
Diffstat (limited to 'filesystems/glusterfs')
-rw-r--r--filesystems/glusterfs/Makefile4
-rw-r--r--filesystems/glusterfs/PLIST156
-rw-r--r--filesystems/glusterfs/distinfo9
-rw-r--r--filesystems/glusterfs/patches/patch-11763936
4 files changed, 1021 insertions, 84 deletions
diff --git a/filesystems/glusterfs/Makefile b/filesystems/glusterfs/Makefile
index cd62153e16e..4bdbac9c039 100644
--- a/filesystems/glusterfs/Makefile
+++ b/filesystems/glusterfs/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.52 2015/06/20 03:43:04 manu Exp $
+# $NetBSD: Makefile,v 1.53 2015/08/02 02:48:34 manu Exp $
-DISTNAME= glusterfs-3.7.2
+DISTNAME= glusterfs-3.7.3
#PKGREVISION= 1
CATEGORIES= filesystems
MASTER_SITES= http://bits.gluster.org/pub/gluster/glusterfs/src/
diff --git a/filesystems/glusterfs/PLIST b/filesystems/glusterfs/PLIST
index c8acf801fa2..c1fb3bd3c7c 100644
--- a/filesystems/glusterfs/PLIST
+++ b/filesystems/glusterfs/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.25 2015/06/20 03:43:04 manu Exp $
+@comment $NetBSD: PLIST,v 1.26 2015/08/02 02:48:34 manu Exp $
${PYSITELIB}/gluster/__init__.py
${PYSITELIB}/gluster/__init__.pyc
${PYSITELIB}/gluster/__init__.pyo
@@ -22,83 +22,83 @@ include/glusterfs/gfdb/gfdb_data_store_types.h
include/glusterfs/gfdb/gfdb_mem-types.h
include/glusterfs/gfdb/gfdb_sqlite3.h
include/glusterfs/gfdb/gfdb_sqlite3_helper.c
-lib/glusterfs/3.7.2/auth/addr.la
-lib/glusterfs/3.7.2/auth/login.la
-lib/glusterfs/3.7.2/rpc-transport/socket.la
-lib/glusterfs/3.7.2/xlator/cluster/afr.la
-lib/glusterfs/3.7.2/xlator/cluster/dht.la
-lib/glusterfs/3.7.2/xlator/cluster/disperse.so
-lib/glusterfs/3.7.2/xlator/cluster/distribute.so
-lib/glusterfs/3.7.2/xlator/cluster/ec.la
-lib/glusterfs/3.7.2/xlator/cluster/nufa.la
-lib/glusterfs/3.7.2/xlator/cluster/pump.la
-lib/glusterfs/3.7.2/xlator/cluster/replicate.so
-lib/glusterfs/3.7.2/xlator/cluster/stripe.la
-lib/glusterfs/3.7.2/xlator/cluster/switch.la
-lib/glusterfs/3.7.2/xlator/cluster/tier.la
-lib/glusterfs/3.7.2/xlator/debug/error-gen.la
-lib/glusterfs/3.7.2/xlator/debug/io-stats.la
-lib/glusterfs/3.7.2/xlator/debug/trace.la
-lib/glusterfs/3.7.2/xlator/encryption/crypt.la
-lib/glusterfs/3.7.2/xlator/encryption/rot-13.la
-lib/glusterfs/3.7.2/xlator/features/access-control.so
-lib/glusterfs/3.7.2/xlator/features/arbiter.la
-lib/glusterfs/3.7.2/xlator/features/barrier.la
-lib/glusterfs/3.7.2/xlator/features/bit-rot.la
-lib/glusterfs/3.7.2/xlator/features/bitrot-stub.la
-lib/glusterfs/3.7.2/xlator/features/cdc.la
-lib/glusterfs/3.7.2/xlator/features/changelog.la
-lib/glusterfs/3.7.2/xlator/features/changetimerecorder.la
-lib/glusterfs/3.7.2/xlator/features/ganesha.la
-lib/glusterfs/3.7.2/xlator/features/gfid-access.la
-lib/glusterfs/3.7.2/xlator/features/glupy.la
-lib/glusterfs/3.7.2/xlator/features/glupy/debug-trace.py
-lib/glusterfs/3.7.2/xlator/features/glupy/debug-trace.pyc
-lib/glusterfs/3.7.2/xlator/features/glupy/debug-trace.pyo
-lib/glusterfs/3.7.2/xlator/features/glupy/helloworld.py
-lib/glusterfs/3.7.2/xlator/features/glupy/helloworld.pyc
-lib/glusterfs/3.7.2/xlator/features/glupy/helloworld.pyo
-lib/glusterfs/3.7.2/xlator/features/glupy/negative.py
-lib/glusterfs/3.7.2/xlator/features/glupy/negative.pyc
-lib/glusterfs/3.7.2/xlator/features/glupy/negative.pyo
-lib/glusterfs/3.7.2/xlator/features/index.la
-lib/glusterfs/3.7.2/xlator/features/locks.la
-lib/glusterfs/3.7.2/xlator/features/mac-compat.la
-lib/glusterfs/3.7.2/xlator/features/marker.la
-lib/glusterfs/3.7.2/xlator/features/posix-locks.so
-lib/glusterfs/3.7.2/xlator/features/prot_client.la
-lib/glusterfs/3.7.2/xlator/features/prot_dht.la
-lib/glusterfs/3.7.2/xlator/features/prot_server.la
-lib/glusterfs/3.7.2/xlator/features/quiesce.la
-lib/glusterfs/3.7.2/xlator/features/quota.la
-lib/glusterfs/3.7.2/xlator/features/quotad.la
-lib/glusterfs/3.7.2/xlator/features/read-only.la
-lib/glusterfs/3.7.2/xlator/features/shard.la
-lib/glusterfs/3.7.2/xlator/features/snapview-client.la
-lib/glusterfs/3.7.2/xlator/features/snapview-server.la
-lib/glusterfs/3.7.2/xlator/features/trash.la
-lib/glusterfs/3.7.2/xlator/features/upcall.la
-lib/glusterfs/3.7.2/xlator/features/worm.la
-lib/glusterfs/3.7.2/xlator/meta.la
-lib/glusterfs/3.7.2/xlator/mgmt/glusterd.la
-lib/glusterfs/3.7.2/xlator/mount/api.la
-lib/glusterfs/3.7.2/xlator/mount/fuse.la
-lib/glusterfs/3.7.2/xlator/nfs/server.la
-lib/glusterfs/3.7.2/xlator/performance/io-cache.la
-lib/glusterfs/3.7.2/xlator/performance/io-threads.la
-lib/glusterfs/3.7.2/xlator/performance/md-cache.la
-lib/glusterfs/3.7.2/xlator/performance/open-behind.la
-lib/glusterfs/3.7.2/xlator/performance/quick-read.la
-lib/glusterfs/3.7.2/xlator/performance/read-ahead.la
-lib/glusterfs/3.7.2/xlator/performance/readdir-ahead.la
-lib/glusterfs/3.7.2/xlator/performance/stat-prefetch.so
-lib/glusterfs/3.7.2/xlator/performance/write-behind.la
-lib/glusterfs/3.7.2/xlator/protocol/client.la
-lib/glusterfs/3.7.2/xlator/protocol/server.la
-lib/glusterfs/3.7.2/xlator/storage/posix.la
-lib/glusterfs/3.7.2/xlator/system/posix-acl.la
-lib/glusterfs/3.7.2/xlator/testing/features/template.la
-lib/glusterfs/3.7.2/xlator/testing/performance/symlink-cache.la
+lib/glusterfs/3.7.3/auth/addr.la
+lib/glusterfs/3.7.3/auth/login.la
+lib/glusterfs/3.7.3/rpc-transport/socket.la
+lib/glusterfs/3.7.3/xlator/cluster/afr.la
+lib/glusterfs/3.7.3/xlator/cluster/dht.la
+lib/glusterfs/3.7.3/xlator/cluster/disperse.so
+lib/glusterfs/3.7.3/xlator/cluster/distribute.so
+lib/glusterfs/3.7.3/xlator/cluster/ec.la
+lib/glusterfs/3.7.3/xlator/cluster/nufa.la
+lib/glusterfs/3.7.3/xlator/cluster/pump.la
+lib/glusterfs/3.7.3/xlator/cluster/replicate.so
+lib/glusterfs/3.7.3/xlator/cluster/stripe.la
+lib/glusterfs/3.7.3/xlator/cluster/switch.la
+lib/glusterfs/3.7.3/xlator/cluster/tier.la
+lib/glusterfs/3.7.3/xlator/debug/error-gen.la
+lib/glusterfs/3.7.3/xlator/debug/io-stats.la
+lib/glusterfs/3.7.3/xlator/debug/trace.la
+lib/glusterfs/3.7.3/xlator/encryption/crypt.la
+lib/glusterfs/3.7.3/xlator/encryption/rot-13.la
+lib/glusterfs/3.7.3/xlator/features/access-control.so
+lib/glusterfs/3.7.3/xlator/features/arbiter.la
+lib/glusterfs/3.7.3/xlator/features/barrier.la
+lib/glusterfs/3.7.3/xlator/features/bit-rot.la
+lib/glusterfs/3.7.3/xlator/features/bitrot-stub.la
+lib/glusterfs/3.7.3/xlator/features/cdc.la
+lib/glusterfs/3.7.3/xlator/features/changelog.la
+lib/glusterfs/3.7.3/xlator/features/changetimerecorder.la
+lib/glusterfs/3.7.3/xlator/features/ganesha.la
+lib/glusterfs/3.7.3/xlator/features/gfid-access.la
+lib/glusterfs/3.7.3/xlator/features/glupy.la
+lib/glusterfs/3.7.3/xlator/features/glupy/debug-trace.py
+lib/glusterfs/3.7.3/xlator/features/glupy/debug-trace.pyc
+lib/glusterfs/3.7.3/xlator/features/glupy/debug-trace.pyo
+lib/glusterfs/3.7.3/xlator/features/glupy/helloworld.py
+lib/glusterfs/3.7.3/xlator/features/glupy/helloworld.pyc
+lib/glusterfs/3.7.3/xlator/features/glupy/helloworld.pyo
+lib/glusterfs/3.7.3/xlator/features/glupy/negative.py
+lib/glusterfs/3.7.3/xlator/features/glupy/negative.pyc
+lib/glusterfs/3.7.3/xlator/features/glupy/negative.pyo
+lib/glusterfs/3.7.3/xlator/features/index.la
+lib/glusterfs/3.7.3/xlator/features/locks.la
+lib/glusterfs/3.7.3/xlator/features/mac-compat.la
+lib/glusterfs/3.7.3/xlator/features/marker.la
+lib/glusterfs/3.7.3/xlator/features/posix-locks.so
+lib/glusterfs/3.7.3/xlator/features/prot_client.la
+lib/glusterfs/3.7.3/xlator/features/prot_dht.la
+lib/glusterfs/3.7.3/xlator/features/prot_server.la
+lib/glusterfs/3.7.3/xlator/features/quiesce.la
+lib/glusterfs/3.7.3/xlator/features/quota.la
+lib/glusterfs/3.7.3/xlator/features/quotad.la
+lib/glusterfs/3.7.3/xlator/features/read-only.la
+lib/glusterfs/3.7.3/xlator/features/shard.la
+lib/glusterfs/3.7.3/xlator/features/snapview-client.la
+lib/glusterfs/3.7.3/xlator/features/snapview-server.la
+lib/glusterfs/3.7.3/xlator/features/trash.la
+lib/glusterfs/3.7.3/xlator/features/upcall.la
+lib/glusterfs/3.7.3/xlator/features/worm.la
+lib/glusterfs/3.7.3/xlator/meta.la
+lib/glusterfs/3.7.3/xlator/mgmt/glusterd.la
+lib/glusterfs/3.7.3/xlator/mount/api.la
+lib/glusterfs/3.7.3/xlator/mount/fuse.la
+lib/glusterfs/3.7.3/xlator/nfs/server.la
+lib/glusterfs/3.7.3/xlator/performance/io-cache.la
+lib/glusterfs/3.7.3/xlator/performance/io-threads.la
+lib/glusterfs/3.7.3/xlator/performance/md-cache.la
+lib/glusterfs/3.7.3/xlator/performance/open-behind.la
+lib/glusterfs/3.7.3/xlator/performance/quick-read.la
+lib/glusterfs/3.7.3/xlator/performance/read-ahead.la
+lib/glusterfs/3.7.3/xlator/performance/readdir-ahead.la
+lib/glusterfs/3.7.3/xlator/performance/stat-prefetch.so
+lib/glusterfs/3.7.3/xlator/performance/write-behind.la
+lib/glusterfs/3.7.3/xlator/protocol/client.la
+lib/glusterfs/3.7.3/xlator/protocol/server.la
+lib/glusterfs/3.7.3/xlator/storage/posix.la
+lib/glusterfs/3.7.3/xlator/system/posix-acl.la
+lib/glusterfs/3.7.3/xlator/testing/features/template.la
+lib/glusterfs/3.7.3/xlator/testing/performance/symlink-cache.la
lib/libgfapi.la
lib/libgfchangelog.la
lib/libgfdb.la
diff --git a/filesystems/glusterfs/distinfo b/filesystems/glusterfs/distinfo
index 7f9ba5b920a..db7a9dd3371 100644
--- a/filesystems/glusterfs/distinfo
+++ b/filesystems/glusterfs/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.40 2015/06/20 03:43:04 manu Exp $
+$NetBSD: distinfo,v 1.41 2015/08/02 02:48:34 manu Exp $
-SHA1 (glusterfs-3.7.2.tar.gz) = e67ef3dba8c841db4d36a102ae08faecb92bf8e9
-RMD160 (glusterfs-3.7.2.tar.gz) = f91df269340494e2e4efd0eff01ad2b551476e2d
-Size (glusterfs-3.7.2.tar.gz) = 7283002 bytes
+SHA1 (glusterfs-3.7.3.tar.gz) = ebb8e4cec3fe52634c09df6db55b338adb12c226
+RMD160 (glusterfs-3.7.3.tar.gz) = a7adea3bec9426ed9059768e07b0570e226bb982
+Size (glusterfs-3.7.3.tar.gz) = 7446956 bytes
+SHA1 (patch-11763) = a583bb198ca7293293fe1b39e2e9a95ff782c40d
SHA1 (patch-xlators_mgmt_glusterd_src_Makefile.in) = 188eab283bd7433c86e7767e594ba8fb97645e23
diff --git a/filesystems/glusterfs/patches/patch-11763 b/filesystems/glusterfs/patches/patch-11763
new file mode 100644
index 00000000000..63991c4be8b
--- /dev/null
+++ b/filesystems/glusterfs/patches/patch-11763
@@ -0,0 +1,936 @@
+$NetBSD: patch-11763,v 1.1 2015/08/02 02:48:34 manu Exp $
+
+From upstream: http://review.gluster.org/11763
+
+SSL improvements: ECDH, DH, CRL, and accessible options
+
+- Introduce ssl.dh-param option to specify a file containinf DH parameters.
+ If it is provided, EDH ciphers are available.
+
+- Introduce ssl.ec-curve option to specify an elliptic curve name. If
+ unspecified, ECDH ciphers are available using the prime256v1 curve.
+
+- Introduce ssl.crl-path option to specify the directory where the
+ CRL hash file can be found. Setting to NULL disable CRL checking,
+ just like the default.
+
+- Make all ssl.* options accessible through gluster volume set
+
+- In default cipher list, exclude weak ciphers instead of listing
+ the strong ones.
+
+- Enforce server cipher preference.
+
+- introduce RPC_SET_OPT macro to factor repetitive code in glusterd-volgen.c
+
+- Add ssl-ciphers.t test to check all the features touched by this change.
+
+Backport of I7bfd433df6bbf176f4a58e770e06bcdbe22a101a
+
+Change-Id: I2947eabe76ae0487ecad52a60befb7de473fc90c
+BUG: 1247153
+Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
+
+--- ./xlators/mgmt/glusterd/src/glusterd-volgen.c.orig 2015-07-28 08:28:31.000000000 +0200
++++ ./xlators/mgmt/glusterd/src/glusterd-volgen.c 2015-07-28 10:36:56.000000000 +0200
+@@ -41,8 +41,22 @@
+ #include "glusterd-snapd-svc-helper.h"
+
+ extern struct volopt_map_entry glusterd_volopt_map[];
+
++#define RPC_SET_OPT(XL, CLI_OPT, XLATOR_OPT, ERROR_CMD) do { \
++ char *_value = NULL; \
++ \
++ if (dict_get_str (set_dict, CLI_OPT, &_value) == 0) { \
++ if (xlator_set_option (XL, \
++ "transport.socket." XLATOR_OPT, _value) != 0) { \
++ gf_msg ("glusterd", GF_LOG_WARNING, errno, \
++ GD_MSG_XLATOR_SET_OPT_FAIL, \
++ "failed to set " XLATOR_OPT); \
++ ERROR_CMD; \
++ } \
++ } \
++} while (0 /* CONSTCOND */)
++
+ /*********************************************
+ *
+ * xlator generation / graph manipulation API
+ *
+@@ -2075,27 +2089,16 @@
+ if (ret)
+ return -1;
+ }
+
+- if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+- ret = xlator_set_option (xl, "ssl-cert-depth", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, 0,
+- GD_MSG_XLATOR_SET_OPT_FAIL,
+- "failed to set ssl-cert-depth");
+- return -1;
+- }
+- }
+-
+- if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+- ret = xlator_set_option (xl, "ssl-cipher-list", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, 0,
+- GD_MSG_XLATOR_SET_OPT_FAIL,
+- "failed to set ssl-cipher-list");
+- return -1;
+- }
+- }
++ RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", return -1);
++ RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", return -1);
++ RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", return -1);
++ RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", return -1);
++ RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", return -1);
++ RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", return -1);
++ RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", return -1);
++ RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", return -1);
+
+ if (username) {
+ memset (key, 0, sizeof (key));
+ snprintf (key, sizeof (key), "auth.login.%s.allow",
+@@ -2169,28 +2172,24 @@
+ ptranst = glusterd_get_trans_type_rb (volinfo->transport_type);
+ if (NULL == ptranst)
+ return -1;
+
+- if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+- ret = xlator_set_option (rbxl, "ssl-cert-depth", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, errno,
+- GD_MSG_DICT_GET_FAILED,
+- "failed to set ssl-cert-depth");
+- return -1;
+- }
+- }
+-
+- if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+- ret = xlator_set_option (rbxl, "ssl-cipher-list",
+- value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, errno,
+- GD_MSG_DICT_GET_FAILED,
+- "failed to set ssl-cipher-list");
+- return -1;
+- }
+- }
++ RPC_SET_OPT(rbxl, SSL_OWN_CERT_OPT, "ssl-own-cert",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_PRIVATE_KEY_OPT,"ssl-private-key",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_CA_LIST_OPT, "ssl-ca-list",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_CRL_PATH_OPT, "ssl-crl-path",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_DH_PARAM_OPT, "ssl-dh-param",
++ return -1);
++ RPC_SET_OPT(rbxl, SSL_EC_CURVE_OPT, "ssl-ec-curve",
++ return -1);
+
+ if (username) {
+ ret = xlator_set_option (rbxl, "username", username);
+ if (ret)
+@@ -2747,27 +2746,16 @@
+ }
+ }
+ }
+
+- if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+- ret = xlator_set_option (xl, "ssl-cert-depth", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, errno,
+- GD_MSG_DICT_GET_FAILED,
+- "failed to set ssl-cert-depth");
+- goto err;
+- }
+- }
+-
+- if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+- ret = xlator_set_option (xl, "ssl-cipher-list", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, errno,
+- GD_MSG_DICT_GET_FAILED,
+- "failed to set ssl-cipher-list");
+- goto err;
+- }
+- }
++ RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", goto err);
++ RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", goto err);
++ RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", goto err);
++ RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", goto err);
++ RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", goto err);
++ RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", goto err);
++ RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", goto err);
++ RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", goto err);
+
+ return xl;
+ err:
+ return NULL;
+@@ -4961,27 +4949,16 @@
+ ret = xlator_set_option (xl, "transport-type", "tcp");
+ if (ret)
+ return -1;
+
+- if (dict_get_str (set_dict, SSL_CERT_DEPTH_OPT, &value) == 0) {
+- ret = xlator_set_option (xl, "ssl-cert-depth", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, 0,
+- GD_MSG_XLATOR_SET_OPT_FAIL,
+- "failed to set ssl-cert-depth");
+- return -1;
+- }
+- }
+-
+- if (dict_get_str (set_dict, SSL_CIPHER_LIST_OPT, &value) == 0) {
+- ret = xlator_set_option (xl, "ssl-cipher-list", value);
+- if (ret) {
+- gf_msg ("glusterd", GF_LOG_WARNING, 0,
+- GD_MSG_XLATOR_SET_OPT_FAIL,
+- "failed to set ssl-cipher-list");
+- return -1;
+- }
+- }
++ RPC_SET_OPT(xl, SSL_OWN_CERT_OPT, "ssl-own-cert", return -1);
++ RPC_SET_OPT(xl, SSL_PRIVATE_KEY_OPT,"ssl-private-key", return -1);
++ RPC_SET_OPT(xl, SSL_CA_LIST_OPT, "ssl-ca-list", return -1);
++ RPC_SET_OPT(xl, SSL_CRL_PATH_OPT, "ssl-crl-path", return -1);
++ RPC_SET_OPT(xl, SSL_CERT_DEPTH_OPT, "ssl-cetificate-depth", return -1);
++ RPC_SET_OPT(xl, SSL_CIPHER_LIST_OPT,"ssl-cipher-list", return -1);
++ RPC_SET_OPT(xl, SSL_DH_PARAM_OPT, "ssl-dh-param", return -1);
++ RPC_SET_OPT(xl, SSL_EC_CURVE_OPT, "ssl-ec-curve", return -1);
+
+ username = glusterd_auth_get_username (volinfo);
+ passwd = glusterd_auth_get_password (volinfo);
+
+--- ./xlators/mgmt/glusterd/src/glusterd-volgen.h.orig 2015-07-28 08:28:31.000000000 +0200
++++ ./xlators/mgmt/glusterd/src/glusterd-volgen.h 2015-07-28 10:36:56.000000000 +0200
+@@ -44,10 +44,16 @@
+ #define AUTH_ALLOW_OPT_KEY "auth.addr.*.allow"
+ #define AUTH_REJECT_OPT_KEY "auth.addr.*.reject"
+ #define NFS_DISABLE_OPT_KEY "nfs.*.disable"
+
++#define SSL_OWN_CERT_OPT "ssl.own-cert"
++#define SSL_PRIVATE_KEY_OPT "ssl.private-key"
++#define SSL_CA_LIST_OPT "ssl.ca-list"
++#define SSL_CRL_PATH_OPT "ssl.crl-path"
+ #define SSL_CERT_DEPTH_OPT "ssl.certificate-depth"
+ #define SSL_CIPHER_LIST_OPT "ssl.cipher-list"
++#define SSL_DH_PARAM_OPT "ssl.dh-param"
++#define SSL_EC_CURVE_OPT "ssl.ec-curve"
+
+
+ typedef enum {
+ GF_CLIENT_TRUSTED,
+--- ./xlators/mgmt/glusterd/src/glusterd-volume-set.c.orig 2015-07-28 08:28:31.000000000 +0200
++++ ./xlators/mgmt/glusterd/src/glusterd-volume-set.c 2015-07-28 10:36:56.000000000 +0200
+@@ -1081,8 +1081,28 @@
+ .op_version = GD_OP_VERSION_3_7_0,
+ },
+
+ /* Generic transport options */
++ { .key = SSL_OWN_CERT_OPT,
++ .voltype = "rpc-transport/socket",
++ .option = "!ssl-own-cert",
++ .op_version = GD_OP_VERSION_3_7_0,
++ },
++ { .key = SSL_PRIVATE_KEY_OPT,
++ .voltype = "rpc-transport/socket",
++ .option = "!ssl-private-key",
++ .op_version = GD_OP_VERSION_3_7_0,
++ },
++ { .key = SSL_CA_LIST_OPT,
++ .voltype = "rpc-transport/socket",
++ .option = "!ssl-ca-list",
++ .op_version = GD_OP_VERSION_3_7_0,
++ },
++ { .key = SSL_CRL_PATH_OPT,
++ .voltype = "rpc-transport/socket",
++ .option = "!ssl-crl-path",
++ .op_version = GD_OP_VERSION_3_7_0,
++ },
+ { .key = SSL_CERT_DEPTH_OPT,
+ .voltype = "rpc-transport/socket",
+ .option = "!ssl-cert-depth",
+ .op_version = GD_OP_VERSION_3_6_0,
+@@ -1091,8 +1111,18 @@
+ .voltype = "rpc-transport/socket",
+ .option = "!ssl-cipher-list",
+ .op_version = GD_OP_VERSION_3_6_0,
+ },
++ { .key = SSL_DH_PARAM_OPT,
++ .voltype = "rpc-transport/socket",
++ .option = "!ssl-dh-param",
++ .op_version = GD_OP_VERSION_3_7_0,
++ },
++ { .key = SSL_EC_CURVE_OPT,
++ .voltype = "rpc-transport/socket",
++ .option = "!ssl-ec-curve",
++ .op_version = GD_OP_VERSION_3_7_0,
++ },
+
+ /* Performance xlators enable/disbable options */
+ { .key = "performance.write-behind",
+ .voltype = "performance/write-behind",
+--- ./rpc/rpc-transport/socket/src/socket.c.orig 2015-07-28 08:28:30.000000000 +0200
++++ ./rpc/rpc-transport/socket/src/socket.c 2015-07-28 10:36:56.000000000 +0200
+@@ -48,76 +48,15 @@
+ #define SSL_ENABLED_OPT "transport.socket.ssl-enabled"
+ #define SSL_OWN_CERT_OPT "transport.socket.ssl-own-cert"
+ #define SSL_PRIVATE_KEY_OPT "transport.socket.ssl-private-key"
+ #define SSL_CA_LIST_OPT "transport.socket.ssl-ca-list"
++#define SSL_CERT_DEPTH_OPT "transport.socket.ssl-cert-depth"
++#define SSL_CIPHER_LIST_OPT "transport.socket.ssl-cipher-list"
++#define SSL_DH_PARAM_OPT "transport.socket.ssl-dh-param"
++#define SSL_EC_CURVE_OPT "transport.socket.ssl-ec-curve"
++#define SSL_CRL_PATH_OPT "transport.socket.ssl-crl-path"
+ #define OWN_THREAD_OPT "transport.socket.own-thread"
+
+-/*
+- * This list was derived by taking the cipher list "HIGH:!SSLv2" (the previous
+- * default) and excluding CBC entries to mitigate the "POODLE" attack. It
+- * should be re-evaluated in light of each future vulnerability, as those are
+- * discovered.
+- */
+-static char *default_cipher_list =
+- "ECDHE-RSA-AES256-GCM-SHA384:"
+- "ECDHE-ECDSA-AES256-GCM-SHA384:"
+- "ECDHE-RSA-AES256-SHA384:"
+- "ECDHE-ECDSA-AES256-SHA384:"
+- "ECDHE-RSA-AES256-SHA:"
+- "ECDHE-ECDSA-AES256-SHA:"
+- "DHE-DSS-AES256-GCM-SHA384:"
+- "DHE-RSA-AES256-GCM-SHA384:"
+- "DHE-RSA-AES256-SHA256:"
+- "DHE-DSS-AES256-SHA256:"
+- "DHE-RSA-AES256-SHA:"
+- "DHE-DSS-AES256-SHA:"
+- "DHE-RSA-CAMELLIA256-SHA:"
+- "DHE-DSS-CAMELLIA256-SHA:"
+- "AECDH-AES256-SHA:"
+- "ADH-AES256-GCM-SHA384:"
+- "ADH-AES256-SHA256:"
+- "ADH-AES256-SHA:"
+- "ADH-CAMELLIA256-SHA:"
+- "ECDH-RSA-AES256-GCM-SHA384:"
+- "ECDH-ECDSA-AES256-GCM-SHA384:"
+- "ECDH-RSA-AES256-SHA384:"
+- "ECDH-ECDSA-AES256-SHA384:"
+- "ECDH-RSA-AES256-SHA:"
+- "ECDH-ECDSA-AES256-SHA:"
+- "AES256-GCM-SHA384:"
+- "AES256-SHA256:"
+- "AES256-SHA:"
+- "CAMELLIA256-SHA:"
+- "ECDHE-RSA-AES128-GCM-SHA256:"
+- "ECDHE-ECDSA-AES128-GCM-SHA256:"
+- "ECDHE-RSA-AES128-SHA256:"
+- "ECDHE-ECDSA-AES128-SHA256:"
+- "ECDHE-RSA-AES128-SHA:"
+- "ECDHE-ECDSA-AES128-SHA:"
+- "DHE-DSS-AES128-GCM-SHA256:"
+- "DHE-RSA-AES128-GCM-SHA256:"
+- "DHE-RSA-AES128-SHA256:"
+- "DHE-DSS-AES128-SHA256:"
+- "DHE-RSA-AES128-SHA:"
+- "DHE-DSS-AES128-SHA:"
+- "DHE-RSA-CAMELLIA128-SHA:"
+- "DHE-DSS-CAMELLIA128-SHA:"
+- "AECDH-AES128-SHA:"
+- "ADH-AES128-GCM-SHA256:"
+- "ADH-AES128-SHA256:"
+- "ADH-AES128-SHA:"
+- "ADH-CAMELLIA128-SHA:"
+- "ECDH-RSA-AES128-GCM-SHA256:"
+- "ECDH-ECDSA-AES128-GCM-SHA256:"
+- "ECDH-RSA-AES128-SHA256:"
+- "ECDH-ECDSA-AES128-SHA256:"
+- "ECDH-RSA-AES128-SHA:"
+- "ECDH-ECDSA-AES128-SHA:"
+- "AES128-GCM-SHA256:"
+- "AES128-SHA256:"
+- "AES128-SHA:"
+- "CAMELLIA128-SHA"; /* no colon for last entry */
+-
+ /* TBD: do automake substitutions etc. (ick) to set these. */
+ #if !defined(DEFAULT_ETC_SSL)
+ # ifdef GF_LINUX_HOST_OS
+ # define DEFAULT_ETC_SSL "/etc/ssl"
+@@ -131,8 +70,9 @@
+ # if !defined(DEFAULT_ETC_SSL)
+ # define DEFAULT_ETC_SSL "/etc/ssl"
+ # endif
+ #endif
++
+ #if !defined(DEFAULT_CERT_PATH)
+ #define DEFAULT_CERT_PATH DEFAULT_ETC_SSL "/glusterfs.pem"
+ #endif
+ #if !defined(DEFAULT_KEY_PATH)
+@@ -140,8 +80,14 @@
+ #endif
+ #if !defined(DEFAULT_CA_PATH)
+ #define DEFAULT_CA_PATH DEFAULT_ETC_SSL "/glusterfs.ca"
+ #endif
++#if !defined(DEFAULT_VERIFY_DEPTH)
++#define DEFAULT_VERIFY_DEPTH 1
++#endif
++#define DEFAULT_CIPHER_LIST "EECDH:EDH:HIGH:!3DES:!RC4:!DES:!MD5:!aNULL:!eNULL"
++#define DEFAULT_DH_PARAM DEFAULT_ETC_SSL "/dhparam.pem"
++#define DEFAULT_EC_CURVE "prime256v1"
+
+ #define POLL_MASK_INPUT (POLLIN | POLLPRI)
+ #define POLL_MASK_OUTPUT (POLLOUT)
+ #define POLL_MASK_ERROR (POLLERR | POLLHUP | POLLNVAL)
+@@ -3778,11 +3724,13 @@
+ uint32_t keepalive = 0;
+ uint32_t timeout = 0;
+ uint32_t backlog = 0;
+ int session_id = 0;
+- int32_t cert_depth = 1;
+- char *cipher_list = default_cipher_list;
+- int ret;
++ int32_t cert_depth = DEFAULT_VERIFY_DEPTH;
++ char *cipher_list = DEFAULT_CIPHER_LIST;
++ char *dh_param = DEFAULT_DH_PARAM;
++ char *ec_curve = DEFAULT_EC_CURVE;
++ char *crl_path = NULL;
+
+ if (this->private) {
+ gf_log_callingfn (this->name, GF_LOG_ERROR,
+ "double init attempted");
+@@ -3962,8 +3910,20 @@
+ priv->ssl_ca_list = optstr;
+ }
+ priv->ssl_ca_list = gf_strdup(priv->ssl_ca_list);
+
++ if (dict_get_str(this->options,SSL_CRL_PATH_OPT,&optstr) == 0) {
++ if (!priv->ssl_enabled) {
++ gf_log(this->name,GF_LOG_WARNING,
++ "%s specified without %s (ignored)",
++ SSL_CRL_PATH_OPT, SSL_ENABLED_OPT);
++ }
++ if (strcasecmp(optstr, "NULL") == 0)
++ crl_path = NULL;
++ else
++ crl_path = optstr;
++ }
++
+ gf_log(this->name, priv->ssl_enabled ? GF_LOG_INFO: GF_LOG_DEBUG,
+ "SSL support on the I/O path is %s",
+ priv->ssl_enabled ? "ENABLED" : "NOT enabled");
+ gf_log(this->name, priv->mgmt_ssl ? GF_LOG_INFO: GF_LOG_DEBUG,
+@@ -3986,18 +3946,28 @@
+ gf_log(this->name, priv->own_thread ? GF_LOG_INFO: GF_LOG_DEBUG,
+ "using %s polling thread",
+ priv->own_thread ? "private" : "system");
+
+- if (!dict_get_int32 (this->options, "ssl-cert-depth", &cert_depth)) {
++ if (!dict_get_int32 (this->options, SSL_CERT_DEPTH_OPT, &cert_depth)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using certificate depth %d", cert_depth);
+ }
+- if (!dict_get_str (this->options, "ssl-cipher-list", &cipher_list)) {
++ if (!dict_get_str (this->options, SSL_CIPHER_LIST_OPT, &cipher_list)) {
+ gf_log (this->name, GF_LOG_INFO,
+ "using cipher list %s", cipher_list);
+ }
++ if (!dict_get_str (this->options, SSL_DH_PARAM_OPT, &dh_param)) {
++ gf_log (this->name, GF_LOG_INFO,
++ "using DH parameters %s", dh_param);
++ }
++ if (!dict_get_str (this->options, SSL_EC_CURVE_OPT, &ec_curve)) {
++ gf_log (this->name, GF_LOG_INFO,
++ "using EC curve %s", ec_curve);
++ }
+
+ if (priv->ssl_enabled || priv->mgmt_ssl) {
++ BIO *bio = NULL;
++
+ /*
+ * The right time to check this is after all of our relevant
+ * fields have been set, but before we start issuing OpenSSL
+ * calls for the current translator. In other words, now.
+@@ -4010,20 +3980,96 @@
+ }
+
+ #if HAVE_TLSV1_2_METHOD
+ priv->ssl_meth = (SSL_METHOD *)TLSv1_2_method();
+-#else /* old openssl */
+-#warning TLSv1.2 is not available, using insecure TLSv1 support
+- priv->ssl_meth = (SSL_METHOD *)TLSv1_method();
++#else
++/*
++ * Nobody should use an OpenSSL so old it does not support TLS 1.2.
++ * If that is really required, build with -DUSE_INSECURE_OPENSSL
++ */
++#ifndef USE_INSECURE_OPENSSL
++#error Old and insecure OpenSSL, use -DUSE_INSECURE_OPENSSL to use it anyway
++#endif
++ /* SSLv23_method uses highest available protocol */
++ priv->ssl_meth = (SSL_METHOD *)SSLv23_method();
+ #endif
+ priv->ssl_ctx = SSL_CTX_new(priv->ssl_meth);
+
++ SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_SSLv2);
++ SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_TICKET);
++ SSL_CTX_set_options(priv->ssl_ctx, SSL_OP_NO_COMPRESSION);
++
++ if ((bio = BIO_new_file(dh_param, "r")) == NULL) {
++ gf_log(this->name,GF_LOG_ERROR,
++ "failed to open %s, "
++ "DH ciphers are disabled", dh_param);
++ }
++
++ if (bio != NULL) {
++#ifdef ERR_R_DH_LIB
++ DH *dh;
++ unsigned long err;
++
++ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
++ BIO_free(bio);
++ if (dh != NULL) {
++ SSL_CTX_set_options(priv->ssl_ctx,
++ SSL_OP_SINGLE_DH_USE);
++ SSL_CTX_set_tmp_dh(priv->ssl_ctx, dh);
++ DH_free(dh);
++ } else {
++ err = ERR_get_error();
++ gf_log(this->name,GF_LOG_ERROR,
++ "failed to read DH param from %s: %s "
++ "DH ciphers are disabled.",
++ dh_param, ERR_error_string(err, NULL));
++ }
++#else /* ERR_R_DH_LIB */
++ BIO_free(bio);
++ gf_log(this->name, GF_LOG_ERROR,
++ "OpenSSL has no DH support");
++#endif /* ERR_R_DH_LIB */
++ }
++
++ if (ec_curve != NULL) {
++#ifdef ERR_R_ECDH_LIB
++ EC_KEY *ecdh = NULL;
++ int nid;
++ unsigned long err;
++
++ nid = OBJ_sn2nid(ec_curve);
++ if (nid != 0)
++ ecdh = EC_KEY_new_by_curve_name(nid);
++
++ if (ecdh != NULL) {
++ SSL_CTX_set_options(priv->ssl_ctx,
++ SSL_OP_SINGLE_ECDH_USE);
++ SSL_CTX_set_tmp_ecdh(priv->ssl_ctx, ecdh);
++ EC_KEY_free(ecdh);
++ } else {
++ err = ERR_get_error();
++ gf_log(this->name, GF_LOG_ERROR,
++ "failed to load EC curve %s: %s. "
++ "ECDH ciphers are disabled.",
++ ec_curve, ERR_error_string(err, NULL));
++ }
++#else /* ERR_R_ECDH_LIB */
++ gf_log(this->name, GF_LOG_ERROR,
++ "OpenSSL has no ECDH support");
++#endif /* ERR_R_ECDH_LIB */
++ }
++
++ /* This must be done after DH and ECDH setups */
+ if (SSL_CTX_set_cipher_list(priv->ssl_ctx, cipher_list) == 0) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "failed to find any valid ciphers");
+ goto err;
+ }
+
++ SSL_CTX_set_options(priv->ssl_ctx,
++ SSL_OP_CIPHER_SERVER_PREFERENCE);
++
+ if (!SSL_CTX_use_certificate_chain_file(priv->ssl_ctx,
+ priv->ssl_own_cert)) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not load our cert");
+@@ -4038,9 +4084,10 @@
+ goto err;
+ }
+
+ if (!SSL_CTX_load_verify_locations(priv->ssl_ctx,
+- priv->ssl_ca_list,0)) {
++ priv->ssl_ca_list,
++ crl_path)) {
+ gf_log(this->name,GF_LOG_ERROR,
+ "could not load CA list");
+ goto err;
+ }
+@@ -4048,8 +4095,21 @@
+ #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+ SSL_CTX_set_verify_depth(ctx,cert_depth);
+ #endif
+
++ if (crl_path) {
++#ifdef X509_V_FLAG_CRL_CHECK_ALL
++ X509_STORE *x509store;
++
++ x509store = SSL_CTX_get_cert_store(priv->ssl_ctx);
++ X509_STORE_set_flags(x509store,
++ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
++#else
++ gf_log(this->name,GF_LOG_ERROR,
++ "OpenSSL version does not support CRL");
++#endif
++ }
++
+ priv->ssl_session_id = ++session_id;
+ SSL_CTX_set_session_id_context(priv->ssl_ctx,
+ (void *)&priv->ssl_session_id,
+ sizeof(priv->ssl_session_id));
+@@ -4201,21 +4261,61 @@
+ },
+ { .key = {SSL_CA_LIST_OPT},
+ .type = GF_OPTION_TYPE_STR
+ },
++ { .key = {SSL_CERT_DEPTH_OPT},
++ .type = GF_OPTION_TYPE_STR
++ },
++ { .key = {SSL_CIPHER_LIST_OPT},
++ .type = GF_OPTION_TYPE_STR
++ },
++ { .key = {SSL_DH_PARAM_OPT},
++ .type = GF_OPTION_TYPE_STR
++ },
++ { .key = {SSL_EC_CURVE_OPT},
++ .type = GF_OPTION_TYPE_STR
++ },
++ { .key = {SSL_CRL_PATH_OPT},
++ .type = GF_OPTION_TYPE_STR
++ },
+ { .key = {OWN_THREAD_OPT},
+ .type = GF_OPTION_TYPE_BOOL
+ },
+- { .key = {"ssl-cert-depth"},
+- .type = GF_OPTION_TYPE_INT,
++ { .key = {"ssl-own-cert"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "SSL certificate. Ignored if SSL is not enabled."
++ },
++ { .key = {"ssl-private-key"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "SSL private key. Ignored if SSL is not enabled."
++ },
++ { .key = {"ssl-ca-list"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "SSL CA list. Ignored if SSL is not enabled."
++ },
++ { .key = {"ssl-cert-depth"},
++ .type = GF_OPTION_TYPE_INT,
+ .description = "Maximum certificate-chain depth. If zero, the "
+ "peer's certificate itself must be in the local "
+ "certificate list. Otherwise, there may be up to N "
+ "signing certificates between the peer's and the "
+ "local list. Ignored if SSL is not enabled."
+ },
+- { .key = {"ssl-cipher-list"},
+- .type = GF_OPTION_TYPE_STR,
+- .description = "Allowed SSL ciphers Ignored if SSL is not enabled."
++ { .key = {"ssl-cipher-list"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "Allowed SSL ciphers. Ignored if SSL is not enabled."
++ },
++ { .key = {"ssl-dh-param"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "DH parameters file. Ignored if SSL is not enabled."
++ },
++ { .key = {"ssl-ec-curve"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "ECDH curve name. Ignored if SSL is not enabled."
++ },
++ { .key = {"ssl-crl-path"},
++ .type = GF_OPTION_TYPE_STR,
++ .description = "Path to directory containing CRL. "
++ "Ignored if SSL is not enabled."
+ },
+ { .key = {NULL} }
+ };
+--- ./rpc/rpc-transport/socket/src/socket.h.orig 2015-07-28 08:28:30.000000000 +0200
++++ ./rpc/rpc-transport/socket/src/socket.h 2015-07-28 10:36:56.000000000 +0200
+@@ -12,8 +12,15 @@
+ #define _SOCKET_H
+
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
++#ifdef ERR_R_DH_LIB
++#include <openssl/dh.h>
++#endif
++#ifdef ERR_R_ECDH_LIB
++#include <openssl/objects.h>
++#include <openssl/ecdh.h>
++#endif
+
+ #ifndef _CONFIG_H
+ #define _CONFIG_H
+ #include "config.h"
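Review bot: The new include guards test `ERR_R_DH_LIB` and `ERR_R_ECDH_LIB`, which are error-library reason codes from openssl/err.h and are defined regardless of whether DH or EC support was compiled into the library, so they do not actually track feature availability. The build-configuration macros meant for this are `OPENSSL_NO_DH` and `OPENSSL_NO_EC` (from opensslconf.h, already pulled in via ssl.h), i.e. `#ifndef OPENSSL_NO_DH` and `#ifndef OPENSSL_NO_EC` around the respective includes. If the DH/ECDH setup code in socket.c uses the same guards, those sites presumably need the same change; only the header hunk is visible here.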
+--- ./tests/features/openssl.cnf.in.orig 2015-07-28 10:36:56.000000000 +0200
++++ ./tests/features/openssl.cnf.in 2015-07-28 10:36:56.000000000 +0200
+@@ -0,0 +1,41 @@
++[ req ]
++distinguished_name = req_distinguished_name
++x509_extensions = v3_ca
++[ req_distinguished_name ]
++commonName = Common Name
++commonName_max = 64
++[ v3_ca ]
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always,issuer:always
++basicConstraints = CA:true
++[ ca ]
++default_ca = CA_default
++[ CA_default ]
++dir = @TMPDIR@
++certs = $dir/certs
++crl_dir = $dir/crl
++database = $dir/index.txt
++unique_subjecta = no
++new_certs_dir = $dir/newcerts
++certificate = $dir/ca.crt
++serial = $dir/serial
++crl = $dir/crl.pem
++private_key = $dir/self.key
++x509_extensions = usr_cert
++name_opt = ca_default
++cert_opt = ca_default
++default_days = 365
++default_crl_days = 30
++crl_extensions = crl_ext
++default_md = sha256
++preserve = no
++policy = policy_test
++[ policy_test ]
++commonName = supplied
++[ usr_cert ]
++basicConstraints = CA:FALSE
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid,issuer:always
++crlDistributionPoints = URI:file://@TMPDIR@/crl.pem
++[ crl_ext ]
++authorityKeyIdentifier = keyid:always,issuer:always
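Review bot: `unique_subjecta = no` in the `[ CA_default ]` section misspells `unique_subject`; `openssl ca` ignores keys it does not recognise, so the directive has no effect and the default (unique subjects enforced) applies. The fixture currently issues only one certificate per CN, so this passes by accident, but any future test that re-issues a certificate for the same CN after revocation would be refused by the CA. Separately, `private_key = $dir/self.key` makes the CA sign with the same key the server certificate is issued for; that is fine for a throwaway fixture but deserves a comment such as `# test fixture: CA and server deliberately share self.key` so nobody copies the layout into a real deployment.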
+--- ./tests/features/dh1024.pem.orig 2015-07-28 10:36:56.000000000 +0200
++++ ./tests/features/dh1024.pem 2015-07-28 10:36:56.000000000 +0200
+@@ -0,0 +1,5 @@
++-----BEGIN DH PARAMETERS-----
++MIGHAoGBAL2k+efZ6g50PpL41G96IaRw2OTH921yhHMNSXBE/K+R6oTkJFcNJs1N
++q+a1Ko2xCBDa5MgvudqWep6PvE06rzEaJPW8ITdu8j3Eo9T1rorJ3CctpE/CaRl2
++7v4DNe+Mho6q1MPlG5PfXEZWgbT7tjn/Y6lwD/B2CoMzAx+4DXgbAgEC
++-----END DH PARAMETERS-----
+--- ./tests/features/ssl-ciphers.t.orig 2015-07-28 10:36:56.000000000 +0200
++++ ./tests/features/ssl-ciphers.t 2015-07-28 10:36:56.000000000 +0200
+@@ -0,0 +1,204 @@
++#!/bin/bash
++
++. $(dirname $0)/../include.rc
++. $(dirname $0)/../volume.rc
++
++brick_port() {
++ $CLI volume status $1 | awk '
++ ($3 == "") { p = $0; next; }
++ { $0 = p $0; p = ""; }
++ /^Brick/ { print $3; }
++ '
++}
++
++wait_mount() {
++ i=1
++ while [ $i -lt $CONFIG_UPDATE_TIMEOUT ] ; do
++ sleep 1
++ i=$(( $i + 1 ))
++ mounted=`mount|awk -v m=$1 '
++ BEGIN {r = "N";}
++ ($3 == m) {r = "Y"; exit;}
++ END {print r;}
++ '`
++ if [ "x${mounted}" = "xY" ] ; then
++ ls $M0 2>/dev/null || continue
++ break;
++ fi
++ done
++
++ if [ "x${mounted}" = "xY" ] ; then
++ ls $M0 2>/dev/null || mounted="N"
++ fi
++
++ echo $mounted
++}
++
++openssl_connect() {
++ ssl_opt="-verify 3 -verify_return_error -CAfile $SSL_CA"
++ ssl_opt="$ssl_opt -crl_check_all -CApath $TMPDIR"
++ CIPHER=`echo "" |
++ openssl s_client $ssl_opt $@ 2>/dev/null |
++ awk '/^ Cipher/{print $3}'`
++ if [ "x${CIPHER}" = "x" -o "x${CIPHER}" = "x0000" ] ; then
++ echo "N"
++ else
++ echo "Y"
++ fi
++}
++
++cleanup;
++mkdir -p $B0
++mkdir -p $M0
++
++TMPDIR=`mktemp -d /tmp/${0##*/}.XXXXXX`
++TEST test -d $TMPDIR
++
++SSL_KEY=$TMPDIR/self.key
++SSL_CSR=$TMPDIR/self.csr
++SSL_CERT=$TMPDIR/self.crt
++SSL_CA=$TMPDIR/ca.crt
++SSL_CFG=$TMPDIR/openssl.cnf
++SSL_CRL=$TMPDIR/crl.pem
++
++sed "s|@TMPDIR@|${TMPDIR}|" `pwd`/`dirname $0`/openssl.cnf.in > $SSL_CFG
++
++TEST glusterd
++TEST pidof glusterd
++TEST $CLI volume info;
++
++TEST openssl genrsa -out $SSL_KEY 1024 2>/dev/null
++TEST openssl req -config $SSL_CFG -new -key $SSL_KEY -x509 \
++ -subj /CN=CA -out $SSL_CA
++TEST openssl req -config $SSL_CFG -new -key $SSL_KEY \
++ -subj /CN=$H0 -out $SSL_CSR
++
++echo "01" > $TMPDIR/serial
++TEST touch $TMPDIR/index.txt $TMPDIR/index.txx.attr
++TEST mkdir -p $TMPDIR/certs $TMPDIR/newcerts $TMPDIR/crl
++TEST openssl ca -batch -config $SSL_CFG -in $SSL_CSR -out $SSL_CERT 2>&1
++
++touch $SSL_CRL
++CRLHASH=`openssl x509 -hash -fingerprint -noout -in $SSL_CA|sed -n '1s/$/.r0/p'`
++ln -sf $SSL_CRL $TMPDIR/$CRLHASH
++TEST openssl ca -config $SSL_CFG -gencrl -out $SSL_CRL 2>&1
++
++
++TEST $CLI volume create $V0 $H0:$B0/1
++TEST $CLI volume set $V0 server.ssl on
++TEST $CLI volume set $V0 client.ssl on
++TEST $CLI volume set $V0 ssl.private-key $SSL_KEY
++TEST $CLI volume set $V0 ssl.own-cert $SSL_CERT
++TEST $CLI volume set $V0 ssl.ca-list $SSL_CA
++TEST $CLI volume start $V0
++EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
++
++BRICK_PORT=`brick_port $V0`
++
++# Test we can connect
++EXPECT "Y" openssl_connect -connect $H0:$BRICK_PORT
++
++# Test SSLv2 protocol fails
++EXPECT "N" openssl_connect -ssl2 -connect $H0:$BRICK_PORT
++
++# Test SSLv3 protocol fails
++EXPECT "N" openssl_connect -ssl3 -connect $H0:$BRICK_PORT
++
++# Test TLSv1 protocol fails
++EXPECT "N" openssl_connect -tls1 -connect $H0:$BRICK_PORT
++
++# Test a HIGH CBC cipher
++EXPECT "Y" openssl_connect -cipher AES256-SHA -connect $H0:$BRICK_PORT
++
++# Test EECDH
++EXPECT "Y" openssl_connect -cipher EECDH -connect $H0:$BRICK_PORT
++
++# test MD5 fails
++EXPECT "N" openssl_connect -cipher DES-CBC3-MD5 -connect $H0:$BRICK_PORT
++
++# test RC4 fails
++EXPECT "N" openssl_connect -cipher RC4-SHA -connect $H0:$BRICK_PORT
++
++# test eNULL fails
++EXPECT "N" openssl_connect -cipher NULL-SHA256 -connect $H0:$BRICK_PORT
++
++# test SHA2
++EXPECT "Y" openssl_connect -cipher AES256-SHA256 -connect $H0:$BRICK_PORT
++
++# test GCM
++EXPECT "Y" openssl_connect -cipher AES256-GCM-SHA384 -connect $H0:$BRICK_PORT
++
++# Test DH fails without DH params
++EXPECT "N" openssl_connect -cipher EDH -connect $H0:$BRICK_PORT
++
++# Test DH with DH params
++TEST $CLI volume set $V0 ssl.dh-param `pwd`/`dirname $0`/dh1024.pem
++EXPECT "`pwd`/`dirname $0`/dh1024.pem" volume_option $V0 ssl.dh-param
++TEST $CLI volume stop $V0
++TEST $CLI volume start $V0
++EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
++EXPECT "Y" openssl_connect -cipher EDH -connect $H0:$BRICK_PORT
++
++# Test the cipher-list option
++TEST $CLI volume set $V0 ssl.cipher-list AES256-SHA
++EXPECT AES256-SHA volume_option $V0 ssl.cipher-list
++TEST $CLI volume stop $V0
++TEST $CLI volume start $V0
++EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
++EXPECT "Y" openssl_connect -cipher AES256-SHA -connect $H0:$BRICK_PORT
++EXPECT "N" openssl_connect -cipher AES128-SHA -connect $H0:$BRICK_PORT
++
++# Test the ec-curve option
++TEST $CLI volume set $V0 ssl.cipher-list EECDH:EDH:!TLSv1
++EXPECT EECDH:EDH:!TLSv1 volume_option $V0 ssl.cipher-list
++TEST $CLI volume stop $V0
++TEST $CLI volume start $V0
++EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
++EXPECT "N" openssl_connect -cipher AES256-SHA -connect $H0:$BRICK_PORT
++EXPECT "Y" openssl_connect -cipher EECDH -connect $H0:$BRICK_PORT
++
++TEST $CLI volume set $V0 ssl.ec-curve invalid
++EXPECT invalid volume_option $V0 ssl.ec-curve
++TEST $CLI volume stop $V0
++TEST $CLI volume start $V0
++EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
++EXPECT "N" openssl_connect -cipher EECDH -connect $H0:$BRICK_PORT
++
++TEST $CLI volume set $V0 ssl.ec-curve secp521r1
++EXPECT secp521r1 volume_option $V0 ssl.ec-curve
++TEST $CLI volume stop $V0
++TEST $CLI volume start $V0
++EXPECT_WITHIN $CHILD_UP_TIMEOUT "1" online_brick_count
++EXPECT "Y" openssl_connect -cipher EECDH -connect $H0:$BRICK_PORT
++
++# test revocation
++# no need to restart the volume since the options are used
++# by the client here.
++TEST $CLI volume set $V0 ssl.crl-path $TMPDIR
++EXPECT $TMPDIR volume_option $V0 ssl.crl-path
++$GFS --volfile-id=$V0 --volfile-server=$H0 $M0
++EXPECT "Y" wait_mount $M0
++TEST_FILE=`mktemp $M0/${0##*/}.XXXXXX`
++TEST test -f $TEST_FILE
++EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
++
++TEST openssl ca -batch -config $SSL_CFG -revoke $SSL_CERT 2>&1
++TEST openssl ca -config $SSL_CFG -gencrl -out $SSL_CRL 2>&1
++
++# Failed once revoked
++$GFS --volfile-id=$V0 --volfile-server=$H0 $M0
++EXPECT "N" wait_mount $M0
++TEST ! test -f $TEST_FILE
++EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
++
++# Succeed with CRL disabled
++TEST $CLI volume set $V0 ssl.crl-path NULL
++EXPECT NULL volume_option $V0 ssl.crl-path
++$GFS --volfile-id=$V0 --volfile-server=$H0 $M0
++EXPECT "Y" wait_mount $M0
++TEST test -f $TEST_FILE
++
++EXPECT_WITHIN $UMOUNT_TIMEOUT "Y" force_umount $M0
++
++rm -rf $TMPDIR
++cleanup;
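Review bot: The negative checks (`-ssl2`, `-ssl3`, `-tls1` and every `EXPECT "N"` cipher line) pass vacuously whenever openssl_connect fails for any reason, because openssl_connect maps every failure — including an s_client that rejects an unknown option such as `-ssl2` on an OpenSSL built without SSLv2 — to "N"; checking s_client's exit status or stderr separately would distinguish a handshake the server refused from a client option that could not be exercised. Two smaller items: `TEST touch $TMPDIR/index.txt $TMPDIR/index.txx.attr` misspells the `index.txt.attr` database attribute file (openssl ca tolerates its absence, so the test still runs, but the touch does nothing useful), and the comment `# Test the ec-curve option` sits above the `ssl.cipher-list EECDH:EDH:!TLSv1` block rather than the ec-curve tests that follow it. The fixture also generates a 1024-bit RSA key shared by the CA and the server; a short comment stating this is a deliberate test-only shortcut would keep it from being read as a recommended configuration.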