Commit Graph

35 Commits

Author SHA1 Message Date
mpilman 7d17e5797a Fix dependency bug in FDBLibTLS 2019-02-07 15:37:04 -08:00
mpilman 00b25dcd08 Added missing boost dependency to FDBLibTLS 2019-02-07 15:37:04 -08:00
mpilman e45295a1f5 Added support for TLS 2019-02-07 15:37:04 -08:00
Evan Tschannen 4b5d0b4e2c Merge branch 'release-6.0'
# Conflicts:
#	documentation/sphinx/source/release-notes.rst
#	fdbclient/AsyncFileBlobStore.actor.cpp
#	fdbclient/AsyncFileBlobStore.actor.h
#	fdbclient/BlobStore.actor.cpp
#	fdbclient/BlobStore.h
#	fdbclient/HTTP.actor.cpp
#	fdbclient/ManagementAPI.actor.cpp
#	fdbclient/NativeAPI.actor.cpp
#	fdbrpc/LoadBalance.actor.h
#	fdbrpc/batcher.actor.h
#	fdbrpc/fdbrpc.vcxproj
#	fdbrpc/sim2.actor.cpp
#	fdbserver/DataDistribution.actor.cpp
#	fdbserver/DataDistributionTracker.actor.cpp
#	fdbserver/SimulatedCluster.actor.cpp
#	fdbserver/TLogServer.actor.cpp
#	fdbserver/masterserver.actor.cpp
2018-11-10 13:04:24 -08:00
Evan Tschannen fb9d05a4e2 suppressed a spammy trace event 2018-11-07 21:05:49 -08:00
Alex Miller e2fc1c9b95 Remove specifying non-root directory as a path to search for includes. 2018-10-19 18:56:45 -07:00
Alex Miller 7cd73468f1 Fix FDBLibTLS to specify includes from the root. 2018-10-19 18:56:36 -07:00
Alex Miller 896bde4a48 Fix fdbserver segfaulting if a mismatched certificate and key set.
This turned out to be a simple typo of two similar variables.  fdbserver
will still die as a result of this error, but it will die gracefully and
print out a slightly helpful error message.
2018-08-09 14:50:55 -07:00
Evan Tschannen 1c29275672 call all methods which could disable a trace event before it is initialized. In practice this means calling .error first, then .suppressFor, then all your details. 2018-08-01 14:30:57 -07:00
Alvin Moore bbee12f372 Moved includes to source files 2018-07-12 17:34:08 -07:00
Alvin Moore 6e4265fcc7 Changed logging to call TraceEvent directly 2018-07-12 13:24:40 -07:00
Alvin Moore a034acf3bd Replaced separate TLS Log function with FDB TraceEvent logger 2018-07-11 18:41:46 -07:00
Alex Miller 29f560bafe Fix a warning-turned-error about not returning from an unreachable point. 2018-07-02 14:31:06 -07:00
Alvin Moore c3f88dbfe1 Merge branch 'master' of github.com:apple/foundationdb into tls-static 2018-07-01 23:13:57 -07:00
Alex Miller 44694607e8 Fix Subject Alternative Name matching and add test cases.
The previous change was done in the optimistic hope that NID_subject_alt_name
could be handled in the same fashion as all the rest of the attributes we match
against.  However, X509 is not a place for optimisim.  Instead, it turns out
that the Subject Alternative Name is an X509v3 extension, and needs to be
handled separately.

Therefore, this change...

* Introduces the idea of Criteria matching against a location in the
  certificate, and not just against the entirety of the certificate.
* Extracts the Subject Alternative Name extension, and allows iteration and
  matching against its components.
* Extends our constraint language to sensibly match against SubjectAlternativeNames.

The `S.subjectAltName` syntax has been kept, but the value is now required to
provide what type of field the rest of the value is intended to match against.
The code currently supports DNS, EMAIL, URI, and IP.  Prefix and suffix
matching is supported.

Both verify-test and plugin-test were updated to cover Subject Alternative Name
matching.  I've additionally run plugin-test under valgrind to verify that I've
understood object lifetimes correctly.
2018-06-29 17:17:58 -07:00
Alex Miller 70d078021f Implement prefix and suffix matching for TLS certificate verification.
This extends our language for specifying verification rules from, e.g.

    S.O=XYZCorp

to also include two more operators

    S.O>=XYZ  # Prefix
    S.O<=Corp # Suffix

both of which would match against an Organization of XYZCorp (among others).
2018-06-27 18:11:07 -07:00
Alex Miller e39d2c702d Support Subject Alternative Name verification in TLS Plugin.
The TLS code understands three different things it can verify: the subject, the
issuer, and the root.  The existing code assumes that any attribute we can
verify against one of these is also verifyable against the others.

For Subject Alternative Name, this might not be true.  There exists both
Subject Alternative Name and Issuer Alternative Name.  This code change allows
one to write "I.subjectAltName=Foo", and we'll verifiy a Subject Alt Name
against the Issuer, which wouldn't be right.  Issuer Alternative Name isn't a
requested feature (yet?), so I'm punting on this problem.
2018-06-27 16:14:34 -07:00
Alvin Moore 65d8b38ae9 Changed generic plugin code to work as expected plugin code except for TLS use case
Defined TLS plugin name constant
Changed TLS plugin name to get_tls_plugin
Fixed link script
Removed compilation flags from info make target
2018-06-26 16:01:25 -07:00
Alvin Moore f8ce1de601 Added support for compiling TLS into binaries 2018-06-20 09:21:23 -07:00
Richard Low e0c72b31f4 Add UID and DC as additional subject fields for TLS peer validation 2018-06-19 13:42:18 -07:00
Evan Tschannen b071c5d81c fix: incorrect parsing logic 2018-06-11 15:56:22 -07:00
Evan Tschannen 69515e6b4d set_verify_peers now splits input based on the ‘|’ character 2018-06-11 15:52:04 -07:00
A.J. Beamon 026458baf3 Merge release-5.2 into master 2018-05-23 15:32:56 -07:00
Richard Low 84ed35b01f Only log TLS verify failures if all verification fails; log failures at SevInfo 2018-05-21 10:58:59 -07:00
Richard Low b6abd69596 Fix server/client cert check 2018-05-21 10:53:21 -07:00
Evan Tschannen d3450ce5b0
Merge pull request #343 from bnamasivayam/tls-plugin
Tls plugin
2018-05-09 16:35:53 -07:00
Balachandar Namasivayam 479dbf4c04 Addressed review comments.
Remove redundant FDBLibTLS/ITLSPlugin.h.
2018-05-09 16:16:09 -07:00
Balachandar Namasivayam 788e6acb32 Add FDBLibTLSVerify files to build system. 2018-05-08 16:45:57 -07:00
Balachandar Namasivayam f71e13fa4d TLS Plugin Changes. 2018-05-08 16:27:21 -07:00
Alvin Moore 05c1a887f2 Changed the name of the TLS artifact to fdb-libressl-plugin.so 2018-05-07 16:47:46 -07:00
Alec Grieser 55e0b2f399
change file name within comment to be, like, the correct name 2018-04-19 10:19:50 -07:00
Alec Grieser fced3c61b3
fix headers of FDBLibTLS files 2018-04-19 10:11:55 -07:00
Alex Miller 5efd9fe3c4 Integrate FDBLibTLS into the FoundationDB build system.
This includes...
 * A minimal vcxproj file to list all the source files required for the build.
   Some future Visual Studio user can come along and replace it with a real
   actual vcxproj file with all the other metadata that I didn't bother to copy.
 * A local.mk file to specify all the custom flags and libraries we need for
   the build/link of the TLS plugin.
 * Including the project in the list of all FDB sub-projects
 * Fixes `make clean` to wipe all of lib/, including libFDBLibTLS.so

And offers a target of `bin/FDBLibTLS.so` that can be built, and I have
verified that it works with simulation.

Note that this requires a build image that contains the previous Dockerfile changes.
2018-04-12 14:13:02 -07:00
Alex Miller 5c65584aac Explicitly export `get_plugin` from FDBLibTLS Plugin.
For some reason, on some platforms it ends up as a local symbol, even though we
point the linker at the symbol map to expose it.  Double-requesting its
exportation makes it appear, though there's possibly a better solution.
2018-04-12 14:13:02 -07:00
Alex Miller 53e8a84bef Import LibreSSL TLS Plugin.
This does not integrate it into the FoundationDB build system at all, though
the original Makefile exists and could be used to build this plugin.
2018-04-12 14:13:02 -07:00