Commit Graph

27 Commits

Author SHA1 Message Date
Steve Atherton 507c1f11e3 Add .log() to bare TraceEvent() invocations without any .detail()s to avoid clang-tidy warning about immediate destruction of object without use. 2021-07-26 19:55:10 -07:00
FDB Formatster df90cc89de apply clang-format to *.c, *.cpp, *.h, *.hpp files 2021-03-10 10:18:07 -08:00
sfc-gh-tclinkenbeard f8934664ee s/NULL/nullptr in FDBLibTLS 2020-12-08 09:09:31 -08:00
Balachandar Namasivayam 741aa523e6 Establishing TLS connection through the handshake process is expensive and the fdbserver process can get easily saturated with doing repeated TLS handshakes with only a few hundreds of clients have bad certificate. Hence throttle the number of handshakes done on the server per client ip if it has a bad certificate. 2020-01-10 16:19:41 -08:00
A.J. Beamon d29c7e4c9b Merge branch 'release-6.1' into merge-release-6.1-into-master
# Conflicts:
#	documentation/sphinx/source/release-notes.rst
#	fdbserver/QuietDatabase.actor.cpp
#	versions.target
2019-05-23 09:28:45 -07:00
A.J. Beamon d3c1f9afbd Suppress 'TraceEventFieldNotFound' event. Don't suppress simultaneous FDBLibTLSVerifyFailure events (this requires including flow.h and removing the copied version of Reference/ReferenceCounted in FDBLibTLS). 2019-05-20 15:12:28 -07:00
Evan Tschannen f4fbaac6b0 Merge branch 'release-6.1'
# Conflicts:
#	documentation/sphinx/source/release-notes.rst
#	versions.target
2019-05-19 10:27:59 -07:00
A.J. Beamon 8077a428c0 Fix invalid trace suppression 2019-05-16 09:30:34 -07:00
Evan Tschannen 8c3516951a Merge branch 'release-6.1'
# Conflicts:
#	documentation/sphinx/source/release-notes.rst
#	versions.target
2019-05-12 20:13:49 -07:00
A.J. Beamon c328b15d36 TLS was creating trace events with invalid types (containing spaces). 2019-05-10 14:51:20 -07:00
Andrew Noyes 6207d724f8 Fix all -Wunused-variable warnings 2019-04-15 18:13:00 -07:00
Evan Tschannen 4b5d0b4e2c Merge branch 'release-6.0'
# Conflicts:
#	documentation/sphinx/source/release-notes.rst
#	fdbclient/AsyncFileBlobStore.actor.cpp
#	fdbclient/AsyncFileBlobStore.actor.h
#	fdbclient/BlobStore.actor.cpp
#	fdbclient/BlobStore.h
#	fdbclient/HTTP.actor.cpp
#	fdbclient/ManagementAPI.actor.cpp
#	fdbclient/NativeAPI.actor.cpp
#	fdbrpc/LoadBalance.actor.h
#	fdbrpc/batcher.actor.h
#	fdbrpc/fdbrpc.vcxproj
#	fdbrpc/sim2.actor.cpp
#	fdbserver/DataDistribution.actor.cpp
#	fdbserver/DataDistributionTracker.actor.cpp
#	fdbserver/SimulatedCluster.actor.cpp
#	fdbserver/TLogServer.actor.cpp
#	fdbserver/masterserver.actor.cpp
2018-11-10 13:04:24 -08:00
Evan Tschannen fb9d05a4e2 suppressed a spammy trace event 2018-11-07 21:05:49 -08:00
Alex Miller 7cd73468f1 Fix FDBLibTLS to specify includes from the root. 2018-10-19 18:56:36 -07:00
Alex Miller 896bde4a48 Fix fdbserver segfaulting if a mismatched certificate and key set.
This turned out to be a simple typo of two similar variables.  fdbserver
will still die as a result of this error, but it will die gracefully and
print out a slightly helpful error message.
2018-08-09 14:50:55 -07:00
Evan Tschannen 1c29275672 call all methods which could disable a trace event before it is initialized. In practice this means calling .error first, then .suppressFor, then all your details. 2018-08-01 14:30:57 -07:00
Alvin Moore bbee12f372 Moved includes to source files 2018-07-12 17:34:08 -07:00
Alvin Moore 6e4265fcc7 Changed logging to call TraceEvent directly 2018-07-12 13:24:40 -07:00
Alvin Moore a034acf3bd Replaced separate TLS Log function with FDB TraceEvent logger 2018-07-11 18:41:46 -07:00
Alex Miller 29f560bafe Fix a warning-turned-error about not returning from an unreachable point. 2018-07-02 14:31:06 -07:00
Alex Miller 44694607e8 Fix Subject Alternative Name matching and add test cases.
The previous change was done in the optimistic hope that NID_subject_alt_name
could be handled in the same fashion as all the rest of the attributes we match
against.  However, X509 is not a place for optimisim.  Instead, it turns out
that the Subject Alternative Name is an X509v3 extension, and needs to be
handled separately.

Therefore, this change...

* Introduces the idea of Criteria matching against a location in the
  certificate, and not just against the entirety of the certificate.
* Extracts the Subject Alternative Name extension, and allows iteration and
  matching against its components.
* Extends our constraint language to sensibly match against SubjectAlternativeNames.

The `S.subjectAltName` syntax has been kept, but the value is now required to
provide what type of field the rest of the value is intended to match against.
The code currently supports DNS, EMAIL, URI, and IP.  Prefix and suffix
matching is supported.

Both verify-test and plugin-test were updated to cover Subject Alternative Name
matching.  I've additionally run plugin-test under valgrind to verify that I've
understood object lifetimes correctly.
2018-06-29 17:17:58 -07:00
Alex Miller 70d078021f Implement prefix and suffix matching for TLS certificate verification.
This extends our language for specifying verification rules from, e.g.

    S.O=XYZCorp

to also include two more operators

    S.O>=XYZ  # Prefix
    S.O<=Corp # Suffix

both of which would match against an Organization of XYZCorp (among others).
2018-06-27 18:11:07 -07:00
A.J. Beamon 026458baf3 Merge release-5.2 into master 2018-05-23 15:32:56 -07:00
Balachandar Namasivayam f71e13fa4d TLS Plugin Changes. 2018-05-08 16:27:21 -07:00
Alec Grieser 55e0b2f399
change file name within comment to be, like, the correct name 2018-04-19 10:19:50 -07:00
Alec Grieser fced3c61b3
fix headers of FDBLibTLS files 2018-04-19 10:11:55 -07:00
Alex Miller 53e8a84bef Import LibreSSL TLS Plugin.
This does not integrate it into the FoundationDB build system at all, though
the original Makefile exists and could be used to build this plugin.
2018-04-12 14:13:02 -07:00