2019-09-12 10:56:54 +03:00
/*
* Copyright ( c ) 2019 , Redis Labs
* All rights reserved .
*
* Redistribution and use in source and binary forms , with or without
* modification , are permitted provided that the following conditions are met :
*
* * Redistributions of source code must retain the above copyright notice ,
* this list of conditions and the following disclaimer .
* * Redistributions in binary form must reproduce the above copyright
* notice , this list of conditions and the following disclaimer in the
* documentation and / or other materials provided with the distribution .
* * Neither the name of Redis nor the names of its contributors may be used
* to endorse or promote products derived from this software without
* specific prior written permission .
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS " AS IS "
* AND ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING , BUT NOT LIMITED TO , THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED . IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT , INDIRECT , INCIDENTAL , SPECIAL , EXEMPLARY , OR
* CONSEQUENTIAL DAMAGES ( INCLUDING , BUT NOT LIMITED TO , PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES ; LOSS OF USE , DATA , OR PROFITS ; OR BUSINESS
* INTERRUPTION ) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY , WHETHER IN
* CONTRACT , STRICT LIABILITY , OR TORT ( INCLUDING NEGLIGENCE OR OTHERWISE )
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE , EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE .
*/
# include "server.h"
# include "connhelpers.h"
2019-08-11 16:07:53 +03:00
# include "adlist.h"
2020-05-24 19:57:16 -04:00
# include "aelocker.h"
# include <mutex>
2019-09-12 10:56:54 +03:00
# ifdef USE_OPENSSL
2020-12-07 12:30:12 +00:00
# include <openssl/conf.h>
2019-09-12 10:56:54 +03:00
# include <openssl/ssl.h>
# include <openssl/err.h>
# include <openssl/rand.h>
2020-10-11 17:11:42 +03:00
# include <openssl/pem.h>
2022-03-03 13:59:07 -05:00
# include <openssl/x509.h>
# include <openssl/x509v3.h>
# include <cstring>
2019-09-12 10:56:54 +03:00
2022-02-02 14:20:19 -05:00
# include <sys/stat.h>
2022-03-03 13:59:07 -05:00
# include <arpa/inet.h>
Merge main with oss release sep29 2022 (#521)
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* update packaging for OS merge
* update packaging for OS merge
* modify dockerfile to build within image
* modify dockerfile to build within image
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* Only run the tls-name-validation test if --tls is passed into runtest
* Only run the tls-name-validation test if --tls is passed into runtest
* Fix KeyDB not building with TLS < 1.1.1
* Fix KeyDB not building with TLS < 1.1.1
* update changelog to use replica as terminology
* update changelog to use replica as terminology
* update copyright
* update copyright
* update deb copyright
* update deb copyright
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* setup Machamp ci
* setup Machamp ci
* make build_test.sh executable
* make build_test.sh executable
* PSYNC production fixes
* PSYNC production fixes
* fix the Machamp build
* fix the Machamp build
* break into tests into steps
* break into tests into steps
* Added multimaster test
* Added multimaster test
* Update ci.yml
Change min tested version to 18.04
* Update ci.yml
Change min tested version to 18.04
* fork lock for all threads, use fastlock for readwritelock
* fork lock for all threads, use fastlock for readwritelock
* hide forklock object in ae
* hide forklock object in ae
* only need to include readwritelock in ae
* only need to include readwritelock in ae
* time thread lock uses fastlock instead of std::mutex
* time thread lock uses fastlock instead of std::mutex
* set thread as offline when waiting for time thread lock
* set thread as offline when waiting for time thread lock
* update README resource links
* update README resource links
* Fix MALLOC=memkind build issues
* Fix MALLOC=memkind build issues
* Fix module test break
* Fix module test break
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* remove unused var in networking.cpp
* remove unused var in networking.cpp
* check ziplist len to avoid crash on empty ziplist convert
* check ziplist len to avoid crash on empty ziplist convert
* remove nullptr subtraction
* remove nullptr subtraction
* cannot mod a pointer
* cannot mod a pointer
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* PSYNC production fixes
* PSYNC production fixes
* Ensure we are responsive during storagecache clears
* Ensure we are responsive during storagecache clears
* Ensure recreated tables use the same settings as ones made at boot
* Ensure recreated tables use the same settings as ones made at boot
* Converted some existing PSYNC tests for multimaster
* Converted some existing PSYNC tests for multimaster
* Inclusive language fix
* Inclusive language fix
* Cleanup test suite
* Cleanup test suite
* Updated test replica configs so tests make sense
* Updated test replica configs so tests make sense
* active-rep test reliability
* active-rep test reliability
* Quick fix to make psync tests work
* Quick fix to make psync tests work
* Fix PSYNC test crashes
* Fix PSYNC test crashes
* Ensure we force moves not copies when ingesting bulk insert files
* Ensure we force moves not copies when ingesting bulk insert files
* Disable async for hget commands as it is not ready
* Disable FLASH
* Fix crash in save of masterinfo
* Fix musl/Alpine build failures
* Remove unnecessary libs
* update readme
* update readme
* remove Enterprise references
* Limit max overage to 20% during RDB save
* Delete COPYING to replace with BSD license
* update deb master changelog
* Update license
* Fix Readme typo from github org transition
Replace mention of scratch-file-path with db-s3-object
* Fix reference counting failure in the dict. This is caused by std::swap also swapping refcounts
* Fix assertion in async rehash
* Prevent crash on shutdown by avoiding dtors (they are unnecessary anyways)
* Initialize noshrink, it was dangling
* Prevent us from starting a rehash when one wasn't already in progress. This can cause severe issues for snapshots
* Avoid unnecessary rehashing when a rehash is abandoned
* Dictionary use correct acquire/release semantics
* Add fence barriers for the repl backlog (important for AARCH64 and other weak memory models)
* Silence TSAN errors on ustime and mstime. Every CPU we support is atomic on aligned ints, but correctness matters
* Disable async commands by default
* Fix TSAN warnings on the repl backlog
* Merge OSS back into pro
* Fix unmerged files
* Fix O(n^2) algorithm in the GC cleanup logic
* Fix crash in expire when a snapshot is in flight. Caused by a perf optimization getting the expire map out of sync with the val
* On Alpine we must have a reasonable stack size
* Revert ci.yml to unstable branch version
* Implements the soft shutdown feature to allow clients to cooperatively disconnect preventing disruption during shutdown
* Ensure clean shutdown with multiple threads
* update dockerfiles
* update deb pkg references and changelog
* update gem reference
* lpGetInteger returns int64_t, avoid overflow (#10068)
Fix #9410
Crucial for the ms and sequence deltas, but I changed all
calls, just in case (e.g. "flags")
Before this commit:
`ms_delta` and `seq_delta` could have overflown, causing `currid` to be wrong,
which in turn would cause `streamTrim` to trim the entire rax node (see new test)
* Fix issue #454 (BSD build break)
* Do not allow commands to run in background when in eval, Issue #452
* Fix certificate leak during connection when tls-allowlists are used
* Fix issue #480
* Fix crash running INFO command while a disk based backlog is set
* check tracking per db
* fix warnings
* Fix a race when undoConnectWithMaster changes mi->repl_transfer_s but the connection is not yet closed and the event handler runs
* Fix a race in processChanges/trackChanges with rdbLoadRio by acquiring the lock when trackChanges is set
* Fix ASAN use after free
* Additional fixes
* Fix integer overflow of the track changes counter
* Fix P99 latency issue for TLS where we leave work for the next event loop
tlsProcessPendingData() needs to be called before we execute queued commands because it may enqueue more commands
* Fix race removing key cache
* Prevent crash on load in long running KeyDB instances
* Fixes a crash where the server assertion failed when the key exists in DB during RDB load
* Remove old assertion which is commented out.
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* src\redis-cli.c: fix potential null pointer dereference found by cppcheck
src\redis-cli.c:5488:35: warning: Either the condition
'!table' is redundant or there is possible null pointer dereference:
table. [nullPointerRedundantCheck]
* Fix Issue #486
* Workaround bug in snapshot sync - abort don't crash
* Improve reliability of async parts of the soft shutdown tests
* Improve reliability of fragmentation tests
* Verify that partial syncs do indeed occur
* Fix O(n) algorithm in INFO command
* Remove incorrect assert that fires when the repl backlog is used fully
* Make building flash optional
* Remove unneeded gitlab CI file
* [BUG] Moves key to another DB, the source key was removed if the move failed due to the key exists in the destination db #497 (#498)
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
* trigger repl_curr_off!= master_repl_offset assert failure when having pending write case
* use debug for logging the message instead
* rocksdb log using up the diskspace on flash (#519)
* Fix OpenSSL 3.0.x related issues. (#10291)
* Drop obsolete initialization calls.
* Use decoder API for DH parameters.
* Enable auto DH parameters if not explicitly used, which should be the
preferred configuration going forward.
* remove unnecessary forward declaration
* remove internal ci stuff
* remove more internal ci/publishing
* submodule update step
* use with syntax instead
* bump ci ubuntu old ver as latest is now 22.04
* include submodules on all ci jobs
* install all deps for all ci jobs
Co-authored-by: Vivek Saini <vsaini@snapchat.com>
Co-authored-by: Christian Legge <christian@eqalpha.com>
Co-authored-by: benschermel <bschermel@snapchat.com>
Co-authored-by: John Sully <john@csquare.ca>
Co-authored-by: zliang <zliang@snapchat.com>
Co-authored-by: malavan <malavan@eqalpha.com>
Co-authored-by: John Sully <jsully@snapchat.com>
Co-authored-by: jfinity <38383673+jfinity@users.noreply.github.com>
Co-authored-by: benschermel <43507366+benschermel@users.noreply.github.com>
Co-authored-by: guybe7 <guy.benoish@redislabs.com>
Co-authored-by: Karthick Ariyaratnam (A) <k00809413@china.huawei.com>
Co-authored-by: root <paul.chen1@huawei.com>
Co-authored-by: Ilya Shipitsin <chipitsine@gmail.com>
Co-authored-by: Paul Chen <32553156+paulmchen@users.noreply.github.com>
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
2022-12-14 12:17:36 -05:00
# if OPENSSL_VERSION_NUMBER >= 0x30000000L
# include <openssl/decoder.h>
# endif
2022-02-02 14:20:19 -05:00
2019-09-12 11:10:22 +03:00
# define REDIS_TLS_PROTO_TLSv1 (1<<0)
# define REDIS_TLS_PROTO_TLSv1_1 (1<<1)
# define REDIS_TLS_PROTO_TLSv1_2 (1<<2)
# define REDIS_TLS_PROTO_TLSv1_3 (1<<3)
/* Use safe defaults */
# ifdef TLS1_3_VERSION
# define REDIS_TLS_PROTO_DEFAULT (REDIS_TLS_PROTO_TLSv1_2|REDIS_TLS_PROTO_TLSv1_3)
# else
# define REDIS_TLS_PROTO_DEFAULT (REDIS_TLS_PROTO_TLSv1_2)
# endif
2019-09-12 10:56:54 +03:00
extern ConnectionType CT_Socket ;
2020-12-11 18:31:40 +02:00
SSL_CTX * redis_tls_ctx = NULL ;
SSL_CTX * redis_tls_client_ctx = NULL ;
2020-05-24 19:57:16 -04:00
fastlock g_ctxtlock ( " SSL CTX " ) ;
2019-09-12 10:56:54 +03:00
2019-09-12 11:10:22 +03:00
static int parseProtocolsConfig ( const char * str ) {
int i , count = 0 ;
int protocols = 0 ;
if ( ! str ) return REDIS_TLS_PROTO_DEFAULT ;
sds * tokens = sdssplitlen ( str , strlen ( str ) , " " , 1 , & count ) ;
if ( ! tokens ) {
serverLog ( LL_WARNING , " Invalid tls-protocols configuration string " ) ;
return - 1 ;
}
for ( i = 0 ; i < count ; i + + ) {
if ( ! strcasecmp ( tokens [ i ] , " tlsv1 " ) ) protocols | = REDIS_TLS_PROTO_TLSv1 ;
else if ( ! strcasecmp ( tokens [ i ] , " tlsv1.1 " ) ) protocols | = REDIS_TLS_PROTO_TLSv1_1 ;
else if ( ! strcasecmp ( tokens [ i ] , " tlsv1.2 " ) ) protocols | = REDIS_TLS_PROTO_TLSv1_2 ;
else if ( ! strcasecmp ( tokens [ i ] , " tlsv1.3 " ) ) {
# ifdef TLS1_3_VERSION
protocols | = REDIS_TLS_PROTO_TLSv1_3 ;
# else
serverLog ( LL_WARNING , " TLSv1.3 is specified in tls-protocols but not supported by OpenSSL. " ) ;
protocols = - 1 ;
break ;
# endif
} else {
serverLog ( LL_WARNING , " Invalid tls-protocols specified. "
" Use a combination of 'TLSv1', 'TLSv1.1', 'TLSv1.2' and 'TLSv1.3'. " ) ;
protocols = - 1 ;
break ;
}
}
sdsfreesplitres ( tokens , count ) ;
return protocols ;
}
2019-08-11 16:07:53 +03:00
/* list of connections with pending data already read from the socket, but not
* served to the reader yet . */
2020-05-24 19:57:16 -04:00
static thread_local list * pending_list = NULL ;
2019-08-11 16:07:53 +03:00
2020-05-10 17:35:27 +03:00
/**
* OpenSSL global initialization and locking handling callbacks .
* Note that this is only required for OpenSSL < 1.1 .0 .
*/
# if OPENSSL_VERSION_NUMBER < 0x10100000L
# define USE_CRYPTO_LOCKS
# endif
# ifdef USE_CRYPTO_LOCKS
static pthread_mutex_t * openssl_locks ;
static void sslLockingCallback ( int mode , int lock_id , const char * f , int line ) {
pthread_mutex_t * mt = openssl_locks + lock_id ;
if ( mode & CRYPTO_LOCK ) {
pthread_mutex_lock ( mt ) ;
} else {
pthread_mutex_unlock ( mt ) ;
}
( void ) f ;
( void ) line ;
}
static void initCryptoLocks ( void ) {
unsigned i , nlocks ;
if ( CRYPTO_get_locking_callback ( ) ! = NULL ) {
/* Someone already set the callback before us. Don't destroy it! */
return ;
}
nlocks = CRYPTO_num_locks ( ) ;
2020-05-29 22:23:48 -04:00
openssl_locks = ( pthread_mutex_t * ) zmalloc ( sizeof ( * openssl_locks ) * nlocks ) ;
2020-05-10 17:35:27 +03:00
for ( i = 0 ; i < nlocks ; i + + ) {
pthread_mutex_init ( openssl_locks + i , NULL ) ;
}
CRYPTO_set_locking_callback ( sslLockingCallback ) ;
}
# endif /* USE_CRYPTO_LOCKS */
2019-09-12 10:56:54 +03:00
void tlsInit ( void ) {
2020-12-07 12:30:12 +00:00
/* Enable configuring OpenSSL using the standard openssl.cnf
* OPENSSL_config ( ) / OPENSSL_init_crypto ( ) should be the first
* call to the OpenSSL * library .
* - OPENSSL_config ( ) should be used for OpenSSL versions < 1.1 .0
* - OPENSSL_init_crypto ( ) should be used for OpenSSL versions > = 1.1 .0
*/
# if OPENSSL_VERSION_NUMBER < 0x10100000L
OPENSSL_config ( NULL ) ;
Merge main with oss release sep29 2022 (#521)
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* update packaging for OS merge
* update packaging for OS merge
* modify dockerfile to build within image
* modify dockerfile to build within image
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* Only run the tls-name-validation test if --tls is passed into runtest
* Only run the tls-name-validation test if --tls is passed into runtest
* Fix KeyDB not building with TLS < 1.1.1
* Fix KeyDB not building with TLS < 1.1.1
* update changelog to use replica as terminology
* update changelog to use replica as terminology
* update copyright
* update copyright
* update deb copyright
* update deb copyright
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* setup Machamp ci
* setup Machamp ci
* make build_test.sh executable
* make build_test.sh executable
* PSYNC production fixes
* PSYNC production fixes
* fix the Machamp build
* fix the Machamp build
* break into tests into steps
* break into tests into steps
* Added multimaster test
* Added multimaster test
* Update ci.yml
Change min tested version to 18.04
* Update ci.yml
Change min tested version to 18.04
* fork lock for all threads, use fastlock for readwritelock
* fork lock for all threads, use fastlock for readwritelock
* hide forklock object in ae
* hide forklock object in ae
* only need to include readwritelock in ae
* only need to include readwritelock in ae
* time thread lock uses fastlock instead of std::mutex
* time thread lock uses fastlock instead of std::mutex
* set thread as offline when waiting for time thread lock
* set thread as offline when waiting for time thread lock
* update README resource links
* update README resource links
* Fix MALLOC=memkind build issues
* Fix MALLOC=memkind build issues
* Fix module test break
* Fix module test break
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* remove unused var in networking.cpp
* remove unused var in networking.cpp
* check ziplist len to avoid crash on empty ziplist convert
* check ziplist len to avoid crash on empty ziplist convert
* remove nullptr subtraction
* remove nullptr subtraction
* cannot mod a pointer
* cannot mod a pointer
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* PSYNC production fixes
* PSYNC production fixes
* Ensure we are responsive during storagecache clears
* Ensure we are responsive during storagecache clears
* Ensure recreated tables use the same settings as ones made at boot
* Ensure recreated tables use the same settings as ones made at boot
* Converted some existing PSYNC tests for multimaster
* Converted some existing PSYNC tests for multimaster
* Inclusive language fix
* Inclusive language fix
* Cleanup test suite
* Cleanup test suite
* Updated test replica configs so tests make sense
* Updated test replica configs so tests make sense
* active-rep test reliability
* active-rep test reliability
* Quick fix to make psync tests work
* Quick fix to make psync tests work
* Fix PSYNC test crashes
* Fix PSYNC test crashes
* Ensure we force moves not copies when ingesting bulk insert files
* Ensure we force moves not copies when ingesting bulk insert files
* Disable async for hget commands as it is not ready
* Disable FLASH
* Fix crash in save of masterinfo
* Fix musl/Alpine build failures
* Remove unnecessary libs
* update readme
* update readme
* remove Enterprise references
* Limit max overage to 20% during RDB save
* Delete COPYING to replace with BSD license
* update deb master changelog
* Update license
* Fix Readme typo from github org transition
Replace mention of scratch-file-path with db-s3-object
* Fix reference counting failure in the dict. This is caused by std::swap also swapping refcounts
* Fix assertion in async rehash
* Prevent crash on shutdown by avoiding dtors (they are unnecessary anyways)
* Initialize noshrink, it was dangling
* Prevent us from starting a rehash when one wasn't already in progress. This can cause severe issues for snapshots
* Avoid unnecessary rehashing when a rehash is abandoned
* Dictionary use correct acquire/release semantics
* Add fence barriers for the repl backlog (important for AARCH64 and other weak memory models)
* Silence TSAN errors on ustime and mstime. Every CPU we support is atomic on aligned ints, but correctness matters
* Disable async commands by default
* Fix TSAN warnings on the repl backlog
* Merge OSS back into pro
* Fix unmerged files
* Fix O(n^2) algorithm in the GC cleanup logic
* Fix crash in expire when a snapshot is in flight. Caused by a perf optimization getting the expire map out of sync with the val
* On Alpine we must have a reasonable stack size
* Revert ci.yml to unstable branch version
* Implements the soft shutdown feature to allow clients to cooperatively disconnect preventing disruption during shutdown
* Ensure clean shutdown with multiple threads
* update dockerfiles
* update deb pkg references and changelog
* update gem reference
* lpGetInteger returns int64_t, avoid overflow (#10068)
Fix #9410
Crucial for the ms and sequence deltas, but I changed all
calls, just in case (e.g. "flags")
Before this commit:
`ms_delta` and `seq_delta` could have overflown, causing `currid` to be wrong,
which in turn would cause `streamTrim` to trim the entire rax node (see new test)
* Fix issue #454 (BSD build break)
* Do not allow commands to run in background when in eval, Issue #452
* Fix certificate leak during connection when tls-allowlists are used
* Fix issue #480
* Fix crash running INFO command while a disk based backlog is set
* check tracking per db
* fix warnings
* Fix a race when undoConnectWithMaster changes mi->repl_transfer_s but the connection is not yet closed and the event handler runs
* Fix a race in processChanges/trackChanges with rdbLoadRio by acquiring the lock when trackChanges is set
* Fix ASAN use after free
* Additional fixes
* Fix integer overflow of the track changes counter
* Fix P99 latency issue for TLS where we leave work for the next event loop
tlsProcessPendingData() needs to be called before we execute queued commands because it may enqueue more commands
* Fix race removing key cache
* Prevent crash on load in long running KeyDB instances
* Fixes a crash where the server assertion failed when the key exists in DB during RDB load
* Remove old assertion which is commented out.
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* src\redis-cli.c: fix potential null pointer dereference found by cppcheck
src\redis-cli.c:5488:35: warning: Either the condition
'!table' is redundant or there is possible null pointer dereference:
table. [nullPointerRedundantCheck]
* Fix Issue #486
* Workaround bug in snapshot sync - abort don't crash
* Improve reliability of async parts of the soft shutdown tests
* Improve reliability of fragmentation tests
* Verify that partial syncs do indeed occur
* Fix O(n) algorithm in INFO command
* Remove incorrect assert that fires when the repl backlog is used fully
* Make building flash optional
* Remove unneeded gitlab CI file
* [BUG] Moves key to another DB, the source key was removed if the move failed due to the key exists in the destination db #497 (#498)
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
* trigger repl_curr_off!= master_repl_offset assert failure when having pending write case
* use debug for logging the message instead
* rocksdb log using up the diskspace on flash (#519)
* Fix OpenSSL 3.0.x related issues. (#10291)
* Drop obsolete initialization calls.
* Use decoder API for DH parameters.
* Enable auto DH parameters if not explicitly used, which should be the
preferred configuration going forward.
* remove unnecessary forward declaration
* remove internal ci stuff
* remove more internal ci/publishing
* submodule update step
* use with syntax instead
* bump ci ubuntu old ver as latest is now 22.04
* include submodules on all ci jobs
* install all deps for all ci jobs
Co-authored-by: Vivek Saini <vsaini@snapchat.com>
Co-authored-by: Christian Legge <christian@eqalpha.com>
Co-authored-by: benschermel <bschermel@snapchat.com>
Co-authored-by: John Sully <john@csquare.ca>
Co-authored-by: zliang <zliang@snapchat.com>
Co-authored-by: malavan <malavan@eqalpha.com>
Co-authored-by: John Sully <jsully@snapchat.com>
Co-authored-by: jfinity <38383673+jfinity@users.noreply.github.com>
Co-authored-by: benschermel <43507366+benschermel@users.noreply.github.com>
Co-authored-by: guybe7 <guy.benoish@redislabs.com>
Co-authored-by: Karthick Ariyaratnam (A) <k00809413@china.huawei.com>
Co-authored-by: root <paul.chen1@huawei.com>
Co-authored-by: Ilya Shipitsin <chipitsine@gmail.com>
Co-authored-by: Paul Chen <32553156+paulmchen@users.noreply.github.com>
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
2022-12-14 12:17:36 -05:00
SSL_load_error_strings ( ) ;
SSL_library_init ( ) ;
2021-08-13 20:02:06 +00:00
# elif OPENSSL_VERSION_NUMBER < 0x10101000L
OPENSSL_init_crypto ( OPENSSL_INIT_LOAD_CONFIG , NULL ) ;
2020-12-07 12:30:12 +00:00
# else
2021-03-03 10:08:06 +02:00
OPENSSL_init_crypto ( OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_ATFORK , NULL ) ;
2020-12-07 12:30:12 +00:00
# endif
2019-09-12 10:56:54 +03:00
2020-05-10 17:35:27 +03:00
# ifdef USE_CRYPTO_LOCKS
initCryptoLocks ( ) ;
# endif
2019-09-12 10:56:54 +03:00
if ( ! RAND_poll ( ) ) {
serverLog ( LL_WARNING , " OpenSSL: Failed to seed random number generator. " ) ;
}
2019-08-11 16:07:53 +03:00
2020-05-24 19:57:16 -04:00
tlsInitThread ( ) ;
}
void tlsInitThread ( void )
{
serverAssert ( pending_list = = nullptr ) ;
pending_list = listCreate ( ) ;
2019-09-12 10:56:54 +03:00
}
2022-04-22 22:43:20 +00:00
void tlsCleanupThread ( void )
{
if ( pending_list )
listRelease ( pending_list ) ;
}
2021-03-03 10:08:06 +02:00
void tlsCleanup ( void ) {
if ( redis_tls_ctx ) {
SSL_CTX_free ( redis_tls_ctx ) ;
redis_tls_ctx = NULL ;
}
if ( redis_tls_client_ctx ) {
SSL_CTX_free ( redis_tls_client_ctx ) ;
redis_tls_client_ctx = NULL ;
}
2021-09-11 20:54:09 +01:00
# if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
// unavailable on LibreSSL
2021-03-03 10:08:06 +02:00
OPENSSL_cleanup ( ) ;
# endif
}
2021-03-22 13:27:46 +02:00
/* Callback for passing a keyfile password stored as an sds to OpenSSL */
static int tlsPasswordCallback ( char * buf , int size , int rwflag , void * u ) {
UNUSED ( rwflag ) ;
2021-05-25 16:55:59 +00:00
const char * pass = ( const char * ) u ;
2021-03-22 13:27:46 +02:00
size_t pass_len ;
if ( ! pass ) return - 1 ;
pass_len = strlen ( pass ) ;
if ( pass_len > ( size_t ) size ) return - 1 ;
memcpy ( buf , pass , pass_len ) ;
return ( int ) pass_len ;
}
2022-02-02 14:20:19 -05:00
/* Given a path to a file, return the last time it was accessed (in seconds) */
time_t getLastModifiedTime ( const char * path ) {
struct stat path_stat ;
stat ( path , & path_stat ) ;
# ifdef __APPLE__
return path_stat . st_mtimespec . tv_sec ;
# else
return path_stat . st_mtime ;
# endif
}
2020-12-11 18:31:40 +02:00
/* Create a *base* SSL_CTX using the SSL configuration provided. The base context
* includes everything that ' s common for both client - side and server - side connections .
2019-09-12 10:56:54 +03:00
*/
2021-03-22 13:27:46 +02:00
static SSL_CTX * createSSLContext ( redisTLSContextConfig * ctx_config , int protocols , int client ) {
const char * cert_file = client ? ctx_config - > client_cert_file : ctx_config - > cert_file ;
const char * key_file = client ? ctx_config - > client_key_file : ctx_config - > key_file ;
const char * key_file_pass = client ? ctx_config - > client_key_file_pass : ctx_config - > key_file_pass ;
2019-09-12 10:56:54 +03:00
char errbuf [ 256 ] ;
SSL_CTX * ctx = NULL ;
2019-09-12 11:10:22 +03:00
ctx = SSL_CTX_new ( SSLv23_method ( ) ) ;
SSL_CTX_set_options ( ctx , SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 ) ;
# ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
SSL_CTX_set_options ( ctx , SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS ) ;
# endif
if ( ! ( protocols & REDIS_TLS_PROTO_TLSv1 ) )
SSL_CTX_set_options ( ctx , SSL_OP_NO_TLSv1 ) ;
if ( ! ( protocols & REDIS_TLS_PROTO_TLSv1_1 ) )
SSL_CTX_set_options ( ctx , SSL_OP_NO_TLSv1_1 ) ;
# ifdef SSL_OP_NO_TLSv1_2
if ( ! ( protocols & REDIS_TLS_PROTO_TLSv1_2 ) )
SSL_CTX_set_options ( ctx , SSL_OP_NO_TLSv1_2 ) ;
# endif
# ifdef SSL_OP_NO_TLSv1_3
if ( ! ( protocols & REDIS_TLS_PROTO_TLSv1_3 ) )
SSL_CTX_set_options ( ctx , SSL_OP_NO_TLSv1_3 ) ;
# endif
# ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options ( ctx , SSL_OP_NO_COMPRESSION ) ;
# endif
2019-09-12 10:56:54 +03:00
SSL_CTX_set_mode ( ctx , SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER ) ;
SSL_CTX_set_verify ( ctx , SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT , NULL ) ;
2021-03-22 13:27:46 +02:00
SSL_CTX_set_default_passwd_cb ( ctx , tlsPasswordCallback ) ;
SSL_CTX_set_default_passwd_cb_userdata ( ctx , ( void * ) key_file_pass ) ;
2020-12-11 18:31:40 +02:00
if ( SSL_CTX_use_certificate_chain_file ( ctx , cert_file ) < = 0 ) {
2019-09-12 10:56:54 +03:00
ERR_error_string_n ( ERR_get_error ( ) , errbuf , sizeof ( errbuf ) ) ;
2020-12-11 18:31:40 +02:00
serverLog ( LL_WARNING , " Failed to load certificate: %s: %s " , cert_file , errbuf ) ;
2019-09-12 10:56:54 +03:00
goto error ;
}
2020-12-11 18:31:40 +02:00
if ( SSL_CTX_use_PrivateKey_file ( ctx , key_file , SSL_FILETYPE_PEM ) < = 0 ) {
2019-09-12 10:56:54 +03:00
ERR_error_string_n ( ERR_get_error ( ) , errbuf , sizeof ( errbuf ) ) ;
2020-12-11 18:31:40 +02:00
serverLog ( LL_WARNING , " Failed to load private key: %s: %s " , key_file , errbuf ) ;
2019-09-12 10:56:54 +03:00
goto error ;
}
2020-12-11 18:31:40 +02:00
2020-09-29 20:48:21 +03:00
if ( ( ctx_config - > ca_cert_file | | ctx_config - > ca_cert_dir ) & &
SSL_CTX_load_verify_locations ( ctx , ctx_config - > ca_cert_file , ctx_config - > ca_cert_dir ) < = 0 ) {
2019-09-12 10:56:54 +03:00
ERR_error_string_n ( ERR_get_error ( ) , errbuf , sizeof ( errbuf ) ) ;
2019-10-08 17:57:05 +03:00
serverLog ( LL_WARNING , " Failed to configure CA certificate(s) file/directory: %s " , errbuf ) ;
2019-09-12 10:56:54 +03:00
goto error ;
}
2020-12-11 18:31:40 +02:00
if ( ctx_config - > ciphers & & ! SSL_CTX_set_cipher_list ( ctx , ctx_config - > ciphers ) ) {
serverLog ( LL_WARNING , " Failed to configure ciphers: %s " , ctx_config - > ciphers ) ;
goto error ;
}
# ifdef TLS1_3_VERSION
if ( ctx_config - > ciphersuites & & ! SSL_CTX_set_ciphersuites ( ctx , ctx_config - > ciphersuites ) ) {
serverLog ( LL_WARNING , " Failed to configure ciphersuites: %s " , ctx_config - > ciphersuites ) ;
goto error ;
}
# endif
return ctx ;
error :
if ( ctx ) SSL_CTX_free ( ctx ) ;
return NULL ;
}
/* Attempt to configure/reconfigure TLS. This operation is atomic and will
* leave the SSL_CTX unchanged if fails .
*/
int tlsConfigure ( redisTLSContextConfig * ctx_config ) {
char errbuf [ 256 ] ;
SSL_CTX * ctx = NULL ;
SSL_CTX * client_ctx = NULL ;
2021-05-25 16:55:59 +00:00
int protocols ;
2020-12-11 18:31:40 +02:00
if ( ! ctx_config - > cert_file ) {
serverLog ( LL_WARNING , " No tls-cert-file configured! " ) ;
goto error ;
}
if ( ! ctx_config - > key_file ) {
serverLog ( LL_WARNING , " No tls-key-file configured! " ) ;
goto error ;
}
2021-05-25 16:55:59 +00:00
if ( ( ( g_pserver - > tls_auth_clients ! = TLS_CLIENT_AUTH_NO ) | | g_pserver - > tls_cluster | | g_pserver - > tls_replication ) & &
2020-12-11 18:31:40 +02:00
! ctx_config - > ca_cert_file & & ! ctx_config - > ca_cert_dir ) {
serverLog ( LL_WARNING , " Either tls-ca-cert-file or tls-ca-cert-dir must be specified when tls-cluster, tls-replication or tls-auth-clients are enabled! " ) ;
goto error ;
}
2022-02-02 14:20:19 -05:00
/* Update the last modified times for the TLS elements */
ctx_config - > key_file_last_modified = getLastModifiedTime ( ctx_config - > key_file ) ;
ctx_config - > cert_file_last_modified = getLastModifiedTime ( ctx_config - > cert_file ) ;
ctx_config - > client_cert_file_last_modified = getLastModifiedTime ( ctx_config - > client_cert_file ) ;
ctx_config - > client_key_file_last_modified = getLastModifiedTime ( ctx_config - > client_key_file ) ;
ctx_config - > ca_cert_dir_last_modified = getLastModifiedTime ( ctx_config - > ca_cert_dir ) ;
ctx_config - > ca_cert_file_last_modified = getLastModifiedTime ( ctx_config - > ca_cert_file ) ;
2021-05-25 16:55:59 +00:00
protocols = parseProtocolsConfig ( ctx_config - > protocols ) ;
2020-12-11 18:31:40 +02:00
if ( protocols = = - 1 ) goto error ;
/* Create server side/generla context */
2021-03-22 13:27:46 +02:00
ctx = createSSLContext ( ctx_config , protocols , 0 ) ;
2020-12-11 18:31:40 +02:00
if ( ! ctx ) goto error ;
if ( ctx_config - > session_caching ) {
SSL_CTX_set_session_cache_mode ( ctx , SSL_SESS_CACHE_SERVER ) ;
SSL_CTX_sess_set_cache_size ( ctx , ctx_config - > session_cache_size ) ;
SSL_CTX_set_timeout ( ctx , ctx_config - > session_cache_timeout ) ;
2021-05-25 16:55:59 +00:00
SSL_CTX_set_session_id_context ( ctx , ( const unsigned char * ) " KeyDB " , 5 ) ;
2020-12-11 18:31:40 +02:00
} else {
SSL_CTX_set_session_cache_mode ( ctx , SSL_SESS_CACHE_OFF ) ;
}
# ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
SSL_CTX_set_options ( ctx , SSL_OP_NO_CLIENT_RENEGOTIATION ) ;
# endif
if ( ctx_config - > prefer_server_ciphers )
SSL_CTX_set_options ( ctx , SSL_OP_CIPHER_SERVER_PREFERENCE ) ;
Merge main with oss release sep29 2022 (#521)
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* update packaging for OS merge
* update packaging for OS merge
* modify dockerfile to build within image
* modify dockerfile to build within image
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* Only run the tls-name-validation test if --tls is passed into runtest
* Only run the tls-name-validation test if --tls is passed into runtest
* Fix KeyDB not building with TLS < 1.1.1
* Fix KeyDB not building with TLS < 1.1.1
* update changelog to use replica as terminology
* update changelog to use replica as terminology
* update copyright
* update copyright
* update deb copyright
* update deb copyright
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* setup Machamp ci
* setup Machamp ci
* make build_test.sh executable
* make build_test.sh executable
* PSYNC production fixes
* PSYNC production fixes
* fix the Machamp build
* fix the Machamp build
* break into tests into steps
* break into tests into steps
* Added multimaster test
* Added multimaster test
* Update ci.yml
Change min tested version to 18.04
* Update ci.yml
Change min tested version to 18.04
* fork lock for all threads, use fastlock for readwritelock
* fork lock for all threads, use fastlock for readwritelock
* hide forklock object in ae
* hide forklock object in ae
* only need to include readwritelock in ae
* only need to include readwritelock in ae
* time thread lock uses fastlock instead of std::mutex
* time thread lock uses fastlock instead of std::mutex
* set thread as offline when waiting for time thread lock
* set thread as offline when waiting for time thread lock
* update README resource links
* update README resource links
* Fix MALLOC=memkind build issues
* Fix MALLOC=memkind build issues
* Fix module test break
* Fix module test break
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* remove unused var in networking.cpp
* remove unused var in networking.cpp
* check ziplist len to avoid crash on empty ziplist convert
* check ziplist len to avoid crash on empty ziplist convert
* remove nullptr subtraction
* remove nullptr subtraction
* cannot mod a pointer
* cannot mod a pointer
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* PSYNC production fixes
* PSYNC production fixes
* Ensure we are responsive during storagecache clears
* Ensure we are responsive during storagecache clears
* Ensure recreated tables use the same settings as ones made at boot
* Ensure recreated tables use the same settings as ones made at boot
* Converted some existing PSYNC tests for multimaster
* Converted some existing PSYNC tests for multimaster
* Inclusive language fix
* Inclusive language fix
* Cleanup test suite
* Cleanup test suite
* Updated test replica configs so tests make sense
* Updated test replica configs so tests make sense
* active-rep test reliability
* active-rep test reliability
* Quick fix to make psync tests work
* Quick fix to make psync tests work
* Fix PSYNC test crashes
* Fix PSYNC test crashes
* Ensure we force moves not copies when ingesting bulk insert files
* Ensure we force moves not copies when ingesting bulk insert files
* Disable async for hget commands as it is not ready
* Disable FLASH
* Fix crash in save of masterinfo
* Fix musl/Alpine build failures
* Remove unnecessary libs
* update readme
* update readme
* remove Enterprise references
* Limit max overage to 20% during RDB save
* Delete COPYING to replace with BSD license
* update deb master changelog
* Update license
* Fix Readme typo from github org transition
Replace mention of scratch-file-path with db-s3-object
* Fix reference counting failure in the dict. This is caused by std::swap also swapping refcounts
* Fix assertion in async rehash
* Prevent crash on shutdown by avoiding dtors (they are unnecessary anyways)
* Initialize noshrink, it was dangling
* Prevent us from starting a rehash when one wasn't already in progress. This can cause severe issues for snapshots
* Avoid unnecessary rehashing when a rehash is abandoned
* Dictionary use correct acquire/release semantics
* Add fence barriers for the repl backlog (important for AARCH64 and other weak memory models)
* Silence TSAN errors on ustime and mstime. Every CPU we support is atomic on aligned ints, but correctness matters
* Disable async commands by default
* Fix TSAN warnings on the repl backlog
* Merge OSS back into pro
* Fix unmerged files
* Fix O(n^2) algorithm in the GC cleanup logic
* Fix crash in expire when a snapshot is in flight. Caused by a perf optimization getting the expire map out of sync with the val
* On Alpine we must have a reasonable stack size
* Revert ci.yml to unstable branch version
* Implements the soft shutdown feature to allow clients to cooperatively disconnect preventing disruption during shutdown
* Ensure clean shutdown with multiple threads
* update dockerfiles
* update deb pkg references and changelog
* update gem reference
* lpGetInteger returns int64_t, avoid overflow (#10068)
Fix #9410
Crucial for the ms and sequence deltas, but I changed all
calls, just in case (e.g. "flags")
Before this commit:
`ms_delta` and `seq_delta` could have overflown, causing `currid` to be wrong,
which in turn would cause `streamTrim` to trim the entire rax node (see new test)
* Fix issue #454 (BSD build break)
* Do not allow commands to run in background when in eval, Issue #452
* Fix certificate leak during connection when tls-allowlists are used
* Fix issue #480
* Fix crash running INFO command while a disk based backlog is set
* check tracking per db
* fix warnings
* Fix a race when undoConnectWithMaster changes mi->repl_transfer_s but the connection is not yet closed and the event handler runs
* Fix a race in processChanges/trackChanges with rdbLoadRio by acquiring the lock when trackChanges is set
* Fix ASAN use after free
* Additional fixes
* Fix integer overflow of the track changes counter
* Fix P99 latency issue for TLS where we leave work for the next event loop
tlsProcessPendingData() needs to be called before we execute queued commands because it may enqueue more commands
* Fix race removing key cache
* Prevent crash on load in long running KeyDB instances
* Fixes a crash where the server assertion failed when the key exists in DB during RDB load
* Remove old assertion which is commented out.
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* src\redis-cli.c: fix potential null pointer dereference found by cppcheck
src\redis-cli.c:5488:35: warning: Either the condition
'!table' is redundant or there is possible null pointer dereference:
table. [nullPointerRedundantCheck]
* Fix Issue #486
* Workaround bug in snapshot sync - abort don't crash
* Improve reliability of async parts of the soft shutdown tests
* Improve reliability of fragmentation tests
* Verify that partial syncs do indeed occur
* Fix O(n) algorithm in INFO command
* Remove incorrect assert that fires when the repl backlog is used fully
* Make building flash optional
* Remove unneeded gitlab CI file
* [BUG] Moves key to another DB, the source key was removed if the move failed due to the key exists in the destination db #497 (#498)
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
* trigger repl_curr_off!= master_repl_offset assert failure when having pending write case
* use debug for logging the message instead
* rocksdb log using up the diskspace on flash (#519)
* Fix OpenSSL 3.0.x related issues. (#10291)
* Drop obsolete initialization calls.
* Use decoder API for DH parameters.
* Enable auto DH parameters if not explicitly used, which should be the
preferred configuration going forward.
* remove unnecessary forward declaration
* remove internal ci stuff
* remove more internal ci/publishing
* submodule update step
* use with syntax instead
* bump ci ubuntu old ver as latest is now 22.04
* include submodules on all ci jobs
* install all deps for all ci jobs
Co-authored-by: Vivek Saini <vsaini@snapchat.com>
Co-authored-by: Christian Legge <christian@eqalpha.com>
Co-authored-by: benschermel <bschermel@snapchat.com>
Co-authored-by: John Sully <john@csquare.ca>
Co-authored-by: zliang <zliang@snapchat.com>
Co-authored-by: malavan <malavan@eqalpha.com>
Co-authored-by: John Sully <jsully@snapchat.com>
Co-authored-by: jfinity <38383673+jfinity@users.noreply.github.com>
Co-authored-by: benschermel <43507366+benschermel@users.noreply.github.com>
Co-authored-by: guybe7 <guy.benoish@redislabs.com>
Co-authored-by: Karthick Ariyaratnam (A) <k00809413@china.huawei.com>
Co-authored-by: root <paul.chen1@huawei.com>
Co-authored-by: Ilya Shipitsin <chipitsine@gmail.com>
Co-authored-by: Paul Chen <32553156+paulmchen@users.noreply.github.com>
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
2022-12-14 12:17:36 -05:00
# if ((OPENSSL_VERSION_NUMBER < 0x30000000L) && defined(SSL_CTX_set_ecdh_auto))
2020-12-11 18:31:40 +02:00
SSL_CTX_set_ecdh_auto ( ctx , 1 ) ;
# endif
SSL_CTX_set_options ( ctx , SSL_OP_SINGLE_DH_USE ) ;
2019-09-12 11:10:22 +03:00
if ( ctx_config - > dh_params_file ) {
FILE * dhfile = fopen ( ctx_config - > dh_params_file , " r " ) ;
2019-09-12 10:56:54 +03:00
if ( ! dhfile ) {
2019-09-12 11:10:22 +03:00
serverLog ( LL_WARNING , " Failed to load %s: %s " , ctx_config - > dh_params_file , strerror ( errno ) ) ;
2019-09-12 10:56:54 +03:00
goto error ;
}
Merge main with oss release sep29 2022 (#521)
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* update packaging for OS merge
* update packaging for OS merge
* modify dockerfile to build within image
* modify dockerfile to build within image
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* Only run the tls-name-validation test if --tls is passed into runtest
* Only run the tls-name-validation test if --tls is passed into runtest
* Fix KeyDB not building with TLS < 1.1.1
* Fix KeyDB not building with TLS < 1.1.1
* update changelog to use replica as terminology
* update changelog to use replica as terminology
* update copyright
* update copyright
* update deb copyright
* update deb copyright
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* setup Machamp ci
* setup Machamp ci
* make build_test.sh executable
* make build_test.sh executable
* PSYNC production fixes
* PSYNC production fixes
* fix the Machamp build
* fix the Machamp build
* break into tests into steps
* break into tests into steps
* Added multimaster test
* Added multimaster test
* Update ci.yml
Change min tested version to 18.04
* Update ci.yml
Change min tested version to 18.04
* fork lock for all threads, use fastlock for readwritelock
* fork lock for all threads, use fastlock for readwritelock
* hide forklock object in ae
* hide forklock object in ae
* only need to include readwritelock in ae
* only need to include readwritelock in ae
* time thread lock uses fastlock instead of std::mutex
* time thread lock uses fastlock instead of std::mutex
* set thread as offline when waiting for time thread lock
* set thread as offline when waiting for time thread lock
* update README resource links
* update README resource links
* Fix MALLOC=memkind build issues
* Fix MALLOC=memkind build issues
* Fix module test break
* Fix module test break
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* remove unused var in networking.cpp
* remove unused var in networking.cpp
* check ziplist len to avoid crash on empty ziplist convert
* check ziplist len to avoid crash on empty ziplist convert
* remove nullptr subtraction
* remove nullptr subtraction
* cannot mod a pointer
* cannot mod a pointer
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* PSYNC production fixes
* PSYNC production fixes
* Ensure we are responsive during storagecache clears
* Ensure we are responsive during storagecache clears
* Ensure recreated tables use the same settings as ones made at boot
* Ensure recreated tables use the same settings as ones made at boot
* Converted some existing PSYNC tests for multimaster
* Converted some existing PSYNC tests for multimaster
* Inclusive language fix
* Inclusive language fix
* Cleanup test suite
* Cleanup test suite
* Updated test replica configs so tests make sense
* Updated test replica configs so tests make sense
* active-rep test reliability
* active-rep test reliability
* Quick fix to make psync tests work
* Quick fix to make psync tests work
* Fix PSYNC test crashes
* Fix PSYNC test crashes
* Ensure we force moves not copies when ingesting bulk insert files
* Ensure we force moves not copies when ingesting bulk insert files
* Disable async for hget commands as it is not ready
* Disable FLASH
* Fix crash in save of masterinfo
* Fix musl/Alpine build failures
* Remove unnecessary libs
* update readme
* update readme
* remove Enterprise references
* Limit max overage to 20% during RDB save
* Delete COPYING to replace with BSD license
* update deb master changelog
* Update license
* Fix Readme typo from github org transition
Replace mention of scratch-file-path with db-s3-object
* Fix reference counting failure in the dict. This is caused by std::swap also swapping refcounts
* Fix assertion in async rehash
* Prevent crash on shutdown by avoiding dtors (they are unnecessary anyways)
* Initialize noshrink, it was dangling
* Prevent us from starting a rehash when one wasn't already in progress. This can cause severe issues for snapshots
* Avoid unnecessary rehashing when a rehash is abandoned
* Dictionary use correct acquire/release semantics
* Add fence barriers for the repl backlog (important for AARCH64 and other weak memory models)
* Silence TSAN errors on ustime and mstime. Every CPU we support is atomic on aligned ints, but correctness matters
* Disable async commands by default
* Fix TSAN warnings on the repl backlog
* Merge OSS back into pro
* Fix unmerged files
* Fix O(n^2) algorithm in the GC cleanup logic
* Fix crash in expire when a snapshot is in flight. Caused by a perf optimization getting the expire map out of sync with the val
* On Alpine we must have a reasonable stack size
* Revert ci.yml to unstable branch version
* Implements the soft shutdown feature to allow clients to cooperatively disconnect preventing disruption during shutdown
* Ensure clean shutdown with multiple threads
* update dockerfiles
* update deb pkg references and changelog
* update gem reference
* lpGetInteger returns int64_t, avoid overflow (#10068)
Fix #9410
Crucial for the ms and sequence deltas, but I changed all
calls, just in case (e.g. "flags")
Before this commit:
`ms_delta` and `seq_delta` could have overflown, causing `currid` to be wrong,
which in turn would cause `streamTrim` to trim the entire rax node (see new test)
* Fix issue #454 (BSD build break)
* Do not allow commands to run in background when in eval, Issue #452
* Fix certificate leak during connection when tls-allowlists are used
* Fix issue #480
* Fix crash running INFO command while a disk based backlog is set
* check tracking per db
* fix warnings
* Fix a race when undoConnectWithMaster changes mi->repl_transfer_s but the connection is not yet closed and the event handler runs
* Fix a race in processChanges/trackChanges with rdbLoadRio by acquiring the lock when trackChanges is set
* Fix ASAN use after free
* Additional fixes
* Fix integer overflow of the track changes counter
* Fix P99 latency issue for TLS where we leave work for the next event loop
tlsProcessPendingData() needs to be called before we execute queued commands because it may enqueue more commands
* Fix race removing key cache
* Prevent crash on load in long running KeyDB instances
* Fixes a crash where the server assertion failed when the key exists in DB during RDB load
* Remove old assertion which is commented out.
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* src\redis-cli.c: fix potential null pointer dereference found by cppcheck
src\redis-cli.c:5488:35: warning: Either the condition
'!table' is redundant or there is possible null pointer dereference:
table. [nullPointerRedundantCheck]
* Fix Issue #486
* Workaround bug in snapshot sync - abort don't crash
* Improve reliability of async parts of the soft shutdown tests
* Improve reliability of fragmentation tests
* Verify that partial syncs do indeed occur
* Fix O(n) algorithm in INFO command
* Remove incorrect assert that fires when the repl backlog is used fully
* Make building flash optional
* Remove unneeded gitlab CI file
* [BUG] Moves key to another DB, the source key was removed if the move failed due to the key exists in the destination db #497 (#498)
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
* trigger repl_curr_off!= master_repl_offset assert failure when having pending write case
* use debug for logging the message instead
* rocksdb log using up the diskspace on flash (#519)
* Fix OpenSSL 3.0.x related issues. (#10291)
* Drop obsolete initialization calls.
* Use decoder API for DH parameters.
* Enable auto DH parameters if not explicitly used, which should be the
preferred configuration going forward.
* remove unnecessary forward declaration
* remove internal ci stuff
* remove more internal ci/publishing
* submodule update step
* use with syntax instead
* bump ci ubuntu old ver as latest is now 22.04
* include submodules on all ci jobs
* install all deps for all ci jobs
Co-authored-by: Vivek Saini <vsaini@snapchat.com>
Co-authored-by: Christian Legge <christian@eqalpha.com>
Co-authored-by: benschermel <bschermel@snapchat.com>
Co-authored-by: John Sully <john@csquare.ca>
Co-authored-by: zliang <zliang@snapchat.com>
Co-authored-by: malavan <malavan@eqalpha.com>
Co-authored-by: John Sully <jsully@snapchat.com>
Co-authored-by: jfinity <38383673+jfinity@users.noreply.github.com>
Co-authored-by: benschermel <43507366+benschermel@users.noreply.github.com>
Co-authored-by: guybe7 <guy.benoish@redislabs.com>
Co-authored-by: Karthick Ariyaratnam (A) <k00809413@china.huawei.com>
Co-authored-by: root <paul.chen1@huawei.com>
Co-authored-by: Ilya Shipitsin <chipitsine@gmail.com>
Co-authored-by: Paul Chen <32553156+paulmchen@users.noreply.github.com>
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
2022-12-14 12:17:36 -05:00
# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
EVP_PKEY * pkey = NULL ;
OSSL_DECODER_CTX * dctx = OSSL_DECODER_CTX_new_for_pkey (
& pkey , " PEM " , NULL , " DH " , OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS , NULL , NULL ) ;
if ( ! dctx ) {
serverLog ( LL_WARNING , " No decoder for DH params. " ) ;
fclose ( dhfile ) ;
goto error ;
}
if ( ! OSSL_DECODER_from_fp ( dctx , dhfile ) ) {
serverLog ( LL_WARNING , " %s: failed to read DH params. " , ctx_config - > dh_params_file ) ;
OSSL_DECODER_CTX_free ( dctx ) ;
fclose ( dhfile ) ;
goto error ;
}
OSSL_DECODER_CTX_free ( dctx ) ;
fclose ( dhfile ) ;
if ( SSL_CTX_set0_tmp_dh_pkey ( ctx , pkey ) < = 0 ) {
ERR_error_string_n ( ERR_get_error ( ) , errbuf , sizeof ( errbuf ) ) ;
serverLog ( LL_WARNING , " Failed to load DH params file: %s: %s " , ctx_config - > dh_params_file , errbuf ) ;
EVP_PKEY_free ( pkey ) ;
goto error ;
}
/* Not freeing pkey, it is owned by OpenSSL now */
# else
DH * dh = PEM_read_DHparams ( dhfile , NULL , NULL , NULL ) ;
2019-09-12 10:56:54 +03:00
fclose ( dhfile ) ;
if ( ! dh ) {
2019-09-12 11:10:22 +03:00
serverLog ( LL_WARNING , " %s: failed to read DH params. " , ctx_config - > dh_params_file ) ;
2019-09-12 10:56:54 +03:00
goto error ;
}
if ( SSL_CTX_set_tmp_dh ( ctx , dh ) < = 0 ) {
ERR_error_string_n ( ERR_get_error ( ) , errbuf , sizeof ( errbuf ) ) ;
2019-09-12 11:10:22 +03:00
serverLog ( LL_WARNING , " Failed to load DH params file: %s: %s " , ctx_config - > dh_params_file , errbuf ) ;
2019-09-12 10:56:54 +03:00
DH_free ( dh ) ;
goto error ;
}
DH_free ( dh ) ;
Merge main with oss release sep29 2022 (#521)
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* update packaging for OS merge
* update packaging for OS merge
* modify dockerfile to build within image
* modify dockerfile to build within image
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* Only run the tls-name-validation test if --tls is passed into runtest
* Only run the tls-name-validation test if --tls is passed into runtest
* Fix KeyDB not building with TLS < 1.1.1
* Fix KeyDB not building with TLS < 1.1.1
* update changelog to use replica as terminology
* update changelog to use replica as terminology
* update copyright
* update copyright
* update deb copyright
* update deb copyright
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* setup Machamp ci
* setup Machamp ci
* make build_test.sh executable
* make build_test.sh executable
* PSYNC production fixes
* PSYNC production fixes
* fix the Machamp build
* fix the Machamp build
* break into tests into steps
* break into tests into steps
* Added multimaster test
* Added multimaster test
* Update ci.yml
Change min tested version to 18.04
* Update ci.yml
Change min tested version to 18.04
* fork lock for all threads, use fastlock for readwritelock
* fork lock for all threads, use fastlock for readwritelock
* hide forklock object in ae
* hide forklock object in ae
* only need to include readwritelock in ae
* only need to include readwritelock in ae
* time thread lock uses fastlock instead of std::mutex
* time thread lock uses fastlock instead of std::mutex
* set thread as offline when waiting for time thread lock
* set thread as offline when waiting for time thread lock
* update README resource links
* update README resource links
* Fix MALLOC=memkind build issues
* Fix MALLOC=memkind build issues
* Fix module test break
* Fix module test break
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* Eliminate firewall dialogs on mac for regular and cluster tests. There are still issues with the sentinel tests but attempting to bind only to localhost causes failures
* remove unused var in networking.cpp
* remove unused var in networking.cpp
* check ziplist len to avoid crash on empty ziplist convert
* check ziplist len to avoid crash on empty ziplist convert
* remove nullptr subtraction
* remove nullptr subtraction
* cannot mod a pointer
* cannot mod a pointer
* need to include stdint for uintptr_t
* need to include stdint for uintptr_t
* use atomic_load for g_pserver->mstime
* use atomic_load for g_pserver->mstime
* Integrate readwritelock with Pro Code
* Integrate readwritelock with Pro Code
* Defensive asserts for RWLock
* Defensive asserts for RWLock
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* Save and restore master info in rdb to allow active replica partial sync (#371)
* save replid for all masters in rdb
* expanded rdbSaveInfo to hold multiple master structs
* parse repl-masters from rdb
* recover replid info from rdb in active replica mode, attempt partial sync
* save offset from rdb into correct variable
* don't change replid based on master in active rep
* save and load psync info from correct fields
* placement new instead of memcpy
* placement new instead of memcpy
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Remove asserts, RW lock can go below zero in cases of aeAcquireLock
* Inclusive language
* Inclusive language
* call aeThreadOnline() earlier
* call aeThreadOnline() earlier
* Removed mergeReplicationId
* Removed mergeReplicationId
* Make active client balancing a configurable option
* Make active client balancing a configurable option
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* With TLS throttle accepts if server is under heavy load - do not change non TLS behavior
* acceptTLS is threadsafe like the non TLS version
* acceptTLS is threadsafe like the non TLS version
* PSYNC production fixes
* PSYNC production fixes
* Ensure we are responsive during storagecache clears
* Ensure we are responsive during storagecache clears
* Ensure recreated tables use the same settings as ones made at boot
* Ensure recreated tables use the same settings as ones made at boot
* Converted some existing PSYNC tests for multimaster
* Converted some existing PSYNC tests for multimaster
* Inclusive language fix
* Inclusive language fix
* Cleanup test suite
* Cleanup test suite
* Updated test replica configs so tests make sense
* Updated test replica configs so tests make sense
* active-rep test reliability
* active-rep test reliability
* Quick fix to make psync tests work
* Quick fix to make psync tests work
* Fix PSYNC test crashes
* Fix PSYNC test crashes
* Ensure we force moves not copies when ingesting bulk insert files
* Ensure we force moves not copies when ingesting bulk insert files
* Disable async for hget commands as it is not ready
* Disable FLASH
* Fix crash in save of masterinfo
* Fix musl/Alpine build failures
* Remove unnecessary libs
* update readme
* update readme
* remove Enterprise references
* Limit max overage to 20% during RDB save
* Delete COPYING to replace with BSD license
* update deb master changelog
* Update license
* Fix Readme typo from github org transition
Replace mention of scratch-file-path with db-s3-object
* Fix reference counting failure in the dict. This is caused by std::swap also swapping refcounts
* Fix assertion in async rehash
* Prevent crash on shutdown by avoiding dtors (they are unnecessary anyways)
* Initialize noshrink, it was dangling
* Prevent us from starting a rehash when one wasn't already in progress. This can cause severe issues for snapshots
* Avoid unnecessary rehashing when a rehash is abandoned
* Dictionary use correct acquire/release semantics
* Add fence barriers for the repl backlog (important for AARCH64 and other weak memory models)
* Silence TSAN errors on ustime and mstime. Every CPU we support is atomic on aligned ints, but correctness matters
* Disable async commands by default
* Fix TSAN warnings on the repl backlog
* Merge OSS back into pro
* Fix unmerged files
* Fix O(n^2) algorithm in the GC cleanup logic
* Fix crash in expire when a snapshot is in flight. Caused by a perf optimization getting the expire map out of sync with the val
* On Alpine we must have a reasonable stack size
* Revert ci.yml to unstable branch version
* Implements the soft shutdown feature to allow clients to cooperatively disconnect preventing disruption during shutdown
* Ensure clean shutdown with multiple threads
* update dockerfiles
* update deb pkg references and changelog
* update gem reference
* lpGetInteger returns int64_t, avoid overflow (#10068)
Fix #9410
Crucial for the ms and sequence deltas, but I changed all
calls, just in case (e.g. "flags")
Before this commit:
`ms_delta` and `seq_delta` could have overflown, causing `currid` to be wrong,
which in turn would cause `streamTrim` to trim the entire rax node (see new test)
* Fix issue #454 (BSD build break)
* Do not allow commands to run in background when in eval, Issue #452
* Fix certificate leak during connection when tls-allowlists are used
* Fix issue #480
* Fix crash running INFO command while a disk based backlog is set
* check tracking per db
* fix warnings
* Fix a race when undoConnectWithMaster changes mi->repl_transfer_s but the connection is not yet closed and the event handler runs
* Fix a race in processChanges/trackChanges with rdbLoadRio by acquiring the lock when trackChanges is set
* Fix ASAN use after free
* Additional fixes
* Fix integer overflow of the track changes counter
* Fix P99 latency issue for TLS where we leave work for the next event loop
tlsProcessPendingData() needs to be called before we execute queued commands because it may enqueue more commands
* Fix race removing key cache
* Prevent crash on load in long running KeyDB instances
* Fixes a crash where the server assertion failed when the key exists in DB during RDB load
* Remove old assertion which is commented out.
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* avoid from instatiating EpochHolder multiple times to improve performance and cpu utilization
* src\redis-cli.c: fix potential null pointer dereference found by cppcheck
src\redis-cli.c:5488:35: warning: Either the condition
'!table' is redundant or there is possible null pointer dereference:
table. [nullPointerRedundantCheck]
* Fix Issue #486
* Workaround bug in snapshot sync - abort don't crash
* Improve reliability of async parts of the soft shutdown tests
* Improve reliability of fragmentation tests
* Verify that partial syncs do indeed occur
* Fix O(n) algorithm in INFO command
* Remove incorrect assert that fires when the repl backlog is used fully
* Make building flash optional
* Remove unneeded gitlab CI file
* [BUG] Moves key to another DB, the source key was removed if the move failed due to the key exists in the destination db #497 (#498)
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
* trigger repl_curr_off!= master_repl_offset assert failure when having pending write case
* use debug for logging the message instead
* rocksdb log using up the diskspace on flash (#519)
* Fix OpenSSL 3.0.x related issues. (#10291)
* Drop obsolete initialization calls.
* Use decoder API for DH parameters.
* Enable auto DH parameters if not explicitly used, which should be the
preferred configuration going forward.
* remove unnecessary forward declaration
* remove internal ci stuff
* remove more internal ci/publishing
* submodule update step
* use with syntax instead
* bump ci ubuntu old ver as latest is now 22.04
* include submodules on all ci jobs
* install all deps for all ci jobs
Co-authored-by: Vivek Saini <vsaini@snapchat.com>
Co-authored-by: Christian Legge <christian@eqalpha.com>
Co-authored-by: benschermel <bschermel@snapchat.com>
Co-authored-by: John Sully <john@csquare.ca>
Co-authored-by: zliang <zliang@snapchat.com>
Co-authored-by: malavan <malavan@eqalpha.com>
Co-authored-by: John Sully <jsully@snapchat.com>
Co-authored-by: jfinity <38383673+jfinity@users.noreply.github.com>
Co-authored-by: benschermel <43507366+benschermel@users.noreply.github.com>
Co-authored-by: guybe7 <guy.benoish@redislabs.com>
Co-authored-by: Karthick Ariyaratnam (A) <k00809413@china.huawei.com>
Co-authored-by: root <paul.chen1@huawei.com>
Co-authored-by: Ilya Shipitsin <chipitsine@gmail.com>
Co-authored-by: Paul Chen <32553156+paulmchen@users.noreply.github.com>
Co-authored-by: Paul Chen <mingchen@Mings-MacBook-Pro.local>
Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
2022-12-14 12:17:36 -05:00
# endif
} else {
# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
SSL_CTX_set_dh_auto ( ctx , 1 ) ;
# endif
2019-09-12 10:56:54 +03:00
}
2020-12-11 18:31:40 +02:00
/* If a client-side certificate is configured, create an explicit client context */
if ( ctx_config - > client_cert_file & & ctx_config - > client_key_file ) {
2021-03-22 13:27:46 +02:00
client_ctx = createSSLContext ( ctx_config , protocols , 1 ) ;
2020-12-11 18:31:40 +02:00
if ( ! client_ctx ) goto error ;
2019-09-12 10:56:54 +03:00
}
2020-05-24 19:57:16 -04:00
{
std : : unique_lock < fastlock > ul ( g_ctxtlock ) ;
2019-09-12 10:56:54 +03:00
SSL_CTX_free ( redis_tls_ctx ) ;
2020-12-11 18:31:40 +02:00
SSL_CTX_free ( redis_tls_client_ctx ) ;
2019-09-12 10:56:54 +03:00
redis_tls_ctx = ctx ;
2020-12-11 18:31:40 +02:00
redis_tls_client_ctx = client_ctx ;
2021-05-25 16:55:59 +00:00
}
2019-09-12 10:56:54 +03:00
return C_OK ;
error :
if ( ctx ) SSL_CTX_free ( ctx ) ;
2020-12-11 18:31:40 +02:00
if ( client_ctx ) SSL_CTX_free ( client_ctx ) ;
2019-09-12 10:56:54 +03:00
return C_ERR ;
}
2022-02-02 14:20:19 -05:00
/* Reload TLS certificate from disk, effectively rotating it */
void tlsReload ( void ) {
/* We will only bother checking keys and certs if TLS is enabled, otherwise we would be calling 'stat' for no reason */
if ( g_pserver - > tls_rotation & & ( g_pserver - > tls_port | | g_pserver - > tls_replication | | g_pserver - > tls_cluster ) ) {
bool cert_file_modified = getLastModifiedTime ( g_pserver - > tls_ctx_config . cert_file ) ! = g_pserver - > tls_ctx_config . cert_file_last_modified ;
bool key_file_modified = getLastModifiedTime ( g_pserver - > tls_ctx_config . key_file ) ! = g_pserver - > tls_ctx_config . key_file_last_modified ;
bool client_cert_file_modified = g_pserver - > tls_ctx_config . client_cert_file ! = NULL & & getLastModifiedTime ( g_pserver - > tls_ctx_config . client_cert_file ) ! = g_pserver - > tls_ctx_config . client_cert_file_last_modified ;
bool client_key_file_modified = g_pserver - > tls_ctx_config . client_key_file ! = NULL & & getLastModifiedTime ( g_pserver - > tls_ctx_config . client_key_file ) ! = g_pserver - > tls_ctx_config . client_key_file_last_modified ;
bool ca_cert_file_modified = g_pserver - > tls_ctx_config . ca_cert_file ! = NULL & & getLastModifiedTime ( g_pserver - > tls_ctx_config . ca_cert_file ) ! = g_pserver - > tls_ctx_config . ca_cert_file_last_modified ;
bool ca_cert_dir_modified = g_pserver - > tls_ctx_config . ca_cert_dir ! = NULL & & getLastModifiedTime ( g_pserver - > tls_ctx_config . ca_cert_dir ) ! = g_pserver - > tls_ctx_config . ca_cert_dir_last_modified ;
if ( cert_file_modified | | key_file_modified | | ca_cert_file_modified | | ca_cert_dir_modified | | client_cert_file_modified | | client_key_file_modified ) {
serverLog ( LL_NOTICE , " TLS certificates changed on disk, attempting to rotate. " ) ;
if ( tlsConfigure ( & g_pserver - > tls_ctx_config ) = = C_ERR ) {
serverLog ( LL_NOTICE , " Error trying to rotate TLS certificates, TLS credentials remain unchanged. " ) ;
} else {
serverLog ( LL_NOTICE , " TLS certificates rotated successfully. " ) ;
}
}
}
}
2019-09-12 10:56:54 +03:00
# ifdef TLS_DEBUGGING
# define TLSCONN_DEBUG(fmt, ...) \
serverLog ( LL_DEBUG , " TLSCONN: " fmt , __VA_ARGS__ )
# else
# define TLSCONN_DEBUG(fmt, ...)
# endif
2020-05-24 19:57:16 -04:00
extern ConnectionType CT_TLS ;
2019-09-12 10:56:54 +03:00
/* Normal socket connections have a simple events/handler correlation.
*
* With TLS connections we need to handle cases where during a logical read
* or write operation , the SSL library asks to block for the opposite
* socket operation .
*
* When this happens , we need to do two things :
2021-02-09 01:29:32 +08:00
* 1. Make sure we register for the event .
2019-09-12 10:56:54 +03:00
* 2. Make sure we know which handler needs to execute when the
* event fires . That is , if we notify the caller of a write operation
* that it blocks , and SSL asks for a read , we need to trigger the
* write handler again on the next read event .
*
*/
typedef enum {
2020-05-24 19:57:16 -04:00
WANT_INVALID = 0 ,
2019-09-12 10:56:54 +03:00
WANT_READ = 1 ,
WANT_WRITE
} WantIOType ;
# define TLS_CONN_FLAG_READ_WANT_WRITE (1<<0)
# define TLS_CONN_FLAG_WRITE_WANT_READ (1<<1)
# define TLS_CONN_FLAG_FD_SET (1<<2)
typedef struct tls_connection {
connection c ;
int flags ;
SSL * ssl ;
char * ssl_error ;
2019-08-11 16:07:53 +03:00
listNode * pending_list_node ;
2020-05-24 19:57:16 -04:00
aeEventLoop * el ;
2019-09-12 10:56:54 +03:00
} tls_connection ;
2023-06-27 16:23:20 -04:00
/* Check to see if a given client name is contained in the provided set (allowlist/blocklist)
2022-03-03 13:59:07 -05:00
* Return true if it does */
2023-06-27 16:23:20 -04:00
bool tlsCheckAgainstAllowlist ( const char * client , std : : set < sdsstring > set ) {
2022-03-03 13:59:07 -05:00
/* Because of wildcard matching, we need to iterate over the entire set.
* If we were doing simply straight matching , we could just directly
* check to see if the client name is in the set in O ( 1 ) time */
2023-06-27 16:23:20 -04:00
for ( auto & client_pattern : set ) {
2022-03-31 17:15:47 -04:00
if ( stringmatchlen ( client_pattern . get ( ) , client_pattern . size ( ) , client , strlen ( client ) , 1 ) )
2022-03-03 13:59:07 -05:00
return true ;
}
return false ;
}
2023-06-27 16:23:20 -04:00
/* Sets the sha256 certificate fingerprint on the connection
* Based on the example here https : //fm4dd.com/openssl/certfprint.shtm */
void tlsSetCertificateFingerprint ( tls_connection * conn , X509 * cert ) {
unsigned int fprint_size ;
unsigned char fprint [ EVP_MAX_MD_SIZE ] ;
const EVP_MD * fprint_type = EVP_sha256 ( ) ;
X509_digest ( cert , fprint_type , fprint , & fprint_size ) ;
if ( conn - > c . fprint ) zfree ( conn - > c . fprint ) ;
conn - > c . fprint = ( char * ) zcalloc ( fprint_size * 2 + 1 ) ;
/* Format fingerprint as hex string */
char tmp [ 3 ] ;
for ( unsigned int i = 0 ; i < fprint_size ; i + + ) {
snprintf ( tmp , 2 , " %02x " , ( unsigned int ) fprint [ i ] ) ;
strncat ( conn - > c . fprint , tmp , 2 ) ;
}
}
2022-04-20 01:21:11 +00:00
/* ASN1_STRING_get0_data was introduced in OPENSSL 1.1.1
* use ASN1_STRING_data for older versions where it is not available */
# if OPENSSL_VERSION_NUMBER < 0x10100000L
# define ASN1_STRING_get0_data ASN1_STRING_data
# endif
2022-07-14 04:36:51 +00:00
class TCleanup {
std : : function < void ( ) > fn ;
public :
TCleanup ( std : : function < void ( ) > fn )
: fn ( fn )
{ }
~ TCleanup ( ) {
fn ( ) ;
}
} ;
2023-06-27 16:23:20 -04:00
bool tlsCheckCertificateAgainstAllowlist ( tls_connection * conn , std : : set < sdsstring > allowlist , const char * * commonName ) {
if ( allowlist . empty ( ) ) {
// An empty list implies acceptance of all
return true ;
}
2022-03-31 17:15:47 -04:00
2022-03-03 13:59:07 -05:00
X509 * cert = SSL_get_peer_certificate ( conn - > ssl ) ;
2022-07-14 04:36:51 +00:00
TCleanup certClen ( [ cert ] { X509_free ( cert ) ; } ) ;
2023-06-27 16:23:20 -04:00
2022-03-03 13:59:07 -05:00
/* Check the common name (CN) of the certificate first */
X509_NAME_ENTRY * ne = X509_NAME_get_entry ( X509_get_subject_name ( cert ) , X509_NAME_get_index_by_NID ( X509_get_subject_name ( cert ) , NID_commonName , - 1 ) ) ;
2023-06-27 16:23:20 -04:00
* commonName = reinterpret_cast < const char * > ( ASN1_STRING_get0_data ( X509_NAME_ENTRY_get_data ( ne ) ) ) ;
tlsSetCertificateFingerprint ( conn , cert ) ;
if ( tlsCheckAgainstAllowlist ( * commonName , allowlist ) ) {
2022-03-03 13:59:07 -05:00
return true ;
2023-06-27 16:23:20 -04:00
}
2022-03-03 13:59:07 -05:00
/* If that fails, check through the subject alternative names (SANs) as well */
GENERAL_NAMES * subjectAltNames = ( GENERAL_NAMES * ) X509_get_ext_d2i ( cert , NID_subject_alt_name , NULL , NULL ) ;
if ( subjectAltNames ! = nullptr ) {
for ( int i = 0 ; i < sk_GENERAL_NAME_num ( subjectAltNames ) ; i + + )
{
GENERAL_NAME * generalName = sk_GENERAL_NAME_value ( subjectAltNames , i ) ;
/* Short circuit if one of the SANs match.
* We only support DNS , EMAIL , URI , and IP ( specifically IPv4 ) */
switch ( generalName - > type )
{
case GEN_EMAIL :
2023-06-27 16:23:20 -04:00
if ( tlsCheckAgainstAllowlist ( reinterpret_cast < const char * > ( ASN1_STRING_get0_data ( generalName - > d . rfc822Name ) ) , allowlist ) ) {
2022-03-03 13:59:07 -05:00
sk_GENERAL_NAME_pop_free ( subjectAltNames , GENERAL_NAME_free ) ;
return true ;
}
break ;
case GEN_DNS :
2023-06-27 16:23:20 -04:00
if ( tlsCheckAgainstAllowlist ( reinterpret_cast < const char * > ( ASN1_STRING_get0_data ( generalName - > d . dNSName ) ) , allowlist ) ) {
2022-03-03 13:59:07 -05:00
sk_GENERAL_NAME_pop_free ( subjectAltNames , GENERAL_NAME_free ) ;
return true ;
}
break ;
case GEN_URI :
2023-06-27 16:23:20 -04:00
if ( tlsCheckAgainstAllowlist ( reinterpret_cast < const char * > ( ASN1_STRING_get0_data ( generalName - > d . uniformResourceIdentifier ) ) , allowlist ) ) {
2022-03-03 13:59:07 -05:00
sk_GENERAL_NAME_pop_free ( subjectAltNames , GENERAL_NAME_free ) ;
return true ;
}
break ;
case GEN_IPADD :
{
int ipLen = ASN1_STRING_length ( generalName - > d . iPAddress ) ;
if ( ipLen = = 4 ) { //IPv4 case
char addr [ INET_ADDRSTRLEN ] ;
inet_ntop ( AF_INET , ASN1_STRING_get0_data ( generalName - > d . iPAddress ) , addr , INET_ADDRSTRLEN ) ;
2023-06-27 16:23:20 -04:00
if ( tlsCheckAgainstAllowlist ( addr , allowlist ) ) {
2022-03-03 13:59:07 -05:00
sk_GENERAL_NAME_pop_free ( subjectAltNames , GENERAL_NAME_free ) ;
return true ;
}
} else if ( ipLen = = 16 ) { // IPv6 case
/* We don't support IPv6 at the moment */
}
}
break ;
default :
break ;
}
}
sk_GENERAL_NAME_pop_free ( subjectAltNames , GENERAL_NAME_free ) ;
}
return false ;
}
2023-06-27 16:23:20 -04:00
bool tlsCertificateRequiresAuditLogging ( tls_connection * conn ) {
const char * cn = " " ;
if ( tlsCheckCertificateAgainstAllowlist ( conn , g_pserver - > tls_auditlog_blocklist , & cn ) ) {
// Certificate is in exclusion list, no need to audit log
serverLog ( LL_NOTICE , " Audit Log: disabled for %s " , conn - > c . fprint ) ;
return false ;
} else {
serverLog ( LL_NOTICE , " Audit Log: enabled for %s " , conn - > c . fprint ) ;
return true ;
}
}
bool tlsValidateCertificateName ( tls_connection * conn ) {
const char * cn = " " ;
if ( tlsCheckCertificateAgainstAllowlist ( conn , g_pserver - > tls_allowlist , & cn ) ) {
return true ;
} else {
/* If neither the CN nor the SANs match, update the SSL error and return false */
conn - > c . last_errno = 0 ;
if ( conn - > ssl_error ) zfree ( conn - > ssl_error ) ;
size_t bufsize = 512 ;
conn - > ssl_error = ( char * ) zmalloc ( bufsize ) ;
snprintf ( conn - > ssl_error , bufsize , " Client CN (%s) and SANs not found in allowlist. " , cn ) ;
return false ;
}
}
2020-12-13 01:11:29 -08:00
static connection * createTLSConnection ( int client_side ) {
2020-12-11 18:31:40 +02:00
SSL_CTX * ctx = redis_tls_ctx ;
if ( client_side & & redis_tls_client_ctx )
ctx = redis_tls_client_ctx ;
2021-05-19 02:59:48 +00:00
tls_connection * conn = ( tls_connection * ) zcalloc ( sizeof ( tls_connection ) ) ;
2019-09-12 10:56:54 +03:00
conn - > c . type = & CT_TLS ;
conn - > c . fd = - 1 ;
2020-05-24 19:57:16 -04:00
std : : unique_lock < fastlock > ul ( g_ctxtlock ) ;
2020-12-11 18:31:40 +02:00
conn - > ssl = SSL_new ( ctx ) ;
2020-05-24 19:57:16 -04:00
conn - > el = serverTL - > el ;
2019-09-12 10:56:54 +03:00
return ( connection * ) conn ;
}
2020-05-24 19:57:16 -04:00
void connTLSMarshalThread ( connection * c ) {
tls_connection * conn = ( tls_connection * ) c ;
2020-05-30 01:14:53 -04:00
serverAssert ( conn - > pending_list_node = = nullptr ) ;
2020-05-24 19:57:16 -04:00
conn - > el = serverTL - > el ;
}
2020-07-28 11:32:47 +03:00
/* Fetch the latest OpenSSL error and store it in the connection */
static void updateTLSError ( tls_connection * conn ) {
conn - > c . last_errno = 0 ;
if ( conn - > ssl_error ) zfree ( conn - > ssl_error ) ;
2020-09-30 19:47:55 +00:00
conn - > ssl_error = ( char * ) zmalloc ( 512 ) ;
2020-07-28 11:32:47 +03:00
ERR_error_string_n ( ERR_get_error ( ) , conn - > ssl_error , 512 ) ;
}
2020-12-11 18:31:40 +02:00
connection * connCreateTLS ( void ) {
2020-12-13 01:11:29 -08:00
return createTLSConnection ( 1 ) ;
2020-12-11 18:31:40 +02:00
}
2020-07-28 11:32:47 +03:00
/* Create a new TLS connection that is already associated with
* an accepted underlying file descriptor .
*
* The socket is not ready for I / O until connAccept ( ) was called and
* invoked the connection - level accept handler .
*
* Callers should use connGetState ( ) and verify the created connection
* is not in an error state .
*/
2019-09-12 10:56:54 +03:00
connection * connCreateAcceptedTLS ( int fd , int require_auth ) {
2020-12-13 01:11:29 -08:00
tls_connection * conn = ( tls_connection * ) createTLSConnection ( 0 ) ;
2019-09-12 10:56:54 +03:00
conn - > c . fd = fd ;
conn - > c . state = CONN_STATE_ACCEPTING ;
2020-07-28 11:32:47 +03:00
if ( ! conn - > ssl ) {
updateTLSError ( conn ) ;
conn - > c . state = CONN_STATE_ERROR ;
return ( connection * ) conn ;
}
2020-07-28 15:45:21 +08:00
switch ( require_auth ) {
case TLS_CLIENT_AUTH_NO :
SSL_set_verify ( conn - > ssl , SSL_VERIFY_NONE , NULL ) ;
break ;
case TLS_CLIENT_AUTH_OPTIONAL :
SSL_set_verify ( conn - > ssl , SSL_VERIFY_PEER , NULL ) ;
break ;
default : /* TLS_CLIENT_AUTH_YES, also fall-secure */
SSL_set_verify ( conn - > ssl , SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT , NULL ) ;
break ;
2019-09-12 10:56:54 +03:00
}
SSL_set_fd ( conn - > ssl , conn - > c . fd ) ;
SSL_set_accept_state ( conn - > ssl ) ;
return ( connection * ) conn ;
}
static void tlsEventHandler ( struct aeEventLoop * el , int fd , void * clientData , int mask ) ;
/* Process the return code received from OpenSSL>
* Update the want parameter with expected I / O .
* Update the connection ' s error state if a real error has occured .
* Returns an SSL error code , or 0 if no further handling is required .
*/
static int handleSSLReturnCode ( tls_connection * conn , int ret_value , WantIOType * want ) {
if ( ret_value < = 0 ) {
int ssl_err = SSL_get_error ( conn - > ssl , ret_value ) ;
switch ( ssl_err ) {
case SSL_ERROR_WANT_WRITE :
* want = WANT_WRITE ;
return 0 ;
case SSL_ERROR_WANT_READ :
* want = WANT_READ ;
return 0 ;
case SSL_ERROR_SYSCALL :
conn - > c . last_errno = errno ;
if ( conn - > ssl_error ) zfree ( conn - > ssl_error ) ;
conn - > ssl_error = errno ? zstrdup ( strerror ( errno ) ) : NULL ;
break ;
default :
/* Error! */
2020-07-28 11:32:47 +03:00
updateTLSError ( conn ) ;
2019-09-12 10:56:54 +03:00
break ;
}
return ssl_err ;
}
return 0 ;
}
void registerSSLEvent ( tls_connection * conn , WantIOType want ) {
2020-05-24 19:57:16 -04:00
int mask = aeGetFileEvents ( serverTL - > el , conn - > c . fd ) ;
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
switch ( want ) {
case WANT_READ :
2020-05-24 19:57:16 -04:00
if ( mask & AE_WRITABLE ) aeDeleteFileEvent ( conn - > el , conn - > c . fd , AE_WRITABLE ) ;
if ( ! ( mask & AE_READABLE ) ) aeCreateFileEvent ( conn - > el , conn - > c . fd , AE_READABLE | AE_READ_THREADSAFE ,
2019-09-12 10:56:54 +03:00
tlsEventHandler , conn ) ;
break ;
case WANT_WRITE :
2020-05-24 19:57:16 -04:00
if ( mask & AE_READABLE ) aeDeleteFileEvent ( conn - > el , conn - > c . fd , AE_READABLE ) ;
if ( ! ( mask & AE_WRITABLE ) ) aeCreateFileEvent ( conn - > el , conn - > c . fd , AE_WRITABLE | AE_WRITE_THREADSAFE ,
2019-09-12 10:56:54 +03:00
tlsEventHandler , conn ) ;
break ;
default :
serverAssert ( 0 ) ;
break ;
}
}
2020-05-24 19:57:16 -04:00
void updateSSLEventCore ( tls_connection * conn ) {
int mask = aeGetFileEvents ( serverTL - > el , conn - > c . fd ) ;
2019-09-12 10:56:54 +03:00
int need_read = conn - > c . read_handler | | ( conn - > flags & TLS_CONN_FLAG_WRITE_WANT_READ ) ;
int need_write = conn - > c . write_handler | | ( conn - > flags & TLS_CONN_FLAG_READ_WANT_WRITE ) ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
if ( need_read & & ! ( mask & AE_READABLE ) )
2020-05-24 19:57:16 -04:00
aeCreateFileEvent ( serverTL - > el , conn - > c . fd , AE_READABLE | AE_READ_THREADSAFE , tlsEventHandler , conn ) ;
2019-09-12 10:56:54 +03:00
if ( ! need_read & & ( mask & AE_READABLE ) )
2020-05-24 19:57:16 -04:00
aeDeleteFileEvent ( serverTL - > el , conn - > c . fd , AE_READABLE ) ;
2019-09-12 10:56:54 +03:00
if ( need_write & & ! ( mask & AE_WRITABLE ) )
2020-05-24 19:57:16 -04:00
aeCreateFileEvent ( serverTL - > el , conn - > c . fd , AE_WRITABLE | AE_WRITE_THREADSAFE , tlsEventHandler , conn ) ;
2019-09-12 10:56:54 +03:00
if ( ! need_write & & ( mask & AE_WRITABLE ) )
2020-05-24 19:57:16 -04:00
aeDeleteFileEvent ( serverTL - > el , conn - > c . fd , AE_WRITABLE ) ;
}
void updateSSLEvent ( tls_connection * conn ) {
if ( conn - > el ! = serverTL - > el ) {
aePostFunction ( conn - > el , [ conn ] {
updateSSLEventCore ( conn ) ;
} ) ;
} else {
updateSSLEventCore ( conn ) ;
}
2019-09-12 10:56:54 +03:00
}
2020-05-24 19:57:16 -04:00
void tlsHandleEvent ( tls_connection * conn , int mask ) {
2020-09-23 11:30:24 +03:00
int ret , conn_error ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
TLSCONN_DEBUG ( " tlsEventHandler(): fd=%d, state=%d, mask=%d, r=%d, w=%d, flags=%d " ,
fd , conn - > c . state , mask , conn - > c . read_handler ! = NULL , conn - > c . write_handler ! = NULL ,
conn - > flags ) ;
ERR_clear_error ( ) ;
switch ( conn - > c . state ) {
case CONN_STATE_CONNECTING :
2020-09-23 11:30:24 +03:00
conn_error = connGetSocketError ( ( connection * ) conn ) ;
2020-09-22 17:53:36 +08:00
if ( conn_error ) {
conn - > c . last_errno = conn_error ;
2019-09-12 10:56:54 +03:00
conn - > c . state = CONN_STATE_ERROR ;
} else {
if ( ! ( conn - > flags & TLS_CONN_FLAG_FD_SET ) ) {
SSL_set_fd ( conn - > ssl , conn - > c . fd ) ;
conn - > flags | = TLS_CONN_FLAG_FD_SET ;
}
ret = SSL_connect ( conn - > ssl ) ;
if ( ret < = 0 ) {
2020-05-24 19:57:16 -04:00
WantIOType want = WANT_INVALID ;
2019-09-12 10:56:54 +03:00
if ( ! handleSSLReturnCode ( conn , ret , & want ) ) {
registerSSLEvent ( conn , want ) ;
/* Avoid hitting UpdateSSLEvent, which knows nothing
* of what SSL_connect ( ) wants and instead looks at our
* R / W handlers .
*/
return ;
}
/* If not handled, it's an error */
conn - > c . state = CONN_STATE_ERROR ;
} else {
conn - > c . state = CONN_STATE_CONNECTED ;
}
}
2020-05-24 19:57:16 -04:00
{
AeLocker locker ;
locker . arm ( nullptr ) ;
2019-09-12 10:56:54 +03:00
if ( ! callHandler ( ( connection * ) conn , conn - > c . conn_handler ) ) return ;
2020-05-24 19:57:16 -04:00
}
2019-09-12 10:56:54 +03:00
conn - > c . conn_handler = NULL ;
break ;
case CONN_STATE_ACCEPTING :
ret = SSL_accept ( conn - > ssl ) ;
if ( ret < = 0 ) {
2020-05-24 19:57:16 -04:00
WantIOType want = WANT_INVALID ;
2019-09-12 10:56:54 +03:00
if ( ! handleSSLReturnCode ( conn , ret , & want ) ) {
/* Avoid hitting UpdateSSLEvent, which knows nothing
* of what SSL_connect ( ) wants and instead looks at our
* R / W handlers .
*/
registerSSLEvent ( conn , want ) ;
return ;
}
/* If not handled, it's an error */
conn - > c . state = CONN_STATE_ERROR ;
} else {
2022-03-03 13:59:07 -05:00
/* Validate name */
2022-03-31 17:15:47 -04:00
if ( ! tlsValidateCertificateName ( conn ) ) {
2022-03-03 13:59:07 -05:00
conn - > c . state = CONN_STATE_ERROR ;
} else {
conn - > c . state = CONN_STATE_CONNECTED ;
2023-06-27 16:23:20 -04:00
if ( tlsCertificateRequiresAuditLogging ( conn ) ) {
conn - > c . flags | = CONN_FLAG_AUDIT_LOGGING_REQUIRED ;
}
2022-03-03 13:59:07 -05:00
}
2019-09-12 10:56:54 +03:00
}
2020-05-24 19:57:16 -04:00
{
AeLocker locker ;
locker . arm ( nullptr ) ;
2019-09-12 10:56:54 +03:00
if ( ! callHandler ( ( connection * ) conn , conn - > c . conn_handler ) ) return ;
2020-05-24 19:57:16 -04:00
}
2019-09-12 10:56:54 +03:00
conn - > c . conn_handler = NULL ;
break ;
case CONN_STATE_CONNECTED :
2019-08-19 12:18:25 +03:00
{
int call_read = ( ( mask & AE_READABLE ) & & conn - > c . read_handler ) | |
( ( mask & AE_WRITABLE ) & & ( conn - > flags & TLS_CONN_FLAG_READ_WANT_WRITE ) ) ;
int call_write = ( ( mask & AE_WRITABLE ) & & conn - > c . write_handler ) | |
( ( mask & AE_READABLE ) & & ( conn - > flags & TLS_CONN_FLAG_WRITE_WANT_READ ) ) ;
/* Normally we execute the readable event first, and the writable
* event laster . This is useful as sometimes we may be able
* to serve the reply of a query immediately after processing the
* query .
*
* However if WRITE_BARRIER is set in the mask , our application is
* asking us to do the reverse : never fire the writable event
* after the readable . In such a case , we invert the calls .
* This is useful when , for instance , we want to do things
* in the beforeSleep ( ) hook , like fsynching a file to disk ,
* before replying to a client . */
int invert = conn - > c . flags & CONN_FLAG_WRITE_BARRIER ;
if ( ! invert & & call_read ) {
2020-05-24 19:57:16 -04:00
AeLocker lock ;
if ( ! ( conn - > c . flags & CONN_FLAG_READ_THREADSAFE ) )
lock . arm ( nullptr ) ;
2019-08-19 12:18:25 +03:00
conn - > flags & = ~ TLS_CONN_FLAG_READ_WANT_WRITE ;
if ( ! callHandler ( ( connection * ) conn , conn - > c . read_handler ) ) return ;
}
/* Fire the writable event. */
if ( call_write ) {
2020-05-24 19:57:16 -04:00
AeLocker lock ;
if ( ! ( conn - > c . flags & CONN_FLAG_WRITE_THREADSAFE ) )
lock . arm ( nullptr ) ;
2019-09-12 10:56:54 +03:00
conn - > flags & = ~ TLS_CONN_FLAG_WRITE_WANT_READ ;
if ( ! callHandler ( ( connection * ) conn , conn - > c . write_handler ) ) return ;
}
2019-08-19 12:18:25 +03:00
/* If we have to invert the call, fire the readable event now
* after the writable one . */
if ( invert & & call_read ) {
2020-05-24 19:57:16 -04:00
AeLocker lock ;
if ( ! ( conn - > c . flags & CONN_FLAG_READ_THREADSAFE ) )
lock . arm ( nullptr ) ;
2019-09-12 10:56:54 +03:00
conn - > flags & = ~ TLS_CONN_FLAG_READ_WANT_WRITE ;
if ( ! callHandler ( ( connection * ) conn , conn - > c . read_handler ) ) return ;
}
2019-08-19 12:18:25 +03:00
/* If SSL has pending that, already read from the socket, we're at
* risk of not calling the read handler again , make sure to add it
* to a list of pending connection that should be handled anyway . */
if ( ( mask & AE_READABLE ) ) {
2019-09-12 11:10:22 +03:00
if ( SSL_pending ( conn - > ssl ) > 0 ) {
2019-08-11 16:07:53 +03:00
if ( ! conn - > pending_list_node ) {
listAddNodeTail ( pending_list , conn ) ;
conn - > pending_list_node = listLast ( pending_list ) ;
}
} else if ( conn - > pending_list_node ) {
listDelNode ( pending_list , conn - > pending_list_node ) ;
conn - > pending_list_node = NULL ;
}
2019-09-12 10:56:54 +03:00
}
break ;
2019-08-19 12:18:25 +03:00
}
2019-09-12 10:56:54 +03:00
default :
break ;
}
updateSSLEvent ( conn ) ;
}
2019-08-11 16:07:53 +03:00
static void tlsEventHandler ( struct aeEventLoop * el , int fd , void * clientData , int mask ) {
UNUSED ( el ) ;
UNUSED ( fd ) ;
2020-05-24 19:57:16 -04:00
tls_connection * conn = ( tls_connection * ) clientData ;
2019-08-11 16:07:53 +03:00
tlsHandleEvent ( conn , mask ) ;
}
2020-05-24 19:57:16 -04:00
static void connTLSCloseCore ( tls_connection * conn ) {
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
if ( conn - > ssl ) {
SSL_free ( conn - > ssl ) ;
conn - > ssl = NULL ;
}
if ( conn - > ssl_error ) {
zfree ( conn - > ssl_error ) ;
conn - > ssl_error = NULL ;
}
2019-08-11 16:07:53 +03:00
if ( conn - > pending_list_node ) {
listDelNode ( pending_list , conn - > pending_list_node ) ;
conn - > pending_list_node = NULL ;
}
2020-05-24 19:57:16 -04:00
CT_Socket . close ( & conn - > c ) ;
}
static void connTLSClose ( connection * conn_ ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
if ( conn - > el ! = serverTL - > el ) {
aePostFunction ( conn - > el , [ conn ] {
connTLSCloseCore ( conn ) ;
} ) ;
} else {
connTLSCloseCore ( conn ) ;
}
2019-09-12 10:56:54 +03:00
}
static int connTLSAccept ( connection * _conn , ConnectionCallbackFunc accept_handler ) {
tls_connection * conn = ( tls_connection * ) _conn ;
int ret ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
if ( conn - > c . state ! = CONN_STATE_ACCEPTING ) return C_ERR ;
ERR_clear_error ( ) ;
/* Try to accept */
conn - > c . conn_handler = accept_handler ;
ret = SSL_accept ( conn - > ssl ) ;
if ( ret < = 0 ) {
2020-05-24 19:57:16 -04:00
WantIOType want = WANT_INVALID ;
2019-09-12 10:56:54 +03:00
if ( ! handleSSLReturnCode ( conn , ret , & want ) ) {
registerSSLEvent ( conn , want ) ; /* We'll fire back */
return C_OK ;
} else {
conn - > c . state = CONN_STATE_ERROR ;
return C_ERR ;
}
}
conn - > c . state = CONN_STATE_CONNECTED ;
if ( ! callHandler ( ( connection * ) conn , conn - > c . conn_handler ) ) return C_OK ;
conn - > c . conn_handler = NULL ;
return C_OK ;
}
static int connTLSConnect ( connection * conn_ , const char * addr , int port , const char * src_addr , ConnectionCallbackFunc connect_handler ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
if ( conn - > c . state ! = CONN_STATE_NONE ) return C_ERR ;
ERR_clear_error ( ) ;
/* Initiate Socket connection first */
if ( CT_Socket . connect ( conn_ , addr , port , src_addr , connect_handler ) = = C_ERR ) return C_ERR ;
/* Return now, once the socket is connected we'll initiate
* TLS connection from the event handler .
*/
return C_OK ;
}
static int connTLSWrite ( connection * conn_ , const void * data , size_t data_len ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
int ret , ssl_err ;
2022-01-06 19:15:31 -05:00
if ( data_len = = 0 )
return 0 ;
2019-09-12 10:56:54 +03:00
if ( conn - > c . state ! = CONN_STATE_CONNECTED ) return - 1 ;
ERR_clear_error ( ) ;
ret = SSL_write ( conn - > ssl , data , data_len ) ;
if ( ret < = 0 ) {
2020-05-24 19:57:16 -04:00
WantIOType want = WANT_INVALID ;
2019-09-12 10:56:54 +03:00
if ( ! ( ssl_err = handleSSLReturnCode ( conn , ret , & want ) ) ) {
if ( want = = WANT_READ ) conn - > flags | = TLS_CONN_FLAG_WRITE_WANT_READ ;
updateSSLEvent ( conn ) ;
errno = EAGAIN ;
return - 1 ;
} else {
if ( ssl_err = = SSL_ERROR_ZERO_RETURN | |
( ( ssl_err = = SSL_ERROR_SYSCALL & & ! errno ) ) ) {
conn - > c . state = CONN_STATE_CLOSED ;
return 0 ;
} else {
conn - > c . state = CONN_STATE_ERROR ;
return - 1 ;
}
}
}
return ret ;
}
static int connTLSRead ( connection * conn_ , void * buf , size_t buf_len ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
int ret ;
int ssl_err ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
if ( conn - > c . state ! = CONN_STATE_CONNECTED ) return - 1 ;
ERR_clear_error ( ) ;
ret = SSL_read ( conn - > ssl , buf , buf_len ) ;
if ( ret < = 0 ) {
2020-05-24 19:57:16 -04:00
WantIOType want = WANT_INVALID ;
2019-09-12 10:56:54 +03:00
if ( ! ( ssl_err = handleSSLReturnCode ( conn , ret , & want ) ) ) {
if ( want = = WANT_WRITE ) conn - > flags | = TLS_CONN_FLAG_READ_WANT_WRITE ;
updateSSLEvent ( conn ) ;
errno = EAGAIN ;
return - 1 ;
} else {
if ( ssl_err = = SSL_ERROR_ZERO_RETURN | |
( ( ssl_err = = SSL_ERROR_SYSCALL ) & & ! errno ) ) {
conn - > c . state = CONN_STATE_CLOSED ;
return 0 ;
} else {
conn - > c . state = CONN_STATE_ERROR ;
return - 1 ;
}
}
}
return ret ;
}
static const char * connTLSGetLastError ( connection * conn_ ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
if ( conn - > ssl_error ) return conn - > ssl_error ;
return NULL ;
}
2020-05-24 19:57:16 -04:00
int connTLSSetWriteHandler ( connection * conn , ConnectionCallbackFunc func , int barrier , bool fThreadSafe ) {
serverAssert ( ( ( tls_connection * ) conn ) - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
conn - > write_handler = func ;
2019-08-19 12:18:25 +03:00
if ( barrier )
conn - > flags | = CONN_FLAG_WRITE_BARRIER ;
else
conn - > flags & = ~ CONN_FLAG_WRITE_BARRIER ;
2020-05-24 19:57:16 -04:00
if ( fThreadSafe )
conn - > flags | = CONN_FLAG_WRITE_THREADSAFE ;
else
conn - > flags & = ~ CONN_FLAG_WRITE_THREADSAFE ;
2019-09-12 10:56:54 +03:00
updateSSLEvent ( ( tls_connection * ) conn ) ;
return C_OK ;
}
2020-05-24 19:57:16 -04:00
int connTLSSetReadHandler ( connection * conn , ConnectionCallbackFunc func , bool fThreadSafe ) {
serverAssert ( ( ( tls_connection * ) conn ) - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
conn - > read_handler = func ;
2020-05-24 19:57:16 -04:00
if ( fThreadSafe )
conn - > flags | = CONN_FLAG_READ_THREADSAFE ;
else
conn - > flags & = ~ CONN_FLAG_READ_THREADSAFE ;
2019-09-12 10:56:54 +03:00
updateSSLEvent ( ( tls_connection * ) conn ) ;
return C_OK ;
}
static void setBlockingTimeout ( tls_connection * conn , long long timeout ) {
anetBlock ( NULL , conn - > c . fd ) ;
anetSendTimeout ( NULL , conn - > c . fd , timeout ) ;
anetRecvTimeout ( NULL , conn - > c . fd , timeout ) ;
}
static void unsetBlockingTimeout ( tls_connection * conn ) {
anetNonBlock ( NULL , conn - > c . fd ) ;
anetSendTimeout ( NULL , conn - > c . fd , 0 ) ;
anetRecvTimeout ( NULL , conn - > c . fd , 0 ) ;
}
static int connTLSBlockingConnect ( connection * conn_ , const char * addr , int port , long long timeout ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
int ret ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
if ( conn - > c . state ! = CONN_STATE_NONE ) return C_ERR ;
/* Initiate socket blocking connect first */
if ( CT_Socket . blocking_connect ( conn_ , addr , port , timeout ) = = C_ERR ) return C_ERR ;
/* Initiate TLS connection now. We set up a send/recv timeout on the socket,
* which means the specified timeout will not be enforced accurately . */
SSL_set_fd ( conn - > ssl , conn - > c . fd ) ;
setBlockingTimeout ( conn , timeout ) ;
if ( ( ret = SSL_connect ( conn - > ssl ) ) < = 0 ) {
conn - > c . state = CONN_STATE_ERROR ;
return C_ERR ;
}
unsetBlockingTimeout ( conn ) ;
conn - > c . state = CONN_STATE_CONNECTED ;
return C_OK ;
}
2020-05-24 19:57:16 -04:00
static ssize_t connTLSSyncWrite ( connection * conn_ , const char * ptr , ssize_t size , long long timeout ) {
2019-09-12 10:56:54 +03:00
tls_connection * conn = ( tls_connection * ) conn_ ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
setBlockingTimeout ( conn , timeout ) ;
SSL_clear_mode ( conn - > ssl , SSL_MODE_ENABLE_PARTIAL_WRITE ) ;
int ret = SSL_write ( conn - > ssl , ptr , size ) ;
SSL_set_mode ( conn - > ssl , SSL_MODE_ENABLE_PARTIAL_WRITE ) ;
unsetBlockingTimeout ( conn ) ;
return ret ;
}
static ssize_t connTLSSyncRead ( connection * conn_ , char * ptr , ssize_t size , long long timeout ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
setBlockingTimeout ( conn , timeout ) ;
int ret = SSL_read ( conn - > ssl , ptr , size ) ;
unsetBlockingTimeout ( conn ) ;
return ret ;
}
static ssize_t connTLSSyncReadLine ( connection * conn_ , char * ptr , ssize_t size , long long timeout ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
ssize_t nread = 0 ;
2020-05-24 19:57:16 -04:00
serverAssert ( conn - > el = = serverTL - > el ) ;
2019-09-12 10:56:54 +03:00
setBlockingTimeout ( conn , timeout ) ;
size - - ;
while ( size ) {
char c ;
if ( SSL_read ( conn - > ssl , & c , 1 ) < = 0 ) {
nread = - 1 ;
goto exit ;
}
if ( c = = ' \n ' ) {
* ptr = ' \0 ' ;
if ( nread & & * ( ptr - 1 ) = = ' \r ' ) * ( ptr - 1 ) = ' \0 ' ;
goto exit ;
} else {
* ptr + + = c ;
* ptr = ' \0 ' ;
nread + + ;
}
size - - ;
}
exit :
unsetBlockingTimeout ( conn ) ;
return nread ;
}
2020-08-17 17:46:54 +03:00
static int connTLSGetType ( connection * conn_ ) {
( void ) conn_ ;
return CONN_TYPE_TLS ;
}
2019-09-12 10:56:54 +03:00
ConnectionType CT_TLS = {
2020-05-24 19:57:16 -04:00
tlsEventHandler ,
connTLSConnect ,
connTLSWrite ,
connTLSRead ,
connTLSClose ,
connTLSAccept ,
connTLSSetWriteHandler ,
connTLSSetReadHandler ,
connTLSGetLastError ,
connTLSBlockingConnect ,
connTLSSyncWrite ,
connTLSSyncRead ,
connTLSSyncReadLine ,
connTLSMarshalThread ,
2020-09-30 19:47:55 +00:00
connTLSGetType
2019-09-12 10:56:54 +03:00
} ;
2019-08-11 16:07:53 +03:00
int tlsHasPendingData ( ) {
if ( ! pending_list )
return 0 ;
return listLength ( pending_list ) > 0 ;
}
2020-05-14 10:02:57 +02:00
int tlsProcessPendingData ( ) {
2019-08-11 16:07:53 +03:00
listIter li ;
listNode * ln ;
2020-05-28 23:13:15 -04:00
serverAssert ( ! GlobalLocksAcquired ( ) ) ;
2019-08-11 16:07:53 +03:00
2020-05-14 10:02:57 +02:00
int processed = listLength ( pending_list ) ;
2019-08-11 16:07:53 +03:00
listRewind ( pending_list , & li ) ;
while ( ( ln = listNext ( & li ) ) ) {
2020-05-24 19:57:16 -04:00
tls_connection * conn = ( tls_connection * ) listNodeValue ( ln ) ;
2019-08-11 16:07:53 +03:00
tlsHandleEvent ( conn , AE_READABLE ) ;
}
2020-05-14 10:02:57 +02:00
return processed ;
2019-08-11 16:07:53 +03:00
}
2020-10-11 17:11:42 +03:00
/* Fetch the peer certificate used for authentication on the specified
* connection and return it as a PEM - encoded sds .
*/
sds connTLSGetPeerCert ( connection * conn_ ) {
tls_connection * conn = ( tls_connection * ) conn_ ;
if ( conn_ - > type - > get_type ( conn_ ) ! = CONN_TYPE_TLS | | ! conn - > ssl ) return NULL ;
X509 * cert = SSL_get_peer_certificate ( conn - > ssl ) ;
if ( ! cert ) return NULL ;
BIO * bio = BIO_new ( BIO_s_mem ( ) ) ;
if ( bio = = NULL | | ! PEM_write_bio_X509 ( bio , cert ) ) {
if ( bio ! = NULL ) BIO_free ( bio ) ;
return NULL ;
}
const char * bio_ptr ;
long long bio_len = BIO_get_mem_data ( bio , & bio_ptr ) ;
sds cert_pem = sdsnewlen ( bio_ptr , bio_len ) ;
BIO_free ( bio ) ;
return cert_pem ;
}
2019-09-12 10:56:54 +03:00
# else /* USE_OPENSSL */
void tlsInit ( void ) {
}
2021-03-03 10:08:06 +02:00
void tlsCleanup ( void ) {
}
2019-09-12 11:10:22 +03:00
int tlsConfigure ( redisTLSContextConfig * ctx_config ) {
UNUSED ( ctx_config ) ;
2019-09-12 10:56:54 +03:00
return C_OK ;
}
2022-02-02 14:20:19 -05:00
void tlsReload ( void ) {
}
2019-09-12 10:56:54 +03:00
connection * connCreateTLS ( void ) {
return NULL ;
}
connection * connCreateAcceptedTLS ( int fd , int require_auth ) {
UNUSED ( fd ) ;
2019-09-12 11:10:22 +03:00
UNUSED ( require_auth ) ;
2019-09-12 10:56:54 +03:00
return NULL ;
}
2019-08-11 16:07:53 +03:00
int tlsHasPendingData ( ) {
return 0 ;
}
2020-05-14 10:02:57 +02:00
int tlsProcessPendingData ( ) {
return 0 ;
2019-08-11 16:07:53 +03:00
}
2020-05-24 19:57:16 -04:00
void tlsInitThread ( ) { }
2022-04-22 22:43:20 +00:00
void tlsCleanupThread ( void ) { }
2020-05-24 19:57:16 -04:00
2020-10-11 17:11:42 +03:00
sds connTLSGetPeerCert ( connection * conn_ ) {
( void ) conn_ ;
return NULL ;
}
2019-09-12 10:56:54 +03:00
# endif
