summaryrefslogtreecommitdiff
path: root/src/mongo
diff options
context:
space:
mode:
authorSpencer Jackson <spencer.jackson@mongodb.com>2015-03-16 15:21:12 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2015-04-02 11:32:09 -0400
commit61e9a413e9c8f09a034557cfcae678f7a8527ae2 (patch)
tree6e1c2b1531a3ee6ce4403afd54c45bcb816242d9 /src/mongo
parenta0bb65b88e71c4f3cb1e2033b716716bae1a08f9 (diff)
downloadmongo-61e9a413e9c8f09a034557cfcae678f7a8527ae2.tar.gz
SERVER-17548: Refactor SSLManager's Param class
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/client/dbclient.cpp4
-rw-r--r--src/mongo/db/commands/parameters.cpp20
-rw-r--r--src/mongo/util/net/message_port.cpp4
-rw-r--r--src/mongo/util/net/ssl_manager.cpp99
-rw-r--r--src/mongo/util/net/ssl_options.cpp16
-rw-r--r--src/mongo/util/net/ssl_options.h6
6 files changed, 50 insertions, 99 deletions
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp
index b8e1f555dc5..bca7e7f348b 100644
--- a/src/mongo/client/dbclient.cpp
+++ b/src/mongo/client/dbclient.cpp
@@ -1077,8 +1077,8 @@ namespace mongo {
#ifdef MONGO_CONFIG_SSL
int sslModeVal = sslGlobalParams.sslMode.load();
- if (sslModeVal == SSLGlobalParams::SSLMode_preferSSL ||
- sslModeVal == SSLGlobalParams::SSLMode_requireSSL) {
+ if (sslModeVal == SSLParams::SSLMode_preferSSL ||
+ sslModeVal == SSLParams::SSLMode_requireSSL) {
return p->secure( sslManager(), _server.host() );
}
#endif
diff --git a/src/mongo/db/commands/parameters.cpp b/src/mongo/db/commands/parameters.cpp
index 048175dd109..168a981d1fc 100644
--- a/src/mongo/db/commands/parameters.cpp
+++ b/src/mongo/db/commands/parameters.cpp
@@ -425,13 +425,13 @@ namespace mongo {
std::string sslModeStr() {
switch (sslGlobalParams.sslMode.load()) {
- case SSLGlobalParams::SSLMode_disabled:
+ case SSLParams::SSLMode_disabled:
return "disabled";
- case SSLGlobalParams::SSLMode_allowSSL:
+ case SSLParams::SSLMode_allowSSL:
return "allowSSL";
- case SSLGlobalParams::SSLMode_preferSSL:
+ case SSLParams::SSLMode_preferSSL:
return "preferSSL";
- case SSLGlobalParams::SSLMode_requireSSL:
+ case SSLParams::SSLMode_requireSSL:
return "requireSSL";
default:
return "undefined";
@@ -468,11 +468,11 @@ namespace mongo {
}
int oldMode = sslGlobalParams.sslMode.load();
- if (str == "preferSSL" && oldMode == SSLGlobalParams::SSLMode_allowSSL) {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_preferSSL);
+ if (str == "preferSSL" && oldMode == SSLParams::SSLMode_allowSSL) {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_preferSSL);
}
- else if (str == "requireSSL" && oldMode == SSLGlobalParams::SSLMode_preferSSL) {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL);
+ else if (str == "requireSSL" && oldMode == SSLParams::SSLMode_preferSSL) {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
}
else {
return Status(ErrorCodes::BadValue, mongoutils::str::stream() <<
@@ -540,8 +540,8 @@ namespace mongo {
int sslMode = sslGlobalParams.sslMode.load();
if (str == "sendX509" &&
oldMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile) {
- if (sslMode == SSLGlobalParams::SSLMode_disabled ||
- sslMode == SSLGlobalParams::SSLMode_allowSSL) {
+ if (sslMode == SSLParams::SSLMode_disabled ||
+ sslMode == SSLParams::SSLMode_allowSSL) {
return Status(ErrorCodes::BadValue, mongoutils::str::stream() <<
"Illegal state transition for clusterAuthMode, " <<
"need to enable SSL for outgoing connections");
diff --git a/src/mongo/util/net/message_port.cpp b/src/mongo/util/net/message_port.cpp
index 910749e24af..4a502d53280 100644
--- a/src/mongo/util/net/message_port.cpp
+++ b/src/mongo/util/net/message_port.cpp
@@ -214,14 +214,14 @@ again:
&& header.constView().getResponseTo() != -1) {
uassert(17132,
"SSL handshake received but server is started without SSL support",
- sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_disabled);
+ sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled);
setX509SubjectName(psock->doSSLHandshake(
reinterpret_cast<const char*>(&header), sizeof(header)));
psock->setHandshakeReceived();
goto again;
}
uassert(17189, "The server is configured to only allow SSL connections",
- sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_requireSSL);
+ sslGlobalParams.sslMode.load() != SSLParams::SSLMode_requireSSL);
#endif // MONGO_CONFIG_SSL
}
if ( static_cast<size_t>(len) < sizeof(MSGHEADER::Value) ||
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index af87701a590..748ca80f5de 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -63,7 +63,7 @@ using std::endl;
namespace mongo {
- SSLGlobalParams sslGlobalParams;
+ SSLParams sslGlobalParams;
#ifndef MONGO_CONFIG_SSL
const std::string getSSLVersion(const std::string &prefix, const std::string &suffix) {
@@ -155,46 +155,9 @@ namespace mongo {
static const int BUFFER_SIZE = 8*1024;
static const int DATE_LEN = 128;
- struct Params {
- Params(const std::string& pemfile,
- const std::string& pempwd,
- const std::string& clusterfile,
- const std::string& clusterpwd,
- const std::string& cafile = "",
- const std::string& crlfile = "",
- const std::string& cipherConfig = "",
- bool weakCertificateValidation = false,
- bool allowInvalidCertificates = false,
- bool allowInvalidHostnames = false,
- bool fipsMode = false) :
- pemfile(pemfile),
- pempwd(pempwd),
- clusterfile(clusterfile),
- clusterpwd(clusterpwd),
- cafile(cafile),
- crlfile(crlfile),
- cipherConfig(cipherConfig),
- weakCertificateValidation(weakCertificateValidation),
- allowInvalidCertificates(allowInvalidCertificates),
- allowInvalidHostnames(allowInvalidHostnames),
- fipsMode(fipsMode) {};
-
- std::string pemfile;
- std::string pempwd;
- std::string clusterfile;
- std::string clusterpwd;
- std::string cafile;
- std::string crlfile;
- std::string cipherConfig;
- bool weakCertificateValidation;
- bool allowInvalidCertificates;
- bool allowInvalidHostnames;
- bool fipsMode;
- };
-
class SSLManager : public SSLManagerInterface {
public:
- explicit SSLManager(const Params& params, bool isServer);
+ explicit SSLManager(const SSLParams& params, bool isServer);
virtual ~SSLManager();
@@ -251,7 +214,7 @@ namespace mongo {
/*
* Init the SSL context using parameters provided in params.
*/
- bool _initSSLContext(SSL_CTX** context, const Params& params);
+ bool _initSSLContext(SSL_CTX** context, const SSLParams& params);
/*
* Converts time from OpenSSL return value to unsigned long long
@@ -325,20 +288,8 @@ namespace mongo {
MONGO_INITIALIZER(SSLManager)(InitializerContext* context) {
SimpleMutex::scoped_lock lck(sslManagerMtx);
- if (sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_disabled) {
- const Params params(
- sslGlobalParams.sslPEMKeyFile,
- sslGlobalParams.sslPEMKeyPassword,
- sslGlobalParams.sslClusterFile,
- sslGlobalParams.sslClusterPassword,
- sslGlobalParams.sslCAFile,
- sslGlobalParams.sslCRLFile,
- sslGlobalParams.sslCipherConfig,
- sslGlobalParams.sslWeakCertificateValidation,
- sslGlobalParams.sslAllowInvalidCertificates,
- sslGlobalParams.sslAllowInvalidHostnames,
- sslGlobalParams.sslFIPSMode);
- theSSLManager = new SSLManager(params, isSSLServer);
+ if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) {
+ theSSLManager = new SSLManager(sslGlobalParams, isSSLServer);
}
return Status::OK();
}
@@ -421,18 +372,18 @@ namespace mongo {
SSLManagerInterface::~SSLManagerInterface() {}
- SSLManager::SSLManager(const Params& params, bool isServer) :
+ SSLManager::SSLManager(const SSLParams& params, bool isServer) :
_serverContext(NULL),
_clientContext(NULL),
- _weakValidation(params.weakCertificateValidation),
- _allowInvalidCertificates(params.allowInvalidCertificates),
- _allowInvalidHostnames(params.allowInvalidHostnames) {
+ _weakValidation(params.sslWeakCertificateValidation),
+ _allowInvalidCertificates(params.sslAllowInvalidCertificates),
+ _allowInvalidHostnames(params.sslAllowInvalidHostnames) {
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
- if (params.fipsMode) {
+ if (params.sslFIPSMode) {
_setupFIPS();
}
@@ -453,14 +404,14 @@ namespace mongo {
// pick the certificate for use in outgoing connections,
std::string clientPEM;
- if (!isServer || params.clusterfile.empty()) {
+ if (!isServer || params.sslClusterFile.empty()) {
// We are either a client, or a server without a cluster key,
// so use the PEM key file, if specified
- clientPEM = params.pemfile;
+ clientPEM = params.sslPEMKeyFile;
}
else {
// We are a server with a cluster key, so use the cluster key file
- clientPEM = params.clusterfile;
+ clientPEM = params.sslClusterFile;
}
if (!clientPEM.empty()) {
@@ -475,7 +426,7 @@ namespace mongo {
uasserted(16562, "ssl initialization problem");
}
- if (!_parseAndValidateCertificate(params.pemfile,
+ if (!_parseAndValidateCertificate(params.sslPEMKeyFile,
&_sslConfiguration.serverSubjectName,
&_sslConfiguration.serverCertificateExpirationDate)) {
uasserted(16942, "ssl initialization problem");
@@ -579,7 +530,7 @@ namespace mongo {
#endif
}
- bool SSLManager::_initSSLContext(SSL_CTX** context, const Params& params) {
+ bool SSLManager::_initSSLContext(SSL_CTX** context, const SSLParams& params) {
*context = SSL_CTX_new(SSLv23_method());
massert(15864,
mongoutils::str::stream() << "can't create SSL Context: " <<
@@ -598,8 +549,8 @@ namespace mongo {
std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
// Allow the cipher configuration string to be overriden by --sslCipherConfig
- if (!params.cipherConfig.empty()) {
- cipherConfig = params.cipherConfig;
+ if (!params.sslCipherConfig.empty()) {
+ cipherConfig = params.sslCipherConfig;
}
massert(28615, mongoutils::str::stream() << "can't set supported cipher suites: " <<
@@ -619,29 +570,29 @@ namespace mongo {
sizeof(*context)));
// Use the clusterfile for internal outgoing SSL connections if specified
- if (context == &_clientContext && !params.clusterfile.empty()) {
+ if (context == &_clientContext && !params.sslClusterFile.empty()) {
EVP_set_pw_prompt("Enter cluster certificate passphrase");
- if (!_setupPEM(*context, params.clusterfile, params.clusterpwd)) {
+ if (!_setupPEM(*context, params.sslClusterFile, params.sslClusterPassword)) {
return false;
}
}
// Use the pemfile for everything else
- else if (!params.pemfile.empty()) {
+ else if (!params.sslPEMKeyFile.empty()) {
EVP_set_pw_prompt("Enter PEM passphrase");
- if (!_setupPEM(*context, params.pemfile, params.pempwd)) {
+ if (!_setupPEM(*context, params.sslPEMKeyFile, params.sslPEMKeyPassword)) {
return false;
}
}
- if (!params.cafile.empty()) {
+ if (!params.sslCAFile.empty()) {
// Set up certificate validation with a certificate authority
- if (!_setupCA(*context, params.cafile)) {
+ if (!_setupCA(*context, params.sslCAFile)) {
return false;
}
}
- if (!params.crlfile.empty()) {
- if (!_setupCRL(*context, params.crlfile)) {
+ if (!params.sslCRLFile.empty()) {
+ if (!_setupCRL(*context, params.sslCRLFile)) {
return false;
}
}
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index c4ff4f2c48c..8369a1948b6 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -187,16 +187,16 @@ namespace mongo {
if (params.count("net.ssl.mode")) {
std::string sslModeParam = params["net.ssl.mode"].as<string>();
if (sslModeParam == "disabled") {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_disabled);
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_disabled);
}
else if (sslModeParam == "allowSSL") {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_allowSSL);
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_allowSSL);
}
else if (sslModeParam == "preferSSL") {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_preferSSL);
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_preferSSL);
}
else if (sslModeParam == "requireSSL") {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL);
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
}
else {
return Status(ErrorCodes::BadValue,
@@ -258,7 +258,7 @@ namespace mongo {
}
int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
- if (sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_disabled) {
+ if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) {
if (sslGlobalParams.sslPEMKeyFile.size() == 0) {
return Status(ErrorCodes::BadValue,
"need sslPEMKeyFile when SSL is enabled");
@@ -299,11 +299,11 @@ namespace mongo {
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
- if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_disabled) {
+ if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_disabled) {
return Status(ErrorCodes::BadValue, "need to enable SSL via the sslMode flag");
}
}
- if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_allowSSL) {
+ if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) {
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
return Status(ErrorCodes::BadValue,
@@ -315,7 +315,7 @@ namespace mongo {
Status storeSSLClientOptions(const moe::Environment& params) {
if (params.count("ssl") && params["ssl"].as<bool>() == true) {
- sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL);
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
}
if (params.count("ssl.PEMKeyFile")) {
sslGlobalParams.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>();
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index f1b74c1f594..d2f2a79bc9a 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -39,7 +39,7 @@ namespace mongo {
namespace moe = mongo::optionenvironment;
- struct SSLGlobalParams {
+ struct SSLParams {
AtomicInt32 sslMode; // --sslMode - the SSL operation mode, see enum SSLModes
bool sslOnNormalPorts; // --sslOnNormalPorts (deprecated)
std::string sslPEMKeyFile; // --sslPEMKeyFile
@@ -54,7 +54,7 @@ namespace mongo {
bool sslAllowInvalidCertificates; // --sslAllowInvalidCertificates
bool sslAllowInvalidHostnames; // --sslAllowInvalidHostnames
- SSLGlobalParams() {
+ SSLParams() {
sslMode.store(SSLMode_disabled);
}
@@ -81,7 +81,7 @@ namespace mongo {
};
};
- extern SSLGlobalParams sslGlobalParams;
+ extern SSLParams sslGlobalParams;
Status addSSLServerOptions(moe::OptionSection* options);
View Lorry Controller Status