Build TLS as a loadable module

* Support BUILD_TLS=module to be loaded as a module via config file or command line. e.g. redis-server --loadmodule redis-tls.so * Updates to redismodule.h to allow it to be used side by side with server.h by defining REDISMODULE_CORE_MODULE * Changes to server.h, redismodule.h and module.c to avoid repeated type declarations (gcc 4.8 doesn't like these) * Add a mechanism for non-ABI neutral modules (ones who include server.h) to refuse loading if they detect not being built together with redis (release.c) * Fix wrong signature of RedisModuleDefragFunc, this could break compilation of a module, but not the ABI * Move initialization of listeners in server.c to be after loading the modules * Config TLS after initialization of listeners * Init cluster after initialization of listeners * Add TLS module to CI * Fix a test suite race conditions: Now that the listeners are initialized later, it's not sufficient to wait for the PID message in the log, we need to wait for the "Server Initialized" message. * Fix issues with moduleconfigs test as a result from start_server waiting for "Server Initialized" * Fix issues with modules/infra test as a result of an additional module present Notes about Sentinel: Sentinel can't really rely on the tls module, since it uses hiredis to initiate connections and depends on OpenSSL (won't be able to use any other connection modules for that), so it was decided that when TLS is built as a module, sentinel does not support TLS at all. This means that it keeps using redis_tls_ctx and redis_tls_client_ctx directly. Example code of config in redis-tls.so(may be use in the future): RedisModuleString *tls_cfg = NULL; void tlsInfo(RedisModuleInfoCtx *ctx, int for_crash_report) { UNUSED(for_crash_report); RedisModule_InfoAddSection(ctx, ""); RedisModule_InfoAddFieldLongLong(ctx, "var", 42); } int tlsCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) { if (argc != 2) return RedisModule_WrongArity(ctx); return RedisModule_ReplyWithString(ctx, argv[1]); } RedisModuleString *getStringConfigCommand(const char *name, void *privdata) { REDISMODULE_NOT_USED(name); REDISMODULE_NOT_USED(privdata); return tls_cfg; } int setStringConfigCommand(const char *name, RedisModuleString *new, void *privdata, RedisModuleString **err) { REDISMODULE_NOT_USED(name); REDISMODULE_NOT_USED(err); REDISMODULE_NOT_USED(privdata); if (tls_cfg) RedisModule_FreeString(NULL, tls_cfg); RedisModule_RetainString(NULL, new); tls_cfg = new; return REDISMODULE_OK; } int RedisModule_OnLoad(void *ctx, RedisModuleString **argv, int argc) { .... if (RedisModule_CreateCommand(ctx,"tls",tlsCommand,"",0,0,0) == REDISMODULE_ERR) return REDISMODULE_ERR; if (RedisModule_RegisterStringConfig(ctx, "cfg", "", REDISMODULE_CONFIG_DEFAULT, getStringConfigCommand, setStringConfigCommand, NULL, NULL) == REDISMODULE_ERR) return REDISMODULE_ERR; if (RedisModule_LoadConfigs(ctx) == REDISMODULE_ERR) { if (tls_cfg) { RedisModule_FreeString(ctx, tls_cfg); tls_cfg = NULL; } return REDISMODULE_ERR; } ... } Co-authored-by: zhenwei pi <pizhenwei@bytedance.com> Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
author: Oran Agra <oran@redislabs.com> 2022-08-22 15:53:56 +0800
committer: Oran Agra <oran@redislabs.com> 2022-08-23 12:37:56 +0300
commit: 4faddf18ca8ca3adb93cf1e4e620be9eaf0f6bf4 (patch)
tree: c2b70793b7052e4464d92849a21d308600ae7767 /src/tls.c
parent: 89e11486880a59dad3857499e69e54c0b27be689 (diff)
download: redis-4faddf18ca8ca3adb93cf1e4e620be9eaf0f6bf4.tar.gz
1 files changed, 45 insertions, 17 deletions
diff --git a/src/tls.c b/src/tls.c
index be6bf4e1b..99cbea5a2 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -27,12 +27,13 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+#define REDISMODULE_CORE_MODULE /* A module that's part of the redis core, uses server.h too. */
 
 #include "server.h"
 #include "connhelpers.h"
 #include "adlist.h"
 
-#ifdef USE_OPENSSL
+#if (USE_OPENSSL == 1 /* BUILD_YES */ ) || ((USE_OPENSSL == 2 /* BUILD_MODULE */) && (BUILD_TLS_MODULE == 2))
 
 #include <openssl/conf.h>
 #include <openssl/ssl.h>
@@ -56,8 +57,8 @@
 #define REDIS_TLS_PROTO_DEFAULT     (REDIS_TLS_PROTO_TLSv1_2)
 #endif
 
-static SSL_CTX *redis_tls_ctx = NULL;
-static SSL_CTX *redis_tls_client_ctx = NULL;
+SSL_CTX *redis_tls_ctx = NULL;
+SSL_CTX *redis_tls_client_ctx = NULL;
 
 static int parseProtocolsConfig(const char *str) {
     int i, count = 0;
@@ -1087,14 +1088,6 @@ static sds connTLSGetPeerCert(connection *conn_) {
     return cert_pem;
 }
 
-static void *tlsGetCtx(void) {
-    return redis_tls_ctx;
-}
-
-static void *tlsGetClientCtx(void) {
-    return redis_tls_client_ctx;
-}
-
 static ConnectionType CT_TLS = {
     /* connection type */
     .get_type = connTLSGetType,
@@ -1137,20 +1130,55 @@ static ConnectionType CT_TLS = {
 
     /* TLS specified methods */
     .get_peer_cert = connTLSGetPeerCert,
-    .get_ctx = tlsGetCtx,
-    .get_client_ctx = tlsGetClientCtx
 };
 
-int RedisRegisterConnectionTypeTLS()
-{
+int RedisRegisterConnectionTypeTLS() {
     return connTypeRegister(&CT_TLS);
 }
 
 #else   /* USE_OPENSSL */
 
-int RedisRegisterConnectionTypeTLS()
-{
+int RedisRegisterConnectionTypeTLS() {
+    serverLog(LL_VERBOSE, "Connection type %s not builtin", CONN_TYPE_TLS);
     return C_ERR;
 }
 
 #endif
+
+#if BUILD_TLS_MODULE == 2 /* BUILD_MODULE */
+
+#include "release.h"
+
+int RedisModule_OnLoad(void *ctx, RedisModuleString **argv, int argc) {
+    UNUSED(argv);
+    UNUSED(argc);
+
+    /* Connection modules must be part of the same build as redis. */
+    if (strcmp(REDIS_BUILD_ID_RAW, redisBuildIdRaw())) {
+        serverLog(LL_NOTICE, "Connection type %s was not built together with the redis-server used.", CONN_TYPE_TLS);
+        return REDISMODULE_ERR;
+    }
+
+    if (RedisModule_Init(ctx,"tls",1,REDISMODULE_APIVER_1) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    /* Connection modules is available only bootup. */
+    if ((RedisModule_GetContextFlags(ctx) & REDISMODULE_CTX_FLAGS_SERVER_STARTUP) == 0) {
+        serverLog(LL_NOTICE, "Connection type %s can be loaded only during bootup", CONN_TYPE_TLS);
+        return REDISMODULE_ERR;
+    }
+
+    RedisModule_SetModuleOptions(ctx, REDISMODULE_OPTIONS_HANDLE_REPL_ASYNC_LOAD);
+
+    if(connTypeRegister(&CT_TLS) != C_OK)
+        return REDISMODULE_ERR;
+
+    return REDISMODULE_OK;
+}
+
+int RedisModule_OnUnload(void *arg) {
+    UNUSED(arg);
+    serverLog(LL_NOTICE, "Connection type %s can not be unloaded", CONN_TYPE_TLS);
+    return REDISMODULE_ERR;
+}
+#endif
author	Oran Agra <oran@redislabs.com>	2022-08-22 15:53:56 +0800
committer	Oran Agra <oran@redislabs.com>	2022-08-23 12:37:56 +0300
commit	4faddf18ca8ca3adb93cf1e4e620be9eaf0f6bf4 (patch)
tree	c2b70793b7052e4464d92849a21d308600ae7767 /src/tls.c
parent	89e11486880a59dad3857499e69e54c0b27be689 (diff)
download	redis-4faddf18ca8ca3adb93cf1e4e620be9eaf0f6bf4.tar.gz