[GitHub] thrift pull request #1185: Thrift 3369 - Third try to merge SSL c_glib

2017-02-09 Thread gadLinux
GitHub user gadLinux opened a pull request:

https://github.com/apache/thrift/pull/1185

Thrift 3369 - Third try to merge SSL c_glib

This pull request is the third try to merge against master. 
It implements SSL on c_glib with certificate pinning included.

The old pull request is 930.

https://github.com/apache/thrift/pull/930

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gadLinux/thrift thrift-3369

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/thrift/pull/1185.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1185


commit b1815ec42f848798422765d955cea0a815fcb525
Author: Gonzalo Aguilar Delgado 
Date:   2016-03-07T12:42:44Z

Implement basic version of the TLS transport

commit d4c6207d9dabc138ff06a2b21a4477a5c440187c
Author: Gonzalo Aguilar Delgado 
Date:   2016-03-07T14:27:22Z

Certificate pinning features incorporated

commit b691372edfadfc124152645ec527686a960cb84b
Author: Gonzalo Aguilar Delgado 
Date:   2016-03-07T14:29:10Z

Add test for certificate pinning

commit f09d8eb55246638d8078857d7ef84459caf84c5d
Author: Gonzalo Aguilar Delgado 
Date:   2016-03-07T14:30:10Z

Add level2 test public key chain

commit 2003ea188de1be4a13e8b2e859cc3b3d1a39e541
Author: Gonzalo Aguilar Delgado 
Date:   2016-03-07T20:49:42Z

Fix dependency of ssl for tests

commit 0f8699ddc3e7f5d2b8c8c36283b0c520d30f7ddf
Author: Gonzalo Aguilar Delgado 
Date:   2016-08-04T23:33:29Z

Enhance code, fix some issues and plug some bugs.
Fix pull request #930

commit d0f2ac1a957912a59131b2e93028e3022d2a9f82
Author: Gonzalo Aguilar Delgado 
Date:   2016-08-04T23:40:57Z

Fix style

commit 01dcd95dda883f65ce6baa296815f964ce6f3904
Author: Gonzalo Aguilar Delgado 
Date:   2016-08-04T23:58:10Z

Add file to cmake

commit 5d9cb52119872f431f187f7166b374e6488b6229
Author: Gonzalo Aguilar Delgado 
Date:   2016-08-05T09:09:18Z

Fix tests and the bug that produced it.

commit d070e6dc6502e4e9cb8ba5ef3a68c0c00a09800f
Author: Gonzalo Aguilar Delgado 
Date:   2016-12-29T11:42:04Z

Fix tests so we don't include tests that require a server until server is ready.
Fix compilation with cmake

commit 40ec9d1bb9469a59ebfe9fea308cb9cebca8157d
Author: Gonzalo Aguilar Delgado 
Date:   2016-12-29T11:46:30Z

Fix tests in cmake

commit cada6b8a8907ac00ed9c6995b1d88efd9f0471cc
Author: Gonzalo Aguilar Delgado 
Date:   2017-01-26T16:18:16Z

Remove the public key in favor of the existing one.
Re-add the test that was unintentionally removed.




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---



2017-02-11 Thread nsuke
Github user nsuke commented on a diff in the pull request:

https://github.com/apache/thrift/pull/1185#discussion_r100669633
  
--- Diff: test/c_glib/src/test_client.c ---
@@ -181,11 +194,22 @@ main (int argc, char **argv)
   sigpipe_action.sa_flags = SA_RESETHAND;
   sigaction (SIGPIPE, &sigpipe_action, NULL);
 
+  if (ssl) {
+thrift_ssl_socket_initialize_openssl();
+  }
+
   /* Establish all our connection objects */
-  socket = g_object_new (THRIFT_TYPE_SOCKET,
+  socket = g_object_new (socket_type,
  "hostname", host,
  "port", port,
+"ssl_accept_selfsigned", TRUE,
  NULL);
+  if (ssl && !thrift_ssl_load_cert_from_file(THRIFT_SSL_SOCKET(socket), 
"../keys/client.crt")) {
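Review bot: `"ssl_accept_selfsigned", TRUE` is passed to `g_object_new (socket_type, ...)` unconditionally, but that property belongs to the SSL socket class (`PROP_THRIFT_SSL_SELF_SIGNED` in thrift_ssl_socket.c); when `ssl` is false and `socket_type` is still the plain THRIFT_TYPE_SOCKET, GObject rejects the unknown property with a runtime critical. Construct the object with the common properties only and set the SSL-specific one inside the `if (ssl)` branch, e.g. `g_object_set (socket, "ssl_accept_selfsigned", TRUE, NULL);`. The file handed to `thrift_ssl_load_cert_from_file` is also the wrong one for server verification: `../keys/client.crt` is the client's own leaf certificate, whereas the trust anchor the client needs here is the test CA certificate.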
--- End diff --

client.crt is a client certificate file. What you want here is CA.pem.





2017-02-11 Thread nsuke
Github user nsuke commented on a diff in the pull request:

https://github.com/apache/thrift/pull/1185#discussion_r100669840
  
--- Diff: lib/c_glib/src/thrift/c_glib/transport/thrift_ssl_socket.c ---
@@ -0,0 +1,772 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#if defined(WIN32)
+#define MUTEX_TYPEHANDLE
+#define MUTEX_SETUP(x)(x) = CreateMutex(NULL, FALSE, NULL)
+#define MUTEX_CLEANUP(x)  CloseHandle(x)
+#define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
+#define MUTEX_UNLOCK(x)   ReleaseMutex(x)
+#else
+#define MUTEX_TYPEpthread_mutex_t
+#define MUTEX_SETUP(x)pthread_mutex_init(&(x), NULL)
+#define MUTEX_CLEANUP(x)  pthread_mutex_destroy(&(x))
+#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
+#define MUTEX_UNLOCK(x)   pthread_mutex_unlock(&(x))
+#endif
+
+#define OPENSSL_VERSION_NO_THREAD_ID 0x1000L
+
+
+/* object properties */
+enum _ThriftSSLSocketProperties
+{
+  PROP_THRIFT_SSL_SOCKET_CONTEXT = 3,
+  PROP_THRIFT_SSL_SELF_SIGNED
+};
+
+/* To hold a global state management of openssl for all instances */
+static gboolean thrift_ssl_socket_openssl_initialized=FALSE;
+/* Should this be keept at class level? */
+static SSL_CTX* thrift_ssl_socket_global_context=NULL;
+/* This array will store all of the mutexes available to OpenSSL. */
+static MUTEX_TYPE *thrift_ssl_socket_global_mutex_buf=NULL;
+
+
+/**
+ * OpenSSL uniq id function.
+ *
+ * @returnthread id
+ */
+static unsigned long thrift_ssl_socket_static_id_function(void)
+{
+#if defined(WIN32)
+  return GetCurrentThreadId();
+#else
+  return ((unsigned long) pthread_self());
+#endif
+}
+
+static void thrift_ssl_socket_static_locking_callback(int mode, int n, 
const char* unk, int id) {
+  if (mode & CRYPTO_LOCK)
+MUTEX_LOCK(thrift_ssl_socket_global_mutex_buf[n]);
+  else
+MUTEX_UNLOCK(thrift_ssl_socket_global_mutex_buf[n]);
+}
+
+static int thrift_ssl_socket_static_thread_setup(void)
+{
+  int i;
+
+  thrift_ssl_socket_global_mutex_buf = malloc(CRYPTO_num_locks() * 
sizeof(MUTEX_TYPE));
+  if (!thrift_ssl_socket_global_mutex_buf)
+return 0;
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+MUTEX_SETUP(thrift_ssl_socket_global_mutex_buf[i]);
+  CRYPTO_set_id_callback(thrift_ssl_socket_static_id_function);
+  CRYPTO_set_locking_callback(thrift_ssl_socket_static_locking_callback);
+  return 1;
+}
+
+static int thrift_ssl_socket_static_thread_cleanup(void)
+{
+  int i;
+  if (!thrift_ssl_socket_global_mutex_buf)
+return 0;
+  CRYPTO_set_id_callback(NULL);
+  CRYPTO_set_locking_callback(NULL);
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+MUTEX_CLEANUP(thrift_ssl_socket_global_mutex_buf[i]);
+  free(thrift_ssl_socket_global_mutex_buf);
+  thrift_ssl_socket_global_mutex_buf = NULL;
+  return 1;
+}
+
+/*
+static void* thrift_ssl_socket_dyn_lock_create_callback(const char* unk, 
int id) {
+  g_print("We should create a lock\n");
+  return NULL;
+}
+
+static void thrift_ssl_socket_dyn_lock_callback(int mode, void* lock, 
const char* unk, int id) {
+  if (lock != NULL) {
+if (mode & CRYPTO_LOCK) {
+  g_printf("We should lock thread %d\n");
+} else {
+  g_printf("We should unlock thread %d\n");
+}
+  }
+}
+
+static void thrift_ssl_socket_dyn_lock_destroy_callback(void* lock, const 
char* unk, int id) {
+  g_printf("We must destroy the lock\n");
+}
+ */
+
+
+G_DEFINE_TYPE(ThriftSSLSocket, thrift_ssl_socket, THRIFT_TYPE_SOCKET)
+
+
+/* implements thrift_tran
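Review bot: the static locking setup in `thrift_ssl_socket_static_thread_setup` (`CRYPTO_num_locks`, `CRYPTO_set_id_callback`, `CRYPTO_set_locking_callback`) is only needed, and only functional, on OpenSSL releases before 1.1.0; from 1.1.0 the library locks internally and these calls are compiled to no-op macros, leaving `thrift_ssl_socket_static_id_function` and `thrift_ssl_socket_static_locking_callback` unused. `CRYPTO_set_id_callback` is additionally deprecated since 1.0.0 in favour of `CRYPTO_THREADID_set_callback`. Wrap the `MUTEX_*` macros and both `_thread_setup`/`_thread_cleanup` functions in `#if OPENSSL_VERSION_NUMBER < 0x10100000L`, and fix or drop `OPENSSL_VERSION_NO_THREAD_ID`: it is defined as `0x1000L`, which is not the `OPENSSL_VERSION_NUMBER` encoding of 1.0.0 (`0x10000000L`), so any version comparison against it would misfire, and nothing in this excerpt uses it.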


2017-02-11 Thread jeking3
Github user jeking3 commented on a diff in the pull request:

https://github.com/apache/thrift/pull/1185#discussion_r100670299
  
--- Diff: lib/c_glib/src/thrift/c_glib/transport/thrift_ssl_socket.c ---
@@ -0,0 +1,772 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#if defined(WIN32)
+#define MUTEX_TYPEHANDLE
+#define MUTEX_SETUP(x)(x) = CreateMutex(NULL, FALSE, NULL)
+#define MUTEX_CLEANUP(x)  CloseHandle(x)
+#define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
+#define MUTEX_UNLOCK(x)   ReleaseMutex(x)
+#else
+#define MUTEX_TYPEpthread_mutex_t
+#define MUTEX_SETUP(x)pthread_mutex_init(&(x), NULL)
+#define MUTEX_CLEANUP(x)  pthread_mutex_destroy(&(x))
+#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
+#define MUTEX_UNLOCK(x)   pthread_mutex_unlock(&(x))
+#endif
+
+#define OPENSSL_VERSION_NO_THREAD_ID 0x1000L
+
+
+/* object properties */
+enum _ThriftSSLSocketProperties
+{
+  PROP_THRIFT_SSL_SOCKET_CONTEXT = 3,
+  PROP_THRIFT_SSL_SELF_SIGNED
+};
+
+/* To hold a global state management of openssl for all instances */
+static gboolean thrift_ssl_socket_openssl_initialized=FALSE;
+/* Should this be keept at class level? */
+static SSL_CTX* thrift_ssl_socket_global_context=NULL;
+/* This array will store all of the mutexes available to OpenSSL. */
+static MUTEX_TYPE *thrift_ssl_socket_global_mutex_buf=NULL;
+
+
+/**
+ * OpenSSL uniq id function.
+ *
+ * @returnthread id
+ */
+static unsigned long thrift_ssl_socket_static_id_function(void)
+{
+#if defined(WIN32)
+  return GetCurrentThreadId();
+#else
+  return ((unsigned long) pthread_self());
+#endif
+}
+
+static void thrift_ssl_socket_static_locking_callback(int mode, int n, 
const char* unk, int id) {
+  if (mode & CRYPTO_LOCK)
+MUTEX_LOCK(thrift_ssl_socket_global_mutex_buf[n]);
+  else
+MUTEX_UNLOCK(thrift_ssl_socket_global_mutex_buf[n]);
+}
+
+static int thrift_ssl_socket_static_thread_setup(void)
+{
+  int i;
+
+  thrift_ssl_socket_global_mutex_buf = malloc(CRYPTO_num_locks() * 
sizeof(MUTEX_TYPE));
+  if (!thrift_ssl_socket_global_mutex_buf)
+return 0;
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+MUTEX_SETUP(thrift_ssl_socket_global_mutex_buf[i]);
+  CRYPTO_set_id_callback(thrift_ssl_socket_static_id_function);
+  CRYPTO_set_locking_callback(thrift_ssl_socket_static_locking_callback);
+  return 1;
+}
+
+static int thrift_ssl_socket_static_thread_cleanup(void)
+{
+  int i;
+  if (!thrift_ssl_socket_global_mutex_buf)
+return 0;
+  CRYPTO_set_id_callback(NULL);
+  CRYPTO_set_locking_callback(NULL);
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+MUTEX_CLEANUP(thrift_ssl_socket_global_mutex_buf[i]);
+  free(thrift_ssl_socket_global_mutex_buf);
+  thrift_ssl_socket_global_mutex_buf = NULL;
+  return 1;
+}
+
+/*
+static void* thrift_ssl_socket_dyn_lock_create_callback(const char* unk, 
int id) {
+  g_print("We should create a lock\n");
+  return NULL;
+}
+
+static void thrift_ssl_socket_dyn_lock_callback(int mode, void* lock, 
const char* unk, int id) {
+  if (lock != NULL) {
+if (mode & CRYPTO_LOCK) {
+  g_printf("We should lock thread %d\n");
+} else {
+  g_printf("We should unlock thread %d\n");
+}
+  }
+}
+
+static void thrift_ssl_socket_dyn_lock_destroy_callback(void* lock, const 
char* unk, int id) {
+  g_printf("We must destroy the lock\n");
+}
+ */
+
+
+G_DEFINE_TYPE(ThriftSSLSocket, thrift_ssl_socket, THRIFT_TYPE_SOCKET)
+
+
+/* implements thrift_tr
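Review bot: the commented-out `thrift_ssl_socket_dyn_lock_*` callbacks between `thrift_ssl_socket_static_thread_cleanup` and `G_DEFINE_TYPE` are dead code and would be incorrect if ever re-enabled: `g_printf("We should lock thread %d\n")` supplies a `%d` conversion with no matching argument (undefined behaviour), and the create callback returns NULL so no lock would ever be taken. Either delete the block or implement it properly and register it with `CRYPTO_set_dynlock_create_callback`, `CRYPTO_set_dynlock_lock_callback` and `CRYPTO_set_dynlock_destroy_callback`; placeholder code in a transport's locking layer is a maintenance trap.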


2017-02-11 Thread jeking3
Github user jeking3 commented on a diff in the pull request:

https://github.com/apache/thrift/pull/1185#discussion_r100670306
  
--- Diff: test/c_glib/src/test_client.c ---
@@ -181,11 +194,22 @@ main (int argc, char **argv)
   sigpipe_action.sa_flags = SA_RESETHAND;
   sigaction (SIGPIPE, &sigpipe_action, NULL);
 
+  if (ssl) {
+thrift_ssl_socket_initialize_openssl();
+  }
+
   /* Establish all our connection objects */
-  socket = g_object_new (THRIFT_TYPE_SOCKET,
+  socket = g_object_new (socket_type,
  "hostname", host,
  "port", port,
+"ssl_accept_selfsigned", TRUE,
  NULL);
+  if (ssl && !thrift_ssl_load_cert_from_file(THRIFT_SSL_SOCKET(socket), 
"../keys/client.crt")) {
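Review bot: `"../keys/client.crt"` is resolved against the process working directory, so the SSL test only passes when the client is launched from the directory the harness happens to use, which is exactly how the cmake and autotools runs end up disagreeing. Take the key directory from a build-time definition or a command-line option like the existing `host`/`port` arguments, and make the failure path print the path that was tried so a missing or mis-resolved file is diagnosable.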
--- End diff --

My mistake - I added that line of code in my first pull request and it caused the next issue to occur.





2017-02-11 Thread gadLinux
Github user gadLinux commented on a diff in the pull request:

https://github.com/apache/thrift/pull/1185#discussion_r100681388
  
--- Diff: lib/c_glib/src/thrift/c_glib/transport/thrift_ssl_socket.c ---
@@ -0,0 +1,772 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#if defined(WIN32)
+#define MUTEX_TYPEHANDLE
+#define MUTEX_SETUP(x)(x) = CreateMutex(NULL, FALSE, NULL)
+#define MUTEX_CLEANUP(x)  CloseHandle(x)
+#define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
+#define MUTEX_UNLOCK(x)   ReleaseMutex(x)
+#else
+#define MUTEX_TYPEpthread_mutex_t
+#define MUTEX_SETUP(x)pthread_mutex_init(&(x), NULL)
+#define MUTEX_CLEANUP(x)  pthread_mutex_destroy(&(x))
+#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
+#define MUTEX_UNLOCK(x)   pthread_mutex_unlock(&(x))
+#endif
+
+#define OPENSSL_VERSION_NO_THREAD_ID 0x1000L
+
+
+/* object properties */
+enum _ThriftSSLSocketProperties
+{
+  PROP_THRIFT_SSL_SOCKET_CONTEXT = 3,
+  PROP_THRIFT_SSL_SELF_SIGNED
+};
+
+/* To hold a global state management of openssl for all instances */
+static gboolean thrift_ssl_socket_openssl_initialized=FALSE;
+/* Should this be keept at class level? */
+static SSL_CTX* thrift_ssl_socket_global_context=NULL;
+/* This array will store all of the mutexes available to OpenSSL. */
+static MUTEX_TYPE *thrift_ssl_socket_global_mutex_buf=NULL;
+
+
+/**
+ * OpenSSL uniq id function.
+ *
+ * @returnthread id
+ */
+static unsigned long thrift_ssl_socket_static_id_function(void)
+{
+#if defined(WIN32)
+  return GetCurrentThreadId();
+#else
+  return ((unsigned long) pthread_self());
+#endif
+}
+
+static void thrift_ssl_socket_static_locking_callback(int mode, int n, 
const char* unk, int id) {
+  if (mode & CRYPTO_LOCK)
+MUTEX_LOCK(thrift_ssl_socket_global_mutex_buf[n]);
+  else
+MUTEX_UNLOCK(thrift_ssl_socket_global_mutex_buf[n]);
+}
+
+static int thrift_ssl_socket_static_thread_setup(void)
+{
+  int i;
+
+  thrift_ssl_socket_global_mutex_buf = malloc(CRYPTO_num_locks() * 
sizeof(MUTEX_TYPE));
+  if (!thrift_ssl_socket_global_mutex_buf)
+return 0;
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+MUTEX_SETUP(thrift_ssl_socket_global_mutex_buf[i]);
+  CRYPTO_set_id_callback(thrift_ssl_socket_static_id_function);
+  CRYPTO_set_locking_callback(thrift_ssl_socket_static_locking_callback);
+  return 1;
+}
+
+static int thrift_ssl_socket_static_thread_cleanup(void)
+{
+  int i;
+  if (!thrift_ssl_socket_global_mutex_buf)
+return 0;
+  CRYPTO_set_id_callback(NULL);
+  CRYPTO_set_locking_callback(NULL);
+  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
+MUTEX_CLEANUP(thrift_ssl_socket_global_mutex_buf[i]);
+  free(thrift_ssl_socket_global_mutex_buf);
+  thrift_ssl_socket_global_mutex_buf = NULL;
+  return 1;
+}
+
+/*
+static void* thrift_ssl_socket_dyn_lock_create_callback(const char* unk, 
int id) {
+  g_print("We should create a lock\n");
+  return NULL;
+}
+
+static void thrift_ssl_socket_dyn_lock_callback(int mode, void* lock, 
const char* unk, int id) {
+  if (lock != NULL) {
+if (mode & CRYPTO_LOCK) {
+  g_printf("We should lock thread %d\n");
+} else {
+  g_printf("We should unlock thread %d\n");
+}
+  }
+}
+
+static void thrift_ssl_socket_dyn_lock_destroy_callback(void* lock, const 
char* unk, int id) {
+  g_printf("We must destroy the lock\n");
+}
+ */
+
+
+G_DEFINE_TYPE(ThriftSSLSocket, thrift_ssl_socket, THRIFT_TYPE_SOCKET)
+
+
+/* implements thrift_t
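Review bot: `thrift_ssl_socket_static_id_function` casts `pthread_self()` to `unsigned long`, but POSIX does not require `pthread_t` to be an arithmetic type (it is a struct on some platforms), so this is not portable and can yield colliding ids on others; on OpenSSL 1.0.x the supported route is `CRYPTO_THREADID_set_callback` with a callback that calls `CRYPTO_THREADID_set_pointer` or `CRYPTO_THREADID_set_numeric`. Separately, `thrift_ssl_socket_static_thread_setup` overwrites `thrift_ssl_socket_global_mutex_buf` unconditionally, so a second call leaks the first buffer and re-registers the callbacks while mutexes may be held; return early when the buffer is already allocated, mirroring the NULL check in `thrift_ssl_socket_static_thread_cleanup`, or guard the call with `thrift_ssl_socket_openssl_initialized`.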


2017-02-13 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/thrift/pull/1185

