Commit 3e34ba5f authored by Leigh Stoller

More brutal hacks for elab-in-elab, although this one is actually

handy by itself; add -i option to tmcc (C and perl version) to turn
off SSL mode. So instead of a separate nossl binary, the SSL binary
can now operate in nossl mode. Like the previous revision, this is
also controlled by an environment variable so that rc.inelab can make
sure that all children use the nossl mode. Why? Cause the inner elab
will have its own set of certificates, and the outer elab tmcd will
reject the connections. Simpler to just speak nossl to the outer elab,
rather than try to mess with two sets of certs.
parent 52f2c3d0
......@@ -75,6 +75,7 @@ my $beproxy = 0;
"nocache" => 0,
"clrcache" => 0,
"noproxy" => 0,
"nossl" => 0,
);
# The cache directory is named by the vnodeid. This avoids some confusion.
......@@ -231,6 +232,9 @@ sub optionstring($%)
if ($opthash{"useudp"}) {
$options .= " -u";
}
if ($opthash{"nossl"}) {
$options .= " -i";
}
if ($opthash{"beproxy"}) {
$options .= " -x " . $opthash{"beproxy"};
$beproxy = 1;
......
......@@ -26,11 +26,12 @@ sub usage()
print STDERR " -t timeout Timeout waiting for the controller.\n";
print STDERR " -x path Be a proxy using the unix domain socket\n";
print STDERR " -o path Specify log file name for -x option\n";
print STDERR " -i Do not use SSL protocol\n";
print STDERR " -c Clear tmcc cache first (must be root)\n";
print STDERR " -D Force command to use a direct, UDP request\n";
exit(1);
}
my $optlist = "ds:p:v:n:k:ul:t:x:o:bcD";
my $optlist = "ds:p:v:n:k:ul:t:x:o:bcDi:";
my $debug = 0;
my $CMD;
my $ARGS;
......@@ -86,6 +87,9 @@ sub ParseOptions()
if (defined($options{"b"})) {
libtmcc::configtmcc("nocache", 1);
}
if (defined($options{"i"})) {
libtmcc::configtmcc("nossl", 1);
}
if (defined($options{"c"})) {
if ($UID) {
print STDERR "Must be root to use the -c option!\n";
......
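Review bot: The new option spec `"ds:p:v:n:k:ul:t:x:o:bcDi:"` declares `i:`, i.e. an option that takes a value, but usage() documents `-i` as a bare flag and ParseOptions only tests `defined($options{"i"})`; assuming `$optlist` is handed to Getopt::Std::getopts, `tmcc -i status` would swallow `status` as the value of -i and leave no command. The C version in this same commit uses `i` without a colon. Change the spec to `my $optlist = "ds:p:v:n:k:ul:t:x:o:bcDi";`.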
/*
* EMULAB-COPYRIGHT
* Copyright (c) 2000-2003 University of Utah and the Flux Group.
* Copyright (c) 2000-2004 University of Utah and the Flux Group.
* All rights reserved.
*/
......@@ -54,6 +54,11 @@
*/
int isssl;
/*
* Client side; optional use of SSL.
*/
int nousessl;
/*
* On the client, we search a couple of dirs for the pem file.
*/
......@@ -83,7 +88,7 @@ int
tmcd_server_sslinit(void)
{
char buf[BUFSIZ];
client = 0;
SSL_library_init();
SSL_load_error_strings();
......@@ -222,6 +227,12 @@ tmcd_sslaccept(int sock, struct sockaddr *addr, socklen_t *addrlen)
if ((newsock = accept(sock, addr, addrlen)) < 0)
return -1;
/*
* Client side; optional use of SSL.
*/
if (nousessl)
return newsock;
/*
* Read the first bit. It indicates whether we need to SSL
* handshake or not. Clear the buffer to avoid confusing
......@@ -290,6 +301,12 @@ tmcd_sslconnect(int sock, const struct sockaddr *name, socklen_t namelen)
if (connect(sock, name, namelen) < 0)
return -1;
/*
* Client side; optional use of SSL.
*/
if (nousessl)
return 0;
/*
* Send our special tag which says we speak SSL.
*/
......@@ -358,6 +375,7 @@ tmcd_sslconnect(int sock, const struct sockaddr *name, socklen_t namelen)
cname, buf, inet_ntoa(cnameip));
goto badauth;
}
isssl = 1;
return 0;
badauth:
......@@ -441,7 +459,7 @@ tmcd_sslwrite(int sock, const void *buf, size_t nbytes)
int cc;
errno = 0;
if (isssl || client)
if (isssl)
cc = SSL_write(ssl, buf, nbytes);
else
cc = write(sock, buf, nbytes);
......@@ -493,7 +511,7 @@ tmcd_sslread(int sock, void *buf, size_t nbytes)
}
errno = 0;
if (isssl || client)
if (isssl)
cc = SSL_read(ssl, buf, nbytes);
else
cc = read(sock, buf, nbytes);
......
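Review bot: The comment added above the `nousessl` check in tmcd_sslaccept reads "Client side; optional use of SSL.", but that check sits on the accepting (server) path right after `accept()`, so the comment is a copy of the one in tmcd_sslconnect and misdescribes what is skipped. Suggest `/* SSL disabled (-i / TMCCNOSSL): return the raw socket; the SSL-tag exchange below is skipped. */` there, and likewise on the connect side `/* SSL disabled: plain connect, isssl stays 0 so read/write use the socket directly. */`. Since tmcd_sslread/tmcd_sslwrite now key solely on the process-wide `isssl` that tmcd_sslconnect sets to 1, it is worth confirming that tmcd_sslclose (outside these hunks) resets it so a later connection cannot be routed to SSL_read/SSL_write on a stale `ssl` object.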
/*
* EMULAB-COPYRIGHT
* Copyright (c) 2000-2002 University of Utah and the Flux Group.
* Copyright (c) 2000-2002, 2004 University of Utah and the Flux Group.
* All rights reserved.
*/
......@@ -17,6 +17,7 @@ int tmcd_sslread(int sock, void *buf, size_t nbytes);
int tmcd_sslclose(int sock);
int tmcd_sslverify_client(char *, char *, char *, int);
int isssl;
int nousessl;
/*
* The client sends this tag to indicate that it is SSL capable.
......
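Review bot: `int nousessl;` in the header is a tentative definition, not a declaration, so every translation unit that includes this file defines the symbol and the link relies on common-symbol merging (which newer toolchains disable by default, giving a multiple-definition error); ssl.c defines it again at line 69 of its hunk. The header should carry `extern int nousessl;` with the single definition left in ssl.c. The adjacent `int isssl;` has the same problem, though it predates this commit.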
......@@ -101,6 +101,7 @@ char *usagestr =
" -t timeout Timeout waiting for the controller.\n"
" -x path Be a tmcc proxy, using the named unix domain socket\n"
" -o logfile Specify log file name for -x option\n"
" -i Do not use SSL protocol\n"
"\n";
void
......@@ -155,7 +156,7 @@ main(int argc, char **argv)
WSADATA wsaData;
#endif
while ((ch = getopt(argc, argv, "v:s:p:un:t:k:x:l:do:")) != -1)
while ((ch = getopt(argc, argv, "v:s:p:un:t:k:x:l:do:i")) != -1)
switch(ch) {
case 'd':
debug++;
......@@ -191,6 +192,11 @@ main(int argc, char **argv)
case 'o':
logfile = optarg;
break;
case 'i':
#ifdef WITHSSL
nousessl = 1;
#endif
break;
default:
usage();
}
......@@ -216,6 +222,13 @@ main(int argc, char **argv)
exit(1);
}
#endif
#ifdef WITHSSL
/*
* Brutal hack for inner elab; see rc.inelab.
*/
if (getenv("TMCCNOSSL") != NULL)
nousessl = 1;
#endif
if (!bossnode) {
int port = 0;
......@@ -355,6 +368,9 @@ getbossnode(char **bossnode, int *portp)
FILE *fp;
char buf[BUFSIZ], **cp = bossnodedirs, *bp;
/*
* Brutal hack for inner elab; see rc.inelab.
*/
if ((bp = getenv("BOSSNAME")) != NULL) {
strcpy(buf, bp);
......@@ -426,7 +442,7 @@ dotcp(char *data, int outfd, struct in_addr serverip)
char *bp, buf[MYBUFSIZE];
#ifdef WITHSSL
if (tmcd_client_sslinit()) {
if (!nousessl && tmcd_client_sslinit()) {
printf("SSL initialization failed!\n");
return -1;
}
......
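Review bot: In getbossnode the `BOSSNAME` environment value is copied with an unbounded `strcpy(buf, bp);` into the local `char buf[BUFSIZ]`, so a value longer than BUFSIZ overflows the stack buffer; the copy appears to be context from the previous revision, but this commit adds the comment documenting the hook and should bound it, e.g. `snprintf(buf, sizeof(buf), "%s", bp);` and reject a truncated value. The companion `TMCCNOSSL` hook in main() silently turns off certificate verification for the whole process; a one-line notice under `debug` when it takes effect would make an inherited variable visible. Both getbossnode and main continue outside their hunks.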