[backend] implement TLS support for the redis connector

openSUSE · Mar 16, 2022 · 0e47a33 · 0e47a33
1 parent 06f316c
commit 0e47a33
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 4 deletions.
diff --git a/src/backend/BSRedis.pm b/src/backend/BSRedis.pm
@@ -28,17 +28,35 @@ use POSIX;
 
 use BSRPC;
 
+use strict;
+
+my $tossl;
+
+sub import {
+  if (grep {$_ eq ':tls'} @_) {
+    require BSSSL;
+    $tossl = \&BSSSL::tossl;
+  }
+}
+
 my $tcpproto = getprotobyname('tcp');
 
 sub new {
   my ($class, %opt) = @_;
   my $self = { %opt };
   die("need to specify a redis server\n") unless $self->{'server'};
-  $self->{'port'} ||= 6379;
+  $self->{'port'} ||= $self->{'tls'} ? 6380 : 6379;
   bless $self, $class || 'BSRedis';
   return $self;
 }
 
+sub verify_sslfingerprint {
+  my ($self, $sock) = @_;
+  die("bad sslpeerfingerprint '$self->{'sslpeerfingerprint'}'\n") unless $self->{'sslpeerfingerprint'} =~ /^(.*?):(.*)$/s;
+  my $pfp =  tied(*{$sock})->peerfingerprint($1);
+  die("peer fingerprint does not match: $2 != $pfp\n") if $2 ne $pfp;
+}
+
 sub connect {
   my ($self) = @_;
   return if $self->{'sock'};
@@ -48,6 +66,11 @@ sub connect {
   socket($sock, PF_INET, SOCK_STREAM, $tcpproto) || die("socket: $!\n");
   setsockopt($sock, SOL_SOCKET, SO_KEEPALIVE, pack("l",1));
   connect($sock, sockaddr_in($self->{'port'}, $hostaddr)) || die("connect to $self->{'server'}:$self->{'port'}: $!\n");
+  if ($self->{'tls'}) {
+    die("tls not supported\n") unless $self->{'tossl'} || $tossl;
+    ($self->{'tossl'} || $tossl)->($sock, $self->{'ssl_keyfile'}, $self->{'certfile'}, 1, $self->{'service'});
+    verify_sslfingerprint($self, $sock) if $self->{'sslpeerfingerprint'};
+  }
   $self->{'sock'} = $sock;
   $self->{'buf'} = '';
   $self->run('AUTH', $self->{'password'}) if defined $self->{'password'};
@@ -108,6 +131,7 @@ sub recv_blob {
   my $sock = $self->{'sock'};
   die unless $sock;
   while (length($self->{'buf'}) < $len) {
+    my $r = sysread($sock, $self->{'buf'}, 4096, length($self->{'buf'}));
     if (!$r) {
       $self->close_and_die("redis: received truncated answer: $!\n") if !defined($r) && $! != POSIX::EINTR && $! != POSIX::EWOULDBLOCK;
       $self->close_and_die("redis: received truncated answer\n") if defined $r;

diff --git a/src/backend/bs_redis b/src/backend/bs_redis
@@ -36,7 +36,7 @@ use Time::HiRes;
 
 use BSConfiguration;
 use BSUtil;
-use BSRedis;
+use BSRedis ':tls';
 
 use strict;
 
@@ -257,9 +257,9 @@ sysopen(PING, "$myeventdir/.ping", POSIX::O_RDWR) || die("$myeventdir/.ping: $!"
 my $retry;
 
 die("No redis server configured\n") unless $BSConfig::redisserver;
-die("Redis server must be of scheme redis://<server>[:port]\n") unless $BSConfig::redisserver =~ /^redis:\/\/(?:([^\/\@]*)\@)?([^\/:]+)(:\d+)?$/;
+die("Redis server must be of scheme redis[s]://<server>[:port]\n") unless $BSConfig::redisserver =~ /^(rediss?):\/\/(?:([^\/\@]*)\@)?([^\/:]+)(:\d+)?$/;
 
-$red = BSRedis->new('server' => $2, 'port' => $3, 'password' => $1);
+$red = BSRedis->new('server' => $3, 'port' => $4, 'password' => $2, 'tls' => ($1 eq 'rediss' ? 1 : 0));
 
 if (-e "$myeventdir/queue.send") {
   print "resuming transmission of old data\n";