WL#15154 patch #5 Establish TLS

On the client side, in Transporter::connect_client(), check the
TLS negotiation result, initiate the TLS handshake, and perform
certificate authorization checks.

On the server side, in TransporterService::newSession(), check the
TLS negotiation result and complete the TLS handshake. Then in
TransporterRegistry::connect_server(), after receiving the client's
hello message, perform certificate authorization checks.

The connect and disconnect impls in TCP_Transporter are responsible
for maintaining the m_encrypted flag and the certificate table. In
TCP_Transporter::connect_common(), locking is enabled around the
SSL object; the lock must be acquired in order to send data, receive
data, or close the socket.

Change-Id: I9758adc88e8f152760bab3df1485556681e88d07

Author: jdduncan

storage/ndb/src/common/transporter/TCP_Transporter.cpp

@@ -220,6 +220,15 @@ bool TCP_Transporter::connect_client_impl(NdbSocket & socket)
 
 bool TCP_Transporter::connect_common(NdbSocket & socket)
 {
+  struct x509_st * cert = socket.peer_certificate();
+  if(cert)
+  {
+    m_encrypted = true;
+    m_transporter_registry.getTlsKeyManager()->cert_table_set(remoteNodeId,
+                                                              cert);
+    socket.enable_locking();
+  }
+
   setSocketOptions(socket.ndb_socket());
   socket.set_nonblocking(true);
 
@@ -532,15 +541,13 @@ TCP_Transporter::shutdown()
 {
   if (theSocket.is_valid())
   {
-    DEB_MULTI_TRP(("Close socket for trp %u",
-                   getTransporterIndex()));
+    DEB_MULTI_TRP(("Close socket for trp %u", getTransporterIndex()));
     theSocket.close();
     theSocket.invalidate();
   }
   else
   {
-    DEB_MULTI_TRP(("Socket already closed for trp %u",
-                   getTransporterIndex()));
+    DEB_MULTI_TRP(("Socket already closed for trp %u", getTransporterIndex()));
   }
   m_connected = false;
 }
@@ -694,4 +701,7 @@ TCP_Transporter::disconnectImpl()
       report_error(TE_ERROR_CLOSING_SOCKET);
     }
   }
+
+  m_encrypted = false;
+  m_transporter_registry.getTlsKeyManager()->cert_table_clear(remoteNodeId);
 }

storage/ndb/src/common/transporter/Transporter.cpp

@@ -271,6 +271,11 @@ Transporter::connect_server(NdbSocket & sockfd,
   DBUG_RETURN(true);
 }
 
+inline static void
+tls_error(int code)
+{
+  g_eventLogger->error("TLS error %d '%s'", code, TlsKeyError::message(code));
+}
 
 bool
 Transporter::connect_client()
@@ -351,11 +356,41 @@ Transporter::connect_client()
     int auth = m_socket_client->authenticate(secureSocket);
     if(auth < SocketAuthenticator::AuthOk)
     {
-      DEBUG_FPRINTF((stderr, "Socket Authenticator failed\n"));
       DBUG_RETURN(false);
     }
     g_eventLogger->debug("Transporter client auth result: %d [%s]", auth,
                          SocketAuthenticator::error(auth));
+
+    if(auth == SocketAuthTls::negotiate_tls_ok) // Initiate TLS
+    {
+      struct ssl_ctx_st * ctx = m_transporter_registry.m_tls_keys.ctx();
+      struct ssl_st * ssl = NdbSocket::get_client_ssl(ctx);
+      if(ssl == nullptr)
+      {
+        tls_error(TlsKeyError::no_local_cert);
+        DBUG_RETURN(false);
+      }
+      if(! secureSocket.associate(ssl))
+      {
+        tls_error(TlsKeyError::openssl_error);
+        NdbSocket::free_ssl(ssl);
+        DBUG_RETURN(false);
+      }
+      if(! secureSocket.do_tls_handshake())
+      {
+        tls_error(TlsKeyError::authentication_failure);
+        DBUG_RETURN(false);
+      }
+
+      /* Certificate Authorization */
+      auth = TlsKeyManager::check_server_host_auth(secureSocket,
+                                                   remoteHostName);
+      if(auth)
+      {
+        tls_error(auth);
+        DBUG_RETURN(false);
+      }
+    }
   }
 
   DBUG_RETURN(connect_client(secureSocket));

storage/ndb/src/common/transporter/Transporter.hpp

@@ -295,7 +295,7 @@ class Transporter {
   // Sending/Receiving socket used by both client and server
   NdbSocket theSocket;
 private:
-  SocketClient *m_socket_client;
+  SocketClient *m_socket_client {nullptr};
   ndb_sockaddr m_connect_address;
 
   virtual bool send_is_possible(int timeout_millisec) const = 0;

storage/ndb/src/common/transporter/TransporterRegistry.cpp

@@ -126,12 +126,33 @@ SocketServer::Session * TransporterService::newSession(ndb_socket_t sockfd)
   DEBUG_FPRINTF((stderr, "New session created\n"));
   if(m_auth)
   {
-    int r = m_auth->server_authenticate(secureSocket);
-    if(r < SocketAuthenticator::AuthOk)
+    int auth_result = m_auth->server_authenticate(secureSocket);
+    g_eventLogger->debug("Transporter server auth result: %d [%s]",
+                         auth_result, SocketAuthenticator::error(auth_result));
+    if(auth_result < SocketAuthenticator::AuthOk)
     {
       DEBUG_FPRINTF((stderr, "Failed to authenticate new session\n"));
       secureSocket.close_with_reset(true); // Close with reset
-      DBUG_RETURN(0);
+      DBUG_RETURN(nullptr);
+    }
+
+    if(auth_result == SocketAuthTls::negotiate_tls_ok) // Intitate TLS
+    {
+      struct ssl_ctx_st * ctx = m_transporter_registry->m_tls_keys.ctx();
+      struct ssl_st * ssl = NdbSocket::get_server_ssl(ctx);
+      if(ssl == nullptr)
+      {
+        DBUG_RETURN(nullptr);
+      }
+      if(! secureSocket.associate(ssl))
+      {
+        NdbSocket::free_ssl(ssl);
+        DBUG_RETURN(nullptr);
+      }
+      if(! secureSocket.do_tls_handshake())
+      {
+        DBUG_RETURN(nullptr);
+      }
     }
   }
 
@@ -794,6 +815,23 @@ TransporterRegistry::connect_server(NdbSocket & socket,
     DBUG_RETURN(false);
   }
 
+  /* Client Certificate Authorization.
+  */
+  ClientAuthorization * clientAuth;
+  int authResult = TlsKeyManager::check_socket_for_auth(socket, & clientAuth);
+
+  if((authResult == 0)  && clientAuth) {
+    // This check may block, waiting for a DNS lookup
+    authResult = TlsKeyManager::perform_client_host_auth(clientAuth);
+  }
+
+  if(authResult)
+  {
+    msg.assfmt("TLS %s (for node %d [%s])",
+               TlsKeyError::message(authResult), nodeId, t->remoteHostName);
+    DBUG_RETURN(false);
+  }
+
   // Send reply to client
   SecureSocketOutputStream s_output(socket);
   if (s_output.println("%d %d", t->getLocalNodeId(), t->m_type) < 0)