WL#15154 patch #4 Transporter configuration

In class Transporter, add two new member variables:
  m_require_tls is a boolean TLS requirement
  m_encrypted is true only when TLS is actually in use

A corresponding change in struct TransporterConfiguration also
adds authMode.

Some application logic is added in IPConfig.cpp to configure
the new variables.

On the server side, TransporterRegistry always uses a TLS
authenticator. On the client side, all Transporter clients
initialize a SocketAuthSimple authenticator, but then TCP
Transporter clients delete this in the TCP_Transporter
constructor and replace it with a TLS authenticator.

Change-Id: I6392eecfc712f8a8f500697f34324eea01d29a8c

Author: jdduncan

storage/ndb/include/transporter/TransporterDefinitions.hpp

@@ -28,6 +28,7 @@
 #include <ndb_global.h> 
 #include <kernel_types.h> 
 #include <NdbOut.hpp>
+#include "SocketAuthenticator.hpp"   // TlsAuth
 
 /**
  * The sendbuffer limit after which the contents of the buffer is sent
@@ -92,6 +93,7 @@ struct TransporterConfiguration {
   NodeId remoteNodeId;
   NodeId localNodeId;
   NodeId serverNodeId;
+  bool requireTls;
   bool checksum;
   bool signalId;
   bool isMgmConnection; // is a mgm connection, requires transforming

storage/ndb/include/transporter/TransporterRegistry.hpp

@@ -541,10 +541,11 @@ class TransporterRegistry
     NodeId m_remote_nodeId;
     int m_s_service_port;			// signed port number
     const char *m_interface;
+    bool m_require_tls;
   };
   Vector<Transporter_interface> m_transporter_interface;
   void add_transporter_interface(NodeId remoteNodeId, const char *interf,
-		  		 int s_port);	// signed port. <0 is dynamic
+                                 int s_port, bool requireTls);
 
   int get_transporter_count() const;
   Transporter* get_transporter(TrpId id) const;

storage/ndb/src/common/mgmcommon/IPCConfig.cpp

@@ -162,10 +162,18 @@ IPCConfig::configureTransporters(Uint32 nodeId,
     Uint32 bindInAddrAny = 0;
     iter.get(CFG_TCP_BIND_INADDR_ANY, &bindInAddrAny);
 
+    bool requireTls = false;
+    if(type == CONNECTION_TYPE_TCP && (nodeId1 != nodeId2))
+    {
+      Uint32 useTls= 0;
+      iter.get(CFG_TCP_REQUIRE_TLS, &useTls);
+      requireTls = useTls;
+    }
+
     if (nodeId == nodeIdServer && !conf.isMgmConnection) {
-      tr.add_transporter_interface(remoteNodeId, 
-				   !bindInAddrAny ? localHostName : "", 
-				   server_port);
+      tr.add_transporter_interface(remoteNodeId,
+				   !bindInAddrAny ? localHostName : "",
+                                   server_port, requireTls);
     }
 
     DBUG_PRINT("info", ("Transporter between this node %d and node %d using port %d, signalId %d, checksum %d,"
@@ -191,6 +199,7 @@ IPCConfig::configureTransporters(Uint32 nodeId,
     conf.localHostName  = localHostName;
     conf.remoteHostName = remoteHostName;
     conf.serverNodeId   = nodeIdServer;
+    conf.requireTls     = requireTls;
 
     Uint32 spintime = 0;
     Uint32 shm_send_buffer_size = 2 * 1024 * 1024;
@@ -273,6 +282,8 @@ IPCConfig::configureTransporters(Uint32 nodeId,
     loopback_conf.tcp.tcpRcvBufSize = 0;
     loopback_conf.tcp.tcpMaxsegSize = 256*1024;
     loopback_conf.tcp.tcpOverloadLimit = 768*1024;
+    loopback_conf.requireTls = false;
+
     if (!tr.configureTransporter(&loopback_conf))
     {
       g_eventLogger->info("Failed to configure Loopback Transporter");

storage/ndb/src/common/transporter/TCP_Transporter.cpp

@@ -132,6 +132,10 @@ TCP_Transporter::TCP_Transporter(TransporterRegistry &t_reg,
    */
   m_slowdown_limit = m_overload_limit * 6 / 10;
 
+  m_require_tls = conf->requireTls;
+  if(! isServer)
+    use_tls_client_auth();
+
   send_checksum_state.init();
 }
 
@@ -164,6 +168,7 @@ TCP_Transporter::TCP_Transporter(TransporterRegistry &t_reg,
   sockOptTcpMaxSeg = t->sockOptTcpMaxSeg;
   m_overload_limit = t->m_overload_limit;
   m_slowdown_limit = t->m_slowdown_limit;
+  if(! isServer) use_tls_client_auth();
   send_checksum_state.init();
 }
 

storage/ndb/src/common/transporter/Transporter.cpp

@@ -84,6 +84,8 @@ Transporter::Transporter(TransporterRegistry &t_reg,
     isMgmConnection(_isMgmConnection),
     m_connected(false),
     m_type(_type),
+    m_require_tls(false),
+    m_encrypted(false),
     reportFreq(4096),
     receiveCount(0),
     receiveSize(0),
@@ -161,6 +163,16 @@ Transporter::Transporter(TransporterRegistry &t_reg,
   DBUG_VOID_RETURN;
 }
 
+void
+Transporter::use_tls_client_auth()
+{
+  delete m_socket_client;
+  SocketAuthTls * authTls =
+    new SocketAuthTls(& m_transporter_registry.m_tls_keys, m_require_tls);
+  m_socket_client= new SocketClient(authTls);
+  m_socket_client->set_connect_timeout(m_timeOutMillis);
+}
+
 Transporter::~Transporter()
 {
   delete m_socket_client;
@@ -199,6 +211,7 @@ Transporter::configure(const TransporterConfiguration* conf)
 {
   if (configure_derived(conf) &&
       conf->s_port == m_s_port &&
+      conf->requireTls == m_require_tls &&
       strcmp(conf->remoteHostName, remoteHostName) == 0 &&
       strcmp(conf->localHostName, localHostName) == 0 &&
       conf->remoteNodeId == remoteNodeId &&
@@ -335,12 +348,14 @@ Transporter::connect_client()
     m_socket_client->connect(secureSocket, remote_addr);
 
    /** Socket Authentication */
-    if(m_socket_client->authenticate(secureSocket) < SocketAuthSimple::AuthOk)
+    int auth = m_socket_client->authenticate(secureSocket);
+    if(auth < SocketAuthenticator::AuthOk)
     {
       DEBUG_FPRINTF((stderr, "Socket Authenticator failed\n"));
       DBUG_RETURN(false);
     }
-
+    g_eventLogger->debug("Transporter client auth result: %d [%s]", auth,
+                         SocketAuthenticator::error(auth));
   }
 
   DBUG_RETURN(connect_client(secureSocket));

storage/ndb/src/common/transporter/Transporter.hpp

@@ -241,6 +241,7 @@ class Transporter {
 
   virtual bool configure(const TransporterConfiguration* conf);
   virtual bool configure_derived(const TransporterConfiguration* conf) = 0;
+  void use_tls_client_auth();
 
   /**
    * Blocking, for max timeOut milli seconds
@@ -254,7 +255,7 @@ class Transporter {
    * Blocking
    */
   virtual void disconnectImpl() = 0;
-  
+
   /**
    * Remote host name/and address
    */
@@ -317,6 +318,8 @@ class Transporter {
   Uint32 m_timeOutMillis;
   bool m_connected;     // Are we connected
   TransporterType m_type;
+  bool m_require_tls;  // Configured mode
+  bool m_encrypted;    // Actual: true only if current connection is secure.
 
   /**
    * Statistics

storage/ndb/src/common/transporter/TransporterRegistry.cpp

@@ -3548,16 +3548,19 @@ TransporterRegistry::stop_clients()
 void
 TransporterRegistry::add_transporter_interface(NodeId remoteNodeId,
 					       const char *interf, 
-					       int s_port)
+					       int s_port, bool require_tls)
 {
   DBUG_ENTER("TransporterRegistry::add_transporter_interface");
   DBUG_PRINT("enter",("interface=%s, s_port= %d", interf, s_port));
   if (interf && strlen(interf) == 0)
     interf= nullptr;
 
+  // Iterate over m_transporter_interface. If an identical one
+  // already exists there, return without adding this one.
   for (unsigned i= 0; i < m_transporter_interface.size(); i++)
   {
     Transporter_interface &tmp= m_transporter_interface[i];
+    if (require_tls != tmp.m_require_tls) continue;
     if (s_port != tmp.m_s_service_port || tmp.m_s_service_port==0)
       continue;
     if (interf != nullptr && tmp.m_interface != nullptr &&
@@ -3570,10 +3573,12 @@ TransporterRegistry::add_transporter_interface(NodeId remoteNodeId,
       DBUG_VOID_RETURN; // found match, no need to insert
     }
   }
+
   Transporter_interface t;
   t.m_remote_nodeId= remoteNodeId;
   t.m_s_service_port= s_port;
   t.m_interface= interf;
+  t.m_require_tls= require_tls;
   m_transporter_interface.push_back(t);
   DBUG_PRINT("exit",("interface and port added"));
   DBUG_VOID_RETURN;
@@ -3597,8 +3602,7 @@ TransporterRegistry::start_service(SocketServer& socket_server)
     unsigned short port= (unsigned short)t.m_s_service_port;
     if(t.m_s_service_port<0)
       port= -t.m_s_service_port; // is a dynamic port
-    // FIXME, use t.m_require_tls in patch#4:
-    SocketAuthTls * auth = new SocketAuthTls(& m_tls_keys, false);
+    SocketAuthTls * auth = new SocketAuthTls(& m_tls_keys, t.m_require_tls);
     TransporterService *transporter_service = new TransporterService(auth);
     ndb_sockaddr addr;
     if (t.m_interface && Ndb_getAddr(&addr, t.m_interface))