WL#15154 post-push fixes

jdduncan · jdduncan · commit 8948014f6962 · 2023-07-21T10:00:36.000-07:00
Change-Id: I97e56e84392a49d0510ac8a408db6df8556c76cb
diff --git a/storage/ndb/src/common/mgmcommon/ConfigInfo.cpp b/storage/ndb/src/common/mgmcommon/ConfigInfo.cpp
@@ -28,6 +28,7 @@
 #include <cstring>
 #include <optional>
 #include <time.h>
+#include "openssl/ssl.h"
 
 #include "ConfigInfo.hpp"
 #include <mgmapi_config_parameters.h>
@@ -37,8 +38,9 @@
 #include <Bitmask.hpp>
 #include <ndb_opts.h>
 #include <ndb_version.h>
+#include "portlib/ndb_localtime.h"
+#include "portlib/ndb_openssl_version.h"
 #include "portlib/ndb_sockaddr.h"
-#include <portlib/ndb_localtime.h>
 #include <NdbTCP.h>
 
 #define KEY_INTERNAL 0
@@ -49,6 +51,9 @@
 #define _STR_VALUE(x) #x
 #define STR_VALUE(x) _STR_VALUE(x)
 
+static constexpr bool openssl_version_ok =
+  (OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL);
+
 /****************************************************************************
  * Section names
  ****************************************************************************/
@@ -3513,7 +3518,7 @@ const ConfigInfo::ParamInfo ConfigInfo::m_ParamInfo[] = {
 
   {
     CFG_TCP_REQUIRE_TLS,
-    "RequireTls",
+    "RequireLinkTls",
     "TCP",
     "Use TLS authenticated secure connections for TCP transporter links",
     ConfigInfo::CI_INTERNAL,
@@ -6358,7 +6363,11 @@ add_a_connection(Vector<ConfigInfo::ConfigRuleSection>&sections,
       return ret == 0 ? true : false;
     }
   }
-  tmp->get("RequireTls", &reqTls1);
+
+  if(openssl_version_ok)
+  {
+    tmp->get("RequireTls", &reqTls1);
+  }
 
   require(ctx.m_config->get("Node", nodeId2, &tmp));
   tmp->get("HostName", &hostname2);
@@ -6386,7 +6395,11 @@ add_a_connection(Vector<ConfigInfo::ConfigRuleSection>&sections,
       return ret == 0 ? true : false;
     }
   }
-  tmp->get("RequireTls", &reqTls2);
+
+  if(openssl_version_ok)
+  {
+    tmp->get("RequireTls", &reqTls2);
+  }
 
   char buf[16];
   s.m_sectionData= new Properties(true);
@@ -6415,7 +6428,7 @@ add_a_connection(Vector<ConfigInfo::ConfigRuleSection>&sections,
       s.m_sectionData->put("TCP_MAXSEG_SIZE", 61440);
     }
 
-    s.m_sectionData->put("RequireTls", reqTls1 | reqTls2);
+    s.m_sectionData->put("RequireLinkTls", reqTls1 | reqTls2);
   }
   
   sections.push_back(s);
diff --git a/storage/ndb/src/common/transporter/Transporter.cpp b/storage/ndb/src/common/transporter/Transporter.cpp
@@ -354,12 +354,12 @@ Transporter::connect_client()
 
    /** Socket Authentication */
     int auth = m_socket_client->authenticate(secureSocket);
+    g_eventLogger->debug("Transporter client auth result: %d [%s]", auth,
+                         SocketAuthenticator::error(auth));
     if(auth < SocketAuthenticator::AuthOk)
     {
       DBUG_RETURN(false);
     }
-    g_eventLogger->debug("Transporter client auth result: %d [%s]", auth,
-                         SocketAuthenticator::error(auth));
 
     if(auth == SocketAuthTls::negotiate_tls_ok) // Initiate TLS
     {
diff --git a/storage/ndb/src/common/util/NodeCertificate.cpp b/storage/ndb/src/common/util/NodeCertificate.cpp
@@ -671,6 +671,12 @@ STACK_OF(X509) * Certificate::open(const char * path) {
     Certificate::read(certs, fp);
     fclose(fp);
   }
+
+  if(sk_X509_num(certs) == 0) {
+    sk_X509_free(certs);
+    certs = nullptr;
+  }
+
   return certs;
 }
 
diff --git a/storage/ndb/src/common/util/SocketAuthenticator.cpp b/storage/ndb/src/common/util/SocketAuthenticator.cpp
@@ -109,7 +109,7 @@ int SocketAuthTls::client_authenticate(NdbSocket & sockfd)
   const bool tls_enabled = m_tls_keys->ctx();
 
   // Write first line
-  if(tls_required)
+  if(tls_required && tls_enabled)
     s_output.println("ndbd TLS required");
   else if(tls_enabled)
     s_output.println("ndbd TLS enabled");
diff --git a/storage/ndb/src/kernel/ndbd.cpp b/storage/ndb/src/kernel/ndbd.cpp
@@ -57,8 +57,12 @@
 #include <LogBuffer.hpp>
 #include <OutputStream.hpp>
 
+#include "util/ndb_openssl3_compat.h"
+
 #define JAM_FILE_ID 484
 
+static constexpr bool openssl_version_ok =
+  (OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL);
 
 static void
 systemInfo(const Configuration & config, const LogLevel & logLevel)
@@ -1175,16 +1179,23 @@ ndbd_run(bool foreground, int report_fd,
       globalEmulatorData.theConfiguration->getOwnConfigIterator();
   require(p != nullptr);
 
+  if(openssl_version_ok)
   {
-    Uint32 require_cert = 0;
+    Uint32 require_cert = 0, require_tls = 0;
     ndb_mgm_get_int_parameter(p, CFG_NODE_REQUIRE_CERT, &require_cert);
-    if(require_cert && ! globalTransporterRegistry.hasTlsCert())
+    ndb_mgm_get_int_parameter(p, CFG_DB_REQUIRE_TLS, &require_tls);
+    if((require_cert || require_tls) &&
+        ! globalTransporterRegistry.hasTlsCert())
     {
       g_eventLogger->error(
         "Shutting down. This node does not have a valid TLS certificate.");
       stop_async_log_func(log_threadvar, thread_args);
       ndbd_exit(-1);
     }
+    if(require_tls)
+    {
+      g_eventLogger->info("This node will require TLS for all connections.");
+    }
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -354,12 +354,12 @@ Transporter::connect_client()`
`354`	`354`
`355`	`355`	`/** Socket Authentication */`
`356`	`356`	`int auth = m_socket_client->authenticate(secureSocket);`
	`357`	`+ g_eventLogger->debug("Transporter client auth result: %d [%s]", auth,`
	`358`	`+ SocketAuthenticator::error(auth));`
`357`	`359`	`if(auth < SocketAuthenticator::AuthOk)`
`358`	`360`	`{`
`359`	`361`	`DBUG_RETURN(false);`
`360`	`362`	`}`
`361`		`- g_eventLogger->debug("Transporter client auth result: %d [%s]", auth,`
`362`		`- SocketAuthenticator::error(auth));`
`363`	`363`
`364`	`364`	`if(auth == SocketAuthTls::negotiate_tls_ok) // Initiate TLS`
`365`	`365`	`{`
Original file line number	Diff line number	Diff line change
`@@ -671,6 +671,12 @@ STACK_OF(X509) * Certificate::open(const char * path) {`
`671`	`671`	`Certificate::read(certs, fp);`
`672`	`672`	`fclose(fp);`
`673`	`673`	`}`
	`674`	`+`
	`675`	`+ if(sk_X509_num(certs) == 0) {`
	`676`	`+ sk_X509_free(certs);`
	`677`	`+ certs = nullptr;`
	`678`	`+ }`
	`679`	`+`
`674`	`680`	`return certs;`
`675`	`681`	`}`
`676`	`682`