WL#15135 patch #2: Class TlsKeyManager

Part of WL#15135 Certificate Architecture

This patch introduces class TlsKeyManager, containing all TLS
authentication and key management logic. A single instance of
TlsKeyManager in each node owns the local NodeCertificate, an
SSL_CTX, and a table holding the serial numbers and expiration
dates of all peer certificates.

A large set of TLS-related error codes is introduced in the file
TlsKeyErrors.h.

The unit test testTlsKeyManager-t tests TLS authentication over
client/server connections on localhost.

Change-Id: I2ee42efc268219639691f73a1d7638a336844d88

Author: jdduncan

storage/ndb/include/util/NdbSocket.h

@@ -129,9 +129,10 @@ class NdbSocket {
    */
   bool key_update_pending() const;
 
-  /* Get peer's TLS certificate
+  /* Get peer's TLS certificate, and update the certificate reference count.
    *
-   * Returns nullptr if socket does not have TLS enabled.
+   * The caller should free the returned pointer using Certificate::free().
+   * Returns nullptr if no certificate is available.
    */
   struct x509_st * peer_certificate() const;
 

storage/ndb/include/util/TlsKeyErrors.h

@@ -0,0 +1,140 @@
+/*
+   Copyright (c) 2022, 2023, Oracle and/or its affiliates.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License, version 2.0,
+   as published by the Free Software Foundation.
+
+   This program is also distributed with certain software (including
+   but not limited to OpenSSL) that is licensed under separate terms,
+   as designated in a particular file or component or in included license
+   documentation.  The authors of MySQL hereby grant you an additional
+   permission to link the program and your derivative works with the
+   separately licensed software that they have included with MySQL.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License, version 2.0, for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+*/
+
+#ifndef NDB_UTIL_TLS_KEY_ERRORS_H
+#define NDB_UTIL_TLS_KEY_ERRORS_H
+
+class TlsKeyError {
+public:
+  enum code {
+    no_error                        = 0,
+    negotiation_failure             = 1,
+    openssl_error                   = 2,
+    no_local_cert                   = 3,
+    authentication_failure          = 4,
+    auth2_bad_socket                = 5,
+    auth2_no_cert                   = 6,
+    auth2_bad_common_name           = 7,
+    auth2_bad_hostname              = 8,
+    auth2_resolver_error            = 9,
+    /* space for 3 more auth errors */
+    verification_error              = 13,
+    signing_error                   = 14,
+    lifetime_error                  = 15,
+    password_error                  = 16,
+    cannot_store_ca_key             = 17,
+    cannot_store_ca_cert            = 18,
+    failed_to_init_ca               = 19,
+    ca_key_not_found                = 20,
+    ca_cert_not_found               = 21,
+    cannot_read_ca_key              = 22,
+    cannot_read_ca_cert             = 23,
+    /* space for 3 more generic errors */
+    END_GENERIC_ERRORS              = 27,
+    cannot_store_pending_key        = 28,
+    pending_key_not_found           = 29,
+    active_key_not_found            = 30,
+    cannot_read_pending_key         = 31,
+    cannot_read_active_key          = 32,
+    cannot_promote_key              = 33,
+    cannot_store_signing_req        = 34,
+    cannot_read_signing_req         = 35,
+    cannot_remove_signing_req       = 36,
+    pending_cert_fails_auth         = 37,
+    cannot_store_pending_cert       = 38,
+    pending_cert_not_found          = 39,
+    active_cert_not_found           = 40,
+    cannot_read_pending_cert        = 41,
+    cannot_read_active_cert         = 42,
+    cannot_promote_cert             = 43,
+    active_cert_mismatch            = 44,
+    active_cert_invalid             = 45,
+    active_cert_expired             = 46,
+    no_writable_dir                 = 47,
+    END_ERRORS
+  };
+
+  static const char * message(int n) {
+    if(n > 0 && n < code::END_ERRORS)
+      return _message[n];
+    return "(unknown error code)";
+  }
+
+private:
+  static constexpr const char * _message[code::END_ERRORS] =
+  {
+    "(no error)",
+    "protocol negotiation failure",
+    "openssl error",
+    "no certificate",
+    "authentication failure",
+    "authorization failure: socket error",
+    "authorization failure: no peer certificate",
+    "authorization failure: subject common name is non-conforming",
+    "authorization failure: bad hostname",
+    "authorization failure: resolver error",
+    "(unused code 10)",
+    "(unused code 11)",
+    "(unused code 12)",
+
+    "signature verification error",
+    "signing error",
+    "invalid certificate lifetime parameters",
+    "password error",
+    "failed to store CA key file",
+    "failed to store CA certificate file",
+    "failed to initialize Certification Authority",
+    "CA key file not found",
+    "CA certificate file not found",
+    "cannot read CA key file",
+    "cannot read CA certificate file",
+    "(unused code 24)",
+    "(unused code 25)",
+    "(unused code 26)",
+    "(unused code 27)",  // END_GENERIC_ERRORS
+
+    "cannot store pending key file",
+    "pending key not found",
+    "active key not found",
+    "cannot read pending key file",
+    "cannot read active key file",
+    "error promoting pending key to active",
+    "cannot store signing request",
+    "cannot read signing request",
+    "cannot remove signing request",
+    "pending certificate fails authentication against active CA chain",
+    "cannot store pending certificate file",
+    "pending certificate not found",
+    "active certificate not found",
+    "cannot read pending certificate file",
+    "cannot read active certificate file",
+    "error promoting pending certificate to active",
+    "node certificate has wrong public key",
+    "active node certificate is not valid",
+    "active node certificate has expired",
+    "no writable directory found in TLS search path"
+  };
+};
+
+#endif

storage/ndb/include/util/TlsKeyManager.hpp

@@ -0,0 +1,172 @@
+/* Copyright (c) 2022, 2023, Oracle and/or its affiliates.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License, version 2.0,
+   as published by the Free Software Foundation.
+
+   This program is also distributed with certain software (including
+   but not limited to OpenSSL) that is licensed under separate terms,
+   as designated in a particular file or component or in included license
+   documentation.  The authors of MySQL hereby grant you an additional
+   permission to link the program and your derivative works with the
+   separately licensed software that they have included with MySQL.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License, version 2.0, for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+*/
+
+#ifndef NDB_UTIL_TLS_KEY_MANAGER_H
+#define NDB_UTIL_TLS_KEY_MANAGER_H
+
+#include "ndb_limits.h"   // MAX_NODES
+
+#include "portlib/NdbMutex.h"
+#include "util/NodeCertificate.hpp"
+#include "util/NdbSocket.h"
+#include "util/TlsKeyErrors.h"
+
+struct cert_table_entry {
+  time_t expires;
+  const char * name;
+  const char * serial;
+};
+
+class ClientAuthorization;
+
+class TlsKeyManager {
+public:
+  enum TlsVersion { Tls12, Tls13 };
+
+  TlsKeyManager();
+  ~TlsKeyManager();
+
+  /* TlsKeyManager::init() for NDB nodes.
+     All error and info messages are logged to g_EventLogger.
+     You can test whether init() has succeeded by calling ctx().
+  */
+  void init(const char * tls_search_path,
+            int node_id, int node_type, bool is_primary);
+
+  /* init() for MGM Clients that will not have a node ID */
+  void init_mgm_client(const char * tls_search_path,
+                       Node::Type type = Node::Type::Client);
+
+  /* Alternate versions of init() used for authentication testing */
+  void init(int node_id, const NodeCertificate *);
+  void init(int node_id, struct stack_st_X509 *, struct evp_pkey_st *);
+
+  /* Get SSL_CTX */
+  struct ssl_ctx_st * ctx() const { return m_ctx; }
+
+  void cert_table_set(int node_id, struct x509_st *);
+  void cert_table_clear(int node_id);
+  bool iterate_cert_table(int & node_id, cert_table_entry *);
+
+  // Check replacement date of our own node certificate
+  // pct should be a number between 0.0 and 1.0, where 0 represents the
+  // not-valid-before date 1 represents the not-valid-after date.
+  // Returns true if the current time is strictly less than pct.
+  bool check_replace_date(float pct);
+
+  /* Class method: TLS verification callback */
+  static int on_verify(int result, struct x509_store_ctx_st *);
+
+  /* Class methods: certificate hostname authorization checks.
+
+     The check of a server's certificate is a simple comparison between the
+     hostnames in the cert and the name the client used in order to reach the
+     server.
+
+     The check of a client's certificate requires a DNS lookup. It is divided
+     into a "fast" part, in check_socket_for_auth(), and a "slow" (blocking)
+     part, in perform_client_host_auth(). The API is designed to allow the
+     slow part to run asynchronously if needed.
+  */
+
+  // Client-side checks of server cert:
+  static int check_server_host_auth(const NdbSocket &, const char *name);
+  static int check_server_host_auth(struct x509_st *, const char *name);
+  static int check_server_host_auth(const NodeCertificate &, const char *);
+
+  /* Server-side check of client cert:
+
+     check_socket_for_auth() can return a non-zero TlsKeyError error code:
+        auth2_no_cert if socket has no client certificate;
+        auth2_bad_common_name if cert CN is not valid for NDB;
+        auth2_bad_socket if getpeername() fails.
+
+     Otherwise it returns zero, and the caller should check the contents
+     of pAuth. If *pAuth is null, the certificate is not bound to a
+     hostname, so authorization is complete. If *pAuth is non-null,
+     hostname authorization is required, and the user should call
+     perform_client_host_auth(*pAuth).
+  */
+  static int check_socket_for_auth(const NdbSocket & socket,
+                                   ClientAuthorization ** pAuth);
+
+  /* test harness */
+  static ClientAuthorization * test_client_auth(struct x509_st *,
+                                                const struct addrinfo *);
+
+  /* perform_client_host_auth() checks the socket peer against the certificate
+     hostname, using DNS lookup. It will block, synchronously waiting for
+     DNS. On return, the supplied ClientAuthorization will have been
+     deleted. Returns a TlsKeyError code.
+  */
+  static int perform_client_host_auth(ClientAuthorization *);
+
+
+protected:
+  void initialize_context();
+
+  void log_error(TlsKeyError::code);
+  void log_error() const;
+
+  bool open_active_cert();
+
+  static constexpr Node::Type cert_type[3] = {
+    /* indexed to NODE_TYPE_DB, NODE_TYPE_API, NODE_TYPE_MGM */
+    Node::Type::DB, Node::Type::Client, Node::Type::MGMD
+  };
+
+private:
+  enum UserType { Primary, SecondaryApi, MgmClient };
+
+  PkiFile::PathName m_key_file, m_cert_file;
+  char * m_path_string {nullptr};
+  TlsSearchPath * m_search_path {nullptr};
+  static constexpr size_t SN_buf_len = 30;
+  static constexpr size_t CN_buf_len = 65;
+  struct private_cert_table_entry {
+    char serial[SN_buf_len];
+    char name[CN_buf_len];
+    time_t expires {0};
+    bool active {false};
+  } m_cert_table[MAX_NODES];
+  NodeCertificate m_node_cert;
+  NdbMutex m_cert_table_mutex;
+  int m_error {0};
+  int m_node_id;
+  Node::Type m_type;
+  struct ssl_ctx_st * m_ctx {nullptr};
+
+  void init(const char *, int, Node::Type, UserType);
+
+  bool cert_table_get(const private_cert_table_entry &,
+                      cert_table_entry *) const;
+  void free_path_strings();
+};
+
+inline void TlsKeyManager::init_mgm_client(const char * tls_search_path,
+                                           Node::Type type)
+{
+  init(tls_search_path, 0, type, MgmClient);
+}
+
+#endif

storage/ndb/src/common/util/CMakeLists.txt

@@ -61,6 +61,7 @@ ADD_CONVENIENCE_LIBRARY(ndbgeneral
   SocketAuthenticator.cpp
   SocketClient.cpp
   SocketServer.cpp
+  TlsKeyManager.cpp
   Vector.cpp
   basename.cpp
   decimal_utils.cpp
@@ -81,7 +82,7 @@ ADD_CONVENIENCE_LIBRARY(ndbgeneral
 SET_TARGET_PROPERTIES(ndbgeneral PROPERTIES LINK_INTERFACE_MULTIPLICITY 3)
 
 FOREACH(tests BaseString Bitmask SparseBitmask Parser HashMap2 LinkedStack
-        NodeCertificate ndb_zlib cstrbuf span)
+        NodeCertificate TlsKeyManager ndb_zlib cstrbuf span)
   NDB_ADD_TEST("${tests}-t" "${tests}.cpp" LIBS ndbgeneral)
 ENDFOREACH(tests)
 
@@ -106,6 +107,7 @@ FOREACH(tests
     testProp
     testSecureSocket
     testConfigValues
+    testTlsKeyManager
     )
   NDB_ADD_TEST("${tests}-t" "${tests}.cpp" LIBS ndbmgmapi ndbgeneral ndbportlib)
 ENDFOREACH(tests)