WL#15524 Patch #1 "START TLS" for management API

zmur · zmur · commit b604adeb6beb · 2023-08-22T15:23:26.000+02:00
Post push fix.

Do not allow ndb_mgm_listen_event to return a socket that uses TLS since
user can not access the corresponding SSL object thorugh the public
MgmAPI.

Change-Id: I2a741efe4f80db750419101ecabb03fb5e025346
diff --git a/storage/ndb/src/mgmapi/mgmapi.cpp b/storage/ndb/src/mgmapi/mgmapi.cpp
@@ -2464,7 +2464,7 @@ ndb_mgm_set_loglevel_node(NdbMgmHandle handle, int nodeId,
 
 int
 ndb_mgm_listen_event_internal(NdbMgmHandle handle, const int filter[],
-                              int parsable, ndb_socket_t* sock)
+                              int parsable, ndb_socket_t* sock, bool allow_tls)
 {
   DBUG_ENTER("ndb_mgm_listen_event_internal");
   CHECK_HANDLE(handle, -1);
@@ -2561,7 +2561,7 @@ ndb_mgm_listen_event_internal(NdbMgmHandle handle, const int filter[],
     ndb_mgm::handle_ptr tmp_handle(ndb_mgm_create_handle());
     tmp_handle->socket.init_from_new(sockfd);
 
-    if(handle->ssl_ctx)
+    if(allow_tls && handle->ssl_ctx)
     {
       ndb_mgm_set_ssl_ctx(tmp_handle.get(), handle->ssl_ctx);
       ndb_mgm_start_tls(tmp_handle.get());
@@ -2588,7 +2588,8 @@ socket_t
 ndb_mgm_listen_event(NdbMgmHandle handle, const int filter[])
 {
   ndb_socket_t s;
-  if(ndb_mgm_listen_event_internal(handle,filter,0,&s)<0)
+  constexpr bool no_tls = false;
+  if(ndb_mgm_listen_event_internal(handle, filter, 0, &s, no_tls)<0)
     ndb_socket_invalidate(&s);
   return ndb_socket_get_native(s);
 }
diff --git a/storage/ndb/src/mgmapi/mgmapi_internal.h b/storage/ndb/src/mgmapi/mgmapi_internal.h
@@ -119,4 +119,7 @@ ndb_mgm_get_configuration2(NdbMgmHandle handle,
                            enum ndb_mgm_node_type nodetype,
                            int from_node = 0);
 
+int ndb_mgm_listen_event_internal(NdbMgmHandle, const int filter[], int,
+                                  ndb_socket_t*, bool allow_tls);
+
 #endif
diff --git a/storage/ndb/src/mgmapi/ndb_logevent.cpp b/storage/ndb/src/mgmapi/ndb_logevent.cpp
@@ -35,10 +35,6 @@
 
 #include "ndb_logevent.hpp"
 
-extern
-int ndb_mgm_listen_event_internal(NdbMgmHandle, const int filter[],
-                                  int, ndb_socket_t*);
-
 struct ndb_logevent_error_msg {
   enum ndb_logevent_handle_error code;
   const char *msg;
@@ -87,7 +83,8 @@ ndb_mgm_create_logevent_handle(NdbMgmHandle mh,
     return nullptr;
 
   ndb_socket_t sock;
-  if(ndb_mgm_listen_event_internal(mh, filter, 1, &sock) < 0)
+  constexpr bool allow_tls = true;
+  if(ndb_mgm_listen_event_internal(mh, filter, 1, &sock, allow_tls) < 0)
   {
     free(h);
     return nullptr;

Original file line number	Diff line number	Diff line change
`@@ -2464,7 +2464,7 @@ ndb_mgm_set_loglevel_node(NdbMgmHandle handle, int nodeId,`
`2464`	`2464`
`2465`	`2465`	`int`
`2466`	`2466`	`ndb_mgm_listen_event_internal(NdbMgmHandle handle, const int filter[],`
`2467`		`- int parsable, ndb_socket_t* sock)`
	`2467`	`+ int parsable, ndb_socket_t* sock, bool allow_tls)`
`2468`	`2468`	`{`
`2469`	`2469`	`DBUG_ENTER("ndb_mgm_listen_event_internal");`
`2470`	`2470`	`CHECK_HANDLE(handle, -1);`
`@@ -2561,7 +2561,7 @@ ndb_mgm_listen_event_internal(NdbMgmHandle handle, const int filter[],`
`2561`	`2561`	`ndb_mgm::handle_ptr tmp_handle(ndb_mgm_create_handle());`
`2562`	`2562`	`tmp_handle->socket.init_from_new(sockfd);`
`2563`	`2563`
`2564`		`- if(handle->ssl_ctx)`
	`2564`	`+ if(allow_tls && handle->ssl_ctx)`
`2565`	`2565`	`{`
`2566`	`2566`	`ndb_mgm_set_ssl_ctx(tmp_handle.get(), handle->ssl_ctx);`
`2567`	`2567`	`ndb_mgm_start_tls(tmp_handle.get());`
`@@ -2588,7 +2588,8 @@ socket_t`
`2588`	`2588`	`ndb_mgm_listen_event(NdbMgmHandle handle, const int filter[])`
`2589`	`2589`	`{`
`2590`	`2590`	`ndb_socket_t s;`
`2591`		`- if(ndb_mgm_listen_event_internal(handle,filter,0,&s)<0)`
	`2591`	`+ constexpr bool no_tls = false;`
	`2592`	`+ if(ndb_mgm_listen_event_internal(handle, filter, 0, &s, no_tls)<0)`
`2592`	`2593`	`ndb_socket_invalidate(&s);`
`2593`	`2594`	`return ndb_socket_get_native(s);`
`2594`	`2595`	`}`