WL#15135 second set of post-push fixes

jdduncan · jdduncan · commit b657b46c4512 · 2023-07-14T23:40:02.000-07:00
Add more stub functions for platforms with older versions of
OpenSSL.

Improve handling of environment variables in TLS Search Path.

Disable testTlsKeyManager-t on systems with OpenSSL 1.0.x.

Change-Id: Ide1662bc17cd365e7c270b42082ccaeb8b870ecb
diff --git a/storage/ndb/include/util/ndb_openssl3_compat.h b/storage/ndb/include/util/ndb_openssl3_compat.h
@@ -44,7 +44,7 @@ EVP_PKEY * EVP_EC_generate(const char * curve);
 
 #endif  /* OPENSSL_VERSION_NUMBER */
 
-/* These stub functions allow NodeCertificate.cpp to compile with old OpenSSL */
+/* These stub functions allow NDB TLS code to compile with OpenSSL 1.0.x */
 #if OPENSSL_VERSION_NUMBER < NDB_TLS_MINIMUM_OPENSSL
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -53,18 +53,24 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *);
 #ifndef X509_getm_notBefore
 #define X509_getm_notBefore X509_get_notBefore
 #define X509_getm_notAfter X509_get_notAfter
+#define __NEED_STUB_ASN1_TIME_GET0_FUNCTIONS 1
+const ASN1_TIME *X509_get0_notBefore(const X509 *);
+const ASN1_TIME *X509_get0_notAfter(const X509 *);
 #endif
 
-EVP_PKEY  *X509_REQ_get0_pubkey(X509_REQ *);
-void X509_get0_signature(const ASN1_BIT_STRING **, const X509_ALGOR **,
-                         const X509 *);
+EVP_PKEY *X509_get0_pubkey(X509 *);
+EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *);
+inline void X509_get0_signature(const ASN1_BIT_STRING **, const X509_ALGOR **,
+                                const X509 *) {}
 int X509_get_signature_info(X509 *, int *, int *, int *, uint32_t *);
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *,
                                     X509V3_CTX *, int, const char *);
 int ASN1_TIME_to_tm(const ASN1_TIME *, struct tm *);
 int EVP_PKEY_up_ref(EVP_PKEY *);
 int X509_up_ref(X509 *);
 
+inline SSL_METHOD * TLS_method() { return nullptr; }
+
 #endif
 
 #endif  /* NDB_PORTLIB_OPENSSL_COMPAT_H */
diff --git a/storage/ndb/src/common/util/NodeCertificate.cpp b/storage/ndb/src/common/util/NodeCertificate.cpp
@@ -84,10 +84,14 @@ static void expand(BaseString & result, const BaseString & path, int envStart) {
     c = item[envEnd];
   }
 
-  BaseString envVar = path.substr(envStart + 1, envEnd);
   if(envStart > 0)
     result.assign(path.substr(0, envStart));
-  result.append(getenv(envVar.c_str()));
+  if(envEnd - envStart > 1) {
+    BaseString envVar = path.substr(envStart + 1, envEnd);
+    result.append(getenv(envVar.c_str()));
+  } else {
+    result.append('$');
+  }
   result.append(path.substr(envEnd));
 }
 
@@ -112,6 +116,10 @@ TlsSearchPath::TlsSearchPath(const char * path_str) {
       expand(expansion, m_path[i], envStart);
       if(expansion.length())
         m_path[i] = expansion;
+      else {
+        m_path.erase(i);
+        i--;
+      }
     }
   }
 }
@@ -600,7 +608,7 @@ size_t Certificate::get_common_name(X509 * cert, char * buf, size_t len) {
 
 int Certificate::get_signature_prefix(X509 * cert) {
   int prefix = 0;
-  const ASN1_BIT_STRING * sig;
+  const ASN1_BIT_STRING * sig = nullptr;
   const X509_ALGOR * algorithm;
   X509_get0_signature(& sig, & algorithm, cert);
   if(sig && sig->data)
@@ -1624,7 +1632,7 @@ inline bool test_expansion(const char * path, const char * expansion) {
 }
 
 static int search_path_test() {
-  BaseString pathStr(isWin32 ? "$HOMEPATH" : "$HOME");
+  BaseString pathStr("$TMPDIR");
   pathStr.append(TlsSearchPath::Separator);
   pathStr.append(MYSQL_DATADIR);
   pathStr.append(TlsSearchPath::Separator);
@@ -1670,19 +1678,32 @@ static int search_path_test() {
   if(searchPath2.size() != 1) return 13;
   if(! searchPath2.first_writable()) return 14;
 
+  /* If the character following $ is not alnum or _, do not expand
+     $VAR expands correctly if VAR is set
+     $VAR expands to nothing if VAR is not set
+     a:my$SUFFIX expands to a:my if SUFFIX is not set
+     a:$VAR:b expands to a:b if $VAR is not set
+  */
   if(! test_expansion("$", "$")) return 15;
   if(! test_expansion("$$", "$$")) return 16;
   if(! test_expansion("$#", "$#")) return 17;
   if(isWin32) {
-    if(! test_expansion("f;abc$", "f;abc")) return 18;
+    if(! test_expansion("f;abc$", "f;abc$")) return 18;
     if(! test_expansion("a;$;b", "a;$;b")) return 19;
     if(! test_expansion("a;$", "a;$")) return 20;
-    _putenv("DRIVE=A");
-    if(! test_expansion("$DRIVE:/tls", "A:/tls")) return 21;
+    _putenv("ARMAGOGLYPOD=A");
+    if(! test_expansion("$ARMAGOGLYPOD:/tls", "A:/tls")) return 21;
+    _putenv("ARMAGOGLYPOD=");
+    if(! test_expansion("$ARMAGOGLYPOD", "")) return 22;
+    if(! test_expansion("a;$ARMAGOGLYPOD;b", "a;b")) return 23;
+    if(! test_expansion("a;my$ARMAGOGLYPOD", "a;my")) return 24;
   } else {
-    if(! test_expansion("f:abc$", "f:abc")) return 18;
+    if(! test_expansion("f:abc$", "f:abc$")) return 18;
     if(! test_expansion("a:$:b", "a:$:b")) return 19;
     if(! test_expansion("a:$", "a:$")) return 20;
+    if(! test_expansion("$ARMAGOGLYPOD", "")) return 22;
+    if(! test_expansion("a:$ARMAGOGLYPOD:b", "a:b")) return 23;
+    if(! test_expansion("a:my$ARMAGOGLYPOD", "a:my")) return 24;
   }
 
   return 0;
diff --git a/storage/ndb/src/common/util/TlsKeyManager.cpp b/storage/ndb/src/common/util/TlsKeyManager.cpp
@@ -48,16 +48,6 @@ static constexpr const char * cipher_list =
  "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:"
  "ECDHE-ECDSA-AES128-GCM-SHA256";
 
-static int error_callback(const char *str, size_t, void * vp) {
-  intptr_t r = reinterpret_cast<intptr_t>(vp);
-  g_eventLogger->error("NDB TLS [%" PRIuPTR "]: %s", r, str);
-  return 0;
-}
-
-static void log_openssl_errors(intptr_t r) {
-  ERR_print_errors_cb(error_callback, reinterpret_cast<void *>(r));
-}
-
 TlsKeyManager::TlsKeyManager() {
   NdbMutex_Init(& m_cert_table_mutex);
 }
@@ -88,17 +78,28 @@ void TlsKeyManager::log_error() const {
                          TlsKeyError::message(m_error), m_path_string);
 }
 
-
 #if OPENSSL_VERSION_NUMBER < NDB_TLS_MINIMUM_OPENSSL
-void TlsKeyManager::init(const char *, int node_id, Node::Type, UserType)
-{
-  if(node_id > 0)
-    g_eventLogger->error("NDB TLS: OpenSSL version '%s' is not supported",
-                         OPENSSL_VERSION_TEXT);
-}
+
+void TlsKeyManager::init(int, const NodeCertificate *) { }
+
+void TlsKeyManager::init(const char *, int, int, bool) { }
+
+void TlsKeyManager::init(const char *, int, Node::Type, UserType) { }
+
+void TlsKeyManager::init(int, struct stack_st_X509 *, struct evp_pkey_st *) { }
 
 #else
 
+static int error_callback(const char *str, size_t, void * vp) {
+  intptr_t r = reinterpret_cast<intptr_t>(vp);
+  g_eventLogger->error("NDB TLS [%" PRIuPTR "]: %s", r, str);
+  return 0;
+}
+
+static void log_openssl_errors(intptr_t r) {
+  ERR_print_errors_cb(error_callback, reinterpret_cast<void *>(r));
+}
+
 void TlsKeyManager::init(const char * tls_search_path, int node_id, 
                          int ndb_node_type, bool is_primary) {
   UserType userType = is_primary ? Primary : SecondaryApi;
@@ -137,7 +138,6 @@ void TlsKeyManager::init(const char * tls_search_path, int node_id,
                           "(node id %d)", node_id);
   }
 }
-#endif
 
 /* Versions of init() used by test harness */
 void TlsKeyManager::init(int node_id, STACK_OF(X509) * certs, EVP_PKEY * key) {
@@ -250,6 +250,8 @@ void TlsKeyManager::initialize_context() {
   cert_table_set(m_node_id, m_node_cert.cert());
 }
 
+#endif
+
 int TlsKeyManager::on_verify(int result, X509_STORE_CTX * store) {
   /* If result is 0, verification has failed, and this callback is
      our opportunity to write a log message.
diff --git a/storage/ndb/src/common/util/ndb_openssl3_compat.cpp b/storage/ndb/src/common/util/ndb_openssl3_compat.cpp
@@ -107,16 +107,18 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x) {
   return X509_get_serialNumber(const_cast<X509 *>(x));
 }
 
-EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *csr) {
-  EVP_PKEY * key = X509_REQ_get_pubkey(csr);
+EVP_PKEY *X509_get0_pubkey(X509 *x) {
+  EVP_PKEY * key = X509_get_pubkey(x);
   if(key)
     EVP_PKEY_free(key);
   return key;
 }
 
-void X509_get0_signature(const ASN1_BIT_STRING ** sig, const X509_ALGOR ** alg,
-                         const X509 * x) {
-  X509_get0_signature(sig, const_cast<X509_ALGOR **>(alg), x);
+EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *csr) {
+  EVP_PKEY * key = X509_REQ_get_pubkey(csr);
+  if(key)
+    EVP_PKEY_free(key);
+  return key;
 }
 
 int X509_get_signature_info(X509 *, int *, int *, int *, uint32_t *) {
@@ -141,5 +143,14 @@ int X509_up_ref(X509 *) {
   return 0;
 }
 
+#ifdef __NEED_STUB_ASN1_TIME_GET0_FUNCTIONS
+const ASN1_TIME *X509_get0_notBefore(const X509 *x) {
+  return X509_get_notBefore(x);
+}
+
+const ASN1_TIME *X509_get0_notAfter(const X509 *x) {
+  return X509_get_notAfter(x);
+}
+#endif // __NEED_STUB_ASN1_TIME_GET0_FUNCTIONS
 
 #endif
diff --git a/storage/ndb/src/common/util/testTlsKeyManager.cpp b/storage/ndb/src/common/util/testTlsKeyManager.cpp
@@ -723,6 +723,8 @@ int main(int argc, char** argv) {
   int r = opts.handle_options();
   if(r) return r;
 
+#if OPENSSL_VERSION_NUMBER >= NDB_TLS_MINIMUM_OPENSSL
+
   Test::CertAuthority ca;
   ca.sign(ca); // self-signed
 
@@ -746,6 +748,12 @@ int main(int argc, char** argv) {
 
   test_key_replace(ca);
 
+#else
+
+  printf("Test disabled: OpenSSL version too old.\n");
+
+#endif
+
   ndb_end(0);
   return exit_status();
 }
