MDEV-31856 use ephemeral ssl certificates

if the server is started with --ssl but without neither --ssl-key nor --ssl-cert, let it automatically generate a self-signed certificate. It's generated in memory only and never saved to disk.
MariaDB · Feb 4, 2024 · 9f93630 · 9f93630
1 parent d33a8ab
commit 9f93630
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 4 deletions.
diff --git a/extra/wolfssl/user_settings.h.in b/extra/wolfssl/user_settings.h.in
@@ -28,6 +28,8 @@
 #define NO_OLD_TIMEVAL_NAME
 #define HAVE_SECURE_RENEGOTIATION
 #define HAVE_EXTENDED_MASTER
+#define WOLFSSL_KEY_GEN
+#define WOLFSSL_CERT_GEN
 
 /* TLSv1.3 definitions (all needed to build) */
 #define WOLFSSL_TLS13

diff --git a/mysql-test/main/ssl_autoverify.combinations b/mysql-test/main/ssl_autoverify.combinations
@@ -0,0 +1,8 @@
+[pem]
+loose-enable-named-pipe
+
+[auto]
+ssl-key=
+ssl-cert=
+ssl-ca=
+loose-enable-named-pipe
diff --git a/mysql-test/main/ssl_autoverify.opt b/mysql-test/main/ssl_autoverify.opt
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
@@ -95,6 +95,59 @@ sslGetErrString(enum enum_ssl_init_error e)
   return ssl_error_string[e];
 }
 
+static EVP_PKEY *vio_keygen()
+{
+  EVP_PKEY_CTX *ctx;
+  EVP_PKEY *pkey = NULL;
+
+  if (!(ctx= EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)))
+    return NULL;
+
+  if (EVP_PKEY_keygen_init(ctx) <= 0)
+    goto end;
+
+  if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 4096) <= 0)
+    goto end;
+
+  if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
+    pkey= NULL; /* just in case */
+
+end:
+  EVP_PKEY_CTX_free(ctx);
+  return pkey;
+}
+
+static X509 *vio_gencert(EVP_PKEY *pkey)
+{
+  X509 *x;
+  X509_NAME *name;
+
+  if (!(x= X509_new()))
+    goto err;
+
+  if (!(name= X509_get_subject_name(x)))
+    goto err;
+  if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+         (uchar*)STRING_WITH_LEN("MariaDB Server"), -1, 0))
+    goto err;
+  if (!X509_set_issuer_name(x, name))
+    goto err;
+  if (!X509_gmtime_adj(X509_get_notBefore(x), 0))
+    goto err;
+  if (!X509_gmtime_adj(X509_get_notAfter(x), 60*60*24*365*10))
+    goto err;
+  if (!X509_set_pubkey(x, pkey))
+    goto err;
+  if (!X509_sign(x, pkey, EVP_sha256()))
+    goto err;
+
+  return x;
+
+err:
+  X509_free(x);
+  return NULL;
+}
+
 static int
 vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
                    my_bool is_client, enum enum_ssl_init_error* error)
@@ -107,9 +160,23 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
   {
     if (!is_client)
     {
-      *error= SSL_INITERR_CERT;
-      fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
-      DBUG_RETURN(1);
+      EVP_PKEY *pkey;
+      X509 *x509;
+      if (!(pkey= vio_keygen()) || SSL_CTX_use_PrivateKey(ctx, pkey) < 1)
+      {
+        *error= SSL_INITERR_KEY;
+        fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+        DBUG_RETURN(1);
+      }
+
+      if (!(x509= vio_gencert(pkey)) || SSL_CTX_use_certificate(ctx, x509) < 1)
+      {
+        *error= SSL_INITERR_CERT;
+        fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+        DBUG_RETURN(1);
+      }
+      EVP_PKEY_free(pkey);      /* decrement refcnt */
+      X509_free(x509);          /* ditto */
     }
     DBUG_RETURN(0);
   }
@@ -250,6 +317,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file,
   long ssl_ctx_options;
   DBUG_ENTER("new_VioSSLFd");
 
+  fix_value(key_file);
+  fix_value(cert_file);
   fix_value(ca_file);
   fix_value(ca_path);
   fix_value(crl_file);