MDEV-31856 use ephemeral ssl certificates

if the server is started with --ssl but without neither --ssl-key nor --ssl-cert, let it automatically generate a self-signed certificate. It's generated in memory only and never saved to disk.

MDEV-31856 use ephemeral ssl certificates
if the server is started with --ssl but without neither --ssl-key nor --ssl-cert, let it automatically generate a self-signed certificate. It's generated in memory only and never saved to disk.
9f93630d · Sergei Golubchik · d33a8ab1 · 9f93630d · 9f93630d · d33a8ab1
Commit 9f93630d authored Aug 23, 2023 by Sergei Golubchik
4 changed files
--- a/extra/wolfssl/user_settings.h.in
+++ b/extra/wolfssl/user_settings.h.in
@@ -28,6 +28,8 @@
 #define NO_OLD_TIMEVAL_NAME
 #define HAVE_SECURE_RENEGOTIATION
 #define HAVE_EXTENDED_MASTER
+#define WOLFSSL_KEY_GEN
+#define WOLFSSL_CERT_GEN
 /* TLSv1.3 definitions (all needed to build) */
 #define WOLFSSL_TLS13

--- a/mysql-test/main/ssl_autoverify.combinations
+++ b/mysql-test/main/ssl_autoverify.combinations
+[pem]
+loose-enable-named-pipe
+[auto]
+ssl-key=
+ssl-cert=
+ssl-ca=
+loose-enable-named-pipe
--- a/mysql-test/main/ssl_autoverify.opt
+++ b/mysql-test/main/ssl_autoverify.opt
--loose-enable-named-pipe
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -95,6 +95,59 @@ sslGetErrString(enum enum_ssl_init_error e)
  return ssl_error_string[e];
 }
+static EVP_PKEY *vio_keygen()
+{
+  EVP_PKEY_CTX *ctx;
+  EVP_PKEY *pkey = NULL;
+  if (!(ctx= EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)))
+    return NULL;
+  if (EVP_PKEY_keygen_init(ctx) <= 0)
+    goto end;
+  if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 4096) <= 0)
+    goto end;
+  if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
+    pkey= NULL; /* just in case */
+end:
+  EVP_PKEY_CTX_free(ctx);
+  return pkey;
+}
+static X509 *vio_gencert(EVP_PKEY *pkey)
+{
+  X509 *x;
+  X509_NAME *name;
+  if (!(x= X509_new()))
+    goto err;
+  if (!(name= X509_get_subject_name(x)))
+    goto err;
+  if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+         (uchar*)STRING_WITH_LEN("MariaDB Server"), -1, 0))
+    goto err;
+  if (!X509_set_issuer_name(x, name))
+    goto err;
+  if (!X509_gmtime_adj(X509_get_notBefore(x), 0))
+    goto err;
+  if (!X509_gmtime_adj(X509_get_notAfter(x), 60*60*24*365*10))
+    goto err;
+  if (!X509_set_pubkey(x, pkey))
+    goto err;
+  if (!X509_sign(x, pkey, EVP_sha256()))
+    goto err;
+  return x;
+err:
+  X509_free(x);
+  return NULL;
+}
 static int
 vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
                   my_bool is_client, enum enum_ssl_init_error* error)
@@ -107,9 +160,23 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
  {
    if (!is_client)
    {
-      *error= SSL_INITERR_CERT;
+      EVP_PKEY *pkey;
-      fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+      X509 *x509;
-      DBUG_RETURN(1);
+      if (!(pkey= vio_keygen()) || SSL_CTX_use_PrivateKey(ctx, pkey) < 1)
+      {
+        *error= SSL_INITERR_KEY;
+        fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+        DBUG_RETURN(1);
+      }
+      if (!(x509= vio_gencert(pkey)) || SSL_CTX_use_certificate(ctx, x509) < 1)
+      {
+        *error= SSL_INITERR_CERT;
+        fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+        DBUG_RETURN(1);
+      }
+      EVP_PKEY_free(pkey);      /* decrement refcnt */
+      X509_free(x509);          /* ditto */
    }
    DBUG_RETURN(0);
  }
@@ -250,6 +317,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file,
  long ssl_ctx_options;
  DBUG_ENTER("new_VioSSLFd");
+  fix_value(key_file);
+  fix_value(cert_file);
  fix_value(ca_file);
  fix_value(ca_path);
  fix_value(crl_file);