Commit 9f93630d authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-31856 use ephemeral ssl certificates

if the server is started with --ssl but without neither --ssl-key nor
--ssl-cert, let it automatically generate a self-signed certificate.
It's generated in memory only and never saved to disk.
parent d33a8ab1
......@@ -28,6 +28,8 @@
#define NO_OLD_TIMEVAL_NAME
#define HAVE_SECURE_RENEGOTIATION
#define HAVE_EXTENDED_MASTER
#define WOLFSSL_KEY_GEN
#define WOLFSSL_CERT_GEN
/* TLSv1.3 definitions (all needed to build) */
#define WOLFSSL_TLS13
......
[pem]
loose-enable-named-pipe
[auto]
ssl-key=
ssl-cert=
ssl-ca=
loose-enable-named-pipe
......@@ -95,6 +95,59 @@ sslGetErrString(enum enum_ssl_init_error e)
return ssl_error_string[e];
}
static EVP_PKEY *vio_keygen()
{
EVP_PKEY_CTX *ctx;
EVP_PKEY *pkey = NULL;
if (!(ctx= EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)))
return NULL;
if (EVP_PKEY_keygen_init(ctx) <= 0)
goto end;
if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 4096) <= 0)
goto end;
if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
pkey= NULL; /* just in case */
end:
EVP_PKEY_CTX_free(ctx);
return pkey;
}
static X509 *vio_gencert(EVP_PKEY *pkey)
{
X509 *x;
X509_NAME *name;
if (!(x= X509_new()))
goto err;
if (!(name= X509_get_subject_name(x)))
goto err;
if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
(uchar*)STRING_WITH_LEN("MariaDB Server"), -1, 0))
goto err;
if (!X509_set_issuer_name(x, name))
goto err;
if (!X509_gmtime_adj(X509_get_notBefore(x), 0))
goto err;
if (!X509_gmtime_adj(X509_get_notAfter(x), 60*60*24*365*10))
goto err;
if (!X509_set_pubkey(x, pkey))
goto err;
if (!X509_sign(x, pkey, EVP_sha256()))
goto err;
return x;
err:
X509_free(x);
return NULL;
}
static int
vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
my_bool is_client, enum enum_ssl_init_error* error)
......@@ -106,11 +159,25 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
if (!cert_file && !key_file)
{
if (!is_client)
{
EVP_PKEY *pkey;
X509 *x509;
if (!(pkey= vio_keygen()) || SSL_CTX_use_PrivateKey(ctx, pkey) < 1)
{
*error= SSL_INITERR_KEY;
fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
DBUG_RETURN(1);
}
if (!(x509= vio_gencert(pkey)) || SSL_CTX_use_certificate(ctx, x509) < 1)
{
*error= SSL_INITERR_CERT;
fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
DBUG_RETURN(1);
}
EVP_PKEY_free(pkey); /* decrement refcnt */
X509_free(x509); /* ditto */
}
DBUG_RETURN(0);
}
......@@ -250,6 +317,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file,
long ssl_ctx_options;
DBUG_ENTER("new_VioSSLFd");
fix_value(key_file);
fix_value(cert_file);
fix_value(ca_file);
fix_value(ca_path);
fix_value(crl_file);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment