Allows SSL privake keys other than RSA , and implement PROXYSQL RELOAD TLS

include/proxysql_glovars.hpp

@@ -63,6 +63,8 @@ class ProxySQL_GlobalVariables {
 	char * sqlite3_plugin;
 	char * web_interface_plugin;
 	char * ldap_auth_plugin;
+	SSL * get_SSL_ctx();
+	void get_SSL_pem_mem(char **key, char **cert);
 	std::shared_ptr<prometheus::Registry> prometheus_registry { nullptr };
 	struct  {
 		unsigned long long start_time;
@@ -87,7 +89,12 @@ class ProxySQL_GlobalVariables {
 		char *pidfile;
 		bool restart_on_error;
 		int restart_delay;
+		std::mutex ssl_mutex;
 		SSL_CTX *ssl_ctx;	
+		SSL_CTX *tmp_ssl_ctx;
+		// these two buffers are used for the web interface
+		char * ssl_key_pem_mem;
+		char * ssl_cert_pem_mem;
 		bool sqlite3_server;
 #ifdef PROXYSQLCLICKHOUSE
 		bool clickhouse_server;

lib/MySQL_Session.cpp

@@ -4780,7 +4780,7 @@ void MySQL_Session::handler___status_CONNECTING_CLIENT___STATE_SERVER_HANDSHAKE(
 		client_myds->DSS=STATE_SSL_INIT;
 		client_myds->rbio_ssl = BIO_new(BIO_s_mem());
 		client_myds->wbio_ssl = BIO_new(BIO_s_mem());
-		client_myds->ssl=SSL_new(GloVars.global.ssl_ctx);
+		client_myds->ssl = GloVars.get_SSL_ctx();
 		SSL_set_fd(client_myds->ssl, client_myds->fd);
 		SSL_set_accept_state(client_myds->ssl); 
 		SSL_set_bio(client_myds->ssl, client_myds->rbio_ssl, client_myds->wbio_ssl);

lib/ProxySQL_Admin.cpp

@@ -82,6 +82,7 @@ char * proxysql_version = NULL;
 
 MARIADB_CHARSET_INFO * proxysql_find_charset_name(const char *name);
 
+/*
 static long
 get_file_size (const char *filename) {
 	FILE *fp;
@@ -119,7 +120,7 @@ static char * load_file (const char *filename) {
 	fclose (fp);
 	return buffer;
 }
-
+*/
 
 static int round_intv_to_time_interval(int& intv) {
 	if (intv > 300) {
@@ -297,6 +298,8 @@ extern SQLite3_Server *GloSQLite3Server;
 
 extern char * binary_sha1;
 
+extern int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg);
+
 #define PANIC(msg)  { perror(msg); exit(EXIT_FAILURE); }
 
 pthread_mutex_t sock_mutex = PTHREAD_MUTEX_INITIALIZER;
@@ -1534,6 +1537,19 @@ bool admin_handler_command_proxysql(char *query_no_space, unsigned int query_no_
 		return false;
 	}
 
+	if (strcasecmp("PROXYSQL RELOAD TLS",query_no_space) == 0) {
+		proxy_info("Received %s command\n", query_no_space);
+		ProxySQL_Admin *SPA=(ProxySQL_Admin *)pa;
+		std::string s;
+		int rc = ProxySQL_create_or_load_TLS(false, s);
+		if (rc == 0) {
+			SPA->send_MySQL_OK(&sess->client_myds->myprot, s.length() ? (char *)s.c_str() : NULL);
+		} else {
+			SPA->send_MySQL_ERR(&sess->client_myds->myprot, s.length() ? (char *)s.c_str() : (char *)"RELOAD TLS failed");
+		}
+		return false;
+	}
+
 #ifndef NOJEM
 	if (query_no_space_length==strlen("PROXYSQL MEMPROFILE START") && !strncasecmp("PROXYSQL MEMPROFILE START",query_no_space, query_no_space_length)) {
 		bool en=true;
@@ -5990,8 +6006,7 @@ void ProxySQL_Admin::flush_admin_variables___database_to_runtime(SQLite3DB *db,
 					if (GloVars.web_interface_plugin == NULL) {
 						char *key_pem;
 						char *cert_pem;
-						key_pem = load_file(ssl_key_fp);
-						cert_pem = load_file(ssl_cert_fp);
+						GloVars.get_SSL_pem_mem(&key_pem, &cert_pem);
 						Admin_HTTP_Server = MHD_start_daemon(MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_SSL,
 							variables.web_port,
 							NULL, NULL, http_handler, NULL,
@@ -6054,8 +6069,7 @@ void ProxySQL_Admin::flush_admin_variables___database_to_runtime(SQLite3DB *db,
 							Admin_HTTP_Server = NULL;
 							char *key_pem;
 							char *cert_pem;
-							key_pem = load_file(ssl_key_fp);
-							cert_pem = load_file(ssl_cert_fp);
+							GloVars.get_SSL_pem_mem(&key_pem, &cert_pem);
 							Admin_HTTP_Server = MHD_start_daemon(MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_SSL,
 								variables.web_port,
 								NULL, NULL, http_handler, NULL,

lib/mysql_data_stream.cpp

@@ -167,26 +167,43 @@ enum sslstatus MySQL_Data_Stream::do_ssl_handshake() {
 	int n = SSL_do_handshake(ssl);
 	if (n == 1) {
 		//proxy_info("SSL handshake completed\n");
-		long rc = SSL_get_verify_result(ssl);
-		if (rc != X509_V_OK && rc != X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN && rc != X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
-			proxy_error("Disconnecting %s:%d: X509 client SSL certificate verify error: (%d:%s)\n" , addr.addr, addr.port, rc, X509_verify_cert_error_string(rc));
-			return SSLSTATUS_FAIL;
-		} else {
-			X509 *cert;
-			cert = SSL_get_peer_certificate(ssl);
-			if (cert) {
-				ASN1_STRING *str;
-				GENERAL_NAME *sanName;
-				STACK_OF(GENERAL_NAME) *san_names = NULL;
-				san_names = (stack_st_GENERAL_NAME *)X509_get_ext_d2i((X509 *) cert, NID_subject_alt_name, NULL, NULL);
-				if (san_names) {
-					sanName = sk_GENERAL_NAME_value(san_names, 0);
-					str = sanName->d.dNSName;
-					proxy_info("%s\n" , str->data);
-					x509_subject_alt_name = strdup((const char*)str->data);
+		X509 *cert;
+		cert = SSL_get_peer_certificate(ssl);
+		if (cert) {
+			GENERAL_NAMES *alt_names = (stack_st_GENERAL_NAME *)X509_get_ext_d2i((X509*)cert, NID_subject_alt_name, 0, 0);
+			int alt_name_count = sk_GENERAL_NAME_num(alt_names);
+
+			// Iterate all the SAN names, looking for SPIFFE identifier
+			for (int i = 0; i < alt_name_count; i++) {
+				GENERAL_NAME *san = sk_GENERAL_NAME_value(alt_names, i);
+
+				// We only care about URI names
+				if (san->type == GEN_URI) {
+					if (san->d.uniformResourceIdentifier->data) {
+						const char* resource_data =
+							reinterpret_cast<const char*>(san->d.uniformResourceIdentifier->data);
+						const char* spiffe_loc = strstr(resource_data, "spiffe");
+
+						// First name starting with 'spiffe' is considered the match.
+						if (spiffe_loc == resource_data) {
+							x509_subject_alt_name = strdup(resource_data);
+						}
+					}
 				}
-			} else {
-				proxy_error("X509 error: no required certificate sent by client\n");
+			}
+		} else {
+			// we currently disable this annoying error
+			// in future we can configure this as per user level, specifying if the certificate is mandatory or not
+			// see issue #3424
+			//proxy_error("X509 error: no required certificate sent by client\n");
+		}
+		// In case the supplied certificate has a 'SAN'-'URI' identifier
+		// starting with 'spiffe', client certificate verification is performed.
+		if (x509_subject_alt_name != NULL) {
+			long rc = SSL_get_verify_result(ssl);
+			if (rc != X509_V_OK) {
+				proxy_error("Disconnecting %s:%d: X509 client SSL certificate verify error: (%d:%s)\n" , addr.addr, addr.port, rc, X509_verify_cert_error_string(rc));
+				return SSLSTATUS_FAIL;
 			}
 		}
 	}
@@ -349,6 +366,14 @@ MySQL_Data_Stream::~MySQL_Data_Stream() {
 	}
 	if ( (myconn) && (myds_type==MYDS_FRONTEND) ) { delete myconn; myconn=NULL; }
 	if (encrypted) {
+		if (ssl) {
+			// NOTE: SSL standard requires a final 'close_notify' alert on socket
+			// shutdown. But for avoiding any kind of locking IO waiting for the
+			// other part, we perform a 'quiet' shutdown. For more context see
+			// MYSQL #29579.
+			SSL_set_quiet_shutdown(ssl, 1);
+			SSL_shutdown(ssl);
+		}
 		if (ssl) SSL_free(ssl);
 /*
 		SSL_free() should also take care of these
@@ -428,7 +453,12 @@ void MySQL_Data_Stream::shut_hard() {
 	proxy_debug(PROXY_DEBUG_NET, 4, "Shutdown hard fd=%d. Session=%p, DataStream=%p\n", fd, sess, this);
 	set_net_failure();
 	if (encrypted) {
+		// NOTE: SSL standard requires a final 'close_notify' alert on socket
+		// shutdown. But for avoiding any kind of locking IO waiting for the
+		// other part, we perform a 'quiet' shutdown. For more context see
+		// MYSQL #29579.
 		SSL_set_quiet_shutdown(ssl, 1);
+		SSL_shutdown(ssl);
 	}
 	if (fd >= 0) {
 		shutdown(fd, SHUT_RDWR);

src/Makefile

@@ -140,7 +140,7 @@ ODIR= obj
 
 EXECUTABLE=proxysql
 
-_OBJ = main.o proxysql_global.o SQLite3_Server.o
+_OBJ = main.o proxysql_global.o SQLite3_Server.o proxy_tls.o
 OBJ = $(patsubst %,$(ODIR)/%,$(_OBJ))
 
 $(ODIR)/%.o: %.cpp