Forward connection certificate to audit plugin

Summary:
Forward the connection certificate to the audit plugin. The connection certificate can then be parsed by the audit plugin and handled appropriately. It made more sense for the certificate to live in the connection events, since they generally don't change between every general event, so the move was done.

This is done by caching a BUF_MEM struct on the THD object. Since it's not possible to change certificates on the same connection, this caching should be correct. The BUF_MEM is released on THD::release_resources.

If upstream bumps the MYSQL_AUDIT_INTERFACE_VERSION, we should bump ours to be greater or equal to it.

Test Plan: Test with plugin to see that certificate information is present.

Reviewers: jtolmer, jkedgar

Reviewed By: jkedgar

Subscribers: webscalesql-eng, anca

Differential Revision: https://reviews.facebook.net/D52263

Author: lth

include/mysql/plugin_audit.h

@@ -25,7 +25,7 @@
 
 #define MYSQL_AUDIT_CLASS_MASK_SIZE 1
 
-#define MYSQL_AUDIT_INTERFACE_VERSION 0x0303
+#define MYSQL_AUDIT_INTERFACE_VERSION 0x0304
 
 
 /*************************************************************************
@@ -69,8 +69,6 @@ struct mysql_event_general
   unsigned int database_length;
   /* Added in version 0x303 */
   unsigned long long affected_rows;
-  const char *connection_certificate;
-  unsigned int connection_certificate_length;
   const char *query_attributes;
   unsigned int query_attributes_length;
 };
@@ -109,6 +107,9 @@ struct mysql_event_connection
   unsigned int ip_length;
   const char *database;
   unsigned int database_length;
+  /* Added in version 0x304 */
+  const char *connection_certificate;
+  unsigned int connection_certificate_length;
 };
 
 

include/mysql/plugin_audit.h.pp

@@ -287,8 +287,6 @@
   const char *database;
   unsigned int database_length;
   unsigned long long affected_rows;
-  const char *connection_certificate;
-  unsigned int connection_certificate_length;
   const char *query_attributes;
   unsigned int query_attributes_length;
 };
@@ -311,6 +309,8 @@
   unsigned int ip_length;
   const char *database;
   unsigned int database_length;
+  const char *connection_certificate;
+  unsigned int connection_certificate_length;
 };
 struct st_mysql_audit
 {

sql/sql_acl.cc

@@ -11265,6 +11265,10 @@ acl_authenticate(THD *thd, uint com_change_user_pkt_len)
       DBUG_RETURN(1);
     }
 
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+    thd->set_connection_certificate();
+#endif
+
     if (unlikely(mpvio.acl_user && mpvio.acl_user->password_expired
         && !(mpvio.client_capabilities & CLIENT_CAN_HANDLE_EXPIRED_PASSWORDS)
         && disconnect_on_expired_password))

sql/sql_audit.cc

@@ -90,8 +90,6 @@ static void general_class_handler(THD *thd, uint event_subtype, va_list ap)
   event.general_ip= va_arg(ap, MYSQL_LEX_STRING);
   event.database= va_arg(ap, const char *);
   event.database_length= va_arg(ap, unsigned int);
-  event.connection_certificate= va_arg(ap, const char*);
-  event.connection_certificate_length= va_arg(ap, unsigned int);
   event.query_attributes= va_arg(ap, const char*);
   event.query_attributes_length= va_arg(ap, unsigned int);
   event.query_id= (unsigned long long) thd->query_id;
@@ -119,6 +117,8 @@ static void connection_class_handler(THD *thd, uint event_subclass, va_list ap)
   event.ip_length= va_arg(ap, unsigned int);
   event.database= va_arg(ap, const char *);
   event.database_length= va_arg(ap, unsigned int);
+  event.connection_certificate= va_arg(ap, const char*);
+  event.connection_certificate_length= va_arg(ap, unsigned int);
   event_class_dispatch(thd, MYSQL_AUDIT_CONNECTION_CLASS, &event);
 }
 

sql/sql_audit.h

@@ -79,8 +79,8 @@ void mysql_audit_general_log(THD *thd, const char *cmd, uint cmdlen,
     longlong affectrows= 0;
     int error_code= 0; 
     char user_buff[MAX_USER_HOST_SIZE + 1];
-    uint userlen, databaselen, certlen, queryattrlen;
-    const char *user, *database, *cert, *queryattr;
+    uint userlen, databaselen, queryattrlen;
+    const char *user, *database, *queryattr;
     time_t time= (time_t) thd->start_time.tv_sec;
 
     if (thd)
@@ -113,8 +113,6 @@ void mysql_audit_general_log(THD *thd, const char *cmd, uint cmdlen,
       sql_command.length= sql_statement_names[thd->lex->sql_command].length;
       database= thd->db;
       databaselen= thd->db_length;
-      cert= 0;
-      certlen= 0;
       queryattr= thd->query_attrs();
       queryattrlen= thd->query_attrs_length();
     }
@@ -128,8 +126,6 @@ void mysql_audit_general_log(THD *thd, const char *cmd, uint cmdlen,
       sql_command= empty;
       database= 0;
       databaselen= 0;
-      cert= 0;
-      certlen= 0;
       queryattr= 0;
       queryattrlen= 0;
     }
@@ -140,7 +136,7 @@ void mysql_audit_general_log(THD *thd, const char *cmd, uint cmdlen,
                        error_code, time, user, userlen, cmd, cmdlen, query.str,
                        query.length, clientcs, resultrows, affectrows,
                        sql_command, host, external_user, ip, database,
-                       databaselen, cert, certlen, queryattr, queryattrlen);
+                       databaselen, queryattr, queryattrlen);
   }
 #endif
 }
@@ -167,8 +163,8 @@ void mysql_audit_general(THD *thd, uint event_subtype,
   {
     time_t time= my_time(0);
     uint msglen= msg ? strlen(msg) : 0;
-    uint userlen, databaselen, certlen, queryattrlen;
-    const char *user, *database, *cert, *queryattr;
+    uint userlen, databaselen, queryattrlen;
+    const char *user, *database, *queryattr;
     char user_buff[MAX_USER_HOST_SIZE];
     CSET_STRING query;
     MYSQL_LEX_STRING ip, host, external_user, sql_command;
@@ -213,8 +209,6 @@ void mysql_audit_general(THD *thd, uint event_subtype,
       sql_command.length= sql_statement_names[thd->lex->sql_command].length;
       database= thd->db;
       databaselen= thd->db_length;
-      cert= 0;
-      certlen= 0;
       queryattr= thd->query_attrs();
       queryattrlen= thd->query_attrs_length();
     }
@@ -230,8 +224,6 @@ void mysql_audit_general(THD *thd, uint event_subtype,
       affectrows= 0;
       database= 0;
       databaselen= 0;
-      cert= 0;
-      certlen= 0;
       queryattr= 0;
       queryattrlen= 0;
     }
@@ -241,7 +233,7 @@ void mysql_audit_general(THD *thd, uint event_subtype,
                        query.str(), query.length(), query.charset(),
                        resultrows, affectrows, sql_command, host,
                        external_user, ip, database, databaselen,
-                       cert, certlen, queryattr, queryattrlen);
+                       queryattr, queryattrlen);
   }
 #endif
 }
@@ -259,7 +251,10 @@ void mysql_audit_general(THD *thd, uint event_subtype,
   (thd)->security_ctx->get_host()->length(),\
   (thd)->security_ctx->get_ip()->ptr(),\
   (thd)->security_ctx->get_ip()->length(),\
-  (thd)->db, (thd)->db ? strlen((thd)->db) : 0)
+  (thd)->db, (thd)->db ? strlen((thd)->db) : 0,\
+  (thd)->connection_certificate(),\
+  (thd)->connection_certificate_length());
+
 
 #define MYSQL_AUDIT_NOTIFY_CONNECTION_DISCONNECT(thd, errcode)\
   mysql_audit_notify(\
@@ -275,7 +270,9 @@ void mysql_audit_general(THD *thd, uint event_subtype,
   (thd)->security_ctx->get_host()->length(),\
   (thd)->security_ctx->get_ip()->ptr(),\
   (thd)->security_ctx->get_ip()->length(),\
-  (thd)->db, (thd)->db ? strlen((thd)->db) : 0)
+  (thd)->db, (thd)->db ? strlen((thd)->db) : 0,\
+  (thd)->connection_certificate(),\
+  (thd)->connection_certificate_length());
 
 #define MYSQL_AUDIT_NOTIFY_CONNECTION_CHANGE_USER(thd) mysql_audit_notify(\
   (thd), MYSQL_AUDIT_CONNECTION_CLASS, MYSQL_AUDIT_CONNECTION_CHANGE_USER,\
@@ -290,6 +287,8 @@ void mysql_audit_general(THD *thd, uint event_subtype,
   (thd)->security_ctx->get_host()->length(),\
   (thd)->security_ctx->get_ip()->ptr(),\
   (thd)->security_ctx->get_ip()->length(),\
-  (thd)->db, (thd)->db ? strlen((thd)->db) : 0)
+  (thd)->db, (thd)->db ? strlen((thd)->db) : 0,\
+  (thd)->connection_certificate(),\
+  (thd)->connection_certificate_length());
 
 #endif /* SQL_AUDIT_INCLUDED */

sql/sql_class.cc

@@ -978,6 +978,7 @@ THD::THD(bool enable_plugins)
 #endif /* defined(ENABLED_DEBUG_SYNC) */
    m_enable_plugins(enable_plugins),
    owned_gtid_set(global_sid_map),
+   connection_certificate_buf(NULL),
    main_da(0, false),
    m_stmt_da(&main_da),
    conn_timeout_err_msg(NULL),
@@ -1550,6 +1551,9 @@ void THD::change_user(void)
                (my_hash_free_key) free_user_var, 0);
   sp_cache_clear(&sp_proc_cache);
   sp_cache_clear(&sp_func_cache);
+#if defined(HAVE_OPENSSL)
+  reset_connection_certificate();
+#endif
 }
 
 
@@ -1656,6 +1660,9 @@ void THD::release_resources()
     net_end(&net);
     net.vio= NULL;
   }
+#if defined(HAVE_OPENSSL)
+  reset_connection_certificate();
+#endif
 #endif
   mysql_mutex_unlock(&LOCK_thd_data);
 
@@ -4938,6 +4945,79 @@ void THD::get_definer(LEX_USER *definer)
     get_default_definer(this, definer);
 }
 
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+void THD::set_connection_certificate() {
+  DBUG_ASSERT(connection_certificate_buf == nullptr);
+  connection_certificate_buf = get_peer_cert_info(false);
+}
+
+void THD::reset_connection_certificate() {
+  if (connection_certificate_buf) {
+    BUF_MEM_free(connection_certificate_buf);
+    connection_certificate_buf = nullptr;
+  }
+}
+
+const char *THD::connection_certificate() const {
+  return connection_certificate_buf ?
+    connection_certificate_buf->data : nullptr;
+}
+
+uint32 THD::connection_certificate_length() const {
+  return connection_certificate_buf ? connection_certificate_buf->length : 0;
+}
+
+BUF_MEM *THD::get_peer_cert_info(bool display)
+{
+  if (!vio_ok() || !net.vio->ssl_arg) {
+    return NULL;
+  }
+
+  SSL *ssl= (SSL*) net.vio->ssl_arg;
+
+  // extract user cert ref from the thread
+  X509 *cert= SSL_get_peer_certificate(ssl);
+
+  if (!cert) {
+    return NULL;
+  }
+
+  // Create new X509 buffer abstraction
+  BIO *bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    X509_free(cert);
+    return NULL;
+  }
+
+  // Print the certificate to the buffer
+  int status;
+  if (display) {
+    status = X509_print(bio, cert);
+  } else {
+    status = PEM_write_bio_X509(bio, cert);
+  }
+
+  if (status != 1) {
+    BIO_free(bio);
+    X509_free(cert);
+    return NULL;
+  }
+
+  // decouple buffer and close bio object
+  BUF_MEM *bufmem;
+  BIO_get_mem_ptr(bio, &bufmem);
+  (void) BIO_set_close(bio, BIO_NOCLOSE);
+  BIO_free(bio);
+  X509_free(cert);
+
+  if (bufmem->length) {
+    return bufmem;
+  }
+
+  BUF_MEM_free(bufmem);
+  return NULL;
+}
+#endif
 
 /**
   Mark transaction to rollback and mark error as fatal to a sub-statement.

sql/sql_class.h

@@ -52,6 +52,8 @@
 #include "sql_data_change.h"
 #include "my_atomic.h"
 
+#include <openssl/pem.h>
+
 #define FLAGSTR(V,F) ((V)&(F)?#F" ":"")
 
 /**
@@ -4483,6 +4485,23 @@ class THD :public MDL_context_owner,
     return query_attrs_string.length();
   }
 
+private:
+  BUF_MEM *connection_certificate_buf;
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  void reset_connection_certificate();
+public:
+  void set_connection_certificate();
+  const char *connection_certificate() const;
+  uint32 connection_certificate_length() const;
+  // The caller should take ownership of the BUF_MEM pointer.  If display is
+  // set to true, the buffer will contain the certificate encoded in a human
+  // readable format, which can be used for display in information schema.
+  // Otherwise, it is encoded in the PEM format.
+  //
+  // Free this using the function BUF_MEM_free.
+  BUF_MEM *get_peer_cert_info(bool display);
+#endif
+
 #ifndef DBUG_OFF
 private:
   int gis_debug; // Storage for "SELECT ST_GIS_DEBUG(param);"