Prevent cert/key mismatch is combined file replaced between cert load and key load

Summary:
MySQL was using the functions that take a file as input for setting the
ssl cert and key.
There is a race condition if the cert file gets replaced between the
moment the cert is loaded and the key is loaded.
Fix: open file once and load cert and key. Used BIO functions that work
on file descriptors.

Reference patch: 53d0673

Reviewed By: abal147

Differential Revision: D7299948

fbshipit-source-id: 96022f3

Author: lth

mysql-test/std_data/server-combined.pem

@@ -0,0 +1,50 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA6SDnBVEHOki54mKiJEUf8VQ0IlxihpsB6MJFkACNTuSi6unX
+tZUlzhisGk+z5jBGryATQITfIdzfCeWgf4ESbh6EWFyhEduqtgTg/B4MES7zMGIa
++e7f/qPT1oNureiNmImxaWO4cvRa5iJec2SV71aSkgvhk6XXTEFH5zHtCWizxW7B
+GwE5u/GPv7r0AuLl5Z631pqylHabSNgnGA6fMJj1mj4j5jtKSO6lJuiAlDfkSrr/
+n0K5Mt16nWMRqCWZsR+G5XyxMeMSEQzr9h0CSx00y3Qdfy9AwIHiBNSO6pb4IjWO
+q7aZMzbvtYMRiG0GD3ZNv9uo32w8keK6c6BzRQIDAQABAoIBAQDUbdzVJV6Wp4pq
+VUI2Fp7iwr22ycQlr71voQbODxK0XvZtZKPgnIWUZTr9xr7A9CCUl3+zfN/t9Vtv
+o0Q6qxxmJ3ylH9LNeQL3VT7FvYN1bPjAj8TRFfAaEqKHh8AkzBGqe12kEPAUH8Fs
+jsjOEUvmiVaJqjXk2mty2tFwRDggJwCrN5bXkhkzwhDcMfH2Wgc4c4XkyUrciJQU
+ua4d0L354B3UmRYtrzwPr6WHLXCGPGhyWvXYpDjjdUGMVf2YcBSQdABF+mhCEb2b
+NP4dYUqKHjKn6p4B1/qfJtf0c9Lz229nz0WTzanmpXaNxQVce0sTbktp5A3itT+m
+NlQfDNoBAoGBAPvqSK7NqCrvFYEo+Cvl6fOhq9li2zAeaYO7D+AKiWSJzG9KK/Ts
+F+28nnWkBEdzAnmgWZ7UZlUwHqF6DNIGn+RLHDJ2MVRrZug2irCR8g2mxcHk2dss
+DcmUtsatjCbjLqVCcyuuQylP2GWK60JmRbdKEOfpHLntzGStpOhn5FPBAoGBAOzo
+okk2FWZlymJTkN2HYTqvUCYINDciTDm/ms7YGC6YKdDJ8PUVq6qJ2GO/M+zGPQtV
+A+qFWqx1kk3K5uLPnZLCPLORXPIm0X1ZGreG+rHsrJTnP6uh9OxrTyLNkvt6xcm7
+yA51QOWTuRbYhPwy05IqT3Z88HkHByMKr4xafPCFAoGADff1w8ufkZHkTV8qM7Tx
+/hJu5wT2RnrJOwa6YJ/08mA5t8oTGeelhAc7eiZ4HkYgUwIzNf1tFzgt2qJb56F6
+aDxJ+fpXzeiOsj2j/xp4o40l1hSMh/yvXwgiAm5JITbjtUI0BK4LB1VoGGlVlj75
+iqpOua1RbHXlKYf/Zuur24ECgYEAqXDFSWmGKsOY2XR9QwQltUxYHat2dQxxykfR
+GCmUOhcYqT0VuqSyL/oBK25AXBN465b1gxG3xWsdpcf+FLB7OdD0i1XnTUYYRPeq
+1SKUQRdOY/11G3Ntcn5ZjkHL41NvDRbiQfz42noqQj2/94T+rybVyKAZeeZd42Es
+J0082OUCgYEAnguGJxhfSryD3a2kAQ/6s+L303rgXkRt+/luoopdm7vu2AcnaP7L
+aK4dCDusp/DZyGn8/ebDCGNIaVEMJVHAPLFbhJA9E9HCjfC33RdklCO/aGDtXsiq
+kzg3mqPHTCPCpmpr5YAtuLONczP1qgB04/vqb2S5eANC+5k6mEifu2U=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDyzCCArOgAwIBAgIJAOG0pVw936YUMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNV
+BAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEP
+MA0GA1UECgwGT3JhY2xlMQ4wDAYDVQQLDAVNeVNRTDELMAkGA1UEAwwCQ0EwHhcN
+MTQxMjA1MDQ0ODQwWhcNMjkxMjAxMDQ0ODQwWjBqMQswCQYDVQQGEwJTRTESMBAG
+A1UECAwJU3RvY2tob2xtMRIwEAYDVQQHDAlTdG9ja2hvbG0xDzANBgNVBAoMBk9y
+YWNsZTEOMAwGA1UECwwFTXlTUUwxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOkg5wVRBzpIueJioiRFH/FUNCJcYoab
+AejCRZAAjU7kourp17WVJc4YrBpPs+YwRq8gE0CE3yHc3wnloH+BEm4ehFhcoRHb
+qrYE4PweDBEu8zBiGvnu3/6j09aDbq3ojZiJsWljuHL0WuYiXnNkle9WkpIL4ZOl
+10xBR+cx7Qlos8VuwRsBObvxj7+69ALi5eWet9aaspR2m0jYJxgOnzCY9Zo+I+Y7
+SkjupSbogJQ35Eq6/59CuTLdep1jEaglmbEfhuV8sTHjEhEM6/YdAksdNMt0HX8v
+QMCB4gTUjuqW+CI1jqu2mTM277WDEYhtBg92Tb/bqN9sPJHiunOgc0UCAwEAAaN7
+MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFOQx2NUG6sazovYBOY9YCDYsez/bMB8GA1Ud
+IwQYMBaAFJRloaOHz7/BdLvYhJe2a+6ykHOyMA0GCSqGSIb3DQEBCwUAA4IBAQBG
+782/we82qcuZtb7ip7ppDfWbYzl4MjUBqLnxcA610Y+ULnrLZdTQtK1SuFFfZC6o
+CKVx/sI1ig0oJuW+ytf0eVThJ4+HktMEchvMxH+LJgmSLchvJ9qXMYAPg4Sc4KSI
+yeOPNefevTHi+lKD3u5cYG6PpY1eU0EYQvMDCwULWQlCLhsLKbP+ETvVrT9NJOjA
+2kwNk5TszRgPZs0D0+6gsn9k1zlmGXKfZEM4tLaz6m855wmYkJ9s9eizLgmNe3Zl
+MPTEm44QTpuMk2NEnSuK8/DP+HtllTj7tJLobBEDoqIv6uAit83PDaWRIxRHDDSP
+8RHM6B43U+yhAYEgwCz1
+-----END CERTIFICATE-----

mysql-test/t/openssl_1.test

@@ -121,6 +121,7 @@ drop table t1;
 # Test that we can't open connection to server if we are using
 # a blank client-key
 #
+--replace_regex /Unable to get private key from '.*'/Unable to get private key from ''/
 --error 1
 --exec $MYSQL_TEST --ssl-mode=REQUIRED --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
 

mysql-test/t/ssl-big-packet-master.opt

@@ -1,5 +1,5 @@
 --ssl=1
 --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem
---ssl-cert=$MYSQL_TEST_DIR/std_data/server-cert.pem
---ssl-key=$MYSQL_TEST_DIR/std_data/server-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/server-combined.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/server-combined.pem
 --max_allowed_packet=64M

vio/viosslfactories.cc

@@ -27,6 +27,7 @@
 
 #include "m_ctype.h"
 #include "my_dbug.h"
+#include "my_dir.h"
 #include "my_inttypes.h"
 #include "my_loglevel.h"
 #if !defined(HAVE_WOLFSSL) && !defined(HAVE_PSI_INTERFACE)
@@ -189,48 +190,117 @@ const char *sslGetErrString(enum enum_ssl_init_error e) {
   return ssl_error_string[e];
 }
 
+static bool check_same_file(const char *cert_file, const char *key_file) {
+  MY_STAT cert_stat;
+  MY_STAT key_stat;
+
+  if (!my_stat(cert_file, &cert_stat, MYF(0)) ||
+      !my_stat(key_file, &key_stat, MYF(0))) {
+    DBUG_PRINT("error", ("Unable to stat the files."));
+    return false;
+  }
+
+  return cert_stat.st_ino == key_stat.st_ino &&
+         cert_stat.st_dev == key_stat.st_dev;
+}
+
+static int vio_load_cert(SSL_CTX *ctx, const char *cert_file, BIO *bio) {
+  X509 *cert = NULL;
+
+  if (BIO_read_filename(bio, cert_file) != 1 ||
+      !PEM_read_bio_X509(bio, &cert, NULL, NULL)) {
+    return 1;
+  }
+
+  int ret = SSL_CTX_use_certificate(ctx, cert);
+  X509_free(cert);
+
+  return ret <= 0;
+}
+
+static int vio_load_key(SSL_CTX *ctx, const char *key_file, bool same_file,
+                        BIO *bio) {
+  // read key file if not in same file as cert
+  if (!same_file) {
+    if (BIO_read_filename(bio, key_file) != 1) {
+      DBUG_PRINT("error", ("BIO_WRITE for key %s failed", key_file));
+      return 1;
+    }
+  } else {
+    if (BIO_reset(bio) < 0) {
+      DBUG_PRINT("error", ("BIO_reset failed ret"));
+      return 1;
+    }
+  }
+
+  EVP_PKEY *key = NULL;
+  if (!PEM_read_bio_PrivateKey(bio, &key, NULL, NULL)) return 1;
+
+  int ret = SSL_CTX_use_PrivateKey(ctx, key);
+  EVP_PKEY_free(key);
+
+  return ret <= 0;
+}
+
 static int vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file,
                               const char *key_file,
                               enum enum_ssl_init_error *error) {
   DBUG_ENTER("vio_set_cert_stuff");
   DBUG_PRINT("enter", ("ctx: %p  cert_file: %s  key_file: %s", ctx, cert_file,
                        key_file));
 
-  if (!cert_file && key_file) cert_file = key_file;
+  *error = SSL_INITERR_NOERROR;
+  bool same_file = false;
 
-  if (!key_file && cert_file) key_file = cert_file;
+  if (cert_file == NULL) {
+    if (key_file == NULL) DBUG_RETURN(0);
 
-  if (cert_file &&
-      SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) {
-    *error = SSL_INITERR_CERT;
-    DBUG_PRINT("error",
-               ("%s from file '%s'", sslGetErrString(*error), cert_file));
-    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-    my_message_local(ERROR_LEVEL, EE_SSL_ERROR_FROM_FILE,
-                     sslGetErrString(*error), cert_file);
-    DBUG_RETURN(1);
-  }
+    cert_file = key_file;
+    same_file = true;
+  } else if (key_file == NULL) {
+    key_file = cert_file;
+    same_file = true;
+  } else
+    same_file = check_same_file(key_file, cert_file);
 
-  if (key_file &&
-      SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
-    *error = SSL_INITERR_KEY;
-    DBUG_PRINT("error",
-               ("%s from file '%s'", sslGetErrString(*error), key_file));
-    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-    my_message_local(ERROR_LEVEL, EE_SSL_ERROR_FROM_FILE,
-                     sslGetErrString(*error), key_file);
-    DBUG_RETURN(1);
+  const char *error_file = NULL;
+  BIO *bio = BIO_new(BIO_s_file());
+  if (bio == NULL)
+    *error = SSL_INITERR_MEMFAIL;
+  else {
+    // load the cert
+    if (vio_load_cert(ctx, cert_file, bio)) {
+      *error = SSL_INITERR_CERT;
+      error_file = cert_file;
+    }
+    // load the key
+    else if (vio_load_key(ctx, key_file, same_file, bio)) {
+      *error = SSL_INITERR_KEY;
+      error_file = key_file;
+    }
+
+    /*
+      If we are using DSA, we can copy the parameters from the private key
+      Now we know that a key and cert have been set against the SSL context
+    */
+    else if (!SSL_CTX_check_private_key(ctx)) {
+      *error = SSL_INITERR_NOMATCH;
+    }
+
+    BIO_free_all(bio);
   }
 
-  /*
-    If we are using DSA, we can copy the parameters from the private key
-    Now we know that a key and cert have been set against the SSL context
-  */
-  if (cert_file && !SSL_CTX_check_private_key(ctx)) {
-    *error = SSL_INITERR_NOMATCH;
-    DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
+  if (*error != SSL_INITERR_NOERROR) {
+    char err_string[MYSQL_ERRMSG_SIZE];
+    if (error_file)
+      snprintf(err_string, sizeof(err_string), "%s from '%s'",
+               sslGetErrString(*error), error_file);
+    else
+      snprintf(err_string, sizeof(err_string), "%s", sslGetErrString(*error));
+    DBUG_PRINT("error", ("%s", err_string));
     DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-    my_message_local(ERROR_LEVEL, EE_SSL_ERROR, sslGetErrString(*error));
+    my_message_local(ERROR_LEVEL, EE_SSL_ERROR_FROM_FILE,
+                     sslGetErrString(*error), cert_file);
     DBUG_RETURN(1);
   }