Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
56e42630
Commit
56e42630
authored
Apr 28, 2006
by
msvensson@neptunus.(none)
Browse files
Options
Browse Files
Download
Plain Diff
Merge neptunus.(none):/home/msvensson/mysql/tmp_jimw_federated
into neptunus.(none):/home/msvensson/mysql/mysql-5.0-maint
parents
b1c38010
cccc2c4b
Changes
27
Hide whitespace changes
Inline
Side-by-side
Showing
27 changed files
with
502 additions
and
562 deletions
+502
-562
SSL/server-cert.pem
SSL/server-cert.pem
+38
-40
client/client_priv.h
client/client_priv.h
+1
-1
client/mysql.cc
client/mysql.cc
+2
-0
client/mysqladmin.cc
client/mysqladmin.cc
+2
-0
client/mysqldump.c
client/mysqldump.c
+2
-0
client/mysqlimport.c
client/mysqlimport.c
+2
-0
client/mysqlshow.c
client/mysqlshow.c
+2
-0
client/mysqltest.c
client/mysqltest.c
+10
-1
extra/yassl/mySTL/helpers.hpp
extra/yassl/mySTL/helpers.hpp
+5
-0
extra/yassl/src/template_instnt.cpp
extra/yassl/src/template_instnt.cpp
+0
-1
extra/yassl/taocrypt/include/asn.hpp
extra/yassl/taocrypt/include/asn.hpp
+13
-6
extra/yassl/taocrypt/src/asn.cpp
extra/yassl/taocrypt/src/asn.cpp
+52
-12
extra/yassl/taocrypt/src/make.bat
extra/yassl/taocrypt/src/make.bat
+1
-1
extra/yassl/taocrypt/src/template_instnt.cpp
extra/yassl/taocrypt/src/template_instnt.cpp
+1
-1
extra/yassl/testsuite/test.hpp
extra/yassl/testsuite/test.hpp
+2
-2
include/mysql.h
include/mysql.h
+3
-1
include/sslopt-longopts.h
include/sslopt-longopts.h
+6
-1
include/sslopt-vars.h
include/sslopt-vars.h
+3
-0
include/violite.h
include/violite.h
+5
-16
sql-common/client.c
sql-common/client.c
+107
-19
sql/mysql_priv.h
sql/mysql_priv.h
+1
-1
sql/mysqld.cc
sql/mysqld.cc
+5
-2
sql/sql_acl.cc
sql/sql_acl.cc
+2
-2
vio/vio.c
vio/vio.c
+8
-8
vio/vio_priv.h
vio/vio_priv.h
+2
-20
vio/viossl.c
vio/viossl.c
+99
-255
vio/viosslfactories.c
vio/viosslfactories.c
+128
-172
No files found.
SSL/server-cert.pem
View file @
56e42630
Certificate:
Certificate:
Data:
Data:
Version: 3 (0x2)
Version: 3 (0x2)
Serial Number: 2 (0x2)
Serial Number:
e9:07:d1:01:94:ee:66:ca
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption
Issuer: C=SE,
L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email
=abstract.mysql.developer@mysql.com
Issuer: C=SE,
ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress
=abstract.mysql.developer@mysql.com
Validity
Validity
Not Before:
Sep 12 16:22:06 2003
GMT
Not Before:
Apr 18 15:35:37 2006
GMT
Not After :
Sep 9 16:22:06 2013
GMT
Not After :
Jan 12 15:35:37 2009
GMT
Subject: C=SE,
L=Uppsala, O=MySQL AB, CN=MySQL Server/Email
=abstract.mysql.developer@mysql.com
Subject: C=SE,
ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress
=abstract.mysql.developer@mysql.com
Subject Public Key Info:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
RSA Public Key: (1024 bit)
...
@@ -23,45 +24,42 @@ Certificate:
...
@@ -23,45 +24,42 @@ Certificate:
3d:0e:4d:2a:a8:b8:ca:99:8d
3d:0e:4d:2a:a8:b8:ca:99:8d
Exponent: 65537 (0x10001)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Subject Key Identifier:
6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
X509v3 Authority Key Identifier:
X509v3 Authority Key Identifier:
keyid:
88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92
keyid:
6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
DirName:/C=SE/
L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email
=abstract.mysql.developer@mysql.com
DirName:/C=SE/
ST=Uppsala/L=Uppsala/O=MySQL AB/CN=localhost/emailAddress
=abstract.mysql.developer@mysql.com
serial:
00
serial:
E9:07:D1:01:94:EE:66:CA
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: md5WithRSAEncryption
31:77:69:b9:bd:ab:29:f3:fc:5a:09:16:6f:5d:42:ea:ba:01
:
1f:03:59:6e:ff:1f:9d:c7:19:9e:8e:b2:1a:c0:0b:9e:ee:94
:
55:69:e3:75:cf:b8:d1:b7:b9:bf:da:63:85:8c:48:92:06:60
:
35:77:2a:93:04:ea:d5:a8:fc:36:5a:5b:e3:1c:02:b8:cf:04
:
76:97:e0:00:78:4b:ad:da:ab:6a:90:6d:8b:03:a8:b1:e9:09
:
6e:21:b0:27:f6:96:6e:d6:8f:cd:02:cf:23:f3:e7:ff:6a:ee
:
78:e1:29:98:56:12:60:6b:42:fe:e8:a7:c4:f8:d6:15:07:e8
:
a9:09:c5:c9:07:81:b6:d2:bc:bd:13:47:0d:7b:76:f6:8a:c4
:
2b:c2:d8:8a:e5:1b:2e:51:08:9b:56:e3:b3:7a:4c:3e:e5:be
:
76:24:f8:4c:4e:26:fc:d8:c0:1f:3d:40:19:43:8e:41:ab:99
:
4a:4d:f8:65:7b:a8:21:e0:ca:fe:8b:ab:d7:ec:f2:2d:f7:d0
:
3a:99:9b:24:7c:ae:78:f3:df:2f:a2:ed:8f:27:0a:0a:0b:04
:
bf:
d7:c5:23:1c:08:d8:aa:57:c7:f3:5f:ba:33:3f:78:d1:f
4:
bf:
25:74:88:87:96:c8:68:d5:bc:5b:a0:ef:14:aa:53:6e:c
4:
8e:5e
a3:e3
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDkTCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux
MIIDijCCAvOgAwIBAgIJAOkH0QGU7mbKMA0GCSqGSIb3DQEBBAUAMIGLMQswCQYD
EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB
VQQGEwJTRTEQMA4GA1UECBMHVXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G
YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0
A1UEChMITXlTUUwgQUIxEjAQBgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJ
Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMjA2WhcNMTMw
ARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTAeFw0wNjA0MTgx
OTA5MTYyMjA2WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G
NTM1MzdaFw0wOTAxMTIxNTM1MzdaMIGLMQswCQYDVQQGEwJTRTEQMA4GA1UECBMH
A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIFNlcnZlcjExMC8GCSqGSIb3
VXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8GA1UEChMITXlTUUwgQUIxEjAQ
DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq
BgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJARYiYWJzdHJhY3QubXlzcWwu
hkiG9w0BAQEFAAOBjQAwgYkCgYEA6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40Y
ZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
wheVE1LSP1UQV8g/WvWy+ovQZ0nMqoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFg
6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40YwheVE1LSP1UQV8g/WvWy+ovQZ0nM
h5hzXBDBsRpN8fOwmD/w15ebK/3VIXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0q
qoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFgh5hzXBDBsRpN8fOwmD/w15ebK/3V
qLjKmY0CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w
IXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0qqLjKmY0CAwEAAaOB8zCB8DAdBgNV
ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRu5Jtqxerk5sfv
HQ4EFgQUbuSbasXq5ObH79ceyGNFYCsb1NQwgcAGA1UdIwSBuDCBtYAUbuSbasXq
1x7IY0VgKxvU1DCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB
5ObH79ceyGNFYCsb1NShgZGkgY4wgYsxCzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdV
jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT
cHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhNeVNRTCBBQjESMBAG
CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv
A1UEAxMJbG9jYWxob3N0MTEwLwYJKoZIhvcNAQkBFiJhYnN0cmFjdC5teXNxbC5k
BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C
ZXZlbG9wZXJAbXlzcWwuY29tggkA6QfRAZTuZsowDAYDVR0TBAUwAwEB/zANBgkq
AQAwDQYJKoZIhvcNAQEEBQADgYEAMXdpub2rKfP8WgkWb11C6roBVWnjdc+40be5
hkiG9w0BAQQFAAOBgQAfA1lu/x+dxxmejrIawAue7pQ1dyqTBOrVqPw2WlvjHAK4
v9pjhYxIkgZgdpfgAHhLrdqrapBtiwOosekJeOEpmFYSYGtC/uinxPjWFQfoK8LY
zwRuIbAn9pZu1o/NAs8j8+f/au6pCcXJB4G20ry9E0cNe3b2isR2JPhMTib82MAf
iuUbLlEIm1bjs3pMPuW+Sk34ZXuoIeDK/our1+zyLffQv9fFIxwI2KpXx/NfujM/
PUAZQ45Bq5k6mZskfK54898vou2PJwoKCwS/JXSIh5bIaNW8W6DvFKpTbsSj4w==
eNH0jl4=
-----END CERTIFICATE-----
-----END CERTIFICATE-----
client/client_priv.h
View file @
56e42630
...
@@ -51,5 +51,5 @@ enum options_client
...
@@ -51,5 +51,5 @@ enum options_client
#endif
#endif
OPT_TRIGGERS
,
OPT_TRIGGERS
,
OPT_IGNORE_TABLE
,
OPT_INSERT_IGNORE
,
OPT_SHOW_WARNINGS
,
OPT_DROP_DATABASE
,
OPT_IGNORE_TABLE
,
OPT_INSERT_IGNORE
,
OPT_SHOW_WARNINGS
,
OPT_DROP_DATABASE
,
OPT_TZ_UTC
,
OPT_AUTO_CLOSE
OPT_TZ_UTC
,
OPT_AUTO_CLOSE
,
OPT_SSL_VERIFY_SERVER_CERT
};
};
client/mysql.cc
View file @
56e42630
...
@@ -3118,6 +3118,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
...
@@ -3118,6 +3118,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
if
(
opt_use_ssl
)
if
(
opt_use_ssl
)
mysql_ssl_set
(
&
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
#endif
#endif
if
(
opt_protocol
)
if
(
opt_protocol
)
mysql_options
(
&
mysql
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
mysql_options
(
&
mysql
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
...
...
client/mysqladmin.cc
View file @
56e42630
...
@@ -340,6 +340,8 @@ int main(int argc,char *argv[])
...
@@ -340,6 +340,8 @@ int main(int argc,char *argv[])
if
(
opt_use_ssl
)
if
(
opt_use_ssl
)
mysql_ssl_set
(
&
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
#endif
#endif
if
(
opt_protocol
)
if
(
opt_protocol
)
mysql_options
(
&
mysql
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
mysql_options
(
&
mysql
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
...
...
client/mysqldump.c
View file @
56e42630
...
@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd)
...
@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd)
if
(
opt_use_ssl
)
if
(
opt_use_ssl
)
mysql_ssl_set
(
&
mysql_connection
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
mysql_connection
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
#endif
#endif
if
(
opt_protocol
)
if
(
opt_protocol
)
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
...
...
client/mysqlimport.c
View file @
56e42630
...
@@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd)
...
@@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd)
if
(
opt_use_ssl
)
if
(
opt_use_ssl
)
mysql_ssl_set
(
&
mysql_connection
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
mysql_connection
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
#endif
#endif
if
(
opt_protocol
)
if
(
opt_protocol
)
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
...
...
client/mysqlshow.c
View file @
56e42630
...
@@ -109,6 +109,8 @@ int main(int argc, char **argv)
...
@@ -109,6 +109,8 @@ int main(int argc, char **argv)
if
(
opt_use_ssl
)
if
(
opt_use_ssl
)
mysql_ssl_set
(
&
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
#endif
#endif
if
(
opt_protocol
)
if
(
opt_protocol
)
mysql_options
(
&
mysql
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
mysql_options
(
&
mysql
,
MYSQL_OPT_PROTOCOL
,(
char
*
)
&
opt_protocol
);
...
...
client/mysqltest.c
View file @
56e42630
...
@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD,
...
@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD,
OPT_MANAGER_PORT
,
OPT_MANAGER_WAIT_TIMEOUT
,
OPT_SKIP_SAFEMALLOC
,
OPT_MANAGER_PORT
,
OPT_MANAGER_WAIT_TIMEOUT
,
OPT_SKIP_SAFEMALLOC
,
OPT_SSL_SSL
,
OPT_SSL_KEY
,
OPT_SSL_CERT
,
OPT_SSL_CA
,
OPT_SSL_CAPATH
,
OPT_SSL_SSL
,
OPT_SSL_KEY
,
OPT_SSL_CERT
,
OPT_SSL_CA
,
OPT_SSL_CAPATH
,
OPT_SSL_CIPHER
,
OPT_PS_PROTOCOL
,
OPT_SP_PROTOCOL
,
OPT_CURSOR_PROTOCOL
,
OPT_SSL_CIPHER
,
OPT_PS_PROTOCOL
,
OPT_SP_PROTOCOL
,
OPT_CURSOR_PROTOCOL
,
OPT_VIEW_PROTOCOL
};
OPT_VIEW_PROTOCOL
,
OPT_SSL_VERIFY_SERVER_CERT
};
/* ************************************************************************ */
/* ************************************************************************ */
/*
/*
...
@@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q)
...
@@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q)
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL
if
(
opt_use_ssl
||
con_ssl
)
if
(
opt_use_ssl
||
con_ssl
)
{
mysql_ssl_set
(
&
next_con
->
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
next_con
->
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
next_con
->
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
&
opt_ssl_verify_server_cert
);
}
#endif
#endif
if
(
con_sock
&&
!
free_con_sock
&&
*
con_sock
&&
*
con_sock
!=
FN_LIBCHAR
)
if
(
con_sock
&&
!
free_con_sock
&&
*
con_sock
&&
*
con_sock
!=
FN_LIBCHAR
)
con_sock
=
fn_format
(
buff
,
con_sock
,
TMPDIR
,
""
,
0
);
con_sock
=
fn_format
(
buff
,
con_sock
,
TMPDIR
,
""
,
0
);
...
@@ -4604,9 +4608,14 @@ int main(int argc, char **argv)
...
@@ -4604,9 +4608,14 @@ int main(int argc, char **argv)
mysql_options
(
&
cur_con
->
mysql
,
MYSQL_SET_CHARSET_NAME
,
charset_name
);
mysql_options
(
&
cur_con
->
mysql
,
MYSQL_SET_CHARSET_NAME
,
charset_name
);
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL
opt_ssl_verify_server_cert
=
TRUE
;
/* Always on in mysqltest */
if
(
opt_use_ssl
)
if
(
opt_use_ssl
)
{
mysql_ssl_set
(
&
cur_con
->
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
mysql_ssl_set
(
&
cur_con
->
mysql
,
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
cur_con
->
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
&
opt_ssl_verify_server_cert
);
}
#endif
#endif
if
(
!
(
cur_con
->
name
=
my_strdup
(
"default"
,
MYF
(
MY_WME
))))
if
(
!
(
cur_con
->
name
=
my_strdup
(
"default"
,
MYF
(
MY_WME
))))
...
...
extra/yassl/mySTL/helpers.hpp
View file @
56e42630
...
@@ -44,6 +44,11 @@
...
@@ -44,6 +44,11 @@
return
static_cast
<
void
*>
(
d
);
return
static_cast
<
void
*>
(
d
);
}
}
// for compilers that want matching delete
inline
void
operator
delete
(
void
*
ptr
,
Dummy
*
d
)
{
}
typedef
Dummy
*
yassl_pointer
;
typedef
Dummy
*
yassl_pointer
;
namespace
mySTL
{
namespace
mySTL
{
...
...
extra/yassl/src/template_instnt.cpp
View file @
56e42630
...
@@ -31,7 +31,6 @@
...
@@ -31,7 +31,6 @@
#include "hmac.hpp"
#include "hmac.hpp"
#include "md5.hpp"
#include "md5.hpp"
#include "sha.hpp"
#include "sha.hpp"
#include "ripemd.hpp"
#include "openssl/ssl.h"
#include "openssl/ssl.h"
#ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
#ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
...
...
extra/yassl/taocrypt/include/asn.hpp
View file @
56e42630
...
@@ -79,7 +79,13 @@ enum ASNIdFlag
...
@@ -79,7 +79,13 @@ enum ASNIdFlag
enum
DNTags
enum
DNTags
{
{
COMMON_NAME
=
0x03
COMMON_NAME
=
0x03
,
// CN
SUR_NAME
=
0x04
,
// SN
COUNTRY_NAME
=
0x06
,
// C
LOCALITY_NAME
=
0x07
,
// L
STATE_NAME
=
0x08
,
// ST
ORG_NAME
=
0x0a
,
// O
ORGUNIT_NAME
=
0x0b
// OU
};
};
...
@@ -92,7 +98,8 @@ enum Constants
...
@@ -92,7 +98,8 @@ enum Constants
MAX_SEQ_SZ
=
5
,
// enum(seq|con) + length(4)
MAX_SEQ_SZ
=
5
,
// enum(seq|con) + length(4)
MAX_ALGO_SIZE
=
9
,
MAX_ALGO_SIZE
=
9
,
MAX_DIGEST_SZ
=
25
,
// SHA + enum(Bit or Octet) + length(4)
MAX_DIGEST_SZ
=
25
,
// SHA + enum(Bit or Octet) + length(4)
DSA_SIG_SZ
=
40
DSA_SIG_SZ
=
40
,
NAME_MAX
=
512
// max total of all included names
};
};
...
@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 };
...
@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 };
// A Signing Authority
// A Signing Authority
class
Signer
{
class
Signer
{
PublicKey
key_
;
PublicKey
key_
;
char
*
name_
;
char
name_
[
NAME_MAX
]
;
byte
hash_
[
SHA_SIZE
];
byte
hash_
[
SHA_SIZE
];
public:
public:
Signer
(
const
byte
*
k
,
word32
kSz
,
const
char
*
n
,
const
byte
*
h
);
Signer
(
const
byte
*
k
,
word32
kSz
,
const
char
*
n
,
const
byte
*
h
);
~
Signer
();
~
Signer
();
const
PublicKey
&
GetPublicKey
()
const
{
return
key_
;
}
const
PublicKey
&
GetPublicKey
()
const
{
return
key_
;
}
const
char
*
Get
CommonName
()
const
{
return
name_
;
}
const
char
*
Get
Name
()
const
{
return
name_
;
}
const
byte
*
GetHash
()
const
{
return
hash_
;
}
const
byte
*
GetHash
()
const
{
return
hash_
;
}
private:
private:
...
@@ -257,8 +264,8 @@ private:
...
@@ -257,8 +264,8 @@ private:
byte
subjectHash_
[
SHA_SIZE
];
// hash of all Names
byte
subjectHash_
[
SHA_SIZE
];
// hash of all Names
byte
issuerHash_
[
SHA_SIZE
];
// hash of all Names
byte
issuerHash_
[
SHA_SIZE
];
// hash of all Names
byte
*
signature_
;
byte
*
signature_
;
char
*
issuer_
;
// CommonName
char
issuer_
[
NAME_MAX
];
// Names
char
*
subject_
;
// CommonName
char
subject_
[
NAME_MAX
];
// Names
bool
verify_
;
// Default to yes, but could be off
bool
verify_
;
// Default to yes, but could be off
void
ReadHeader
();
void
ReadHeader
();
...
...
extra/yassl/taocrypt/src/asn.cpp
View file @
56e42630
...
@@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len)
...
@@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len)
Signer
::
Signer
(
const
byte
*
k
,
word32
kSz
,
const
char
*
n
,
const
byte
*
h
)
Signer
::
Signer
(
const
byte
*
k
,
word32
kSz
,
const
char
*
n
,
const
byte
*
h
)
:
key_
(
k
,
kSz
)
,
name_
(
0
)
:
key_
(
k
,
kSz
)
{
{
if
(
n
)
{
int
sz
=
strlen
(
n
);
int
sz
=
strlen
(
n
);
name_
=
NEW_TC
char
[
sz
+
1
];
memcpy
(
name_
,
n
,
sz
);
memcpy
(
name_
,
n
,
sz
);
name_
[
sz
]
=
0
;
name_
[
sz
]
=
0
;
}
memcpy
(
hash_
,
h
,
SHA
::
DIGEST_SIZE
);
memcpy
(
hash_
,
h
,
SHA
::
DIGEST_SIZE
);
}
}
Signer
::~
Signer
()
Signer
::~
Signer
()
{
{
tcArrayDelete
(
name_
);
}
}
...
@@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key)
...
@@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key)
CertDecoder
::
CertDecoder
(
Source
&
s
,
bool
decode
,
SignerList
*
signers
,
CertDecoder
::
CertDecoder
(
Source
&
s
,
bool
decode
,
SignerList
*
signers
,
bool
noVerify
,
CertType
ct
)
bool
noVerify
,
CertType
ct
)
:
BER_Decoder
(
s
),
certBegin_
(
0
),
sigIndex_
(
0
),
sigLength_
(
0
),
:
BER_Decoder
(
s
),
certBegin_
(
0
),
sigIndex_
(
0
),
sigLength_
(
0
),
signature_
(
0
),
issuer_
(
0
),
subject_
(
0
),
verify_
(
!
noVerify
)
signature_
(
0
),
verify_
(
!
noVerify
)
{
{
issuer_
[
0
]
=
0
;
subject_
[
0
]
=
0
;
if
(
decode
)
if
(
decode
)
Decode
(
signers
,
ct
);
Decode
(
signers
,
ct
);
}
}
CertDecoder
::~
CertDecoder
()
CertDecoder
::~
CertDecoder
()
{
{
tcArrayDelete
(
subject_
);
tcArrayDelete
(
issuer_
);
tcArrayDelete
(
signature_
);
tcArrayDelete
(
signature_
);
}
}
...
@@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt)
...
@@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt)
SHA
sha
;
SHA
sha
;
word32
length
=
GetSequence
();
// length of all distinguished names
word32
length
=
GetSequence
();
// length of all distinguished names
assert
(
length
<
NAME_MAX
);
length
+=
source_
.
get_index
();
length
+=
source_
.
get_index
();
char
*
ptr
=
(
nt
==
ISSUER
)
?
issuer_
:
subject_
;
word32
idx
=
0
;
while
(
source_
.
get_index
()
<
length
)
{
while
(
source_
.
get_index
()
<
length
)
{
GetSet
();
GetSet
();
GetSequence
();
GetSequence
();
...
@@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt)
...
@@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt)
byte
id
=
source_
.
next
();
byte
id
=
source_
.
next
();
b
=
source_
.
next
();
// strType
b
=
source_
.
next
();
// strType
word32
strLen
=
GetLength
(
source_
);
word32
strLen
=
GetLength
(
source_
);
bool
copy
=
false
;
if
(
id
==
COMMON_NAME
)
{
if
(
id
==
COMMON_NAME
)
{
char
*&
ptr
=
(
nt
==
ISSUER
)
?
issuer_
:
subject_
;
memcpy
(
&
ptr
[
idx
],
"/CN="
,
4
);
ptr
=
NEW_TC
char
[
strLen
+
1
];
idx
+=
4
;
memcpy
(
ptr
,
source_
.
get_current
(),
strLen
);
copy
=
true
;
ptr
[
strLen
]
=
0
;
}
else
if
(
id
==
SUR_NAME
)
{
memcpy
(
&
ptr
[
idx
],
"/SN="
,
4
);
idx
+=
4
;
copy
=
true
;
}
else
if
(
id
==
COUNTRY_NAME
)
{
memcpy
(
&
ptr
[
idx
],
"/C="
,
3
);
idx
+=
3
;
copy
=
true
;
}
else
if
(
id
==
LOCALITY_NAME
)
{
memcpy
(
&
ptr
[
idx
],
"/L="
,
3
);
idx
+=
3
;
copy
=
true
;
}
}
else
if
(
id
==
STATE_NAME
)
{
memcpy
(
&
ptr
[
idx
],
"/ST="
,
4
);
idx
+=
4
;
copy
=
true
;
}
else
if
(
id
==
ORG_NAME
)
{
memcpy
(
&
ptr
[
idx
],
"/O="
,
3
);
idx
+=
3
;
copy
=
true
;
}
else
if
(
id
==
ORGUNIT_NAME
)
{
memcpy
(
&
ptr
[
idx
],
"/OU="
,
4
);
idx
+=
4
;
copy
=
true
;
}
if
(
copy
)
{
memcpy
(
&
ptr
[
idx
],
source_
.
get_current
(),
strLen
);
idx
+=
strLen
;
}
sha
.
Update
(
source_
.
get_current
(),
strLen
);
sha
.
Update
(
source_
.
get_current
(),
strLen
);
source_
.
advance
(
strLen
);
source_
.
advance
(
strLen
);
}
}
...
@@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt)
...
@@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt)
source_
.
advance
(
length
);
source_
.
advance
(
length
);
}
}
}
}
ptr
[
idx
++
]
=
0
;
if
(
nt
==
ISSUER
)
if
(
nt
==
ISSUER
)
sha
.
Final
(
issuerHash_
);
sha
.
Final
(
issuerHash_
);
else
else
...
...
extra/yassl/taocrypt/src/make.bat
View file @
56e42630
#
quick
and
dirty
build
file
for
testing
different
MSDEVs
REM
quick and dirty build file for testing different MSDEVs
setlocal
setlocal
set
myFLAGS
=
/I
../include
/I
../../mySTL
/c /W
3
/G
6
/O
2
set
myFLAGS
=
/I
../include
/I
../../mySTL
/c /W
3
/G
6
/O
2
...
...
extra/yassl/taocrypt/src/template_instnt.cpp
View file @
56e42630
...
@@ -30,11 +30,11 @@
...
@@ -30,11 +30,11 @@
#include "sha.hpp"
#include "sha.hpp"
#include "md5.hpp"
#include "md5.hpp"
#include "hmac.hpp"
#include "hmac.hpp"
#include "ripemd.hpp"
#include "pwdbased.hpp"
#include "pwdbased.hpp"
#include "algebra.hpp"
#include "algebra.hpp"
#include "vector.hpp"
#include "vector.hpp"
#include "hash.hpp"
#include "hash.hpp"
#include "ripemd.hpp"
#ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
#ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
namespace
TaoCrypt
{
namespace
TaoCrypt
{
...
...
extra/yassl/testsuite/test.hpp
View file @
56e42630
...
@@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl)
...
@@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl)
char
*
subject
=
X509_NAME_oneline
(
X509_get_subject_name
(
peer
),
0
,
0
);
char
*
subject
=
X509_NAME_oneline
(
X509_get_subject_name
(
peer
),
0
,
0
);
printf
(
"peer's cert info:
\n
"
);
printf
(
"peer's cert info:
\n
"
);
printf
(
"issuer
is
: %s
\n
"
,
issuer
);
printf
(
"issuer : %s
\n
"
,
issuer
);
printf
(
"subject
is
: %s
\n
"
,
subject
);
printf
(
"subject: %s
\n
"
,
subject
);
free
(
subject
);
free
(
subject
);
free
(
issuer
);
free
(
issuer
);
...
...
include/mysql.h
View file @
56e42630
...
@@ -149,7 +149,8 @@ enum mysql_option
...
@@ -149,7 +149,8 @@ enum mysql_option
MYSQL_OPT_WRITE_TIMEOUT
,
MYSQL_OPT_USE_RESULT
,
MYSQL_OPT_WRITE_TIMEOUT
,
MYSQL_OPT_USE_RESULT
,
MYSQL_OPT_USE_REMOTE_CONNECTION
,
MYSQL_OPT_USE_EMBEDDED_CONNECTION
,
MYSQL_OPT_USE_REMOTE_CONNECTION
,
MYSQL_OPT_USE_EMBEDDED_CONNECTION
,
MYSQL_OPT_GUESS_CONNECTION
,
MYSQL_SET_CLIENT_IP
,
MYSQL_SECURE_AUTH
,
MYSQL_OPT_GUESS_CONNECTION
,
MYSQL_SET_CLIENT_IP
,
MYSQL_SECURE_AUTH
,
MYSQL_REPORT_DATA_TRUNCATION
,
MYSQL_OPT_RECONNECT
MYSQL_REPORT_DATA_TRUNCATION
,
MYSQL_OPT_RECONNECT
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
};
};
struct
st_mysql_options
{
struct
st_mysql_options
{
...
@@ -164,6 +165,7 @@ struct st_mysql_options {
...
@@ -164,6 +165,7 @@ struct st_mysql_options {
char
*
ssl_ca
;
/* PEM CA file */
char
*
ssl_ca
;
/* PEM CA file */
char
*
ssl_capath
;
/* PEM directory of CA-s? */
char
*
ssl_capath
;
/* PEM directory of CA-s? */
char
*
ssl_cipher
;
/* cipher to use */
char
*
ssl_cipher
;
/* cipher to use */
my_bool
ssl_verify_server_cert
;
/* if to verify server cert */
char
*
shared_memory_base_name
;
char
*
shared_memory_base_name
;
unsigned
long
max_allowed_packet
;
unsigned
long
max_allowed_packet
;
my_bool
use_ssl
;
/* if to use SSL or not */
my_bool
use_ssl
;
/* if to use SSL or not */
...
...
include/sslopt-longopts.h
View file @
56e42630
...
@@ -37,5 +37,10 @@
...
@@ -37,5 +37,10 @@
{
"ssl-cipher"
,
OPT_SSL_CIPHER
,
"SSL cipher to use (implies --ssl)."
,
{
"ssl-cipher"
,
OPT_SSL_CIPHER
,
"SSL cipher to use (implies --ssl)."
,
(
gptr
*
)
&
opt_ssl_cipher
,
(
gptr
*
)
&
opt_ssl_cipher
,
0
,
GET_STR
,
REQUIRED_ARG
,
(
gptr
*
)
&
opt_ssl_cipher
,
(
gptr
*
)
&
opt_ssl_cipher
,
0
,
GET_STR
,
REQUIRED_ARG
,
0
,
0
,
0
,
0
,
0
,
0
},
0
,
0
,
0
,
0
,
0
,
0
},
#ifdef MYSQL_CLIENT
{
"ssl-verify-server-cert"
,
OPT_SSL_VERIFY_SERVER_CERT
,
"Verify servers
\"
Common Name
\"
in it's cert against hostname used when connecting. This option is disabled by default."
,
(
gptr
*
)
&
opt_ssl_verify_server_cert
,
(
gptr
*
)
&
opt_ssl_verify_server_cert
,
0
,
GET_BOOL
,
NO_ARG
,
0
,
0
,
0
,
0
,
0
,
0
},
#endif
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
include/sslopt-vars.h
View file @
56e42630
...
@@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0;
...
@@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0;
static
char
*
opt_ssl_ca
=
0
;
static
char
*
opt_ssl_ca
=
0
;
static
char
*
opt_ssl_capath
=
0
;
static
char
*
opt_ssl_capath
=
0
;
static
char
*
opt_ssl_cipher
=
0
;
static
char
*
opt_ssl_cipher
=
0
;
#ifdef MYSQL_CLIENT
static
my_bool
opt_ssl_verify_server_cert
=
0
;
#endif
#endif
#endif
include/violite.h
View file @
56e42630
...
@@ -105,33 +105,22 @@ void vio_timeout(Vio *vio,uint which, uint timeout);
...
@@ -105,33 +105,22 @@ void vio_timeout(Vio *vio,uint which, uint timeout);
#include <openssl/ssl.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/err.h>
struct
st_VioSSL
AcceptorFd
struct
st_VioSSL
Fd
{
{
SSL_CTX
*
ssl_context
;
SSL_CTX
*
ssl_context
;
SSL_METHOD
*
ssl_method
;
struct
st_VioSSLAcceptorFd
*
session_id_context
;
};
};
/* One copy for client */
int
sslaccept
(
struct
st_VioSSLFd
*
,
Vio
*
,
long
timeout
);
struct
st_VioSSLConnectorFd
int
sslconnect
(
struct
st_VioSSLFd
*
,
Vio
*
,
long
timeout
);
{
SSL_CTX
*
ssl_context
;
/* function pointers which are only once for SSL client */
SSL_METHOD
*
ssl_method
;
};
int
sslaccept
(
struct
st_VioSSLAcceptorFd
*
,
Vio
*
,
long
timeout
);
int
sslconnect
(
struct
st_VioSSLConnectorFd
*
,
Vio
*
,
long
timeout
);
struct
st_VioSSL
Connector
Fd
struct
st_VioSSLFd
*
new_VioSSLConnectorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
*
new_VioSSLConnectorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
);
const
char
*
cipher
);
struct
st_VioSSL
Acceptor
Fd
struct
st_VioSSLFd
*
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
*
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
);
const
char
*
cipher
);
Vio
*
new_VioSSL
(
struct
st_VioSSLAcceptorFd
*
fd
,
Vio
*
sd
,
int
state
);
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
#ifdef HAVE_SMEM
#ifdef HAVE_SMEM
...
...
sql-common/client.c
View file @
56e42630
...
@@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
...
@@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
mysql
->
options
.
ssl_ca
=
strdup_if_not_null
(
ca
);
mysql
->
options
.
ssl_ca
=
strdup_if_not_null
(
ca
);
mysql
->
options
.
ssl_capath
=
strdup_if_not_null
(
capath
);
mysql
->
options
.
ssl_capath
=
strdup_if_not_null
(
capath
);
mysql
->
options
.
ssl_cipher
=
strdup_if_not_null
(
cipher
);
mysql
->
options
.
ssl_cipher
=
strdup_if_not_null
(
cipher
);
mysql
->
options
.
ssl_verify_server_cert
=
FALSE
;
/* Off by default */
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
DBUG_RETURN
(
0
);
DBUG_RETURN
(
0
);
}
}
...
@@ -1514,17 +1515,16 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
...
@@ -1514,17 +1515,16 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
static
void
static
void
mysql_ssl_free
(
MYSQL
*
mysql
__attribute__
((
unused
)))
mysql_ssl_free
(
MYSQL
*
mysql
__attribute__
((
unused
)))
{
{
struct
st_VioSSLConnectorFd
*
st
=
struct
st_VioSSLFd
*
ssl_fd
=
(
struct
st_VioSSLFd
*
)
mysql
->
connector_fd
;
(
struct
st_VioSSLConnectorFd
*
)
mysql
->
connector_fd
;
DBUG_ENTER
(
"mysql_ssl_free"
);
DBUG_ENTER
(
"mysql_ssl_free"
);
my_free
(
mysql
->
options
.
ssl_key
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_key
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_cert
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_cert
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_ca
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_ca
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_capath
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_capath
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_cipher
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
options
.
ssl_cipher
,
MYF
(
MY_ALLOW_ZERO_PTR
));
if
(
s
t
)
if
(
s
sl_fd
)
SSL_CTX_free
(
s
t
->
ssl_context
);
SSL_CTX_free
(
s
sl_fd
->
ssl_context
);
my_free
(
mysql
->
connector_fd
,
MYF
(
MY_ALLOW_ZERO_PTR
));
my_free
(
mysql
->
connector_fd
,
MYF
(
MY_ALLOW_ZERO_PTR
));
mysql
->
options
.
ssl_key
=
0
;
mysql
->
options
.
ssl_key
=
0
;
mysql
->
options
.
ssl_cert
=
0
;
mysql
->
options
.
ssl_cert
=
0
;
...
@@ -1556,6 +1556,77 @@ mysql_get_ssl_cipher(MYSQL *mysql)
...
@@ -1556,6 +1556,77 @@ mysql_get_ssl_cipher(MYSQL *mysql)
DBUG_RETURN
(
NULL
);
DBUG_RETURN
(
NULL
);
}
}
/*
Check the server's (subject) Common Name against the
hostname we connected to
SYNOPSIS
ssl_verify_server_cert()
vio pointer to a SSL connected vio
server_hostname name of the server that we connected to
RETURN VALUES
0 Success
1 Failed to validate server
*/
static
int
ssl_verify_server_cert
(
Vio
*
vio
,
const
char
*
server_hostname
)
{
SSL
*
ssl
;
X509
*
server_cert
;
char
*
cp1
,
*
cp2
;
char
buf
[
256
];
DBUG_ENTER
(
"ssl_verify_server_cert"
);
DBUG_PRINT
(
"enter"
,
(
"server_hostname: %s"
,
server_hostname
));
if
(
!
(
ssl
=
(
SSL
*
)
vio
->
ssl_arg
))
{
DBUG_PRINT
(
"error"
,
(
"No SSL pointer found"
));
DBUG_RETURN
(
1
);
}
if
(
!
server_hostname
)
{
DBUG_PRINT
(
"error"
,
(
"No server hostname supplied"
));
DBUG_RETURN
(
1
);
}
if
(
!
(
server_cert
=
SSL_get_peer_certificate
(
ssl
)))
{
DBUG_PRINT
(
"error"
,
(
"Could not get server certificate"
));
DBUG_RETURN
(
1
);
}
/*
We already know that the certificate exchanged was valid; the SSL library
handled that. Now we need to verify that the contents of the certificate
are what we expect.
*/
X509_NAME_oneline
(
X509_get_subject_name
(
server_cert
),
buf
,
sizeof
(
buf
));
X509_free
(
server_cert
);
DBUG_PRINT
(
"info"
,
(
"hostname in cert: %s"
,
buf
));
cp1
=
strstr
(
buf
,
"/CN="
);
if
(
cp1
)
{
cp1
+=
4
;
// Skip the "/CN=" that we found
// Search for next / which might be the delimiter for email
cp2
=
strchr
(
cp1
,
'/'
);
if
(
cp2
)
*
cp2
=
'\0'
;
DBUG_PRINT
(
"info"
,
(
"Server hostname in cert: %s"
,
cp1
));
if
(
!
strcmp
(
cp1
,
server_hostname
))
{
/* Success */
DBUG_RETURN
(
0
);
}
}
DBUG_PRINT
(
"error"
,
(
"SSL certificate validation failure"
));
DBUG_RETURN
(
1
);
}
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
...
@@ -1589,7 +1660,6 @@ static MYSQL_METHODS client_methods=
...
@@ -1589,7 +1660,6 @@ static MYSQL_METHODS client_methods=
#endif
#endif
};
};
MYSQL
*
MYSQL
*
CLI_MYSQL_REAL_CONNECT
(
MYSQL
*
mysql
,
const
char
*
host
,
const
char
*
user
,
CLI_MYSQL_REAL_CONNECT
(
MYSQL
*
mysql
,
const
char
*
host
,
const
char
*
user
,
const
char
*
passwd
,
const
char
*
db
,
const
char
*
passwd
,
const
char
*
db
,
...
@@ -2034,37 +2104,52 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
...
@@ -2034,37 +2104,52 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
mysql
->
client_flag
=
client_flag
;
mysql
->
client_flag
=
client_flag
;
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL
/*
Oops.. are we careful enough to not send ANY information without
encryption?
*/
if
(
client_flag
&
CLIENT_SSL
)
if
(
client_flag
&
CLIENT_SSL
)
{
{
/* Do the SSL layering. */
struct
st_mysql_options
*
options
=
&
mysql
->
options
;
struct
st_mysql_options
*
options
=
&
mysql
->
options
;
struct
st_VioSSLFd
*
ssl_fd
;
/*
Send client_flag, max_packet_size - unencrypted otherwise
the server does not know we want to do SSL
*/
if
(
my_net_write
(
net
,
buff
,(
uint
)
(
end
-
buff
))
||
net_flush
(
net
))
if
(
my_net_write
(
net
,
buff
,(
uint
)
(
end
-
buff
))
||
net_flush
(
net
))
{
{
set_mysql_error
(
mysql
,
CR_SERVER_LOST
,
unknown_sqlstate
);
set_mysql_error
(
mysql
,
CR_SERVER_LOST
,
unknown_sqlstate
);
goto
error
;
goto
error
;
}
}
/* Do the SSL layering. */
if
(
!
(
mysql
->
connector_fd
=
/* Create the VioSSLConnectorFd - init SSL and load certs */
(
gptr
)
new_VioSSLConnectorFd
(
options
->
ssl_key
,
if
(
!
(
ssl_fd
=
new_VioSSLConnectorFd
(
options
->
ssl_key
,
options
->
ssl_cert
,
options
->
ssl_cert
,
options
->
ssl_ca
,
options
->
ssl_ca
,
options
->
ssl_capath
,
options
->
ssl_capath
,
options
->
ssl_cipher
)))
options
->
ssl_cipher
)))
{
{
set_mysql_error
(
mysql
,
CR_SSL_CONNECTION_ERROR
,
unknown_sqlstate
);
set_mysql_error
(
mysql
,
CR_SSL_CONNECTION_ERROR
,
unknown_sqlstate
);
goto
error
;
goto
error
;
}
}
mysql
->
connector_fd
=
(
void
*
)
ssl_fd
;
/* Connect to the server */
DBUG_PRINT
(
"info"
,
(
"IO layer change in progress..."
));
DBUG_PRINT
(
"info"
,
(
"IO layer change in progress..."
));
if
(
sslconnect
(
(
struct
st_VioSSLConnectorFd
*
)(
mysql
->
connector_fd
)
,
if
(
sslconnect
(
ssl_fd
,
mysql
->
net
.
vio
,
mysql
->
net
.
vio
,
(
long
)
(
mysql
->
options
.
connect_timeout
)))
(
long
)
(
mysql
->
options
.
connect_timeout
)))
{
{
set_mysql_error
(
mysql
,
CR_SSL_CONNECTION_ERROR
,
unknown_sqlstate
);
set_mysql_error
(
mysql
,
CR_SSL_CONNECTION_ERROR
,
unknown_sqlstate
);
goto
error
;
goto
error
;
}
}
DBUG_PRINT
(
"info"
,
(
"IO layer change done!"
));
DBUG_PRINT
(
"info"
,
(
"IO layer change done!"
));
/* Verify server cert */
if
(
mysql
->
options
.
ssl_verify_server_cert
&&
ssl_verify_server_cert
(
mysql
->
net
.
vio
,
mysql
->
host
))
{
set_mysql_error
(
mysql
,
CR_SSL_CONNECTION_ERROR
,
unknown_sqlstate
);
goto
error
;
}
}
}
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
...
@@ -2804,6 +2889,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg)
...
@@ -2804,6 +2889,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg)
case
MYSQL_OPT_RECONNECT
:
case
MYSQL_OPT_RECONNECT
:
mysql
->
reconnect
=
*
(
my_bool
*
)
arg
;
mysql
->
reconnect
=
*
(
my_bool
*
)
arg
;
break
;
break
;
case
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
:
mysql
->
options
.
ssl_verify_server_cert
=
*
(
my_bool
*
)
arg
;
break
;
default:
default:
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
...
...
sql/mysql_priv.h
View file @
56e42630
...
@@ -1310,7 +1310,7 @@ extern pthread_t signal_thread;
...
@@ -1310,7 +1310,7 @@ extern pthread_t signal_thread;
#endif
#endif
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL
extern
struct
st_VioSSL
Acceptor
Fd
*
ssl_acceptor_fd
;
extern
struct
st_VioSSLFd
*
ssl_acceptor_fd
;
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
MYSQL_LOCK
*
mysql_lock_tables
(
THD
*
thd
,
TABLE
**
table
,
uint
count
,
MYSQL_LOCK
*
mysql_lock_tables
(
THD
*
thd
,
TABLE
**
table
,
uint
count
,
...
...
sql/mysqld.cc
View file @
56e42630
...
@@ -620,7 +620,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int);
...
@@ -620,7 +620,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int);
static
unsigned
long
openssl_id_function
();
static
unsigned
long
openssl_id_function
();
#endif
#endif
char
*
des_key_file
;
char
*
des_key_file
;
struct
st_VioSSL
Acceptor
Fd
*
ssl_acceptor_fd
;
struct
st_VioSSLFd
*
ssl_acceptor_fd
;
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
...
@@ -1131,7 +1131,10 @@ void clean_up(bool print_message)
...
@@ -1131,7 +1131,10 @@ void clean_up(bool print_message)
#endif
#endif
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL
if
(
ssl_acceptor_fd
)
if
(
ssl_acceptor_fd
)
my_free
((
gptr
)
ssl_acceptor_fd
,
MYF
(
MY_ALLOW_ZERO_PTR
));
{
SSL_CTX_free
(
ssl_acceptor_fd
->
ssl_context
);
my_free
((
gptr
)
ssl_acceptor_fd
,
MYF
(
0
));
}
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
#ifdef USE_REGEX
#ifdef USE_REGEX
my_regex_end
();
my_regex_end
();
...
...
sql/sql_acl.cc
View file @
56e42630
...
@@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
...
@@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
if
(
acl_user
->
x509_issuer
)
if
(
acl_user
->
x509_issuer
)
{
{
DBUG_PRINT
(
"info"
,(
"checkpoint 3"
));
DBUG_PRINT
(
"info"
,(
"checkpoint 3"
));
char
*
ptr
=
X509_NAME_oneline
(
X509_get_issuer_name
(
cert
),
0
,
0
);
char
*
ptr
=
X509_NAME_oneline
(
X509_get_issuer_name
(
cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"comparing issuers: '%s' and '%s'"
,
DBUG_PRINT
(
"info"
,(
"comparing issuers: '%s' and '%s'"
,
acl_user
->
x509_issuer
,
ptr
));
acl_user
->
x509_issuer
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_issuer
,
ptr
))
if
(
strcmp
(
acl_user
->
x509_issuer
,
ptr
))
{
{
...
...
vio/vio.c
View file @
56e42630
...
@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type,
...
@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type,
if
(
type
==
VIO_TYPE_SSL
)
if
(
type
==
VIO_TYPE_SSL
)
{
{
vio
->
viodelete
=
vio_delete
;
vio
->
viodelete
=
vio_delete
;
vio
->
vioerrno
=
vio_
ssl_
errno
;
vio
->
vioerrno
=
vio_errno
;
vio
->
read
=
vio_ssl_read
;
vio
->
read
=
vio_ssl_read
;
vio
->
write
=
vio_ssl_write
;
vio
->
write
=
vio_ssl_write
;
vio
->
fastsend
=
vio_
ssl_
fastsend
;
vio
->
fastsend
=
vio_fastsend
;
vio
->
viokeepalive
=
vio_
ssl_
keepalive
;
vio
->
viokeepalive
=
vio_keepalive
;
vio
->
should_retry
=
vio_s
sl_s
hould_retry
;
vio
->
should_retry
=
vio_should_retry
;
vio
->
was_interrupted
=
vio_
ssl_
was_interrupted
;
vio
->
was_interrupted
=
vio_was_interrupted
;
vio
->
vioclose
=
vio_ssl_close
;
vio
->
vioclose
=
vio_ssl_close
;
vio
->
peer_addr
=
vio_
ssl_
peer_addr
;
vio
->
peer_addr
=
vio_peer_addr
;
vio
->
in_addr
=
vio_
ssl_
in_addr
;
vio
->
in_addr
=
vio_in_addr
;
vio
->
vioblocking
=
vio_ssl_blocking
;
vio
->
vioblocking
=
vio_ssl_blocking
;
vio
->
is_blocking
=
vio_is_blocking
;
vio
->
is_blocking
=
vio_is_blocking
;
vio
->
timeout
=
vio_
ssl_
timeout
;
vio
->
timeout
=
vio_timeout
;
}
}
else
/* default is VIO_TYPE_TCPIP */
else
/* default is VIO_TYPE_TCPIP */
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
...
...
vio/vio_priv.h
View file @
56e42630
...
@@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout);
...
@@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout);
int
vio_ssl_read
(
Vio
*
vio
,
gptr
buf
,
int
size
);
int
vio_ssl_read
(
Vio
*
vio
,
gptr
buf
,
int
size
);
int
vio_ssl_write
(
Vio
*
vio
,
const
gptr
buf
,
int
size
);
int
vio_ssl_write
(
Vio
*
vio
,
const
gptr
buf
,
int
size
);
void
vio_ssl_timeout
(
Vio
*
vio
,
uint
which
,
uint
timeout
);
/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */
int
vio_ssl_fastsend
(
Vio
*
vio
);
/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */
int
vio_ssl_keepalive
(
Vio
*
vio
,
my_bool
onoff
);
/* Whenever we should retry the last read/write operation. */
my_bool
vio_ssl_should_retry
(
Vio
*
vio
);
/* Check that operation was timed out */
my_bool
vio_ssl_was_interrupted
(
Vio
*
vio
);
/* When the workday is over... */
/* When the workday is over... */
int
vio_ssl_close
(
Vio
*
vio
);
int
vio_ssl_close
(
Vio
*
vio
);
/* Return last error number */
int
vio_ssl_errno
(
Vio
*
vio
);
my_bool
vio_ssl_peer_addr
(
Vio
*
vio
,
char
*
buf
,
uint16
*
port
);
void
vio_ssl_in_addr
(
Vio
*
vio
,
struct
in_addr
*
in
);
int
vio_ssl_blocking
(
Vio
*
vio
,
my_bool
set_blocking_mode
,
my_bool
*
old_mode
);
int
vio_ssl_blocking
(
Vio
*
vio
,
my_bool
set_blocking_mode
,
my_bool
*
old_mode
);
/* Single copy for server */
enum
vio_ssl_acceptorfd_state
{
state_connect
=
1
,
state_accept
=
2
};
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
vio/viossl.c
View file @
56e42630
...
@@ -54,12 +54,12 @@ static void
...
@@ -54,12 +54,12 @@ static void
report_errors
()
report_errors
()
{
{
unsigned
long
l
;
unsigned
long
l
;
const
char
*
file
;
const
char
*
file
;
const
char
*
data
;
const
char
*
data
;
int
line
,
flags
;
int
line
,
flags
;
DBUG_ENTER
(
"report_errors"
);
DBUG_ENTER
(
"report_errors"
);
while
((
l
=
ERR_get_error_line_data
(
&
file
,
&
line
,
&
data
,
&
flags
)))
while
((
l
=
ERR_get_error_line_data
(
&
file
,
&
line
,
&
data
,
&
flags
)))
{
{
char
buf
[
512
];
char
buf
[
512
];
DBUG_PRINT
(
"error"
,
(
"OpenSSL: %s:%s:%d:%s
\n
"
,
ERR_error_string
(
l
,
buf
),
DBUG_PRINT
(
"error"
,
(
"OpenSSL: %s:%s:%d:%s
\n
"
,
ERR_error_string
(
l
,
buf
),
...
@@ -70,13 +70,7 @@ report_errors()
...
@@ -70,13 +70,7 @@ report_errors()
}
}
int
vio_ssl_errno
(
Vio
*
vio
__attribute__
((
unused
)))
int
vio_ssl_read
(
Vio
*
vio
,
gptr
buf
,
int
size
)
{
return
socket_errno
;
/* On Win32 this mapped to WSAGetLastError() */
}
int
vio_ssl_read
(
Vio
*
vio
,
gptr
buf
,
int
size
)
{
{
int
r
;
int
r
;
DBUG_ENTER
(
"vio_ssl_read"
);
DBUG_ENTER
(
"vio_ssl_read"
);
...
@@ -94,7 +88,7 @@ int vio_ssl_read(Vio * vio, gptr buf, int size)
...
@@ -94,7 +88,7 @@ int vio_ssl_read(Vio * vio, gptr buf, int size)
}
}
int
vio_ssl_write
(
Vio
*
vio
,
const
gptr
buf
,
int
size
)
int
vio_ssl_write
(
Vio
*
vio
,
const
gptr
buf
,
int
size
)
{
{
int
r
;
int
r
;
DBUG_ENTER
(
"vio_ssl_write"
);
DBUG_ENTER
(
"vio_ssl_write"
);
...
@@ -107,183 +101,51 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size)
...
@@ -107,183 +101,51 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size)
}
}
int
vio_ssl_fastsend
(
Vio
*
vio
__attribute__
((
unused
)))
int
vio_ssl_close
(
Vio
*
vio
)
{
int
r
=
0
;
DBUG_ENTER
(
"vio_ssl_fastsend"
);
#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__)
{
int
tos
=
IPTOS_THROUGHPUT
;
r
=
setsockopt
(
vio
->
sd
,
IPPROTO_IP
,
IP_TOS
,
(
void
*
)
&
tos
,
sizeof
(
tos
));
}
#endif
/* IPTOS_THROUGHPUT && !__EMX__ */
if
(
!
r
)
{
#ifdef __WIN__
BOOL
nodelay
=
1
;
r
=
setsockopt
(
vio
->
sd
,
IPPROTO_TCP
,
TCP_NODELAY
,
(
const
char
*
)
&
nodelay
,
sizeof
(
nodelay
));
#else
int
nodelay
=
1
;
r
=
setsockopt
(
vio
->
sd
,
IPPROTO_TCP
,
TCP_NODELAY
,
(
void
*
)
&
nodelay
,
sizeof
(
nodelay
));
#endif
/* __WIN__ */
}
if
(
r
)
{
DBUG_PRINT
(
"warning"
,
(
"Couldn't set socket option for fast send"
));
r
=
-
1
;
}
DBUG_PRINT
(
"exit"
,
(
"%d"
,
r
));
DBUG_RETURN
(
r
);
}
int
vio_ssl_keepalive
(
Vio
*
vio
,
my_bool
set_keep_alive
)
{
int
r
=
0
;
DBUG_ENTER
(
"vio_ssl_keepalive"
);
DBUG_PRINT
(
"enter"
,
(
"sd: %d, set_keep_alive: %d"
,
vio
->
sd
,
(
int
)
set_keep_alive
));
if
(
vio
->
type
!=
VIO_TYPE_NAMEDPIPE
)
{
uint
opt
=
(
set_keep_alive
)
?
1
:
0
;
r
=
setsockopt
(
vio
->
sd
,
SOL_SOCKET
,
SO_KEEPALIVE
,
(
char
*
)
&
opt
,
sizeof
(
opt
));
}
DBUG_RETURN
(
r
);
}
my_bool
vio_ssl_should_retry
(
Vio
*
vio
__attribute__
((
unused
)))
{
{
int
en
=
socket_errno
;
int
r
=
0
;
return
(
en
==
SOCKET_EAGAIN
||
en
==
SOCKET_EINTR
||
SSL
*
ssl
=
(
SSL
*
)
vio
->
ssl_arg
;
en
==
SOCKET_EWOULDBLOCK
);
}
my_bool
vio_ssl_was_interrupted
(
Vio
*
vio
__attribute__
((
unused
)))
{
int
en
=
socket_errno
;
return
(
en
==
SOCKET_EAGAIN
||
en
==
SOCKET_EINTR
||
en
==
SOCKET_EWOULDBLOCK
||
en
==
SOCKET_ETIMEDOUT
);
}
int
vio_ssl_close
(
Vio
*
vio
)
{
int
r
;
DBUG_ENTER
(
"vio_ssl_close"
);
DBUG_ENTER
(
"vio_ssl_close"
);
r
=
0
;
if
((
SSL
*
)
vio
->
ssl_arg
)
{
r
=
SSL_shutdown
((
SSL
*
)
vio
->
ssl_arg
);
SSL_free
((
SSL
*
)
vio
->
ssl_arg
);
vio
->
ssl_arg
=
0
;
}
if
(
vio
->
sd
>=
0
)
{
if
(
shutdown
(
vio
->
sd
,
2
))
r
=
-
1
;
if
(
closesocket
(
vio
->
sd
))
r
=
-
1
;
}
if
(
r
)
{
DBUG_PRINT
(
"error"
,
(
"close() failed, error: %d"
,
socket_errno
));
report_errors
();
/* FIXME: error handling (not critical for MySQL) */
}
vio
->
type
=
VIO_CLOSED
;
vio
->
sd
=
-
1
;
DBUG_RETURN
(
r
);
}
const
char
*
vio_ssl_description
(
Vio
*
vio
)
{
return
vio
->
desc
;
}
enum
enum_vio_type
vio_ssl_type
(
Vio
*
vio
)
{
return
vio
->
type
;
}
my_socket
vio_ssl_fd
(
Vio
*
vio
)
{
return
vio
->
sd
;
}
my_bool
vio_ssl_peer_addr
(
Vio
*
vio
,
char
*
buf
,
uint16
*
port
)
if
(
ssl
)
{
DBUG_ENTER
(
"vio_ssl_peer_addr"
);
DBUG_PRINT
(
"enter"
,
(
"sd: %d"
,
vio
->
sd
));
if
(
vio
->
localhost
)
{
strmov
(
buf
,
"127.0.0.1"
);
*
port
=
0
;
}
else
{
{
size_socket
addrLen
=
sizeof
(
struct
sockaddr
);
switch
((
r
=
SSL_shutdown
(
ssl
)))
if
(
getpeername
(
vio
->
sd
,
(
struct
sockaddr
*
)
(
&
(
vio
->
remote
)),
&
addrLen
)
!=
0
)
{
{
DBUG_PRINT
(
"exit"
,
(
"getpeername, error: %d"
,
socket_errno
));
case
1
:
/* Shutdown successful */
DBUG_RETURN
(
1
);
break
;
case
0
:
/* Shutdown not yet finished, call it again */
if
((
r
=
SSL_shutdown
(
ssl
)
>=
0
))
break
;
/* Fallthrough */
default:
/* Shutdown failed */
DBUG_PRINT
(
"vio_error"
,
(
"SSL_shutdown() failed, error: %s"
,
SSL_get_error
(
ssl
,
r
)));
break
;
}
}
#ifdef TO_BE_FIXED
SSL_free
(
ssl
);
my_inet_ntoa
(
vio
->
remote
.
sin_addr
,
buf
);
vio
->
ssl_arg
=
0
;
*
port
=
0
;
#else
strmov
(
buf
,
"unknown"
);
*
port
=
0
;
#endif
}
}
DBUG_PRINT
(
"exit"
,
(
"addr: %s"
,
buf
));
DBUG_RETURN
(
vio_close
(
vio
));
DBUG_RETURN
(
0
);
}
void
vio_ssl_in_addr
(
Vio
*
vio
,
struct
in_addr
*
in
)
{
DBUG_ENTER
(
"vio_ssl_in_addr"
);
if
(
vio
->
localhost
)
bzero
((
char
*
)
in
,
sizeof
(
*
in
));
else
*
in
=
vio
->
remote
.
sin_addr
;
DBUG_VOID_RETURN
;
}
}
/*
int
sslaccept
(
struct
st_VioSSLFd
*
ptr
,
Vio
*
vio
,
long
timeout
)
TODO: Add documentation
*/
int
sslaccept
(
struct
st_VioSSLAcceptorFd
*
ptr
,
Vio
*
vio
,
long
timeout
)
{
{
char
*
str
;
SSL
*
ssl
;
char
buf
[
1024
];
X509
*
client_cert
;
X509
*
client_cert
;
my_bool
unused
;
my_bool
unused
;
my_bool
net_blocking
;
my_bool
net_blocking
;
enum
enum_vio_type
old_type
;
enum
enum_vio_type
old_type
;
DBUG_ENTER
(
"sslaccept"
);
DBUG_ENTER
(
"sslaccept"
);
DBUG_PRINT
(
"enter"
,
(
"sd: %d ptr:
Ox
%p, timeout: %d"
,
DBUG_PRINT
(
"enter"
,
(
"sd: %d ptr: %p, timeout: %d"
,
vio
->
sd
,
ptr
,
timeout
));
vio
->
sd
,
ptr
,
timeout
));
old_type
=
vio
->
type
;
old_type
=
vio
->
type
;
net_blocking
=
vio_is_blocking
(
vio
);
net_blocking
=
vio_is_blocking
(
vio
);
vio_blocking
(
vio
,
1
,
&
unused
);
/* Must be called before reset */
vio_blocking
(
vio
,
1
,
&
unused
);
/* Must be called before reset */
vio_reset
(
vio
,
VIO_TYPE_SSL
,
vio
->
sd
,
0
,
FALSE
);
vio_reset
(
vio
,
VIO_TYPE_SSL
,
vio
->
sd
,
0
,
FALSE
);
vio
->
ssl_arg
=
0
;
if
(
!
(
vio
->
ssl_arg
=
(
void
*
)
SSL_new
(
ptr
->
ssl_context
)))
if
(
!
(
ssl
=
SSL_new
(
ptr
->
ssl_context
)))
{
{
DBUG_PRINT
(
"error"
,
(
"SSL_new failure"
));
DBUG_PRINT
(
"error"
,
(
"SSL_new failure"
));
report_errors
();
report_errors
();
...
@@ -291,144 +153,126 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
...
@@ -291,144 +153,126 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
DBUG_PRINT
(
"info"
,
(
"ssl_: Ox%p timeout: %ld"
,
vio
->
ssl_arg
=
(
void
*
)
ssl
;
(
SSL
*
)
vio
->
ssl_arg
,
timeout
));
DBUG_PRINT
(
"info"
,
(
"ssl_: %p timeout: %ld"
,
ssl
,
timeout
));
SSL_clear
(
(
SSL
*
)
vio
->
ssl_arg
);
SSL_clear
(
ssl
);
SSL_SESSION_set_timeout
(
SSL_get_session
(
(
SSL
*
)
vio
->
ssl_arg
),
timeout
);
SSL_SESSION_set_timeout
(
SSL_get_session
(
ssl
),
timeout
);
SSL_set_fd
(
(
SSL
*
)
vio
->
ssl_arg
,
vio
->
sd
);
SSL_set_fd
(
ssl
,
vio
->
sd
);
SSL_set_accept_state
(
(
SSL
*
)
vio
->
ssl_arg
);
SSL_set_accept_state
(
ssl
);
if
(
SSL_do_handshake
(
(
SSL
*
)
vio
->
ssl_arg
)
<
1
)
if
(
SSL_do_handshake
(
ssl
)
<
1
)
{
{
DBUG_PRINT
(
"error"
,
(
"SSL_do_handshake failure"
));
DBUG_PRINT
(
"error"
,
(
"SSL_do_handshake failure"
));
report_errors
();
report_errors
();
SSL_free
(
(
SSL
*
)
vio
->
ssl_arg
);
SSL_free
(
ssl
);
vio
->
ssl_arg
=
0
;
vio
->
ssl_arg
=
0
;
vio_reset
(
vio
,
old_type
,
vio
->
sd
,
0
,
FALSE
);
vio_reset
(
vio
,
old_type
,
vio
->
sd
,
0
,
FALSE
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
#ifndef DBUG_OFF
#ifndef DBUG_OFF
DBUG_PRINT
(
"info"
,(
"SSL_get_cipher_name() = '%s'"
,
SSL_get_cipher_name
((
SSL
*
)
vio
->
ssl_arg
)));
client_cert
=
SSL_get_peer_certificate
((
SSL
*
)
vio
->
ssl_arg
);
if
(
client_cert
!=
NULL
)
{
{
DBUG_PRINT
(
"info"
,(
"Client certificate:"
));
char
buf
[
1024
];
str
=
X509_NAME_oneline
(
X509_get_subject_name
(
client_cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"cipher_name= '%s'"
,
SSL_get_cipher_name
(
ssl
)));
DBUG_PRINT
(
"info"
,(
"
\t
subject: %s"
,
str
));
free
(
str
);
str
=
X509_NAME_oneline
(
X509_get_issuer_name
(
client_cert
),
0
,
0
);
if
((
client_cert
=
SSL_get_peer_certificate
(
ssl
)))
DBUG_PRINT
(
"info"
,(
"
\t
issuer: %s"
,
str
));
{
free
(
str
);
DBUG_PRINT
(
"info"
,(
"Client certificate:"
));
X509_NAME_oneline
(
X509_get_subject_name
(
client_cert
),
buf
,
sizeof
(
buf
));
DBUG_PRINT
(
"info"
,(
"
\t
subject: %s"
,
buf
));
X509_free
(
client_cert
);
X509_NAME_oneline
(
X509_get_issuer_name
(
client_cert
),
}
buf
,
sizeof
(
buf
));
else
DBUG_PRINT
(
"info"
,(
"
\t
issuer: %s"
,
buf
));
DBUG_PRINT
(
"info"
,(
"Client does not have certificate."
));
str
=
SSL_get_shared_ciphers
((
SSL
*
)
vio
->
ssl_arg
,
buf
,
sizeof
(
buf
));
X509_free
(
client_cert
);
if
(
str
)
}
{
else
DBUG_PRINT
(
"info"
,(
"SSL_get_shared_ciphers() returned '%s'"
,
str
));
DBUG_PRINT
(
"info"
,(
"Client does not have certificate."
));
}
else
{
DBUG_PRINT
(
"info"
,(
"no shared ciphers!"
));
}
if
(
SSL_get_shared_ciphers
(
ssl
,
buf
,
sizeof
(
buf
)))
{
DBUG_PRINT
(
"info"
,(
"shared_ciphers: '%s'"
,
buf
));
}
else
DBUG_PRINT
(
"info"
,(
"no shared ciphers!"
));
}
#endif
#endif
DBUG_RETURN
(
0
);
DBUG_RETURN
(
0
);
}
}
int
sslconnect
(
struct
st_VioSSL
ConnectorFd
*
ptr
,
Vio
*
vio
,
long
timeout
)
int
sslconnect
(
struct
st_VioSSL
Fd
*
ptr
,
Vio
*
vio
,
long
timeout
)
{
{
char
*
str
;
SSL
*
ssl
;
X509
*
server_cert
;
X509
*
server_cert
;
my_bool
unused
;
my_bool
unused
;
my_bool
net_blocking
;
my_bool
net_blocking
;
enum
enum_vio_type
old_type
;
enum
enum_vio_type
old_type
;
DBUG_ENTER
(
"sslconnect"
);
DBUG_ENTER
(
"sslconnect"
);
DBUG_PRINT
(
"enter"
,
(
"sd: %d
ptr: 0x%p ctx: 0x
%p"
,
DBUG_PRINT
(
"enter"
,
(
"sd: %d
, ptr: %p, ctx:
%p"
,
vio
->
sd
,
ptr
,
ptr
->
ssl_context
));
vio
->
sd
,
ptr
,
ptr
->
ssl_context
));
old_type
=
vio
->
type
;
old_type
=
vio
->
type
;
net_blocking
=
vio_is_blocking
(
vio
);
net_blocking
=
vio_is_blocking
(
vio
);
vio_blocking
(
vio
,
1
,
&
unused
);
/* Must be called before reset */
vio_blocking
(
vio
,
1
,
&
unused
);
/* Must be called before reset */
vio_reset
(
vio
,
VIO_TYPE_SSL
,
vio
->
sd
,
0
,
FALSE
);
vio_reset
(
vio
,
VIO_TYPE_SSL
,
vio
->
sd
,
0
,
FALSE
);
vio
->
ssl_arg
=
0
;
if
(
!
(
ssl
=
SSL_new
(
ptr
->
ssl_context
)))
if
(
!
(
vio
->
ssl_arg
=
SSL_new
(
ptr
->
ssl_context
)))
{
{
DBUG_PRINT
(
"error"
,
(
"SSL_new failure"
));
DBUG_PRINT
(
"error"
,
(
"SSL_new failure"
));
report_errors
();
report_errors
();
vio_reset
(
vio
,
old_type
,
vio
->
sd
,
0
,
FALSE
);
vio_reset
(
vio
,
old_type
,
vio
->
sd
,
0
,
FALSE
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
DBUG_PRINT
(
"info"
,
(
"ssl_: 0x%p timeout: %ld"
,
vio
->
ssl_arg
=
(
void
*
)
ssl
;
(
SSL
*
)
vio
->
ssl_arg
,
timeout
));
DBUG_PRINT
(
"info"
,
(
"ssl: %p, timeout: %ld"
,
ssl
,
timeout
));
SSL_clear
(
(
SSL
*
)
vio
->
ssl_arg
);
SSL_clear
(
ssl
);
SSL_SESSION_set_timeout
(
SSL_get_session
(
(
SSL
*
)
vio
->
ssl_arg
),
timeout
);
SSL_SESSION_set_timeout
(
SSL_get_session
(
ssl
),
timeout
);
SSL_set_fd
((
SSL
*
)
vio
->
ssl_arg
,
vio_ssl_fd
(
vio
)
);
SSL_set_fd
(
ssl
,
vio
->
sd
);
SSL_set_connect_state
(
(
SSL
*
)
vio
->
ssl_arg
);
SSL_set_connect_state
(
ssl
);
if
(
SSL_do_handshake
(
(
SSL
*
)
vio
->
ssl_arg
)
<
1
)
if
(
SSL_do_handshake
(
ssl
)
<
1
)
{
{
DBUG_PRINT
(
"error"
,
(
"SSL_do_handshake failure"
));
DBUG_PRINT
(
"error"
,
(
"SSL_do_handshake failure"
));
report_errors
();
report_errors
();
SSL_free
(
(
SSL
*
)
vio
->
ssl_arg
);
SSL_free
(
ssl
);
vio
->
ssl_arg
=
0
;
vio
->
ssl_arg
=
0
;
vio_reset
(
vio
,
old_type
,
vio
->
sd
,
0
,
FALSE
);
vio_reset
(
vio
,
old_type
,
vio
->
sd
,
0
,
FALSE
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
vio_blocking
(
vio
,
net_blocking
,
&
unused
);
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
#ifndef DBUG_OFF
#ifndef DBUG_OFF
DBUG_PRINT
(
"info"
,(
"SSL_get_cipher_name() = '%s'"
DBUG_PRINT
(
"info"
,(
"cipher_name: '%s'"
,
SSL_get_cipher_name
(
ssl
)));
,
SSL_get_cipher_name
((
SSL
*
)
vio
->
ssl_arg
)));
server_cert
=
SSL_get_peer_certificate
((
SSL
*
)
vio
->
ssl_arg
);
if
((
server_cert
=
SSL_get_peer_certificate
(
ssl
)))
if
(
server_cert
!=
NULL
)
{
{
char
buf
[
256
];
DBUG_PRINT
(
"info"
,(
"Server certificate:"
));
DBUG_PRINT
(
"info"
,(
"Server certificate:"
));
str
=
X509_NAME_oneline
(
X509_get_subject_name
(
server_cert
),
0
,
0
);
X509_NAME_oneline
(
X509_get_subject_name
(
server_cert
),
buf
,
sizeof
(
buf
));
DBUG_PRINT
(
"info"
,(
"
\t
subject: %s"
,
str
));
DBUG_PRINT
(
"info"
,(
"
\t
subject: %s"
,
buf
));
free
(
str
);
X509_NAME_oneline
(
X509_get_issuer_name
(
server_cert
),
buf
,
sizeof
(
buf
));
DBUG_PRINT
(
"info"
,(
"
\t
issuer: %s"
,
buf
));
str
=
X509_NAME_oneline
(
X509_get_issuer_name
(
server_cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"
\t
issuer: %s"
,
str
));
free
(
str
);
/*
We could do all sorts of certificate verification stuff here before
deallocating the certificate.
*/
X509_free
(
server_cert
);
X509_free
(
server_cert
);
}
}
else
else
DBUG_PRINT
(
"info"
,(
"Server does not have certificate."
));
DBUG_PRINT
(
"info"
,(
"Server does not have certificate."
));
#endif
#endif
DBUG_RETURN
(
0
);
DBUG_RETURN
(
0
);
}
}
int
vio_ssl_blocking
(
Vio
*
vio
__attribute__
((
unused
)),
int
vio_ssl_blocking
(
Vio
*
vio
__attribute__
((
unused
)),
my_bool
set_blocking_mode
,
my_bool
set_blocking_mode
,
my_bool
*
old_mode
)
my_bool
*
old_mode
)
{
{
/* Mode is always blocking */
*
old_mode
=
1
;
/* Return error if we try to change to non_blocking mode */
/* Return error if we try to change to non_blocking mode */
*
old_mode
=
1
;
/* Mode is always blocking */
return
(
set_blocking_mode
?
0
:
1
);
return
set_blocking_mode
?
0
:
1
;
}
}
void
vio_ssl_timeout
(
Vio
*
vio
__attribute__
((
unused
)),
uint
which
__attribute__
((
unused
)),
uint
timeout
__attribute__
((
unused
)))
{
#ifdef __WIN__
ulong
wait_timeout
=
(
ulong
)
timeout
*
1000
;
(
void
)
setsockopt
(
vio
->
sd
,
SOL_SOCKET
,
which
?
SO_SNDTIMEO
:
SO_RCVTIMEO
,
(
char
*
)
&
wait_timeout
,
sizeof
(
wait_timeout
));
#endif
/* __WIN__ */
}
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
vio/viosslfactories.c
View file @
56e42630
...
@@ -21,7 +21,6 @@
...
@@ -21,7 +21,6 @@
static
bool
ssl_algorithms_added
=
FALSE
;
static
bool
ssl_algorithms_added
=
FALSE
;
static
bool
ssl_error_strings_loaded
=
FALSE
;
static
bool
ssl_error_strings_loaded
=
FALSE
;
static
int
verify_depth
=
0
;
static
int
verify_depth
=
0
;
static
int
verify_error
=
X509_V_OK
;
static
unsigned
char
dh512_p
[]
=
static
unsigned
char
dh512_p
[]
=
{
{
...
@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
...
@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
DBUG_ENTER
(
"vio_set_cert_stuff"
);
DBUG_ENTER
(
"vio_set_cert_stuff"
);
DBUG_PRINT
(
"enter"
,
(
"ctx: %p, cert_file: %s, key_file: %s"
,
DBUG_PRINT
(
"enter"
,
(
"ctx: %p, cert_file: %s, key_file: %s"
,
ctx
,
cert_file
,
key_file
));
ctx
,
cert_file
,
key_file
));
if
(
cert_file
!=
NULL
)
if
(
cert_file
)
{
{
if
(
SSL_CTX_use_certificate_file
(
ctx
,
cert_file
,
SSL_FILETYPE_PEM
)
<=
0
)
if
(
SSL_CTX_use_certificate_file
(
ctx
,
cert_file
,
SSL_FILETYPE_PEM
)
<=
0
)
{
{
DBUG_PRINT
(
"error"
,(
"unable to get certificate from '%s'
\n
"
,
cert_file
));
DBUG_PRINT
(
"error"
,(
"unable to get certificate from '%s'
\n
"
,
cert_file
));
/* FIX stderr */
/* FIX stderr */
fprintf
(
stderr
,
"Error when connection to server using SSL:"
);
fprintf
(
stderr
,
"Error when connection to server using SSL:"
);
ERR_print_errors_fp
(
stderr
);
ERR_print_errors_fp
(
stderr
);
fprintf
(
stderr
,
"Unable to get certificate from '%s'
\n
"
,
cert_file
);
fprintf
(
stderr
,
"Unable to get certificate from '%s'
\n
"
,
cert_file
);
fflush
(
stderr
);
fflush
(
stderr
);
DBUG_RETURN
(
0
);
DBUG_RETURN
(
1
);
}
}
if
(
key_file
==
NULL
)
key_file
=
cert_file
;
if
(
!
key_file
)
if
(
SSL_CTX_use_PrivateKey_file
(
ctx
,
key_file
,
key_file
=
cert_file
;
SSL_FILETYPE_PEM
)
<=
0
)
if
(
SSL_CTX_use_PrivateKey_file
(
ctx
,
key_file
,
SSL_FILETYPE_PEM
)
<=
0
)
{
{
DBUG_PRINT
(
"error"
,
(
"unable to get private key from '%s'
\n
"
,
key_file
));
DBUG_PRINT
(
"error"
,
(
"unable to get private key from '%s'
\n
"
,
key_file
));
/* FIX stderr */
/* FIX stderr */
fprintf
(
stderr
,
"Error when connection to server using SSL:"
);
fprintf
(
stderr
,
"Error when connection to server using SSL:"
);
ERR_print_errors_fp
(
stderr
);
ERR_print_errors_fp
(
stderr
);
fprintf
(
stderr
,
"Unable to get private key from '%s'
\n
"
,
cert_file
);
fprintf
(
stderr
,
"Unable to get private key from '%s'
\n
"
,
cert_file
);
fflush
(
stderr
);
fflush
(
stderr
);
DBUG_RETURN
(
0
);
DBUG_RETURN
(
1
);
}
}
/*
/*
...
@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
...
@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{
{
DBUG_PRINT
(
"error"
,
DBUG_PRINT
(
"error"
,
(
"Private key does not match the certificate public key
\n
"
));
(
"Private key does not match the certificate public key
\n
"
));
DBUG_RETURN
(
0
);
DBUG_RETURN
(
1
);
}
}
}
}
DBUG_RETURN
(
1
);
DBUG_RETURN
(
0
);
}
}
static
int
static
int
vio_verify_callback
(
int
ok
,
X509_STORE_CTX
*
ctx
)
vio_verify_callback
(
int
ok
,
X509_STORE_CTX
*
ctx
)
{
{
char
buf
[
256
];
char
buf
[
256
];
X509
*
err_cert
;
X509
*
err_cert
;
int
err
,
depth
;
DBUG_ENTER
(
"vio_verify_callback"
);
DBUG_ENTER
(
"vio_verify_callback"
);
DBUG_PRINT
(
"enter"
,
(
"ok: %d, ctx: 0x%p"
,
ok
,
ctx
));
DBUG_PRINT
(
"enter"
,
(
"ok: %d, ctx: %p"
,
ok
,
ctx
));
err_cert
=
X509_STORE_CTX_get_current_cert
(
ctx
);
err
=
X509_STORE_CTX_get_error
(
ctx
);
depth
=
X509_STORE_CTX_get_error_depth
(
ctx
);
X509_NAME_oneline
(
X509_get_subject_name
(
err_cert
),
buf
,
sizeof
(
buf
));
err_cert
=
X509_STORE_CTX_get_current_cert
(
ctx
);
X509_NAME_oneline
(
X509_get_subject_name
(
err_cert
),
buf
,
sizeof
(
buf
));
DBUG_PRINT
(
"info"
,
(
"cert: %s"
,
buf
));
if
(
!
ok
)
if
(
!
ok
)
{
{
DBUG_PRINT
(
"error"
,(
"verify error: num: %d : '%s'
\n
"
,
err
,
int
err
,
depth
;
err
=
X509_STORE_CTX_get_error
(
ctx
);
depth
=
X509_STORE_CTX_get_error_depth
(
ctx
);
DBUG_PRINT
(
"error"
,(
"verify error: %d, '%s'"
,
err
,
X509_verify_cert_error_string
(
err
)));
X509_verify_cert_error_string
(
err
)));
/*
Approve cert if depth is greater then "verify_depth", currently
verify_depth is always 0 and there is no way to increase it.
*/
if
(
verify_depth
>=
depth
)
if
(
verify_depth
>=
depth
)
{
ok
=
1
;
ok
=
1
;
verify_error
=
X509_V_OK
;
}
else
{
verify_error
=
X509_V_ERR_CERT_CHAIN_TOO_LONG
;
}
}
}
switch
(
ctx
->
error
)
{
switch
(
ctx
->
error
)
{
case
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
:
case
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
:
X509_NAME_oneline
(
X509_get_issuer_name
(
ctx
->
current_cert
),
buf
,
256
);
X509_NAME_oneline
(
X509_get_issuer_name
(
ctx
->
current_cert
),
buf
,
256
);
DBUG_PRINT
(
"info"
,(
"issuer= %s
\n
"
,
buf
));
DBUG_PRINT
(
"info"
,(
"issuer= %s
\n
"
,
buf
));
break
;
break
;
case
X509_V_ERR_CERT_NOT_YET_VALID
:
case
X509_V_ERR_CERT_NOT_YET_VALID
:
case
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
:
case
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
:
...
@@ -198,193 +198,149 @@ static void netware_ssl_init()
...
@@ -198,193 +198,149 @@ static void netware_ssl_init()
#endif
/* __NETWARE__ */
#endif
/* __NETWARE__ */
/************************ VioSSLConnectorFd **********************************/
static
void
check_ssl_init
()
/*
TODO:
Add option --verify to mysql to be able to change verification mode
*/
struct
st_VioSSLConnectorFd
*
new_VioSSLConnectorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
)
{
{
int
verify
=
SSL_VERIFY_NONE
;
struct
st_VioSSLConnectorFd
*
ptr
;
int
result
;
DH
*
dh
;
DBUG_ENTER
(
"new_VioSSLConnectorFd"
);
if
(
!
(
ptr
=
((
struct
st_VioSSLConnectorFd
*
)
my_malloc
(
sizeof
(
struct
st_VioSSLConnectorFd
),
MYF
(
0
)))))
DBUG_RETURN
(
0
);
ptr
->
ssl_context
=
0
;
ptr
->
ssl_method
=
0
;
/* FIXME: constants! */
if
(
!
ssl_algorithms_added
)
if
(
!
ssl_algorithms_added
)
{
{
DBUG_PRINT
(
"info"
,
(
"todo: OpenSSL_add_all_algorithms()"
));
ssl_algorithms_added
=
TRUE
;
ssl_algorithms_added
=
TRUE
;
SSL_library_init
();
SSL_library_init
();
OpenSSL_add_all_algorithms
();
OpenSSL_add_all_algorithms
();
}
}
#ifdef __NETWARE__
#ifdef __NETWARE__
netware_ssl_init
();
netware_ssl_init
();
#endif
#endif
if
(
!
ssl_error_strings_loaded
)
if
(
!
ssl_error_strings_loaded
)
{
{
DBUG_PRINT
(
"info"
,
(
"todo:SSL_load_error_strings()"
));
ssl_error_strings_loaded
=
TRUE
;
ssl_error_strings_loaded
=
TRUE
;
SSL_load_error_strings
();
SSL_load_error_strings
();
}
}
ptr
->
ssl_method
=
TLSv1_client_method
();
}
ptr
->
ssl_context
=
SSL_CTX_new
(
ptr
->
ssl_method
);
DBUG_PRINT
(
"info"
,
(
"ssl_context: %p"
,
ptr
->
ssl_context
));
/************************ VioSSLFd **********************************/
if
(
ptr
->
ssl_context
==
0
)
struct
st_VioSSLFd
*
new_VioSSLFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
,
SSL_METHOD
*
method
)
{
DH
*
dh
;
struct
st_VioSSLFd
*
ssl_fd
;
DBUG_ENTER
(
"new_VioSSLFd"
);
check_ssl_init
();
if
(
!
(
ssl_fd
=
((
struct
st_VioSSLFd
*
)
my_malloc
(
sizeof
(
struct
st_VioSSLFd
),
MYF
(
0
)))))
DBUG_RETURN
(
0
);
if
(
!
(
ssl_fd
->
ssl_context
=
SSL_CTX_new
(
method
)))
{
{
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_new failed"
));
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_new failed"
));
report_errors
();
report_errors
();
goto
ctor_failure
;
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
DBUG_RETURN
(
0
);
}
}
/*
SSL_CTX_set_options
/* Set the ciphers that can be used */
SSL_CTX_set_info_callback
if
(
cipher
&&
SSL_CTX_set_cipher_list
(
ssl_fd
->
ssl_context
,
cipher
))
*/
if
(
cipher
)
{
{
result
=
SSL_CTX_set_cipher_list
(
ptr
->
ssl_context
,
cipher
);
DBUG_PRINT
(
"error"
,
(
"failed to set ciphers to use"
));
DBUG_PRINT
(
"info"
,(
"SSL_set_cipher_list() returned %d"
,
result
));
report_errors
();
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
DBUG_RETURN
(
0
);
}
}
SSL_CTX_set_verify
(
ptr
->
ssl_context
,
verify
,
vio_verify_callback
);
if
(
vio_set_cert_stuff
(
ptr
->
ssl_context
,
cert_file
,
key_file
)
==
-
1
)
if
(
vio_set_cert_stuff
(
ssl_fd
->
ssl_context
,
cert_file
,
key_file
)
)
{
{
DBUG_PRINT
(
"error"
,
(
"vio_set_cert_stuff failed"
));
DBUG_PRINT
(
"error"
,
(
"vio_set_cert_stuff failed"
));
report_errors
();
report_errors
();
goto
ctor_failure
;
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
DBUG_RETURN
(
0
);
}
}
if
(
SSL_CTX_load_verify_locations
(
ptr
->
ssl_context
,
ca_file
,
ca_path
)
==
0
)
if
(
SSL_CTX_load_verify_locations
(
ssl_fd
->
ssl_context
,
ca_file
,
ca_path
)
==
0
)
{
{
DBUG_PRINT
(
"warning"
,
(
"SSL_CTX_load_verify_locations failed"
));
DBUG_PRINT
(
"warning"
,
(
"SSL_CTX_load_verify_locations failed"
));
if
(
SSL_CTX_set_default_verify_paths
(
ptr
->
ssl_context
)
==
0
)
if
(
SSL_CTX_set_default_verify_paths
(
ssl_fd
->
ssl_context
)
==
0
)
{
{
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_set_default_verify_paths failed"
));
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_set_default_verify_paths failed"
));
report_errors
();
report_errors
();
goto
ctor_failure
;
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
DBUG_RETURN
(
0
);
}
}
}
}
/* DH stuff */
/* DH stuff */
dh
=
get_dh512
();
dh
=
get_dh512
();
SSL_CTX_set_tmp_dh
(
ptr
->
ssl_context
,
dh
);
SSL_CTX_set_tmp_dh
(
ssl_fd
->
ssl_context
,
dh
);
DH_free
(
dh
);
DH_free
(
dh
);
DBUG_RETURN
(
ptr
);
DBUG_PRINT
(
"exit"
,
(
"OK 1"
));
ctor_failure:
DBUG_PRINT
(
"exit"
,
(
"there was an error"
));
DBUG_RETURN
(
ssl_fd
);
my_free
((
gptr
)
ptr
,
MYF
(
0
));
DBUG_RETURN
(
0
);
}
}
/************************ VioSSLAcceptorFd **********************************/
/************************ VioSSLConnectorFd **********************************/
/*
struct
st_VioSSLFd
*
TODO:
new_VioSSLConnectorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
Add option --verify to mysqld to be able to change verification mode
const
char
*
ca_file
,
const
char
*
ca_path
,
*/
const
char
*
cipher
)
struct
st_VioSSLAcceptorFd
*
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
)
{
{
int
verify
=
(
SSL_VERIFY_PEER
|
struct
st_VioSSLFd
*
ssl_fd
;
SSL_VERIFY_CLIENT_ONCE
);
int
verify
=
SSL_VERIFY_PEER
;
struct
st_VioSSLAcceptorFd
*
ptr
;
if
(
!
(
ssl_fd
=
new_VioSSLFd
(
key_file
,
cert_file
,
ca_file
,
int
result
;
ca_path
,
cipher
,
TLSv1_client_method
())))
DH
*
dh
;
{
DBUG_ENTER
(
"new_VioSSLAcceptorFd"
);
return
0
;
}
ptr
=
((
struct
st_VioSSLAcceptorFd
*
)
/* Init the the VioSSLFd as a "connector" ie. the client side */
my_malloc
(
sizeof
(
struct
st_VioSSLAcceptorFd
),
MYF
(
0
)));
ptr
->
ssl_context
=
0
;
ptr
->
ssl_method
=
0
;
/* FIXME: constants! */
ptr
->
session_id_context
=
ptr
;
if
(
!
ssl_algorithms_added
)
/*
{
The verify_callback function is used to control the behaviour
DBUG_PRINT
(
"info"
,
(
"todo: OpenSSL_add_all_algorithms()"
));
when the SSL_VERIFY_PEER flag is set.
ssl_algorithms_added
=
TRUE
;
*/
SSL_library_init
();
SSL_CTX_set_verify
(
ssl_fd
->
ssl_context
,
verify
,
vio_verify_callback
);
OpenSSL_add_all_algorithms
();
}
return
ssl_fd
;
#ifdef __NETWARE__
}
netware_ssl_init
();
#endif
if
(
!
ssl_error_strings_loaded
)
{
/************************ VioSSLAcceptorFd **********************************/
DBUG_PRINT
(
"info"
,
(
"todo: SSL_load_error_strings()"
));
struct
st_VioSSLFd
*
ssl_error_strings_loaded
=
TRUE
;
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
SSL_load_error_strings
();
const
char
*
ca_file
,
const
char
*
ca_path
,
}
const
char
*
cipher
)
ptr
->
ssl_method
=
TLSv1_server_method
();
{
ptr
->
ssl_context
=
SSL_CTX_new
(
ptr
->
ssl_method
);
struct
st_VioSSLFd
*
ssl_fd
;
if
(
ptr
->
ssl_context
==
0
)
int
verify
=
SSL_VERIFY_PEER
|
SSL_VERIFY_CLIENT_ONCE
;
{
if
(
!
(
ssl_fd
=
new_VioSSLFd
(
key_file
,
cert_file
,
ca_file
,
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_new failed"
));
ca_path
,
cipher
,
TLSv1_server_method
())))
report_errors
();
goto
ctor_failure
;
}
if
(
cipher
)
{
{
result
=
SSL_CTX_set_cipher_list
(
ptr
->
ssl_context
,
cipher
);
return
0
;
DBUG_PRINT
(
"info"
,(
"SSL_set_cipher_list() returned %d"
,
result
));
}
}
/* SSL_CTX_set_quiet_shutdown(ctx,1); */
/* Init the the VioSSLFd as a "acceptor" ie. the server side */
SSL_CTX_sess_set_cache_size
(
ptr
->
ssl_context
,
128
);
/* DH? */
/* Set max number of cached sessions, returns the previous size */
SSL_CTX_set_verify
(
ptr
->
ssl_context
,
verify
,
vio_verify_callback
);
SSL_CTX_sess_set_cache_size
(
ssl_fd
->
ssl_context
,
128
);
SSL_CTX_set_session_id_context
(
ptr
->
ssl_context
,
(
const
uchar
*
)
&
(
ptr
->
session_id_context
),
sizeof
(
ptr
->
session_id_context
));
/*
/*
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
The verify_callback function is used to control the behaviour
when the SSL_VERIFY_PEER flag is set.
*/
*/
if
(
vio_set_cert_stuff
(
ptr
->
ssl_context
,
cert_file
,
key_file
)
==
-
1
)
SSL_CTX_set_verify
(
ssl_fd
->
ssl_context
,
verify
,
vio_verify_callback
);
{
DBUG_PRINT
(
"error"
,
(
"vio_set_cert_stuff failed"
));
report_errors
();
goto
ctor_failure
;
}
if
(
SSL_CTX_load_verify_locations
(
ptr
->
ssl_context
,
ca_file
,
ca_path
)
==
0
)
{
DBUG_PRINT
(
"warning"
,
(
"SSL_CTX_load_verify_locations failed"
));
if
(
SSL_CTX_set_default_verify_paths
(
ptr
->
ssl_context
)
==
0
)
{
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_set_default_verify_paths failed"
));
report_errors
();
goto
ctor_failure
;
}
}
/* DH stuff */
dh
=
get_dh512
();
SSL_CTX_set_tmp_dh
(
ptr
->
ssl_context
,
dh
);
DH_free
(
dh
);
DBUG_RETURN
(
ptr
);
ctor_failure:
/*
DBUG_PRINT
(
"exit"
,
(
"there was an error"
));
Set session_id - an identifier for this server session
my_free
((
gptr
)
ptr
,
MYF
(
0
));
Use the ssl_fd pointer
DBUG_RETURN
(
0
);
*/
SSL_CTX_set_session_id_context
(
ssl_fd
->
ssl_context
,
ssl_fd
,
sizeof
(
ssl_fd
));
return
ssl_fd
;
}
}
#endif
/* HAVE_OPENSSL */
#endif
/* HAVE_OPENSSL */
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment