Commit 7a601d0c authored by unknown's avatar unknown

Merge bk-internal:/home/bk/mysql-5.0-maint

into  neptunus.(none):/home/msvensson/mysql/mysql-5.0-maint


client/mysql.cc:
  Auto merged
extra/yassl/src/template_instnt.cpp:
  Auto merged
extra/yassl/taocrypt/src/template_instnt.cpp:
  Auto merged
parents c357525e 88724885
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 2 (0x2) Serial Number:
e9:07:d1:01:94:ee:66:ca
Signature Algorithm: md5WithRSAEncryption Signature Algorithm: md5WithRSAEncryption
Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com
Validity Validity
Not Before: Sep 12 16:22:06 2003 GMT Not Before: Apr 18 15:35:37 2006 GMT
Not After : Sep 9 16:22:06 2013 GMT Not After : Jan 12 15:35:37 2009 GMT
Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Server/Email=abstract.mysql.developer@mysql.com Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com
Subject Public Key Info: Subject Public Key Info:
Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit) RSA Public Key: (1024 bit)
...@@ -23,45 +24,42 @@ Certificate: ...@@ -23,45 +24,42 @@ Certificate:
3d:0e:4d:2a:a8:b8:ca:99:8d 3d:0e:4d:2a:a8:b8:ca:99:8d
Exponent: 65537 (0x10001) Exponent: 65537 (0x10001)
X509v3 extensions: X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: X509v3 Subject Key Identifier:
6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4 6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
X509v3 Authority Key Identifier: X509v3 Authority Key Identifier:
keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92 keyid:6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com DirName:/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/CN=localhost/emailAddress=abstract.mysql.developer@mysql.com
serial:00 serial:E9:07:D1:01:94:EE:66:CA
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption Signature Algorithm: md5WithRSAEncryption
31:77:69:b9:bd:ab:29:f3:fc:5a:09:16:6f:5d:42:ea:ba:01: 1f:03:59:6e:ff:1f:9d:c7:19:9e:8e:b2:1a:c0:0b:9e:ee:94:
55:69:e3:75:cf:b8:d1:b7:b9:bf:da:63:85:8c:48:92:06:60: 35:77:2a:93:04:ea:d5:a8:fc:36:5a:5b:e3:1c:02:b8:cf:04:
76:97:e0:00:78:4b:ad:da:ab:6a:90:6d:8b:03:a8:b1:e9:09: 6e:21:b0:27:f6:96:6e:d6:8f:cd:02:cf:23:f3:e7:ff:6a:ee:
78:e1:29:98:56:12:60:6b:42:fe:e8:a7:c4:f8:d6:15:07:e8: a9:09:c5:c9:07:81:b6:d2:bc:bd:13:47:0d:7b:76:f6:8a:c4:
2b:c2:d8:8a:e5:1b:2e:51:08:9b:56:e3:b3:7a:4c:3e:e5:be: 76:24:f8:4c:4e:26:fc:d8:c0:1f:3d:40:19:43:8e:41:ab:99:
4a:4d:f8:65:7b:a8:21:e0:ca:fe:8b:ab:d7:ec:f2:2d:f7:d0: 3a:99:9b:24:7c:ae:78:f3:df:2f:a2:ed:8f:27:0a:0a:0b:04:
bf:d7:c5:23:1c:08:d8:aa:57:c7:f3:5f:ba:33:3f:78:d1:f4: bf:25:74:88:87:96:c8:68:d5:bc:5b:a0:ef:14:aa:53:6e:c4:
8e:5e a3:e3
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDkTCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux MIIDijCCAvOgAwIBAgIJAOkH0QGU7mbKMA0GCSqGSIb3DQEBBAUAMIGLMQswCQYD
EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB VQQGEwJTRTEQMA4GA1UECBMHVXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G
YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 A1UEChMITXlTUUwgQUIxEjAQBgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJ
Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMjA2WhcNMTMw ARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTAeFw0wNjA0MTgx
OTA5MTYyMjA2WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G NTM1MzdaFw0wOTAxMTIxNTM1MzdaMIGLMQswCQYDVQQGEwJTRTEQMA4GA1UECBMH
A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIFNlcnZlcjExMC8GCSqGSIb3 VXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8GA1UEChMITXlTUUwgQUIxEjAQ
DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq BgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJARYiYWJzdHJhY3QubXlzcWwu
hkiG9w0BAQEFAAOBjQAwgYkCgYEA6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40Y ZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
wheVE1LSP1UQV8g/WvWy+ovQZ0nMqoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFg 6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40YwheVE1LSP1UQV8g/WvWy+ovQZ0nM
h5hzXBDBsRpN8fOwmD/w15ebK/3VIXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0q qoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFgh5hzXBDBsRpN8fOwmD/w15ebK/3V
qLjKmY0CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w IXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0qqLjKmY0CAwEAAaOB8zCB8DAdBgNV
ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRu5Jtqxerk5sfv HQ4EFgQUbuSbasXq5ObH79ceyGNFYCsb1NQwgcAGA1UdIwSBuDCBtYAUbuSbasXq
1x7IY0VgKxvU1DCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB 5ObH79ceyGNFYCsb1NShgZGkgY4wgYsxCzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdV
jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT cHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhNeVNRTCBBQjESMBAG
CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv A1UEAxMJbG9jYWxob3N0MTEwLwYJKoZIhvcNAQkBFiJhYnN0cmFjdC5teXNxbC5k
BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C ZXZlbG9wZXJAbXlzcWwuY29tggkA6QfRAZTuZsowDAYDVR0TBAUwAwEB/zANBgkq
AQAwDQYJKoZIhvcNAQEEBQADgYEAMXdpub2rKfP8WgkWb11C6roBVWnjdc+40be5 hkiG9w0BAQQFAAOBgQAfA1lu/x+dxxmejrIawAue7pQ1dyqTBOrVqPw2WlvjHAK4
v9pjhYxIkgZgdpfgAHhLrdqrapBtiwOosekJeOEpmFYSYGtC/uinxPjWFQfoK8LY zwRuIbAn9pZu1o/NAs8j8+f/au6pCcXJB4G20ry9E0cNe3b2isR2JPhMTib82MAf
iuUbLlEIm1bjs3pMPuW+Sk34ZXuoIeDK/our1+zyLffQv9fFIxwI2KpXx/NfujM/ PUAZQ45Bq5k6mZskfK54898vou2PJwoKCwS/JXSIh5bIaNW8W6DvFKpTbsSj4w==
eNH0jl4=
-----END CERTIFICATE----- -----END CERTIFICATE-----
...@@ -51,5 +51,5 @@ enum options_client ...@@ -51,5 +51,5 @@ enum options_client
#endif #endif
OPT_TRIGGERS, OPT_TRIGGERS,
OPT_IGNORE_TABLE,OPT_INSERT_IGNORE,OPT_SHOW_WARNINGS,OPT_DROP_DATABASE, OPT_IGNORE_TABLE,OPT_INSERT_IGNORE,OPT_SHOW_WARNINGS,OPT_DROP_DATABASE,
OPT_TZ_UTC, OPT_AUTO_CLOSE OPT_TZ_UTC, OPT_AUTO_CLOSE, OPT_SSL_VERIFY_SERVER_CERT
}; };
...@@ -3118,6 +3118,8 @@ sql_real_connect(char *host,char *database,char *user,char *password, ...@@ -3118,6 +3118,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
if (opt_use_ssl) if (opt_use_ssl)
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif #endif
if (opt_protocol) if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
......
...@@ -340,6 +340,8 @@ int main(int argc,char *argv[]) ...@@ -340,6 +340,8 @@ int main(int argc,char *argv[])
if (opt_use_ssl) if (opt_use_ssl)
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif #endif
if (opt_protocol) if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
......
...@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd) ...@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd)
if (opt_use_ssl) if (opt_use_ssl)
mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif #endif
if (opt_protocol) if (opt_protocol)
mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
......
...@@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd) ...@@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd)
if (opt_use_ssl) if (opt_use_ssl)
mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif #endif
if (opt_protocol) if (opt_protocol)
mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
......
...@@ -109,6 +109,8 @@ int main(int argc, char **argv) ...@@ -109,6 +109,8 @@ int main(int argc, char **argv)
if (opt_use_ssl) if (opt_use_ssl)
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif #endif
if (opt_protocol) if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
......
...@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD, ...@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD,
OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC, OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC,
OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH,
OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL, OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL,
OPT_VIEW_PROTOCOL}; OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT};
/* ************************************************************************ */ /* ************************************************************************ */
/* /*
...@@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q) ...@@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q)
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
if (opt_use_ssl || con_ssl) if (opt_use_ssl || con_ssl)
{
mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&next_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
&opt_ssl_verify_server_cert);
}
#endif #endif
if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR) if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR)
con_sock=fn_format(buff, con_sock, TMPDIR, "",0); con_sock=fn_format(buff, con_sock, TMPDIR, "",0);
...@@ -4604,9 +4608,14 @@ int main(int argc, char **argv) ...@@ -4604,9 +4608,14 @@ int main(int argc, char **argv)
mysql_options(&cur_con->mysql, MYSQL_SET_CHARSET_NAME, charset_name); mysql_options(&cur_con->mysql, MYSQL_SET_CHARSET_NAME, charset_name);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */
if (opt_use_ssl) if (opt_use_ssl)
{
mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher); opt_ssl_capath, opt_ssl_cipher);
mysql_options(&cur_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
&opt_ssl_verify_server_cert);
}
#endif #endif
if (!(cur_con->name = my_strdup("default", MYF(MY_WME)))) if (!(cur_con->name = my_strdup("default", MYF(MY_WME))))
......
...@@ -44,6 +44,11 @@ ...@@ -44,6 +44,11 @@
return static_cast<void*>(d); return static_cast<void*>(d);
} }
// for compilers that want matching delete
inline void operator delete(void* ptr, Dummy* d)
{
}
typedef Dummy* yassl_pointer; typedef Dummy* yassl_pointer;
namespace mySTL { namespace mySTL {
......
...@@ -31,7 +31,6 @@ ...@@ -31,7 +31,6 @@
#include "hmac.hpp" #include "hmac.hpp"
#include "md5.hpp" #include "md5.hpp"
#include "sha.hpp" #include "sha.hpp"
#include "ripemd.hpp"
#include "openssl/ssl.h" #include "openssl/ssl.h"
#ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
......
...@@ -79,7 +79,13 @@ enum ASNIdFlag ...@@ -79,7 +79,13 @@ enum ASNIdFlag
enum DNTags enum DNTags
{ {
COMMON_NAME = 0x03 COMMON_NAME = 0x03, // CN
SUR_NAME = 0x04, // SN
COUNTRY_NAME = 0x06, // C
LOCALITY_NAME = 0x07, // L
STATE_NAME = 0x08, // ST
ORG_NAME = 0x0a, // O
ORGUNIT_NAME = 0x0b // OU
}; };
...@@ -92,7 +98,8 @@ enum Constants ...@@ -92,7 +98,8 @@ enum Constants
MAX_SEQ_SZ = 5, // enum(seq|con) + length(4) MAX_SEQ_SZ = 5, // enum(seq|con) + length(4)
MAX_ALGO_SIZE = 9, MAX_ALGO_SIZE = 9,
MAX_DIGEST_SZ = 25, // SHA + enum(Bit or Octet) + length(4) MAX_DIGEST_SZ = 25, // SHA + enum(Bit or Octet) + length(4)
DSA_SIG_SZ = 40 DSA_SIG_SZ = 40,
NAME_MAX = 512 // max total of all included names
}; };
...@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 }; ...@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 };
// A Signing Authority // A Signing Authority
class Signer { class Signer {
PublicKey key_; PublicKey key_;
char* name_; char name_[NAME_MAX];
byte hash_[SHA_SIZE]; byte hash_[SHA_SIZE];
public: public:
Signer(const byte* k, word32 kSz, const char* n, const byte* h); Signer(const byte* k, word32 kSz, const char* n, const byte* h);
~Signer(); ~Signer();
const PublicKey& GetPublicKey() const { return key_; } const PublicKey& GetPublicKey() const { return key_; }
const char* GetCommonName() const { return name_; } const char* GetName() const { return name_; }
const byte* GetHash() const { return hash_; } const byte* GetHash() const { return hash_; }
private: private:
...@@ -257,8 +264,8 @@ private: ...@@ -257,8 +264,8 @@ private:
byte subjectHash_[SHA_SIZE]; // hash of all Names byte subjectHash_[SHA_SIZE]; // hash of all Names
byte issuerHash_[SHA_SIZE]; // hash of all Names byte issuerHash_[SHA_SIZE]; // hash of all Names
byte* signature_; byte* signature_;
char* issuer_; // CommonName char issuer_[NAME_MAX]; // Names
char* subject_; // CommonName char subject_[NAME_MAX]; // Names
bool verify_; // Default to yes, but could be off bool verify_; // Default to yes, but could be off
void ReadHeader(); void ReadHeader();
......
...@@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len) ...@@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len)
Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h) Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h)
: key_(k, kSz), name_(0) : key_(k, kSz)
{ {
if (n) {
int sz = strlen(n); int sz = strlen(n);
name_ = NEW_TC char[sz + 1];
memcpy(name_, n, sz); memcpy(name_, n, sz);
name_[sz] = 0; name_[sz] = 0;
}
memcpy(hash_, h, SHA::DIGEST_SIZE); memcpy(hash_, h, SHA::DIGEST_SIZE);
} }
Signer::~Signer() Signer::~Signer()
{ {
tcArrayDelete(name_);
} }
...@@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key) ...@@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key)
CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers, CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers,
bool noVerify, CertType ct) bool noVerify, CertType ct)
: BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0), : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0),
signature_(0), issuer_(0), subject_(0), verify_(!noVerify) signature_(0), verify_(!noVerify)
{ {
issuer_[0] = 0;
subject_[0] = 0;
if (decode) if (decode)
Decode(signers, ct); Decode(signers, ct);
} }
CertDecoder::~CertDecoder() CertDecoder::~CertDecoder()
{ {
tcArrayDelete(subject_);
tcArrayDelete(issuer_);
tcArrayDelete(signature_); tcArrayDelete(signature_);
} }
...@@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt) ...@@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt)
SHA sha; SHA sha;
word32 length = GetSequence(); // length of all distinguished names word32 length = GetSequence(); // length of all distinguished names
assert (length < NAME_MAX);
length += source_.get_index(); length += source_.get_index();
char* ptr = (nt == ISSUER) ? issuer_ : subject_;
word32 idx = 0;
while (source_.get_index() < length) { while (source_.get_index() < length) {
GetSet(); GetSet();
GetSequence(); GetSequence();
...@@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt) ...@@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt)
byte id = source_.next(); byte id = source_.next();
b = source_.next(); // strType b = source_.next(); // strType
word32 strLen = GetLength(source_); word32 strLen = GetLength(source_);
bool copy = false;
if (id == COMMON_NAME) { if (id == COMMON_NAME) {
char*& ptr = (nt == ISSUER) ? issuer_ : subject_; memcpy(&ptr[idx], "/CN=", 4);
ptr = NEW_TC char[strLen + 1]; idx += 4;
memcpy(ptr, source_.get_current(), strLen); copy = true;
ptr[strLen] = 0; }
else if (id == SUR_NAME) {
memcpy(&ptr[idx], "/SN=", 4);
idx += 4;
copy = true;
}
else if (id == COUNTRY_NAME) {
memcpy(&ptr[idx], "/C=", 3);
idx += 3;
copy = true;
}
else if (id == LOCALITY_NAME) {
memcpy(&ptr[idx], "/L=", 3);
idx += 3;
copy = true;
} }
else if (id == STATE_NAME) {
memcpy(&ptr[idx], "/ST=", 4);
idx += 4;
copy = true;
}
else if (id == ORG_NAME) {
memcpy(&ptr[idx], "/O=", 3);
idx += 3;
copy = true;
}
else if (id == ORGUNIT_NAME) {
memcpy(&ptr[idx], "/OU=", 4);
idx += 4;
copy = true;
}
if (copy) {
memcpy(&ptr[idx], source_.get_current(), strLen);
idx += strLen;
}
sha.Update(source_.get_current(), strLen); sha.Update(source_.get_current(), strLen);
source_.advance(strLen); source_.advance(strLen);
} }
...@@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt) ...@@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt)
source_.advance(length); source_.advance(length);
} }
} }
ptr[idx++] = 0;
if (nt == ISSUER) if (nt == ISSUER)
sha.Final(issuerHash_); sha.Final(issuerHash_);
else else
......
# quick and dirty build file for testing different MSDEVs REM quick and dirty build file for testing different MSDEVs
setlocal setlocal
set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2
......
...@@ -30,11 +30,11 @@ ...@@ -30,11 +30,11 @@
#include "sha.hpp" #include "sha.hpp"
#include "md5.hpp" #include "md5.hpp"
#include "hmac.hpp" #include "hmac.hpp"
#include "ripemd.hpp"
#include "pwdbased.hpp" #include "pwdbased.hpp"
#include "algebra.hpp" #include "algebra.hpp"
#include "vector.hpp" #include "vector.hpp"
#include "hash.hpp" #include "hash.hpp"
#include "ripemd.hpp"
#ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
namespace TaoCrypt { namespace TaoCrypt {
......
...@@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl) ...@@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl)
char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0); char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0);
printf("peer's cert info:\n"); printf("peer's cert info:\n");
printf("issuer is: %s\n", issuer); printf("issuer : %s\n", issuer);
printf("subject is: %s\n", subject); printf("subject: %s\n", subject);
free(subject); free(subject);
free(issuer); free(issuer);
......
...@@ -149,7 +149,8 @@ enum mysql_option ...@@ -149,7 +149,8 @@ enum mysql_option
MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT, MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT,
MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION, MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION,
MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH, MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
}; };
struct st_mysql_options { struct st_mysql_options {
...@@ -164,6 +165,7 @@ struct st_mysql_options { ...@@ -164,6 +165,7 @@ struct st_mysql_options {
char *ssl_ca; /* PEM CA file */ char *ssl_ca; /* PEM CA file */
char *ssl_capath; /* PEM directory of CA-s? */ char *ssl_capath; /* PEM directory of CA-s? */
char *ssl_cipher; /* cipher to use */ char *ssl_cipher; /* cipher to use */
my_bool ssl_verify_server_cert; /* if to verify server cert */
char *shared_memory_base_name; char *shared_memory_base_name;
unsigned long max_allowed_packet; unsigned long max_allowed_packet;
my_bool use_ssl; /* if to use SSL or not */ my_bool use_ssl; /* if to use SSL or not */
......
...@@ -37,5 +37,10 @@ ...@@ -37,5 +37,10 @@
{"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).", {"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).",
(gptr*) &opt_ssl_cipher, (gptr*) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG, (gptr*) &opt_ssl_cipher, (gptr*) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0}, 0, 0, 0, 0, 0, 0},
#ifdef MYSQL_CLIENT
{"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
"Verify servers \"Common Name\" in it's cert against hostname used when connecting. This option is disabled by default.",
(gptr*) &opt_ssl_verify_server_cert, (gptr*) &opt_ssl_verify_server_cert,
0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
#endif
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
...@@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0; ...@@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0;
static char *opt_ssl_ca = 0; static char *opt_ssl_ca = 0;
static char *opt_ssl_capath = 0; static char *opt_ssl_capath = 0;
static char *opt_ssl_cipher = 0; static char *opt_ssl_cipher = 0;
#ifdef MYSQL_CLIENT
static my_bool opt_ssl_verify_server_cert= 0;
#endif
#endif #endif
...@@ -105,33 +105,22 @@ void vio_timeout(Vio *vio,uint which, uint timeout); ...@@ -105,33 +105,22 @@ void vio_timeout(Vio *vio,uint which, uint timeout);
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/err.h> #include <openssl/err.h>
struct st_VioSSLAcceptorFd struct st_VioSSLFd
{ {
SSL_CTX *ssl_context; SSL_CTX *ssl_context;
SSL_METHOD *ssl_method;
struct st_VioSSLAcceptorFd *session_id_context;
}; };
/* One copy for client */ int sslaccept(struct st_VioSSLFd*, Vio *, long timeout);
struct st_VioSSLConnectorFd int sslconnect(struct st_VioSSLFd*, Vio *, long timeout);
{
SSL_CTX *ssl_context;
/* function pointers which are only once for SSL client */
SSL_METHOD *ssl_method;
};
int sslaccept(struct st_VioSSLAcceptorFd*, Vio *, long timeout);
int sslconnect(struct st_VioSSLConnectorFd*, Vio *, long timeout);
struct st_VioSSLConnectorFd struct st_VioSSLFd
*new_VioSSLConnectorFd(const char *key_file, const char *cert_file, *new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path, const char *ca_file, const char *ca_path,
const char *cipher); const char *cipher);
struct st_VioSSLAcceptorFd struct st_VioSSLFd
*new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
const char *ca_file,const char *ca_path, const char *ca_file,const char *ca_path,
const char *cipher); const char *cipher);
Vio *new_VioSSL(struct st_VioSSLAcceptorFd *fd, Vio *sd, int state);
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
#ifdef HAVE_SMEM #ifdef HAVE_SMEM
......
...@@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , ...@@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
mysql->options.ssl_ca= strdup_if_not_null(ca); mysql->options.ssl_ca= strdup_if_not_null(ca);
mysql->options.ssl_capath= strdup_if_not_null(capath); mysql->options.ssl_capath= strdup_if_not_null(capath);
mysql->options.ssl_cipher= strdup_if_not_null(cipher); mysql->options.ssl_cipher= strdup_if_not_null(cipher);
mysql->options.ssl_verify_server_cert= FALSE; /* Off by default */
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
DBUG_RETURN(0); DBUG_RETURN(0);
} }
...@@ -1514,17 +1515,16 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , ...@@ -1514,17 +1515,16 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
static void static void
mysql_ssl_free(MYSQL *mysql __attribute__((unused))) mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
{ {
struct st_VioSSLConnectorFd *st= struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd;
(struct st_VioSSLConnectorFd*) mysql->connector_fd;
DBUG_ENTER("mysql_ssl_free"); DBUG_ENTER("mysql_ssl_free");
my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR));
my_free(mysql->options.ssl_cert, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_cert, MYF(MY_ALLOW_ZERO_PTR));
my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR));
my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR));
my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR));
if (st) if (ssl_fd)
SSL_CTX_free(st->ssl_context); SSL_CTX_free(ssl_fd->ssl_context);
my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR));
mysql->options.ssl_key = 0; mysql->options.ssl_key = 0;
mysql->options.ssl_cert = 0; mysql->options.ssl_cert = 0;
...@@ -1556,6 +1556,77 @@ mysql_get_ssl_cipher(MYSQL *mysql) ...@@ -1556,6 +1556,77 @@ mysql_get_ssl_cipher(MYSQL *mysql)
DBUG_RETURN(NULL); DBUG_RETURN(NULL);
} }
/*
Check the server's (subject) Common Name against the
hostname we connected to
SYNOPSIS
ssl_verify_server_cert()
vio pointer to a SSL connected vio
server_hostname name of the server that we connected to
RETURN VALUES
0 Success
1 Failed to validate server
*/
static int ssl_verify_server_cert(Vio *vio, const char* server_hostname)
{
SSL *ssl;
X509 *server_cert;
char *cp1, *cp2;
char buf[256];
DBUG_ENTER("ssl_verify_server_cert");
DBUG_PRINT("enter", ("server_hostname: %s", server_hostname));
if (!(ssl= (SSL*)vio->ssl_arg))
{
DBUG_PRINT("error", ("No SSL pointer found"));
DBUG_RETURN(1);
}
if (!server_hostname)
{
DBUG_PRINT("error", ("No server hostname supplied"));
DBUG_RETURN(1);
}
if (!(server_cert= SSL_get_peer_certificate(ssl)))
{
DBUG_PRINT("error", ("Could not get server certificate"));
DBUG_RETURN(1);
}
/*
We already know that the certificate exchanged was valid; the SSL library
handled that. Now we need to verify that the contents of the certificate
are what we expect.
*/
X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
X509_free (server_cert);
DBUG_PRINT("info", ("hostname in cert: %s", buf));
cp1 = strstr(buf, "/CN=");
if (cp1)
{
cp1 += 4; // Skip the "/CN=" that we found
// Search for next / which might be the delimiter for email
cp2 = strchr(cp1, '/');
if (cp2)
*cp2 = '\0';
DBUG_PRINT("info", ("Server hostname in cert: %s", cp1));
if (!strcmp(cp1, server_hostname))
{
/* Success */
DBUG_RETURN(0);
}
}
DBUG_PRINT("error", ("SSL certificate validation failure"));
DBUG_RETURN(1);
}
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
...@@ -1589,7 +1660,6 @@ static MYSQL_METHODS client_methods= ...@@ -1589,7 +1660,6 @@ static MYSQL_METHODS client_methods=
#endif #endif
}; };
MYSQL * MYSQL *
CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
const char *passwd, const char *db, const char *passwd, const char *db,
...@@ -2034,37 +2104,52 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, ...@@ -2034,37 +2104,52 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
mysql->client_flag=client_flag; mysql->client_flag=client_flag;
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
/*
Oops.. are we careful enough to not send ANY information without
encryption?
*/
if (client_flag & CLIENT_SSL) if (client_flag & CLIENT_SSL)
{ {
/* Do the SSL layering. */
struct st_mysql_options *options= &mysql->options; struct st_mysql_options *options= &mysql->options;
struct st_VioSSLFd *ssl_fd;
/*
Send client_flag, max_packet_size - unencrypted otherwise
the server does not know we want to do SSL
*/
if (my_net_write(net,buff,(uint) (end-buff)) || net_flush(net)) if (my_net_write(net,buff,(uint) (end-buff)) || net_flush(net))
{ {
set_mysql_error(mysql, CR_SERVER_LOST, unknown_sqlstate); set_mysql_error(mysql, CR_SERVER_LOST, unknown_sqlstate);
goto error; goto error;
} }
/* Do the SSL layering. */
if (!(mysql->connector_fd= /* Create the VioSSLConnectorFd - init SSL and load certs */
(gptr) new_VioSSLConnectorFd(options->ssl_key, if (!(ssl_fd= new_VioSSLConnectorFd(options->ssl_key,
options->ssl_cert, options->ssl_cert,
options->ssl_ca, options->ssl_ca,
options->ssl_capath, options->ssl_capath,
options->ssl_cipher))) options->ssl_cipher)))
{ {
set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
goto error; goto error;
} }
mysql->connector_fd= (void*)ssl_fd;
/* Connect to the server */
DBUG_PRINT("info", ("IO layer change in progress...")); DBUG_PRINT("info", ("IO layer change in progress..."));
if (sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd), if (sslconnect(ssl_fd, mysql->net.vio,
mysql->net.vio, (long) (mysql->options.connect_timeout))) (long) (mysql->options.connect_timeout)))
{ {
set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
goto error; goto error;
} }
DBUG_PRINT("info", ("IO layer change done!")); DBUG_PRINT("info", ("IO layer change done!"));
/* Verify server cert */
if (mysql->options.ssl_verify_server_cert &&
ssl_verify_server_cert(mysql->net.vio, mysql->host))
{
set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
goto error;
}
} }
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
...@@ -2804,6 +2889,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg) ...@@ -2804,6 +2889,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg)
case MYSQL_OPT_RECONNECT: case MYSQL_OPT_RECONNECT:
mysql->reconnect= *(my_bool *) arg; mysql->reconnect= *(my_bool *) arg;
break; break;
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
mysql->options.ssl_verify_server_cert= *(my_bool *) arg;
break;
default: default:
DBUG_RETURN(1); DBUG_RETURN(1);
} }
......
...@@ -1310,7 +1310,7 @@ extern pthread_t signal_thread; ...@@ -1310,7 +1310,7 @@ extern pthread_t signal_thread;
#endif #endif
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
extern struct st_VioSSLAcceptorFd * ssl_acceptor_fd; extern struct st_VioSSLFd * ssl_acceptor_fd;
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
MYSQL_LOCK *mysql_lock_tables(THD *thd, TABLE **table, uint count, MYSQL_LOCK *mysql_lock_tables(THD *thd, TABLE **table, uint count,
......
...@@ -620,7 +620,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int); ...@@ -620,7 +620,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int);
static unsigned long openssl_id_function(); static unsigned long openssl_id_function();
#endif #endif
char *des_key_file; char *des_key_file;
struct st_VioSSLAcceptorFd *ssl_acceptor_fd; struct st_VioSSLFd *ssl_acceptor_fd;
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
...@@ -1131,7 +1131,10 @@ void clean_up(bool print_message) ...@@ -1131,7 +1131,10 @@ void clean_up(bool print_message)
#endif #endif
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
if (ssl_acceptor_fd) if (ssl_acceptor_fd)
my_free((gptr) ssl_acceptor_fd, MYF(MY_ALLOW_ZERO_PTR)); {
SSL_CTX_free(ssl_acceptor_fd->ssl_context);
my_free((gptr) ssl_acceptor_fd, MYF(0));
}
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
#ifdef USE_REGEX #ifdef USE_REGEX
my_regex_end(); my_regex_end();
......
...@@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh, ...@@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
if (acl_user->x509_issuer) if (acl_user->x509_issuer)
{ {
DBUG_PRINT("info",("checkpoint 3")); DBUG_PRINT("info",("checkpoint 3"));
char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
acl_user->x509_issuer, ptr)); acl_user->x509_issuer, ptr));
if (strcmp(acl_user->x509_issuer, ptr)) if (strcmp(acl_user->x509_issuer, ptr))
{ {
......
...@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type, ...@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type,
if (type == VIO_TYPE_SSL) if (type == VIO_TYPE_SSL)
{ {
vio->viodelete =vio_delete; vio->viodelete =vio_delete;
vio->vioerrno =vio_ssl_errno; vio->vioerrno =vio_errno;
vio->read =vio_ssl_read; vio->read =vio_ssl_read;
vio->write =vio_ssl_write; vio->write =vio_ssl_write;
vio->fastsend =vio_ssl_fastsend; vio->fastsend =vio_fastsend;
vio->viokeepalive =vio_ssl_keepalive; vio->viokeepalive =vio_keepalive;
vio->should_retry =vio_ssl_should_retry; vio->should_retry =vio_should_retry;
vio->was_interrupted=vio_ssl_was_interrupted; vio->was_interrupted=vio_was_interrupted;
vio->vioclose =vio_ssl_close; vio->vioclose =vio_ssl_close;
vio->peer_addr =vio_ssl_peer_addr; vio->peer_addr =vio_peer_addr;
vio->in_addr =vio_ssl_in_addr; vio->in_addr =vio_in_addr;
vio->vioblocking =vio_ssl_blocking; vio->vioblocking =vio_ssl_blocking;
vio->is_blocking =vio_is_blocking; vio->is_blocking =vio_is_blocking;
vio->timeout =vio_ssl_timeout; vio->timeout =vio_timeout;
} }
else /* default is VIO_TYPE_TCPIP */ else /* default is VIO_TYPE_TCPIP */
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
......
...@@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout); ...@@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout);
int vio_ssl_read(Vio *vio,gptr buf, int size); int vio_ssl_read(Vio *vio,gptr buf, int size);
int vio_ssl_write(Vio *vio,const gptr buf,int size); int vio_ssl_write(Vio *vio,const gptr buf,int size);
void vio_ssl_timeout(Vio *vio, uint which, uint timeout);
/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */
int vio_ssl_fastsend(Vio *vio);
/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */
int vio_ssl_keepalive(Vio *vio, my_bool onoff);
/* Whenever we should retry the last read/write operation. */
my_bool vio_ssl_should_retry(Vio *vio);
/* Check that operation was timed out */
my_bool vio_ssl_was_interrupted(Vio *vio);
/* When the workday is over... */ /* When the workday is over... */
int vio_ssl_close(Vio *vio); int vio_ssl_close(Vio *vio);
/* Return last error number */
int vio_ssl_errno(Vio *vio);
my_bool vio_ssl_peer_addr(Vio *vio, char *buf, uint16 *port);
void vio_ssl_in_addr(Vio *vio, struct in_addr *in);
int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode); int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode);
/* Single copy for server */
enum vio_ssl_acceptorfd_state
{
state_connect = 1,
state_accept = 2
};
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
...@@ -54,12 +54,12 @@ static void ...@@ -54,12 +54,12 @@ static void
report_errors() report_errors()
{ {
unsigned long l; unsigned long l;
const char* file; const char *file;
const char* data; const char *data;
int line,flags; int line,flags;
DBUG_ENTER("report_errors"); DBUG_ENTER("report_errors");
while ((l=ERR_get_error_line_data(&file,&line,&data,&flags))) while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
{ {
char buf[512]; char buf[512];
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
...@@ -70,13 +70,7 @@ report_errors() ...@@ -70,13 +70,7 @@ report_errors()
} }
int vio_ssl_errno(Vio *vio __attribute__((unused))) int vio_ssl_read(Vio *vio, gptr buf, int size)
{
return socket_errno; /* On Win32 this mapped to WSAGetLastError() */
}
int vio_ssl_read(Vio * vio, gptr buf, int size)
{ {
int r; int r;
DBUG_ENTER("vio_ssl_read"); DBUG_ENTER("vio_ssl_read");
...@@ -94,7 +88,7 @@ int vio_ssl_read(Vio * vio, gptr buf, int size) ...@@ -94,7 +88,7 @@ int vio_ssl_read(Vio * vio, gptr buf, int size)
} }
int vio_ssl_write(Vio * vio, const gptr buf, int size) int vio_ssl_write(Vio *vio, const gptr buf, int size)
{ {
int r; int r;
DBUG_ENTER("vio_ssl_write"); DBUG_ENTER("vio_ssl_write");
...@@ -107,183 +101,51 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size) ...@@ -107,183 +101,51 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size)
} }
int vio_ssl_fastsend(Vio * vio __attribute__((unused))) int vio_ssl_close(Vio *vio)
{
int r=0;
DBUG_ENTER("vio_ssl_fastsend");
#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__)
{
int tos= IPTOS_THROUGHPUT;
r= setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos));
}
#endif /* IPTOS_THROUGHPUT && !__EMX__ */
if (!r)
{
#ifdef __WIN__
BOOL nodelay= 1;
r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (const char*) &nodelay,
sizeof(nodelay));
#else
int nodelay= 1;
r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void*) &nodelay,
sizeof(nodelay));
#endif /* __WIN__ */
}
if (r)
{
DBUG_PRINT("warning", ("Couldn't set socket option for fast send"));
r= -1;
}
DBUG_PRINT("exit", ("%d", r));
DBUG_RETURN(r);
}
int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive)
{
int r=0;
DBUG_ENTER("vio_ssl_keepalive");
DBUG_PRINT("enter", ("sd: %d, set_keep_alive: %d", vio->sd, (int)
set_keep_alive));
if (vio->type != VIO_TYPE_NAMEDPIPE)
{
uint opt = (set_keep_alive) ? 1 : 0;
r= setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt,
sizeof(opt));
}
DBUG_RETURN(r);
}
my_bool
vio_ssl_should_retry(Vio * vio __attribute__((unused)))
{ {
int en = socket_errno; int r= 0;
return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || SSL *ssl= (SSL*)vio->ssl_arg;
en == SOCKET_EWOULDBLOCK);
}
my_bool
vio_ssl_was_interrupted(Vio *vio __attribute__((unused)))
{
int en= socket_errno;
return (en == SOCKET_EAGAIN || en == SOCKET_EINTR ||
en == SOCKET_EWOULDBLOCK || en == SOCKET_ETIMEDOUT);
}
int vio_ssl_close(Vio * vio)
{
int r;
DBUG_ENTER("vio_ssl_close"); DBUG_ENTER("vio_ssl_close");
r=0;
if ((SSL*) vio->ssl_arg)
{
r = SSL_shutdown((SSL*) vio->ssl_arg);
SSL_free((SSL*) vio->ssl_arg);
vio->ssl_arg= 0;
}
if (vio->sd >= 0)
{
if (shutdown(vio->sd, 2))
r= -1;
if (closesocket(vio->sd))
r= -1;
}
if (r)
{
DBUG_PRINT("error", ("close() failed, error: %d",socket_errno));
report_errors();
/* FIXME: error handling (not critical for MySQL) */
}
vio->type= VIO_CLOSED;
vio->sd= -1;
DBUG_RETURN(r);
}
const char *vio_ssl_description(Vio * vio)
{
return vio->desc;
}
enum enum_vio_type vio_ssl_type(Vio* vio)
{
return vio->type;
}
my_socket vio_ssl_fd(Vio* vio)
{
return vio->sd;
}
my_bool vio_ssl_peer_addr(Vio * vio, char *buf, uint16 *port) if (ssl)
{
DBUG_ENTER("vio_ssl_peer_addr");
DBUG_PRINT("enter", ("sd: %d", vio->sd));
if (vio->localhost)
{
strmov(buf,"127.0.0.1");
*port=0;
}
else
{ {
size_socket addrLen = sizeof(struct sockaddr); switch ((r= SSL_shutdown(ssl)))
if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)),
&addrLen) != 0)
{ {
DBUG_PRINT("exit", ("getpeername, error: %d", socket_errno)); case 1: /* Shutdown successful */
DBUG_RETURN(1); break;
case 0: /* Shutdown not yet finished, call it again */
if ((r= SSL_shutdown(ssl) >= 0))
break;
/* Fallthrough */
default: /* Shutdown failed */
DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %s",
SSL_get_error(ssl, r)));
break;
} }
#ifdef TO_BE_FIXED SSL_free(ssl);
my_inet_ntoa(vio->remote.sin_addr,buf); vio->ssl_arg= 0;
*port= 0;
#else
strmov(buf, "unknown");
*port= 0;
#endif
} }
DBUG_PRINT("exit", ("addr: %s", buf)); DBUG_RETURN(vio_close(vio));
DBUG_RETURN(0);
}
void vio_ssl_in_addr(Vio *vio, struct in_addr *in)
{
DBUG_ENTER("vio_ssl_in_addr");
if (vio->localhost)
bzero((char*) in, sizeof(*in));
else
*in=vio->remote.sin_addr;
DBUG_VOID_RETURN;
} }
/* int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
TODO: Add documentation
*/
int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
{ {
char *str; SSL *ssl;
char buf[1024]; X509 *client_cert;
X509* client_cert;
my_bool unused; my_bool unused;
my_bool net_blocking; my_bool net_blocking;
enum enum_vio_type old_type; enum enum_vio_type old_type;
DBUG_ENTER("sslaccept"); DBUG_ENTER("sslaccept");
DBUG_PRINT("enter", ("sd: %d ptr: Ox%p, timeout: %d", DBUG_PRINT("enter", ("sd: %d ptr: %p, timeout: %d",
vio->sd, ptr, timeout)); vio->sd, ptr, timeout));
old_type= vio->type; old_type= vio->type;
net_blocking = vio_is_blocking(vio); net_blocking= vio_is_blocking(vio);
vio_blocking(vio, 1, &unused); /* Must be called before reset */ vio_blocking(vio, 1, &unused); /* Must be called before reset */
vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);
vio->ssl_arg= 0;
if (!(vio->ssl_arg= (void*) SSL_new(ptr->ssl_context))) if (!(ssl= SSL_new(ptr->ssl_context)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors();
...@@ -291,144 +153,126 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) ...@@ -291,144 +153,126 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
DBUG_PRINT("info", ("ssl_: Ox%p timeout: %ld", vio->ssl_arg= (void*)ssl;
(SSL*) vio->ssl_arg, timeout)); DBUG_PRINT("info", ("ssl_: %p timeout: %ld", ssl, timeout));
SSL_clear((SSL*) vio->ssl_arg); SSL_clear(ssl);
SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd((SSL*) vio->ssl_arg,vio->sd); SSL_set_fd(ssl, vio->sd);
SSL_set_accept_state((SSL*) vio->ssl_arg); SSL_set_accept_state(ssl);
if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) if (SSL_do_handshake(ssl) < 1)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors();
SSL_free((SSL*) vio->ssl_arg); SSL_free(ssl);
vio->ssl_arg= 0; vio->ssl_arg= 0;
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
#ifndef DBUG_OFF #ifndef DBUG_OFF
DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
,SSL_get_cipher_name((SSL*) vio->ssl_arg)));
client_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg);
if (client_cert != NULL)
{ {
DBUG_PRINT("info",("Client certificate:")); char buf[1024];
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl)));
DBUG_PRINT("info",("\t subject: %s", str));
free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0); if ((client_cert= SSL_get_peer_certificate (ssl)))
DBUG_PRINT("info",("\t issuer: %s", str)); {
free (str); DBUG_PRINT("info",("Client certificate:"));
X509_NAME_oneline (X509_get_subject_name (client_cert),
buf, sizeof(buf));
DBUG_PRINT("info",("\t subject: %s", buf));
X509_free (client_cert); X509_NAME_oneline (X509_get_issuer_name (client_cert),
} buf, sizeof(buf));
else DBUG_PRINT("info",("\t issuer: %s", buf));
DBUG_PRINT("info",("Client does not have certificate."));
str=SSL_get_shared_ciphers((SSL*) vio->ssl_arg, buf, sizeof(buf)); X509_free (client_cert);
if (str) }
{ else
DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str)); DBUG_PRINT("info",("Client does not have certificate."));
}
else
{
DBUG_PRINT("info",("no shared ciphers!"));
}
if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf)))
{
DBUG_PRINT("info",("shared_ciphers: '%s'", buf));
}
else
DBUG_PRINT("info",("no shared ciphers!"));
}
#endif #endif
DBUG_RETURN(0); DBUG_RETURN(0);
} }
int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
{ {
char *str; SSL *ssl;
X509* server_cert; X509 *server_cert;
my_bool unused; my_bool unused;
my_bool net_blocking; my_bool net_blocking;
enum enum_vio_type old_type; enum enum_vio_type old_type;
DBUG_ENTER("sslconnect"); DBUG_ENTER("sslconnect");
DBUG_PRINT("enter", ("sd: %d ptr: 0x%p ctx: 0x%p", DBUG_PRINT("enter", ("sd: %d, ptr: %p, ctx: %p",
vio->sd,ptr,ptr->ssl_context)); vio->sd, ptr, ptr->ssl_context));
old_type= vio->type; old_type= vio->type;
net_blocking = vio_is_blocking(vio); net_blocking= vio_is_blocking(vio);
vio_blocking(vio, 1, &unused); /* Must be called before reset */ vio_blocking(vio, 1, &unused); /* Must be called before reset */
vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);
vio->ssl_arg= 0; if (!(ssl= SSL_new(ptr->ssl_context)))
if (!(vio->ssl_arg = SSL_new(ptr->ssl_context)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors();
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type, vio->sd, 0, FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
DBUG_PRINT("info", ("ssl_: 0x%p timeout: %ld", vio->ssl_arg= (void*)ssl;
(SSL*) vio->ssl_arg, timeout)); DBUG_PRINT("info", ("ssl: %p, timeout: %ld", ssl, timeout));
SSL_clear((SSL*) vio->ssl_arg); SSL_clear(ssl);
SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd ((SSL*) vio->ssl_arg, vio_ssl_fd(vio)); SSL_set_fd(ssl, vio->sd);
SSL_set_connect_state((SSL*) vio->ssl_arg); SSL_set_connect_state(ssl);
if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) if (SSL_do_handshake(ssl) < 1)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors();
SSL_free((SSL*) vio->ssl_arg); SSL_free(ssl);
vio->ssl_arg= 0; vio->ssl_arg= 0;
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type, vio->sd, 0, FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
#ifndef DBUG_OFF #ifndef DBUG_OFF
DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl)));
,SSL_get_cipher_name((SSL*) vio->ssl_arg)));
server_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); if ((server_cert= SSL_get_peer_certificate (ssl)))
if (server_cert != NULL)
{ {
char buf[256];
DBUG_PRINT("info",("Server certificate:")); DBUG_PRINT("info",("Server certificate:"));
str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0); X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
DBUG_PRINT("info",("\t subject: %s", str)); DBUG_PRINT("info",("\t subject: %s", buf));
free(str); X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf));
DBUG_PRINT("info",("\t issuer: %s", buf));
str = X509_NAME_oneline (X509_get_issuer_name (server_cert), 0, 0);
DBUG_PRINT("info",("\t issuer: %s", str));
free(str);
/*
We could do all sorts of certificate verification stuff here before
deallocating the certificate.
*/
X509_free (server_cert); X509_free (server_cert);
} }
else else
DBUG_PRINT("info",("Server does not have certificate.")); DBUG_PRINT("info",("Server does not have certificate."));
#endif #endif
DBUG_RETURN(0); DBUG_RETURN(0);
} }
int vio_ssl_blocking(Vio * vio __attribute__((unused)), int vio_ssl_blocking(Vio *vio __attribute__((unused)),
my_bool set_blocking_mode, my_bool set_blocking_mode,
my_bool *old_mode) my_bool *old_mode)
{ {
/* Mode is always blocking */
*old_mode= 1;
/* Return error if we try to change to non_blocking mode */ /* Return error if we try to change to non_blocking mode */
*old_mode=1; /* Mode is always blocking */ return (set_blocking_mode ? 0 : 1);
return set_blocking_mode ? 0 : 1;
} }
void vio_ssl_timeout(Vio *vio __attribute__((unused)),
uint which __attribute__((unused)),
uint timeout __attribute__((unused)))
{
#ifdef __WIN__
ulong wait_timeout= (ulong) timeout * 1000;
(void) setsockopt(vio->sd, SOL_SOCKET,
which ? SO_SNDTIMEO : SO_RCVTIMEO, (char*) &wait_timeout,
sizeof(wait_timeout));
#endif /* __WIN__ */
}
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
...@@ -21,7 +21,6 @@ ...@@ -21,7 +21,6 @@
static bool ssl_algorithms_added = FALSE; static bool ssl_algorithms_added = FALSE;
static bool ssl_error_strings_loaded= FALSE; static bool ssl_error_strings_loaded= FALSE;
static int verify_depth = 0; static int verify_depth = 0;
static int verify_error = X509_V_OK;
static unsigned char dh512_p[]= static unsigned char dh512_p[]=
{ {
...@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) ...@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
DBUG_ENTER("vio_set_cert_stuff"); DBUG_ENTER("vio_set_cert_stuff");
DBUG_PRINT("enter", ("ctx: %p, cert_file: %s, key_file: %s", DBUG_PRINT("enter", ("ctx: %p, cert_file: %s, key_file: %s",
ctx, cert_file, key_file)); ctx, cert_file, key_file));
if (cert_file != NULL) if (cert_file)
{ {
if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0) if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
{ {
DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file)); DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file));
/* FIX stderr */ /* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:"); fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file); fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
fflush(stderr); fflush(stderr);
DBUG_RETURN(0); DBUG_RETURN(1);
} }
if (key_file == NULL)
key_file = cert_file; if (!key_file)
if (SSL_CTX_use_PrivateKey_file(ctx,key_file, key_file= cert_file;
SSL_FILETYPE_PEM) <= 0)
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
{ {
DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file)); DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file));
/* FIX stderr */ /* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:"); fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
fflush(stderr); fflush(stderr);
DBUG_RETURN(0); DBUG_RETURN(1);
} }
/* /*
...@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) ...@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{ {
DBUG_PRINT("error", DBUG_PRINT("error",
("Private key does not match the certificate public key\n")); ("Private key does not match the certificate public key\n"));
DBUG_RETURN(0); DBUG_RETURN(1);
} }
} }
DBUG_RETURN(1); DBUG_RETURN(0);
} }
static int static int
vio_verify_callback(int ok, X509_STORE_CTX *ctx) vio_verify_callback(int ok, X509_STORE_CTX *ctx)
{ {
char buf[256]; char buf[256];
X509* err_cert; X509 *err_cert;
int err,depth;
DBUG_ENTER("vio_verify_callback"); DBUG_ENTER("vio_verify_callback");
DBUG_PRINT("enter", ("ok: %d, ctx: 0x%p", ok, ctx)); DBUG_PRINT("enter", ("ok: %d, ctx: %p", ok, ctx));
err_cert=X509_STORE_CTX_get_current_cert(ctx);
err= X509_STORE_CTX_get_error(ctx);
depth= X509_STORE_CTX_get_error_depth(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf)); err_cert= X509_STORE_CTX_get_current_cert(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
DBUG_PRINT("info", ("cert: %s", buf));
if (!ok) if (!ok)
{ {
DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err, int err, depth;
err= X509_STORE_CTX_get_error(ctx);
depth= X509_STORE_CTX_get_error_depth(ctx);
DBUG_PRINT("error",("verify error: %d, '%s'",err,
X509_verify_cert_error_string(err))); X509_verify_cert_error_string(err)));
/*
Approve cert if depth is greater then "verify_depth", currently
verify_depth is always 0 and there is no way to increase it.
*/
if (verify_depth >= depth) if (verify_depth >= depth)
{ ok= 1;
ok=1;
verify_error=X509_V_OK;
}
else
{
verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
}
} }
switch (ctx->error) { switch (ctx->error)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
DBUG_PRINT("info",("issuer= %s\n",buf)); DBUG_PRINT("info",("issuer= %s\n", buf));
break; break;
case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
...@@ -198,193 +198,149 @@ static void netware_ssl_init() ...@@ -198,193 +198,149 @@ static void netware_ssl_init()
#endif /* __NETWARE__ */ #endif /* __NETWARE__ */
/************************ VioSSLConnectorFd **********************************/ static void check_ssl_init()
/*
TODO:
Add option --verify to mysql to be able to change verification mode
*/
struct st_VioSSLConnectorFd *
new_VioSSLConnectorFd(const char* key_file,
const char* cert_file,
const char* ca_file,
const char* ca_path,
const char* cipher)
{ {
int verify = SSL_VERIFY_NONE;
struct st_VioSSLConnectorFd* ptr;
int result;
DH *dh;
DBUG_ENTER("new_VioSSLConnectorFd");
if (!(ptr=((struct st_VioSSLConnectorFd*)
my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0)))))
DBUG_RETURN(0);
ptr->ssl_context= 0;
ptr->ssl_method= 0;
/* FIXME: constants! */
if (!ssl_algorithms_added) if (!ssl_algorithms_added)
{ {
DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()")); ssl_algorithms_added= TRUE;
ssl_algorithms_added = TRUE;
SSL_library_init(); SSL_library_init();
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
} }
#ifdef __NETWARE__ #ifdef __NETWARE__
netware_ssl_init(); netware_ssl_init();
#endif #endif
if (!ssl_error_strings_loaded) if (!ssl_error_strings_loaded)
{ {
DBUG_PRINT("info", ("todo:SSL_load_error_strings()")); ssl_error_strings_loaded= TRUE;
ssl_error_strings_loaded = TRUE;
SSL_load_error_strings(); SSL_load_error_strings();
} }
ptr->ssl_method = TLSv1_client_method(); }
ptr->ssl_context = SSL_CTX_new(ptr->ssl_method);
DBUG_PRINT("info", ("ssl_context: %p",ptr->ssl_context)); /************************ VioSSLFd **********************************/
if (ptr->ssl_context == 0) struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, SSL_METHOD *method)
{
DH *dh;
struct st_VioSSLFd *ssl_fd;
DBUG_ENTER("new_VioSSLFd");
check_ssl_init();
if (!(ssl_fd= ((struct st_VioSSLFd*)
my_malloc(sizeof(struct st_VioSSLFd),MYF(0)))))
DBUG_RETURN(0);
if (!(ssl_fd->ssl_context= SSL_CTX_new(method)))
{ {
DBUG_PRINT("error", ("SSL_CTX_new failed")); DBUG_PRINT("error", ("SSL_CTX_new failed"));
report_errors(); report_errors();
goto ctor_failure; my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
} }
/*
SSL_CTX_set_options /* Set the ciphers that can be used */
SSL_CTX_set_info_callback if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))
*/
if (cipher)
{ {
result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher); DBUG_PRINT("error", ("failed to set ciphers to use"));
DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result)); report_errors();
my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
} }
SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1) if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
{ {
DBUG_PRINT("error", ("vio_set_cert_stuff failed")); DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors(); report_errors();
goto ctor_failure; my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
} }
if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file,ca_path) == 0)
if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
{ {
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(ptr->ssl_context) == 0) if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{ {
DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
report_errors(); report_errors();
goto ctor_failure; my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
} }
} }
/* DH stuff */ /* DH stuff */
dh=get_dh512(); dh=get_dh512();
SSL_CTX_set_tmp_dh(ptr->ssl_context,dh); SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
DH_free(dh); DH_free(dh);
DBUG_RETURN(ptr); DBUG_PRINT("exit", ("OK 1"));
ctor_failure:
DBUG_PRINT("exit", ("there was an error")); DBUG_RETURN(ssl_fd);
my_free((gptr)ptr,MYF(0));
DBUG_RETURN(0);
} }
/************************ VioSSLAcceptorFd **********************************/ /************************ VioSSLConnectorFd **********************************/
/* struct st_VioSSLFd *
TODO: new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
Add option --verify to mysqld to be able to change verification mode const char *ca_file, const char *ca_path,
*/ const char *cipher)
struct st_VioSSLAcceptorFd*
new_VioSSLAcceptorFd(const char *key_file,
const char *cert_file,
const char *ca_file,
const char *ca_path,
const char *cipher)
{ {
int verify = (SSL_VERIFY_PEER | struct st_VioSSLFd *ssl_fd;
SSL_VERIFY_CLIENT_ONCE); int verify= SSL_VERIFY_PEER;
struct st_VioSSLAcceptorFd* ptr; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
int result; ca_path, cipher, TLSv1_client_method())))
DH *dh; {
DBUG_ENTER("new_VioSSLAcceptorFd"); return 0;
}
ptr= ((struct st_VioSSLAcceptorFd*) /* Init the the VioSSLFd as a "connector" ie. the client side */
my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0)));
ptr->ssl_context=0;
ptr->ssl_method=0;
/* FIXME: constants! */
ptr->session_id_context= ptr;
if (!ssl_algorithms_added) /*
{ The verify_callback function is used to control the behaviour
DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()")); when the SSL_VERIFY_PEER flag is set.
ssl_algorithms_added = TRUE; */
SSL_library_init(); SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback);
OpenSSL_add_all_algorithms();
} return ssl_fd;
#ifdef __NETWARE__ }
netware_ssl_init();
#endif
if (!ssl_error_strings_loaded)
{ /************************ VioSSLAcceptorFd **********************************/
DBUG_PRINT("info", ("todo: SSL_load_error_strings()")); struct st_VioSSLFd*
ssl_error_strings_loaded = TRUE; new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
SSL_load_error_strings(); const char *ca_file, const char *ca_path,
} const char *cipher)
ptr->ssl_method= TLSv1_server_method(); {
ptr->ssl_context= SSL_CTX_new(ptr->ssl_method); struct st_VioSSLFd *ssl_fd;
if (ptr->ssl_context == 0) int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
{ if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
DBUG_PRINT("error", ("SSL_CTX_new failed")); ca_path, cipher, TLSv1_server_method())))
report_errors();
goto ctor_failure;
}
if (cipher)
{ {
result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher); return 0;
DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
} }
/* SSL_CTX_set_quiet_shutdown(ctx,1); */ /* Init the the VioSSLFd as a "acceptor" ie. the server side */
SSL_CTX_sess_set_cache_size(ptr->ssl_context,128);
/* DH? */ /* Set max number of cached sessions, returns the previous size */
SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback); SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128);
SSL_CTX_set_session_id_context(ptr->ssl_context,
(const uchar*) &(ptr->session_id_context),
sizeof(ptr->session_id_context));
/* /*
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); The verify_callback function is used to control the behaviour
when the SSL_VERIFY_PEER flag is set.
*/ */
if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1) SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback);
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
goto ctor_failure;
}
if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file, ca_path) == 0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(ptr->ssl_context)==0)
{
DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
report_errors();
goto ctor_failure;
}
}
/* DH stuff */
dh=get_dh512();
SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
DH_free(dh);
DBUG_RETURN(ptr);
ctor_failure: /*
DBUG_PRINT("exit", ("there was an error")); Set session_id - an identifier for this server session
my_free((gptr) ptr,MYF(0)); Use the ssl_fd pointer
DBUG_RETURN(0); */
SSL_CTX_set_session_id_context(ssl_fd->ssl_context,
ssl_fd,
sizeof(ssl_fd));
return ssl_fd;
} }
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment