Merge sgluhov@bk-internal.mysql.com:/home/bk/mysql-4.0

into gluh.mysql.r18.ru:/home/gluh/mysql-4.0.for_fix

Merge sgluhov@bk-internal.mysql.com:/home/bk/mysql-4.0
into gluh.mysql.r18.ru:/home/gluh/mysql-4.0.for_fix
8573bdbf · gluh@gluh.mysql.r18.ru · ad5cbc02 · 7d43750e · 8573bdbf · 8573bdbf
Commit 8573bdbf authored Jun 26, 2003 by gluh@gluh.mysql.r18.ru
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 9 deletions

sql/sql_acl.cc sql/sql_acl.cc +5 -2

vio/viossl.c vio/viossl.c +2 -4

vio/viosslfactories.c vio/viosslfactories.c +10 -3

No files found.
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -552,7 +552,9 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
 	      We need to check for absence of SSL because without SSL
 	      we should reject connection.
 	    */
-	    if (vio_type(vio) == VIO_TYPE_SSL && SSL_get_peer_certificate(vio->ssl_))
+	    if (vio_type(vio) == VIO_TYPE_SSL && 
+	        SSL_get_verify_result(vio->ssl_) == X509_V_OK &&
+	        SSL_get_peer_certificate(vio->ssl_))
 	      user_access=acl_user->access;
 	    break;
 	  case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
@@ -560,7 +562,8 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
 	      We need to check for absence of SSL because without SSL
 	      we should reject connection.
 	    */
-	    if (vio_type(vio) == VIO_TYPE_SSL)
+	    if (vio_type(vio) == VIO_TYPE_SSL && 
+	        SSL_get_verify_result(vio->ssl_) == X509_V_OK)
 	    {
 	      if (acl_user->ssl_cipher)
 	      {

--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -287,8 +287,7 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
  SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
  SSL_set_fd(vio->ssl_,vio->sd);
  SSL_set_accept_state(vio->ssl_);
-  if (SSL_do_handshake(vio->ssl_) < 1 ||
-      SSL_get_verify_result(vio->ssl_) != X509_V_OK)
+  if (SSL_do_handshake(vio->ssl_) < 1)
  {
    DBUG_PRINT("error", ("SSL_do_handshake failure"));
    report_errors();
@@ -361,8 +360,7 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
  SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
  SSL_set_fd (vio->ssl_, vio->sd);
  SSL_set_connect_state(vio->ssl_);
-  if (SSL_do_handshake(vio->ssl_) < 1 ||
-      SSL_get_verify_result(vio->ssl_) != X509_V_OK)
+  if (SSL_do_handshake(vio->ssl_) < 1)
  {
    DBUG_PRINT("error", ("SSL_do_handshake failure"));
    report_errors();

--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -178,6 +178,11 @@ vio_verify_callback(int ok, X509_STORE_CTX *ctx)


 /************************ VioSSLConnectorFd **********************************/
+/*
+  TODO:
+       Add option --verify to mysql to be able to change verification mode
+*/
+
 struct st_VioSSLConnectorFd *
 new_VioSSLConnectorFd(const char* key_file,
 		      const char* cert_file,
@@ -185,7 +190,7 @@ new_VioSSLConnectorFd(const char* key_file,
 		      const char* ca_path,
 		      const char* cipher)
 {
-  int	verify = SSL_VERIFY_PEER;
+  int	verify = SSL_VERIFY_NONE;
  struct st_VioSSLConnectorFd* ptr;
  int result;
  DH *dh=NULL; 
@@ -264,7 +269,10 @@ ctor_failure:


 /************************ VioSSLAcceptorFd **********************************/
-
+/*
+  TODO:
+       Add option --verify to mysqld to be able to change verification mode
+*/
 struct st_VioSSLAcceptorFd*
 new_VioSSLAcceptorFd(const char *key_file,
 		     const char *cert_file,
@@ -273,7 +281,6 @@ new_VioSSLAcceptorFd(const char *key_file,
 		     const char *cipher)
 {
  int verify = (SSL_VERIFY_PEER			|
-		SSL_VERIFY_FAIL_IF_NO_PEER_CERT	|
 		SSL_VERIFY_CLIENT_ONCE);
  struct st_VioSSLAcceptorFd* ptr;
  int result;