Commit 2030ef48 authored by unknown's avatar unknown

Load CA certs before setting local certs.

Make it possible to get the yaSSL error message printed in the DBUG log file.


vio/viossl.c:
  Add possibility to print out the error from yaSSL.
vio/viosslfactories.c:
  Load the CA certs before loading the certs for this client or server.
  Improved comments.
parent a3ea7808
...@@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd) ...@@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd)
static void static void
report_errors() report_errors(SSL* ssl)
{ {
unsigned long l; unsigned long l;
const char *file; const char *file;
const char *data; const char *data;
int line,flags; int line,flags;
char buf[512];
DBUG_ENTER("report_errors"); DBUG_ENTER("report_errors");
while ((l= ERR_get_error_line_data(&file,&line,&data,&flags))) while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
{ {
char buf[512];
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
file,line,(flags&ERR_TXT_STRING)?data:"")) ; file,line,(flags&ERR_TXT_STRING)?data:"")) ;
} }
#ifdef HAVE_YASSL
/*
The above calls to ERR_* doesn't return any messages when we
are using yaSSL since error is stored in the SSL object we used.
*/
if (ssl)
DBUG_PRINT("error", ("yaSSL: %s", ERR_error_string(SSL_get_error(ssl, l), buf)));
#endif
DBUG_PRINT("info", ("errno: %d", socket_errno)); DBUG_PRINT("info", ("errno: %d", socket_errno));
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
...@@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size) ...@@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size)
{ {
int err= SSL_get_error((SSL*) vio->ssl_arg, r); int err= SSL_get_error((SSL*) vio->ssl_arg, r);
DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err)); DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err));
report_errors(); report_errors((SSL*) vio->ssl_arg);
} }
DBUG_PRINT("exit", ("%d", r)); DBUG_PRINT("exit", ("%d", r));
DBUG_RETURN(r); DBUG_RETURN(r);
...@@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size) ...@@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size)
DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size)); DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size));
if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0) if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0)
report_errors(); report_errors((SSL*) vio->ssl_arg);
DBUG_PRINT("exit", ("%d", r)); DBUG_PRINT("exit", ("%d", r));
DBUG_RETURN(r); DBUG_RETURN(r);
} }
...@@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (!(ssl= SSL_new(ptr->ssl_context))) if (!(ssl= SSL_new(ptr->ssl_context)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors(ssl);
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
...@@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (SSL_do_handshake(ssl) < 1) if (SSL_do_handshake(ssl) < 1)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors(ssl);
SSL_free(ssl); SSL_free(ssl);
vio->ssl_arg= 0; vio->ssl_arg= 0;
vio_reset(vio, old_type,vio->sd,0,FALSE); vio_reset(vio, old_type,vio->sd,0,FALSE);
...@@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (!(ssl= SSL_new(ptr->ssl_context))) if (!(ssl= SSL_new(ptr->ssl_context)))
{ {
DBUG_PRINT("error", ("SSL_new failure")); DBUG_PRINT("error", ("SSL_new failure"));
report_errors(); report_errors(ssl);
vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_reset(vio, old_type, vio->sd, 0, FALSE);
vio_blocking(vio, net_blocking, &unused); vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1); DBUG_RETURN(1);
...@@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) ...@@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
if (SSL_do_handshake(ssl) < 1) if (SSL_do_handshake(ssl) < 1)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors(ssl);
SSL_free(ssl); SSL_free(ssl);
vio->ssl_arg= 0; vio->ssl_arg= 0;
vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_reset(vio, old_type, vio->sd, 0, FALSE);
......
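Review bot: In the new yaSSL branch of report_errors, `ERR_error_string(SSL_get_error(ssl, l), buf)` runs after the while loop, where `l` has just been set to 0 by the exhausted ERR_get_error_line_data() call, so SSL_get_error is asked about a return value of 0 rather than the return value of the call that actually failed. The callers already hold that value (`r` in vio_ssl_read and vio_ssl_write, and the `err` computed on the line above the vio_ssl_read call), so the cleaner fix is to pass it through: `static void report_errors(SSL *ssl, int ret)` with `SSL_get_error(ssl, ret)` in the yaSSL branch, the read/write sites calling `report_errors((SSL*) vio->ssl_arg, r)`, and the handshake sites passing the SSL_do_handshake result. The SSL_new-failure sites in sslaccept and sslconnect pass a NULL ssl, which the `if (ssl)` guard covers, but a short comment there (`/* ssl is NULL here; only the error queue is reported */`) would make that intentional rather than accidental. The same change applies to the sslaccept and sslconnect hunks further down in this file.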
...@@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) ...@@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
/* FIX stderr */ /* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:"); fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
fflush(stderr); fflush(stderr);
DBUG_RETURN(1); DBUG_RETURN(1);
} }
...@@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_RETURN(0); DBUG_RETURN(0);
} }
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file)) /* Load certs from the trusted ca */
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
}
if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0) if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
{ {
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
...@@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
} }
} }
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
}
/* DH stuff */ /* DH stuff */
dh=get_dh512(); dh=get_dh512();
SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh); SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
...@@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, ...@@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
return 0; return 0;
} }
/* Init the the VioSSLFd as a "connector" ie. the client side */ /* Init the VioSSLFd as a "connector" ie. the client side */
/* /*
The verify_callback function is used to control the behaviour The verify_callback function is used to control the behaviour
......
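Review bot: The moved vio_set_cert_stuff failure path (`my_free((void*)ssl_fd,MYF(0)); DBUG_RETURN(0);`) releases the st_VioSSLFd but not the SSL_CTX it holds; if ssl_fd->ssl_context was already allocated above — the DBUG_RETURN(0) at the top of this hunk looks like the SSL_CTX_new failure check — the context leaks on every bad cert/key configuration. Add `SSL_CTX_free(ssl_fd->ssl_context);` before the `my_free` in that block, and check whether the SSL_CTX_load_verify_locations branch just above it has the same gap. The reorder also makes the asymmetry more visible: a CA that fails to load is only a DBUG "warning" while a cert that fails to load is fatal, and since the rest of that branch is outside the hunk it is not clear what peer verification the caller gets afterwards; a one-line comment on the warning branch stating what is expected to happen when no trusted CA can be loaded would document that choice. The `report_errors();` call in the moved block takes no argument, so this file presumably has its own static report_errors separate from the one in viossl.c that this commit changed — worth confirming rather than assuming.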