Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
MariaDB
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nexedi
MariaDB
Commits
3f8a9984
Commit
3f8a9984
authored
Aug 11, 2012
by
Venkata Sidagam
Browse files
Options
Browse Files
Download
Plain Diff
Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE
CONNECTIONS IF SPE Merged from mysql-5.1 to mysql-5.5
parents
51672ec2
18087b04
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
65 additions
and
41 deletions
+65
-41
extra/yassl/src/ssl.cpp
extra/yassl/src/ssl.cpp
+1
-1
mysql-test/r/openssl_1.result
mysql-test/r/openssl_1.result
+3
-3
mysql-test/t/openssl_1.test
mysql-test/t/openssl_1.test
+6
-0
vio/viosslfactories.c
vio/viosslfactories.c
+55
-37
No files found.
extra/yassl/src/ssl.cpp
View file @
3f8a9984
...
@@ -746,7 +746,7 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc)
...
@@ -746,7 +746,7 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc)
int
SSL_CTX_load_verify_locations
(
SSL_CTX
*
ctx
,
const
char
*
file
,
int
SSL_CTX_load_verify_locations
(
SSL_CTX
*
ctx
,
const
char
*
file
,
const
char
*
path
)
const
char
*
path
)
{
{
int
ret
=
SSL_
SUCCESS
;
int
ret
=
SSL_
FAILURE
;
const
int
HALF_PATH
=
128
;
const
int
HALF_PATH
=
128
;
if
(
file
)
ret
=
read_file
(
ctx
,
file
,
SSL_FILETYPE_PEM
,
CA
);
if
(
file
)
ret
=
read_file
(
ctx
,
file
,
SSL_FILETYPE_PEM
,
CA
);
...
...
mysql-test/r/openssl_1.result
View file @
3f8a9984
...
@@ -44,9 +44,9 @@ ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1
...
@@ -44,9 +44,9 @@ ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1
drop user ssl_user1@localhost, ssl_user2@localhost,
drop user ssl_user1@localhost, ssl_user2@localhost,
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
drop table t1;
drop table t1;
mysqltest: Could not open connection 'default': 2026 SSL connection error:
ASN: bad other signature confirmation
mysqltest: Could not open connection 'default': 2026 SSL connection error:
xxxx
mysqltest: Could not open connection 'default': 2026 SSL connection error:
ASN: bad other signature confirmation
mysqltest: Could not open connection 'default': 2026 SSL connection error:
xxxx
mysqltest: Could not open connection 'default': 2026 SSL connection error:
ASN: bad other signature confirmation
mysqltest: Could not open connection 'default': 2026 SSL connection error:
xxxx
SSL error: Unable to get private key from ''
SSL error: Unable to get private key from ''
mysqltest: Could not open connection 'default': 2026 SSL connection error: Unable to get private key
mysqltest: Could not open connection 'default': 2026 SSL connection error: Unable to get private key
SSL error: Unable to get certificate from ''
SSL error: Unable to get certificate from ''
...
...
mysql-test/t/openssl_1.test
View file @
3f8a9984
...
@@ -73,22 +73,28 @@ drop table t1;
...
@@ -73,22 +73,28 @@ drop table t1;
# a different cacert
# a different cacert
#
#
--
exec
echo
"this query should not execute;"
>
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
--
exec
echo
"this query should not execute;"
>
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
--
replace_regex
/
2026
SSL
connection
error
.*/
2026
SSL
connection
error
:
xxxx
/
--
error
1
--
error
1
--
exec
$MYSQL_TEST
--
ssl
-
ca
=
$MYSQL_TEST_DIR
/
std_data
/
untrusted
-
cacert
.
pem
--
max
-
connect
-
retries
=
1
<
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
2
>&
1
--
exec
$MYSQL_TEST
--
ssl
-
ca
=
$MYSQL_TEST_DIR
/
std_data
/
untrusted
-
cacert
.
pem
--
max
-
connect
-
retries
=
1
<
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
2
>&
1
--
echo
#
#
# Test that we can't open connection to server if we are using
# Test that we can't open connection to server if we are using
# a blank ca
# a blank ca
#
#
--
replace_regex
/
2026
SSL
connection
error
.*/
2026
SSL
connection
error
:
xxxx
/
--
error
1
--
error
1
--
exec
$MYSQL_TEST
--
ssl
-
ca
=
--
max
-
connect
-
retries
=
1
<
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
2
>&
1
--
exec
$MYSQL_TEST
--
ssl
-
ca
=
--
max
-
connect
-
retries
=
1
<
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
2
>&
1
--
echo
#
#
# Test that we can't open connection to server if we are using
# Test that we can't open connection to server if we are using
# a nonexistent ca file
# a nonexistent ca file
#
#
--
replace_regex
/
2026
SSL
connection
error
.*/
2026
SSL
connection
error
:
xxxx
/
--
error
1
--
error
1
--
exec
$MYSQL_TEST
--
ssl
-
ca
=
nonexisting_file
.
pem
--
max
-
connect
-
retries
=
1
<
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
2
>&
1
--
exec
$MYSQL_TEST
--
ssl
-
ca
=
nonexisting_file
.
pem
--
max
-
connect
-
retries
=
1
<
$MYSQLTEST_VARDIR
/
tmp
/
test
.
sql
2
>&
1
--
echo
#
#
# Test that we can't open connection to server if we are using
# Test that we can't open connection to server if we are using
...
...
vio/viosslfactories.c
View file @
3f8a9984
...
@@ -98,9 +98,15 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
...
@@ -98,9 +98,15 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
DBUG_ENTER
(
"vio_set_cert_stuff"
);
DBUG_ENTER
(
"vio_set_cert_stuff"
);
DBUG_PRINT
(
"enter"
,
(
"ctx: 0x%lx cert_file: %s key_file: %s"
,
DBUG_PRINT
(
"enter"
,
(
"ctx: 0x%lx cert_file: %s key_file: %s"
,
(
long
)
ctx
,
cert_file
,
key_file
));
(
long
)
ctx
,
cert_file
,
key_file
));
if
(
cert_file
)
{
if
(
!
cert_file
&&
key_file
)
if
(
SSL_CTX_use_certificate_file
(
ctx
,
cert_file
,
SSL_FILETYPE_PEM
)
<=
0
)
cert_file
=
key_file
;
if
(
!
key_file
&&
cert_file
)
key_file
=
cert_file
;
if
(
cert_file
&&
SSL_CTX_use_certificate_file
(
ctx
,
cert_file
,
SSL_FILETYPE_PEM
)
<=
0
)
{
{
*
error
=
SSL_INITERR_CERT
;
*
error
=
SSL_INITERR_CERT
;
DBUG_PRINT
(
"error"
,(
"%s from file '%s'"
,
sslGetErrString
(
*
error
),
cert_file
));
DBUG_PRINT
(
"error"
,(
"%s from file '%s'"
,
sslGetErrString
(
*
error
),
cert_file
));
...
@@ -111,10 +117,8 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
...
@@ -111,10 +117,8 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
if
(
!
key_file
)
if
(
key_file
&&
key_file
=
cert_file
;
SSL_CTX_use_PrivateKey_file
(
ctx
,
key_file
,
SSL_FILETYPE_PEM
)
<=
0
)
if
(
SSL_CTX_use_PrivateKey_file
(
ctx
,
key_file
,
SSL_FILETYPE_PEM
)
<=
0
)
{
{
*
error
=
SSL_INITERR_KEY
;
*
error
=
SSL_INITERR_KEY
;
DBUG_PRINT
(
"error"
,
(
"%s from file '%s'"
,
sslGetErrString
(
*
error
),
key_file
));
DBUG_PRINT
(
"error"
,
(
"%s from file '%s'"
,
sslGetErrString
(
*
error
),
key_file
));
...
@@ -129,7 +133,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
...
@@ -129,7 +133,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
If we are using DSA, we can copy the parameters from the private key
If we are using DSA, we can copy the parameters from the private key
Now we know that a key and cert have been set against the SSL context
Now we know that a key and cert have been set against the SSL context
*/
*/
if
(
!
SSL_CTX_check_private_key
(
ctx
))
if
(
cert_file
&&
!
SSL_CTX_check_private_key
(
ctx
))
{
{
*
error
=
SSL_INITERR_NOMATCH
;
*
error
=
SSL_INITERR_NOMATCH
;
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)));
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)));
...
@@ -138,7 +142,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
...
@@ -138,7 +142,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
fflush
(
stderr
);
fflush
(
stderr
);
DBUG_RETURN
(
1
);
DBUG_RETURN
(
1
);
}
}
}
DBUG_RETURN
(
0
);
DBUG_RETURN
(
0
);
}
}
...
@@ -216,6 +220,20 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
...
@@ -216,6 +220,20 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
if
(
SSL_CTX_load_verify_locations
(
ssl_fd
->
ssl_context
,
ca_file
,
ca_path
)
==
0
)
if
(
SSL_CTX_load_verify_locations
(
ssl_fd
->
ssl_context
,
ca_file
,
ca_path
)
==
0
)
{
{
DBUG_PRINT
(
"warning"
,
(
"SSL_CTX_load_verify_locations failed"
));
DBUG_PRINT
(
"warning"
,
(
"SSL_CTX_load_verify_locations failed"
));
if
(
ca_file
||
ca_path
)
{
/* fail only if ca file or ca path were supplied and looking into
them fails. */
*
error
=
SSL_INITERR_BAD_PATHS
;
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_load_verify_locations failed : %s"
,
sslGetErrString
(
*
error
)));
report_errors
();
SSL_CTX_free
(
ssl_fd
->
ssl_context
);
my_free
(
ssl_fd
);
DBUG_RETURN
(
0
);
}
/* otherwise go use the defaults */
if
(
SSL_CTX_set_default_verify_paths
(
ssl_fd
->
ssl_context
)
==
0
)
if
(
SSL_CTX_set_default_verify_paths
(
ssl_fd
->
ssl_context
)
==
0
)
{
{
*
error
=
SSL_INITERR_BAD_PATHS
;
*
error
=
SSL_INITERR_BAD_PATHS
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment