Cleanup SSL implementation

Remove duplicate code
Merge common functions
Enforce MySQL coding standard


include/violite.h:
  Cleanup SSL implementation
sql-common/client.c:
  Cleanup SSL implementation
sql/mysql_priv.h:
  Cleanup SSL implementation
sql/mysqld.cc:
  Cleanup SSL implementation
sql/sql_acl.cc:
  Cleanup SSL implementation
vio/vio.c:
  Cleanup SSL implementation
vio/vio_priv.h:
  Cleanup SSL implementation
vio/viossl.c:
  Cleanup SSL implementation
vio/viosslfactories.c:
  Cleanup SSL implementation

include/violite.h

@@ -105,33 +105,22 @@ void	vio_timeout(Vio *vio,uint which, uint timeout);
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-struct st_VioSSLAcceptorFd 
+struct st_VioSSLFd
 {
   SSL_CTX *ssl_context;
-  SSL_METHOD *ssl_method;
-  struct st_VioSSLAcceptorFd *session_id_context;
 };
 
-/* One copy for client */
-struct st_VioSSLConnectorFd
-{
-  SSL_CTX *ssl_context;
-  /* function pointers which are only once for SSL client */ 
-  SSL_METHOD *ssl_method;
-};
-
-int sslaccept(struct st_VioSSLAcceptorFd*, Vio *, long timeout);
-int sslconnect(struct st_VioSSLConnectorFd*, Vio *, long timeout);
+int sslaccept(struct st_VioSSLFd*, Vio *, long timeout);
+int sslconnect(struct st_VioSSLFd*, Vio *, long timeout);
 
-struct st_VioSSLConnectorFd
+struct st_VioSSLFd
 *new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
 		       const char *ca_file,  const char *ca_path,
 		       const char *cipher);
-struct st_VioSSLAcceptorFd
+struct st_VioSSLFd
 *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
 		      const char *ca_file,const char *ca_path,
 		      const char *cipher);
-Vio *new_VioSSL(struct st_VioSSLAcceptorFd *fd, Vio *sd, int state);
 #endif /* HAVE_OPENSSL */
 
 #ifdef HAVE_SMEM

sql-common/client.c

@@ -1514,8 +1514,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
 static void
 mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
 {
-  struct st_VioSSLConnectorFd *st= 
-    (struct st_VioSSLConnectorFd*) mysql->connector_fd;
+  struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd;
   DBUG_ENTER("mysql_ssl_free");
 
   my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR));
@@ -1523,8 +1522,8 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
   my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR));
   my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR));
   my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR));  
-  if (st)
-    SSL_CTX_free(st->ssl_context);
+  if (ssl_fd)
+    SSL_CTX_free(ssl_fd->ssl_context);
   my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR));
   mysql->options.ssl_key = 0;
   mysql->options.ssl_cert = 0;
@@ -1568,6 +1567,63 @@ static MYSQL_METHODS client_methods=
 #endif
 };
 
+int ssl_verify_server_cert(Vio *vio, const char* server_host)
+{
+  SSL *ssl;
+  X509 *server_cert;
+  char *cp1, *cp2;
+  char buf[256];
+  DBUG_ENTER("ssl_verify_server_cert");
+  DBUG_PRINT("enter", ("server_host: %s", server_host));
+
+  if (!(ssl= (SSL*)vio->ssl_arg))
+  {
+    DBUG_PRINT("error", ("No SSL pointer found"));
+    return 1;
+  }
+
+  if (!server_host)
+  {
+    DBUG_PRINT("error", ("No server hostname supplied"));
+    return 1;
+  }
+
+  if (!(server_cert= SSL_get_peer_certificate(ssl)))
+  {
+    DBUG_PRINT("error", ("Could not get server certificate"));
+    return 1;
+  }
+
+  /*
+    We already know that the certificate exchanged was valid; the SSL library
+    handled that. Now we need to verify that the contents of the certificate
+    are what we expect.
+  */
+
+  X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
+  X509_free (server_cert);
+
+//  X509_NAME_get_text_by_NID(x509_get_subject_name(server_cert), NID_commonName, buf, sizeof(buf));... does the same thing
+
+  DBUG_PRINT("info", ("hostname in cert: %s", buf));
+  cp1 = strstr(buf, "/CN=");
+  if (cp1)
+  {
+    cp1 += 4; // Skip the "/CN=" that we found
+    cp2 = strchr(cp1, '/');
+    if (cp2)
+      *cp2 = '\0';
+    DBUG_PRINT("info", ("Server hostname in cert: ", cp1));
+    if (!strcmp(cp1, server_host))
+    {
+      /* Success */
+      DBUG_RETURN(0);
+    }
+  }
+  DBUG_PRINT("error", ("SSL certificate validation failure"));
+  DBUG_RETURN(1);
+}
+
 
 MYSQL *
 CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
@@ -2013,37 +2069,53 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   mysql->client_flag=client_flag;
 
 #ifdef HAVE_OPENSSL
-  /*
-    Oops.. are we careful enough to not send ANY information without
-    encryption?
-  */
   if (client_flag & CLIENT_SSL)
   {
+    /* Do the SSL layering. */
     struct st_mysql_options *options= &mysql->options;
+    struct st_VioSSLFd *ssl_fd;
+
+    /*
+      Send client_flag, max_packet_size - unencrypted otherwise
+      the server does not know we want to do SSL
+    */
     if (my_net_write(net,buff,(uint) (end-buff)) || net_flush(net))
     {
       set_mysql_error(mysql, CR_SERVER_LOST, unknown_sqlstate);
       goto error;
     }
-    /* Do the SSL layering. */
-    if (!(mysql->connector_fd=
-	  (gptr) new_VioSSLConnectorFd(options->ssl_key,
-				       options->ssl_cert,
-				       options->ssl_ca,
-				       options->ssl_capath,
-				       options->ssl_cipher)))
+
+    /* Create the VioSSLConnectorFd - init SSL and load certs */
+    if (!(ssl_fd= new_VioSSLConnectorFd(options->ssl_key,
+                                        options->ssl_cert,
+                                        options->ssl_ca,
+                                        options->ssl_capath,
+                                        options->ssl_cipher)))
     {
       set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
       goto error;
     }
+    mysql->connector_fd= (void*)ssl_fd;
+
+    /* Connect to the server */
     DBUG_PRINT("info", ("IO layer change in progress..."));
-    if (sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd),
-		   mysql->net.vio, (long) (mysql->options.connect_timeout)))
+    if (sslconnect(ssl_fd, mysql->net.vio,
+                   (long) (mysql->options.connect_timeout)))
     {
       set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
       goto error;
     }
     DBUG_PRINT("info", ("IO layer change done!"));
+
+#if 0
+    /* Verify server cert */
+    if (mysql->options.ssl_verify_cert &&
+        ssl_verify_server_cert(mysql->net.vio, mysql->host))
+    {
+      set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
+      goto error;
+    }
+#endif
   }
 #endif /* HAVE_OPENSSL */
 

sql/mysql_priv.h

@@ -1258,7 +1258,7 @@ extern pthread_t signal_thread;
 #endif
 
 #ifdef HAVE_OPENSSL
-extern struct st_VioSSLAcceptorFd * ssl_acceptor_fd;
+extern struct st_VioSSLFd * ssl_acceptor_fd;
 #endif /* HAVE_OPENSSL */
 
 MYSQL_LOCK *mysql_lock_tables(THD *thd, TABLE **table, uint count,

sql/mysqld.cc

@@ -599,7 +599,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int);
 static unsigned long openssl_id_function();
 #endif
 char *des_key_file;
-struct st_VioSSLAcceptorFd *ssl_acceptor_fd;
+struct st_VioSSLFd *ssl_acceptor_fd;
 #endif /* HAVE_OPENSSL */
 
 
@@ -1110,7 +1110,10 @@ void clean_up(bool print_message)
 #endif
 #ifdef HAVE_OPENSSL
   if (ssl_acceptor_fd)
-    my_free((gptr) ssl_acceptor_fd, MYF(MY_ALLOW_ZERO_PTR));
+  {
+    SSL_CTX_free(ssl_acceptor_fd->ssl_context);
+    my_free((gptr) ssl_acceptor_fd, MYF(0));
+  }
 #endif /* HAVE_OPENSSL */
 #ifdef USE_REGEX
   my_regex_end();

sql/sql_acl.cc

@@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
       if (acl_user->x509_issuer)
       {
         DBUG_PRINT("info",("checkpoint 3"));
-	char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
-	DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
+        char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+        DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
 			   acl_user->x509_issuer, ptr));
         if (strcmp(acl_user->x509_issuer, ptr))
         {

vio/vio.c

@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type,
   if (type == VIO_TYPE_SSL)
   {
     vio->viodelete	=vio_delete;
-    vio->vioerrno	=vio_ssl_errno;
+    vio->vioerrno	=vio_errno;
     vio->read		=vio_ssl_read;
     vio->write		=vio_ssl_write;
-    vio->fastsend	=vio_ssl_fastsend;
-    vio->viokeepalive	=vio_ssl_keepalive;
-    vio->should_retry	=vio_ssl_should_retry;
-    vio->was_interrupted=vio_ssl_was_interrupted;
+    vio->fastsend	=vio_fastsend;
+    vio->viokeepalive	=vio_keepalive;
+    vio->should_retry	=vio_should_retry;
+    vio->was_interrupted=vio_was_interrupted;
     vio->vioclose	=vio_ssl_close;
-    vio->peer_addr	=vio_ssl_peer_addr;
-    vio->in_addr	=vio_ssl_in_addr;
+    vio->peer_addr	=vio_peer_addr;
+    vio->in_addr	=vio_in_addr;
     vio->vioblocking	=vio_ssl_blocking;
     vio->is_blocking	=vio_is_blocking;
-    vio->timeout	=vio_ssl_timeout;
+    vio->timeout	=vio_timeout;
   }
   else					/* default is VIO_TYPE_TCPIP */
 #endif /* HAVE_OPENSSL */

vio/vio_priv.h

@@ -30,28 +30,10 @@ void	vio_ignore_timeout(Vio *vio, uint which, uint timeout);
 
 int	vio_ssl_read(Vio *vio,gptr buf,	int size);
 int	vio_ssl_write(Vio *vio,const gptr buf,int size);
-void	vio_ssl_timeout(Vio *vio, uint which, uint timeout);
-
-/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */
-int vio_ssl_fastsend(Vio *vio);
-/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */
-int vio_ssl_keepalive(Vio *vio, my_bool onoff);
-/* Whenever we should retry the last read/write operation. */
-my_bool vio_ssl_should_retry(Vio *vio);
-/* Check that operation was timed out */
-my_bool	vio_ssl_was_interrupted(Vio *vio);
+
 /* When the workday is over... */
 int vio_ssl_close(Vio *vio);
-/* Return last error number */
-int vio_ssl_errno(Vio *vio);
-my_bool vio_ssl_peer_addr(Vio *vio, char *buf, uint16 *port);
-void vio_ssl_in_addr(Vio *vio, struct in_addr *in);
+
 int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode);
 
-/* Single copy for server */
-enum vio_ssl_acceptorfd_state
-{
-  state_connect       = 1,
-  state_accept        = 2
-};
 #endif /* HAVE_OPENSSL */

vio/viossl.c

@@ -70,12 +70,6 @@ report_errors()
 }
 
 
-int vio_ssl_errno(Vio *vio __attribute__((unused)))
-{
-  return socket_errno;	/* On Win32 this mapped to WSAGetLastError() */
-}
-
-
 int vio_ssl_read(Vio * vio, gptr buf, int size)
 {
   int r;
@@ -107,183 +101,51 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size)
 }
 
 
-int vio_ssl_fastsend(Vio * vio __attribute__((unused)))
-{
-  int r=0;
-  DBUG_ENTER("vio_ssl_fastsend");
-
-#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__)
-  {
-    int tos= IPTOS_THROUGHPUT;
-    r= setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos));
-  }
-#endif                                    /* IPTOS_THROUGHPUT && !__EMX__ */
-  if (!r)
-  {
-#ifdef __WIN__
-    BOOL nodelay= 1;
-    r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (const char*) &nodelay,
-                  sizeof(nodelay));
-#else
-    int nodelay= 1;
-    r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void*) &nodelay,
-                  sizeof(nodelay));
-#endif                                          /* __WIN__ */
-  }
-  if (r)
-  {
-    DBUG_PRINT("warning", ("Couldn't set socket option for fast send"));
-    r= -1;
-  }
-  DBUG_PRINT("exit", ("%d", r));
-  DBUG_RETURN(r);
-}
-
-
-int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive)
-{
-  int r=0;
-  DBUG_ENTER("vio_ssl_keepalive");
-  DBUG_PRINT("enter", ("sd: %d, set_keep_alive: %d", vio->sd, (int)
-		       set_keep_alive));
-  if (vio->type != VIO_TYPE_NAMEDPIPE)
-  {
-    uint opt = (set_keep_alive) ? 1 : 0;
-    r= setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt,
-		  sizeof(opt));
-  }
-  DBUG_RETURN(r);
-}
-
-
-my_bool
-vio_ssl_should_retry(Vio * vio __attribute__((unused)))
-{
-  int en = socket_errno;
-  return (en == SOCKET_EAGAIN || en == SOCKET_EINTR ||
-	  en == SOCKET_EWOULDBLOCK);
-}
-
-
-my_bool
-vio_ssl_was_interrupted(Vio *vio __attribute__((unused)))
-{
-  int en= socket_errno;
-  return (en == SOCKET_EAGAIN || en == SOCKET_EINTR ||
-	  en == SOCKET_EWOULDBLOCK || en == SOCKET_ETIMEDOUT);
-}
-
-
 int vio_ssl_close(Vio * vio)
 {
-  int r;
+  int r= 0;
+  SSL* ssl= (SSL*)vio->ssl_arg;
   DBUG_ENTER("vio_ssl_close");
-  r=0;
-  if ((SSL*) vio->ssl_arg)
-  {
-    r = SSL_shutdown((SSL*) vio->ssl_arg);
-    SSL_free((SSL*) vio->ssl_arg);
-    vio->ssl_arg= 0;
-  }
-  if (vio->sd >= 0)
-  {
-    if (shutdown(vio->sd, 2))
-      r= -1;
-    if (closesocket(vio->sd))
-      r= -1;
-  }
-  if (r)
-  {
-    DBUG_PRINT("error", ("close() failed, error: %d",socket_errno));
-    report_errors();
-    /* FIXME: error handling (not critical for MySQL) */
-  }
-  vio->type= VIO_CLOSED;
-  vio->sd=   -1;
-  DBUG_RETURN(r);
-}
-
-
-const char *vio_ssl_description(Vio * vio)
-{
-  return vio->desc;
-}
-
-enum enum_vio_type vio_ssl_type(Vio* vio)
-{
-  return vio->type;
-}
-
-my_socket vio_ssl_fd(Vio* vio)
-{
-  return vio->sd;
-}
-
 
-my_bool vio_ssl_peer_addr(Vio * vio, char *buf, uint16 *port)
-{
-  DBUG_ENTER("vio_ssl_peer_addr");
-  DBUG_PRINT("enter", ("sd: %d", vio->sd));
-  if (vio->localhost)
-  {
-    strmov(buf,"127.0.0.1");
-    *port=0;
-  }
-  else
+  if (ssl)
   {
-    size_socket addrLen = sizeof(struct sockaddr);
-    if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)),
-		    &addrLen) != 0)
+    switch ((r= SSL_shutdown(ssl)))
     {
-      DBUG_PRINT("exit", ("getpeername, error: %d", socket_errno));
-      DBUG_RETURN(1);
+    case 1: /* Shutdown successful */
+      break;
+    case 0: /* Shutdown not yet finished, call it again */
+      if ((r= SSL_shutdown(ssl) >= 0))
+        break;
+      /* Fallthrough */
+    default: /* Shutdown failed */
+      DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %s",
+                               SSL_get_error(ssl, r)));
+      break;
     }
-#ifdef TO_BE_FIXED
-    my_inet_ntoa(vio->remote.sin_addr,buf);
-    *port= 0;
-#else
-    strmov(buf, "unknown");
-    *port= 0;
-#endif
+    SSL_free(ssl);
+    vio->ssl_arg= 0;
   }
-  DBUG_PRINT("exit", ("addr: %s", buf));
-  DBUG_RETURN(0);
-}
-
-
-void vio_ssl_in_addr(Vio *vio, struct in_addr *in)
-{
-  DBUG_ENTER("vio_ssl_in_addr");
-  if (vio->localhost)
-    bzero((char*) in, sizeof(*in));
-  else
-    *in=vio->remote.sin_addr;
-  DBUG_VOID_RETURN;
+  DBUG_RETURN(vio_close(vio));
 }
 
 
-/*
-  TODO: Add documentation
-*/
-
-int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
+int sslaccept(struct st_VioSSLFd* ptr, Vio* vio, long timeout)
 {
-  char *str;
-  char buf[1024];
+  SSL *ssl;
   X509* client_cert;
   my_bool unused;
   my_bool net_blocking;
   enum enum_vio_type old_type;
   DBUG_ENTER("sslaccept");
-  DBUG_PRINT("enter", ("sd: %d  ptr: Ox%p, timeout: %d",
+  DBUG_PRINT("enter", ("sd: %d  ptr: %p, timeout: %d",
                        vio->sd, ptr, timeout));
 
   old_type= vio->type;
-  net_blocking = vio_is_blocking(vio);
+  net_blocking= vio_is_blocking(vio);
   vio_blocking(vio, 1, &unused);	/* Must be called before reset */
-  vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
-  vio->ssl_arg= 0;
-  if (!(vio->ssl_arg= (void*) SSL_new(ptr->ssl_context)))
+  vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);
+
+  if (!(ssl= SSL_new(ptr->ssl_context)))
   {
     DBUG_PRINT("error", ("SSL_new failure"));
     report_errors();
@@ -291,121 +153,114 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
     vio_blocking(vio, net_blocking, &unused);
     DBUG_RETURN(1);
   }
-  DBUG_PRINT("info", ("ssl_: Ox%p  timeout: %ld",
-                      (SSL*) vio->ssl_arg, timeout));
-  SSL_clear((SSL*) vio->ssl_arg);
-  SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout);
-  SSL_set_fd((SSL*) vio->ssl_arg,vio->sd);
-  SSL_set_accept_state((SSL*) vio->ssl_arg);
-  if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1)
+  vio->ssl_arg= (void*)ssl;
+  DBUG_PRINT("info", ("ssl_: %p  timeout: %ld", ssl, timeout));
+  SSL_clear(ssl);
+  SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
+  SSL_set_fd(ssl, vio->sd);
+  SSL_set_accept_state(ssl);
+  if (SSL_do_handshake(ssl) < 1)
   {
     DBUG_PRINT("error", ("SSL_do_handshake failure"));
     report_errors();
-    SSL_free((SSL*) vio->ssl_arg);
+    SSL_free(ssl);
     vio->ssl_arg= 0;
     vio_reset(vio, old_type,vio->sd,0,FALSE);
     vio_blocking(vio, net_blocking, &unused);
     DBUG_RETURN(1);
   }
+
 #ifndef DBUG_OFF
-  DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
-		     ,SSL_get_cipher_name((SSL*) vio->ssl_arg)));
-  client_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg);
-  if (client_cert != NULL)
   {
-    DBUG_PRINT("info",("Client certificate:"));
-    str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
-    DBUG_PRINT("info",("\t subject: %s", str));
-    free (str);
+    char buf[1024];
+    DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl)));
 
-    str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0);
-    DBUG_PRINT("info",("\t issuer: %s", str));
-    free (str);
+    if ((client_cert= SSL_get_peer_certificate (ssl)))
+    {
+      DBUG_PRINT("info",("Client certificate:"));
+      X509_NAME_oneline (X509_get_subject_name (client_cert),
+                         buf, sizeof(buf));
+      DBUG_PRINT("info",("\t subject: %s", buf));
 
-    X509_free (client_cert);
-  }
-  else
-    DBUG_PRINT("info",("Client does not have certificate."));
+      X509_NAME_oneline (X509_get_issuer_name  (client_cert),
+                         buf, sizeof(buf));
+      DBUG_PRINT("info",("\t issuer: %s", buf));
 
-  str=SSL_get_shared_ciphers((SSL*) vio->ssl_arg, buf, sizeof(buf));
-  if (str)
-  {
-    DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str));
-  }
-  else
-  {
-    DBUG_PRINT("info",("no shared ciphers!"));
-  }
+      X509_free (client_cert);
+    }
+    else
+      DBUG_PRINT("info",("Client does not have certificate."));
 
+    if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf)))
+    {
+      DBUG_PRINT("info",("shared_ciphers: '%s'", buf));
+    }
+    else
+      DBUG_PRINT("info",("no shared ciphers!"));
+  }
 #endif
+
   DBUG_RETURN(0);
 }
 
 
-int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
+int sslconnect(struct st_VioSSLFd* ptr, Vio* vio, long timeout)
 {
-  char *str;
-  X509*    server_cert;
+  SSL *ssl;
+  X509 *server_cert;
   my_bool unused;
   my_bool net_blocking;
-  enum enum_vio_type old_type;  
+  enum enum_vio_type old_type;
+
   DBUG_ENTER("sslconnect");
-  DBUG_PRINT("enter", ("sd: %d  ptr: 0x%p  ctx: 0x%p",
-                       vio->sd,ptr,ptr->ssl_context));
+  DBUG_PRINT("enter", ("sd: %d,  ptr: %p, ctx: %p",
+                       vio->sd, ptr, ptr->ssl_context));
 
   old_type= vio->type;
-  net_blocking = vio_is_blocking(vio);
+  net_blocking= vio_is_blocking(vio);
   vio_blocking(vio, 1, &unused);	/* Must be called before reset */
-  vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
-  vio->ssl_arg= 0;
-  if (!(vio->ssl_arg = SSL_new(ptr->ssl_context)))
+  vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);
+  if (!(ssl= SSL_new(ptr->ssl_context)))
   {
     DBUG_PRINT("error", ("SSL_new failure"));
     report_errors();
-    vio_reset(vio, old_type,vio->sd,0,FALSE);
-    vio_blocking(vio, net_blocking, &unused);    
+    vio_reset(vio, old_type, vio->sd, 0, FALSE);
+    vio_blocking(vio, net_blocking, &unused);
     DBUG_RETURN(1);
   }
-  DBUG_PRINT("info", ("ssl_: 0x%p  timeout: %ld",
-                      (SSL*) vio->ssl_arg, timeout));
-  SSL_clear((SSL*) vio->ssl_arg);
-  SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout);
-  SSL_set_fd ((SSL*) vio->ssl_arg, vio_ssl_fd(vio));
-  SSL_set_connect_state((SSL*) vio->ssl_arg);
-  if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1)
+  vio->ssl_arg= (void*)ssl;
+  DBUG_PRINT("info", ("ssl: %p, timeout: %ld", ssl, timeout));
+  SSL_clear(ssl);
+  SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
+  SSL_set_fd(ssl, vio->sd);
+  SSL_set_connect_state(ssl);
+  if (SSL_do_handshake(ssl) < 1)
   {
     DBUG_PRINT("error", ("SSL_do_handshake failure"));
     report_errors();
-    SSL_free((SSL*) vio->ssl_arg);
+    SSL_free(ssl);
     vio->ssl_arg= 0;
-    vio_reset(vio, old_type,vio->sd,0,FALSE);
+    vio_reset(vio, old_type, vio->sd, 0, FALSE);
     vio_blocking(vio, net_blocking, &unused);
     DBUG_RETURN(1);
-  }  
+  }
 #ifndef DBUG_OFF
-  DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
-		     ,SSL_get_cipher_name((SSL*) vio->ssl_arg)));
-  server_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg);
-  if (server_cert != NULL)
+  DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl)));
+
+  if ((server_cert= SSL_get_peer_certificate (ssl)))
   {
+    char buf[256];
     DBUG_PRINT("info",("Server certificate:"));
-    str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0);
-    DBUG_PRINT("info",("\t subject: %s", str));
-    free(str);
-
-    str = X509_NAME_oneline (X509_get_issuer_name  (server_cert), 0, 0);
-    DBUG_PRINT("info",("\t issuer: %s", str));
-    free(str);
-
-    /*
-      We could do all sorts of certificate verification stuff here before
-      deallocating the certificate.
-    */
+    X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
+    DBUG_PRINT("info",("\t subject: %s", buf));
+    X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf));
+    DBUG_PRINT("info",("\t issuer: %s", buf));
     X509_free (server_cert);
   }
   else
     DBUG_PRINT("info",("Server does not have certificate."));
 #endif
+
   DBUG_RETURN(0);
 }
 
@@ -414,21 +269,10 @@ int vio_ssl_blocking(Vio * vio __attribute__((unused)),
 		     my_bool set_blocking_mode,
 		     my_bool *old_mode)
 {
+  /* Mode is always blocking */
+  *old_mode= 1;
   /* Return error if we try to change to non_blocking mode */
-  *old_mode=1;					/* Mode is always blocking */
-  return set_blocking_mode ? 0 : 1;
+  return (set_blocking_mode ? 0 : 1);
 }
 
-
-void vio_ssl_timeout(Vio *vio __attribute__((unused)),
-		     uint which __attribute__((unused)),
-                     uint timeout __attribute__((unused)))
-{
-#ifdef __WIN__
-  ulong wait_timeout= (ulong) timeout * 1000;
-  (void) setsockopt(vio->sd, SOL_SOCKET,
-	which ? SO_SNDTIMEO : SO_RCVTIMEO, (char*) &wait_timeout,
-        sizeof(wait_timeout));
-#endif /* __WIN__ */
-}
 #endif /* HAVE_OPENSSL */

vio/viosslfactories.c

@@ -21,7 +21,6 @@
 static bool     ssl_algorithms_added    = FALSE;
 static bool     ssl_error_strings_loaded= FALSE;
 static int      verify_depth = 0;
-static int      verify_error = X509_V_OK;
 
 static unsigned char dh512_p[]=
 {
@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
   DBUG_ENTER("vio_set_cert_stuff");
   DBUG_PRINT("enter", ("ctx: %p, cert_file: %s, key_file: %s",
 		       ctx, cert_file, key_file));
-  if (cert_file != NULL)
+  if (cert_file)
   {
-    if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0)
+    if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
     {
-      DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file));
+      DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file));
       /* FIX stderr */
       fprintf(stderr,"Error when connection to server using SSL:");
       ERR_print_errors_fp(stderr);
       fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
       fflush(stderr);
-      DBUG_RETURN(0);
+      DBUG_RETURN(1);
     }
-    if (key_file == NULL)
-      key_file = cert_file;
-    if (SSL_CTX_use_PrivateKey_file(ctx,key_file,
-				    SSL_FILETYPE_PEM) <= 0)
+
+    if (!key_file)
+      key_file= cert_file;
+
+    if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
     {
-      DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file));
+      DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file));
       /* FIX stderr */
       fprintf(stderr,"Error when connection to server using SSL:");
       ERR_print_errors_fp(stderr);
       fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
-      fflush(stderr);      
-      DBUG_RETURN(0);
+      fflush(stderr);
+      DBUG_RETURN(1);
     }
 
     /*
@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
     {
       DBUG_PRINT("error",
 		 ("Private key does not match the certificate public key\n"));
-      DBUG_RETURN(0);
+      DBUG_RETURN(1);
     }
   }
-  DBUG_RETURN(1);
+  DBUG_RETURN(0);
 }
 
 
 static int
 vio_verify_callback(int ok, X509_STORE_CTX *ctx)
 {
-  char	buf[256];
-  X509*	err_cert;
-  int	err,depth;
+  char buf[256];
+  X509 *err_cert;
 
   DBUG_ENTER("vio_verify_callback");
-  DBUG_PRINT("enter", ("ok: %d, ctx: 0x%p", ok, ctx));
-  err_cert=X509_STORE_CTX_get_current_cert(ctx);
-  err=	   X509_STORE_CTX_get_error(ctx);
-  depth=   X509_STORE_CTX_get_error_depth(ctx);
+  DBUG_PRINT("enter", ("ok: %d, ctx: %p", ok, ctx));
 
-  X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf));
+  err_cert= X509_STORE_CTX_get_current_cert(ctx);
+  X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+  DBUG_PRINT("info", ("cert: %s", buf));
   if (!ok)
   {
-    DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err,
+    int err, depth;
+    err= X509_STORE_CTX_get_error(ctx);
+    depth= X509_STORE_CTX_get_error_depth(ctx);
+
+    DBUG_PRINT("error",("verify error: %d, '%s'",err,
 			X509_verify_cert_error_string(err)));
+    /*
+      Approve cert if depth is greater then "verify_depth", currently
+      verify_depth is always 0 and there is no way to increase it.
+     */
     if (verify_depth >= depth)
-    {
-      ok=1;
-      verify_error=X509_V_OK;
-    }
-    else
-    {
-      verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
-    }
+      ok= 1;
   }
-  switch (ctx->error) {
+  switch (ctx->error)
+  {
   case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-    X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
-    DBUG_PRINT("info",("issuer= %s\n",buf));
+    X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+    DBUG_PRINT("info",("issuer= %s\n", buf));
     break;
   case X509_V_ERR_CERT_NOT_YET_VALID:
   case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -198,193 +198,150 @@ static void netware_ssl_init()
 #endif /* __NETWARE__ */
 
 
-/************************ VioSSLConnectorFd **********************************/
-/*
-  TODO:
-       Add option --verify to mysql to be able to change verification mode
-*/
-
-struct st_VioSSLConnectorFd *
-new_VioSSLConnectorFd(const char* key_file,
-		      const char* cert_file,
-		      const char* ca_file,
-		      const char* ca_path,
-		      const char* cipher)
+static void check_ssl_init()
 {
-  int	verify = SSL_VERIFY_NONE;
-  struct st_VioSSLConnectorFd* ptr;
-  int result;
-  DH *dh;
-  DBUG_ENTER("new_VioSSLConnectorFd");
-
-  if (!(ptr=((struct st_VioSSLConnectorFd*)
-	     my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0)))))
-    DBUG_RETURN(0);
-
-  ptr->ssl_context= 0;
-  ptr->ssl_method=  0;
-  /* FIXME: constants! */
-
   if (!ssl_algorithms_added)
   {
-    DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()"));
-    ssl_algorithms_added = TRUE;
+    ssl_algorithms_added= TRUE;
     SSL_library_init();
     OpenSSL_add_all_algorithms();
+
   }
+
 #ifdef __NETWARE__
+  /* MASV, should it be done everytime? */
   netware_ssl_init();
 #endif
 
   if (!ssl_error_strings_loaded)
   {
-    DBUG_PRINT("info", ("todo:SSL_load_error_strings()"));
-    ssl_error_strings_loaded = TRUE;
+    ssl_error_strings_loaded= TRUE;
     SSL_load_error_strings();
   }
-  ptr->ssl_method = TLSv1_client_method();
-  ptr->ssl_context = SSL_CTX_new(ptr->ssl_method);
-  DBUG_PRINT("info", ("ssl_context: %p",ptr->ssl_context));
-  if (ptr->ssl_context == 0)
+}
+
+/************************ VioSSLFd **********************************/
+struct st_VioSSLFd *
+new_VioSSLFd(const char *key_file, const char *cert_file,
+             const char *ca_file, const char *ca_path,
+             const char *cipher, SSL_METHOD *method)
+{
+  DH *dh;
+  struct st_VioSSLFd *ssl_fd;
+  DBUG_ENTER("new_VioSSLFd");
+
+  check_ssl_init();
+
+  if (!(ssl_fd= ((struct st_VioSSLFd*)
+                 my_malloc(sizeof(struct st_VioSSLFd),MYF(0)))))
+    DBUG_RETURN(0);
+
+  if (!(ssl_fd->ssl_context= SSL_CTX_new(method)))
   {
     DBUG_PRINT("error", ("SSL_CTX_new failed"));
     report_errors();
-    goto ctor_failure;
+    my_free((void*)ssl_fd,MYF(0));
+    DBUG_RETURN(0);
   }
-  /*
-    SSL_CTX_set_options
-    SSL_CTX_set_info_callback
-   */
-  if (cipher)
+
+  /* Set the ciphers that can be used */
+  if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))
   {
-    result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
-    DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
+    DBUG_PRINT("error", ("failed to set ciphers to use"));
+    report_errors();
+    my_free((void*)ssl_fd,MYF(0));
+    DBUG_RETURN(0);
   }
-  SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
-  if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
+
+  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
   {
     DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
     report_errors();
-    goto ctor_failure;
+    my_free((void*)ssl_fd,MYF(0));
+    DBUG_RETURN(0);
   }
-  if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file,ca_path) == 0)
+
+  if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
   {
     DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
-    if (SSL_CTX_set_default_verify_paths(ptr->ssl_context) == 0)
+    if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
     {
       DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
       report_errors();
-      goto ctor_failure;
+      my_free((void*)ssl_fd,MYF(0));
+      DBUG_RETURN(0);
     }
-  } 
+  }
 
   /* DH stuff */
   dh=get_dh512();
-  SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
+  SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
   DH_free(dh);
 
-  DBUG_RETURN(ptr);
-ctor_failure:
-  DBUG_PRINT("exit", ("there was an error"));
-  my_free((gptr)ptr,MYF(0));
-  DBUG_RETURN(0);
+  DBUG_PRINT("exit", ("OK 1"));
+
+  DBUG_RETURN(ssl_fd);
 }
 
 
-/************************ VioSSLAcceptorFd **********************************/
-/*
-  TODO:
-       Add option --verify to mysqld to be able to change verification mode
-*/
-struct st_VioSSLAcceptorFd*
-new_VioSSLAcceptorFd(const char *key_file,
-		     const char *cert_file,
-		     const char *ca_file,
-		     const char *ca_path,
-		     const char *cipher)
+/************************ VioSSLConnectorFd **********************************/
+struct st_VioSSLFd *
+new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
+                      const char *ca_file, const char *ca_path,
+                      const char *cipher)
 {
-  int verify = (SSL_VERIFY_PEER			|
-		SSL_VERIFY_CLIENT_ONCE);
-  struct st_VioSSLAcceptorFd* ptr;
-  int result;
-  DH *dh;
-  DBUG_ENTER("new_VioSSLAcceptorFd");
+  struct st_VioSSLFd *ssl_fd;
+  int verify= SSL_VERIFY_NONE;
+  if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+                             ca_path, cipher, TLSv1_client_method())))
+  {
+    return 0;
+  }
+  /* Init the the VioSSLFd as a "connector" ie. the client side */
 
-  ptr= ((struct st_VioSSLAcceptorFd*)
-	my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0)));
-  ptr->ssl_context=0;
-  ptr->ssl_method=0;
-  /* FIXME: constants! */
-  ptr->session_id_context= ptr;
+  /*
+    The verify_callback function is used to control the behaviour
+    when the SSL_VERIFY_PEER flag is set. Here it is SSL_VERIFY_NONE
+    and thus callback is set to NULL
+  */
+  SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
 
-  if (!ssl_algorithms_added)
-  {
-    DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()"));
-    ssl_algorithms_added = TRUE;
-    SSL_library_init();
-    OpenSSL_add_all_algorithms();
+  return ssl_fd;
+}
 
-  }
-#ifdef __NETWARE__
-  netware_ssl_init();
-#endif
 
-  if (!ssl_error_strings_loaded)
-  {
-    DBUG_PRINT("info", ("todo: SSL_load_error_strings()"));
-    ssl_error_strings_loaded = TRUE;
-    SSL_load_error_strings();
-  }
-  ptr->ssl_method=  TLSv1_server_method();
-  ptr->ssl_context= SSL_CTX_new(ptr->ssl_method);
-  if (ptr->ssl_context == 0)
-  {
-    DBUG_PRINT("error", ("SSL_CTX_new failed"));
-    report_errors();
-    goto ctor_failure;
-  }
-  if (cipher)
+/************************ VioSSLAcceptorFd **********************************/
+struct st_VioSSLFd*
+new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
+		     const char *ca_file, const char *ca_path,
+		     const char *cipher)
+{
+  struct st_VioSSLFd *ssl_fd;
+  int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+  if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+                             ca_path, cipher, TLSv1_server_method())))
   {
-    result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
-    DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
+    return 0;
   }
-  /* SSL_CTX_set_quiet_shutdown(ctx,1); */
-  SSL_CTX_sess_set_cache_size(ptr->ssl_context,128);
+  /* Init the the VioSSLFd as a "acceptor" ie. the server side */
 
-  /* DH? */
-  SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
-  SSL_CTX_set_session_id_context(ptr->ssl_context,
-				 (const uchar*) &(ptr->session_id_context),
-				 sizeof(ptr->session_id_context));
+  /* Set max number of cached sessions, returns the previous size */
+  SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128);
 
   /*
-    SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
+    The verify_callback function is used to control the behaviour
+    when the SSL_VERIFY_PEER flag is set.
   */
-  if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
-  {
-    DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
-    report_errors();
-    goto ctor_failure;
-  }
-  if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file, ca_path) == 0)
-  {
-    DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
-    if (SSL_CTX_set_default_verify_paths(ptr->ssl_context)==0)
-    {
-      DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
-      report_errors();
-      goto ctor_failure;
-    }
-  }
-  /* DH stuff */
-  dh=get_dh512();
-  SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
-  DH_free(dh);
-  DBUG_RETURN(ptr);
+  SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback);
 
-ctor_failure:
-  DBUG_PRINT("exit", ("there was an error"));
-  my_free((gptr) ptr,MYF(0));
-  DBUG_RETURN(0);
+  /*
+    Set session_id - an identifier for this server session
+    Use the ssl_fd pointer
+   */
+  SSL_CTX_set_session_id_context(ssl_fd->ssl_context,
+				 ssl_fd,
+				 sizeof(ssl_fd));
+
+  return ssl_fd;
 }
 #endif /* HAVE_OPENSSL */