author | unknown <tonu@volk.internalnet> | 2001-09-30 10:46:20 +0800 |
---|---|---|
committer | unknown <tonu@volk.internalnet> | 2001-09-30 10:46:20 +0800 |
commit | d13f2dfdeb2b23c6abfb608885e8717878122a7b (patch) | |
tree | c8e33b443fde74ad722536829cd56fa9403617cd /vio | |
parent | 5e0851e1b37debb59dbe184fcc3485470872ac64 (diff) | |
download | mariadb-git-d13f2dfdeb2b23c6abfb608885e8717878122a7b.tar.gz |
SSL compiles and works as far as I can see. Continue testing.
Docs/manual.ja.texi:
e-mail address fixed
include/mysqld_error.h:
Added 3 new errormessages related to SSL
mysql-test/install_test_db.sh:
SSL fix
scripts/mysql_install_db.sh:
mysql.user table changes to conform SSL ACL
sql/lex.h:
Fixed GRANT+SSL clause
sql/share/czech/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/danish/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/dutch/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/english/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/estonian/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/french/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/german/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/greek/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/hungarian/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/italian/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/japanese/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/korean/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/norwegian-ny/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/norwegian/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/polish/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/portuguese/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/romanian/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/russian/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/slovak/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/spanish/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/swedish/errmsg.txt:
Added 3 new errormessages related to SSL
sql/share/ukrainian/errmsg.txt:
Added 3 new errormessages related to SSL
Docs/manual.texi:
SSL fixes
BUILD/compile-pentium-max:
SSL was missing here
acinclude.m4:
typo fix
alignment fix
client/mysql.cc:
SSL fixes
client/mysqladmin.c:
SSL fixes
client/mysqlcheck.c:
SSL fixes
client/mysqldump.c:
SSL fixes
client/mysqlimport.c:
SSL fixes
client/mysqlshow.c:
SSL fixes
include/mysql.h:
SSL fixes
include/sslopt-case.h:
SSL fixes
include/sslopt-longopts.h:
SSL fixes
include/sslopt-usage.h:
SSL fixes
include/sslopt-vars.h:
SSL fixes
include/violite.h:
SSL fixes
cleanups
libmysql/libmysql.c:
SSL fixes
libmysqld/lib_sql.cc:
SSL fixes
sql/mini_client.cc:
SSL fixes
sql/mysqld.cc:
SSL fixes
cleanup
new variables to SHOW STATUS
sql/sql_acl.cc:
SSL fixes
sql/sql_acl.h:
SSL fixes
sql/sql_lex.h:
SSL fixes
sql/sql_parse.cc:
SSL fixes
sql/sql_show.cc:
New functions added
sql/structs.h:
New functions added
vio/test-ssl.c:
SSL fixes
vio/test-sslclient.c:
SSL fixes
vio/test-sslserver.c:
SSL fixes
vio/viosocket.c:
SSL fixes
vio/viossl.c:
SSL fixes
cleanup
vio/viosslfactories.c:
SSL fixes
sql/sql_yacc.yy:
SSL fixes
Diffstat (limited to 'vio')
-rw-r--r-- | vio/test-ssl.c | 9 | ||||
-rw-r--r-- | vio/test-sslclient.c | 6 | ||||
-rw-r--r-- | vio/test-sslserver.c | 7 | ||||
-rw-r--r-- | vio/viosocket.c | 2 | ||||
-rw-r--r-- | vio/viossl.c | 122 | ||||
-rw-r--r-- | vio/viosslfactories.c | 45 |
6 files changed, 61 insertions, 130 deletions
diff --git a/vio/test-ssl.c b/vio/test-ssl.c
index 0ae90f5001f..61d92bb7b84 100644
--- a/vio/test-ssl.c
+++ b/vio/test-ssl.c
@@ -41,6 +41,7 @@ main( int argc,
 char* server_key = 0, *server_cert = 0;
 char* client_key = 0, *client_cert = 0;
 char* ca_file = 0, *ca_path = 0;
+ char* cipher=0;
 int child_pid,sv[2];
 struct st_VioSSLAcceptorFd* ssl_acceptor=0;
 struct st_VioSSLConnectorFd* ssl_connector=0;
@@ -74,17 +75,17 @@ main( int argc,
 if (socketpair(PF_UNIX, SOCK_STREAM, IPPROTO_IP, sv)==-1)
 fatal_error("socketpair");
- ssl_acceptor = new_VioSSLAcceptorFd(server_key, server_cert, ca_file, ca_path);
- ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file, ca_path);
+ ssl_acceptor = new_VioSSLAcceptorFd(server_key, server_cert, ca_file, ca_path, cipher);
+ ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file, ca_path, cipher);
 client_vio = (struct st_vio*)my_malloc(sizeof(struct st_vio),MYF(0));
 client_vio->sd = sv[0];
 client_vio->vioblocking(client_vio,0);
- sslconnect(ssl_connector,client_vio);
+ sslconnect(ssl_connector,client_vio,60L);
 server_vio = (struct st_vio*)my_malloc(sizeof(struct st_vio),MYF(0));
 server_vio->sd = sv[1];
 server_vio->vioblocking(client_vio,0);
- sslaccept(ssl_acceptor,server_vio);
+ sslaccept(ssl_acceptor,server_vio,60L);
 printf("Socketpair: %d , %d\n", client_vio->sd, server_vio->sd);
diff --git a/vio/test-sslclient.c b/vio/test-sslclient.c
index c19a3589009..b50b0722b17 100644
--- a/vio/test-sslclient.c
+++ b/vio/test-sslclient.c
@@ -32,7 +32,7 @@ main( int argc __attribute__((unused)),
 char** argv)
 {
 char client_key[] = "../SSL/client-key.pem", client_cert[] = "../SSL/client-cert.pem";
- char ca_file[] = "../SSL/cacert.pem", *ca_path = 0;
+ char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher=0;
 struct st_VioSSLConnectorFd* ssl_connector=0;
 struct sockaddr_in sa;
 Vio* client_vio=0;
@@ -48,7 +48,7 @@ main( int argc __attribute__((unused)),
 if (ca_path!=0)
 printf("CApath : %s\n", ca_path);
- ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file, ca_path);
+ ssl_connector = new_VioSSLConnectorFd(client_key, client_cert, ca_file, ca_path, cipher);
 if(!ssl_connector) {
 fatal_error("client:new_VioSSLConnectorFd failed");
 }
@@ -69,7 +69,7 @@ main( int argc __attribute__((unused)),
 /* ----------------------------------------------- */
 /* Now we have TCP conncetion. Start SSL negotiation. */
 read(client_vio->sd,xbuf, sizeof(xbuf));
- sslconnect(ssl_connector,client_vio);
+ sslconnect(ssl_connector,client_vio,60L);
 err = client_vio->read(client_vio,xbuf, sizeof(xbuf));
 if (err<=0) {
 my_free((gptr)ssl_connector,MYF(0));
diff --git a/vio/test-sslserver.c b/vio/test-sslserver.c
index bad141dff17..610a4173875 100644
--- a/vio/test-sslserver.c
+++ b/vio/test-sslserver.c
@@ -46,7 +46,7 @@ do_ssl_stuff( TH_ARGS* args)
 /* TCP connection is ready. Do server side SSL. */
 err = write(server_vio->sd,(gptr)s, strlen(s));
- sslaccept(args->ssl_acceptor,server_vio);
+ sslaccept(args->ssl_acceptor,server_vio,60L);
 err = server_vio->write(server_vio,(gptr)s, strlen(s));
 DBUG_VOID_RETURN;
 }
@@ -65,7 +65,8 @@ main( int argc __attribute__((unused)),
 char server_key[] = "../SSL/server-key.pem", server_cert[] = "../SSL/server-cert.pem";
 char ca_file[] = "../SSL/cacert.pem",
- *ca_path = 0;
+ *ca_path = 0,
+ *cipher = 0;
 struct st_VioSSLAcceptorFd* ssl_acceptor;
 pthread_t th;
 TH_ARGS th_args;
@@ -89,7 +90,7 @@ main( int argc __attribute__((unused)),
 if (ca_path!=0)
 printf("CApath : %s\n", ca_path);
- th_args.ssl_acceptor = ssl_acceptor = new_VioSSLAcceptorFd(server_key, server_cert, ca_file, ca_path);
+ th_args.ssl_acceptor = ssl_acceptor = new_VioSSLAcceptorFd(server_key, server_cert, ca_file, ca_path,cipher);
 /* ----------------------------------------------- */
 /* Prepare TCP socket for receiving connections */
diff --git a/vio/viosocket.c b/vio/viosocket.c
index 667e9b2b118..60272db3171 100644
--- a/vio/viosocket.c
+++ b/vio/viosocket.c
@@ -137,7 +137,7 @@ int vio_write(Vio * vio, const gptr buf, int size)
 }
-int vio_blocking(Vio * vio, my_bool set_blocking_mode)
+int vio_blocking(Vio * vio __attribute__((unused)), my_bool set_blocking_mode)
 {
 int r=0;
 DBUG_ENTER("vio_blocking");
diff --git a/vio/viossl.c b/vio/viossl.c
index c6f70081d18..e80dc0ce807 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -118,8 +118,11 @@ int vio_ssl_read(Vio * vio, gptr buf, int size)
 #endif /* DBUG_OFF */
 r = SSL_read(vio->ssl_, buf, size);
 #ifndef DBUG_OFF
- if ( r< 0)
+ if ( r<= 0) {
+ r=SSL_get_error(vio->ssl_, r);
+ DBUG_PRINT("info",("SSL_get_error returned %d",r));
 report_errors();
+ }
 #endif /* DBUG_OFF */
 DBUG_PRINT("exit", ("%d", r));
 DBUG_RETURN(r);
@@ -207,7 +210,6 @@ int vio_ssl_close(Vio * vio)
 r = SSL_shutdown(vio->ssl_);
 SSL_free(vio->ssl_);
 vio->ssl_= 0;
- vio->bio_ = 0;
 }
 if (shutdown(vio->sd,2))
 r= -1;
@@ -298,12 +300,11 @@ my_bool vio_ssl_poll_read(Vio *vio,uint timeout)
 #endif
 }
-void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio)
+void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
 {
- X509* client_cert;
+ X509* client_cert;
 char *str;
- int i;
-// const int blocking = vio_is_blocking(vio);
+ char buf[1024];
 DBUG_ENTER("sslaccept");
 DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr));
 vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
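Review bot: Declaring `vio` as `__attribute__((unused))` in `vio_blocking` implies the function no longer does anything with the descriptor it is handed, while sslaccept and sslconnect in this same commit call `vio_blocking(vio, FALSE)` right before `SSL_set_fd`/`SSL_do_handshake` as though it switched the socket to non-blocking mode. The body below `DBUG_ENTER` is outside the hunk, so I cannot tell whether the mode change moved elsewhere or simply never happens. Either the attribute is wrong and should go, or the declaration deserves a comment such as `/* NOTE: vio is not used here; this does not change the O_NONBLOCK state of vio->sd */` so callers stop relying on it.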
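Review bot: The new debug-only branch clobbers the value `vio_ssl_read` returns: `r=SSL_get_error(vio->ssl_, r);` replaces the SSL_read result with an SSL_ERROR_* code, and `DBUG_RETURN(r)` a few lines down hands that code to the caller. The SSL_ERROR_* constants are small positive integers, so in a non-DBUG_OFF build a closed or failed connection is reported as a successful read of a few bytes, and debug and release builds behave differently. Keep the diagnostic in its own variable: `int err= SSL_get_error(vio->ssl_, r);` followed by `DBUG_PRINT("info",("SSL_get_error returned %d",err));`, leaving `r` untouched.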
@@ -316,49 +317,12 @@ void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio)
 DBUG_VOID_RETURN;
 }
 DBUG_PRINT("info", ("ssl_=%p",vio->ssl_));
+ SSL_clear(vio->ssl_);
 vio_blocking(vio, FALSE);
+ SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
 SSL_set_fd(vio->ssl_,vio->sd);
 SSL_set_accept_state(vio->ssl_);
-
- /* FIXME possibly infinite loop */
- while (SSL_is_init_finished(vio->ssl_)) {
- DBUG_PRINT("info",("SSL_is_init_finished(vio->ssl_) is not 1"));
- if((i=SSL_do_handshake(vio->ssl_))!=SSL_ERROR_NONE)
- {
- DBUG_PRINT("info",("*** errno %d",errno));
- switch (SSL_get_error(vio->ssl_,i))
- {
- case SSL_ERROR_NONE:
- DBUG_PRINT("info",("SSL_ERROR_NONE: handshake finished"));
- break;
- case SSL_ERROR_SSL:
- DBUG_PRINT("info",("SSL_ERROR_SSL: SSL protocol error "));
- break;
- case SSL_ERROR_WANT_CONNECT:
- DBUG_PRINT("info",("SSL_ERROR_WANT_CONNECT:If you are doing non-blocking connects call again when the connection is established"));
- break;
- case SSL_ERROR_WANT_READ:
- DBUG_PRINT("info",("SSL_ERROR_WANT_READ: if non-blocking etc, call again when data is available"));
- break;
- case SSL_ERROR_WANT_WRITE:
- DBUG_PRINT("info",("SSL_ERROR_WANT_WRITE: if non-blocking etc, call again when data is available to write"));
- break;
- case SSL_ERROR_WANT_X509_LOOKUP:
- DBUG_PRINT("info",("SSL_ERROR_WANT_X509_LOOKUP: /* not used yet but could be :-) */"));
- break;
- case SSL_ERROR_SYSCALL:
- DBUG_PRINT("info",("SSL_ERROR_SYSCALL: An error than the error code can be found in errno (%d)",errno));
- break;
- case SSL_ERROR_ZERO_RETURN:
- DBUG_PRINT("info",("SSL_ERROR_ZERO_RETURN: 0 returned on the read, normally means the socket is closed :-) */"));
- break;
- default:
- DBUG_PRINT("info",("Unknown SSL error returned"));
- break;
- }
- }
- usleep(100);
- }
+ SSL_do_handshake(vio->ssl_);
 vio->open_ = TRUE;
 #ifndef DBUF_OFF
 DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
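Review bot: The result of `SSL_do_handshake(vio->ssl_)` is discarded and `vio->open_ = TRUE` is set unconditionally, so a handshake that fails (peer certificate rejected by the verify callback, no shared cipher, peer gone) or that cannot complete in one call leaves the vio marked open on an un-negotiated SSL object. Since `vio_blocking(vio, FALSE)` is invoked just before, a genuinely non-blocking descriptor will routinely get SSL_ERROR_WANT_READ/WANT_WRITE here, which needs a retry bounded by a deadline rather than a single call; `SSL_SESSION_set_timeout` only sets the session-cache lifetime and does not limit the handshake, so the new `timeout` parameter currently bounds nothing. The `#ifndef DBUF_OFF` context line that follows looks like a typo for DBUG_OFF and would compile the debug certificate dump into every build. At minimum the return value should be checked, with an `int r` added to the declarations in the previous hunk:
```c
  SSL_set_accept_state(vio->ssl_);
  if ((r= SSL_do_handshake(vio->ssl_)) != 1)
  {
    DBUG_PRINT("error",("SSL_do_handshake failed, SSL_get_error=%d",
                        SSL_get_error(vio->ssl_, r)));
    report_errors();
    SSL_free(vio->ssl_);
    vio->ssl_= 0;
    DBUG_VOID_RETURN;
  }
  vio->open_ = TRUE;
  /* … unchanged: debug cipher/certificate dump … */
```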
@@ -374,23 +338,28 @@ void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio)
 DBUG_PRINT("info",("\t issuer: %s", str));
 free (str);
- /* We could do all sorts of certificate verification stuff here before
- * deallocating the certificate. */
- X509_free (client_cert);
 }
 else DBUG_PRINT("info",("Client does not have certificate."));
+
+ str=SSL_get_shared_ciphers(vio->ssl_, buf, sizeof(buf));
+ if(str)
+ {
+ DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str));
+ }
+ else
+ {
+ DBUG_PRINT("info",("no shared ciphers!"));
+ }
+
 #endif
 DBUG_VOID_RETURN;
 }
-void sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio)
+void sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
 {
 char *str;
-// char s[]="abc";
-int i;
 X509* server_cert;
- const int blocking = vio_is_blocking(vio);
 DBUG_ENTER("sslconnect");
 DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_));
 vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
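Review bot: Removing `X509_free (client_cert);` leaks a certificate reference on every accepted connection that presents a client certificate: `client_cert` is presumably the result of SSL_get_peer_certificate() earlier in this block (above the hunk), which returns a reference the caller owns. If the certificate is not needed after the debug print, restore `X509_free (client_cert);` after its last use; if the intent is to keep it for the SSL ACL checks this commit introduces, hand it to the vio with explicit ownership instead of letting it dangle. Note that this block is opened by `#ifndef DBUF_OFF` in the previous hunk — apparently a typo for DBUG_OFF, since sslconnect below uses `#ifndef DBUG_OFF` — so the leak and the debug dump land in release builds too.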
@@ -403,50 +372,13 @@ int i:
 report_errors();
 DBUG_VOID_RETURN;
 }
- DBUG_PRINT("info", ("ssl_=%p",vio->ssl_));
+ DBUG_PRINT("info",("ssl_=%p",vio->ssl_));
+ SSL_clear(vio->ssl_);
 vio_blocking(vio, FALSE);
+ SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
 SSL_set_fd (vio->ssl_, vio->sd);
 SSL_set_connect_state(vio->ssl_);
-
- /* FIXME possibly infinite loop */
- while (SSL_is_init_finished(vio->ssl_)) {
- DBUG_PRINT("info",("SSL_is_init_finished(vio->ssl_) is not 1"));
- if((i=SSL_do_handshake(vio->ssl_))!=SSL_ERROR_NONE)
- {
- DBUG_PRINT("info",("*** errno %d",errno));
- switch (SSL_get_error(vio->ssl_,i))
- {
- case SSL_ERROR_NONE:
- DBUG_PRINT("info",("SSL_ERROR_NONE: handshake finished"));
- break;
- case SSL_ERROR_SSL:
- DBUG_PRINT("info",("SSL_ERROR_SSL: SSL protocol error "));
- break;
- case SSL_ERROR_WANT_CONNECT:
- DBUG_PRINT("info",("SSL_ERROR_WANT_CONNECT:If you are doing non-blocking connects call again when the connection is established"));
- break;
- case SSL_ERROR_WANT_READ:
- DBUG_PRINT("info",("SSL_ERROR_WANT_READ: if non-blocking etc, call again when data is available"));
- break;
- case SSL_ERROR_WANT_WRITE:
- DBUG_PRINT("info",("SSL_ERROR_WANT_WRITE: if non-blocking etc, call again when data is available to write"));
- break;
- case SSL_ERROR_WANT_X509_LOOKUP:
- DBUG_PRINT("info",("SSL_ERROR_WANT_X509_LOOKUP: /* not used yet but could be :-) */"));
- break;
- case SSL_ERROR_SYSCALL:
- DBUG_PRINT("info",("SSL_ERROR_SYSCALL: An error than the error code can be found in errno (%d)",errno));
- break;
- case SSL_ERROR_ZERO_RETURN:
- DBUG_PRINT("info",("SSL_ERROR_ZERO_RETURN: 0 returned on the read, normally means the socket is closed :-) */"));
- break;
- default:
- DBUG_PRINT("info",("Unknown SSL error returned"));
- break;
- }
- }
- usleep(100);
- }
+ SSL_do_handshake(vio->ssl_);
 vio->open_ = TRUE;
 #ifndef DBUG_OFF
 DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
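Review bot: As in sslaccept, the return value of `SSL_do_handshake(vio->ssl_)` is dropped and `vio->open_ = TRUE` follows unconditionally, so a client whose handshake failed — including a server certificate rejected by the SSL_VERIFY_PEER callback installed in new_VioSSLConnectorFd — is still told the SSL channel is open, and whether anything later notices depends on SSL_read/SSL_write surfacing the half-finished handshake. At minimum: `if (SSL_do_handshake(vio->ssl_) != 1) { report_errors(); DBUG_VOID_RETURN; }` before `vio->open_ = TRUE;`, and, with the fd set non-blocking by `vio_blocking(vio, FALSE)`, a retry on SSL_ERROR_WANT_READ/WANT_WRITE bounded by `timeout`. `SSL_SESSION_set_timeout` governs session-reuse lifetime and is unrelated to how long the handshake may take, so today `timeout` has no effect on connection establishment. sslconnect continues in the next hunk.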
@@ -469,9 +401,7 @@ int i;
 }
 else DBUG_PRINT("info",("Server does not have certificate."));
 #endif
- vio_blocking(vio, blocking);
 DBUG_VOID_RETURN;
 }
-
 #endif /* HAVE_OPENSSL */
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 077807726fe..579f37f3dda 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -168,15 +168,17 @@ vio_verify_callback(int ok, X509_STORE_CTX *ctx)
 struct st_VioSSLConnectorFd* new_VioSSLConnectorFd(const char* key_file,
 const char* cert_file,
 const char* ca_file,
- const char* ca_path)
+ const char* ca_path,
+ const char* cipher)
 {
 int verify = SSL_VERIFY_PEER;
 struct st_VioSSLConnectorFd* ptr;
+ int result;
 DH *dh=NULL;
 DBUG_ENTER("new_VioSSLConnectorFd");
 DBUG_PRINT("enter",
- ("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s",
- key_file, cert_file, ca_path, ca_file));
+ ("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s, cipher=%s",
+ key_file, cert_file, ca_path, ca_file, cipher));
 ptr=(struct st_VioSSLConnectorFd*)my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0));
 ptr->ssl_context_=0;
 ptr->ssl_method_=0;
@@ -206,8 +208,12 @@ struct st_VioSSLConnectorFd* new_VioSSLConnectorFd(const char* key_file,
 /*
 * SSL_CTX_set_options
 * SSL_CTX_set_info_callback
- * SSL_CTX_set_cipher_list
 */
+ if(cipher)
+ {
+ result=SSL_CTX_set_cipher_list(ptr->ssl_context_, cipher);
+ DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
+ }
 SSL_CTX_set_verify(ptr->ssl_context_, verify, vio_verify_callback);
 if (vio_set_cert_stuff(ptr->ssl_context_, cert_file, key_file) == -1)
 {
@@ -231,14 +237,6 @@ struct st_VioSSLConnectorFd* new_VioSSLConnectorFd(const char* key_file,
 SSL_CTX_set_tmp_dh(ptr->ssl_context_,dh);
 DH_free(dh);
-/*if (cipher != NULL)
- if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
- BIO_printf(bio_err,"error setting cipher list\n");
- ERR_print_errors(bio_err);
- goto end;
- }
-*/
-
 DBUG_RETURN(ptr);
 ctor_failure:
 DBUG_PRINT("exit", ("there was an error"));
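Review bot: The widened `DBUG_PRINT("enter", ...)` passes `cipher` to a `%s` conversion, and the vio test programs in this commit pass `cipher=0`; printf-family functions have undefined behaviour on a NULL `%s` argument, and glibc's "(null)" output is an extension. The existing line already has the same hazard for `ca_path`/`ca_file`, so this is a style point on the new code rather than a regression: `cipher ? cipher : "(null)"` keeps the trace safe. The function continues into the next hunk.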
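Review bot: `result` from `SSL_CTX_set_cipher_list` is only printed, never acted on, so an invalid or empty cipher string (return 0) leaves the context on OpenSSL's default list while the caller believes its cipher restriction is in force — a silent failure in a security control. The commented-out code deleted in the following hunk treated that as a constructor failure, which is the behaviour to keep; use the existing path: `if (!SSL_CTX_set_cipher_list(ptr->ssl_context_, cipher)) { report_errors(); goto ctor_failure; }`, after which `result` can be dropped. The function continues outside the hunk.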
@@ -253,18 +251,20 @@ struct st_VioSSLAcceptorFd*
 new_VioSSLAcceptorFd(const char* key_file,
 const char* cert_file,
 const char* ca_file,
- const char* ca_path)
+ const char* ca_path,
+ const char* cipher)
 {
 int verify = (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE);
 struct st_VioSSLAcceptorFd* ptr;
+ int result;
 DH *dh=NULL;
 DBUG_ENTER("new_VioSSLAcceptorFd");
 DBUG_PRINT("enter",
- ("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s",
- key_file, cert_file, ca_path, ca_file));
+ ("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s, cipher=%s",
+ key_file, cert_file, ca_path, ca_file, cipher));
 ptr=(struct st_VioSSLAcceptorFd*)my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0));
 ptr->ssl_context_=0;
@@ -293,12 +293,19 @@ new_VioSSLAcceptorFd(const char* key_file,
 report_errors();
 goto ctor_failure;
 }
+ if(cipher)
+ {
+ result=SSL_CTX_set_cipher_list(ptr->ssl_context_, cipher);
+ DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
+ }
 /*
 * SSL_CTX_set_quiet_shutdown(ctx,1);
 *
 */
 SSL_CTX_sess_set_cache_size(ptr->ssl_context_,128);
+
+ /* DH? */
 SSL_CTX_set_verify(ptr->ssl_context_, verify, vio_verify_callback);
@@ -328,14 +335,6 @@ new_VioSSLAcceptorFd(const char* key_file,
 SSL_CTX_set_tmp_dh(ptr->ssl_context_,dh);
 DH_free(dh);
-/*if (cipher != NULL)
- if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
- BIO_printf(bio_err,"error setting cipher list\n");
- ERR_print_errors(bio_err);
- goto end;
- }
-*/
-
 DBUG_RETURN(ptr);
 ctor_failure:
 DBUG_PRINT("exit", ("there was an error")); |
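Review bot: Same issue as in new_VioSSLConnectorFd: `result` is logged and discarded, so a server started with a mistyped cipher string silently runs with the default suites instead of refusing to start; `if (!SSL_CTX_set_cipher_list(ptr->ssl_context_, cipher)) { report_errors(); goto ctor_failure; }` mirrors the ctor_failure path used three lines above. The new `/* DH? */` comment is an unanswered question left in the code — DH parameters are installed further down by `SSL_CTX_set_tmp_dh` (visible in the last hunk), so either delete it or turn it into a concrete TODO naming what is still missing. The function continues outside the hunk.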