Bug #45770 errors reading server SSL files are printed, but

not logged Errors encountered during initialization of the SSL subsystem are printed to stderr, rather than to the error log. This patch adds a parameter to several SSL init functions to report the error (if any) out to the caller. The function init_ssl() in mysqld.cc is moved after the initialization of the log subsystem, so that any error messages can be logged to the error log. Printing of messages to stderr has been retained to get diagnostic output in a client context.
author: Staale Smedseng <staale.smedseng@sun.com> 2009-07-23 13:38:11 +0200
committer: Staale Smedseng <staale.smedseng@sun.com> 2009-07-23 13:38:11 +0200
commit: 63ab8415d907d105d2468a250c07b7c4214cb141 (patch)
tree: ae934dbe79d541f8b08519e804ac93753ee40498 /vio
parent: 7fff3efb46a733621ca63b0ec2bb590c12ad8856 (diff)
download: mariadb-git-63ab8415d907d105d2468a250c07b7c4214cb141.tar.gz
1 files changed, 42 insertions, 18 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 4e3092b3b39..921fc111dc5 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -73,9 +73,28 @@ report_errors()
   DBUG_VOID_RETURN;
 }
 
+static const char*
+ssl_error_string[] = 
+{
+  "No error",
+  "Unable to get certificate",
+  "Unable to get private key",
+  "Private key does not match the certificate public key"
+  "SSL_CTX_set_default_verify_paths failed",
+  "Failed to set ciphers to use",
+  "SSL_CTX_new failed"
+};
+
+const char*
+sslGetErrString(enum enum_ssl_init_error e)
+{
+  DBUG_ASSERT(SSL_INITERR_NOERROR < e && e < SSL_INITERR_LASTERR);
+  return ssl_error_string[e];
+}
 
 static int
-vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
+vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
+                   enum enum_ssl_init_error* error)
 {
   DBUG_ENTER("vio_set_cert_stuff");
   DBUG_PRINT("enter", ("ctx: 0x%lx  cert_file: %s  key_file: %s",
@@ -84,9 +103,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
   {
     if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
     {
-      DBUG_PRINT("error",("unable to get certificate from '%s'", cert_file));
+      *error= SSL_INITERR_CERT;
+      DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
       DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: Unable to get certificate from '%s'\n",
+      fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
               cert_file);
       fflush(stderr);
       DBUG_RETURN(1);
@@ -97,9 +117,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
 
     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
     {
-      DBUG_PRINT("error", ("unable to get private key from '%s'", key_file));
+      *error= SSL_INITERR_KEY;
+      DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
       DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: Unable to get private key from '%s'\n",
+      fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
               key_file);
       fflush(stderr);
       DBUG_RETURN(1);
@@ -111,12 +132,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
     */
     if (!SSL_CTX_check_private_key(ctx))
     {
-      DBUG_PRINT("error",
-		 ("Private key does not match the certificate public key"));
+      *error= SSL_INITERR_NOMATCH;
+      DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
       DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr,
-              "SSL error: "
-              "Private key does not match the certificate public key\n");
+      fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
       fflush(stderr);
       DBUG_RETURN(1);
     }
@@ -229,7 +248,8 @@ static void check_ssl_init()
 static struct st_VioSSLFd *
 new_VioSSLFd(const char *key_file, const char *cert_file,
              const char *ca_file, const char *ca_path,
-             const char *cipher, SSL_METHOD *method)
+             const char *cipher, SSL_METHOD *method, 
+             enum enum_ssl_init_error* error)
 {
   DH *dh;
   struct st_VioSSLFd *ssl_fd;
@@ -243,7 +263,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
 
   if (!(ssl_fd->ssl_context= SSL_CTX_new(method)))
   {
-    DBUG_PRINT("error", ("SSL_CTX_new failed"));
+    *error= SSL_INITERR_MEMFAIL;
+    DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
     report_errors();
     my_free((void*)ssl_fd,MYF(0));
     DBUG_RETURN(0);
@@ -257,7 +278,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
   if (cipher &&
       SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher) == 0)
   {
-    DBUG_PRINT("error", ("failed to set ciphers to use"));
+    *error= SSL_INITERR_CIPHERS;
+    DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
     report_errors();
     SSL_CTX_free(ssl_fd->ssl_context);
     my_free((void*)ssl_fd,MYF(0));
@@ -270,7 +292,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
     DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
     if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
     {
-      DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
+      *error= SSL_INITERR_BAD_PATHS;
+      DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
       report_errors();
       SSL_CTX_free(ssl_fd->ssl_context);
       my_free((void*)ssl_fd,MYF(0));
@@ -278,7 +301,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
     }
   }
 
-  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
+  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
   {
     DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
     report_errors();
@@ -306,6 +329,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
 {
   struct st_VioSSLFd *ssl_fd;
   int verify= SSL_VERIFY_PEER;
+  enum enum_ssl_init_error dummy;
 
   /*
     Turn off verification of servers certificate if both
@@ -315,7 +339,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
     verify= SSL_VERIFY_NONE;
 
   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
-                             ca_path, cipher, TLSv1_client_method())))
+                             ca_path, cipher, TLSv1_client_method(), &dummy)))
   {
     return 0;
   }
@@ -336,12 +360,12 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
 struct st_VioSSLFd*
 new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
 		     const char *ca_file, const char *ca_path,
-		     const char *cipher)
+		     const char *cipher, enum enum_ssl_init_error* error)
 {
   struct st_VioSSLFd *ssl_fd;
   int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
   if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
-                             ca_path, cipher, TLSv1_server_method())))
+                             ca_path, cipher, TLSv1_server_method(), error)))
   {
     return 0;
   }
author	Staale Smedseng <staale.smedseng@sun.com>	2009-07-23 13:38:11 +0200
committer	Staale Smedseng <staale.smedseng@sun.com>	2009-07-23 13:38:11 +0200
commit	63ab8415d907d105d2468a250c07b7c4214cb141 (patch)
tree	ae934dbe79d541f8b08519e804ac93753ee40498 /vio
parent	7fff3efb46a733621ca63b0ec2bb590c12ad8856 (diff)
download	mariadb-git-63ab8415d907d105d2468a250c07b7c4214cb141.tar.gz