diff options
author | Venkata Sidagam <venkata.sidagam@oracle.com> | 2012-08-11 15:52:11 +0530 |
---|---|---|
committer | Venkata Sidagam <venkata.sidagam@oracle.com> | 2012-08-11 15:52:11 +0530 |
commit | cd5a42085fc9596de66933c77cb2107b20331502 (patch) | |
tree | dc682d239d85526807f0e94dd3ebd655aa4afadb /vio | |
parent | ec766b5dabdd98f3e7ed03435706ca5962834063 (diff) | |
parent | 40319e9b44d778d570bd146d4a43e1d1842bb357 (diff) | |
download | mariadb-git-cd5a42085fc9596de66933c77cb2107b20331502.tar.gz |
Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE
CONNECTIONS IF SPE
Merged from mysql-5.1 to mysql-5.5
Diffstat (limited to 'vio')
-rw-r--r-- | vio/viosslfactories.c | 92 |
1 files changed, 55 insertions, 37 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index fd797e297ab..43975b9e3c4 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -98,47 +98,51 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file, DBUG_ENTER("vio_set_cert_stuff"); DBUG_PRINT("enter", ("ctx: 0x%lx cert_file: %s key_file: %s", (long) ctx, cert_file, key_file)); - if (cert_file) - { - if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) - { - *error= SSL_INITERR_CERT; - DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file)); - DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE);); - fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error), - cert_file); - fflush(stderr); - DBUG_RETURN(1); - } - if (!key_file) - key_file= cert_file; + if (!cert_file && key_file) + cert_file= key_file; + + if (!key_file && cert_file) + key_file= cert_file; - if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) - { - *error= SSL_INITERR_KEY; - DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file)); - DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE);); - fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error), - key_file); - fflush(stderr); - DBUG_RETURN(1); - } + if (cert_file && + SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) + { + *error= SSL_INITERR_CERT; + DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file)); + DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE);); + fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error), + cert_file); + fflush(stderr); + DBUG_RETURN(1); + } - /* - If we are using DSA, we can copy the parameters from the private key - Now we know that a key and cert have been set against the SSL context - */ - if (!SSL_CTX_check_private_key(ctx)) - { - *error= SSL_INITERR_NOMATCH; - DBUG_PRINT("error", ("%s",sslGetErrString(*error))); - DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE);); - fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error)); - fflush(stderr); - DBUG_RETURN(1); - } + if (key_file && + SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) + { + *error= SSL_INITERR_KEY; + DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file)); + DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE);); + fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error), + key_file); + fflush(stderr); + DBUG_RETURN(1); + } + + /* + If we are using DSA, we can copy the parameters from the private key + Now we know that a key and cert have been set against the SSL context + */ + if (cert_file && !SSL_CTX_check_private_key(ctx)) + { + *error= SSL_INITERR_NOMATCH; + DBUG_PRINT("error", ("%s",sslGetErrString(*error))); + DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE);); + fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error)); + fflush(stderr); + DBUG_RETURN(1); } + DBUG_RETURN(0); } @@ -216,6 +220,20 @@ new_VioSSLFd(const char *key_file, const char *cert_file, if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0) { DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); + if (ca_file || ca_path) + { + /* fail only if ca file or ca path were supplied and looking into + them fails. */ + *error= SSL_INITERR_BAD_PATHS; + DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s", + sslGetErrString(*error))); + report_errors(); + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + DBUG_RETURN(0); + } + + /* otherwise go use the defaults */ if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0) { *error= SSL_INITERR_BAD_PATHS; |