summaryrefslogtreecommitdiff
path: root/vio
diff options
context:
space:
mode:
authorVenkata Sidagam <venkata.sidagam@oracle.com>2012-08-11 15:52:11 +0530
committerVenkata Sidagam <venkata.sidagam@oracle.com>2012-08-11 15:52:11 +0530
commitcd5a42085fc9596de66933c77cb2107b20331502 (patch)
treedc682d239d85526807f0e94dd3ebd655aa4afadb /vio
parentec766b5dabdd98f3e7ed03435706ca5962834063 (diff)
parent40319e9b44d778d570bd146d4a43e1d1842bb357 (diff)
downloadmariadb-git-cd5a42085fc9596de66933c77cb2107b20331502.tar.gz
Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE
CONNECTIONS IF SPE Merged from mysql-5.1 to mysql-5.5
Diffstat (limited to 'vio')
-rw-r--r--vio/viosslfactories.c92
1 files changed, 55 insertions, 37 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index fd797e297ab..43975b9e3c4 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -98,47 +98,51 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
DBUG_ENTER("vio_set_cert_stuff");
DBUG_PRINT("enter", ("ctx: 0x%lx cert_file: %s key_file: %s",
(long) ctx, cert_file, key_file));
- if (cert_file)
- {
- if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
- {
- *error= SSL_INITERR_CERT;
- DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
- DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
- cert_file);
- fflush(stderr);
- DBUG_RETURN(1);
- }
- if (!key_file)
- key_file= cert_file;
+ if (!cert_file && key_file)
+ cert_file= key_file;
+
+ if (!key_file && cert_file)
+ key_file= cert_file;
- if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
- {
- *error= SSL_INITERR_KEY;
- DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
- DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
- key_file);
- fflush(stderr);
- DBUG_RETURN(1);
- }
+ if (cert_file &&
+ SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+ {
+ *error= SSL_INITERR_CERT;
+ DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
+ DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+ fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
+ cert_file);
+ fflush(stderr);
+ DBUG_RETURN(1);
+ }
- /*
- If we are using DSA, we can copy the parameters from the private key
- Now we know that a key and cert have been set against the SSL context
- */
- if (!SSL_CTX_check_private_key(ctx))
- {
- *error= SSL_INITERR_NOMATCH;
- DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
- DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
- fflush(stderr);
- DBUG_RETURN(1);
- }
+ if (key_file &&
+ SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
+ {
+ *error= SSL_INITERR_KEY;
+ DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
+ DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+ fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
+ key_file);
+ fflush(stderr);
+ DBUG_RETURN(1);
+ }
+
+ /*
+ If we are using DSA, we can copy the parameters from the private key
+ Now we know that a key and cert have been set against the SSL context
+ */
+ if (cert_file && !SSL_CTX_check_private_key(ctx))
+ {
+ *error= SSL_INITERR_NOMATCH;
+ DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
+ DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+ fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+ fflush(stderr);
+ DBUG_RETURN(1);
}
+
DBUG_RETURN(0);
}
@@ -216,6 +220,20 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
+ if (ca_file || ca_path)
+ {
+ /* fail only if ca file or ca path were supplied and looking into
+ them fails. */
+ *error= SSL_INITERR_BAD_PATHS;
+ DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s",
+ sslGetErrString(*error)));
+ report_errors();
+ SSL_CTX_free(ssl_fd->ssl_context);
+ my_free(ssl_fd);
+ DBUG_RETURN(0);
+ }
+
+ /* otherwise go use the defaults */
if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{
*error= SSL_INITERR_BAD_PATHS;