Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE

CONNECTIONS IF SPE Merged from mysql-5.1 to mysql-5.5
author: Venkata Sidagam <venkata.sidagam@oracle.com> 2012-08-11 15:52:11 +0530
committer: Venkata Sidagam <venkata.sidagam@oracle.com> 2012-08-11 15:52:11 +0530
commit: cd5a42085fc9596de66933c77cb2107b20331502 (patch)
tree: dc682d239d85526807f0e94dd3ebd655aa4afadb /vio
parent: ec766b5dabdd98f3e7ed03435706ca5962834063 (diff)
parent: 40319e9b44d778d570bd146d4a43e1d1842bb357 (diff)
download: mariadb-git-cd5a42085fc9596de66933c77cb2107b20331502.tar.gz
1 files changed, 55 insertions, 37 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index fd797e297ab..43975b9e3c4 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -98,47 +98,51 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
   DBUG_ENTER("vio_set_cert_stuff");
   DBUG_PRINT("enter", ("ctx: 0x%lx  cert_file: %s  key_file: %s",
 		       (long) ctx, cert_file, key_file));
-  if (cert_file)
-  {
-    if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
-    {
-      *error= SSL_INITERR_CERT;
-      DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
-      DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
-              cert_file);
-      fflush(stderr);
-      DBUG_RETURN(1);
-    }
 
-    if (!key_file)
-      key_file= cert_file;
+  if (!cert_file &&  key_file)
+    cert_file= key_file;
+  
+  if (!key_file &&  cert_file)
+    key_file= cert_file;
 
-    if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
-    {
-      *error= SSL_INITERR_KEY;
-      DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
-      DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
-              key_file);
-      fflush(stderr);
-      DBUG_RETURN(1);
-    }
+  if (cert_file &&
+      SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+  {
+    *error= SSL_INITERR_CERT;
+    DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
+    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+    fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
+            cert_file);
+    fflush(stderr);
+    DBUG_RETURN(1);
+  }
 
-    /*
-      If we are using DSA, we can copy the parameters from the private key
-      Now we know that a key and cert have been set against the SSL context
-    */
-    if (!SSL_CTX_check_private_key(ctx))
-    {
-      *error= SSL_INITERR_NOMATCH;
-      DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
-      DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
-      fflush(stderr);
-      DBUG_RETURN(1);
-    }
+  if (key_file &&
+      SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
+  {
+    *error= SSL_INITERR_KEY;
+    DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
+    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+    fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
+            key_file);
+    fflush(stderr);
+    DBUG_RETURN(1);
+  }
+
+  /*
+    If we are using DSA, we can copy the parameters from the private key
+    Now we know that a key and cert have been set against the SSL context
+  */
+  if (cert_file && !SSL_CTX_check_private_key(ctx))
+  {
+    *error= SSL_INITERR_NOMATCH;
+    DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
+    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+    fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+    fflush(stderr);
+    DBUG_RETURN(1);
   }
+
   DBUG_RETURN(0);
 }
 
@@ -216,6 +220,20 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
   if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
   {
     DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
+    if (ca_file || ca_path)
+    {
+      /* fail only if ca file or ca path were supplied and looking into 
+         them fails. */
+      *error= SSL_INITERR_BAD_PATHS;
+      DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s", 
+                 sslGetErrString(*error)));
+      report_errors();
+      SSL_CTX_free(ssl_fd->ssl_context);
+      my_free(ssl_fd);
+      DBUG_RETURN(0);
+    }
+
+    /* otherwise go use the defaults */
     if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
     {
       *error= SSL_INITERR_BAD_PATHS;
author	Venkata Sidagam <venkata.sidagam@oracle.com>	2012-08-11 15:52:11 +0530
committer	Venkata Sidagam <venkata.sidagam@oracle.com>	2012-08-11 15:52:11 +0530
commit	cd5a42085fc9596de66933c77cb2107b20331502 (patch)
tree	dc682d239d85526807f0e94dd3ebd655aa4afadb /vio
parent	ec766b5dabdd98f3e7ed03435706ca5962834063 (diff)
parent	40319e9b44d778d570bd146d4a43e1d1842bb357 (diff)
download	mariadb-git-cd5a42085fc9596de66933c77cb2107b20331502.tar.gz