91 files changed, 1862 insertions, 885 deletions
diff --git a/SSL/Makefile.am b/SSL/Makefile.am index bd3aad1e3b2..6edc6146a29 100644 --- a/SSL/Makefile.am +++ b/SSL/Makefile.am @@ -17,8 +17,8 @@ ## Process this file with automake to create Makefile.in EXTRA_DIST= NOTES cacert.pem client-cert.pem client-key.pem \ - client-req.pem run-client run-server server-cert.pem \ - server-key.pem server-req.pem + run-client run-server server-cert.pem \ + server-key.pem # Don't update the files from bitkeeper %::SCCS/s.% diff --git a/SSL/NOTES b/SSL/NOTES index 413c724c583..a1109db8c80 100644 --- a/SSL/NOTES +++ b/SSL/NOTES 
@@ -40,7 +40,69 @@ openssl s_server -port 1111 -cert ../SSL/server-cert.pem -key ../SSL/server-key. +------------------------------------------- +How to generate new keys: +First we need the private key of the CA cert. Since we always throw +away the old private key for the CA, we need to generate a totally new +CA cert. Our CA cert is self signed and we will use that to sign the +server and client keys. As long as we distibute the cacert.pem they can +b oth be validated against that. + + +1) openssl genrsa 512 > cecert.pem + +2) openssl req -new -x509 -nodes -md5 -days 1000 -key cacert.pem > cacert.pem + +We now have a cacert.pem which is the public key and a cakey.pem which is the +private key of the CA. + +Steps to generate the server key. + +3) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem + +4) copy ca-key.pem ca-cert.srl + +5) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + + +-- adding metadata to beginning + +6) openssl x509 -in server-cert.pem -text > tmp.pem + +7) mv tmp.pem server-cert.pem + +-- And almost the same for the client. + +8) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout client-key.pem > client-req.pem + +9) openssl x509 -req -in client-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem + + +-- adding metadata to beginning + +10) openssl x509 -in client-cert.pem -text > tmp.pem + +11) mv tmp.pem client-cert.pem + +The new certs are now generated. They can be verified against the cacert to test they are ok. This is actually what is done in the MySQL client and server. 
+ +12) openssl verify -CAfile cacert.pem server-cert.pem +server-cert.pem: OK +13) openssl verify -CAfile cacert.pem client-cert.pm +client-cert.pem: OK + + +The files we add to our repository and thus distribute are +* cacert.pem - CA's public key, used to verify the client/servers pblic keys +* server-key.pem - servers private key +* server-cert.pem - servers public key +* client-key.pem - clients private key +* client-cert.pem - clients public key + + + +== OLD NOTES below == -------------------------------------------- CA stuff: diff --git a/SSL/cacert.pem b/SSL/cacert.pem index a63dae57767..b445e77d7c4 100644 --- a/SSL/cacert.pem +++ b/SSL/cacert.pem 
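Review bot: The regeneration recipe in the new NOTES text does not chain: step 1 writes the CA key to `cecert.pem`, step 2 then uses `-key cacert.pem > cacert.pem` (the shell truncates the output file before openssl reads it), the `cakey.pem` the text says "we now have" is never produced, and steps 4, 5 and 9 switch to `ca-cert.pem`/`ca-key.pem` names that no earlier step created, so anyone following these steps to regenerate the shipped keys will fail or end up mixing key and certificate files. Steps 5 and 9 both pass `-set_serial 01`, and the committed server-cert.pem and client-cert.pem on this page indeed both carry serial 1 under the same issuer, which breaks the X.509 requirement that an issuer's serials be unique and makes any serial-based lookup or revocation ambiguous; use `-set_serial 01` for the server and `-set_serial 02` for the client (or a proper `.srl` counter) and fix the `client-cert.pm` typo in step 13. `genrsa 512` / `rsa:512` with `-md5` produces keys and signatures that were already considered broken when this was written; even for test material I would document `rsa:2048` with `-sha256` so the recipe is never copied into a deployment, and add one sentence stating that every private key in this directory is public and must only ever be used by the test suite.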
@@ -1,21 +1,17 @@ -----BEGIN CERTIFICATE----- -MIIDcTCCAtqgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYxNDE2WhcNMTMw -OTA5MTYxNDE2WjCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAP -BgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9w -ZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNx -bC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKrT7zp5tp5djXp+TEQs -5ZEds1XUglp/EQUQ1FMMb1Xe6gqJsQ62O+jsUe0nrUjXBrUCUy49k6mcnmQtZREj -l1pWKmzx1fgcYpxTwxaY7IKB2jik5IWprhVPmSQ+AWss43oolXMZWR+csKehqm3j -+YNZc9NsR4ydE71l0VEtJEQvAgMBAAGjgegwgeUwHQYDVR0OBBYEFIiYZdnz8osD -HWZgYSP6rXNt02iSMIG1BgNVHSMEga0wgaqAFIiYZdnz8osDHWZgYSP6rXNt02iS -oYGOpIGLMIGIMQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8GA1UE -ChMITXlTUUwgQUIxITAfBgNVBAMTGEFic3RyYWN0IE15U1FMIERldmVsb3BlcjEx -MC8GCSqGSIb3DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNv -bYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAGIL22MCIU/0sKDp -pZIhoabvNVDTfuhtene+WBCrzCzGXPZjB4+b/KAJJNvOR4zi43Kk7euu+PENs9M7 -nKpInMdhvT1RcCnUHJ3jBCvDDzXab2msqn3rxhwetWWbfE0OeEn/PoQcwiZCe7x5 -h+Zz+oUbvsEe4DjtDVgG4UH9nSSS +MIICrTCCAhagAwIBAgIJAIAO/Ybiptv1MA0GCSqGSIb3DQEBBAUAMEQxCzAJBgNV +BAYTAlNFMRAwDgYDVQQIEwdVcHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYD +VQQKEwhNeVNRTCBBQjAeFw0wNjA1MDMwODQ4NTRaFw0wOTAxMjcwODQ4NTRaMEQx +CzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdVcHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxh +MREwDwYDVQQKEwhNeVNRTCBBQjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA ++C46EQl1u7tQ6gb9eqc8V079gr8YmDPCEqtjO8bCIbchpjOpDITx0WZz36Sn9E72 +GPJwNip4FxLaPRIA3xNQHM5cE5U53qznlRx1Fc4O3hcWCvyCqNDl/vzPAh3pI6Bl +Ku9hfHXpp93W812smVPe9haShEXGgbEPYGzvOfVdu/MCAwEAAaOBpjCBozAdBgNV +HQ4EFgQUjIy/6OCTmqtPHBFha6/qzVk3yTcwdAYDVR0jBG0wa4AUjIy/6OCTmqtP +HBFha6/qzVk3yTehSKRGMEQxCzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdVcHBzYWxh +MRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhNeVNRTCBBQoIJAIAO/Ybiptv1 
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA8lD9zyB820Oq1aj7ZafX +De/hbdt9RIl2tzgw2K3r1KZGdXJVL0vSt5fZ51Nq9lg7OPJy3iXf+caBJEp0IJpB +uf4Gfr6zfXw+UlY6ZthRtHQHoXKcbskECjH5/ps/Uaa+dpVQ9O+Ii1rPzmgo6ztM +s+xZ46ESBt4WiHXm8kwbU9Y= -----END CERTIFICATE----- diff --git a/SSL/client-cert.pem b/SSL/client-cert.pem index 4c81162c911..fdd5c86a23f 100644 --- a/SSL/client-cert.pem +++ b/SSL/client-cert.pem 
@@ -1,67 +1,42 @@ Certificate: Data: - Version: 3 (0x2) + Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption - Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com + Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB Validity - Not Before: Sep 12 16:21:19 2003 GMT - Not After : Sep 9 16:21:19 2013 GMT - Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Client/Email=abstract.mysql.developer@mysql.com + Not Before: May 3 08:55:39 2006 GMT + Not After : Jan 27 08:55:39 2009 GMT + Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com Subject Public Key Info: Public Key Algorithm: rsaEncryption - RSA Public Key: (1024 bit) - Modulus (1024 bit): - 00:c4:03:0a:ee:e3:b1:12:fc:ee:b4:19:f4:e1:60: - 1d:e0:28:c3:96:2d:df:82:69:cd:74:7c:54:58:d0: - ae:b3:59:3f:0c:19:1c:99:10:a6:12:c9:cf:3a:64: - 05:43:8e:bf:d2:65:36:80:91:0b:65:b0:27:26:38: - c9:23:d8:36:a2:4a:f0:f7:c0:2f:68:38:70:01:27: - 29:ff:b2:c5:52:e1:6b:f1:c8:d7:c3:5c:ee:f0:37: - 6c:2a:9b:96:1a:05:9e:eb:33:a2:39:5a:77:66:62: - 27:75:1f:2f:6f:38:da:e5:9f:78:af:ca:6b:22:3f: - 57:2b:bc:a6:8f:47:d1:99:6f + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:d8:db:68:28:49:84:4d:d6:0f:5c:bc:3d:9a:ab: + 70:d5:3e:f5:b5:17:ba:ef:e1:f8:87:54:30:22:1f: + 81:07:bf:f9:24:7f:8a:54:10:e9:5f:e6:99:50:04: + d4:3b:55:a9:f1:52:ad:12:2b:5a:da:5c:be:8c:3e: + 5b:9e:b0:5a:19 Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 80:81:A9:22:EB:AB:D6:CA:7E:3F:8D:BB:D1:AC:2A:F4:87:9D:13:29 - X509v3 Authority Key Identifier: - keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92 - DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com - serial:00 - Signature Algorithm: md5WithRSAEncryption - 86:17:1c:f3:9f:10:1b:75:47:03:ca:54:ea:ef:f7:15:54:8d: - 
8f:58:c9:64:7d:de:2e:bf:ea:a6:5d:72:56:c9:81:be:bb:1c: - 78:a5:91:d6:f8:77:df:9d:d2:cb:94:d9:06:61:4f:05:21:22: - 2a:ea:9e:c3:8b:4d:fe:94:c7:98:61:cd:7e:88:19:c9:92:01: - 1f:10:5b:c6:16:95:99:9b:32:01:3a:89:df:fa:0a:89:ac:fa: - b5:40:55:7a:ca:0a:bd:5d:8b:06:d8:7e:e1:44:8c:70:c8:63: - c7:77:6a:37:3d:a4:ac:57:dc:00:c1:c1:f3:72:17:5b:50:95: - ee:b7 + 07:57:bf:07:92:c2:8e:86:24:6b:0a:bf:e5:31:21:44:c3:60: + 02:a6:ac:9e:f7:db:7a:6e:fc:4f:d4:7b:54:18:80:47:d2:4a: + 63:0e:e3:f8:af:6e:58:e3:97:5a:2b:82:5d:76:20:d1:33:a0: + f5:43:a1:d1:51:f4:ca:c8:b3:1a:66:4e:0e:55:df:d2:e8:fa: + 83:18:42:f5:ec:66:40:f0:39:e8:f9:d7:cf:f6:dd:e4:7b:69: + dd:0c:92:d8:52:95:43:6f:29:3d:f0:8d:4c:dd:52:ea:6b:a0: + 39:0f:dc:59:a7:5c:37:6b:8b:05:44:b7:69:ea:a3:58:e0:4e: + ce:d6 -----BEGIN CERTIFICATE----- -MIIDkTCCAvqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMTE5WhcNMTMw -OTA5MTYyMTE5WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G -A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIENsaWVudDExMC8GCSqGSIb3 -DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEAxAMK7uOxEvzutBn04WAd4CjDli3fgmnNdHxU -WNCus1k/DBkcmRCmEsnPOmQFQ46/0mU2gJELZbAnJjjJI9g2okrw98AvaDhwAScp -/7LFUuFr8cjXw1zu8DdsKpuWGgWe6zOiOVp3ZmIndR8vbzja5Z94r8prIj9XK7ym -j0fRmW8CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w -ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSAgaki66vWyn4/ -jbvRrCr0h50TKTCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB -jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT -CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv -BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C -AQAwDQYJKoZIhvcNAQEEBQADgYEAhhcc858QG3VHA8pU6u/3FVSNj1jJZH3eLr/q -pl1yVsmBvrsceKWR1vh3353Sy5TZBmFPBSEiKuqew4tN/pTHmGHNfogZyZIBHxBb 
-xhaVmZsyATqJ3/oKiaz6tUBVesoKvV2LBth+4USMcMhjx3dqNz2krFfcAMHB83IX -W1CV7rc= +MIIB5jCCAU8CAQEwDQYJKoZIhvcNAQEEBQAwRDELMAkGA1UEBhMCU0UxEDAOBgNV +BAgTB1VwcHNhbGExEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFC +MB4XDTA2MDUwMzA4NTUzOVoXDTA5MDEyNzA4NTUzOVowdzELMAkGA1UEBhMCU0Ux +EDAOBgNVBAgTB1VwcHNhbGExEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15 +U1FMIEFCMTEwLwYJKoZIhvcNAQkBFiJhYnN0cmFjdC5teXNxbC5kZXZlbG9wZXJA +bXlzcWwuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANjbaChJhE3WD1y8PZqr +cNU+9bUXuu/h+IdUMCIfgQe/+SR/ilQQ6V/mmVAE1DtVqfFSrRIrWtpcvow+W56w +WhkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQAHV78HksKOhiRrCr/lMSFEw2ACpqye +99t6bvxP1HtUGIBH0kpjDuP4r25Y45daK4JddiDRM6D1Q6HRUfTKyLMaZk4OVd/S +6PqDGEL17GZA8Dno+dfP9t3ke2ndDJLYUpVDbyk98I1M3VLqa6A5D9xZp1w3a4sF +RLdp6qNY4E7O1g== -----END CERTIFICATE----- diff --git a/SSL/client-key.pem b/SSL/client-key.pem index 58fa805e620..22f8e23ab2a 100644 --- a/SSL/client-key.pem +++ b/SSL/client-key.pem 
@@ -1,15 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDEAwru47ES/O60GfThYB3gKMOWLd+Cac10fFRY0K6zWT8MGRyZ -EKYSyc86ZAVDjr/SZTaAkQtlsCcmOMkj2DaiSvD3wC9oOHABJyn/ssVS4WvxyNfD -XO7wN2wqm5YaBZ7rM6I5WndmYid1Hy9vONrln3ivymsiP1crvKaPR9GZbwIDAQAB -AoGAcR7IaoGhKbIrGGl6d67+zuT3q24h9aOV3Mn7653TlNHGnvbHGFcRYPpyy+H5 -X7m8XnHm+F+80hzNGzPecP9Q12oPOyoZgeQn6bTK73OFkNcX7FAkNdyH4xVhf2aK -YOzTcQfq3gRCqXtVIg4qBShTMjJLE31R8H430Or62XmJgFECQQDjP+Kz+ecQwuTB -HADLm+GQgceIB1kLgdQoZ3deUxGvqtVImuDRViSM0F2srfJ4GfkEDhc27UI5f6ir -ZTOw4ww7AkEA3M9wCPgWNtbOXbYjaNA0IzHcjMDxQDVvJAmb3EiZlKQp4EfrESxR -ly/u08TyfwrK6q5WS7xE0ad8+95G1af4XQJBAI9+3ME20SB1YItMCniHYwSj3oHX -2fN5NKWax/Zoz+c0IV+qZMHq+kNso2oRoOUTyXk1CJWndcTnBnPMALr2c9cCQQCZ -VL7Cq6uZVx6kemcqUHH0AprZbt3YLYLI7pc5p3xmeHzPzoEQQstBhjp8+aU+zPrN -blRkcQ8E2x5yNA7SLLrNAkAhzkA+EK8hc0f9W3ncy+py0Rn0i5Ay0N3T715vkThf -CfOHE3L91dLlmYpL5xVqOpugY/2sHyxwctv97DgS6tHZ +MIIBOgIBAAJBANjbaChJhE3WD1y8PZqrcNU+9bUXuu/h+IdUMCIfgQe/+SR/ilQQ +6V/mmVAE1DtVqfFSrRIrWtpcvow+W56wWhkCAwEAAQJAK27WT6tZylUjQomZNQ89 +TBiOEbUtBbqWklQ0R8FTkH9uKV+8KYQ+k+tMkoAEGFfChB0YfofNQ2KZYWWw4yOB +WQIhAPXXDQt73aou10s+cmKM3C3WzLmIZtrvm9wNBXWDGxgTAiEA4dG4cXrZfa1M +TTbjzNU1/Jf50/M8SvZDWMPQWxJ8oqMCIH6zBpYUkHlVCsBMvsbrsc4uFfTIx7mu +I7WVQGr/1sbhAiBf4uFirjtztgZUMx5/d3k5DH80lG/hlLf8FQl/4lWx6QIhAPHw +CXfPUbUFl4r/i9Br5+exGol50qX4F3aP5Sh5EnZT -----END RSA PRIVATE KEY----- diff --git a/SSL/client-req.pem b/SSL/client-req.pem deleted file mode 100644 index b3667fb5ec6..00000000000 --- a/SSL/client-req.pem +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBvDCCASUCAQAwfDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAP -BgNVBAoTCE15U1FMIEFCMRUwEwYDVQQDEwxNeVNRTCBDbGllbnQxMTAvBgkqhkiG -9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBAMQDCu7jsRL87rQZ9OFgHeAow5Yt34JpzXR8 -VFjQrrNZPwwZHJkQphLJzzpkBUOOv9JlNoCRC2WwJyY4ySPYNqJK8PfAL2g4cAEn -Kf+yxVLha/HI18Nc7vA3bCqblhoFnuszojlad2ZiJ3UfL2842uWfeK/KayI/Vyu8 -po9H0ZlvAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAnKdk68dGJXvlj/GXwBUWN -oXWF7hq4fDmwyhmcFUqk8qZKPKFUxkcER0GLzYeUgvD2URSfaS3/YW0d7K7kXGwP -rB5edb+suaYf6mjm/w37xw/EJI9rdSKcB/3SSu8mALds7sUHDAO+MO0WkA/9d7t0 -LOsUqcDvMkKpZuYwNILwLw== ------END CERTIFICATE REQUEST----- diff --git a/SSL/server-cert.pem b/SSL/server-cert.pem index debf7026e3c..f420b4f3124 100644 --- a/SSL/server-cert.pem +++ b/SSL/server-cert.pem 
@@ -1,67 +1,42 @@ Certificate: Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) + Version: 1 (0x0) + Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption - Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com + Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB Validity - Not Before: Sep 12 16:22:06 2003 GMT - Not After : Sep 9 16:22:06 2013 GMT - Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Server/Email=abstract.mysql.developer@mysql.com + Not Before: May 3 08:54:13 2006 GMT + Not After : Jan 27 08:54:13 2009 GMT + Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com Subject Public Key Info: Public Key Algorithm: rsaEncryption - RSA Public Key: (1024 bit) - Modulus (1024 bit): - 00:e9:86:7a:55:84:88:4c:be:a4:f8:92:73:30:12: - 49:0b:7a:85:87:39:34:39:0d:7d:0b:8d:18:c2:17: - 95:13:52:d2:3f:55:10:57:c8:3f:5a:f5:b2:fa:8b: - d0:67:49:cc:aa:82:fc:9f:ce:00:b4:73:f3:36:d2: - 3a:d3:c2:b0:0e:14:c3:d4:b2:21:74:a1:f0:31:81: - 60:87:98:73:5c:10:c1:b1:1a:4d:f1:f3:b0:98:3f: - f0:d7:97:9b:2b:fd:d5:21:79:b2:2f:eb:64:15:c9: - 9b:9d:fc:9e:2d:d4:f8:04:5b:ea:a9:75:4b:42:c3: - 3d:0e:4d:2a:a8:b8:ca:99:8d + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:d9:fd:da:b3:fb:7c:e0:b0:03:be:97:c6:a4:36: + ac:71:af:bb:2d:e5:84:ed:f3:8f:2b:eb:11:e5:aa: + 66:ed:bf:62:6b:e3:ce:fa:80:ed:90:ff:b9:4a:39: + 20:40:b6:f2:99:bf:2f:33:b5:f2:ec:3a:90:60:1d: + 9e:94:7e:a4:1b Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4 - X509v3 Authority Key Identifier: - keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92 - DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com - serial:00 - Signature Algorithm: md5WithRSAEncryption - 
31:77:69:b9:bd:ab:29:f3:fc:5a:09:16:6f:5d:42:ea:ba:01: - 55:69:e3:75:cf:b8:d1:b7:b9:bf:da:63:85:8c:48:92:06:60: - 76:97:e0:00:78:4b:ad:da:ab:6a:90:6d:8b:03:a8:b1:e9:09: - 78:e1:29:98:56:12:60:6b:42:fe:e8:a7:c4:f8:d6:15:07:e8: - 2b:c2:d8:8a:e5:1b:2e:51:08:9b:56:e3:b3:7a:4c:3e:e5:be: - 4a:4d:f8:65:7b:a8:21:e0:ca:fe:8b:ab:d7:ec:f2:2d:f7:d0: - bf:d7:c5:23:1c:08:d8:aa:57:c7:f3:5f:ba:33:3f:78:d1:f4: - 8e:5e + de:5e:35:cd:7b:11:e6:7c:c5:7c:d6:27:4e:72:12:49:42:eb: + 6f:2c:96:f3:f4:00:78:a7:4f:9f:2d:7b:d7:30:39:af:49:4d: + df:b1:55:0d:30:be:23:6f:06:67:fd:dd:ba:98:66:36:c6:32: + b7:ed:63:fc:aa:49:cd:4f:72:98:3b:13:0e:f6:28:d7:d4:eb: + 04:6b:dc:e8:c7:04:80:92:e4:04:86:0b:ed:32:25:76:1d:a9: + 5c:a9:2c:18:2c:bd:bc:15:ed:e1:76:96:4d:bb:0d:41:44:06: + 2c:ad:45:bb:db:61:ad:17:11:cb:49:70:67:eb:c6:27:d3:91: + c8:f2 -----BEGIN CERTIFICATE----- -MIIDkTCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMjA2WhcNMTMw -OTA5MTYyMjA2WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G -A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIFNlcnZlcjExMC8GCSqGSIb3 -DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEA6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40Y -wheVE1LSP1UQV8g/WvWy+ovQZ0nMqoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFg -h5hzXBDBsRpN8fOwmD/w15ebK/3VIXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0q -qLjKmY0CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w -ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRu5Jtqxerk5sfv -1x7IY0VgKxvU1DCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB -jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT -CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv -BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C -AQAwDQYJKoZIhvcNAQEEBQADgYEAMXdpub2rKfP8WgkWb11C6roBVWnjdc+40be5 
-v9pjhYxIkgZgdpfgAHhLrdqrapBtiwOosekJeOEpmFYSYGtC/uinxPjWFQfoK8LY -iuUbLlEIm1bjs3pMPuW+Sk34ZXuoIeDK/our1+zyLffQv9fFIxwI2KpXx/NfujM/ -eNH0jl4= +MIIB+zCCAWQCAQEwDQYJKoZIhvcNAQEEBQAwRDELMAkGA1UEBhMCU0UxEDAOBgNV +BAgTB1VwcHNhbGExEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFC +MB4XDTA2MDUwMzA4NTQxM1oXDTA5MDEyNzA4NTQxM1owgYsxCzAJBgNVBAYTAlNF +MRAwDgYDVQQIEwdVcHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhN +eVNRTCBBQjESMBAGA1UEAxMJbG9jYWxob3N0MTEwLwYJKoZIhvcNAQkBFiJhYnN0 +cmFjdC5teXNxbC5kZXZlbG9wZXJAbXlzcWwuY29tMFwwDQYJKoZIhvcNAQEBBQAD +SwAwSAJBANn92rP7fOCwA76XxqQ2rHGvuy3lhO3zjyvrEeWqZu2/YmvjzvqA7ZD/ +uUo5IEC28pm/LzO18uw6kGAdnpR+pBsCAwEAATANBgkqhkiG9w0BAQQFAAOBgQDe +XjXNexHmfMV81idOchJJQutvLJbz9AB4p0+fLXvXMDmvSU3fsVUNML4jbwZn/d26 +mGY2xjK37WP8qknNT3KYOxMO9ijX1OsEa9zoxwSAkuQEhgvtMiV2HalcqSwYLL28 +Fe3hdpZNuw1BRAYsrUW722GtFxHLSXBn68Yn05HI8g== -----END CERTIFICATE----- diff --git a/SSL/server-key.pem b/SSL/server-key.pem index 4292dc79929..a4842624c0c 100644 --- a/SSL/server-key.pem +++ b/SSL/server-key.pem 
@@ -1,15 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDphnpVhIhMvqT4knMwEkkLeoWHOTQ5DX0LjRjCF5UTUtI/VRBX -yD9a9bL6i9BnScyqgvyfzgC0c/M20jrTwrAOFMPUsiF0ofAxgWCHmHNcEMGxGk3x -87CYP/DXl5sr/dUhebIv62QVyZud/J4t1PgEW+qpdUtCwz0OTSqouMqZjQIDAQAB -AoGBALTq11nrjIEQbdSZ+R1z/R0kddB2U+wjdA3/6P9tr7PBxVsFdtzbKaI5mcib -iwCKX0J2qmrP+SHUdsexBZxLR4KV/Z55v9Pym99Dy+DxDA95zURyCMKRBIzlU5uN -F7USEQoltLUCsmZwNWdit0gfxSWdddkHNuI0uxTzHwuDcUlNAkEA/76zVremngNL -DlekM9NPn/8E/TXBHN1b1jdUKd7WymSJykdcm3viU98dFNZFWF8B0jiTcuBKXgpR -vTShNab/swJBAOnCGp554BLhioTyyk8qjRLt3xEsjsDljJULHVLYWcUqIkMf97GL -VLBhl6ZEI9i0WduqvgZ+Bacd0uHqIHz1Yb8CQQDm1CjqTDiGxlIoT9JVNJTZxEOs -h6gVdXY+kxHT+N3FL5luiZp8fAR7zxVgiUVtzdLG+2madfapiobcT3RyCJkhAkBI -64AaR7KasTjg2Ew7/e4cJZAcb2XozrLYG6t+GHeIhehCQEqoW+qDSy5fc4orI7eU -SuMUa2OgCjGqv7p6wKFJAkEAznmum/MbVOBpC4FsdnIGkxyFKIbh2OLY2aUb2KkK -Ouf4S8Y5Ldgszi0fnDPRaxWJzewwZKvcff2zj+mYZeAXbA== +MIIBOgIBAAJBANn92rP7fOCwA76XxqQ2rHGvuy3lhO3zjyvrEeWqZu2/YmvjzvqA +7ZD/uUo5IEC28pm/LzO18uw6kGAdnpR+pBsCAwEAAQJBAMieYdpmRoUaODf9wqh6 +ULXH/sG8i1vaXRcUHcJ50oRVfVK8/tGGvUuTDu6MeINTdahNDlYfjwOjKWVXys1w +h6ECIQDs6s7DfczK2bKCLt0zqg24mZL3rOpGmDU+TatwN1yVgwIhAOuMzdVTX39p +328+5WxJvBOFfxmSmqdDhIFpnRMvgguJAiByvKjT/km+970+1OllyvaIL0AA2OpA +tBgdC0p6tyUMdwIgKuHAWzTJbu28UolVxQgLaFZmVCZ/ZzIAfnrWsLZ2a1kCIBq/ +ywJ2cpyFlgazu8AH6KCQa0ok9s70ElaB6FEC85Al -----END RSA PRIVATE KEY----- diff --git a/SSL/server-req.pem b/SSL/server-req.pem deleted file mode 100644 index 7c3db0660ad..00000000000 --- a/SSL/server-req.pem +++ /dev/null 
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBvDCCASUCAQAwfDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAP -BgNVBAoTCE15U1FMIEFCMRUwEwYDVQQDEwxNeVNRTCBTZXJ2ZXIxMTAvBgkqhkiG -9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBAOmGelWEiEy+pPiSczASSQt6hYc5NDkNfQuN -GMIXlRNS0j9VEFfIP1r1svqL0GdJzKqC/J/OALRz8zbSOtPCsA4Uw9SyIXSh8DGB -YIeYc1wQwbEaTfHzsJg/8NeXmyv91SF5si/rZBXJm538ni3U+ARb6ql1S0LDPQ5N -Kqi4ypmNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQCagJxGHBC+G5aSh3OguFn6 -z+qAC7u3B181kPBgNv20zMgLeq7YiAh3iNx4XO2+QXRGzMznFKx1tFr/mavCpgLs -p3+dCvQt5FHEFFK1D1pDeXy4146X07hOTtC9jc/jSWeVnH4ujuX5gMtZqisOyYWV -/gpw6dBtkTYlhS+y86kM/Q== ------END CERTIFICATE REQUEST----- diff --git a/client/client_priv.h b/client/client_priv.h index a9d5364df49..9e011144836 100644 --- a/client/client_priv.h +++ b/client/client_priv.h @@ -51,5 +51,5 @@ enum options_client #endif OPT_TRIGGERS, OPT_IGNORE_TABLE,OPT_INSERT_IGNORE,OPT_SHOW_WARNINGS,OPT_DROP_DATABASE, - OPT_TZ_UTC, OPT_AUTO_CLOSE + OPT_TZ_UTC, OPT_AUTO_CLOSE, OPT_SSL_VERIFY_SERVER_CERT }; diff --git a/client/mysql.cc b/client/mysql.cc index 69a0e37b982..7b46aaf67ce 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -3118,6 +3118,8 @@ sql_real_connect(char *host,char *database,char *user,char *password, if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc index 5b52d524f8e..57ab4e071fb 100644 --- a/client/mysqladmin.cc +++ b/client/mysqladmin.cc 
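Review bot: In the mysql.cc hunk the new `mysql_options(&mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, …)` call follows the `if (opt_use_ssl)` statement instead of sitting inside it, so it runs unconditionally while `mysql_ssl_set` runs only under the guard; a user who passes the verify option without `--ssl` gets a connection that is neither encrypted nor verified and, as far as this hunk shows, is told nothing. I would set both options under one guard, `if (opt_use_ssl) { mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); mysql_options(&mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); }`, or better reject the combination at option-parsing time with an error along the lines of `--ssl-verify-server-cert requires --ssl`. The option's definition and default are outside this hunk; its help text should make clear that `--ssl-ca` alone only validates the chain and that this flag is what ties the certificate to the host being connected to (presumably by comparing the subject CN with the connect host — the library side is not in view). sql_real_connect begins and ends outside the hunk; the same placement is repeated in mysqladmin, mysqldump, mysqlimport and mysqlshow.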
@@ -340,6 +340,8 @@ int main(int argc,char *argv[]) if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqldump.c b/client/mysqldump.c index 78f12593f46..ee6d7b9d12b 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd) if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqlimport.c b/client/mysqlimport.c index 8694093f06b..1f9b96f91be 100644 --- a/client/mysqlimport.c +++ b/client/mysqlimport.c @@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd) if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqlshow.c b/client/mysqlshow.c index 504f0d9844b..d090495ff81 100644 --- a/client/mysqlshow.c +++ b/client/mysqlshow.c @@ -109,6 +109,8 @@ int main(int argc, char **argv) if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); 
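Review bot: The mysqladmin hunk, and the identical mysqldump, mysqlimport and mysqlshow hunks on this line, copy the same two-statement SSL setup into yet another call site, each time with `mysql_options(…, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, …)` placed after the `if (opt_use_ssl)` guard rather than inside it, so the verify request is issued even when no SSL is configured. Five hand-copied instances of a security-relevant option sequence is how one client silently ends up without verification the next time the sequence changes; I would move the pair into one small shared helper, e.g. `static void client_set_ssl_options(MYSQL *mysql)`, declared next to whatever header already defines the shared `opt_ssl_*` variables (not visible here), and have every client call it under the guard. The casts are also inconsistent across callers: these hunks pass `(char*)&opt_ssl_verify_server_cert` while mysqltest.c passes `&opt_ssl_verify_server_cert`; pick one form in the helper. Each enclosing function starts and ends outside its hunk.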
diff --git a/client/mysqltest.c b/client/mysqltest.c index ecf54e40400..fbbab4a0b3b 100644 --- a/client/mysqltest.c +++ b/client/mysqltest.c @@ -87,14 +87,6 @@ #endif #define MAX_SERVER_ARGS 64 -/* - Sometimes in a test the client starts before - the server - to solve the problem, we try again - after some sleep if connection fails the first - time -*/ -#define CON_RETRY_SLEEP 2 -#define MAX_CON_TRIES 5 #define SLAVE_POLL_INTERVAL 300000 /* 0.3 of a sec */ #define DEFAULT_DELIMITER ";" @@ -108,7 +100,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD, OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL, - OPT_VIEW_PROTOCOL}; + OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT, OPT_MAX_CONNECT_RETRIES}; /* ************************************************************************ */ /* @@ -157,6 +149,7 @@ static int record= 0, opt_sleep= -1; static char *db = 0, *pass=0; const char *user = 0, *host = 0, *unix_sock = 0, *opt_basedir="./"; static int port = 0; +static int opt_max_connect_retries; static my_bool opt_big_test= 0, opt_compress= 0, silent= 0, verbose = 0; static my_bool tty_password= 0; static my_bool ps_protocol= 0, ps_protocol_enabled= 0; 
@@ -2126,9 +2119,16 @@ void init_manager() db, port, sock NOTE - This function will try to connect to the given server MAX_CON_TRIES - times and sleep CON_RETRY_SLEEP seconds between attempts before - finally giving up. This helps in situation when the client starts + + Sometimes in a test the client starts before + the server - to solve the problem, we try again + after some sleep if connection fails the first + time + + This function will try to connect to the given server + "opt_max_connect_retries" times and sleep "connection_retry_sleep" + seconds between attempts before finally giving up. + This helps in situation when the client starts before the server (which happens sometimes). It will ignore any errors during these retries. One should use connect_n_handle_errors() if he expects a connection error and wants @@ -2143,8 +2143,9 @@ int safe_connect(MYSQL* mysql, const char *host, const char *user, { int con_error= 1; my_bool reconnect= 1; + static int connection_retry_sleep= 2; /* Seconds */ int i; - for (i= 0; i < MAX_CON_TRIES; ++i) + for (i= 0; i < opt_max_connect_retries; i++) { if (mysql_real_connect(mysql, host,user, pass, db, port, sock, CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS)) @@ -2152,7 +2153,7 @@ int safe_connect(MYSQL* mysql, const char *host, const char *user, con_error= 0; break; } - sleep(CON_RETRY_SLEEP); + sleep(connection_retry_sleep); } /* TODO: change this to 0 in future versions, but the 'kill' test relies on @@ -2379,8 +2380,12 @@ int do_connect(struct st_query *q) #ifdef HAVE_OPENSSL if (opt_use_ssl || con_ssl) + { mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&next_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + &opt_ssl_verify_server_cert); + } #endif if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR) con_sock=fn_format(buff, con_sock, TMPDIR, "",0); 
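Review bot: In the safe_connect hunks the loop still calls `sleep(connection_retry_sleep)` after the final failed attempt, so every connect that never succeeds pays one needless delay before the function gives up; now that the count is user-settable, guard it with `if (i + 1 < opt_max_connect_retries) sleep(connection_retry_sleep);`. The new `static int connection_retry_sleep= 2;` is never written, so `static const int connection_retry_sleep= 2; /* Seconds */` (or an `enum`) states its role and keeps it from being mistaken for per-call state. The function comment above now names `opt_max_connect_retries` but a reader of this loop cannot see that the option table clamps it to 1..10 with a default of 5; one line noting that bound in the comment would spare the next reader the question of what happens at zero. safe_connect's head and tail lie outside the hunk.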
@@ -2912,6 +2917,10 @@ static struct my_option my_long_options[] = {"manager-wait-timeout", OPT_MANAGER_WAIT_TIMEOUT, "Undocumented: Used for debugging.", (gptr*) &manager_wait_timeout, (gptr*) &manager_wait_timeout, 0, GET_INT, REQUIRED_ARG, 3, 0, 0, 0, 0, 0}, + {"max-connect-retries", OPT_MAX_CONNECT_RETRIES, + "Max number of connection attempts when connecting to server", + (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0, + GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0}, {"password", 'p', "Password to use when connecting to server.", 0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0}, {"port", 'P', "Port number to use for connection.", (gptr*) &port, @@ -4605,9 +4614,14 @@ int main(int argc, char **argv) mysql_options(&cur_con->mysql, MYSQL_SET_CHARSET_NAME, charset_name); #ifdef HAVE_OPENSSL + opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */ if (opt_use_ssl) + { mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&cur_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + &opt_ssl_verify_server_cert); + } #endif if (!(cur_con->name = my_strdup("default", MYF(MY_WME)))) diff --git a/extra/yassl/README b/extra/yassl/README index ad59fe3965e..62209723f66 100644 --- a/extra/yassl/README +++ b/extra/yassl/README 
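Review bot: In the main() hunk `opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */` is a bare assignment placed, as far as this hunk shows, after option parsing, so it silently overrides any command-line value and is set even when `opt_use_ssl` is false; the comment should say what the unconditional setting depends on. The server certificate committed in this same change has subject `CN=localhost` (SSL/server-cert.pem on this page), so if the verification behind MYSQL_OPT_SSL_VERIFY_SERVER_CERT compares the subject CN with the connect host — the library side is not in view — every SSL test must connect to the server by exactly that name, and a test using `127.0.0.1` or the machine's host name will fail the handshake for a reason unrelated to what it is testing. I would expand the comment to `/* Always on in mysqltest: the test server cert is issued to CN=localhost, so SSL tests must connect by that host name */` and consider failing early with a clear message when `opt_use_ssl` is set and `host` is not "localhost". main() begins and ends outside the hunk.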
@@ -1,4 +1,37 @@ -yaSSL Release notes, version 1.2.2 (03/27/06) +yaSSL Release notes, version 1.3.0 (04/26/06) + + + This release of yaSSL contains minor bug fixes, portability enhancements, + and libcurl support. + +See normal build instructions below under 1.0.6. + + +--To build for libcurl on Linux, Solaris, *BSD, Mac OS X, or Cygwin: + + To build for libcurl the library needs to be built without C++ globals since + the linker will be called in a C context, also libcurl configure will expect + OpenSSL library names so some symbolic links are created. + + ./configure --enable-pure-c + make + make openssl-links + + (then go to your libcurl home and tell libcurl about yaSSL) + ./configure --with-ssl=/yaSSL-HomeDir + make + + +--To build for libcurl on Win32: + + Simply add the yaSSL project as a dependency to libcurl, add + yaSSL-Home\include and yaSSL-Home\include\openssl to the include list, and + define USE_SSLEAY and USE_OPENSSL + + please email todd@yassl.com if you have any questions. + + +*******************yaSSL Release notes, version 1.2.2 (03/27/06) This release of yaSSL contains minor bug fixes and portability enhancements. diff --git a/extra/yassl/certs/ca-cert.pem b/extra/yassl/certs/ca-cert.pem new file mode 100644 index 00000000000..981dd004fc6 --- /dev/null +++ b/extra/yassl/certs/ca-cert.pem 
@@ -0,0 +1,53 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 20:12:32 2005 GMT + Not After : Oct 15 20:12:32 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:cf:2b:14:00:b0:3c:df:6f:9e:91:40:ec:c8:f6: + 90:b2:5b:b4:70:80:a5:a4:0a:73:c7:44:f3:2a:26: + c4:2f:f1:3a:f1:c3:c4:ac:fc:c3:d2:c3:bf:f5:d7: + 6a:38:42:ad:22:ab:c8:c4:4b:4c:1d:16:af:05:34: + 7d:79:97:5e:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + X509v3 Authority Key Identifier: + keyid:CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + DirName:/C=US/ST=Oregon/L=Portland/O=sawtooth/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + 27:f7:3d:fb:39:6f:73:a4:86:f3:a0:48:22:60:84:e9:5c:3d: + 28:36:05:16:44:98:07:87:e1:5d:b5:f3:a7:bc:33:5f:f4:29: + a9:5f:87:33:df:e6:8e:bd:e2:f3:0a:c8:00:69:ae:3d:41:47: + 03:ea:0b:4c:67:45:4b:ab:f3:39 +-----BEGIN CERTIFICATE----- +MIIC7zCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCVVMx +DzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxETAPBgNVBAoTCHNh +d3Rvb3RoMSQwIgYDVQQDExt3d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAb +BgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTA1MDExODIwMTIzMloXDTA3 +MTAxNTIwMTIzMlowgYkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xETAP +BgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290aDEkMCIGA1UEAxMbd3d3 +LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlh +c3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDPKxQAsDzfb56RQOzI9pCy 
+W7RwgKWkCnPHRPMqJsQv8Trxw8Ss/MPSw7/112o4Qq0iq8jES0wdFq8FNH15l17h +AgMBAAGjgekwgeYwHQYDVR0OBBYEFMsPH+midnHJ5ugjpsEYt8xEz7mEMIG2BgNV +HSMEga4wgauAFMsPH+midnHJ5ugjpsEYt8xEz7mEoYGPpIGMMIGJMQswCQYDVQQG +EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDERMA8GA1UE +ChMIc2F3dG9vdGgxJDAiBgNVBAMTG3d3dy5zYXd0b290aC1jb25zdWx0aW5nLmNv +bTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb22CAQAwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQQFAANBACf3Pfs5b3OkhvOgSCJghOlcPSg2BRZEmAeH4V21 +86e8M1/0KalfhzPf5o694vMKyABprj1BRwPqC0xnRUur8zk= +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/client-cert.der b/extra/yassl/certs/client-cert.der Binary files differnew file mode 100644 index 00000000000..b28e2753376 --- /dev/null +++ b/extra/yassl/certs/client-cert.der diff --git a/extra/yassl/certs/client-cert.pem b/extra/yassl/certs/client-cert.pem new file mode 100644 index 00000000000..81110f17252 --- /dev/null +++ b/extra/yassl/certs/client-cert.pem 
@@ -0,0 +1,52 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, CN=www.yassl.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 19:33:15 2005 GMT + Not After : Oct 15 19:33:15 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, CN=www.yassl.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:cd:1f:78:47:f8:b8:d6:08:bf:bd:7c:23:61:86: + 36:28:ac:ee:3c:a8:9a:94:e6:d5:26:e8:71:50:b2: + 26:8b:1c:1e:3f:75:b2:d3:b3:67:95:0c:fd:76:28: + 65:d5:ce:12:82:9e:06:00:a2:09:dd:ce:3a:26:dd: + 46:2a:a0:45:71 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + AE:25:5E:FA:4D:A3:5B:2B:87:DE:F1:2A:F5:42:C0:FF:CE:B5:B4:AD + X509v3 Authority Key Identifier: + keyid:AE:25:5E:FA:4D:A3:5B:2B:87:DE:F1:2A:F5:42:C0:FF:CE:B5:B4:AD + DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/CN=www.yassl.com/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + c5:82:26:0c:1f:61:01:14:b0:ce:18:99:64:91:0e:f1:f8:90: + 3e:a3:0e:be:38:7c:97:ba:05:c9:2a:dc:dd:62:2d:12:61:79: + 7a:86:b1:97:5d:1e:e8:f7:e8:32:34:f7:8f:b1:08:3d:13:71: + a6:3c:15:91:85:12:35:6e:78:87 +-----BEGIN CERTIFICATE----- +MIICtzCCAmGgAwIBAgIBADANBgkqhkiG9w0BAQQFADB4MQswCQYDVQQGEwJVUzEP +MA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFT +U0wxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A +eWFzc2wuY29tMB4XDTA1MDExODE5MzMxNVoXDTA3MTAxNTE5MzMxNVoweDELMAkG +A1UEBhMCVVMxDzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxDjAM +BgNVBAoTBXlhU1NMMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN +AQkBFg5pbmZvQHlhc3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDNH3hH ++LjWCL+9fCNhhjYorO48qJqU5tUm6HFQsiaLHB4/dbLTs2eVDP12KGXVzhKCngYA +ogndzjom3UYqoEVxAgMBAAGjgdUwgdIwHQYDVR0OBBYEFK4lXvpNo1srh97xKvVC 
+wP/OtbStMIGiBgNVHSMEgZowgZeAFK4lXvpNo1srh97xKvVCwP/OtbStoXykejB4 +MQswCQYDVQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFu +ZDEOMAwGA1UEChMFeWFTU0wxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkq +hkiG9w0BCQEWDmluZm9AeWFzc2wuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQEEBQADQQDFgiYMH2EBFLDOGJlkkQ7x+JA+ow6+OHyXugXJKtzdYi0SYXl6 +hrGXXR7o9+gyNPePsQg9E3GmPBWRhRI1bniH +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/client-key.der b/extra/yassl/certs/client-key.der Binary files differnew file mode 100644 index 00000000000..6e8b432a07c --- /dev/null +++ b/extra/yassl/certs/client-key.der diff --git a/extra/yassl/certs/client-key.pem b/extra/yassl/certs/client-key.pem new file mode 100644 index 00000000000..6898b2796fa --- /dev/null +++ b/extra/yassl/certs/client-key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOgIBAAJBAM0feEf4uNYIv718I2GGNiis7jyompTm1SbocVCyJoscHj91stOz +Z5UM/XYoZdXOEoKeBgCiCd3OOibdRiqgRXECAwEAAQJAXwa6OVVvg7Bv63+MAI0l +n/hlMfLGEj9R9gFvJXwywPSEQhijOZmedpHALufFPNHtwba9dmbqMkBAw9JDaAgg +QQIhAO+mBaSmoG5AYVKYQZiASe/2wMZjaQSN+zFLyF97OX8ZAiEA2x5iRmXUkbOT +8Td/vx8R9mq9W5CJu+cN+SWGwTYhPBkCIGZFM6NQeKaUUvQshdHO7b66Twpa4jZP +YSNoc9pLe/4BAiB+jIvBkKo2A/rbg2waG32qTXdTXKTPiuA9Fnk/OV30cQIhANuA +uMdo+T+rYcNGJ1hCYKDe9JWBpNfSQ+H/A7sWuW8L +-----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/dh1024.dat b/extra/yassl/certs/dh1024.dat new file mode 100644 index 00000000000..86a95518278 --- /dev/null +++ b/extra/yassl/certs/dh1024.dat @@ -0,0 +1 @@ +30818702818100DA9A18547FF03B385CC16508C173A7EF4EB61CB40EF8FEF3B31F145051676166BCDC3FE6B799FC394D08C26385F9413F896E09117E46209D6923602683CEA100924A6EE695281775C619DAA94EA8CB3691B4275B0183F1D39639EBC92995FE645D6C1BC28D409E585549BBD2C5DCDD6C208B04EADD8B7A6D997F72CBAD88390F020102
\ No newline at end of file diff --git a/extra/yassl/certs/dsa-cert.pem b/extra/yassl/certs/dsa-cert.pem new file mode 100644 index 00000000000..ecca18dae82 --- /dev/null +++ b/extra/yassl/certs/dsa-cert.pem 
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: dsaWithSHA1 + Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL DSA, CN=yaSSL DSA/emailAddress=info@yassl.com + Validity + Not Before: Jan 23 22:54:51 2005 GMT + Not After : Oct 20 22:54:51 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=yaSSL DSA, CN=yaSSL DSA/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: dsaEncryption + DSA Public Key: + pub: + 04:84:a0:26:31:72:0c:e8:4f:5d:53:17:62:b1:80: + ca:c0:16:5f:c3:1e:ea:c5:d9:98:38:f9:be:56:53: + 47:68:ce:08:22:57:1c:bb:0d:77:91:cf:5b:36:ed: + f3:24:82:90:8a:cd:90:7c:db:77:f9:17:2d:73:73: + ef:bb:b9:82 + P: + 00:99:29:69:80:c9:3c:98:68:45:a9:82:fe:67:eb: + 95:88:c5:b4:0c:d6:26:45:95:19:2c:a0:20:5b:7e: + df:69:e9:dc:c3:0f:f3:61:0a:25:9b:f2:21:01:6a: + cd:aa:8c:37:e7:ca:66:db:56:f4:0f:7d:7a:d1:18: + b9:42:fd:1b:11 + Q: + 00:ad:25:29:ab:0a:9f:09:1c:c1:ad:03:20:76:7f: + a6:b7:dd:4d:03:09 + G: + 12:88:99:da:e7:d0:0b:93:9b:e6:ee:3c:21:7f:9c: + b3:b4:8d:a5:8c:e2:37:80:3f:17:d1:81:4f:bd:f0: + 71:b6:32:08:54:dd:bf:01:e2:b3:77:06:64:75:8a: + 04:d6:79:39:b1:02:03:03:c6:06:74:e5:90:05:0a: + 10:46:19:31 + X509v3 extensions: + X509v3 Subject Key Identifier: + BE:F9:8C:5D:D6:1C:B4:EE:81:DD:36:56:0A:21:E4:61:44:73:E9:E2 + X509v3 Authority Key Identifier: + keyid:BE:F9:8C:5D:D6:1C:B4:EE:81:DD:36:56:0A:21:E4:61:44:73:E9:E2 + DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL DSA/CN=yaSSL DSA/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: dsaWithSHA1 + 30:2b:02:14:74:46:9f:91:7b:24:17:3b:ee:0f:10:e3:76:62: + f4:dc:81:e6:fd:fe:02:13:08:f4:87:0a:ab:ba:9c:de:3a:69: + 72:59:b8:ec:e9:57:f4:bf:37 +-----BEGIN CERTIFICATE----- +MIIDMTCCAvKgAwIBAgIBADAJBgcqhkjOOAQDMHgxCzAJBgNVBAYTAlVTMQ8wDQYD +VQQIEwZPcmVnb24xETAPBgNVBAcTCFBvcnRsYW5kMRIwEAYDVQQKEwl5YVNTTCBE +U0ExEjAQBgNVBAMTCXlhU1NMIERTQTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNz 
+bC5jb20wHhcNMDUwMTIzMjI1NDUxWhcNMDcxMDIwMjI1NDUxWjB4MQswCQYDVQQG +EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDESMBAGA1UE +ChMJeWFTU0wgRFNBMRIwEAYDVQQDEwl5YVNTTCBEU0ExHTAbBgkqhkiG9w0BCQEW +DmluZm9AeWFzc2wuY29tMIHwMIGoBgcqhkjOOAQBMIGcAkEAmSlpgMk8mGhFqYL+ +Z+uViMW0DNYmRZUZLKAgW37faencww/zYQolm/IhAWrNqow358pm21b0D3160Ri5 +Qv0bEQIVAK0lKasKnwkcwa0DIHZ/prfdTQMJAkASiJna59ALk5vm7jwhf5yztI2l +jOI3gD8X0YFPvfBxtjIIVN2/AeKzdwZkdYoE1nk5sQIDA8YGdOWQBQoQRhkxA0MA +AkAEhKAmMXIM6E9dUxdisYDKwBZfwx7qxdmYOPm+VlNHaM4IIlccuw13kc9bNu3z +JIKQis2QfNt3+Rctc3Pvu7mCo4HVMIHSMB0GA1UdDgQWBBS++Yxd1hy07oHdNlYK +IeRhRHPp4jCBogYDVR0jBIGaMIGXgBS++Yxd1hy07oHdNlYKIeRhRHPp4qF8pHow +eDELMAkGA1UEBhMCVVMxDzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxh +bmQxEjAQBgNVBAoTCXlhU1NMIERTQTESMBAGA1UEAxMJeWFTU0wgRFNBMR0wGwYJ +KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbYIBADAMBgNVHRMEBTADAQH/MAkGByqG +SM44BAMDLgAwKwIUdEafkXskFzvuDxDjdmL03IHm/f4CEwj0hwqrupzeOmlyWbjs +6Vf0vzc= +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/dsa512.der b/extra/yassl/certs/dsa512.der Binary files differnew file mode 100644 index 00000000000..fe79ccb612b --- /dev/null +++ b/extra/yassl/certs/dsa512.der diff --git a/extra/yassl/certs/dsa512.pem b/extra/yassl/certs/dsa512.pem new file mode 100644 index 00000000000..04a3dd94a77 --- /dev/null +++ b/extra/yassl/certs/dsa512.pem @@ -0,0 +1,8 @@ +-----BEGIN DSA PRIVATE KEY----- +MIH3AgEAAkEAmSlpgMk8mGhFqYL+Z+uViMW0DNYmRZUZLKAgW37faencww/zYQol +m/IhAWrNqow358pm21b0D3160Ri5Qv0bEQIVAK0lKasKnwkcwa0DIHZ/prfdTQMJ +AkASiJna59ALk5vm7jwhf5yztI2ljOI3gD8X0YFPvfBxtjIIVN2/AeKzdwZkdYoE +1nk5sQIDA8YGdOWQBQoQRhkxAkAEhKAmMXIM6E9dUxdisYDKwBZfwx7qxdmYOPm+ +VlNHaM4IIlccuw13kc9bNu3zJIKQis2QfNt3+Rctc3Pvu7mCAhQjg+e+aqykxwwc +E2V27tjDFY02uA== +-----END DSA PRIVATE KEY----- diff --git a/extra/yassl/certs/server-cert.pem b/extra/yassl/certs/server-cert.pem new file mode 100644 index 00000000000..403dabdf5fa --- /dev/null +++ b/extra/yassl/certs/server-cert.pem 
@@ -0,0 +1,38 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 20:50:59 2005 GMT + Not After : Oct 15 20:50:59 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=taoSoftDev, CN=www.taosoftdev.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:a4:68:bb:bc:b7:27:5f:3c:f5:78:c6:1a:af:b9: + 95:fc:7e:61:1f:a8:81:0a:ca:43:88:9a:03:e0:d0: + a6:79:70:16:34:b9:7c:75:54:ca:70:19:66:38:be: + 6e:28:7e:a5:ff:6b:3c:83:2f:39:42:c3:15:f3:bd: + f2:25:93:22:e7 + Exponent: 65537 (0x10001) + Signature Algorithm: md5WithRSAEncryption + 08:36:07:8c:3a:7f:f9:91:0a:82:d1:6a:c1:34:be:bc:2d:b2: + 20:98:dc:45:50:53:9c:66:e6:26:71:bd:fa:d2:b4:91:d3:53: + c0:20:05:c0:b6:84:9a:5f:3f:61:75:f5:fd:c6:ec:e2:f6:9f: + a2:13:17:a9:b7:83:60:cc:cb:eb +-----BEGIN CERTIFICATE----- +MIIB9zCCAaECAQEwDQYJKoZIhvcNAQEEBQAwgYkxCzAJBgNVBAYTAlVTMQ8wDQYD +VQQIEwZPcmVnb24xETAPBgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290 +aDEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZI +hvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0wNTAxMTgyMDUwNTlaFw0wNzEwMTUy +MDUwNTlaMIGCMQswCQYDVQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQH +EwhQb3J0bGFuZDETMBEGA1UEChMKdGFvU29mdERldjEbMBkGA1UEAxMSd3d3LnRh +b3NvZnRkZXYuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTBcMA0G +CSqGSIb3DQEBAQUAA0sAMEgCQQCkaLu8tydfPPV4xhqvuZX8fmEfqIEKykOImgPg +0KZ5cBY0uXx1VMpwGWY4vm4ofqX/azyDLzlCwxXzvfIlkyLnAgMBAAEwDQYJKoZI +hvcNAQEEBQADQQAINgeMOn/5kQqC0WrBNL68LbIgmNxFUFOcZuYmcb360rSR01PA +IAXAtoSaXz9hdfX9xuzi9p+iExept4NgzMvr +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/server-key.pem b/extra/yassl/certs/server-key.pem new file mode 100644 index 00000000000..d6055c4cfd8 --- /dev/null +++ b/extra/yassl/certs/server-key.pem 
@@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOQIBAAJBAKRou7y3J1889XjGGq+5lfx+YR+ogQrKQ4iaA+DQpnlwFjS5fHVU +ynAZZji+bih+pf9rPIMvOULDFfO98iWTIucCAwEAAQJABLVvMw931DV1vljGKORC +1HF2LKbx0zJJzt7CX6z6J54vcE79K3NYXdU6o7/j1WTtfD47tFG+4ljGvSYPmrCI +2QIhANfiY6is6JUJGGgeMxyWeQRPXfaE9Yrk6OhxHhpYf5CTAiEAwvWraeLPy/NE +B+0w80mh8tCv2tpuKaYMOG53XpYX3N0CIDy/Bj3rUZLGOWjqvoUXzjupPY5lgVYw +7Vyin87YAiUjAiAgM8X5em5KSMc+6+2+8bWfTtsNMjEqDfRMyepLpE0SvQIgTSYL +WWfcZoRUPDM9GEuQ40nifVNjobzvjTW4aYyHCEI= +-----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/taoCert.txt b/extra/yassl/certs/taoCert.txt new file mode 100644 index 00000000000..585293e4f2b --- /dev/null +++ b/extra/yassl/certs/taoCert.txt @@ -0,0 +1,50 @@ + +***** Create a self signed cert ************ + +1) openssl genrsa 512 > client-key.pem + +2) openssl req -new -x509 -nodes -md5 -days 1000 -key client-key.pem > client-cert.pem + +-- adding metadata to beginning + +3) openssl x509 -in client-cert.pem -text > tmp.pem + +4) mv tmp.pem client-cert.pem + + +***** Create a CA, signing authority ********** + +same as self signed, use ca prefix instead of client + + +***** Create a cert signed by CA ************** + +1) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem + +2) copy ca-key.pem ca-cert.srl (why ????) + +3) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + + + +***** To create a dsa cert ******************** + +1) openssl dsaparam 512 > dsa512.param # creates group params + +2) openssl gendsa dsa512.param > dsa512.pem # creates private key + +3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem + + + + +***** To convert from PEM to DER ************** + +a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER + +to convert rsa private PEM to DER : + +b) openssl rsa -in key.pem -outform DER -out key.der + + + 
diff --git a/extra/yassl/examples/client/client.cpp b/extra/yassl/examples/client/client.cpp index 704a8e76637..94bf753210b 100644 --- a/extra/yassl/examples/client/client.cpp +++ b/extra/yassl/examples/client/client.cpp @@ -33,10 +33,10 @@ void client_test(void* args) const char* cipher = 0; int index = 0; char list[1024]; - strcpy(list, "cipherlist"); + strncpy(list, "cipherlist", 11); while ( (cipher = SSL_get_cipher_list(ssl, index++)) ) { - strcat(list, ":"); - strcat(list, cipher); + strncat(list, ":", 2); + strncat(list, cipher, strlen(cipher) + 1); } printf("%s\n", list); printf("Using Cipher Suite %s\n", SSL_get_cipher(ssl)); @@ -89,6 +89,8 @@ void client_test(void* args) args.argv = argv; client_test(&args); + yaSSL_CleanUp(); + return args.return_code; } diff --git a/extra/yassl/examples/echoclient/echoclient.cpp b/extra/yassl/examples/echoclient/echoclient.cpp index ca557cca8af..fd3f7dd48a3 100644 --- a/extra/yassl/examples/echoclient/echoclient.cpp +++ b/extra/yassl/examples/echoclient/echoclient.cpp @@ -82,6 +82,7 @@ void echoclient_test(void* args) args.argv = argv; echoclient_test(&args); + yaSSL_CleanUp(); return args.return_code; } diff --git a/extra/yassl/examples/echoserver/echoserver.cpp b/extra/yassl/examples/echoserver/echoserver.cpp index 14a37a7e175..3243cc21a7c 100644 --- a/extra/yassl/examples/echoserver/echoserver.cpp +++ b/extra/yassl/examples/echoserver/echoserver.cpp @@ -15,6 +15,8 @@ args.argv = argv; echoserver_test(&args); + yaSSL_CleanUp(); + return args.return_code; } diff --git a/extra/yassl/examples/server/server.cpp b/extra/yassl/examples/server/server.cpp index 4d3f121cf2c..73cff19e371 100644 --- a/extra/yassl/examples/server/server.cpp +++ b/extra/yassl/examples/server/server.cpp @@ -67,6 +67,8 @@ THREAD_RETURN YASSL_API server_test(void* args) args.argv = argv; server_test(&args); + yaSSL_CleanUp(); + return args.return_code; } 
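Review bot: The bounds passed to `strncat` in the cipher loop are the length of the source string, not the space left in `list`, so `strncat(list, cipher, strlen(cipher) + 1)` still appends the whole cipher name no matter how full the 1024-byte buffer already is and guards nothing the replaced `strcat` did not. Bound by the remaining capacity instead, for example replace the two calls with `size_t used = strlen(list);` / `snprintf(list + used, sizeof(list) - used, ":%s", cipher);`, which truncates rather than overruns when the concatenated list is longer than the buffer. The `strncpy(list, "cipherlist", 11)` line is fine as the count covers the terminator. The body of client_test starts outside the hunk.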
diff --git a/extra/yassl/include/openssl/err.h b/extra/yassl/include/openssl/err.h index 054d0940509..45ac1ca2469 100644 --- a/extra/yassl/include/openssl/err.h +++ b/extra/yassl/include/openssl/err.h @@ -1,6 +1,6 @@ /* err.h for openssl */ -#ifndef ysSSL_err_h__ +#ifndef yaSSL_err_h__ #define yaSSL_err_h__ diff --git a/extra/yassl/include/openssl/md4.h b/extra/yassl/include/openssl/md4.h new file mode 100644 index 00000000000..2e99f977fca --- /dev/null +++ b/extra/yassl/include/openssl/md4.h @@ -0,0 +1 @@ +/* md4.h for libcurl */ diff --git a/extra/yassl/include/openssl/md5.h b/extra/yassl/include/openssl/md5.h index a1025b92782..dfaf9799c44 100644 --- a/extra/yassl/include/openssl/md5.h +++ b/extra/yassl/include/openssl/md5.h @@ -1 +1,4 @@ /* md5.h for openssl */ + +#include "ssl.h" /* in there for now */ + diff --git a/extra/yassl/include/openssl/pem.h b/extra/yassl/include/openssl/pem.h new file mode 100644 index 00000000000..b4c63d56a4d --- /dev/null +++ b/extra/yassl/include/openssl/pem.h @@ -0,0 +1 @@ +/* pem.h for libcurl */ diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index b6840d006df..a7eca9138a2 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h @@ -29,8 +29,22 @@ #define yaSSL_openssl_h__ #include <stdio.h> /* ERR_print fp */ +#include "opensslv.h" /* for version number */ #include "rsa.h" +#if defined(__cplusplus) +extern "C" { +#endif + + void yaSSL_CleanUp(); /* call once at end of application use to + free static singleton memory holders, + not a leak per se, but helpful when + looking for them */ + +#if defined(__cplusplus) +} // extern +#endif + #if defined(__cplusplus) && !defined(YASSL_MYSQL_COMPATIBLE) namespace yaSSL { extern "C" { @@ -102,7 +116,6 @@ void X509_free(X509*); typedef struct BIO BIO; /* ASN stuff */ -typedef struct ASN1_TIME ASN1_TIME; 
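Review bot: `void yaSSL_CleanUp();` is declared inside an `extern "C"` block in a header that is evidently meant to be consumed from C as well, and in C an empty parameter list declares a function with unspecified parameters rather than none; write it `void yaSSL_CleanUp(void);`. The same applies to `int SSL_library_init();` in the -345,8 hunk of this file below. The comment on yaSSL_CleanUp says what it frees but not whether it may be called more than once or before the last SSL object is released, which is what a caller placing it at shutdown needs to know; one sentence on that would help.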
@@ -345,8 +358,8 @@ long SSL_CTX_sess_set_cache_size(SSL_CTX*, long); long SSL_CTX_set_tmp_dh(SSL_CTX*, DH*); void OpenSSL_add_all_algorithms(void); -void SSL_library_init(); -void SSLeay_add_ssl_algorithms(void); +int SSL_library_init(); +int SSLeay_add_ssl_algorithms(void); SSL_CIPHER* SSL_get_current_cipher(SSL*); @@ -371,6 +384,10 @@ typedef unsigned char DES_cblock[8]; typedef const DES_cblock const_DES_cblock; typedef DES_cblock DES_key_schedule; +enum { + DES_ENCRYPT = 1, + DES_DECRYPT = 0 +}; const EVP_MD* EVP_md5(void); const EVP_CIPHER* EVP_des_ede3_cbc(void); 
@@ -392,6 +409,108 @@ int RAND_write_file(const char*); int RAND_load_file(const char*, long); +/* for libcurl */ +int RAND_status(void); + +int DES_set_key(const_DES_cblock*, DES_key_schedule*); +void DES_set_odd_parity(DES_cblock*); +void DES_ecb_encrypt(DES_cblock*, DES_cblock*, DES_key_schedule*, int); + +void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX*, void* userdata); +void SSL_SESSION_free(SSL_SESSION* session); + +X509* SSL_get_certificate(SSL* ssl); +EVP_PKEY* SSL_get_privatekey(SSL* ssl); +EVP_PKEY* X509_get_pubkey(X509* x); + +int EVP_PKEY_copy_parameters(EVP_PKEY* to, const EVP_PKEY* from); +void EVP_PKEY_free(EVP_PKEY* pkey); +void ERR_error_string_n(unsigned long e, char *buf, size_t len); +void ERR_free_strings(void); +void EVP_cleanup(void); + +void* X509_get_ext_d2i(X509* x, int nid, int* crit, int* idx); + +#define GEN_IPADD 7 +#define NID_subject_alt_name 85 +#define STACK_OF(x) x + + +/* defined here because libcurl dereferences */ +typedef struct ASN1_STRING { + int type; + int length; + unsigned char* data; +} ASN1_STRING; + + +typedef struct GENERAL_NAME { + int type; + union { + ASN1_STRING* ia5; + } d; +} GENERAL_NAME; + +void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *x); + +int sk_GENERAL_NAME_num(STACK_OF(GENERAL_NAME) *x); +GENERAL_NAME* sk_GENERAL_NAME_value(STACK_OF(GENERAL_NAME) *x, int i); + + +unsigned char* ASN1_STRING_data(ASN1_STRING* x); +int ASN1_STRING_length(ASN1_STRING* x); +int ASN1_STRING_type(ASN1_STRING *x); + +typedef ASN1_STRING X509_NAME_ENTRY; + +int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos); + +ASN1_STRING* X509_NAME_ENTRY_get_data(X509_NAME_ENTRY* ne); +X509_NAME_ENTRY* X509_NAME_get_entry(X509_NAME* name, int loc); + +#define OPENSSL_malloc(x) malloc(x) +#define OPENSSL_free(x) free(x) + +int ASN1_STRING_to_UTF8(unsigned char** out, ASN1_STRING* in); + +SSL_METHOD* SSLv23_client_method(void); /* doesn't actually roll back */ +SSL_METHOD* SSLv2_client_method(void); /* will never work, 
no v 2 */ + + +SSL_SESSION* SSL_get1_session(SSL* ssl); /* what's ref count */ + + +#define CRYPTO_free(x) free(x) +#define ASN1_TIME ASN1_STRING + +ASN1_TIME* X509_get_notBefore(X509* x); +ASN1_TIME* X509_get_notAfter(X509* x); + + +#define ASN1_UTCTIME ASN1_STRING +#define NID_commonName 13 +#define V_ASN1_UTF8STRING 12 +#define GEN_DNS 2 + + +typedef struct MD4_CTX { + void* ptr; +} MD4_CTX; + +void MD4_Init(MD4_CTX*); +void MD4_Update(MD4_CTX*, const void*, unsigned long); +void MD4_Final(unsigned char*, MD4_CTX*); + + +typedef struct MD5_CTX { + int buffer[32]; /* big enough to hold, check size in Init */ +} MD5_CTX; + +void MD5_Init(MD5_CTX*); +void MD5_Update(MD5_CTX*, const void*, unsigned long); +void MD5_Final(unsigned char*, MD5_CTX*); + + #define SSL_DEFAULT_CIPHER_LIST "" /* default all */ diff --git a/extra/yassl/include/openssl/x509.h b/extra/yassl/include/openssl/x509.h new file mode 100644 index 00000000000..dcd847c0337 --- /dev/null +++ b/extra/yassl/include/openssl/x509.h @@ -0,0 +1 @@ +/* x509.h for libcurl */ diff --git a/extra/yassl/include/openssl/x509v3.h b/extra/yassl/include/openssl/x509v3.h new file mode 100644 index 00000000000..adf94af8f48 --- /dev/null +++ b/extra/yassl/include/openssl/x509v3.h @@ -0,0 +1 @@ +/* x509v3.h for libcurl */ diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp index 935bae582ea..97ae468d2f9 100644 --- a/extra/yassl/include/yassl_int.hpp +++ b/extra/yassl/include/yassl_int.hpp @@ -34,6 +34,7 @@ #include "cert_wrapper.hpp" #include "log.hpp" #include "lock.hpp" +#include "openssl/ssl.h" // ASN1_STRING and DH namespace yaSSL { 
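Review bot: `#define OPENSSL_malloc(x) malloc(x)` and `#define CRYPTO_free(x) free(x)` expand to names this header never brings into scope; it includes only `<stdio.h>`, so a C consumer that uses these macros without its own `<stdlib.h>` gets an implicit declaration. Add `#include <stdlib.h>` next to the existing `<stdio.h>` include at the top of the file. Several of the new declarations carry the author's open questions as comments (`/* what's ref count */`, `/* will never work, no v 2 */`); in a public header those read better as statements of the actual contract, e.g. `/* no reference counting: the session is owned by the library, SSL_SESSION_free is a no-op */` on SSL_get1_session.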
@@ -126,32 +127,70 @@ private: }; +// hold add crypt references provided to callers +class CryptProvider { + mySTL::list<Digest*> digestList_; + mySTL::list<BulkCipher*> cipherList_; + CryptProvider() {} // only GetCryptProvider creates +public: + ~CryptProvider(); + + Digest* NewMd5(); + BulkCipher* NewDesEde(); + + friend CryptProvider& GetCryptProvider(); +private: + CryptProvider(const CryptProvider&); // hide copy + CryptProvider& operator=(const CryptProvider&); // and assign +}; + +CryptProvider& GetCryptProvider(); + #undef X509_NAME // wincrypt.h clash // openSSL X509 names class X509_NAME { char* name_; + size_t sz_; + ASN1_STRING entry_; public: X509_NAME(const char*, size_t sz); ~X509_NAME(); char* GetName(); + ASN1_STRING* GetEntry(int i); private: X509_NAME(const X509_NAME&); // hide copy X509_NAME& operator=(const X509_NAME&); // and assign }; +class StringHolder { + ASN1_STRING asnString_; +public: + StringHolder(const char* str, int sz); + ~StringHolder(); + + ASN1_STRING* GetString(); +}; + + // openSSL X509 class X509 { X509_NAME issuer_; X509_NAME subject_; + StringHolder beforeDate_; // not valid before + StringHolder afterDate_; // not valid after public: - X509(const char* i, size_t, const char* s, size_t); + X509(const char* i, size_t, const char* s, size_t, + const char* b, int, const char* a, int); ~X509() {} X509_NAME* GetIssuer(); X509_NAME* GetSubject(); + + ASN1_STRING* GetBefore(); + ASN1_STRING* GetAfter(); private: X509(const X509&); // hide copy X509& operator=(const X509&); // and assign diff --git a/extra/yassl/include/yassl_types.hpp b/extra/yassl/include/yassl_types.hpp index bfb6467182b..76c807cd05f 100644 --- a/extra/yassl/include/yassl_types.hpp +++ b/extra/yassl/include/yassl_types.hpp @@ -35,10 +35,6 @@ namespace yaSSL { -// Delete static singleton memory holders -void CleanUp(); - - #ifdef YASSL_PURE_C // library allocation 
diff --git a/extra/yassl/lib/dummy b/extra/yassl/lib/dummy new file mode 100644 index 00000000000..85c1efd587f --- /dev/null +++ b/extra/yassl/lib/dummy @@ -0,0 +1 @@ +// this is a dummy file diff --git a/extra/yassl/mySTL/helpers.hpp b/extra/yassl/mySTL/helpers.hpp index 5aa14d838b1..df79025197a 100644 --- a/extra/yassl/mySTL/helpers.hpp +++ b/extra/yassl/mySTL/helpers.hpp @@ -44,6 +44,11 @@ return static_cast<void*>(d); } + // for compilers that want matching delete + inline void operator delete(void* ptr, Dummy* d) + { + } + typedef Dummy* yassl_pointer; namespace mySTL { diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp index b98c7faf1d0..ae609b510ba 100644 --- a/extra/yassl/src/cert_wrapper.cpp +++ b/extra/yassl/src/cert_wrapper.cpp @@ -271,10 +271,13 @@ int CertManager::Validate() else peerKeyType_ = dsa_sa_algo; - int iSz = cert.GetIssuer() ? strlen(cert.GetIssuer()) + 1 : 0; - int sSz = cert.GetCommonName() ? strlen(cert.GetCommonName()) + 1 : 0; + int iSz = strlen(cert.GetIssuer()) + 1; + int sSz = strlen(cert.GetCommonName()) + 1; + int bSz = strlen(cert.GetBeforeDate()) + 1; + int aSz = strlen(cert.GetAfterDate()) + 1; peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), - sSz); + sSz, cert.GetBeforeDate(), bSz, + cert.GetAfterDate(), aSz); } return 0; } diff --git a/extra/yassl/src/make.bat b/extra/yassl/src/make.bat index 4c79a9c6406..148427a6f41 100644 --- a/extra/yassl/src/make.bat +++ b/extra/yassl/src/make.bat @@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../mySTL /I../taocrypt/include /W3 /c /ZI diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index 1aab14009d3..66196514a87 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -1,4 +1,4 @@ -/* ssl.cpp + /* ssl.cpp * * Copyright (C) 2003 Sawtooth Consulting Ltd. * 
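Review bot: The new `iSz`/`sSz` lines drop the null-pointer guards the replaced code had, so if `cert.GetIssuer()` or `cert.GetCommonName()` can still return a null pointer for a certificate lacking that field, `strlen` is now called on NULL inside Validate(); the added `GetBeforeDate()`/`GetAfterDate()` lines have no guard either. Unless the getters are now guaranteed non-null (not visible here), keep the form `int iSz = cert.GetIssuer() ? strlen(cert.GetIssuer()) + 1 : 0;` for all four, or reject the certificate before constructing the X509. CertManager::Validate starts and ends outside the hunk.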
@@ -36,6 +36,7 @@ #include "openssl/ssl.h" #include "handshake.hpp" #include "yassl_int.hpp" +#include "md5.hpp" // for TaoCrypt MD5 size assert #include <stdio.h> #ifdef _WIN32 @@ -52,6 +53,53 @@ namespace yaSSL { using mySTL::min; +int read_file(SSL_CTX* ctx, const char* file, int format, CertType type) +{ + if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM) + return SSL_BAD_FILETYPE; + + FILE* input = fopen(file, "rb"); + if (!input) + return SSL_BAD_FILE; + + if (type == CA) { + x509* ptr = PemToDer(file, Cert); + if (!ptr) { + fclose(input); + return SSL_BAD_FILE; + } + ctx->AddCA(ptr); // takes ownership + } + else { + x509*& x = (type == Cert) ? ctx->certificate_ : ctx->privateKey_; + + if (format == SSL_FILETYPE_ASN1) { + fseek(input, 0, SEEK_END); + long sz = ftell(input); + rewind(input); + x = NEW_YS x509(sz); // takes ownership + size_t bytes = fread(x->use_buffer(), sz, 1, input); + if (bytes != 1) { + fclose(input); + return SSL_BAD_FILE; + } + } + else { + x = PemToDer(file, type); + if (!x) { + fclose(input); + return SSL_BAD_FILE; + } + } + } + fclose(input); + return SSL_SUCCESS; +} + + +extern "C" { + + SSL_METHOD* SSLv3_method() { return SSLv3_client_method(); 
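Review bot: In the relocated `read_file`, the `SSL_FILETYPE_ASN1` branch passes the result of `ftell` straight to `x509(sz)` and `fread` without checking it; `fseek`/`ftell` can fail and return -1, and an empty file yields 0, so add `if (sz <= 0) { fclose(input); return SSL_BAD_FILE; }` after the `rewind`. The code is moved rather than new, but the move is a good moment to close this. On that same failure path `x`, which aliases `ctx->certificate_` or `ctx->privateKey_`, has already been assigned the freshly allocated object, so a context whose load failed is left holding a partially read buffer; allocating into a local and assigning `x` only after the `fread` succeeds avoids that.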
@@ -448,50 +496,6 @@ long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH* dh) } -int read_file(SSL_CTX* ctx, const char* file, int format, CertType type) -{ - if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM) - return SSL_BAD_FILETYPE; - - FILE* input = fopen(file, "rb"); - if (!input) - return SSL_BAD_FILE; - - if (type == CA) { - x509* ptr = PemToDer(file, Cert); - if (!ptr) { - fclose(input); - return SSL_BAD_FILE; - } - ctx->AddCA(ptr); // takes ownership - } - else { - x509*& x = (type == Cert) ? ctx->certificate_ : ctx->privateKey_; - - if (format == SSL_FILETYPE_ASN1) { - fseek(input, 0, SEEK_END); - long sz = ftell(input); - rewind(input); - x = NEW_YS x509(sz); // takes ownership - size_t bytes = fread(x->use_buffer(), sz, 1, input); - if (bytes != 1) { - fclose(input); - return SSL_BAD_FILE; - } - } - else { - x = PemToDer(file, type); - if (!x) { - fclose(input); - return SSL_BAD_FILE; - } - } - } - fclose(input); - return SSL_SUCCESS; -} - - int SSL_CTX_use_certificate_file(SSL_CTX* ctx, const char* file, int format) { return read_file(ctx, file, format, Cert); @@ -723,8 +727,10 @@ void OpenSSL_add_all_algorithms() // compatibility only {} -void SSL_library_init() // compatiblity only -{} +int SSL_library_init() // compatiblity only +{ + return 1; +} DH* DH_new(void) @@ -804,15 +810,13 @@ const char* X509_verify_cert_error_string(long /* error */) const EVP_MD* EVP_md5(void) { - // TODO: FIX add to some list for destruction - return NEW_YS MD5; + return GetCryptProvider().NewMd5(); } const EVP_CIPHER* EVP_des_ede3_cbc(void) { - // TODO: FIX add to some list for destruction - return NEW_YS DES_EDE; + return GetCryptProvider().NewDesEde(); } 
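Review bot: `EVP_md5()` and `EVP_des_ede3_cbc()` now hand out a fresh object on every call, and `CryptProvider` (yassl_int.hpp in this commit) keeps each one in a list until `yaSSL_CleanUp()`, so a caller following the OpenSSL idiom of calling `EVP_md5()` once per digest operation accumulates one allocation per call for the life of the process. If that is the intended trade-off, say so at the definition, e.g. `// each call allocates; released only by yaSSL_CleanUp(), so callers should cache the pointer`; otherwise have CryptProvider return one cached instance, which is closer to the static object OpenSSL returns.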
@@ -897,6 +901,275 @@ void DES_ede3_cbc_encrypt(const byte* input, byte* output, long sz, } +// functions for libcurl +int RAND_status() +{ + return 1; /* TaoCrypt provides enough seed */ +} + + +int DES_set_key(const_DES_cblock* key, DES_key_schedule* schedule) +{ + memcpy(schedule, key, sizeof(const_DES_cblock)); + return 1; +} + + +void DES_set_odd_parity(DES_cblock* key) +{ + // not needed now for TaoCrypt +} + + +void DES_ecb_encrypt(DES_cblock* input, DES_cblock* output, + DES_key_schedule* key, int enc) +{ + DES des; + + if (enc) { + des.set_encryptKey(*key, 0); + des.encrypt(*output, *input, DES_BLOCK); + } + else { + des.set_decryptKey(*key, 0); + des.decrypt(*output, *input, DES_BLOCK); + } +} + + +void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX*, void* userdata) +{ + // yaSSL doesn't support yet, unencrypt your PEM file with userdata + // before handing off to yaSSL +} + + +X509* SSL_get_certificate(SSL* ssl) +{ + // only used to pass to get_privatekey which isn't used + return 0; +} + + +EVP_PKEY* SSL_get_privatekey(SSL* ssl) +{ + // only called, not used + return 0; +} + + +void SSL_SESSION_free(SSL_SESSION* session) +{ + // managed by singleton +} + + + +EVP_PKEY* X509_get_pubkey(X509* x) +{ + // called, not used though + return 0; +} + + +int EVP_PKEY_copy_parameters(EVP_PKEY* to, const EVP_PKEY* from) +{ + // called, not used though + return 0; +} + + +void EVP_PKEY_free(EVP_PKEY* pkey) +{ + // never allocated from above +} + + +void ERR_error_string_n(unsigned long e, char *buf, size_t len) +{ + if (len) ERR_error_string(e, buf); +} + + +void ERR_free_strings(void) +{ + // handled internally +} + + +void EVP_cleanup(void) +{ + // nothing to do yet +} + + +ASN1_TIME* X509_get_notBefore(X509* x) +{ + if (x) return x->GetBefore(); + return 0; +} + + +ASN1_TIME* X509_get_notAfter(X509* x) +{ + if (x) return x->GetAfter(); + return 0; +} + + +SSL_METHOD* SSLv23_client_method(void) /* doesn't actually roll back */ +{ + return SSLv3_client_method(); 
+} + + +SSL_METHOD* SSLv2_client_method(void) /* will never work, no v 2 */ +{ + return 0; +} + + +SSL_SESSION* SSL_get1_session(SSL* ssl) /* what's ref count */ +{ + return SSL_get_session(ssl); +} + + +void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *x) +{ + // no extension names supported yet +} + + +int sk_GENERAL_NAME_num(STACK_OF(GENERAL_NAME) *x) +{ + // no extension names supported yet + return 0; +} + + +GENERAL_NAME* sk_GENERAL_NAME_value(STACK_OF(GENERAL_NAME) *x, int i) +{ + // no extension names supported yet + return 0; +} + + +unsigned char* ASN1_STRING_data(ASN1_STRING* x) +{ + if (x) return x->data; + return 0; +} + + +int ASN1_STRING_length(ASN1_STRING* x) +{ + if (x) return x->length; + return 0; +} + + +int ASN1_STRING_type(ASN1_STRING *x) +{ + if (x) return x->type; + return 0; +} + + +int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos) +{ + int idx = -1; // not found + const char* start = &name->GetName()[lastpos + 1]; + + switch (nid) { + case NID_commonName: + const char* found = strstr(start, "/CN="); + if (found) { + found += 4; // advance to str + idx = found - start + lastpos + 1; + } + break; + } + + return idx; +} + + +ASN1_STRING* X509_NAME_ENTRY_get_data(X509_NAME_ENTRY* ne) +{ + // the same in yaSSL + return ne; +} + + +X509_NAME_ENTRY* X509_NAME_get_entry(X509_NAME* name, int loc) +{ + return name->GetEntry(loc); +} + + +// already formatted, caller responsible for freeing *out +int ASN1_STRING_to_UTF8(unsigned char** out, ASN1_STRING* in) +{ + if (!in) return 0; + + *out = (unsigned char*)malloc(in->length + 1); + if (*out) { + memcpy(*out, in->data, in->length); + (*out)[in->length] = 0; + } + return in->length; +} + + +void* X509_get_ext_d2i(X509* x, int nid, int* crit, int* idx) +{ + // no extensions supported yet + return 0; +} + + +void MD4_Init(MD4_CTX* md4) +{ + assert(0); // not yet supported, build compat. 
only +} + + +void MD4_Update(MD4_CTX* md4, const void* data, unsigned long sz) +{ +} + + +void MD4_Final(unsigned char* hash, MD4_CTX* md4) +{ +} + + +void MD5_Init(MD5_CTX* md5) +{ + // make sure we have a big enough buffer + typedef char ok[sizeof(md5->buffer) >= sizeof(TaoCrypt::MD5) ? 1 : -1]; + (void) sizeof(ok); + + // using TaoCrypt since no dynamic memory allocated + // and no destructor will be called + new (reinterpret_cast<yassl_pointer>(md5->buffer)) TaoCrypt::MD5(); +} + + +void MD5_Update(MD5_CTX* md5, const void* data, unsigned long sz) +{ + reinterpret_cast<TaoCrypt::MD5*>(md5->buffer)->Update( + static_cast<const byte*>(data), static_cast<unsigned int>(sz)); +} + + +void MD5_Final(unsigned char* hash, MD5_CTX* md5) +{ + reinterpret_cast<TaoCrypt::MD5*>(md5->buffer)->Final(hash); +} + + // functions for stunnel void RAND_screen() @@ -1098,8 +1371,10 @@ void DES_ede3_cbc_encrypt(const byte* input, byte* output, long sz, } - void SSLeay_add_ssl_algorithms() // compatibility only - {} + int SSLeay_add_ssl_algorithms() // compatibility only + { + return 1; + } void ERR_remove_state(unsigned long) @@ -1129,4 +1404,5 @@ void DES_ede3_cbc_encrypt(const byte* input, byte* output, long sz, // end stunnel needs +} // extern "C" } // namespace diff --git a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp index 5782df213ea..43b80d59a4d 100644 --- a/extra/yassl/src/template_instnt.cpp +++ b/extra/yassl/src/template_instnt.cpp @@ -31,7 +31,6 @@ #include "hmac.hpp" #include "md5.hpp" #include "sha.hpp" -#include "ripemd.hpp" #include "openssl/ssl.h" #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION 
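Review bot: `ERR_error_string_n` uses `len` only as a zero test and then calls `ERR_error_string(e, buf)`, which takes no bound, so a caller that passes a buffer shorter than the longest error string (the reason the `_n` variant exists) is overrun; format into a local buffer sized for ERR_error_string's output, then copy at most `len - 1` bytes into `buf` and NUL-terminate. In `ASN1_STRING_to_UTF8` a failed `malloc` still returns `in->length` with `*out` null, which callers will dereference; add `if (!*out) return -1;` to match the negative-on-error contract. `MD4_Init` relies on `assert(0)`, which compiles away under NDEBUG and leaves `MD4_Final` silently returning an unwritten hash; the stub should fail in release builds too, or the header should not advertise MD4. `MD5_Init` checks only the size of `MD5_CTX::buffer` (declared `int buffer[32]` in ssl.h) before the placement-new; if TaoCrypt::MD5 needs stricter alignment than int, declare the buffer with a type that guarantees it rather than relying on the array happening to be aligned.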
@@ -51,12 +50,16 @@ template class list<yaSSL::SSL_SESSION*>; template class list<yaSSL::input_buffer*>; template class list<yaSSL::output_buffer*>; template class list<yaSSL::x509*>; +template class list<yaSSL::Digest*>; +template class list<yaSSL::BulkCipher*>; template void destroy<mySTL::pair<int, yaSSL::ClientKeyBase* (*)()>*>(mySTL::pair<int, yaSSL::ClientKeyBase* (*)()>*, mySTL::pair<int, yaSSL::ClientKeyBase* (*)()>*); template yaSSL::del_ptr_zero for_each<mySTL::list<TaoCrypt::Signer*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<TaoCrypt::Signer*>::iterator, mySTL::list<TaoCrypt::Signer*>::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each<mySTL::list<yaSSL::SSL_SESSION*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<yaSSL::SSL_SESSION*>::iterator, mySTL::list<yaSSL::SSL_SESSION*>::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each<mySTL::list<yaSSL::input_buffer*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<yaSSL::input_buffer*>::iterator, mySTL::list<yaSSL::input_buffer*>::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each<mySTL::list<yaSSL::output_buffer*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<yaSSL::output_buffer*>::iterator, mySTL::list<yaSSL::output_buffer*>::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each<mySTL::list<yaSSL::x509*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<yaSSL::x509*>::iterator, mySTL::list<yaSSL::x509*>::iterator, yaSSL::del_ptr_zero); +template yaSSL::del_ptr_zero for_each<mySTL::list<yaSSL::Digest*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<yaSSL::Digest*>::iterator, mySTL::list<yaSSL::Digest*>::iterator, yaSSL::del_ptr_zero); +template yaSSL::del_ptr_zero for_each<mySTL::list<yaSSL::BulkCipher*>::iterator, yaSSL::del_ptr_zero>(mySTL::list<yaSSL::BulkCipher*>::iterator, mySTL::list<yaSSL::BulkCipher*>::iterator, yaSSL::del_ptr_zero); } namespace yaSSL { 
@@ -82,6 +85,7 @@ template void ysDelete<X509>(X509*); template void ysDelete<Message>(Message*); template void ysDelete<sslFactory>(sslFactory*); template void ysDelete<Sessions>(Sessions*); +template void ysDelete<CryptProvider>(CryptProvider*); template void ysArrayDelete<unsigned char>(unsigned char*); template void ysArrayDelete<char>(char*); } diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp index 1d2d5396ea0..4d6d1fc7aff 100644 --- a/extra/yassl/src/yassl_imp.cpp +++ b/extra/yassl/src/yassl_imp.cpp @@ -1975,7 +1975,9 @@ Connection::Connection(ProtocolVersion v, RandomPool& ran) : pre_master_secret_(0), sequence_number_(0), peer_sequence_number_(0), pre_secret_len_(0), send_server_key_(false), master_clean_(false), TLS_(v.major_ >= 3 && v.minor_ >= 1), version_(v), random_(ran) -{} +{ + memset(sessionID_, 0, sizeof(sessionID_)); +} Connection::~Connection() diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index 396461a6ed5..f7fb1abfa3f 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -28,7 +28,6 @@ #include "yassl_int.hpp" #include "handshake.hpp" #include "timer.hpp" -#include "openssl/ssl.h" // for DH #ifdef YASSL_PURE_C 
@@ -1375,16 +1374,51 @@ Sessions& GetSessions() static sslFactory* sslFactoryInstance = 0; -sslFactory& GetSSL_Factory(){ +sslFactory& GetSSL_Factory() +{ if (!sslFactoryInstance) sslFactoryInstance = NEW_YS sslFactory; return *sslFactoryInstance; } -void CleanUp() +static CryptProvider* cryptProviderInstance = 0; + +CryptProvider& GetCryptProvider() +{ + if (!cryptProviderInstance) + cryptProviderInstance = NEW_YS CryptProvider; + return *cryptProviderInstance; +} + + +CryptProvider::~CryptProvider() +{ + mySTL::for_each(digestList_.begin(), digestList_.end(), del_ptr_zero()); + mySTL::for_each(cipherList_.begin(), cipherList_.end(), del_ptr_zero()); +} + + +Digest* CryptProvider::NewMd5() +{ + Digest* ptr = NEW_YS MD5(); + digestList_.push_back(ptr); + return ptr; +} + + +BulkCipher* CryptProvider::NewDesEde() +{ + BulkCipher* ptr = NEW_YS DES_EDE(); + cipherList_.push_back(ptr); + return ptr; +} + + +extern "C" void yaSSL_CleanUp() { TaoCrypt::CleanUp(); + ysDelete(cryptProviderInstance); ysDelete(sslFactoryInstance); ysDelete(sessionsInstance); } @@ -1978,18 +2012,20 @@ void Security::set_resuming(bool b) X509_NAME::X509_NAME(const char* n, size_t sz) - : name_(0) + : name_(0), sz_(sz) { if (sz) { name_ = NEW_YS char[sz]; memcpy(name_, n, sz); } + entry_.data = 0; } X509_NAME::~X509_NAME() { ysArrayDelete(name_); + ysArrayDelete(entry_.data); } @@ -1999,8 +2035,10 @@ char* X509_NAME::GetName() } -X509::X509(const char* i, size_t iSz, const char* s, size_t sSz) - : issuer_(i, iSz), subject_(s, sSz) +X509::X509(const char* i, size_t iSz, const char* s, size_t sSz, + const char* b, int bSz, const char* a, int aSz) + : issuer_(i, iSz), subject_(s, sSz), + beforeDate_(b, bSz), afterDate_(a, aSz) {} 
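Review bot: `GetCryptProvider()` creates the singleton with an unsynchronized check-then-allocate, so two threads entering it at the same time can each allocate a CryptProvider and one instance (plus everything later pushed onto its lists) leaks; `GetSSL_Factory()` just above has the same shape, so this may be the accepted convention here, but a comment stating that first use must happen on one thread before the library is used concurrently would make that explicit. `NewMd5()` and `NewDesEde()` append every object they hand out to `digestList_`/`cipherList_` and nothing visible ever removes an entry, so the lists only shrink in `~CryptProvider`; if the callers (not in this hunk) create a digest or cipher per connection, memory grows until `yaSSL_CleanUp()`. A one-line ownership comment on the class, `// objects handed out here live until yaSSL_CleanUp(); callers must not delete them`, would at least make that contract visible to the callers.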
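Review bot: `X509_NAME::X509_NAME` initialises `entry_.data` but leaves `entry_.length` and `entry_.type` indeterminate until `GetEntry()` is first called, so reading the entry through `X509_NAME_ENTRY_get_data` before a lookup returns garbage; set all three, e.g. `entry_.data = 0; entry_.length = 0; entry_.type = 0;`. `sz_` is now stored for the bounds check in `GetEntry()`, and a comment on the initializer would help: `// sz_ is the byte count of name_, including the terminator when the caller passed one`. The class definition is outside the hunk, so it is not visible whether copying is suppressed; with both `name_` and `entry_.data` owned here, a default copy would free each buffer twice.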
@@ -2016,6 +2054,61 @@ X509_NAME* X509::GetSubject() } +ASN1_STRING* X509::GetBefore() +{ + return beforeDate_.GetString(); +} + + +ASN1_STRING* X509::GetAfter() +{ + return afterDate_.GetString(); +} + + +ASN1_STRING* X509_NAME::GetEntry(int i) +{ + if (i < 0 || i >= int(sz_)) + return 0; + + if (entry_.data) + ysArrayDelete(entry_.data); + entry_.data = NEW_YS byte[sz_]; // max size; + + memcpy(entry_.data, &name_[i], sz_ - i); + if (entry_.data[sz_ -i - 1]) { + entry_.data[sz_ - i] = 0; + entry_.length = sz_ - i; + } + else + entry_.length = sz_ - i - 1; + entry_.type = 0; + + return &entry_; +} + + +StringHolder::StringHolder(const char* str, int sz) +{ + asnString_.length = sz; + asnString_.data = NEW_YS byte[sz + 1]; + memcpy(asnString_.data, str, sz); + asnString_.type = 0; // not used for now +} + + +StringHolder::~StringHolder() +{ + ysArrayDelete(asnString_.data); +} + + +ASN1_STRING* StringHolder::GetString() +{ + return &asnString_; +} + + } // namespace diff --git a/extra/yassl/taocrypt/benchmark/make.bat b/extra/yassl/taocrypt/benchmark/make.bat index 63391578cfa..4ebe4b32417 100644 --- a/extra/yassl/taocrypt/benchmark/make.bat +++ b/extra/yassl/taocrypt/benchmark/make.bat @@ -1,10 +1,9 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 -#set myFLAGS= /I../include /I../../mySTL /c /W3 cl %myFLAGS% benchmark.cpp -link.exe /out:benchmark.exe ../src/taocrypt.lib benchmark.obj +link.exe /out:benchmark.exe ../src/taocrypt.lib benchmark.obj advapi32.lib diff --git a/extra/yassl/taocrypt/include/asn.hpp b/extra/yassl/taocrypt/include/asn.hpp index 6a1163fbb1c..da4c0ce1349 100644 --- a/extra/yassl/taocrypt/include/asn.hpp +++ b/extra/yassl/taocrypt/include/asn.hpp 
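Review bot: `X509_NAME::GetEntry` allocates `entry_.data` as `byte[sz_]` but, when the last copied byte is non-zero, writes the terminator at `entry_.data[sz_ - i]`, which for `i == 0` is one byte past the allocation; allocate `entry_.data = NEW_YS byte[sz_ + 1];` so the terminator always fits. `StringHolder::StringHolder` has the mirror problem: it allocates `sz + 1` bytes but never writes `asnString_.data[sz] = 0`, so the extra byte stays uninitialised and anything that treats the data as a C string reads past `length`; it also accepts `int sz` without rejecting negative values. Separately, the entry returned is the whole tail of the name from index `i`, not one attribute value: for a subject like the `/CN=MySQL Client/emailAddress=...` strings in this commit's test results, a CN lookup yields `MySQL Client/emailAddress=...`, so a caller comparing the CN to a host name would see a mismatch — either stop at the next `/` or document that this differs from OpenSSL's per-entry semantics.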
@@ -79,20 +79,27 @@ enum ASNIdFlag enum DNTags { - COMMON_NAME = 0x03 + COMMON_NAME = 0x03, // CN + SUR_NAME = 0x04, // SN + COUNTRY_NAME = 0x06, // C + LOCALITY_NAME = 0x07, // L + STATE_NAME = 0x08, // ST + ORG_NAME = 0x0a, // O + ORGUNIT_NAME = 0x0b // OU }; enum Constants { MIN_DATE_SZ = 13, - MAX_DATE_SZ = 15, + MAX_DATE_SZ = 16, MAX_ALGO_SZ = 16, MAX_LENGTH_SZ = 5, MAX_SEQ_SZ = 5, // enum(seq|con) + length(4) MAX_ALGO_SIZE = 9, MAX_DIGEST_SZ = 25, // SHA + enum(Bit or Octet) + length(4) - DSA_SIG_SZ = 40 + DSA_SIG_SZ = 40, + NAME_MAX = 512 // max total of all included names }; @@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 }; // A Signing Authority class Signer { PublicKey key_; - char* name_; + char name_[NAME_MAX]; byte hash_[SHA_SIZE]; public: Signer(const byte* k, word32 kSz, const char* n, const byte* h); ~Signer(); const PublicKey& GetPublicKey() const { return key_; } - const char* GetCommonName() const { return name_; } + const char* GetName() const { return name_; } const byte* GetHash() const { return hash_; } private: @@ -245,6 +252,8 @@ public: const char* GetIssuer() const { return issuer_; } const char* GetCommonName() const { return subject_; } const byte* GetHash() const { return subjectHash_; } + const char* GetBeforeDate() const { return beforeDate_; } + const char* GetAfterDate() const { return afterDate_; } void DecodeToKey(); private: @@ -257,8 +266,10 @@ private: byte subjectHash_[SHA_SIZE]; // hash of all Names byte issuerHash_[SHA_SIZE]; // hash of all Names byte* signature_; - char* issuer_; // CommonName - char* subject_; // CommonName + char issuer_[NAME_MAX]; // Names + char subject_[NAME_MAX]; // Names + char beforeDate_[MAX_DATE_SZ]; // valid before date + char afterDate_[MAX_DATE_SZ]; // valid after date bool verify_; // Default to yes, but could be off void ReadHeader(); diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp index 3efc26ab168..383fe65dea6 100644 --- a/extra/yassl/taocrypt/src/asn.cpp 
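Review bot: `NAME_MAX` is also the POSIX macro from `<limits.h>` (typically 255), so wherever that header is visible before `asn.hpp` the enumerator `NAME_MAX = 512` expands to `255 = 512` and fails to compile, and where it is not the two values silently disagree; a name in the style of the neighbouring constants such as `MAX_NAME_SZ` avoids the clash. Switching `issuer_`, `subject_` and `Signer::name_` from heap strings to fixed `char[NAME_MAX]` arrays also moves all length enforcement into the decoder, so the comment should say exactly what the limit covers, e.g. `// max total of all names incl. "/CN="-style prefixes and the terminator`. The `beforeDate_`/`afterDate_` arrays are `MAX_DATE_SZ` (16) bytes and asn.cpp writes a terminator at `[length]`, so their comment should record that a date may be at most `MAX_DATE_SZ - 1` characters.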
+++ b/extra/yassl/taocrypt/src/asn.cpp @@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len) Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h) - : key_(k, kSz), name_(0) + : key_(k, kSz) { - if (n) { int sz = strlen(n); - name_ = NEW_TC char[sz + 1]; memcpy(name_, n, sz); name_[sz] = 0; - } memcpy(hash_, h, SHA::DIGEST_SIZE); } Signer::~Signer() { - tcArrayDelete(name_); } @@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key) CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers, bool noVerify, CertType ct) : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0), - signature_(0), issuer_(0), subject_(0), verify_(!noVerify) + signature_(0), verify_(!noVerify) { + issuer_[0] = 0; + subject_[0] = 0; + if (decode) Decode(signers, ct); + } CertDecoder::~CertDecoder() { - tcArrayDelete(subject_); - tcArrayDelete(issuer_); tcArrayDelete(signature_); } @@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt) SHA sha; word32 length = GetSequence(); // length of all distinguished names + assert (length < NAME_MAX); length += source_.get_index(); + char* ptr = (nt == ISSUER) ? issuer_ : subject_; + word32 idx = 0; + while (source_.get_index() < length) { GetSet(); GetSequence(); 
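Review bot: `Signer::Signer` now copies `strlen(n)` bytes into the fixed `name_[NAME_MAX]` member without checking the length, and the previous `if (n)` guard is gone, so a null `n` is undefined behaviour and a name of 512 or more characters overruns the array. Restore the guard and bound the copy, e.g. `size_t sz = n ? strlen(n) : 0; if (sz >= NAME_MAX) sz = NAME_MAX - 1;` ahead of the `memcpy`, and document on the constructor that the stored name is truncated to `NAME_MAX - 1` characters. Whether every caller passes a decoder-produced, already-bounded name is not visible here, so the check belongs in the constructor regardless.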
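Review bot: `assert (length < NAME_MAX)` is the only thing standing between a certificate's DN length and the fixed `issuer_`/`subject_` arrays, and `assert` compiles to nothing under `NDEBUG`, so in a release build an over-long DN is copied anyway by the `memcpy` calls in the `@@ -694` hunk below. Replace it with a real error path, `if (length >= NAME_MAX) { source_.SetError(<decoder error code for oversized DN>); return; }`, using whatever code the decoder has for malformed input. Note also that `length` is the encoded size of the DN sequence while `idx` counts `/CN=`-style prefixes plus the raw string bytes plus the terminator written in the `@@ -711` hunk, so the two are not the same quantity; the copy site should check `idx + prefix + strLen < NAME_MAX` itself rather than relying on the sequence length as a proxy. `GetName` continues past the end of this hunk.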
@@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt) byte id = source_.next(); b = source_.next(); // strType word32 strLen = GetLength(source_); + bool copy = false; if (id == COMMON_NAME) { - char*& ptr = (nt == ISSUER) ? issuer_ : subject_; - ptr = NEW_TC char[strLen + 1]; - memcpy(ptr, source_.get_current(), strLen); - ptr[strLen] = 0; + memcpy(&ptr[idx], "/CN=", 4); + idx += 4; + copy = true; + } + else if (id == SUR_NAME) { + memcpy(&ptr[idx], "/SN=", 4); + idx += 4; + copy = true; + } + else if (id == COUNTRY_NAME) { + memcpy(&ptr[idx], "/C=", 3); + idx += 3; + copy = true; + } + else if (id == LOCALITY_NAME) { + memcpy(&ptr[idx], "/L=", 3); + idx += 3; + copy = true; + } + else if (id == STATE_NAME) { + memcpy(&ptr[idx], "/ST=", 4); + idx += 4; + copy = true; } + else if (id == ORG_NAME) { + memcpy(&ptr[idx], "/O=", 3); + idx += 3; + copy = true; + } + else if (id == ORGUNIT_NAME) { + memcpy(&ptr[idx], "/OU=", 4); + idx += 4; + copy = true; + } + + if (copy) { + memcpy(&ptr[idx], source_.get_current(), strLen); + idx += strLen; + } + sha.Update(source_.get_current(), strLen); source_.advance(strLen); } @@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt) source_.advance(length); } } + ptr[idx++] = 0; + if (nt == ISSUER) sha.Final(issuerHash_); else @@ -744,6 +784,16 @@ void CertDecoder::GetDate(DateType dt) source_.SetError(BEFORE_DATE_E); else source_.SetError(AFTER_DATE_E); + + // save for later use + if (dt == BEFORE) { + memcpy(beforeDate_, date, length); + beforeDate_[length] = 0; + } + else { // after + memcpy(afterDate_, date, length); + afterDate_[length] = 0; + } } diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp index 82a248ff7da..885ddfbf630 100644 --- a/extra/yassl/taocrypt/src/integer.cpp +++ b/extra/yassl/taocrypt/src/integer.cpp 
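Review bot: The seven `else if` arms differ only in the tag and the prefix string, so a small lookup table would express the same mapping in a few lines and make the bounds check possible in one place; adding a tag then touches only the table and the `DNTags` enum. Each arm currently copies the prefix and then the attribute bytes into `ptr` with no check against the end of the buffer, which is the site where the `NAME_MAX` limit actually matters; the rewrite below checks before each `memcpy` and leaves the hash update untouched. The error code to report on overflow is not visible in this hunk and is left as a placeholder.

```cpp
            byte id = source_.next();
            b = source_.next(); // strType
            word32 strLen = GetLength(source_);

            // tag -> printable prefix; tags not listed are hashed but not copied
            static const struct { byte tag; const char* prefix; word32 len; } kNames[] = {
                { COMMON_NAME,   "/CN=", 4 }, { SUR_NAME,      "/SN=", 4 },
                { COUNTRY_NAME,  "/C=",  3 }, { LOCALITY_NAME, "/L=",  3 },
                { STATE_NAME,    "/ST=", 4 }, { ORG_NAME,      "/O=",  3 },
                { ORGUNIT_NAME,  "/OU=", 4 }
            };
            for (size_t k = 0; k < sizeof(kNames) / sizeof(kNames[0]); ++k) {
                if (id != kNames[k].tag)
                    continue;
                // prefix + value + terminator must fit the fixed-size name buffer
                if (idx + kNames[k].len + strLen >= NAME_MAX) {
                    source_.SetError(DN_TOO_LONG_E);  // PLACEHOLDER: use the decoder's real error code
                    return;
                }
                memcpy(&ptr[idx], kNames[k].prefix, kNames[k].len);
                idx += kNames[k].len;
                memcpy(&ptr[idx], source_.get_current(), strLen);
                idx += strLen;
                break;
            }

            sha.Update(source_.get_current(), strLen);
            source_.advance(strLen);
```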
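Review bot: `beforeDate_[length] = 0` and `afterDate_[length] = 0` write into `char[MAX_DATE_SZ]` arrays (16 bytes per asn.hpp in this commit), so they are in bounds only when `length <= MAX_DATE_SZ - 1`; the validation of `length` happens earlier in `GetDate`, outside the hunk, and it is not visible whether it rejects `length == MAX_DATE_SZ`, so either confirm that or guard the copy with `if (length >= MAX_DATE_SZ) return;`. The copy also runs after the date check just above has already called `SetError`; if that is intended, say so with a comment like `// saved even on error so the caller can report the offending date`. `CertDecoder::CertDecoder` in the `@@ -424` hunk zeroes `issuer_[0]` and `subject_[0]` but not the date arrays, so if decoding stops before `GetDate` runs, `GetBeforeDate()`/`GetAfterDate()` return uninitialised memory; initialise them in the constructor alongside the names.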
@@ -2428,7 +2428,7 @@ void PositiveMultiply(Integer& product, const Integer& a, const Integer& b) product.reg_.CleanNew(RoundupSize(aSize + bSize)); product.sign_ = Integer::POSITIVE; - WordBlock workspace(aSize + bSize); + AlignedWordBlock workspace(aSize + bSize); AsymmetricMultiply(product.reg_.get_buffer(), workspace.get_buffer(), a.reg_.get_buffer(), aSize, b.reg_.get_buffer(), bSize); } @@ -3375,7 +3375,7 @@ void PositiveDivide(Integer& remainder, Integer& quotient, quotient.reg_.CleanNew(RoundupSize(aSize-bSize+2)); quotient.sign_ = Integer::POSITIVE; - WordBlock T(aSize+2*bSize+4); + AlignedWordBlock T(aSize+2*bSize+4); Divide(remainder.reg_.get_buffer(), quotient.reg_.get_buffer(), T.get_buffer(), a.reg_.get_buffer(), aSize, b.reg_.get_buffer(), bSize); @@ -3595,7 +3595,7 @@ Integer Integer::InverseMod(const Integer &m) const return !u ? Zero() : (m*(*this-u)+1)/(*this); } - WordBlock T(m.reg_.size() * 4); + AlignedWordBlock T(m.reg_.size() * 4); Integer r((word)0, m.reg_.size()); unsigned k = AlmostInverse(r.reg_.get_buffer(), T.get_buffer(), reg_.get_buffer(), reg_.size(), diff --git a/extra/yassl/taocrypt/src/make.bat b/extra/yassl/taocrypt/src/make.bat index 5a2ae580b76..ecf7e8f8469 100644 --- a/extra/yassl/taocrypt/src/make.bat +++ b/extra/yassl/taocrypt/src/make.bat @@ -1,8 +1,7 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 -#set myFLAGS= /I../include /I../../mySTL /c /W3 /O1 cl %myFLAGS% aes.cpp cl %myFLAGS% aestables.cpp diff --git a/extra/yassl/taocrypt/src/misc.cpp b/extra/yassl/taocrypt/src/misc.cpp index 3d0539187a7..4ef163a7f5d 100644 --- a/extra/yassl/taocrypt/src/misc.cpp +++ b/extra/yassl/taocrypt/src/misc.cpp 
@@ -25,6 +25,15 @@ #include "runtime.hpp" #include "misc.hpp" + +extern "C" { + + // for libcurl configure test, these are the signatures they use + // locking handled internally by library + char CRYPTO_lock() { return 0;} + char CRYPTO_add_lock() { return 0;} +} // extern "C" + #ifdef YASSL_PURE_C void* operator new(size_t sz, TaoCrypt::new_t) diff --git a/extra/yassl/taocrypt/src/template_instnt.cpp b/extra/yassl/taocrypt/src/template_instnt.cpp index 12bcd8238f2..5efd2d32a10 100644 --- a/extra/yassl/taocrypt/src/template_instnt.cpp +++ b/extra/yassl/taocrypt/src/template_instnt.cpp @@ -30,11 +30,11 @@ #include "sha.hpp" #include "md5.hpp" #include "hmac.hpp" -#include "ripemd.hpp" #include "pwdbased.hpp" #include "algebra.hpp" #include "vector.hpp" #include "hash.hpp" +#include "ripemd.hpp" #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION namespace TaoCrypt { diff --git a/extra/yassl/taocrypt/taocrypt.dsp b/extra/yassl/taocrypt/taocrypt.dsp index 13b9a07419b..b741cef0096 100644 --- a/extra/yassl/taocrypt/taocrypt.dsp +++ b/extra/yassl/taocrypt/taocrypt.dsp @@ -64,7 +64,8 @@ LIB32=link.exe -lib # PROP Intermediate_Dir "Debug" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /ZI /Od /I "include" /I "..\mySTL" /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MTd /W3 /Gm /ZI /Od /I "include" /I "..\mySTL" /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c +# SUBTRACT CPP /Fr # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" BSC32=bscmake.exe diff --git a/extra/yassl/taocrypt/test/make.bat b/extra/yassl/taocrypt/test/make.bat index e1a4cbce7cd..5f01db68d0d 100644 --- a/extra/yassl/taocrypt/test/make.bat +++ b/extra/yassl/taocrypt/test/make.bat 
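Review bot: `CRYPTO_lock` and `CRYPTO_add_lock` are exported with C linkage under the names of real OpenSSL entry points but with an unrelated `char (void)` signature, so a binary that resolves them expecting OpenSSL's semantics calls a function with the wrong prototype and gets no locking at all. The comment says they exist for libcurl's configure probe; make that contract explicit so nobody relies on them, e.g. `// link-time stubs only (libcurl configure probe): not OpenSSL-compatible, never call`. If the probe only needs the symbols to link, keeping them out of the library's default symbol export would avoid advertising them, but that is a packaging decision outside this hunk.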
@@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 diff --git a/extra/yassl/testsuite/make.bat b/extra/yassl/testsuite/make.bat index d8a55b0d3af..1bc7ce0513d 100644 --- a/extra/yassl/testsuite/make.bat +++ b/extra/yassl/testsuite/make.bat @@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../taocrypt/include /I../mySTL /c /W3 /G6 /O2 /MT /D"WIN32" /D"NO_MAIN_DRIVER" diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp index 79d02b63558..259975fba0b 100644 --- a/extra/yassl/testsuite/test.hpp +++ b/extra/yassl/testsuite/test.hpp @@ -27,7 +27,7 @@ #endif /* _WIN32 */ -#if defined(__MACH__) || defined(_WIN32) +#if !defined(_SOCKLEN_T) && (defined(__MACH__) || defined(_WIN32)) typedef int socklen_t; #endif @@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl) char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0); printf("peer's cert info:\n"); - printf("issuer is: %s\n", issuer); - printf("subject is: %s\n", subject); + printf("issuer : %s\n", issuer); + printf("subject: %s\n", subject); free(subject); free(issuer); diff --git a/extra/yassl/testsuite/testsuite.cpp b/extra/yassl/testsuite/testsuite.cpp index af988432a86..1cf6a78ebe7 100644 --- a/extra/yassl/testsuite/testsuite.cpp +++ b/extra/yassl/testsuite/testsuite.cpp @@ -91,6 +91,7 @@ int main(int argc, char** argv) assert(memcmp(input, output, sizeof(input)) == 0); printf("\nAll tests passed!\n"); + yaSSL_CleanUp(); return 0; } 
@@ -146,10 +147,10 @@ int test_openSSL_des() (byte*)key, iv); byte cipher[16]; - DES_ede3_cbc_encrypt((byte*)data, cipher, dataSz, &key[0], &key[8], - &key[16], &iv, true); + DES_ede3_cbc_encrypt((byte*)data, cipher, dataSz, &key[0], &key[1], + &key[2], &iv, true); byte plain[16]; - DES_ede3_cbc_encrypt(cipher, plain, 16, &key[0], &key[8], &key[16], + DES_ede3_cbc_encrypt(cipher, plain, 16, &key[0], &key[1], &key[2], &iv, false); return 0; } diff --git a/extra/yassl/testsuite/testsuite.dsp b/extra/yassl/testsuite/testsuite.dsp index f896aa7f020..24c325fa878 100644 --- a/extra/yassl/testsuite/testsuite.dsp +++ b/extra/yassl/testsuite/testsuite.dsp @@ -42,7 +42,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX- /O2 /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /YX /FD /c +# ADD CPP /nologo /MT /W3 /O2 /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /YX /FD /c # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" BSC32=bscmake.exe @@ -67,7 +67,7 @@ LINK32=link.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX- /ZI /Od /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MTd /W3 /Gm /ZI /Od /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /FR /YX /FD /GZ /c # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" BSC32=bscmake.exe diff --git a/include/mysql.h b/include/mysql.h index 6217ce631b5..3a71e47f414 100644 --- a/include/mysql.h 
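Review bot: The three sub-keys are now taken from `&key[0]`, `&key[1]` and `&key[2]` instead of byte offsets 0, 8 and 16, which is only correct if the declaration of `key` (outside the hunk) changed to an array of 8-byte blocks; if it is still a flat byte array the sub-keys overlap by seven bytes and the test no longer exercises three independent DES keys. The `(byte*)key` cast a few lines up suggests the element type is no longer `byte`, but the declaration should be checked. A comment at the call site, `// key is an array of three 8-byte blocks`, or a compile-time size check in the style of the `typedef char ok[...]` trick used in ssl.cpp would pin the assumption.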
+++ b/include/mysql.h @@ -149,7 +149,8 @@ enum mysql_option MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT, MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION, MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH, - MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT + MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT, + MYSQL_OPT_SSL_VERIFY_SERVER_CERT }; struct st_mysql_options { @@ -164,6 +165,7 @@ struct st_mysql_options { char *ssl_ca; /* PEM CA file */ char *ssl_capath; /* PEM directory of CA-s? */ char *ssl_cipher; /* cipher to use */ + my_bool ssl_verify_server_cert; /* if to verify server cert */ char *shared_memory_base_name; unsigned long max_allowed_packet; my_bool use_ssl; /* if to use SSL or not */ diff --git a/include/sslopt-longopts.h b/include/sslopt-longopts.h index dc3b0922327..f444a7eb7ce 100644 --- a/include/sslopt-longopts.h +++ b/include/sslopt-longopts.h @@ -37,5 +37,10 @@ {"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).", (gptr*) &opt_ssl_cipher, (gptr*) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, - +#ifdef MYSQL_CLIENT + {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT, + "Verify servers \"Common Name\" in it's cert against hostname used when connecting. This option is disabled by default.", + (gptr*) &opt_ssl_verify_server_cert, (gptr*) &opt_ssl_verify_server_cert, + 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, +#endif #endif /* HAVE_OPENSSL */ diff --git a/include/sslopt-vars.h b/include/sslopt-vars.h index 164cf541381..8e5f3434396 100644 --- a/include/sslopt-vars.h +++ b/include/sslopt-vars.h @@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0; static char *opt_ssl_ca = 0; static char *opt_ssl_capath = 0; static char *opt_ssl_cipher = 0; +#ifdef MYSQL_CLIENT +static my_bool opt_ssl_verify_server_cert= 0; +#endif #endif diff --git a/include/violite.h b/include/violite.h index b48f3724f5b..fd870177c68 100644 --- a/include/violite.h +++ b/include/violite.h 
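Review bot: `my_bool ssl_verify_server_cert` is inserted in the middle of `struct st_mysql_options`, which shifts every later member (`shared_memory_base_name`, `max_allowed_packet`, `use_ssl`, ...); since `mysql.h` is the public client header, a program compiled against the previous layout that touches those fields will read the wrong member. Whether `st_mysql_options` is documented as private to the library is not visible here; if it is not, append the field at the end of the struct instead, as was done for `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` in the enum above. The field also wants a clearer comment than `/* if to verify server cert */`, e.g. `/* verify the server certificate's Common Name against the host name used to connect */`.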
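Review bot: The help string reads `Verify servers \"Common Name\" in it's cert` — it should be `server's` and `its`, and since this text is printed by `--help` in every client it is worth fixing before release. The sentence `This option is disabled by default.` should also tell the user what they get without it: with the option off an SSL connection is encrypted but the client does not check that the certificate's Common Name matches the host it connected to, so a reader can judge whether to turn it on. Consider `\"Verify the server's Common Name in its certificate against the host name used when connecting. Off by default.\"`.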
@@ -105,33 +105,22 @@ void vio_timeout(Vio *vio,uint which, uint timeout); #include <openssl/ssl.h> #include <openssl/err.h> -struct st_VioSSLAcceptorFd +struct st_VioSSLFd { SSL_CTX *ssl_context; - SSL_METHOD *ssl_method; - struct st_VioSSLAcceptorFd *session_id_context; }; -/* One copy for client */ -struct st_VioSSLConnectorFd -{ - SSL_CTX *ssl_context; - /* function pointers which are only once for SSL client */ - SSL_METHOD *ssl_method; -}; - -int sslaccept(struct st_VioSSLAcceptorFd*, Vio *, long timeout); -int sslconnect(struct st_VioSSLConnectorFd*, Vio *, long timeout); +int sslaccept(struct st_VioSSLFd*, Vio *, long timeout); +int sslconnect(struct st_VioSSLFd*, Vio *, long timeout); -struct st_VioSSLConnectorFd +struct st_VioSSLFd *new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, const char *cipher); -struct st_VioSSLAcceptorFd +struct st_VioSSLFd *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file,const char *ca_path, const char *cipher); -Vio *new_VioSSL(struct st_VioSSLAcceptorFd *fd, Vio *sd, int state); #endif /* HAVE_OPENSSL */ #ifdef HAVE_SMEM @@ -140,6 +129,8 @@ int vio_write_shared_memory(Vio *vio, const gptr buf, int size); int vio_close_shared_memory(Vio * vio); #endif +void vio_end(void); + #ifdef __cplusplus } #endif @@ -204,7 +195,9 @@ struct st_vio my_bool (*was_interrupted)(Vio*); int (*vioclose)(Vio*); void (*timeout)(Vio*, unsigned int which, unsigned int timeout); +#ifdef HAVE_OPENSSL void *ssl_arg; +#endif #ifdef HAVE_SMEM HANDLE handle_file_map; char *handle_map; diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index bfec476fde3..7713fd8dd4d 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -188,6 +188,7 @@ void STDCALL mysql_server_end() mysql_thread_end(); finish_client_errs(); free_charsets(); + vio_end(); mysql_client_init= org_my_init_done= 0; #ifdef EMBEDDED_SERVER if (stderror_file) 
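Review bot: Wrapping `void *ssl_arg;` in `#ifdef HAVE_OPENSSL` makes the size and layout of `struct st_vio` depend on a build macro, so every translation unit that includes `violite.h` must see the same definition of `HAVE_OPENSSL` or the members after `ssl_arg` are read at different offsets (the `HAVE_SMEM` block already has this property); the header should say so, e.g. `/* layout depends on HAVE_OPENSSL/HAVE_SMEM: all objects must be built with the same config */`. The new `vio_end(void)` prototype is added without a comment; a line stating what it tears down and when it is safe to call would help — from the `mysql_server_end()` call site in libmysql.c in this commit it appears to be a once-per-process teardown, but its body is not in this diff, so that should be confirmed.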
diff --git a/mysql-test/Makefile.am b/mysql-test/Makefile.am index 33598748397..73074397086 100644 --- a/mysql-test/Makefile.am +++ b/mysql-test/Makefile.am @@ -100,15 +100,15 @@ install-data-local: uninstall-local: @RM@ -f -r $(DESTDIR)$(testdir) -std_data/client-key.pem: +std_data/client-key.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/client-cert.pem: +std_data/client-cert.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/cacert.pem: +std_data/cacert.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/server-cert.pem: +std_data/server-cert.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/server-key.pem: +std_data/server-key.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data SUFFIXES = .sh diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index 25c1f6c1ddc..e57a5da2c79 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl @@ -134,7 +134,6 @@ our $glob_win32= 0; # OS and native Win32 executables our $glob_win32_perl= 0; # ActiveState Win32 Perl our $glob_cygwin_perl= 0; # Cygwin Perl our $glob_cygwin_shell= undef; -our $glob_use_libtool= 1; our $glob_mysql_test_dir= undef; our $glob_mysql_bench_dir= undef; our $glob_hostname= undef; @@ -189,6 +188,7 @@ our $exe_slave_mysqld; our $exe_im; our $exe_my_print_defaults; our $lib_udf_example; +our $exe_libtool; our $opt_bench= 0; our $opt_small_bench= 0; @@ -376,7 +376,6 @@ sub main () { check_ndbcluster_support(); # We check whether to actually use it later check_ssl_support(); - check_running_as_root(); environment_setup(); signal_setup(); 
@@ -443,12 +442,6 @@ sub initial_setup () { $glob_cygwin_perl= ($^O eq "cygwin"); $glob_win32= ($glob_win32_perl or $glob_cygwin_perl); - # Use libtool on all platforms except windows - if ( $glob_win32 ) - { - $glob_use_libtool= 0; - } - # We require that we are in the "mysql-test" directory # to run mysql-test-run @@ -1000,6 +993,21 @@ sub snapshot_setup () { sub executable_setup () { + # + # Check if libtool is available in this distribution/clone + # we need it when valgrinding or debugging non installed binary + # Otherwise valgrind will valgrind the libtool wrapper or bash + # and gdb will not find the real executable to debug + # + if ( -x "../libtool") + { + $exe_libtool= "../libtool"; + if ($opt_valgrind or $glob_debugger) + { + mtr_report("Using \"$exe_libtool\" when running valgrind or debugger"); + } + } + if ( $opt_source_dist ) { if ( $glob_win32 ) @@ -1336,7 +1344,7 @@ sub kill_and_cleanup () { sub check_running_as_root () { # Check if running as root # i.e a file can be read regardless what mode we set it to - my $test_file= "test_running_as_root.txt"; + my $test_file= "$opt_vardir/test_running_as_root.txt"; mtr_tofile($test_file, "MySQL"); chmod(oct("0000"), $test_file); @@ -1653,6 +1661,7 @@ sub initialize_servers () { save_installed_db(); } } + check_running_as_root(); } } @@ -2625,6 +2634,15 @@ sub mysqld_start ($$$$$) { $exe= undef; } + if ($exe_libtool and $opt_valgrind) + { + # Add "libtool --mode-execute" + # if running in valgrind(to avoid valgrinding bash) + unshift(@$args, "--mode=execute", $exe); + $exe= $exe_libtool; + } + + if ( $type eq 'master' ) { if ( ! defined $exe or 
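Review bot: The `if ($exe_libtool and $opt_valgrind)` block in `mysqld_start` that prepends `--mode=execute` and swaps `$exe` for `$exe_libtool` is written out again in `run_mysqltest` (the `@@ -3122` hunk further down), so the two can drift; a small helper such as `mtr_wrap_in_libtool(\$args, \$exe)` called from both places would keep them in step. Also `executable_setup` tests `-x "../libtool"` relative to the current directory; the script already insists on being run from `mysql-test`, so this works, but a comment saying the path is relative to that directory would save the next reader a search.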
@@ -3122,12 +3140,12 @@ sub run_mysqltest ($) { debugger_arguments(\$args, \$exe, "client"); } - if ($glob_use_libtool and $opt_valgrind) + if ($exe_libtool and $opt_valgrind) { # Add "libtool --mode-execute" before the test to execute # if running in valgrind(to avoid valgrinding bash) unshift(@$args, "--mode=execute", $exe); - $exe= "libtool"; + $exe= $exe_libtool; } if ( $opt_check_testcases ) @@ -3197,9 +3215,9 @@ sub gdb_arguments { mtr_add_arg($$args, "$type"); mtr_add_arg($$args, "-e"); - if ( $glob_use_libtool ) + if ( $exe_libtool ) { - mtr_add_arg($$args, "libtool"); + mtr_add_arg($$args, $exe_libtool); mtr_add_arg($$args, "--mode=execute"); } @@ -3259,9 +3277,9 @@ sub ddd_arguments { my $save_exe= $$exe; $$args= []; - if ( $glob_use_libtool ) + if ( $exe_libtool ) { - $$exe= "libtool"; + $$exe= $exe_libtool; mtr_add_arg($$args, "--mode=execute"); mtr_add_arg($$args, "ddd"); } @@ -3282,6 +3300,8 @@ sub debugger_arguments { my $exe= shift; my $debugger= $opt_debugger || $opt_client_debugger; + # FIXME Need to change the below "eq"'s to + # "case unsensitive string contains" if ( $debugger eq "vcexpress" or $debugger eq "vc") { # vc[express] /debugexe exe arg1 .. argn diff --git a/mysql-test/r/information_schema.result b/mysql-test/r/information_schema.result index d5fb046d319..5224971890a 100644 --- a/mysql-test/r/information_schema.result +++ b/mysql-test/r/information_schema.result @@ -1083,11 +1083,6 @@ DROP TABLE t1; DROP VIEW v1; DROP FUNCTION func1; DROP FUNCTION func2; -create database mysqltest; -create table mysqltest.t1(a int); -select table_schema from information_schema.tables where table_schema='mysqltest'; -table_schema -drop database mysqltest; select column_type, group_concat(table_schema, '.', table_name), count(*) as num from information_schema.columns where table_schema='information_schema' and 
diff --git a/mysql-test/r/information_schema_chmod.result b/mysql-test/r/information_schema_chmod.result new file mode 100644 index 00000000000..36124559439 --- /dev/null +++ b/mysql-test/r/information_schema_chmod.result @@ -0,0 +1,5 @@ +create database mysqltest; +create table mysqltest.t1(a int); +select table_schema from information_schema.tables where table_schema='mysqltest'; +table_schema +drop database mysqltest; diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result index 91382619b6c..1fcfb11525e 100644 --- a/mysql-test/r/openssl_1.result +++ b/mysql-test/r/openssl_1.result @@ -3,8 +3,8 @@ create table t1(f1 int); insert into t1 values (5); grant select on test.* to ssl_user1@localhost require SSL; grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; -grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com"; -grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@mysql.com"; flush privileges; SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value 
@@ -41,3 +41,10 @@ ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1 drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost; drop table t1; +mysqltest: Could not open connection 'default': 2026 SSL connection error +mysqltest: Could not open connection 'default': 2026 SSL connection error +mysqltest: Could not open connection 'default': 2026 SSL connection error +Error when connection to server using SSL:Unable to get private key from '' +mysqltest: Could not open connection 'default': 2026 SSL connection error +Error when connection to server using SSL:Unable to get certificate from '' +mysqltest: Could not open connection 'default': 2026 SSL connection error diff --git a/mysql-test/std_data/untrusted-cacert.pem b/mysql-test/std_data/untrusted-cacert.pem new file mode 100644 index 00000000000..981dd004fc6 --- /dev/null +++ b/mysql-test/std_data/untrusted-cacert.pem 
@@ -0,0 +1,53 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 20:12:32 2005 GMT + Not After : Oct 15 20:12:32 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:cf:2b:14:00:b0:3c:df:6f:9e:91:40:ec:c8:f6: + 90:b2:5b:b4:70:80:a5:a4:0a:73:c7:44:f3:2a:26: + c4:2f:f1:3a:f1:c3:c4:ac:fc:c3:d2:c3:bf:f5:d7: + 6a:38:42:ad:22:ab:c8:c4:4b:4c:1d:16:af:05:34: + 7d:79:97:5e:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + X509v3 Authority Key Identifier: + keyid:CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + DirName:/C=US/ST=Oregon/L=Portland/O=sawtooth/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + 27:f7:3d:fb:39:6f:73:a4:86:f3:a0:48:22:60:84:e9:5c:3d: + 28:36:05:16:44:98:07:87:e1:5d:b5:f3:a7:bc:33:5f:f4:29: + a9:5f:87:33:df:e6:8e:bd:e2:f3:0a:c8:00:69:ae:3d:41:47: + 03:ea:0b:4c:67:45:4b:ab:f3:39 +-----BEGIN CERTIFICATE----- +MIIC7zCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCVVMx +DzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxETAPBgNVBAoTCHNh +d3Rvb3RoMSQwIgYDVQQDExt3d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAb +BgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTA1MDExODIwMTIzMloXDTA3 +MTAxNTIwMTIzMlowgYkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xETAP +BgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290aDEkMCIGA1UEAxMbd3d3 +LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlh +c3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDPKxQAsDzfb56RQOzI9pCy 
+W7RwgKWkCnPHRPMqJsQv8Trxw8Ss/MPSw7/112o4Qq0iq8jES0wdFq8FNH15l17h +AgMBAAGjgekwgeYwHQYDVR0OBBYEFMsPH+midnHJ5ugjpsEYt8xEz7mEMIG2BgNV +HSMEga4wgauAFMsPH+midnHJ5ugjpsEYt8xEz7mEoYGPpIGMMIGJMQswCQYDVQQG +EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDERMA8GA1UE +ChMIc2F3dG9vdGgxJDAiBgNVBAMTG3d3dy5zYXd0b290aC1jb25zdWx0aW5nLmNv +bTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb22CAQAwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQQFAANBACf3Pfs5b3OkhvOgSCJghOlcPSg2BRZEmAeH4V21 +86e8M1/0KalfhzPf5o694vMKyABprj1BRwPqC0xnRUur8zk= +-----END CERTIFICATE----- diff --git a/mysql-test/t/disabled.def b/mysql-test/t/disabled.def index 1b587eea40f..007847fab37 100644 --- a/mysql-test/t/disabled.def +++ b/mysql-test/t/disabled.def @@ -11,4 +11,3 @@ ############################################################################## ndb_load : Bug#17233 -udf : Not yet diff --git a/mysql-test/t/information_schema.test b/mysql-test/t/information_schema.test index 90b0fd95eee..11178adbc9b 100644 --- a/mysql-test/t/information_schema.test +++ b/mysql-test/t/information_schema.test @@ -793,15 +793,6 @@ DROP VIEW v1; DROP FUNCTION func1; DROP FUNCTION func2; -# -# Bug #15851 Unlistable directories yield no info from information_schema -# -create database mysqltest; -create table mysqltest.t1(a int); ---exec chmod -r $MYSQLTEST_VARDIR/master-data/mysqltest -select table_schema from information_schema.tables where table_schema='mysqltest'; ---exec chmod +r $MYSQLTEST_VARDIR/master-data/mysqltest -drop database mysqltest; # # Bug#15307 GROUP_CONCAT() with ORDER BY returns empty set on information_schema diff --git a/mysql-test/t/information_schema_chmod.test b/mysql-test/t/information_schema_chmod.test new file mode 100644 index 00000000000..fb850b8e38d --- /dev/null +++ b/mysql-test/t/information_schema_chmod.test 
@@ -0,0 +1,20 @@ +# +# Due to "Bug#18474 Unlistable directories yield no info from +# information_schema, part2" this test can't be run on Window with our +# current test framework. When "chmod -r" is done within cygwin the +# MySQL Server can still read the directory. +# Manual testing shows the functionalty to skip unlistable directories +# works on windows +# +--source include/not_windows.inc + + +# +# Bug #15851 Unlistable directories yield no info from information_schema +# +create database mysqltest; +create table mysqltest.t1(a int); +--exec chmod -r $MYSQLTEST_VARDIR/master-data/mysqltest +select table_schema from information_schema.tables where table_schema='mysqltest'; +--exec chmod +r $MYSQLTEST_VARDIR/master-data/mysqltest +drop database mysqltest; diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test index 4cc9113048f..afee381f5b7 100644 --- a/mysql-test/t/openssl_1.test +++ b/mysql-test/t/openssl_1.test 
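Review bot: Nothing restores the permission if the select between the two chmod lines fails: the `--exec chmod +r` is a plain follow-on statement, so any abort between them leaves `$MYSQLTEST_VARDIR/master-data/mysqltest` unreadable for every later test in the run. Making the restore unconditional, or ordering the statements so the `chmod +r` precedes anything that can fail, would keep the test self-contained. The header comment also carries two typos, `Window` and `functionalty`.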
@@ -10,8 +10,8 @@ insert into t1 values (5); grant select on test.* to ssl_user1@localhost require SSL; grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; -grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com"; -grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@mysql.com"; flush privileges; connect (con1,localhost,ssl_user1,,,,,SSL); 
@@ -54,3 +54,41 @@ ssl_user3@localhost, ssl_user4@localhost; drop table t1; # End of 4.1 tests + +# +# Test that we can't open connection to server if we are using +# a different cacert +# +--exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql +--error 1 +--exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a blank ca +# +--error 1 +--exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a nonexistent ca file +# +--error 1 +--exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a blank client-key +# +--error 1 +--exec $MYSQL_TEST --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a blank client-cert +# +--error 1 +--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + + diff --git a/sql-common/client.c b/sql-common/client.c index 72745d72b12..26ebc9cc6b0 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , mysql->options.ssl_ca= strdup_if_not_null(ca); mysql->options.ssl_capath= strdup_if_not_null(capath); mysql->options.ssl_cipher= strdup_if_not_null(cipher); + mysql->options.ssl_verify_server_cert= FALSE; /* Off by default */ #endif /* HAVE_OPENSSL */ DBUG_RETURN(0); } 
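Review bot: mysql_ssl_set unconditionally writes `ssl_verify_server_cert= FALSE`, so a program that enables verification through mysql_options(MYSQL_OPT_SSL_VERIFY_SERVER_CERT) before calling mysql_ssl_set has it silently switched off again, and the hostname check in CLI_MYSQL_REAL_CONNECT never runs. The default belongs where the rest of mysql->options is initialised (not in this diff), with this line removed; if it has to stay, the comment should at least read `/* Off by default; NOTE: overrides any earlier MYSQL_OPT_SSL_VERIFY_SERVER_CERT */` so the ordering constraint is visible. mysql_ssl_set's signature and the start of its body lie before this hunk.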
@@ -1514,17 +1515,16 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , static void mysql_ssl_free(MYSQL *mysql __attribute__((unused))) { - struct st_VioSSLConnectorFd *st= - (struct st_VioSSLConnectorFd*) mysql->connector_fd; + struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd; DBUG_ENTER("mysql_ssl_free"); my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_cert, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR)); - my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR)); - if (st) - SSL_CTX_free(st->ssl_context); + my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR)); + if (ssl_fd) + SSL_CTX_free(ssl_fd->ssl_context); my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR)); mysql->options.ssl_key = 0; mysql->options.ssl_cert = 0; 
@@ -1556,6 +1556,77 @@ mysql_get_ssl_cipher(MYSQL *mysql) DBUG_RETURN(NULL); } + +/* + Check the server's (subject) Common Name against the + hostname we connected to + + SYNOPSIS + ssl_verify_server_cert() + vio pointer to a SSL connected vio + server_hostname name of the server that we connected to + + RETURN VALUES + 0 Success + 1 Failed to validate server + + */ +static int ssl_verify_server_cert(Vio *vio, const char* server_hostname) +{ + SSL *ssl; + X509 *server_cert; + char *cp1, *cp2; + char buf[256]; + DBUG_ENTER("ssl_verify_server_cert"); + DBUG_PRINT("enter", ("server_hostname: %s", server_hostname)); + + if (!(ssl= (SSL*)vio->ssl_arg)) + { + DBUG_PRINT("error", ("No SSL pointer found")); + DBUG_RETURN(1); + } + + if (!server_hostname) + { + DBUG_PRINT("error", ("No server hostname supplied")); + DBUG_RETURN(1); + } + + if (!(server_cert= SSL_get_peer_certificate(ssl))) + { + DBUG_PRINT("error", ("Could not get server certificate")); + DBUG_RETURN(1); + } + + /* + We already know that the certificate exchanged was valid; the SSL library + handled that. Now we need to verify that the contents of the certificate + are what we expect. + */ + + X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + X509_free (server_cert); + + DBUG_PRINT("info", ("hostname in cert: %s", buf)); + cp1= strstr(buf, "/CN="); + if (cp1) + { + cp1+= 4; /* Skip the "/CN=" that we found */ + /* Search for next / which might be the delimiter for email */ + cp2= strchr(cp1, '/'); + if (cp2) + *cp2= '\0'; + DBUG_PRINT("info", ("Server hostname in cert: %s", cp1)); + if (!strcmp(cp1, server_hostname)) + { + /* Success */ + DBUG_RETURN(0); + } + } + DBUG_PRINT("error", ("SSL certificate validation failure")); + DBUG_RETURN(1); +} + #endif /* HAVE_OPENSSL */ @@ -1589,7 +1660,6 @@ static MYSQL_METHODS client_methods= #endif }; - MYSQL * CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, const char *passwd, const char *db, 
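Review bot: The Common Name is located by `strstr(buf, "/CN=")` on the X509_NAME_oneline form, which is not anchored to an RDN boundary: a '/' inside another attribute's value is not escaped in that representation, so a subject whose O or OU value contains `/CN=<hostname>` is matched before the real CN, and the check only ever looks at the first match. Reading the attribute directly with X509_NAME_get_text_by_NID(NID_commonName) avoids the textual parse (assuming the yaSSL compatibility layer in use provides it); the rewritten tail of the function is below, and cp1/cp2 become unused and should be dropped. Two further caveats: `strcmp` is case-sensitive while DNS names are not, and subjectAltName is never consulted, so a certificate carrying the hostname only in a SAN entry fails. The comment "We already know that the certificate exchanged was valid" depends on the verify mode and callback configured in viosslfactories.c, outside this hunk, which should be confirmed to actually fail the handshake on a chain error rather than override it.
```c
  /* … unchanged: ssl / server_hostname / peer-certificate null checks … */

  /*
    Read the CN attribute itself rather than scanning the one-line
    subject for "/CN=", which can also match inside another attribute value.
  */
  if (X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert),
                                NID_commonName, buf, sizeof(buf)) > 0)
  {
    DBUG_PRINT("info", ("Server hostname in cert: %s", buf));
    if (!strcmp(buf, server_hostname))
    {
      X509_free(server_cert);
      DBUG_RETURN(0);
    }
  }
  X509_free(server_cert);
  DBUG_PRINT("error", ("SSL certificate validation failure"));
  DBUG_RETURN(1);
```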
@@ -2034,37 +2104,52 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, mysql->client_flag=client_flag; #ifdef HAVE_OPENSSL - /* - Oops.. are we careful enough to not send ANY information without - encryption? - */ if (client_flag & CLIENT_SSL) { + /* Do the SSL layering. */ struct st_mysql_options *options= &mysql->options; + struct st_VioSSLFd *ssl_fd; + + /* + Send client_flag, max_packet_size - unencrypted otherwise + the server does not know we want to do SSL + */ if (my_net_write(net,buff,(uint) (end-buff)) || net_flush(net)) { set_mysql_error(mysql, CR_SERVER_LOST, unknown_sqlstate); goto error; } - /* Do the SSL layering. */ - if (!(mysql->connector_fd= - (gptr) new_VioSSLConnectorFd(options->ssl_key, - options->ssl_cert, - options->ssl_ca, - options->ssl_capath, - options->ssl_cipher))) + + /* Create the VioSSLConnectorFd - init SSL and load certs */ + if (!(ssl_fd= new_VioSSLConnectorFd(options->ssl_key, + options->ssl_cert, + options->ssl_ca, + options->ssl_capath, + options->ssl_cipher))) { set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); goto error; } + mysql->connector_fd= (void*)ssl_fd; + + /* Connect to the server */ DBUG_PRINT("info", ("IO layer change in progress...")); - if (sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd), - mysql->net.vio, (long) (mysql->options.connect_timeout))) + if (sslconnect(ssl_fd, mysql->net.vio, + (long) (mysql->options.connect_timeout))) { set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); goto error; } DBUG_PRINT("info", ("IO layer change done!")); + + /* Verify server cert */ + if (mysql->options.ssl_verify_server_cert && + ssl_verify_server_cert(mysql->net.vio, mysql->host)) + { + set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); + goto error; + } + } #endif /* HAVE_OPENSSL */ 
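Review bot: All three failure paths in the new SSL block (context creation, handshake, and the hostname check) set the same CR_SSL_CONNECTION_ERROR, so an application cannot tell a server-identity mismatch from a plain transport failure, which is the one case a user who enabled ssl_verify_server_cert needs to see distinctly. At minimum the verify failure deserves its own trace before `goto error`, e.g. `DBUG_PRINT("error", ("server certificate CN does not match host '%s'", mysql->host));`, and ideally a distinct client error code. Note also that the check is keyed on `mysql->host`: when that is unset, ssl_verify_server_cert's hostname guard returns 1, so the connection fails outright rather than the check being skipped. CLI_MYSQL_REAL_CONNECT begins and ends outside this hunk.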
@@ -2804,6 +2889,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg) case MYSQL_OPT_RECONNECT: mysql->reconnect= *(my_bool *) arg; break; + case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: + mysql->options.ssl_verify_server_cert= *(my_bool *) arg; + break; default: DBUG_RETURN(1); } diff --git a/sql/item_func.cc b/sql/item_func.cc index 0447ab115ec..f2f2cd9b4ed 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2734,9 +2734,10 @@ String *udf_handler::val_str(String *str,String *save_str) { uchar is_null_tmp=0; ulong res_length; + DBUG_ENTER("udf_handler::val_str"); if (get_arguments()) - return 0; + DBUG_RETURN(0); char * (*func)(UDF_INIT *, UDF_ARGS *, char *, ulong *, uchar *, uchar *)= (char* (*)(UDF_INIT *, UDF_ARGS *, char *, ulong *, uchar *, uchar *)) u_d->func; @@ -2746,22 +2747,26 @@ String *udf_handler::val_str(String *str,String *save_str) if (str->alloc(MAX_FIELD_WIDTH)) { error=1; - return 0; + DBUG_RETURN(0); } } char *res=func(&initid, &f_args, (char*) str->ptr(), &res_length, &is_null_tmp, &error); + DBUG_PRINT("info", ("udf func returned, res_length: %lu", res_length)); if (is_null_tmp || !res || error) // The !res is for safety { - return 0; + DBUG_PRINT("info", ("Null or error")); + DBUG_RETURN(0); } if (res == str->ptr()) { str->length(res_length); - return str; + DBUG_PRINT("exit", ("str: %s", str->ptr())); + DBUG_RETURN(str); } save_str->set(res, res_length, str->charset()); - return save_str; + DBUG_PRINT("exit", ("save_str: %s", save_str->ptr())); + DBUG_RETURN(save_str); } diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h index 779e2e277d5..1ce9dd78d2c 100644 --- a/sql/mysql_priv.h +++ b/sql/mysql_priv.h @@ -1310,7 +1310,7 @@ extern pthread_t signal_thread; #endif #ifdef HAVE_OPENSSL -extern struct st_VioSSLAcceptorFd * ssl_acceptor_fd; +extern struct st_VioSSLFd * ssl_acceptor_fd; #endif /* HAVE_OPENSSL */ MYSQL_LOCK *mysql_lock_tables(THD *thd, TABLE **table, uint count, 
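Review bot: The two new exit traces in udf_handler::val_str (second item_func.cc hunk) print `str->ptr()` and `save_str->ptr()` with `%s`, but nothing in the hunk shows either buffer being NUL-terminated: `res` comes straight from the UDF with an explicit `res_length`, and `save_str->set(res, res_length, ...)` keeps that pointer, so in debug builds the format read can run past the end of the UDF's buffer. Bounding the print by the known length avoids that: `DBUG_PRINT("exit", ("str: %.*s", (int) res_length, str->ptr()));` and likewise `("save_str: %.*s", (int) res_length, save_str->ptr())`. The function's head is in the preceding hunk of the same file.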
diff --git a/sql/mysqld.cc b/sql/mysqld.cc index e84bcea8058..ef2f52a33df 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -620,7 +620,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int); static unsigned long openssl_id_function(); #endif char *des_key_file; -struct st_VioSSLAcceptorFd *ssl_acceptor_fd; +struct st_VioSSLFd *ssl_acceptor_fd; #endif /* HAVE_OPENSSL */ @@ -1131,8 +1131,13 @@ void clean_up(bool print_message) #endif #ifdef HAVE_OPENSSL if (ssl_acceptor_fd) - my_free((gptr) ssl_acceptor_fd, MYF(MY_ALLOW_ZERO_PTR)); + { + SSL_CTX_free(ssl_acceptor_fd->ssl_context); + my_free((gptr) ssl_acceptor_fd, MYF(0)); + } #endif /* HAVE_OPENSSL */ + vio_end(); + #ifdef USE_REGEX my_regex_end(); #endif diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index d66a631dbcc..511c0ddbb2e 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh, if (acl_user->x509_issuer) { DBUG_PRINT("info",("checkpoint 3")); - char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); - DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", + char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); + DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", acl_user->x509_issuer, ptr)); if (strcmp(acl_user->x509_issuer, ptr)) { diff --git a/sql/udf_example.cc b/sql/udf_example.cc index f4f936f34ef..6ad066eacc2 100644 --- a/sql/udf_example.cc +++ b/sql/udf_example.cc @@ -344,7 +344,7 @@ char *metaphon(UDF_INIT *initid, UDF_ARGS *args, char *result, KSflag = 0; /* state flag for KS translation */ for (metaph_end = result + MAXMETAPH, n_start = n; - n <= n_end && result < metaph_end; n++ ) + n < n_end && result < metaph_end; n++ ) { if ( KSflag ) diff --git a/vio/test-ssl.c b/vio/test-ssl.c index a94eb1a21ff..f8172426e38 100644 --- a/vio/test-ssl.c +++ b/vio/test-ssl.c 
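Review bot: clean_up frees ssl_acceptor_fd but leaves the global pointing at freed memory; adding `ssl_acceptor_fd= 0;` after the my_free keeps any later shutdown code, or a second clean_up call, from dereferencing or double-freeing it. The `SSL_CTX_free(ssl_acceptor_fd->ssl_context)` added here is the right complement to the mysql_ssl_free change in sql-common/client.c. vio_end() is called unconditionally, so its declaration must be visible in non-SSL builds as well; the vio.c hunk defines it outside any #ifdef, which looks consistent, but the header that declares it is not visible in this diff.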
@@ -57,8 +57,8 @@ main(int argc, char** argv) char* cipher=0; int child_pid,sv[2]; my_bool unused; - struct st_VioSSLAcceptorFd* ssl_acceptor=0; - struct st_VioSSLConnectorFd* ssl_connector=0; + struct st_VioSSLFd* ssl_acceptor= 0; + struct st_VioSSLFd* ssl_connector= 0; Vio* client_vio=0, *server_vio=0; MY_INIT(argv[0]); DBUG_PROCESS(argv[0]); diff --git a/vio/test-sslclient.c b/vio/test-sslclient.c index 3811ba0fb6a..49d6768c884 100644 --- a/vio/test-sslclient.c +++ b/vio/test-sslclient.c @@ -46,7 +46,7 @@ main( int argc __attribute__((unused)), { char client_key[] = "../SSL/client-key.pem", client_cert[] = "../SSL/client-cert.pem"; char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher=0; - struct st_VioSSLConnectorFd* ssl_connector=0; + struct st_VioSSLFd* ssl_connector= 0; struct sockaddr_in sa; Vio* client_vio=0; int err; diff --git a/vio/test-sslserver.c b/vio/test-sslserver.c index e4d32a75264..daec3a6e6f9 100644 --- a/vio/test-sslserver.c +++ b/vio/test-sslserver.c @@ -44,7 +44,7 @@ fatal_error( const char* r) typedef struct { int sd; - struct st_VioSSLAcceptorFd* ssl_acceptor; + struct st_VioSSLFd* ssl_acceptor; } TH_ARGS; static void @@ -82,7 +82,7 @@ main(int argc __attribute__((unused)), char** argv) char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher = 0; - struct st_VioSSLAcceptorFd* ssl_acceptor; + struct st_VioSSLFd* ssl_acceptor; pthread_t th; TH_ARGS th_args; diff --git a/vio/vio.c b/vio/vio.c index bc286b2d2bb..2b0a7f0d79b 100644 --- a/vio/vio.c +++ b/vio/vio.c 
@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type, if (type == VIO_TYPE_SSL) { vio->viodelete =vio_delete; - vio->vioerrno =vio_ssl_errno; + vio->vioerrno =vio_errno; vio->read =vio_ssl_read; vio->write =vio_ssl_write; - vio->fastsend =vio_ssl_fastsend; - vio->viokeepalive =vio_ssl_keepalive; - vio->should_retry =vio_ssl_should_retry; - vio->was_interrupted=vio_ssl_was_interrupted; + vio->fastsend =vio_fastsend; + vio->viokeepalive =vio_keepalive; + vio->should_retry =vio_should_retry; + vio->was_interrupted=vio_was_interrupted; vio->vioclose =vio_ssl_close; - vio->peer_addr =vio_ssl_peer_addr; - vio->in_addr =vio_ssl_in_addr; + vio->peer_addr =vio_peer_addr; + vio->in_addr =vio_in_addr; vio->vioblocking =vio_ssl_blocking; vio->is_blocking =vio_is_blocking; - vio->timeout =vio_ssl_timeout; + vio->timeout =vio_timeout; } else /* default is VIO_TYPE_TCPIP */ #endif /* HAVE_OPENSSL */ @@ -233,3 +233,16 @@ void vio_delete(Vio* vio) my_free((gptr) vio,MYF(0)); } } + + +/* + Cleanup memory allocated by vio or the + components below it when application finish + +*/ +void vio_end(void) +{ +#ifdef HAVE_YASSL + yaSSL_CleanUp(); +#endif +} diff --git a/vio/vio_priv.h b/vio/vio_priv.h index eb495025ddd..db331abdea8 100644 --- a/vio/vio_priv.h +++ b/vio/vio_priv.h 
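Review bot: The header comment on vio_end promises to "Cleanup memory allocated by vio or the components below it", but the body only calls yaSSL_CleanUp() under HAVE_YASSL and is a no-op for an OpenSSL build, which a caller reading the comment would not expect. Suggest `/* Release library-wide state owned by the SSL layer (currently yaSSL only; a no-op for OpenSSL builds). Call once at application shutdown, after every Vio has been deleted. */`. Rewiring the VIO_TYPE_SSL table to the plain vio_* functions is consistent with the vio_ssl_* bodies removed in viossl.c, which operated on vio->sd and socket_errno without touching the SSL object.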
@@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout); int vio_ssl_read(Vio *vio,gptr buf, int size); int vio_ssl_write(Vio *vio,const gptr buf,int size); -void vio_ssl_timeout(Vio *vio, uint which, uint timeout); - -/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */ -int vio_ssl_fastsend(Vio *vio); -/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */ -int vio_ssl_keepalive(Vio *vio, my_bool onoff); -/* Whenever we should retry the last read/write operation. */ -my_bool vio_ssl_should_retry(Vio *vio); -/* Check that operation was timed out */ -my_bool vio_ssl_was_interrupted(Vio *vio); + /* When the workday is over... */ int vio_ssl_close(Vio *vio); -/* Return last error number */ -int vio_ssl_errno(Vio *vio); -my_bool vio_ssl_peer_addr(Vio *vio, char *buf, uint16 *port); -void vio_ssl_in_addr(Vio *vio, struct in_addr *in); + int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode); -/* Single copy for server */ -enum vio_ssl_acceptorfd_state -{ - state_connect = 1, - state_accept = 2 -}; #endif /* HAVE_OPENSSL */ diff --git a/vio/viossl.c b/vio/viossl.c index 1273814c551..e869493c604 100644 --- a/vio/viossl.c +++ b/vio/viossl.c 
@@ -51,384 +51,240 @@ static int SSL_set_fd_bsd(SSL *s, int fd) static void -report_errors() +report_errors(SSL* ssl) { unsigned long l; - const char* file; - const char* data; - int line,flags; + const char *file; + const char *data; + int line, flags; +#ifndef DBUG_OFF + char buf[512]; +#endif + DBUG_ENTER("report_errors"); - while ((l=ERR_get_error_line_data(&file,&line,&data,&flags))) + while ((l= ERR_get_error_line_data(&file,&line,&data,&flags))) { - char buf[512]; DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), file,line,(flags&ERR_TXT_STRING)?data:"")) ; } - DBUG_PRINT("info", ("errno: %d", socket_errno)); - DBUG_VOID_RETURN; -} + if (ssl) + DBUG_PRINT("error", ("error: %s", + ERR_error_string(SSL_get_error(ssl, l), buf))); -int vio_ssl_errno(Vio *vio __attribute__((unused))) -{ - return socket_errno; /* On Win32 this mapped to WSAGetLastError() */ + DBUG_PRINT("info", ("socket_errno: %d", socket_errno)); + DBUG_VOID_RETURN; } -int vio_ssl_read(Vio * vio, gptr buf, int size) +int vio_ssl_read(Vio *vio, gptr buf, int size) { int r; DBUG_ENTER("vio_ssl_read"); DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d, ssl_: 0x%p", vio->sd, buf, size, vio->ssl_arg)); - if ((r= SSL_read((SSL*) vio->ssl_arg, buf, size)) < 0) - { - int err= SSL_get_error((SSL*) vio->ssl_arg, r); - DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err)); - report_errors(); - } + r= SSL_read((SSL*) vio->ssl_arg, buf, size); +#ifndef DBUG_OFF + if (r < 0) + report_errors((SSL*) vio->ssl_arg); +#endif DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } -int vio_ssl_write(Vio * vio, const gptr buf, int size) +int vio_ssl_write(Vio *vio, const gptr buf, int size) { int r; DBUG_ENTER("vio_ssl_write"); DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size)); - if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0) - report_errors(); - DBUG_PRINT("exit", ("%d", r)); - DBUG_RETURN(r); -} - - -int vio_ssl_fastsend(Vio * vio __attribute__((unused))) 
-{ - int r=0; - DBUG_ENTER("vio_ssl_fastsend"); - -#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__) - { - int tos= IPTOS_THROUGHPUT; - r= setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos)); - } -#endif /* IPTOS_THROUGHPUT && !__EMX__ */ - if (!r) - { -#ifdef __WIN__ - BOOL nodelay= 1; - r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (const char*) &nodelay, - sizeof(nodelay)); -#else - int nodelay= 1; - r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void*) &nodelay, - sizeof(nodelay)); -#endif /* __WIN__ */ - } - if (r) - { - DBUG_PRINT("warning", ("Couldn't set socket option for fast send")); - r= -1; - } + r= SSL_write((SSL*) vio->ssl_arg, buf, size); +#ifndef DBUG_OFF + if (r < 0) + report_errors((SSL*) vio->ssl_arg); +#endif DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } -int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive) +int vio_ssl_close(Vio *vio) { - int r=0; - DBUG_ENTER("vio_ssl_keepalive"); - DBUG_PRINT("enter", ("sd: %d, set_keep_alive: %d", vio->sd, (int) - set_keep_alive)); - if (vio->type != VIO_TYPE_NAMEDPIPE) - { - uint opt = (set_keep_alive) ? 
1 : 0; - r= setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt, - sizeof(opt)); - } - DBUG_RETURN(r); -} - - -my_bool -vio_ssl_should_retry(Vio * vio __attribute__((unused))) -{ - int en = socket_errno; - return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || - en == SOCKET_EWOULDBLOCK); -} - - -my_bool -vio_ssl_was_interrupted(Vio *vio __attribute__((unused))) -{ - int en= socket_errno; - return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || - en == SOCKET_EWOULDBLOCK || en == SOCKET_ETIMEDOUT); -} - - -int vio_ssl_close(Vio * vio) -{ - int r; + int r= 0; + SSL *ssl= (SSL*)vio->ssl_arg; DBUG_ENTER("vio_ssl_close"); - r=0; - if ((SSL*) vio->ssl_arg) - { - r = SSL_shutdown((SSL*) vio->ssl_arg); - SSL_free((SSL*) vio->ssl_arg); - vio->ssl_arg= 0; - } - if (vio->sd >= 0) - { - if (shutdown(vio->sd, 2)) - r= -1; - if (closesocket(vio->sd)) - r= -1; - } - if (r) - { - DBUG_PRINT("error", ("close() failed, error: %d",socket_errno)); - report_errors(); - /* FIXME: error handling (not critical for MySQL) */ - } - vio->type= VIO_CLOSED; - vio->sd= -1; - DBUG_RETURN(r); -} - -const char *vio_ssl_description(Vio * vio) -{ - return vio->desc; -} - -enum enum_vio_type vio_ssl_type(Vio* vio) -{ - return vio->type; -} - -my_socket vio_ssl_fd(Vio* vio) -{ - return vio->sd; -} - - -my_bool vio_ssl_peer_addr(Vio * vio, char *buf, uint16 *port) -{ - DBUG_ENTER("vio_ssl_peer_addr"); - DBUG_PRINT("enter", ("sd: %d", vio->sd)); - if (vio->localhost) - { - strmov(buf,"127.0.0.1"); - *port=0; - } - else + if (ssl) { - size_socket addrLen = sizeof(struct sockaddr); - if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)), - &addrLen) != 0) + switch ((r= SSL_shutdown(ssl))) { - DBUG_PRINT("exit", ("getpeername, error: %d", socket_errno)); - DBUG_RETURN(1); + case 1: /* Shutdown successful */ + break; + case 0: /* Shutdown not yet finished, call it again */ + if ((r= SSL_shutdown(ssl) >= 0)) + break; + /* Fallthrough */ + default: /* Shutdown failed */ + DBUG_PRINT("vio_error", 
("SSL_shutdown() failed, error: %s", + SSL_get_error(ssl, r))); + break; } -#ifdef TO_BE_FIXED - my_inet_ntoa(vio->remote.sin_addr,buf); - *port= 0; -#else - strmov(buf, "unknown"); - *port= 0; -#endif + SSL_free(ssl); + vio->ssl_arg= 0; } - DBUG_PRINT("exit", ("addr: %s", buf)); - DBUG_RETURN(0); + DBUG_RETURN(vio_close(vio)); } -void vio_ssl_in_addr(Vio *vio, struct in_addr *in) +int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { - DBUG_ENTER("vio_ssl_in_addr"); - if (vio->localhost) - bzero((char*) in, sizeof(*in)); - else - *in=vio->remote.sin_addr; - DBUG_VOID_RETURN; -} - - -/* - TODO: Add documentation -*/ - -int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) -{ - char *str; - char buf[1024]; - X509* client_cert; + SSL *ssl; my_bool unused; my_bool net_blocking; enum enum_vio_type old_type; DBUG_ENTER("sslaccept"); - DBUG_PRINT("enter", ("sd: %d ptr: Ox%p, timeout: %d", + DBUG_PRINT("enter", ("sd: %d ptr: %p, timeout: %d", vio->sd, ptr, timeout)); old_type= vio->type; - net_blocking = vio_is_blocking(vio); + net_blocking= vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ - vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); - vio->ssl_arg= 0; - if (!(vio->ssl_arg= (void*) SSL_new(ptr->ssl_context))) + vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE); + + if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); - report_errors(); + report_errors(ssl); vio_reset(vio, old_type,vio->sd,0,FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } - DBUG_PRINT("info", ("ssl_: Ox%p timeout: %ld", - (SSL*) vio->ssl_arg, timeout)); - SSL_clear((SSL*) vio->ssl_arg); - SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); - SSL_set_fd((SSL*) vio->ssl_arg,vio->sd); - SSL_set_accept_state((SSL*) vio->ssl_arg); - if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) + vio->ssl_arg= (void*)ssl; + DBUG_PRINT("info", ("ssl_: %p timeout: %ld", ssl, timeout)); + 
SSL_clear(ssl); + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + SSL_set_accept_state(ssl); + if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); - report_errors(); - SSL_free((SSL*) vio->ssl_arg); + report_errors(ssl); + SSL_free(ssl); vio->ssl_arg= 0; vio_reset(vio, old_type,vio->sd,0,FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } + #ifndef DBUG_OFF - DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" - ,SSL_get_cipher_name((SSL*) vio->ssl_arg))); - client_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); - if (client_cert != NULL) { - DBUG_PRINT("info",("Client certificate:")); - str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); - DBUG_PRINT("info",("\t subject: %s", str)); - free (str); + char buf[1024]; + X509 *client_cert; + DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl))); - str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0); - DBUG_PRINT("info",("\t issuer: %s", str)); - free (str); + if ((client_cert= SSL_get_peer_certificate (ssl))) + { + DBUG_PRINT("info",("Client certificate:")); + X509_NAME_oneline (X509_get_subject_name (client_cert), + buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); - X509_free (client_cert); - } - else - DBUG_PRINT("info",("Client does not have certificate.")); + X509_NAME_oneline (X509_get_issuer_name (client_cert), + buf, sizeof(buf)); + DBUG_PRINT("info",("\t issuer: %s", buf)); - str=SSL_get_shared_ciphers((SSL*) vio->ssl_arg, buf, sizeof(buf)); - if (str) - { - DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str)); - } - else - { - DBUG_PRINT("info",("no shared ciphers!")); - } + X509_free (client_cert); + } + else + DBUG_PRINT("info",("Client does not have certificate.")); + if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf))) + { + DBUG_PRINT("info",("shared_ciphers: '%s'", buf)); + } + else + DBUG_PRINT("info",("no shared ciphers!")); + } #endif + 
DBUG_RETURN(0); } -int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) +int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { - char *str; - X509* server_cert; + SSL *ssl; my_bool unused; my_bool net_blocking; - enum enum_vio_type old_type; + enum enum_vio_type old_type; + DBUG_ENTER("sslconnect"); - DBUG_PRINT("enter", ("sd: %d ptr: 0x%p ctx: 0x%p", - vio->sd,ptr,ptr->ssl_context)); + DBUG_PRINT("enter", ("sd: %d, ptr: %p, ctx: %p", + vio->sd, ptr, ptr->ssl_context)); old_type= vio->type; - net_blocking = vio_is_blocking(vio); + net_blocking= vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ - vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); - vio->ssl_arg= 0; - if (!(vio->ssl_arg = SSL_new(ptr->ssl_context))) + vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE); + if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); - report_errors(); - vio_reset(vio, old_type,vio->sd,0,FALSE); - vio_blocking(vio, net_blocking, &unused); + report_errors(ssl); + vio_reset(vio, old_type, vio->sd, 0, FALSE); + vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } - DBUG_PRINT("info", ("ssl_: 0x%p timeout: %ld", - (SSL*) vio->ssl_arg, timeout)); - SSL_clear((SSL*) vio->ssl_arg); - SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); - SSL_set_fd ((SSL*) vio->ssl_arg, vio_ssl_fd(vio)); - SSL_set_connect_state((SSL*) vio->ssl_arg); - if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) + vio->ssl_arg= (void*)ssl; + DBUG_PRINT("info", ("ssl: %p, timeout: %ld", ssl, timeout)); + SSL_clear(ssl); + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + SSL_set_connect_state(ssl); + if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); - report_errors(); - SSL_free((SSL*) vio->ssl_arg); + report_errors(ssl); + SSL_free(ssl); vio->ssl_arg= 0; - vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_reset(vio, old_type, vio->sd, 
0, FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); - } + } #ifndef DBUG_OFF - DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" - ,SSL_get_cipher_name((SSL*) vio->ssl_arg))); - server_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); - if (server_cert != NULL) { - DBUG_PRINT("info",("Server certificate:")); - str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0); - DBUG_PRINT("info",("\t subject: %s", str)); - free(str); - - str = X509_NAME_oneline (X509_get_issuer_name (server_cert), 0, 0); - DBUG_PRINT("info",("\t issuer: %s", str)); - free(str); - - /* - We could do all sorts of certificate verification stuff here before - deallocating the certificate. - */ - X509_free (server_cert); + X509 *server_cert; + DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl))); + + if ((server_cert= SSL_get_peer_certificate (ssl))) + { + char buf[256]; + DBUG_PRINT("info",("Server certificate:")); + X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); + X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t issuer: %s", buf)); + X509_free (server_cert); + } + else + DBUG_PRINT("info",("Server does not have certificate.")); } - else - DBUG_PRINT("info",("Server does not have certificate.")); #endif + DBUG_RETURN(0); } -int vio_ssl_blocking(Vio * vio __attribute__((unused)), +int vio_ssl_blocking(Vio *vio __attribute__((unused)), my_bool set_blocking_mode, my_bool *old_mode) { + /* Mode is always blocking */ + *old_mode= 1; /* Return error if we try to change to non_blocking mode */ - *old_mode=1; /* Mode is always blocking */ - return set_blocking_mode ? 0 : 1; + return (set_blocking_mode ? 
0 : 1); } - -void vio_ssl_timeout(Vio *vio __attribute__((unused)), - uint which __attribute__((unused)), - uint timeout __attribute__((unused))) -{ -#ifdef __WIN__ - ulong wait_timeout= (ulong) timeout * 1000; - (void) setsockopt(vio->sd, SOL_SOCKET, - which ? SO_SNDTIMEO : SO_RCVTIMEO, (char*) &wait_timeout, - sizeof(wait_timeout)); -#endif /* __WIN__ */ -} #endif /* HAVE_OPENSSL */ diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 4ee27f1e491..2c528e9a2fc 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -21,7 +21,6 @@ static bool ssl_algorithms_added = FALSE; static bool ssl_error_strings_loaded= FALSE; static int verify_depth = 0; -static int verify_error = X509_V_OK; static unsigned char dh512_p[]= { 
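Review bot: In vio_ssl_close the retry branch `if ((r= SSL_shutdown(ssl) >= 0))` parenthesises the comparison rather than the call, so r receives 0 or 1 instead of the SSL_shutdown() result; a failed second shutdown (-1) yields r == 0, falls into the default case, and the value then handed to SSL_get_error() is the boolean rather than the return code. The intended form is `if ((r= SSL_shutdown(ssl)) >= 0) break;`. In the same default case the DBUG_PRINT formats the int returned by SSL_get_error() with `%s`, which is undefined behaviour in debug builds; it should be `%d`. In report_errors the `l` used in `ERR_error_string(SSL_get_error(ssl, l), buf)` is the 0 that terminated the ERR_get_error_line_data loop, so that line describes neither the last queued error nor a real SSL return value; passing the failing call's return value into report_errors would make the message meaningful.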
@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
 DBUG_ENTER("vio_set_cert_stuff");
 DBUG_PRINT("enter", ("ctx: %p, cert_file: %s, key_file: %s", ctx, cert_file, key_file));
- if (cert_file != NULL)
+ if (cert_file)
 {
- if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0)
+ if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
 {
- DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file));
+ DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file));
 /* FIX stderr */
 fprintf(stderr,"Error when connection to server using SSL:");
 ERR_print_errors_fp(stderr);
 fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
 fflush(stderr);
- DBUG_RETURN(0);
+ DBUG_RETURN(1);
 }
- if (key_file == NULL)
- key_file = cert_file;
- if (SSL_CTX_use_PrivateKey_file(ctx,key_file,
- SSL_FILETYPE_PEM) <= 0)
+
+ if (!key_file)
+ key_file= cert_file;
+
+ if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
 {
- DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file));
+ DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file));
 /* FIX stderr */
 fprintf(stderr,"Error when connection to server using SSL:");
 ERR_print_errors_fp(stderr);
- fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
- fflush(stderr);
- DBUG_RETURN(0);
+ fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
+ fflush(stderr);
+ DBUG_RETURN(1);
 }
 /*
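Review bot: vio_set_cert_stuff now returns 1 on failure and 0 on success (the `DBUG_RETURN(1)` lines here and the closing `DBUG_RETURN(0)` in the next hunk invert the old convention), but nothing at the function documents that, and the new caller in new_VioSSLFd tests the result as a plain truth value. A header comment would pin it down: `/* Load cert_file and key_file (key_file defaults to cert_file) into ctx. Returns 0 on success, 1 on failure; details have already been printed to stderr. */`. The line `fprintf(stderr,"Error when connection to server using SSL:");` is also reached from the acceptor (server) path now, where that wording is misleading; a neutral text such as `Error when setting up SSL:` fits both callers. The function's signature is outside this hunk.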
@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
 {
 DBUG_PRINT("error", ("Private key does not match the certificate public key\n"));
- DBUG_RETURN(0);
+ DBUG_RETURN(1);
 }
 }
- DBUG_RETURN(1);
+ DBUG_RETURN(0);
 }
 static int vio_verify_callback(int ok, X509_STORE_CTX *ctx)
 {
- char buf[256];
- X509* err_cert;
- int err,depth;
+ char buf[256];
+ X509 *err_cert;
 DBUG_ENTER("vio_verify_callback");
- DBUG_PRINT("enter", ("ok: %d, ctx: 0x%p", ok, ctx));
- err_cert=X509_STORE_CTX_get_current_cert(ctx);
- err= X509_STORE_CTX_get_error(ctx);
- depth= X509_STORE_CTX_get_error_depth(ctx);
+ DBUG_PRINT("enter", ("ok: %d, ctx: %p", ok, ctx));
- X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf));
+ err_cert= X509_STORE_CTX_get_current_cert(ctx);
+ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+ DBUG_PRINT("info", ("cert: %s", buf));
 if (!ok)
 {
- DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err,
+ int err, depth;
+ err= X509_STORE_CTX_get_error(ctx);
+ depth= X509_STORE_CTX_get_error_depth(ctx);
+
+ DBUG_PRINT("error",("verify error: %d, '%s'",err,
 X509_verify_cert_error_string(err)));
+ /*
+ Approve cert if depth is greater then "verify_depth", currently
+ verify_depth is always 0 and there is no way to increase it.
+ */
 if (verify_depth >= depth)
- {
- ok=1;
- verify_error=X509_V_OK;
- }
- else
- {
- verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
- }
+ ok= 1;
 }
- switch (ctx->error) {
+ switch (ctx->error)
+ {
 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
- DBUG_PRINT("info",("issuer= %s\n",buf));
+ X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+ DBUG_PRINT("info",("issuer= %s\n", buf));
 break;
 case X509_V_ERR_CERT_NOT_YET_VALID:
 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
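Review bot: The override `if (verify_depth >= depth) ok= 1;` in vio_verify_callback turns every verification failure at depth <= verify_depth into success, and since verify_depth is fixed at 0 that is exactly the peer's own certificate: an expired, self-signed or untrusted-issuer leaf is reported as verified, which silently defeats the SSL_VERIFY_PEER mode both constructors request in the next hunk. The new comment also states the opposite of the code (the branch approves when depth is not greater than verify_depth, and "greater then" should read "greater than"). Unless such peers are meant to be accepted, drop the override so `ok` keeps the value OpenSSL computed, or restrict it to one error code that is deliberately tolerated, e.g. `if (err == X509_V_ERR_CERT_CHAIN_TOO_LONG && verify_depth >= depth) ok= 1;`. Separately, X509_STORE_CTX_get_current_cert() can return NULL for some errors, so `X509_get_subject_name(err_cert)` above the `if (!ok)` needs a NULL guard before buf is filled. The callback continues past the end of this hunk.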
@@ -198,193 +198,150 @@ static void netware_ssl_init()
 #endif /* __NETWARE__ */
-/************************ VioSSLConnectorFd **********************************/
-/*
- TODO:
- Add option --verify to mysql to be able to change verification mode
-*/
-
-struct st_VioSSLConnectorFd *
-new_VioSSLConnectorFd(const char* key_file,
- const char* cert_file,
- const char* ca_file,
- const char* ca_path,
- const char* cipher)
+static void check_ssl_init()
 {
- int verify = SSL_VERIFY_NONE;
- struct st_VioSSLConnectorFd* ptr;
- int result;
- DH *dh;
- DBUG_ENTER("new_VioSSLConnectorFd");
-
- if (!(ptr=((struct st_VioSSLConnectorFd*)
- my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0)))))
- DBUG_RETURN(0);
-
- ptr->ssl_context= 0;
- ptr->ssl_method= 0;
- /* FIXME: constants! */
- if (!ssl_algorithms_added)
 {
- DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()"));
- ssl_algorithms_added = TRUE;
+ ssl_algorithms_added= TRUE;
 SSL_library_init();
 OpenSSL_add_all_algorithms();
+ }
+
 #ifdef __NETWARE__
 netware_ssl_init();
 #endif
 if (!ssl_error_strings_loaded)
 {
- DBUG_PRINT("info", ("todo:SSL_load_error_strings()"));
- ssl_error_strings_loaded = TRUE;
+ ssl_error_strings_loaded= TRUE;
 SSL_load_error_strings();
 }
- ptr->ssl_method = TLSv1_client_method();
- ptr->ssl_context = SSL_CTX_new(ptr->ssl_method);
- DBUG_PRINT("info", ("ssl_context: %p",ptr->ssl_context));
- if (ptr->ssl_context == 0)
+}
+
+/************************ VioSSLFd **********************************/
+static struct st_VioSSLFd *
+new_VioSSLFd(const char *key_file, const char *cert_file,
+ const char *ca_file, const char *ca_path,
+ const char *cipher, SSL_METHOD *method)
+{
+ DH *dh;
+ struct st_VioSSLFd *ssl_fd;
+ DBUG_ENTER("new_VioSSLFd");
+
+ check_ssl_init();
+
+ if (!(ssl_fd= ((struct st_VioSSLFd*)
+ my_malloc(sizeof(struct st_VioSSLFd),MYF(0)))))
+ DBUG_RETURN(0);
+
+ if (!(ssl_fd->ssl_context= SSL_CTX_new(method)))
 {
 DBUG_PRINT("error", ("SSL_CTX_new failed"));
 report_errors();
- goto ctor_failure;
- }
- /*
- SSL_CTX_set_options
- SSL_CTX_set_info_callback
- */
- if (cipher)
- {
- result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
- DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
+ my_free((void*)ssl_fd,MYF(0));
+ DBUG_RETURN(0);
 }
- SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
- if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
+
+ /* Set the ciphers that can be used */
+ if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))
 {
- DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
+ DBUG_PRINT("error", ("failed to set ciphers to use"));
 report_errors();
- goto ctor_failure;
+ my_free((void*)ssl_fd,MYF(0));
+ DBUG_RETURN(0);
 }
- if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file,ca_path) == 0)
+
+ /* Load certs from the trusted ca */
+ if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
 {
 DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
- if (SSL_CTX_set_default_verify_paths(ptr->ssl_context) == 0)
+ if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
 {
 DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
 report_errors();
- goto ctor_failure;
+ my_free((void*)ssl_fd,MYF(0));
+ DBUG_RETURN(0);
 }
- }
+ }
+
+ if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
+ {
+ DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
+ report_errors();
+ my_free((void*)ssl_fd,MYF(0));
+ DBUG_RETURN(0);
+ }
 /* DH stuff */
 dh=get_dh512();
- SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
+ SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
 DH_free(dh);
- DBUG_RETURN(ptr);
-ctor_failure:
- DBUG_PRINT("exit", ("there was an error"));
- my_free((gptr)ptr,MYF(0));
- DBUG_RETURN(0);
+ DBUG_PRINT("exit", ("OK 1"));
+
+ DBUG_RETURN(ssl_fd);
 }
-/************************ VioSSLAcceptorFd **********************************/
-/*
- TODO:
- Add option --verify to mysqld to be able to change verification mode
-*/
-struct st_VioSSLAcceptorFd*
-new_VioSSLAcceptorFd(const char *key_file,
- const char *cert_file,
- const char *ca_file,
- const char *ca_path,
- const char *cipher)
+/************************ VioSSLConnectorFd **********************************/
+struct st_VioSSLFd *
+new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
+ const char *ca_file, const char *ca_path,
+ const char *cipher)
 {
- int verify = (SSL_VERIFY_PEER |
- SSL_VERIFY_CLIENT_ONCE);
- struct st_VioSSLAcceptorFd* ptr;
- int result;
- DH *dh;
- DBUG_ENTER("new_VioSSLAcceptorFd");
+ struct st_VioSSLFd *ssl_fd;
+ int verify= SSL_VERIFY_PEER;
+ if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+ ca_path, cipher, TLSv1_client_method())))
+ {
+ return 0;
+ }
- ptr= ((struct st_VioSSLAcceptorFd*)
- my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0)));
- ptr->ssl_context=0;
- ptr->ssl_method=0;
- /* FIXME: constants! */
- ptr->session_id_context= ptr;
+ /* Init the VioSSLFd as a "connector" ie. the client side */
- if (!ssl_algorithms_added)
- {
- DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()"));
- ssl_algorithms_added = TRUE;
- SSL_library_init();
- OpenSSL_add_all_algorithms();
+ /*
+ The verify_callback function is used to control the behaviour
+ when the SSL_VERIFY_PEER flag is set.
+ */
+ SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback);
- }
-#ifdef __NETWARE__
- netware_ssl_init();
-#endif
+ return ssl_fd;
+}
- if (!ssl_error_strings_loaded)
- {
- DBUG_PRINT("info", ("todo: SSL_load_error_strings()"));
- ssl_error_strings_loaded = TRUE;
- SSL_load_error_strings();
- }
- ptr->ssl_method= TLSv1_server_method();
- ptr->ssl_context= SSL_CTX_new(ptr->ssl_method);
- if (ptr->ssl_context == 0)
- {
- DBUG_PRINT("error", ("SSL_CTX_new failed"));
- report_errors();
- goto ctor_failure;
- }
- if (cipher)
+
+/************************ VioSSLAcceptorFd **********************************/
+struct st_VioSSLFd*
+new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
+ const char *ca_file, const char *ca_path,
+ const char *cipher)
+{
+ struct st_VioSSLFd *ssl_fd;
+ int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+ if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
+ ca_path, cipher, TLSv1_server_method())))
 {
- result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
- DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
+ return 0;
 }
- /* SSL_CTX_set_quiet_shutdown(ctx,1); */
- SSL_CTX_sess_set_cache_size(ptr->ssl_context,128);
+ /* Init the the VioSSLFd as a "acceptor" ie. the server side */
- /* DH? */
- SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
- SSL_CTX_set_session_id_context(ptr->ssl_context,
- (const uchar*) &(ptr->session_id_context),
- sizeof(ptr->session_id_context));
+ /* Set max number of cached sessions, returns the previous size */
+ SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128);
 /*
- SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
+ The verify_callback function is used to control the behaviour
+ when the SSL_VERIFY_PEER flag is set.
 */
- if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
- {
- DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
- report_errors();
- goto ctor_failure;
- }
- if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file, ca_path) == 0)
- {
- DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
- if (SSL_CTX_set_default_verify_paths(ptr->ssl_context)==0)
- {
- DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
- report_errors();
- goto ctor_failure;
- }
- }
- /* DH stuff */
- dh=get_dh512();
- SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
- DH_free(dh);
- DBUG_RETURN(ptr);
+ SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback);
-ctor_failure:
- DBUG_PRINT("exit", ("there was an error"));
- my_free((gptr) ptr,MYF(0));
- DBUG_RETURN(0);
+ /*
+ Set session_id - an identifier for this server session
+ Use the ssl_fd pointer
+ */
+ SSL_CTX_set_session_id_context(ssl_fd->ssl_context,
+ (const unsigned char *)ssl_fd,
+ sizeof(ssl_fd));
+
+ return ssl_fd;
 }
 #endif /* HAVE_OPENSSL */ |
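Review bot: `if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))` in new_VioSSLFd has the test inverted: SSL_CTX_set_cipher_list() returns 1 when a cipher could be selected and 0 when none could, so a valid cipher list makes the constructor fail and an invalid one is accepted without any message (the removed code only logged the result, so this is new behaviour). It should read `if (cipher && !SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))`. The four error exits after SSL_CTX_new() succeeds free ssl_fd but never the context, so each of them leaks the SSL_CTX; an `SSL_CTX_free(ssl_fd->ssl_context);` before each `my_free((void*)ssl_fd,MYF(0));`, or a single cleanup label, closes that (the removed ctor_failure path had the same gap). `DBUG_PRINT("exit", ("OK 1"))` does not say what was OK; `("ssl_fd: %p", ssl_fd)` would be more useful in the trace.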