summaryrefslogtreecommitdiff
path: root/sql-common/client.c
diff options
context:
space:
mode:
Diffstat (limited to 'sql-common/client.c')
-rw-r--r--sql-common/client.c42
1 files changed, 31 insertions, 11 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 20ccd73596c..acfdd8531e2 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1,5 +1,5 @@
-/* Copyright (c) 2003, 2013, Oracle and/or its affiliates.
- Copyright (c) 2009, 2013, Monty Program Ab
+/* Copyright (c) 2003, 2014, Oracle and/or its affiliates.
+ Copyright (c) 2009, 2015, MariaDB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -1848,6 +1848,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) |
mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) ?
1 : 0);
+ mysql->options.use_ssl= TRUE;
#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
DBUG_RETURN(result);
}
@@ -1942,7 +1943,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
SSL *ssl;
X509 *server_cert;
char *cp1, *cp2;
- char buf[256];
+ char *buf;
DBUG_ENTER("ssl_verify_server_cert");
DBUG_PRINT("enter", ("server_hostname: %s", server_hostname));
@@ -1976,9 +1977,15 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
are what we expect.
*/
- X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
+ buf= X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0);
X509_free (server_cert);
+ if (!buf)
+ {
+ *errptr= "Out of memory";
+ DBUG_RETURN(1);
+ }
+
DBUG_PRINT("info", ("hostname in cert: %s", buf));
cp1= strstr(buf, "/CN=");
if (cp1)
@@ -1991,11 +1998,13 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
DBUG_PRINT("info", ("Server hostname in cert: %s", cp1));
if (!strcmp(cp1, server_hostname))
{
+ free(buf);
/* Success */
DBUG_RETURN(0);
}
}
*errptr= "SSL certificate validation failure";
+ free(buf);
DBUG_RETURN(1);
}
@@ -2644,16 +2653,10 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
mysql->client_flag|= CLIENT_MULTI_RESULTS;
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
- if (mysql->options.ssl_key || mysql->options.ssl_cert ||
- mysql->options.ssl_ca || mysql->options.ssl_capath ||
- mysql->options.ssl_cipher ||
- (mysql->options.extension &&
- (mysql->options.extension->ssl_crl ||
- mysql->options.extension->ssl_crlpath)))
- mysql->options.use_ssl= 1;
if (mysql->options.use_ssl)
mysql->client_flag|= CLIENT_SSL;
#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY*/
+
if (mpvio->db)
mysql->client_flag|= CLIENT_CONNECT_WITH_DB;
@@ -2682,6 +2685,23 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
end= buff+5;
}
#ifdef HAVE_OPENSSL
+
+ /*
+ If client uses ssl and client also has to verify the server
+ certificate, a ssl connection is required.
+ If the server does not support ssl, we abort the connection.
+ */
+ if (mysql->options.use_ssl &&
+ (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
+ !(mysql->server_capabilities & CLIENT_SSL))
+ {
+ set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+ ER(CR_SSL_CONNECTION_ERROR),
+ "SSL is required, but the server does not "
+ "support it");
+ goto error;
+ }
+
if (mysql->client_flag & CLIENT_SSL)
{
/* Do the SSL layering. */