diff options
Diffstat (limited to 'sql-common/client.c')
-rw-r--r-- | sql-common/client.c | 42 |
1 files changed, 31 insertions, 11 deletions
diff --git a/sql-common/client.c b/sql-common/client.c index 20ccd73596c..acfdd8531e2 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1,5 +1,5 @@ -/* Copyright (c) 2003, 2013, Oracle and/or its affiliates. - Copyright (c) 2009, 2013, Monty Program Ab +/* Copyright (c) 2003, 2014, Oracle and/or its affiliates. + Copyright (c) 2009, 2015, MariaDB This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1848,6 +1848,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) | mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) ? 1 : 0); + mysql->options.use_ssl= TRUE; #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */ DBUG_RETURN(result); } @@ -1942,7 +1943,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c SSL *ssl; X509 *server_cert; char *cp1, *cp2; - char buf[256]; + char *buf; DBUG_ENTER("ssl_verify_server_cert"); DBUG_PRINT("enter", ("server_hostname: %s", server_hostname)); @@ -1976,9 +1977,15 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c are what we expect. */ - X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + buf= X509_NAME_oneline(X509_get_subject_name(server_cert), 0, 0); X509_free (server_cert); + if (!buf) + { + *errptr= "Out of memory"; + DBUG_RETURN(1); + } + DBUG_PRINT("info", ("hostname in cert: %s", buf)); cp1= strstr(buf, "/CN="); if (cp1) @@ -1991,11 +1998,13 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c DBUG_PRINT("info", ("Server hostname in cert: %s", cp1)); if (!strcmp(cp1, server_hostname)) { + free(buf); /* Success */ DBUG_RETURN(0); } } *errptr= "SSL certificate validation failure"; + free(buf); DBUG_RETURN(1); } @@ -2644,16 +2653,10 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, mysql->client_flag|= CLIENT_MULTI_RESULTS; #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) - if (mysql->options.ssl_key || mysql->options.ssl_cert || - mysql->options.ssl_ca || mysql->options.ssl_capath || - mysql->options.ssl_cipher || - (mysql->options.extension && - (mysql->options.extension->ssl_crl || - mysql->options.extension->ssl_crlpath))) - mysql->options.use_ssl= 1; if (mysql->options.use_ssl) mysql->client_flag|= CLIENT_SSL; #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY*/ + if (mpvio->db) mysql->client_flag|= CLIENT_CONNECT_WITH_DB; @@ -2682,6 +2685,23 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, end= buff+5; } #ifdef HAVE_OPENSSL + + /* + If client uses ssl and client also has to verify the server + certificate, a ssl connection is required. + If the server does not support ssl, we abort the connection. + */ + if (mysql->options.use_ssl && + (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) && + !(mysql->server_capabilities & CLIENT_SSL)) + { + set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, + ER(CR_SSL_CONNECTION_ERROR), + "SSL is required, but the server does not " + "support it"); + goto error; + } + if (mysql->client_flag & CLIENT_SSL) { /* Do the SSL layering. */ |