diff options
Diffstat (limited to 'vio')
| -rw-r--r-- | vio/CMakeLists.txt | 6 | ||||
| -rw-r--r-- | vio/Makefile.am | 20 | ||||
| -rw-r--r-- | vio/test-ssl.c | 4 | ||||
| -rw-r--r-- | vio/test-sslclient.c | 2 | ||||
| -rw-r--r-- | vio/test-sslserver.c | 11 | ||||
| -rw-r--r-- | vio/vio.c | 79 | ||||
| -rw-r--r-- | vio/vio_priv.h | 22 | ||||
| -rw-r--r-- | vio/viosocket.c | 103 | ||||
| -rw-r--r-- | vio/viossl.c | 406 | ||||
| -rw-r--r-- | vio/viosslfactories.c | 325 |
10 files changed, 431 insertions, 547 deletions
diff --git a/vio/CMakeLists.txt b/vio/CMakeLists.txt new file mode 100644 index 00000000000..a3cbb304289 --- /dev/null +++ b/vio/CMakeLists.txt @@ -0,0 +1,6 @@ +SET(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -D_DEBUG -DSAFEMALLOC -DSAFE_MUTEX") +SET(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -D_DEBUG -DSAFEMALLOC -DSAFE_MUTEX") + +ADD_DEFINITIONS(-DUSE_SYMDIR) +INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include ${CMAKE_SOURCE_DIR}/extra/yassl/include) +ADD_LIBRARY(vio vio.c viosocket.c viossl.c viosslfactories.c) diff --git a/vio/Makefile.am b/vio/Makefile.am index e27daa7ac35..b57f2453f41 100644 --- a/vio/Makefile.am +++ b/vio/Makefile.am @@ -14,25 +14,31 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +if HAVE_YASSL + yassl_dummy_link_fix= $(top_srcdir)/extra/yassl/src/dummy.cpp +else + yassl_dummy_link_fix= +endif INCLUDES= -I$(top_builddir)/include -I$(top_srcdir)/include \ $(openssl_includes) -LDADD= @CLIENT_EXTRA_LDFLAGS@ $(openssl_libs) +LDADD= @CLIENT_EXTRA_LDFLAGS@ $(openssl_libs) $(yassl_libs) pkglib_LIBRARIES= libvio.a noinst_PROGRAMS = test-ssl test-sslserver test-sslclient noinst_HEADERS= vio_priv.h -test_ssl_SOURCES= test-ssl.c +test_ssl_SOURCES= test-ssl.c $(yassl_dummy_link_fix) test_ssl_LDADD= @CLIENT_EXTRA_LDFLAGS@ ../dbug/libdbug.a libvio.a \ ../mysys/libmysys.a ../strings/libmystrings.a \ - $(openssl_libs) -test_sslserver_SOURCES= test-sslserver.c + $(openssl_libs) $(yassl_libs) +test_sslserver_SOURCES= test-sslserver.c $(yassl_dummy_link_fix) test_sslserver_LDADD= @CLIENT_EXTRA_LDFLAGS@ ../dbug/libdbug.a libvio.a \ ../mysys/libmysys.a ../strings/libmystrings.a \ - $(openssl_libs) -test_sslclient_SOURCES= test-sslclient.c + $(openssl_libs) $(yassl_libs) +test_sslclient_SOURCES= test-sslclient.c $(yassl_dummy_link_fix) test_sslclient_LDADD= @CLIENT_EXTRA_LDFLAGS@ ../dbug/libdbug.a libvio.a \ ../mysys/libmysys.a ../strings/libmystrings.a \ - $(openssl_libs) + $(openssl_libs) $(yassl_libs) libvio_a_SOURCES= vio.c viosocket.c viossl.c viosslfactories.c +EXTRA_DIST= CMakeLists.txt # Don't update the files from bitkeeper %::SCCS/s.% diff --git a/vio/test-ssl.c b/vio/test-ssl.c index a94eb1a21ff..f8172426e38 100644 --- a/vio/test-ssl.c +++ b/vio/test-ssl.c @@ -57,8 +57,8 @@ main(int argc, char** argv) char* cipher=0; int child_pid,sv[2]; my_bool unused; - struct st_VioSSLAcceptorFd* ssl_acceptor=0; - struct st_VioSSLConnectorFd* ssl_connector=0; + struct st_VioSSLFd* ssl_acceptor= 0; + struct st_VioSSLFd* ssl_connector= 0; Vio* client_vio=0, *server_vio=0; MY_INIT(argv[0]); DBUG_PROCESS(argv[0]); diff --git a/vio/test-sslclient.c b/vio/test-sslclient.c index 3811ba0fb6a..49d6768c884 100644 --- a/vio/test-sslclient.c +++ b/vio/test-sslclient.c @@ -46,7 +46,7 @@ main( int argc __attribute__((unused)), { char client_key[] = "../SSL/client-key.pem", client_cert[] = "../SSL/client-cert.pem"; char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher=0; - struct st_VioSSLConnectorFd* ssl_connector=0; + struct st_VioSSLFd* ssl_connector= 0; struct sockaddr_in sa; Vio* client_vio=0; int err; diff --git a/vio/test-sslserver.c b/vio/test-sslserver.c index d05e50af16b..daec3a6e6f9 100644 --- a/vio/test-sslserver.c +++ b/vio/test-sslserver.c @@ -44,7 +44,7 @@ fatal_error( const char* r) typedef struct { int sd; - struct st_VioSSLAcceptorFd* ssl_acceptor; + struct st_VioSSLFd* ssl_acceptor; } TH_ARGS; static void @@ -82,7 +82,7 @@ main(int argc __attribute__((unused)), char** argv) char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher = 0; - struct st_VioSSLAcceptorFd* ssl_acceptor; + struct st_VioSSLFd* ssl_acceptor; pthread_t th; TH_ARGS th_args; @@ -91,12 +91,7 @@ main(int argc __attribute__((unused)), char** argv) struct sockaddr_in sa_cli; int listen_sd; int err; - -#if defined(__sgi) && _NO_XOPEN4 && _NO_XOPEN5 - socklen_t client_len; -#else - size_t client_len; -#endif + size_socket client_len; int reuseaddr = 1; /* better testing, uh? */ MY_INIT(argv[0]); diff --git a/vio/vio.c b/vio/vio.c index 6174acd7024..f20acb249ef 100644 --- a/vio/vio.c +++ b/vio/vio.c @@ -27,19 +27,23 @@ * Helper to fill most of the Vio* with defaults. */ -void vio_reset(Vio* vio, enum enum_vio_type type, - my_socket sd, HANDLE hPipe, - my_bool localhost) +static void vio_init(Vio* vio, enum enum_vio_type type, + my_socket sd, HANDLE hPipe, uint flags) { - DBUG_ENTER("vio_reset"); - DBUG_PRINT("enter", ("type=%d sd=%d localhost=%d", type, sd, localhost)); + DBUG_ENTER("vio_init"); + DBUG_PRINT("enter", ("type: %d sd: %d flags: %d", type, sd, flags)); +#ifndef HAVE_VIO_READ_BUFF + flags&= ~VIO_BUFFERED_READ; +#endif bzero((char*) vio, sizeof(*vio)); vio->type = type; vio->sd = sd; vio->hPipe = hPipe; - vio->localhost= localhost; -#ifdef HAVE_VIO + vio->localhost= flags & VIO_LOCALHOST; + if ((flags & VIO_BUFFERED_READ) && + !(vio->read_buffer= (char*)my_malloc(VIO_READ_BUFFER_SIZE, MYF(MY_WME)))) + flags&= ~VIO_BUFFERED_READ; #ifdef __WIN__ if (type == VIO_TYPE_NAMEDPIPE) { @@ -84,26 +88,26 @@ void vio_reset(Vio* vio, enum enum_vio_type type, if (type == VIO_TYPE_SSL) { vio->viodelete =vio_delete; - vio->vioerrno =vio_ssl_errno; + vio->vioerrno =vio_errno; vio->read =vio_ssl_read; vio->write =vio_ssl_write; - vio->fastsend =vio_ssl_fastsend; - vio->viokeepalive =vio_ssl_keepalive; - vio->should_retry =vio_ssl_should_retry; - vio->was_interrupted=vio_ssl_was_interrupted; + vio->fastsend =vio_fastsend; + vio->viokeepalive =vio_keepalive; + vio->should_retry =vio_should_retry; + vio->was_interrupted=vio_was_interrupted; vio->vioclose =vio_ssl_close; - vio->peer_addr =vio_ssl_peer_addr; - vio->in_addr =vio_ssl_in_addr; + vio->peer_addr =vio_peer_addr; + vio->in_addr =vio_in_addr; vio->vioblocking =vio_ssl_blocking; vio->is_blocking =vio_is_blocking; - vio->timeout =vio_ssl_timeout; + vio->timeout =vio_timeout; } else /* default is VIO_TYPE_TCPIP */ #endif /* HAVE_OPENSSL */ { vio->viodelete =vio_delete; vio->vioerrno =vio_errno; - vio->read =vio_read; + vio->read= (flags & VIO_BUFFERED_READ) ? vio_read_buff : vio_read; vio->write =vio_write; vio->fastsend =vio_fastsend; vio->viokeepalive =vio_keepalive; @@ -116,25 +120,34 @@ void vio_reset(Vio* vio, enum enum_vio_type type, vio->is_blocking =vio_is_blocking; vio->timeout =vio_timeout; } -#endif /* HAVE_VIO */ DBUG_VOID_RETURN; } +/* Reset initialized VIO to use with another transport type */ + +void vio_reset(Vio* vio, enum enum_vio_type type, + my_socket sd, HANDLE hPipe, uint flags) +{ + my_free(vio->read_buffer, MYF(MY_ALLOW_ZERO_PTR)); + vio_init(vio, type, sd, hPipe, flags); +} + + /* Open the socket or TCP/IP connection and read the fnctl() status */ -Vio *vio_new(my_socket sd, enum enum_vio_type type, my_bool localhost) +Vio *vio_new(my_socket sd, enum enum_vio_type type, uint flags) { Vio *vio; DBUG_ENTER("vio_new"); - DBUG_PRINT("enter", ("sd=%d", sd)); + DBUG_PRINT("enter", ("sd: %d", sd)); if ((vio = (Vio*) my_malloc(sizeof(*vio),MYF(MY_WME)))) { - vio_reset(vio, type, sd, 0, localhost); + vio_init(vio, type, sd, 0, flags); sprintf(vio->desc, (vio->type == VIO_TYPE_SOCKET ? "socket (%d)" : "TCP/IP (%d)"), vio->sd); -#if !defined(__WIN__) && !defined(__EMX__) && !defined(OS2) +#if !defined(__WIN__) #if !defined(NO_FCNTL_NONBLOCK) /* We call fcntl() to set the flags and then immediately read them back @@ -153,7 +166,7 @@ Vio *vio_new(my_socket sd, enum enum_vio_type type, my_bool localhost) (void) ioctl(sd,FIOSNBIO,0); vio->fcntl_mode &= ~O_NONBLOCK; #endif -#else /* !defined(__WIN__) && !defined(__EMX__) */ +#else /* !defined(__WIN__) */ { /* set to blocking mode by default */ ulong arg=0, r; @@ -174,7 +187,7 @@ Vio *vio_new_win32pipe(HANDLE hPipe) DBUG_ENTER("vio_new_handle"); if ((vio = (Vio*) my_malloc(sizeof(Vio),MYF(MY_WME)))) { - vio_reset(vio, VIO_TYPE_NAMEDPIPE, 0, hPipe, TRUE); + vio_init(vio, VIO_TYPE_NAMEDPIPE, 0, hPipe, VIO_LOCALHOST); strmov(vio->desc, "named pipe"); } DBUG_RETURN(vio); @@ -190,7 +203,7 @@ Vio *vio_new_win32shared_memory(NET *net,HANDLE handle_file_map, HANDLE handle_m DBUG_ENTER("vio_new_win32shared_memory"); if ((vio = (Vio*) my_malloc(sizeof(Vio),MYF(MY_WME)))) { - vio_reset(vio, VIO_TYPE_SHARED_MEMORY, 0, 0, TRUE); + vio_init(vio, VIO_TYPE_SHARED_MEMORY, 0, 0, VIO_LOCALHOST); vio->handle_file_map= handle_file_map; vio->handle_map= handle_map; vio->event_server_wrote= event_server_wrote; @@ -215,11 +228,21 @@ void vio_delete(Vio* vio) if (vio) { if (vio->type != VIO_CLOSED) -#ifdef HAVE_VIO /*WAX*/ vio->vioclose(vio); -#else - vio_close(vio); -#endif + my_free((gptr) vio->read_buffer, MYF(MY_ALLOW_ZERO_PTR)); my_free((gptr) vio,MYF(0)); } } + + +/* + Cleanup memory allocated by vio or the + components below it when application finish + +*/ +void vio_end(void) +{ +#ifdef HAVE_YASSL + yaSSL_CleanUp(); +#endif +} diff --git a/vio/vio_priv.h b/vio/vio_priv.h index eb495025ddd..db331abdea8 100644 --- a/vio/vio_priv.h +++ b/vio/vio_priv.h @@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout); int vio_ssl_read(Vio *vio,gptr buf, int size); int vio_ssl_write(Vio *vio,const gptr buf,int size); -void vio_ssl_timeout(Vio *vio, uint which, uint timeout); - -/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */ -int vio_ssl_fastsend(Vio *vio); -/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */ -int vio_ssl_keepalive(Vio *vio, my_bool onoff); -/* Whenever we should retry the last read/write operation. */ -my_bool vio_ssl_should_retry(Vio *vio); -/* Check that operation was timed out */ -my_bool vio_ssl_was_interrupted(Vio *vio); + /* When the workday is over... */ int vio_ssl_close(Vio *vio); -/* Return last error number */ -int vio_ssl_errno(Vio *vio); -my_bool vio_ssl_peer_addr(Vio *vio, char *buf, uint16 *port); -void vio_ssl_in_addr(Vio *vio, struct in_addr *in); + int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode); -/* Single copy for server */ -enum vio_ssl_acceptorfd_state -{ - state_connect = 1, - state_accept = 2 -}; #endif /* HAVE_OPENSSL */ diff --git a/vio/viosocket.c b/vio/viosocket.c index 847e036d3b2..0d472be7901 100644 --- a/vio/viosocket.c +++ b/vio/viosocket.c @@ -33,8 +33,11 @@ int vio_read(Vio * vio, gptr buf, int size) { int r; DBUG_ENTER("vio_read"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); + /* Ensure nobody uses vio_read_buff and vio_read simultaneously */ + DBUG_ASSERT(vio->read_end == vio->read_pos); #ifdef __WIN__ r = recv(vio->sd, buf, size,0); #else @@ -52,11 +55,57 @@ int vio_read(Vio * vio, gptr buf, int size) } +/* + Buffered read: if average read size is small it may + reduce number of syscalls. +*/ + +int vio_read_buff(Vio *vio, gptr buf, int size) +{ + int rc; +#define VIO_UNBUFFERED_READ_MIN_SIZE 2048 + DBUG_ENTER("vio_read_buff"); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); + + if (vio->read_pos < vio->read_end) + { + rc= min(vio->read_end - vio->read_pos, size); + memcpy(buf, vio->read_pos, rc); + vio->read_pos+= rc; + /* + Do not try to read from the socket now even if rc < size: + vio_read can return -1 due to an error or non-blocking mode, and + the safest way to handle it is to move to a separate branch. + */ + } + else if (size < VIO_UNBUFFERED_READ_MIN_SIZE) + { + rc= vio_read(vio, vio->read_buffer, VIO_READ_BUFFER_SIZE); + if (rc > 0) + { + if (rc > size) + { + vio->read_pos= vio->read_buffer + size; + vio->read_end= vio->read_buffer + rc; + rc= size; + } + memcpy(buf, vio->read_buffer, rc); + } + } + else + rc= vio_read(vio, buf, size); + DBUG_RETURN(rc); +#undef VIO_UNBUFFERED_READ_MIN_SIZE +} + + int vio_write(Vio * vio, const gptr buf, int size) { int r; DBUG_ENTER("vio_write"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); #ifdef __WIN__ r = send(vio->sd, buf, size,0); #else @@ -82,7 +131,7 @@ int vio_blocking(Vio * vio __attribute__((unused)), my_bool set_blocking_mode, DBUG_PRINT("enter", ("set_blocking_mode: %d old_mode: %d", (int) set_blocking_mode, (int) *old_mode)); -#if !defined(__WIN__) && !defined(__EMX__) +#if !defined(__WIN__) #if !defined(NO_FCNTL_NONBLOCK) if (vio->sd >= 0) { @@ -104,10 +153,8 @@ int vio_blocking(Vio * vio __attribute__((unused)), my_bool set_blocking_mode, #else r= set_blocking_mode ? 0 : 1; #endif /* !defined(NO_FCNTL_NONBLOCK) */ -#else /* !defined(__WIN__) && !defined(__EMX__) */ -#ifndef __EMX__ +#else /* !defined(__WIN__) */ if (vio->type != VIO_TYPE_NAMEDPIPE && vio->type != VIO_TYPE_SHARED_MEMORY) -#endif { ulong arg; int old_fcntl=vio->fcntl_mode; @@ -124,11 +171,9 @@ int vio_blocking(Vio * vio __attribute__((unused)), my_bool set_blocking_mode, if (old_fcntl != vio->fcntl_mode) r = ioctlsocket(vio->sd,FIONBIO,(void*) &arg); } -#ifndef __EMX__ else r= test(!(vio->fcntl_mode & O_NONBLOCK)) != set_blocking_mode; -#endif /* __EMX__ */ -#endif /* !defined(__WIN__) && !defined(__EMX__) */ +#endif /* !defined(__WIN__) */ DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } @@ -149,12 +194,12 @@ int vio_fastsend(Vio * vio __attribute__((unused))) int r=0; DBUG_ENTER("vio_fastsend"); -#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__) +#if defined(IPTOS_THROUGHPUT) { int tos = IPTOS_THROUGHPUT; r= setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos)); } -#endif /* IPTOS_THROUGHPUT && !__EMX__ */ +#endif /* IPTOS_THROUGHPUT */ if (!r) { #ifdef __WIN__ @@ -181,7 +226,7 @@ int vio_keepalive(Vio* vio, my_bool set_keep_alive) int r=0; uint opt = 0; DBUG_ENTER("vio_keepalive"); - DBUG_PRINT("enter", ("sd=%d, set_keep_alive=%d", vio->sd, (int) + DBUG_PRINT("enter", ("sd: %d set_keep_alive: %d", vio->sd, (int) set_keep_alive)); if (vio->type != VIO_TYPE_NAMEDPIPE) { @@ -365,7 +410,8 @@ int vio_read_pipe(Vio * vio, gptr buf, int size) { DWORD length; DBUG_ENTER("vio_read_pipe"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); if (!ReadFile(vio->hPipe, buf, size, &length, NULL)) DBUG_RETURN(-1); @@ -379,7 +425,8 @@ int vio_write_pipe(Vio * vio, const gptr buf, int size) { DWORD length; DBUG_ENTER("vio_write_pipe"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); if (!WriteFile(vio->hPipe, (char*) buf, size, &length, NULL)) DBUG_RETURN(-1); @@ -424,7 +471,8 @@ int vio_read_shared_memory(Vio * vio, gptr buf, int size) char *current_postion; DBUG_ENTER("vio_read_shared_memory"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); remain_local = size; current_postion=buf; @@ -485,7 +533,8 @@ int vio_write_shared_memory(Vio * vio, const gptr buf, int size) char *current_postion; DBUG_ENTER("vio_write_shared_memory"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); + DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, + size)); remain = size; current_postion = buf; @@ -528,14 +577,20 @@ int vio_close_shared_memory(Vio * vio) Close all handlers. UnmapViewOfFile and CloseHandle return non-zero result if they are success. */ - r= UnmapViewOfFile(vio->handle_map) || CloseHandle(vio->event_server_wrote) || - CloseHandle(vio->event_server_read) || CloseHandle(vio->event_client_wrote) || - CloseHandle(vio->event_client_read) || CloseHandle(vio->handle_file_map); - if (!r) - { - DBUG_PRINT("vio_error", ("close() failed, error: %d",r)); - /* FIXME: error handling (not critical for MySQL) */ - } + if (UnmapViewOfFile(vio->handle_map) == 0) + DBUG_PRINT("vio_error", ("UnmapViewOfFile() failed")); + if (CloseHandle(vio->event_server_wrote) == 0) + DBUG_PRINT("vio_error", ("CloseHandle(vio->esw) failed")); + if (CloseHandle(vio->event_server_read) == 0) + DBUG_PRINT("vio_error", ("CloseHandle(vio->esr) failed")); + if (CloseHandle(vio->event_client_wrote) == 0) + DBUG_PRINT("vio_error", ("CloseHandle(vio->ecw) failed")); + if (CloseHandle(vio->event_client_read) == 0) + DBUG_PRINT("vio_error", ("CloseHandle(vio->ecr) failed")); + if (CloseHandle(vio->handle_file_map) == 0) + DBUG_PRINT("vio_error", ("CloseHandle(vio->hfm) failed")); + if (CloseHandle(vio->event_conn_closed) == 0) + DBUG_PRINT("vio_error", ("CloseHandle(vio->ecc) failed")); } vio->type= VIO_CLOSED; vio->sd= -1; diff --git a/vio/viossl.c b/vio/viossl.c index 62145fe5006..e869493c604 100644 --- a/vio/viossl.c +++ b/vio/viossl.c @@ -51,380 +51,240 @@ static int SSL_set_fd_bsd(SSL *s, int fd) static void -report_errors() +report_errors(SSL* ssl) { unsigned long l; - const char* file; - const char* data; - int line,flags; + const char *file; + const char *data; + int line, flags; +#ifndef DBUG_OFF + char buf[512]; +#endif + DBUG_ENTER("report_errors"); - while ((l=ERR_get_error_line_data(&file,&line,&data,&flags))) + while ((l= ERR_get_error_line_data(&file,&line,&data,&flags))) { - char buf[512]; DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), file,line,(flags&ERR_TXT_STRING)?data:"")) ; } - DBUG_PRINT("info", ("errno: %d", socket_errno)); - DBUG_VOID_RETURN; -} + if (ssl) + DBUG_PRINT("error", ("error: %s", + ERR_error_string(SSL_get_error(ssl, l), buf))); -int vio_ssl_errno(Vio *vio __attribute__((unused))) -{ - return socket_errno; /* On Win32 this mapped to WSAGetLastError() */ + DBUG_PRINT("info", ("socket_errno: %d", socket_errno)); + DBUG_VOID_RETURN; } -int vio_ssl_read(Vio * vio, gptr buf, int size) +int vio_ssl_read(Vio *vio, gptr buf, int size) { int r; DBUG_ENTER("vio_ssl_read"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d, ssl_=%p", + DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d, ssl_: 0x%p", vio->sd, buf, size, vio->ssl_arg)); - if ((r= SSL_read((SSL*) vio->ssl_arg, buf, size)) < 0) - { - int err= SSL_get_error((SSL*) vio->ssl_arg, r); - DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err)); - report_errors(); - } + r= SSL_read((SSL*) vio->ssl_arg, buf, size); +#ifndef DBUG_OFF + if (r < 0) + report_errors((SSL*) vio->ssl_arg); +#endif DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } -int vio_ssl_write(Vio * vio, const gptr buf, int size) +int vio_ssl_write(Vio *vio, const gptr buf, int size) { int r; DBUG_ENTER("vio_ssl_write"); - DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size)); - - if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0) - report_errors(); - DBUG_PRINT("exit", ("%d", r)); - DBUG_RETURN(r); -} + DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size)); - -int vio_ssl_fastsend(Vio * vio __attribute__((unused))) -{ - int r=0; - DBUG_ENTER("vio_ssl_fastsend"); - -#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__) - { - int tos= IPTOS_THROUGHPUT; - r= setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos)); - } -#endif /* IPTOS_THROUGHPUT && !__EMX__ */ - if (!r) - { -#ifdef __WIN__ - BOOL nodelay= 1; - r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (const char*) &nodelay, - sizeof(nodelay)); -#else - int nodelay= 1; - r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void*) &nodelay, - sizeof(nodelay)); -#endif /* __WIN__ */ - } - if (r) - { - DBUG_PRINT("warning", ("Couldn't set socket option for fast send")); - r= -1; - } + r= SSL_write((SSL*) vio->ssl_arg, buf, size); +#ifndef DBUG_OFF + if (r < 0) + report_errors((SSL*) vio->ssl_arg); +#endif DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } -int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive) +int vio_ssl_close(Vio *vio) { - int r=0; - DBUG_ENTER("vio_ssl_keepalive"); - DBUG_PRINT("enter", ("sd=%d, set_keep_alive=%d", vio->sd, (int) - set_keep_alive)); - if (vio->type != VIO_TYPE_NAMEDPIPE) - { - uint opt = (set_keep_alive) ? 1 : 0; - r= setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt, - sizeof(opt)); - } - DBUG_RETURN(r); -} - - -my_bool -vio_ssl_should_retry(Vio * vio __attribute__((unused))) -{ - int en = socket_errno; - return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || - en == SOCKET_EWOULDBLOCK); -} - - -my_bool -vio_ssl_was_interrupted(Vio *vio __attribute__((unused))) -{ - int en= socket_errno; - return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || - en == SOCKET_EWOULDBLOCK || en == SOCKET_ETIMEDOUT); -} - - -int vio_ssl_close(Vio * vio) -{ - int r; + int r= 0; + SSL *ssl= (SSL*)vio->ssl_arg; DBUG_ENTER("vio_ssl_close"); - r=0; - if ((SSL*) vio->ssl_arg) - { - r = SSL_shutdown((SSL*) vio->ssl_arg); - SSL_free((SSL*) vio->ssl_arg); - vio->ssl_arg= 0; - } - if (vio->sd >= 0) - { - if (shutdown(vio->sd, 2)) - r= -1; - if (closesocket(vio->sd)) - r= -1; - } - if (r) - { - DBUG_PRINT("error", ("close() failed, error: %d",socket_errno)); - report_errors(); - /* FIXME: error handling (not critical for MySQL) */ - } - vio->type= VIO_CLOSED; - vio->sd= -1; - DBUG_RETURN(r); -} - -const char *vio_ssl_description(Vio * vio) -{ - return vio->desc; -} - -enum enum_vio_type vio_ssl_type(Vio* vio) -{ - return vio->type; -} - -my_socket vio_ssl_fd(Vio* vio) -{ - return vio->sd; -} - - -my_bool vio_ssl_peer_addr(Vio * vio, char *buf, uint16 *port) -{ - DBUG_ENTER("vio_ssl_peer_addr"); - DBUG_PRINT("enter", ("sd=%d", vio->sd)); - if (vio->localhost) + if (ssl) { - strmov(buf,"127.0.0.1"); - *port=0; - } - else - { - size_socket addrLen = sizeof(struct sockaddr); - if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)), - &addrLen) != 0) + switch ((r= SSL_shutdown(ssl))) { - DBUG_PRINT("exit", ("getpeername, error: %d", socket_errno)); - DBUG_RETURN(1); + case 1: /* Shutdown successful */ + break; + case 0: /* Shutdown not yet finished, call it again */ + if ((r= SSL_shutdown(ssl) >= 0)) + break; + /* Fallthrough */ + default: /* Shutdown failed */ + DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %s", + SSL_get_error(ssl, r))); + break; } -#ifdef TO_BE_FIXED - my_inet_ntoa(vio->remote.sin_addr,buf); - *port= 0; -#else - strmov(buf, "unknown"); - *port= 0; -#endif + SSL_free(ssl); + vio->ssl_arg= 0; } - DBUG_PRINT("exit", ("addr=%s", buf)); - DBUG_RETURN(0); -} - - -void vio_ssl_in_addr(Vio *vio, struct in_addr *in) -{ - DBUG_ENTER("vio_ssl_in_addr"); - if (vio->localhost) - bzero((char*) in, sizeof(*in)); - else - *in=vio->remote.sin_addr; - DBUG_VOID_RETURN; + DBUG_RETURN(vio_close(vio)); } -/* - TODO: Add documentation -*/ - -int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) +int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { - char *str; - char buf[1024]; - X509* client_cert; + SSL *ssl; my_bool unused; my_bool net_blocking; - enum enum_vio_type old_type; + enum enum_vio_type old_type; DBUG_ENTER("sslaccept"); - DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr)); + DBUG_PRINT("enter", ("sd: %d ptr: %p, timeout: %d", + vio->sd, ptr, timeout)); old_type= vio->type; - net_blocking = vio_is_blocking(vio); + net_blocking= vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ - vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); - vio->ssl_arg= 0; - if (!(vio->ssl_arg= (void*) SSL_new(ptr->ssl_context))) + vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE); + + if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); - report_errors(); + report_errors(ssl); vio_reset(vio, old_type,vio->sd,0,FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } - DBUG_PRINT("info", ("ssl_=%p timeout=%ld",(SSL*) vio->ssl_arg, timeout)); - SSL_clear((SSL*) vio->ssl_arg); - SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); - SSL_set_fd((SSL*) vio->ssl_arg,vio->sd); - SSL_set_accept_state((SSL*) vio->ssl_arg); - if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) + vio->ssl_arg= (void*)ssl; + DBUG_PRINT("info", ("ssl_: %p timeout: %ld", ssl, timeout)); + SSL_clear(ssl); + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + SSL_set_accept_state(ssl); + if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); - report_errors(); - SSL_free((SSL*) vio->ssl_arg); + report_errors(ssl); + SSL_free(ssl); vio->ssl_arg= 0; vio_reset(vio, old_type,vio->sd,0,FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } + #ifndef DBUG_OFF - DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" - ,SSL_get_cipher_name((SSL*) vio->ssl_arg))); - client_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); - if (client_cert != NULL) { - DBUG_PRINT("info",("Client certificate:")); - str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); - DBUG_PRINT("info",("\t subject: %s", str)); - free (str); + char buf[1024]; + X509 *client_cert; + DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl))); - str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0); - DBUG_PRINT("info",("\t issuer: %s", str)); - free (str); + if ((client_cert= SSL_get_peer_certificate (ssl))) + { + DBUG_PRINT("info",("Client certificate:")); + X509_NAME_oneline (X509_get_subject_name (client_cert), + buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); - X509_free (client_cert); - } - else - DBUG_PRINT("info",("Client does not have certificate.")); + X509_NAME_oneline (X509_get_issuer_name (client_cert), + buf, sizeof(buf)); + DBUG_PRINT("info",("\t issuer: %s", buf)); - str=SSL_get_shared_ciphers((SSL*) vio->ssl_arg, buf, sizeof(buf)); - if (str) - { - DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str)); - } - else - { - DBUG_PRINT("info",("no shared ciphers!")); - } + X509_free (client_cert); + } + else + DBUG_PRINT("info",("Client does not have certificate.")); + if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf))) + { + DBUG_PRINT("info",("shared_ciphers: '%s'", buf)); + } + else + DBUG_PRINT("info",("no shared ciphers!")); + } #endif + DBUG_RETURN(0); } -int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) +int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { - char *str; - X509* server_cert; + SSL *ssl; my_bool unused; my_bool net_blocking; - enum enum_vio_type old_type; + enum enum_vio_type old_type; + DBUG_ENTER("sslconnect"); - DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context)); + DBUG_PRINT("enter", ("sd: %d, ptr: %p, ctx: %p", + vio->sd, ptr, ptr->ssl_context)); old_type= vio->type; - net_blocking = vio_is_blocking(vio); + net_blocking= vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ - vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); - vio->ssl_arg= 0; - if (!(vio->ssl_arg = SSL_new(ptr->ssl_context))) + vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE); + if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); - report_errors(); - vio_reset(vio, old_type,vio->sd,0,FALSE); - vio_blocking(vio, net_blocking, &unused); + report_errors(ssl); + vio_reset(vio, old_type, vio->sd, 0, FALSE); + vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } - DBUG_PRINT("info", ("ssl_=%p timeout=%ld",(SSL*) vio->ssl_arg, timeout)); - SSL_clear((SSL*) vio->ssl_arg); - SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); - SSL_set_fd ((SSL*) vio->ssl_arg, vio->sd); - SSL_set_connect_state((SSL*) vio->ssl_arg); - if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) + vio->ssl_arg= (void*)ssl; + DBUG_PRINT("info", ("ssl: %p, timeout: %ld", ssl, timeout)); + SSL_clear(ssl); + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + SSL_set_connect_state(ssl); + if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); - report_errors(); - SSL_free((SSL*) vio->ssl_arg); + report_errors(ssl); + SSL_free(ssl); vio->ssl_arg= 0; - vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); - } + } #ifndef DBUG_OFF - DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" - ,SSL_get_cipher_name((SSL*) vio->ssl_arg))); - server_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); - if (server_cert != NULL) { - DBUG_PRINT("info",("Server certificate:")); - str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0); - DBUG_PRINT("info",("\t subject: %s", str)); - free(str); - - str = X509_NAME_oneline (X509_get_issuer_name (server_cert), 0, 0); - DBUG_PRINT("info",("\t issuer: %s", str)); - free(str); - - /* - We could do all sorts of certificate verification stuff here before - deallocating the certificate. - */ - X509_free (server_cert); + X509 *server_cert; + DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl))); + + if ((server_cert= SSL_get_peer_certificate (ssl))) + { + char buf[256]; + DBUG_PRINT("info",("Server certificate:")); + X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); + X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t issuer: %s", buf)); + X509_free (server_cert); + } + else + DBUG_PRINT("info",("Server does not have certificate.")); } - else - DBUG_PRINT("info",("Server does not have certificate.")); #endif + DBUG_RETURN(0); } -int vio_ssl_blocking(Vio * vio __attribute__((unused)), +int vio_ssl_blocking(Vio *vio __attribute__((unused)), my_bool set_blocking_mode, my_bool *old_mode) { + /* Mode is always blocking */ + *old_mode= 1; /* Return error if we try to change to non_blocking mode */ - *old_mode=1; /* Mode is always blocking */ - return set_blocking_mode ? 0 : 1; + return (set_blocking_mode ? 0 : 1); } - -void vio_ssl_timeout(Vio *vio __attribute__((unused)), - uint which __attribute__((unused)), - uint timeout __attribute__((unused))) -{ -#ifdef __WIN__ - ulong wait_timeout= (ulong) timeout * 1000; - (void) setsockopt(vio->sd, SOL_SOCKET, - which ? SO_SNDTIMEO : SO_RCVTIMEO, (char*) &wait_timeout, - sizeof(wait_timeout)); -#endif /* __WIN__ */ -} #endif /* HAVE_OPENSSL */ diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 46306cf48bb..ca7a96d5801 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -21,7 +21,6 @@ static bool ssl_algorithms_added = FALSE; static bool ssl_error_strings_loaded= FALSE; static int verify_depth = 0; -static int verify_error = X509_V_OK; static unsigned char dh512_p[]= { @@ -80,32 +79,33 @@ static int vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) { DBUG_ENTER("vio_set_cert_stuff"); - DBUG_PRINT("enter", ("ctx=%p, cert_file=%s, key_file=%s", + DBUG_PRINT("enter", ("ctx: %p, cert_file: %s, key_file: %s", ctx, cert_file, key_file)); - if (cert_file != NULL) + if (cert_file) { - if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0) + if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { - DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file)); + DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file)); /* FIX stderr */ fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file); fflush(stderr); - DBUG_RETURN(0); + DBUG_RETURN(1); } - if (key_file == NULL) - key_file = cert_file; - if (SSL_CTX_use_PrivateKey_file(ctx,key_file, - SSL_FILETYPE_PEM) <= 0) + + if (!key_file) + key_file= cert_file; + + if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) { - DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file)); + DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file)); /* FIX stderr */ fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); - fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); - fflush(stderr); - DBUG_RETURN(0); + fprintf(stderr,"Unable to get private key from '%s'\n", key_file); + fflush(stderr); + DBUG_RETURN(1); } /* @@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) { DBUG_PRINT("error", ("Private key does not match the certificate public key\n")); - DBUG_RETURN(0); + DBUG_RETURN(1); } } - DBUG_RETURN(1); + DBUG_RETURN(0); } static int vio_verify_callback(int ok, X509_STORE_CTX *ctx) { - char buf[256]; - X509* err_cert; - int err,depth; + char buf[256]; + X509 *err_cert; DBUG_ENTER("vio_verify_callback"); - DBUG_PRINT("enter", ("ok=%d, ctx=%p", ok, ctx)); - err_cert=X509_STORE_CTX_get_current_cert(ctx); - err= X509_STORE_CTX_get_error(ctx); - depth= X509_STORE_CTX_get_error_depth(ctx); + DBUG_PRINT("enter", ("ok: %d, ctx: %p", ok, ctx)); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf)); + err_cert= X509_STORE_CTX_get_current_cert(ctx); + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf)); + DBUG_PRINT("info", ("cert: %s", buf)); if (!ok) { - DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err, + int err, depth; + err= X509_STORE_CTX_get_error(ctx); + depth= X509_STORE_CTX_get_error_depth(ctx); + + DBUG_PRINT("error",("verify error: %d, '%s'",err, X509_verify_cert_error_string(err))); + /* + Approve cert if depth is greater then "verify_depth", currently + verify_depth is always 0 and there is no way to increase it. + */ if (verify_depth >= depth) - { - ok=1; - verify_error=X509_V_OK; - } - else - { - verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; - } + ok= 1; } - switch (ctx->error) { + switch (ctx->error) + { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); - DBUG_PRINT("info",("issuer= %s\n",buf)); + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); + DBUG_PRINT("info",("issuer= %s\n", buf)); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: @@ -198,199 +198,156 @@ static void netware_ssl_init() #endif /* __NETWARE__ */ -/************************ VioSSLConnectorFd **********************************/ -/* - TODO: - Add option --verify to mysql to be able to change verification mode -*/ - -struct st_VioSSLConnectorFd * -new_VioSSLConnectorFd(const char* key_file, - const char* cert_file, - const char* ca_file, - const char* ca_path, - const char* cipher) +static void check_ssl_init() { - int verify = SSL_VERIFY_NONE; - struct st_VioSSLConnectorFd* ptr; - int result; - DH *dh; - DBUG_ENTER("new_VioSSLConnectorFd"); - DBUG_PRINT("enter", - ("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s, cipher=%s", - key_file, cert_file, ca_path, ca_file, cipher)); - - if (!(ptr=((struct st_VioSSLConnectorFd*) - my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0))))) - DBUG_RETURN(0); - - ptr->ssl_context= 0; - ptr->ssl_method= 0; - /* FIXME: constants! */ - if (!ssl_algorithms_added) { - DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()")); - ssl_algorithms_added = TRUE; + ssl_algorithms_added= TRUE; SSL_library_init(); OpenSSL_add_all_algorithms(); + } + #ifdef __NETWARE__ netware_ssl_init(); #endif if (!ssl_error_strings_loaded) { - DBUG_PRINT("info", ("todo:SSL_load_error_strings()")); - ssl_error_strings_loaded = TRUE; + ssl_error_strings_loaded= TRUE; SSL_load_error_strings(); } - ptr->ssl_method = TLSv1_client_method(); - ptr->ssl_context = SSL_CTX_new(ptr->ssl_method); - DBUG_PRINT("info", ("ssl_context: %p",ptr->ssl_context)); - if (ptr->ssl_context == 0) +} + +/************************ VioSSLFd **********************************/ +static struct st_VioSSLFd * +new_VioSSLFd(const char *key_file, const char *cert_file, + const char *ca_file, const char *ca_path, + const char *cipher, SSL_METHOD *method) +{ + DH *dh; + struct st_VioSSLFd *ssl_fd; + DBUG_ENTER("new_VioSSLFd"); + + check_ssl_init(); + + if (!(ssl_fd= ((struct st_VioSSLFd*) + my_malloc(sizeof(struct st_VioSSLFd),MYF(0))))) + DBUG_RETURN(0); + + if (!(ssl_fd->ssl_context= SSL_CTX_new(method))) { DBUG_PRINT("error", ("SSL_CTX_new failed")); report_errors(); - goto ctor_failure; - } - /* - SSL_CTX_set_options - SSL_CTX_set_info_callback - */ - if (cipher) - { - result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher); - DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result)); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback); - if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1) + + /* Set the ciphers that can be used */ + if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher)) { - DBUG_PRINT("error", ("vio_set_cert_stuff failed")); + DBUG_PRINT("error", ("failed to set ciphers to use")); report_errors(); - goto ctor_failure; + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file,ca_path) == 0) + + /* Load certs from the trusted ca */ + if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0) { DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); - if (SSL_CTX_set_default_verify_paths(ptr->ssl_context) == 0) + if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0) { DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); report_errors(); - goto ctor_failure; + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - } + } + + if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file)) + { + DBUG_PRINT("error", ("vio_set_cert_stuff failed")); + report_errors(); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); + } /* DH stuff */ dh=get_dh512(); - SSL_CTX_set_tmp_dh(ptr->ssl_context,dh); + SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh); DH_free(dh); - DBUG_RETURN(ptr); -ctor_failure: - DBUG_PRINT("exit", ("there was an error")); - my_free((gptr)ptr,MYF(0)); - DBUG_RETURN(0); + DBUG_PRINT("exit", ("OK 1")); + + DBUG_RETURN(ssl_fd); } -/************************ VioSSLAcceptorFd **********************************/ -/* - TODO: - Add option --verify to mysqld to be able to change verification mode -*/ -struct st_VioSSLAcceptorFd* -new_VioSSLAcceptorFd(const char *key_file, - const char *cert_file, - const char *ca_file, - const char *ca_path, - const char *cipher) +/************************ VioSSLConnectorFd **********************************/ +struct st_VioSSLFd * +new_VioSSLConnectorFd(const char *key_file, const char *cert_file, + const char *ca_file, const char *ca_path, + const char *cipher) { - int verify = (SSL_VERIFY_PEER | - SSL_VERIFY_CLIENT_ONCE); - struct st_VioSSLAcceptorFd* ptr; - int result; - DH *dh; - DBUG_ENTER("new_VioSSLAcceptorFd"); - DBUG_PRINT("enter", - ("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s, cipher=%s", - key_file, cert_file, ca_path, ca_file, cipher)); - - ptr= ((struct st_VioSSLAcceptorFd*) - my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0))); - ptr->ssl_context=0; - ptr->ssl_method=0; - /* FIXME: constants! */ - ptr->session_id_context= ptr; - - if (!ssl_algorithms_added) + struct st_VioSSLFd *ssl_fd; + int verify= SSL_VERIFY_PEER; + if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, + ca_path, cipher, TLSv1_client_method()))) { - DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()")); - ssl_algorithms_added = TRUE; - SSL_library_init(); - OpenSSL_add_all_algorithms(); - + return 0; } -#ifdef __NETWARE__ - netware_ssl_init(); -#endif - if (!ssl_error_strings_loaded) - { - DBUG_PRINT("info", ("todo: SSL_load_error_strings()")); - ssl_error_strings_loaded = TRUE; - SSL_load_error_strings(); - } - ptr->ssl_method= TLSv1_server_method(); - ptr->ssl_context= SSL_CTX_new(ptr->ssl_method); - if (ptr->ssl_context == 0) - { - DBUG_PRINT("error", ("SSL_CTX_new failed")); - report_errors(); - goto ctor_failure; - } - if (cipher) + /* Init the VioSSLFd as a "connector" ie. the client side */ + + /* + The verify_callback function is used to control the behaviour + when the SSL_VERIFY_PEER flag is set. + */ + SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback); + + return ssl_fd; +} + + +/************************ VioSSLAcceptorFd **********************************/ +struct st_VioSSLFd * +new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, + const char *ca_file, const char *ca_path, + const char *cipher) +{ + struct st_VioSSLFd *ssl_fd; + int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, + ca_path, cipher, TLSv1_server_method()))) { - result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher); - DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result)); + return 0; } - /* SSL_CTX_set_quiet_shutdown(ctx,1); */ - SSL_CTX_sess_set_cache_size(ptr->ssl_context,128); + /* Init the the VioSSLFd as a "acceptor" ie. the server side */ - /* DH? */ - SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback); - SSL_CTX_set_session_id_context(ptr->ssl_context, - (const uchar*) &(ptr->session_id_context), - sizeof(ptr->session_id_context)); + /* Set max number of cached sessions, returns the previous size */ + SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128); /* - SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); + The verify_callback function is used to control the behaviour + when the SSL_VERIFY_PEER flag is set. */ - if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1) - { - DBUG_PRINT("error", ("vio_set_cert_stuff failed")); - report_errors(); - goto ctor_failure; - } - if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file, ca_path) == 0) - { - DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); - if (SSL_CTX_set_default_verify_paths(ptr->ssl_context)==0) - { - DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); - report_errors(); - goto ctor_failure; - } - } - /* DH stuff */ - dh=get_dh512(); - SSL_CTX_set_tmp_dh(ptr->ssl_context,dh); - DH_free(dh); - DBUG_RETURN(ptr); + SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback); -ctor_failure: - DBUG_PRINT("exit", ("there was an error")); - my_free((gptr) ptr,MYF(0)); - DBUG_RETURN(0); + /* + Set session_id - an identifier for this server session + Use the ssl_fd pointer + */ + SSL_CTX_set_session_id_context(ssl_fd->ssl_context, + (const unsigned char *)ssl_fd, + sizeof(ssl_fd)); + + return ssl_fd; +} + +void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd) +{ + SSL_CTX_free(fd->ssl_context); + my_free((gptr) fd, MYF(0)); } #endif /* HAVE_OPENSSL */ |