/* Copyright (C) 2000 MySQL AB
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
/*
Note that we can't assert on file descriptors; the reason for
this is that during mysql shutdown, another thread can close a file
we are working on. In this case we should just return read errors from
the file descriptor.
*/
#include "vio_priv.h"
#ifdef HAVE_OPENSSL
#ifdef __NETWARE__
/* yaSSL already uses BSD sockets */
#ifndef HAVE_YASSL
/*
The default OpenSSL implementation on NetWare uses WinSock.
This code allows us to use the BSD sockets.
*/
/*
  Attach a BSD socket descriptor to an SSL object through a BIO built on
  BIO_s_bsdsocket(), so that OpenSSL on NetWare talks to the BSD socket
  layer instead of WinSock.  Installed as SSL_set_fd() by the #define
  that follows.

  @param s   SSL object that takes over the new BIO via SSL_set_bio()
  @param fd  BSD socket descriptor; BIO_NOCLOSE means the BIO will not
             close it, so the descriptor stays owned by the caller

  @return  what BIO_set_fd() returned when a BIO could be created, or -1
           when BIO_new() failed (nothing is attached in that case).  The
           callers in this file do not look at the value.
*/
static int SSL_set_fd_bsd(SSL *s, int fd)
{
  BIO_METHOD *BIO_s_bsdsocket();
  BIO *sock_bio= BIO_new(BIO_s_bsdsocket());

  if (!sock_bio)
    return -1;                                  /* no BIO, nothing attached */

  {
    int rc= BIO_set_fd(sock_bio, fd, BIO_NOCLOSE);
    SSL_set_bio(s, sock_bio, sock_bio);         /* one BIO for both directions */
    return rc;
  }
}
#define SSL_set_fd(A, B) SSL_set_fd_bsd((A), (B))
#endif /* HAVE_YASSL */
#endif /* __NETWARE__ */
/*
  Debug helper: dump the OpenSSL error queue, the SSL object's last error
  and socket_errno through DBUG_PRINT.  Draining the error queue is the
  only side effect that survives a DBUG_OFF build, where every print is
  compiled out.

  @param ssl  SSL object the failing call was made on, or NULL (used by
              sslaccept()/sslconnect() when SSL_new() itself failed) to
              skip the SSL_get_error() line

  NOTE(review): when the loop below ends, `err_code' holds the 0 that
  terminated it and the queue is already empty, so SSL_get_error(ssl,
  err_code) is not being given the return value of the failed I/O call
  it is meant to interpret.  This signature cannot carry that value, so
  treat the "error:" line as best-effort debug output only.
*/
static void
report_errors(SSL* ssl)
{
  unsigned long err_code;
  const char *err_file;
  const char *err_data;
  int err_line, err_flags;
#ifndef DBUG_OFF
  char msg[512];                              /* ERR_error_string() output */
#endif
  DBUG_ENTER("report_errors");

  for (;;)
  {
    err_code= ERR_get_error_line_data(&err_file, &err_line, &err_data,
                                      &err_flags);
    if (!err_code)
      break;                                  /* queue drained */
    DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n",
                         ERR_error_string(err_code, msg), err_file, err_line,
                         (err_flags & ERR_TXT_STRING) ? err_data : ""));
  }

  if (ssl)
    DBUG_PRINT("error", ("error: %s",
                         ERR_error_string(SSL_get_error(ssl, err_code), msg)));

  DBUG_PRINT("info", ("socket_errno: %d", socket_errno));
  DBUG_VOID_RETURN;
}
/*
  Read up to `size' bytes from the TLS connection into `buf'.

  @param vio   connection; vio->ssl_arg holds the SSL object
  @param buf   destination buffer
  @param size  capacity of buf in bytes

  @return  the SSL_read() result unchanged: > 0 is the number of bytes
           stored in buf, anything else is passed straight to the caller
           to classify.  This wrapper only adds trace output and, for a
           negative result in debug builds, a dump of the OpenSSL error
           queue via report_errors().
*/
int vio_ssl_read(Vio *vio, gptr buf, int size)
{
  SSL *ssl= (SSL*) vio->ssl_arg;
  int nread;
  DBUG_ENTER("vio_ssl_read");
  DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d ssl: 0x%lx",
                       vio->sd, (long) buf, size, (long) vio->ssl_arg));

  nread= SSL_read(ssl, buf, size);
#ifndef DBUG_OFF
  if (nread < 0)
    report_errors(ssl);                       /* debug only; drains error queue */
#endif
  DBUG_PRINT("exit", ("%d", nread));
  DBUG_RETURN(nread);
}
/*
  Write `size' bytes from `buf' to the TLS connection.

  @param vio   connection; vio->ssl_arg holds the SSL object
  @param buf   data to send
  @param size  number of bytes in buf

  @return  the SSL_write() result unchanged: > 0 is the number of bytes
           accepted, anything else is left for the caller to classify.
           Only trace output and, for a negative result in debug builds,
           a report_errors() dump are added here.
*/
int vio_ssl_write(Vio *vio, const gptr buf, int size)
{
  SSL *ssl= (SSL*) vio->ssl_arg;
  int nwritten;
  DBUG_ENTER("vio_ssl_write");
  DBUG_PRINT("enter", ("sd: %d buf: 0x%lx size: %d", vio->sd, (long) buf, size));

  nwritten= SSL_write(ssl, buf, size);
#ifndef DBUG_OFF
  if (nwritten < 0)
    report_errors(ssl);                       /* debug only; drains error queue */
#endif
  DBUG_PRINT("exit", ("%d", nwritten));
  DBUG_RETURN(nwritten);
}
/*
  Shut down the TLS layer, then close the underlying socket.

  Exactly one SSL_shutdown() is issued: our close_notify goes out, but we
  do not wait for the peer's (that would take a second SSL_shutdown()),
  because the socket is closed immediately afterwards.  The SSL object is
  not freed here -- that is vio_ssl_delete()'s job.

  @param vio  connection to close; if vio->ssl_arg is NULL only the
              socket is closed

  @return  whatever vio_close(vio) returns.  The SSL_shutdown() outcome
           is traced but never reported to the caller.
*/
int vio_ssl_close(Vio *vio)
{
  SSL *ssl= (SSL*) vio->ssl_arg;
  DBUG_ENTER("vio_ssl_close");

  if (ssl)
  {
    int rc= SSL_shutdown(ssl);
    /*
      rc == 1: close_notify exchanged in both directions.
      rc == 0: ours was sent, the peer's has not arrived yet.  The socket
               is closed right below, so the second SSL_shutdown() that
               would wait for it is deliberately skipped.
      other:   shutdown failed; trace it and carry on closing.
    */
    if (rc != 1 && rc != 0)
      DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d",
                               SSL_get_error(ssl, rc)));
  }
  DBUG_RETURN(vio_close(vio));
}
/*
  Destroy an SSL Vio: close the connection if it is still of type
  VIO_TYPE_SSL, free the SSL object, then delete the Vio itself.

  @param vio  connection to destroy; NULL is accepted and does nothing
*/
void vio_ssl_delete(Vio *vio)
{
  SSL *ssl;

  if (vio == NULL)
    return;                                   /* deleting NULL must be safe */

  /* A connection that is still open is shut down before it is torn down */
  if (vio->type == VIO_TYPE_SSL)
    vio_ssl_close(vio);

  ssl= (SSL*) vio->ssl_arg;
  if (ssl)
  {
    SSL_free(ssl);
    vio->ssl_arg= 0;                          /* leave no dangling pointer behind */
  }

  vio_delete(vio);
}
/*
  Upgrade an accepted plain-socket Vio to a TLS server-side connection.

  The Vio is forced into blocking mode and re-typed as VIO_TYPE_SSL, an
  SSL object is created from ptr->ssl_context, bound to vio->sd and driven
  through SSL_accept().  On any failure the Vio gets its previous type and
  blocking mode back and no SSL object is left attached.

  @param ptr      holder of the server SSL_CTX (ptr->ssl_context)
  @param vio      connection to upgrade; vio->sd is the socket
  @param timeout  handed to SSL_SESSION_set_timeout() -- a lifetime for
                  the session object, not a bound on how long the blocking
                  SSL_accept() below may take

  @return  0 on success (vio->ssl_arg holds the SSL object),
           1 on failure (Vio restored, no SSL object attached)

  NOTE(review): nothing here inspects the client certificate -- the debug
  block only prints it.  Any client-authentication requirement must come
  from the verify mode configured on ptr->ssl_context outside this file.
  NOTE(review): SSL_get_session() immediately after SSL_clear() may return
  NULL, which would make the timeout call a no-op; confirm for the TLS
  library actually linked (OpenSSL or yaSSL).
*/
int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
{
  SSL *ssl= NULL;
  my_bool unused;
  my_bool was_blocking;
  enum enum_vio_type saved_type;
  DBUG_ENTER("sslaccept");
  DBUG_PRINT("enter", ("sd: %d ptr: 0x%lx, timeout: %ld",
                       vio->sd, (long) ptr, timeout));

  /* Remember what to restore if the handshake does not go through */
  saved_type= vio->type;
  was_blocking= vio_is_blocking(vio);

  /* The handshake runs in blocking mode; vio_blocking must precede vio_reset */
  vio_blocking(vio, 1, &unused);
  vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);

  ssl= SSL_new(ptr->ssl_context);
  if (ssl == NULL)
  {
    DBUG_PRINT("error", ("SSL_new failure"));
    goto err;
  }
  vio->ssl_arg= (void*) ssl;
  DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout));

  SSL_clear(ssl);
  SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
  SSL_set_fd(ssl, vio->sd);

  if (SSL_accept(ssl) < 1)
  {
    DBUG_PRINT("error", ("SSL_accept failure"));
    goto err;
  }

#ifndef DBUG_OFF
  {
    char name_buf[1024];
    X509 *peer_cert;
    DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl)));

    peer_cert= SSL_get_peer_certificate(ssl);
    if (peer_cert == NULL)
      DBUG_PRINT("info",("Client does not have certificate."));
    else
    {
      DBUG_PRINT("info",("Client certificate:"));
      X509_NAME_oneline(X509_get_subject_name(peer_cert), name_buf,
                        sizeof(name_buf));
      DBUG_PRINT("info",("\t subject: %s", name_buf));
      X509_NAME_oneline(X509_get_issuer_name(peer_cert), name_buf,
                        sizeof(name_buf));
      DBUG_PRINT("info",("\t issuer: %s", name_buf));
      X509_free(peer_cert);                   /* the returned reference is ours */
    }

    if (SSL_get_shared_ciphers(ssl, name_buf, sizeof(name_buf)))
      DBUG_PRINT("info",("shared_ciphers: '%s'", name_buf));
    else
      DBUG_PRINT("info",("no shared ciphers!"));
  }
#endif

  DBUG_RETURN(0);

err:
  /* ssl is NULL when SSL_new() failed; report_errors() accepts that */
  report_errors(ssl);
  if (ssl)
  {
    SSL_free(ssl);
    vio->ssl_arg= 0;
  }
  vio_reset(vio, saved_type, vio->sd, 0, FALSE);
  vio_blocking(vio, was_blocking, &unused);
  DBUG_RETURN(1);
}
/*
  Upgrade a connected plain-socket Vio to a TLS client-side connection.

  Mirrors sslaccept(): the Vio is forced into blocking mode and re-typed
  as VIO_TYPE_SSL, an SSL object is created from ptr->ssl_context, bound
  to vio->sd and driven through SSL_connect().  Any failure restores the
  Vio's previous type and blocking mode and leaves no SSL object attached.

  @param ptr      holder of the client SSL_CTX (ptr->ssl_context)
  @param vio      connection to upgrade; vio->sd is the socket
  @param timeout  handed to SSL_SESSION_set_timeout(); a session lifetime,
                  not a bound on the blocking SSL_connect() itself

  @return  0 on success (vio->ssl_arg holds the SSL object),
           1 on failure (Vio restored, no SSL object attached)

  NOTE(review): this function performs no server-identity check of its
  own: it never calls SSL_get_verify_result() and never compares the peer
  certificate against a host name (the debug block only prints subject
  and issuer).  Whether the server is authenticated at all therefore
  depends entirely on the verify mode configured on ptr->ssl_context
  outside this file; with verification off the link is encrypted but the
  peer is not authenticated.
  NOTE(review): SSL_get_session() immediately after SSL_clear() may return
  NULL, making the timeout call a no-op; confirm for the TLS library
  actually linked (OpenSSL or yaSSL).
*/
int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
{
  SSL *ssl= NULL;
  my_bool unused;
  my_bool was_blocking;
  enum enum_vio_type saved_type;

  DBUG_ENTER("sslconnect");
  DBUG_PRINT("enter", ("sd: %d ptr: 0x%lx ctx: 0x%lx",
                       vio->sd, (long) ptr, (long) ptr->ssl_context));

  /* Remember what to restore if the handshake does not go through */
  saved_type= vio->type;
  was_blocking= vio_is_blocking(vio);

  /* The handshake runs in blocking mode; vio_blocking must precede vio_reset */
  vio_blocking(vio, 1, &unused);
  vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);

  ssl= SSL_new(ptr->ssl_context);
  if (ssl == NULL)
  {
    DBUG_PRINT("error", ("SSL_new failure"));
    goto err;
  }
  vio->ssl_arg= (void*) ssl;
  DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout));

  SSL_clear(ssl);
  SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
  SSL_set_fd(ssl, vio->sd);

  if (SSL_connect(ssl) < 1)
  {
    DBUG_PRINT("error", ("SSL_connect failure"));
    goto err;
  }

#ifndef DBUG_OFF
  {
    X509 *peer_cert;
    DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl)));

    peer_cert= SSL_get_peer_certificate(ssl);
    if (peer_cert == NULL)
      DBUG_PRINT("info",("Server does not have certificate."));
    else
    {
      char name_buf[256];
      DBUG_PRINT("info",("Server certificate:"));
      X509_NAME_oneline(X509_get_subject_name(peer_cert), name_buf,
                        sizeof(name_buf));
      DBUG_PRINT("info",("\t subject: %s", name_buf));
      X509_NAME_oneline(X509_get_issuer_name(peer_cert), name_buf,
                        sizeof(name_buf));
      DBUG_PRINT("info",("\t issuer: %s", name_buf));
      X509_free(peer_cert);                   /* the returned reference is ours */
    }
  }
#endif

  DBUG_RETURN(0);

err:
  /* ssl is NULL when SSL_new() failed; report_errors() accepts that */
  report_errors(ssl);
  if (ssl)
  {
    SSL_free(ssl);
    vio->ssl_arg= 0;
  }
  vio_reset(vio, saved_type, vio->sd, 0, FALSE);
  vio_blocking(vio, was_blocking, &unused);
  DBUG_RETURN(1);
}
/*
  Blocking-mode switch for SSL Vios.  sslaccept()/sslconnect() force an
  SSL Vio into blocking mode and it stays there, so this only reports
  that fixed state and refuses requests to go non-blocking.

  @param vio                unused
  @param set_blocking_mode  requested mode; only blocking (non-zero) is
                            accepted
  @param old_mode           receives the current mode, which is always 1

  @return  0 when blocking mode was requested,
           1 when non-blocking mode was requested and refused
*/
int vio_ssl_blocking(Vio *vio __attribute__((unused)),
                     my_bool set_blocking_mode,
                     my_bool *old_mode)
{
  *old_mode= 1;                               /* an SSL Vio is always blocking */
  if (set_blocking_mode)
    return 0;
  return 1;                                   /* non-blocking is not supported */
}
#endif /* HAVE_OPENSSL */