diff --git a/sql-common/client.c b/sql-common/client.c
index da38d022c4d..b24b92014d6 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1567,64 +1567,6 @@ static MYSQL_METHODS client_methods=
 #endif
 };
-int ssl_verify_server_cert(Vio *vio, const char* server_host)
-{
- SSL *ssl;
- X509 *server_cert;
- char *cp1, *cp2;
- char buf[256];
- DBUG_ENTER("ssl_verify_server_cert");
- DBUG_PRINT("enter", ("server_host: %s", server_host));
-
- if (!(ssl= (SSL*)vio->ssl_arg))
- {
- DBUG_PRINT("error", ("No SSL pointer found"));
- return 1;
- }
-
- if (!server_host)
- {
- DBUG_PRINT("error", ("No server hostname supplied"));
- return 1;
- }
-
- if (!(server_cert= SSL_get_peer_certificate(ssl)))
- {
- DBUG_PRINT("error", ("Could not get server certificate"));
- return 1;
- }
-
- /*
- We already know that the certificate exchanged was valid; the SSL library
- handled that. Now we need to verify that the contents of the certificate
- are what we expect.
- */
-
- X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
- X509_free (server_cert);
-
-// X509_NAME_get_text_by_NID(x509_get_subject_name(server_cert), NID_commonName, buf, sizeof(buf));... does the same thing
-
- DBUG_PRINT("info", ("hostname in cert: %s", buf));
- cp1 = strstr(buf, "/CN=");
- if (cp1)
- {
- cp1 += 4; // Skip the "/CN=" that we found
- cp2 = strchr(cp1, '/');
- if (cp2)
- *cp2 = '\0';
- DBUG_PRINT("info", ("Server hostname in cert: ", cp1));
- if (!strcmp(cp1, server_host))
- {
- /* Success */
- DBUG_RETURN(0);
- }
- }
- DBUG_PRINT("error", ("SSL certificate validation failure"));
- DBUG_RETURN(1);
-}
-
-
 MYSQL *
 CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 const char *passwd, const char *db,
@@ -2107,15 +2049,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 }
 DBUG_PRINT("info", ("IO layer change done!"));
-#if 0
- /* Verify server cert */
- if (mysql->options.ssl_verify_cert &&
- ssl_verify_server_cert(mysql->net.vio, mysql->host))
- {
- set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
- goto error;
- }
-#endif
+ /* TODO Verify server cert */
 }
 #endif /* HAVE_OPENSSL */
diff --git a/vio/viossl.c b/vio/viossl.c
index 33b8f716b9e..aa4cdda9f01 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -54,12 +54,12 @@ static void report_errors()
 {
 unsigned long l;
- const char* file;
- const char* data;
- int line,flags;
+ const char *file;
+ const char *data;
+ int line,flags;
 DBUG_ENTER("report_errors");
- while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)))
+ while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
 {
 char buf[512];
 DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
@@ -70,7 +70,7 @@ report_errors()
 }
-int vio_ssl_read(Vio * vio, gptr buf, int size)
+int vio_ssl_read(Vio *vio, gptr buf, int size)
 {
 int r;
 DBUG_ENTER("vio_ssl_read");
@@ -88,7 +88,7 @@ int vio_ssl_read(Vio * vio, gptr buf, int size)
 }
-int vio_ssl_write(Vio * vio, const gptr buf, int size)
+int vio_ssl_write(Vio *vio, const gptr buf, int size)
 {
 int r;
 DBUG_ENTER("vio_ssl_write");
@@ -101,10 +101,10 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size)
 }
-int vio_ssl_close(Vio * vio)
+int vio_ssl_close(Vio *vio)
 {
 int r= 0;
- SSL* ssl= (SSL*)vio->ssl_arg;
+ SSL *ssl= (SSL*)vio->ssl_arg;
 DBUG_ENTER("vio_ssl_close");
 if (ssl)
@@ -129,10 +129,10 @@ int vio_ssl_close(Vio * vio)
 }
-int sslaccept(struct st_VioSSLFd* ptr, Vio* vio, long timeout)
+int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
 {
 SSL *ssl;
- X509* client_cert;
+ X509 *client_cert;
 my_bool unused;
 my_bool net_blocking;
 enum enum_vio_type old_type;
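Review bot: Setting `mysql->options.ssl_verify_cert` becomes a silent no-op here: after the `+ /* TODO Verify server cert */` line nothing compares the peer certificate to `mysql->host`, yet the connection is reported as successful, so a client that explicitly asked for server verification gets a TLS session with no identity check and no error. Until the check is reimplemented this should fail closed rather than pretend: if the option is requested and no verification is available, report `CR_SSL_CONNECTION_ERROR` and `goto error`, as the removed block did on a mismatch. Whether the `ssl_verify_cert` field itself survives this commit is not visible in the hunk; the guard below assumes it still exists. `CLI_MYSQL_REAL_CONNECT` starts and ends outside the hunk.
```c
    DBUG_PRINT("info", ("IO layer change done!"));
    /* TODO Verify server cert: hostname matching against mysql->host is not
       implemented yet, so fail closed instead of silently ignoring the option */
    if (mysql->options.ssl_verify_cert)
    {
      set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
      goto error;
    }
```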
@@ -204,7 +204,7 @@ int sslaccept(struct st_VioSSLFd* ptr, Vio* vio, long timeout)
 }
-int sslconnect(struct st_VioSSLFd* ptr, Vio* vio, long timeout)
+int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
 {
 SSL *ssl;
 X509 *server_cert;
@@ -265,7 +265,7 @@ int sslconnect(struct st_VioSSLFd* ptr, Vio* vio, long timeout)
 }
-int vio_ssl_blocking(Vio * vio __attribute__((unused)),
+int vio_ssl_blocking(Vio *vio __attribute__((unused)),
 my_bool set_blocking_mode, my_bool *old_mode)
 {
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index c58fa449374..d6356f1adca 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -209,7 +209,6 @@ static void check_ssl_init()
 }
 #ifdef __NETWARE__
- /* MASV, should it be done everytime? */
 netware_ssl_init();
 #endif