mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-28 17:54:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

cleanup

Browse source
This commit is contained in:
Sergei Golubchik 2023-08-23 15:23:22 +02:00
parent 68f0af2bf1
commit d772c4fb04
1 changed files with 27 additions and 101 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

128
vio/viosslfactories.c
View file

@ -137,7 +137,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
If certificate is used check if private key matches.
Note, that server side has to use certificate.
*/
if ((cert_file != NULL || !is_client) && !SSL_CTX_check_private_key(ctx))
if ((cert_file || !is_client) && !SSL_CTX_check_private_key(ctx))
{
*error= SSL_INITERR_NOMATCH;
DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
@ -221,52 +221,35 @@ static long vio_tls_protocol_options(ulonglong tls_version)
return (disabled_tls_protocols | disabled_ssl_protocols);
}
/*
If some optional parameters indicate empty strings, then
for compatibility with SSL libraries, replace them with NULL,
otherwise these libraries will try to open files with an empty
name, etc., and they will return an error code instead of performing
the necessary operations:
*/
#define fix_value(X) if (X && !X[0]) X= NULL
/************************ VioSSLFd **********************************/
static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, my_bool is_client_method,
enum enum_ssl_init_error *error,
const char *crl_file, const char *crl_path, ulonglong tls_version)
new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file,
const char *ca_path, const char *cipher, my_bool is_client_method,
enum enum_ssl_init_error *error, const char *crl_file,
const char *crl_path, ulonglong tls_version)
{
struct st_VioSSLFd *ssl_fd;
long ssl_ctx_options;
DBUG_ENTER("new_VioSSLFd");
/*
If some optional parameters indicate empty strings, then
for compatibility with SSL libraries, replace them with NULL,
otherwise these libraries will try to open files with an empty
name, etc., and they will return an error code instead performing
the necessary operations:
*/
if (ca_file && !ca_file[0])
{
ca_file = NULL;
}
if (ca_path && !ca_path[0])
{
ca_path = NULL;
}
if (crl_file && !crl_file[0])
{
crl_file = NULL;
}
if (crl_path && !crl_path[0])
{
crl_path = NULL;
}
fix_value(ca_file);
fix_value(ca_path);
fix_value(crl_file);
fix_value(crl_path);
DBUG_PRINT("enter",
("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s'",
key_file ? key_file : "NULL",
cert_file ? cert_file : "NULL",
ca_file ? ca_file : "NULL",
ca_path ? ca_path : "NULL",
cipher ? cipher : "NULL",
crl_file ? crl_file : "NULL",
crl_path ? crl_path : "NULL"));
"cipher: '%s' crl_file: '%s' crl_path: '%s'", key_file,
cert_file, ca_file, ca_path, cipher, crl_file, crl_path));
vio_check_ssl_init();
@ -406,51 +389,20 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER;
if (ca_file && ! ca_file[0]) ca_file = NULL;
if (ca_path && ! ca_path[0]) ca_path = NULL;
if (crl_file && ! crl_file[0]) crl_file = NULL;
if (crl_path && ! crl_path[0]) crl_path = NULL;
/*
If some optional parameters indicate empty strings, then
for compatibility with SSL libraries, replace them with NULL,
otherwise these libraries will try to open files with an empty
name, etc., and they will return an error code instead performing
the necessary operations:
*/
if (ca_file && !ca_file[0])
{
ca_file = NULL;
}
if (ca_path && !ca_path[0])
{
ca_path = NULL;
}
if (crl_file && !crl_file[0])
{
crl_file = NULL;
}
if (crl_path && !crl_path[0])
{
crl_path = NULL;
}
/*
Turn off verification of servers certificate if both
ca_file and ca_path is set to NULL
*/
if (ca_file == 0 && ca_path == 0)
if ((ca_file == 0 || ca_file[0] == 0) && (ca_path == 0 || ca_path[0] == 0))
verify= SSL_VERIFY_NONE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, TRUE, error,
crl_file, crl_path, 0)))
/* Init the VioSSLFd as a "connector" ie. the client side */
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher,
TRUE, error, crl_file, crl_path, 0)))
{
return 0;
}
/* Init the VioSSLFd as a "connector" ie. the client side */
SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
return ssl_fd;
@ -468,38 +420,12 @@ new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
/*
If some optional parameters indicate empty strings, then
for compatibility with SSL libraries, replace them with NULL,
otherwise these libraries will try to open files with an empty
name, etc., and they will return an error code instead performing
the necessary operations:
*/
if (ca_file && !ca_file[0])
{
ca_file = NULL;
}
if (ca_path && !ca_path[0])
{
ca_path = NULL;
}
if (crl_file && !crl_file[0])
{
crl_file = NULL;
}
if (crl_path && !crl_path[0])
{
crl_path = NULL;
}
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, FALSE, error,
crl_file, crl_path, tls_version)))
/* Init the the VioSSLFd as a "acceptor" ie. the server side */
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher,
FALSE, error, crl_file, crl_path, tls_version)))
{
return 0;
}
/* Init the the VioSSLFd as a "acceptor" ie. the server side */
/* Set max number of cached sessions, returns the previous size */
SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128);