Commit 74a99e4a authored by unknown's avatar unknown

Error code for ssl connection

Fix bug when server hang(with SSL, with modified libmysql)
Add options master-ssl-capath and master-ssl-cipher
Add some error checking(SSL) 


include/errmsg.h:
  Error code for SSL connection
include/violite.h:
  Change return value in sslaccept
  Remove unused variable open_
libmysql/errmsg.c:
  Add client side descriptive message when ssl handshake fail
libmysql/libmysql.c:
  Add ssl error code
  Add proper error checking
sql/mysqld.cc:
  Add options master-ssl-capath and master-ssl-cipher
sql/sql_parse.cc:
  Add error checking after sslaccept
vio/viossl.c:
  Add ssl handshake error cheking
vio/viosslfactories.c:
  Change error description when using wrong key or certificate
parent 5c491aca
......@@ -61,3 +61,4 @@ extern const char *client_errors[]; /* Error messages */
#define CR_PROBE_SLAVE_HOSTS 2023
#define CR_PROBE_SLAVE_CONNECT 2024
#define CR_PROBE_MASTER_CONNECT 2025
#define CR_SSL_CONNECTION_ERROR 2026
......@@ -174,7 +174,7 @@ struct st_VioSSLConnectorFd
SSL_METHOD* ssl_method_;
};
void sslaccept(struct st_VioSSLAcceptorFd*, Vio*, long timeout);
int sslaccept(struct st_VioSSLAcceptorFd*, Vio*, long timeout);
int sslconnect(struct st_VioSSLConnectorFd*, Vio*, long timeout);
struct st_VioSSLConnectorFd
......@@ -231,7 +231,6 @@ struct st_vio
#ifdef HAVE_OPENSSL
SSL* ssl_;
my_bool open_;
#endif /* HAVE_OPENSSL */
#endif /* HAVE_VIO */
};
......
......@@ -49,7 +49,8 @@ const char *client_errors[]=
"Error on SHOW SLAVE STATUS:",
"Error on SHOW SLAVE HOSTS:",
"Error connecting to slave:",
"Error connecting to master:"
"Error connecting to master:",
"SSL connection error"
};
/* Start of code added by Roberto M. Serqueira - martinsc@uol.com.br - 05.24.2001 */
......@@ -82,7 +83,8 @@ const char *client_errors[]=
"Error on SHOW SLAVE STATUS:",
"Error on SHOW SLAVE HOSTS:",
"Error connecting to slave:",
"Error connecting to master:"
"Error connecting to master:",
"SSL connection error"
};
#else /* ENGLISH */
......@@ -113,7 +115,8 @@ const char *client_errors[]=
"Error on SHOW SLAVE STATUS:",
"Error on SHOW SLAVE HOSTS:",
"Error connecting to slave:",
"Error connecting to master:"
"Error connecting to master:",
"SSL connection error"
};
#endif
......
......@@ -1872,15 +1872,18 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user,
options->ssl_capath,
options->ssl_cipher)))
{
/* TODO: Change to SSL error */
net->last_errno= CR_SERVER_LOST;
net->last_errno= CR_SSL_CONNECTION_ERROR;
strmov(net->last_error,ER(net->last_errno));
goto error;
}
DBUG_PRINT("info", ("IO layer change in progress..."));
/* TODO: Add proper error checking here, with return error message */
sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd),
mysql->net.vio, (long) (mysql->options.connect_timeout));
if(sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd),
mysql->net.vio, (long) (mysql->options.connect_timeout)))
{
net->last_errno= CR_SSL_CONNECTION_ERROR;
strmov(net->last_error,ER(net->last_errno));
goto error;
}
DBUG_PRINT("info", ("IO layer change done!"));
}
#endif /* HAVE_OPENSSL */
......
......@@ -339,7 +339,7 @@ volatile ulong cached_thread_count=0;
my_string master_user = (char*) "test", master_password = 0, master_host=0,
master_info_file = (char*) "master.info",
relay_log_info_file = (char*) "relay-log.info",
master_ssl_key=0, master_ssl_cert=0;
master_ssl_key=0, master_ssl_cert=0, master_ssl_capath=0, master_ssl_cipher=0;
my_string report_user = 0, report_password = 0, report_host=0;
const char *localhost=LOCAL_HOST;
......@@ -2815,7 +2815,8 @@ enum options {
OPT_MASTER_INFO_FILE, OPT_MASTER_CONNECT_RETRY,
OPT_MASTER_RETRY_COUNT,
OPT_MASTER_SSL, OPT_MASTER_SSL_KEY,
OPT_MASTER_SSL_CERT,
OPT_MASTER_SSL_CERT, OPT_MASTER_SSL_CAPATH,
OPT_MASTER_SSL_CIPHER,
OPT_SQL_BIN_UPDATE_SAME, OPT_REPLICATE_DO_DB,
OPT_REPLICATE_IGNORE_DB, OPT_LOG_SLAVE_UPDATES,
OPT_BINLOG_DO_DB, OPT_BINLOG_IGNORE_DB,
......@@ -3124,6 +3125,14 @@ struct my_option my_long_options[] =
"Master SSL certificate file name. Only applies if you have enabled master-ssl.",
(gptr*) &master_ssl_cert, (gptr*) &master_ssl_cert, 0, GET_STR, OPT_ARG,
0, 0, 0, 0, 0, 0},
{"master-ssl-capath", OPT_MASTER_SSL_CAPATH,
"Master SSL CA path. Only applies if you have enabled master-ssl.",
(gptr*) &master_ssl_capath, (gptr*) &master_ssl_capath, 0, GET_STR, OPT_ARG,
0, 0, 0, 0, 0, 0},
{"master-ssl-cipher", OPT_MASTER_SSL_CIPHER,
"Master SSL cipher. Only applies if you have enabled master-ssl.",
(gptr*) &master_ssl_cipher, (gptr*) &master_ssl_capath, 0, GET_STR, OPT_ARG,
0, 0, 0, 0, 0, 0},
{"myisam-recover", OPT_MYISAM_RECOVER,
"Syntax: myisam-recover[=option[,option...]], where option can be DEFAULT, BACKUP or FORCE.",
(gptr*) &myisam_recover_options_str, (gptr*) &myisam_recover_options_str, 0,
......
......@@ -554,7 +554,13 @@ check_connections(THD *thd)
{
/* Do the SSL layering. */
DBUG_PRINT("info", ("IO layer change in progress..."));
sslaccept(ssl_acceptor_fd, net->vio, thd->variables.net_wait_timeout);
if (sslaccept(ssl_acceptor_fd, net->vio, thd->variables.net_wait_timeout))
{
DBUG_PRINT("error", ("Failed to read user information (pkt_len= %lu)",
pkt_len));
inc_host_errors(&thd->remote.sin_addr);
return(ER_HANDSHAKE_ERROR);
}
DBUG_PRINT("info", ("Reading user information over SSL layer"));
if ((pkt_len=my_net_read(net)) == packet_error ||
pkt_len < NORMAL_HANDSHAKE_SIZE)
......
......@@ -249,35 +249,48 @@ void vio_ssl_in_addr(Vio *vio, struct in_addr *in)
/*
TODO: Add documentation and error handling
TODO: Add documentation
*/
void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
{
char *str;
char buf[1024];
X509* client_cert;
my_bool unused;
my_bool net_blocking;
enum enum_vio_type old_type;
DBUG_ENTER("sslaccept");
DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr));
old_type= vio->type;
net_blocking = vio_is_blocking(vio);
vio_blocking(vio, 1, &unused); /* Must be called before reset */
vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
vio->ssl_=0;
vio->open_=FALSE;
if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
{
DBUG_PRINT("error", ("SSL_new failure"));
report_errors();
DBUG_VOID_RETURN;
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
}
DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout));
SSL_clear(vio->ssl_);
SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
SSL_set_fd(vio->ssl_,vio->sd);
SSL_set_accept_state(vio->ssl_);
SSL_do_handshake(vio->ssl_);
vio->open_ = TRUE;
if (SSL_do_handshake(vio->ssl_) < 1)
{
DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors();
SSL_free(vio->ssl_);
vio->ssl_=0;
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
}
#ifndef DBUF_OFF
DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
,SSL_get_cipher_name(vio->ssl_)));
......@@ -309,7 +322,7 @@ void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
}
#endif
DBUG_VOID_RETURN;
DBUG_RETURN(0);
}
......@@ -318,17 +331,22 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
char *str;
X509* server_cert;
my_bool unused;
my_bool net_blocking;
enum enum_vio_type old_type;
DBUG_ENTER("sslconnect");
DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_));
old_type= vio->type;
net_blocking = vio_is_blocking(vio);
vio_blocking(vio, 1, &unused); /* Must be called before reset */
vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
vio->ssl_=0;
vio->open_=FALSE;
if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
{
DBUG_PRINT("error", ("SSL_new failure"));
report_errors();
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
}
DBUG_PRINT("info", ("ssl_=%p timeout=%ld",vio->ssl_, timeout));
......@@ -336,8 +354,16 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
SSL_set_fd (vio->ssl_, vio->sd);
SSL_set_connect_state(vio->ssl_);
SSL_do_handshake(vio->ssl_);
vio->open_ = TRUE;
if (SSL_do_handshake(vio->ssl_) < 1)
{
DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors();
SSL_free(vio->ssl_);
vio->ssl_=0;
vio_reset(vio, old_type,vio->sd,0,FALSE);
vio_blocking(vio, net_blocking, &unused);
DBUG_RETURN(1);
}
#ifndef DBUG_OFF
DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
,SSL_get_cipher_name(vio->ssl_)));
......
......@@ -93,7 +93,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{
DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file));
/* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
fflush(stderr);
DBUG_RETURN(0);
}
if (key_file == NULL)
......@@ -103,7 +106,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{
DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file));
/* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:");
ERR_print_errors_fp(stderr);
fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
fflush(stderr);
DBUG_RETURN(0);
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment