From:Georgi Kodinov Date:August 19 2011 1:35pm
Subject:bzr push into mysql-trunk branch (Georgi.Kodinov:3278 to 3279) Bug#11753167
 3279 Georgi Kodinov	2011-07-22
      Bug #11753167: 44559: SSL KEYS WITH PASSPHRASES
      
      Implemented a default password reading callback for yaSSL
      using mysql client's get_tty_password().
      It does that by:
      - Implementing an extended version of get_tty_password()
      called get_tty_password_ext() that takes a strdup function 
      pointer.
      - Added a header file to keep the definition of the new 
      function out of ABI
      - Adds client/get_password.c to the yassl lib and uses the 
      C preprocessor to rename get_tty_password() and 
      get_tty_password_ext() to names prefixed
      with yassl and internal to the yassl library. We need to keep
      the two versions of get_tty_password_ext() to keep yassl
      self sufficient (with no cross references to other libraries).
      
      Since the password can't be read from a file, only a manual
      test was performed and no automatic test case was added.

    added:
      include/mysql/get_password.h
    modified:
      client/get_password.c
      extra/yassl/CMakeLists.txt
      extra/yassl/src/yassl_int.cpp
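The commit above wires a default PEM password callback into yaSSL and feeds it from the client's tty prompt. As an added illustration (not code from this patch or from MySQL/yaSSL), the block below shows the contract such a callback has to honour: the library passes (buffer, buffer size, rwflag, user data) and trusts the return value as the number of bytes it may read from the buffer, so the callback must truncate to size-1 bytes, NUL-terminate, return the count actually stored, and scrub its temporary copy before freeing it. The password source is pluggable so the example runs without a terminal; every name here (password_source_t, struct password_source, fixed_password_source, demo_password_callback, demo_fill) is made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not MySQL/yaSSL code.  A PEM password callback with the
 * shape yaSSL and OpenSSL expect: (buffer, size, rwflag, user data) -> number
 * of bytes stored.  Instead of reading the tty it pulls the pass phrase from
 * a pluggable source so the whole thing runs offline. */

/* A password source returns a heap-allocated copy of the pass phrase, or
 * NULL when none is available.  The prompt mirrors get_tty_password_ext(). */
typedef char *(*password_source_t)(const char *prompt, void *source_data);

struct password_source
{
  password_source_t read;   /* where the pass phrase comes from */
  void *read_data;          /* passed through to read() */
};

/* Portable strdup replacement (strdup is POSIX, not ISO C). */
static char *dup_string(const char *s)
{
  size_t n = strlen(s) + 1;
  char *copy = (char *) malloc(n);
  if (copy)
    memcpy(copy, s, n);
  return copy;
}

/* Zero a buffer through a volatile pointer so the compiler cannot discard
 * the stores as dead writes right before free(). */
static void secure_wipe(void *p, size_t n)
{
  volatile unsigned char *vp = (volatile unsigned char *) p;
  while (n--)
    *vp++ = 0;
}

/* Constructed, non-interactive source: the secret is the source data itself.
 * A real source would prompt the user the way get_tty_password() does. */
static char *fixed_password_source(const char *prompt, void *source_data)
{
  const char *secret = (const char *) source_data;
  (void) prompt;
  return secret ? dup_string(secret) : NULL;
}

/* The callback: copies at most size_arg-1 bytes, NUL-terminates, scrubs and
 * frees the temporary, and returns the number of bytes actually stored
 * (0 on any failure).  Returning the stored count rather than the original
 * pass phrase length matters: the caller reads exactly that many bytes. */
int demo_password_callback(char *buffer, int size_arg, int rwflag,
                           void *callback_data)
{
  struct password_source *src = (struct password_source *) callback_data;
  char *passwd;
  size_t passwd_len, stored;

  (void) rwflag;   /* 0 = decrypting a key; this demo never encrypts */

  if (!src || !src->read || !buffer || size_arg <= 1)
    return 0;

  passwd = src->read("Enter PEM pass phrase:", src->read_data);
  if (!passwd)
    return 0;

  passwd_len = strlen(passwd);
  stored = passwd_len < (size_t) size_arg - 1 ? passwd_len
                                              : (size_t) size_arg - 1;
  memcpy(buffer, passwd, stored);
  buffer[stored] = '\0';

  secure_wipe(passwd, passwd_len);   /* don't leave the secret in freed heap */
  free(passwd);
  return (int) stored;
}

/* Helper: run the callback against a constructed secret and output buffer. */
int demo_fill(const char *secret, char *out, int out_size)
{
  struct password_source src;
  src.read = fixed_password_source;
  src.read_data = (void *) secret;
  return demo_password_callback(out, out_size, 0, &src);
}

int main(void)
{
  char buf[80];
  int n = demo_fill("correct horse battery staple", buf, (int) sizeof buf);
  printf("stored %d bytes: \"%s\"\n", n, buf);
  secure_wipe(buf, sizeof buf);
  return 0;
}
```

The `size_arg <= 1` guard and the truncation arithmetic are the two places a callback like this typically goes wrong; with an 80-byte buffer on the library side, a return value larger than what was copied would make the library consume uninitialised bytes of its own buffer as part of the pass phrase.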
 3278 Georgi Kodinov	2011-08-19
      Bug #11747191: 31224: SUPPORT FOR SSL CERTIFICATE REVOCATION LISTS

      Added support for --ssl-crl and --ssl-crlpath to all client and server binaries
      that work with OpenSSL.   You can specify none, one or both of the above.

      --ssl-crl takes a file path for a PEM encoded certificate revocation list.
      The relevant file is parsed and loaded into the X509 store of the SSL
      context.

      --ssl-crlpath takes a directory path. This directory must contain PEM
      encoded CRL (or other) files that are named by their hash value, e.g.
      <hash_value>.r[0-9]

      See OpenSSL's X509_STORE_load_locations() for more details of the above.
      Note that if none of the --ssl-crl* options is specified no CRL checks
      will be performed, even if the --ssl-capath contains certificate revocation lists.

      Added Master_SSL_crl and Master_SSL_CRLPATH to the CHANGE MASTER command.
      Added new columns Ssl_crl and Ssl_crlpath to the mysql.slave_master_info
      system table.
      Reengineered mysql_ssl_set() in the C API into a number of mysql_options calls
      as follows (while keeping mysql_ssl_set()):
             
      mysql_ssl_set(mysql, key, cert, ca, capath, cipher) 
      { 
        mysql_options(mysql, MYSQL_OPT_SSL_KEY,    key) 
        mysql_options(mysql, MYSQL_OPT_SSL_CERT,   cert) 
        mysql_options(mysql, MYSQL_OPT_SSL_CA,     ca) 
        mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) 
        mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) 
      } 
             
      Added two new mysql_options that correspond to the command line options:

      MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH.
      
      Made sure these play nicely with the ABI by using the extension. 
             
      Added tests and a set of cryptographic keys and crls to test the new 
      options. 
      
      Extended the mtr ssl check to find the new tests.
      Made sure that on yaSSL these options are a no-op for the server.

    added:
      mysql-test/include/have_openssl.inc
      mysql-test/r/openssl.require
      mysql-test/r/ssl-crl-revoked-crl.result
      mysql-test/r/ssl_crl.result
      mysql-test/r/ssl_crl_clients-valid.result
      mysql-test/r/ssl_crl_clients.result
      mysql-test/r/ssl_crl_clients_valid.result
      mysql-test/r/ssl_crl_clrpath.result
      mysql-test/std_data/crl-ca-cert.pem
      mysql-test/std_data/crl-client-cert.pem
      mysql-test/std_data/crl-client-key.pem
      mysql-test/std_data/crl-client-revoked.crl
      mysql-test/std_data/crl-server-cert.pem
      mysql-test/std_data/crl-server-key.pem
      mysql-test/std_data/crldir/
      mysql-test/std_data/crldir/fc725416.r0
      mysql-test/t/ssl_crl-master.opt
      mysql-test/t/ssl_crl.test
      mysql-test/t/ssl_crl_clients-master.opt
      mysql-test/t/ssl_crl_clients.test
      mysql-test/t/ssl_crl_clients_valid-master.opt
      mysql-test/t/ssl_crl_clients_valid.test
      mysql-test/t/ssl_crl_clrpath-master.opt
      mysql-test/t/ssl_crl_clrpath.test
    modified:
      client/client_priv.h
      client/mysql.cc
      client/mysqladmin.cc
      client/mysqlcheck.c
      client/mysqldump.c
      client/mysqlimport.c
      client/mysqlshow.c
      client/mysqlslap.c
      client/mysqltest.cc
      include/mysql.h
      include/mysql.h.pp
      include/sql_common.h
      include/sslopt-case.h
      include/sslopt-longopts.h
      include/sslopt-vars.h
      include/violite.h
      mysql-test/include/check-testcase.test
      mysql-test/lib/mtr_cases.pm
      mysql-test/r/variables.result
      mysql-test/suite/funcs_1/r/is_columns_mysql.result
      scripts/mysql_system_tables.sql
      scripts/mysql_system_tables_fix.sql
      sql-common/client.c
      sql/lex.h
      sql/mysqld.cc
      sql/mysqld.h
      sql/rpl_mi.cc
      sql/rpl_mi.h
      sql/rpl_slave.cc
      sql/sql_lex.h
      sql/sql_yacc.yy
      sql/sys_vars.cc
      vio/viosslfactories.c
=== modified file 'client/get_password.c'
--- a/client/get_password.c	2008-02-19 17:45:11 +0000
+++ b/client/get_password.c	2011-07-22 14:32:09 +0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 2000 MySQL AB
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -11,7 +11,7 @@
 
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
-   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
 
 /*
 ** Ask for a password from tty
@@ -22,6 +22,7 @@
 #include "mysql.h"
 #include <m_string.h>
 #include <m_ctype.h>
+#include <mysql/get_password.h>
 
 #if defined(HAVE_BROKEN_GETPASS) && !defined(HAVE_GETPASSPHRASE)
 #undef HAVE_GETPASS
@@ -63,12 +64,13 @@
 /* were just going to fake it here and get input from
    the keyboard */
 
-char *get_tty_password(const char *opt_message)
+char *get_tty_password_ext(const char *opt_message,
+                           strdup_handler_t strdup_function)
 {
   char to[80];
   char *pos=to,*end=to+sizeof(to)-1;
   int i=0;
-  DBUG_ENTER("get_tty_password");
+  DBUG_ENTER("get_tty_password_ext");
   _cputs(opt_message ? opt_message : "Enter password: ");
   for (;;)
   {
@@ -94,7 +96,7 @@ char *get_tty_password(const char *opt_m
     pos--;					/* Allow dummy space at end */
   *pos=0;
   _cputs("\n");
-  DBUG_RETURN(my_strdup(to,MYF(MY_FAE)));
+  DBUG_RETURN(strdup_function(to,MYF(MY_FAE)));
 }
 
 #else
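Review bot: after `strdup_function(to, ...)` returns, the pass phrase is still sitting in the stack array `to[80]` when the function exits, and the same holds for `buff[80]` in the non-Windows variant below; since this path now feeds private-key pass phrases into yaSSL, consider clearing the local buffer (via a volatile-safe memset) before `DBUG_RETURN` so the secret does not linger in reusable stack memory. Independently of that, the caller now owns the returned copy and should wipe it before releasing it.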
@@ -149,7 +151,8 @@ static void get_password(char *to,uint l
 #endif /* ! HAVE_GETPASS */
 
 
-char *get_tty_password(const char *opt_message)
+char *get_tty_password_ext(const char *opt_message,
+                           strdup_handler_t strdup_function)
 {
 #ifdef HAVE_GETPASS
   char *passbuff;
@@ -158,7 +161,7 @@ char *get_tty_password(const char *opt_m
 #endif /* HAVE_GETPASS */
   char buff[80];
 
-  DBUG_ENTER("get_tty_password");
+  DBUG_ENTER("get_tty_password_ext");
 
 #ifdef HAVE_GETPASS
   passbuff = getpass(opt_message ? opt_message : "Enter password: ");
@@ -205,7 +208,12 @@ char *get_tty_password(const char *opt_m
     fputc('\n',stderr);
 #endif /* HAVE_GETPASS */
 
-  DBUG_RETURN(my_strdup(buff,MYF(MY_FAE)));
+  DBUG_RETURN(strdup_function(buff,MYF(MY_FAE)));
 }
 
 #endif /*__WIN__*/
+
+char *get_tty_password(const char *opt_message)
+{
+  return get_tty_password_ext(opt_message, my_strdup);
+}
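Review bot: `get_tty_password_ext(opt_message, my_strdup)` hands `my_strdup` to a parameter of type `strdup_handler_t`, which the new header declares as `char *(*)(const char *, int)`, while `my_strdup`'s flags argument is of type `myf`; on any build where `myf` is not plain `int` this is an incompatible-pointer-type conversion (a warning in C, an error if this file is ever compiled as C++). Either declare the handler's second parameter with the same type `my_strdup` uses, or route through a small adaptor with exactly the typedef's signature, as the yaSSL side does with `yassl_mysql_strdup`.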

=== modified file 'extra/yassl/CMakeLists.txt'
--- a/extra/yassl/CMakeLists.txt	2011-04-04 08:47:25 +0000
+++ b/extra/yassl/CMakeLists.txt	2011-07-22 14:32:09 +0000
@@ -21,9 +21,14 @@ INCLUDE_DIRECTORIES(
 
 ADD_DEFINITIONS(${SSL_DEFINES})
 
+# rename get_tty_password to avoid collisions with the main binary
+ADD_DEFINITIONS(-Dget_tty_password_ext=yassl_mysql_get_tty_password_ext)
+ADD_DEFINITIONS(-Dget_tty_password=yassl_mysql_get_tty_password)
+
 SET(YASSL_SOURCES  src/buffer.cpp src/cert_wrapper.cpp src/crypto_wrapper.cpp src/handshake.cpp src/lock.cpp 
 				src/log.cpp src/socket_wrapper.cpp src/ssl.cpp src/timer.cpp src/yassl_error.cpp 
-				src/yassl_imp.cpp src/yassl_int.cpp)
+				src/yassl_imp.cpp src/yassl_int.cpp
+                                ../../client/get_password.c )
 
 ADD_CONVENIENCE_LIBRARY(yassl ${YASSL_SOURCES})
 RESTRICT_SYMBOL_EXPORTS(yassl)
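Review bot: compiling `../../client/get_password.c` into the yassl library also compiles its references to `my_strdup` (from the `get_tty_password()` wrapper) and to `DBUG_ENTER`/`DBUG_RETURN`, which are mysys/dbug symbols, so the stated goal of keeping yaSSL free of cross-references to other libraries only holds if those resolve without linking mysys. A comment here explaining how that is satisfied would help, or the wrapper could be compiled out when the file is built for yassl so that only the renamed `yassl_mysql_get_tty_password_ext` remains. Also note that the `-D` renames apply to every translation unit in this target, which is what keeps the prototype in `mysql/get_password.h` and the definition in `get_password.c` consistent; that dependency is worth stating in the comment.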

=== modified file 'extra/yassl/src/yassl_int.cpp'
--- a/extra/yassl/src/yassl_int.cpp	2011-07-04 00:25:46 +0000
+++ b/extra/yassl/src/yassl_int.cpp	2011-07-22 14:32:09 +0000
@@ -68,6 +68,8 @@
 
 #endif // YASSL_PURE_C
 
+/* for the definition of get_tty_password() */
+#include <mysql/get_password.h>
 
 namespace yaSSL {
 
@@ -1799,8 +1801,46 @@ bool SSL_METHOD::multipleProtocol() cons
 }
 
 
+/** Implement a my_strdup replacement, so we can reuse get_password() */
+extern "C" char *yassl_mysql_strdup(const char *from, int)
+{
+  return from ? strdup(from) : NULL;
+}
+
+
+static int
+default_password_callback(char * buffer, int size_arg, int rwflag,
+                          void * callback_data __attribute__((unused)))
+{
+  char *passwd;
+  size_t passwd_len, size= (size_t) size_arg;
+
+  passwd= ::yassl_mysql_get_tty_password_ext("Enter PEM pass phrase:", 
+                                             yassl_mysql_strdup);
+
+  if (!passwd)
+    return 0;
+
+  passwd_len= strlen(passwd);
+
+  if (!passwd_len)
+    return 0;
+
+  if (size > 0)
+  {
+    size_t result_len= size - 1 > passwd_len ? 
+      passwd_len : size - 1;
+    memcpy(buffer, passwd, result_len);
+    buffer[result_len]= 0;
+  }
+  free(passwd);
+  return passwd_len;
+}
+
+
 SSL_CTX::SSL_CTX(SSL_METHOD* meth) 
-    : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0),
+    : method_(meth), certificate_(0), privateKey_(0), 
+      passwordCb_(default_password_callback),
       userData_(0), sessionCacheOff_(false), sessionCacheFlushOff_(false),
       verifyCallback_(0)
 {}
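Review bot: `default_password_callback` returns `passwd_len` (the full length of the pass phrase) even though at most `size - 1` bytes were copied into `buffer`, and when `size <= 0` it returns a non-zero length without writing anything; the PEM callback contract is to return the number of bytes actually stored, so the caller will otherwise read past what was copied. Initialise `result_len` to 0 outside the `if`, return `(int) result_len`, and wipe `passwd` before `free(passwd)` since it holds the private-key pass phrase. Minor: `__attribute__((unused))` is a GCC extension, so check that this file sees the `__attribute__` compatibility macro on non-GCC compilers.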

=== added file 'include/mysql/get_password.h'
--- a/include/mysql/get_password.h	1970-01-01 00:00:00 +0000
+++ b/include/mysql/get_password.h	2011-07-22 14:32:09 +0000
@@ -0,0 +1,36 @@
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+/*
+** Ask for a password from tty
+** This is an own file to avoid conflicts with curses
+*/
+
+#ifndef MYSQL_GET_PASSWORD_H_INCLUDED
+#define MYSQL_GET_PASSWORD_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef char *(* strdup_handler_t)(const char *, int);
+char *get_tty_password_ext(const char *opt_message,
+                           strdup_handler_t strdup_function);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ! MYSQL_GET_PASSWORD_H_INCLUDED */
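Review bot: the header should document the ownership of the returned string, namely that it is allocated by `strdup_function` and must be released (and, given its contents, cleared) with the matching deallocator, since callers supplying `yassl_mysql_strdup` and callers supplying `my_strdup` need different `free` calls. Style: the closing comment `/* ! MYSQL_GET_PASSWORD_H_INCLUDED */` has a stray `!`; `/* MYSQL_GET_PASSWORD_H_INCLUDED */` is the usual form.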
