3279 Georgi Kodinov 2011-07-22
Bug #11753167: 44559: SSL KEYS WITH PASSPHRASES
Implemented a default password reading callback for yaSSL
using mysql client's get_tty_password().
It does that by:
- Implementing an extended version of get_tty_password()
called get_tty_password_ext() that takes a strdup function
pointer.
- Added a header file to keep the definition of the new
function out of ABI
- Adds client/get_password.c to the yassl lib and uses the
C preprocessor to rename get_tty_password() and
get_tty_password_ext() to names prefixed
with yassl and internal to the yassl library. We need to keep
the two versions of get_tty_password_ext() to keep yassl
self sufficient (with no cross references to other libraries).
Since the password can't be read from a file, only a manual
test was performed and no automatic test case was added.
added:
include/mysql/get_password.h
modified:
client/get_password.c
extra/yassl/CMakeLists.txt
extra/yassl/src/yassl_int.cpp
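The callback contract the commit describes (read the passphrase through a reader that takes an allocator function pointer, then hand it to a PEM-style password callback that fills a caller-owned buffer) can be exercised without a tty. The block below is an added example written for this page; it is not code from the MySQL or yaSSL trees. The names prefixed `example_` are hypothetical, the tty is replaced by a constructed string passed in through the callback's `userdata` argument, and the allocator type mirrors the `strdup_handler_t` shape (a string plus an integer flag) without depending on mysys.

```c
/* Added example (not from the MySQL/yaSSL patch): a password reader with an
 * injected allocator, and a PEM-style password callback that copies the
 * result into a bounded buffer, handling truncation and empty input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for strdup_handler_t: copy `from` with whatever
 * allocator the caller wants. The int mirrors the my_strdup flag argument. */
typedef char *(*example_strdup_handler_t)(const char *from, int flags);

static char *example_plain_strdup(const char *from, int flags)
{
    size_t n;
    char *copy;
    (void)flags;                    /* flag is accepted and ignored here */
    if (!from)
        return NULL;
    n = strlen(from) + 1;
    copy = malloc(n);
    if (copy)
        memcpy(copy, from, n);
    return copy;
}

/* Reader with the same shape as get_tty_password_ext(), plus a constructed
 * `tty_input` string that stands in for what a user would type. The 80-byte
 * local mirrors the original's fixed buffer; it is wiped before returning so
 * the plaintext does not linger on the stack. */
static char *example_get_tty_password_ext(const char *opt_message,
                                          example_strdup_handler_t dup,
                                          const char *tty_input)
{
    char to[80];
    char *copy;
    (void)opt_message;              /* no prompt is printed in this example */
    if (!tty_input)
        return NULL;                /* "no input available" case */
    strncpy(to, tty_input, sizeof(to) - 1);
    to[sizeof(to) - 1] = '\0';
    copy = dup(to, 0);
    memset(to, 0, sizeof(to));      /* scrub the stack copy */
    return copy;
}

/* PEM password callback: copy at most size-1 bytes into `buffer`,
 * NUL-terminate, scrub and free the temporary, and return the number of
 * bytes actually placed in `buffer` (0 when there is no password). Here
 * `userdata` carries the constructed tty input. */
static int example_password_callback(char *buffer, int size_arg, int rwflag,
                                     void *userdata)
{
    char *passwd;
    size_t passwd_len, result_len = 0;
    size_t size = size_arg > 0 ? (size_t)size_arg : 0;
    (void)rwflag;

    passwd = example_get_tty_password_ext("Enter PEM pass phrase:",
                                          example_plain_strdup,
                                          (const char *)userdata);
    if (!passwd)
        return 0;
    passwd_len = strlen(passwd);
    if (passwd_len && size > 0) {
        result_len = passwd_len < size - 1 ? passwd_len : size - 1;
        memcpy(buffer, passwd, result_len);
        buffer[result_len] = '\0';
    }
    memset(passwd, 0, passwd_len);  /* scrub before releasing */
    free(passwd);
    return (int)result_len;
}

/* Helper: run the callback into a `bufsize`-byte buffer and check that the
 * buffer then holds `expected`. Returns the callback's result, or -1. */
static int example_check(const char *input, size_t bufsize, const char *expected)
{
    char buffer[64];
    int rc;
    if (bufsize > sizeof(buffer))
        return -1;
    memset(buffer, 0, sizeof(buffer));
    rc = example_password_callback(buffer, (int)bufsize, 0, (void *)input);
    if (rc < 0 || strcmp(buffer, expected) != 0)
        return -1;
    return rc;
}

int main(void)
{
    /* constructed inputs: a full copy, a truncated copy, and no password */
    printf("full:      %d\n", example_check("s3cret-passphrase", 64, "s3cret-passphrase"));
    printf("truncated: %d\n", example_check("s3cret-passphrase", 8, "s3cret-"));
    printf("empty:     %d\n", example_check("", 64, ""));
    return 0;
}
```

The one deliberate difference from the callback in the patch is the return value: this version reports the number of bytes it actually stored, so a caller handed a buffer too small for the passphrase is not told the password is longer than what the buffer holds.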
3278 Georgi Kodinov 2011-08-19
Bug #11747191: 31224: SUPPORT FOR SSL CERTIFICATE REVOCATION LISTS
Added support for --ssl-crl and --ssl-crlpath to all client and server binaries
that work with OpenSSL. You can specify none, one or both of the above.
--ssl-crl takes a file path for a PEM encoded Certificate revocation list.
The relevant file is parsed and loaded into the X509 store of the SSL
context.
--ssl-crlpath takes a directory path. This directory must contain PEM
encoded CRL (or other) files that are named by their hash value, e.g.
<hash_value>.r[0-9]
See OpenSSL's X509_STORE_load_locations() for more details of the above.
Note that if none of the --ssl-crl* options is specified no CRL checks
will be performed, even if the -capath contains certificate revocation lists.
Added Master_SSL_crl and Master_SSL_CRLPATH to CHANGE MASTER command.
Added new columns Ssl_crl and Ssl_crlpath to mysql.slave_master_info
system table.
Reengineered mysql_ssl_set() in the C API into a number of mysql_options calls
as follows (while keeping mysql_ssl_set()):
mysql_ssl_set(mysql, key, cert, ca, capath, cipher)
{
mysql_options(mysql, MYSQL_OPT_SSL_KEY, key)
mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert)
mysql_options(mysql, MYSQL_OPT_SSL_CA, ca)
mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath)
mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)
}
Added two new mysql_options that correspond to the command line calls:
MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH.
Made sure these play nicely with the ABI by using the extension.
Added tests and a set of cryptographic keys and crls to test the new
options.
Extended the mtr ssl check to find the new tests.
Made sure that on yaSSL these options are a no-op for the server.
added:
mysql-test/include/have_openssl.inc
mysql-test/r/openssl.require
mysql-test/r/ssl-crl-revoked-crl.result
mysql-test/r/ssl_crl.result
mysql-test/r/ssl_crl_clients-valid.result
mysql-test/r/ssl_crl_clients.result
mysql-test/r/ssl_crl_clients_valid.result
mysql-test/r/ssl_crl_clrpath.result
mysql-test/std_data/crl-ca-cert.pem
mysql-test/std_data/crl-client-cert.pem
mysql-test/std_data/crl-client-key.pem
mysql-test/std_data/crl-client-revoked.crl
mysql-test/std_data/crl-server-cert.pem
mysql-test/std_data/crl-server-key.pem
mysql-test/std_data/crldir/
mysql-test/std_data/crldir/fc725416.r0
mysql-test/t/ssl_crl-master.opt
mysql-test/t/ssl_crl.test
mysql-test/t/ssl_crl_clients-master.opt
mysql-test/t/ssl_crl_clients.test
mysql-test/t/ssl_crl_clients_valid-master.opt
mysql-test/t/ssl_crl_clients_valid.test
mysql-test/t/ssl_crl_clrpath-master.opt
mysql-test/t/ssl_crl_clrpath.test
modified:
client/client_priv.h
client/mysql.cc
client/mysqladmin.cc
client/mysqlcheck.c
client/mysqldump.c
client/mysqlimport.c
client/mysqlshow.c
client/mysqlslap.c
client/mysqltest.cc
include/mysql.h
include/mysql.h.pp
include/sql_common.h
include/sslopt-case.h
include/sslopt-longopts.h
include/sslopt-vars.h
include/violite.h
mysql-test/include/check-testcase.test
mysql-test/lib/mtr_cases.pm
mysql-test/r/variables.result
mysql-test/suite/funcs_1/r/is_columns_mysql.result
scripts/mysql_system_tables.sql
scripts/mysql_system_tables_fix.sql
sql-common/client.c
sql/lex.h
sql/mysqld.cc
sql/mysqld.h
sql/rpl_mi.cc
sql/rpl_mi.h
sql/rpl_slave.cc
sql/sql_lex.h
sql/sql_yacc.yy
sql/sys_vars.cc
vio/viosslfactories.c
=== modified file 'client/get_password.c'
--- a/client/get_password.c 2008-02-19 17:45:11 +0000
+++ b/client/get_password.c 2011-07-22 14:32:09 +0000
@@ -1,4 +1,4 @@
-/* Copyright (C) 2000 MySQL AB
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -11,7 +11,7 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
/*
** Ask for a password from tty
@@ -22,6 +22,7 @@
#include "mysql.h"
#include <m_string.h>
#include <m_ctype.h>
+#include <mysql/get_password.h>
#if defined(HAVE_BROKEN_GETPASS) && !defined(HAVE_GETPASSPHRASE)
#undef HAVE_GETPASS
@@ -63,12 +64,13 @@
/* were just going to fake it here and get input from
the keyboard */
-char *get_tty_password(const char *opt_message)
+char *get_tty_password_ext(const char *opt_message,
+ strdup_handler_t strdup_function)
{
char to[80];
char *pos=to,*end=to+sizeof(to)-1;
int i=0;
- DBUG_ENTER("get_tty_password");
+ DBUG_ENTER("get_tty_password_ext");
_cputs(opt_message ? opt_message : "Enter password: ");
for (;;)
{
@@ -94,7 +96,7 @@ char *get_tty_password(const char *opt_m
pos--; /* Allow dummy space at end */
*pos=0;
_cputs("\n");
- DBUG_RETURN(my_strdup(to,MYF(MY_FAE)));
+ DBUG_RETURN(strdup_function(to,MYF(MY_FAE)));
}
#else
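Review bot: the stack buffer `to` still holds the plaintext after `strdup_function(to,MYF(MY_FAE))` has made its copy; clear it (e.g. `memset(to, 0, sizeof(to))`) before `DBUG_RETURN` so the passphrase does not linger on the stack. A short comment would also help here, since the second argument handed to the handler is the mysys flag `MYF(MY_FAE)` while the header types that parameter as a plain `int`, so any replacement allocator has to accept and ignore it.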
@@ -149,7 +151,8 @@ static void get_password(char *to,uint l
#endif /* ! HAVE_GETPASS */
-char *get_tty_password(const char *opt_message)
+char *get_tty_password_ext(const char *opt_message,
+ strdup_handler_t strdup_function)
{
#ifdef HAVE_GETPASS
char *passbuff;
@@ -158,7 +161,7 @@ char *get_tty_password(const char *opt_m
#endif /* HAVE_GETPASS */
char buff[80];
- DBUG_ENTER("get_tty_password");
+ DBUG_ENTER("get_tty_password_ext");
#ifdef HAVE_GETPASS
passbuff = getpass(opt_message ? opt_message : "Enter password: ");
@@ -205,7 +208,12 @@ char *get_tty_password(const char *opt_m
fputc('\n',stderr);
#endif /* HAVE_GETPASS */
- DBUG_RETURN(my_strdup(buff,MYF(MY_FAE)));
+ DBUG_RETURN(strdup_function(buff,MYF(MY_FAE)));
}
#endif /*__WIN__*/
+
+char *get_tty_password(const char *opt_message)
+{
+ return get_tty_password_ext(opt_message, my_strdup);
+}
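Review bot: the non-Windows path has the same leftover: `buff` (and, in the `HAVE_GETPASS` branch, the static buffer `getpass()` returns) keeps the plaintext after `strdup_function(buff,MYF(MY_FAE))`; clear `buff` before `DBUG_RETURN`. The new `get_tty_password()` wrapper is right for the client, but because this file is now also compiled into yaSSL (see the CMake change) the wrapper carries a reference to `my_strdup` into the yaSSL object; consider compiling the wrapper out when the file is built for yaSSL, otherwise every consumer of yaSSL has to link mysys.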
=== modified file 'extra/yassl/CMakeLists.txt'
--- a/extra/yassl/CMakeLists.txt 2011-04-04 08:47:25 +0000
+++ b/extra/yassl/CMakeLists.txt 2011-07-22 14:32:09 +0000
@@ -21,9 +21,14 @@ INCLUDE_DIRECTORIES(
ADD_DEFINITIONS(${SSL_DEFINES})
+# rename get_tty_password to avoid collisions with the main binary
+ADD_DEFINITIONS(-Dget_tty_password_ext=yassl_mysql_get_tty_password_ext)
+ADD_DEFINITIONS(-Dget_tty_password=yassl_mysql_get_tty_password)
+
SET(YASSL_SOURCES src/buffer.cpp src/cert_wrapper.cpp src/crypto_wrapper.cpp src/handshake.cpp src/lock.cpp
src/log.cpp src/socket_wrapper.cpp src/ssl.cpp src/timer.cpp src/yassl_error.cpp
- src/yassl_imp.cpp src/yassl_int.cpp)
+ src/yassl_imp.cpp src/yassl_int.cpp
+ ../../client/get_password.c )
ADD_CONVENIENCE_LIBRARY(yassl ${YASSL_SOURCES})
RESTRICT_SYMBOL_EXPORTS(yassl)
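Review bot: `client/get_password.c` includes `mysql.h`, `m_string.h` and `m_ctype.h` and uses `my_strdup` and the DBUG macros, so adding it to `YASSL_SOURCES` makes the yassl convenience library depend on the mysys/strings headers and symbols, which is at odds with the "self sufficient" goal in the commit message; the include directories above must cover `include/`, and binaries that link yassl must also link mysys. The two `-D` renames are applied to every yassl translation unit, which is what makes `yassl_int.cpp` see the prefixed prototype from the header, so they must stay ahead of any `#include <mysql/get_password.h>`; a comment saying so would prevent a later reordering from breaking the link.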
=== modified file 'extra/yassl/src/yassl_int.cpp'
--- a/extra/yassl/src/yassl_int.cpp 2011-07-04 00:25:46 +0000
+++ b/extra/yassl/src/yassl_int.cpp 2011-07-22 14:32:09 +0000
@@ -68,6 +68,8 @@
#endif // YASSL_PURE_C
+/* for the definition of get_tty_password() */
+#include <mysql/get_password.h>
namespace yaSSL {
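Review bot: the comment says `get_tty_password()` but the header only declares `get_tty_password_ext()` (and, after the `-D` rename, the prototype this file actually sees is `yassl_mysql_get_tty_password_ext`); adjust the comment so it names the function that is really used.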
@@ -1799,8 +1801,46 @@ bool SSL_METHOD::multipleProtocol() cons
}
+/** Implement a my_strdup replacement, so we can reuse get_password() */
+extern "C" char *yassl_mysql_strdup(const char *from, int)
+{
+ return from ? strdup(from) : NULL;
+}
+
+
+static int
+default_password_callback(char * buffer, int size_arg, int rwflag,
+ void * callback_data __attribute__((unused)))
+{
+ char *passwd;
+ size_t passwd_len, size= (size_t) size_arg;
+
+ passwd= ::yassl_mysql_get_tty_password_ext("Enter PEM pass phrase:",
+ yassl_mysql_strdup);
+
+ if (!passwd)
+ return 0;
+
+ passwd_len= strlen(passwd);
+
+ if (!passwd_len)
+ return 0;
+
+ if (size > 0)
+ {
+ size_t result_len= size - 1 > passwd_len ?
+ passwd_len : size - 1;
+ memcpy(buffer, passwd, result_len);
+ buffer[result_len]= 0;
+ }
+ free(passwd);
+ return passwd_len;
+}
+
+
SSL_CTX::SSL_CTX(SSL_METHOD* meth)
- : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0),
+ : method_(meth), certificate_(0), privateKey_(0),
+ passwordCb_(default_password_callback),
userData_(0), sessionCacheOff_(false), sessionCacheFlushOff_(false),
verifyCallback_(0)
{}
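Review bot: `default_password_callback` returns `passwd_len` even when it copied only `size - 1` bytes, so on truncation the caller is told the password is longer than what `buffer` holds; return the copied length instead (`return (int) result_len;` after the copy, with the `size <= 0` case returning 0). The heap copy is also freed without being cleared; add `memset(passwd, 0, passwd_len);` before `free(passwd);`. Two smaller points: `__attribute__((unused))` needs a portable spelling if this file is built with a non-GCC compiler that does not get the MySQL compatibility macro, and installing a prompting callback as the default in every `SSL_CTX` means a server started without a controlling terminal will block or read an empty passphrase when handed an encrypted key, so either document that encrypted keys require an interactive start or keep `passwordCb_(0)` for the server context.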
=== added file 'include/mysql/get_password.h'
--- a/include/mysql/get_password.h 1970-01-01 00:00:00 +0000
+++ b/include/mysql/get_password.h 2011-07-22 14:32:09 +0000
@@ -0,0 +1,36 @@
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+/*
+** Ask for a password from tty
+** This is an own file to avoid conflicts with curses
+*/
+
+#ifndef MYSQL_GET_PASSWORD_H_INCLUDED
+#define MYSQL_GET_PASSWORD_H_INCLUDED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef char *(* strdup_handler_t)(const char *, int);
+char *get_tty_password_ext(const char *opt_message,
+ strdup_handler_t strdup_function);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ! MYSQL_GET_PASSWORD_H_INCLUDED */
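Review bot: `strdup_handler_t` declares the second parameter as `int`, while `get_tty_password()` in `get_password.c` passes `my_strdup`, whose second parameter is `myf`; the call compiles only because `myf` is currently an `int` typedef, so a comment recording that coupling (or using `myf` where `my_sys.h` is available) would stop a later typedef change from producing a silent mismatch. Also, the closing `#endif` comment reads `/* ! MYSQL_GET_PASSWORD_H_INCLUDED */`; drop the `!` so it matches the guard macro.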
No bundle (reason: useless for push emails).