#At file:///export/home/tmp/ss156133/z/45770-pe/ based on revid:epotemkin@stripped
3476 Staale Smedseng 2009-07-23 [merge]
Merge from 5.1
modified:
include/violite.h
sql/mysqld.cc
sql/sql_class.h
vio/viosslfactories.c
=== modified file 'include/violite.h'
--- a/include/violite.h 2009-05-22 17:09:16 +0000
+++ b/include/violite.h 2009-07-23 13:07:41 +0000
@@ -108,6 +108,15 @@ typedef my_socket YASSL_SOCKET_T;
#ifndef EMBEDDED_LIBRARY
+enum enum_ssl_init_error
+{
+ SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
+ SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
+ SSL_INITERR_MEMFAIL, SSL_INITERR_LASTERR
+};
+const char* sslGetErrString(enum enum_ssl_init_error err);
+
+
struct st_VioSSLFd
{
SSL_CTX *ssl_context;
@@ -123,7 +132,7 @@ struct st_VioSSLFd
struct st_VioSSLFd
*new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
const char *ca_file,const char *ca_path,
- const char *cipher);
+ const char *cipher, enum enum_ssl_init_error* error);
void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd);
#endif /* ! EMBEDDED_LIBRARY */
#endif /* HAVE_OPENSSL */
=== modified file 'sql/mysqld.cc'
--- a/sql/mysqld.cc 2009-07-16 12:51:04 +0000
+++ b/sql/mysqld.cc 2009-07-23 13:07:41 +0000
@@ -3869,14 +3869,17 @@ static void init_ssl()
#ifndef EMBEDDED_LIBRARY
if (opt_use_ssl)
{
+ enum enum_ssl_init_error error= SSL_INITERR_NOERROR;
+
/* having ssl_acceptor_fd != 0 signals the use of SSL */
ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
opt_ssl_ca, opt_ssl_capath,
- opt_ssl_cipher);
+ opt_ssl_cipher, &error);
DBUG_PRINT("info",("ssl_acceptor_fd: %p", ssl_acceptor_fd));
if (!ssl_acceptor_fd)
{
sql_print_warning("Failed to setup SSL");
+ sql_print_warning("SSL error: %s", sslGetErrString(error));
opt_use_ssl = 0;
have_ssl= SHOW_OPTION_DISABLED;
}
@@ -4584,7 +4587,6 @@ int main(int argc, char **argv)
select_thread=pthread_self();
select_thread_in_use=1;
- init_ssl();
#ifdef HAVE_LIBWRAP
libwrapName= my_progname+dirname_length(my_progname);
@@ -4630,6 +4632,7 @@ int main(int argc, char **argv)
if (init_server_components())
unireg_abort(1);
+ init_ssl();
network_init();
#ifdef __WIN__
=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h 2009-07-10 12:31:32 +0000
+++ b/sql/sql_class.h 2009-07-23 13:07:41 +0000
@@ -1379,6 +1379,10 @@ public:
Set it using the thd_proc_info(THD *thread, const char *message)
macro/function.
+
+ This member is accessed and assigned without any synchronization.
+ Therefore, it may point only to constant (statically
+ allocated) strings, which memory won't go away over time.
*/
#ifndef DBUG_OFF
#define THD_SET_PROC_INFO(thd, info) \
=== modified file 'vio/viosslfactories.c'
--- a/vio/viosslfactories.c 2008-05-14 14:12:04 +0000
+++ b/vio/viosslfactories.c 2009-07-23 13:07:41 +0000
@@ -73,9 +73,28 @@ report_errors()
DBUG_VOID_RETURN;
}
+static const char*
+ssl_error_string[] =
+{
+ "No error",
+ "Unable to get certificate",
+ "Unable to get private key",
+ "Private key does not match the certificate public key"
+ "SSL_CTX_set_default_verify_paths failed",
+ "Failed to set ciphers to use",
+ "SSL_CTX_new failed"
+};
+
+const char*
+sslGetErrString(enum enum_ssl_init_error e)
+{
+ DBUG_ASSERT(SSL_INITERR_NOERROR < e && e < SSL_INITERR_LASTERR);
+ return ssl_error_string[e];
+}
static int
-vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
+vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
+ enum enum_ssl_init_error* error)
{
DBUG_ENTER("vio_set_cert_stuff");
DBUG_PRINT("enter", ("ctx: %p cert_file: %s key_file: %s",
@@ -84,9 +103,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const c
{
if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
{
- DBUG_PRINT("error",("unable to get certificate from '%s'", cert_file));
+ *error= SSL_INITERR_CERT;
+ DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- fprintf(stderr, "SSL error: Unable to get certificate from '%s'\n",
+ fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
cert_file);
fflush(stderr);
DBUG_RETURN(1);
@@ -97,9 +117,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const c
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
{
- DBUG_PRINT("error", ("unable to get private key from '%s'", key_file));
+ *error= SSL_INITERR_KEY;
+ DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- fprintf(stderr, "SSL error: Unable to get private key from '%s'\n",
+ fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
key_file);
fflush(stderr);
DBUG_RETURN(1);
@@ -111,12 +132,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const c
*/
if (!SSL_CTX_check_private_key(ctx))
{
- DBUG_PRINT("error",
- ("Private key does not match the certificate public key"));
+ *error= SSL_INITERR_NOMATCH;
+ DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- fprintf(stderr,
- "SSL error: "
- "Private key does not match the certificate public key\n");
+ fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
fflush(stderr);
DBUG_RETURN(1);
}
@@ -230,7 +249,8 @@ static void check_ssl_init()
static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
- const char *cipher, SSL_METHOD *method)
+ const char *cipher, SSL_METHOD *method,
+ enum enum_ssl_init_error* error)
{
DH *dh;
struct st_VioSSLFd *ssl_fd;
@@ -252,7 +272,8 @@ new_VioSSLFd(const char *key_file, const
if (!(ssl_fd->ssl_context= SSL_CTX_new(method)))
{
- DBUG_PRINT("error", ("SSL_CTX_new failed"));
+ *error= SSL_INITERR_MEMFAIL;
+ DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
my_free((void*)ssl_fd,MYF(0));
DBUG_RETURN(0);
@@ -266,7 +287,8 @@ new_VioSSLFd(const char *key_file, const
if (cipher &&
SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher) == 0)
{
- DBUG_PRINT("error", ("failed to set ciphers to use"));
+ *error= SSL_INITERR_CIPHERS;
+ DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free((void*)ssl_fd,MYF(0));
@@ -279,7 +301,8 @@ new_VioSSLFd(const char *key_file, const
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{
- DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
+ *error= SSL_INITERR_BAD_PATHS;
+ DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free((void*)ssl_fd,MYF(0));
@@ -287,7 +310,7 @@ new_VioSSLFd(const char *key_file, const
}
}
- if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
+ if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
@@ -315,6 +338,7 @@ new_VioSSLConnectorFd(const char *key_fi
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER;
+ enum enum_ssl_init_error dummy;
/*
Turn off verification of servers certificate if both
@@ -324,7 +348,7 @@ new_VioSSLConnectorFd(const char *key_fi
verify= SSL_VERIFY_NONE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
- ca_path, cipher, TLSv1_client_method())))
+ ca_path, cipher, TLSv1_client_method(), &dummy)))
{
return 0;
}
@@ -345,12 +369,12 @@ new_VioSSLConnectorFd(const char *key_fi
struct st_VioSSLFd *
new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
- const char *cipher)
+ const char *cipher, enum enum_ssl_init_error* error)
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
- ca_path, cipher, TLSv1_server_method())))
+ ca_path, cipher, TLSv1_server_method(), error)))
{
return 0;
}
Attachment: [text/bzr-bundle] bzr/staale.smedseng@sun.com-20090723130741-omprvp0hi4ttyohx.bundle
| Thread |
|---|
| • bzr commit into mysql-5.4 branch (staale.smedseng:3476) | Staale Smedseng | 23 Jul |
