Fixed gnutls support

mariadb-corporation · Aug 13, 2015 · 23895fb · 23895fb
1 parent f2955a4
commit 23895fb
Show file tree

Hide file tree

Showing 17 changed files with 391 additions and 197 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -152,8 +152,7 @@ IF(WITH_SSL STREQUAL "OPENSSL")
   FIND_PACKAGE(OpenSSL)
   IF(OPENSSL_FOUND)
     ADD_DEFINITIONS(-DHAVE_OPENSSL -DHAVE_SSL)
-    ADD_DEFINITIONS(-DSSL_PLUGIN=cio_openssl_plugin)
-    SET(SSL_SOURCES "${CMAKE_SOURCE_DIR}/plugins/builtin/cio_openssl.c")
+    SET(SSL_SOURCES "${CMAKE_SOURCE_DIR}/libmariadb/secure/openssl.c")
     SET(SSL_LIBRARIES ${OPENSSL_LIBRARIES} ${OPENSSL_CRYPTO_LIBRARIES})
   ELSE()
     MESSAGE(FATAL "OpenSSL not found")
@@ -162,24 +161,23 @@ ENDIF()
 IF(WITH_SSL STREQUAL "GNUTLS")
   FIND_PACKAGE(GnuTLS)
   IF(GNUTLS_FOUND)
-    ADD_DEFINITIONS(-DSSL_PLUGIN=cio_gnutls_plugin)
     ADD_DEFINITIONS(-DHAVE_GNUTLS -DHAVE_SSL)
-    SET(SSL_SOURCES "${CMAKE_SOURCE_DIR}/plugins/builtin/cio_gnutls.c")
-    SET(SSL_LIBRARIES ${GNUTLS_LIBRARIES})
+    SET(SSL_SOURCES "${CMAKE_SOURCE_DIR}/libmariadb/secure/gnutls.c")
+    SET(SSL_LIBRARIES ${GNUTLS_LIBRARY})
   ELSE()
     MESSAGE(FATAL "GnuTLS not found")
   ENDIF()
 ENDIF()
 IF(WIN32)
   IF(WITH_SSL STREQUAL "SCHANNEL")
-    ADD_DEFINITIONS(-DSSL_PLUGIN=cio_schannel_plugin)
     MESSAGE(STATUS "SSL_TYPE ${SSL_TYPE}")
     ADD_DEFINITIONS(-DHAVE_SCHANNEL -DHAVE_SSL)
-    SET(SSL_SOURCES "${CMAKE_SOURCE_DIR}/plugins/builtin/cio_schannel.c" "${CMAKE_SOURCE_DIR}/plugins/builtin/ma_schannel.c")
+    SET(SSL_SOURCES "${CMAKE_SOURCE_DIR}/libmariadb/secure/schannel.c" "${CMAKE_SOURCE_DIR}/libmariadb/secure/ma_schannel.c")
     INCLUDE_DIRECTORIES("${CMAKE_SOURCE_DIR}/plugins/cio/")
   ENDIF()
 ENDIF()
 
+MARK_AS_ADVANCED(SSL_SOURCES)
 
 
 IF(WITH_SQLITE)
@@ -206,7 +204,7 @@ IF(WIN32)
 ELSE()
   SET(SYSTEM_LIBS ${LIBPTHREAD} ${LIBDL} ${LIBM} ${LIBICONV})
 ENDIF()
-IF(OPENSSL_FOUND)
+IF(WITH_SSL)
   SET(SYSTEM_LIBS ${SYSTEM_LIBS} ${SSL_LIBRARIES})
 ENDIF()
 
@@ -291,7 +289,7 @@ MESSAGE(STATUS "CPack generation: ${CPACK_GENERATOR}")
 IF(CLIENT_DOCS)
   MESSAGE(STATUS "Documentation included from ${CLIENT_DOCS}")
 ENDIF()
-MESSAGE(STATUS "SSL support: ${WITH_SSL} Sources: ${SSL_SOURCES}")
+MESSAGE(STATUS "SSL support: ${WITH_SSL} Libs: ${SSL_LIBRARIES}")
 MESSAGE(STATUS "Experimental Sqlite support: ${WITH_SQLITE}")
 IF(WITH_EXTERNAL_ZLIB)
   MESSAGE(STATUS "Zlib support: ${WITH_EXTERNAL_ZLIB}")

diff --git a/include/ma_ssl.h b/include/ma_ssl.h
@@ -1,10 +1,6 @@
 #ifndef _ma_ssl_h_
 #define _ma_ssl_h_
 
-struct st_ma_cio_ssl_methods;
-typedef struct st_ma_cio_ssl_methods CIO_SSL_METHODS;
-extern int ssl_default_plugin;
-
 enum enum_cio_ssl_type {
   SSL_TYPE_DEFAULT=0,
 #ifdef _WIN32
@@ -16,23 +12,117 @@ enum enum_cio_ssl_type {
 
 typedef struct st_ma_cio_ssl {
   void *data;
-  enum enum_cio_ssl_type type;
   MARIADB_CIO *cio;
-  CIO_SSL_METHODS *methods;
   void *ssl;
 } MARIADB_SSL;
 
-struct st_ma_cio_ssl_methods
-{
-  void *(*init)(MARIADB_SSL *cssl, MYSQL *mysql);
-  my_bool (*connect)(MARIADB_SSL *cssl);
-  size_t (*read)(MARIADB_SSL *cssl, const uchar* buffer, size_t length);
-  size_t (*write)(MARIADB_SSL *cssl, const uchar* buffer, size_t length);
-  my_bool (*close)(MARIADB_SSL *cssl);
-  int (*verify_server_cert)(MARIADB_SSL *ssl);
-  const char *(*cipher)(MARIADB_SSL *ssl);
-  my_bool (*check_fp)(MARIADB_SSL *cssl, const char *fp);
-};
+/* Function prototypes */
+
+/* ma_ssl_start
+   initializes the ssl library
+   Parameter:
+     errmsg      pointer to error message buffer
+     errmsg_len  length of error message buffer
+   Returns:
+     0           success
+     1           if an error occured
+   Notes:
+     On success the global variable ma_ssl_initialized will be set to 1
+*/
+int ma_ssl_start(char *errmsg, size_t errmsg_len);
+
+/* ma_ssl_end
+   unloads/deinitializes ssl library and unsets global variable
+   ma_ssl_initialized
+*/
+void ma_ssl_end(void);
+
+/* ma_ssl_init
+   creates a new SSL structure for a SSL connection and loads
+   client certificates
+
+   Parameters:
+     MYSQL        a mysql structure
+   Returns:
+     void *       a pointer to internal SSL structure
+*/
+void * ma_ssl_init(MYSQL *mysql);
+
+/* ma_ssl_connect
+   performs SSL handshake
+   Parameters:
+     MARIADB_SSL   MariaDB SSL container
+   Returns:
+     0             success
+     1             error
+*/
+my_bool ma_ssl_connect(MARIADB_SSL *cssl);
+
+/* ma_ssl_read
+   reads up to length bytes from socket
+   Parameters:
+     cssl         MariaDB SSL container
+     buffer       read buffer
+     length       buffer length
+   Returns:
+     0-n          bytes read
+     -1           if an error occured
+*/
+size_t ma_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length);
+
+/* ma_ssl_write
+   write buffer to socket
+   Parameters:
+     cssl         MariaDB SSL container
+     buffer       write buffer
+     length       buffer length
+   Returns:
+     0-n          bytes written
+     -1           if an error occured
+*/
+size_t ma_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length);
+
+/* ma_ssl_close
+   closes SSL connection and frees SSL structure which was previously
+   created by ma_ssl_init call
+   Parameters:
+     MARIADB_SSL  MariaDB SSL container
+   Returns:
+     0            success
+     1            error
+*/
+my_bool ma_ssl_close(MARIADB_SSL *cssl);
+
+/* ma_ssl_verify_server_cert
+   validation check of server certificate
+   Parameter:
+     MARIADB_SSL  MariaDB SSL container
+   Returns:
+     ß            success
+     1            error
+*/
+int ma_ssl_verify_server_cert(MARIADB_SSL *cssl);
+
+/* ma_ssl_get_cipher
+   returns cipher for current ssl connection
+   Parameter:
+     MARIADB_SSL  MariaDB SSL container
+   Returns: 
+     cipher in use or
+     NULL on error
+*/
+const char *ma_ssl_get_cipher(MARIADB_SSL *ssl);
+
+/* ma_ssl_get_finger_print
+   returns SHA1 finger print of server certificate
+   Parameter:
+     MARIADB_SSL  MariaDB SSL container
+     fp           buffer for fingerprint
+     fp_len       buffer length
+   Returns:
+     actual size of finger print
+*/
+unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int fp_len);
 
 /* Function prototypes */
 MARIADB_SSL *ma_cio_ssl_init(MYSQL *mysql);
@@ -42,6 +132,6 @@ size_t ma_cio_ssl_write(MARIADB_SSL *cssl, const uchar *buffer, size_t length);
 my_bool ma_cio_ssl_close(MARIADB_SSL *cssl);
 int ma_cio_ssl_verify_server_cert(MARIADB_SSL *cssl);
 const char *ma_cio_ssl_cipher(MARIADB_SSL *cssl);
-my_bool ma_cio_ssl_check_fp(MARIADB_SSL *cssl, const char *fp, size_t length);
+my_bool ma_cio_ssl_check_fp(MARIADB_SSL *cssl, const char *fp, const char *fp_list);
 
 #endif /* _ma_ssl_h_ */
diff --git a/libmariadb/CMakeLists.txt b/libmariadb/CMakeLists.txt
@@ -325,11 +325,10 @@ client_plugin.c
 ma_io.c
 ${CMAKE_SOURCE_DIR}/plugins/builtin/my_auth.c
 ${CMAKE_SOURCE_DIR}/plugins/builtin/cio_socket.c
+${SSL_SOURCES}
 )
 
-IF(SSL_SOURCES)
-  SET(LIBMARIADB_SOURCES ${LIBMARIADB_SOURCES} ${SSL_SOURCES})
-ENDIF()
+MESSAGE(STATUS "${LIBMARIADB_SOURCES}")
 
 IF(WIN32)
   INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/win-iconv)

diff --git a/libmariadb/client_plugin.c b/libmariadb/client_plugin.c
@@ -84,18 +84,12 @@ extern struct st_mysql_client_plugin old_password_client_plugin;
 extern struct st_mysql_client_plugin native_password_client_plugin;
 
 extern MARIADB_CIO_PLUGIN cio_socket_plugin;
-#ifdef HAVE_SSL
-extern MARIADB_CIO_PLUGIN SSL_PLUGIN;
-#endif
 
 struct st_mysql_client_plugin *mysql_client_builtins[]=
 {
   (struct st_mysql_client_plugin *)&old_password_client_plugin,
   (struct st_mysql_client_plugin *)&native_password_client_plugin,
   (struct st_mysql_client_plugin *)&cio_socket_plugin,
-#ifdef HAVE_SSL
-  (struct st_mysql_client_plugin *)&SSL_PLUGIN,
-#endif
   0
 };
 

diff --git a/libmariadb/libmariadb.c b/libmariadb/libmariadb.c
@@ -62,10 +62,10 @@
 #define INADDR_NONE -1
 #endif
 #include <sha1.h>
-#include <ma_cio.h>
 #ifndef _WIN32
 #include <poll.h>
 #endif
+#include <ma_cio.h>
 #include <ma_dyncol.h>
 
 #define ASYNC_CONTEXT_DEFAULT_STACK_SIZE (4096*15)

diff --git a/libmariadb/ma_cio.c b/libmariadb/ma_cio.c
@@ -116,7 +116,7 @@ MARIADB_CIO *ma_cio_init(MA_CIO_CINFO *cinfo)
     cio->methods->set_timeout(cio, CIO_WRITE_TIMEOUT, cinfo->mysql->options.write_timeout);
   }
 
-  if (!(cio->cache= my_malloc(CIO_READ_AHEAD_CACHE_SIZE, MYF(MY_WME))))
+  if (!(cio->cache= my_malloc(CIO_READ_AHEAD_CACHE_SIZE, MYF(MY_ZEROFILL))))
   {
     CIO_SET_ERROR(cinfo->mysql, CR_OUT_OF_MEMORY, unknown_sqlstate, 0);
     return NULL;
@@ -405,7 +405,9 @@ my_bool ma_cio_start_ssl(MARIADB_CIO *cio)
     return 1;
   CLEAR_CLIENT_ERROR(cio->mysql);
   if (!(cio->cssl= ma_cio_ssl_init(cio->mysql)))
+  {
     return 1;
+  }
   if (ma_cio_ssl_connect(cio->cssl))
   {
     my_free((gptr)cio->cssl);
@@ -417,6 +419,16 @@ my_bool ma_cio_start_ssl(MARIADB_CIO *cio)
          ma_cio_ssl_verify_server_cert(cio->cssl))
     return 1;
 
+  if (cio->mysql->options.extension &&
+      (cio->mysql->options.extension->ssl_fp || cio->mysql->options.extension->ssl_fp_list))
+  {
+
+    if (ma_cio_ssl_check_fp(cio->cssl, 
+          cio->mysql->options.extension->ssl_fp,
+          cio->mysql->options.extension->ssl_fp_list))
+      return 1;
+  }
+
   return 0;
 }
 /* }}} */