database/mariadb-connector-c
1
0
Fork 0
mirror of https://github.com/mariadb-corporation/mariadb-connector-c.git synced 2025-08-07 02:42:49 +03:00
Code Activity

Since we use TLS and not SSL functions and structures were renamed

Browse Source 
from SSL to TLS
This commit is contained in:
Georg Richter
2016-03-16 18:20:08 +01:00
parent f68b89bc46
commit 4b1e94bccc
18 changed files with 329 additions and 1182 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
include/ma_common.h
View File

@@ -49,13 +49,14 @@ struct st_mysql_options_extension {
const char *proc_info, const char *proc_info,
unsigned int proc_info_length); unsigned int proc_info_length);
MARIADB_DB_DRIVER *db_driver; MARIADB_DB_DRIVER *db_driver;
char *ssl_fp; /* finger print of server certificate */ char *tls_fp; /* finger print of server certificate */
char *ssl_fp_list; /* white list of finger prints */ char *tls_fp_list; /* white list of finger prints */
char *ssl_pw; /* password for encrypted certificates */ char *tls_pw; /* password for encrypted certificates */
my_bool multi_command; /* indicates if client wants to send multiple my_bool multi_command; /* indicates if client wants to send multiple
commands in one packet */ commands in one packet */
char *url; /* for connection handler we need to save URL for reconnect */ char *url; /* for connection handler we need to save URL for reconnect */
unsigned int ssl_cipher_strength; unsigned int tls_cipher_strength;
char *tls_version;
my_bool read_only; my_bool read_only;
char *connection_handler; char *connection_handler;
my_bool (*set_option)(MYSQL *mysql, const char *config_option, const char *config_value); my_bool (*set_option)(MYSQL *mysql, const char *config_option, const char *config_value);

6
include/ma_pvio.h
View File

@@ -3,9 +3,9 @@
#define cio_defined #define cio_defined
#ifdef HAVE_SSL #ifdef HAVE_SSL
#include <ma_ssl.h> #include <ma_tls.h>
#else #else
#define MARIADB_SSL void #define MARIADB_TLS void
#endif #endif
#define PVIO_SET_ERROR if (pvio->set_error) \ #define PVIO_SET_ERROR if (pvio->set_error) \
@@ -78,7 +78,7 @@ struct st_ma_pvio {
enum enum_pvio_type type; enum enum_pvio_type type;
int timeout[3]; int timeout[3];
int ssl_type; /* todo: change to enum (ssl plugins) */ int ssl_type; /* todo: change to enum (ssl plugins) */
MARIADB_SSL *cssl; MARIADB_TLS *ctls;
MYSQL *mysql; MYSQL *mysql;
struct mysql_async_context *async_context; /* For non-blocking API */ struct mysql_async_context *async_context; /* For non-blocking API */
PVIO_METHODS *methods; PVIO_METHODS *methods;

98
include/ma_ssl.h → include/ma_tls.h
View File

@@ -1,7 +1,7 @@
#ifndef _ma_ssl_h_ #ifndef _ma_tls_h_
#define _ma_ssl_h_ #define _ma_tls_h_
enum enum_pvio_ssl_type { enum enum_pvio_tls_type {
SSL_TYPE_DEFAULT=0, SSL_TYPE_DEFAULT=0,
#ifdef _WIN32 #ifdef _WIN32
SSL_TYPE_SCHANNEL, SSL_TYPE_SCHANNEL,
@@ -10,11 +10,11 @@ enum enum_pvio_ssl_type {
SSL_TYPE_GNUTLS SSL_TYPE_GNUTLS
}; };
typedef struct st_ma_pvio_ssl { typedef struct st_ma_pvio_tls {
void *data; void *data;
MARIADB_PVIO *pvio; MARIADB_PVIO *pvio;
void *ssl; void *ssl;
} MARIADB_SSL; } MARIADB_TLS;
struct st_ssl_version { struct st_ssl_version {
unsigned int iversion; unsigned int iversion;
@@ -23,7 +23,7 @@ struct st_ssl_version {
/* Function prototypes */ /* Function prototypes */
/* ma_ssl_start /* ma_tls_start
initializes the ssl library initializes the ssl library
Parameter: Parameter:
errmsg pointer to error message buffer errmsg pointer to error message buffer
@@ -32,17 +32,17 @@ struct st_ssl_version {
0 success 0 success
1 if an error occured 1 if an error occured
Notes: Notes:
On success the global variable ma_ssl_initialized will be set to 1 On success the global variable ma_tls_initialized will be set to 1
*/ */
int ma_ssl_start(char *errmsg, size_t errmsg_len); int ma_tls_start(char *errmsg, size_t errmsg_len);
/* ma_ssl_end /* ma_tls_end
unloads/deinitializes ssl library and unsets global variable unloads/deinitializes ssl library and unsets global variable
ma_ssl_initialized ma_tls_initialized
*/ */
void ma_ssl_end(void); void ma_tls_end(void);
/* ma_ssl_init /* ma_tls_init
creates a new SSL structure for a SSL connection and loads creates a new SSL structure for a SSL connection and loads
client certificates client certificates
@@ -51,106 +51,106 @@ void ma_ssl_end(void);
Returns: Returns:
void * a pointer to internal SSL structure void * a pointer to internal SSL structure
*/ */
void * ma_ssl_init(MYSQL *mysql); void * ma_tls_init(MYSQL *mysql);
/* ma_ssl_connect /* ma_tls_connect
performs SSL handshake performs SSL handshake
Parameters: Parameters:
MARIADB_SSL MariaDB SSL container MARIADB_TLS MariaDB SSL container
Returns: Returns:
0 success 0 success
1 error 1 error
*/ */
my_bool ma_ssl_connect(MARIADB_SSL *cssl); my_bool ma_tls_connect(MARIADB_TLS *ctls);
/* ma_ssl_read /* ma_tls_read
reads up to length bytes from socket reads up to length bytes from socket
Parameters: Parameters:
cssl MariaDB SSL container ctls MariaDB SSL container
buffer read buffer buffer read buffer
length buffer length length buffer length
Returns: Returns:
0-n bytes read 0-n bytes read
-1 if an error occured -1 if an error occured
*/ */
size_t ma_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length); size_t ma_tls_read(MARIADB_TLS *ctls, const uchar* buffer, size_t length);
/* ma_ssl_write /* ma_tls_write
write buffer to socket write buffer to socket
Parameters: Parameters:
cssl MariaDB SSL container ctls MariaDB SSL container
buffer write buffer buffer write buffer
length buffer length length buffer length
Returns: Returns:
0-n bytes written 0-n bytes written
-1 if an error occured -1 if an error occured
*/ */
size_t ma_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length); size_t ma_tls_write(MARIADB_TLS *ctls, const uchar* buffer, size_t length);
/* ma_ssl_close /* ma_tls_close
closes SSL connection and frees SSL structure which was previously closes SSL connection and frees SSL structure which was previously
created by ma_ssl_init call created by ma_tls_init call
Parameters: Parameters:
MARIADB_SSL MariaDB SSL container MARIADB_TLS MariaDB SSL container
Returns: Returns:
0 success 0 success
1 error 1 error
*/ */
my_bool ma_ssl_close(MARIADB_SSL *cssl); my_bool ma_tls_close(MARIADB_TLS *ctls);
/* ma_ssl_verify_server_cert /* ma_tls_verify_server_cert
validation check of server certificate validation check of server certificate
Parameter: Parameter:
MARIADB_SSL MariaDB SSL container MARIADB_TLS MariaDB SSL container
Returns: Returns:
ß success ß success
1 error 1 error
*/ */
int ma_ssl_verify_server_cert(MARIADB_SSL *cssl); int ma_tls_verify_server_cert(MARIADB_TLS *ctls);
/* ma_ssl_get_cipher /* ma_tls_get_cipher
returns cipher for current ssl connection returns cipher for current ssl connection
Parameter: Parameter:
MARIADB_SSL MariaDB SSL container MARIADB_TLS MariaDB SSL container
Returns: Returns:
cipher in use or cipher in use or
NULL on error NULL on error
*/ */
const char *ma_ssl_get_cipher(MARIADB_SSL *ssl); const char *ma_tls_get_cipher(MARIADB_TLS *ssl);
/* ma_ssl_get_finger_print /* ma_tls_get_finger_print
returns SHA1 finger print of server certificate returns SHA1 finger print of server certificate
Parameter: Parameter:
MARIADB_SSL MariaDB SSL container MARIADB_TLS MariaDB SSL container
fp buffer for fingerprint fp buffer for fingerprint
fp_len buffer length fp_len buffer length
Returns: Returns:
actual size of finger print actual size of finger print
*/ */
unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int fp_len); unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, unsigned char *fp, unsigned int fp_len);
/* ma_ssl_get_protocol_version /* ma_tls_get_protocol_version
returns protocol version in use returns protocol version in use
Parameter: Parameter:
MARIADB_SSL MariaDB SSL container MARIADB_TLS MariaDB SSL container
version pointer to ssl version info version pointer to ssl version info
Returns: Returns:
0 success 0 success
1 error 1 error
*/ */
my_bool ma_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version); my_bool ma_tls_get_protocol_version(MARIADB_TLS *ctls, struct st_ssl_version *version);
/* Function prototypes */ /* Function prototypes */
MARIADB_SSL *ma_pvio_ssl_init(MYSQL *mysql); MARIADB_TLS *ma_pvio_tls_init(MYSQL *mysql);
my_bool ma_pvio_ssl_connect(MARIADB_SSL *cssl); my_bool ma_pvio_tls_connect(MARIADB_TLS *ctls);
size_t ma_pvio_ssl_read(MARIADB_SSL *cssl, const uchar *buffer, size_t length); size_t ma_pvio_tls_read(MARIADB_TLS *ctls, const uchar *buffer, size_t length);
size_t ma_pvio_ssl_write(MARIADB_SSL *cssl, const uchar *buffer, size_t length); size_t ma_pvio_tls_write(MARIADB_TLS *ctls, const uchar *buffer, size_t length);
my_bool ma_pvio_ssl_close(MARIADB_SSL *cssl); my_bool ma_pvio_tls_close(MARIADB_TLS *ctls);
int ma_pvio_ssl_verify_server_cert(MARIADB_SSL *cssl); int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls);
const char *ma_pvio_ssl_cipher(MARIADB_SSL *cssl); const char *ma_pvio_tls_cipher(MARIADB_TLS *ctls);
my_bool ma_pvio_ssl_check_fp(MARIADB_SSL *cssl, const char *fp, const char *fp_list); my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_list);
my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio); my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio);
my_bool ma_pvio_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version); my_bool ma_pvio_tls_get_protocol_version(MARIADB_TLS *ctls, struct st_ssl_version *version);
void ma_pvio_ssl_end(); void ma_pvio_tls_end();
#endif /* _ma_ssl_h_ */ #endif /* _ma_tls_h_ */

4
include/mariadb_async.h
View File

@@ -29,9 +29,9 @@ extern ssize_t my_send_async(MARIADB_PVIO *pvio,
extern my_bool my_io_wait_async(struct mysql_async_context *b, extern my_bool my_io_wait_async(struct mysql_async_context *b,
enum enum_pvio_io_event event, int timeout); enum enum_pvio_io_event event, int timeout);
#ifdef HAVE_SSL #ifdef HAVE_SSL
extern int my_ssl_read_async(struct mysql_async_context *b, MARIADB_SSL *ssl, extern int my_ssl_read_async(struct mysql_async_context *b, MARIADB_TLS *tls,
void *buf, int size); void *buf, int size);
extern int my_ssl_write_async(struct mysql_async_context *b, MARIADB_SSL *ssl, extern int my_ssl_write_async(struct mysql_async_context *b, MARIADB_TLS *tls,
const void *buf, int size); const void *buf, int size);
#endif #endif

19
include/mysql.h
View File

@@ -214,13 +214,16 @@ extern unsigned int mariadb_deinitialize_ssl;
MYSQL_OPT_NONBLOCK, MYSQL_OPT_NONBLOCK,
/* MariaDB Connector/C specific */ /* MariaDB Connector/C specific */
MYSQL_DATABASE_DRIVER=7000, MYSQL_DATABASE_DRIVER=7000,
MARIADB_OPT_SSL_FP, /* single finger print for server certificate verification */ MARIADB_OPT_SSL_FP, /* deprecated, use MARIADB_OPT_TLS_PEER_FP instead */
MARIADB_OPT_SSL_FP_LIST, /* finger print white list for server certificate verification */ MARIADB_OPT_SSL_FP_LIST, /* deprecated, use MARIADB_OPT_TLS_PEER_FP_LIST instead */
MARIADB_OPT_SSL_PASSPHRASE, /* passphrase for encrypted certificates */ MARIADB_OPT_TLS_PASSPHRASE, /* passphrase for encrypted certificates */
MARIADB_OPT_TLS_CIPHER_STRENGTH,
MARIADB_OPT_TLS_VERSION,
MARIADB_OPT_TLS_PEER_FP, /* single finger print for server certificate verification */
MARIADB_OPT_TLS_PEER_FP_LIST, /* finger print white list for server certificate verification */
MARIADB_OPT_CONNECTION_READ_ONLY, MARIADB_OPT_CONNECTION_READ_ONLY,
MYSQL_OPT_CONNECT_ATTRS, /* for mysql_get_optionv */ MYSQL_OPT_CONNECT_ATTRS, /* for mysql_get_optionv */
MARIADB_OPT_USERDATA, MARIADB_OPT_USERDATA,
MARIADB_OPT_SSL_CIPHER_STRENGTH,
MARIADB_OPT_CONNECTION_HANDLER, MARIADB_OPT_CONNECTION_HANDLER,
MARIADB_OPT_PORT, MARIADB_OPT_PORT,
MARIADB_OPT_UNIXSOCKET, MARIADB_OPT_UNIXSOCKET,
@@ -259,14 +262,14 @@ extern unsigned int mariadb_deinitialize_ssl;
MARIADB_CONNECTION_SOCKET, MARIADB_CONNECTION_SOCKET,
MARIADB_CONNECTION_SQLSTATE, MARIADB_CONNECTION_SQLSTATE,
MARIADB_CONNECTION_SSL_CIPHER, MARIADB_CONNECTION_SSL_CIPHER,
MARIADB_SSL_LIBRARY, MARIADB_TLS_LIBRARY,
MARIADB_CONNECTION_SSL_VERSION, MARIADB_CONNECTION_TLS_VERSION,
MARIADB_CONNECTION_SSL_VERSION_ID, MARIADB_CONNECTION_TLS_VERSION_ID,
MARIADB_CONNECTION_TYPE, MARIADB_CONNECTION_TYPE,
MARIADB_CONNECTION_UNIX_SOCKET, MARIADB_CONNECTION_UNIX_SOCKET,
MARIADB_CONNECTION_USER, MARIADB_CONNECTION_USER,
MARIADB_MAX_ALLOWED_PACKET, MARIADB_MAX_ALLOWED_PACKET,
MARIADB_NET_BUFFER_LENGTH MARIADB_NET_BUFFER_LENGTH,
}; };
enum mysql_status { MYSQL_STATUS_READY, enum mysql_status { MYSQL_STATUS_READY,

2
libmariadb/CMakeLists.txt
View File

@@ -251,7 +251,7 @@ ma_errmsg.c
mariadb_lib.c mariadb_lib.c
ma_list.c ma_list.c
ma_pvio.c ma_pvio.c
ma_ssl.c ma_tls.c
ma_alloc.c ma_alloc.c
ma_compress.c ma_compress.c
ma_init.c ma_init.c

861
libmariadb/ma_dtoa.c
View File

@@ -746,49 +746,6 @@ static Bigint *multadd(Bigint *b, int m, int a, Stack_alloc *alloc)
return b; return b;
} }
/**
Converts a string to Bigint.
Now we have nd0 digits, starting at s, followed by a
decimal point, followed by nd-nd0 digits.
Unless nd0 == nd, in which case we have a number of the form:
".xxxxxx" or "xxxxxx."
@param s Input string, already partially parsed by ma_strtod_int().
@param nd0 Number of digits before decimal point.
@param nd Total number of digits.
@param y9 Pre-computed value of the first nine digits.
@param alloc Stack allocator for Bigints.
*/
static Bigint *s2b(const char *s, int nd0, int nd, ULong y9, Stack_alloc *alloc)
{
Bigint *b;
int i, k;
Long x, y;
x= (nd + 8) / 9;
for (k= 0, y= 1; x > y; y <<= 1, k++) ;
b= Balloc(k, alloc);
b->p.x[0]= y9;
b->wds= 1;
i= 9;
if (9 < nd0)
{
s+= 9;
do
b= multadd(b, 10, *s++ - '0', alloc);
while (++i < nd0);
s++; /* skip '.' */
}
else
s+= 10;
/* now do the fractional part */
for(; i < nd; i++)
b= multadd(b, 10, *s++ - '0', alloc);
return b;
}
static int hi0bits(register ULong x) static int hi0bits(register ULong x)
{ {
@@ -1143,57 +1100,6 @@ static Bigint *diff(Bigint *a, Bigint *b, Stack_alloc *alloc)
} }
static double ulp(U *x)
{
register Long L;
U u;
L= (word0(x) & Exp_mask) - (P - 1)*Exp_msk1;
word0(&u) = L;
word1(&u) = 0;
return dval(&u);
}
static double b2d(Bigint *a, int *e)
{
ULong *xa, *xa0, w, y, z;
int k;
U d;
#define d0 word0(&d)
#define d1 word1(&d)
xa0= a->p.x;
xa= xa0 + a->wds;
y= *--xa;
k= hi0bits(y);
*e= 32 - k;
if (k < Ebits)
{
d0= Exp_1 | y >> (Ebits - k);
w= xa > xa0 ? *--xa : 0;
d1= y << ((32-Ebits) + k) | w >> (Ebits - k);
goto ret_d;
}
z= xa > xa0 ? *--xa : 0;
if (k-= Ebits)
{
d0= Exp_1 | y << k | z >> (32 - k);
y= xa > xa0 ? *--xa : 0;
d1= z << k | y >> (32 - k);
}
else
{
d0= Exp_1 | y;
d1= z;
}
ret_d:
#undef d0
#undef d1
return dval(&d);
}
static Bigint *d2b(U *d, int *e, int *bits, Stack_alloc *alloc) static Bigint *d2b(U *d, int *e, int *bits, Stack_alloc *alloc)
{ {
Bigint *b; Bigint *b;
@@ -1244,24 +1150,6 @@ static Bigint *d2b(U *d, int *e, int *bits, Stack_alloc *alloc)
} }
static double ratio(Bigint *a, Bigint *b)
{
U da, db;
int k, ka, kb;
dval(&da)= b2d(a, &ka);
dval(&db)= b2d(b, &kb);
k= ka - kb + 32*(a->wds - b->wds);
if (k > 0)
word0(&da)+= k*Exp_msk1;
else
{
k= -k;
word0(&db)+= k*Exp_msk1;
}
return dval(&da) / dval(&db);
}
static const double tens[] = static const double tens[] =
{ {
1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7, 1e8, 1e9, 1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7, 1e8, 1e9,
@@ -1281,755 +1169,6 @@ static const double tinytens[]=
#define Scale_Bit 0x10 #define Scale_Bit 0x10
#define n_bigtens 5 #define n_bigtens 5
/*
strtod for IEEE--arithmetic machines.
This strtod returns a nearest machine number to the input decimal
string (or sets errno to EOVERFLOW). Ties are broken by the IEEE round-even
rule.
Inspired loosely by William D. Clinger's paper "How to Read Floating
Point Numbers Accurately" [Proc. ACM SIGPLAN '90, pp. 92-101].
Modifications:
1. We only require IEEE (not IEEE double-extended).
2. We get by with floating-point arithmetic in a case that
Clinger missed -- when we're computing d * 10^n
for a small integer d and the integer n is not too
much larger than 22 (the maximum integer k for which
we can represent 10^k exactly), we may be able to
compute (d*10^k) * 10^(e-k) with just one roundoff.
3. Rather than a bit-at-a-time adjustment of the binary
result in the hard case, we use floating-point
arithmetic to determine the adjustment to within
one bit; only in really hard cases do we need to
compute a second residual.
4. Because of 3., we don't need a large table of powers of 10
for ten-to-e (just some small tables, e.g. of 10^k
for 0 <= k <= 22).
*/
static double ma_strtod_int(const char *s00, char **se, int *error, char *buf, size_t buf_size)
{
int scale;
int bb2, bb5, bbe, bd2, bd5, bbbits, bs2, UNINIT_VAR(c), dsign,
e, e1, esign, i, j, k, nd, nd0, nf, nz, nz0, sign;
const char *s, *s0, *s1, *end = *se;
double aadj, aadj1;
U aadj2, adj, rv, rv0;
Long L;
ULong y, z;
Bigint *bb, *bb1, *bd, *bd0, *bs, *delta;
#ifdef SET_INEXACT
int inexact, oldinexact;
#endif
#ifdef Honor_FLT_ROUNDS
int rounding;
#endif
Stack_alloc alloc;
*error= 0;
alloc.begin= alloc.free= buf;
alloc.end= buf + buf_size;
memset(alloc.freelist, 0, sizeof(alloc.freelist));
sign= nz0= nz= 0;
dval(&rv)= 0.;
for (s= s00; s < end; s++)
switch (*s) {
case '-':
sign= 1;
/* no break */
case '+':
s++;
goto break2;
case '\t':
case '\n':
case '\v':
case '\f':
case '\r':
case ' ':
continue;
default:
goto break2;
}
break2:
if (s >= end)
goto ret0;
if (*s == '0')
{
nz0= 1;
while (++s < end && *s == '0') ;
if (s >= end)
goto ret;
}
s0= s;
y= z= 0;
for (nd= nf= 0; s < end && (c= *s) >= '0' && c <= '9'; nd++, s++)
if (nd < 9)
y= 10*y + c - '0';
else if (nd < 16)
z= 10*z + c - '0';
nd0= nd;
if (s < end && c == '.')
{
++s;
if (!nd)
{
for (; s < end && (c= *s) == '0'; ++s)
nz++;
if (s < end && (c= *s) > '0' && c <= '9')
{
s0= s;
nf+= nz;
nz= 0;
goto have_dig;
}
goto dig_done;
}
for (; s < end && (c= *s) >= '0' && c <= '9'; ++s)
{
have_dig:
/*
Here we are parsing the fractional part.
We can stop counting digits after a while: the extra digits
will not contribute to the actual result produced by s2b().
We have to continue scanning, in case there is an exponent part.
*/
if (nd < 2 * DBL_DIG)
{
nz++;
if (c-= '0')
{
nf+= nz;
for (i= 1; i < nz; i++)
if (nd++ < 9)
y*= 10;
else if (nd <= DBL_DIG + 1)
z*= 10;
if (nd++ < 9)
y= 10*y + c;
else if (nd <= DBL_DIG + 1)
z= 10*z + c;
nz= 0;
}
}
}
}
dig_done:
e= 0;
if (s < end && (c == 'e' || c == 'E'))
{
if (!nd && !nz && !nz0)
goto ret0;
s00= s;
esign= 0;
if (++s < end)
switch (c= *s) {
case '-':
esign= 1;
case '+':
c= *++s;
}
if (s < end && c >= '0' && c <= '9')
{
while (s < end && c == '0')
c= *++s;
if (s < end && c > '0' && c <= '9') {
L= c - '0';
s1= s;
while (++s < end && (c= *s) >= '0' && c <= '9')
L= 10*L + c - '0';
if (s - s1 > 8 || L > 19999)
/* Avoid confusion from exponents
* so large that e might overflow.
*/
e= 19999; /* safe for 16 bit ints */
else
e= (int)L;
if (esign)
e= -e;
}
else
e= 0;
}
else
s= s00;
}
if (!nd)
{
if (!nz && !nz0)
{
ret0:
s= s00;
sign= 0;
}
goto ret;
}
e1= e -= nf;
/*
Now we have nd0 digits, starting at s0, followed by a
decimal point, followed by nd-nd0 digits. The number we're
after is the integer represented by those digits times
10**e
*/
if (!nd0)
nd0= nd;
k= nd < DBL_DIG + 1 ? nd : DBL_DIG + 1;
dval(&rv)= y;
if (k > 9)
{
#ifdef SET_INEXACT
if (k > DBL_DIG)
oldinexact = get_inexact();
#endif
dval(&rv)= tens[k - 9] * dval(&rv) + z;
}
bd0= 0;
if (nd <= DBL_DIG
#ifndef Honor_FLT_ROUNDS
&& Flt_Rounds == 1
#endif
)
{
if (!e)
goto ret;
if (e > 0)
{
if (e <= Ten_pmax)
{
#ifdef Honor_FLT_ROUNDS
/* round correctly FLT_ROUNDS = 2 or 3 */
if (sign)
{
rv.d= -rv.d;
sign= 0;
}
#endif
/* rv = */ rounded_product(dval(&rv), tens[e]);
goto ret;
}
i= DBL_DIG - nd;
if (e <= Ten_pmax + i)
{
/*
A fancier test would sometimes let us do
this for larger i values.
*/
#ifdef Honor_FLT_ROUNDS
/* round correctly FLT_ROUNDS = 2 or 3 */
if (sign)
{
rv.d= -rv.d;
sign= 0;
}
#endif
e-= i;
dval(&rv)*= tens[i];
/* rv = */ rounded_product(dval(&rv), tens[e]);
goto ret;
}
}
#ifndef Inaccurate_Divide
else if (e >= -Ten_pmax)
{
#ifdef Honor_FLT_ROUNDS
/* round correctly FLT_ROUNDS = 2 or 3 */
if (sign)
{
rv.d= -rv.d;
sign= 0;
}
#endif
/* rv = */ rounded_quotient(dval(&rv), tens[-e]);
goto ret;
}
#endif
}
e1+= nd - k;
#ifdef SET_INEXACT
inexact= 1;
if (k <= DBL_DIG)
oldinexact= get_inexact();
#endif
scale= 0;
#ifdef Honor_FLT_ROUNDS
if ((rounding= Flt_Rounds) >= 2)
{
if (sign)
rounding= rounding == 2 ? 0 : 2;
else
if (rounding != 2)
rounding= 0;
}
#endif
/* Get starting approximation = rv * 10**e1 */
if (e1 > 0)
{
if ((i= e1 & 15))
dval(&rv)*= tens[i];
if (e1&= ~15)
{
if (e1 > DBL_MAX_10_EXP)
{
ovfl:
*error= EOVERFLOW;
/* Can't trust HUGE_VAL */
#ifdef Honor_FLT_ROUNDS
switch (rounding)
{
case 0: /* toward 0 */
case 3: /* toward -infinity */
word0(&rv)= Big0;
word1(&rv)= Big1;
break;
default:
word0(&rv)= Exp_mask;
word1(&rv)= 0;
}
#else /*Honor_FLT_ROUNDS*/
word0(&rv)= Exp_mask;
word1(&rv)= 0;
#endif /*Honor_FLT_ROUNDS*/
#ifdef SET_INEXACT
/* set overflow bit */
dval(&rv0)= 1e300;
dval(&rv0)*= dval(&rv0);
#endif
if (bd0)
goto retfree;
goto ret;
}
e1>>= 4;
for(j= 0; e1 > 1; j++, e1>>= 1)
if (e1 & 1)
dval(&rv)*= bigtens[j];
/* The last multiplication could overflow. */
word0(&rv)-= P*Exp_msk1;
dval(&rv)*= bigtens[j];
if ((z= word0(&rv) & Exp_mask) > Exp_msk1 * (DBL_MAX_EXP + Bias - P))
goto ovfl;
if (z > Exp_msk1 * (DBL_MAX_EXP + Bias - 1 - P))
{
/* set to largest number (Can't trust DBL_MAX) */
word0(&rv)= Big0;
word1(&rv)= Big1;
}
else
word0(&rv)+= P*Exp_msk1;
}
}
else if (e1 < 0)
{
e1= -e1;
if ((i= e1 & 15))
dval(&rv)/= tens[i];
if ((e1>>= 4))
{
if (e1 >= 1 << n_bigtens)
goto undfl;
if (e1 & Scale_Bit)
scale= 2 * P;
for(j= 0; e1 > 0; j++, e1>>= 1)
if (e1 & 1)
dval(&rv)*= tinytens[j];
if (scale && (j = 2 * P + 1 - ((word0(&rv) & Exp_mask) >> Exp_shift)) > 0)
{
/* scaled rv is denormal; zap j low bits */
if (j >= 32)
{
word1(&rv)= 0;
if (j >= 53)
word0(&rv)= (P + 2) * Exp_msk1;
else
word0(&rv)&= 0xffffffff << (j - 32);
}
else
word1(&rv)&= 0xffffffff << j;
}
if (!dval(&rv))
{
undfl:
dval(&rv)= 0.;
if (bd0)
goto retfree;
goto ret;
}
}
}
/* Now the hard part -- adjusting rv to the correct value.*/
/* Put digits into bd: true value = bd * 10^e */
bd0= s2b(s0, nd0, nd, y, &alloc);
for(;;)
{
bd= Balloc(bd0->k, &alloc);
Bcopy(bd, bd0);
bb= d2b(&rv, &bbe, &bbbits, &alloc); /* rv = bb * 2^bbe */
bs= i2b(1, &alloc);
if (e >= 0)
{
bb2= bb5= 0;
bd2= bd5= e;
}
else
{
bb2= bb5= -e;
bd2= bd5= 0;
}
if (bbe >= 0)
bb2+= bbe;
else
bd2-= bbe;
bs2= bb2;
#ifdef Honor_FLT_ROUNDS
if (rounding != 1)
bs2++;
#endif
j= bbe - scale;
i= j + bbbits - 1; /* logb(rv) */
if (i < Emin) /* denormal */
j+= P - Emin;
else
j= P + 1 - bbbits;
bb2+= j;
bd2+= j;
bd2+= scale;
i= bb2 < bd2 ? bb2 : bd2;
if (i > bs2)
i= bs2;
if (i > 0)
{
bb2-= i;
bd2-= i;
bs2-= i;
}
if (bb5 > 0)
{
bs= pow5mult(bs, bb5, &alloc);
bb1= mult(bs, bb, &alloc);
Bfree(bb, &alloc);
bb= bb1;
}
if (bb2 > 0)
bb= lshift(bb, bb2, &alloc);
if (bd5 > 0)
bd= pow5mult(bd, bd5, &alloc);
if (bd2 > 0)
bd= lshift(bd, bd2, &alloc);
if (bs2 > 0)
bs= lshift(bs, bs2, &alloc);
delta= diff(bb, bd, &alloc);
dsign= delta->sign;
delta->sign= 0;
i= cmp(delta, bs);
#ifdef Honor_FLT_ROUNDS
if (rounding != 1)
{
if (i < 0)
{
/* Error is less than an ulp */
if (!delta->p.x[0] && delta->wds <= 1)
{
/* exact */
#ifdef SET_INEXACT
inexact= 0;
#endif
break;
}
if (rounding)
{
if (dsign)
{
adj.d= 1.;
goto apply_adj;
}
}
else if (!dsign)
{
adj.d= -1.;
if (!word1(&rv) && !(word0(&rv) & Frac_mask))
{
y= word0(&rv) & Exp_mask;
if (!scale || y > 2*P*Exp_msk1)
{
delta= lshift(delta, Log2P, &alloc);
if (cmp(delta, bs) <= 0)
adj.d= -0.5;
}
}
apply_adj:
if (scale && (y= word0(&rv) & Exp_mask) <= 2 * P * Exp_msk1)
word0(&adj)+= (2 * P + 1) * Exp_msk1 - y;
dval(&rv)+= adj.d * ulp(&rv);
}
break;
}
adj.d= ratio(delta, bs);
if (adj.d < 1.)
adj.d= 1.;
if (adj.d <= 0x7ffffffe)
{
/* adj = rounding ? ceil(adj) : floor(adj); */
y= adj.d;
if (y != adj.d)
{
if (!((rounding >> 1) ^ dsign))
y++;
adj.d= y;
}
}
if (scale && (y= word0(&rv) & Exp_mask) <= 2 * P * Exp_msk1)
word0(&adj)+= (2 * P + 1) * Exp_msk1 - y;
adj.d*= ulp(&rv);
if (dsign)
dval(&rv)+= adj.d;
else
dval(&rv)-= adj.d;
goto cont;
}
#endif /*Honor_FLT_ROUNDS*/
if (i < 0)
{
/*
Error is less than half an ulp -- check for special case of mantissa
a power of two.
*/
if (dsign || word1(&rv) || word0(&rv) & Bndry_mask ||
(word0(&rv) & Exp_mask) <= (2 * P + 1) * Exp_msk1)
{
#ifdef SET_INEXACT
if (!delta->x[0] && delta->wds <= 1)
inexact= 0;
#endif
break;
}
if (!delta->p.x[0] && delta->wds <= 1)
{
/* exact result */
#ifdef SET_INEXACT
inexact= 0;
#endif
break;
}
delta= lshift(delta, Log2P, &alloc);
if (cmp(delta, bs) > 0)
goto drop_down;
break;
}
if (i == 0)
{
/* exactly half-way between */
if (dsign)
{
if ((word0(&rv) & Bndry_mask1) == Bndry_mask1 &&
word1(&rv) ==
((scale && (y = word0(&rv) & Exp_mask) <= 2 * P * Exp_msk1) ?
(0xffffffff & (0xffffffff << (2*P+1-(y>>Exp_shift)))) :
0xffffffff))
{
/*boundary case -- increment exponent*/
word0(&rv)= (word0(&rv) & Exp_mask) + Exp_msk1;
word1(&rv) = 0;
dsign = 0;
break;
}
}
else if (!(word0(&rv) & Bndry_mask) && !word1(&rv))
{
drop_down:
/* boundary case -- decrement exponent */
if (scale)
{
L= word0(&rv) & Exp_mask;
if (L <= (2 *P + 1) * Exp_msk1)
{
if (L > (P + 2) * Exp_msk1)
/* round even ==> accept rv */
break;
/* rv = smallest denormal */
goto undfl;
}
}
L= (word0(&rv) & Exp_mask) - Exp_msk1;
word0(&rv)= L | Bndry_mask1;
word1(&rv)= 0xffffffff;
break;
}
if (!(word1(&rv) & LSB))
break;
if (dsign)
dval(&rv)+= ulp(&rv);
else
{
dval(&rv)-= ulp(&rv);
if (!dval(&rv))
goto undfl;
}
dsign= 1 - dsign;
break;
}
if ((aadj= ratio(delta, bs)) <= 2.)
{
if (dsign)
aadj= aadj1= 1.;
else if (word1(&rv) || word0(&rv) & Bndry_mask)
{
if (word1(&rv) == Tiny1 && !word0(&rv))
goto undfl;
aadj= 1.;
aadj1= -1.;
}
else
{
/* special case -- power of FLT_RADIX to be rounded down... */
if (aadj < 2. / FLT_RADIX)
aadj= 1. / FLT_RADIX;
else
aadj*= 0.5;
aadj1= -aadj;
}
}
else
{
aadj*= 0.5;
aadj1= dsign ? aadj : -aadj;
#ifdef Check_FLT_ROUNDS
switch (Rounding)
{
case 2: /* towards +infinity */
aadj1-= 0.5;
break;
case 0: /* towards 0 */
case 3: /* towards -infinity */
aadj1+= 0.5;
}
#else
if (Flt_Rounds == 0)
aadj1+= 0.5;
#endif /*Check_FLT_ROUNDS*/
}
y= word0(&rv) & Exp_mask;
/* Check for overflow */
if (y == Exp_msk1 * (DBL_MAX_EXP + Bias - 1))
{
dval(&rv0)= dval(&rv);
word0(&rv)-= P * Exp_msk1;
adj.d= aadj1 * ulp(&rv);
dval(&rv)+= adj.d;
if ((word0(&rv) & Exp_mask) >= Exp_msk1 * (DBL_MAX_EXP + Bias - P))
{
if (word0(&rv0) == Big0 && word1(&rv0) == Big1)
goto ovfl;
word0(&rv)= Big0;
word1(&rv)= Big1;
goto cont;
}
else
word0(&rv)+= P * Exp_msk1;
}
else
{
if (scale && y <= 2 * P * Exp_msk1)
{
if (aadj <= 0x7fffffff)
{
if ((z= (ULong) aadj) <= 0)
z= 1;
aadj= z;
aadj1= dsign ? aadj : -aadj;
}
dval(&aadj2) = aadj1;
word0(&aadj2)+= (2 * P + 1) * Exp_msk1 - y;
aadj1= dval(&aadj2);
adj.d= aadj1 * ulp(&rv);
dval(&rv)+= adj.d;
if (rv.d == 0.)
goto undfl;
}
else
{
adj.d= aadj1 * ulp(&rv);
dval(&rv)+= adj.d;
}
}
z= word0(&rv) & Exp_mask;
#ifndef SET_INEXACT
if (!scale)
if (y == z)
{
/* Can we stop now? */
L= (Long)aadj;
aadj-= L;
/* The tolerances below are conservative. */
if (dsign || word1(&rv) || word0(&rv) & Bndry_mask)
{
if (aadj < .4999999 || aadj > .5000001)
break;
}
else if (aadj < .4999999 / FLT_RADIX)
break;
}
#endif
cont:
Bfree(bb, &alloc);
Bfree(bd, &alloc);
Bfree(bs, &alloc);
Bfree(delta, &alloc);
}
#ifdef SET_INEXACT
if (inexact)
{
if (!oldinexact)
{
word0(&rv0)= Exp_1 + (70 << Exp_shift);
word1(&rv0)= 0;
dval(&rv0)+= 1.;
}
}
else if (!oldinexact)
clear_inexact();
#endif
if (scale)
{
word0(&rv0)= Exp_1 - 2 * P * Exp_msk1;
word1(&rv0)= 0;
dval(&rv)*= dval(&rv0);
}
#ifdef SET_INEXACT
if (inexact && !(word0(&rv) & Exp_mask))
{
/* set underflow bit */
dval(&rv0)= 1e-300;
dval(&rv0)*= dval(&rv0);
}
#endif
retfree:
Bfree(bb, &alloc);
Bfree(bd, &alloc);
Bfree(bs, &alloc);
Bfree(bd0, &alloc);
Bfree(delta, &alloc);
ret:
*se= (char *)s;
return sign ? -dval(&rv) : dval(&rv);
}
static int quorem(Bigint *b, Bigint *S) static int quorem(Bigint *b, Bigint *S)
{ {

34
libmariadb/ma_pvio.c
View File

@@ -243,9 +243,9 @@ size_t ma_pvio_read(MARIADB_PVIO *pvio, uchar *buffer, size_t length)
/* secure connection */ /* secure connection */
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (pvio->cssl) if (pvio->ctls)
{ {
r= ma_pvio_ssl_read(pvio->cssl, buffer, length); r= ma_pvio_tls_read(pvio->ctls, buffer, length);
goto end; goto end;
} }
#endif #endif
@@ -348,9 +348,9 @@ size_t ma_pvio_write(MARIADB_PVIO *pvio, const uchar *buffer, size_t length)
/* secure connection */ /* secure connection */
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (pvio->cssl) if (pvio->ctls)
{ {
r= ma_pvio_ssl_write(pvio->cssl, buffer, length); r= ma_pvio_tls_write(pvio->ctls, buffer, length);
goto end; goto end;
} }
else else
@@ -389,10 +389,10 @@ void ma_pvio_close(MARIADB_PVIO *pvio)
{ {
/* free internal structures and close connection */ /* free internal structures and close connection */
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (pvio && pvio->cssl) if (pvio && pvio->ctls)
{ {
ma_pvio_ssl_close(pvio->cssl); ma_pvio_tls_close(pvio->ctls);
free(pvio->cssl); free(pvio->ctls);
} }
#endif #endif
if (pvio && pvio->methods->close) if (pvio && pvio->methods->close)
@@ -511,14 +511,14 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
if (!pvio || !pvio->mysql) if (!pvio || !pvio->mysql)
return 1; return 1;
CLEAR_CLIENT_ERROR(pvio->mysql); CLEAR_CLIENT_ERROR(pvio->mysql);
if (!(pvio->cssl= ma_pvio_ssl_init(pvio->mysql))) if (!(pvio->ctls= ma_pvio_tls_init(pvio->mysql)))
{ {
return 1; return 1;
} }
if (ma_pvio_ssl_connect(pvio->cssl)) if (ma_pvio_tls_connect(pvio->ctls))
{ {
free(pvio->cssl); free(pvio->ctls);
pvio->cssl= NULL; pvio->ctls= NULL;
return 1; return 1;
} }
@@ -529,17 +529,17 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
*/ */
if ((pvio->mysql->options.ssl_ca || pvio->mysql->options.ssl_capath) && if ((pvio->mysql->options.ssl_ca || pvio->mysql->options.ssl_capath) &&
(pvio->mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) && (pvio->mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
ma_pvio_ssl_verify_server_cert(pvio->cssl)) ma_pvio_tls_verify_server_cert(pvio->ctls))
return 1; return 1;
if (pvio->mysql->options.extension && if (pvio->mysql->options.extension &&
(pvio->mysql->options.extension->ssl_fp && pvio->mysql->options.extension->ssl_fp[0]) || (pvio->mysql->options.extension->tls_fp && pvio->mysql->options.extension->tls_fp[0]) ||
(pvio->mysql->options.extension->ssl_fp_list && pvio->mysql->options.extension->ssl_fp_list[0])) (pvio->mysql->options.extension->tls_fp_list && pvio->mysql->options.extension->tls_fp_list[0]))
{ {
if (ma_pvio_ssl_check_fp(pvio->cssl, if (ma_pvio_tls_check_fp(pvio->ctls,
pvio->mysql->options.extension->ssl_fp, pvio->mysql->options.extension->tls_fp,
pvio->mysql->options.extension->ssl_fp_list)) pvio->mysql->options.extension->tls_fp_list))
return 1; return 1;
} }

60
libmariadb/ma_ssl.c → libmariadb/ma_tls.c
View File

@@ -38,7 +38,7 @@
#include <string.h> #include <string.h>
#include <ma_errmsg.h> #include <ma_errmsg.h>
#include <ma_pvio.h> #include <ma_pvio.h>
#include <ma_ssl.h> #include <ma_tls.h>
#include <mysql/client_plugin.h> #include <mysql/client_plugin.h>
#include <mariadb/ma_io.h> #include <mariadb/ma_io.h>
@@ -48,26 +48,26 @@
#endif #endif
/* Errors should be handled via pvio callback function */ /* Errors should be handled via pvio callback function */
my_bool ma_ssl_initialized= FALSE; my_bool ma_tls_initialized= FALSE;
unsigned int mariadb_deinitialize_ssl= 1; unsigned int mariadb_deinitialize_ssl= 1;
char *ssl_protocol_version[5]= {"unknown", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"}; char *ssl_protocol_version[5]= {"unknown", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"};
MARIADB_SSL *ma_pvio_ssl_init(MYSQL *mysql) MARIADB_TLS *ma_pvio_tls_init(MYSQL *mysql)
{ {
MARIADB_SSL *cssl= NULL; MARIADB_TLS *cssl= NULL;
if (!ma_ssl_initialized) if (!ma_tls_initialized)
ma_ssl_start(mysql->net.last_error, MYSQL_ERRMSG_SIZE); ma_tls_start(mysql->net.last_error, MYSQL_ERRMSG_SIZE);
if (!(cssl= (MARIADB_SSL *)calloc(1, sizeof(MARIADB_SSL)))) if (!(cssl= (MARIADB_TLS *)calloc(1, sizeof(MARIADB_TLS))))
{ {
return NULL; return NULL;
} }
/* register error routine and methods */ /* register error routine and methods */
cssl->pvio= mysql->net.pvio; cssl->pvio= mysql->net.pvio;
if (!(cssl->ssl= ma_ssl_init(mysql))) if (!(cssl->ssl= ma_tls_init(mysql)))
{ {
free(cssl); free(cssl);
cssl= NULL; cssl= NULL;
@@ -75,51 +75,51 @@ MARIADB_SSL *ma_pvio_ssl_init(MYSQL *mysql)
return cssl; return cssl;
} }
my_bool ma_pvio_ssl_connect(MARIADB_SSL *cssl) my_bool ma_pvio_tls_connect(MARIADB_TLS *cssl)
{ {
my_bool rc; my_bool rc;
if ((rc= ma_ssl_connect(cssl))) if ((rc= ma_tls_connect(cssl)))
ma_ssl_close(cssl); ma_tls_close(cssl);
return rc; return rc;
} }
size_t ma_pvio_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_pvio_tls_read(MARIADB_TLS *cssl, const uchar* buffer, size_t length)
{ {
return ma_ssl_read(cssl, buffer, length); return ma_tls_read(cssl, buffer, length);
} }
size_t ma_pvio_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_pvio_tls_write(MARIADB_TLS *cssl, const uchar* buffer, size_t length)
{ {
return ma_ssl_write(cssl, buffer, length); return ma_tls_write(cssl, buffer, length);
} }
my_bool ma_pvio_ssl_close(MARIADB_SSL *cssl) my_bool ma_pvio_tls_close(MARIADB_TLS *cssl)
{ {
return ma_ssl_close(cssl); return ma_tls_close(cssl);
} }
int ma_pvio_ssl_verify_server_cert(MARIADB_SSL *cssl) int ma_pvio_tls_verify_server_cert(MARIADB_TLS *cssl)
{ {
return ma_ssl_verify_server_cert(cssl); return ma_tls_verify_server_cert(cssl);
} }
const char *ma_pvio_ssl_cipher(MARIADB_SSL *cssl) const char *ma_pvio_tls_cipher(MARIADB_TLS *cssl)
{ {
return ma_ssl_get_cipher(cssl); return ma_tls_get_cipher(cssl);
} }
void ma_pvio_ssl_end() void ma_pvio_tls_end()
{ {
ma_ssl_end(); ma_tls_end();
} }
my_bool ma_pvio_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version) my_bool ma_pvio_tls_get_protocol_version(MARIADB_TLS *cssl, struct st_ssl_version *version)
{ {
return ma_ssl_get_protocol_version(cssl, version); return ma_tls_get_protocol_version(cssl, version);
} }
static my_bool ma_pvio_ssl_compare_fp(char *fp1, unsigned int fp1_len, static my_bool ma_pvio_tls_compare_fp(char *fp1, unsigned int fp1_len,
char *fp2, unsigned int fp2_len) char *fp2, unsigned int fp2_len)
{ {
char hexstr[64]; char hexstr[64];
@@ -134,17 +134,17 @@ static my_bool ma_pvio_ssl_compare_fp(char *fp1, unsigned int fp1_len,
return 0; return 0;
} }
my_bool ma_pvio_ssl_check_fp(MARIADB_SSL *cssl, const char *fp, const char *fp_list) my_bool ma_pvio_tls_check_fp(MARIADB_TLS *cssl, const char *fp, const char *fp_list)
{ {
unsigned int cert_fp_len= 64; unsigned int cert_fp_len= 64;
unsigned char cert_fp[64]; unsigned char cert_fp[64];
my_bool rc=1; my_bool rc=1;
MYSQL *mysql= cssl->pvio->mysql; MYSQL *mysql= cssl->pvio->mysql;
if ((cert_fp_len= ma_ssl_get_finger_print(cssl, cert_fp, cert_fp_len)) < 1) if ((cert_fp_len= ma_tls_get_finger_print(cssl, cert_fp, cert_fp_len)) < 1)
goto end; goto end;
if (fp) if (fp)
rc= ma_pvio_ssl_compare_fp(cert_fp, cert_fp_len, (char *)fp, (unsigned int)strlen(fp)); rc= ma_pvio_tls_compare_fp(cert_fp, cert_fp_len, (char *)fp, (unsigned int)strlen(fp));
else if (fp_list) else if (fp_list)
{ {
MA_FILE *fp; MA_FILE *fp;
@@ -164,7 +164,7 @@ my_bool ma_pvio_ssl_check_fp(MARIADB_SSL *cssl, const char *fp, const char *fp_l
if (pos) if (pos)
*pos= '\0'; *pos= '\0';
if (!ma_pvio_ssl_compare_fp(cert_fp, cert_fp_len, buff, (unsigned int)strlen(buff))) if (!ma_pvio_tls_compare_fp(cert_fp, cert_fp_len, buff, (unsigned int)strlen(buff)))
{ {
/* finger print is valid: close file and exit */ /* finger print is valid: close file and exit */
ma_close(fp); ma_close(fp);

63
libmariadb/mariadb_lib.c
View File

@@ -64,7 +64,7 @@
#endif #endif
#include <ma_pvio.h> #include <ma_pvio.h>
#ifdef HAVE_SSL #ifdef HAVE_SSL
#include <ma_ssl.h> #include <ma_tls.h>
#endif #endif
#include <mysql/client_plugin.h> #include <mysql/client_plugin.h>
@@ -610,7 +610,7 @@ struct st_default_options mariadb_defaults[] =
{MARIADB_OPT_SSL_FP, MARIADB_OPTION_STR, "ssl-fp"}, {MARIADB_OPT_SSL_FP, MARIADB_OPTION_STR, "ssl-fp"},
{MARIADB_OPT_SSL_FP_LIST, MARIADB_OPTION_STR, "ssl-fp-list"}, {MARIADB_OPT_SSL_FP_LIST, MARIADB_OPTION_STR, "ssl-fp-list"},
{MARIADB_OPT_SSL_FP_LIST, MARIADB_OPTION_STR, "ssl-fplist"}, {MARIADB_OPT_SSL_FP_LIST, MARIADB_OPTION_STR, "ssl-fplist"},
{MARIADB_OPT_SSL_PASSPHRASE, MARIADB_OPTION_STR, "ssl_passphrase"}, {MARIADB_OPT_TLS_PASSPHRASE, MARIADB_OPTION_STR, "ssl_passphrase"},
{MYSQL_OPT_BIND, MARIADB_OPTION_STR, "bind-address"}, {MYSQL_OPT_BIND, MARIADB_OPTION_STR, "bind-address"},
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -1014,9 +1014,9 @@ const char * STDCALL
mysql_get_ssl_cipher(MYSQL *mysql) mysql_get_ssl_cipher(MYSQL *mysql)
{ {
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (mysql->net.pvio && mysql->net.pvio->cssl) if (mysql->net.pvio && mysql->net.pvio->ctls)
{ {
return ma_pvio_ssl_cipher(mysql->net.pvio->cssl); return ma_pvio_tls_cipher(mysql->net.pvio->ctls);
} }
#endif #endif
return(NULL); return(NULL);
@@ -1795,9 +1795,10 @@ static void mysql_close_options(MYSQL *mysql)
free(mysql->options.extension->db_driver); free(mysql->options.extension->db_driver);
free(mysql->options.extension->ssl_crl); free(mysql->options.extension->ssl_crl);
free(mysql->options.extension->ssl_crlpath); free(mysql->options.extension->ssl_crlpath);
free(mysql->options.extension->ssl_fp); free(mysql->options.extension->tls_fp);
free(mysql->options.extension->ssl_fp_list); free(mysql->options.extension->tls_fp_list);
free(mysql->options.extension->ssl_pw); free(mysql->options.extension->tls_pw);
free(mysql->options.extension->tls_version);
free(mysql->options.extension->url); free(mysql->options.extension->url);
free(mysql->options.extension->connection_handler); free(mysql->options.extension->connection_handler);
if(hash_inited(&mysql->options.extension->connect_attrs)) if(hash_inited(&mysql->options.extension->connect_attrs))
@@ -2776,17 +2777,19 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
case MYSQL_OPT_BIND: case MYSQL_OPT_BIND:
OPT_SET_VALUE_STR(&mysql->options, bind_address, arg1); OPT_SET_VALUE_STR(&mysql->options, bind_address, arg1);
break; break;
case MARIADB_OPT_SSL_CIPHER_STRENGTH: case MARIADB_OPT_TLS_CIPHER_STRENGTH:
OPT_SET_EXTENDED_VALUE_INT(&mysql->options, ssl_cipher_strength, *((unsigned int *)arg1)); OPT_SET_EXTENDED_VALUE_INT(&mysql->options, tls_cipher_strength, *((unsigned int *)arg1));
break; break;
case MARIADB_OPT_SSL_FP: case MARIADB_OPT_SSL_FP:
OPT_SET_EXTENDED_VALUE_STR(&mysql->options, ssl_fp, (char *)arg1); case MARIADB_OPT_TLS_PEER_FP:
OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_fp, (char *)arg1);
break; break;
case MARIADB_OPT_SSL_FP_LIST: case MARIADB_OPT_SSL_FP_LIST:
OPT_SET_EXTENDED_VALUE_STR(&mysql->options, ssl_fp_list, (char *)arg1); case MARIADB_OPT_TLS_PEER_FP_LIST:
OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_fp_list, (char *)arg1);
break; break;
case MARIADB_OPT_SSL_PASSPHRASE: case MARIADB_OPT_TLS_PASSPHRASE:
OPT_SET_EXTENDED_VALUE_STR(&mysql->options, ssl_pw, (char *)arg1); OPT_SET_EXTENDED_VALUE_STR(&mysql->options, tls_pw, (char *)arg1);
break; break;
case MARIADB_OPT_COM_MULTI: case MARIADB_OPT_COM_MULTI:
if (&mysql->net.pvio && if (&mysql->net.pvio &&
@@ -3000,17 +3003,19 @@ mysql_get_optionv(MYSQL *mysql, enum mysql_option option, void *arg, ...)
case MYSQL_OPT_BIND: case MYSQL_OPT_BIND:
*((char **)arg)= mysql->options.bind_address; *((char **)arg)= mysql->options.bind_address;
break; break;
case MARIADB_OPT_SSL_CIPHER_STRENGTH: case MARIADB_OPT_TLS_CIPHER_STRENGTH:
*((unsigned int *)arg) = mysql->options.extension ? mysql->options.extension->ssl_cipher_strength : 0; *((unsigned int *)arg) = mysql->options.extension ? mysql->options.extension->tls_cipher_strength : 0;
break; break;
case MARIADB_OPT_SSL_FP: case MARIADB_OPT_SSL_FP:
*((char **)arg)= mysql->options.extension ? mysql->options.extension->ssl_fp : NULL; case MARIADB_OPT_TLS_PEER_FP:
*((char **)arg)= mysql->options.extension ? mysql->options.extension->tls_fp : NULL;
break; break;
case MARIADB_OPT_SSL_FP_LIST: case MARIADB_OPT_SSL_FP_LIST:
*((char **)arg)= mysql->options.extension ? mysql->options.extension->ssl_fp_list : NULL; case MARIADB_OPT_TLS_PEER_FP_LIST:
*((char **)arg)= mysql->options.extension ? mysql->options.extension->tls_fp_list : NULL;
break; break;
case MARIADB_OPT_SSL_PASSPHRASE: case MARIADB_OPT_TLS_PASSPHRASE:
*((char **)arg)= mysql->options.extension ? mysql->options.extension->ssl_pw : NULL; *((char **)arg)= mysql->options.extension ? mysql->options.extension->tls_pw : NULL;
break; break;
case MARIADB_OPT_CONNECTION_READ_ONLY: case MARIADB_OPT_CONNECTION_READ_ONLY:
*((my_bool *)arg)= mysql->options.extension ? mysql->options.extension->read_only : 0; *((my_bool *)arg)= mysql->options.extension ? mysql->options.extension->read_only : 0;
@@ -3340,7 +3345,7 @@ void STDCALL mysql_server_end(void)
if (ma_init_done) if (ma_init_done)
ma_end(0); ma_end(0);
#ifdef HAVE_SSL #ifdef HAVE_SSL
ma_pvio_ssl_end(); ma_pvio_tls_end();
#endif #endif
mysql_client_init= 0; mysql_client_init= 0;
ma_init_done= 0; ma_init_done= 0;
@@ -3461,31 +3466,31 @@ my_bool STDCALL mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *
goto error; goto error;
*((char **)arg)= mysql->net.sqlstate; *((char **)arg)= mysql->net.sqlstate;
break; break;
case MARIADB_CONNECTION_SSL_VERSION: case MARIADB_CONNECTION_TLS_VERSION:
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (mysql && mysql->net.pvio && mysql->net.pvio->cssl) if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)
{ {
struct st_ssl_version version; struct st_ssl_version version;
if (!ma_pvio_ssl_get_protocol_version(mysql->net.pvio->cssl, &version)) if (!ma_pvio_tls_get_protocol_version(mysql->net.pvio->ctls, &version))
*((char **)arg)= version.cversion; *((char **)arg)= version.cversion;
} }
else else
#endif #endif
goto error; goto error;
break; break;
case MARIADB_CONNECTION_SSL_VERSION_ID: case MARIADB_CONNECTION_TLS_VERSION_ID:
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (mysql && mysql->net.pvio && mysql->net.pvio->cssl) if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)
{ {
struct st_ssl_version version; struct st_ssl_version version;
if (!ma_pvio_ssl_get_protocol_version(mysql->net.pvio->cssl, &version)) if (!ma_pvio_tls_get_protocol_version(mysql->net.pvio->ctls, &version))
*((unsigned int *)arg)= version.iversion; *((unsigned int *)arg)= version.iversion;
} }
else else
#endif #endif
goto error; goto error;
break; break;
case MARIADB_SSL_LIBRARY: case MARIADB_TLS_LIBRARY:
#ifdef HAVE_SSL #ifdef HAVE_SSL
#ifdef HAVE_GNUTLS #ifdef HAVE_GNUTLS
*((char **)arg)= "GNUTLS"; *((char **)arg)= "GNUTLS";
@@ -3579,8 +3584,8 @@ my_bool STDCALL mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *
break; break;
case MARIADB_CONNECTION_SSL_CIPHER: case MARIADB_CONNECTION_SSL_CIPHER:
#ifdef HAVE_SSL #ifdef HAVE_SSL
if (mysql && mysql->net.pvio && mysql->net.pvio->cssl) if (mysql && mysql->net.pvio && mysql->net.pvio->ctls)
*((char **)arg)= (char *)ma_pvio_ssl_cipher(mysql->net.pvio->cssl); *((char **)arg)= (char *)ma_pvio_tls_cipher(mysql->net.pvio->ctls);
else else
#endif #endif
goto error; goto error;

90
libmariadb/secure/gnutls.c
View File

@@ -29,19 +29,19 @@
#include <ma_pthread.h> #include <ma_pthread.h>
#include <mysql/client_plugin.h> #include <mysql/client_plugin.h>
#include <string.h> #include <string.h>
#include <ma_ssl.h> #include <ma_tls.h>
pthread_mutex_t LOCK_gnutls_config; pthread_mutex_t LOCK_gnutls_config;
static gnutls_certificate_credentials_t GNUTLS_xcred; static gnutls_certificate_credentials_t GNUTLS_xcred;
extern my_bool ma_ssl_initialized; extern my_bool ma_tls_initialized;
extern unsigned int mariadb_deinitialize_ssl; extern unsigned int mariadb_deinitialize_ssl;
static int my_verify_callback(gnutls_session_t ssl); static int my_verify_callback(gnutls_session_t ssl);
#define MAX_SSL_ERR_LEN 100 #define MAX_SSL_ERR_LEN 100
static void ma_ssl_set_error(MYSQL *mysql, int ssl_errno) static void ma_tls_set_error(MYSQL *mysql, int ssl_errno)
{ {
char ssl_error[MAX_SSL_ERR_LEN]; char ssl_error[MAX_SSL_ERR_LEN];
const char *ssl_error_reason; const char *ssl_error_reason;
@@ -64,7 +64,7 @@ static void ma_ssl_set_error(MYSQL *mysql, int ssl_errno)
} }
static void ma_ssl_get_error(char *errmsg, size_t length, int ssl_errno) static void ma_tls_get_error(char *errmsg, size_t length, int ssl_errno)
{ {
const char *ssl_error_reason; const char *ssl_error_reason;
@@ -93,11 +93,11 @@ static void ma_ssl_get_error(char *errmsg, size_t length, int ssl_errno)
0 success 0 success
1 error 1 error
*/ */
int ma_ssl_start(char *errmsg, size_t errmsg_len) int ma_tls_start(char *errmsg, size_t errmsg_len)
{ {
int rc= 0; int rc= 0;
if (ma_ssl_initialized) if (ma_tls_initialized)
return 0; return 0;
pthread_mutex_init(&LOCK_gnutls_config,MY_MUTEX_INIT_FAST); pthread_mutex_init(&LOCK_gnutls_config,MY_MUTEX_INIT_FAST);
@@ -105,12 +105,12 @@ int ma_ssl_start(char *errmsg, size_t errmsg_len)
if ((rc= gnutls_global_init()) != GNUTLS_E_SUCCESS) if ((rc= gnutls_global_init()) != GNUTLS_E_SUCCESS)
{ {
ma_ssl_get_error(errmsg, errmsg_len, rc); ma_tls_get_error(errmsg, errmsg_len, rc);
goto end; goto end;
} }
/* Allocate a global context for credentials */ /* Allocate a global context for credentials */
rc= gnutls_certificate_allocate_credentials(&GNUTLS_xcred); rc= gnutls_certificate_allocate_credentials(&GNUTLS_xcred);
ma_ssl_initialized= TRUE; ma_tls_initialized= TRUE;
end: end:
pthread_mutex_unlock(&LOCK_gnutls_config); pthread_mutex_unlock(&LOCK_gnutls_config);
return rc; return rc;
@@ -128,9 +128,9 @@ end:
RETURN VALUES RETURN VALUES
void void
*/ */
void ma_ssl_end() void ma_tls_end()
{ {
if (ma_ssl_initialized) if (ma_tls_initialized)
{ {
pthread_mutex_lock(&LOCK_gnutls_config); pthread_mutex_lock(&LOCK_gnutls_config);
gnutls_certificate_free_keys(GNUTLS_xcred); gnutls_certificate_free_keys(GNUTLS_xcred);
@@ -140,14 +140,14 @@ void ma_ssl_end()
gnutls_certificate_free_credentials(GNUTLS_xcred); gnutls_certificate_free_credentials(GNUTLS_xcred);
if (mariadb_deinitialize_ssl) if (mariadb_deinitialize_ssl)
gnutls_global_deinit(); gnutls_global_deinit();
ma_ssl_initialized= FALSE; ma_tls_initialized= FALSE;
pthread_mutex_unlock(&LOCK_gnutls_config); pthread_mutex_unlock(&LOCK_gnutls_config);
pthread_mutex_destroy(&LOCK_gnutls_config); pthread_mutex_destroy(&LOCK_gnutls_config);
} }
return; return;
} }
static int ma_ssl_set_certs(MYSQL *mysql) static int ma_tls_set_certs(MYSQL *mysql)
{ {
char *certfile= mysql->options.ssl_cert, char *certfile= mysql->options.ssl_cert,
*keyfile= mysql->options.ssl_key; *keyfile= mysql->options.ssl_key;
@@ -179,7 +179,7 @@ static int ma_ssl_set_certs(MYSQL *mysql)
if ((ssl_error= gnutls_certificate_set_x509_key_file2(GNUTLS_xcred, if ((ssl_error= gnutls_certificate_set_x509_key_file2(GNUTLS_xcred,
certfile, keyfile, certfile, keyfile,
GNUTLS_X509_FMT_PEM, GNUTLS_X509_FMT_PEM,
OPT_HAS_EXT_VAL(mysql, ssl_pw) ? mysql->options.extension->ssl_pw : NULL, OPT_HAS_EXT_VAL(mysql, tls_pw) ? mysql->options.extension->tls_pw : NULL,
0)) < 0) 0)) < 0)
goto error; goto error;
} }
@@ -191,7 +191,7 @@ error:
return ssl_error; return ssl_error;
} }
void *ma_ssl_init(MYSQL *mysql) void *ma_tls_init(MYSQL *mysql)
{ {
gnutls_session_t ssl= NULL; gnutls_session_t ssl= NULL;
int ssl_error= 0; int ssl_error= 0;
@@ -199,7 +199,7 @@ void *ma_ssl_init(MYSQL *mysql)
pthread_mutex_lock(&LOCK_gnutls_config); pthread_mutex_lock(&LOCK_gnutls_config);
if ((ssl_error= ma_ssl_set_certs(mysql)) < 0) if ((ssl_error= ma_tls_set_certs(mysql)) < 0)
goto error; goto error;
if ((ssl_error = gnutls_init(&ssl, GNUTLS_CLIENT & GNUTLS_NONBLOCK)) < 0) if ((ssl_error = gnutls_init(&ssl, GNUTLS_CLIENT & GNUTLS_NONBLOCK)) < 0)
@@ -216,36 +216,36 @@ void *ma_ssl_init(MYSQL *mysql)
pthread_mutex_unlock(&LOCK_gnutls_config); pthread_mutex_unlock(&LOCK_gnutls_config);
return (void *)ssl; return (void *)ssl;
error: error:
ma_ssl_set_error(mysql, ssl_error); ma_tls_set_error(mysql, ssl_error);
if (ssl) if (ssl)
gnutls_deinit(ssl); gnutls_deinit(ssl);
pthread_mutex_unlock(&LOCK_gnutls_config); pthread_mutex_unlock(&LOCK_gnutls_config);
return NULL; return NULL;
} }
ssize_t ma_ssl_push(gnutls_transport_ptr_t ptr, const void* data, size_t len) ssize_t ma_tls_push(gnutls_transport_ptr_t ptr, const void* data, size_t len)
{ {
MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr; MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
ssize_t rc= pvio->methods->write(pvio, data, len); ssize_t rc= pvio->methods->write(pvio, data, len);
return rc; return rc;
} }
ssize_t ma_ssl_pull(gnutls_transport_ptr_t ptr, void* data, size_t len) ssize_t ma_tls_pull(gnutls_transport_ptr_t ptr, void* data, size_t len)
{ {
MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr; MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
ssize_t rc= pvio->methods->read(pvio, data, len); ssize_t rc= pvio->methods->read(pvio, data, len);
return rc; return rc;
} }
static int ma_ssl_pull_timeout(gnutls_transport_ptr_t ptr, unsigned int ms) static int ma_tls_pull_timeout(gnutls_transport_ptr_t ptr, unsigned int ms)
{ {
MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr; MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
return pvio->methods->wait_io_or_timeout(pvio, 0, ms); return pvio->methods->wait_io_or_timeout(pvio, 0, ms);
} }
my_bool ma_ssl_connect(MARIADB_SSL *cssl) my_bool ma_tls_connect(MARIADB_TLS *ctls)
{ {
gnutls_session_t ssl = (gnutls_session_t)cssl->ssl; gnutls_session_t ssl = (gnutls_session_t)ctls->ssl;
my_bool blocking; my_bool blocking;
MYSQL *mysql; MYSQL *mysql;
MARIADB_PVIO *pvio; MARIADB_PVIO *pvio;
@@ -263,9 +263,9 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
/* we don't use GnuTLS read/write functions */ /* we don't use GnuTLS read/write functions */
gnutls_transport_set_ptr(ssl, pvio); gnutls_transport_set_ptr(ssl, pvio);
gnutls_transport_set_push_function(ssl, ma_ssl_push); gnutls_transport_set_push_function(ssl, ma_tls_push);
gnutls_transport_set_pull_function(ssl, ma_ssl_pull); gnutls_transport_set_pull_function(ssl, ma_tls_pull);
gnutls_transport_set_pull_timeout_function(ssl, ma_ssl_pull_timeout); gnutls_transport_set_pull_timeout_function(ssl, ma_tls_pull_timeout);
gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]); gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]);
do { do {
@@ -274,47 +274,47 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
if (ret < 0) if (ret < 0)
{ {
ma_ssl_set_error(mysql, ret); ma_tls_set_error(mysql, ret);
/* restore blocking mode */ /* restore blocking mode */
if (!blocking) if (!blocking)
pvio->methods->blocking(pvio, FALSE, 0); pvio->methods->blocking(pvio, FALSE, 0);
return 1; return 1;
} }
cssl->ssl= (void *)ssl; ctls->ssl= (void *)ssl;
return 0; return 0;
} }
size_t ma_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_tls_read(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
{ {
return gnutls_record_recv((gnutls_session_t )cssl->ssl, (void *)buffer, length); return gnutls_record_recv((gnutls_session_t )ctls->ssl, (void *)buffer, length);
} }
size_t ma_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_tls_write(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
{ {
return gnutls_record_send((gnutls_session_t )cssl->ssl, (void *)buffer, length); return gnutls_record_send((gnutls_session_t )ctls->ssl, (void *)buffer, length);
} }
my_bool ma_ssl_close(MARIADB_SSL *cssl) my_bool ma_tls_close(MARIADB_TLS *ctls)
{ {
gnutls_bye((gnutls_session_t )cssl->ssl, GNUTLS_SHUT_WR); gnutls_bye((gnutls_session_t )ctls->ssl, GNUTLS_SHUT_WR);
gnutls_deinit((gnutls_session_t )cssl->ssl); gnutls_deinit((gnutls_session_t )ctls->ssl);
cssl->ssl= NULL; ctls->ssl= NULL;
return 0; return 0;
} }
int ma_ssl_verify_server_cert(MARIADB_SSL *cssl) int ma_tls_verify_server_cert(MARIADB_TLS *ctls)
{ {
/* server verification is already handled before */ /* server verification is already handled before */
return 0; return 0;
} }
const char *ma_ssl_get_cipher(MARIADB_SSL *cssl) const char *ma_tls_get_cipher(MARIADB_TLS *ctls)
{ {
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return NULL; return NULL;
return gnutls_cipher_get_name (gnutls_cipher_get((gnutls_session_t )cssl->ssl)); return gnutls_cipher_get_name (gnutls_cipher_get((gnutls_session_t )ctls->ssl));
} }
static int my_verify_callback(gnutls_session_t ssl) static int my_verify_callback(gnutls_session_t ssl)
@@ -388,19 +388,19 @@ static int my_verify_callback(gnutls_session_t ssl)
return 0; return 0;
} }
unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int len) unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, unsigned char *fp, unsigned int len)
{ {
MYSQL *mysql; MYSQL *mysql;
size_t fp_len= len; size_t fp_len= len;
const gnutls_datum_t *cert_list; const gnutls_datum_t *cert_list;
unsigned int cert_list_size; unsigned int cert_list_size;
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return 0; return 0;
mysql= (MYSQL *)gnutls_session_get_ptr(cssl->ssl); mysql= (MYSQL *)gnutls_session_get_ptr(ctls->ssl);
cert_list = gnutls_certificate_get_peers (cssl->ssl, &cert_list_size); cert_list = gnutls_certificate_get_peers (ctls->ssl, &cert_list_size);
if (cert_list == NULL) if (cert_list == NULL)
{ {
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
@@ -420,12 +420,12 @@ unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsig
} }
} }
my_bool ma_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version) my_bool ma_tls_get_protocol_version(MARIADB_TLS *ctls, struct st_ssl_version *version)
{ {
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return 1; return 1;
version->iversion= gnutls_protocol_get_version(cssl->ssl); version->iversion= gnutls_protocol_get_version(ctls->ssl);
version->cversion= (char *)gnutls_protocol_get_name(version->iversion); version->cversion= (char *)gnutls_protocol_get_name(version->iversion);
return 0; return 0;
} }

30
libmariadb/secure/ma_schannel.c
View File

@@ -396,8 +396,8 @@ SECURITY_STATUS ma_schannel_handshake_loop(MARIADB_PVIO *pvio, my_bool InitialRe
SECURITY_STATUS rc; SECURITY_STATUS rc;
PUCHAR IoBuffer; PUCHAR IoBuffer;
BOOL fDoRead; BOOL fDoRead;
MARIADB_SSL *cssl= pvio->cssl; MARIADB_TLS *ctls= pvio->ctls;
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT | dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
@@ -562,13 +562,13 @@ loopend:
} }
/* }}} */ /* }}} */
/* {{{ SECURITY_STATUS ma_schannel_client_handshake(MARIADB_SSL *cssl) */ /* {{{ SECURITY_STATUS ma_schannel_client_handshake(MARIADB_TLS *ctls) */
/* /*
performs client side handshake performs client side handshake
SYNOPSIS SYNOPSIS
ma_schannel_client_handshake() ma_schannel_client_handshake()
cssl Pointer to a MARIADB_SSL structure ctls Pointer to a MARIADB_TLS structure
DESCRIPTION DESCRIPTION
initiates a client/server handshake. This function can be used initiates a client/server handshake. This function can be used
@@ -578,7 +578,7 @@ loopend:
SEC_E_OK on success SEC_E_OK on success
*/ */
SECURITY_STATUS ma_schannel_client_handshake(MARIADB_SSL *cssl) SECURITY_STATUS ma_schannel_client_handshake(MARIADB_TLS *ctls)
{ {
MARIADB_PVIO *pvio; MARIADB_PVIO *pvio;
SECURITY_STATUS sRet; SECURITY_STATUS sRet;
@@ -594,11 +594,11 @@ SECURITY_STATUS ma_schannel_client_handshake(MARIADB_SSL *cssl)
SecBufferDesc BufferOut; SecBufferDesc BufferOut;
SecBuffer BuffersOut; SecBuffer BuffersOut;
if (!cssl || !cssl->pvio) if (!ctls || !ctls->pvio)
return 1; return 1;
pvio= cssl->pvio; pvio= ctls->pvio;
sctx= (SC_CTX *)cssl->ssl; sctx= (SC_CTX *)ctls->ssl;
/* Initialie securifty context */ /* Initialie securifty context */
BuffersOut.BufferType= SECBUFFER_TOKEN; BuffersOut.BufferType= SECBUFFER_TOKEN;
@@ -701,10 +701,10 @@ SECURITY_STATUS ma_schannel_read_decrypt(MARIADB_PVIO *pvio,
*pData, *pExtra; *pData, *pExtra;
int i; int i;
if (!pvio || !pvio->methods || !pvio->methods->read || !pvio->cssl || !DecryptLength) if (!pvio || !pvio->methods || !pvio->methods->read || !pvio->ctls || !DecryptLength)
return SEC_E_INTERNAL_ERROR; return SEC_E_INTERNAL_ERROR;
sctx= (SC_CTX *)pvio->cssl->ssl; sctx= (SC_CTX *)pvio->ctls->ssl;
*DecryptLength= 0; *DecryptLength= 0;
while (1) while (1)
@@ -880,7 +880,7 @@ size_t ma_schannel_write_encrypt(MARIADB_PVIO *pvio,
SecBuffer Buffers[4]; SecBuffer Buffers[4];
DWORD cbMessage; DWORD cbMessage;
PBYTE pbMessage; PBYTE pbMessage;
SC_CTX *sctx= (SC_CTX *)pvio->cssl->ssl; SC_CTX *sctx= (SC_CTX *)pvio->ctls->ssl;
size_t payload; size_t payload;
payload= MIN(WriteBufferSize, sctx->IoBufferSize); payload= MIN(WriteBufferSize, sctx->IoBufferSize);
@@ -920,15 +920,15 @@ size_t ma_schannel_write_encrypt(MARIADB_PVIO *pvio,
extern char *ssl_protocol_version[5]; extern char *ssl_protocol_version[5];
/* {{{ ma_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version) */ /* {{{ ma_tls_get_protocol_version(MARIADB_TLS *ctls, struct st_ssl_version *version) */
my_bool ma_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version) my_bool ma_tls_get_protocol_version(MARIADB_TLS *ctls, struct st_ssl_version *version)
{ {
SC_CTX *sctx; SC_CTX *sctx;
SecPkgContext_ConnectionInfo ConnectionInfo; SecPkgContext_ConnectionInfo ConnectionInfo;
if (!cssl->ssl) if (!ctls->ssl)
return 1; return 1;
sctx= (SC_CTX *)cssl->ssl; sctx= (SC_CTX *)ctls->ssl;
if (QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_CONNECTION_INFO, &ConnectionInfo) != SEC_E_OK) if (QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_CONNECTION_INFO, &ConnectionInfo) != SEC_E_OK)
return 1; return 1;

3
libmariadb/secure/ma_schannel.h
View File

@@ -56,7 +56,6 @@ struct st_schannel {
PUCHAR IoBuffer; PUCHAR IoBuffer;
DWORD IoBufferSize; DWORD IoBufferSize;
SecPkgContext_StreamSizes Sizes; SecPkgContext_StreamSizes Sizes;
CtxtHandle ctxt; CtxtHandle ctxt;
MYSQL *mysql; MYSQL *mysql;
}; };
@@ -67,7 +66,7 @@ extern HCERTSTORE ca_CertStore, crl_CertStore;
extern my_bool ca_Check, crl_Check; extern my_bool ca_Check, crl_Check;
CERT_CONTEXT *ma_schannel_create_cert_context(MARIADB_PVIO *pvio, const char *pem_file); CERT_CONTEXT *ma_schannel_create_cert_context(MARIADB_PVIO *pvio, const char *pem_file);
SECURITY_STATUS ma_schannel_client_handshake(MARIADB_SSL *cssl); SECURITY_STATUS ma_schannel_client_handshake(MARIADB_TLS *ctls);
SECURITY_STATUS ma_schannel_handshake_loop(MARIADB_PVIO *pvio, my_bool InitialRead, SecBuffer *pExtraData); SECURITY_STATUS ma_schannel_handshake_loop(MARIADB_PVIO *pvio, my_bool InitialRead, SecBuffer *pExtraData);
my_bool ma_schannel_load_private_key(MARIADB_PVIO *pvio, CERT_CONTEXT *ctx, char *key_file); my_bool ma_schannel_load_private_key(MARIADB_PVIO *pvio, CERT_CONTEXT *ctx, char *key_file);
PCCRL_CONTEXT ma_schannel_create_crl_context(MARIADB_PVIO *pvio, const char *pem_file); PCCRL_CONTEXT ma_schannel_create_crl_context(MARIADB_PVIO *pvio, const char *pem_file);

138
libmariadb/secure/openssl.c
View File

@@ -42,7 +42,7 @@
#endif #endif
#include <ma_pthread.h> #include <ma_pthread.h>
extern my_bool ma_ssl_initialized; extern my_bool ma_tls_initialized;
extern unsigned int mariadb_deinitialize_ssl; extern unsigned int mariadb_deinitialize_ssl;
static SSL_CTX *SSL_context= NULL; static SSL_CTX *SSL_context= NULL;
@@ -52,7 +52,7 @@ static pthread_mutex_t LOCK_openssl_config;
static pthread_mutex_t *LOCK_crypto= NULL; static pthread_mutex_t *LOCK_crypto= NULL;
static void ma_ssl_set_error(MYSQL *mysql) static void ma_tls_set_error(MYSQL *mysql)
{ {
ulong ssl_errno= ERR_get_error(); ulong ssl_errno= ERR_get_error();
char ssl_error[MAX_SSL_ERR_LEN]; char ssl_error[MAX_SSL_ERR_LEN];
@@ -76,7 +76,7 @@ static void ma_ssl_set_error(MYSQL *mysql)
} }
static void ma_ssl_get_error(char *errmsg, size_t length) static void ma_tls_get_error(char *errmsg, size_t length)
{ {
ulong ssl_errno= ERR_get_error(); ulong ssl_errno= ERR_get_error();
const char *ssl_error_reason; const char *ssl_error_reason;
@@ -113,13 +113,13 @@ static void my_cb_threadid(CRYPTO_THREADID *id)
#endif #endif
#ifdef HAVE_SSL_SESSION_CACHE #ifdef HAVE_SSL_SESSION_CACHE
typedef struct st_ma_ssl_session { typedef struct st_ma_tls_session {
char md4_hash[17]; char md4_hash[17];
SSL_SESSION *session; SSL_SESSION *session;
} MA_SSL_SESSION; } MA_SSL_SESSION;
MA_SSL_SESSION *ma_ssl_sessions= NULL; MA_SSL_SESSION *ma_tls_sessions= NULL;
unsigned int ma_ssl_session_cache_size= 128; unsigned int ma_tls_session_cache_size= 128;
static char *ma_md4_hash(const char *host, const char *user, unsigned int port, char *md4) static char *ma_md4_hash(const char *host, const char *user, unsigned int port, char *md4)
{ {
@@ -130,28 +130,28 @@ static char *ma_md4_hash(const char *host, const char *user, unsigned int port,
return md4; return md4;
} }
MA_SSL_SESSION *ma_ssl_get_session(MYSQL *mysql) MA_SSL_SESSION *ma_tls_get_session(MYSQL *mysql)
{ {
char md4[17]; char md4[17];
int i; int i;
if (!ma_ssl_sessions) if (!ma_tls_sessions)
return NULL; return NULL;
memset(md4, 0, 16); memset(md4, 0, 16);
ma_md4_hash(mysql->host, mysql->user, mysql->port, md4); ma_md4_hash(mysql->host, mysql->user, mysql->port, md4);
for (i=0; i < ma_ssl_session_cache_size; i++) for (i=0; i < ma_tls_session_cache_size; i++)
{ {
if (ma_ssl_sessions[i].session && if (ma_tls_sessions[i].session &&
!strncmp(ma_ssl_sessions[i].md4_hash, md4, 16)) !strncmp(ma_tls_sessions[i].md4_hash, md4, 16))
{ {
return &ma_ssl_sessions[i]; return &ma_tls_sessions[i];
} }
} }
return NULL; return NULL;
} }
static int ma_ssl_session_cb(SSL *ssl, SSL_SESSION *session) static int ma_tls_session_cb(SSL *ssl, SSL_SESSION *session)
{ {
MYSQL *mysql; MYSQL *mysql;
MA_SSL_SESSION *stored_session; MA_SSL_SESSION *stored_session;
@@ -160,34 +160,34 @@ static int ma_ssl_session_cb(SSL *ssl, SSL_SESSION *session)
mysql= (MYSQL *)SSL_get_app_data(ssl); mysql= (MYSQL *)SSL_get_app_data(ssl);
/* check if we already stored session key */ /* check if we already stored session key */
if ((stored_session= ma_ssl_get_session(mysql))) if ((stored_session= ma_tls_get_session(mysql)))
{ {
SSL_SESSION_free(stored_session->session); SSL_SESSION_free(stored_session->session);
stored_session->session= session; stored_session->session= session;
return 1; return 1;
} }
for (i=0; i < ma_ssl_session_cache_size; i++) for (i=0; i < ma_tls_session_cache_size; i++)
{ {
if (!ma_ssl_sessions[i].session) if (!ma_tls_sessions[i].session)
{ {
ma_md4_hash(mysql->host, mysql->user, mysql->port, ma_ssl_sessions[i].md4_hash); ma_md4_hash(mysql->host, mysql->user, mysql->port, ma_tls_sessions[i].md4_hash);
ma_ssl_sessions[i].session= session; ma_tls_sessions[i].session= session;
} }
return 1; return 1;
} }
return 0; return 0;
} }
static void ma_ssl_remove_session_cb(SSL_CTX* ctx, SSL_SESSION* session) static void ma_tls_remove_session_cb(SSL_CTX* ctx, SSL_SESSION* session)
{ {
int i; int i;
for (i=0; i < ma_ssl_session_cache_size; i++) for (i=0; i < ma_tls_session_cache_size; i++)
if (session == ma_ssl_sessions[i].session) if (session == ma_tls_sessions[i].session)
{ {
ma_ssl_sessions[i].md4_hash[0]= 0; ma_tls_sessions[i].md4_hash[0]= 0;
SSL_SESSION_free(ma_ssl_sessions[i].session); SSL_SESSION_free(ma_tls_sessions[i].session);
ma_ssl_sessions[i].session= NULL; ma_tls_sessions[i].session= NULL;
} }
} }
#endif #endif
@@ -238,10 +238,10 @@ static int ssl_thread_init()
0 success 0 success
1 error 1 error
*/ */
int ma_ssl_start(char *errmsg, size_t errmsg_len) int ma_tls_start(char *errmsg, size_t errmsg_len)
{ {
int rc= 1; int rc= 1;
if (ma_ssl_initialized) if (ma_tls_initialized)
return 0; return 0;
/* lock mutex to prevent multiple initialization */ /* lock mutex to prevent multiple initialization */
@@ -267,17 +267,17 @@ int ma_ssl_start(char *errmsg, size_t errmsg_len)
if (!(SSL_context= SSL_CTX_new(SSLv23_client_method()))) if (!(SSL_context= SSL_CTX_new(SSLv23_client_method())))
#endif #endif
{ {
ma_ssl_get_error(errmsg, errmsg_len); ma_tls_get_error(errmsg, errmsg_len);
goto end; goto end;
} }
#ifdef HAVE_SSL_SESSION_CACHE #ifdef HAVE_SSL_SESSION_CACHE
SSL_CTX_set_session_cache_mode(SSL_context, SSL_SESS_CACHE_CLIENT); SSL_CTX_set_session_cache_mode(SSL_context, SSL_SESS_CACHE_CLIENT);
ma_ssl_sessions= (MA_SSL_SESSION *)calloc(1, sizeof(struct st_ma_ssl_session) * ma_ssl_session_cache_size); ma_tls_sessions= (MA_SSL_SESSION *)calloc(1, sizeof(struct st_ma_tls_session) * ma_tls_session_cache_size);
SSL_CTX_sess_set_new_cb(SSL_context, ma_ssl_session_cb); SSL_CTX_sess_set_new_cb(SSL_context, ma_tls_session_cb);
SSL_CTX_sess_set_remove_cb(SSL_context, ma_ssl_remove_session_cb); SSL_CTX_sess_set_remove_cb(SSL_context, ma_tls_remove_session_cb);
#endif #endif
rc= 0; rc= 0;
ma_ssl_initialized= TRUE; ma_tls_initialized= TRUE;
end: end:
pthread_mutex_unlock(&LOCK_openssl_config); pthread_mutex_unlock(&LOCK_openssl_config);
return rc; return rc;
@@ -295,9 +295,9 @@ end:
RETURN VALUES RETURN VALUES
void void
*/ */
void ma_ssl_end() void ma_tls_end()
{ {
if (ma_ssl_initialized) if (ma_tls_initialized)
{ {
int i; int i;
pthread_mutex_lock(&LOCK_openssl_config); pthread_mutex_lock(&LOCK_openssl_config);
@@ -325,14 +325,14 @@ void ma_ssl_end()
CONF_modules_unload(1); CONF_modules_unload(1);
sk_SSL_COMP_free(SSL_COMP_get_compression_methods()); sk_SSL_COMP_free(SSL_COMP_get_compression_methods());
} }
ma_ssl_initialized= FALSE; ma_tls_initialized= FALSE;
pthread_mutex_unlock(&LOCK_openssl_config); pthread_mutex_unlock(&LOCK_openssl_config);
pthread_mutex_destroy(&LOCK_openssl_config); pthread_mutex_destroy(&LOCK_openssl_config);
} }
return; return;
} }
int ma_ssl_get_password(char *buf, int size, int rwflag, void *userdata) int ma_tls_get_password(char *buf, int size, int rwflag, void *userdata)
{ {
memset(buf, 0, size); memset(buf, 0, size);
if (userdata) if (userdata)
@@ -341,7 +341,7 @@ int ma_ssl_get_password(char *buf, int size, int rwflag, void *userdata)
} }
static int ma_ssl_set_certs(MYSQL *mysql) static int ma_tls_set_certs(MYSQL *mysql)
{ {
char *certfile= mysql->options.ssl_cert, char *certfile= mysql->options.ssl_cert,
*keyfile= mysql->options.ssl_key; *keyfile= mysql->options.ssl_key;
@@ -375,10 +375,10 @@ static int ma_ssl_set_certs(MYSQL *mysql)
/* If the private key file is encrypted, we need to register a callback function /* If the private key file is encrypted, we need to register a callback function
* for providing password. */ * for providing password. */
if (OPT_HAS_EXT_VAL(mysql, ssl_pw)) if (OPT_HAS_EXT_VAL(mysql, tls_pw))
{ {
SSL_CTX_set_default_passwd_cb_userdata(SSL_context, (void *)mysql->options.extension->ssl_pw); SSL_CTX_set_default_passwd_cb_userdata(SSL_context, (void *)mysql->options.extension->tls_pw);
SSL_CTX_set_default_passwd_cb(SSL_context, ma_ssl_get_password); SSL_CTX_set_default_passwd_cb(SSL_context, ma_tls_get_password);
} }
if (keyfile && keyfile[0]) if (keyfile && keyfile[0])
@@ -391,7 +391,7 @@ static int ma_ssl_set_certs(MYSQL *mysql)
goto error; goto error;
} }
} }
if (OPT_HAS_EXT_VAL(mysql, ssl_pw)) if (OPT_HAS_EXT_VAL(mysql, tls_pw))
{ {
SSL_CTX_set_default_passwd_cb_userdata(SSL_context, NULL); SSL_CTX_set_default_passwd_cb_userdata(SSL_context, NULL);
SSL_CTX_set_default_passwd_cb(SSL_context, NULL); SSL_CTX_set_default_passwd_cb(SSL_context, NULL);
@@ -416,7 +416,7 @@ static int ma_ssl_set_certs(MYSQL *mysql)
return 0; return 0;
error: error:
ma_ssl_set_error(mysql); ma_tls_set_error(mysql);
return 1; return 1;
} }
@@ -450,16 +450,16 @@ static int my_verify_callback(int ok, X509_STORE_CTX *ctx)
} }
void *ma_ssl_init(MYSQL *mysql) void *ma_tls_init(MYSQL *mysql)
{ {
int verify; int verify;
SSL *ssl= NULL; SSL *ssl= NULL;
#ifdef HAVE_SSL_SESSION_CACHE #ifdef HAVE_SSL_SESSION_CACHE
MA_SSL_SESSION *session= ma_ssl_get_session(mysql); MA_SSL_SESSION *session= ma_tls_get_session(mysql);
#endif #endif
pthread_mutex_lock(&LOCK_openssl_config); pthread_mutex_lock(&LOCK_openssl_config);
if (ma_ssl_set_certs(mysql)) if (ma_tls_set_certs(mysql))
{ {
goto error; goto error;
} }
@@ -490,9 +490,9 @@ error:
return NULL; return NULL;
} }
my_bool ma_ssl_connect(MARIADB_SSL *cssl) my_bool ma_tls_connect(MARIADB_TLS *ctls)
{ {
SSL *ssl = (SSL *)cssl->ssl; SSL *ssl = (SSL *)ctls->ssl;
my_bool blocking; my_bool blocking;
MYSQL *mysql; MYSQL *mysql;
MARIADB_PVIO *pvio; MARIADB_PVIO *pvio;
@@ -512,7 +512,7 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
if (SSL_connect(ssl) != 1) if (SSL_connect(ssl) != 1)
{ {
ma_ssl_set_error(mysql); ma_tls_set_error(mysql);
/* restore blocking mode */ /* restore blocking mode */
if (!blocking) if (!blocking)
pvio->methods->blocking(pvio, FALSE, 0); pvio->methods->blocking(pvio, FALSE, 0);
@@ -532,29 +532,29 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
return 1; return 1;
} }
} }
pvio->cssl->ssl= cssl->ssl= (void *)ssl; pvio->ctls->ssl= ctls->ssl= (void *)ssl;
return 0; return 0;
} }
size_t ma_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_tls_read(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
{ {
return SSL_read((SSL *)cssl->ssl, (void *)buffer, (int)length); return SSL_read((SSL *)ctls->ssl, (void *)buffer, (int)length);
} }
size_t ma_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_tls_write(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
{ {
return SSL_write((SSL *)cssl->ssl, (void *)buffer, (int)length); return SSL_write((SSL *)ctls->ssl, (void *)buffer, (int)length);
} }
my_bool ma_ssl_close(MARIADB_SSL *cssl) my_bool ma_tls_close(MARIADB_TLS *ctls)
{ {
int i, rc; int i, rc;
SSL *ssl; SSL *ssl;
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return 1; return 1;
ssl= (SSL *)cssl->ssl; ssl= (SSL *)ctls->ssl;
SSL_set_quiet_shutdown(ssl, 1); SSL_set_quiet_shutdown(ssl, 1);
/* 2 x pending + 2 * data = 4 */ /* 2 x pending + 2 * data = 4 */
@@ -563,12 +563,12 @@ my_bool ma_ssl_close(MARIADB_SSL *cssl)
break; break;
SSL_free(ssl); SSL_free(ssl);
cssl->ssl= NULL; ctls->ssl= NULL;
return rc; return rc;
} }
int ma_ssl_verify_server_cert(MARIADB_SSL *cssl) int ma_tls_verify_server_cert(MARIADB_TLS *ctls)
{ {
X509 *cert; X509 *cert;
MYSQL *mysql; MYSQL *mysql;
@@ -580,9 +580,9 @@ int ma_ssl_verify_server_cert(MARIADB_SSL *cssl)
SSL *ssl; SSL *ssl;
MARIADB_PVIO *pvio; MARIADB_PVIO *pvio;
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return 1; return 1;
ssl= (SSL *)cssl->ssl; ssl= (SSL *)ctls->ssl;
mysql= (MYSQL *)SSL_get_app_data(ssl); mysql= (MYSQL *)SSL_get_app_data(ssl);
pvio= mysql->net.pvio; pvio= mysql->net.pvio;
@@ -632,26 +632,26 @@ error:
return 1; return 1;
} }
const char *ma_ssl_get_cipher(MARIADB_SSL *cssl) const char *ma_tls_get_cipher(MARIADB_TLS *ctls)
{ {
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return NULL; return NULL;
return SSL_get_cipher_name(cssl->ssl); return SSL_get_cipher_name(ctls->ssl);
} }
unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int len) unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, unsigned char *fp, unsigned int len)
{ {
EVP_MD *digest= (EVP_MD *)EVP_sha1(); EVP_MD *digest= (EVP_MD *)EVP_sha1();
X509 *cert; X509 *cert;
MYSQL *mysql; MYSQL *mysql;
unsigned int fp_len; unsigned int fp_len;
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return 0; return 0;
mysql= SSL_get_app_data(cssl->ssl); mysql= SSL_get_app_data(ctls->ssl);
if (!(cert= SSL_get_peer_certificate(cssl->ssl))) if (!(cert= SSL_get_peer_certificate(ctls->ssl)))
{ {
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
ER(CR_SSL_CONNECTION_ERROR), ER(CR_SSL_CONNECTION_ERROR),
@@ -681,14 +681,14 @@ unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsig
extern char *ssl_protocol_version[5]; extern char *ssl_protocol_version[5];
my_bool ma_ssl_get_protocol_version(MARIADB_SSL *cssl, struct st_ssl_version *version) my_bool ma_tls_get_protocol_version(MARIADB_TLS *ctls, struct st_ssl_version *version)
{ {
SSL *ssl; SSL *ssl;
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return 1; return 1;
ssl = (SSL *)cssl->ssl; ssl = (SSL *)ctls->ssl;
switch(ssl->version) switch(ssl->version)
{ {
#ifdef SSL3_VERSION #ifdef SSL3_VERSION

78
libmariadb/secure/schannel.c
View File

@@ -24,7 +24,7 @@
//#define VOID void //#define VOID void
extern my_bool ma_ssl_initialized; extern my_bool ma_tls_initialized;
static pthread_mutex_t LOCK_schannel_config; static pthread_mutex_t LOCK_schannel_config;
static pthread_mutex_t *LOCK_crypto= NULL; static pthread_mutex_t *LOCK_crypto= NULL;
@@ -97,15 +97,15 @@ static int ssl_thread_init()
context SSL_context context SSL_context
SYNOPSIS SYNOPSIS
ma_ssl_start ma_tls_start
RETURN VALUES RETURN VALUES
0 success 0 success
1 error 1 error
*/ */
int ma_ssl_start(char *errmsg, size_t errmsg_len) int ma_tls_start(char *errmsg, size_t errmsg_len)
{ {
if (!ma_ssl_initialized) if (!ma_tls_initialized)
{ {
pthread_mutex_init(&LOCK_schannel_config,MY_MUTEX_INIT_FAST); pthread_mutex_init(&LOCK_schannel_config,MY_MUTEX_INIT_FAST);
pthread_mutex_lock(&LOCK_schannel_config); pthread_mutex_lock(&LOCK_schannel_config);
@@ -119,7 +119,7 @@ int ma_ssl_start(char *errmsg, size_t errmsg_len)
} }
} }
ma_ssl_initialized = TRUE; ma_tls_initialized = TRUE;
pthread_mutex_unlock(&LOCK_schannel_config); pthread_mutex_unlock(&LOCK_schannel_config);
} }
return 0; return 0;
@@ -131,15 +131,15 @@ int ma_ssl_start(char *errmsg, size_t errmsg_len)
mysql_server_end() function mysql_server_end() function
SYNOPSIS SYNOPSIS
ma_ssl_end() ma_tls_end()
void void
RETURN VALUES RETURN VALUES
void void
*/ */
void ma_ssl_end() void ma_tls_end()
{ {
if (ma_ssl_initialized) if (ma_tls_initialized)
{ {
pthread_mutex_lock(&LOCK_schannel_config); pthread_mutex_lock(&LOCK_schannel_config);
if (ca_CertStore) if (ca_CertStore)
@@ -152,25 +152,25 @@ void ma_ssl_end()
CertCloseStore(crl_CertStore, 0); CertCloseStore(crl_CertStore, 0);
crl_CertStore = 0; crl_CertStore = 0;
} }
ma_ssl_initialized= FALSE; ma_tls_initialized= FALSE;
pthread_mutex_unlock(&LOCK_schannel_config); pthread_mutex_unlock(&LOCK_schannel_config);
pthread_mutex_destroy(&LOCK_schannel_config); pthread_mutex_destroy(&LOCK_schannel_config);
} }
return; return;
} }
/* {{{ static int ma_ssl_set_client_certs(MARIADB_SSL *cssl) */ /* {{{ static int ma_tls_set_client_certs(MARIADB_TLS *ctls) */
static int ma_ssl_set_client_certs(MARIADB_SSL *cssl) static int ma_tls_set_client_certs(MARIADB_TLS *ctls)
{ {
MYSQL *mysql= cssl->pvio->mysql; MYSQL *mysql= ctls->pvio->mysql;
char *certfile= mysql->options.ssl_cert, char *certfile= mysql->options.ssl_cert,
*keyfile= mysql->options.ssl_key, *keyfile= mysql->options.ssl_key,
*cafile= mysql->options.ssl_ca; *cafile= mysql->options.ssl_ca;
PCERT_CONTEXT ca_ctx= NULL; PCERT_CONTEXT ca_ctx= NULL;
PCRL_CONTEXT crl_ctx = NULL; PCRL_CONTEXT crl_ctx = NULL;
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
MARIADB_PVIO *pvio= cssl->pvio; MARIADB_PVIO *pvio= ctls->pvio;
if (cafile) if (cafile)
{ {
@@ -194,7 +194,7 @@ static int ma_ssl_set_client_certs(MARIADB_SSL *cssl)
keyfile= certfile; keyfile= certfile;
if (certfile && certfile[0]) if (certfile && certfile[0])
if (!(sctx->client_cert_ctx = ma_schannel_create_cert_context(cssl->pvio, certfile))) if (!(sctx->client_cert_ctx = ma_schannel_create_cert_context(ctls->pvio, certfile)))
goto end; goto end;
if (sctx->client_cert_ctx && keyfile[0]) if (sctx->client_cert_ctx && keyfile[0])
@@ -229,8 +229,8 @@ end:
} }
/* }}} */ /* }}} */
/* {{{ void *ma_ssl_init(MARIADB_SSL *cssl, MYSQL *mysql) */ /* {{{ void *ma_tls_init(MARIADB_TLS *ctls, MYSQL *mysql) */
void *ma_ssl_init(MYSQL *mysql) void *ma_tls_init(MYSQL *mysql)
{ {
SC_CTX *sctx= NULL; SC_CTX *sctx= NULL;
@@ -249,7 +249,7 @@ void *ma_ssl_init(MYSQL *mysql)
my_bool ma_ssl_connect(MARIADB_SSL *cssl) my_bool ma_tls_connect(MARIADB_TLS *ctls)
{ {
my_bool blocking; my_bool blocking;
MYSQL *mysql; MYSQL *mysql;
@@ -262,11 +262,11 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
pLocalCertContext= NULL; pLocalCertContext= NULL;
ALG_ID AlgId[MAX_ALG_ID]= {0}; ALG_ID AlgId[MAX_ALG_ID]= {0};
if (!cssl || !cssl->pvio) if (!ctls || !ctls->pvio)
return 1;; return 1;;
pvio= cssl->pvio; pvio= ctls->pvio;
sctx= (SC_CTX *)cssl->ssl; sctx= (SC_CTX *)ctls->ssl;
/* Set socket to blocking if not already set */ /* Set socket to blocking if not already set */
if (!(blocking= pvio->methods->is_blocking(pvio))) if (!(blocking= pvio->methods->is_blocking(pvio)))
@@ -274,7 +274,7 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
mysql= pvio->mysql; mysql= pvio->mysql;
if (ma_ssl_set_client_certs(cssl)) if (ma_tls_set_client_certs(ctls))
goto end; goto end;
ZeroMemory(&Cred, sizeof(SCHANNEL_CRED)); ZeroMemory(&Cred, sizeof(SCHANNEL_CRED));
@@ -302,7 +302,7 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
Cred.dwVersion= SCHANNEL_CRED_VERSION; Cred.dwVersion= SCHANNEL_CRED_VERSION;
if (mysql->options.extension) if (mysql->options.extension)
Cred.dwMinimumCipherStrength = MAX(128, mysql->options.extension->ssl_cipher_strength); Cred.dwMinimumCipherStrength = MAX(128, mysql->options.extension->tls_cipher_strength);
else else
Cred.dwMinimumCipherStrength = 128; Cred.dwMinimumCipherStrength = 128;
Cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK | SCH_SEND_ROOT_CERT | Cred.dwFlags |= SCH_CRED_NO_SERVERNAME_CHECK | SCH_SEND_ROOT_CERT |
@@ -323,7 +323,7 @@ my_bool ma_ssl_connect(MARIADB_SSL *cssl)
} }
sctx->FreeCredHdl= 1; sctx->FreeCredHdl= 1;
if (ma_schannel_client_handshake(cssl) != SEC_E_OK) if (ma_schannel_client_handshake(ctls) != SEC_E_OK)
goto end; goto end;
sRet= QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pRemoteCertContext); sRet= QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pRemoteCertContext);
@@ -350,9 +350,9 @@ end:
return 1; return 1;
} }
size_t ma_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_tls_read(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
{ {
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
MARIADB_PVIO *pvio= sctx->mysql->net.pvio; MARIADB_PVIO *pvio= sctx->mysql->net.pvio;
DWORD dlength= -1; DWORD dlength= -1;
@@ -360,9 +360,9 @@ size_t ma_ssl_read(MARIADB_SSL *cssl, const uchar* buffer, size_t length)
return dlength; return dlength;
} }
size_t ma_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length) size_t ma_tls_write(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
{ {
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
MARIADB_PVIO *pvio= sctx->mysql->net.pvio; MARIADB_PVIO *pvio= sctx->mysql->net.pvio;
size_t rc, wlength= 0; size_t rc, wlength= 0;
size_t remain= length; size_t remain= length;
@@ -377,10 +377,10 @@ size_t ma_ssl_write(MARIADB_SSL *cssl, const uchar* buffer, size_t length)
return length; return length;
} }
/* {{{ my_bool ma_ssl_close(MARIADB_PVIO *pvio) */ /* {{{ my_bool ma_tls_close(MARIADB_PVIO *pvio) */
my_bool ma_ssl_close(MARIADB_SSL *cssl) my_bool ma_tls_close(MARIADB_TLS *ctls)
{ {
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
if (sctx) if (sctx)
{ {
@@ -396,10 +396,10 @@ my_bool ma_ssl_close(MARIADB_SSL *cssl)
} }
/* }}} */ /* }}} */
int ma_ssl_verify_server_cert(MARIADB_SSL *cssl) int ma_tls_verify_server_cert(MARIADB_TLS *ctls)
{ {
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
MARIADB_PVIO *pvio= cssl->pvio; MARIADB_PVIO *pvio= ctls->pvio;
int rc= 1; int rc= 1;
char *szName= NULL; char *szName= NULL;
char *pszServerName= pvio->mysql->host; char *pszServerName= pvio->mysql->host;
@@ -461,17 +461,17 @@ end:
return rc; return rc;
} }
const char *ma_ssl_get_cipher(MARIADB_SSL *cssl) const char *ma_tls_get_cipher(MARIADB_TLS *ctls)
{ {
SecPkgContext_ConnectionInfo cinfo; SecPkgContext_ConnectionInfo cinfo;
SECURITY_STATUS sRet; SECURITY_STATUS sRet;
SC_CTX *sctx; SC_CTX *sctx;
DWORD i= 0; DWORD i= 0;
if (!cssl || !cssl->ssl) if (!ctls || !ctls->ssl)
return NULL; return NULL;
sctx= (SC_CTX *)cssl->ssl; sctx= (SC_CTX *)ctls->ssl;
sRet= QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_CONNECTION_INFO, (PVOID)&cinfo); sRet= QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_CONNECTION_INFO, (PVOID)&cinfo);
if (sRet != SEC_E_OK) if (sRet != SEC_E_OK)
@@ -486,9 +486,9 @@ const char *ma_ssl_get_cipher(MARIADB_SSL *cssl)
return NULL; return NULL;
} }
unsigned int ma_ssl_get_finger_print(MARIADB_SSL *cssl, unsigned char *fp, unsigned int len) unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, unsigned char *fp, unsigned int len)
{ {
SC_CTX *sctx= (SC_CTX *)cssl->ssl; SC_CTX *sctx= (SC_CTX *)ctls->ssl;
PCCERT_CONTEXT pRemoteCertContext = NULL; PCCERT_CONTEXT pRemoteCertContext = NULL;
if (QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pRemoteCertContext) != SEC_E_OK) if (QueryContextAttributes(&sctx->ctxt, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pRemoteCertContext) != SEC_E_OK)
return 0; return 0;

4
plugins/auth/my_auth.c
View File

@@ -189,8 +189,8 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL)) if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))
{ {
if ((mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) || if ((mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) ||
(mysql->options.extension && (mysql->options.extension->ssl_fp || (mysql->options.extension && (mysql->options.extension->tls_fp ||
mysql->options.extension->ssl_fp_list))) mysql->options.extension->tls_fp_list)))
{ {
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
ER(CR_SSL_CONNECTION_ERROR), ER(CR_SSL_CONNECTION_ERROR),

2
unittest/libmariadb/connection.c
View File

@@ -841,7 +841,7 @@ static int test_get_options(MYSQL *my)
int options_char[]= {MYSQL_READ_DEFAULT_FILE, MYSQL_READ_DEFAULT_GROUP, MYSQL_SET_CHARSET_NAME, int options_char[]= {MYSQL_READ_DEFAULT_FILE, MYSQL_READ_DEFAULT_GROUP, MYSQL_SET_CHARSET_NAME,
MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CERT, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CERT, MYSQL_OPT_SSL_CAPATH,
MYSQL_OPT_SSL_CIPHER, MYSQL_OPT_BIND, MARIADB_OPT_SSL_FP, MARIADB_OPT_SSL_FP_LIST, MYSQL_OPT_SSL_CIPHER, MYSQL_OPT_BIND, MARIADB_OPT_SSL_FP, MARIADB_OPT_SSL_FP_LIST,
MARIADB_OPT_SSL_PASSPHRASE, 0}; MARIADB_OPT_TLS_PASSPHRASE, 0};
char *init_command[3]= {"SET @a:=1", "SET @b:=2", "SET @c:=3"}; char *init_command[3]= {"SET @a:=1", "SET @b:=2", "SET @c:=3"};
int elements= 0; int elements= 0;

10
unittest/libmariadb/ssl.c.in
View File

@@ -379,7 +379,7 @@ static int test_password_protected(MYSQL *my)
"@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem", "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem",
"@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0);
mysql_options(mysql, MARIADB_OPT_SSL_PASSPHRASE, "qwerty"); mysql_options(mysql, MARIADB_OPT_TLS_PASSPHRASE, "qwerty");
FAIL_IF(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, FAIL_IF(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
port, socketname, 0), mysql_error(mysql)); port, socketname, 0), mysql_error(mysql));
@@ -780,12 +780,12 @@ static int test_ssl_version(MYSQL *mysql)
port, socketname, 0), mysql_error(my)); port, socketname, 0), mysql_error(my));
diag("cipher: %s", mysql_get_ssl_cipher(my)); diag("cipher: %s", mysql_get_ssl_cipher(my));
mariadb_get_infov(my, MARIADB_CONNECTION_SSL_VERSION_ID, &iversion); mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION_ID, &iversion);
diag("protocol: %d", iversion); diag("protocol: %d", iversion);
mariadb_get_infov(my, MARIADB_CONNECTION_SSL_VERSION, &version); mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION, &version);
diag("protocol: %s", version); diag("protocol: %s", version);
mariadb_get_infov(my, MARIADB_SSL_LIBRARY, &library); mariadb_get_infov(my, MARIADB_TLS_LIBRARY, &library);
diag("library: %s", library); diag("library: %s", library);
mysql_close(my); mysql_close(my);
@@ -806,7 +806,7 @@ static int test_schannel_cipher(MYSQL *mysql)
FAIL_IF(!my, "mysql_init() failed"); FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0);
mysql_options(my, MARIADB_OPT_SSL_CIPHER_STRENGTH, &cipher_strength); mysql_options(my, MARIADB_OPT_TLS_CIPHER_STRENGTH, &cipher_strength);
FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema, FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
port, socketname, 0), mysql_error(my)); port, socketname, 0), mysql_error(my));