|
- /* Copyright (c) 2000, 2021, Oracle and/or its affiliates.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License, version 2.0,
- as published by the Free Software Foundation.
-
- This program is also distributed with certain software (including
- but not limited to OpenSSL) that is licensed under separate terms,
- as designated in a particular file or component or in included license
- documentation. The authors of MySQL hereby grant you an additional
- permission to link the program and your derivative works with the
- separately licensed software that they have included with MySQL.
-
- Without limiting anything contained in the foregoing, this file,
- which is part of C Driver for MySQL (Connector/C), is also subject to the
- Universal FOSS Exception, version 1.0, a copy of which can be found at
- http://oss.oracle.com/licenses/universal-foss-exception.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License, version 2.0, for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
-
- #include "vio_priv.h"
- #include "my_openssl.h"
-
- #ifdef HAVE_OPENSSL
-
- #define TLS_VERSION_OPTION_SIZE 256
- #define SSL_CIPHER_LIST_SIZE 4096
-
- static const char tls_ciphers_list[]="ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-ECDSA-AES256-GCM-SHA384:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES256-GCM-SHA384:"
- "ECDHE-ECDSA-AES128-SHA256:"
- "ECDHE-RSA-AES128-SHA256:"
- "ECDHE-ECDSA-AES256-SHA384:"
- "ECDHE-RSA-AES256-SHA384:"
- "DHE-RSA-AES128-GCM-SHA256:"
- "DHE-DSS-AES128-GCM-SHA256:"
- "DHE-RSA-AES128-SHA256:"
- "DHE-DSS-AES128-SHA256:"
- "DHE-DSS-AES256-GCM-SHA384:"
- "DHE-RSA-AES256-SHA256:"
- "DHE-DSS-AES256-SHA256:"
- "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
- "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
- "DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:"
- "TLS_DHE_DSS_WITH_AES_256_CBC_SHA:DHE-RSA-AES256-SHA:"
- "AES128-GCM-SHA256:DH-DSS-AES128-GCM-SHA256:"
- "ECDH-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:"
- "DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:"
- "AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-SHA256:"
- "DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:"
- "DH-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:"
- "DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:"
- "DH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DH-RSA-AES256-GCM-SHA384:"
- "ECDH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-SHA256:"
- "ECDH-RSA-AES128-SHA256:DH-RSA-AES256-SHA256:"
- "ECDH-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
- "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
- "ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:"
- "TLS_DHE_DSS_WITH_AES_256_CBC_SHA:DHE-RSA-AES256-SHA:"
- "AES128-SHA:DH-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:"
- "DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DH-RSA-AES128-SHA:"
- "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
- static const char tls_cipher_blocked[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!RC4:!PSK:"
- "!DHE-DSS-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:"
- "!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:"
- "!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:";
-
- static my_bool ssl_initialized = FALSE;
-
- /*
- Diffie-Hellman key.
- Generated using: >openssl dhparam -5 -C 2048
-
- -----BEGIN DH PARAMETERS-----
- MIIBCAKCAQEAil36wGZ2TmH6ysA3V1xtP4MKofXx5n88xq/aiybmGnReZMviCPEJ
- 46+7VCktl/RZ5iaDH1XNG1dVQmznt9pu2G3usU+k1/VB4bQL4ZgW4u0Wzxh9PyXD
- glm99I9Xyj4Z5PVE4MyAsxCRGA1kWQpD9/zKAegUBPLNqSo886Uqg9hmn8ksyU9E
- BV5eAEciCuawh6V0O+Sj/C3cSfLhgA0GcXp3OqlmcDu6jS5gWjn3LdP1U0duVxMB
- h/neTSCSvtce4CAMYMjKNVh9P1nu+2d9ZH2Od2xhRIqMTfAS1KTqF3VmSWzPFCjG
- mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
- -----END DH PARAMETERS-----
- */
- static unsigned char dh2048_p[]=
- {
- 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
- 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
- 0xC6, 0xAF, 0xDA, 0x8B, 0x26, 0xE6, 0x1A, 0x74, 0x5E, 0x64, 0xCB, 0xE2,
- 0x08, 0xF1, 0x09, 0xE3, 0xAF, 0xBB, 0x54, 0x29, 0x2D, 0x97, 0xF4, 0x59,
- 0xE6, 0x26, 0x83, 0x1F, 0x55, 0xCD, 0x1B, 0x57, 0x55, 0x42, 0x6C, 0xE7,
- 0xB7, 0xDA, 0x6E, 0xD8, 0x6D, 0xEE, 0xB1, 0x4F, 0xA4, 0xD7, 0xF5, 0x41,
- 0xE1, 0xB4, 0x0B, 0xE1, 0x98, 0x16, 0xE2, 0xED, 0x16, 0xCF, 0x18, 0x7D,
- 0x3F, 0x25, 0xC3, 0x82, 0x59, 0xBD, 0xF4, 0x8F, 0x57, 0xCA, 0x3E, 0x19,
- 0xE4, 0xF5, 0x44, 0xE0, 0xCC, 0x80, 0xB3, 0x10, 0x91, 0x18, 0x0D, 0x64,
- 0x59, 0x0A, 0x43, 0xF7, 0xFC, 0xCA, 0x01, 0xE8, 0x14, 0x04, 0xF2, 0xCD,
- 0xA9, 0x2A, 0x3C, 0xF3, 0xA5, 0x2A, 0x83, 0xD8, 0x66, 0x9F, 0xC9, 0x2C,
- 0xC9, 0x4F, 0x44, 0x05, 0x5E, 0x5E, 0x00, 0x47, 0x22, 0x0A, 0xE6, 0xB0,
- 0x87, 0xA5, 0x74, 0x3B, 0xE4, 0xA3, 0xFC, 0x2D, 0xDC, 0x49, 0xF2, 0xE1,
- 0x80, 0x0D, 0x06, 0x71, 0x7A, 0x77, 0x3A, 0xA9, 0x66, 0x70, 0x3B, 0xBA,
- 0x8D, 0x2E, 0x60, 0x5A, 0x39, 0xF7, 0x2D, 0xD3, 0xF5, 0x53, 0x47, 0x6E,
- 0x57, 0x13, 0x01, 0x87, 0xF9, 0xDE, 0x4D, 0x20, 0x92, 0xBE, 0xD7, 0x1E,
- 0xE0, 0x20, 0x0C, 0x60, 0xC8, 0xCA, 0x35, 0x58, 0x7D, 0x3F, 0x59, 0xEE,
- 0xFB, 0x67, 0x7D, 0x64, 0x7D, 0x8E, 0x77, 0x6C, 0x61, 0x44, 0x8A, 0x8C,
- 0x4D, 0xF0, 0x12, 0xD4, 0xA4, 0xEA, 0x17, 0x75, 0x66, 0x49, 0x6C, 0xCF,
- 0x14, 0x28, 0xC6, 0x9A, 0x3C, 0x71, 0xFD, 0xB8, 0x3A, 0x6C, 0xE3, 0xA3,
- 0xA6, 0x06, 0x5A, 0xA6, 0xF0, 0x7A, 0x00, 0x15, 0xA5, 0x5A, 0x64, 0x66,
- 0x00, 0x05, 0x85, 0xB7,
- };
-
- static unsigned char dh2048_g[]={
- 0x05,
- };
-
- static DH *get_dh2048(void)
- {
- DH *dh;
- if ((dh=DH_new()))
- {
- BIGNUM *p= BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
- BIGNUM *g= BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
- if (!p || !g
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- || !DH_set0_pqg(dh, p, NULL, g)
- #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
- ) {
- /* DH_free() will free 'p' and 'g' at once. */
- DH_free(dh);
- return NULL;
- }
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- dh->p= p;
- dh->g= g;
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- }
- return(dh);
- }
-
-
- static void
- report_errors()
- {
- unsigned long l;
- const char* file;
- const char* data;
- int line,flags;
-
- DBUG_ENTER("report_errors");
-
- while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
- {
- #ifndef NDEBUG /* Avoid warning */
- char buf[200];
- DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
- file,line,(flags & ERR_TXT_STRING) ? data : "")) ;
- #endif
- }
- DBUG_VOID_RETURN;
- }
-
- static const char*
- ssl_error_string[] =
- {
- "No error",
- "Unable to get certificate",
- "Unable to get private key",
- "Private key does not match the certificate public key",
- "SSL_CTX_set_default_verify_paths failed",
- "Failed to set ciphers to use",
- "SSL_CTX_new failed",
- "SSL context is not usable without certificate and private key",
- "SSL_CTX_set_tmp_dh failed",
- "TLS version is invalid"
- };
-
- const char*
- sslGetErrString(enum enum_ssl_init_error e)
- {
- assert(SSL_INITERR_NOERROR < e && e < SSL_INITERR_LASTERR);
- return ssl_error_string[e];
- }
-
- static int
- vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
- enum enum_ssl_init_error* error)
- {
- DBUG_ENTER("vio_set_cert_stuff");
- DBUG_PRINT("enter", ("ctx: 0x%lx cert_file: %s key_file: %s",
- (long) ctx, cert_file, key_file));
-
- if (!cert_file && key_file)
- cert_file= key_file;
-
- if (!key_file && cert_file)
- key_file= cert_file;
-
- if (cert_file &&
- SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
- {
- *error= SSL_INITERR_CERT;
- DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
- DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- my_message_local(ERROR_LEVEL, "SSL error: %s from '%s'",
- sslGetErrString(*error), cert_file);
- DBUG_RETURN(1);
- }
-
- if (key_file &&
- SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
- {
- *error= SSL_INITERR_KEY;
- DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
- DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- my_message_local(ERROR_LEVEL, "SSL error: %s from '%s'",
- sslGetErrString(*error), key_file);
- DBUG_RETURN(1);
- }
-
- /*
- If we are using DSA, we can copy the parameters from the private key
- Now we know that a key and cert have been set against the SSL context
- */
- if (cert_file && !SSL_CTX_check_private_key(ctx))
- {
- *error= SSL_INITERR_NOMATCH;
- DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
- DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
- my_message_local(ERROR_LEVEL, "SSL error: %s", sslGetErrString(*error));
- DBUG_RETURN(1);
- }
-
- DBUG_RETURN(0);
- }
-
- /*
- OpenSSL 1.1 supports native platform threads,
- so we don't need the following callback functions.
- */
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- /* OpenSSL specific */
-
- #ifdef HAVE_PSI_INTERFACE
- static PSI_rwlock_key key_rwlock_openssl;
-
- static PSI_rwlock_info openssl_rwlocks[]=
- {
- { &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0}
- };
- #endif
-
-
- typedef struct CRYPTO_dynlock_value
- {
- mysql_rwlock_t lock;
- } openssl_lock_t;
-
-
- /* Array of locks used by openssl internally for thread synchronization.
- The number of locks is equal to CRYPTO_num_locks.
- */
- static openssl_lock_t *openssl_stdlocks;
-
- /*OpenSSL callback functions for multithreading. We implement all the functions
- as we are using our own locking mechanism.
- */
- static void openssl_lock(int mode, openssl_lock_t *lock,
- const char *file MY_ATTRIBUTE((unused)),
- int line MY_ATTRIBUTE((unused)))
- {
- int err;
- char const *what;
-
- switch (mode) {
- case CRYPTO_LOCK|CRYPTO_READ:
- what = "read lock";
- err= mysql_rwlock_rdlock(&lock->lock);
- break;
- case CRYPTO_LOCK|CRYPTO_WRITE:
- what = "write lock";
- err= mysql_rwlock_wrlock(&lock->lock);
- break;
- case CRYPTO_UNLOCK|CRYPTO_READ:
- case CRYPTO_UNLOCK|CRYPTO_WRITE:
- what = "unlock";
- err= mysql_rwlock_unlock(&lock->lock);
- break;
- default:
- /* Unknown locking mode. */
- DBUG_PRINT("error",
- ("Fatal OpenSSL: %s:%d: interface problem (mode=0x%x)\n",
- file, line, mode));
-
- fprintf(stderr, "Fatal: OpenSSL interface problem (mode=0x%x)", mode);
- fflush(stderr);
- abort();
- }
- if (err)
- {
- DBUG_PRINT("error",
- ("Fatal OpenSSL: %s:%d: can't %s OpenSSL lock\n",
- file, line, what));
-
- fprintf(stderr, "Fatal: can't %s OpenSSL lock", what);
- fflush(stderr);
- abort();
- }
- }
-
- static void openssl_lock_function(int mode, int n,
- const char *file MY_ATTRIBUTE((unused)),
- int line MY_ATTRIBUTE((unused)))
- {
- if (n < 0 || n > CRYPTO_num_locks())
- {
- /* Lock number out of bounds. */
- DBUG_PRINT("error",
- ("Fatal OpenSSL: %s:%d: interface problem (n = %d)", file, line, n));
-
- fprintf(stderr, "Fatal: OpenSSL interface problem (n = %d)", n);
- fflush(stderr);
- abort();
- }
- openssl_lock(mode, &openssl_stdlocks[n], file, line);
- }
-
- static openssl_lock_t *openssl_dynlock_create(const char *file
- MY_ATTRIBUTE((unused)),
- int line MY_ATTRIBUTE((unused)))
- {
- openssl_lock_t *lock;
-
- DBUG_PRINT("info", ("openssl_dynlock_create: %s:%d", file, line));
-
- lock= (openssl_lock_t*)
- my_malloc(PSI_NOT_INSTRUMENTED,sizeof(openssl_lock_t),MYF(0));
-
- #ifdef HAVE_PSI_INTERFACE
- mysql_rwlock_init(key_rwlock_openssl, &lock->lock);
- #else
- mysql_rwlock_init(0, &lock->lock);
- #endif
- return lock;
- }
-
-
- static void openssl_dynlock_destroy(openssl_lock_t *lock,
- const char *file MY_ATTRIBUTE((unused)),
- int line MY_ATTRIBUTE((unused)))
- {
- DBUG_PRINT("info", ("openssl_dynlock_destroy: %s:%d", file, line));
-
- mysql_rwlock_destroy(&lock->lock);
- my_free(lock);
- }
-
- static unsigned long openssl_id_function()
- {
- return (unsigned long) my_thread_self();
- }
-
- //End of mutlithreading callback functions
-
- static void init_ssl_locks()
- {
- int i= 0;
- #ifdef HAVE_PSI_INTERFACE
- const char* category= "sql";
- int count= array_elements(openssl_rwlocks);
- mysql_rwlock_register(category, openssl_rwlocks, count);
- #endif
-
- openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
- sizeof(openssl_lock_t));
- for (i= 0; i < CRYPTO_num_locks(); ++i)
- #ifdef HAVE_PSI_INTERFACE
- mysql_rwlock_init(key_rwlock_openssl, &openssl_stdlocks[i].lock);
- #else
- mysql_rwlock_init(0, &openssl_stdlocks[i].lock);
- #endif
- }
-
- static void set_lock_callback_functions(my_bool init)
- {
- CRYPTO_set_locking_callback(init ? openssl_lock_function : NULL);
- CRYPTO_set_id_callback(init ? openssl_id_function : NULL);
- CRYPTO_set_dynlock_create_callback(init ? openssl_dynlock_create : NULL);
- CRYPTO_set_dynlock_destroy_callback(init ? openssl_dynlock_destroy : NULL);
- CRYPTO_set_dynlock_lock_callback(init ? openssl_lock : NULL);
- }
-
- static void init_lock_callback_functions()
- {
- set_lock_callback_functions(TRUE);
- }
-
- static void deinit_lock_callback_functions()
- {
- set_lock_callback_functions(FALSE);
- }
-
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-
- void vio_ssl_end()
- {
- if (ssl_initialized) {
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- int i;
-
- ERR_remove_thread_state(0);
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- ERR_free_strings();
- EVP_cleanup();
-
- CRYPTO_cleanup_all_ex_data();
-
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- deinit_lock_callback_functions();
-
- for (i= 0; i < CRYPTO_num_locks(); ++i)
- mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
- OPENSSL_free(openssl_stdlocks);
-
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- ssl_initialized= FALSE;
- }
- }
-
- void ssl_start()
- {
- if (!ssl_initialized)
- {
- ssl_initialized= TRUE;
-
- mysql_OPENSSL_init();
-
- OpenSSL_add_all_algorithms();
- SSL_load_error_strings();
-
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
- init_ssl_locks();
- init_lock_callback_functions();
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- }
- }
-
- long process_tls_version(const char *tls_version)
- {
- const char *separator= ",";
- char *token, *lasts= NULL;
- unsigned int tls_versions_count= 3;
- const char *tls_version_name_list[3]= {"TLSv1", "TLSv1.1", "TLSv1.2"};
- const char ctx_flag_default[]= "TLSv1,TLSv1.1,TLSv1.2";
- const long tls_ctx_list[3]= {SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2};
- long tls_ctx_flag= SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2;
- unsigned int index= 0;
- char tls_version_option[TLS_VERSION_OPTION_SIZE]= "";
- int tls_found= 0;
-
- if (!tls_version || !my_strcasecmp(&my_charset_latin1, tls_version, ctx_flag_default))
- return 0;
-
- if (strlen(tls_version)-1 > sizeof(tls_version_option))
- return -1;
-
- strncpy(tls_version_option, tls_version, sizeof(tls_version_option));
- token= my_strtok_r(tls_version_option, separator, &lasts);
- while (token)
- {
- for (index=0; index < tls_versions_count; index++)
- {
- if (!my_strcasecmp(&my_charset_latin1, tls_version_name_list[index], token))
- {
- tls_found= 1;
- tls_ctx_flag= tls_ctx_flag & (~tls_ctx_list[index]);
- break;
- }
- }
- token= my_strtok_r(NULL, separator, &lasts);
- }
-
- if (!tls_found)
- return -1;
- else
- return tls_ctx_flag;
- }
-
- /************************ VioSSLFd **********************************/
- static struct st_VioSSLFd *
- new_VioSSLFd(const char *key_file, const char *cert_file,
- const char *ca_file, const char *ca_path,
- const char *cipher, my_bool is_client,
- enum enum_ssl_init_error *error,
- const char *crl_file, const char *crl_path, const long ssl_ctx_flags)
- {
- DH *dh;
- struct st_VioSSLFd *ssl_fd;
- /* MySQL 5.7 supports TLS up to v1.2, explicitly disable TLSv1.3. */
- long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
- #ifdef HAVE_TLSv13
- | SSL_OP_NO_TLSv1_3
- #endif /* HAVE_TLSv13 */
- ;
- int ret_set_cipherlist= 0;
- char cipher_list[SSL_CIPHER_LIST_SIZE]= {0};
- DBUG_ENTER("new_VioSSLFd");
- DBUG_PRINT("enter",
- ("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
- "cipher: '%s' crl_file: '%s' crl_path: '%s' ssl_ctx_flags: '%ld' ",
- key_file ? key_file : "NULL",
- cert_file ? cert_file : "NULL",
- ca_file ? ca_file : "NULL",
- ca_path ? ca_path : "NULL",
- cipher ? cipher : "NULL",
- crl_file ? crl_file : "NULL",
- crl_path ? crl_path : "NULL",
- ssl_ctx_flags));
-
- if (ssl_ctx_flags < 0)
- {
- *error= SSL_TLS_VERSION_INVALID;
- DBUG_PRINT("error", ("TLS version invalid : %s", sslGetErrString(*error)));
- report_errors();
- DBUG_RETURN(0);
- }
-
- ssl_ctx_options= (ssl_ctx_options | ssl_ctx_flags) &
- (SSL_OP_NO_SSLv2 |
- SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1 |
- SSL_OP_NO_TLSv1_1
- | SSL_OP_NO_TLSv1_2
- #ifdef HAVE_TLSv13
- | SSL_OP_NO_TLSv1_3
- #endif /* HAVE_TLSv13 */
- | SSL_OP_NO_TICKET
- );
- if (!(ssl_fd= ((struct st_VioSSLFd*)
- my_malloc(key_memory_vio_ssl_fd,
- sizeof(struct st_VioSSLFd),MYF(0)))))
- DBUG_RETURN(0);
-
- if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client ?
- SSLv23_client_method() :
- SSLv23_server_method())))
- {
- *error= SSL_INITERR_MEMFAIL;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
-
- SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
-
- #ifdef HAVE_TLSv13
- /*
- MySQL 5.7 doesn't support TLSv1.3 - set empty TLSv1.3 ciphersuites.
- */
- if (0 == SSL_CTX_set_ciphersuites(ssl_fd->ssl_context, ""))
- {
- *error = SSL_INITERR_CIPHERS;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
- #endif /* HAVE_TLSv13 */
-
- /*
- We explicitly prohibit weak ciphers.
- NOTE: SSL_CTX_set_cipher_list will return 0 if
- none of the provided ciphers could be selected
- */
- strncpy(cipher_list, tls_cipher_blocked, SSL_CIPHER_LIST_SIZE - 1);
-
- /*
- If ciphers are specified explicitly by caller, use them.
- Otherwise, fallback to the default list.
-
- In either case, we make sure we stay within the valid bounds.
- Note that we have already consumed tls_cipher_blocked
- worth of space.
- */
- strncat(cipher_list, cipher == 0 ? tls_ciphers_list : cipher,
- SSL_CIPHER_LIST_SIZE - strlen(cipher_list) - 1);
-
- if (ret_set_cipherlist == SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher_list))
- {
- *error= SSL_INITERR_CIPHERS;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
-
- /* Load certs from the trusted ca */
- if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) <= 0)
- {
- DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
- if (ca_file || ca_path)
- {
- /* fail only if ca file or ca path were supplied and looking into
- them fails. */
- *error= SSL_INITERR_BAD_PATHS;
- DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s",
- sslGetErrString(*error)));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
-
- /* otherwise go use the defaults */
- if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
- {
- *error= SSL_INITERR_BAD_PATHS;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
- }
-
- if (crl_file || crl_path)
- {
- X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
- /* Load crls from the trusted ca */
- if (X509_STORE_load_locations(store, crl_file, crl_path) == 0 ||
- X509_STORE_set_flags(store,
- X509_V_FLAG_CRL_CHECK |
- X509_V_FLAG_CRL_CHECK_ALL) == 0)
- {
- DBUG_PRINT("warning", ("X509_STORE_load_locations for CRL failed"));
- *error= SSL_INITERR_BAD_PATHS;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
- }
-
- if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
- {
- DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
-
- /* Server specific check : Must have certificate and key file */
- if (!is_client && !key_file && !cert_file)
- {
- *error= SSL_INITERR_NO_USABLE_CTX;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
-
- /* DH stuff */
- dh= get_dh2048();
- if (SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh) == 0)
- {
- *error= SSL_INITERR_DHFAIL;
- DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
- report_errors();
- DH_free(dh);
- SSL_CTX_free(ssl_fd->ssl_context);
- my_free(ssl_fd);
- DBUG_RETURN(0);
- }
- DH_free(dh);
-
- DBUG_PRINT("exit", ("OK 1"));
-
- DBUG_RETURN(ssl_fd);
- }
-
-
- /************************ VioSSLConnectorFd **********************************/
- struct st_VioSSLFd *
- new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
- const char *ca_file, const char *ca_path,
- const char *cipher, enum enum_ssl_init_error* error,
- const char *crl_file, const char *crl_path, const long ssl_ctx_flags)
- {
- struct st_VioSSLFd *ssl_fd;
- int verify= SSL_VERIFY_PEER;
-
- /*
- Turn off verification of servers certificate if both
- ca_file and ca_path is set to NULL
- */
- if (ca_file == 0 && ca_path == 0)
- verify= SSL_VERIFY_NONE;
-
- if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
- ca_path, cipher, TRUE, error,
- crl_file, crl_path, ssl_ctx_flags)))
- {
- return 0;
- }
-
- /* Init the VioSSLFd as a "connector" ie. the client side */
-
- SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
-
- return ssl_fd;
- }
-
-
- /************************ VioSSLAcceptorFd **********************************/
- struct st_VioSSLFd *
- new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
- const char *ca_file, const char *ca_path,
- const char *cipher, enum enum_ssl_init_error* error,
- const char *crl_file, const char * crl_path, const long ssl_ctx_flags)
- {
- struct st_VioSSLFd *ssl_fd;
- int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
- if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
- ca_path, cipher, FALSE, error,
- crl_file, crl_path, ssl_ctx_flags)))
- {
- return 0;
- }
- /* Init the the VioSSLFd as a "acceptor" ie. the server side */
-
- /* Set max number of cached sessions, returns the previous size */
- SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128);
-
- SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
-
- /*
- Set session_id - an identifier for this server session
- Use the ssl_fd pointer
- */
- SSL_CTX_set_session_id_context(ssl_fd->ssl_context,
- (const unsigned char *)ssl_fd,
- sizeof(ssl_fd));
-
- return ssl_fd;
- }
-
- void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd)
- {
- SSL_CTX_free(fd->ssl_context);
- my_free(fd);
- }
- #endif /* HAVE_OPENSSL */
|