| Server IP : 104.21.38.3 / Your IP : 172.71.82.108 Web Server : Apache System : Linux krdc-ubuntu-s-2vcpu-4gb-amd-blr1-01.localdomain 5.15.0-142-generic #152-Ubuntu SMP Mon May 19 10:54:31 UTC 2025 x86_64 User : www ( 1000) PHP Version : 7.4.33 Disable Function : passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /www/server/mysql/src/vio/ |
Upload File : |
/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, version 2.0,
as published by the Free Software Foundation.
This program is also distributed with certain software (including
but not limited to OpenSSL) that is licensed under separate terms,
as designated in a particular file or component or in included license
documentation. The authors of MySQL hereby grant you an additional
permission to link the program and your derivative works with the
separately licensed software that they have included with MySQL.
Without limiting anything contained in the foregoing, this file,
which is part of C Driver for MySQL (Connector/C), is also subject to the
Universal FOSS Exception, version 1.0, a copy of which can be found at
http://oss.oracle.com/licenses/universal-foss-exception.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License, version 2.0, for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#include "vio_priv.h"
#include "my_openssl.h"
#ifdef HAVE_OPENSSL
#define TLS_VERSION_OPTION_SIZE 256
#define SSL_CIPHER_LIST_SIZE 4096
static const char tls_ciphers_list[]="ECDHE-ECDSA-AES128-GCM-SHA256:"
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES128-GCM-SHA256:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-AES128-SHA256:"
"ECDHE-RSA-AES128-SHA256:"
"ECDHE-ECDSA-AES256-SHA384:"
"ECDHE-RSA-AES256-SHA384:"
"DHE-RSA-AES128-GCM-SHA256:"
"DHE-DSS-AES128-GCM-SHA256:"
"DHE-RSA-AES128-SHA256:"
"DHE-DSS-AES128-SHA256:"
"DHE-DSS-AES256-GCM-SHA384:"
"DHE-RSA-AES256-SHA256:"
"DHE-DSS-AES256-SHA256:"
"ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
"ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
"DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:"
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA:DHE-RSA-AES256-SHA:"
"AES128-GCM-SHA256:DH-DSS-AES128-GCM-SHA256:"
"ECDH-ECDSA-AES128-GCM-SHA256:AES256-GCM-SHA384:"
"DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:"
"AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-SHA256:"
"DH-DSS-AES256-SHA256:ECDH-ECDSA-AES256-SHA384:AES128-SHA:"
"DH-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:"
"DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:"
"DH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:DH-RSA-AES256-GCM-SHA384:"
"ECDH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-SHA256:"
"ECDH-RSA-AES128-SHA256:DH-RSA-AES256-SHA256:"
"ECDH-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
"ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
"ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:"
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA:DHE-RSA-AES256-SHA:"
"AES128-SHA:DH-DSS-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:"
"DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DH-RSA-AES128-SHA:"
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
static const char tls_cipher_blocked[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!RC4:!PSK:"
"!DHE-DSS-DES-CBC3-SHA:!DHE-RSA-DES-CBC3-SHA:"
"!ECDH-RSA-DES-CBC3-SHA:!ECDH-ECDSA-DES-CBC3-SHA:"
"!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-ECDSA-DES-CBC3-SHA:";
static my_bool ssl_initialized = FALSE;
/*
Diffie-Hellman key.
Generated using: >openssl dhparam -5 -C 2048
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAil36wGZ2TmH6ysA3V1xtP4MKofXx5n88xq/aiybmGnReZMviCPEJ
46+7VCktl/RZ5iaDH1XNG1dVQmznt9pu2G3usU+k1/VB4bQL4ZgW4u0Wzxh9PyXD
glm99I9Xyj4Z5PVE4MyAsxCRGA1kWQpD9/zKAegUBPLNqSo886Uqg9hmn8ksyU9E
BV5eAEciCuawh6V0O+Sj/C3cSfLhgA0GcXp3OqlmcDu6jS5gWjn3LdP1U0duVxMB
h/neTSCSvtce4CAMYMjKNVh9P1nu+2d9ZH2Od2xhRIqMTfAS1KTqF3VmSWzPFCjG
mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
-----END DH PARAMETERS-----
*/
static unsigned char dh2048_p[]=
{
0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
0xC6, 0xAF, 0xDA, 0x8B, 0x26, 0xE6, 0x1A, 0x74, 0x5E, 0x64, 0xCB, 0xE2,
0x08, 0xF1, 0x09, 0xE3, 0xAF, 0xBB, 0x54, 0x29, 0x2D, 0x97, 0xF4, 0x59,
0xE6, 0x26, 0x83, 0x1F, 0x55, 0xCD, 0x1B, 0x57, 0x55, 0x42, 0x6C, 0xE7,
0xB7, 0xDA, 0x6E, 0xD8, 0x6D, 0xEE, 0xB1, 0x4F, 0xA4, 0xD7, 0xF5, 0x41,
0xE1, 0xB4, 0x0B, 0xE1, 0x98, 0x16, 0xE2, 0xED, 0x16, 0xCF, 0x18, 0x7D,
0x3F, 0x25, 0xC3, 0x82, 0x59, 0xBD, 0xF4, 0x8F, 0x57, 0xCA, 0x3E, 0x19,
0xE4, 0xF5, 0x44, 0xE0, 0xCC, 0x80, 0xB3, 0x10, 0x91, 0x18, 0x0D, 0x64,
0x59, 0x0A, 0x43, 0xF7, 0xFC, 0xCA, 0x01, 0xE8, 0x14, 0x04, 0xF2, 0xCD,
0xA9, 0x2A, 0x3C, 0xF3, 0xA5, 0x2A, 0x83, 0xD8, 0x66, 0x9F, 0xC9, 0x2C,
0xC9, 0x4F, 0x44, 0x05, 0x5E, 0x5E, 0x00, 0x47, 0x22, 0x0A, 0xE6, 0xB0,
0x87, 0xA5, 0x74, 0x3B, 0xE4, 0xA3, 0xFC, 0x2D, 0xDC, 0x49, 0xF2, 0xE1,
0x80, 0x0D, 0x06, 0x71, 0x7A, 0x77, 0x3A, 0xA9, 0x66, 0x70, 0x3B, 0xBA,
0x8D, 0x2E, 0x60, 0x5A, 0x39, 0xF7, 0x2D, 0xD3, 0xF5, 0x53, 0x47, 0x6E,
0x57, 0x13, 0x01, 0x87, 0xF9, 0xDE, 0x4D, 0x20, 0x92, 0xBE, 0xD7, 0x1E,
0xE0, 0x20, 0x0C, 0x60, 0xC8, 0xCA, 0x35, 0x58, 0x7D, 0x3F, 0x59, 0xEE,
0xFB, 0x67, 0x7D, 0x64, 0x7D, 0x8E, 0x77, 0x6C, 0x61, 0x44, 0x8A, 0x8C,
0x4D, 0xF0, 0x12, 0xD4, 0xA4, 0xEA, 0x17, 0x75, 0x66, 0x49, 0x6C, 0xCF,
0x14, 0x28, 0xC6, 0x9A, 0x3C, 0x71, 0xFD, 0xB8, 0x3A, 0x6C, 0xE3, 0xA3,
0xA6, 0x06, 0x5A, 0xA6, 0xF0, 0x7A, 0x00, 0x15, 0xA5, 0x5A, 0x64, 0x66,
0x00, 0x05, 0x85, 0xB7,
};
static unsigned char dh2048_g[]={
0x05,
};
static DH *get_dh2048(void)
{
DH *dh;
if ((dh=DH_new()))
{
BIGNUM *p= BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
BIGNUM *g= BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
if (!p || !g
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|| !DH_set0_pqg(dh, p, NULL, g)
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
) {
/* DH_free() will free 'p' and 'g' at once. */
DH_free(dh);
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
dh->p= p;
dh->g= g;
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
}
return(dh);
}
static void
report_errors()
{
unsigned long l;
const char* file;
const char* data;
int line,flags;
DBUG_ENTER("report_errors");
while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
{
#ifndef NDEBUG /* Avoid warning */
char buf[200];
DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
file,line,(flags & ERR_TXT_STRING) ? data : "")) ;
#endif
}
DBUG_VOID_RETURN;
}
static const char*
ssl_error_string[] =
{
"No error",
"Unable to get certificate",
"Unable to get private key",
"Private key does not match the certificate public key",
"SSL_CTX_set_default_verify_paths failed",
"Failed to set ciphers to use",
"SSL_CTX_new failed",
"SSL context is not usable without certificate and private key",
"SSL_CTX_set_tmp_dh failed",
"TLS version is invalid"
};
const char*
sslGetErrString(enum enum_ssl_init_error e)
{
assert(SSL_INITERR_NOERROR < e && e < SSL_INITERR_LASTERR);
return ssl_error_string[e];
}
static int
vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
enum enum_ssl_init_error* error)
{
DBUG_ENTER("vio_set_cert_stuff");
DBUG_PRINT("enter", ("ctx: 0x%lx cert_file: %s key_file: %s",
(long) ctx, cert_file, key_file));
if (!cert_file && key_file)
cert_file= key_file;
if (!key_file && cert_file)
key_file= cert_file;
if (cert_file &&
SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
{
*error= SSL_INITERR_CERT;
DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
my_message_local(ERROR_LEVEL, "SSL error: %s from '%s'",
sslGetErrString(*error), cert_file);
DBUG_RETURN(1);
}
if (key_file &&
SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
{
*error= SSL_INITERR_KEY;
DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
my_message_local(ERROR_LEVEL, "SSL error: %s from '%s'",
sslGetErrString(*error), key_file);
DBUG_RETURN(1);
}
/*
If we are using DSA, we can copy the parameters from the private key
Now we know that a key and cert have been set against the SSL context
*/
if (cert_file && !SSL_CTX_check_private_key(ctx))
{
*error= SSL_INITERR_NOMATCH;
DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
my_message_local(ERROR_LEVEL, "SSL error: %s", sslGetErrString(*error));
DBUG_RETURN(1);
}
DBUG_RETURN(0);
}
/*
OpenSSL 1.1 supports native platform threads,
so we don't need the following callback functions.
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* OpenSSL specific */
#ifdef HAVE_PSI_INTERFACE
static PSI_rwlock_key key_rwlock_openssl;
static PSI_rwlock_info openssl_rwlocks[]=
{
{ &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0}
};
#endif
typedef struct CRYPTO_dynlock_value
{
mysql_rwlock_t lock;
} openssl_lock_t;
/* Array of locks used by openssl internally for thread synchronization.
The number of locks is equal to CRYPTO_num_locks.
*/
static openssl_lock_t *openssl_stdlocks;
/*OpenSSL callback functions for multithreading. We implement all the functions
as we are using our own locking mechanism.
*/
static void openssl_lock(int mode, openssl_lock_t *lock,
const char *file MY_ATTRIBUTE((unused)),
int line MY_ATTRIBUTE((unused)))
{
int err;
char const *what;
switch (mode) {
case CRYPTO_LOCK|CRYPTO_READ:
what = "read lock";
err= mysql_rwlock_rdlock(&lock->lock);
break;
case CRYPTO_LOCK|CRYPTO_WRITE:
what = "write lock";
err= mysql_rwlock_wrlock(&lock->lock);
break;
case CRYPTO_UNLOCK|CRYPTO_READ:
case CRYPTO_UNLOCK|CRYPTO_WRITE:
what = "unlock";
err= mysql_rwlock_unlock(&lock->lock);
break;
default:
/* Unknown locking mode. */
DBUG_PRINT("error",
("Fatal OpenSSL: %s:%d: interface problem (mode=0x%x)\n",
file, line, mode));
fprintf(stderr, "Fatal: OpenSSL interface problem (mode=0x%x)", mode);
fflush(stderr);
abort();
}
if (err)
{
DBUG_PRINT("error",
("Fatal OpenSSL: %s:%d: can't %s OpenSSL lock\n",
file, line, what));
fprintf(stderr, "Fatal: can't %s OpenSSL lock", what);
fflush(stderr);
abort();
}
}
static void openssl_lock_function(int mode, int n,
const char *file MY_ATTRIBUTE((unused)),
int line MY_ATTRIBUTE((unused)))
{
if (n < 0 || n > CRYPTO_num_locks())
{
/* Lock number out of bounds. */
DBUG_PRINT("error",
("Fatal OpenSSL: %s:%d: interface problem (n = %d)", file, line, n));
fprintf(stderr, "Fatal: OpenSSL interface problem (n = %d)", n);
fflush(stderr);
abort();
}
openssl_lock(mode, &openssl_stdlocks[n], file, line);
}
static openssl_lock_t *openssl_dynlock_create(const char *file
MY_ATTRIBUTE((unused)),
int line MY_ATTRIBUTE((unused)))
{
openssl_lock_t *lock;
DBUG_PRINT("info", ("openssl_dynlock_create: %s:%d", file, line));
lock= (openssl_lock_t*)
my_malloc(PSI_NOT_INSTRUMENTED,sizeof(openssl_lock_t),MYF(0));
#ifdef HAVE_PSI_INTERFACE
mysql_rwlock_init(key_rwlock_openssl, &lock->lock);
#else
mysql_rwlock_init(0, &lock->lock);
#endif
return lock;
}
static void openssl_dynlock_destroy(openssl_lock_t *lock,
const char *file MY_ATTRIBUTE((unused)),
int line MY_ATTRIBUTE((unused)))
{
DBUG_PRINT("info", ("openssl_dynlock_destroy: %s:%d", file, line));
mysql_rwlock_destroy(&lock->lock);
my_free(lock);
}
static unsigned long openssl_id_function()
{
return (unsigned long) my_thread_self();
}
//End of mutlithreading callback functions
static void init_ssl_locks()
{
int i= 0;
#ifdef HAVE_PSI_INTERFACE
const char* category= "sql";
int count= array_elements(openssl_rwlocks);
mysql_rwlock_register(category, openssl_rwlocks, count);
#endif
openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
sizeof(openssl_lock_t));
for (i= 0; i < CRYPTO_num_locks(); ++i)
#ifdef HAVE_PSI_INTERFACE
mysql_rwlock_init(key_rwlock_openssl, &openssl_stdlocks[i].lock);
#else
mysql_rwlock_init(0, &openssl_stdlocks[i].lock);
#endif
}
static void set_lock_callback_functions(my_bool init)
{
CRYPTO_set_locking_callback(init ? openssl_lock_function : NULL);
CRYPTO_set_id_callback(init ? openssl_id_function : NULL);
CRYPTO_set_dynlock_create_callback(init ? openssl_dynlock_create : NULL);
CRYPTO_set_dynlock_destroy_callback(init ? openssl_dynlock_destroy : NULL);
CRYPTO_set_dynlock_lock_callback(init ? openssl_lock : NULL);
}
static void init_lock_callback_functions()
{
set_lock_callback_functions(TRUE);
}
static void deinit_lock_callback_functions()
{
set_lock_callback_functions(FALSE);
}
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
void vio_ssl_end()
{
if (ssl_initialized) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
int i;
ERR_remove_thread_state(0);
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
ERR_free_strings();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
#if OPENSSL_VERSION_NUMBER < 0x10100000L
deinit_lock_callback_functions();
for (i= 0; i < CRYPTO_num_locks(); ++i)
mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
OPENSSL_free(openssl_stdlocks);
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
ssl_initialized= FALSE;
}
}
void ssl_start()
{
if (!ssl_initialized)
{
ssl_initialized= TRUE;
mysql_OPENSSL_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
#if OPENSSL_VERSION_NUMBER < 0x10100000L
init_ssl_locks();
init_lock_callback_functions();
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
}
}
long process_tls_version(const char *tls_version)
{
const char *separator= ",";
char *token, *lasts= NULL;
unsigned int tls_versions_count= 3;
const char *tls_version_name_list[3]= {"TLSv1", "TLSv1.1", "TLSv1.2"};
const char ctx_flag_default[]= "TLSv1,TLSv1.1,TLSv1.2";
const long tls_ctx_list[3]= {SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2};
long tls_ctx_flag= SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2;
unsigned int index= 0;
char tls_version_option[TLS_VERSION_OPTION_SIZE]= "";
int tls_found= 0;
if (!tls_version || !my_strcasecmp(&my_charset_latin1, tls_version, ctx_flag_default))
return 0;
if (strlen(tls_version)-1 > sizeof(tls_version_option))
return -1;
strncpy(tls_version_option, tls_version, sizeof(tls_version_option));
token= my_strtok_r(tls_version_option, separator, &lasts);
while (token)
{
for (index=0; index < tls_versions_count; index++)
{
if (!my_strcasecmp(&my_charset_latin1, tls_version_name_list[index], token))
{
tls_found= 1;
tls_ctx_flag= tls_ctx_flag & (~tls_ctx_list[index]);
break;
}
}
token= my_strtok_r(NULL, separator, &lasts);
}
if (!tls_found)
return -1;
else
return tls_ctx_flag;
}
/************************ VioSSLFd **********************************/
static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, my_bool is_client,
enum enum_ssl_init_error *error,
const char *crl_file, const char *crl_path, const long ssl_ctx_flags)
{
DH *dh;
struct st_VioSSLFd *ssl_fd;
/* MySQL 5.7 supports TLS up to v1.2, explicitly disable TLSv1.3. */
long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
#ifdef HAVE_TLSv13
| SSL_OP_NO_TLSv1_3
#endif /* HAVE_TLSv13 */
;
int ret_set_cipherlist= 0;
char cipher_list[SSL_CIPHER_LIST_SIZE]= {0};
DBUG_ENTER("new_VioSSLFd");
DBUG_PRINT("enter",
("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s' ssl_ctx_flags: '%ld' ",
key_file ? key_file : "NULL",
cert_file ? cert_file : "NULL",
ca_file ? ca_file : "NULL",
ca_path ? ca_path : "NULL",
cipher ? cipher : "NULL",
crl_file ? crl_file : "NULL",
crl_path ? crl_path : "NULL",
ssl_ctx_flags));
if (ssl_ctx_flags < 0)
{
*error= SSL_TLS_VERSION_INVALID;
DBUG_PRINT("error", ("TLS version invalid : %s", sslGetErrString(*error)));
report_errors();
DBUG_RETURN(0);
}
ssl_ctx_options= (ssl_ctx_options | ssl_ctx_flags) &
(SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1
| SSL_OP_NO_TLSv1_2
#ifdef HAVE_TLSv13
| SSL_OP_NO_TLSv1_3
#endif /* HAVE_TLSv13 */
| SSL_OP_NO_TICKET
);
if (!(ssl_fd= ((struct st_VioSSLFd*)
my_malloc(key_memory_vio_ssl_fd,
sizeof(struct st_VioSSLFd),MYF(0)))))
DBUG_RETURN(0);
if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client ?
SSLv23_client_method() :
SSLv23_server_method())))
{
*error= SSL_INITERR_MEMFAIL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
my_free(ssl_fd);
DBUG_RETURN(0);
}
SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
#ifdef HAVE_TLSv13
/*
MySQL 5.7 doesn't support TLSv1.3 - set empty TLSv1.3 ciphersuites.
*/
if (0 == SSL_CTX_set_ciphersuites(ssl_fd->ssl_context, ""))
{
*error = SSL_INITERR_CIPHERS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
#endif /* HAVE_TLSv13 */
/*
We explicitly prohibit weak ciphers.
NOTE: SSL_CTX_set_cipher_list will return 0 if
none of the provided ciphers could be selected
*/
strncpy(cipher_list, tls_cipher_blocked, SSL_CIPHER_LIST_SIZE - 1);
/*
If ciphers are specified explicitly by caller, use them.
Otherwise, fallback to the default list.
In either case, we make sure we stay within the valid bounds.
Note that we have already consumed tls_cipher_blocked
worth of space.
*/
strncat(cipher_list, cipher == 0 ? tls_ciphers_list : cipher,
SSL_CIPHER_LIST_SIZE - strlen(cipher_list) - 1);
if (ret_set_cipherlist == SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher_list))
{
*error= SSL_INITERR_CIPHERS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
/* Load certs from the trusted ca */
if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) <= 0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (ca_file || ca_path)
{
/* fail only if ca file or ca path were supplied and looking into
them fails. */
*error= SSL_INITERR_BAD_PATHS;
DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s",
sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
/* otherwise go use the defaults */
if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{
*error= SSL_INITERR_BAD_PATHS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
}
if (crl_file || crl_path)
{
X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
/* Load crls from the trusted ca */
if (X509_STORE_load_locations(store, crl_file, crl_path) == 0 ||
X509_STORE_set_flags(store,
X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL) == 0)
{
DBUG_PRINT("warning", ("X509_STORE_load_locations for CRL failed"));
*error= SSL_INITERR_BAD_PATHS;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
}
if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
/* Server specific check : Must have certificate and key file */
if (!is_client && !key_file && !cert_file)
{
*error= SSL_INITERR_NO_USABLE_CTX;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
/* DH stuff */
dh= get_dh2048();
if (SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh) == 0)
{
*error= SSL_INITERR_DHFAIL;
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
report_errors();
DH_free(dh);
SSL_CTX_free(ssl_fd->ssl_context);
my_free(ssl_fd);
DBUG_RETURN(0);
}
DH_free(dh);
DBUG_PRINT("exit", ("OK 1"));
DBUG_RETURN(ssl_fd);
}
/************************ VioSSLConnectorFd **********************************/
struct st_VioSSLFd *
new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, enum enum_ssl_init_error* error,
const char *crl_file, const char *crl_path, const long ssl_ctx_flags)
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER;
/*
Turn off verification of servers certificate if both
ca_file and ca_path is set to NULL
*/
if (ca_file == 0 && ca_path == 0)
verify= SSL_VERIFY_NONE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, TRUE, error,
crl_file, crl_path, ssl_ctx_flags)))
{
return 0;
}
/* Init the VioSSLFd as a "connector" ie. the client side */
SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
return ssl_fd;
}
/************************ VioSSLAcceptorFd **********************************/
struct st_VioSSLFd *
new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
const char *ca_file, const char *ca_path,
const char *cipher, enum enum_ssl_init_error* error,
const char *crl_file, const char * crl_path, const long ssl_ctx_flags)
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, FALSE, error,
crl_file, crl_path, ssl_ctx_flags)))
{
return 0;
}
/* Init the the VioSSLFd as a "acceptor" ie. the server side */
/* Set max number of cached sessions, returns the previous size */
SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128);
SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL);
/*
Set session_id - an identifier for this server session
Use the ssl_fd pointer
*/
SSL_CTX_set_session_id_context(ssl_fd->ssl_context,
(const unsigned char *)ssl_fd,
sizeof(ssl_fd));
return ssl_fd;
}
void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd)
{
SSL_CTX_free(fd->ssl_context);
my_free(fd);
}
#endif /* HAVE_OPENSSL */