viossl.c 9.56 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
/* Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
   
   This library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Library General Public
   License as published by the Free Software Foundation; either
   version 2 of the License, or (at your option) any later version.
   
   This library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Library General Public License for more details.
   
   You should have received a copy of the GNU Library General Public
   License along with this library; if not, write to the Free
   Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
   MA 02111-1307, USA */

/*
  Note that we can't have assertion on file descriptors;  The reason for
  this is that during mysql shutdown, another thread can close a file
  we are working on.  In this case we should just return read errors from
  the file descriptior.
*/

unknown's avatar
unknown committed
25
#include <my_global.h>
26 27 28

#ifdef HAVE_OPENSSL

unknown's avatar
unknown committed
29
#include <mysql_com.h>
30 31 32

#include <errno.h>
#include <assert.h>
unknown's avatar
unknown committed
33
#include <violite.h>
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66
#include <my_sys.h>
#include <my_net.h>
#include <m_string.h>
#ifdef HAVE_POLL
#include <sys/poll.h>
#endif
#ifdef HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif

#if defined(__EMX__)
#define ioctlsocket ioctl
#endif	/* defined(__EMX__) */

#if defined(MSDOS) || defined(__WIN__)
#ifdef __WIN__
#undef errno
#undef EINTR
#undef EAGAIN
#define errno WSAGetLastError()
#define EINTR  WSAEINTR
#define EAGAIN WSAEINPROGRESS
#endif /* __WIN__ */
#define O_NONBLOCK 1    /* For emulation of fcntl() */
#endif
#ifndef EWOULDBLOCK
#define EWOULDBLOCK EAGAIN
#endif

#ifndef __WIN__
#define HANDLE void *
#endif

unknown's avatar
unknown committed
67 68 69 70 71 72
static void
report_errors()
{
  unsigned long	l;
  const char*	file;
  const char*	data;
unknown's avatar
unknown committed
73
  int		line,flags, any_ssl_error = 0;
unknown's avatar
unknown committed
74 75 76 77 78
  DBUG_ENTER("report_errors");

  while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
  {
    char buf[200];
unknown's avatar
unknown committed
79
    any_ssl_error = 1;
unknown's avatar
unknown committed
80 81 82
    DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
			 file,line,(flags&ERR_TXT_STRING)?data:"")) ;
  }
unknown's avatar
unknown committed
83 84 85 86
  if (!any_ssl_error) {
    DBUG_PRINT("info", ("No OpenSSL errors."));
  }
  DBUG_PRINT("info", ("BTW, errno=%d", errno));
unknown's avatar
unknown committed
87 88 89 90
  DBUG_VOID_RETURN;
}


unknown's avatar
unknown committed
91
void vio_ssl_delete(Vio * vio)
92 93 94 95 96 97 98 99 100 101 102
{
  /* It must be safe to delete null pointers. */
  /* This matches the semantics of C++'s delete operator. */
  if (vio)
  {
    if (vio->type != VIO_CLOSED)
      vio_close(vio);
    my_free((gptr) vio,MYF(0));
  }
}

unknown's avatar
unknown committed
103
int vio_ssl_errno(Vio *vio __attribute__((unused)))
104 105 106 107 108
{
  return errno;			/* On Win32 this mapped to WSAGetLastError() */
}


unknown's avatar
unknown committed
109
int vio_ssl_read(Vio * vio, gptr buf, int size)
110 111 112
{
  int r;
  DBUG_ENTER("vio_ssl_read");
unknown's avatar
unknown committed
113 114
  DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d, ssl_=%p",
		       vio->sd, buf, size, vio->ssl_));
115

unknown's avatar
unknown committed
116 117 118
#ifndef DBUG_OFF
  errno = 0;
#endif /* DBUG_OFF */
119 120
  r = SSL_read(vio->ssl_, buf, size);
#ifndef DBUG_OFF
121 122 123
  if ( r<= 0) {
    r=SSL_get_error(vio->ssl_, r);
    DBUG_PRINT("info",("SSL_get_error returned %d",r));
124
    report_errors();
125
  }
126 127 128 129 130 131
#endif /* DBUG_OFF */
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
}


unknown's avatar
unknown committed
132
int vio_ssl_write(Vio * vio, const gptr buf, int size)
133 134 135 136
{
  int r;
  DBUG_ENTER("vio_ssl_write");
  DBUG_PRINT("enter", ("sd=%d, buf=%p, size=%d", vio->sd, buf, size));
unknown's avatar
unknown committed
137 138 139 140

#ifndef DBUG_OFF
  errno = 0;
#endif /* DBUG_OFF */
141 142 143 144 145 146 147 148 149 150
  r = SSL_write(vio->ssl_, buf, size);
#ifndef DBUG_OFF
  if (r<0)
    report_errors();
#endif /* DBUG_OFF */
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
}


unknown's avatar
unknown committed
151
int vio_ssl_fastsend(Vio * vio __attribute__((unused)))
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176
{
  int r=0;
  DBUG_ENTER("vio_ssl_fastsend");

#ifdef IPTOS_THROUGHPUT
  {
#ifndef __EMX__
    int tos = IPTOS_THROUGHPUT;
    if (!setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos)))
#endif				/* !__EMX__ */
    {
      int nodelay = 1;
      if (setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void *) &nodelay,
		     sizeof(nodelay))) {
	DBUG_PRINT("warning",
		   ("Couldn't set socket option for fast send"));
	r= -1;
      }
    }
  }
#endif	/* IPTOS_THROUGHPUT */
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
}

unknown's avatar
unknown committed
177
int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive)
178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195
{
  int r=0;
  uint opt = 0;
  DBUG_ENTER("vio_ssl_keepalive");
  DBUG_PRINT("enter", ("sd=%d, set_keep_alive=%d", vio->sd, (int)
		       set_keep_alive));
  if (vio->type != VIO_TYPE_NAMEDPIPE)
  {
    if (set_keep_alive)
      opt = 1;
    r = setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt,
		   sizeof(opt));
  }
  DBUG_RETURN(r);
}


my_bool
unknown's avatar
unknown committed
196
vio_ssl_should_retry(Vio * vio __attribute__((unused)))
197 198 199 200 201 202
{
  int en = errno;
  return en == EAGAIN || en == EINTR || en == EWOULDBLOCK;
}


unknown's avatar
unknown committed
203
int vio_ssl_close(Vio * vio)
204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220
{
  int r;
  DBUG_ENTER("vio_ssl_close");
  r=0;
  if (vio->ssl_)
  {
    r = SSL_shutdown(vio->ssl_);
    SSL_free(vio->ssl_);
    vio->ssl_= 0;
  }
  if (shutdown(vio->sd,2))
    r= -1;
  if (closesocket(vio->sd))
    r= -1;
  if (r)
  {
    DBUG_PRINT("error", ("close() failed, error: %d",errno));
221
    report_errors();
222 223 224 225 226 227 228 229
    /* FIXME: error handling (not critical for MySQL) */
  }
  vio->type= VIO_CLOSED;
  vio->sd=   -1;
  DBUG_RETURN(r);
}


unknown's avatar
unknown committed
230
const char *vio_ssl_description(Vio * vio)
231 232 233 234
{
  return vio->desc;
}

unknown's avatar
unknown committed
235
enum enum_vio_type vio_ssl_type(Vio* vio)
236 237 238 239
{
  return vio->type;
}

unknown's avatar
unknown committed
240
my_socket vio_ssl_fd(Vio* vio)
241 242 243 244 245
{
  return vio->sd;
}


unknown's avatar
unknown committed
246
my_bool vio_ssl_peer_addr(Vio * vio, char *buf)
247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270
{
  DBUG_ENTER("vio_ssl_peer_addr");
  DBUG_PRINT("enter", ("sd=%d", vio->sd));
  if (vio->localhost)
  {
    strmov(buf,"127.0.0.1");
  }
  else
  {
    size_socket addrLen = sizeof(struct sockaddr);
    if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)),
		    &addrLen) != 0)
    {
      DBUG_PRINT("exit", ("getpeername, error: %d", errno));
      DBUG_RETURN(1);
    }
    /* FIXME */
/*    my_inet_ntoa(vio->remote.sin_addr,buf); */
  }
  DBUG_PRINT("exit", ("addr=%s", buf));
  DBUG_RETURN(0);
}


unknown's avatar
unknown committed
271
void vio_ssl_in_addr(Vio *vio, struct in_addr *in)
272 273 274 275 276 277 278 279 280 281 282 283
{
  DBUG_ENTER("vio_ssl_in_addr");
  if (vio->localhost)
    bzero((char*) in, sizeof(*in));	/* This should never be executed */
  else
    *in=vio->remote.sin_addr;
  DBUG_VOID_RETURN;
}


/* Return 0 if there is data to be read */

unknown's avatar
unknown committed
284
my_bool vio_ssl_poll_read(Vio *vio,uint timeout)
285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302
{
#ifndef HAVE_POLL
  return 0;
#else
  struct pollfd fds;
  int res;
  DBUG_ENTER("vio_ssl_poll");
  fds.fd=vio->sd;
  fds.events=POLLIN;
  fds.revents=0;
  if ((res=poll(&fds,1,(int) timeout*1000)) <= 0)
  {
    DBUG_RETURN(res < 0 ? 0 : 1);		/* Don't return 1 on errors */
  }
  DBUG_RETURN(fds.revents & POLLIN ? 0 : 1);
#endif
}

303
void sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
304
{
305
  X509* client_cert;
306
  char *str;
307
  char buf[1024];
308
  DBUG_ENTER("sslaccept");
unknown's avatar
unknown committed
309 310 311 312 313
  DBUG_PRINT("enter", ("sd=%d ptr=%p", vio->sd,ptr));
  vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
  vio->ssl_=0;
  vio->open_=FALSE; 
  if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
314 315 316
  {
    DBUG_PRINT("error", ("SSL_new failure"));
    report_errors();
317
    DBUG_VOID_RETURN;
318
  }
unknown's avatar
unknown committed
319
  DBUG_PRINT("info", ("ssl_=%p",vio->ssl_));
320
  SSL_clear(vio->ssl_);
unknown's avatar
unknown committed
321
  vio_blocking(vio, FALSE);
322
  SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
unknown's avatar
unknown committed
323 324
  SSL_set_fd(vio->ssl_,vio->sd);
  SSL_set_accept_state(vio->ssl_);
325
  SSL_do_handshake(vio->ssl_);
unknown's avatar
unknown committed
326 327 328 329 330
  vio->open_ = TRUE;
#ifndef DBUF_OFF
  DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
		     ,SSL_get_cipher_name(vio->ssl_)));
  client_cert = SSL_get_peer_certificate (vio->ssl_);
331 332 333 334 335 336 337 338 339 340 341 342 343
  if (client_cert != NULL) {
    DBUG_PRINT("info",("Client certificate:"));
    str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
    DBUG_PRINT("info",("\t subject: %s", str));
    free (str);

    str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0);
    DBUG_PRINT("info",("\t issuer: %s", str));
    free (str);

    X509_free (client_cert);
  } else
    DBUG_PRINT("info",("Client does not have certificate."));
344 345 346 347 348 349 350 351 352 353 354
  
  str=SSL_get_shared_ciphers(vio->ssl_, buf, sizeof(buf));
  if(str)
  {
    DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str));
  }
  else
  {
    DBUG_PRINT("info",("no shared ciphers!"));
  }

unknown's avatar
unknown committed
355
#endif
356
  DBUG_VOID_RETURN;
357 358
}

359
void sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
360
{
361 362
  char *str;
  X509*    server_cert;
363
  DBUG_ENTER("sslconnect");
unknown's avatar
unknown committed
364 365
  DBUG_PRINT("enter", ("sd=%d ptr=%p ctx: %p", vio->sd,ptr,ptr->ssl_context_));
  vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE);
366

unknown's avatar
unknown committed
367 368 369
  vio->ssl_=0;
  vio->open_=FALSE; 
  if (!(vio->ssl_ = SSL_new(ptr->ssl_context_)))
370 371 372
  {
    DBUG_PRINT("error", ("SSL_new failure"));
    report_errors();
373
    DBUG_VOID_RETURN;
374
  }
375 376
  DBUG_PRINT("info",("ssl_=%p",vio->ssl_));
  SSL_clear(vio->ssl_);
unknown's avatar
unknown committed
377
  vio_blocking(vio, FALSE);
378
  SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
unknown's avatar
unknown committed
379 380
  SSL_set_fd (vio->ssl_, vio->sd);
  SSL_set_connect_state(vio->ssl_);
381
  SSL_do_handshake(vio->ssl_);
unknown's avatar
unknown committed
382 383 384 385 386
  vio->open_ = TRUE;
#ifndef DBUG_OFF
  DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'"
		     ,SSL_get_cipher_name(vio->ssl_)));
  server_cert = SSL_get_peer_certificate (vio->ssl_);
387 388 389 390 391 392 393
  if (server_cert != NULL) {
    DBUG_PRINT("info",("Server certificate:"));
    str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0);
    DBUG_PRINT("info",("\t subject: %s", str));
    free (str);

    str = X509_NAME_oneline (X509_get_issuer_name  (server_cert), 0, 0);
unknown's avatar
unknown committed
394
    DBUG_PRINT("info",("\t issuer: %s", str));
395 396 397 398 399
    free (str);

    /* We could do all sorts of certificate verification stuff here before
     *        deallocating the certificate. */

unknown's avatar
unknown committed
400
    X509_free (server_cert);
401 402
  } else
    DBUG_PRINT("info",("Server does not have certificate."));
unknown's avatar
unknown committed
403
#endif
404
  DBUG_VOID_RETURN;
405 406 407
}

#endif /* HAVE_OPENSSL */