Load CA certs before setting local certs.

Make it possible to get the yaSSL error message printed in the DBUG log file. vio/viossl.c: Add possibility to print out the error from yaSSL. vio/viosslfactories.c: Load the CA certs before loading the certs for this client or server. Improved comments.

Load CA certs before setting local certs.
Make it possible to get the yaSSL error message printed in the DBUG log file. vio/viossl.c: Add possibility to print out the error from yaSSL. vio/viosslfactories.c: Load the CA certs before loading the certs for this client or server. Improved comments.
e5b7c41d · unknown · a524c8eb · e5b7c41d · e5b7c41d
Commit e5b7c41d authored May 03, 2006 by unknown
Show whitespace changes
Inline Side-by-side

Showing with 29 additions and 18 deletions

vio/viossl.c vio/viossl.c +18 -8

vio/viosslfactories.c vio/viosslfactories.c +11 -10

No files found.
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd)


 static void
-report_errors()
+report_errors(SSL* ssl)
 {
  unsigned long	l;
  const char *file;
  const char *data;
  int line,flags;
+  char buf[512];
+
  DBUG_ENTER("report_errors");

  while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
  {
-    char buf[512];
    DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
 			 file,line,(flags&ERR_TXT_STRING)?data:"")) ;
  }
+
+#ifdef HAVE_YASSL
+  /*
+    The above calls to ERR_* doesn't return any messages when we
+    are using yaSSL since error is stored in the SSL object we used.
+  */
+  if (ssl)
+    DBUG_PRINT("error", ("yaSSL: %s", ERR_error_string(SSL_get_error(ssl, l), buf)));
+#endif
  DBUG_PRINT("info", ("errno: %d", socket_errno));
  DBUG_VOID_RETURN;
 }
@@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size)
  {
    int err= SSL_get_error((SSL*) vio->ssl_arg, r);
    DBUG_PRINT("error",("SSL_read(): %d  SSL_get_error(): %d", r, err));
-    report_errors();
+    report_errors((SSL*) vio->ssl_arg);
  }
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
@@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size)
  DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size));

  if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0)
-    report_errors();
+    report_errors((SSL*) vio->ssl_arg);
  DBUG_PRINT("exit", ("%d", r));
  DBUG_RETURN(r);
 }
@@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
  if (!(ssl= SSL_new(ptr->ssl_context)))
  {
    DBUG_PRINT("error", ("SSL_new failure"));
-    report_errors();
+    report_errors(ssl);
    vio_reset(vio, old_type,vio->sd,0,FALSE);
    vio_blocking(vio, net_blocking, &unused);
    DBUG_RETURN(1);
@@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
  if (SSL_do_handshake(ssl) < 1)
  {
    DBUG_PRINT("error", ("SSL_do_handshake failure"));
-    report_errors();
+    report_errors(ssl);
    SSL_free(ssl);
    vio->ssl_arg= 0;
    vio_reset(vio, old_type,vio->sd,0,FALSE);
@@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
  if (!(ssl= SSL_new(ptr->ssl_context)))
  {
    DBUG_PRINT("error", ("SSL_new failure"));
-    report_errors();
+    report_errors(ssl);
    vio_reset(vio, old_type, vio->sd, 0, FALSE);
    vio_blocking(vio, net_blocking, &unused);
    DBUG_RETURN(1);
@@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
  if (SSL_do_handshake(ssl) < 1)
  {
    DBUG_PRINT("error", ("SSL_do_handshake failure"));
-    report_errors();
+    report_errors(ssl);
    SSL_free(ssl);
    vio->ssl_arg= 0;
    vio_reset(vio, old_type, vio->sd, 0, FALSE);

--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
      /* FIX stderr */
      fprintf(stderr,"Error when connection to server using SSL:");
      ERR_print_errors_fp(stderr);
-      fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);
+      fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
      fflush(stderr);
      DBUG_RETURN(1);
    }
@@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
    DBUG_RETURN(0);
  }

-  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
-  {
-    DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
-    report_errors();
-    my_free((void*)ssl_fd,MYF(0));
-    DBUG_RETURN(0);
-  }
-
+  /* Load certs from the trusted ca */
  if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
  {
    DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
@@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
    }
  }

+  if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file))
+  {
+    DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
+    report_errors();
+    my_free((void*)ssl_fd,MYF(0));
+    DBUG_RETURN(0);
+  }
+
  /* DH stuff */
  dh=get_dh512();
  SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
@@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
    return 0;
  }

-  /* Init the the VioSSLFd as a "connector" ie. the client side */
+  /* Init the VioSSLFd as a "connector" ie. the client side */

  /*
    The verify_callback function is used to control the behaviour