diff options
Diffstat (limited to 'vio/VioSSLFactoriesFd.cc')
| -rw-r--r-- | vio/VioSSLFactoriesFd.cc | 360 |
1 files changed, 0 insertions, 360 deletions
diff --git a/vio/VioSSLFactoriesFd.cc b/vio/VioSSLFactoriesFd.cc deleted file mode 100644 index bd64202770a..00000000000 --- a/vio/VioSSLFactoriesFd.cc +++ /dev/null @@ -1,360 +0,0 @@ -/* -** Virtual I/O library -** Written by Andrei Errapart <andreie@no.spam.ee> -*/ - -#include "vio-global.h" - -#ifdef VIO_HAVE_OPENSSL - -#ifdef __GNUC__ -#pragma implementation // gcc: Class implementation -#endif - -#include <netinet/in.h> -#include <openssl/x509.h> -#include <openssl/ssl.h> -#include <openssl/err.h> -#include <openssl/pem.h> -#include <openssl/asn1.h> - -VIO_NS_BEGIN - -#define this_ssl_method my_static_cast(SSL_METHOD*)(this->ssl_method_) -#define this_ssl_context my_static_cast(SSL_CTX*)(this->ssl_context_) -typedef unsigned char* ssl_data_ptr_t; - -static bool ssl_algorithms_added = FALSE; -static bool ssl_error_strings_loaded= FALSE; -static int verify_depth = 0; -static int verify_error = X509_V_OK; - -static int -vio_verify_callback(int ok, X509_STORE_CTX *ctx) -{ - DBUG_ENTER("vio_verify_callback"); - DBUG_PRINT("enter", ("ok=%d, ctx=%p", ok, ctx)); - char buf[256]; - X509* err_cert; - int err,depth; - - err_cert=X509_STORE_CTX_get_current_cert(ctx); - err= X509_STORE_CTX_get_error(ctx); - depth= X509_STORE_CTX_get_error_depth(ctx); - - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buff)); - if (!ok) - { - DBUG_PRINT("error",("verify error:num=%d:%s\n",err, - X509_verify_cert_error_string(err))); - if (verify_depth >= depth) - { - ok=1; - verify_error=X509_V_OK; - } - else - { - ok=0; - verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; - } - } - switch (ctx->error) { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); - DBUG_PRINT("info",("issuer= %s\n",buf)); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - DBUG_PRINT("error", ("notBefore")); - //ASN1_TIME_print_fp(stderr,X509_get_notBefore(ctx->current_cert)); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - DBUG_PRINT("error", ("notAfter error")); - //ASN1_TIME_print_fp(stderr,X509_get_notAfter(ctx->current_cert)); - break; - } - DBUG_PRINT("exit", ("r=%d", ok)); - DBUG_RETURN(ok); -} - - -static int -vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) -{ - DBUG_ENTER("vio_set_cert_stuff"); - DBUG_PRINT("enter", ("ctx=%p, cert_file=%p, key_file=%p", - ctx, cert_file, key_file)); - if (cert_file != NULL) - { - if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0) - { - DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file)); - /* FIX stderr */ - ERR_print_errors_fp(stderr); - DBUG_RETURN(0); - } - if (key_file == NULL) - key_file = cert_file; - if (SSL_CTX_use_PrivateKey_file(ctx,key_file, - SSL_FILETYPE_PEM) <= 0) - { - DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file)); - /* FIX stderr */ - ERR_print_errors_fp(stderr); - DBUG_RETURN(0); - } - - /* If we are using DSA, we can copy the parameters from - * the private key */ - /* Now we know that a key and cert have been set against - * the SSL context */ - if (!SSL_CTX_check_private_key(ctx)) - { - DBUG_PRINT("error", ("Private key does not match the certificate public key\n")); - DBUG_RETURN(0); - } - } - DBUG_RETURN(1); -} - -/************************ VioSSLConnectorFd **********************************/ -VioSSLConnectorFd::VioSSLConnectorFd(const char* key_file, - const char* cert_file, - const char* ca_file, - const char* ca_path) -:ssl_context_(0),ssl_method_(0) -{ - DBUG_ENTER("VioSSLConnectorFd::VioSSLConnectorFd"); - DBUG_PRINT("enter", - ("this=%p, key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s", - this, key_file, cert_file, ca_path, ca_file)); - - /* FIXME: constants! */ - int verify = SSL_VERIFY_PEER; - - if (!ssl_algorithms_added) - { - DBUG_PRINT("info", ("todo: SSLeay_add_ssl_algorithms()")); - ssl_algorithms_added = true; - SSLeay_add_ssl_algorithms(); - } - if (!ssl_error_strings_loaded) - { - DBUG_PRINT("info", ("todo:SSL_load_error_strings()")); - ssl_error_strings_loaded = true; - SSL_load_error_strings(); - } - ssl_method_ = SSLv3_client_method(); - ssl_context_ = SSL_CTX_new(this_ssl_method); - if (ssl_context_ == 0) - { - DBUG_PRINT("error", ("SSL_CTX_new failed")); - report_errors(); - goto ctor_failure; - } - /* - * SSL_CTX_set_options - * SSL_CTX_set_info_callback - * SSL_CTX_set_cipher_list - */ - SSL_CTX_set_verify(this_ssl_context, verify, vio_verify_callback); - if (vio_set_cert_stuff(this_ssl_context, cert_file, key_file) == -1) - { - DBUG_PRINT("error", ("vio_set_cert_stuff failed")); - report_errors(); - goto ctor_failure; - } - if (SSL_CTX_load_verify_locations( this_ssl_context, ca_file,ca_path)==0) - { - DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); - if (SSL_CTX_set_default_verify_paths(this_ssl_context)==0) - { - DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); - report_errors(); - goto ctor_failure; - } - } - DBUG_VOID_RETURN; -ctor_failure: - DBUG_PRINT("exit", ("there was an error")); - DBUG_VOID_RETURN; -} - -VioSSLConnectorFd::~VioSSLConnectorFd() -{ - DBUG_ENTER("VioSSLConnectorFd::~VioSSLConnectorFd"); - DBUG_PRINT("enter", ("this=%p", this)); - if (ssl_context_!=0) - SSL_CTX_free(this_ssl_context); - DBUG_VOID_RETURN; -} - -VioSSL* VioSSLConnectorFd::connect( int fd) -{ - DBUG_ENTER("VioSSLConnectorFd::connect"); - DBUG_PRINT("enter", ("this=%p, fd=%d", this, fd)); - DBUG_RETURN(new VioSSL(fd, ssl_context_, VioSSL::state_connect)); -} - -VioSSL* -VioSSLConnectorFd::connect( VioSocket* sd) -{ - DBUG_ENTER("VioSSLConnectorFd::connect"); - DBUG_PRINT("enter", ("this=%p, sd=%s", this, sd->description())); - DBUG_RETURN(new VioSSL(sd, ssl_context_, VioSSL::state_connect)); -} - -void -VioSSLConnectorFd::report_errors() -{ - unsigned long l; - const char* file; - const char* data; - int line,flags; - - DBUG_ENTER("VioSSLConnectorFd::report_errors"); - DBUG_PRINT("enter", ("this=%p", this)); - - while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0) - { - char buf[200]; - DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), - file,line,(flags&ERR_TXT_STRING)?data:"")) ; - } - DBUG_VOID_RETURN; -} - -/************************ VioSSLAcceptorFd **********************************/ - -VioSSLAcceptorFd::VioSSLAcceptorFd(const char* key_file, - const char* cert_file, - const char* ca_file, - const char* ca_path) - :ssl_context_(0), ssl_method_(0) -{ - DBUG_ENTER("VioSSLAcceptorFd::VioSSLAcceptorFd"); - DBUG_PRINT("enter", - ("this=%p, key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s", - this, key_file, cert_file, ca_path, ca_file)); - - /* FIXME: constants! */ - int verify = (SSL_VERIFY_PEER | - SSL_VERIFY_FAIL_IF_NO_PEER_CERT | - SSL_VERIFY_CLIENT_ONCE); - session_id_context_ = static_cast<vio_ptr>(this); - - if (!ssl_algorithms_added) - { - DBUG_PRINT("info", ("todo: SSLeay_add_ssl_algorithms()")); - ssl_algorithms_added = true; - SSLeay_add_ssl_algorithms(); - } - if (!ssl_error_strings_loaded) - { - DBUG_PRINT("info", ("todo: SSL_load_error_strings()")); - ssl_error_strings_loaded = true; - SSL_load_error_strings(); - } - ssl_method_ = SSLv3_server_method(); - ssl_context_ = SSL_CTX_new(this_ssl_method); - if (ssl_context_==0) - { - DBUG_PRINT("error", ("SSL_CTX_new failed")); - report_errors(); - goto ctor_failure; - } - /* - * SSL_CTX_set_quiet_shutdown(ctx,1); - * - */ - SSL_CTX_sess_set_cache_size(this_ssl_context,128); - - /* DH? - */ - SSL_CTX_set_verify(this_ssl_context, verify, vio_verify_callback); - /* - * Double cast needed at least for egcs-1.1.2 to - * supress warnings: - * 1) ANSI C++ blaah implicit cast from 'void*' to 'unsigned char*' - * 2) static_cast from 'void**' to 'unsigned char*' - * Wish I had a copy of standard handy... - */ - SSL_CTX_set_session_id_context(this_ssl_context, - my_static_cast(ssl_data_ptr_t) - (my_static_cast(void*)(&session_id_context_)), - sizeof(session_id_context_)); - - /* - * SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); - */ - if (vio_set_cert_stuff(this_ssl_context, cert_file, key_file) == -1) - { - DBUG_PRINT("error", ("vio_set_cert_stuff failed")); - report_errors(); - goto ctor_failure; - } - if (SSL_CTX_load_verify_locations( this_ssl_context, ca_file, ca_path)==0) - { - DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); - if (SSL_CTX_set_default_verify_paths(this_ssl_context)==0) - { - DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); - report_errors(); - goto ctor_failure; - } - } - DBUG_VOID_RETURN; -ctor_failure: - DBUG_PRINT("exit", ("there was an error")); - DBUG_VOID_RETURN; -} - -VioSSLAcceptorFd::~VioSSLAcceptorFd() -{ - DBUG_ENTER("VioSSLAcceptorFd::~VioSSLAcceptorFd"); - DBUG_PRINT("enter", ("this=%p", this)); - if (ssl_context_!=0) - SSL_CTX_free(this_ssl_context); - DBUG_VOID_RETURN; -} - -VioSSL* -VioSSLAcceptorFd::accept(int fd) -{ - DBUG_ENTER("VioSSLAcceptorFd::accept"); - DBUG_PRINT("enter", ("this=%p, fd=%d", this, fd)); - DBUG_RETURN(new VioSSL(fd, ssl_context_, VioSSL::state_accept)); -} - -VioSSL* -VioSSLAcceptorFd::accept(VioSocket* sd) -{ - DBUG_ENTER("VioSSLAcceptorFd::accept"); - DBUG_PRINT("enter", ("this=%p, sd=%s", this, sd->description())); - DBUG_RETURN(new VioSSL(sd, ssl_context_, VioSSL::state_accept)); -} - -void -VioSSLAcceptorFd::report_errors() -{ - unsigned long l; - const char* file; - const char* data; - int line,flags; - - DBUG_ENTER("VioSSLConnectorFd::report_errors"); - DBUG_PRINT("enter", ("this=%p", this)); - - while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0) - { - char buf[200]; - DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), - file,line,(flags&ERR_TXT_STRING)?data:"")) ; - } - DBUG_VOID_RETURN; -} - -VIO_NS_END - -#endif /* VIO_HAVE_OPENSSL */ |