MySQL 5.6.14 Source Code Document
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros Groups Pages
viossl.c
1 /* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License as published by
5  the Free Software Foundation; version 2 of the License.
6 
7  This program is distributed in the hope that it will be useful,
8  but WITHOUT ANY WARRANTY; without even the implied warranty of
9  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  GNU General Public License for more details.
11 
12  You should have received a copy of the GNU General Public License
13  along with this program; if not, write to the Free Software
14  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
15 
16 /*
17  Note that we can't have assertion on file descriptors; The reason for
18  this is that during mysql shutdown, another thread can close a file
19  we are working on. In this case we should just return read errors from
20  the file descriptior.
21 */
22 
23 #include "vio_priv.h"
24 
25 #ifdef HAVE_OPENSSL
26 
27 #ifndef DBUG_OFF
28 
29 static void
30 report_errors(SSL* ssl)
31 {
32  unsigned long l;
33  const char *file;
34  const char *data;
35  int line, flags;
36  char buf[512];
37 
38  DBUG_ENTER("report_errors");
39 
40  while ((l= ERR_get_error_line_data(&file,&line,&data,&flags)))
41  {
42  DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf),
43  file,line,(flags&ERR_TXT_STRING)?data:"")) ;
44  }
45 
46  if (ssl)
47  DBUG_PRINT("error", ("error: %s",
48  ERR_error_string(SSL_get_error(ssl, l), buf)));
49 
50  DBUG_PRINT("info", ("socket_errno: %d", socket_errno));
51  DBUG_VOID_RETURN;
52 }
53 
54 #endif
55 
56 
63 static void ssl_set_sys_error(int ssl_error)
64 {
65  int error= 0;
66 
67  switch (ssl_error)
68  {
69  case SSL_ERROR_ZERO_RETURN:
70  error= SOCKET_ECONNRESET;
71  break;
72  case SSL_ERROR_WANT_READ:
73  case SSL_ERROR_WANT_WRITE:
74 #ifdef SSL_ERROR_WANT_CONNECT
75  case SSL_ERROR_WANT_CONNECT:
76 #endif
77 #ifdef SSL_ERROR_WANT_ACCEPT
78  case SSL_ERROR_WANT_ACCEPT:
79 #endif
80  error= SOCKET_EWOULDBLOCK;
81  break;
82  case SSL_ERROR_SSL:
83  /* Protocol error. */
84 #ifdef EPROTO
85  error= EPROTO;
86 #else
87  error= SOCKET_ECONNRESET;
88 #endif
89  break;
90  case SSL_ERROR_SYSCALL:
91  case SSL_ERROR_NONE:
92  default:
93  break;
94  };
95 
96  /* Set error status to a equivalent of the SSL error. */
97  if (error)
98  {
99 #ifdef _WIN32
100  WSASetLastError(error);
101 #else
102  errno= error;
103 #endif
104  }
105 }
106 
107 
124 static my_bool ssl_should_retry(Vio *vio, int ret,
125  enum enum_vio_io_event *event,
126  unsigned long *ssl_errno_holder)
127 {
128  int ssl_error;
129  SSL *ssl= vio->ssl_arg;
130  my_bool should_retry= TRUE;
131 
132  /* Retrieve the result for the SSL I/O operation. */
133  ssl_error= SSL_get_error(ssl, ret);
134 
135  /* Retrieve the result for the SSL I/O operation. */
136  switch (ssl_error)
137  {
138  case SSL_ERROR_WANT_READ:
139  *event= VIO_IO_EVENT_READ;
140  break;
141  case SSL_ERROR_WANT_WRITE:
142  *event= VIO_IO_EVENT_WRITE;
143  break;
144  default:
145 #ifndef DBUG_OFF /* Debug build */
146  /* Note: the OpenSSL error queue gets cleared in report_errors(). */
147  report_errors(ssl);
148 #else /* Release build */
149 # ifndef HAVE_YASSL
150  /* OpenSSL: clear the error queue. */
151  ERR_clear_error();
152 # endif
153 #endif
154  should_retry= FALSE;
155  ssl_set_sys_error(ssl_error);
156  break;
157  }
158 
159  *ssl_errno_holder= ssl_error;
160 
161  return should_retry;
162 }
163 
164 
165 size_t vio_ssl_read(Vio *vio, uchar *buf, size_t size)
166 {
167  int ret;
168  SSL *ssl= vio->ssl_arg;
169  unsigned long ssl_errno_not_used;
170 
171  DBUG_ENTER("vio_ssl_read");
172 
173  while (1)
174  {
175  enum enum_vio_io_event event;
176 
177 #ifndef HAVE_YASSL
178  /*
179  OpenSSL: check that the SSL thread's error queue is cleared. Otherwise
180  SSL_read() returns an error from the error queue, when SSL_read() failed
181  because it would block.
182  */
183  DBUG_ASSERT(ERR_peek_error() == 0);
184 #endif
185 
186  ret= SSL_read(ssl, buf, size);
187 
188  if (ret >= 0)
189  break;
190 
191  /* Process the SSL I/O error. */
192  if (!ssl_should_retry(vio, ret, &event, &ssl_errno_not_used))
193  break;
194 
195  /* Attempt to wait for an I/O event. */
196  if (vio_socket_io_wait(vio, event))
197  break;
198  }
199 
200  DBUG_RETURN(ret < 0 ? -1 : ret);
201 }
202 
203 
204 size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size)
205 {
206  int ret;
207  SSL *ssl= vio->ssl_arg;
208  unsigned long ssl_errno_not_used;
209 
210  DBUG_ENTER("vio_ssl_write");
211 
212  while (1)
213  {
214  enum enum_vio_io_event event;
215 
216 #ifndef HAVE_YASSL
217  /*
218  OpenSSL: check that the SSL thread's error queue is cleared. Otherwise
219  SSL_write() returns an error from the error queue, when SSL_write() failed
220  because it would block.
221  */
222  DBUG_ASSERT(ERR_peek_error() == 0);
223 #endif
224 
225  ret= SSL_write(ssl, buf, size);
226 
227  if (ret >= 0)
228  break;
229 
230  /* Process the SSL I/O error. */
231  if (!ssl_should_retry(vio, ret, &event, &ssl_errno_not_used))
232  break;
233 
234  /* Attempt to wait for an I/O event. */
235  if (vio_socket_io_wait(vio, event))
236  break;
237  }
238 
239  DBUG_RETURN(ret < 0 ? -1 : ret);
240 }
241 
242 #ifdef HAVE_YASSL
243 
244 /* Emulate a blocking recv() call with vio_read(). */
245 static long yassl_recv(void *ptr, void *buf, size_t len)
246 {
247  return vio_read(ptr, buf, len);
248 }
249 
250 
251 /* Emulate a blocking send() call with vio_write(). */
252 static long yassl_send(void *ptr, const void *buf, size_t len)
253 {
254  return vio_write(ptr, buf, len);
255 }
256 
257 #endif
258 
259 int vio_ssl_shutdown(Vio *vio)
260 {
261  int r= 0;
262  SSL *ssl= (SSL*)vio->ssl_arg;
263  DBUG_ENTER("vio_ssl_shutdown");
264 
265  if (ssl)
266  {
267  /*
268  THE SSL standard says that SSL sockets must send and receive a close_notify
269  alert on socket shutdown to avoid truncation attacks. However, this can
270  cause problems since we often hold a lock during shutdown and this IO can
271  take an unbounded amount of time to complete. Since our packets are self
272  describing with length, we aren't vunerable to these attacks. Therefore,
273  we just shutdown by closing the socket (quiet shutdown).
274  */
275  SSL_set_quiet_shutdown(ssl, 1);
276 
277  switch ((r= SSL_shutdown(ssl))) {
278  case 1:
279  /* Shutdown successful */
280  break;
281  case 0:
282  /*
283  Shutdown not yet finished - since the socket is going to
284  be closed there is no need to call SSL_shutdown() a second
285  time to wait for the other side to respond
286  */
287  break;
288  default: /* Shutdown failed */
289  DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d",
290  SSL_get_error(ssl, r)));
291  break;
292  }
293  }
294  DBUG_RETURN(vio_shutdown(vio));
295 }
296 
297 
298 void vio_ssl_delete(Vio *vio)
299 {
300  if (!vio)
301  return; /* It must be safe to delete null pointer */
302 
303  if (vio->inactive == FALSE)
304  vio_ssl_shutdown(vio); /* Still open, close connection first */
305 
306  if (vio->ssl_arg)
307  {
308  SSL_free((SSL*) vio->ssl_arg);
309  vio->ssl_arg= 0;
310  }
311 
312  vio_delete(vio);
313 }
314 
315 
317 typedef int (*ssl_handshake_func_t)(SSL*);
318 
319 
331 static int ssl_handshake_loop(Vio *vio, SSL *ssl,
332  ssl_handshake_func_t func,
333  unsigned long *ssl_errno_holder)
334 {
335  int ret;
336 
337  vio->ssl_arg= ssl;
338 
339  /* Initiate the SSL handshake. */
340  while (1)
341  {
342  enum enum_vio_io_event event;
343 
344 #ifndef HAVE_YASSL
345  /*
346  OpenSSL: check that the SSL thread's error queue is cleared. Otherwise
347  SSL-handshake-function returns an error from the error queue, when the
348  function failed because it would block.
349  */
350  DBUG_ASSERT(ERR_peek_error() == 0);
351 #endif
352 
353  ret= func(ssl);
354 
355  if (ret >= 1)
356  break;
357 
358  /* Process the SSL I/O error. */
359  if (!ssl_should_retry(vio, ret, &event, ssl_errno_holder))
360  break;
361 
362  /* Wait for I/O so that the handshake can proceed. */
363  if (vio_socket_io_wait(vio, event))
364  break;
365  }
366 
367  vio->ssl_arg= NULL;
368 
369  return ret;
370 }
371 
372 
373 static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
374  ssl_handshake_func_t func,
375  unsigned long *ssl_errno_holder)
376 {
377  int r;
378  SSL *ssl;
379  my_socket sd= mysql_socket_getfd(vio->mysql_socket);
380  DBUG_ENTER("ssl_do");
381  DBUG_PRINT("enter", ("ptr: 0x%lx, sd: %d ctx: 0x%lx",
382  (long) ptr, sd, (long) ptr->ssl_context));
383 
384  if (!(ssl= SSL_new(ptr->ssl_context)))
385  {
386  DBUG_PRINT("error", ("SSL_new failure"));
387  *ssl_errno_holder= ERR_get_error();
388  DBUG_RETURN(1);
389  }
390  DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout));
391  SSL_clear(ssl);
392  SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
393  SSL_set_fd(ssl, sd);
394 #ifndef HAVE_YASSL
395  SSL_set_options(ssl, SSL_OP_NO_COMPRESSION);
396 #endif
397 
398  /*
399  Since yaSSL does not support non-blocking send operations, use
400  special transport functions that properly handles non-blocking
401  sockets. These functions emulate the behavior of blocking I/O
402  operations by waiting for I/O to become available.
403  */
404 #ifdef HAVE_YASSL
405  /* Set first argument of the transport functions. */
406  yaSSL_transport_set_ptr(ssl, vio);
407  /* Set functions to use in order to send and receive data. */
408  yaSSL_transport_set_recv_function(ssl, yassl_recv);
409  yaSSL_transport_set_send_function(ssl, yassl_send);
410 #endif
411 
412  if ((r= ssl_handshake_loop(vio, ssl, func, ssl_errno_holder)) < 1)
413  {
414  DBUG_PRINT("error", ("SSL_connect/accept failure"));
415  SSL_free(ssl);
416  DBUG_RETURN(1);
417  }
418 
419  /*
420  Connection succeeded. Install new function handlers,
421  change type, set sd to the fd used when connecting
422  and set pointer to the SSL structure
423  */
424  if (vio_reset(vio, VIO_TYPE_SSL, SSL_get_fd(ssl), ssl, 0))
425  DBUG_RETURN(1);
426 
427 #ifndef DBUG_OFF
428  {
429  /* Print some info about the peer */
430  X509 *cert;
431  char buf[512];
432 
433  DBUG_PRINT("info",("SSL connection succeeded"));
434  DBUG_PRINT("info",("Using cipher: '%s'" , SSL_get_cipher_name(ssl)));
435 
436  if ((cert= SSL_get_peer_certificate (ssl)))
437  {
438  DBUG_PRINT("info",("Peer certificate:"));
439  X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
440  DBUG_PRINT("info",("\t subject: '%s'", buf));
441  X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
442  DBUG_PRINT("info",("\t issuer: '%s'", buf));
443  X509_free(cert);
444  }
445  else
446  DBUG_PRINT("info",("Peer does not have certificate."));
447 
448  if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf)))
449  {
450  DBUG_PRINT("info",("shared_ciphers: '%s'", buf));
451  }
452  else
453  DBUG_PRINT("info",("no shared ciphers!"));
454  }
455 #endif
456 
457  DBUG_RETURN(0);
458 }
459 
460 
461 int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
462  unsigned long *ssl_errno_holder)
463 {
464  DBUG_ENTER("sslaccept");
465  DBUG_RETURN(ssl_do(ptr, vio, timeout, SSL_accept, ssl_errno_holder));
466 }
467 
468 
469 int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
470  unsigned long *ssl_errno_holder)
471 {
472  DBUG_ENTER("sslconnect");
473  DBUG_RETURN(ssl_do(ptr, vio, timeout, SSL_connect, ssl_errno_holder));
474 }
475 
476 
477 my_bool vio_ssl_has_data(Vio *vio)
478 {
479  return SSL_pending(vio->ssl_arg) > 0 ? TRUE : FALSE;
480 }
481 
482 #endif /* HAVE_OPENSSL */