diff --git a/server/core/config.cc b/server/core/config.cc index d0f00be7d..11f44d10c 100644 --- a/server/core/config.cc +++ b/server/core/config.cc @@ -2856,29 +2856,12 @@ bool config_can_modify_at_runtime(const char* name) return static_params.count(name); } -/** - * Free an SSL structure - * - * @param ssl SSL structure to free - */ -static void free_ssl_structure(mxs::SSLContext* ssl) -{ - if (ssl) - { - SSL_CTX_free(ssl->ctx); - MXS_FREE(ssl->ssl_key); - MXS_FREE(ssl->ssl_cert); - MXS_FREE(ssl->ssl_ca_cert); - MXS_FREE(ssl); - } -} - bool config_create_ssl(const char* name, const MXS_CONFIG_PARAMETER& params, bool require_cert, mxs::SSLContext** dest) { - mxs::SSLContext* ssl = NULL; + bool ok = true; // The enum values convert to bool int value = params.get_enum(CN_SSL, ssl_values); 
@@ -2886,71 +2869,43 @@ bool config_create_ssl(const char* name, if (value) { - bool error = false; - string ssl_cert = params.get_string(CN_SSL_CERT); - string ssl_key = params.get_string(CN_SSL_KEY); - string ssl_ca_cert = params.get_string(CN_SSL_CA_CERT); - - if (ssl_ca_cert.empty()) + if (!params.contains(CN_SSL_CA_CERT)) { MXS_ERROR("CA Certificate missing for '%s'." "Please provide the path to the certificate authority " "certificate by adding the ssl_ca_cert= parameter", name); - error = true; + ok = false; } if (require_cert) { - if (ssl_cert.empty()) + if (!params.contains(CN_SSL_CERT)) { MXS_ERROR("Server certificate missing for listener '%s'." "Please provide the path to the server certificate by adding " "the ssl_cert= parameter", name); - error = true; + ok = false; } - if (ssl_key.empty()) + if (!params.contains(CN_SSL_KEY)) { MXS_ERROR("Server private key missing for listener '%s'. " "Please provide the path to the server certificate key by " "adding the ssl_key= parameter", name); - error = true; + ok = false; } } - if (error) + if (ok) { - return false; - } - - ssl = (mxs::SSLContext*)MXS_CALLOC(1, sizeof(mxs::SSLContext)); - MXS_ABORT_IF_NULL(ssl); - - int ssl_version = params.get_enum(CN_SSL_VERSION, ssl_version_values); - - ssl->ssl_method_type = (ssl_method_type_t)ssl_version; - ssl->ssl_init_done = false; - ssl->ssl_cert_verify_depth = params.get_integer(CN_SSL_CERT_VERIFY_DEPTH); - ssl->ssl_verify_peer_certificate = params.get_bool(CN_SSL_VERIFY_PEER_CERTIFICATE); - - listener_set_certificates(ssl, ssl_cert, ssl_key, ssl_ca_cert); - - mxb_assert(access(ssl_ca_cert.c_str(), F_OK) == 0); - mxb_assert(ssl_cert.empty() || access(ssl_cert.c_str(), F_OK) == 0); - mxb_assert(ssl_key.empty() || access(ssl_key.c_str(), F_OK) == 0); - - if (!SSL_LISTENER_init(ssl)) - { - SSL_LISTENER_free(ssl); - return false; + *dest = mxs::SSLContext::create(params); } } - *dest = ssl; - return true; + return ok; } void config_set_global_defaults() 
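Review bot: The result of `mxs::SSLContext::create(params)` is stored in `*dest` but never checked, so if creation fails (the replaced code handled exactly that with `if (!SSL_LISTENER_init(ssl)) { SSL_LISTENER_free(ssl); return false; }`) the function still returns `ok == true` with a null `*dest`, and callers such as `Server::server_alloc` and the listener come up without TLS although `ssl=` was configured — a fail-open. Change it to `*dest = mxs::SSLContext::create(params); ok = (*dest != nullptr);` and log an `MXS_ERROR` on the null branch (whether `create` signals failure by returning null is not visible here; if it throws instead, the uncaught path has the same problem). Two smaller contract changes deserve a comment: `params.contains(CN_SSL_CA_CERT)` now accepts a present-but-empty `ssl_ca_cert=` that the old `empty()` check rejected, and `*dest` is left untouched when `ssl` is off or validation fails, whereas the old code always wrote it (NULL or the context), so a caller that does not initialise its pointer would read garbage.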
diff --git a/server/core/dcb.cc b/server/core/dcb.cc index a032788c2..445191a0d 100644 --- a/server/core/dcb.cc +++ b/server/core/dcb.cc @@ -2120,7 +2120,9 @@ int dcb_count_by_usage(DCB_USAGE usage) */ static int dcb_create_SSL(DCB* dcb, mxs::SSLContext* ssl) { - if ((dcb->ssl = SSL_new(ssl->ctx)) == NULL) + dcb->ssl = ssl->open(); + + if (!dcb->ssl) { MXS_ERROR("Failed to initialize SSL for connection."); return -1; diff --git a/server/core/listener.cc b/server/core/listener.cc index e8e77ff1f..184259449 100644 --- a/server/core/listener.cc +++ b/server/core/listener.cc @@ -148,7 +148,7 @@ Listener::~Listener() users_free(m_users); } - SSL_LISTENER_free(m_ssl); + delete m_ssl; } SListener Listener::create(const std::string& name, @@ -479,7 +479,7 @@ bool Listener::create_listener_config(const char* filename) if (m_ssl) { - write_ssl_config(file, m_ssl); + dprintf(file, "%s", m_ssl->serialize().c_str()); } ::close(file); @@ -540,15 +540,7 @@ json_t* Listener::to_json() const if (m_ssl) { - json_t* ssl = json_object(); - - const char* ssl_method = ssl_method_type_to_string(m_ssl->ssl_method_type); - json_object_set_new(ssl, "ssl_version", json_string(ssl_method)); - json_object_set_new(ssl, "ssl_cert", json_string(m_ssl->ssl_cert)); - json_object_set_new(ssl, "ssl_ca_cert", json_string(m_ssl->ssl_ca_cert)); - json_object_set_new(ssl, "ssl_key", json_string(m_ssl->ssl_key)); - - json_object_set_new(param, "ssl", ssl); + json_object_set_new(param, "ssl", m_ssl->to_json()); } json_t* attr = json_object(); diff --git a/server/core/mysql_utils.cc b/server/core/mysql_utils.cc index f6928c461..a0728d953 100644 --- a/server/core/mysql_utils.cc +++ b/server/core/mysql_utils.cc 
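Review bot: In `Listener::create_listener_config` the new `dprintf(file, "%s", m_ssl->serialize().c_str());` ignores its return value and the following `::close(file);` is unchecked as well, so a failed or short write silently persists a listener file whose TLS section is missing; when that file is read back, `config_create_ssl` sees no `ssl` parameter and the listener is recreated as plaintext (assuming, as the hunk suggests, the SSL block is appended last). Since the function already returns a bool, check the write: `if (dprintf(file, "%s", m_ssl->serialize().c_str()) < 0) { MXS_ERROR("Failed to write SSL configuration for listener"); ::close(file); return false; }`, and treat a failing `close()` the same way. `create_listener_config` begins outside the hunk, so whether the earlier writes are checked is not visible here.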
@@ -155,11 +155,11 @@ char* mxs_lestr_consume(uint8_t** c, size_t* size) MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd) { - mxs::SSLContext* listener = server->server_ssl; + mxs::SSLContext* ssl = server->server_ssl; - if (listener) + if (ssl) { - mysql_ssl_set(con, listener->ssl_key, listener->ssl_cert, listener->ssl_ca_cert, NULL, NULL); + mysql_ssl_set(con, ssl->ssl_key(), ssl->ssl_cert(), ssl->ssl_ca(), NULL, NULL); } char yes = 1; @@ -204,7 +204,7 @@ MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, cons mysql_get_character_set_info(mysql, &cs_info); server->charset = cs_info.number; - if (listener && mysql_get_ssl_cipher(con) == NULL) + if (ssl && mysql_get_ssl_cipher(con) == NULL) { if (server->warn_ssl_not_enabled) { diff --git a/server/core/server.cc b/server/core/server.cc index 1736ac8ce..22b934937 100644 --- a/server/core/server.cc +++ b/server/core/server.cc @@ -210,7 +210,7 @@ Server* Server::server_alloc(const char* name, const MXS_CONFIG_PARAMETER& param { delete server; MXS_FREE(persistent); - SSL_LISTENER_free(ssl); + delete ssl; return NULL; } 
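Review bot: `mysql_ssl_set(con, ssl->ssl_key(), ssl->ssl_cert(), ssl->ssl_ca(), NULL, NULL)` only hands the key, certificate and CA to the client handle; nothing in the hunk propagates the context's peer-verification setting (the `ssl_verify_peer_certificate` field seen in the `print_to_dcb` hunk) or the configured TLS version, and `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` is never set, so unless that happens outside this function the backend's identity is checked only as far as the client library's defaults go. Consider, guarded by whatever accessor `SSLContext` exposes for that flag, `my_bool verify = 1; mysql_options(con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);` before the connect. The second hunk also carries the pre-existing fail-open: when `mysql_get_ssl_cipher(con) == NULL` after TLS was configured, the code only warns (`warn_ssl_not_enabled`) and keeps using the plaintext connection; that should at least be marked with `// NOTE: TLS was requested but not negotiated; the connection is used anyway — consider failing here`.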
@@ -528,24 +528,7 @@ void Server::print_to_dcb(DCB* dcb) const } if (server->server_ssl) { - mxs::SSLContext* l = server->server_ssl; - dcb_printf(dcb, - "\tSSL initialized: %s\n", - l->ssl_init_done ? "yes" : "no"); - dcb_printf(dcb, - "\tSSL method type: %s\n", - ssl_method_type_to_string(l->ssl_method_type)); - dcb_printf(dcb, "\tSSL certificate verification depth: %d\n", l->ssl_cert_verify_depth); - dcb_printf(dcb, "\tSSL peer verification : %s\n", l->ssl_verify_peer_certificate ? "true" : "false"); - dcb_printf(dcb, - "\tSSL certificate: %s\n", - l->ssl_cert ? l->ssl_cert : "null"); - dcb_printf(dcb, - "\tSSL key: %s\n", - l->ssl_key ? l->ssl_key : "null"); - dcb_printf(dcb, - "\tSSL CA certificate: %s\n", - l->ssl_ca_cert ? l->ssl_ca_cert : "null"); + dcb_printf(dcb, "%s", server->server_ssl->to_string().c_str()); } if (server->proxy_protocol) { diff --git a/server/modules/routing/binlogrouter/blr.cc b/server/modules/routing/binlogrouter/blr.cc index 7709b9f77..aa5af9f99 100644 --- a/server/modules/routing/binlogrouter/blr.cc +++ b/server/modules/routing/binlogrouter/blr.cc @@ -81,7 +81,6 @@ static uint64_t getCapabilities(MXS_ROUTER* instance); static int blr_load_dbusers(const ROUTER_INSTANCE* router); static int blr_check_binlog(ROUTER_INSTANCE* router); void blr_master_close(ROUTER_INSTANCE*); -void blr_free_ssl_data(ROUTER_INSTANCE* inst); static void destroyInstance(MXS_ROUTER* instance); bool blr_extract_key(const char* linebuf, int nline, 
@@ -915,20 +914,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params { MXS_INFO("%s: Replicating from master with SSL", service->name()); } - else - { - MXS_DEBUG("%s: Replicating from master without SSL", service->name()); - /* Free the SSL struct because is not needed if MASTER_SSL = 0 - * Provided options, if any, are kept in inst->ssl_* vars - * SHOW SLAVE STATUS can display those values - */ - - /* Note: SSL struct in server should be freed by server_free() */ - if (service->dbref && service->dbref->server) - { - blr_free_ssl_data(inst); - } - } if (inst->master_state == BLRM_UNCONNECTED) { @@ -959,8 +944,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params if (service->dbref && service->dbref->server) { - /* Free SSL data */ - blr_free_ssl_data(inst); MXS_FREE(service->dbref); service->dbref = NULL; } @@ -1522,18 +1505,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb) dcb_printf(dcb, "\tMaster SSL is ON:\n"); if (router_inst->service->dbref->server && router_inst->service->dbref->server->server_ssl) { - dcb_printf(dcb, - "\t\tMaster SSL CA cert: %s\n", - router_inst->service->dbref->server->server_ssl->ssl_ca_cert); - dcb_printf(dcb, - "\t\tMaster SSL Cert: %s\n", - router_inst->service->dbref->server->server_ssl->ssl_cert); - dcb_printf(dcb, - "\t\tMaster SSL Key: %s\n", - router_inst->service->dbref->server->server_ssl->ssl_key); - dcb_printf(dcb, - "\t\tMaster SSL tls_ver: %s\n", - router_inst->ssl_version ? router_inst->ssl_version : "MAX"); + dcb_printf(dcb, "%s", router_inst->service->dbref->server->server_ssl->to_string().c_str()); } } 
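Review bot: Removing the `else` branch in `createInstance` drops the only code that detached the server's SSL context when master SSL is off, while `mxs_mysql_real_connect` (mysql_utils.cc in this diff) decides whether to use TLS from `server->server_ssl`, not from `inst->ssl_enabled`; so if anything still populates `server_ssl` on that path (the removed comment says provided options were kept), the binlog router will now negotiate TLS to the master although `MASTER_SSL=0`, and the `"Replicating from master without SSL"` debug line that would have shown this is gone too. If the context is now owned by the server this may be intended, but then `ssl_enabled` and `server_ssl` can disagree; I would keep a branch `else { MXS_DEBUG("%s: Replicating from master without SSL", service->name()); }` and either clear the context there (`delete server->server_ssl; server->server_ssl = nullptr;`, ownership permitting) or make the connection path honour `ssl_enabled`. `createInstance` starts outside the hunk, so where `server_ssl` is first assigned is not visible.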
@@ -2011,22 +1983,7 @@ static json_t* diagnostics_json(const MXS_ROUTER* router) /* SSL options */ if (router_inst->ssl_enabled) { - json_t* obj = json_object(); - - json_object_set_new(obj, - "ssl_ca_cert", - json_string(router_inst->service->dbref->server->server_ssl->ssl_ca_cert)); - json_object_set_new(obj, - "ssl_cert", - json_string(router_inst->service->dbref->server->server_ssl->ssl_cert)); - json_object_set_new(obj, - "ssl_key", - json_string(router_inst->service->dbref->server->server_ssl->ssl_key)); - json_object_set_new(obj, - "ssl_version", - json_string(router_inst->ssl_version ? router_inst->ssl_version : "MAX")); - - json_object_set_new(rval, "master_ssl", obj); + json_object_set_new(rval, "master_ssl", router_inst->service->dbref->server->server_ssl->to_json()); } /* Binlog Encryption options */ @@ -2934,31 +2891,6 @@ const char* blr_get_event_description(ROUTER_INSTANCE* router, uint8_t event) return event_desc; } -/** - * Free SSL struct in server struct - * - * @param inst The router instance - */ -void blr_free_ssl_data(ROUTER_INSTANCE* inst) -{ - mxs::SSLContext* server_ssl; - - if (inst->service->dbref->server->server_ssl) - { - server_ssl = inst->service->dbref->server->server_ssl; - - /* - * Free SSL struct - * Note: SSL struct in server should be freed by server_free() - */ - MXS_FREE(server_ssl->ssl_key); - MXS_FREE(server_ssl->ssl_ca_cert); - MXS_FREE(server_ssl->ssl_cert); - MXS_FREE(inst->service->dbref->server->server_ssl); - inst->service->dbref->server->server_ssl = NULL; - } -} - /** * destroy binlog server instance * diff --git a/server/modules/routing/binlogrouter/blr.hh b/server/modules/routing/binlogrouter/blr.hh index c0d67ff56..18a80835b 100644 --- a/server/modules/routing/binlogrouter/blr.hh +++ b/server/modules/routing/binlogrouter/blr.hh 
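Review bot: `diagnostics_json` dereferences `router_inst->service->dbref->server->server_ssl->to_json()` guarded only by `router_inst->ssl_enabled`, whereas the sibling `diagnostics()` in this same diff additionally checks `dbref->server && server_ssl` before printing; with the `blr_free_ssl_data` path removed the flag and the pointer can diverge, so a diagnostics request with `ssl_enabled` set and no context is a null dereference. Mirror the other guard: `if (router_inst->ssl_enabled && router_inst->service->dbref && router_inst->service->dbref->server && router_inst->service->dbref->server->server_ssl)`. Note also that the old JSON reported the router's own `ssl_version` (`"MAX"` when unset) while `to_json()` reports whatever the context carries; if the two can differ, the API output has changed silently and deserves a line in the commit message.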
@@ -1103,7 +1103,6 @@ const char* blr_get_event_description(ROUTER_INSTANCE* router, uint8_t event); void blr_file_append(ROUTER_INSTANCE* router, char* file); void blr_cache_response(ROUTER_INSTANCE* router, char* response, GWBUF* buf); const char* blr_last_event_description(ROUTER_INSTANCE* router); -void blr_free_ssl_data(ROUTER_INSTANCE* inst); extern bool blr_send_event(blr_thread_role_t role, const char* binlog_name, diff --git a/server/modules/routing/binlogrouter/blr_file.cc b/server/modules/routing/binlogrouter/blr_file.cc index 9c3eeb909..5354ff51f 100644 --- a/server/modules/routing/binlogrouter/blr_file.cc +++ b/server/modules/routing/binlogrouter/blr_file.cc @@ -3453,16 +3453,6 @@ int blr_file_write_master_config(ROUTER_INSTANCE* router, char* error) mxb_assert(current.user == router->user); mxb_assert(current.password == router->password); - if (router->ssl_enabled) - { - mxb_assert(current.ssl_enabled); - mxb_assert(current.ssl_ca == router->service->dbref->server->server_ssl->ssl_ca_cert); - mxb_assert(current.ssl_cert == router->service->dbref->server->server_ssl->ssl_cert); - mxb_assert(current.ssl_key == router->service->dbref->server->server_ssl->ssl_key); - } - - mxb_assert(!router->ssl_version || (current.ssl_version == router->ssl_version)); - mxb_assert(current.heartbeat_period == (int)router->heartbeat); mxb_assert(current.connect_retry == router->retry_interval); #endif