MXS-2483: Take SSLContext into use
SSLContext is now used everywhere except the binlogrouter which still allocates the contexts itself. Fixing the binlogrouter's misuse of internal structures is a rather large undertaking and for this reason the SSLContext will be taken into use there in a separate commit.
This commit is contained in:
Markus Mäkelä
@ -2856,29 +2856,12 @@ bool config_can_modify_at_runtime(const char* name)
|
||||
return static_params.count(name);
|
||||
}
|
||||
|
||||
/**
|
||||
* Free an SSL structure
|
||||
*
|
||||
* @param ssl SSL structure to free
|
||||
*/
|
||||
static void free_ssl_structure(mxs::SSLContext* ssl)
|
||||
{
|
||||
if (ssl)
|
||||
{
|
||||
SSL_CTX_free(ssl->ctx);
|
||||
MXS_FREE(ssl->ssl_key);
|
||||
MXS_FREE(ssl->ssl_cert);
|
||||
MXS_FREE(ssl->ssl_ca_cert);
|
||||
MXS_FREE(ssl);
|
||||
}
|
||||
}
|
||||
|
||||
bool config_create_ssl(const char* name,
|
||||
const MXS_CONFIG_PARAMETER& params,
|
||||
bool require_cert,
|
||||
mxs::SSLContext** dest)
|
||||
{
|
||||
mxs::SSLContext* ssl = NULL;
|
||||
bool ok = true;
|
||||
|
||||
// The enum values convert to bool
|
||||
int value = params.get_enum(CN_SSL, ssl_values);
|
||||
@ -2886,71 +2869,43 @@ bool config_create_ssl(const char* name,
|
||||
|
||||
if (value)
|
||||
{
|
||||
bool error = false;
|
||||
string ssl_cert = params.get_string(CN_SSL_CERT);
|
||||
string ssl_key = params.get_string(CN_SSL_KEY);
|
||||
string ssl_ca_cert = params.get_string(CN_SSL_CA_CERT);
|
||||
|
||||
if (ssl_ca_cert.empty())
|
||||
if (!params.contains(CN_SSL_CA_CERT))
|
||||
{
|
||||
MXS_ERROR("CA Certificate missing for '%s'."
|
||||
"Please provide the path to the certificate authority "
|
||||
"certificate by adding the ssl_ca_cert=<path> parameter",
|
||||
name);
|
||||
error = true;
|
||||
ok = false;
|
||||
}
|
||||
|
||||
if (require_cert)
|
||||
{
|
||||
if (ssl_cert.empty())
|
||||
if (!params.contains(CN_SSL_CERT))
|
||||
{
|
||||
MXS_ERROR("Server certificate missing for listener '%s'."
|
||||
"Please provide the path to the server certificate by adding "
|
||||
"the ssl_cert=<path> parameter",
|
||||
name);
|
||||
error = true;
|
||||
ok = false;
|
||||
}
|
||||
|
||||
if (ssl_key.empty())
|
||||
if (!params.contains(CN_SSL_KEY))
|
||||
{
|
||||
MXS_ERROR("Server private key missing for listener '%s'. "
|
||||
"Please provide the path to the server certificate key by "
|
||||
"adding the ssl_key=<path> parameter",
|
||||
name);
|
||||
error = true;
|
||||
ok = false;
|
||||
}
|
||||
}
|
||||
|
||||
if (error)
|
||||
if (ok)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
ssl = (mxs::SSLContext*)MXS_CALLOC(1, sizeof(mxs::SSLContext));
|
||||
MXS_ABORT_IF_NULL(ssl);
|
||||
|
||||
int ssl_version = params.get_enum(CN_SSL_VERSION, ssl_version_values);
|
||||
|
||||
ssl->ssl_method_type = (ssl_method_type_t)ssl_version;
|
||||
ssl->ssl_init_done = false;
|
||||
ssl->ssl_cert_verify_depth = params.get_integer(CN_SSL_CERT_VERIFY_DEPTH);
|
||||
ssl->ssl_verify_peer_certificate = params.get_bool(CN_SSL_VERIFY_PEER_CERTIFICATE);
|
||||
|
||||
listener_set_certificates(ssl, ssl_cert, ssl_key, ssl_ca_cert);
|
||||
|
||||
mxb_assert(access(ssl_ca_cert.c_str(), F_OK) == 0);
|
||||
mxb_assert(ssl_cert.empty() || access(ssl_cert.c_str(), F_OK) == 0);
|
||||
mxb_assert(ssl_key.empty() || access(ssl_key.c_str(), F_OK) == 0);
|
||||
|
||||
if (!SSL_LISTENER_init(ssl))
|
||||
{
|
||||
SSL_LISTENER_free(ssl);
|
||||
return false;
|
||||
*dest = mxs::SSLContext::create(params);
|
||||
}
|
||||
}
|
||||
|
||||
*dest = ssl;
|
||||
return true;
|
||||
return ok;
|
||||
}
|
||||
|
||||
void config_set_global_defaults()
|
||||
|
||||
@ -2120,7 +2120,9 @@ int dcb_count_by_usage(DCB_USAGE usage)
|
||||
*/
|
||||
static int dcb_create_SSL(DCB* dcb, mxs::SSLContext* ssl)
|
||||
{
|
||||
if ((dcb->ssl = SSL_new(ssl->ctx)) == NULL)
|
||||
dcb->ssl = ssl->open();
|
||||
|
||||
if (!dcb->ssl)
|
||||
{
|
||||
MXS_ERROR("Failed to initialize SSL for connection.");
|
||||
return -1;
|
||||
|
||||
@ -148,7 +148,7 @@ Listener::~Listener()
|
||||
users_free(m_users);
|
||||
}
|
||||
|
||||
SSL_LISTENER_free(m_ssl);
|
||||
delete m_ssl;
|
||||
}
|
||||
|
||||
SListener Listener::create(const std::string& name,
|
||||
@ -479,7 +479,7 @@ bool Listener::create_listener_config(const char* filename)
|
||||
|
||||
if (m_ssl)
|
||||
{
|
||||
write_ssl_config(file, m_ssl);
|
||||
dprintf(file, "%s", m_ssl->serialize().c_str());
|
||||
}
|
||||
|
||||
::close(file);
|
||||
@ -540,15 +540,7 @@ json_t* Listener::to_json() const
|
||||
|
||||
if (m_ssl)
|
||||
{
|
||||
json_t* ssl = json_object();
|
||||
|
||||
const char* ssl_method = ssl_method_type_to_string(m_ssl->ssl_method_type);
|
||||
json_object_set_new(ssl, "ssl_version", json_string(ssl_method));
|
||||
json_object_set_new(ssl, "ssl_cert", json_string(m_ssl->ssl_cert));
|
||||
json_object_set_new(ssl, "ssl_ca_cert", json_string(m_ssl->ssl_ca_cert));
|
||||
json_object_set_new(ssl, "ssl_key", json_string(m_ssl->ssl_key));
|
||||
|
||||
json_object_set_new(param, "ssl", ssl);
|
||||
json_object_set_new(param, "ssl", m_ssl->to_json());
|
||||
}
|
||||
|
||||
json_t* attr = json_object();
|
||||
|
||||
@ -155,11 +155,11 @@ char* mxs_lestr_consume(uint8_t** c, size_t* size)
|
||||
|
||||
MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, const char* passwd)
|
||||
{
|
||||
mxs::SSLContext* listener = server->server_ssl;
|
||||
mxs::SSLContext* ssl = server->server_ssl;
|
||||
|
||||
if (listener)
|
||||
if (ssl)
|
||||
{
|
||||
mysql_ssl_set(con, listener->ssl_key, listener->ssl_cert, listener->ssl_ca_cert, NULL, NULL);
|
||||
mysql_ssl_set(con, ssl->ssl_key(), ssl->ssl_cert(), ssl->ssl_ca(), NULL, NULL);
|
||||
}
|
||||
|
||||
char yes = 1;
|
||||
@ -204,7 +204,7 @@ MYSQL* mxs_mysql_real_connect(MYSQL* con, SERVER* server, const char* user, cons
|
||||
mysql_get_character_set_info(mysql, &cs_info);
|
||||
server->charset = cs_info.number;
|
||||
|
||||
if (listener && mysql_get_ssl_cipher(con) == NULL)
|
||||
if (ssl && mysql_get_ssl_cipher(con) == NULL)
|
||||
{
|
||||
if (server->warn_ssl_not_enabled)
|
||||
{
|
||||
|
||||
@ -210,7 +210,7 @@ Server* Server::server_alloc(const char* name, const MXS_CONFIG_PARAMETER& param
|
||||
{
|
||||
delete server;
|
||||
MXS_FREE(persistent);
|
||||
SSL_LISTENER_free(ssl);
|
||||
delete ssl;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@ -528,24 +528,7 @@ void Server::print_to_dcb(DCB* dcb) const
|
||||
}
|
||||
if (server->server_ssl)
|
||||
{
|
||||
mxs::SSLContext* l = server->server_ssl;
|
||||
dcb_printf(dcb,
|
||||
"\tSSL initialized: %s\n",
|
||||
l->ssl_init_done ? "yes" : "no");
|
||||
dcb_printf(dcb,
|
||||
"\tSSL method type: %s\n",
|
||||
ssl_method_type_to_string(l->ssl_method_type));
|
||||
dcb_printf(dcb, "\tSSL certificate verification depth: %d\n", l->ssl_cert_verify_depth);
|
||||
dcb_printf(dcb, "\tSSL peer verification : %s\n", l->ssl_verify_peer_certificate ? "true" : "false");
|
||||
dcb_printf(dcb,
|
||||
"\tSSL certificate: %s\n",
|
||||
l->ssl_cert ? l->ssl_cert : "null");
|
||||
dcb_printf(dcb,
|
||||
"\tSSL key: %s\n",
|
||||
l->ssl_key ? l->ssl_key : "null");
|
||||
dcb_printf(dcb,
|
||||
"\tSSL CA certificate: %s\n",
|
||||
l->ssl_ca_cert ? l->ssl_ca_cert : "null");
|
||||
dcb_printf(dcb, "%s", server->server_ssl->to_string().c_str());
|
||||
}
|
||||
if (server->proxy_protocol)
|
||||
{
|
||||
|
||||
@ -81,7 +81,6 @@ static uint64_t getCapabilities(MXS_ROUTER* instance);
|
||||
static int blr_load_dbusers(const ROUTER_INSTANCE* router);
|
||||
static int blr_check_binlog(ROUTER_INSTANCE* router);
|
||||
void blr_master_close(ROUTER_INSTANCE*);
|
||||
void blr_free_ssl_data(ROUTER_INSTANCE* inst);
|
||||
static void destroyInstance(MXS_ROUTER* instance);
|
||||
bool blr_extract_key(const char* linebuf,
|
||||
int nline,
|
||||
@ -915,20 +914,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params
|
||||
{
|
||||
MXS_INFO("%s: Replicating from master with SSL", service->name());
|
||||
}
|
||||
else
|
||||
{
|
||||
MXS_DEBUG("%s: Replicating from master without SSL", service->name());
|
||||
/* Free the SSL struct because is not needed if MASTER_SSL = 0
|
||||
* Provided options, if any, are kept in inst->ssl_* vars
|
||||
* SHOW SLAVE STATUS can display those values
|
||||
*/
|
||||
|
||||
/* Note: SSL struct in server should be freed by server_free() */
|
||||
if (service->dbref && service->dbref->server)
|
||||
{
|
||||
blr_free_ssl_data(inst);
|
||||
}
|
||||
}
|
||||
|
||||
if (inst->master_state == BLRM_UNCONNECTED)
|
||||
{
|
||||
@ -959,8 +944,6 @@ static MXS_ROUTER* createInstance(SERVICE* service, MXS_CONFIG_PARAMETER* params
|
||||
|
||||
if (service->dbref && service->dbref->server)
|
||||
{
|
||||
/* Free SSL data */
|
||||
blr_free_ssl_data(inst);
|
||||
MXS_FREE(service->dbref);
|
||||
service->dbref = NULL;
|
||||
}
|
||||
@ -1522,18 +1505,7 @@ static void diagnostics(MXS_ROUTER* router, DCB* dcb)
|
||||
dcb_printf(dcb, "\tMaster SSL is ON:\n");
|
||||
if (router_inst->service->dbref->server && router_inst->service->dbref->server->server_ssl)
|
||||
{
|
||||
dcb_printf(dcb,
|
||||
"\t\tMaster SSL CA cert: %s\n",
|
||||
router_inst->service->dbref->server->server_ssl->ssl_ca_cert);
|
||||
dcb_printf(dcb,
|
||||
"\t\tMaster SSL Cert: %s\n",
|
||||
router_inst->service->dbref->server->server_ssl->ssl_cert);
|
||||
dcb_printf(dcb,
|
||||
"\t\tMaster SSL Key: %s\n",
|
||||
router_inst->service->dbref->server->server_ssl->ssl_key);
|
||||
dcb_printf(dcb,
|
||||
"\t\tMaster SSL tls_ver: %s\n",
|
||||
router_inst->ssl_version ? router_inst->ssl_version : "MAX");
|
||||
dcb_printf(dcb, "%s", router_inst->service->dbref->server->server_ssl->to_string().c_str());
|
||||
}
|
||||
}
|
||||
|
||||
@ -2011,22 +1983,7 @@ static json_t* diagnostics_json(const MXS_ROUTER* router)
|
||||
/* SSL options */
|
||||
if (router_inst->ssl_enabled)
|
||||
{
|
||||
json_t* obj = json_object();
|
||||
|
||||
json_object_set_new(obj,
|
||||
"ssl_ca_cert",
|
||||
json_string(router_inst->service->dbref->server->server_ssl->ssl_ca_cert));
|
||||
json_object_set_new(obj,
|
||||
"ssl_cert",
|
||||
json_string(router_inst->service->dbref->server->server_ssl->ssl_cert));
|
||||
json_object_set_new(obj,
|
||||
"ssl_key",
|
||||
json_string(router_inst->service->dbref->server->server_ssl->ssl_key));
|
||||
json_object_set_new(obj,
|
||||
"ssl_version",
|
||||
json_string(router_inst->ssl_version ? router_inst->ssl_version : "MAX"));
|
||||
|
||||
json_object_set_new(rval, "master_ssl", obj);
|
||||
json_object_set_new(rval, "master_ssl", router_inst->service->dbref->server->server_ssl->to_json());
|
||||
}
|
||||
|
||||
/* Binlog Encryption options */
|
||||
@ -2934,31 +2891,6 @@ const char* blr_get_event_description(ROUTER_INSTANCE* router, uint8_t event)
|
||||
return event_desc;
|
||||
}
|
||||
|
||||
/**
|
||||
* Free SSL struct in server struct
|
||||
*
|
||||
* @param inst The router instance
|
||||
*/
|
||||
void blr_free_ssl_data(ROUTER_INSTANCE* inst)
|
||||
{
|
||||
mxs::SSLContext* server_ssl;
|
||||
|
||||
if (inst->service->dbref->server->server_ssl)
|
||||
{
|
||||
server_ssl = inst->service->dbref->server->server_ssl;
|
||||
|
||||
/*
|
||||
* Free SSL struct
|
||||
* Note: SSL struct in server should be freed by server_free()
|
||||
*/
|
||||
MXS_FREE(server_ssl->ssl_key);
|
||||
MXS_FREE(server_ssl->ssl_ca_cert);
|
||||
MXS_FREE(server_ssl->ssl_cert);
|
||||
MXS_FREE(inst->service->dbref->server->server_ssl);
|
||||
inst->service->dbref->server->server_ssl = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* destroy binlog server instance
|
||||
*
|
||||
|
||||
@ -1103,7 +1103,6 @@ const char* blr_get_event_description(ROUTER_INSTANCE* router, uint8_t event);
|
||||
void blr_file_append(ROUTER_INSTANCE* router, char* file);
|
||||
void blr_cache_response(ROUTER_INSTANCE* router, char* response, GWBUF* buf);
|
||||
const char* blr_last_event_description(ROUTER_INSTANCE* router);
|
||||
void blr_free_ssl_data(ROUTER_INSTANCE* inst);
|
||||
|
||||
extern bool blr_send_event(blr_thread_role_t role,
|
||||
const char* binlog_name,
|
||||
|
||||
@ -3453,16 +3453,6 @@ int blr_file_write_master_config(ROUTER_INSTANCE* router, char* error)
|
||||
mxb_assert(current.user == router->user);
|
||||
mxb_assert(current.password == router->password);
|
||||
|
||||
if (router->ssl_enabled)
|
||||
{
|
||||
mxb_assert(current.ssl_enabled);
|
||||
mxb_assert(current.ssl_ca == router->service->dbref->server->server_ssl->ssl_ca_cert);
|
||||
mxb_assert(current.ssl_cert == router->service->dbref->server->server_ssl->ssl_cert);
|
||||
mxb_assert(current.ssl_key == router->service->dbref->server->server_ssl->ssl_key);
|
||||
}
|
||||
|
||||
mxb_assert(!router->ssl_version || (current.ssl_version == router->ssl_version));
|
||||
|
||||
mxb_assert(current.heartbeat_period == (int)router->heartbeat);
|
||||
mxb_assert(current.connect_retry == router->retry_interval);
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user