From f18e5460c4f15ed534908ce7fa6c25177069ef72 Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Tue, 8 Mar 2016 15:23:42 +0200 Subject: [PATCH] Removed unused service SSL functions These have been made obsolete by the introduction of listener.c --- server/core/config.c | 194 ++++++++++++++++++++------------------- server/core/service.c | 139 ---------------------------- server/include/service.h | 18 ---- 3 files changed, 101 insertions(+), 250 deletions(-) diff --git a/server/core/config.c b/server/core/config.c index c8c9f81a2..03a55c87b 100644 --- a/server/core/config.c +++ b/server/core/config.c 
@@ -1036,107 +1036,115 @@ make_ssl_structure (CONFIG_CONTEXT *obj, bool require_cert, int *error_count) SSL_LISTENER *new_ssl; ssl = config_get_value(obj->parameters, "ssl"); - if (ssl && !strcmp(ssl, "required")) + + if (ssl) { - if ((new_ssl = calloc(1, sizeof(SSL_LISTENER))) == NULL) + if (!strcmp(ssl, "required")) { - return NULL; - } - new_ssl->ssl_method_type = SERVICE_SSL_TLS_MAX; - ssl_cert = config_get_value(obj->parameters, "ssl_cert"); - ssl_key = config_get_value(obj->parameters, "ssl_key"); - ssl_ca_cert = config_get_value(obj->parameters, "ssl_ca_cert"); - ssl_version = config_get_value(obj->parameters, "ssl_version"); - ssl_cert_verify_depth = config_get_value(obj->parameters, "ssl_cert_verify_depth"); - new_ssl->ssl_init_done = false; - - if (ssl_version) - { - if (listener_set_ssl_version(new_ssl, ssl_version) != 0) + if ((new_ssl = calloc(1, sizeof(SSL_LISTENER))) == NULL) { - MXS_ERROR("Unknown parameter value for 'ssl_version' for" - " service '%s': %s", obj->object, ssl_version); + return NULL; + } + new_ssl->ssl_method_type = SERVICE_SSL_TLS_MAX; + ssl_cert = config_get_value(obj->parameters, "ssl_cert"); + ssl_key = config_get_value(obj->parameters, "ssl_key"); + ssl_ca_cert = config_get_value(obj->parameters, "ssl_ca_cert"); + ssl_version = config_get_value(obj->parameters, "ssl_version"); + ssl_cert_verify_depth = config_get_value(obj->parameters, "ssl_cert_verify_depth"); + new_ssl->ssl_init_done = false; + + if (ssl_version) + { + if (listener_set_ssl_version(new_ssl, ssl_version) != 0) + { + MXS_ERROR("Unknown parameter value for 'ssl_version' for" + " service '%s': %s", obj->object, ssl_version); + local_errors++; + } + } + + if (ssl_cert_verify_depth) + { + new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth); + if (new_ssl->ssl_cert_verify_depth < 0) + { + MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth" + " for service '%s': %s", obj->object, ssl_cert_verify_depth); + new_ssl->ssl_cert_verify_depth = 0; + 
local_errors++; + } + } + else + { + /** + * Default of 9 as per Linux man page + */ + new_ssl->ssl_cert_verify_depth = 9; + } + + listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert); + + if (require_cert && new_ssl->ssl_cert == NULL) + { + local_errors++; + MXS_ERROR("Server certificate missing for service '%s'." + "Please provide the path to the server certificate by adding " + "the ssl_cert= parameter", obj->object); + } + + if (new_ssl->ssl_ca_cert == NULL) + { + local_errors++; + MXS_ERROR("CA Certificate missing for service '%s'." + "Please provide the path to the certificate authority " + "certificate by adding the ssl_ca_cert= parameter", + obj->object); + } + + if (require_cert && new_ssl->ssl_key == NULL) + { + local_errors++; + MXS_ERROR("Server private key missing for service '%s'. " + "Please provide the path to the server certificate key by " + "adding the ssl_key= parameter", + obj->object); + } + + if (access(new_ssl->ssl_ca_cert, F_OK) != 0) + { + MXS_ERROR("Certificate authority file for service '%s' not found: %s", + obj->object, + new_ssl->ssl_ca_cert); local_errors++; } - } - if (ssl_cert_verify_depth) - { - new_ssl->ssl_cert_verify_depth = atoi(ssl_cert_verify_depth); - if (new_ssl->ssl_cert_verify_depth < 0) + if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0) { - MXS_ERROR("Invalid parameter value for 'ssl_cert_verify_depth" - " for service '%s': %s", obj->object, ssl_cert_verify_depth); - new_ssl->ssl_cert_verify_depth = 0; + MXS_ERROR("Server certificate file for service '%s' not found: %s", + obj->object, + new_ssl->ssl_cert); local_errors++; } - } - else - { - /** - * Default of 9 as per Linux man page - */ - new_ssl->ssl_cert_verify_depth = 9; - } - listener_set_certificates(new_ssl, ssl_cert, ssl_key, ssl_ca_cert); + if (require_cert && access(new_ssl->ssl_key, F_OK) != 0) + { + MXS_ERROR("Server private key file for service '%s' not found: %s", + obj->object, + new_ssl->ssl_key); + local_errors++; + } - if 
(require_cert && new_ssl->ssl_cert == NULL) - { - local_errors++; - MXS_ERROR("Server certificate missing for service '%s'." - "Please provide the path to the server certificate by adding " - "the ssl_cert= parameter", obj->object); + if (0 == local_errors) + { + return new_ssl; + } + *error_count += local_errors; + free(new_ssl); } - - if (new_ssl->ssl_ca_cert == NULL) + else if (strcmp(ssl, "disabled") != 0) { - local_errors++; - MXS_ERROR("CA Certificate missing for service '%s'." - "Please provide the path to the certificate authority " - "certificate by adding the ssl_ca_cert= parameter", - obj->object); + MXS_ERROR("Unknown value for 'ssl': %s. Service will not use SSL.", ssl); } - - if (require_cert && new_ssl->ssl_key == NULL) - { - local_errors++; - MXS_ERROR("Server private key missing for service '%s'. " - "Please provide the path to the server certificate key by " - "adding the ssl_key= parameter", - obj->object); - } - - if (access(new_ssl->ssl_ca_cert, F_OK) != 0) - { - MXS_ERROR("Certificate authority file for service '%s' not found: %s", - obj->object, - new_ssl->ssl_ca_cert); - local_errors++; - } - - if (require_cert && access(new_ssl->ssl_cert, F_OK) != 0) - { - MXS_ERROR("Server certificate file for service '%s' not found: %s", - obj->object, - new_ssl->ssl_cert); - local_errors++; - } - - if (require_cert && access(new_ssl->ssl_key, F_OK) != 0) - { - MXS_ERROR("Server private key file for service '%s' not found: %s", - obj->object, - new_ssl->ssl_key); - local_errors++; - } - - if (0 == local_errors) - { - return new_ssl; - } - *error_count += local_errors; - free(new_ssl); } return NULL; } 
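Review bot: The new `else if (strcmp(ssl, "disabled") != 0)` branch logs an unknown `ssl` value but never touches `*error_count`, so a misspelled `required` lets the service come up without TLS exactly as if `ssl=disabled` had been written; counting it as a configuration error, `(*error_count)++;` after the `MXS_ERROR`, keeps a typo from silently downgrading the listener. In the `required` branch the `access()` calls on `new_ssl->ssl_ca_cert`, `ssl_cert` and `ssl_key` still run after the preceding checks have already recorded that the pointer is NULL, which passes a null pointer to `access()`; folding each `access()` into an `else if` of its NULL check, as `validate_ssl_parameters` in the next hunk does, removes that. `atoi(ssl_cert_verify_depth)` turns non-numeric input into 0 with no diagnostic, so a `strtol` with an `endptr` check would match the intent of the `< 0` validation that follows it. If I read the removed `serviceSetSSL` correctly, the old service-level API matched `required`/`enabled`/`disabled` case-insensitively, whereas this branch uses `strcmp` and treats `enabled` as unknown, which deserves a comment if it is intentional. `make_ssl_structure`'s signature and the declarations of `ssl`, `local_errors` and the `ssl_*` locals lie above the hunk.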
@@ -2139,21 +2147,21 @@ static int validate_ssl_parameters(CONFIG_CONTEXT* obj, char *ssl_cert, char *ss if (ssl_cert == NULL) { error_count++; - MXS_ERROR("Server certificate missing for service '%s'." + MXS_ERROR("Server certificate missing for listener '%s'." "Please provide the path to the server certificate by adding " "the ssl_cert= parameter", obj->object); } else if (access(ssl_cert, F_OK) != 0) { error_count++; - MXS_ERROR("Server certificate file for service '%s' not found: %s", + MXS_ERROR("Server certificate file for listener '%s' not found: %s", obj->object, ssl_cert); } if (ssl_ca_cert == NULL) { error_count++; - MXS_ERROR("CA Certificate missing for service '%s'." + MXS_ERROR("CA Certificate missing for listener '%s'." "Please provide the path to the certificate authority " "certificate by adding the ssl_ca_cert= parameter", obj->object); @@ -2161,21 +2169,21 @@ static int validate_ssl_parameters(CONFIG_CONTEXT* obj, char *ssl_cert, char *ss else if (access(ssl_ca_cert, F_OK) != 0) { error_count++; - MXS_ERROR("Certificate authority file for service '%s' " + MXS_ERROR("Certificate authority file for listener '%s' " "not found: %s", obj->object, ssl_ca_cert); } if (ssl_key == NULL) { error_count++; - MXS_ERROR("Server private key missing for service '%s'. " + MXS_ERROR("Server private key missing for listener '%s'. " "Please provide the path to the server certificate key by " "adding the ssl_key= parameter", obj->object); } else if (access(ssl_key, F_OK) != 0) { error_count++; - MXS_ERROR("Server private key file for service '%s' not found: %s", + MXS_ERROR("Server private key file for listener '%s' not found: %s", obj->object, ssl_key); } return error_count; diff --git a/server/core/service.c b/server/core/service.c index a112917f6..39ce39146 100644 --- a/server/core/service.c +++ b/server/core/service.c 
@@ -147,19 +147,10 @@ service_alloc(const char *servname, const char *router) service->credentials.authdata = NULL; service->credentials.name = NULL; service->version_string = NULL; - service->ctx = NULL; service->svc_config_param = NULL; service->users = NULL; service->routerOptions = NULL; - service->ssl_mode = SSL_DISABLED; - service->ssl_init_done = false; - service->ssl_ca_cert = NULL; - service->ssl_cert = NULL; - service->ssl_key = NULL; service->log_auth_warnings = true; - service->ssl_cert_verify_depth = DEFAULT_SSL_CERT_VERIFY_DEPTH; - /** Support the highest possible SSL/TLS methods available as the default */ - service->ssl_method_type = SERVICE_SSL_TLS_MAX; if (service->name == NULL || service->routerModule == NULL) { if (service->name) @@ -669,13 +660,9 @@ service_free(SERVICE *service) free(service->routerModule); free(service->weightby); free(service->version_string); - free(service->ssl_key); - free(service->ssl_cert); - free(service->ssl_ca_cert); free(service->credentials.name); free(service->credentials.authdata); - SSL_CTX_free(service->ctx); free_config_parameter(service->svc_config_param); users_free(service->users); hashtable_free(service->resources); 
@@ -957,128 +944,6 @@ serviceOptimizeWildcard(SERVICE *service, int action) return 1; } -/** - * Set the locations of the server's SSL certificate, server's private key and the CA - * certificate which both the client and the server should trust. - * @param service Service to configure - * @param cert SSL certificate - * @param key SSL private key - * @param ca_cert SSL CA certificate - */ -void -serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert) -{ - if (service->ssl_cert) - { - free(service->ssl_cert); - } - service->ssl_cert = strdup(cert); - - if (service->ssl_key) - { - free(service->ssl_key); - } - service->ssl_key = strdup(key); - - if (service->ssl_ca_cert) - { - free(service->ssl_ca_cert); - } - service->ssl_ca_cert = strdup(ca_cert); -} - -/** - * Set the maximum SSL/TLS version the service will support - * @param service Service to configure - * @param version SSL/TLS version string - * @return 0 on success, -1 on invalid version string - */ -int -serviceSetSSLVersion(SERVICE *service, char* version) -{ - if (strcasecmp(version,"SSLV3") == 0) - { - service->ssl_method_type = SERVICE_SSLV3; - } - else if (strcasecmp(version,"TLSV10") == 0) - { - service->ssl_method_type = SERVICE_TLS10; - } -#ifdef OPENSSL_1_0 - else if (strcasecmp(version,"TLSV11") == 0) - { - service->ssl_method_type = SERVICE_TLS11; - } - else if (strcasecmp(version,"TLSV12") == 0) - { - service->ssl_method_type = SERVICE_TLS12; - } -#endif - else if (strcasecmp(version,"MAX") == 0) - { - service->ssl_method_type = SERVICE_SSL_TLS_MAX; - } - else - { - return -1; - } - return 0; -} - -/** - * Set the service's SSL certificate verification depth. Depth of 0 means the peer - * certificate, 1 is the CA and 2 is a higher CA and so on. 
- * @param service Service to configure - * @param depth Certificate verification depth - * @return 0 on success, -1 on incorrect depth value - */ -int serviceSetSSLVerifyDepth(SERVICE* service, int depth) -{ - if (depth < 0) - { - return -1; - } - - service->ssl_cert_verify_depth = depth; - return 0; -} - -/** - * Enable or disable the service SSL capability of a service. - * The SSL mode string passed as a parameter should be one of required, enabled - * or disabled. Required requires all connections to use SSL encryption, enabled - * allows both SSL and non-SSL connections and disabled does not use SSL encryption. - * If the service SSL mode is set to enabled, then the client will decide whether - * SSL encryption is used. - * @param service Service to configure - * @param action Mode string. One of required, enabled or disabled. - * @return 0 on success, -1 on error - */ -int -serviceSetSSL(SERVICE *service, char* action) -{ - int rval = 0; - - if (strcasecmp(action,"required") == 0) - { - service->ssl_mode = SSL_REQUIRED; - } - else if (strcasecmp(action,"enabled") == 0) - { - service->ssl_mode = SSL_ENABLED; - } - else if (strcasecmp(action,"disabled") == 0) - { - service->ssl_mode = SSL_DISABLED; - } - else - { - rval = -1; - } - - return rval; -} - /** * Whether to strip escape characters from the name of the database the client * is connecting to. @@ -1296,8 +1161,6 @@ printService(SERVICE *service) printf("\tUsers data: %p\n", (void *)service->users); printf("\tTotal connections: %d\n", service->stats.n_sessions); printf("\tCurrently connected: %d\n", service->stats.n_current); - printf("\tSSL: %s\n", service->ssl_mode == SSL_DISABLED ? "Disabled": - (service->ssl_mode == SSL_ENABLED ? "Enabled":"Required")); } /** 
@@ -1409,8 +1272,6 @@ void dprintService(DCB *dcb, SERVICE *service) service->stats.n_sessions); dcb_printf(dcb, "\tCurrently connected: %d\n", service->stats.n_current); - dcb_printf(dcb,"\tSSL: %s\n", service->ssl_mode == SSL_DISABLED ? "Disabled": - (service->ssl_mode == SSL_ENABLED ? "Enabled":"Required")); } /** diff --git a/server/include/service.h b/server/include/service.h index 004f6aa69..4b92cb135 100644 --- a/server/include/service.h +++ b/server/include/service.h @@ -100,14 +100,6 @@ typedef struct server_ref_t SERVER* server; }SERVER_REF; -typedef enum -{ - SSL_DISABLED, - SSL_ENABLED, - SSL_REQUIRED -} ssl_mode_t; - -#define DEFAULT_SSL_CERT_VERIFY_DEPTH 100 /*< The default certificate verification depth */ #define SERVICE_MAX_RETRY_INTERVAL 3600 /*< The maximum interval between service start retries */ /** Value of service timeout if timeout checks are disabled */ @@ -159,18 +151,8 @@ typedef struct service FILTER_DEF **filters; /**< Ordered list of filters */ int n_filters; /**< Number of filters */ long conn_idle_timeout; /**< Session timeout in seconds */ - ssl_mode_t ssl_mode; /*< one of DISABLED, ENABLED or REQUIRED */ char *weightby; struct service *next; /**< The next service in the linked list */ - SSL_CTX *ctx; - SSL_METHOD *method; /*< SSLv3 or TLS1.0/1.1/1.2 methods - * see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */ - int ssl_cert_verify_depth; /*< SSL certificate verification depth */ - int ssl_method_type; /*< Which of the SSLv3 or TLS1.0/1.1/1.2 methods to use */ - char* ssl_cert; /*< SSL certificate */ - char* ssl_key; /*< SSL private key */ - char* ssl_ca_cert; /*< SSL CA certificate */ - bool ssl_init_done; /*< If SSL has already been initialized for this service */ bool retry_start; /*< If starting of the service should be retried later */ bool log_auth_warnings; /*< Log authentication failures and warnings */ } SERVICE;