
Commit ed672fb

WL14846: Align TLS option checking across connectors
1 parent 10e3dd3 commit ed672fb

10 files changed

+473
-202
lines changed


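--- a/cdk/core/session.cc
+++ b/cdk/core/session.cc
@@ -307,11 +307,6 @@ Session_builder::tls_connect(Socket_base *connection, const TLS::Options &option
 
 unique_ptr<Socket_base> conn_ptr(connection);
 
-if (!options.get_ca().empty() &&
-options.ssl_mode() < TLS::Options::SSL_MODE::VERIFY_CA)
-throw Error(cdkerrc::generic_error,
-"ssl-ca set and ssl-mode different than VERIFY_CA or VERIFY_IDENTITY");
-
 if (options.ssl_mode() >= TLS::Options::SSL_MODE::VERIFY_CA &&
 options.get_ca().empty())
 throw Error(cdkerrc::generic_error,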

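--- a/cdk/foundation/connection_openssl.cc
+++ b/cdk/foundation/connection_openssl.cc
@@ -609,6 +609,20 @@ void connection_TLS_impl::do_connect()
 m_options.get_ca_path().empty()
 ? NULL : m_options.get_ca_path().c_str()) == 0)
 throw_openssl_error();
+
+if (!m_options.get_crl().empty() || !m_options.get_crl_path().empty())
+{
+X509_STORE *store = SSL_CTX_get_cert_store(m_tls_ctx);
+/* Load crls from the trusted ca */
+if (X509_STORE_load_locations(
+store,
+m_options.get_crl().c_str(),
+m_options.get_crl_path().c_str()) == 0 ||
+X509_STORE_set_flags(
+store,
+X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL) == 0)
+throw_openssl_error();
+}
 }
 else
 {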
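Review bot: X509_STORE_load_locations is given `m_options.get_crl().c_str()` and `m_options.get_crl_path().c_str()` unconditionally, so when only one of ssl-crl/ssl-crlpath is set the other argument is an empty string rather than NULL; the CA block three lines above uses `empty() ? NULL : c_str()` for exactly this case, and an empty file name is likely to make the load fail and land in throw_openssl_error(). Apply the same pattern to both arguments: `m_options.get_crl().empty() ? NULL : m_options.get_crl().c_str(),` and `m_options.get_crl_path().empty() ? NULL : m_options.get_crl_path().c_str()) == 0 ||`. The comment `/* Load crls from the trusted ca */` does not describe what follows; something like `/* Load CRLs into the context's certificate store and require CRL checking for the whole chain */` would. do_connect() continues outside the hunk.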

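--- a/cdk/include/mysql/cdk/foundation/connection_openssl.h
+++ b/cdk/include/mysql/cdk/foundation/connection_openssl.h
@@ -146,8 +146,13 @@ class TLS::Options
 void set_ca(const string &ca) { m_ca = ca; }
 void set_ca_path(const string &ca_path) { m_ca_path = ca_path; }
 
+void set_crl(const string &crl) { m_crl = crl; }
+void set_crl_path(const string &crl_path) { m_crl_path = crl_path; }
+
 const std::string &get_ca() const { return m_ca; }
 const std::string &get_ca_path() const { return m_ca_path; }
+const std::string &get_crl() const { return m_crl; }
+const std::string &get_crl_path() const { return m_crl_path; }
 const std::string &get_host_name() const { return m_host_name; }
 
 void set_host_name(const std::string &host_name)
@@ -181,6 +186,8 @@ class TLS::Options
 std::string m_key;
 std::string m_ca;
 std::string m_ca_path;
+std::string m_crl;
+std::string m_crl_path;
 std::string m_host_name;
 TLS_versions_list m_tls_versions;
 TLS_ciphersuites_list m_tls_ciphersuites;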
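Review bot: The new `m_crl`/`m_crl_path` members and their `set_crl`/`set_crl_path` accessors carry no comment saying what each value is, and a reader of the header cannot tell which one names a file and which a directory, nor that an empty string means "not set"; the openssl implementation appears to pass them as the file and directory arguments of the store loader. A one-line comment above the two members would settle it, e.g. `// CRL file (m_crl) and directory of CRLs (m_crl_path) loaded into the TLS certificate store; empty means unset.` The class body continues outside both hunks.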

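--- a/common/session.cc
+++ b/common/session.cc
@@ -323,8 +323,7 @@ void prepare_options(
 // Set TLS options
 
 /*
-By default ssl-mode is REQUIRED. If ssl-mode was not explicitly set but
-ssl-ca was, then mode defaults to VERIFY_CA.
+By default ssl-mode is REQUIRED.
 */
 
 unsigned mode = unsigned(SSL_mode::REQUIRED);
@@ -335,25 +334,18 @@ void prepare_options(
 mode_set = true;
 mode = (unsigned)settings.get(Option::SSL_MODE).get_uint();
 }
-else if (settings.has_option(Option::SSL_CA))
-{
-mode_set = true;
-mode = unsigned(SSL_mode::VERIFY_CA);
-}
 
 if (socket && mode_set && mode >= unsigned(SSL_mode::REQUIRED))
 {
 throw_error("SSL connection over Unix domain socket requested.");
 }
 
+#ifdef WITH_SSL
 if (unsigned(SSL_mode::DISABLED) == mode)
 {
-#ifdef WITH_SSL
 opts.set_tls(TLS_options::SSL_MODE::DISABLED);
-#endif
 }
 else
-#ifdef WITH_SSL
 {
 socket = true; // so that PLAIN auth method is used below
 
@@ -398,6 +390,13 @@ void prepare_options(
 
 if (settings.has_option(Option::SSL_CA))
 tls_opt.set_ca(settings.get(Option::SSL_CA).get_string());
+if(settings.has_option(Option::SSL_CAPATH))
+tls_opt.set_ca_path(settings.get(Option::SSL_CAPATH).get_string());
+if (settings.has_option(Option::SSL_CRL))
+tls_opt.set_crl(settings.get(Option::SSL_CRL).get_string());
+if(settings.has_option(Option::SSL_CRLPATH))
+tls_opt.set_crl_path(settings.get(Option::SSL_CRLPATH).get_string());
+
 opts.set_tls(tls_opt);
 }
 #endif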
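Review bot: The comment in the first hunk is reduced to `By default ssl-mode is REQUIRED.` and the ssl-ca-implies-VERIFY_CA branch is deleted in the second hunk, while the third hunk forwards ssl-ca, ssl-capath, ssl-crl and ssl-crlpath whatever the mode and the guard rejecting ssl-ca with a mode below VERIFY_CA is removed in cdk/core/session.cc; a caller that supplies ssl-ca but leaves the mode at its default therefore presumably connects with REQUIRED and no server-certificate verification, without any error. That is the alignment the title asks for, but it should be stated where the old rule was, e.g. `By default ssl-mode is REQUIRED; ssl-ca/capath/crl/crlpath no longer raise it to VERIFY_CA and are presumably only consulted with VERIFY_CA or VERIFY_IDENTITY.` The spacing in `if(settings.has_option(Option::SSL_CAPATH))` and `if(settings.has_option(Option::SSL_CRLPATH))` in the third hunk is out of step with the neighbouring `if (`. prepare_options continues outside all three hunks.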

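--- a/common/settings.h
+++ b/common/settings.h
@@ -768,17 +768,6 @@ Settings_impl::Setter::set_option<Settings_impl::Session_option_impl::SSL_MODE>(
 throw_error("secure connection requested but SSL is not supported")
 #endif
 
-switch (m_data.m_ssl_mode)
-{
-case SSL_mode::VERIFY_CA:
-case SSL_mode::VERIFY_IDENTITY:
-break;
-
-default:
-if (m_data.m_ssl_ca)
-throw_error("SSL_MODE ... not valid when SSL_CA is set");
-}
-
 add_option(Session_option_impl::SSL_MODE, val);
 }
 
@@ -793,17 +782,6 @@ Settings_impl::Setter::set_option<Settings_impl::Session_option_impl::SSL_CA>(
 throw_error("SSL_CA option specified but SSL is not supported")
 #endif
 
-switch (m_data.m_ssl_mode)
-{
-case SSL_mode::VERIFY_CA:
-case SSL_mode::VERIFY_IDENTITY:
-case SSL_mode::LAST:
-break;
-
-default:
-throw_error("SSL_CA option is not compatible with SSL_MODE ...");
-}
-
 m_data.m_ssl_ca = true;
 add_option(Session_option_impl::SSL_CA, val);
 }
@@ -1127,19 +1105,6 @@ void Settings_impl::Setter::add_option(int opt, const T &val)
 m_opt_set.insert(opt); // needed for double check when m_multi is false
 return;
 }
-// if multi mode not enabled, fall-through to check for doubled option
-
-default:
-// Check for doubled option
-if (0 < m_opt_set.count(opt))
-{
-std::string msg = "Option ";
-msg += option_name(opt);
-msg += " defined twice";
-throw_error(msg.c_str());
-return;
-}
-m_opt_set.insert(opt);
 }
 
 auto it = options.begin();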
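Review bot: The surviving context line `m_opt_set.insert(opt); // needed for double check when m_multi is false` in the third hunk still refers to the doubled-option check, but that check (the `default:` branch raising "Option ... defined twice") is removed by the same hunk with nothing added in its place, so the comment is stale and, unless duplicate detection moved somewhere outside this diff, an option given twice is no longer rejected. Either update the comment to say why m_opt_set is still maintained, or name where duplicates are caught now. In the second hunk `m_data.m_ssl_ca = true;` is kept although its only visible reader, the switch deleted in the first hunk, is gone; if nothing else reads it the assignment is dead. add_option and both set_option specialisations begin outside their hunks.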
