TLS fixes:

  - don't use password in global context
  - load keys and certs via callback functions
  - don't use gnutls_bye since server is not able to detect dead socket
  - fixed valgrind errors in gnutls

Author: 9EOR9

libmariadb/ma_pvio.c

@@ -521,11 +521,11 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
          ma_pvio_tls_verify_server_cert(pvio->ctls))
     return 1;
 
+
   if (pvio->mysql->options.extension &&
       ((pvio->mysql->options.extension->tls_fp && pvio->mysql->options.extension->tls_fp[0]) ||
       (pvio->mysql->options.extension->tls_fp_list && pvio->mysql->options.extension->tls_fp_list[0])))
   {
-
     if (ma_pvio_tls_check_fp(pvio->ctls, 
           pvio->mysql->options.extension->tls_fp,
           pvio->mysql->options.extension->tls_fp_list))

libmariadb/ma_tls.c

@@ -124,10 +124,10 @@ static my_bool ma_pvio_tls_compare_fp(const char *fp1, unsigned int fp1_len,
 {
   char hexstr[64];
 
+  fp1_len= (unsigned int)mysql_hex_string(hexstr, fp1, fp1_len);
   if (fp1_len != fp2_len)
     return 1;
 
-  fp1_len= (unsigned int)mysql_hex_string(hexstr, fp1, fp1_len);
 #ifdef WIN32
   if (strnicmp(hexstr, fp2, fp1_len) != 0)
 #else
@@ -140,10 +140,12 @@ static my_bool ma_pvio_tls_compare_fp(const char *fp1, unsigned int fp1_len,
 my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_list)
 {
   unsigned int cert_fp_len= 64;
-  char cert_fp[64];
+  char *cert_fp= NULL;
   my_bool rc=1;
   MYSQL *mysql= ctls->pvio->mysql;
 
+  cert_fp= (char *)malloc(cert_fp_len);
+
   if ((cert_fp_len= ma_tls_get_finger_print(ctls, cert_fp, cert_fp_len)) < 1)
     goto end;
   if (fp)
@@ -154,9 +156,7 @@ my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_l
     char buff[255];
 
     if (!(fp = ma_open(fp_list, "r", mysql)))
-    {
-      return 1;
-    }
+      goto end;
 
     while (ma_gets(buff, sizeof(buff)-1, fp))
     {
@@ -181,6 +181,8 @@ my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_l
   }
 
 end:
+  if (cert_fp)
+    free(cert_fp);
   if (rc)
   {
     my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,

libmariadb/secure/gnutls.c

@@ -21,6 +21,7 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#include <gnutls/abstract.h>
 #include <ma_global.h>
 #include <ma_sys.h>
 #include <ma_common.h>
@@ -39,6 +40,12 @@ extern unsigned int mariadb_deinitialize_ssl;
 
 static int my_verify_callback(gnutls_session_t ssl);
 
+struct st_gnutls_data {
+  MYSQL *mysql;
+  gnutls_privkey_t key;
+  gnutls_pcert_st cert;
+};
+
 struct st_cipher_map {
   const char *openssl_name;
   const char *priority;
@@ -96,6 +103,20 @@ const struct st_cipher_map gtls_ciphers[]=
   {NULL, NULL, 0, 0, 0}
 };
 
+/* free data assigned to the connection */
+static void free_gnutls_data(struct st_gnutls_data *data)
+{
+  if (data)
+  {
+    if (data->key)
+      gnutls_privkey_deinit(data->key);
+    gnutls_pcert_deinit(&data->cert);
+    free(data);
+  }
+}
+
+/* map the gnutls cipher suite (defined by key exchange algorithm, cipher
+   and mac algorithm) to the corresponding OpenSSL cipher name */
 static const char *openssl_cipher_name(gnutls_kx_algorithm_t kx,
                                        gnutls_cipher_algorithm_t cipher,
                                        gnutls_mac_algorithm_t mac)
@@ -112,6 +133,7 @@ static const char *openssl_cipher_name(gnutls_kx_algorithm_t kx,
   return NULL;
 }
 
+/* get priority string for a given openssl cipher name */
 static const char *get_priority(const char *cipher_name)
 {
   unsigned int i= 0;
@@ -126,7 +148,7 @@ static const char *get_priority(const char *cipher_name)
 
 #define MAX_SSL_ERR_LEN 100
 
-static void ma_tls_set_error(MYSQL *mysql, int ssl_errno)
+static void ma_tls_set_error(MYSQL *mysql, void *ssl, int ssl_errno)
 {
   char  ssl_error[MAX_SSL_ERR_LEN];
   const char *ssl_error_reason;
@@ -137,6 +159,21 @@ static void ma_tls_set_error(MYSQL *mysql, int ssl_errno)
     pvio->set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, "Unknown SSL error");
     return;
   }
+
+  /* give a more descriptive error message for alerts */
+  if (ssl_errno == GNUTLS_E_FATAL_ALERT_RECEIVED)
+  {
+    gnutls_alert_description_t alert_desc;
+    const char *alert_name;
+    alert_desc= gnutls_alert_get((gnutls_session_t)ssl);
+    alert_name= gnutls_alert_get_name(alert_desc);
+    snprintf(ssl_error, MAX_SSL_ERR_LEN, "fatal alert received: %s",
+             alert_name);
+    pvio->set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, 0, 
+                   ssl_error);
+    return;
+  }
+
   if ((ssl_error_reason= gnutls_strerror(ssl_errno)))
   {
     pvio->set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, 0, 
@@ -249,15 +286,7 @@ static int ma_gnutls_set_ciphers(gnutls_session_t ssl, char *cipher_str)
   while (token)
   {
     const char *p= get_priority(token);
-    /* if cipher was not found, we pass the original token to
-        the priority string, this will allow to specify gnutls
-        specific settings via cipher */
-    if (!p)
-    {
-      strncat(prio, ":", PRIO_SIZE - strlen(prio) - 1);
-      strncat(prio, token, PRIO_SIZE - strlen(prio) - 1);
-    }
-    else 
+    if (p)
       strncat(prio, p, PRIO_SIZE - strlen(prio) - 1);
     token = strtok(NULL, ":");
   }
@@ -266,8 +295,6 @@ static int ma_gnutls_set_ciphers(gnutls_session_t ssl, char *cipher_str)
 
 static int ma_tls_set_certs(MYSQL *mysql)
 {
-  char *certfile= mysql->options.ssl_cert,
-       *keyfile= mysql->options.ssl_key;
   int  ssl_error= 0;
 
   if (mysql->options.ssl_ca)
@@ -282,32 +309,78 @@ static int ma_tls_set_certs(MYSQL *mysql)
   gnutls_certificate_set_verify_function(GNUTLS_xcred,
                                          my_verify_callback);
 
-  /* GNUTLS doesn't support ca_path */
+  return 1;
+
+error:
+  return ssl_error;
+}
+
+static int
+client_cert_callback(gnutls_session_t session,
+                     const gnutls_datum_t * req_ca_rdn __attribute__((unused)),
+                     int nreqs __attribute__((unused)),
+                     const gnutls_pk_algorithm_t * sign_algos __attribute__((unused)),
+                     int sign_algos_length __attribute__((unused)), 
+                     gnutls_pcert_st ** pcert,
+                     unsigned int *pcert_length, gnutls_privkey_t * pkey)
+{
+  struct st_gnutls_data *session_data;
+  char *certfile, *keyfile;
+  gnutls_datum_t data;
+  MYSQL *mysql;
+  gnutls_certificate_type_t type= gnutls_certificate_type_get(session);
+
+  session_data= (struct st_gnutls_data *)gnutls_session_get_ptr(session);
+
+  if (!session_data->mysql ||
+      type != GNUTLS_CRT_X509)
+    return -1;
+
+  mysql= session_data->mysql;
 
+  certfile= session_data->mysql->options.ssl_cert;
+  keyfile= session_data->mysql->options.ssl_key;
+
+  if (!certfile && !keyfile)
+    return 0;
   if (keyfile && !certfile)
     certfile= keyfile;
   if (certfile && !keyfile)
     keyfile= certfile;
 
-  /* set key */
-  if (certfile || keyfile)
+  if (gnutls_load_file(certfile, &data) < 0)
+    return -1;
+  if (gnutls_pcert_import_x509_raw(&session_data->cert, &data, GNUTLS_X509_FMT_PEM, 0) < 0)
   {
-    if ((ssl_error= gnutls_certificate_set_x509_key_file2(GNUTLS_xcred,
-                      certfile, keyfile, GNUTLS_X509_FMT_PEM,
-                      OPT_HAS_EXT_VAL(mysql, tls_pw) ? mysql->options.extension->tls_pw : NULL,
-                      0)) < 0)
-      goto error;
+    gnutls_free(data.data);
+    return -1;
   }
-  return 1;
+  gnutls_free(data.data);
+
+  if (gnutls_load_file(keyfile, &data) < 0)
+    return -1;
+  gnutls_privkey_init(&session_data->key);
+  if (gnutls_privkey_import_x509_raw(session_data->key, &data, 
+            GNUTLS_X509_FMT_PEM,
+            mysql->options.extension ? mysql->options.extension->tls_pw : NULL,
+                                     0) < 0)
+  {
+    gnutls_free(data.data);
+    return -1;
+  }
+  gnutls_free(data.data);
 
-error:
-  return ssl_error;
+  *pcert_length= 1;
+  *pcert= &session_data->cert;
+  *pkey= session_data->key;
+  return 0;
 }
 
 void *ma_tls_init(MYSQL *mysql)
 {
   gnutls_session_t ssl= NULL;
   int ssl_error= 0;
+  struct st_gnutls_data *data= NULL;
 
   pthread_mutex_lock(&LOCK_gnutls_config);
 
@@ -316,19 +389,28 @@ void *ma_tls_init(MYSQL *mysql)
 
   if ((ssl_error = gnutls_init(&ssl, GNUTLS_CLIENT & GNUTLS_NONBLOCK)) < 0)
     goto error;
-  gnutls_session_set_ptr(ssl, (void *)mysql);
+
+  if (!(data= (struct st_gnutls_data *)calloc(1, sizeof(struct st_gnutls_data))))
+    goto error;
+
+  data->mysql= mysql;
+  gnutls_certificate_set_retrieve_function2(GNUTLS_xcred, client_cert_callback);
+  gnutls_session_set_ptr(ssl, (void *)data);
 
   ssl_error= ma_gnutls_set_ciphers(ssl, mysql->options.ssl_cipher);
   if (ssl_error < 0)
     goto error;
 
+  /* we don't load private key and cert by default - if the server requests
+     a client certificate we will send it via callback function */
   if ((ssl_error= gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, GNUTLS_xcred)) < 0)
     goto error;
 
   pthread_mutex_unlock(&LOCK_gnutls_config);
   return (void *)ssl;
 error:
-  ma_tls_set_error(mysql, ssl_error);
+  free_gnutls_data(data);
+  ma_tls_set_error(mysql, ssl, ssl_error);
   if (ssl)
     gnutls_deinit(ssl);
   pthread_mutex_unlock(&LOCK_gnutls_config);
@@ -362,7 +444,9 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
   MYSQL *mysql;
   MARIADB_PVIO *pvio;
   int ret;
-  mysql= (MYSQL *)gnutls_session_get_ptr(ssl);
+  struct st_gnutls_data *data;
+  data= (struct st_gnutls_data *)gnutls_session_get_ptr(ssl);
+  mysql= data->mysql;
 
   if (!mysql)
     return 1;
@@ -386,16 +470,16 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
 
   if (ret < 0)
   {
-    ma_tls_set_error(mysql, ret);
+    ma_tls_set_error(mysql, ssl, ret);
     /* restore blocking mode */
     gnutls_deinit((gnutls_session_t )ctls->ssl);
+    free_gnutls_data(data);
     ctls->ssl= NULL;
     if (!blocking)
       pvio->methods->blocking(pvio, FALSE, 0);
     return 1;
   }
   ctls->ssl= (void *)ssl;
-
   return 0;
 }
 
@@ -413,7 +497,15 @@ my_bool ma_tls_close(MARIADB_TLS *ctls)
 {
   if (ctls->ssl)
   {
-    gnutls_bye((gnutls_session_t )ctls->ssl, GNUTLS_SHUT_WR);
+    MARIADB_PVIO *pvio= ctls->pvio;
+    struct st_gnutls_data *data=
+      (struct st_gnutls_data *)gnutls_session_get_ptr(ctls->ssl);
+    /* this would be the correct way, however can't dectect afterwards
+       if the socket is closed or not, so we don't send encrypted 
+       finish alert.
+    rc= gnutls_bye((gnutls_session_t )ctls->ssl, GNUTLS_SHUT_WR);
+    */
+    free_gnutls_data(data);
     gnutls_deinit((gnutls_session_t )ctls->ssl);
     ctls->ssl= NULL;
   }
@@ -443,14 +535,19 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ctls)
 
 static int my_verify_callback(gnutls_session_t ssl)
 {
-  unsigned int status;
+  unsigned int status= 0;
   const gnutls_datum_t *cert_list;
   unsigned int cert_list_size;
-  MYSQL *mysql= (MYSQL *)gnutls_session_get_ptr(ssl);
-  MARIADB_PVIO *pvio= mysql->net.pvio;
+  struct st_gnutls_data *data= (struct st_gnutls_data *)gnutls_session_get_ptr(ssl);
+  MYSQL *mysql;
+  MARIADB_PVIO *pvio;
+  
   gnutls_x509_crt_t cert;
   const char *hostname;
 
+  mysql= data->mysql;
+  pvio= mysql->net.pvio;
+
   /* read hostname */
   hostname = mysql->host;
 
@@ -518,11 +615,13 @@ unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, char *fp, unsigned int l
   size_t fp_len= len;
   const gnutls_datum_t *cert_list;
   unsigned int cert_list_size;
+  struct st_gnutls_data *data;
 
   if (!ctls || !ctls->ssl)
     return 0;
 
-  mysql= (MYSQL *)gnutls_session_get_ptr(ctls->ssl);
+  data= (struct st_gnutls_data *)gnutls_session_get_ptr(ctls->ssl);
+  mysql= (MYSQL *)data->mysql;
 
   cert_list = gnutls_certificate_get_peers (ctls->ssl, &cert_list_size);
   if (cert_list == NULL)