Added MySQL SSL support.
authorTimo Sirainen <tss@iki.fi>
Mon, 26 Jul 2004 17:06:34 +0000 (20:06 +0300)
committerTimo Sirainen <tss@iki.fi>
Mon, 26 Jul 2004 17:06:34 +0000 (20:06 +0300)
--HG--
branch : HEAD

configure.in
doc/dovecot-mysql.conf
src/auth/db-mysql.c
src/auth/db-mysql.h

index cc85ea4831ff0498a26efd7ae0ddd32f8bbbfe7a..176164d1c065415ee9bea3557d981a1fcdd0428e 100644 (file)
@@ -1119,15 +1119,33 @@ if test $want_pgsql = yes; then
 fi
 
 if test $want_mysql = yes; then
+       mysql_header=mysql.h
        AC_CHECK_LIB(mysqlclient, mysql_init, [
                AC_CHECK_HEADER(mysql.h,, [
                        AC_CHECK_HEADER(mysql/mysql.h, [
+                               mysql_header=mysql/mysql.h
                                AUTH_CFLAGS="$AUTH_CFLAGS -DHAVE_MYSQL_MYSQL_H"
                        ], want_mysql=no)
                ])
        ], want_mysql=no)
 
        if test $want_mysql = yes; then
+               AC_CHECK_LIB(mysqlclient, mysql_ssl_set, [
+                       AC_DEFINE(HAVE_MYSQL_SSL,, Define if your MySQL library has SSL functions)
+                       if test "x$have_openssl" = "yes"; then
+                         ssl_define="#define HAVE_OPENSSL"
+                       else
+                         ssl_define=""
+                       fi
+                       AC_TRY_COMPILE([
+                         $ssl_define
+                         #include <$mysql_header>
+                       ], [
+                         mysql_set_ssl(0, 0, 0, 0, 0, 0);
+                       ], [
+                               AC_DEFINE(HAVE_MYSQL_SSL_CIPHER,, Define if your MySQL library supports setting cipher)
+                       ])
+               ])
                AUTH_LIBS="$AUTH_LIBS -lmysqlclient"
 
                AC_DEFINE(USERDB_MYSQL,, Build with MySQL support)
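Review bot: The cipher probe inside the added AC_TRY_COMPILE calls `mysql_set_ssl`, but the function checked by AC_CHECK_LIB just above and called in db-mysql.c is `mysql_ssl_set`. The probe therefore tests an undeclared name: a compiler that accepts implicit declarations passes it whatever the real signature is, and a strict one always fails it. Either way HAVE_MYSQL_SSL_CIPHER stops reflecting whether the six-argument form exists, so `ssl_cipher` may be dropped silently or the build may break; the probe should read `mysql_ssl_set(0, 0, 0, 0, 0, 0);`. The OpenSSL test also compares `"x$have_openssl"` with `"yes"`, which can never match, and should be `if test "x$have_openssl" = "xyes"; then`.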
index 60c774db14d88cecee7d78c81a96388359006c38..4ade5be36825618c72bc608db537953c0bc9fd79 100644 (file)
@@ -28,6 +28,17 @@ db_user = dovecot-db
 db_passwd = opensesame
 db_client_flags = 0
 
+# Parameters for SSL connection to MySQL 4.x
+#
+# Only ssl_ca or ssl_ca_path is required. Set ssl_cert and ssl_key 
+# to use x509 authentication instead of username/password pair.
+
+#ssl_cert = /etc/mysql/ssl/client-cert.pem
+#ssl_key = /etc/mysql/ssl/client-key.pem
+#ssl_ca = /etc/mysql/ssl/cacert.pem
+#ssl_ca_path = /etc/mysql/ssl/
+#ssl_cipher = HIGH
+
 # Default password scheme.
 #
 # Currently supported schemes include PLAIN, PLAIN-MD5, DIGEST-MD5, and CRYPT.
index 8f7ecee3d77c4e97364d887745f2c1f318556a3a..56163d16c557cf111ae73f81ae82c186c8079d58 100644 (file)
@@ -3,7 +3,8 @@
 #include "config.h"
 #undef HAVE_CONFIG_H
 
-#if defined(PASSDB_MYSQL) || defined(USERDB_MYSQL)
+//#if defined(PASSDB_MYSQL) || defined(USERDB_MYSQL)
+#if 1
 #include "common.h"
 #include "network.h"
 #include "str.h"
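Review bot: The `#if 1` that replaces the `PASSDB_MYSQL`/`USERDB_MYSQL` guard looks like a debugging leftover. It compiles the whole MySQL backend even when configure has disabled it, so a build without the MySQL headers will presumably fail, and the commented-out `//#if` line is left behind as dead code. Restore the original guard, `#if defined(PASSDB_MYSQL) || defined(USERDB_MYSQL)`. The matching `#endif` is outside this hunk.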
@@ -24,6 +25,11 @@ static struct setting_def setting_defs[] = {
        DEF(SET_STR, db_user),
        DEF(SET_STR, db_passwd),
        DEF(SET_INT, db_client_flags),
+       DEF(SET_STR, ssl_key),
+       DEF(SET_STR, ssl_cert),
+       DEF(SET_STR, ssl_ca),
+       DEF(SET_STR, ssl_ca_path),
+       DEF(SET_STR, ssl_cipher),
        DEF(SET_STR, password_query),
        DEF(SET_STR, user_query),
        DEF(SET_STR, default_pass_scheme)
@@ -37,6 +43,11 @@ struct mysql_settings default_mysql_settings = {
        MEMBER(db_user) NULL,
        MEMBER(db_passwd) NULL,
        MEMBER(db_client_flags) 0,
+       MEMBER(ssl_key) NULL,
+       MEMBER(ssl_cert) NULL,
+       MEMBER(ssl_ca) NULL,
+       MEMBER(ssl_ca_path) NULL,
+       MEMBER(ssl_cipher) "HIGH",
        MEMBER(password_query) "SELECT password FROM users WHERE userid = '%u'",
        MEMBER(user_query) "SELECT home, uid, gid FROM users WHERE userid = '%u'",
        MEMBER(default_pass_scheme) "PLAIN-MD5"
@@ -102,6 +113,8 @@ void db_mysql_query(struct mysql_connection *conn, const char *query,
 
 static int mysql_conn_open(struct mysql_connection *conn)
 {
+       int use_ssl = FALSE;
+
        if (conn->connected)
                return TRUE;
 
@@ -113,6 +126,20 @@ static int mysql_conn_open(struct mysql_connection *conn)
                }
        }
 
+#ifdef HAVE_MYSQL_SSL
+       if (conn->set.ssl_ca != NULL || conn->set.ssl_ca_path != NULL) {
+               mysql_ssl_set(conn->mysql, conn->set.ssl_key,
+                             conn->set.ssl_cert,
+                             conn->set.ssl_ca,
+                             conn->set.ssl_ca_path
+#ifdef HAVE_MYSQL_SSL_CIPHER
+                             ,conn->set.ssl_cipher
+#endif
+                            );
+               use_ssl = TRUE;
+       }
+#endif
+
        if (mysql_real_connect(conn->mysql, conn->set.db_host,
                               conn->set.db_user, conn->set.db_passwd,
                               conn->set.db,
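Review bot: When HAVE_MYSQL_SSL is not defined, a configured `ssl_ca` or `ssl_ca_path` is ignored without any message, and the connection, including `db_user`/`db_passwd`, is made unencrypted. An `#else` branch should refuse to connect in that case, for example `if (conn->set.ssl_ca != NULL || conn->set.ssl_ca_path != NULL) { i_error("MySQL: SSL settings given, but SSL support is not compiled in"); return FALSE; }`. The same silent skip applies when only `ssl_key`/`ssl_cert` are set without a CA, even though the sample config describes them as the x509 login. Nothing in the hunk checks the negotiated state after `mysql_ssl_set`, so it is worth confirming that the client library fails the connection rather than falling back to plaintext when the server does not offer SSL. mysql_conn_open starts and ends outside this hunk.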
@@ -123,7 +150,8 @@ static int mysql_conn_open(struct mysql_connection *conn)
                        conn->set.db, mysql_error(conn->mysql));
        } else {
                conn->connected = TRUE;
-               i_info("MySQL: connected to %s", conn->set.db_host);
+               i_info("MySQL: connected to %s%s", conn->set.db_host,
+                      use_ssl ? "using SSL" : "");
        }
        
        return conn->connected;
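Review bot: The added suffix `"using SSL"` has no leading space, so the message reads `connected to <host>using SSL`; it should be `use_ssl ? " using SSL" : ""`. `use_ssl` records only that SSL parameters were handed to `mysql_ssl_set`, not that the session was actually encrypted, so this log line can overstate the protection. Wording such as `" (SSL requested)"` would be accurate unless the negotiated state is queried after `mysql_real_connect`. The function body begins outside this hunk.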
index 85f405103a26fb6021cc9760382f44b353630219..643411a2fb34165e062e8f77ea55f3998346edf1 100644 (file)
@@ -24,6 +24,11 @@ struct mysql_settings {
        const char *db_user;
        const char *db_passwd;
        unsigned int db_client_flags;
+       const char *ssl_key;
+       const char *ssl_cert;
+       const char *ssl_ca;
+       const char *ssl_ca_path;
+       const char *ssl_cipher;
        const char *password_query;
        const char *user_query;
        const char *default_pass_scheme;