Add support for encrypted connections to mysql (gophish#1460)

Cloudstek · Jun 4, 2019 · 26d99b5 · 26d99b5
1 parent a1a2de1
commit 26d99b5
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/config/config.go b/config/config.go
@@ -32,6 +32,7 @@ type Config struct {
 	PhishConf      PhishServer   `json:"phish_server"`
 	DBName         string        `json:"db_name"`
 	DBPath         string        `json:"db_path"`
+	DBSSLCaPath    string        `json:"db_sslca_path"`
 	MigrationsPath string        `json:"migrations_prefix"`
 	TestFlag       bool          `json:"test_flag"`
 	ContactAddress string        `json:"contact_address"`

diff --git a/models/models.go b/models/models.go
@@ -5,10 +5,13 @@ import (
 	"fmt"
 	"io"
 	"time"
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
 
 	"bitbucket.org/liamstask/goose/lib/goose"
 
-	_ "github.com/go-sql-driver/mysql" // Blank import needed to import mysql
+	mysql "github.com/go-sql-driver/mysql"
 	"github.com/gophish/gophish/config"
 	log "github.com/gophish/gophish/logger"
 	"github.com/jinzhu/gorm"
@@ -96,6 +99,30 @@ func Setup(c *config.Config) error {
 		log.Error(err)
 		return err
 	}
+
+	// Register certificates for tls encrypted db connections
+	if conf.DBSSLCaPath != "" {
+		switch conf.DBName {
+		case "mysql":
+			rootCertPool := x509.NewCertPool()
+			pem, err := ioutil.ReadFile(conf.DBSSLCaPath)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+				log.Error("Failed to append PEM.")
+				return err
+			}
+			mysql.RegisterTLSConfig("ssl_ca", &tls.Config{
+				RootCAs: rootCertPool,
+			})
+			// Default database is sqlite3, which supports no tls, as connection
+			// is file based
+		default:
+		}
+	}
+
 	// Open our database connection
 	i := 0
 	for {