CONC-413: Add test for checking IP in peer cert SAN

2025-08-07 02:42:49 +03:00 · 2024-12-09 13:13:22 +01:00
parent a7802f7979
commit 80ec04f116
2 changed files with 36 additions and 0 deletions
--- a/unittest/libmariadb/tls.c.in
+++ b/unittest/libmariadb/tls.c.in
@@ -781,12 +781,40 @@ end:
  return rc;
 }

+static int test_cert_ip(MYSQL *my __attribute((unused)))
+{
+  char dummy_options[128];
+  MYSQL *mysql= mysql_init(NULL);
+
+  snprintf(dummy_options, 128, "CMD:create_new=True SAN='IP.1:%s'", tls_dummy_host);
+  if (set_tls_dummy_options(dummy_options))
+  {
+    diag("Error when setting TLS options");
+    return FAIL;
+  }
+  mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
+  set_verify(mysql, 1);
+  mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handshake);
+
+  if (!my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0))
+  {
+    CHECK_NO_TLS_FLAG(mysql, MARIADB_TLS_VERIFY_HOST, "Hostname verification didn't pass");
+    mysql_close(mysql);
+  } else {
+    mysql_close(mysql);
+    return FAIL;
+  }
+
+  return OK;
+}
+

 struct my_tests_st my_tests[] = {
  /* Don't add test above, test_init needs to be run first */
  {"test_start_tls_server", test_start_tls_server, TEST_CONNECTION_NONE, 0, NULL, NULL},
  {"test_init", test_init, TEST_CONNECTION_NONE, 0, NULL, NULL},
  /* Here you can add more tests */
+  {"test_cert_ip", test_cert_ip, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_fp_and_verify", test_fp_and_verify, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_env_var", test_env_var, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_cert_wildcard", test_cert_wildcard, TEST_CONNECTION_NEW, 0, NULL, NULL},
--- a/unittest/libmariadb/tls_server.py
+++ b/unittest/libmariadb/tls_server.py
@@ -42,6 +42,7 @@ class TlsServer():
                      create_crl=False,
                      emailAddress="emailAddress",
                      commonName="commonName",
+                      SAN=None,
                      countryName="NT",
                      localityName="localityName",
                      stateOrProvinceName="stateOrProvinceName",
@@ -76,6 +77,13 @@ class TlsServer():
                cert.gmtime_adj_notBefore(validityStartInSeconds)
                cert.gmtime_adj_notAfter(validityEndInSeconds)
                cert.set_issuer(cert.get_subject())
+                if SAN:
+                   print(SAN)
+                   san_list= [SAN,]
+                   cert.add_extensions([
+                      crypto.X509Extension(
+                      b"subjectAltName", False, "," . join(san_list).encode()
+                   )])
                cert.set_pubkey(k)
                cert.sign(k, 'sha512')
                with open(CERT_FILE, "wt") as f: