diff --git a/.gitignore b/.gitignore index 5bfd5555..989cfd5a 100644 --- a/.gitignore +++ b/.gitignore @@ -84,7 +84,6 @@ unittest/libmariadb/rpl_api unittest/libmariadb/sp unittest/libmariadb/sqlite3 unittest/libmariadb/ssl -unittest/libmariadb/ssl.c unittest/libmariadb/t_aurora unittest/libmariadb/t_conc173 unittest/libmariadb/thread diff --git a/unittest/libmariadb/CMakeLists.txt b/unittest/libmariadb/CMakeLists.txt index 2805a1fb..1d47a06a 100644 --- a/unittest/libmariadb/CMakeLists.txt +++ b/unittest/libmariadb/CMakeLists.txt @@ -38,21 +38,11 @@ SET(MANUAL_TESTS "t_aurora" "t_conc173" "rpl_api") # Get finger print from server certificate IF(WITH_SSL) IF(CERT_PATH) - IF(EXISTS ${CERT_PATH}/server-cert.sha1) - FILE(READ ${CERT_PATH}/server-cert.sha1 CERT_FINGER_PRINT) - STRING(REPLACE "\n" "" CERT_FINGER_PRINT "${CERT_FINGER_PRINT}") - ADD_DEFINITIONS(-DTEST_SSL_SHA1) - ENDIF() - IF(EXISTS ${CERT_PATH}/client-key-enc.pem) - ADD_DEFINITIONS(-DTEST_SSL_PASSPHRASE) - ENDIF() SET(API_TESTS ${API_TESTS} "ssl") IF(WIN32) STRING(REPLACE "\\" "\\\\" CERT_PATH ${CERT_PATH}) ENDIF() - CONFIGURE_FILE(${CC_SOURCE_DIR}/unittest/libmariadb/ssl.c.in - ${CC_BINARY_DIR}/unittest/libmariadb/ssl.c) - ADD_EXECUTABLE(ssl ${CC_BINARY_DIR}/unittest/libmariadb/ssl.c) + ADD_DEFINITIONS(-DCERT_PATH="${CERT_PATH}") ENDIF() ENDIF() diff --git a/unittest/libmariadb/ssl.c.in b/unittest/libmariadb/ssl.c similarity index 97% rename from unittest/libmariadb/ssl.c.in rename to unittest/libmariadb/ssl.c index bd4760cd..51f358ee 100644 --- a/unittest/libmariadb/ssl.c.in +++ b/unittest/libmariadb/ssl.c @@ -44,9 +44,21 @@ char sslkey[FNLEN]; char sslkey_enc[FNLEN]; char sslca[FNLEN]; char sslcrl[FNLEN]; +char ssl_cert_finger_print[129]= {0}; +char bad_cert_finger_print[]= "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67"; pthread_mutex_t LOCK_test; +void read_fingerprint() +{ + FILE *f= fopen(CERT_PATH "/server-cert.sha1", "r"); + if (f) + { + fscanf(f, "%128s", ssl_cert_finger_print); + fclose(f); + } +} + int check_skip_ssl() { const char *ssldir= NULL; @@ -61,7 +73,7 @@ int check_skip_ssl() } if (!(ssldir= getenv("SECURE_LOAD_PATH"))) { - ssldir= "@CERT_PATH@"; + ssldir= CERT_PATH; if (!strlen(ssldir)) { diag("certificate directory not found"); @@ -436,10 +448,6 @@ static int test_password_protected(MYSQL *unused __attribute__((unused))) if (check_skip_ssl()) return SKIP; -#ifndef TEST_SSL_PASSPHRASE - return SKIP; -#endif - mysql= mysql_init(NULL); FAIL_IF(!mysql, "Can't allocate memory"); @@ -784,8 +792,6 @@ static int test_conc_102(MYSQL *mysql) return OK; } -const char *ssl_cert_finger_print= "@CERT_FINGER_PRINT@"; - static int test_ssl_fp(MYSQL *unused __attribute__((unused))) { MYSQL *my; @@ -796,22 +802,16 @@ static int test_ssl_fp(MYSQL *unused __attribute__((unused))) if (check_skip_ssl()) return SKIP; -#ifndef TEST_SSL_SHA1 - diag("Fingerprint of server certificate not found"); - return SKIP; -#endif - - if (!ssl_cert_finger_print[0]) - { - diag("No fingerprint available"); - return SKIP; - } - my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); mysql_ssl_set(my,0, 0, sslca, 0, 0); + mysql_options(my, MARIADB_OPT_SSL_FP, bad_cert_finger_print); + + FAIL_IF(mysql_real_connect(my, hostname, username, password, schema, + port, socketname, 0), mysql_error(my)); + mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print); FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema, @@ -843,21 +843,12 @@ static int test_ssl_fp_list(MYSQL *unused __attribute__((unused))) if (check_skip_ssl()) return SKIP; -#ifndef TEST_SSL_SHA1 - diag("Fingerprint of server certificate not found"); - return SKIP; -#endif - if (!ssl_cert_finger_print[0]) - { - diag("No fingerprint available"); - return SKIP; - } my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); mysql_ssl_set(my,0, 0, sslca, 0, 0); - mysql_options(my, MARIADB_OPT_SSL_FP_LIST, "@CERT_PATH@/server-cert.sha1"); + mysql_options(my, MARIADB_OPT_SSL_FP_LIST, CERT_PATH "/server-cert.sha1"); if(!mysql_real_connect(my, hostname, username, password, schema, port, socketname, 0)) @@ -1200,16 +1191,6 @@ static int test_conc286(MYSQL *unused __attribute__((unused))) if (check_skip_ssl()) return SKIP; -#ifndef TEST_SSL_SHA1 - diag("Fingerprint of server certificate not found"); - return SKIP; -#endif - - if (!ssl_cert_finger_print[0]) - { - diag("No fingerprint available"); - return SKIP; - } my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); @@ -1304,16 +1285,6 @@ static int test_mdev14101(MYSQL *my __attribute__((unused))) static int test_conc386(MYSQL *mysql) { -#ifdef WIN32 - if (_access(sslcombined, 0) == -1) -#else - if (access(sslcombined, R_OK) != 0) -#endif - { - diag("combined cert/key file not found"); - return SKIP; - } - mysql= mysql_init(NULL); mysql_ssl_set(mysql, sslcombined, @@ -1325,7 +1296,6 @@ static int test_conc386(MYSQL *mysql) port, socketname, 0), mysql_error(mysql)); FAIL_IF(check_cipher(mysql) != 0, "Invalid cipher"); mysql_close(mysql); - unlink(sslcombined); return OK; } @@ -1347,6 +1317,16 @@ static int test_ssl_verify(MYSQL *my __attribute__((unused))) diag("error expected: %s\n", mysql_error(mysql)); mysql_close(mysql); + /* verify, using system ca should pass */ + setenv("SSL_CERT_DIR", CERT_PATH, 1); + mysql= mysql_init(NULL); + mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce); + mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); + FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema, + port, socketname, 0), mysql_error(mysql)); + mysql_close(mysql); + unsetenv("SSL_CERT_DIR"); + /* verify against local ca, this should pass */ mysql= mysql_init(NULL); mysql_ssl_set(mysql,0, 0, sslca, 0, 0); @@ -1423,6 +1403,7 @@ int main(int argc, char **argv) #endif get_envvars(); + read_fingerprint(); if (argc > 1) get_options(argc, argv);