
ssl unit test fixes

* don't abuse CONFIGURE_FILE
  no need to generate ssl.c during the build
* don't skip tests when the input data is missing
  if the certificate is not found it is not OK
* run-time CERT_PATH is not the same as build-time CERT_PATH
  load server-cert.sha1 at run-time
* test an invalid fingerprint - it has to fail
* do not delete certificates at the end of the test
* test SSL_VERIFY_SERVER_CERT with a system CA
This commit is contained in:
Sergei Golubchik
2020-01-22 16:20:50 +01:00
committed by Georg Richter
parent 8e9c311610
commit 84dc415fce
3 changed files with 31 additions and 61 deletions

.gitignore vendored

@@ -84,7 +84,6 @@ unittest/libmariadb/rpl_api
unittest/libmariadb/sp unittest/libmariadb/sp
unittest/libmariadb/sqlite3 unittest/libmariadb/sqlite3
unittest/libmariadb/ssl unittest/libmariadb/ssl
unittest/libmariadb/ssl.c
unittest/libmariadb/t_aurora unittest/libmariadb/t_aurora
unittest/libmariadb/t_conc173 unittest/libmariadb/t_conc173
unittest/libmariadb/thread unittest/libmariadb/thread


@@ -38,21 +38,11 @@ SET(MANUAL_TESTS "t_aurora" "t_conc173" "rpl_api")
# Get finger print from server certificate # Get finger print from server certificate
IF(WITH_SSL) IF(WITH_SSL)
IF(CERT_PATH) IF(CERT_PATH)
IF(EXISTS ${CERT_PATH}/server-cert.sha1)
FILE(READ ${CERT_PATH}/server-cert.sha1 CERT_FINGER_PRINT)
STRING(REPLACE "\n" "" CERT_FINGER_PRINT "${CERT_FINGER_PRINT}")
ADD_DEFINITIONS(-DTEST_SSL_SHA1)
ENDIF()
IF(EXISTS ${CERT_PATH}/client-key-enc.pem)
ADD_DEFINITIONS(-DTEST_SSL_PASSPHRASE)
ENDIF()
SET(API_TESTS ${API_TESTS} "ssl") SET(API_TESTS ${API_TESTS} "ssl")
IF(WIN32) IF(WIN32)
STRING(REPLACE "\\" "\\\\" CERT_PATH ${CERT_PATH}) STRING(REPLACE "\\" "\\\\" CERT_PATH ${CERT_PATH})
ENDIF() ENDIF()
CONFIGURE_FILE(${CC_SOURCE_DIR}/unittest/libmariadb/ssl.c.in ADD_DEFINITIONS(-DCERT_PATH="${CERT_PATH}")
${CC_BINARY_DIR}/unittest/libmariadb/ssl.c)
ADD_EXECUTABLE(ssl ${CC_BINARY_DIR}/unittest/libmariadb/ssl.c)
ENDIF() ENDIF()
ENDIF() ENDIF()
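Review bot: `ADD_DEFINITIONS(-DCERT_PATH="${CERT_PATH}")` in the replaced CONFIGURE_FILE line is directory-scoped, so every unit test built from this directory now carries CERT_PATH on its compile line rather than only the `ssl` target that reads it. Since `ssl` is now created through the API_TESTS list (the explicit ADD_EXECUTABLE is removed), the definition could be scoped with `TARGET_COMPILE_DEFINITIONS(ssl PRIVATE CERT_PATH="${CERT_PATH}")` placed after that target exists — presumably later in this file, which is outside the hunk, and it needs CMake 2.8.11 or newer. Dropping the build-time checks for server-cert.sha1 and client-key-enc.pem matches the commit's intent, but nothing here records why the path is no longer validated; a one-line comment above the block, `# CERT_PATH is only the compiled-in default; SECURE_LOAD_PATH overrides it at run time`, would tell the next reader where the real lookup happens.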


@@ -44,9 +44,21 @@ char sslkey[FNLEN];
char sslkey_enc[FNLEN]; char sslkey_enc[FNLEN];
char sslca[FNLEN]; char sslca[FNLEN];
char sslcrl[FNLEN]; char sslcrl[FNLEN];
char ssl_cert_finger_print[129]= {0};
char bad_cert_finger_print[]= "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67";
pthread_mutex_t LOCK_test; pthread_mutex_t LOCK_test;
void read_fingerprint()
{
FILE *f= fopen(CERT_PATH "/server-cert.sha1", "r");
if (f)
{
fscanf(f, "%128s", ssl_cert_finger_print);
fclose(f);
}
}
int check_skip_ssl() int check_skip_ssl()
{ {
const char *ssldir= NULL; const char *ssldir= NULL;
@@ -61,7 +73,7 @@ int check_skip_ssl()
} }
if (!(ssldir= getenv("SECURE_LOAD_PATH"))) if (!(ssldir= getenv("SECURE_LOAD_PATH")))
{ {
ssldir= "@CERT_PATH@"; ssldir= CERT_PATH;
if (!strlen(ssldir)) if (!strlen(ssldir))
{ {
diag("certificate directory not found"); diag("certificate directory not found");
@@ -436,10 +448,6 @@ static int test_password_protected(MYSQL *unused __attribute__((unused)))
if (check_skip_ssl()) if (check_skip_ssl())
return SKIP; return SKIP;
#ifndef TEST_SSL_PASSPHRASE
return SKIP;
#endif
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory"); FAIL_IF(!mysql, "Can't allocate memory");
@@ -784,8 +792,6 @@ static int test_conc_102(MYSQL *mysql)
return OK; return OK;
} }
const char *ssl_cert_finger_print= "@CERT_FINGER_PRINT@";
static int test_ssl_fp(MYSQL *unused __attribute__((unused))) static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
{ {
MYSQL *my; MYSQL *my;
@@ -796,22 +802,16 @@ static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
if (check_skip_ssl()) if (check_skip_ssl())
return SKIP; return SKIP;
#ifndef TEST_SSL_SHA1
diag("Fingerprint of server certificate not found");
return SKIP;
#endif
if (!ssl_cert_finger_print[0])
{
diag("No fingerprint available");
return SKIP;
}
my= mysql_init(NULL); my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed"); FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0); mysql_ssl_set(my,0, 0, sslca, 0, 0);
mysql_options(my, MARIADB_OPT_SSL_FP, bad_cert_finger_print);
FAIL_IF(mysql_real_connect(my, hostname, username, password, schema,
port, socketname, 0), mysql_error(my));
mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print); mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print);
FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema, FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema,
@@ -843,21 +843,12 @@ static int test_ssl_fp_list(MYSQL *unused __attribute__((unused)))
if (check_skip_ssl()) if (check_skip_ssl())
return SKIP; return SKIP;
#ifndef TEST_SSL_SHA1
diag("Fingerprint of server certificate not found");
return SKIP;
#endif
if (!ssl_cert_finger_print[0])
{
diag("No fingerprint available");
return SKIP;
}
my= mysql_init(NULL); my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed"); FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0); mysql_ssl_set(my,0, 0, sslca, 0, 0);
mysql_options(my, MARIADB_OPT_SSL_FP_LIST, "@CERT_PATH@/server-cert.sha1"); mysql_options(my, MARIADB_OPT_SSL_FP_LIST, CERT_PATH "/server-cert.sha1");
if(!mysql_real_connect(my, hostname, username, password, schema, if(!mysql_real_connect(my, hostname, username, password, schema,
port, socketname, 0)) port, socketname, 0))
@@ -1200,16 +1191,6 @@ static int test_conc286(MYSQL *unused __attribute__((unused)))
if (check_skip_ssl()) if (check_skip_ssl())
return SKIP; return SKIP;
#ifndef TEST_SSL_SHA1
diag("Fingerprint of server certificate not found");
return SKIP;
#endif
if (!ssl_cert_finger_print[0])
{
diag("No fingerprint available");
return SKIP;
}
my= mysql_init(NULL); my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed"); FAIL_IF(!my, "mysql_init() failed");
@@ -1304,16 +1285,6 @@ static int test_mdev14101(MYSQL *my __attribute__((unused)))
static int test_conc386(MYSQL *mysql) static int test_conc386(MYSQL *mysql)
{ {
#ifdef WIN32
if (_access(sslcombined, 0) == -1)
#else
if (access(sslcombined, R_OK) != 0)
#endif
{
diag("combined cert/key file not found");
return SKIP;
}
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
mysql_ssl_set(mysql, mysql_ssl_set(mysql,
sslcombined, sslcombined,
@@ -1325,7 +1296,6 @@ static int test_conc386(MYSQL *mysql)
port, socketname, 0), mysql_error(mysql)); port, socketname, 0), mysql_error(mysql));
FAIL_IF(check_cipher(mysql) != 0, "Invalid cipher"); FAIL_IF(check_cipher(mysql) != 0, "Invalid cipher");
mysql_close(mysql); mysql_close(mysql);
unlink(sslcombined);
return OK; return OK;
} }
@@ -1347,6 +1317,16 @@ static int test_ssl_verify(MYSQL *my __attribute__((unused)))
diag("error expected: %s\n", mysql_error(mysql)); diag("error expected: %s\n", mysql_error(mysql));
mysql_close(mysql); mysql_close(mysql);
/* verify, using system ca should pass */
setenv("SSL_CERT_DIR", CERT_PATH, 1);
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
port, socketname, 0), mysql_error(mysql));
mysql_close(mysql);
unsetenv("SSL_CERT_DIR");
/* verify against local ca, this should pass */ /* verify against local ca, this should pass */
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
mysql_ssl_set(mysql,0, 0, sslca, 0, 0); mysql_ssl_set(mysql,0, 0, sslca, 0, 0);
@@ -1423,6 +1403,7 @@ int main(int argc, char **argv)
#endif #endif
get_envvars(); get_envvars();
read_fingerprint();
if (argc > 1) if (argc > 1)
get_options(argc, argv); get_options(argc, argv);
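Review bot: read_fingerprint() in the first hunk of ssl.c still swallows a missing or empty server-cert.sha1: a failed fopen() is skipped silently by `if (f)` and the fscanf() return value is never checked, so ssl_cert_finger_print stays all-zero and the fingerprint tests appear to fall through to a SKIP with only "No fingerprint available" (the rendered page does not show whether that `if (!ssl_cert_finger_print[0])` block is added or kept) — at odds with the commit's own "if the certificate is not found it is not OK". Reporting both failures through diag() with the path, and clearing the buffer on a short read, makes a broken test setup visible instead of silently downgrading a certificate-pinning test to a skip; the rewrite is below. Separately, the new setenv()/unsetenv() calls in test_ssl_verify are POSIX-only while this file already carries `#ifdef WIN32` branches (the removed _access block), so they likely will not build with MSVC unless a shim exists elsewhere in the file, and SSL_CERT_DIR is an OpenSSL lookup path — whether the other TLS backends of this connector honour it is not visible here and should be confirmed before relying on the "system CA" case passing.

```c
void read_fingerprint()
{
  FILE *f= fopen(CERT_PATH "/server-cert.sha1", "r");
  if (!f)
  {
    diag("cannot open " CERT_PATH "/server-cert.sha1");
    return;
  }
  /* buffer is 129 bytes: 128 chars + NUL, matching the %128s width */
  if (fscanf(f, "%128s", ssl_cert_finger_print) != 1)
  {
    diag("no fingerprint found in " CERT_PATH "/server-cert.sha1");
    ssl_cert_finger_print[0]= 0;
  }
  fclose(f);
}
```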