ssl unit test fixes

* don't abuse CONFIGURE_FILE
  no need to generate ssl.c during the build
* don't skip tests when the input data is missing
  if the certificate is not found it is not OK
* run-time CERT_PATH is not the same as build-time CERT_PATH
  load server-cert.sha1 at run-time
* test an invalid fingerprint - it has to fail
* do not delete certificates at the end of the test
* test SSL_VERIFY_SERVER_CERT with a system CA

.gitignore

@@ -84,7 +84,6 @@ unittest/libmariadb/rpl_api
 unittest/libmariadb/sp
 unittest/libmariadb/sqlite3
 unittest/libmariadb/ssl
-unittest/libmariadb/ssl.c
 unittest/libmariadb/t_aurora
 unittest/libmariadb/t_conc173
 unittest/libmariadb/thread

unittest/libmariadb/CMakeLists.txt

@@ -38,21 +38,11 @@ SET(MANUAL_TESTS "t_aurora" "t_conc173" "rpl_api")
 # Get finger print from server certificate
 IF(WITH_SSL)
   IF(CERT_PATH)
-    IF(EXISTS ${CERT_PATH}/server-cert.sha1)
-      FILE(READ ${CERT_PATH}/server-cert.sha1 CERT_FINGER_PRINT)
-      STRING(REPLACE "\n" "" CERT_FINGER_PRINT "${CERT_FINGER_PRINT}")
-      ADD_DEFINITIONS(-DTEST_SSL_SHA1)
-    ENDIF()
-    IF(EXISTS ${CERT_PATH}/client-key-enc.pem)
-      ADD_DEFINITIONS(-DTEST_SSL_PASSPHRASE)
-    ENDIF()
     SET(API_TESTS ${API_TESTS} "ssl")
     IF(WIN32)
       STRING(REPLACE "\\" "\\\\" CERT_PATH ${CERT_PATH})
     ENDIF()
-    CONFIGURE_FILE(${CC_SOURCE_DIR}/unittest/libmariadb/ssl.c.in
-                   ${CC_BINARY_DIR}/unittest/libmariadb/ssl.c)
-    ADD_EXECUTABLE(ssl ${CC_BINARY_DIR}/unittest/libmariadb/ssl.c)
+    ADD_DEFINITIONS(-DCERT_PATH="${CERT_PATH}")
   ENDIF()
 ENDIF()
 

unittest/libmariadb/ssl.c

@@ -44,9 +44,21 @@ char sslkey[FNLEN];
 char sslkey_enc[FNLEN];
 char sslca[FNLEN];
 char sslcrl[FNLEN];
+char ssl_cert_finger_print[129]= {0};
+char bad_cert_finger_print[]= "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67";
 
 pthread_mutex_t LOCK_test;
 
+void read_fingerprint()
+{
+  FILE *f= fopen(CERT_PATH "/server-cert.sha1", "r");
+  if (f)
+  {
+    fscanf(f, "%128s", ssl_cert_finger_print);
+    fclose(f);
+  }
+}
+
 int check_skip_ssl()
 {
   const char *ssldir= NULL;
@@ -61,7 +73,7 @@ int check_skip_ssl()
   }
   if (!(ssldir= getenv("SECURE_LOAD_PATH")))
   {
-    ssldir= "@CERT_PATH@";
+    ssldir= CERT_PATH;
     if (!strlen(ssldir))
     {
       diag("certificate directory not found");
@@ -436,10 +448,6 @@ static int test_password_protected(MYSQL *unused __attribute__((unused)))
   if (check_skip_ssl())
     return SKIP;
 
-#ifndef TEST_SSL_PASSPHRASE
-  return SKIP;
-#endif
-
   mysql= mysql_init(NULL);
   FAIL_IF(!mysql, "Can't allocate memory");
 
@@ -784,8 +792,6 @@ static int test_conc_102(MYSQL *mysql)
   return OK;
 }
 
-const char *ssl_cert_finger_print= "@CERT_FINGER_PRINT@";
-
 static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
 {
   MYSQL *my;
@@ -796,22 +802,16 @@ static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
   if (check_skip_ssl())
     return SKIP;
 
-#ifndef TEST_SSL_SHA1
-  diag("Fingerprint of server certificate not found");
-  return SKIP;
-#endif
-
-  if (!ssl_cert_finger_print[0])
-  {
-    diag("No fingerprint available");
-    return SKIP;
-  }
-
   my= mysql_init(NULL);
   FAIL_IF(!my, "mysql_init() failed");
 
   mysql_ssl_set(my,0, 0, sslca, 0, 0);
 
+  mysql_options(my, MARIADB_OPT_SSL_FP, bad_cert_finger_print);
+
+  FAIL_IF(mysql_real_connect(my, hostname, username, password, schema,
+                             port, socketname, 0), mysql_error(my));
+
   mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print);
 
   FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema,
@@ -843,21 +843,12 @@ static int test_ssl_fp_list(MYSQL *unused __attribute__((unused)))
   if (check_skip_ssl())
     return SKIP;
 
-#ifndef TEST_SSL_SHA1
-  diag("Fingerprint of server certificate not found");
-  return SKIP;
-#endif
-  if (!ssl_cert_finger_print[0])
-  {
-    diag("No fingerprint available");
-    return SKIP;
-  }
   my= mysql_init(NULL);
   FAIL_IF(!my, "mysql_init() failed");
 
   mysql_ssl_set(my,0, 0, sslca, 0, 0);
 
-  mysql_options(my, MARIADB_OPT_SSL_FP_LIST, "@CERT_PATH@/server-cert.sha1");
+  mysql_options(my, MARIADB_OPT_SSL_FP_LIST, CERT_PATH "/server-cert.sha1");
 
   if(!mysql_real_connect(my, hostname, username, password, schema,
                          port, socketname, 0))
@@ -1200,16 +1191,6 @@ static int test_conc286(MYSQL *unused __attribute__((unused)))
   if (check_skip_ssl())
     return SKIP;
 
-#ifndef TEST_SSL_SHA1
-  diag("Fingerprint of server certificate not found");
-  return SKIP;
-#endif
-
-  if (!ssl_cert_finger_print[0])
-  {
-    diag("No fingerprint available");
-    return SKIP;
-  }
   my= mysql_init(NULL);
   FAIL_IF(!my, "mysql_init() failed");
 
@@ -1304,16 +1285,6 @@ static int test_mdev14101(MYSQL *my __attribute__((unused)))
 
 static int test_conc386(MYSQL *mysql)
 {
-#ifdef WIN32
-  if (_access(sslcombined, 0) == -1)
-#else
-  if (access(sslcombined, R_OK) != 0)
-#endif
-  {
-    diag("combined cert/key file not found");
-    return SKIP;
-  }
-
   mysql= mysql_init(NULL);
   mysql_ssl_set(mysql,
                 sslcombined,
@@ -1325,7 +1296,6 @@ static int test_conc386(MYSQL *mysql)
                          port, socketname, 0), mysql_error(mysql));
   FAIL_IF(check_cipher(mysql) != 0, "Invalid cipher");
   mysql_close(mysql);
-  unlink(sslcombined);
   return OK;
 }
 
@@ -1347,6 +1317,16 @@ static int test_ssl_verify(MYSQL *my __attribute__((unused)))
   diag("error expected: %s\n", mysql_error(mysql));
   mysql_close(mysql);
 
+  /* verify, using system ca should pass */
+  setenv("SSL_CERT_DIR", CERT_PATH, 1);
+  mysql= mysql_init(NULL);
+  mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
+  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
+  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
+                         port, socketname, 0), mysql_error(mysql));
+  mysql_close(mysql);
+  unsetenv("SSL_CERT_DIR");
+
   /* verify against local ca, this should pass */
   mysql= mysql_init(NULL);
   mysql_ssl_set(mysql,0, 0, sslca, 0, 0);
@@ -1423,6 +1403,7 @@ int main(int argc, char **argv)
 #endif
 
   get_envvars();
+  read_fingerprint();
 
   if (argc > 1)
     get_options(argc, argv);