
MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default

because the default value of every option is 0
(option and option.extension are bzero-ed to reset),
tls_verify_server_cert was renamed to tls_allow_invalid_server_cert
with the default value of 0, "do not allow".

API didn't change, it's still MYSQL_OPT_SSL_VERIFY_SERVER_CERT
Sergei Golubchik
2023-08-30 14:39:05 +02:00
parent fcef411ecb
commit 8dffd56936
8 changed files with 17 additions and 15 deletions


@@ -86,7 +86,7 @@ struct st_mysql_options_extension {
unsigned short rpl_port; unsigned short rpl_port;
void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...); void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...);
void *status_data; void *status_data;
my_bool tls_verify_server_cert; my_bool tls_allow_invalid_server_cert;
}; };
typedef struct st_connection_handler typedef struct st_connection_handler
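Review bot: The renamed field on the `my_bool tls_allow_invalid_server_cert;` line carries no comment, and because it is now stored with the opposite polarity of the public option MYSQL_OPT_SSL_VERIFY_SERVER_CERT, a reader of the header cannot tell why the name is negated. I would put `/* inverted MYSQL_OPT_SSL_VERIFY_SERVER_CERT: the zeroed default of this struct means "verify the server certificate" (MDEV-31857) */` above it. The field keeps its position and type, so the struct layout looks unchanged, though the rest of st_mysql_options_extension is outside this hunk.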


@@ -544,7 +544,7 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
2. verify CN (requires option ssl_verify_check) 2. verify CN (requires option ssl_verify_check)
3. verrify finger print 3. verrify finger print
*/ */
if (pvio->mysql->options.extension->tls_verify_server_cert && if (!pvio->mysql->options.extension->tls_allow_invalid_server_cert &&
!pvio->mysql->net.tls_self_signed_error && !pvio->mysql->net.tls_self_signed_error &&
ma_pvio_tls_verify_server_cert(pvio->ctls)) ma_pvio_tls_verify_server_cert(pvio->ctls))
return 1; return 1;
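Review bot: Every use of the new flag is spelled `!…->tls_allow_invalid_server_cert`, which together with the `!pvio->mysql->net.tls_self_signed_error` on the next line turns the condition starting at the `if (!pvio->mysql->options.extension->tls_allow_invalid_server_cert &&` line into a chain of negations that is easy to misread. A local computed once, `const my_bool verify_server_cert= !pvio->mysql->options.extension->tls_allow_invalid_server_cert;`, used in the condition would read as the original did. The same double negative recurs in my_verify_callback, both ma_tls_connect variants and send_client_reply_packet; the schannel ma_tls_connect even evaluates it twice within four lines. ma_pvio_start_ssl starts and ends outside this hunk.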


@@ -3550,7 +3550,7 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
mysql->options.use_ssl= (*(my_bool *)arg1); mysql->options.use_ssl= (*(my_bool *)arg1);
break; break;
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verify_server_cert, *(my_bool *)arg1); OPT_SET_EXTENDED_VALUE(&mysql->options, tls_allow_invalid_server_cert, !*(my_bool *)arg1);
break; break;
case MYSQL_OPT_SSL_KEY: case MYSQL_OPT_SSL_KEY:
OPT_SET_VALUE_STR(&mysql->options, ssl_key, (char *)arg1); OPT_SET_VALUE_STR(&mysql->options, ssl_key, (char *)arg1);
@@ -3916,7 +3916,7 @@ mysql_get_optionv(MYSQL *mysql, enum mysql_option option, void *arg, ...)
*((my_bool *)arg)= mysql->options.use_ssl; *((my_bool *)arg)= mysql->options.use_ssl;
break; break;
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
*((my_bool*)arg) = mysql->options.extension ? mysql->options.extension->tls_verify_server_cert : 0; *((my_bool*)arg) = mysql->options.extension ? !mysql->options.extension->tls_allow_invalid_server_cert: 1;
break; break;
case MYSQL_OPT_SSL_KEY: case MYSQL_OPT_SSL_KEY:
*((char **)arg)= mysql->options.ssl_key; *((char **)arg)= mysql->options.ssl_key;
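Review bot: The setter on the `OPT_SET_EXTENDED_VALUE(&mysql->options, tls_allow_invalid_server_cert, !*(my_bool *)arg1);` line and the getter's `: 1` fallback both encode the inverted storage without saying so, and the `1` in particular looks like a typo next to the `0` fallbacks of the neighbouring cases. A one-line comment at each, `/* stored inverted so that a zeroed extension means "verify" (MDEV-31857) */`, would keep the next maintainer from "fixing" it. The getter reporting verification as enabled when `options.extension` is NULL matches the new default; whether mysql_init always allocates the extension is not visible here. Both mysql_optionsv and mysql_get_optionv continue outside these hunks.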


@@ -1357,7 +1357,7 @@ static int my_verify_callback(gnutls_session_t ssl)
CLEAR_CLIENT_ERROR(mysql); CLEAR_CLIENT_ERROR(mysql);
if ((mysql->options.extension->tls_verify_server_cert)) if (!mysql->options.extension->tls_allow_invalid_server_cert)
{ {
const char *hostname= mysql->host; const char *hostname= mysql->host;
@@ -1375,7 +1375,7 @@ static int my_verify_callback(gnutls_session_t ssl)
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
{ {
/* accept self signed certificates if we don't have to verify server cert */ /* accept self signed certificates if we don't have to verify server cert */
if (!mysql->options.extension->tls_verify_server_cert) if (mysql->options.extension->tls_allow_invalid_server_cert)
return 0; return 0;
/* postpone the error for self signed certificates if CA isn't set */ /* postpone the error for self signed certificates if CA isn't set */


@@ -506,7 +506,7 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
/* In case handshake failed or if a root certificate (ca) was specified, /* In case handshake failed or if a root certificate (ca) was specified,
we need to check the result code of X509 verification. A detailed check we need to check the result code of X509 verification. A detailed check
of the peer certificate (hostname checking will follow later) */ of the peer certificate (hostname checking will follow later) */
if (rc != 1 || mysql->options.extension->tls_verify_server_cert || if (rc != 1 || !mysql->options.extension->tls_allow_invalid_server_cert ||
mysql->options.ssl_ca || mysql->options.ssl_capath) mysql->options.ssl_ca || mysql->options.ssl_capath)
{ {
long x509_err= SSL_get_verify_result(ssl); long x509_err= SSL_get_verify_result(ssl);
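Review bot: The comment above the condition on the `if (rc != 1 || !mysql->options.extension->tls_allow_invalid_server_cert ||` line still says the X509 result is checked only "in case handshake failed or if a root certificate (ca) was specified", but the rewritten clause makes that check the default for every connection that has not opted out. I would rewrite its opening as `/* Check the X509 verification result if the handshake failed, a CA was specified, or invalid server certificates are not allowed (the default). A detailed check` and keep the rest. ma_tls_connect continues outside this hunk.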


@@ -451,11 +451,11 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
goto end; goto end;
verify_certs = mysql->options.ssl_ca || mysql->options.ssl_capath || verify_certs = mysql->options.ssl_ca || mysql->options.ssl_capath ||
(mysql->options.extension->tls_verify_server_cert); !mysql->options.extension->tls_allow_invalid_server_cert;
if (verify_certs) if (verify_certs)
{ {
if (!ma_schannel_verify_certs(ctls, mysql->options.extension->tls_verify_server_cert)) if (!ma_schannel_verify_certs(ctls, !mysql->options.extension->tls_allow_invalid_server_cert))
goto end; goto end;
} }


@@ -253,7 +253,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
if (mysql->options.ssl_key || mysql->options.ssl_cert || if (mysql->options.ssl_key || mysql->options.ssl_cert ||
mysql->options.ssl_ca || mysql->options.ssl_capath || mysql->options.ssl_ca || mysql->options.ssl_capath ||
mysql->options.ssl_cipher || mysql->options.use_ssl || mysql->options.ssl_cipher || mysql->options.use_ssl ||
mysql->options.extension->tls_verify_server_cert) !mysql->options.extension->tls_allow_invalid_server_cert)
mysql->options.use_ssl= 1; mysql->options.use_ssl= 1;
if (mysql->options.use_ssl) if (mysql->options.use_ssl)
mysql->client_flag|= CLIENT_SSL; mysql->client_flag|= CLIENT_SSL;
@@ -273,16 +273,16 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
mysql->net.pvio->type == PVIO_TYPE_SHAREDMEM)) mysql->net.pvio->type == PVIO_TYPE_SHAREDMEM))
{ {
mysql->server_capabilities &= ~(CLIENT_SSL); mysql->server_capabilities &= ~(CLIENT_SSL);
mysql->options.extension->tls_verify_server_cert= 0; mysql->options.extension->tls_allow_invalid_server_cert= 1;
} }
/* if server doesn't support SSL and verification of server certificate /* if server doesn't support SSL and verification of server certificate
was set to mandatory, we need to return an error */ was set to mandatory, we need to return an error */
if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL)) if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))
{ {
if (mysql->options.extension->tls_verify_server_cert || if (!mysql->options.extension->tls_allow_invalid_server_cert ||
(mysql->options.extension && (mysql->options.extension->tls_fp || mysql->options.extension->tls_fp ||
mysql->options.extension->tls_fp_list))) mysql->options.extension->tls_fp_list)
{ {
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
ER(CR_SSL_CONNECTION_ERROR), ER(CR_SSL_CONNECTION_ERROR),
@@ -783,7 +783,7 @@ retry:
return 0; return 0;
assert(mysql->options.use_ssl); assert(mysql->options.use_ssl);
assert(mysql->options.extension->tls_verify_server_cert); assert(!mysql->options.extension->tls_allow_invalid_server_cert);
assert(!mysql->options.ssl_ca); assert(!mysql->options.ssl_ca);
assert(!mysql->options.ssl_capath); assert(!mysql->options.ssl_capath);
assert(!mysql->options.extension->tls_fp); assert(!mysql->options.extension->tls_fp);
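Review bot: The rewritten condition on the `if (!mysql->options.extension->tls_allow_invalid_server_cert ||` line drops the `mysql->options.extension &&` guard the old code kept around the `tls_fp` and `tls_fp_list` reads, so a NULL extension would now be dereferenced there; the old first operand and the `mysql->options.extension->tls_allow_invalid_server_cert= 1;` assignment above already dereferenced it unconditionally, so the guard may have been dead, but the hunk leaves that unclear. If the extension is guaranteed to exist by the time send_client_reply_packet runs, I would say so with `assert(mysql->options.extension);` at the top of the function instead of leaving the inconsistency; if not, the guard needs restoring. Note also that with the zeroed default the `!mysql->options.extension->tls_allow_invalid_server_cert)` term of the first hunk now sets `use_ssl= 1` on every connection unless the option was explicitly cleared, which is a larger behavioural change than the commit message's "API didn't change" conveys and deserves a sentence there. send_client_reply_packet starts and ends outside these hunks.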


@@ -686,6 +686,7 @@ int test_connection_timeout2(MYSQL *unused __attribute__((unused)))
unsigned int timeout= 5; unsigned int timeout= 5;
time_t start, elapsed; time_t start, elapsed;
MYSQL *mysql; MYSQL *mysql;
my_bool no= 0;
SKIP_SKYSQL; SKIP_SKYSQL;
SKIP_MAXSCALE; SKIP_MAXSCALE;
@@ -694,6 +695,7 @@ int test_connection_timeout2(MYSQL *unused __attribute__((unused)))
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_CONNECT_TIMEOUT, (unsigned int *)&timeout); mysql_options(mysql, MYSQL_OPT_CONNECT_TIMEOUT, (unsigned int *)&timeout);
mysql_options(mysql, MYSQL_INIT_COMMAND, "set @a:=SLEEP(7)"); mysql_options(mysql, MYSQL_INIT_COMMAND, "set @a:=SLEEP(7)");
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &no);
start= time(NULL); start= time(NULL);
if (my_test_connect(mysql, hostname, username, password, schema, port, socketname, CLIENT_REMEMBER_OPTIONS)) if (my_test_connect(mysql, hostname, username, password, schema, port, socketname, CLIENT_REMEMBER_OPTIONS))
{ {
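Review bot: The added `mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &no);` line has no comment explaining why a connection-timeout test now has to switch certificate verification off, so a reader may take it for a leftover. I would put `/* verification is on by default since MDEV-31857; this test exercises the timeout, not TLS */` above it. test_connection_timeout2 continues outside this hunk.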