Provide details about TLS/SSL library in use

When calling mariadb_get_infov with option MARIADB_TLS_LIBRARY
the functioni now returns the correct version number and name
of the tls/ssl library in use.

CMakeLists.txt

@@ -287,6 +287,7 @@ IF(NOT WITH_SSL STREQUAL "OFF")
               COMPILE_DEFINITIONS "-I${OPENSSL_INCLUDE_DIR}"
               RUN_OUTPUT_VARIABLE LIBRESSL_VERSION)
       IF(HAVE_LIBRESSL)
+        ADD_DEFINITIONS(-DHAVE_LIBRESSL)
         SET(TLS_LIBRARY_VERSION ${LIBRESSL_VERSION})
       ELSE()
         SET(TLS_LIBRARY_VERSION "OpenSSL ${OPENSSL_VERSION}")
@@ -311,7 +312,7 @@ IF(NOT WITH_SSL STREQUAL "OFF")
       ADD_DEFINITIONS(-DHAVE_SCHANNEL -DHAVE_TLS)
       SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/schannel.c" "${CC_SOURCE_DIR}/libmariadb/secure/ma_schannel.c")
       INCLUDE_DIRECTORIES("${CC_SOURCE_DIR}/plugins/pvio/")
-      SET(SSL_LIBRARIES secur32)
+      SET(SSL_LIBRARIES secur32 version)
       SET(TLS_LIBRARY_VERSION "Schannel ${CMAKE_SYSTEM_VERSION}")
     ENDIF()
   ENDIF()

include/ma_tls.h

@@ -10,6 +10,9 @@ enum enum_pvio_tls_type {
   SSL_TYPE_GNUTLS
 };
 
+#define TLS_VERSION_LENGTH 64
+extern char tls_library_version[TLS_VERSION_LENGTH];
+
 typedef struct st_ma_pvio_tls {
   void *data;
   MARIADB_PVIO *pvio;

libmariadb/ma_tls.c

@@ -153,7 +153,7 @@ static my_bool ma_pvio_tls_compare_fp(const char *cert_fp,
     char d1, d2;
     if (*p == ':')
       p++;
-    if (p - fp > fp_len -1)
+    if (p - fp > (int)fp_len -1)
       return 1;
     if ((d1 = ma_hex2int(*p)) == - 1 ||
         (d2 = ma_hex2int(*(p+1))) == -1 ||

libmariadb/mariadb_lib.c

@@ -3708,15 +3708,9 @@ my_bool STDCALL mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *
     break;
   case MARIADB_TLS_LIBRARY:
 #ifdef HAVE_TLS
-#ifdef HAVE_GNUTLS
+    *((const char **)arg)= tls_library_version;
-    *((const char **)arg)= "GNUTLS";
-#elif HAVE_OPENSSL
-    *((const char **)arg)= "OPENSSL";
-#elif HAVE_SCHANNEL
-    *((const char **)arg)= "SCHANNEL";
-#endif
 #else
-    *((char **)arg)= "OFF";
+    *((char **)arg)= "Off";
 #endif
     break;
   case MARIADB_CLIENT_VERSION:

libmariadb/secure/gnutls.c

@@ -46,6 +46,8 @@ enum ma_pem_type {
 
 static int my_verify_callback(gnutls_session_t ssl);
 
+char tls_library_version[TLS_VERSION_LENGTH];
+
 struct st_gnutls_data {
   MYSQL *mysql;
   gnutls_privkey_t key;
@@ -969,6 +971,9 @@ int ma_tls_start(char *errmsg, size_t errmsg_len)
     ma_tls_get_error(errmsg, errmsg_len, rc);
     goto end;
   }
+  snprintf(tls_library_version, TLS_VERSION_LENGTH - 1, "GnuTLS %s",
+          gnutls_check_version(NULL));
+
   ma_tls_initialized= TRUE;
 end:
   pthread_mutex_unlock(&LOCK_gnutls_config);

libmariadb/secure/openssl.c

@@ -60,6 +60,7 @@ extern my_bool ma_tls_initialized;
 extern unsigned int mariadb_deinitialize_ssl;
 
 #define MAX_SSL_ERR_LEN 100
+char tls_library_version[TLS_VERSION_LENGTH];
 
 static pthread_mutex_t LOCK_openssl_config;
 #ifndef HAVE_OPENSSL_1_1_API
@@ -286,6 +287,7 @@ static void disable_sigpipe()
 int ma_tls_start(char *errmsg __attribute__((unused)), size_t errmsg_len __attribute__((unused)))
 {
   int rc= 1;
+  char *p;
   if (ma_tls_initialized)
     return 0;
 
@@ -318,6 +320,15 @@ int ma_tls_start(char *errmsg __attribute__((unused)), size_t errmsg_len __attri
   ma_BIO_method.bread= ma_bio_read;
   ma_BIO_method.bwrite= ma_bio_write;
 #endif
+  snprintf(tls_library_version, TLS_VERSION_LENGTH - 1, "%s",
+#if defined(LIBRESSL_VERSION_NUMBER) || !defined(HAVE_OPENSSL_1_1_API)
+           SSLeay_version(SSLEAY_VERSION));
+#else
+           OpenSSL_version(OPENSSL_VERSION));
+#endif
+  /* remove date from version */
+  if ((p= strstr(tls_library_version, "  ")))
+    *p= 0;
   rc= 0;
   ma_tls_initialized= TRUE;
 end:

libmariadb/secure/schannel.c

@@ -22,9 +22,8 @@
 #pragma comment (lib, "crypt32.lib")
 #pragma comment (lib, "secur32.lib")
 
-//#define VOID void
-
 extern my_bool ma_tls_initialized;
+char tls_library_version[TLS_VERSION_LENGTH];
 
 #define PROT_SSL3 1
 #define PROT_TLS1_0 2
@@ -176,7 +175,31 @@ void ma_schannel_set_win_error(MYSQL *mysql);
 */
 int ma_tls_start(char *errmsg, size_t errmsg_len)
 {
+  DWORD size;
+  DWORD handle;
 
+  if ((size= GetFileVersionInfoSize("schannel.dll", &handle)))
+  {
+    LPBYTE VersionInfo;
+    if ((VersionInfo = (LPBYTE)malloc(size)))
+    {
+      unsigned int len;
+      VS_FIXEDFILEINFO *fileinfo;
+
+      GetFileVersionInfo("schannel.dll", 0, size, VersionInfo);
+      VerQueryValue(VersionInfo, "\\", (LPVOID *)&fileinfo, &len);
+      snprintf(tls_library_version, TLS_VERSION_LENGTH - 1, "Schannel %d.%d.%d.%d\n",
+        HIWORD(fileinfo->dwFileVersionMS),
+        LOWORD(fileinfo->dwFileVersionMS),
+        HIWORD(fileinfo->dwFileVersionLS),
+        LOWORD(fileinfo->dwFileVersionLS));
+      free(VersionInfo);
+      goto end;
+    }
+  }
+  /* this shouldn't happen anyway */
+  strcpy(tls_library_version, "Schannel 0.0.0.0");
+end:
   ma_tls_initialized = TRUE;
   return 0;
 }

unittest/libmariadb/ssl.c.in

@@ -19,6 +19,9 @@
 
 #include "my_test.h"
 #include <ma_pthread.h>
+#ifdef HAVE_OPENSSL
+#include <openssl/opensslv.h>
+#endif
 
 #define FNLEN 4096
 
@@ -107,6 +110,7 @@ static int test_ssl(MYSQL *mysql)
   int rc;
   MYSQL_RES *res;
   MYSQL_ROW row;
+  char *tls_library;
 
   rc= mysql_query(mysql, "SELECT @@have_ssl UNION SELECT @@have_openssl");
   check_mysql_rc(rc, mysql);
@@ -124,13 +128,8 @@ static int test_ssl(MYSQL *mysql)
   }
   mysql_free_result(res);
 
-#ifdef HAVE_GNUTLS
+  mariadb_get_infov(NULL, MARIADB_TLS_LIBRARY, &tls_library);
-  diag("SSL library: GNUTLS");
+  diag("SSL library: %s", tls_library);
-#elif HAVE_OPENSSL
-  diag("SSL library: OPENSSL");
-#elif HAVE_SCHANNEL
-  diag("SSL library: SCHANNEL");
-#endif
 
   sslhost[0]= 0;
 
@@ -1132,8 +1131,36 @@ static int test_conc286(MYSQL *unused __attribute__((unused)))
   return OK;
 }
 
+static int test_mdev14027(MYSQL *mysql __attribute__((unused)))
+{
+  char *tls_library;
+  const char *check_library=
+#if defined(HAVE_OPENSSL)
+#if defined(HAVE_LIBRESSL)
+    "LibreSSL";
+#else
+    "OpenSSL";
+#endif
+#elif defined(HAVE_GNUTLS)
+    "GnuTLS";
+#elif defined(HAVE_SCHANNEL)
+    "Schannel";
+#else
+    "Off";
+#endif
+  mariadb_get_infov(NULL, MARIADB_TLS_LIBRARY, &tls_library);
+  diag("TLS/SSL library in use: %s\n", tls_library);
+  if (!strstr(tls_library, check_library))
+  {
+    diag("expected %s, got %s", check_library, tls_library);
+    return FAIL;
+  }
+  return OK;
+}
+
 struct my_tests_st my_tests[] = {
   {"test_ssl", test_ssl, TEST_CONNECTION_NEW, 0,  NULL,  NULL},
+  {"test_mdev14027", test_mdev14027, TEST_CONNECTION_NEW, 0,  NULL,  NULL},
   {"test_conc286", test_conc286, TEST_CONNECTION_NEW, 0,  NULL,  NULL},
   {"test_ssl_timeout", test_ssl_timeout, TEST_CONNECTION_NEW, 0,  NULL,  NULL},
   {"test_openssl_1", test_openssl_1, TEST_CONNECTION_NEW, 0,  NULL,  NULL},