database/mariadb-connector-c
1
0
Fork 0
mirror of https://github.com/mariadb-corporation/mariadb-connector-c.git synced 2025-08-01 06:27:04 +03:00
Code Activity

CONC-748: Allow to set TLSv1.3 ciphers in GnuTLS

Browse Source 
- Added TLSv1.3 ciphers to cipher map.
- Fixed retrieval of cipher suite: Since gnutls_cipher_suite_get_name
  supports only TLSv1.2 (and lower) cipher suites, we have to call
  gnutls_ciphersuite_get() (requires GnuTLS 3.7.4 or newer).
This commit is contained in:
Georg Richter
2024-12-08 11:27:32 +01:00
parent 232e81f021
commit af44fc5c5e
2 changed files with 90 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
libmariadb/secure/gnutls.c
View File

@ -723,6 +723,26 @@ const struct st_cipher_map tls_ciphers[]=
"TLS_DH_anon_WITH_AES_256_GCM_SHA384", "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
NULL, NULL,
"TLS_DH_ANON_AES_256_GCM_SHA384"}, "TLS_DH_ANON_AES_256_GCM_SHA384"},
{ {0x13, 0x01},
"TLS_AES_128_GCM_SHA256",
"TLS_AES_128_GCM_SHA256",
"TLS_AES_128_GCM_SHA256"},
{ {0x13, 0x02},
"TLS_AES_256_GCM_SHA384",
"TLS_AES_256_GCM_SHA384",
"TLS_AES_256_GCM_SHA384"},
{ {0x13, 0x03},
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_CHACHA20_POLY1305_SHA256"},
{ {0x13, 0x04},
"TLS_AES_128_CCM_SHA256",
"TLS_AES_128_CCM_SHA256",
"TLS_AES_128_CCM_SHA256"},
{ {0x13, 0x05},
"TLS_AES_128_CCM_8_SHA256",
"TLS_AES_128_CCM_8_SHA256",
"TLS_AES_128_CCM_8_SHA256"},
{ {0xC0, 0x84}, { {0xC0, 0x84},
"TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
NULL, NULL,
@ -793,6 +813,7 @@ const struct st_cipher_map tls_ciphers[]=
NULL} NULL}
}; };
#if GNUTLS_VERSION_NUMBER < 0x030704
/* map the gnutls cipher suite (defined by key exchange algorithm, cipher /* map the gnutls cipher suite (defined by key exchange algorithm, cipher
and mac algorithm) to the corresponding OpenSSL cipher name */ and mac algorithm) to the corresponding OpenSSL cipher name */
static const char *openssl_cipher_name(gnutls_kx_algorithm_t kx, static const char *openssl_cipher_name(gnutls_kx_algorithm_t kx,
@ -829,6 +850,7 @@ static const char *openssl_cipher_name(gnutls_kx_algorithm_t kx,
} }
return NULL; return NULL;
} }
#endif
/* get priority string for a given openssl cipher name */ /* get priority string for a given openssl cipher name */
static char *get_priority(const char *cipher_name, char *priority, size_t len) static char *get_priority(const char *cipher_name, char *priority, size_t len)
@ -857,10 +879,20 @@ static char *get_priority(const char *cipher_name, char *priority, size_t len)
{ {
if (!strcmp(name, tls_ciphers[i].gnutls_name)) if (!strcmp(name, tls_ciphers[i].gnutls_name))
{ {
snprintf(priority, len - 1, ":+%s:+%s:+%s", const char *p;
gnutls_cipher_get_name(cipher),
gnutls_mac_get_name(mac), if ((p= gnutls_cipher_get_name(cipher)))
gnutls_kx_get_name(kx)); snprintf(priority, len - 1, ":+%s",p);
if ((p= gnutls_mac_get_name(mac)))
{
strncat(priority, ":+", len - 1);
strncat(priority, p, len - 1);
}
if ((p= gnutls_kx_get_name(kx)))
{
strncat(priority, ":+", len - 1);
strncat(priority, p, len - 1);
}
return priority; return priority;
} }
} }
@ -1329,6 +1361,7 @@ int ma_tls_verify_server_cert(MARIADB_TLS *ctls __attribute__((unused)))
const char *ma_tls_get_cipher(MARIADB_TLS *ctls) const char *ma_tls_get_cipher(MARIADB_TLS *ctls)
{ {
#if GNUTLS_VERSION_NUMBER < 0x030704
gnutls_kx_algorithm_t kx; gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher; gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac; gnutls_mac_algorithm_t mac;
@ -1340,6 +1373,24 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ctls)
cipher= gnutls_cipher_get((gnutls_session_t)ctls->ssl); cipher= gnutls_cipher_get((gnutls_session_t)ctls->ssl);
kx= gnutls_kx_get((gnutls_session_t)ctls->ssl); kx= gnutls_kx_get((gnutls_session_t)ctls->ssl);
return openssl_cipher_name(kx, cipher, mac); return openssl_cipher_name(kx, cipher, mac);
#else
const char *cs= gnutls_ciphersuite_get((gnutls_session_t)ctls->ssl);
int i=0;
while (tls_ciphers[i].iana_name)
{
if (!strcmp(tls_ciphers[i].gnutls_name, cs))
{
if (tls_ciphers[i].openssl_name)
return tls_ciphers[i].openssl_name;
if (tls_ciphers[i].gnutls_name)
return tls_ciphers[i].gnutls_name;
return tls_ciphers[i].iana_name;
}
i++;
}
return NULL;
#endif
} }
static int my_verify_callback(gnutls_session_t ssl) static int my_verify_callback(gnutls_session_t ssl)

35
unittest/libmariadb/connection.c
View File

@ -1966,7 +1966,42 @@ static int test_conc632(MYSQL *my __attribute__((unused)))
return OK; return OK;
} }
#if defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
static int test_conc748(MYSQL *my __attribute__((unused)))
{
MYSQL *mysql;
int i;
const char *ciphers[3]= {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"};
for (i=0; i < 3; i++)
{
const char *tls_version;
mysql= mysql_init(NULL);
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
mysql_optionsv(mysql, MYSQL_OPT_SSL_CIPHER, ciphers[i]);
if (!my_test_connect(mysql, hostname, NULL,
NULL, schema, port, socketname, 0))
{
diag("error: %s", mysql_error(mysql));
return FAIL;
}
FAIL_IF(strcmp(ciphers[i], mysql_get_ssl_cipher(mysql)), "Cipher mismatch");
mariadb_get_infov(mysql, MARIADB_CONNECTION_TLS_VERSION, &tls_version);
FAIL_IF(strcmp(tls_version, "TLSv1.3"), "TLS version mismatch");
mysql_close(mysql);
}
return OK;
}
#endif
struct my_tests_st my_tests[] = { struct my_tests_st my_tests[] = {
#if defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
{"test_conc748", test_conc748, TEST_CONNECTION_NONE, 0, NULL, NULL},
#endif
{"test_conc632", test_conc632, TEST_CONNECTION_NONE, 0, NULL, NULL}, {"test_conc632", test_conc632, TEST_CONNECTION_NONE, 0, NULL, NULL},
{"test_conc490", test_conc490, TEST_CONNECTION_NONE, 0, NULL, NULL}, {"test_conc490", test_conc490, TEST_CONNECTION_NONE, 0, NULL, NULL},
{"test_gtid", test_gtid, TEST_CONNECTION_DEFAULT, 0, NULL, NULL}, {"test_gtid", test_gtid, TEST_CONNECTION_DEFAULT, 0, NULL, NULL},