diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c index e37e2fb8..e72df73c 100644 --- a/libmariadb/secure/gnutls.c +++ b/libmariadb/secure/gnutls.c @@ -34,10 +34,16 @@ pthread_mutex_t LOCK_gnutls_config; -static gnutls_certificate_credentials_t GNUTLS_xcred; extern my_bool ma_tls_initialized; extern unsigned int mariadb_deinitialize_ssl; +enum ma_pem_type { + MA_TLS_PEM_CERT= 0, + MA_TLS_PEM_KEY, + MA_TLS_PEM_CA, + MA_TLS_PEM_CRL +}; + static int my_verify_callback(gnutls_session_t ssl); struct st_gnutls_data { @@ -47,60 +53,746 @@ struct st_gnutls_data { }; struct st_cipher_map { + unsigned char sid[2]; + const char *iana_name; const char *openssl_name; - const char *priority; - gnutls_kx_algorithm_t kx; - gnutls_cipher_algorithm_t cipher; - gnutls_mac_algorithm_t mac; + const char *gnutls_name; }; -const struct st_cipher_map gtls_ciphers[]= +const struct st_cipher_map tls_ciphers[]= { - {"DHE-RSA-AES256-GCM-SHA384", ":+AEAD:+DHE-RSA:+AES-256-GCM", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD}, - {"DHE-RSA-AES256-SHA256", ":+SHA256:+DHE-RSA:+AES-256-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA256}, - {"DHE-RSA-AES256-SHA", ":+SHA1:+DHE-RSA:+AES-256-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1}, - {"DHE-RSA-CAMELLIA256-SHA", ":+SHA1:+DHE-RSA:+CAMELLIA-256-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_MAC_SHA1}, - {"AES256-GCM-SHA384", ":+AEAD:+RSA:+AES-256-GCM", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD}, - {"AES256-SHA256", ":+SHA256:+RSA:+AES-256-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA256}, - {"AES256-SHA", ":+SHA1:+RSA:+AES-256-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1}, - {"CAMELLIA256-SHA", ":+SHA1:+RSA:+CAMELLIA-256-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_MAC_SHA1}, - {"DHE-RSA-AES128-GCM-SHA256", ":+AEAD:+DHE-RSA:+AES-128-GCM", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD}, - {"DHE-RSA-AES128-SHA256", ":+SHA256:+DHE-RSA:+AES-128-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA256}, - {"DHE-RSA-AES128-SHA", ":+SHA1:+DHE-RSA:+AES-128-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1}, - {"DHE-RSA-CAMELLIA128-SHA", ":+SHA1:+DHE-RSA:+CAMELLIA-128-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_MAC_SHA1}, - {"AES128-GCM-SHA256", ":+AEAD:+RSA:+AES-128-GCM", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD}, - {"AES128-SHA256", ":+SHA256:+RSA:+AES-128-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA256}, - {"AES128-SHA", ":+SHA1:+RSA:+AES-128-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1}, - {"CAMELLIA128-SHA", ":+SHA1:+RSA:+CAMELLIA-128-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_MAC_SHA1}, - {"EDH-RSA-DES-CBC3-SHA", ":+SHA1:+DHE-RSA:+3DES-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1}, - {"DES-CBC3-SHA", ":+SHA1:+RSA:+3DES-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1}, - {"DHE-RSA-AES256-SHA", ":+SHA1:+DHE-RSA:+AES-256-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1}, - {"DHE-RSA-CAMELLIA256-SHA", ":+SHA1:+DHE-RSA:+CAMELLIA-256-CBC", - GNUTLS_KX_DHE_RSA, GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_MAC_SHA1}, - {"AES256-SHA", ":+SHA1:+RSA:+AES-256-CBC", - GNUTLS_KX_RSA, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1}, - {"CAMELLIA256-SHA", ":+SHA1:+RSA:+CAMELLIA-256-CBC:", - GNUTLS_KX_RSA, GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_MAC_SHA1}, - {NULL, NULL, 0, 0, 0} + { {0x00, 0x01}, + "TLS_RSA_WITH_NULL_MD5", + NULL, + "TLS_RSA_NULL_MD5"}, + { {0x00, 0x02}, + "TLS_RSA_WITH_NULL_SHA", + NULL, + "TLS_RSA_NULL_SHA1"}, + { {0x00, 0x3B}, + "TLS_RSA_WITH_NULL_SHA256", + NULL, + "TLS_RSA_NULL_SHA256"}, + { {0x00, 0x05}, + "TLS_RSA_WITH_RC4_128_SHA", + NULL, + "TLS_RSA_ARCFOUR_128_SHA1"}, + { {0x00, 0x04}, + "TLS_RSA_WITH_RC4_128_MD5", + NULL, + "TLS_RSA_ARCFOUR_128_MD5"}, + { {0x00, 0x0A}, + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "DES-CBC3-SHA", + "TLS_RSA_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x2F}, + "TLS_RSA_WITH_AES_128_CBC_SHA", + "AES128-SHA", + "TLS_RSA_AES_128_CBC_SHA1"}, + { {0x00, 0x35}, + "TLS_RSA_WITH_AES_256_CBC_SHA", + "AES256-SHA", + "TLS_RSA_AES_256_CBC_SHA1"}, + { {0x00, 0xBA}, + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "CAMELLIA128-SHA256", + "TLS_RSA_CAMELLIA_128_CBC_SHA256"}, + { {0x00, 0xC0}, + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + NULL, + "TLS_RSA_CAMELLIA_256_CBC_SHA256"}, + { {0x00, 0x41}, + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + "CAMELLIA128-SHA", + "TLS_RSA_CAMELLIA_128_CBC_SHA1"}, + { {0x00, 0x84}, + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + "CAMELLIA256-SHA", + "TLS_RSA_CAMELLIA_256_CBC_SHA1"}, + { {0x00, 0x3C}, + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "AES128-SHA256", + "TLS_RSA_AES_128_CBC_SHA256"}, + { {0x00, 0x3D}, + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "AES256-SHA256", + "TLS_RSA_AES_256_CBC_SHA256"}, + { {0x00, 0x9C}, + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "AES128-GCM-SHA256", + "TLS_RSA_AES_128_GCM_SHA256"}, + { {0x00, 0x9D}, + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "AES256-GCM-SHA384", + "TLS_RSA_AES_256_GCM_SHA384"}, + { {0xC0, 0x7A}, + "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_RSA_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x7B}, + "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_RSA_CAMELLIA_256_GCM_SHA384"}, + { {0xC0, 0x9C}, + "TLS_RSA_WITH_AES_128_CCM", + NULL, + "TLS_RSA_AES_128_CCM"}, + { {0xC0, 0x9D}, + "TLS_RSA_WITH_AES_256_CCM", + NULL, + "TLS_RSA_AES_256_CCM"}, + { {0xC0, 0xA0}, + "TLS_RSA_WITH_AES_128_CCM_8", + NULL, + "TLS_RSA_AES_128_CCM_8"}, + { {0xC0, 0xA1}, + "TLS_RSA_WITH_AES_256_CCM_8", + NULL, + "TLS_RSA_AES_256_CCM_8"}, + { {0x00, 0x66}, + "TLS_DHE_DSS_WITH_RC4_128_SHA", + NULL, + "TLS_DHE_DSS_ARCFOUR_128_SHA1"}, + { {0x00, 0x13}, + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", + NULL, + "TLS_DHE_DSS_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x32}, + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + NULL, + "TLS_DHE_DSS_AES_128_CBC_SHA1"}, + { {0x00, 0x38}, + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + NULL, + "TLS_DHE_DSS_AES_256_CBC_SHA1"}, + { {0x00, 0xBD}, + "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256"}, + { {0x00, 0xC3}, + "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256", + NULL, + "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256"}, + { {0x00, 0x44}, + "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", + NULL, + "TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1"}, + { {0x00, 0x87}, + "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA", + NULL, + "TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1"}, + { {0x00, 0x40}, + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + NULL, + "TLS_DHE_DSS_AES_128_CBC_SHA256"}, + { {0x00, 0x6A}, + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + NULL, + "TLS_DHE_DSS_AES_256_CBC_SHA256"}, + { {0x00, 0xA2}, + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + NULL, + "TLS_DHE_DSS_AES_128_GCM_SHA256"}, + { {0x00, 0xA3}, + "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + NULL, + "TLS_DHE_DSS_AES_256_GCM_SHA384"}, + { {0xC0, 0x80}, + "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x81}, + "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384"}, + { {0x00, 0x16}, + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "EDH-RSA-DES-CBC3-SHA", + "TLS_DHE_RSA_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x33}, + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "DHE-RSA-AES128-SHA", + "TLS_DHE_RSA_AES_128_CBC_SHA1"}, + { {0x00, 0x39}, + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "DHE-RSA-AES256-SHA", + "TLS_DHE_RSA_AES_256_CBC_SHA1"}, + { {0x00, 0xBE}, + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256"}, + { {0x00, 0xC4}, + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + NULL, + "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256"}, + { {0x00, 0x45}, + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + "DHE-RSA-CAMELLIA128-SHA", + "TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1"}, + { {0x00, 0x88}, + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "DHE-RSA-CAMELLIA256-SHA", + "TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1"}, + { {0x00, 0x67}, + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "DHE-RSA-AES128-SHA256", + "TLS_DHE_RSA_AES_128_CBC_SHA256"}, + { {0x00, 0x6B}, + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "DHE-RSA-AES256-SHA256", + "TLS_DHE_RSA_AES_256_CBC_SHA256"}, + { {0x00, 0x9E}, + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "DHE-RSA-AES128-GCM-SHA256", + "TLS_DHE_RSA_AES_128_GCM_SHA256"}, + { {0x00, 0x9F}, + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "DHE-RSA-AES256-GCM-SHA384", + "TLS_DHE_RSA_AES_256_GCM_SHA384"}, + { {0xC0, 0x7C}, + "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x7D}, + "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384"}, + { {0xCC, 0xAA}, + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "DHE-RSA-CHACHA20-POLY1305", + "TLS_DHE_RSA_CHACHA20_POLY1305"}, + { {0xC0, 0x9E}, + "TLS_DHE_RSA_WITH_AES_128_CCM", + NULL, + "TLS_DHE_RSA_AES_128_CCM"}, + { {0xC0, 0x9F}, + "TLS_DHE_RSA_WITH_AES_256_CCM", + NULL, + "TLS_DHE_RSA_AES_256_CCM"}, + { {0xC0, 0xA2}, + "TLS_DHE_RSA_WITH_AES_128_CCM_8", + NULL, + "TLS_DHE_RSA_AES_128_CCM_8"}, + { {0xC0, 0xA3}, + "TLS_DHE_RSA_WITH_AES_256_CCM_8", + NULL, + "TLS_DHE_RSA_AES_256_CCM_8"}, + { {0xC0, 0x10}, + "TLS_ECDHE_RSA_WITH_", + NULL, + "TLS_ECDHE_RSA_NULL_SHA1"}, + { {0xC0, 0x12}, + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "ECDHE-RSA-DES-CBC3-SHA", + "TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x13}, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "ECDHE-RSA-AES128-SHA", + "TLS_ECDHE_RSA_AES_128_CBC_SHA1"}, + { {0xC0, 0x14}, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "ECDHE-RSA-AES256-SHA", + "TLS_ECDHE_RSA_AES_256_CBC_SHA1"}, + { {0xC0, 0x28}, + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "ECDHE-RSA-AES256-SHA384", + "TLS_ECDHE_RSA_AES_256_CBC_SHA384"}, + { {0xC0, 0x11}, + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + NULL, + "TLS_ECDHE_RSA_ARCFOUR_128_SHA1"}, + { {0xC0, 0x76}, + "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256"}, + { {0xC0, 0x77}, + "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384", + NULL, + "TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384"}, + { {0xC0, 0x06}, + "TLS_ECDHE_ECDSA_WITH_", + NULL, + "TLS_ECDHE_ECDSA_NULL_SHA1"}, + { {0xC0, 0x08}, + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "ECDHE-ECDSA-DES-CBC3-SHA", + "TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x09}, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "ECDHE-ECDSA-AES128-SHA", + "TLS_ECDHE_ECDSA_AES_128_CBC_SHA1"}, + { {0xC0, 0x0A}, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "ECDHE-ECDSA-AES256-SHA", + "TLS_ECDHE_ECDSA_AES_256_CBC_SHA1"}, + { {0xC0, 0x07}, + "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + NULL, + "TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1"}, + { {0xC0, 0x72}, + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256"}, + { {0xC0, 0x73}, + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", + NULL, + "TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384"}, + { {0xC0, 0x23}, + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "ECDHE-ECDSA-AES128-SHA256", + "TLS_ECDHE_ECDSA_AES_128_CBC_SHA256"}, + { {0xC0, 0x27}, + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "ECDHE-RSA-AES128-SHA256", + "TLS_ECDHE_RSA_AES_128_CBC_SHA256"}, + { {0xC0, 0x86}, + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x87}, + "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384"}, + { {0xC0, 0x2B}, + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "ECDHE-ECDSA-AES128-GCM-SHA256", + "TLS_ECDHE_ECDSA_AES_128_GCM_SHA256"}, + { {0xC0, 0x2C}, + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "ECDHE-ECDSA-AES256-GCM-SHA384", + "TLS_ECDHE_ECDSA_AES_256_GCM_SHA384"}, + { {0xC0, 0x2F}, + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "ECDHE-RSA-AES128-GCM-SHA256", + "TLS_ECDHE_RSA_AES_128_GCM_SHA256"}, + { {0xC0, 0x30}, + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "TLS_ECDHE_RSA_AES_256_GCM_SHA384"}, + { {0xC0, 0x24}, + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "ECDHE-ECDSA-AES256-SHA384", + "TLS_ECDHE_ECDSA_AES_256_CBC_SHA384"}, + { {0xC0, 0x8A}, + "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x8B}, + "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384"}, + { {0xCC, 0xA8}, + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "ECDHE-RSA-CHACHA20-POLY1305", + "TLS_ECDHE_RSA_CHACHA20_POLY1305"}, + { {0xCC, 0xA9}, + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "ECDHE-ECDSA-CHACHA20-POLY1305", + "TLS_ECDHE_ECDSA_CHACHA20_POLY1305"}, + { {0xC0, 0xAC}, + "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", + NULL, + "TLS_ECDHE_ECDSA_AES_128_CCM"}, + { {0xC0, 0xAD}, + "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", + NULL, + "TLS_ECDHE_ECDSA_AES_256_CCM"}, + { {0xC0, 0xAE}, + "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", + NULL, + "TLS_ECDHE_ECDSA_AES_128_CCM_8"}, + { {0xC0, 0xAF}, + "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", + NULL, + "TLS_ECDHE_ECDSA_AES_256_CCM_8"}, + { {0xC0, 0x34}, + "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA", + "ECDHE-PSK-3DES-EDE-CBC-SHA", + "TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x35}, + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", + "ECDHE-PSK-AES128-CBC-SHA", + "TLS_ECDHE_PSK_AES_128_CBC_SHA1"}, + { {0xC0, 0x36}, + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", + "ECDHE-PSK-AES256-CBC-SHA", + "TLS_ECDHE_PSK_AES_256_CBC_SHA1"}, + { {0xC0, 0x37}, + "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256", + "ECDHE-PSK-AES128-CBC-SHA256", + "TLS_ECDHE_PSK_AES_128_CBC_SHA256"}, + { {0xC0, 0x38}, + "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384", + "ECDHE-PSK-AES256-CBC-SHA384", + "TLS_ECDHE_PSK_AES_256_CBC_SHA384"}, + { {0xC0, 0x33}, + "TLS_ECDHE_PSK_WITH_RC4_128_SHA", + NULL, + "TLS_ECDHE_PSK_ARCFOUR_128_SHA1"}, + { {0xC0, 0x39}, + "TLS_ECDHE_PSK_WITH_NULL_SHA", + NULL, + "TLS_ECDHE_PSK_NULL_SHA1"}, + { {0xC0, 0x3A}, + "TLS_ECDHE_PSK_WITH_NULL_SHA256", + NULL, + "TLS_ECDHE_PSK_NULL_SHA256"}, + { {0xC0, 0x3B}, + "TLS_ECDHE_PSK_WITH_NULL_SHA384", + NULL, + "TLS_ECDHE_PSK_NULL_SHA384"}, + { {0xC0, 0x9A}, + "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256"}, + { {0xC0, 0x9B}, + "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", + NULL, + "TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384"}, + { {0x00, 0x8A}, + "TLS_PSK_WITH_RC4_128_SHA", + NULL, + "TLS_PSK_ARCFOUR_128_SHA1"}, + { {0x00, 0x8B}, + "TLS_PSK_WITH_3DES_EDE_CBC_SHA", + "PSK-3DES-EDE-CBC-SHA", + "TLS_PSK_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x8C}, + "TLS_PSK_WITH_AES_128_CBC_SHA", + "PSK-AES128-CBC-SHA", + "TLS_PSK_AES_128_CBC_SHA1"}, + { {0x00, 0x8D}, + "TLS_PSK_WITH_AES_256_CBC_SHA", + "PSK-AES256-CBC-SHA", + "TLS_PSK_AES_256_CBC_SHA1"}, + { {0x00, 0xAE}, + "TLS_PSK_WITH_AES_128_CBC_SHA256", + "PSK-AES128-CBC-SHA256", + "TLS_PSK_AES_128_CBC_SHA256"}, + { {0x00, 0xA9}, + "TLS_PSK_WITH_AES_256_GCM_SHA384", + "PSK-AES256-GCM-SHA384", + "TLS_PSK_AES_256_GCM_SHA384"}, + { {0xC0, 0x8E}, + "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_PSK_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x8F}, + "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_PSK_CAMELLIA_256_GCM_SHA384"}, + { {0x00, 0xA8}, + "TLS_PSK_WITH_AES_128_GCM_SHA256", + "PSK-AES128-GCM-SHA256", + "TLS_PSK_AES_128_GCM_SHA256"}, + { {0x00, 0x2C}, + "TLS_PSK_WITH_", + NULL, + "TLS_PSK_NULL_SHA1"}, + { {0x00, 0xB0}, + "TLS_PSK_WITH_", + NULL, + "TLS_PSK_NULL_SHA256"}, + { {0xC0, 0x94}, + "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_PSK_CAMELLIA_128_CBC_SHA256"}, + { {0xC0, 0x95}, + "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384", + NULL, + "TLS_PSK_CAMELLIA_256_CBC_SHA384"}, + { {0x00, 0xAF}, + "TLS_PSK_WITH_AES_256_CBC_SHA384", + "PSK-AES256-CBC-SHA384", + "TLS_PSK_AES_256_CBC_SHA384"}, + { {0x00, 0xB1}, + "TLS_PSK_WITH_", + NULL, + "TLS_PSK_NULL_SHA384"}, + { {0x00, 0x92}, + "TLS_RSA_PSK_WITH_RC4_128_SHA", + NULL, + "TLS_RSA_PSK_ARCFOUR_128_SHA1"}, + { {0x00, 0x93}, + "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA", + "RSA-PSK-3DES-EDE-CBC-SHA", + "TLS_RSA_PSK_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x94}, + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", + "RSA-PSK-AES128-CBC-SHA", + "TLS_RSA_PSK_AES_128_CBC_SHA1"}, + { {0x00, 0x95}, + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA", + "RSA-PSK-AES256-CBC-SHA", + "TLS_RSA_PSK_AES_256_CBC_SHA1"}, + { {0xC0, 0x92}, + "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x93}, + "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384"}, + { {0x00, 0xAC}, + "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256", + "RSA-PSK-AES128-GCM-SHA256", + "TLS_RSA_PSK_AES_128_GCM_SHA256"}, + { {0x00, 0xB6}, + "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256", + "RSA-PSK-AES128-CBC-SHA256", + "TLS_RSA_PSK_AES_128_CBC_SHA256"}, + { {0x00, 0x2E}, + "TLS_RSA_PSK_WITH_NULL_SHA", + NULL, + "TLS_RSA_PSK_NULL_SHA1"}, + { {0x00, 0xB8}, + "TLS_RSA_PSK_WITH_", + NULL, + "TLS_RSA_PSK_NULL_SHA256"}, + { {0x00, 0xAD}, + "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384", + "RSA-PSK-AES256-GCM-SHA384", + "TLS_RSA_PSK_AES_256_GCM_SHA384"}, + { {0x00, 0xB7}, + "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384", + "RSA-PSK-AES256-CBC-SHA384", + "TLS_RSA_PSK_AES_256_CBC_SHA384"}, + { {0x00, 0xB9}, + "TLS_RSA_PSK_WITH_", + NULL, + "TLS_RSA_PSK_NULL_SHA384"}, + { {0xC0, 0x98}, + "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256"}, + { {0xC0, 0x99}, + "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384", + NULL, + "TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384"}, + { {0x00, 0x8E}, + "TLS_DHE_PSK_WITH_RC4_128_SHA", + NULL, + "TLS_DHE_PSK_ARCFOUR_128_SHA1"}, + { {0x00, 0x8F}, + "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA", + "DHE-PSK-3DES-EDE-CBC-SHA", + "TLS_DHE_PSK_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x90}, + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA", + "DHE-PSK-AES128-CBC-SHA", + "TLS_DHE_PSK_AES_128_CBC_SHA1"}, + { {0x00, 0x91}, + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA", + "DHE-PSK-AES256-CBC-SHA", + "TLS_DHE_PSK_AES_256_CBC_SHA1"}, + { {0x00, 0xB2}, + "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256", + "DHE-PSK-AES128-CBC-SHA256", + "TLS_DHE_PSK_AES_128_CBC_SHA256"}, + { {0x00, 0xAA}, + "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256", + "DHE-PSK-AES128-GCM-SHA256", + "TLS_DHE_PSK_AES_128_GCM_SHA256"}, + { {0x00, 0x2D}, + "TLS_DHE_PSK_WITH_", + NULL, + "TLS_DHE_PSK_NULL_SHA1"}, + { {0x00, 0xB4}, + "TLS_DHE_PSK_WITH_", + NULL, + "TLS_DHE_PSK_NULL_SHA256"}, + { {0x00, 0xB5}, + "TLS_DHE_PSK_WITH_", + NULL, + "TLS_DHE_PSK_NULL_SHA384"}, + { {0x00, 0xB3}, + "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384", + "DHE-PSK-AES256-CBC-SHA384", + "TLS_DHE_PSK_AES_256_CBC_SHA384"}, + { {0x00, 0xAB}, + "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384", + "DHE-PSK-AES256-GCM-SHA384", + "TLS_DHE_PSK_AES_256_GCM_SHA384"}, + { {0xC0, 0x96}, + "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256"}, + { {0xC0, 0x97}, + "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384", + NULL, + "TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384"}, + { {0xC0, 0x90}, + "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x91}, + "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384"}, + { {0xC0, 0xA4}, + "TLS_PSK_WITH_AES_128_CCM", + NULL, + "TLS_PSK_AES_128_CCM"}, + { {0xC0, 0xA5}, + "TLS_PSK_WITH_AES_256_CCM", + NULL, + "TLS_PSK_AES_256_CCM"}, + { {0xC0, 0xA6}, + "TLS_DHE_PSK_WITH_AES_128_CCM", + NULL, + "TLS_DHE_PSK_AES_128_CCM"}, + { {0xC0, 0xA7}, + "TLS_DHE_PSK_WITH_AES_256_CCM", + NULL, + "TLS_DHE_PSK_AES_256_CCM"}, + { {0xC0, 0xA8}, + "TLS_PSK_WITH_AES_128_CCM_8", + NULL, + "TLS_PSK_AES_128_CCM_8"}, + { {0xC0, 0xA9}, + "TLS_PSK_WITH_AES_256_CCM_8", + NULL, + "TLS_PSK_AES_256_CCM_8"}, + { {0xC0, 0xAA}, + "TLS_PSK_DHE_WITH_AES_128_CCM_8", + NULL, + "TLS_DHE_PSK_AES_128_CCM_8"}, + { {0xC0, 0xAB}, + "TLS_PSK_DHE_WITH_AES_256_CCM_8", + NULL, + "TLS_DHE_PSK_AES_256_CCM_8"}, + { {0xCC, 0xAD}, + "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", + "DHE-PSK-CHACHA20-POLY1305", + "TLS_DHE_PSK_CHACHA20_POLY1305"}, + { {0xCC, 0xAC}, + "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", + "ECDHE-PSK-CHACHA20-POLY1305", + "TLS_ECDHE_PSK_CHACHA20_POLY1305"}, + { {0xCC, 0xAE}, + "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", + "RSA-PSK-CHACHA20-POLY1305", + "TLS_RSA_PSK_CHACHA20_POLY1305"}, + { {0xCC, 0xAB}, + "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256", + "PSK-CHACHA20-POLY1305", + "TLS_PSK_CHACHA20_POLY1305"}, + { {0x00, 0x18}, + "TLS_DH_anon_WITH_RC4_128_MD5", + NULL, + "TLS_DH_ANON_ARCFOUR_128_MD5"}, + { {0x00, 0x1B}, + "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA", + NULL, + "TLS_DH_ANON_3DES_EDE_CBC_SHA1"}, + { {0x00, 0x34}, + "TLS_DH_anon_WITH_AES_128_CBC_SHA", + NULL, + "TLS_DH_ANON_AES_128_CBC_SHA1"}, + { {0x00, 0x3A}, + "TLS_DH_anon_WITH_AES_256_CBC_SHA", + NULL, + "TLS_DH_ANON_AES_256_CBC_SHA1"}, + { {0x00, 0xBF}, + "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256", + NULL, + "TLS_DH_ANON_CAMELLIA_128_CBC_SHA256"}, + { {0x00, 0xC5}, + "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256", + NULL, + "TLS_DH_ANON_CAMELLIA_256_CBC_SHA256"}, + { {0x00, 0x46}, + "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA", + NULL, + "TLS_DH_ANON_CAMELLIA_128_CBC_SHA1"}, + { {0x00, 0x89}, + "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA", + NULL, + "TLS_DH_ANON_CAMELLIA_256_CBC_SHA1"}, + { {0x00, 0x6C}, + "TLS_DH_anon_WITH_AES_128_CBC_SHA256", + NULL, + "TLS_DH_ANON_AES_128_CBC_SHA256"}, + { {0x00, 0x6D}, + "TLS_DH_anon_WITH_AES_256_CBC_SHA256", + NULL, + "TLS_DH_ANON_AES_256_CBC_SHA256"}, + { {0x00, 0xA6}, + "TLS_DH_anon_WITH_AES_128_GCM_SHA256", + NULL, + "TLS_DH_ANON_AES_128_GCM_SHA256"}, + { {0x00, 0xA7}, + "TLS_DH_anon_WITH_AES_256_GCM_SHA384", + NULL, + "TLS_DH_ANON_AES_256_GCM_SHA384"}, + { {0xC0, 0x84}, + "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256", + NULL, + "TLS_DH_ANON_CAMELLIA_128_GCM_SHA256"}, + { {0xC0, 0x85}, + "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384", + NULL, + "TLS_DH_ANON_CAMELLIA_256_GCM_SHA384"}, + { {0xC0, 0x15}, + "TLS_ECDH_anon_WITH_", + NULL, + "TLS_ECDH_ANON_NULL_SHA1"}, + { {0xC0, 0x17}, + "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", + NULL, + "TLS_ECDH_ANON_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x18}, + "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", + NULL, + "TLS_ECDH_ANON_AES_128_CBC_SHA1"}, + { {0xC0, 0x19}, + "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", + NULL, + "TLS_ECDH_ANON_AES_256_CBC_SHA1"}, + { {0xC0, 0x16}, + "TLS_ECDH_anon_WITH_RC4_128_SHA", + NULL, + "TLS_ECDH_ANON_ARCFOUR_128_SHA1"}, + { {0xC0, 0x1A}, + "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA", + "SRP-3DES-EDE-CBC-SHA", + "TLS_SRP_SHA_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x1D}, + "TLS_SRP_SHA_WITH_AES_128_CBC_SHA", + "SRP-AES-128-CBC-SHA", + "TLS_SRP_SHA_AES_128_CBC_SHA1"}, + { {0xC0, 0x20}, + "TLS_SRP_SHA_WITH_AES_256_CBC_SHA", + "SRP-AES-256-CBC-SHA", + "TLS_SRP_SHA_AES_256_CBC_SHA1"}, + { {0xC0, 0x1C}, + "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA", + NULL, + "TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x1B}, + "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA", + "SRP-RSA-3DES-EDE-CBC-SHA", + "TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1"}, + { {0xC0, 0x1F}, + "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA", + NULL, + "TLS_SRP_SHA_DSS_AES_128_CBC_SHA1"}, + { {0xC0, 0x1E}, + "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA", + "SRP-RSA-AES-128-CBC-SHA", + "TLS_SRP_SHA_RSA_AES_128_CBC_SHA1"}, + { {0xC0, 0x22}, + "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA", + NULL, + "TLS_SRP_SHA_DSS_AES_256_CBC_SHA1"}, + { {0xC0, 0x21}, + "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA", + "SRP-RSA-AES-256-CBC-SHA", + "TLS_SRP_SHA_RSA_AES_256_CBC_SHA1"}, + { {0x00, 0x00}, + NULL, + NULL, + NULL} }; /* free data assigned to the connection */ @@ -122,25 +814,72 @@ static const char *openssl_cipher_name(gnutls_kx_algorithm_t kx, gnutls_mac_algorithm_t mac) { unsigned int i=0; - while (gtls_ciphers[i].openssl_name) + const char *name= 0; + unsigned char sid[2]; + gnutls_kx_algorithm_t lkx; + gnutls_cipher_algorithm_t lcipher; + gnutls_mac_algorithm_t lmac; + + while ((name= gnutls_cipher_suite_info(i++, (unsigned char *)&sid, &lkx, &lcipher, &lmac, NULL))) { - if (gtls_ciphers[i].kx == kx && - gtls_ciphers[i].cipher == cipher && - gtls_ciphers[i].mac == mac) - return gtls_ciphers[i].openssl_name; - i++; + if (lkx == kx && + lcipher == cipher && + lmac == mac) + { + i=0; + while (tls_ciphers[i].iana_name) + { + if (!memcmp(tls_ciphers[i].sid, &sid, 2)) + { + if (tls_ciphers[i].openssl_name) + return tls_ciphers[i].openssl_name; + if (tls_ciphers[i].gnutls_name) + return tls_ciphers[i].gnutls_name; + return tls_ciphers[i].iana_name; + } + i++; + } + } } return NULL; } /* get priority string for a given openssl cipher name */ -static const char *get_priority(const char *cipher_name) +static char *get_priority(const char *cipher_name, char *priority, size_t len) { unsigned int i= 0; - while (gtls_ciphers[i].openssl_name) + while (tls_ciphers[i].iana_name) { - if (strcmp(gtls_ciphers[i].openssl_name, cipher_name) == 0) - return gtls_ciphers[i].priority; + if (strcmp(tls_ciphers[i].iana_name, cipher_name) == 0 || + (tls_ciphers[i].openssl_name && + strcmp(tls_ciphers[i].openssl_name, cipher_name) == 0) || + (tls_ciphers[i].gnutls_name && + strcmp(tls_ciphers[i].gnutls_name, cipher_name) == 0)) + { + const char *name; + gnutls_kx_algorithm_t kx; + gnutls_cipher_algorithm_t cipher; + gnutls_mac_algorithm_t mac; + gnutls_protocol_t min_version; + unsigned j= 0; + + if (!tls_ciphers[i].gnutls_name) + return NULL; + + while ((name= gnutls_cipher_suite_info(j++, NULL, &kx, &cipher, + &mac, &min_version))) + { + if (!strcmp(name, tls_ciphers[i].gnutls_name)) + { + snprintf(priority, len - 1, ":+%s:+%s:+%s", + gnutls_cipher_get_name(cipher), + gnutls_mac_get_name(mac), + gnutls_kx_get_name(kx)); + return priority; + } + } + return NULL; + } i++; } return NULL; @@ -230,8 +969,6 @@ int ma_tls_start(char *errmsg, size_t errmsg_len) ma_tls_get_error(errmsg, errmsg_len, rc); goto end; } - /* Allocate a global context for credentials */ - rc= gnutls_certificate_allocate_credentials(&GNUTLS_xcred); ma_tls_initialized= TRUE; end: pthread_mutex_unlock(&LOCK_gnutls_config); @@ -255,11 +992,6 @@ void ma_tls_end() if (ma_tls_initialized) { pthread_mutex_lock(&LOCK_gnutls_config); - gnutls_certificate_free_keys(GNUTLS_xcred); - gnutls_certificate_free_cas(GNUTLS_xcred); - gnutls_certificate_free_crls(GNUTLS_xcred); - gnutls_certificate_free_ca_names(GNUTLS_xcred); - gnutls_certificate_free_credentials(GNUTLS_xcred); if (mariadb_deinitialize_ssl) gnutls_global_deinit(); ma_tls_initialized= FALSE; @@ -285,7 +1017,8 @@ static int ma_gnutls_set_ciphers(gnutls_session_t ssl, char *cipher_str) while (token) { - const char *p= get_priority(token); + char priority[1024]; + char *p= get_priority(token, priority, 1024); if (p) strncat(prio, p, PRIO_SIZE - strlen(prio) - 1); token = strtok(NULL, ":"); @@ -293,98 +1026,142 @@ static int ma_gnutls_set_ciphers(gnutls_session_t ssl, char *cipher_str) return gnutls_priority_set_direct(ssl, prio , &err); } -static int ma_tls_set_certs(MYSQL *mysql) +static int ma_tls_load_cert(const char *filename, + enum ma_pem_type type, + const char *password, + void *ptr) +{ + gnutls_datum_t data; + int rc; + + data.data= 0; + + if ((rc= gnutls_load_file(filename, &data)) < 0) + goto error; + + switch(type) { + case MA_TLS_PEM_CERT: + { + gnutls_x509_crt_t cert; + if ((rc= gnutls_x509_crt_init(&cert)) < 0) + goto error; + if ((rc= gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_PEM))) + { + gnutls_x509_crt_deinit(cert); + goto error; + } + *((gnutls_x509_crt_t *)ptr)= cert; + return 0; + } + case MA_TLS_PEM_KEY: + { + gnutls_x509_privkey_t key; + if ((rc= gnutls_x509_privkey_init(&key)) < 0) + goto error; + if ((rc= gnutls_x509_privkey_import2(key, &data, + GNUTLS_X509_FMT_PEM, + password, 0)) < 0) + { + gnutls_x509_privkey_deinit(key); + goto error; + } + *((gnutls_x509_privkey_t *)ptr)= key; + } + default: + break; + } +error: + if (data.data) + gnutls_free(data.data); + return rc; +} + +static int ma_tls_set_certs(MYSQL *mysql, + gnutls_certificate_credentials_t ctx) { int ssl_error= 0; + gnutls_x509_privkey_t key= 0; + gnutls_x509_crt_t cert= 0; if (mysql->options.ssl_ca) { - ssl_error= gnutls_certificate_set_x509_trust_file(GNUTLS_xcred, + ssl_error= gnutls_certificate_set_x509_trust_file(ctx, mysql->options.ssl_ca, GNUTLS_X509_FMT_PEM); if (ssl_error < 0) goto error; } - gnutls_certificate_set_verify_function(GNUTLS_xcred, + gnutls_certificate_set_verify_function(ctx, my_verify_callback); - return 1; + if (mysql->options.ssl_key || mysql->options.ssl_cert) + { + char *keyfile= mysql->options.ssl_key; + char *certfile= mysql->options.ssl_cert; + unsigned char key_id1[65], key_id2[65]; + size_t key_id1_len, key_id2_len; + + if (!certfile) + certfile= keyfile; + else if (!keyfile) + keyfile= certfile; + + if ((ssl_error= ma_tls_load_cert(keyfile, MA_TLS_PEM_KEY, + mysql->options.extension ? + mysql->options.extension->tls_pw : NULL, + &key)) < 0) + goto error; + if ((ssl_error= ma_tls_load_cert(certfile, MA_TLS_PEM_CERT, + NULL, &cert)) < 0) + goto error; + + /* check if private key corresponds to certificate */ + key_id1_len= key_id2_len= sizeof(key_id1); + if ((ssl_error= gnutls_x509_crt_get_key_id(cert, 0, + key_id1, &key_id1_len)) < 0 || + (ssl_error= gnutls_x509_privkey_get_key_id(key, 0, + key_id2, &key_id2_len)) < 0) + goto error; + + if (key_id1_len != key_id2_len || + memcmp(key_id1, key_id2, key_id1_len) != 0) + { + ssl_error= GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + goto error; + } + + /* load cert/key into context */ + if ((ssl_error= gnutls_certificate_set_x509_key(ctx, + &cert, + 1, + key)) < 0) + goto error; + } + -error: return ssl_error; -} - -static int -client_cert_callback(gnutls_session_t session, - const gnutls_datum_t * req_ca_rdn __attribute__((unused)), - int nreqs __attribute__((unused)), - const gnutls_pk_algorithm_t * sign_algos __attribute__((unused)), - int sign_algos_length __attribute__((unused)), - gnutls_pcert_st ** pcert, - unsigned int *pcert_length, gnutls_privkey_t * pkey) -{ - struct st_gnutls_data *session_data; - char *certfile, *keyfile; - gnutls_datum_t data; - MYSQL *mysql; - gnutls_certificate_type_t type= gnutls_certificate_type_get(session); - - session_data= (struct st_gnutls_data *)gnutls_session_get_ptr(session); - - if (!session_data->mysql || - type != GNUTLS_CRT_X509) - return -1; - - mysql= session_data->mysql; - - certfile= session_data->mysql->options.ssl_cert; - keyfile= session_data->mysql->options.ssl_key; - - if (!certfile && !keyfile) - return 0; - if (keyfile && !certfile) - certfile= keyfile; - if (certfile && !keyfile) - keyfile= certfile; - - if (gnutls_load_file(certfile, &data) < 0) - return -1; - if (gnutls_pcert_import_x509_raw(&session_data->cert, &data, GNUTLS_X509_FMT_PEM, 0) < 0) - { - gnutls_free(data.data); - return -1; - } - gnutls_free(data.data); - - if (gnutls_load_file(keyfile, &data) < 0) - return -1; - gnutls_privkey_init(&session_data->key); - if (gnutls_privkey_import_x509_raw(session_data->key, &data, - GNUTLS_X509_FMT_PEM, - mysql->options.extension ? mysql->options.extension->tls_pw : NULL, - 0) < 0) - { - gnutls_free(data.data); - return -1; - } - gnutls_free(data.data); - - *pcert_length= 1; - *pcert= &session_data->cert; - *pkey= session_data->key; - return 0; +error: + if (key) + gnutls_x509_privkey_deinit(key); + if (cert) + gnutls_x509_crt_deinit(cert); + return ssl_error; } void *ma_tls_init(MYSQL *mysql) { gnutls_session_t ssl= NULL; + gnutls_certificate_credentials_t ctx; int ssl_error= 0; struct st_gnutls_data *data= NULL; pthread_mutex_lock(&LOCK_gnutls_config); - if ((ssl_error= ma_tls_set_certs(mysql)) < 0) + if (gnutls_certificate_allocate_credentials(&ctx) != GNUTLS_E_SUCCESS) + goto error; + + if ((ssl_error= ma_tls_set_certs(mysql, ctx)) < 0) goto error; if ((ssl_error = gnutls_init(&ssl, GNUTLS_CLIENT & GNUTLS_NONBLOCK)) < 0) @@ -394,16 +1171,17 @@ void *ma_tls_init(MYSQL *mysql) goto error; data->mysql= mysql; - gnutls_certificate_set_retrieve_function2(GNUTLS_xcred, client_cert_callback); gnutls_session_set_ptr(ssl, (void *)data); - + /* + gnutls_certificate_set_retrieve_function2(GNUTLS_xcred, client_cert_callback); + */ ssl_error= ma_gnutls_set_ciphers(ssl, mysql->options.ssl_cipher); if (ssl_error < 0) goto error; /* we don't load private key and cert by default - if the server requests a client certificate we will send it via callback function */ - if ((ssl_error= gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, GNUTLS_xcred)) < 0) + if ((ssl_error= gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx)) < 0) goto error; pthread_mutex_unlock(&LOCK_gnutls_config); @@ -497,7 +1275,7 @@ my_bool ma_tls_close(MARIADB_TLS *ctls) { if (ctls->ssl) { - MARIADB_PVIO *pvio= ctls->pvio; + gnutls_certificate_credentials_t ctx; struct st_gnutls_data *data= (struct st_gnutls_data *)gnutls_session_get_ptr(ctls->ssl); /* this would be the correct way, however can't dectect afterwards @@ -506,6 +1284,12 @@ my_bool ma_tls_close(MARIADB_TLS *ctls) rc= gnutls_bye((gnutls_session_t )ctls->ssl, GNUTLS_SHUT_WR); */ free_gnutls_data(data); + gnutls_credentials_get(ctls->ssl, GNUTLS_CRD_CERTIFICATE, (void **)&ctx); + gnutls_certificate_free_keys(ctx); + gnutls_certificate_free_cas(ctx); + gnutls_certificate_free_crls(ctx); + gnutls_certificate_free_ca_names(ctx); + gnutls_certificate_free_credentials(ctx); gnutls_deinit((gnutls_session_t )ctls->ssl); ctls->ssl= NULL; } @@ -561,8 +1345,6 @@ static int my_verify_callback(gnutls_session_t ssl) return GNUTLS_E_CERTIFICATE_ERROR; } -// mysql->net.vio->status= status; - if (status & GNUTLS_CERT_INVALID) { return GNUTLS_E_CERTIFICATE_ERROR; diff --git a/libmariadb/secure/openssl.c b/libmariadb/secure/openssl.c index 1b671ae0..2861fbcc 100644 --- a/libmariadb/secure/openssl.c +++ b/libmariadb/secure/openssl.c @@ -49,7 +49,6 @@ extern my_bool ma_tls_initialized; extern unsigned int mariadb_deinitialize_ssl; -static SSL_CTX *SSL_context= NULL; #define MAX_SSL_ERR_LEN 100 @@ -287,8 +286,7 @@ static void disable_sigpipe() #endif /* - Initializes SSL and allocate global - context SSL_context + Initializes SSL SYNOPSIS my_ssl_start @@ -325,22 +323,7 @@ int ma_tls_start(char *errmsg, size_t errmsg_len) SSL_load_error_strings(); /* digests and ciphers */ OpenSSL_add_all_algorithms(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - if (!(SSL_context= SSL_CTX_new(TLS_client_method()))) -#else - if (!(SSL_context= SSL_CTX_new(SSLv23_client_method()))) -#endif - { - ma_tls_get_error(errmsg, errmsg_len); - goto end; - } - SSL_CTX_set_options(SSL_context, SSL_OP_ALL); -#ifdef HAVE_TLS_SESSION_CACHE - SSL_CTX_set_session_cache_mode(SSL_context, SSL_SESS_CACHE_CLIENT); - ma_tls_sessions= (MA_SSL_SESSION *)calloc(1, sizeof(struct st_ma_tls_session) * ma_tls_session_cache_size); - SSL_CTX_sess_set_new_cb(SSL_context, ma_tls_session_cb); - SSL_CTX_sess_set_remove_cb(SSL_context, ma_tls_remove_session_cb); -#endif + disable_sigpipe(); #if OPENSSL_USE_BIOMETHOD memcpy(&ma_BIO_method, BIO_s_socket(), sizeof(BIO_METHOD)); @@ -382,12 +365,6 @@ void ma_tls_end() ma_free((gptr)LOCK_crypto); LOCK_crypto= NULL; #endif - - if (SSL_context) - { - SSL_CTX_free(SSL_context); - SSL_context= NULL; - } if (mariadb_deinitialize_ssl) { #if OPENSSL_VERSION_NUMBER < 0x10100000L @@ -423,6 +400,7 @@ static int ma_tls_set_certs(MYSQL *mysql, SSL *ssl) *keyfile= mysql->options.ssl_key; char *pw= (mysql->options.extension) ? mysql->options.extension->tls_pw : NULL; + SSL_CTX *ctx= SSL_get_SSL_CTX(ssl); /* add cipher */ @@ -432,13 +410,15 @@ static int ma_tls_set_certs(MYSQL *mysql, SSL *ssl) goto error; /* ca_file and ca_path */ - if (SSL_CTX_load_verify_locations(SSL_context, + SSL_CTX_set_verify(ctx, (mysql->options.ssl_ca || mysql->options.ssl_capath)? + SSL_VERIFY_NONE : SSL_VERIFY_NONE, NULL); + if (SSL_CTX_load_verify_locations(ctx, mysql->options.ssl_ca, - mysql->options.ssl_capath) == 0) + mysql->options.ssl_capath) <= 0) { if (mysql->options.ssl_ca || mysql->options.ssl_capath) goto error; - if (SSL_CTX_set_default_verify_paths(SSL_context) == 0) + if (SSL_CTX_set_default_verify_paths(ctx) == 0) goto error; } @@ -450,7 +430,7 @@ static int ma_tls_set_certs(MYSQL *mysql, SSL *ssl) /* set cert */ if (certfile && certfile[0] != 0) { - if (SSL_CTX_use_certificate_chain_file(SSL_context, certfile) != 1 || + if (SSL_CTX_use_certificate_chain_file(ctx, certfile) != 1 || SSL_use_certificate_file(ssl, certfile, SSL_FILETYPE_PEM) != 1) goto error; } @@ -486,7 +466,7 @@ static int ma_tls_set_certs(MYSQL *mysql, SSL *ssl) { X509_STORE *certstore; - if ((certstore= SSL_CTX_get_cert_store(SSL_context))) + if ((certstore= SSL_CTX_get_cert_store(ctx))) { if (X509_STORE_load_locations(certstore, mysql->options.extension->ssl_crl, mysql->options.extension->ssl_crlpath) == 0) @@ -505,12 +485,27 @@ error: void *ma_tls_init(MYSQL *mysql) { SSL *ssl= NULL; + SSL_CTX *ctx= NULL; #ifdef HAVE_TLS_SESSION_CACHE MA_SSL_SESSION *session= ma_tls_get_session(mysql); #endif pthread_mutex_lock(&LOCK_openssl_config); - if (!(ssl= SSL_new(SSL_context))) + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!(ctx= SSL_CTX_new(TLS_client_method()))) +#else + if (!(ctx= SSL_CTX_new(SSLv23_client_method()))) +#endif + goto error; + SSL_CTX_set_options(ctx, SSL_OP_ALL); +#ifdef HAVE_TLS_SESSION_CACHE + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); + ma_tls_sessions= (MA_SSL_SESSION *)calloc(1, sizeof(struct st_ma_tls_session) * ma_tls_session_cache_size); + SSL_CTX_sess_set_new_cb(ctx, ma_tls_session_cb); + SSL_CTX_sess_set_remove_cb(ctx, ma_tls_remove_session_cb); +#endif + + if (!(ssl= SSL_new(ctx))) goto error; if (ma_tls_set_certs(mysql, ssl)) @@ -530,6 +525,8 @@ void *ma_tls_init(MYSQL *mysql) return (void *)ssl; error: pthread_mutex_unlock(&LOCK_openssl_config); + if (ctx) + SSL_CTX_free(ctx); if (ssl) SSL_free(ssl); return NULL; @@ -625,6 +622,9 @@ my_bool ma_tls_close(MARIADB_TLS *ctls) if (!ctls || !ctls->ssl) return 1; ssl= (SSL *)ctls->ssl; + SSL_CTX *ctx= SSL_get_SSL_CTX(ssl); + if (ctx) + SSL_CTX_free(ctx); SSL_set_quiet_shutdown(ssl, 1); /* 2 x pending + 2 * data = 4 */ diff --git a/unittest/libmariadb/bulk1.c b/unittest/libmariadb/bulk1.c index 9454af71..6b083b23 100644 --- a/unittest/libmariadb/bulk1.c +++ b/unittest/libmariadb/bulk1.c @@ -128,26 +128,32 @@ static int bulk2(MYSQL *mysql) { MYSQL_STMT *stmt= mysql_stmt_init(mysql); int rc; - MYSQL_BIND bind; + MYSQL_BIND bind[2]; unsigned int i; unsigned int array_size=1024; char indicator[1024]; + long lval[1024]; rc= mysql_query(mysql, "DROP TABLE IF EXISTS bulk2"); check_mysql_rc(rc, mysql); - rc= mysql_query(mysql, "CREATE TABLE bulk2 (a int default 4)"); + rc= mysql_query(mysql, "CREATE TABLE bulk2 (a int default 4, b default 2)"); check_mysql_rc(rc, mysql); - rc= mysql_stmt_prepare(stmt, "INSERT INTO bulk2 VALUES (?)", -1); + rc= mysql_stmt_prepare(stmt, "INSERT INTO bulk2 VALUES (?,1)", -1); check_stmt_rc(rc, stmt); - memset(&bind, 0, sizeof(MYSQL_BIND)); + memset(bind, 0, 2 * sizeof(MYSQL_BIND)); for (i=0; i < array_size; i++) + { indicator[i]= STMT_INDICATOR_DEFAULT; + lval[i]= i; + } - bind.buffer_type= MYSQL_TYPE_LONG; - bind.u.indicator= indicator; + bind[0].buffer_type= MYSQL_TYPE_LONG; + bind[0].u.indicator= indicator; + bind[1].buffer_type= MYSQL_TYPE_LONG; + bind[1].buffer= &lval; rc= mysql_stmt_attr_set(stmt, STMT_ATTR_ARRAY_SIZE, &array_size); check_stmt_rc(rc, stmt); diff --git a/unittest/libmariadb/certs/ca-cert.pem b/unittest/libmariadb/certs/ca-cert.pem new file mode 100644 index 00000000..e934823e --- /dev/null +++ b/unittest/libmariadb/certs/ca-cert.pem @@ -0,0 +1,78 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 11580370790696127632 (0xa0b5bde0f2c08c90) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB + Validity + Not Before: Apr 25 14:55:05 2015 GMT + Not After : Apr 20 14:55:05 2035 GMT + Subject: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c0:1f:90:7c:2b:c2:ea:01:93:ce:e0:c5:72:e8: + 1c:06:bd:63:4e:b6:d2:c6:00:32:13:27:42:9e:c9: + 3c:91:33:4d:15:90:67:7d:9d:d8:be:9b:12:e2:f6: + 1b:46:81:4a:8b:10:c5:b8:14:53:ab:6a:2c:c3:7f: + 66:87:6c:0e:18:51:4e:9c:93:7a:6d:a1:d4:06:47: + 58:61:a6:04:21:2c:bd:74:7a:e4:68:45:fe:91:fe: + fb:a6:29:47:ec:c5:c3:88:c8:c9:e7:d7:c6:1a:0d: + b8:f5:c5:02:57:25:01:cc:d5:8c:37:46:58:c6:71: + 30:ee:63:38:99:84:5e:9e:3c:af:40:d4:f0:f2:12: + 44:6e:2f:4d:cd:f9:da:4d:0e:1f:a6:fe:35:c3:9d: + 40:08:82:5e:6f:7d:4d:09:16:7d:a1:78:d6:9f:9f: + 44:d6:b1:ad:e7:50:25:1a:f3:4e:16:92:4a:17:5e: + 0b:e1:c8:9f:62:22:c4:e2:01:96:63:ed:37:a2:e5: + 70:b9:dc:c8:8e:c4:fe:00:21:f5:b9:48:c0:43:55: + 4a:d8:0c:9d:ce:d6:60:30:bb:81:31:c8:e9:0e:aa: + 1c:18:3d:e4:10:47:42:17:c0:4d:fb:f5:d9:c2:e4: + 07:33:f7:15:94:63:6d:11:ad:4f:d4:1d:11:41:c1: + e2:dd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C7:2C:01:95:1A:F5:3E:CD:04:A6:24:35:35:04:D9:A7:16:01:2A:79 + X509v3 Authority Key Identifier: + keyid:C7:2C:01:95:1A:F5:3E:CD:04:A6:24:35:35:04:D9:A7:16:01:2A:79 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 40:6f:6a:54:f3:29:30:48:46:bd:da:46:71:64:52:14:a7:c2: + 34:b7:5e:1e:42:3d:e7:47:92:cd:87:e7:9d:5d:1a:82:77:82: + 62:32:d4:9d:b6:44:11:dc:88:78:38:a5:d3:1f:1e:be:c2:d6: + 14:b0:58:35:cd:66:22:43:97:ba:bb:e3:44:4f:9d:75:14:9f: + 6f:37:d3:50:07:09:36:bc:58:92:e8:fe:c0:a8:ba:29:55:65: + e2:6f:8f:ab:a5:1d:4f:56:37:de:c7:b4:39:20:4c:a8:4c:db: + 56:51:12:7e:e7:7f:83:9d:c4:c7:72:8f:6f:83:f0:af:e3:37: + 1c:40:fe:5e:38:26:2f:05:46:a7:0c:a5:81:79:d6:9c:9c:d7: + 56:eb:96:fe:c7:ae:8e:4f:5e:4a:6c:3a:fa:68:be:65:60:a2: + d3:3f:07:76:45:b3:95:3e:11:ef:3a:0e:6f:73:47:4c:90:dd: + 0b:36:b4:22:df:62:8d:58:d2:a6:34:5b:f0:06:5d:cd:bf:52: + fa:ee:9b:4f:e8:79:18:6e:1c:6e:5f:96:10:6d:2f:02:1b:dd: + bf:14:c9:32:3c:83:a5:6e:56:56:78:9d:ce:84:50:a4:df:cc: + b5:a9:b1:ec:09:07:74:02:27:7a:9d:d2:96:a9:80:95:9a:f2: + 8c:e9:ef:99 +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIJAKC1veDywIyQMA0GCSqGSIb3DQEBBQUAMFYxDzANBgNV +BAMMBmNhY2VydDELMAkGA1UEBhMCRkkxETAPBgNVBAgMCEhlbHNpbmtpMREwDwYD +VQQHDAhIZWxzaW5raTEQMA4GA1UECgwHTWFyaWFEQjAeFw0xNTA0MjUxNDU1MDVa +Fw0zNTA0MjAxNDU1MDVaMFYxDzANBgNVBAMMBmNhY2VydDELMAkGA1UEBhMCRkkx +ETAPBgNVBAgMCEhlbHNpbmtpMREwDwYDVQQHDAhIZWxzaW5raTEQMA4GA1UECgwH +TWFyaWFEQjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAfkHwrwuoB +k87gxXLoHAa9Y0620sYAMhMnQp7JPJEzTRWQZ32d2L6bEuL2G0aBSosQxbgUU6tq +LMN/ZodsDhhRTpyTem2h1AZHWGGmBCEsvXR65GhF/pH++6YpR+zFw4jIyefXxhoN +uPXFAlclAczVjDdGWMZxMO5jOJmEXp48r0DU8PISRG4vTc352k0OH6b+NcOdQAiC +Xm99TQkWfaF41p+fRNaxredQJRrzThaSShdeC+HIn2IixOIBlmPtN6LlcLncyI7E +/gAh9blIwENVStgMnc7WYDC7gTHI6Q6qHBg95BBHQhfATfv12cLkBzP3FZRjbRGt +T9QdEUHB4t0CAwEAAaNQME4wHQYDVR0OBBYEFMcsAZUa9T7NBKYkNTUE2acWASp5 +MB8GA1UdIwQYMBaAFMcsAZUa9T7NBKYkNTUE2acWASp5MAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQEFBQADggEBAEBvalTzKTBIRr3aRnFkUhSnwjS3Xh5CPedHks2H +551dGoJ3gmIy1J22RBHciHg4pdMfHr7C1hSwWDXNZiJDl7q740RPnXUUn28301AH +CTa8WJLo/sCouilVZeJvj6ulHU9WN97HtDkgTKhM21ZREn7nf4OdxMdyj2+D8K/j +NxxA/l44Ji8FRqcMpYF51pyc11brlv7Hro5PXkpsOvpovmVgotM/B3ZFs5U+Ee86 +Dm9zR0yQ3Qs2tCLfYo1Y0qY0W/AGXc2/Uvrum0/oeRhuHG5flhBtLwIb3b8UyTI8 +g6VuVlZ4nc6EUKTfzLWpsewJB3QCJ3qd0papgJWa8ozp75k= +-----END CERTIFICATE----- diff --git a/unittest/libmariadb/certs/cacert.pem b/unittest/libmariadb/certs/cacert.pem new file mode 100644 index 00000000..e934823e --- /dev/null +++ b/unittest/libmariadb/certs/cacert.pem @@ -0,0 +1,78 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 11580370790696127632 (0xa0b5bde0f2c08c90) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB + Validity + Not Before: Apr 25 14:55:05 2015 GMT + Not After : Apr 20 14:55:05 2035 GMT + Subject: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c0:1f:90:7c:2b:c2:ea:01:93:ce:e0:c5:72:e8: + 1c:06:bd:63:4e:b6:d2:c6:00:32:13:27:42:9e:c9: + 3c:91:33:4d:15:90:67:7d:9d:d8:be:9b:12:e2:f6: + 1b:46:81:4a:8b:10:c5:b8:14:53:ab:6a:2c:c3:7f: + 66:87:6c:0e:18:51:4e:9c:93:7a:6d:a1:d4:06:47: + 58:61:a6:04:21:2c:bd:74:7a:e4:68:45:fe:91:fe: + fb:a6:29:47:ec:c5:c3:88:c8:c9:e7:d7:c6:1a:0d: + b8:f5:c5:02:57:25:01:cc:d5:8c:37:46:58:c6:71: + 30:ee:63:38:99:84:5e:9e:3c:af:40:d4:f0:f2:12: + 44:6e:2f:4d:cd:f9:da:4d:0e:1f:a6:fe:35:c3:9d: + 40:08:82:5e:6f:7d:4d:09:16:7d:a1:78:d6:9f:9f: + 44:d6:b1:ad:e7:50:25:1a:f3:4e:16:92:4a:17:5e: + 0b:e1:c8:9f:62:22:c4:e2:01:96:63:ed:37:a2:e5: + 70:b9:dc:c8:8e:c4:fe:00:21:f5:b9:48:c0:43:55: + 4a:d8:0c:9d:ce:d6:60:30:bb:81:31:c8:e9:0e:aa: + 1c:18:3d:e4:10:47:42:17:c0:4d:fb:f5:d9:c2:e4: + 07:33:f7:15:94:63:6d:11:ad:4f:d4:1d:11:41:c1: + e2:dd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C7:2C:01:95:1A:F5:3E:CD:04:A6:24:35:35:04:D9:A7:16:01:2A:79 + X509v3 Authority Key Identifier: + keyid:C7:2C:01:95:1A:F5:3E:CD:04:A6:24:35:35:04:D9:A7:16:01:2A:79 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 40:6f:6a:54:f3:29:30:48:46:bd:da:46:71:64:52:14:a7:c2: + 34:b7:5e:1e:42:3d:e7:47:92:cd:87:e7:9d:5d:1a:82:77:82: + 62:32:d4:9d:b6:44:11:dc:88:78:38:a5:d3:1f:1e:be:c2:d6: + 14:b0:58:35:cd:66:22:43:97:ba:bb:e3:44:4f:9d:75:14:9f: + 6f:37:d3:50:07:09:36:bc:58:92:e8:fe:c0:a8:ba:29:55:65: + e2:6f:8f:ab:a5:1d:4f:56:37:de:c7:b4:39:20:4c:a8:4c:db: + 56:51:12:7e:e7:7f:83:9d:c4:c7:72:8f:6f:83:f0:af:e3:37: + 1c:40:fe:5e:38:26:2f:05:46:a7:0c:a5:81:79:d6:9c:9c:d7: + 56:eb:96:fe:c7:ae:8e:4f:5e:4a:6c:3a:fa:68:be:65:60:a2: + d3:3f:07:76:45:b3:95:3e:11:ef:3a:0e:6f:73:47:4c:90:dd: + 0b:36:b4:22:df:62:8d:58:d2:a6:34:5b:f0:06:5d:cd:bf:52: + fa:ee:9b:4f:e8:79:18:6e:1c:6e:5f:96:10:6d:2f:02:1b:dd: + bf:14:c9:32:3c:83:a5:6e:56:56:78:9d:ce:84:50:a4:df:cc: + b5:a9:b1:ec:09:07:74:02:27:7a:9d:d2:96:a9:80:95:9a:f2: + 8c:e9:ef:99 +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIJAKC1veDywIyQMA0GCSqGSIb3DQEBBQUAMFYxDzANBgNV +BAMMBmNhY2VydDELMAkGA1UEBhMCRkkxETAPBgNVBAgMCEhlbHNpbmtpMREwDwYD +VQQHDAhIZWxzaW5raTEQMA4GA1UECgwHTWFyaWFEQjAeFw0xNTA0MjUxNDU1MDVa +Fw0zNTA0MjAxNDU1MDVaMFYxDzANBgNVBAMMBmNhY2VydDELMAkGA1UEBhMCRkkx +ETAPBgNVBAgMCEhlbHNpbmtpMREwDwYDVQQHDAhIZWxzaW5raTEQMA4GA1UECgwH +TWFyaWFEQjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAfkHwrwuoB +k87gxXLoHAa9Y0620sYAMhMnQp7JPJEzTRWQZ32d2L6bEuL2G0aBSosQxbgUU6tq +LMN/ZodsDhhRTpyTem2h1AZHWGGmBCEsvXR65GhF/pH++6YpR+zFw4jIyefXxhoN +uPXFAlclAczVjDdGWMZxMO5jOJmEXp48r0DU8PISRG4vTc352k0OH6b+NcOdQAiC +Xm99TQkWfaF41p+fRNaxredQJRrzThaSShdeC+HIn2IixOIBlmPtN6LlcLncyI7E +/gAh9blIwENVStgMnc7WYDC7gTHI6Q6qHBg95BBHQhfATfv12cLkBzP3FZRjbRGt +T9QdEUHB4t0CAwEAAaNQME4wHQYDVR0OBBYEFMcsAZUa9T7NBKYkNTUE2acWASp5 +MB8GA1UdIwQYMBaAFMcsAZUa9T7NBKYkNTUE2acWASp5MAwGA1UdEwQFMAMBAf8w +DQYJKoZIhvcNAQEFBQADggEBAEBvalTzKTBIRr3aRnFkUhSnwjS3Xh5CPedHks2H +551dGoJ3gmIy1J22RBHciHg4pdMfHr7C1hSwWDXNZiJDl7q740RPnXUUn28301AH +CTa8WJLo/sCouilVZeJvj6ulHU9WN97HtDkgTKhM21ZREn7nf4OdxMdyj2+D8K/j +NxxA/l44Ji8FRqcMpYF51pyc11brlv7Hro5PXkpsOvpovmVgotM/B3ZFs5U+Ee86 +Dm9zR0yQ3Qs2tCLfYo1Y0qY0W/AGXc2/Uvrum0/oeRhuHG5flhBtLwIb3b8UyTI8 +g6VuVlZ4nc6EUKTfzLWpsewJB3QCJ3qd0papgJWa8ozp75k= +-----END CERTIFICATE----- diff --git a/unittest/libmariadb/certs/client-cert.pem b/unittest/libmariadb/certs/client-cert.pem new file mode 100644 index 00000000..cbe8bc2c --- /dev/null +++ b/unittest/libmariadb/certs/client-cert.pem @@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB + Validity + Not Before: Apr 25 14:55:16 2015 GMT + Not After : Apr 20 14:55:16 2035 GMT + Subject: C=FI, ST=Helsinki, L=Helsinki, O=MariaDB, CN=client + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:ce:a0:3d:3c:a4:bb:4f:a1:4f:91:0d:05:ac:5b: + 8a:15:7f:d7:aa:0c:a3:a7:9f:b2:c7:26:9d:65:28: + b1:84:d3:a0:ef:9e:b1:45:0f:33:df:98:6e:71:ff: + 2b:66:9c:9c:c1:25:13:27:42:b6:20:46:e7:e7:47: + a1:88:47:c2:9e:e2:45:25:99:9f:f9:28:1a:9a:13: + 67:5d:3e:b3:b8:fe:40:25:ac:26:49:46:2c:03:43: + 83:67:d8:0f:41:ae:2e:f4:d8:71:60:3c:8e:e7:91: + d0:bb:2c:ca:12:da:71:1a:7b:e3:fa:8c:8f:c3:bb: + 62:55:89:b3:bf:85:45:01:61 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 5A:73:74:8E:14:29:C3:FB:B4:19:0F:97:8F:AA:6F:E1:E1:A8:F7:5B + X509v3 Authority Key Identifier: + keyid:C7:2C:01:95:1A:F5:3E:CD:04:A6:24:35:35:04:D9:A7:16:01:2A:79 + + Signature Algorithm: sha1WithRSAEncryption + 32:42:4b:36:44:a5:6c:fb:70:d8:08:2b:cb:16:34:15:db:39: + 60:7b:7e:b4:4a:bc:fb:e5:16:04:97:0d:eb:f5:68:95:da:2f: + 23:57:4c:c9:29:2b:d1:1b:1b:9f:bd:f4:79:75:df:62:7f:63: + b4:84:7a:95:5c:c4:ee:f3:77:16:e4:0b:8a:5e:c9:64:bd:7c: + 04:50:ac:ff:9a:41:6b:b1:6a:9f:cd:45:10:72:83:10:8a:26: + 1d:7f:6c:84:34:5a:41:79:72:91:ee:87:5d:1d:3a:55:ff:91: + 7e:52:85:ff:42:41:eb:76:56:23:e5:bc:bc:79:b1:aa:4e:4c: + bf:7b:df:63:8b:1a:3c:4b:01:72:89:35:bb:0d:92:97:16:6e: + ae:50:cb:89:ee:c6:7a:d0:d3:32:22:0f:19:33:1e:ee:ff:41: + a5:a1:25:c5:4c:ce:8f:98:4c:b5:2c:1f:ec:cc:f1:21:e2:3a: + ff:7d:6a:87:fe:89:fd:2c:20:3e:fb:9b:b8:c0:f9:09:99:ce: + 45:63:82:09:1c:bb:79:d8:a8:40:21:46:c7:ae:3e:dd:89:9d: + 56:46:4a:f4:ed:7d:5b:a6:1e:a6:1b:26:f9:ec:26:b4:51:3a: + 87:b6:50:13:84:33:22:1a:8a:20:c5:44:64:b8:bb:de:32:ec: + 6b:58:db:17 +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIBAzANBgkqhkiG9w0BAQUFADBWMQ8wDQYDVQQDDAZjYWNl +cnQxCzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVs +c2lua2kxEDAOBgNVBAoMB01hcmlhREIwHhcNMTUwNDI1MTQ1NTE2WhcNMzUwNDIw +MTQ1NTE2WjBWMQswCQYDVQQGEwJGSTERMA8GA1UECAwISGVsc2lua2kxETAPBgNV +BAcMCEhlbHNpbmtpMRAwDgYDVQQKDAdNYXJpYURCMQ8wDQYDVQQDDAZjbGllbnQw +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM6gPTyku0+hT5ENBaxbihV/16oM +o6efsscmnWUosYTToO+esUUPM9+YbnH/K2acnMElEydCtiBG5+dHoYhHwp7iRSWZ +n/koGpoTZ10+s7j+QCWsJklGLANDg2fYD0GuLvTYcWA8jueR0LssyhLacRp74/qM +j8O7YlWJs7+FRQFhAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8W +HU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRac3SOFCnD ++7QZD5ePqm/h4aj3WzAfBgNVHSMEGDAWgBTHLAGVGvU+zQSmJDU1BNmnFgEqeTAN +BgkqhkiG9w0BAQUFAAOCAQEAMkJLNkSlbPtw2AgryxY0Fds5YHt+tEq8++UWBJcN +6/VoldovI1dMySkr0Rsbn730eXXfYn9jtIR6lVzE7vN3FuQLil7JZL18BFCs/5pB +a7Fqn81FEHKDEIomHX9shDRaQXlyke6HXR06Vf+RflKF/0JB63ZWI+W8vHmxqk5M +v3vfY4saPEsBcok1uw2SlxZurlDLie7GetDTMiIPGTMe7v9BpaElxUzOj5hMtSwf +7MzxIeI6/31qh/6J/SwgPvubuMD5CZnORWOCCRy7edioQCFGx64+3YmdVkZK9O19 +W6Yephsm+ewmtFE6h7ZQE4QzIhqKIMVEZLi73jLsa1jbFw== +-----END CERTIFICATE----- diff --git a/unittest/libmariadb/certs/client-key-enc.pem b/unittest/libmariadb/certs/client-key-enc.pem new file mode 100644 index 00000000..5037c6e2 --- /dev/null +++ b/unittest/libmariadb/certs/client-key-enc.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDOoD08pLtPoU+RDQWsW4oVf9eqDKOnn7LHJp1lKLGE06DvnrFF +DzPfmG5x/ytmnJzBJRMnQrYgRufnR6GIR8Ke4kUlmZ/5KBqaE2ddPrO4/kAlrCZJ +RiwDQ4Nn2A9Bri702HFgPI7nkdC7LMoS2nEae+P6jI/Du2JVibO/hUUBYQIDAQAB +AoGAa/FgLFcul3oA9BjmdtVXfMXNp8N0l3QhVFLC9P7eRjK8p5GysA4yHkQmpp0U +UkXMykYRDHiYZqJEMhnEtEowzBmodi7go+gpwAR2eUKwESmJoBhPvqDJAbS/fL5D +H2Wk6FGsdKoPhEpigWefu6ZqlX5GCGa601eMYLMR9i+6bbUCQQDspD4j2q8oihTU +RQt/XpF1l+5ZRHjQOokwRekuHdq0powtNxZ+X3V8Qy8JbDRNCM2YtfKMX4gXAfZp +JWs7HoPvAkEA34doY3AKxZSpXD84m4dnJ0/Ubfk3+tcC1EPYyDJ1DHpfz7fy6aoX +z8TWCQXtSBGaEa9Dgbz+EFXuctLbUR8/rwJACDjIo+xEK69oe9uOQ7WgbiqCMH3N +iMaP36p+KIkHAUHMGwIP+QIODewzpSsqQgbtRcIElFX5X3tE+XBAYoRz5wJAKH3/ +CwRg7ynfBDbvqjz9EsIDWWisG2SXvpwLyThau8fvU1GfT3Tgm2Ks4zWPpl6J6mo1 +cGssGwl2CJbp4+glQQJBAJAwvKufpB+M6OjvKh89GGsCEaV1ENJ41FPcQwJ2pjed +Fcq28ZP59v7bfBH2IkNu3pfEzmvQnmRlTEtXGjNn+i8= +-----END RSA PRIVATE KEY----- diff --git a/unittest/libmariadb/certs/client-key.pem b/unittest/libmariadb/certs/client-key.pem new file mode 100644 index 00000000..5037c6e2 --- /dev/null +++ b/unittest/libmariadb/certs/client-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDOoD08pLtPoU+RDQWsW4oVf9eqDKOnn7LHJp1lKLGE06DvnrFF +DzPfmG5x/ytmnJzBJRMnQrYgRufnR6GIR8Ke4kUlmZ/5KBqaE2ddPrO4/kAlrCZJ +RiwDQ4Nn2A9Bri702HFgPI7nkdC7LMoS2nEae+P6jI/Du2JVibO/hUUBYQIDAQAB +AoGAa/FgLFcul3oA9BjmdtVXfMXNp8N0l3QhVFLC9P7eRjK8p5GysA4yHkQmpp0U +UkXMykYRDHiYZqJEMhnEtEowzBmodi7go+gpwAR2eUKwESmJoBhPvqDJAbS/fL5D +H2Wk6FGsdKoPhEpigWefu6ZqlX5GCGa601eMYLMR9i+6bbUCQQDspD4j2q8oihTU +RQt/XpF1l+5ZRHjQOokwRekuHdq0powtNxZ+X3V8Qy8JbDRNCM2YtfKMX4gXAfZp +JWs7HoPvAkEA34doY3AKxZSpXD84m4dnJ0/Ubfk3+tcC1EPYyDJ1DHpfz7fy6aoX +z8TWCQXtSBGaEa9Dgbz+EFXuctLbUR8/rwJACDjIo+xEK69oe9uOQ7WgbiqCMH3N +iMaP36p+KIkHAUHMGwIP+QIODewzpSsqQgbtRcIElFX5X3tE+XBAYoRz5wJAKH3/ +CwRg7ynfBDbvqjz9EsIDWWisG2SXvpwLyThau8fvU1GfT3Tgm2Ks4zWPpl6J6mo1 +cGssGwl2CJbp4+glQQJBAJAwvKufpB+M6OjvKh89GGsCEaV1ENJ41FPcQwJ2pjed +Fcq28ZP59v7bfBH2IkNu3pfEzmvQnmRlTEtXGjNn+i8= +-----END RSA PRIVATE KEY----- diff --git a/unittest/libmariadb/certs/server-cert.pem b/unittest/libmariadb/certs/server-cert.pem new file mode 100644 index 00000000..1cc1519a --- /dev/null +++ b/unittest/libmariadb/certs/server-cert.pem @@ -0,0 +1,74 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB + Validity + Not Before: Apr 25 14:55:05 2015 GMT + Not After : Apr 20 14:55:05 2035 GMT + Subject: C=FI, ST=state or province within country, in other certificates in this file it is the same as L, L=location, usually an address but often ambiguously used, O=organization name, typically a company name, OU=organizational unit name, a division name within an organization, CN=localhost + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (1024 bit) + Modulus: + 00:aa:e6:54:bd:dd:52:1e:16:f7:24:52:37:58:2b: + a7:af:49:e1:cd:75:2a:18:52:e1:48:f0:59:82:c0: + 7a:d9:66:b3:97:04:b3:77:f4:39:fd:d1:c0:1a:c5: + a6:ab:44:84:d2:17:39:53:25:63:9b:c3:24:78:51: + 5c:77:6b:df:b4:82:1d:e4:43:f4:67:0a:5d:89:a2: + fe:b0:ea:64:3a:1d:9d:49:78:c8:7f:79:a5:cd:45: + 4b:0c:ad:ae:4f:e2:d4:5d:ec:e8:73:06:ed:98:92: + 85:49:b2:9c:31:3b:44:38:5f:bb:5a:f1:68:84:a9: + c3:5b:31:39:d4:47:98:38:55 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + E5:72:8F:57:72:D6:75:63:28:7F:E2:BF:00:B7:1D:B8:AA:FE:94:59 + X509v3 Authority Key Identifier: + keyid:C7:2C:01:95:1A:F5:3E:CD:04:A6:24:35:35:04:D9:A7:16:01:2A:79 + + Signature Algorithm: sha1WithRSAEncryption + 88:44:46:fa:7d:16:ae:9d:16:5b:95:26:03:3c:71:f4:29:3d: + df:cb:f4:14:20:9f:87:24:b4:29:17:2d:7a:12:48:76:ac:00: + 44:26:ba:93:83:ad:58:7e:b7:77:e4:b0:32:0d:e5:dd:fb:cc: + 0e:9b:88:e0:24:82:e4:41:43:47:5a:4e:d3:b4:5b:47:4b:57: + eb:67:02:63:bb:dd:05:12:f5:95:01:0b:89:81:ca:c2:91:14: + 21:9a:9e:c9:84:91:46:35:0e:26:44:1e:91:88:74:4f:fe:d3: + 19:9e:65:fa:46:e2:46:04:ad:91:79:4c:70:1b:68:b2:49:e9: + 6c:f4:58:44:3b:43:15:85:56:64:1b:84:74:49:95:9f:cd:93: + 9d:8e:69:ab:ca:46:97:b6:74:e9:2a:83:85:62:cd:e5:be:c3: + 52:bd:cf:90:cc:60:27:76:ee:1b:3c:da:69:73:e2:11:68:14: + dc:7d:9f:b8:6f:20:a2:0c:b7:8e:33:40:89:d1:a3:89:e2:60: + 6a:ec:b5:9f:e8:c5:55:10:40:b2:95:5e:54:8a:10:8e:d5:90: + d9:98:86:d8:f9:b6:01:41:8c:d7:0d:0e:86:0e:50:6d:a2:64: + 00:2a:91:5e:35:64:15:e3:86:34:3a:39:eb:0f:4f:56:c7:15: + 4c:74:2e:91 +-----BEGIN CERTIFICATE----- +MIIEETCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQUFADBWMQ8wDQYDVQQDDAZjYWNl +cnQxCzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVs +c2lua2kxEDAOBgNVBAoMB01hcmlhREIwHhcNMTUwNDI1MTQ1NTA1WhcNMzUwNDIw +MTQ1NTA1WjCCAUcxCzAJBgNVBAYTAkZJMWEwXwYDVQQIDFhzdGF0ZSBvciBwcm92 +aW5jZSB3aXRoaW4gY291bnRyeSwgaW4gb3RoZXIgY2VydGlmaWNhdGVzIGluIHRo +aXMgZmlsZSBpdCBpcyB0aGUgc2FtZSBhcyBMMUAwPgYDVQQHDDdsb2NhdGlvbiwg +dXN1YWxseSBhbiBhZGRyZXNzIGJ1dCBvZnRlbiBhbWJpZ3VvdXNseSB1c2VkMTQw +MgYDVQQKDCtvcmdhbml6YXRpb24gbmFtZSwgdHlwaWNhbGx5IGEgY29tcGFueSBu +YW1lMUkwRwYDVQQLDEBvcmdhbml6YXRpb25hbCB1bml0IG5hbWUsIGEgZGl2aXNp +b24gbmFtZSB3aXRoaW4gYW4gb3JnYW5pemF0aW9uMRIwEAYDVQQDDAlsb2NhbGhv +c3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKrmVL3dUh4W9yRSN1grp69J +4c11KhhS4UjwWYLAetlms5cEs3f0Of3RwBrFpqtEhNIXOVMlY5vDJHhRXHdr37SC +HeRD9GcKXYmi/rDqZDodnUl4yH95pc1FSwytrk/i1F3s6HMG7ZiShUmynDE7RDhf +u1rxaISpw1sxOdRHmDhVAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN +BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTlco9X +ctZ1Yyh/4r8Atx24qv6UWTAfBgNVHSMEGDAWgBTHLAGVGvU+zQSmJDU1BNmnFgEq +eTANBgkqhkiG9w0BAQUFAAOCAQEAiERG+n0Wrp0WW5UmAzxx9Ck938v0FCCfhyS0 +KRctehJIdqwARCa6k4OtWH63d+SwMg3l3fvMDpuI4CSC5EFDR1pO07RbR0tX62cC +Y7vdBRL1lQELiYHKwpEUIZqeyYSRRjUOJkQekYh0T/7TGZ5l+kbiRgStkXlMcBto +sknpbPRYRDtDFYVWZBuEdEmVn82TnY5pq8pGl7Z06SqDhWLN5b7DUr3PkMxgJ3bu +GzzaaXPiEWgU3H2fuG8gogy3jjNAidGjieJgauy1n+jFVRBAspVeVIoQjtWQ2ZiG +2Pm2AUGM1w0Ohg5QbaJkACqRXjVkFeOGNDo56w9PVscVTHQukQ== +-----END CERTIFICATE----- diff --git a/unittest/libmariadb/certs/server-key.pem b/unittest/libmariadb/certs/server-key.pem new file mode 100644 index 00000000..3125ae88 --- /dev/null +++ b/unittest/libmariadb/certs/server-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQCq5lS93VIeFvckUjdYK6evSeHNdSoYUuFI8FmCwHrZZrOXBLN3 +9Dn90cAaxaarRITSFzlTJWObwyR4UVx3a9+0gh3kQ/RnCl2Jov6w6mQ6HZ1JeMh/ +eaXNRUsMra5P4tRd7OhzBu2YkoVJspwxO0Q4X7ta8WiEqcNbMTnUR5g4VQIDAQAB +AoGAblQWXyBzdBN1Z5BgRF6ieYpj6OT70QoogJMR5lRmutUPma4iQo17pr3znBT/ +nU+1w3/UtTXNEXCwqbA01q/gkbP2PaW/sbHLVow1B7u/o42WW6I3Btnl3ClnCNjD +Mo7/Gj027hhp7mC61r81JeJVh8fJUgxdNqoH7AkDnA+FJAECQQDjIl3k6W2P+bHb +bp+8eyY7ITQbppZh+3hFJKRL7DZKFYL5J6gejiBURnG9DKnhoSP2nqzqdrRhWZhB +ZHr+ciEBAkEAwJ5rMpFoIwRzgPD4Q4iSqHcBbFcJE7dK1XLq6MYUVNQGfDU8pBvI +EocXphpsJ8CbR35dGDY19rmO2LjG3RBDVQJAetRN9Inrjw2YCjNzvKjYTuew1zcq +YghszO94zfoKjdu+PWEdwJBZmVmTDoo3oGXVHfxHRHA3MeISvWJKRSmRAQJAHL9H +9msXJKrEZkkQdFvMr5HbR4UR2LxxUbvt7UGqxSJDuYPkggWXbZR15hdpbuFjC1+D +m1pz4Ve+RwAExfdoZQJBANfmuWtlLU+SMpDG4zOyC7u4dz+TtnEOfDUECFNZtqvU +MWz98MIXAjiBDYU1Z0BrA7b0/FVsPR3t6JZFQWWI2y8= +-----END RSA PRIVATE KEY----- diff --git a/unittest/libmariadb/fetch.c b/unittest/libmariadb/fetch.c index ea6574e5..948ed970 100644 --- a/unittest/libmariadb/fetch.c +++ b/unittest/libmariadb/fetch.c @@ -32,7 +32,7 @@ static int bind_fetch(MYSQL *mysql, int row_count) int32 data[10]; int8 i8_data; int16 i16_data; - long i32_data; + int i32_data; longlong i64_data; float f_data; double d_data; @@ -316,7 +316,7 @@ static int test_fetch_offset(MYSQL *mysql) rc= mysql_stmt_store_result(stmt); check_stmt_rc(rc,stmt); - +diag("truncation: %d", mysql->options.report_data_truncation); rc= mysql_stmt_fetch(stmt); FAIL_UNLESS(rc == MYSQL_DATA_TRUNCATED, "rc != MYSQL_DATA_TRUNCATED"); @@ -567,7 +567,7 @@ static int test_fetch_null(MYSQL *mysql) MYSQL_STMT *stmt; int rc; int i; - long nData= 0; + int nData= 0; MYSQL_BIND my_bind[11]; ulong length[11]; my_bool is_null[11]; diff --git a/unittest/libmariadb/misc.c b/unittest/libmariadb/misc.c index befac8d8..814416d3 100644 --- a/unittest/libmariadb/misc.c +++ b/unittest/libmariadb/misc.c @@ -231,7 +231,6 @@ static int test_frm_bug(MYSQL *mysql) char test_frm[FN_REFLEN]; int rc; - return SKIP; mysql_autocommit(mysql, TRUE); rc= mysql_query(mysql, "drop table if exists test_frm_bug"); diff --git a/unittest/libmariadb/my_test.h b/unittest/libmariadb/my_test.h index f5c7b762..045d2a82 100644 --- a/unittest/libmariadb/my_test.h +++ b/unittest/libmariadb/my_test.h @@ -401,7 +401,7 @@ MYSQL *test_connect(struct my_tests_st *test) MYSQL *mysql; int i= 0; int timeout= 10; - int truncation_report= 1; + my_bool truncation_report= 1; if (!(mysql = mysql_init(NULL))) { diag("%s", "mysql_init failed - exiting"); return(NULL); diff --git a/unittest/libmariadb/ps_bugs.c b/unittest/libmariadb/ps_bugs.c index 58b4a4e3..25d93b8b 100644 --- a/unittest/libmariadb/ps_bugs.c +++ b/unittest/libmariadb/ps_bugs.c @@ -4405,8 +4405,91 @@ static int test_conc198(MYSQL *mysql) return OK; } +static int test_conc205(MYSQL *mysql) +{ + MYSQL_STMT *stmt; + MYSQL_BIND my_bind[3]; + char data[8]; + ulong length[3]; + int rc, int_col; + short smint_col; + my_bool is_null[3]; + const char *query = "SELECT text_col, smint_col, int_col FROM test_conc205"; + + rc= mysql_query(mysql, "drop table if exists test_conc205"); + check_mysql_rc(rc, mysql); + rc= mysql_query(mysql, "CREATE TABLE test_conc205 (text_col TEXT, smint_col SMALLINT, int_col INT)"); + check_mysql_rc(rc, mysql); + rc= mysql_query(mysql, "INSERT INTO test_conc205 VALUES('data01', 21893, 1718038908), ('data2', -25734, -1857802040)"); + check_mysql_rc(rc, mysql); + + stmt= mysql_stmt_init(mysql); + FAIL_IF(!stmt, mysql_error(mysql)); + + rc= mysql_stmt_prepare(stmt, query, (unsigned long)strlen(query)); + check_stmt_rc(rc, stmt); + + memset(my_bind, '\0', sizeof(my_bind)); + my_bind[0].buffer_type= MYSQL_TYPE_STRING; + my_bind[0].buffer= (void *)data; + my_bind[0].buffer_length= sizeof(data); + my_bind[0].is_null= &is_null[0]; + my_bind[0].length= &length[0]; + + my_bind[1].buffer_type= MYSQL_TYPE_SHORT; + my_bind[1].buffer= &smint_col; + my_bind[1].buffer_length= 2; + my_bind[1].is_null= &is_null[1]; + my_bind[1].length= &length[1]; + + my_bind[2].buffer_type= MYSQL_TYPE_LONG; + my_bind[2].buffer= &int_col; + my_bind[2].buffer_length= 4; + my_bind[2].is_null= &is_null[2]; + my_bind[2].length= &length[2]; + + rc= mysql_stmt_execute(stmt); + check_stmt_rc(rc, stmt); + + rc= mysql_stmt_bind_result(stmt, my_bind); + check_stmt_rc(rc, stmt); + + rc= mysql_stmt_fetch(stmt); + check_stmt_rc(rc, stmt); + + FAIL_IF(length[0] != 6, "Wrong fetched string length"); + FAIL_IF(length[1] != 2, "Wrong fetched short length"); + FAIL_IF(length[2] != 4, "Wrong fetched int length"); + + FAIL_IF(strncmp(data, "data01", length[0] + 1) != 0, "Wrong string value"); + FAIL_IF(smint_col != 21893, "Expected 21893"); + FAIL_IF(int_col != 1718038908, "Expected 1718038908"); + + rc= mysql_stmt_fetch(stmt); + check_stmt_rc(rc, stmt); + + FAIL_IF(length[0] != 5, "Wrong fetched string length"); + FAIL_IF(length[1] != 2, "Wrong fetched short length"); + FAIL_IF(length[2] != 4, "Wrong fetched int length"); + + FAIL_IF(strncmp(data, "data2", length[0] + 1) != 0, "Wrong string value"); + FAIL_IF(smint_col != -25734, "Expected 21893"); + FAIL_IF(int_col != -1857802040, "Expected 1718038908"); + + rc= mysql_stmt_fetch(stmt); + FAIL_IF(rc != MYSQL_NO_DATA, "Expected MYSQL_NO_DATA"); + + mysql_stmt_close(stmt); + + rc= mysql_query(mysql, "drop table test_conc205"); + check_mysql_rc(rc, mysql); + + return OK; +} + struct my_tests_st my_tests[] = { + {"test_conc205", test_conc205, TEST_CONNECTION_DEFAULT, 0, NULL, NULL}, {"test_conc198", test_conc198, TEST_CONNECTION_DEFAULT, 0, NULL, NULL}, {"test_conc182", test_conc182, TEST_CONNECTION_DEFAULT, 0, NULL, NULL}, {"test_conc181", test_conc181, TEST_CONNECTION_DEFAULT, 0, NULL, NULL}, diff --git a/unittest/libmariadb/ssl.c.in b/unittest/libmariadb/ssl.c.in index f46f8397..7d477f9c 100644 --- a/unittest/libmariadb/ssl.c.in +++ b/unittest/libmariadb/ssl.c.in @@ -140,7 +140,7 @@ static int test_ssl_cipher(MYSQL *unused __attribute__((unused))) my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); - mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema, port, socketname, 0), mysql_error(my)); @@ -220,7 +220,7 @@ static int test_multi_ssl_connections(MYSQL *unused __attribute__((unused))) mysql[i]= mysql_init(NULL); FAIL_IF(!mysql[i],"mysql_init() failed"); - mysql_ssl_set(mysql[i], 0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(mysql[i], 0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); mysql_real_connect(mysql[i], hostname, ssluser, sslpw, schema, port, socketname, 0); @@ -264,7 +264,7 @@ DWORD WINAPI ssl_thread(void *dummy) { goto end; } - mysql_ssl_set(mysql, 0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(mysql, 0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); if(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, port, socketname, 0)) @@ -352,7 +352,7 @@ static int test_phpbug51647(MYSQL *unused __attribute__((unused))) mysql_ssl_set(mysql, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-key.pem", "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem", - "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); FAIL_IF(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, port, socketname, 0), mysql_error(mysql)); @@ -374,7 +374,7 @@ static int test_password_protected(MYSQL *unused __attribute__((unused))) mysql_ssl_set(mysql, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-key-enc.pem", "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem", - "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); mysql_options(mysql, MARIADB_OPT_TLS_PASSPHRASE, "qwerty"); @@ -418,7 +418,7 @@ static int test_conc50_1(MYSQL *unused __attribute__((unused))) mysql= mysql_init(NULL); FAIL_IF(!mysql, "Can't allocate memory"); - mysql_ssl_set(mysql, NULL, NULL, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", NULL, NULL); + mysql_ssl_set(mysql, NULL, NULL, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, NULL); mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, port, socketname, 0); @@ -486,8 +486,6 @@ static int test_conc50_3(MYSQL *unused __attribute__((unused))) mysql= mysql_init(NULL); FAIL_IF(!mysql, "Can't allocate memory"); - mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); - mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, port, socketname, 0); FAIL_IF(!mysql_errno(mysql), "Error expected, SSL connection required!"); @@ -496,7 +494,7 @@ static int test_conc50_3(MYSQL *unused __attribute__((unused))) mysql= mysql_init(NULL); FAIL_IF(!mysql, "Can't allocate memory"); - mysql_ssl_set(mysql, NULL, NULL, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", NULL, NULL); + mysql_ssl_set(mysql, NULL, NULL, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, NULL); mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, port, socketname, 0); @@ -517,7 +515,7 @@ static int test_conc50_4(MYSQL *unused __attribute__((unused))) mysql= mysql_init(NULL); FAIL_IF(!mysql, "Can't allocate memory"); - mysql_ssl_set(mysql, NULL, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", NULL, NULL, NULL); + mysql_ssl_set(mysql, NULL, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, NULL, NULL); mysql_real_connect(mysql, hostname, ssluser, sslpw, schema, port, socketname, 0); @@ -535,6 +533,9 @@ static int verify_ssl_server_cert(MYSQL *unused __attribute__((unused))) if (check_skip_ssl()) return SKIP; + if (!hostname || !strcmp(hostname, "localhost")) + return SKIP; + mysql= mysql_init(NULL); FAIL_IF(!mysql, "Can't allocate memory"); @@ -619,9 +620,9 @@ DWORD WINAPI thread_conc102(void) mysql_ssl_set(mysql, "@CMAKE_SOURCE_DIR@/unitt/libmariadb/certs/client-key.pem", "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem", - "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", + "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, NULL); - mysql_ssl_set(mysql,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(mysql,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); if(!mysql_real_connect(mysql, hostname, username, password, schema, port, socketname, 0)) @@ -716,7 +717,7 @@ static int test_ssl_fp(MYSQL *unused __attribute__((unused))) my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); - mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print); @@ -752,7 +753,7 @@ static int test_ssl_fp_list(MYSQL *unused __attribute__((unused))) my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); - mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); mysql_options(my, MARIADB_OPT_SSL_FP_LIST, "./fingerprint.list"); @@ -781,7 +782,7 @@ static int test_ssl_version(MYSQL *unused __attribute__((unused))) my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); - mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema, port, socketname, 0), mysql_error(my)); @@ -811,7 +812,7 @@ static int test_schannel_cipher(MYSQL *unused __attribute__((unused))) my= mysql_init(NULL); FAIL_IF(!my, "mysql_init() failed"); - mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", 0, 0); + mysql_ssl_set(my,0, 0, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", 0, 0); mysql_options(my, MARIADB_OPT_TLS_CIPHER_STRENGTH, &cipher_strength); FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema, port, socketname, 0), mysql_error(my)); @@ -849,6 +850,7 @@ static int test_cipher_mapping(MYSQL *unused __attribute__((unused))) MYSQL_RES *res; char c[100]; int rc; + const char *cipher; mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, ciphers[i]); diag("%s", ciphers[i]); @@ -856,12 +858,12 @@ static int test_cipher_mapping(MYSQL *unused __attribute__((unused))) mysql->options.use_ssl= 1; FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema, port, socketname, 0), mysql_error(mysql)); - if (!mysql_get_ssl_cipher(mysql) || - strcmp(ciphers[i], mysql_get_ssl_cipher(mysql)) != 0) + if (!(cipher= mysql_get_ssl_cipher(mysql)) || + strcmp(ciphers[i], cipher) != 0) { - diag("cipher %s failed", ciphers[i]); + diag("cipher %s differs: (%s)", ciphers[i], cipher); mysql_close(mysql); - return FAIL; + goto cont; } else { @@ -875,9 +877,11 @@ static int test_cipher_mapping(MYSQL *unused __attribute__((unused))) if (strcmp(ciphers[i], c) != 0) { diag("expected: %s instead of %s", ciphers[i], c); - return FAIL; + /* depending if server supports ECC, ciphers may differ, + so we don't return failure here */ } } +cont: i++; } return OK; @@ -956,7 +960,7 @@ static int test_openssl_1(MYSQL *mysql) sprintf(query, "grant select on %s.* to 'ssluser3'@'%s' require cipher 'AES256-SHA' AND " - " SUBJECT '/DC=com/DC=example/CN=client'", schema, sslhost); + " SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client'", schema, sslhost); rc= mysql_query(mysql, query); check_mysql_rc(rc, mysql); @@ -971,7 +975,7 @@ static int test_openssl_1(MYSQL *mysql) my= mysql_init(NULL); mysql_ssl_set(my, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-key.pem", "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem", - "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", + "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, "AES256-SHA"); FAIL_IF(!mysql_real_connect(my, hostname, "ssluser3", NULL, schema, @@ -980,7 +984,7 @@ static int test_openssl_1(MYSQL *mysql) mysql_close(my); sprintf(query, "grant select on %s.* to 'ssluser4'@'%s' require cipher 'AES256-SHA' AND " - " ISSUER '/DC=com/DC=example/CN=client'", schema, sslhost); + " ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'", schema, sslhost); rc= mysql_query(mysql, query); check_mysql_rc(rc, mysql); @@ -995,7 +999,7 @@ static int test_openssl_1(MYSQL *mysql) my= mysql_init(NULL); mysql_ssl_set(my, "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-key.pem", "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/client-cert.pem", - "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/ca-cert.pem", + "@CMAKE_SOURCE_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, "AES256-SHA"); FAIL_IF(!mysql_real_connect(my, hostname, "ssluser4", NULL, schema,