From c9c40a37a4ade2f688997cebacf3aa7e7f7bb091 Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Tue, 9 Jan 2018 18:13:54 +0100
Subject: [PATCH] TLS/SSL fixes:
- don't run fingerprint and passphrase protected tests if the corresponding files (sha1 and encrypted client key) are not found in CERT_PATH
- don't overwrite SSL errors if handshake failed
- Use gnutls read/write instead of pvio
---
 libmariadb/secure/gnutls.c | 6 ++++++
 plugins/auth/my_auth.c | 7 ++++++-
 unittest/libmariadb/CMakeLists.txt | 10 ++++++++--
 unittest/libmariadb/ssl.c.in | 10 +++++++++-
 4 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c
index 3fea3603..cbacb14a 100644
--- a/libmariadb/secure/gnutls.c
+++ b/libmariadb/secure/gnutls.c
@@ -1229,6 +1229,7 @@ error:
 return NULL;
 }
+#ifdef GNUTLS_EXTERNAL_TRANSPORT
 ssize_t ma_tls_push(gnutls_transport_ptr_t ptr, const void* data, size_t len)
 {
 MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
@@ -1248,6 +1249,7 @@ static int ma_tls_pull_timeout(gnutls_transport_ptr_t ptr, unsigned int ms)
 MARIADB_PVIO *pvio= (MARIADB_PVIO *)ptr;
 return pvio->methods->wait_io_or_timeout(pvio, 0, ms);
 }
+#endif
 my_bool ma_tls_connect(MARIADB_TLS *ctls)
 {
@@ -1269,12 +1271,16 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
 if (!(blocking= pvio->methods->is_blocking(pvio)))
 pvio->methods->blocking(pvio, TRUE, 0);
+#ifdef GNUTLS_EXTERNAL_TRANSPORT
 /* we don't use GnuTLS read/write functions */
 gnutls_transport_set_ptr(ssl, pvio);
 gnutls_transport_set_push_function(ssl, ma_tls_push);
 gnutls_transport_set_pull_function(ssl, ma_tls_pull);
 gnutls_transport_set_pull_timeout_function(ssl, ma_tls_pull_timeout);
 gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]);
+#else
+ gnutls_transport_set_int(ssl, mysql_get_socket(mysql));
+#endif
 do {
 ret = gnutls_handshake(ssl);
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
index c89f03c7..7f754523 100644
--- a/plugins/auth/my_auth.c
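Review bot: GNUTLS_EXTERNAL_TRANSPORT is not defined anywhere in this patch, so as far as the diff shows the `#ifdef` placed here around ma_tls_push, ma_tls_pull and ma_tls_pull_timeout (closed by the `#endif` in the next hunk) turns the pvio transport into dead code in the default build. If the macro is meant as a build option, a comment above the `#ifdef` should say where it is set and why the pvio path is kept, e.g. `/* GNUTLS_EXTERNAL_TRANSPORT: route GnuTLS I/O through pvio instead of the raw socket (not set by default) */`; if it is not, removing the code is clearer than hiding it. ma_tls_push is non-static, so a header declaration of it, if one exists, would now have no definition in the default build — worth checking.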
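Review bot: In the new `#else` branch the handshake runs without a timeout: `gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT])` stays inside the `#ifdef` block, and the socket has just been switched to blocking mode, so in the default build a peer that accepts the TCP connection but never completes the TLS handshake leaves `gnutls_handshake(ssl)` blocked with no bound. Move the call below the `#endif` so both transports honour the connect timeout: `gnutls_handshake_set_timeout(ssl, pvio->timeout[PVIO_CONNECT_TIMEOUT]);`. The `mysql` handle passed to `mysql_get_socket(mysql)` is not declared in the hunk; presumably it is obtained from pvio earlier in ma_tls_connect — confirm it is set before this point. ma_tls_connect's body continues outside the hunk.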
+++ b/plugins/auth/my_auth.c
@@ -408,7 +408,12 @@ static int client_mpvio_write_packet(struct st_plugin_vio *mpv,
 res= 1; /* no chit-chat in embedded */
 else
 res= ma_net_write(net, (unsigned char *)pkt, pkt_len) || ma_net_flush(net);
- if (res)
+ }
+
+ if (res)
+ {
+ /* don't overwrite errors */
+ if (!mysql_errno(mpvio->mysql))
 my_set_error(mpvio->mysql, CR_SERVER_LOST, SQLSTATE_UNKNOWN,
 ER(CR_SERVER_LOST_EXTENDED),
 "sending authentication information",
diff --git a/unittest/libmariadb/CMakeLists.txt b/unittest/libmariadb/CMakeLists.txt
index f7793a94..92bd442b 100644
--- a/unittest/libmariadb/CMakeLists.txt
+++ b/unittest/libmariadb/CMakeLists.txt
@@ -38,8 +38,14 @@ SET(MANUAL_TESTS "t_aurora" "t_conc173")
 # Get finger print from server certificate
 IF(WITH_SSL)
 IF(CERT_PATH)
- FILE(READ ${CERT_PATH}/server-cert.sha1 CERT_FINGER_PRINT)
- STRING(REPLACE "\n" "" CERT_FINGER_PRINT "${CERT_FINGER_PRINT}")
+ IF(EXISTS ${CERT_PATH}/server-cert.sha1)
+ FILE(READ ${CERT_PATH}/server-cert.sha1 CERT_FINGER_PRINT)
+ STRING(REPLACE "\n" "" CERT_FINGER_PRINT "${CERT_FINGER_PRINT}")
+ ADD_DEFINITIONS(-DTEST_SSL_SHA1)
+ ENDIF()
+ IF(EXISTS ${CERT_PATH}/client-key-enc.pem)
+ ADD_DEFINITIONS(-DTEST_SSL_PASSPHRASE)
+ ENDIF()
 SET(API_TESTS ${API_TESTS} "ssl")
 IF(WIN32)
 STRING(REPLACE "\\" "\\\\" CERT_PATH ${CERT_PATH})
diff --git a/unittest/libmariadb/ssl.c.in b/unittest/libmariadb/ssl.c.in
index c0b4c362..48d61051 100644
--- a/unittest/libmariadb/ssl.c.in
+++ b/unittest/libmariadb/ssl.c.in
@@ -394,6 +394,10 @@ static int test_password_protected(MYSQL *unused __attribute__((unused)))
 if (check_skip_ssl())
 return SKIP;
+#ifndef TEST_SSL_PASSPHRASE
+ return SKIP;
+#endif
+
 mysql= mysql_init(NULL);
 FAIL_IF(!mysql, "Can't allocate memory");
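Review bot: The new `if (!mysql_errno(mpvio->mysql))` guard keeps a more specific earlier error (the commit message names a failed TLS handshake) from being replaced by the generic CR_SERVER_LOST, but it also relies on the handle's error state being clear when authentication starts: an error left on the handle from before the connect sequence would now suppress the CR_SERVER_LOST report entirely. The one-line comment should record that assumption, e.g. `/* keep the more specific error already set (e.g. TLS handshake failure); assumes the error state was cleared at connect start */`. Note also that `if (res)` now covers the first-packet branch as well as the `ma_net_write` branch, since the added `}` closes the else block above it — presumably intended, but worth a word in the commit. client_mpvio_write_packet's body continues outside the hunk.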
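Review bot: `IF(EXISTS ${CERT_PATH}/server-cert.sha1)` and the `FILE(READ …)` below it leave the path unquoted, so a CERT_PATH containing a space is split into several arguments and the existence test quietly fails — the SSL tests then skip instead of surfacing a configuration problem; quote the path, `IF(EXISTS "${CERT_PATH}/server-cert.sha1")`, and likewise in the `client-key-enc.pem` check. `STRING(REPLACE "\n" "" …)` only strips LF, so a fingerprint file with CRLF line endings leaves a trailing `\r` in CERT_FINGER_PRINT, which presumably makes the fingerprint comparison in the ssl test fail; `STRING(STRIP "${CERT_FINGER_PRINT}" CERT_FINGER_PRINT)` covers both endings. Since TEST_SSL_SHA1 is now only defined when the file exists, a short comment stating that the ssl test reads this define would help the next reader connect the two files.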
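Review bot: The `#ifndef TEST_SSL_PASSPHRASE` / `return SKIP;` path skips test_password_protected silently, whereas the fingerprint test in the next hunk reports `diag("No fingerprint available")` when it cannot run; from the TAP output a missing client-key-enc.pem is indistinguishable from a deliberate skip. Add `diag("client-key-enc.pem not found in CERT_PATH at configure time");` before the `return SKIP;` inside the `#ifndef`. Placing the guard ahead of `mysql_init` is right, as nothing has been allocated yet. test_password_protected's body continues outside the hunk.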
@@ -785,10 +789,14 @@ static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
 static int test_ssl_fp_list(MYSQL *unused __attribute__((unused)))
 {
 MYSQL *my;
-
+
 if (check_skip_ssl())
 return SKIP;
+#ifndef TEST_SSL_SHA1
+ return SKIP;
+#endif
+
 if (!ssl_cert_finger_print[0])
 {
 diag("No fingerprint available");
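Review bot: The new `#ifndef TEST_SSL_SHA1` guard in test_ssl_fp_list sits directly above the existing runtime check `if (!ssl_cert_finger_print[0])`, which already handles the no-fingerprint case with a diagnostic, so the compile-time skip is redundant here unless `ssl_cert_finger_print` is itself only populated under TEST_SSL_SHA1 — the hunk does not show how it is filled. If the guard stays, a comment such as `/* fingerprint file absent at configure time, see unittest CMakeLists.txt */` would explain why two checks exist. The hunk header names test_ssl_fp as the preceding function; if that test also depends on the fingerprint it appears not to receive the same guard — worth confirming. test_ssl_fp_list's body continues outside the hunk.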