
TLS test fix:

We always need to set the verification flag explicitly in the TLS tests, to avoid
failing tests if Connector/C was built with the option
DEFAULT_SSL_VERIFY_SERVER_CERT=OFF
This commit is contained in:
Georg Richter
2024-09-25 08:28:56 +02:00
parent 7cb4b05d99
commit d358547dd0
2 changed files with 26 additions and 12 deletions


@@ -290,6 +290,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
if (mysql->options.ssl_key || mysql->options.ssl_cert || if (mysql->options.ssl_key || mysql->options.ssl_cert ||
mysql->options.ssl_ca || mysql->options.ssl_capath || mysql->options.ssl_ca || mysql->options.ssl_capath ||
mysql->options.ssl_cipher || mysql->options.use_ssl || mysql->options.ssl_cipher || mysql->options.use_ssl ||
mysql->options.extension->tls_fp || mysql->options.extension->tls_fp_list ||
!mysql->options.extension->tls_allow_invalid_server_cert) !mysql->options.extension->tls_allow_invalid_server_cert)
mysql->options.use_ssl= 1; mysql->options.use_ssl= 1;
if (mysql->options.use_ssl) if (mysql->options.use_ssl)
@@ -429,6 +430,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
verify_flags|= MARIADB_TLS_VERIFY_FINGERPRINT; verify_flags|= MARIADB_TLS_VERIFY_FINGERPRINT;
} else { } else {
verify_flags|= MARIADB_TLS_VERIFY_TRUST; verify_flags|= MARIADB_TLS_VERIFY_TRUST;
/* Don't check host name on local (non globally resolvable) addresses */
if (!is_local_connection(mysql->net.pvio)) if (!is_local_connection(mysql->net.pvio))
verify_flags |= MARIADB_TLS_VERIFY_HOST; verify_flags |= MARIADB_TLS_VERIFY_HOST;
} }
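Review bot: The comment added above the is_local_connection() check says when host name verification is skipped but not what that costs: without MARIADB_TLS_VERIFY_HOST, any certificate that chains to a trusted CA is presumably accepted for a local address regardless of its subject or SAN, so a peer on the same network holding any CA-issued certificate would pass. I'd make that explicit, e.g. `/* Don't check host name on local (non globally resolvable) addresses: any cert chaining to a trusted CA is then accepted regardless of its subject/SAN. */`. The first hunk reads as a fail-closed change, since a pinned fingerprint (tls_fp / tls_fp_list) now forces use_ssl on instead of being silently ignored over a plaintext connection, and a one-line comment above the condition saying exactly that would help the next reader. is_local_connection() and the rest of send_client_reply_packet are outside the hunk.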


@@ -37,6 +37,12 @@ with this program; if not, write to the Free Software Foundation, Inc.,
static const char *strong_pwd= "!1_5rd_D%A1$f48Hk1$"; static const char *strong_pwd= "!1_5rd_D%A1$f48Hk1$";
static void set_verify(MYSQL *mysql, my_bool onoff)
{
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &onoff);
return;
}
#define CHECK_TLS_FLAGS(m, flag, text) \ #define CHECK_TLS_FLAGS(m, flag, text) \
{\ {\
unsigned int status;\ unsigned int status;\
@@ -178,6 +184,8 @@ static int set_tls_dummy_options(const char *options)
cinfo.port= tls_dummy_port; cinfo.port= tls_dummy_port;
cinfo.mysql = mysql; cinfo.mysql = mysql;
set_verify(mysql, 1);
if (!(pvio= ma_pvio_init(&cinfo))) if (!(pvio= ma_pvio_init(&cinfo)))
{ {
diag("pvio_init failed"); diag("pvio_init failed");
@@ -209,7 +217,6 @@ static int set_tls_dummy_options(const char *options)
static int test_init(MYSQL *my __attribute__((unused))) static int test_init(MYSQL *my __attribute__((unused)))
{ {
MYSQL *mysql= mysql_init(NULL); MYSQL *mysql= mysql_init(NULL);
my_bool verify= 0;
int rc; int rc;
int ret= FAIL; int ret= FAIL;
MYSQL_RES *result; MYSQL_RES *result;
@@ -221,7 +228,7 @@ static int test_init(MYSQL *my __attribute__((unused)))
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
/* Don't verify peer certificate */ /* Don't verify peer certificate */
mysql_optionsv(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); set_verify(mysql, 0);
FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema, FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 0), mysql_error(my)); port, socketname, 0, 0), mysql_error(my));
@@ -249,13 +256,12 @@ static int test_init(MYSQL *my __attribute__((unused)))
static int test_no_cert_check(MYSQL *my __attribute__((unused))) static int test_no_cert_check(MYSQL *my __attribute__((unused)))
{ {
MYSQL *mysql= mysql_init(NULL); MYSQL *mysql= mysql_init(NULL);
my_bool verify= 0;
/* Force use of TLS */ /* Force use of TLS */
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
/* Don't verify peer certificate */ /* Don't verify peer certificate */
mysql_optionsv(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); set_verify(mysql, 0);
FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema, FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 0), mysql_error(my)); port, socketname, 0, 0), mysql_error(my));
@@ -278,6 +284,7 @@ static int test_conc712(MYSQL *my __attribute__((unused)))
} }
/* Force use of TLS with faked ca, which contains the server /* Force use of TLS with faked ca, which contains the server
certificate */ certificate */
set_verify(mysql, 1);
mysql_ssl_set(mysql, NULL, NULL, "./selfsigned.pem", NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, "./selfsigned.pem", NULL, NULL);
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handshake); mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handshake);
@@ -298,7 +305,6 @@ static int test_fp(MYSQL *my __attribute__((unused)))
{ {
unsigned int hash_size[3] = {256, 384, 512}; unsigned int hash_size[3] = {256, 384, 512};
int i; int i;
my_bool verify= 0;
MYSQL *mysql= mysql_init(NULL); MYSQL *mysql= mysql_init(NULL);
@@ -306,7 +312,7 @@ static int test_fp(MYSQL *my __attribute__((unused)))
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
/* Don't verify peer certificate */ /* Don't verify peer certificate */
mysql_optionsv(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); set_verify(mysql, 0);
FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema, FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 1), mysql_error(my)); port, socketname, 0, 1), mysql_error(my));
@@ -335,7 +341,6 @@ static int test_fp_colon(MYSQL *my __attribute__((unused)))
{ {
unsigned int hash_size[3] = {256, 384, 512}; unsigned int hash_size[3] = {256, 384, 512};
int i; int i;
my_bool verify= 0;
MYSQL *mysql= mysql_init(NULL); MYSQL *mysql= mysql_init(NULL);
char fp[200]; char fp[200];
@@ -344,7 +349,7 @@ static int test_fp_colon(MYSQL *my __attribute__((unused)))
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
/* Don't verify peer certificate */ /* Don't verify peer certificate */
mysql_optionsv(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); set_verify(mysql, 0);
FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema, FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 0), mysql_error(my)); port, socketname, 0, 0), mysql_error(my));
@@ -388,7 +393,6 @@ static int test_fp_colon(MYSQL *my __attribute__((unused)))
static int test_peer_cert_info_fp(MYSQL *my __attribute__((unused))) static int test_peer_cert_info_fp(MYSQL *my __attribute__((unused)))
{ {
MYSQL *mysql= mysql_init(NULL); MYSQL *mysql= mysql_init(NULL);
my_bool verify= 0;
MARIADB_X509_INFO *info; MARIADB_X509_INFO *info;
char old_fp[129] = {0}; char old_fp[129] = {0};
int i; int i;
@@ -398,7 +402,7 @@ static int test_peer_cert_info_fp(MYSQL *my __attribute__((unused)))
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
/* Don't verify peer certificate */ /* Don't verify peer certificate */
mysql_optionsv(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); set_verify(mysql, 0);
FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema, FAIL_IF(!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 0), mysql_error(my)); port, socketname, 0, 0), mysql_error(my));
@@ -458,6 +462,8 @@ static int test_pw_check(MYSQL *my)
rc= mysql_query(my, query); rc= mysql_query(my, query);
check_mysql_rc(rc, my); check_mysql_rc(rc, my);
set_verify(mysql, 1);
diag("expected to pass with self signed"); diag("expected to pass with self signed");
if (!my_test_connect(mysql, hostname, "tlsuser", strong_pwd, NULL, port, socketname, 0, 0)) if (!my_test_connect(mysql, hostname, "tlsuser", strong_pwd, NULL, port, socketname, 0, 0))
{ {
@@ -528,6 +534,7 @@ static int test_cert_expired(MYSQL *my __attribute__((unused)))
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
set_verify(mysql, 1);
if (my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0)) if (my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0))
{ {
@@ -544,6 +551,7 @@ static int test_cert_expired(MYSQL *my __attribute__((unused)))
} }
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
set_verify(mysql, 1);
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
@@ -564,6 +572,7 @@ static int test_wrong_ca(MYSQL *my __attribute__((unused)))
MYSQL *mysql= mysql_init(NULL); MYSQL *mysql= mysql_init(NULL);
mysql_ssl_set(mysql, NULL, NULL, "selfsigned.pem", NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, "selfsigned.pem", NULL, NULL);
set_verify(mysql, 1);
if (my_test_connect(mysql, hostname, "tlsuser", "foo", NULL, port, socketname, 0, 0)) if (my_test_connect(mysql, hostname, "tlsuser", "foo", NULL, port, socketname, 0, 0))
{ {
diag("self signed error expected"); diag("self signed error expected");
@@ -586,6 +595,7 @@ static int test_crl(MYSQL *my __attribute__((unused)))
} }
mysql= mysql_init(NULL); mysql= mysql_init(NULL);
set_verify(mysql, 1);
mysql_optionsv(mysql, MYSQL_OPT_SSL_CRL, "@CC_BINARY_DIR@/unittest/libmariadb/certs/server-cert.crl"); mysql_optionsv(mysql, MYSQL_OPT_SSL_CRL, "@CC_BINARY_DIR@/unittest/libmariadb/certs/server-cert.crl");
mysql_ssl_set(mysql, NULL, NULL, "@CC_BINARY_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, "@CC_BINARY_DIR@/unittest/libmariadb/certs/cacert.pem", NULL, NULL);
@@ -667,6 +677,7 @@ static int test_cert_wildcard(MYSQL *my __attribute((unused)))
return FAIL; return FAIL;
} }
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
set_verify(mysql, 1);
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_wildcard_callback); mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_wildcard_callback);
if (!my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0)) if (!my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0))
@@ -688,6 +699,7 @@ static int test_cert_wildcard(MYSQL *my __attribute((unused)))
return FAIL; return FAIL;
} }
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL); mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
set_verify(mysql, 1);
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_wildcard_callback); mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_wildcard_callback);
if (!my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0)) if (!my_test_connect(mysql, tls_dummy_host, "tlsuser", "foo", NULL, tls_dummy_port, NULL, 0, 0))
@@ -712,6 +724,7 @@ static int test_env_var(MYSQL *my __attribute__((unused)))
#else #else
setenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION", "1", 1); setenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION", "1", 1);
#endif #endif
set_verify(mysql, 1);
if (!my_test_connect(mysql, hostname, username, password, schema, if (!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 0)) port, socketname, 0, 0))
@@ -747,10 +760,9 @@ static int test_fp_and_verify(MYSQL *my __attribute__((unused)))
#ifndef HAVE_SCHANNEL #ifndef HAVE_SCHANNEL
unsigned int status; unsigned int status;
#endif #endif
my_bool verify= 1;
mysql_options(mysql, MARIADB_OPT_SSL_FP, fingerprint); mysql_options(mysql, MARIADB_OPT_SSL_FP, fingerprint);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify); set_verify(mysql, 1);
if (!my_test_connect(mysql, hostname, username, password, schema, if (!my_test_connect(mysql, hostname, username, password, schema,
port, socketname, 0, 0)) port, socketname, 0, 0))
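Review bot: The `set_verify(mysql, 1);` added in test_env_var right after setenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION", "1", 1) appears to make the test assert that an environment variable silently overrides an explicit in-code request for peer verification (the branch after the connect is outside the hunk), which is a security-relevant precedence the test does not document. I'd add a comment above the connect such as `/* The env var must override an explicit verify=1; this is a deliberate operator escape hatch and the test pins it. */`, and, if CHECK_TLS_FLAGS can express it, also assert that the resulting connection reports no verification so that a regression which starts honouring verify=1 is not mistaken for a pass. Separately, the new set_verify() helper drops the return value of mysql_options() and ends with a redundant `return;`; declaring it `static int` and writing `return mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &onoff);` would let callers check that the option was actually applied. test_env_var's body continues outside the hunk.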