diff --git a/include/ma_common.h b/include/ma_common.h
index 48b893fc..b88ef8a9 100644
--- a/include/ma_common.h
+++ b/include/ma_common.h
@@ -88,7 +88,7 @@ struct st_mysql_options_extension {
 void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...);
 void *status_data;
 my_bool tls_allow_invalid_server_cert;
- my_bool (*tls_verification_callback)(MYSQL *mysql, unsigned int *verification_flags, my_bool verified);
+ int (*tls_verification_callback)(MARIADB_TLS *ctls, unsigned int flags);
 };
 
 typedef struct st_connection_handler
diff --git a/libmariadb/ma_tls.c b/libmariadb/ma_tls.c
index 408f558e..26951b4b 100644
--- a/libmariadb/ma_tls.c
+++ b/libmariadb/ma_tls.c
@@ -119,17 +119,7 @@ int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
 return 0;
 }
 
- if (mysql->options.extension->tls_verification_callback &&
- mysql->options.extension->tls_verification_callback(mysql, &flags, 0))
- rc= 1;
- else {
- rc= ma_tls_verify_server_cert(ctls, flags);
- if (mysql->options.extension->tls_verification_callback &&
- mysql->options.extension->tls_verification_callback(mysql, &flags, 1))
- {
- rc= 1;
- }
- }
+ rc= ma_tls_verify_server_cert(ctls, flags);
 
 /* Set error messages */
 if (!mysql->net.last_errno)
diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
index 6ac20c94..47d5c706 100644
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -1318,6 +1318,7 @@ mysql_init(MYSQL *mysql)
 mysql->extension->auto_local_infile= ENABLED_LOCAL_INFILE == LOCAL_INFILE_MODE_AUTO ? WAIT_FOR_QUERY : ALWAYS_ACCEPT;
 mysql->options.reconnect= 0;
+ mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, ma_pvio_tls_verify_server_cert);
 return mysql;
 error:
 if (mysql->free_me)
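Review bot: The new `tls_verification_callback` field is typed `int (*)(MARIADB_TLS *, unsigned int)`, but the two callbacks this commit installs through it (`tls_abort_after_handshake` and `tls_wildcard_callback` in unittest/libmariadb/tls.c.in) are declared with a `my_bool` return type; since `my_bool` is not `int`, calling them through this pointer is a call through an incompatible function type, which C11 6.3.2.3p8 leaves undefined even when the value happens to fit. Declare the test callbacks `static int`, or change the field to the callbacks' type — whichever matches `ma_pvio_tls_verify_server_cert`, the default this commit assigns. The field also carries no description of its contract, and my_auth.c treats any non-zero result as a rejected connection, so a comment such as `/* Verifies the peer certificate after the TLS handshake; return 0 on success, non-zero to reject. NULL selects the built-in ma_pvio_tls_verify_server_cert. */` would document it where users of the struct look. The enclosing struct starts before the hunk.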
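Review bot: With the callback dispatch removed, `ma_pvio_tls_verify_server_cert` has become the built-in implementation of `tls_verification_callback` rather than the place that invokes it, and nothing in or around the function records that role change. A comment above the definition — which begins before this hunk — along the lines of `/* Default MARIADB_OPT_TLS_VERIFICATION_CALLBACK: runs the library's certificate checks, sets tls_verify_status and the error message, and returns non-zero on failure. Custom callbacks may call it to reuse the built-in checks. */` would tell the next reader why a function with this name no longer consults the option. I infer the "sets the error message" part from the `/* Set error messages */` block that follows; confirm it holds on every path before quoting it.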
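Review bot: The return value of `mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, ma_pvio_tls_verify_server_cert)` in `mysql_init` is ignored; if `OPT_SET_EXTENDED_VALUE` can fail here (for instance when it has to allocate `options.extension` on this first extended option), the callback stays NULL and the unguarded call added in plugins/auth/my_auth.c becomes a null function-pointer call during the TLS handshake. Route the failure to the cleanup label that is already in the hunk: `if (mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, ma_pvio_tls_verify_server_cert)) goto error;` (check that the `error:` path leaves a usable error code for the caller). Since the `mysql_optionsv` hunk in this same file already maps a NULL argument to `ma_pvio_tls_verify_server_cert`, passing `NULL` here would keep the knowledge of the default in one place instead of two. `mysql_init` starts before the hunk.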
@@ -3854,7 +3855,12 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
 OPT_SET_EXTENDED_VALUE_INT(&mysql->options, bulk_unit_results, *(my_bool *)arg1);
 break;
 case MARIADB_OPT_TLS_VERIFICATION_CALLBACK:
- OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, arg1);
+ if (!arg1)
+ {
+ OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, ma_pvio_tls_verify_server_cert);
+ } else {
+ OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, arg1);
+ }
 break;
 default:
 va_end(ap);
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
index 61d8cb85..3f466b17 100644
--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -433,7 +433,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 verify_flags |= MARIADB_TLS_VERIFY_HOST;
 }
 
- if (ma_pvio_tls_verify_server_cert(mysql->net.pvio->ctls, verify_flags))
+ if (mysql->options.extension->tls_verification_callback(mysql->net.pvio->ctls, verify_flags))
 {
 /* Save original verification result */
 mysql->extension->tls_validation= mysql->net.tls_verify_status;
diff --git a/unittest/libmariadb/my_test.h b/unittest/libmariadb/my_test.h
index f7d08a6b..d31bd4d1 100644
--- a/unittest/libmariadb/my_test.h
+++ b/unittest/libmariadb/my_test.h
@@ -664,7 +664,6 @@ MYSQL *my_test_connect(MYSQL *mysql,
 mysql_get_optionv(mysql, MARIADB_OPT_SSL_FP, &have_fp);
 if (fingerprint[0] && auto_fingerprint)
 {
- printf("setting fingerprint\n");
 mysql_options(mysql, MARIADB_OPT_SSL_FP, fingerprint);
 }
 if (!mysql_real_connect(mysql, host, user, passwd, db, port, unix_socket, clientflag))
diff --git a/unittest/libmariadb/tls.c.in b/unittest/libmariadb/tls.c.in
index 691d0ded..220b2979 100644
--- a/unittest/libmariadb/tls.c.in
+++ b/unittest/libmariadb/tls.c.in
@@ -35,6 +35,8 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 #include
 #endif
 
+static const char *strong_pwd= "!1_5rd_D%A1$f48Hk1$";
+
 #define CHECK_TLS_FLAGS(m, flag, text) \
 {\
 unsigned int status;\
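Review bot: The call `mysql->options.extension->tls_verification_callback(mysql->net.pvio->ctls, verify_flags)` in `send_client_reply_packet` has no NULL guard, while the line it replaces called `ma_pvio_tls_verify_server_cert` directly and could not fail that way; the pointer is only set if the `mysql_optionsv` call added to `mysql_init` succeeded and nothing has reset `options.extension` since, which I cannot verify from this diff. Because this is the certificate-verification decision for the connection, a crash or a skipped check here is worse than a few extra characters, so fall back to the built-in verifier when the pointer is unset: `int (*verify)(MARIADB_TLS *, unsigned int)= mysql->options.extension->tls_verification_callback;` followed by `if ((verify ? verify : ma_pvio_tls_verify_server_cert)(mysql->net.pvio->ctls, verify_flags))`. `send_client_reply_packet` begins before and continues after the hunk.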
@@ -101,17 +103,17 @@ static my_bool ignore_self_signed_cert_error(MYSQL *mysql)
 return FALSE;
 }
 
-static my_bool tls_abort_after_handhake_cb(MYSQL *mysql, unsigned int *flags __attribute((unused)), my_bool verified)
+static my_bool tls_abort_after_handshake(MARIADB_TLS *ctls, unsigned int flags)
 {
- if (verified)
- {
- mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
- my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
- ER(CR_SSL_CONNECTION_ERROR),
- "Certificate verification aborted by callback");
- return 1;
- }
- return 0;
+ MYSQL *mysql= ctls->pvio->mysql;
+
+ ma_pvio_tls_verify_server_cert(ctls, flags);
+
+ mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
+ my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+ ER(CR_SSL_CONNECTION_ERROR),
+ "Certificate verification aborted.");
+ return 1;
 }
 
 static int test_start_tls_server(MYSQL *my __attribute__((unused)))
@@ -212,7 +214,6 @@ static int test_init(MYSQL *my __attribute__((unused)))
 int ret= FAIL;
 MYSQL_RES *result;
 MYSQL_ROW row;
- char query[1024];
 
 diag("test_init");
 
@@ -241,14 +242,6 @@ static int test_init(MYSQL *my __attribute__((unused)))
 
 ret= OK;
 
- sprintf(query, "CREATE OR REPLACE USER 'tls_user1'@'%s' IDENTIFIED BY 'tls_password'", hostname);
- rc= mysql_query(mysql, query);
- check_mysql_rc(rc, mysql);
-
- sprintf(query, "CREATE OR REPLACE USER 'tls_user2'@'%s'", hostname);
- rc= mysql_query(mysql, query);
- check_mysql_rc(rc, mysql);
-
 mysql_close(mysql);
 return ret;
 }
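Review bot: The result of `ma_pvio_tls_verify_server_cert(ctls, flags)` in `tls_abort_after_handshake` is discarded and nothing says that this is deliberate; the function then sets MARIADB_TLS_VERIFY_ERROR unconditionally, so the call can only matter for its side effects (presumably the verify-status bits and error message that my_auth.c saves afterwards — confirm). A one-line comment above the call, `/* run the built-in checks for their side effects only; this test rejects the connection regardless of the result */`, would keep a later reader from "fixing" it into a conditional and changing what the test exercises. The same unchecked call appears in `tls_wildcard_callback` at the end of this file and deserves the same comment.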
@@ -286,7 +279,7 @@ static int test_conc712(MYSQL *my __attribute__((unused)))
 
 /* Force use of TLS with faked ca, which contains the server certificate */
 mysql_ssl_set(mysql, NULL, NULL, "./selfsigned.pem", NULL, NULL);
- mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handhake_cb);
+ mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handshake);
 
 if (my_test_connect(mysql, tls_dummy_host, username, password, schema,
 tls_dummy_port, socketname, 0, 0))
@@ -461,12 +454,12 @@ static int test_pw_check(MYSQL *my)
 int ret= FAIL;
 
 /* connect with password */
- sprintf(query, "CREATE OR REPLACE USER '%s'@'%s' IDENTIFIED BY '%s'", "tlsuser", this_host, "mypw");
+ sprintf(query, "CREATE OR REPLACE USER '%s'@'%s' IDENTIFIED BY '%s'", "tlsuser", this_host, strong_pwd);
 rc= mysql_query(my, query);
 check_mysql_rc(rc, my);
 
 diag("expected to pass with self signed");
- if (!my_test_connect(mysql, hostname, "tlsuser", "mypw", NULL, port, socketname, 0, 0))
+ if (!my_test_connect(mysql, hostname, "tlsuser", strong_pwd, NULL, port, socketname, 0, 0))
 {
 /* We connected to a pre 11.4 server, so skip further tests */
 CHECK_TLS_FLAGS(mysql, MARIADB_TLS_VERIFY_TRUST, "trust validation flag not set");
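Review bot: `strong_pwd` is spliced verbatim into a single-quoted SQL literal by `sprintf` in `test_pw_check`, so the constant must never contain `'` or `\` and the statement must fit `query` (declared outside the hunk), yet neither constraint is recorded next to the value. The current string is fine — its `%` is harmless because it is passed as an argument, not as the format — but the next person to "strengthen" the password will not know the rules, so either add `/* embedded unescaped in CREATE USER statements: keep free of quote and backslash characters */` at the definition, or build the statement with `snprintf(query, sizeof query, ...)` and check for truncation. `test_pw_check` starts before and continues after the hunk.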
@@ -646,21 +639,22 @@ static int stop_tls_server(MYSQL *my __attribute__((unused)))
 return OK;
 }
 
-static my_bool tls_wildcard_callback(MYSQL *mysql, unsigned int *flags, my_bool verified)
+static my_bool tls_wildcard_callback(MARIADB_TLS *ctls, unsigned int flags)
 {
- if (!verified)
- {
- free(mysql->host);
- mysql->host= strdup("test.example.com");
- *flags= MARIADB_TLS_VERIFY_HOST;
- return 0;
- }
+ MYSQL *mysql= ctls->pvio->mysql;
+
+ free(mysql->host);
+ mysql->host= strdup("test.example.com");
+ flags= MARIADB_TLS_VERIFY_HOST;
+
+ ma_pvio_tls_verify_server_cert(ctls, flags);
+
 /* Indicate error, since the dummy server can't handle further client server communication after TLS handshake */
 mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
 my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
 ER(CR_SSL_CONNECTION_ERROR),
- "Certificate verification aborted by callback");
+ "Certificate verification aborted.");
 return 1;
 }