Simplify tls_verification_callback

include/ma_common.h

@@ -88,7 +88,7 @@ struct st_mysql_options_extension {
   void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...);
   void *status_data;
   my_bool tls_allow_invalid_server_cert;
-  my_bool (*tls_verification_callback)(MYSQL *mysql, unsigned int *verification_flags, my_bool verified);
+  int (*tls_verification_callback)(MARIADB_TLS *ctls, unsigned int flags);
 };
 
 typedef struct st_connection_handler

libmariadb/ma_tls.c

@@ -119,17 +119,7 @@ int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
     return 0;
   }
 
-  if (mysql->options.extension->tls_verification_callback &&
+  rc= ma_tls_verify_server_cert(ctls, flags);
-      mysql->options.extension->tls_verification_callback(mysql, &flags, 0))
-    rc= 1;
-  else {
-    rc= ma_tls_verify_server_cert(ctls, flags);
-    if (mysql->options.extension->tls_verification_callback &&
-        mysql->options.extension->tls_verification_callback(mysql, &flags, 1))
-    {
-      rc= 1;
-    }
-  }
 
   /* Set error messages */
   if (!mysql->net.last_errno)

libmariadb/mariadb_lib.c

@@ -1318,6 +1318,7 @@ mysql_init(MYSQL *mysql)
   mysql->extension->auto_local_infile= ENABLED_LOCAL_INFILE == LOCAL_INFILE_MODE_AUTO
                                        ? WAIT_FOR_QUERY : ALWAYS_ACCEPT;
   mysql->options.reconnect= 0;
+  mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, ma_pvio_tls_verify_server_cert);
   return mysql;
 error:
   if (mysql->free_me)
@@ -3854,7 +3855,12 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
     OPT_SET_EXTENDED_VALUE_INT(&mysql->options, bulk_unit_results, *(my_bool *)arg1);
     break;
   case MARIADB_OPT_TLS_VERIFICATION_CALLBACK:
-    OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, arg1);
+    if (!arg1)
+    {
+      OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, ma_pvio_tls_verify_server_cert);
+    } else {
+      OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, arg1);
+    }
     break;
   default:
     va_end(ap);

plugins/auth/my_auth.c

@@ -433,7 +433,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
         verify_flags |= MARIADB_TLS_VERIFY_HOST;
     }
 
-    if (ma_pvio_tls_verify_server_cert(mysql->net.pvio->ctls, verify_flags))
+    if (mysql->options.extension->tls_verification_callback(mysql->net.pvio->ctls, verify_flags))
     {
       /* Save original verification result */
       mysql->extension->tls_validation= mysql->net.tls_verify_status;

unittest/libmariadb/my_test.h

@@ -664,7 +664,6 @@ MYSQL *my_test_connect(MYSQL *mysql,
   mysql_get_optionv(mysql, MARIADB_OPT_SSL_FP, &have_fp);
   if (fingerprint[0] && auto_fingerprint)
   {
-    printf("setting fingerprint\n");
     mysql_options(mysql, MARIADB_OPT_SSL_FP, fingerprint);
   }
   if (!mysql_real_connect(mysql, host, user, passwd, db, port, unix_socket, clientflag))

unittest/libmariadb/tls.c.in

@@ -35,6 +35,8 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 #include <openssl/ssl.h>
 #endif
 
+static const char *strong_pwd= "!1_5rd_D%A1$f48Hk1$";
+
 #define CHECK_TLS_FLAGS(m, flag, text) \
 {\
   unsigned int status;\
@@ -101,17 +103,17 @@ static my_bool ignore_self_signed_cert_error(MYSQL *mysql)
   return FALSE;
 }
 
-static my_bool tls_abort_after_handhake_cb(MYSQL *mysql, unsigned int *flags __attribute((unused)), my_bool verified)
+static my_bool tls_abort_after_handshake(MARIADB_TLS *ctls, unsigned int flags)
 {
-  if (verified)
+  MYSQL *mysql= ctls->pvio->mysql;
-  {
+
-    mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
+  ma_pvio_tls_verify_server_cert(ctls, flags);
-    my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+
-                 ER(CR_SSL_CONNECTION_ERROR),
+  mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
-                 "Certificate verification aborted by callback");
+  my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
-    return 1;
+               ER(CR_SSL_CONNECTION_ERROR),
-  }
+               "Certificate verification aborted.");
-  return 0;
+  return 1;
 }
 
 static int test_start_tls_server(MYSQL *my __attribute__((unused)))
@@ -212,7 +214,6 @@ static int test_init(MYSQL *my __attribute__((unused)))
   int ret= FAIL;
   MYSQL_RES *result;
   MYSQL_ROW row;
-  char query[1024];
 
   diag("test_init");
 
@@ -241,14 +242,6 @@ static int test_init(MYSQL *my __attribute__((unused)))
 
   ret= OK;
 
-  sprintf(query, "CREATE OR REPLACE USER 'tls_user1'@'%s' IDENTIFIED BY 'tls_password'", hostname);
-  rc= mysql_query(mysql, query);
-  check_mysql_rc(rc, mysql);
-
-  sprintf(query, "CREATE OR REPLACE USER 'tls_user2'@'%s'", hostname);
-  rc= mysql_query(mysql, query);
-  check_mysql_rc(rc, mysql);
-
   mysql_close(mysql);
   return ret;
 }
@@ -286,7 +279,7 @@ static int test_conc712(MYSQL *my __attribute__((unused)))
   /* Force use of TLS with faked ca, which contains the server
      certificate */
   mysql_ssl_set(mysql, NULL, NULL, "./selfsigned.pem", NULL, NULL);
-  mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handhake_cb);
+  mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handshake);
 
   if (my_test_connect(mysql, tls_dummy_host, username, password, schema,
                       tls_dummy_port, socketname, 0, 0))
@@ -461,12 +454,12 @@ static int test_pw_check(MYSQL *my)
   int ret= FAIL;
 
   /* connect with password */
-  sprintf(query, "CREATE OR REPLACE USER '%s'@'%s' IDENTIFIED BY '%s'", "tlsuser", this_host, "mypw");
+  sprintf(query, "CREATE OR REPLACE USER '%s'@'%s' IDENTIFIED BY '%s'", "tlsuser", this_host, strong_pwd);
   rc= mysql_query(my, query);
   check_mysql_rc(rc, my);
 
   diag("expected to pass with self signed");
-  if (!my_test_connect(mysql, hostname, "tlsuser", "mypw", NULL, port, socketname, 0, 0))
+  if (!my_test_connect(mysql, hostname, "tlsuser", strong_pwd, NULL, port, socketname, 0, 0))
   {
     /* We connected to a pre 11.4 server, so skip further tests */
     CHECK_TLS_FLAGS(mysql, MARIADB_TLS_VERIFY_TRUST, "trust validation flag not set");
@@ -646,21 +639,22 @@ static int stop_tls_server(MYSQL *my __attribute__((unused)))
   return OK;
 }
 
-static my_bool tls_wildcard_callback(MYSQL *mysql, unsigned int *flags, my_bool verified)
+static my_bool tls_wildcard_callback(MARIADB_TLS *ctls, unsigned int flags)
 {
-  if (!verified)
+  MYSQL *mysql= ctls->pvio->mysql;
-  {
+  
-    free(mysql->host);
+  free(mysql->host);
-    mysql->host= strdup("test.example.com");
+  mysql->host= strdup("test.example.com");
-    *flags= MARIADB_TLS_VERIFY_HOST;
+  flags= MARIADB_TLS_VERIFY_HOST;
-    return 0;
+
-  }
+  ma_pvio_tls_verify_server_cert(ctls, flags);
+
   /* Indicate error, since the dummy server can't handle further client server
      communication after TLS handshake */
   mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
   my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
                ER(CR_SSL_CONNECTION_ERROR),
-               "Certificate verification aborted by callback");
+               "Certificate verification aborted.");
   return 1;
 }