You've already forked mariadb-connector-c
mirror of
https://github.com/mariadb-corporation/mariadb-connector-c.git
synced 2025-08-08 14:02:17 +03:00
Simplify tls_verification_callback
This commit is contained in:
Georg Richter
@@ -88,7 +88,7 @@ struct st_mysql_options_extension {
|
||||
void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...);
|
||||
void *status_data;
|
||||
my_bool tls_allow_invalid_server_cert;
|
||||
my_bool (*tls_verification_callback)(MYSQL *mysql, unsigned int *verification_flags, my_bool verified);
|
||||
int (*tls_verification_callback)(MARIADB_TLS *ctls, unsigned int flags);
|
||||
};
|
||||
|
||||
typedef struct st_connection_handler
|
||||
|
||||
@@ -119,17 +119,7 @@ int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (mysql->options.extension->tls_verification_callback &&
|
||||
mysql->options.extension->tls_verification_callback(mysql, &flags, 0))
|
||||
rc= 1;
|
||||
else {
|
||||
rc= ma_tls_verify_server_cert(ctls, flags);
|
||||
if (mysql->options.extension->tls_verification_callback &&
|
||||
mysql->options.extension->tls_verification_callback(mysql, &flags, 1))
|
||||
{
|
||||
rc= 1;
|
||||
}
|
||||
}
|
||||
rc= ma_tls_verify_server_cert(ctls, flags);
|
||||
|
||||
/* Set error messages */
|
||||
if (!mysql->net.last_errno)
|
||||
|
||||
@@ -1318,6 +1318,7 @@ mysql_init(MYSQL *mysql)
|
||||
mysql->extension->auto_local_infile= ENABLED_LOCAL_INFILE == LOCAL_INFILE_MODE_AUTO
|
||||
? WAIT_FOR_QUERY : ALWAYS_ACCEPT;
|
||||
mysql->options.reconnect= 0;
|
||||
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, ma_pvio_tls_verify_server_cert);
|
||||
return mysql;
|
||||
error:
|
||||
if (mysql->free_me)
|
||||
@@ -3854,7 +3855,12 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
|
||||
OPT_SET_EXTENDED_VALUE_INT(&mysql->options, bulk_unit_results, *(my_bool *)arg1);
|
||||
break;
|
||||
case MARIADB_OPT_TLS_VERIFICATION_CALLBACK:
|
||||
OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, arg1);
|
||||
if (!arg1)
|
||||
{
|
||||
OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, ma_pvio_tls_verify_server_cert);
|
||||
} else {
|
||||
OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verification_callback, arg1);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
va_end(ap);
|
||||
|
||||
@@ -433,7 +433,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
|
||||
verify_flags |= MARIADB_TLS_VERIFY_HOST;
|
||||
}
|
||||
|
||||
if (ma_pvio_tls_verify_server_cert(mysql->net.pvio->ctls, verify_flags))
|
||||
if (mysql->options.extension->tls_verification_callback(mysql->net.pvio->ctls, verify_flags))
|
||||
{
|
||||
/* Save original verification result */
|
||||
mysql->extension->tls_validation= mysql->net.tls_verify_status;
|
||||
|
||||
@@ -664,7 +664,6 @@ MYSQL *my_test_connect(MYSQL *mysql,
|
||||
mysql_get_optionv(mysql, MARIADB_OPT_SSL_FP, &have_fp);
|
||||
if (fingerprint[0] && auto_fingerprint)
|
||||
{
|
||||
printf("setting fingerprint\n");
|
||||
mysql_options(mysql, MARIADB_OPT_SSL_FP, fingerprint);
|
||||
}
|
||||
if (!mysql_real_connect(mysql, host, user, passwd, db, port, unix_socket, clientflag))
|
||||
|
||||
@@ -35,6 +35,8 @@ with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
|
||||
static const char *strong_pwd= "!1_5rd_D%A1$f48Hk1$";
|
||||
|
||||
#define CHECK_TLS_FLAGS(m, flag, text) \
|
||||
{\
|
||||
unsigned int status;\
|
||||
@@ -101,17 +103,17 @@ static my_bool ignore_self_signed_cert_error(MYSQL *mysql)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
static my_bool tls_abort_after_handhake_cb(MYSQL *mysql, unsigned int *flags __attribute((unused)), my_bool verified)
|
||||
static my_bool tls_abort_after_handshake(MARIADB_TLS *ctls, unsigned int flags)
|
||||
{
|
||||
if (verified)
|
||||
{
|
||||
mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
|
||||
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
|
||||
ER(CR_SSL_CONNECTION_ERROR),
|
||||
"Certificate verification aborted by callback");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
MYSQL *mysql= ctls->pvio->mysql;
|
||||
|
||||
ma_pvio_tls_verify_server_cert(ctls, flags);
|
||||
|
||||
mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
|
||||
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
|
||||
ER(CR_SSL_CONNECTION_ERROR),
|
||||
"Certificate verification aborted.");
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_start_tls_server(MYSQL *my __attribute__((unused)))
|
||||
@@ -212,7 +214,6 @@ static int test_init(MYSQL *my __attribute__((unused)))
|
||||
int ret= FAIL;
|
||||
MYSQL_RES *result;
|
||||
MYSQL_ROW row;
|
||||
char query[1024];
|
||||
|
||||
diag("test_init");
|
||||
|
||||
@@ -241,14 +242,6 @@ static int test_init(MYSQL *my __attribute__((unused)))
|
||||
|
||||
ret= OK;
|
||||
|
||||
sprintf(query, "CREATE OR REPLACE USER 'tls_user1'@'%s' IDENTIFIED BY 'tls_password'", hostname);
|
||||
rc= mysql_query(mysql, query);
|
||||
check_mysql_rc(rc, mysql);
|
||||
|
||||
sprintf(query, "CREATE OR REPLACE USER 'tls_user2'@'%s'", hostname);
|
||||
rc= mysql_query(mysql, query);
|
||||
check_mysql_rc(rc, mysql);
|
||||
|
||||
mysql_close(mysql);
|
||||
return ret;
|
||||
}
|
||||
@@ -286,7 +279,7 @@ static int test_conc712(MYSQL *my __attribute__((unused)))
|
||||
/* Force use of TLS with faked ca, which contains the server
|
||||
certificate */
|
||||
mysql_ssl_set(mysql, NULL, NULL, "./selfsigned.pem", NULL, NULL);
|
||||
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handhake_cb);
|
||||
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, tls_abort_after_handshake);
|
||||
|
||||
if (my_test_connect(mysql, tls_dummy_host, username, password, schema,
|
||||
tls_dummy_port, socketname, 0, 0))
|
||||
@@ -461,12 +454,12 @@ static int test_pw_check(MYSQL *my)
|
||||
int ret= FAIL;
|
||||
|
||||
/* connect with password */
|
||||
sprintf(query, "CREATE OR REPLACE USER '%s'@'%s' IDENTIFIED BY '%s'", "tlsuser", this_host, "mypw");
|
||||
sprintf(query, "CREATE OR REPLACE USER '%s'@'%s' IDENTIFIED BY '%s'", "tlsuser", this_host, strong_pwd);
|
||||
rc= mysql_query(my, query);
|
||||
check_mysql_rc(rc, my);
|
||||
|
||||
diag("expected to pass with self signed");
|
||||
if (!my_test_connect(mysql, hostname, "tlsuser", "mypw", NULL, port, socketname, 0, 0))
|
||||
if (!my_test_connect(mysql, hostname, "tlsuser", strong_pwd, NULL, port, socketname, 0, 0))
|
||||
{
|
||||
/* We connected to a pre 11.4 server, so skip further tests */
|
||||
CHECK_TLS_FLAGS(mysql, MARIADB_TLS_VERIFY_TRUST, "trust validation flag not set");
|
||||
@@ -646,21 +639,22 @@ static int stop_tls_server(MYSQL *my __attribute__((unused)))
|
||||
return OK;
|
||||
}
|
||||
|
||||
static my_bool tls_wildcard_callback(MYSQL *mysql, unsigned int *flags, my_bool verified)
|
||||
static my_bool tls_wildcard_callback(MARIADB_TLS *ctls, unsigned int flags)
|
||||
{
|
||||
if (!verified)
|
||||
{
|
||||
free(mysql->host);
|
||||
mysql->host= strdup("test.example.com");
|
||||
*flags= MARIADB_TLS_VERIFY_HOST;
|
||||
return 0;
|
||||
}
|
||||
MYSQL *mysql= ctls->pvio->mysql;
|
||||
|
||||
free(mysql->host);
|
||||
mysql->host= strdup("test.example.com");
|
||||
flags= MARIADB_TLS_VERIFY_HOST;
|
||||
|
||||
ma_pvio_tls_verify_server_cert(ctls, flags);
|
||||
|
||||
/* Indicate error, since the dummy server can't handle further client server
|
||||
communication after TLS handshake */
|
||||
mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_ERROR;
|
||||
my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
|
||||
ER(CR_SSL_CONNECTION_ERROR),
|
||||
"Certificate verification aborted by callback");
|
||||
"Certificate verification aborted.");
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user