diff --git a/CMakeLists.txt b/CMakeLists.txt index 6150fed3..9e7b50d2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -305,8 +305,7 @@ IF(NOT WITH_SSL STREQUAL "OFF") ENDIF() IF(OPENSSL_FOUND) ADD_DEFINITIONS(-DHAVE_OPENSSL -DHAVE_TLS) - SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/openssl.c" - "${CC_SOURCE_DIR}/libmariadb/secure/openssl_crypt.c") + SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/openssl.c") SET(SSL_LIBRARIES ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY}) IF(WIN32) CHECK_INCLUDE_FILES (${OPENSSL_INCLUDE_DIR}/openssl/applink.c HAVE_OPENSSL_APPLINK_C) @@ -333,8 +332,7 @@ IF(NOT WITH_SSL STREQUAL "OFF") FIND_PACKAGE(GnuTLS "3.3.24" REQUIRED) IF(GNUTLS_FOUND) ADD_DEFINITIONS(-DHAVE_GNUTLS -DHAVE_TLS) - SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/gnutls.c" - "${CC_SOURCE_DIR}/libmariadb/secure/gnutls_crypt.c") + SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/gnutls.c") SET(SSL_LIBRARIES ${GNUTLS_LIBRARY}) SET(TLS_LIBRARY_VERSION "GnuTLS ${GNUTLS_VERSION_STRING}") INCLUDE_DIRECTORIES(${GNUTLS_INCLUDE_DIR}) @@ -344,13 +342,12 @@ IF(NOT WITH_SSL STREQUAL "OFF") ENDIF() IF(WIN32) IF(WITH_SSL STREQUAL "SCHANNEL") - ADD_DEFINITIONS(-DHAVE_SCHANNEL -DHAVE_TLS -DHAVE_WINCRYPT) + ADD_DEFINITIONS(-DHAVE_SCHANNEL -DHAVE_TLS) SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/schannel.c" - "${CC_SOURCE_DIR}/libmariadb/secure/win_crypt.c" "${CC_SOURCE_DIR}/libmariadb/secure/ma_schannel.c" "${CC_SOURCE_DIR}/libmariadb/secure/schannel_certs.c") INCLUDE_DIRECTORIES("${CC_SOURCE_DIR}/plugins/pvio/") - SET(SSL_LIBRARIES secur32 crypt32 bcrypt) + SET(SSL_LIBRARIES secur32) SET(TLS_LIBRARY_VERSION "Schannel ${CMAKE_SYSTEM_VERSION}") ENDIF() ENDIF() @@ -385,7 +382,7 @@ CONFIGURE_FILE(${CC_SOURCE_DIR}/include/mariadb_version.h.in INCLUDE_DIRECTORIES(${CC_BINARY_DIR}/include) IF(WIN32) - SET(SYSTEM_LIBS ws2_32 advapi32 kernel32 shlwapi crypt32 bcrypt ${LIBZ}) + SET(SYSTEM_LIBS ws2_32 advapi32 kernel32 shlwapi crypt32 ${LIBZ}) ELSE() SET(SYSTEM_LIBS ${SYSTEM_LIBS} ${LIBPTHREAD} ${CMAKE_DL_LIBS} ${LIBM}) IF(ICONV_EXTERNAL) diff --git a/include/ma_common.h b/include/ma_common.h index 41ddd31b..1ac0cb68 100644 --- a/include/ma_common.h +++ b/include/ma_common.h @@ -86,7 +86,7 @@ struct st_mysql_options_extension { unsigned short rpl_port; void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...); void *status_data; - my_bool tls_allow_invalid_server_cert; + my_bool tls_verify_server_cert; }; typedef struct st_connection_handler @@ -129,16 +129,3 @@ typedef struct st_mariadb_field_extension { MARIADB_CONST_STRING metadata[MARIADB_FIELD_ATTR_LAST+1]; /* 10.5 */ } MA_FIELD_EXTENSION; - -#if defined(HAVE_SCHANNEL) || defined(HAVE_GNUTLS) -#define reset_tls_self_signed_error(mysql) \ - do { \ - free((char*)mysql->net.tls_self_signed_error); \ - mysql->net.tls_self_signed_error= 0; \ - } while(0) -#else -#define reset_tls_self_signed_error(mysql) \ - do { \ - mysql->net.tls_self_signed_error= 0; \ - } while(0) -#endif diff --git a/include/ma_crypt.h b/include/ma_crypt.h index b4d2a09f..367488fa 100644 --- a/include/ma_crypt.h +++ b/include/ma_crypt.h @@ -17,20 +17,34 @@ 51 Franklin St., Fifth Floor, Boston, MA 02110, USA */ -#ifndef _ma_crypt_h_ -#define _ma_crypt_h_ +#ifndef _ma_hash_h_ +#define _ma_hash_h_ -#include #include #include /*! Hash algorithms */ +#define MA_HASH_MD5 1 +#define MA_HASH_SHA1 2 +#define MA_HASH_SHA224 3 +#define MA_HASH_SHA256 4 +#define MA_HASH_SHA384 5 +#define MA_HASH_SHA512 6 #define MA_HASH_RIPEMD160 7 #define MA_HASH_MAX 8 /*! Hash digest sizes */ +#define MA_MD5_HASH_SIZE 16 +#define MA_SHA1_HASH_SIZE 20 +#define MA_SHA224_HASH_SIZE 28 +#define MA_SHA256_HASH_SIZE 32 +#define MA_SHA384_HASH_SIZE 48 +#define MA_SHA512_HASH_SIZE 64 #define MA_RIPEMD160_HASH_SIZE 20 +#define MA_MAX_HASH_SIZE 64 +/** \typedef MRL hash context */ + #if defined(HAVE_WINCRYPT) typedef void MA_HASH_CTX; #elif defined(HAVE_OPENSSL) @@ -109,6 +123,8 @@ static inline size_t ma_hash_digest_size(unsigned int hash_alg) return MA_SHA384_HASH_SIZE; case MA_HASH_SHA512: return MA_SHA512_HASH_SIZE; + case MA_HASH_RIPEMD160: + return MA_RIPEMD160_HASH_SIZE; default: return 0; } @@ -136,4 +152,4 @@ static inline void ma_hash(unsigned int algorithm, ma_hash_free(ctx); } -#endif /* _ma_crypt_h_ */ +#endif /* _ma_hash_h_ */ diff --git a/include/ma_tls.h b/include/ma_tls.h index 616124c0..ec8bc239 100644 --- a/include/ma_tls.h +++ b/include/ma_tls.h @@ -1,8 +1,6 @@ #ifndef _ma_tls_h_ #define _ma_tls_h_ -#include - enum enum_pvio_tls_type { SSL_TYPE_DEFAULT=0, #ifdef _WIN32 @@ -130,14 +128,12 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ssl); returns SHA1 finger print of server certificate Parameter: MARIADB_TLS MariaDB SSL container - hash_type hash_type as defined in ma_hash.h fp buffer for fingerprint fp_len buffer length - Returns: actual size of finger print */ -unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp, unsigned int fp_len); +unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, char *fp, unsigned int fp_len); /* ma_tls_get_protocol_version returns protocol version number in use diff --git a/include/mariadb_com.h b/include/mariadb_com.h index 7dc18383..67461b4f 100644 --- a/include/mariadb_com.h +++ b/include/mariadb_com.h @@ -288,7 +288,7 @@ typedef struct st_net { my_bool unused_2; my_bool compress; my_bool unused_3; - const char *tls_self_signed_error; + void *unused_4; unsigned int last_errno; unsigned char error; my_bool unused_5; diff --git a/include/mysql/client_plugin.h b/include/mysql/client_plugin.h index aa7e5363..667074ce 100644 --- a/include/mysql/client_plugin.h +++ b/include/mysql/client_plugin.h @@ -43,7 +43,7 @@ #define MYSQL_CLIENT_PLUGIN_RESERVED2 1 #define MYSQL_CLIENT_AUTHENTICATION_PLUGIN 2 /* authentication */ -#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION 0x0101 +#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION 0x0100 #define MYSQL_CLIENT_MAX_PLUGINS 3 /* Connector/C specific plugin types */ @@ -128,7 +128,6 @@ struct st_mysql_client_plugin_AUTHENTICATION { MYSQL_CLIENT_PLUGIN_HEADER int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql); - int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length); }; /******** trace plugin *******/ diff --git a/libmariadb/CMakeLists.txt b/libmariadb/CMakeLists.txt index 852be8dc..43ed67b4 100644 --- a/libmariadb/CMakeLists.txt +++ b/libmariadb/CMakeLists.txt @@ -344,10 +344,6 @@ IF(WIN32) ${CC_SOURCE_DIR}/win-iconv/win_iconv.c win32_errmsg.c win32_errmsg.h) - IF(WITH_SSL STREQUAL "SCHANNEL") - SET(LIBMARIADB_SOURCES ${LIBMARIADB_SOURCES} - secure/win_crypt.c) - ENDIF() ELSE() IF(ICONV_INCLUDE_DIR) INCLUDE_DIRECTORIES(BEFORE ${ICONV_INCLUDE_DIR}) diff --git a/libmariadb/ma_client_plugin.c.in b/libmariadb/ma_client_plugin.c.in index 573feb4e..6e0433b3 100644 --- a/libmariadb/ma_client_plugin.c.in +++ b/libmariadb/ma_client_plugin.c.in @@ -111,7 +111,8 @@ static int get_plugin_nr(uint type) static const char *check_plugin_version(struct st_mysql_client_plugin *plugin, unsigned int version) { - if (plugin->interface_version >> 8 != version >> 8) + if (plugin->interface_version < version || + (plugin->interface_version >> 8) > (version >> 8)) return "Incompatible client plugin interface"; return 0; } diff --git a/libmariadb/ma_pvio.c b/libmariadb/ma_pvio.c index 6f726dbd..a8a653b6 100644 --- a/libmariadb/ma_pvio.c +++ b/libmariadb/ma_pvio.c @@ -522,44 +522,6 @@ my_bool ma_pvio_has_data(MARIADB_PVIO *pvio, ssize_t *data_len) /* }}} */ #ifdef HAVE_TLS -/** - Checks if self-signed certificate error should be ignored. -*/ -static my_bool ignore_self_signed_cert_error(MARIADB_PVIO *pvio) -{ - const char *hostname= pvio->mysql->host; - const char *local_host_names[]= { -#ifdef _WIN32 - /* - On Unix, we consider TCP connections with "localhost" - an insecure transport, for the single reason to run tests for - insecure transport on CI.This is artificial, but should be ok. - Default client connections use unix sockets anyway, so it - would not hurt much. - - On Windows, the situation is quite different. - Default connections type is TCP, default host name is "localhost", - non-password plugin gssapi is common (every installation) - In this environment, there would be a lot of faux/disruptive - "self-signed certificates" errors there. Thus, "localhost" TCP - needs to be considered secure transport. - */ - "localhost", -#endif - "127.0.0.1", "::1", NULL}; - int i; - if (pvio->type != PVIO_TYPE_SOCKET) - return TRUE; - if (!hostname) - return FALSE; - for (i= 0; local_host_names[i]; i++) - { - if (strcmp(hostname, local_host_names[i]) == 0) - return TRUE; - } - return FALSE; -} - /* {{{ my_bool ma_pvio_start_ssl */ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio) { @@ -582,8 +544,7 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio) 2. verify CN (requires option ssl_verify_check) 3. verrify finger print */ - if (!pvio->mysql->options.extension->tls_allow_invalid_server_cert && - !pvio->mysql->net.tls_self_signed_error && + if (pvio->mysql->options.extension->tls_verify_server_cert && ma_pvio_tls_verify_server_cert(pvio->ctls)) return 1; @@ -595,12 +556,8 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio) pvio->mysql->options.extension->tls_fp, pvio->mysql->options.extension->tls_fp_list)) return 1; - reset_tls_self_signed_error(pvio->mysql); // validated } - if (pvio->mysql->net.tls_self_signed_error && ignore_self_signed_cert_error(pvio)) - reset_tls_self_signed_error(pvio->mysql); - return 0; } /* }}} */ diff --git a/libmariadb/ma_tls.c b/libmariadb/ma_tls.c index 432a0f4a..3f48ad8b 100644 --- a/libmariadb/ma_tls.c +++ b/libmariadb/ma_tls.c @@ -41,15 +41,12 @@ #include #include #include -#include #ifdef HAVE_NONBLOCK #include #include #endif -#define MAX_FINGERPRINT_LEN 128; - /* Errors should be handled via pvio callback function */ my_bool ma_tls_initialized= FALSE; unsigned int mariadb_deinitialize_ssl= 1; @@ -144,96 +141,62 @@ static signed char ma_hex2int(char c) return -1; } -#ifndef EVP_MAX_MD_SIZE -#define EVP_MAX_MD_SIZE 64 -#endif - -static my_bool ma_pvio_tls_compare_fp(MARIADB_TLS *ctls, - const char *cert_fp, - unsigned int cert_fp_len -) +static my_bool ma_pvio_tls_compare_fp(const char *cert_fp, + unsigned int cert_fp_len, + const char *fp, unsigned int fp_len) { - const char fp[EVP_MAX_MD_SIZE]; - unsigned int fp_len= EVP_MAX_MD_SIZE; - unsigned int hash_type; + char *p= (char *)fp, + *c; - char *p, *c; - uint hash_len; - - /* check length without colons */ - if (strchr(cert_fp, ':')) - hash_len= (uint)((strlen(cert_fp) + 1) / 3) * 2; - else - hash_len= (uint)strlen(cert_fp); - - /* check hash size */ - switch (hash_len) { -#ifndef DISABLE_WEAK_HASH - case MA_SHA1_HASH_SIZE * 2: - hash_type = MA_HASH_SHA1; - break; -#endif - case MA_SHA224_HASH_SIZE * 2: - hash_type = MA_HASH_SHA224; - break; - case MA_SHA256_HASH_SIZE * 2: - hash_type = MA_HASH_SHA256; - break; - case MA_SHA384_HASH_SIZE * 2: - hash_type = MA_HASH_SHA384; - break; - case MA_SHA512_HASH_SIZE * 2: - hash_type = MA_HASH_SHA512; - break; - default: - { - MYSQL* mysql = ctls->pvio->mysql; - my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, - ER(CR_SSL_CONNECTION_ERROR), - "Unknown or invalid fingerprint hash size detected"); - return 1; - } - } - - if (!ma_tls_get_finger_print(ctls, hash_type, (char *)fp, fp_len)) + /* check length */ + if (cert_fp_len != 20) return 1; - p= (char *)cert_fp; - c = (char *)fp; + /* We support two formats: + 2 digits hex numbers, separated by colons (length=59) + 20 * 2 digits hex numbers without separators (length = 40) + */ + if (fp_len != (strchr(fp, ':') ? 59 : 40)) + return 1; - for (p = (char*)cert_fp; p < cert_fp + cert_fp_len; c++, p += 2) + for(c= (char *)cert_fp; c < cert_fp + cert_fp_len; c++) { signed char d1, d2; if (*p == ':') p++; - if (p - cert_fp > (int)fp_len - 1) + if (p - fp > (int)fp_len -1) return 1; - if ((d1 = ma_hex2int(*p)) == -1 || - (d2 = ma_hex2int(*(p + 1))) == -1 || - (char)(d1 * 16 + d2) != *c) + if ((d1 = ma_hex2int(*p)) == - 1 || + (d2 = ma_hex2int(*(p+1))) == -1 || + (char)(d1 * 16 + d2) != *c) return 1; + p+= 2; } return 0; } my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_list) { + unsigned int cert_fp_len= 64; + char *cert_fp= NULL; my_bool rc=1; MYSQL *mysql= ctls->pvio->mysql; + cert_fp= (char *)malloc(cert_fp_len); + + if ((cert_fp_len= ma_tls_get_finger_print(ctls, cert_fp, cert_fp_len)) < 1) + goto end; if (fp) - { - rc = ma_pvio_tls_compare_fp(ctls, fp, (uint)strlen(fp)); - } + rc= ma_pvio_tls_compare_fp(cert_fp, cert_fp_len, fp, (unsigned int)strlen(fp)); else if (fp_list) { - MA_FILE *f; + MA_FILE *fp; char buff[255]; - if (!(f = ma_open(fp_list, "r", mysql))) + if (!(fp = ma_open(fp_list, "r", mysql))) goto end; - while (ma_gets(buff, sizeof(buff)-1, f)) + while (ma_gets(buff, sizeof(buff)-1, fp)) { /* remove trailing new line character */ char *pos= strchr(buff, '\r'); @@ -242,20 +205,22 @@ my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_l if (pos) *pos= '\0'; - if (!ma_pvio_tls_compare_fp(ctls, buff, (uint)strlen(buff))) + if (!ma_pvio_tls_compare_fp(cert_fp, cert_fp_len, buff, (unsigned int)strlen(buff))) { /* finger print is valid: close file and exit */ - ma_close(f); + ma_close(fp); rc= 0; goto end; } } /* No finger print matched - close file and return error */ - ma_close(f); + ma_close(fp); } end: + if (cert_fp) + free(cert_fp); if (rc) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c index dd6587a7..c9253ec1 100644 --- a/libmariadb/mariadb_lib.c +++ b/libmariadb/mariadb_lib.c @@ -1440,8 +1440,6 @@ mysql_real_connect(MYSQL *mysql, const char *host, const char *user, if (!mysql->options.extension || !mysql->options.extension->status_callback) mysql_optionsv(mysql, MARIADB_OPT_STATUS_CALLBACK, NULL, NULL); - reset_tls_self_signed_error(mysql); - /* if host contains a semicolon, we need to parse connection string */ if (host && strchr(host, ';')) { @@ -2446,7 +2444,6 @@ mysql_close(MYSQL *mysql) mysql_close_memory(mysql); mysql_close_options(mysql); ma_clear_session_state(mysql); - reset_tls_self_signed_error(mysql); if (mysql->net.extension) { @@ -3550,7 +3547,7 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...) mysql->options.use_ssl= (*(my_bool *)arg1); break; case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: - OPT_SET_EXTENDED_VALUE(&mysql->options, tls_allow_invalid_server_cert, !*(my_bool *)arg1); + OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verify_server_cert, *(my_bool *)arg1); break; case MYSQL_OPT_SSL_KEY: OPT_SET_VALUE_STR(&mysql->options, ssl_key, (char *)arg1); @@ -3916,7 +3913,7 @@ mysql_get_optionv(MYSQL *mysql, enum mysql_option option, void *arg, ...) *((my_bool *)arg)= mysql->options.use_ssl; break; case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: - *((my_bool*)arg) = mysql->options.extension ? !mysql->options.extension->tls_allow_invalid_server_cert: 1; + *((my_bool*)arg) = mysql->options.extension ? mysql->options.extension->tls_verify_server_cert : 0; break; case MYSQL_OPT_SSL_KEY: *((char **)arg)= mysql->options.ssl_key; diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c index 34341baf..4782be62 100644 --- a/libmariadb/secure/gnutls.c +++ b/libmariadb/secure/gnutls.c @@ -1357,7 +1357,7 @@ static int my_verify_callback(gnutls_session_t ssl) CLEAR_CLIENT_ERROR(mysql); - if (!mysql->options.extension->tls_allow_invalid_server_cert) + if ((mysql->options.extension->tls_verify_server_cert)) { const char *hostname= mysql->host; @@ -1371,22 +1371,10 @@ static int my_verify_callback(gnutls_session_t ssl) { gnutls_datum_t out; int type; - - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - { - /* accept self signed certificates if we don't have to verify server cert */ - if (mysql->options.extension->tls_allow_invalid_server_cert) - return 0; - - /* postpone the error for self signed certificates if CA isn't set */ - if (!mysql->options.ssl_ca && !mysql->options.ssl_capath) - { - type= gnutls_certificate_type_get(ssl); - gnutls_certificate_verification_status_print(status, type, &out, 0); - mysql->net.tls_self_signed_error= (char*)out.data; - return 0; - } - } + /* accept self signed certificates if we don't have to verify server cert */ + if (!(mysql->options.extension->tls_verify_server_cert) && + (status & GNUTLS_CERT_SIGNER_NOT_FOUND)) + return 0; /* gnutls default error message "certificate validation failed" isn't very descriptive, so we provide more information about the error here */ @@ -1403,43 +1391,18 @@ static int my_verify_callback(gnutls_session_t ssl) return 0; } -unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp, unsigned int len) +unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, char *fp, unsigned int len) { MYSQL *mysql; size_t fp_len= len; const gnutls_datum_t *cert_list; unsigned int cert_list_size; - gnutls_digest_algorithm_t hash_alg; if (!ctls || !ctls->ssl) return 0; mysql= (MYSQL *)gnutls_session_get_ptr(ctls->ssl); - switch (hash_type) - { - case MA_HASH_SHA1: - hash_alg = GNUTLS_DIG_SHA1; - break; - case MA_HASH_SHA224: - hash_alg = GNUTLS_DIG_SHA224; - break; - case MA_HASH_SHA256: - hash_alg = GNUTLS_DIG_SHA256; - break; - case MA_HASH_SHA384: - hash_alg = GNUTLS_DIG_SHA384; - break; - case MA_HASH_SHA512: - hash_alg = GNUTLS_DIG_SHA512; - break; - default: - my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, - ER(CR_SSL_CONNECTION_ERROR), - "Cannot detect hash algorithm for fingerprint verification"); - return 0; - } - cert_list = gnutls_certificate_get_peers (ctls->ssl, &cert_list_size); if (cert_list == NULL) { @@ -1449,7 +1412,7 @@ unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp return 0; } - if (gnutls_fingerprint(hash_alg, &cert_list[0], fp, &fp_len) == 0) + if (gnutls_fingerprint(GNUTLS_DIG_SHA1, &cert_list[0], fp, &fp_len) == 0) return fp_len; else { diff --git a/libmariadb/secure/gnutls_crypt.c b/libmariadb/secure/gnutls_crypt.c index 222e5585..a669e88e 100644 --- a/libmariadb/secure/gnutls_crypt.c +++ b/libmariadb/secure/gnutls_crypt.c @@ -34,6 +34,8 @@ static gnutls_digest_algorithm_t ma_hash_get_algorithm(unsigned int alg) return GNUTLS_DIG_SHA384; case MA_HASH_SHA512: return GNUTLS_DIG_SHA512; + case MA_HASH_RIPEMD160: + return GNUTLS_DIG_RMD160; default: return GNUTLS_DIG_UNKNOWN; } diff --git a/libmariadb/secure/ma_schannel.c b/libmariadb/secure/ma_schannel.c index 10ea3318..be4148c7 100644 --- a/libmariadb/secure/ma_schannel.c +++ b/libmariadb/secure/ma_schannel.c @@ -526,13 +526,6 @@ my_bool ma_schannel_verify_certs(MARIADB_TLS *ctls, BOOL verify_server_name) end: if (!ret) { - /* postpone the error for self signed certificates if CA isn't set */ - if (status == CERT_E_UNTRUSTEDROOT && !ca_file && !ca_path) - { - mysql->net.tls_self_signed_error= strdup(errmsg); - ret= 1; - } - else pvio->set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, 0, errmsg); } if (pServerCert) diff --git a/libmariadb/secure/ma_schannel.h b/libmariadb/secure/ma_schannel.h index 562dae1f..af7fc602 100644 --- a/libmariadb/secure/ma_schannel.h +++ b/libmariadb/secure/ma_schannel.h @@ -28,7 +28,6 @@ #include #include #include -#include #include @@ -36,7 +35,6 @@ #include -#include #include #undef SECURITY_WIN32 @@ -59,7 +57,7 @@ struct st_schannel { DWORD IoBufferSize; SecPkgContext_StreamSizes Sizes; CtxtHandle hCtxt; - BCRYPT_ALG_HANDLE HashProv[MA_MAX_HASH_SIZE]; + /* Cached data from the last read/decrypt call.*/ SecBuffer extraBuf; /* encrypted data read from server. */ SecBuffer dataBuf; /* decrypted but still unread data from server.*/ diff --git a/libmariadb/secure/openssl.c b/libmariadb/secure/openssl.c index 0fdb040c..2a272504 100644 --- a/libmariadb/secure/openssl.c +++ b/libmariadb/secure/openssl.c @@ -29,7 +29,6 @@ #include /* error reporting */ #include #include -#include #if defined(_WIN32) && !defined(_OPENSSL_Applink) && defined(HAVE_OPENSSL_APPLINK_C) #include @@ -506,15 +505,11 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls) /* In case handshake failed or if a root certificate (ca) was specified, we need to check the result code of X509 verification. A detailed check of the peer certificate (hostname checking will follow later) */ - if (rc != 1 || !mysql->options.extension->tls_allow_invalid_server_cert || + if (rc != 1 || mysql->options.extension->tls_verify_server_cert || mysql->options.ssl_ca || mysql->options.ssl_capath) { long x509_err= SSL_get_verify_result(ssl); - if ((x509_err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || - x509_err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) && rc == 1 && - !mysql->options.ssl_ca && !mysql->options.ssl_capath) - mysql->net.tls_self_signed_error= X509_verify_cert_error_string(x509_err); - else if (x509_err != X509_V_OK) + if (x509_err != X509_V_OK) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), X509_verify_cert_error_string(x509_err)); @@ -734,50 +729,17 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ctls) return SSL_get_cipher_name(ctls->ssl); } -unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp, unsigned int len) +unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, char *fp, unsigned int len) { X509 *cert= NULL; MYSQL *mysql; unsigned int fp_len; - const EVP_MD *hash_alg; if (!ctls || !ctls->ssl) return 0; - mysql = SSL_get_app_data(ctls->ssl); + mysql= SSL_get_app_data(ctls->ssl); - if (len < EVP_MAX_MD_SIZE) - { - my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, - ER(CR_SSL_CONNECTION_ERROR), - "Finger print buffer too small"); - return 0; - } - - switch (hash_type) - { - case MA_HASH_SHA1: - hash_alg = EVP_sha1(); - break; - case MA_HASH_SHA224: - hash_alg = EVP_sha224(); - break; - case MA_HASH_SHA256: - hash_alg = EVP_sha256(); - break; - case MA_HASH_SHA384: - hash_alg = EVP_sha384(); - break; - case MA_HASH_SHA512: - hash_alg = EVP_sha512(); - break; - default: - my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, - ER(CR_SSL_CONNECTION_ERROR), - "Cannot detect hash algorithm for fingerprint verification"); - return 0; - } - if (!(cert= SSL_get_peer_certificate(ctls->ssl))) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, @@ -786,7 +748,14 @@ unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp goto end; } - if (!X509_digest(cert, hash_alg, (unsigned char *)fp, &fp_len)) + if (len < EVP_MAX_MD_SIZE) + { + my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, + ER(CR_SSL_CONNECTION_ERROR), + "Finger print buffer too small"); + goto end; + } + if (!X509_digest(cert, EVP_sha1(), (unsigned char *)fp, &fp_len)) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), diff --git a/libmariadb/secure/openssl_crypt.c b/libmariadb/secure/openssl_crypt.c index fd3538ba..faf755c9 100644 --- a/libmariadb/secure/openssl_crypt.c +++ b/libmariadb/secure/openssl_crypt.c @@ -36,6 +36,8 @@ static const EVP_MD *ma_hash_get_algorithm(unsigned int alg) return EVP_sha384(); case MA_HASH_SHA512: return EVP_sha512(); + case MA_HASH_RIPEMD160: + return EVP_ripemd160(); default: return NULL; } diff --git a/libmariadb/secure/schannel.c b/libmariadb/secure/schannel.c index 7fa564fb..8069af53 100644 --- a/libmariadb/secure/schannel.c +++ b/libmariadb/secure/schannel.c @@ -20,9 +20,6 @@ #include "ma_schannel.h" #include "schannel_certs.h" #include -#include -#include -#include extern my_bool ma_tls_initialized; char tls_library_version[] = "Schannel"; @@ -451,11 +448,11 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls) goto end; verify_certs = mysql->options.ssl_ca || mysql->options.ssl_capath || - !mysql->options.extension->tls_allow_invalid_server_cert; + (mysql->options.extension->tls_verify_server_cert); if (verify_certs) { - if (!ma_schannel_verify_certs(ctls, !mysql->options.extension->tls_allow_invalid_server_cert)) + if (!ma_schannel_verify_certs(ctls, mysql->options.extension->tls_verify_server_cert)) goto end; } @@ -553,33 +550,15 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ctls) return cipher_name(&CipherInfo); } -unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp, unsigned int len) +unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, char *fp, unsigned int len) { - MA_HASH_CTX* hash_ctx; - SC_CTX *sctx= (SC_CTX *)ctls->ssl; PCCERT_CONTEXT pRemoteCertContext = NULL; - int rc= 0; - - if (hash_type == MA_HASH_SHA224) - { - MYSQL *mysql = ctls->pvio->mysql; - my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, - ER(CR_SSL_CONNECTION_ERROR), - "SHA224 hash for fingerprint verification is not supported in Schannel"); - return 0; - } - if (QueryContextAttributes(&sctx->hCtxt, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)&pRemoteCertContext) != SEC_E_OK) return 0; - - hash_ctx = ma_hash_new(hash_type); - ma_hash_input(hash_ctx, pRemoteCertContext->pbCertEncoded, pRemoteCertContext->cbCertEncoded); - ma_hash_result(hash_ctx, fp); - ma_hash_free(hash_ctx); - + CertGetCertificateContextProperty(pRemoteCertContext, CERT_HASH_PROP_ID, fp, (DWORD *)&len); CertFreeCertificateContext(pRemoteCertContext); - return (uint)ma_hash_digest_size(hash_type); + return len; } void ma_tls_set_connection(MYSQL *mysql __attribute__((unused))) diff --git a/plugins/auth/auth_gssapi_client.c b/plugins/auth/auth_gssapi_client.c index 19cdf246..6f6c6ceb 100644 --- a/plugins/auth/auth_gssapi_client.c +++ b/plugins/auth/auth_gssapi_client.c @@ -117,6 +117,5 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = NULL, NULL, NULL, - gssapi_auth_client, - NULL + gssapi_auth_client }; diff --git a/plugins/auth/caching_sha2_pw.c b/plugins/auth/caching_sha2_pw.c index 14abb0c8..b442e477 100644 --- a/plugins/auth/caching_sha2_pw.c +++ b/plugins/auth/caching_sha2_pw.c @@ -145,8 +145,7 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = auth_caching_sha2_init, auth_caching_sha2_deinit, NULL, - auth_caching_sha2_client, - NULL + auth_caching_sha2_client }; #ifdef HAVE_WINCRYPT diff --git a/plugins/auth/dialog.c b/plugins/auth/dialog.c index 8513e9ac..31d7b7d8 100644 --- a/plugins/auth/dialog.c +++ b/plugins/auth/dialog.c @@ -58,8 +58,7 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = auth_dialog_init, NULL, NULL, - auth_dialog_open, - NULL + auth_dialog_open }; diff --git a/plugins/auth/ed25519.c b/plugins/auth/ed25519.c index c6dd122b..38b896f8 100644 --- a/plugins/auth/ed25519.c +++ b/plugins/auth/ed25519.c @@ -64,7 +64,6 @@ static int auth_ed25519_init(char *unused1, size_t unused2, int unused3, va_list); -static int auth_ed25519_hash(MYSQL *, unsigned char *out, size_t *outlen); #ifndef PLUGIN_DYNAMIC @@ -78,24 +77,21 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = "client_ed25519", "Sergei Golubchik, Georg Richter", "Ed25519 Authentication Plugin", - {0,1,1}, + {0,1,0}, "LGPL", NULL, auth_ed25519_init, auth_ed25519_deinit, NULL, - auth_ed25519_client, - auth_ed25519_hash + auth_ed25519_client }; static int auth_ed25519_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) { unsigned char *packet, - signature[CRYPTO_BYTES + NONCE_BYTES], - pk[CRYPTO_PUBLICKEYBYTES]; - unsigned long long pkt_len, pwlen= strlen(mysql->passwd); - char *newpw; + signature[CRYPTO_BYTES + NONCE_BYTES]; + int pkt_len; /* Step 1: Server sends nonce @@ -110,36 +106,16 @@ static int auth_ed25519_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) return CR_SERVER_HANDSHAKE_ERR; /* Sign nonce: the crypto_sign function is part of ref10 */ - ma_crypto_sign(signature, pk, packet, NONCE_BYTES, (unsigned char*)mysql->passwd, pwlen); + ma_crypto_sign(signature, packet, NONCE_BYTES, (unsigned char*)mysql->passwd, strlen(mysql->passwd)); /* send signature to server */ if (vio->write_packet(vio, signature, CRYPTO_BYTES)) return CR_ERROR; - /* save pk for the future auth_ed25519_hash() call */ - if ((newpw= realloc(mysql->passwd, pwlen + 1 + sizeof(pk)))) - { - memcpy(newpw + pwlen + 1, pk, sizeof(pk)); - mysql->passwd= newpw; - } - return CR_OK; } /* }}} */ -/* {{{ static int auth_ed25519_hash */ -static int auth_ed25519_hash(MYSQL *mysql, unsigned char *out, size_t *outlen) -{ - if (*outlen < CRYPTO_PUBLICKEYBYTES) - return 1; - *outlen= CRYPTO_PUBLICKEYBYTES; - - /* use the cached value */ - memcpy(out, mysql->passwd + strlen(mysql->passwd) + 1, CRYPTO_PUBLICKEYBYTES); - return 0; -} -/* }}} */ - /* {{{ static int auth_ed25519_init */ static int auth_ed25519_init(char *unused1 __attribute__((unused)), size_t unused2 __attribute__((unused)), diff --git a/plugins/auth/mariadb_cleartext.c b/plugins/auth/mariadb_cleartext.c index 92e56547..b63c1d3b 100644 --- a/plugins/auth/mariadb_cleartext.c +++ b/plugins/auth/mariadb_cleartext.c @@ -70,8 +70,7 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = NULL, NULL, NULL, - clear_password_auth_client, - NULL + clear_password_auth_client }; diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c index 1195f1cd..72773079 100644 --- a/plugins/auth/my_auth.c +++ b/plugins/auth/my_auth.c @@ -3,29 +3,17 @@ #include #include #include -#include #include typedef struct st_mysql_client_plugin_AUTHENTICATION auth_plugin_t; static int client_mpvio_write_packet(struct st_plugin_vio*, const uchar*, size_t); static int native_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql); -static int native_password_hash(MYSQL *mysql, unsigned char *out, size_t *outlen); static int dummy_fallback_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql __attribute__((unused))); extern void read_user_name(char *name); extern char *ma_send_connect_attr(MYSQL *mysql, unsigned char *buffer); extern int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length); extern unsigned char *mysql_net_store_length(unsigned char *packet, ulonglong length); -#define hashing(p) (p->interface_version >= 0x0101 && p->hash_password_bin) - -static int set_error_from_tls_self_signed_error(MYSQL *mysql) -{ - my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, - ER(CR_SSL_CONNECTION_ERROR), mysql->net.tls_self_signed_error); - reset_tls_self_signed_error(mysql); - return 1; -} - typedef struct { int (*read_packet)(struct st_plugin_vio *vio, uchar **buf); int (*write_packet)(struct st_plugin_vio *vio, const uchar *pkt, size_t pkt_len); @@ -56,14 +44,13 @@ auth_plugin_t mysql_native_password_client_plugin= native_password_plugin_name, "R.J.Silk, Sergei Golubchik", "Native MySQL authentication", - {1, 0, 1}, + {1, 0, 0}, "LGPL", NULL, NULL, NULL, NULL, - native_password_auth_client, - native_password_hash + native_password_auth_client }; @@ -110,22 +97,6 @@ static int native_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) return CR_OK; } -static int native_password_hash(MYSQL *mysql, unsigned char *out, size_t *out_length) -{ - unsigned char digest[MA_SHA1_HASH_SIZE]; - - if (*out_length < MA_SHA1_HASH_SIZE) - return 1; - *out_length= MA_SHA1_HASH_SIZE; - - /* would it be better to reuse instead of recalculating here? see ed25519 */ - ma_hash(MA_HASH_SHA1, (unsigned char*)mysql->passwd, strlen(mysql->passwd), - digest); - ma_hash(MA_HASH_SHA1, digest, sizeof(digest), out); - - return 0; -} - auth_plugin_t dummy_fallback_client_plugin= { MYSQL_CLIENT_AUTHENTICATION_PLUGIN, @@ -139,8 +110,7 @@ auth_plugin_t dummy_fallback_client_plugin= NULL, NULL, NULL, - dummy_fallback_auth_client, - NULL + dummy_fallback_auth_client }; @@ -253,7 +223,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, if (mysql->options.ssl_key || mysql->options.ssl_cert || mysql->options.ssl_ca || mysql->options.ssl_capath || mysql->options.ssl_cipher || mysql->options.use_ssl || - !mysql->options.extension->tls_allow_invalid_server_cert) + mysql->options.extension->tls_verify_server_cert) mysql->options.use_ssl= 1; if (mysql->options.use_ssl) mysql->client_flag|= CLIENT_SSL; @@ -273,16 +243,15 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, mysql->net.pvio->type == PVIO_TYPE_SHAREDMEM)) { mysql->server_capabilities &= ~(CLIENT_SSL); - mysql->options.extension->tls_allow_invalid_server_cert= 1; } /* if server doesn't support SSL and verification of server certificate was set to mandatory, we need to return an error */ if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL)) { - if (!mysql->options.extension->tls_allow_invalid_server_cert || - mysql->options.extension->tls_fp || - mysql->options.extension->tls_fp_list) + if (mysql->options.extension->tls_verify_server_cert || + (mysql->options.extension && (mysql->options.extension->tls_fp || + mysql->options.extension->tls_fp_list))) { my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN, ER(CR_SSL_CONNECTION_ERROR), @@ -381,13 +350,6 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, } if (ma_pvio_start_ssl(mysql->net.pvio)) goto error; - if (mysql->net.tls_self_signed_error && - (!mysql->passwd || !mysql->passwd[0] || !hashing(mpvio->plugin))) - { - /* cannot use auth to validate the cert */ - set_error_from_tls_self_signed_error(mysql); - goto error; - } } #endif /* HAVE_TLS */ @@ -765,62 +727,15 @@ retry: auth_plugin_name, MYSQL_CLIENT_AUTHENTICATION_PLUGIN))) auth_plugin= &dummy_fallback_client_plugin; - /* can we use this plugin with this tls server cert ? */ - if (mysql->net.tls_self_signed_error && !hashing(auth_plugin)) - return set_error_from_tls_self_signed_error(mysql); goto retry; + } /* net->read_pos[0] should always be 0 here if the server implements the protocol correctly */ - if (mysql->net.read_pos[0] != 0) - return 1; - if (ma_read_ok_packet(mysql, mysql->net.read_pos + 1, pkt_length)) - return -1; - - if (!mysql->net.tls_self_signed_error) - return 0; - - assert(mysql->options.use_ssl); - assert(!mysql->options.extension->tls_allow_invalid_server_cert); - assert(!mysql->options.ssl_ca); - assert(!mysql->options.ssl_capath); - assert(!mysql->options.extension->tls_fp); - assert(!mysql->options.extension->tls_fp_list); - assert(hashing(auth_plugin)); - assert(mysql->passwd[0]); - if (mysql->info && mysql->info[0] == '\1') - { - MA_HASH_CTX *ctx = NULL; - unsigned char buf[1024], digest[MA_SHA256_HASH_SIZE]; - char fp[128], hexdigest[sizeof(digest)*2+1], *hexsig= mysql->info + 1; - size_t buflen= sizeof(buf) - 1, fplen; - - mysql->info= NULL; /* no need to confuse the client with binary info */ - - if (!(fplen= ma_tls_get_finger_print(mysql->net.pvio->ctls, MA_HASH_SHA256, - fp, sizeof(fp)))) - return 1; /* error is already set */ - - if (auth_plugin->hash_password_bin(mysql, buf, &buflen) || - !(ctx= ma_hash_new(MA_HASH_SHA256))) - { - SET_CLIENT_ERROR(mysql, CR_OUT_OF_MEMORY, SQLSTATE_UNKNOWN, 0); - return 1; - } - - ma_hash_input(ctx, (unsigned char*)buf, buflen); - ma_hash_input(ctx, (unsigned char*)mysql->scramble_buff, SCRAMBLE_LENGTH); - ma_hash_input(ctx, (unsigned char*)fp, fplen); - ma_hash_result(ctx, digest); - ma_hash_free(ctx); - - mysql_hex_string(hexdigest, (char*)digest, sizeof(digest)); - if (strcmp(hexdigest, hexsig) == 0) - return 0; /* phew. self-signed certificate is validated! */ - } - - return set_error_from_tls_self_signed_error(mysql); + if (mysql->net.read_pos[0] == 0) + return ma_read_ok_packet(mysql, mysql->net.read_pos + 1, pkt_length); + return 1; } diff --git a/plugins/auth/old_password.c b/plugins/auth/old_password.c index 3f7d533c..07756e92 100644 --- a/plugins/auth/old_password.c +++ b/plugins/auth/old_password.c @@ -63,8 +63,7 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = NULL, NULL, NULL, - auth_old_password, - NULL + auth_old_password }; /** diff --git a/plugins/auth/ref10/crypto_sign.h b/plugins/auth/ref10/crypto_sign.h index 3c676885..5f9b3437 100644 --- a/plugins/auth/ref10/crypto_sign.h +++ b/plugins/auth/ref10/crypto_sign.h @@ -3,7 +3,7 @@ int crypto_sign_keypair( unsigned char *pw, unsigned long long pwlen ); int ma_crypto_sign( - unsigned char *sm, unsigned char *pk, + unsigned char *sm, const unsigned char *m, unsigned long long mlen, const unsigned char *pw, unsigned long long pwlen ); diff --git a/plugins/auth/ref10/sign.c b/plugins/auth/ref10/sign.c index 421a0aed..b4153201 100644 --- a/plugins/auth/ref10/sign.c +++ b/plugins/auth/ref10/sign.c @@ -5,7 +5,7 @@ #include "sc.h" int ma_crypto_sign( - unsigned char *sm, unsigned char *pk, + unsigned char *sm, const unsigned char *m,unsigned long long mlen, const unsigned char *pw,unsigned long long pwlen ) @@ -26,7 +26,6 @@ int ma_crypto_sign( ge_scalarmult_base(&A,az); ge_p3_tobytes(sm + 32,&A); - memmove(pk, sm + 32, 32); sc_reduce(nonce); ge_scalarmult_base(&R,nonce); diff --git a/plugins/auth/sha256_pw.c b/plugins/auth/sha256_pw.c index 66fb1071..79febf1a 100644 --- a/plugins/auth/sha256_pw.c +++ b/plugins/auth/sha256_pw.c @@ -76,8 +76,7 @@ struct st_mysql_client_plugin_AUTHENTICATION _mysql_client_plugin_declaration_ = auth_sha256_init, NULL, NULL, - auth_sha256_client, - NULL + auth_sha256_client }; #ifdef HAVE_WINCRYPT diff --git a/unittest/libmariadb/connection.c b/unittest/libmariadb/connection.c index 761e6394..fa232cad 100644 --- a/unittest/libmariadb/connection.c +++ b/unittest/libmariadb/connection.c @@ -686,7 +686,6 @@ int test_connection_timeout2(MYSQL *unused __attribute__((unused))) unsigned int timeout= 5; time_t start, elapsed; MYSQL *mysql; - my_bool no= 0; SKIP_SKYSQL; SKIP_MAXSCALE; @@ -695,7 +694,6 @@ int test_connection_timeout2(MYSQL *unused __attribute__((unused))) mysql= mysql_init(NULL); mysql_options(mysql, MYSQL_OPT_CONNECT_TIMEOUT, (unsigned int *)&timeout); mysql_options(mysql, MYSQL_INIT_COMMAND, "set @a:=SLEEP(7)"); - mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &no); start= time(NULL); if (my_test_connect(mysql, hostname, username, password, schema, port, socketname, CLIENT_REMEMBER_OPTIONS)) {