Due to required cryptographic functions which are part of the TLS
libraries it is no longer possible to build MariaDB Connector/C
without crypto libraries.
Follow-up patch to fix copy-paste error that causes incorrect restore of
registers in my_context_continue which can cause crashes on arm64.
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
declare plugin structures using their correct type.
Fixes errors like
./libmariadb/libmariadb/ma_client_plugin.c:86:39: error: type of ‘pvio_socket_client_plugin’ does not match original declaration [-Werror=lto-type-mismatch]
./libmariadb/plugins/pvio/pvio_socket.c:141:21: note: type ‘struct MARIADB_PVIO_PLUGIN’ should match type ‘struct st_mysql_client_plugin’
Approved by: Georg Richter <georg@mariadb.com>
The non-blocking API has native (assembler) implementations for x86_64,
i386, and (with recent patch) aarch64; these implementations are the most
efficient. For other architectures, a fallback to ucontext is supported.
But ucontext is not the most efficient, and it is not available on all
platforms (it has been deprecated in POSIX). The boost::context library
provides an alternative fallback that is available on more architectures and
should be more efficient than ucontext (if still not quite as fast as the
native support).
This patch adds a CMake option -DWITH_BOOST_CONTEXT=ON that adds
boost::context as a dependency of libmariadb to provide a fallback on
non-natively supported architectures. Boost::context is preferred over
ucontext when both are available.
The option is off by default and must be explicitly enabled by the
user. This avoids introducing a C++ dependency (including dependency
on a C++ compiler and on libstdc++) unless explicitly requested by the
user (libmariadb is otherwise C-only).
Tested-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
Implement native my_context for arm64 (aarch64). This is more
efficient than ucontext, and also makes the non-blocking API available
on arm64 platforms that do not have ucontext such as OpenBSD.
Tested-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
If peer certificate verification was disabled, we also need
to set the verification callback function to avoid output
from OpenSSL's internal fallback function.
- moved fingerprint verification to ma_tls.c
- don't verify cert again if fingerprint check
succeeded.
- Disable self signed check in fingerprint tests
(Schannel only).
Since timeout was already set via setsockopt, we call wait_io_or_timeout()
with a very small timeout (5ms) to get a more precise errno, which is used
by OpenSSL's error function.
To build manpages run cmake with option -DWITH_DOCS=ON.
Creation of man pages requires Python3 and Docygen.
The bundled manpaes were removed from repository.
For testing purposes (the python3 dummy server can't handle
further communication after TLS handshake succeeded) support
for verification callback was added.
my_bool callback(MYSQL *mysql, unsigned int *flags, my_bool verified)
Parameter:
- mysql connection handle for current connection
- flags verification flags
- verified true if callback was called after verification,
otherwise false
Return value:
- False (0) to continue
- True (1) to abort tls connection
The callback function can be registered via
mysql_optionsv(mysql, MARIADB_OPT_TLS_VERIFICATION_CALLBACK, callback);
Since the MARIADB_TLS_VERIFY_TRUST flag might be cleared in my_auth,
we store the original result of peer certificate verification in
mysql->extension->tls_validation.
This value can be obtained via mariadb_get_infov API function
using option MARIADB_TLS_VERIFY_STATUS.
