From 4eac842c8f9814ffabf14c8074717d7c4511a72e Mon Sep 17 00:00:00 2001
From: Vladislav Vaintroub <vvaintroub@gmail.com>
Date: Fri, 9 Feb 2024 02:18:32 +0100
Subject: [PATCH] MDEV-33430 - Fix self-signed certificate errors on Windows

Adjust test after fixing the C/C.

On Windows, use --host=127.0.0.2 to fake "insecure" transport
with TCP connection for test purposes. 127.0.0.2 is loopback address,
that can be used instead of usual 127.0.0.1

Unfortunately, this technique does not work on all *nixes the same,
notably neither on BSDs nor Solaris. Thus default --host=localhost
remains "insecure" transport,when TCP is used. but it is not that critical,
the "self-signed" is not nearly as annoying on *nixes as it is on Windows.
---
 libmariadb                               |  2 +-
 mysql-test/main/ssl_7937.test            |  8 +++++-
 mysql-test/main/ssl_autoverify,win.rdiff | 10 ++++----
 mysql-test/main/ssl_autoverify.result    |  3 +++
 mysql-test/main/ssl_autoverify.test      | 32 ++++++++++++++++++------
 mysql-test/main/ssl_fp.test              | 12 ++++++---
 6 files changed, 49 insertions(+), 18 deletions(-)

diff --git a/libmariadb b/libmariadb
index 8dffd56936d..536d9e2b9e5 160000
--- a/libmariadb
+++ b/libmariadb
@@ -1 +1 @@
-Subproject commit 8dffd56936df3d03eeccf47904773860a0cdeb57
+Subproject commit 536d9e2b9e5b74428ddef8b3ac0fa2168d3d33c0
diff --git a/mysql-test/main/ssl_7937.test b/mysql-test/main/ssl_7937.test
index 17a4c2894c4..444e3ec6a1b 100644
--- a/mysql-test/main/ssl_7937.test
+++ b/mysql-test/main/ssl_7937.test
@@ -20,9 +20,15 @@ create procedure have_ssl()
 --echo mysql --ssl-ca=cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()"
 --exec $MYSQL --protocol tcp --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 
+let $is_win = `select convert(@@version_compile_os using latin1) IN ("Win32","Win64","Windows")`;
+let $host=;
+if($is_win)
+{
+  let $host=--host=127.0.0.2;
+}
 --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
---exec $MYSQL --protocol tcp --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 
 --echo #
 --echo # MDEV-27105 --ssl option set as default for mariadb CLI
diff --git a/mysql-test/main/ssl_autoverify,win.rdiff b/mysql-test/main/ssl_autoverify,win.rdiff
index 541870f117f..78d1df17106 100644
--- a/mysql-test/main/ssl_autoverify,win.rdiff
+++ b/mysql-test/main/ssl_autoverify,win.rdiff
@@ -1,6 +1,6 @@
---- a/mysql-test/main/ssl_autoverify.result
-+++ b/mysql-test/main/ssl_autoverify.result
-@@ -22,9 +22,9 @@ ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
+--- ssl_autoverify.result	2024-02-08 23:55:13.779166100 +0100
++++ ssl_autoverify,win.reject	2024-02-08 23:55:46.988212400 +0100
+@@ -22,9 +22,9 @@
  WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
  test.have_ssl()
  yes
@@ -9,10 +9,10 @@
  test.have_ssl()
 -yes
 +no
- # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
+ # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
  test.have_ssl()
  yes
-@@ -42,16 +42,6 @@ yes
+@@ -45,16 +45,6 @@
  # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
  test.have_ssl()
  yes
diff --git a/mysql-test/main/ssl_autoverify.result b/mysql-test/main/ssl_autoverify.result
index 551e817819f..8c78a21d6f9 100644
--- a/mysql-test/main/ssl_autoverify.result
+++ b/mysql-test/main/ssl_autoverify.result
@@ -25,6 +25,9 @@ yes
 # mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
 yes
+# mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
 # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
 test.have_ssl()
 yes
diff --git a/mysql-test/main/ssl_autoverify.test b/mysql-test/main/ssl_autoverify.test
index e042e42855b..0417f6eb76b 100644
--- a/mysql-test/main/ssl_autoverify.test
+++ b/mysql-test/main/ssl_autoverify.test
@@ -25,6 +25,15 @@ create function have_ssl() returns char(3)
   from information_schema.session_status
   where variable_name='ssl_cipher');
 
+let host=;
+if ($MTR_COMBINATION_WIN) {
+  # 127.0.0.2 (and generally 127.0.0.0/8) works on Windows the same as 127.0.0.1,
+  # i.e client can connect if server listens on IPv4 loopback
+  #
+  # We use 127.0.0.2 as it does not match any of "localhost","127.0.0.1","::1"
+  # thus it is not considered "secure transport" by the connector/C
+  let host=--host=127.0.0.2;
+}
 #
 # root user, no password, so cannot validate cert.
 #
@@ -33,13 +42,13 @@ create function have_ssl() returns char(3)
 --echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
 --error 1
---exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # except if ssl-verify-server-cert is left on default (not explicitly enabled)
 #
 --let $csd=`select @@character_sets_dir`
 --echo # mysql -uroot -e "select test.have_ssl()"
---exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
+--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp $host --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
 #
 # or unless using a secure transport, like unix_socket or named pipes
 #
@@ -52,34 +61,41 @@ if ($MTR_COMBINATION_WIN) {
 }
 --echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 --exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
+#
+# same for tcp via localhost
+#
+--echo # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
 #
 # mysql_native_password with password works fine
 #
 --echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # ed25519 with password works fine
 #
 --echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # three_attempts uses auth string as is, doesn't hash.
 # so it's not safe over untrusted connection and thus cannot validate cert
 #
 --echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 --echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
 --error 1
---exec $MYSQL --protocol tcp -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # multi-auth case, both client and server must use
 # the same plugin for cert validation
 #
 --echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 --echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 
 #
 # Now try MitM
diff --git a/mysql-test/main/ssl_fp.test b/mysql-test/main/ssl_fp.test
index b3c50ff9508..9f3685c4593 100644
--- a/mysql-test/main/ssl_fp.test
+++ b/mysql-test/main/ssl_fp.test
@@ -5,23 +5,29 @@ create function have_ssl() returns char(3)
   from information_schema.session_status
   where variable_name='ssl_cipher');
 
+let $is_win = `select convert(@@version_compile_os using latin1) IN ("Win32","Win64","Windows")`;
+let $host=;
+if($is_win)
+{
+  let $host=--host=127.0.0.2;
+}
 #
 # passwordless root cannot connect w/o fingerprint:
 #
 --echo # mysql --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
 --replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
 --error 1
---exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # fingerprint based cert verification:
 #
 --echo # mysql --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()"
---exec $MYSQL --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 #
 # wrong fingerprint fails even with --disable-ssl-verify-server-cert
 #
 --echo # mysql --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()"
 --error 1
---exec $MYSQL --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+--exec $MYSQL --protocol tcp $host -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
 
 drop function have_ssl;