mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-29 02:05:57 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

cleanup: X509_check_host() in the internal client

Browse source 
X509_check_host() and X509_check_ip_asc() exist in all
supported SSL libraries

in OpenSSL >= 1.0.2 and in the bundled WolfSSL

And X509_free() handles NULL pointers all right.
This commit is contained in:
Sergei Golubchik 2023-09-02 21:43:36 +02:00
parent f4e174e113
commit 05a421eb36
3 changed files with 4 additions and 69 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
cmake/ssl.cmake
View file

@ -59,7 +59,6 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state") SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR") SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM") SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
SET(HAVE_X509_check_host ON CACHE INTERNAL "wolfssl does support X509_check_host")
SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY API") SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY API")
CHANGE_SSL_SETTINGS("bundled") CHANGE_SSL_SETTINGS("bundled")
ADD_SUBDIRECTORY(extra/wolfssl) ADD_SUBDIRECTORY(extra/wolfssl)
@ -157,8 +156,6 @@ MACRO (MYSQL_CHECK_SSL)
HAVE_EncryptAes128Ctr) HAVE_EncryptAes128Ctr)
CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h" CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
HAVE_EncryptAes128Gcm) HAVE_EncryptAes128Gcm)
CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
HAVE_X509_check_host)
CHECK_SYMBOL_EXISTS(EVP_PKEY_CTX_set_hkdf_md "string.h;stdarg.h;openssl/kdf.h" CHECK_SYMBOL_EXISTS(EVP_PKEY_CTX_set_hkdf_md "string.h;stdarg.h;openssl/kdf.h"
HAVE_hkdf) HAVE_hkdf)
SET(CMAKE_REQUIRED_INCLUDES) SET(CMAKE_REQUIRED_INCLUDES)

7
mysql-test/suite.pm
View file

@ -80,15 +80,8 @@ sub skip_combinations {
$skip{'main/openssl_6975.test'} = 'no or wrong openssl version' $skip{'main/openssl_6975.test'} = 'no or wrong openssl version'
unless $openssl_ver ge "1.0.1d" and $openssl_ver lt "1.1.1"; unless $openssl_ver ge "1.0.1d" and $openssl_ver lt "1.1.1";
$skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
unless $ssl_lib =~ /WolfSSL/ or $openssl_ver ge "1.0.2";
$skip{'main/func_kdf.combinations'} = [ $ssl_lib =~ /OpenSSL 1\.0\./ ? 'new' : 'old' ]; $skip{'main/func_kdf.combinations'} = [ $ssl_lib =~ /OpenSSL 1\.0\./ ? 'new' : 'old' ];
$skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
unless $openssl_ver ge "1.0.2";
sub utf8_command_line_ok() { sub utf8_command_line_ok() {
if (IS_WINDOWS) { if (IS_WINDOWS) {
# Can use UTF8 on command line since Windows 10 1903 (10.0.18362) # Can use UTF8 on command line since Windows 10 1903 (10.0.18362)

63
sql-common/client.c
View file

@ -1583,21 +1583,12 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
#if defined(HAVE_OPENSSL) #if defined(HAVE_OPENSSL)
#ifdef HAVE_X509_check_host
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#endif
static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr)
{ {
SSL *ssl; SSL *ssl;
X509 *server_cert= NULL; X509 *server_cert= NULL;
#ifndef HAVE_X509_check_host
char *cn= NULL;
int cn_loc= -1;
ASN1_STRING *cn_asn1= NULL;
X509_NAME_ENTRY *cn_entry= NULL;
X509_NAME *subject= NULL;
#endif
int ret_validation= 1; int ret_validation= 1;
DBUG_ENTER("ssl_verify_server_cert"); DBUG_ENTER("ssl_verify_server_cert");
@ -1632,59 +1623,13 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
are what we expect. are what we expect.
*/ */
#ifdef HAVE_X509_check_host ret_validation= X509_check_host(server_cert, server_hostname,
ret_validation= strlen(server_hostname), 0, 0) != 1 &&
X509_check_host(server_cert, server_hostname, X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
strlen(server_hostname), 0, 0) != 1;
#ifndef HAVE_WOLFSSL
if (ret_validation)
{
ret_validation=
X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
}
#endif
#else
subject= X509_get_subject_name(server_cert);
cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
if (cn_loc < 0)
{
*errptr= "Failed to get CN location in the certificate subject";
goto error;
}
cn_entry= X509_NAME_get_entry(subject, cn_loc);
if (cn_entry == NULL)
{
*errptr= "Failed to get CN entry using CN location";
goto error;
}
cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry);
if (cn_asn1 == NULL)
{
*errptr= "Failed to get CN from CN entry";
goto error;
}
cn= (char *) ASN1_STRING_get0_data(cn_asn1);
if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
{
*errptr= "NULL embedded in the certificate CN";
goto error;
}
DBUG_PRINT("info", ("Server hostname in cert: %s", cn));
if (!strcmp(cn, server_hostname))
{
/* Success */
ret_validation= 0;
}
#endif
*errptr= "SSL certificate validation failure"; *errptr= "SSL certificate validation failure";
error: error:
if (server_cert != NULL) X509_free(server_cert);
X509_free (server_cert);
DBUG_RETURN(ret_validation); DBUG_RETURN(ret_validation);
} }