mariadb/mysql-test/main/ssl_autoverify.test

source include/platform.inc;
source include/not_embedded.inc;
if (!$AUTH_ED25519_SO) {
  skip No auth_ed25519 plugin;
}
if (!$DIALOG_EXAMPLES_SO) {
  skip No dialog_examples plugin;
}

install soname 'auth_ed25519';
install plugin three_attempts soname 'dialog_examples';

create user native@'%' identified via mysql_native_password using password('foo');
create user ed@'%' identified via ed25519 using password('bar');
create user nohash@'%' identified via three_attempts using 'onetwothree';
create user multi@'%' identified via mysql_native_password using password('pw1')
                                  or ed25519 using password('pw2');
grant all privileges on test.* to native@'%';
grant all privileges on test.* to ed@'%';
grant all privileges on test.* to nohash@'%';
grant all privileges on test.* to multi@'%';

create function have_ssl() returns char(3)
  return (select if(variable_value > '','yes','no') as 'have_ssl'
  from information_schema.session_status
  where variable_name='ssl_cipher');

let host=;
if ($MTR_COMBINATION_WIN) {
  # 127.0.0.2 (and generally 127.0.0.0/8) works on Windows the same as 127.0.0.1,
  # i.e client can connect if server listens on IPv4 loopback
  #
  # We use 127.0.0.2 as it does not match any of "localhost","127.0.0.1","::1"
  # thus it is not considered "secure transport" by the connector/C
  let host=--host=127.0.0.2;
}
#
# root user, no password, so cannot validate cert.
#
--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
--echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --protocol tcp $host -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# except if ssl-verify-server-cert is left on default (not explicitly enabled)
#
--let $csd=`select @@character_sets_dir`
--echo # mysql -uroot -e "select test.have_ssl()"
--exec $EXE_MYSQL --no-defaults --character-sets-dir=$csd --protocol tcp $host --port $MASTER_MYPORT -uroot -e "select test.have_ssl()" 2>&1
#
# or unless using a secure transport, like unix_socket or named pipes
#
# note that SSL works over unix_socket, and it doesn't work over named pipes
# but the connection is allowed either way, as the transport is secure
#
let proto=socket;
if ($MTR_COMBINATION_WIN) {
  let proto=pipe;
}
--echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1

#
# same for tcp via localhost
#
--echo # mysql --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp --host 127.0.0.1 -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1

#
# mysql_native_password with password works fine
#
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# ed25519 with password works fine
#
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# three_attempts uses auth string as is, doesn't hash.
# so it's not safe over untrusted connection and thus cannot validate cert
#
--echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
--echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --protocol tcp $host -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# multi-auth case, both client and server must use
# the same plugin for cert validation
#
--echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
--echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp $host -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1

#
# Now try MitM
#
if (!$MTR_COMBINATION_WIN) {
let mitm_port=$MASTER_MYPORT;
inc $mitm_port;
--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select 'Detecting MitM' as MitM, test.have_ssl()"
--exec $MYSQL --port $mitm_port --disable-ssl-verify-server-cert -uroot -e "select 'Detecting MitM' as MitM, test.have_ssl()" 2>&1

--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --port $mitm_port -unative -pfoo --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()" 2>&1

--exec perl lib/ssl-mitm.pl --listen-on $mitm_port --connect-to $MASTER_MYPORT --ssl-ca std_data/cacert.pem --ssl-key std_data/server-new-key.pem --ssl-cert std_data/server-new-cert.pem
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --port $mitm_port -ued -pbar --ssl-verify-server-cert -e "select 'Detecting MitM', test.have_ssl()" 2>&1
}

drop function have_ssl;
--disable_warnings
drop user native@'%';
drop user ed@'%';
drop user nohash@'%';
drop user multi@'%';
--enable_warnings
uninstall plugin ed25519;
uninstall plugin three_attempts;