mirror of
https://github.com/MariaDB/server.git
synced 2025-01-22 14:54:20 +01:00
918a8c469f
using crashes server When the server is configured to use a RSA key, and when the client sends a cipher-suite list that contains a non-RSA key as acceptable, the server would try to process that key even though it was impossible. Now, yaSSL sets its own acceptable-cipher list according to what kind of key the server is started with, and will never explore and try to pair impossible combinations. This involves a partial import of the current YaSSL tree, not the whole thing, so as to try to avoid introducing new bugs. (Updated to avoid many whitespace changes and make diff smaller.)
231 lines
7.9 KiB
Text
231 lines
7.9 KiB
Text
# Tests for SSL connections, only run if mysqld is compiled
|
|
# with support for SSL.
|
|
|
|
-- source include/have_ssl.inc
|
|
|
|
--disable_warnings
|
|
drop table if exists t1;
|
|
--enable_warnings
|
|
create table t1(f1 int);
|
|
insert into t1 values (5);
|
|
|
|
grant select on test.* to ssl_user1@localhost require SSL;
|
|
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
|
|
grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
|
|
grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
|
|
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
|
|
flush privileges;
|
|
|
|
connect (con1,localhost,ssl_user1,,,,,SSL);
|
|
connect (con2,localhost,ssl_user2,,,,,SSL);
|
|
connect (con3,localhost,ssl_user3,,,,,SSL);
|
|
connect (con4,localhost,ssl_user4,,,,,SSL);
|
|
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
|
|
--error 1045
|
|
connect (con5,localhost,ssl_user5,,,,,SSL);
|
|
|
|
connection con1;
|
|
# Check ssl turned on
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
select * from t1;
|
|
--error 1142
|
|
delete from t1;
|
|
|
|
connection con2;
|
|
# Check ssl turned on
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
select * from t1;
|
|
--error 1142
|
|
delete from t1;
|
|
|
|
connection con3;
|
|
# Check ssl turned on
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
select * from t1;
|
|
--error 1142
|
|
delete from t1;
|
|
|
|
connection con4;
|
|
# Check ssl turned on
|
|
SHOW STATUS LIKE 'Ssl_cipher';
|
|
select * from t1;
|
|
--error 1142
|
|
delete from t1;
|
|
|
|
connection default;
|
|
drop user ssl_user1@localhost, ssl_user2@localhost,
|
|
ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
|
|
|
|
drop table t1;
|
|
|
|
# End of 4.1 tests
|
|
|
|
#
|
|
# Test that we can't open connection to server if we are using
|
|
# a different cacert
|
|
#
|
|
--exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# Test that we can't open connection to server if we are using
|
|
# a blank ca
|
|
#
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# Test that we can't open connection to server if we are using
|
|
# a nonexistent ca file
|
|
#
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# Test that we can't open connection to server if we are using
|
|
# a blank client-key
|
|
#
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# Test that we can't open connection to server if we are using
|
|
# a blank client-cert
|
|
#
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# BUG#21611 Slave can't connect when master-ssl-cipher specified
|
|
# - Apparently selecting a cipher doesn't work at all
|
|
# - Usa a cipher that both yaSSL and OpenSSL supports
|
|
#
|
|
--exec echo "SHOW STATUS LIKE 'Ssl_cipher';" > $MYSQLTEST_VARDIR/tmp/test.sql
|
|
--exec $MYSQL_TEST --ssl-cipher=DHE-RSA-AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
|
|
#
|
|
# Test that we can open encrypted connection to server without
|
|
# verification of servers certificate by setting both ca certificate
|
|
# and ca path to NULL
|
|
#
|
|
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
|
|
--echo End of 5.0 tests
|
|
|
|
#
|
|
# Bug #26174 Server Crash: INSERT ... SELECT ... FROM I_S.GLOBAL_STATUS in
|
|
# Event (see also information_schema.test for the other part of test for
|
|
# this bug).
|
|
#
|
|
--disable_warnings
|
|
DROP TABLE IF EXISTS thread_status;
|
|
DROP EVENT IF EXISTS event_status;
|
|
--enable_warnings
|
|
|
|
SET GLOBAL event_scheduler=1;
|
|
|
|
DELIMITER $$;
|
|
|
|
CREATE EVENT event_status
|
|
ON SCHEDULE AT NOW()
|
|
ON COMPLETION NOT PRESERVE
|
|
DO
|
|
BEGIN
|
|
CREATE TABLE thread_status
|
|
SELECT variable_name, variable_value
|
|
FROM information_schema.session_status
|
|
WHERE variable_name LIKE 'SSL_ACCEPTS' OR
|
|
variable_name LIKE 'SSL_CALLBACK_CACHE_HITS';
|
|
END$$
|
|
|
|
DELIMITER ;$$
|
|
|
|
let $wait_condition=select count(*) = 0 from information_schema.events where event_name='event_status';
|
|
--source include/wait_condition.inc
|
|
|
|
# The actual value doesn't matter and can vary based on test ordering and on ssl library.
|
|
--replace_column 2 #
|
|
SELECT variable_name, variable_value FROM thread_status;
|
|
|
|
DROP TABLE thread_status;
|
|
SET GLOBAL event_scheduler=0;
|
|
|
|
#
|
|
# Test to connect using a list of ciphers
|
|
#
|
|
--exec echo "SHOW STATUS LIKE 'Ssl_cipher';" > $MYSQLTEST_VARDIR/tmp/test.sql
|
|
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
|
|
# Test to connect using a specifi cipher
|
|
#
|
|
--exec echo "SHOW STATUS LIKE 'Ssl_cipher';" > $MYSQLTEST_VARDIR/tmp/test.sql
|
|
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
# Test to connect using an unknown cipher
|
|
#
|
|
--exec echo "SHOW STATUS LIKE 'Ssl_cipher';" > $MYSQLTEST_VARDIR/tmp/test.sql
|
|
--error 1
|
|
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
|
|
|
|
#
|
|
# Bug #27669 mysqldump: SSL connection error when trying to connect
|
|
#
|
|
|
|
CREATE TABLE t1(a int);
|
|
INSERT INTO t1 VALUES (1), (2);
|
|
|
|
# Run mysqldump
|
|
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test t1
|
|
|
|
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test
|
|
|
|
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test
|
|
|
|
# With wrong parameters
|
|
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
|
|
--error 2
|
|
--exec $MYSQL_DUMP --skip-create --skip-comments --ssl --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem test 2>&1
|
|
|
|
DROP TABLE t1;
|
|
|
|
#
|
|
# Bug#39172: Asking for DH+non-RSA key with server set to use other key caused
|
|
# YaSSL to crash the server.
|
|
#
|
|
|
|
# Common ciphers to openssl and yassl
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DHE-RSA-AES256-SHA
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC3-SHA
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC-SHA
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=RC4-SHA
|
|
--disable_output
|
|
|
|
# Below here caused crashes. ################
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
|
|
# These probably exist but the server's keys can't be used to accept these kinds of connections.
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES128-RMD
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES128-SHA
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES256-RMD
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-AES256-SHA
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=DHE-DSS-DES-CBC3-RMD
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=EDH-DSS-DES-CBC3-SHA
|
|
--error 1,0
|
|
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=EDH-DSS-DES-CBC-SHA
|
|
# End of crashers. ##########################
|
|
|
|
# If this gives a result, then the bug is fixed.
|
|
--enable_output
|
|
select 'is still running; no cipher request crashed the server' as result from dual;
|
|
|
|
##
|
|
--echo End of 5.1 tests
|