Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl (previously with WolfSSL only), or crashes will happen - updated aes-t, to be better debuggable using a function, rather than a huge multiline macro - added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst
#
# Various tests that require setting of a specific ssl_cipher
# which currently doesn't work in OpenSSL 1.1.1
#
# This is a mysqltest script: '#' starts a comment, '--' starts a mysqltest
# command, and any other line is sent to the server as SQL. The expected
# output lives in the matching .result file, so query text must not change.
--source include/have_ssl_communication.inc

# Skip entirely on OpenSSL 1.1.1, where selecting a cipher as done below
# does not work (see the header comment).
if (`select @@version_ssl_library like 'OpenSSL 1.1.1%'`) {
skip OpenSSL 1.1.1;
}

# Users with increasingly strict REQUIRE clauses: SSL only, a specific
# cipher, cipher + certificate SUBJECT, cipher + SUBJECT + ISSUER, and a
# SUBJECT ('xxx') that no client certificate is expected to match.
# NOTE(review): AES256-SHA / AES128-SHA are used throughout because both
# WolfSSL and OpenSSL support them (see the Bug#21611 note below); the commit
# summary mentions lowering SECLEVEL in the test openssl.cnf to keep them
# negotiable, so treat them as test fixtures, not a cipher recommendation.
create user ssl_user1@localhost require SSL;
create user ssl_user2@localhost require cipher 'AES256-SHA';
create user ssl_user3@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client';
create user ssl_user4@localhost require cipher 'AES256-SHA' AND SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client' ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB';
create user ssl_user5@localhost require cipher 'AES256-SHA' AND SUBJECT 'xxx';

# The REQUIRE clauses must be enforced at connect time: ssl_user2 is denied
# when the client negotiates AES128-SHA instead of the required AES256-SHA,
# and ssl_user5 is denied because its SUBJECT cannot match. --replace_result
# keeps the denial message stable regardless of the actual socket/port.
connect (con1,localhost,ssl_user1,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES128-SHA);
connect (con2,localhost,ssl_user2,,,,,SSL-CIPHER=AES256-SHA);
connect (con3,localhost,ssl_user3,,,,,SSL-CIPHER=AES256-SHA);
connect (con4,localhost,ssl_user4,,,,,SSL-CIPHER=AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (con5,localhost,ssl_user5,,,,,SSL-CIPHER=AES256-SHA);

# Every accepted connection reports the cipher it actually negotiated, so
# the .result pins that the requested SSL-CIPHER was honoured, not merely
# that the handshake succeeded.
connection con1;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection con2;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con2;
connection con3;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con3;
connection con4;
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con4;
connection default;
drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;

#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
# - Use a cipher that both WolfSSL and OpenSSL supports
#
# The same one-line script is fed to the mysqltest client with different
# --ssl-cipher values; stderr is merged (2>&1) so connection errors show up
# in the recorded output rather than being lost.
--write_file $MYSQLTEST_VARDIR/tmp/test.sql
SHOW STATUS LIKE 'Ssl_cipher';
EOF
--exec $MYSQL_TEST --ssl-cipher=AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a list of ciphers: an unknown name followed by a
# known one must still connect (with the known one)
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER:AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using a specific cipher
--exec $MYSQL_TEST --ssl-cipher=AES128-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
# Test to connect using an unknown cipher. --error 1 requires the client to
# exit non-zero, so silently falling back to some other cipher would fail
# this test; --replace_regex masks the library-specific tail of the 2026
# error message so the .result is the same for WolfSSL and OpenSSL.
--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
--error 1
--exec $MYSQL_TEST --ssl-cipher=UNKNOWN-CIPHER < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
--remove_file $MYSQLTEST_VARDIR/tmp/test.sql

#
# Bug#39172 Asking for DH+non-RSA key with server set to use other key caused
# YaSSL to crash the server.
#

# Common ciphers to openssl and yassl
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
# Logging is switched off for the crash probes below: their output is not
# of interest, only whether the server survives the requests.
--disable_query_log
--disable_result_log

# Below here caused crashes. ################
# --error 0,1 accepts either a successful or a refused connection; the point
# is that neither request must take the server down.
# NOTE(review): 'Ssl-cipher' (hyphen) in the two probes below is probably a
# typo for 'Ssl_cipher'; harmless here since the result log is off and only
# the client exit code is checked.
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=NOT----EXIST
# These probably exist but the server's keys can't be used to accept these kinds of connections.
--error 0,1
--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl-cipher';" --ssl-cipher=AES128-RMD

# If this gives a result, then the bug is fixed.
--enable_result_log
--enable_query_log
select 'is still running; no cipher request crashed the server' as result from dual;

#
# MDEV-10054 Secure login fails when CIPHER is required
#
# REQUIRE CIPHER attached through GRANT (rather than CREATE USER) must still
# allow a client that offers exactly that cipher to log in.
create user mysqltest_1@localhost;
grant usage on mysqltest.* to mysqltest_1@localhost require cipher "AES256-SHA";
--exec $MYSQL -umysqltest_1 --ssl-cipher=AES256-SHA -e "show status like 'ssl_cipher'" 2>&1
drop user mysqltest_1@localhost;

#
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
# it was a bug in yaSSL, fixed in d2e36e4258bb
#
# Restart with a server-side cipher restriction and check that both the
# negotiated cipher and the advertised Ssl_cipher_list reflect it.
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
# A substring match rather than equality: Ssl_cipher_list may contain more
# than the configured cipher (the commit summary mentions TLSv1.3 suites
# being listed in addition to --ssl-cipher) — verify against the .result.
SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;