/************************************************************************************
Copyright (C) 2012 Monty Program AB
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with this library; if not see <http://www.gnu.org/licenses>
or write to the Free Software Foundation, Inc.,
51 Franklin St., Fifth Floor, Boston, MA 02110, USA
*************************************************************************************/
#if defined(WIN32) && defined(HEAP_CHECK)
#define _CRTDBG_MAP_ALLOC
#include <stdlib.h>
#include <crtdbg.h>
#endif
#include "my_test.h"
#include <ma_pthread.h>
#ifdef HAVE_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
#endif
#define FNLEN 4096
static int skip_ssl= 1;
static uchar have_openssl= 1;
static unsigned char have_tls13= 0;
const char *ssluser= "ssluser";
const char *sslpw= "sslpw";
char sslhost[128];
char sslcert[FNLEN];
char sslcombined[FNLEN];
char sslkey[FNLEN];
char sslkey_enc[FNLEN];
char sslca[FNLEN];
char sslcrl[FNLEN];
char ssl_cert_finger_print[129]= {0};
char bad_cert_finger_print[]= "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67";
pthread_mutex_t LOCK_test;
void read_fingerprint()
{
FILE *f= fopen(CERT_PATH "/server-cert.sha1", "r");
if (f)
{
if (!fscanf(f, "%128s", ssl_cert_finger_print))
ssl_cert_finger_print[0]= 0;
fclose(f);
}
}
int check_skip_ssl()
{
const char *ssldir= NULL;
#ifndef HAVE_TLS
diag("client library built without OpenSSL support -> skip");
return 1;
#endif
if (skip_ssl)
{
diag("server doesn't support SSL -> skip");
return 1;
}
if (!(ssldir= getenv("SECURE_LOAD_PATH")))
{
ssldir= CERT_PATH;
if (!strlen(ssldir))
{
diag("certificate directory not found");
return 1;
}
}
snprintf(sslcert, FNLEN - 1, "%s/%s", ssldir, "client-cert.pem");
snprintf(sslcombined, FNLEN - 1, "%s/%s", ssldir, "client-certkey.pem");
snprintf(sslkey, FNLEN - 1, "%s/%s", ssldir, "client-key.pem");
snprintf(sslkey_enc, FNLEN - 1, "%s/%s", ssldir, "client-key-enc.pem");
snprintf(sslca, FNLEN - 1, "%s/%s", ssldir, "cacert.pem");
return 0;
}
static int check_cipher(MYSQL *mysql)
{
char *cipher= (char *)mysql_get_ssl_cipher(mysql);
if (!cipher)
return 1;
diag("cipher: %s", cipher);
return 0;
}
static int create_ssl_user(const char *ssluser, my_bool is_X509)
{
int rc;
char query[1024];
MYSQL *mysql= mysql_init(NULL);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
port, socketname, 0), mysql_error(mysql));
sprintf(query, "DROP USER '%s'@'%s'", ssluser, this_host);
rc= mysql_query(mysql, query);
sprintf(query, "CREATE USER '%s'@'%s' IDENTIFIED BY '%s'", ssluser, this_host, sslpw);
rc= mysql_query(mysql, query);
check_mysql_rc(rc,mysql);
sprintf(query, "GRANT ALL ON %s.* TO '%s'@'%s' REQUIRE %s", schema, ssluser, this_host, is_X509 ? "X509" : "SSL");
rc= mysql_query(mysql, query);
check_mysql_rc(rc,mysql);
rc= mysql_query(mysql, "FLUSH PRIVILEGES");
check_mysql_rc(rc,mysql);
mysql_close(mysql);
return rc;
}
static int test_ssl(MYSQL *mysql)
{
int rc;
unsigned int iversion;
MYSQL_RES *res;
MYSQL_ROW row;
char *tls_library;
MYSQL *my= mysql_init(NULL);
mysql_ssl_set(my,0, 0, 0, 0, 0);
create_ssl_user("ssluser", 0);
FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(my));
mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION_ID, &iversion);
diag("iversion: %d", iversion);
if (iversion == 4)
have_tls13= 1;
mysql_close(my);
rc= mysql_query(mysql, "SELECT @@have_ssl, @@have_openssl");
check_mysql_rc(rc, mysql);
res= mysql_store_result(mysql);
FAIL_IF(!res, mysql_error(mysql));
while ((row= mysql_fetch_row(res)))
{
if (!strcmp(row[0], "YES"))
skip_ssl= 0;
if (strcmp(row[1], "YES"))
have_openssl= 0;
diag("SSL: %s", row[0]);
}
mysql_free_result(res);
/* In MySQL we need to check tls_version */
if (!mariadb_connection(mysql))
{
rc= mysql_query(mysql, "select locate('v1.2', @@tls_version) > 0");
check_mysql_rc(rc, mysql);
res= mysql_store_result(mysql);
FAIL_IF(!res, mysql_error(mysql));
if ((row= mysql_fetch_row(res)))
{
if (row[0] && row[0][0] == '0')
have_openssl= 0;
}
mysql_free_result(res);
}
diag("OpenSSL: %d", have_openssl);
mariadb_get_infov(NULL, MARIADB_TLS_LIBRARY, &tls_library);
diag("SSL library: %s", tls_library);
sslhost[0]= 0;
if (!skip_ssl)
{
char *p;
rc= mysql_query(mysql, "SELECT CURRENT_USER()");
check_mysql_rc(rc, mysql);
res= mysql_store_result(mysql);
row= mysql_fetch_row(res);
diag("user: %s", row[0]);
if ((p= strchr(row[0], '@')))
strcpy(sslhost, p+1);
mysql_free_result(res);
}
return OK;
}
static int test_ssl_cipher(MYSQL *unused __attribute__((unused)))
{
MYSQL *my;
MYSQL_RES *res;
MYSQL_ROW row;
int rc;
if (check_skip_ssl())
return SKIP;
my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0);
FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(my));
rc= mysql_query(my, "SHOW session status like 'Ssl_version'");
check_mysql_rc(rc, my);
res= mysql_store_result(my);
row= mysql_fetch_row(res);
diag("%s: %s", row[0], row[1]);
diag("cipher: %s", mysql_get_ssl_cipher(my));
mysql_free_result(res);
FAIL_IF(check_cipher(my) != 0, "Invalid cipher");
mysql_close(my);
return OK;
}
static int test_conc95(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
create_ssl_user("ssluser1", 1);
mysql= mysql_init(NULL);
mysql_ssl_set(mysql,
sslkey,
sslcert,
NULL,
NULL,
NULL);
if (!mysql_real_connect(mysql, hostname, "ssluser1", sslpw, schema,
ssl_port, socketname, 0))
{
diag("could not establish x509 connection. Error: %s", mysql_error(mysql));
mysql_close(mysql);
return FAIL;
}
mysql_close(mysql);
return OK;
}
static int test_multi_ssl_connections(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql[50], *my;
int i, rc;
int old_connections= 0, new_connections= 0;
MYSQL_RES *res;
MYSQL_ROW row;
if (check_skip_ssl())
return SKIP;
diag("Test doesn't work with yassl");
return SKIP;
create_ssl_user(ssluser, 0);
my= mysql_init(NULL);
FAIL_IF(!my,"mysql_init() failed");
FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(my));
rc= mysql_query(my, "SHOW STATUS LIKE 'Ssl_accepts'");
check_mysql_rc(rc, my);
res= mysql_store_result(my);
if ((row= mysql_fetch_row(res)))
old_connections= atoi(row[1]);
mysql_free_result(res);
for (i=0; i < 50; i++)
{
mysql[i]= mysql_init(NULL);
FAIL_IF(!mysql[i],"mysql_init() failed");
mysql_ssl_set(mysql[i], 0, 0, sslca, 0, 0);
mysql_real_connect(mysql[i], hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
if (mysql_errno(mysql[i]))
{
diag("loop: %d error: %d %s", i, mysql_errno(mysql[i]), mysql_error(mysql[i]));
return FAIL;
}
FAIL_IF(check_cipher(mysql[i]) != 0, "Invalid cipher");
}
for (i=0; i < 50; i++)
mysql_close(mysql[i]);
rc= mysql_query(my, "SHOW STATUS LIKE 'Ssl_accepts'");
check_mysql_rc(rc, my);
res= mysql_store_result(my);
if ((row= mysql_fetch_row(res)))
new_connections= atoi(row[1]);
mysql_free_result(res);
mysql_close(my);
diag("%d SSL connections processed", new_connections - old_connections);
FAIL_IF(new_connections - old_connections < 50, "new_connections should be at least old_connections + 50");
return OK;
}
#ifndef WIN32
static void ssl_thread(void *unused __attribute__((unused)))
#else
DWORD WINAPI ssl_thread(void *dummy)
#endif
{
MYSQL *mysql= NULL;
mysql_thread_init();
if (!(mysql= mysql_init(NULL)))
{
goto end;
}
mysql_ssl_set(mysql, 0, 0, sslca, 0, 0);
if(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0))
{
diag(">Error: %s", mysql_error(mysql));
goto end;
}
pthread_mutex_lock(&LOCK_test);
mysql_query(mysql, "UPDATE ssltest SET a=a+1");
pthread_mutex_unlock(&LOCK_test);
end:
if(mysql)
mysql_close(mysql);
mysql_thread_end();
#ifdef _WIN32
return 0;
#endif
}
static int test_ssl_threads(MYSQL *mysql)
{
int i, rc;
#ifndef WIN32
pthread_t threads[50];
#else
HANDLE hthreads[50];
DWORD dthreads[50];
#endif
MYSQL_RES *res;
MYSQL_ROW row;
if (check_skip_ssl())
return SKIP;
rc= mysql_query(mysql, "DROP TABLE IF exists ssltest");
check_mysql_rc(rc, mysql);
rc= mysql_query(mysql, "CREATE TABLE ssltest (a int)");
check_mysql_rc(rc, mysql);
rc= mysql_query(mysql, "INSERT into ssltest VALUES (0)");
check_mysql_rc(rc, mysql);
pthread_mutex_init(&LOCK_test, NULL);
pthread_mutex_init(&LOCK_test, NULL);
for (i=0; i < 50; i++)
{
#ifndef WIN32
pthread_create(&threads[i], NULL, (void *)ssl_thread, NULL);
#else
hthreads[i]= CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ssl_thread, NULL, 0, &dthreads[i]);
if (hthreads[i]==NULL)
diag("error while starting thread");
#endif
}
for (i=0; i < 50; i++)
#ifndef WIN32
pthread_join(threads[i], NULL);
#else
WaitForSingleObject(hthreads[i], INFINITE);
#endif
pthread_mutex_destroy(&LOCK_test);
rc= mysql_query(mysql, "SELECT a FROM ssltest");
check_mysql_rc(rc, mysql);
res= mysql_store_result(mysql);
row= mysql_fetch_row(res);
diag("Found: %s", row[0]);
FAIL_IF(strcmp(row[0], "50") != 0, "Expected 50");
mysql_free_result(res);
rc= mysql_query(mysql, "DROP TABLE IF exists ssltest");
check_mysql_rc(rc, mysql);
return OK;
}
static int test_phpbug51647(MYSQL *unused __attribute__((unused)))
{
MYSQL* mysql;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, sslkey,
sslcert,
sslca, 0, 0);
FAIL_IF(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(mysql));
diag("%s", mysql_get_ssl_cipher(mysql));
mysql_close(mysql);
return OK;
}
static int test_password_protected(MYSQL *unused __attribute__((unused)))
{
MYSQL* mysql;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, sslkey_enc,
sslcert,
sslca, 0, 0);
mysql_options(mysql, MARIADB_OPT_TLS_PASSPHRASE, "qwerty");
FAIL_IF(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(mysql));
diag("%s", mysql_get_ssl_cipher(mysql));
mysql_close(mysql);
return OK;
}
static int test_conc50(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, NULL, "./non_exisiting_cert.pem", NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
diag("Error: %d %s", mysql_errno(mysql), mysql_error(mysql));
FAIL_IF(mysql_errno(mysql) != 2026, "Expected errno 2026");
mysql_close(mysql);
return OK;
}
static int test_conc50_1(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
if (!have_openssl)
{
diag("Server with OpenSSL required");
return SKIP;
}
create_ssl_user(ssluser, 0);
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, NULL, sslca, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
if (mysql_errno(mysql))
diag("Error: %d %s", mysql_errno(mysql), mysql_error(mysql));
FAIL_IF(mysql_errno(mysql), "No error expected");
mysql_close(mysql);
return OK;
}
static int test_conc50_2(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, NULL, "./non_exisiting_cert.pem", NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
FAIL_IF(mysql_errno(mysql) != 2026, "Expected errno 2026");
mysql_close(mysql);
return OK;
}
static int test_conc127(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
diag("test disabled - for testing disable other tests or run this test as first test");
return SKIP;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, NULL, "./non_exisiting.pem", NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
diag("Error: %s", mysql_error(mysql));
FAIL_IF(mysql_errno(mysql) == 0, "Error expected (invalid certificate)");
mysql_close(mysql);
return OK;
}
static int test_conc50_3(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
create_ssl_user(ssluser, 0);
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
FAIL_IF(!mysql_errno(mysql), "Error expected, SSL connection required!");
mysql_close(mysql);
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, NULL, sslca, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
diag("Error: %s<", mysql_error(mysql));
FAIL_IF(mysql_errno(mysql), "No error expected");
mysql_close(mysql);
return OK;
}
static int test_conc50_4(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, sslca, NULL, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
FAIL_IF(!mysql_errno(mysql) , "Error expected");
mysql_close(mysql);
return OK;
}
static int verify_ssl_server_cert(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
uint verify= 1;
if (check_skip_ssl())
return SKIP;
if (!hostname || !strcmp(hostname, "localhost"))
return SKIP;
SKIP_TRAVIS();
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, NULL, NULL, sslca, NULL, NULL);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
FAIL_IF(!mysql_errno(mysql), "Expected error");
diag("Error (expected): %s", mysql_error(mysql));
mysql_close(mysql);
return OK;
}
static int test_bug62743(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, "dummykey", NULL, NULL, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
diag("Error: %s", mysql_error(mysql));
FAIL_IF(mysql_errno(mysql) != 2026, "Expected errno 2026");
mysql_close(mysql);
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, sslkey, NULL, NULL, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
diag("Error with key: %s", mysql_error(mysql));
FAIL_IF(mysql_errno(mysql) != 2026, "Expected errno 2026");
mysql_close(mysql);
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, sslkey,
sslcert, NULL, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
FAIL_IF(mysql_errno(mysql) != 0, "Expected no error");
mysql_close(mysql);
mysql= mysql_init(NULL);
FAIL_IF(!mysql, "Can't allocate memory");
mysql_ssl_set(mysql, sslkey, "blablubb", NULL, NULL, NULL);
mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0);
diag("Error with cert: %s", mysql_error(mysql));
FAIL_IF(mysql_errno(mysql) == 0, "Expected error");
mysql_close(mysql);
return OK;
}
#ifndef WIN32
int thread_conc102(void)
#else
DWORD WINAPI thread_conc102(void)
#endif
{
MYSQL *mysql;
int rc;
MYSQL_RES *res;
mysql_thread_init();
mysql= mysql_init(NULL);
mysql_ssl_set(mysql, sslkey,
sslcert,
sslca,
NULL, NULL);
mysql_ssl_set(mysql,0, 0, sslca, 0, 0);
if(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0))
{
diag(">Error: %s", mysql_error(mysql));
goto end;
}
if (!mysql_get_ssl_cipher(mysql))
{
diag("Error: No ssl connection");
goto end;
}
pthread_mutex_lock(&LOCK_test);
rc= mysql_query(mysql, "UPDATE t_conc102 SET a=a+1");
check_mysql_rc(rc, mysql);
pthread_mutex_unlock(&LOCK_test);
check_mysql_rc(rc, mysql);
if ((res= mysql_store_result(mysql)))
mysql_free_result(res);
end:
mysql_close(mysql);
mysql_thread_end();
return 0;
}
static int test_conc_102(MYSQL *mysql)
{
int rc;
int i;
MYSQL_ROW row;
MYSQL_RES *res;
#ifndef WIN32
pthread_t threads[50];
#else
HANDLE hthreads[50];
DWORD threads[50];
#endif
if (check_skip_ssl())
return SKIP;
rc= mysql_query(mysql, "DROP TABLE IF EXISTS t_conc102");
check_mysql_rc(rc, mysql);
rc= mysql_query(mysql, "CREATE TABLE t_conc102 ( a int)");
check_mysql_rc(rc, mysql);
rc= mysql_query(mysql, "INSERT INTO t_conc102 VALUES (0)");
check_mysql_rc(rc, mysql);
pthread_mutex_init(&LOCK_test, NULL);
for (i=0; i < 50; i++)
{
#ifndef WIN32
pthread_create(&threads[i], NULL, (void *)thread_conc102, NULL);
#else
hthreads[i]= CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)thread_conc102, NULL, 0, &threads[i]);
if (hthreads[i]==NULL)
diag("error while starting thread");
#endif
}
for (i=0; i < 50; i++)
{
#ifndef WIN32
pthread_join(threads[i], NULL);
#else
WaitForSingleObject(hthreads[i], INFINITE);
#endif
}
pthread_mutex_destroy(&LOCK_test);
rc= mysql_query(mysql, "SELECT a FROM t_conc102");
check_mysql_rc(rc, mysql);
res= mysql_store_result(mysql);
row= mysql_fetch_row(res);
diag("Found: %s", row[0]);
FAIL_IF(strcmp(row[0], "50") != 0, "Expected 50");
mysql_free_result(res);
rc= mysql_query(mysql, "DROP TABLE IF EXISTS t_conc102");
check_mysql_rc(rc, mysql);
return OK;
}
static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
{
MYSQL *my;
MYSQL_RES *res;
MYSQL_ROW row;
int rc;
if (check_skip_ssl())
return SKIP;
my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0);
mysql_options(my, MARIADB_OPT_SSL_FP, bad_cert_finger_print);
FAIL_IF(mysql_real_connect(my, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(my));
mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print);
FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(my));
FAIL_IF(check_cipher(my) != 0, "Invalid cipher");
rc= mysql_query(my, "SET @a:=1");
check_mysql_rc(rc, my);
rc= mysql_query(my, "SELECT @a");
check_mysql_rc(rc, my);
if ((res= mysql_store_result(my)))
{
row= mysql_fetch_row(res);
diag("@a:=%s", row[0]);
mysql_free_result(res);
}
mysql_close(my);
return OK;
}
static int test_ssl_fp_list(MYSQL *unused __attribute__((unused)))
{
MYSQL *my;
if (check_skip_ssl())
return SKIP;
my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0);
mysql_options(my, MARIADB_OPT_SSL_FP_LIST, CERT_PATH "/server-cert.sha1");
if(!mysql_real_connect(my, hostname, username, password, schema,
ssl_port, socketname, 0))
{
diag("Error: %s", mysql_error(my));
mysql_close(my);
return FAIL;
}
FAIL_IF(check_cipher(my) != 0, "Invalid cipher");
mysql_close(my);
return OK;
}
static int test_ssl_version(MYSQL *unused __attribute__((unused)))
{
unsigned int iversion;
char *version, *library;
MYSQL *my;
if (check_skip_ssl())
return SKIP;
my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0);
FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(my));
diag("cipher: %s", mysql_get_ssl_cipher(my));
mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION_ID, &iversion);
diag("protocol: %d", iversion);
mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION, &version);
diag("protocol: %s", version);
mariadb_get_infov(my, MARIADB_TLS_LIBRARY, &library);
diag("library: %s", library);
mysql_close(my);
return OK;
}
#ifdef HAVE_SCHANNEL
static int test_schannel_cipher(MYSQL *unused __attribute__((unused)))
{
MYSQL *my;
unsigned int cipher_strength= 256;
if (check_skip_ssl())
return SKIP;
my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed");
mysql_ssl_set(my,0, 0, sslca, 0, 0);
mysql_options(my, MARIADB_OPT_TLS_CIPHER_STRENGTH, &cipher_strength);
FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
ssl_port, socketname, 0), mysql_error(my));
diag("cipher: %s", mysql_get_ssl_cipher(my));
mysql_close(my);
return OK;
}
#endif
#if defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
static int test_cipher_mapping(MYSQL *unused __attribute__((unused)))
{
unsigned int i=0;
const char *ciphers[]= { "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
#ifdef TEST_CAMELLIA_CIPHER
"DHE-RSA-CAMELLIA256-SHA", "CAMELLIA256-SHA",
"DHE-RSA-CAMELLIA128-SHA", "CAMELLIA128-SHA",
#endif
#ifdef TEST_DES_CIPHER
"EDH-RSA-DES-CBC3-SHA",
"DES-CBC3-SHA",
#endif
"AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
"AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
"DHE-RSA-AES256-SHA", "AES256-SHA",
NULL };
diag("This test depends on OpenSSL version - since several ciphers might not be available");
return SKIP;
if (check_skip_ssl())
return SKIP;
if (!have_openssl)
{
diag("test requires Server with OpenSSL");
return SKIP;
}
while (ciphers[i] != NULL)
{
MYSQL *mysql= mysql_init(NULL);
MYSQL_ROW row;
MYSQL_RES *res;
char c[100];
int rc;
const char *cipher;
mysql_options(mysql, MYSQL_OPT_TLS_VERSION, "TLSv1.0,TLSv1.1,TLSv1.2");
mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, ciphers[i]);
diag("%s", ciphers[i]);
mysql->options.use_ssl= 1;
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(mysql));
if (!(cipher= mysql_get_ssl_cipher(mysql)) ||
strcmp(ciphers[i], cipher) != 0)
{
diag("cipher %s differs: (%s)", ciphers[i], cipher);
mysql_close(mysql);
goto cont;
}
else
{
rc= mysql_query(mysql, "SHOW STATUS LIKE 'ssl_cipher'");
check_mysql_rc(rc, mysql);
res= mysql_store_result(mysql);
row= mysql_fetch_row(res);
strcpy(c, row[1]);
mysql_free_result(res);
mysql_close(mysql);
if (strcmp(ciphers[i], c) != 0)
{
diag("expected: %s instead of %s", ciphers[i], c);
/* depending if server supports ECC, ciphers may differ,
so we don't return failure here */
}
}
cont:
i++;
}
return OK;
}
#endif
static int test_openssl_1(MYSQL *mysql)
{
int rc;
MYSQL *my;
uchar val= 1;
char query[1024];
int i;
if (check_skip_ssl())
return SKIP;
if (have_tls13)
return SKIP;
if (!mariadb_connection(mysql))
return SKIP;
for (i=1; i < 6; i++)
{
sprintf(query, "DROP USER 'ssluser%d'@'%s'", i, this_host);
rc= mysql_query(mysql, query);
sprintf(query, "CREATE USER 'ssluser%d'@'%s'", i, this_host);
rc= mysql_query(mysql, query);
check_mysql_rc(rc, mysql);
}
rc= mysql_query(mysql, "FLUSH PRIVILEGES");
check_mysql_rc(rc, mysql);
diag("sslusers created");
diag("ssluser1");
sprintf(query, "grant select on %s.* to 'ssluser1'@'%s' require ssl", schema, this_host);
rc= mysql_query(mysql, query);
check_mysql_rc(rc, mysql);
my= mysql_init(NULL);
mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES128-SHA");
FAIL_IF(!mysql_real_connect(my, hostname, "ssluser1", NULL, schema,
ssl_port, socketname, 0), mysql_error(my));
FAIL_IF(!mysql_get_ssl_cipher(my), "No TLS connection");
mysql_close(my);
my= mysql_init(NULL);
mysql_options(my, MYSQL_OPT_SSL_ENFORCE, &val);
FAIL_IF(!mysql_real_connect(my, hostname, "ssluser1", NULL, schema,
ssl_port, socketname, 0), mysql_error(my));
FAIL_IF(!mysql_get_ssl_cipher(my), "No TLS connection");
mysql_close(my);
diag("ssluser2");
sprintf(query, "grant select on %s.* to 'ssluser2'@'%s' require cipher 'AES256-SHA'", schema, this_host);
rc= mysql_query(mysql, query);
check_mysql_rc(rc, mysql);
#ifdef TEST_RANDOM_RESULT
/* ssl_user2: connect with enforce should work */
my= mysql_init(NULL);
mysql_options(my, MYSQL_OPT_SSL_ENFORCE, &val);
mysql_real_connect(my, hostname, "ssluser2", NULL, schema,
ssl_port, socketname, 0);
if (!mysql_error(my) &&
strcmp(mysql_get_ssl_cipher(my), "AES256-SHA"))
{
diag("Expected error or correct cipher");
return FAIL;
}
mysql_close(my);
#endif
/* ssl_user2: connect with correct cipher */
diag("ssluser2");
if (mysql_get_server_version(mysql) >= 100100)
{
my= mysql_init(NULL);
mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES256-SHA");
FAIL_IF(!mysql_real_connect(my, hostname, "ssluser2", NULL, schema,
ssl_port, socketname, 0), mysql_error(my));
FAIL_IF(strcmp("AES256-SHA", mysql_get_ssl_cipher(my)) != 0, "expected cipher AES256-SHA");
mysql_close(my);
}
/* ssl_user2: connect with wrong cipher should not work */
diag("ssluser2");
my= mysql_init(NULL);
mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES128-SHA");
FAIL_IF(mysql_real_connect(my, hostname, "ssluser2", NULL, schema,
ssl_port, socketname, 0), "Error expected");
mysql_close(my);
if (!travis_test)
{
sprintf(query, "grant select on %s.* to 'ssluser3'@'%s' require cipher 'AES256-SHA' AND "
" SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client'", schema, this_host);
rc= mysql_query(mysql, query);
check_mysql_rc(rc, mysql);
/* ssluser3: connect with cipher only */
my= mysql_init(NULL);
mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES256-SHA");
FAIL_IF(mysql_real_connect(my, hostname, "ssluser3", NULL, schema,
ssl_port, socketname, 0), "Error expected");
mysql_close(my);
/* ssluser3 connect with cipher and certs */
my= mysql_init(NULL);
mysql_ssl_set(my, sslkey,
sslcert,
sslca,
NULL,
"AES256-SHA");
FAIL_IF(!mysql_real_connect(my, hostname, "ssluser3", NULL, schema,
ssl_port, socketname, 0), mysql_error(my));
mysql_close(my);
sprintf(query, "grant select on %s.* to 'ssluser4'@'%s' require cipher 'AES256-SHA' AND "
" ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'", schema, this_host);
rc= mysql_query(mysql, query);
check_mysql_rc(rc, mysql);
/* ssluser4: connect with cipher only */
my= mysql_init(NULL);
mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES256-SHA");
FAIL_IF(mysql_real_connect(my, hostname, "ssluser4", NULL, schema,
ssl_port, socketname, 0), "Error expected");
mysql_close(my);
/* ssluser4 connect with cipher and certs */
my= mysql_init(NULL);
mysql_ssl_set(my, sslkey,
sslcert,
sslca,
NULL,
"AES256-SHA");
FAIL_IF(!mysql_real_connect(my, hostname, "ssluser4", NULL, schema,
ssl_port, socketname, 0), mysql_error(my));
mysql_close(my);
}
diag("drop users");
for (i=1; i < 6; i++)
{
sprintf(query, "DROP USER 'ssluser%d'@'%s'", i, this_host);
rc= mysql_query(mysql, query);
}
return OK;
}
static int test_ssl_timeout(MYSQL *unused __attribute__((unused)))
{
MYSQL *mysql;
my_bool enforce= 1;
int read_timeout= 1;
int rc;
if (check_skip_ssl())
return SKIP;
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
mysql_options(mysql, MYSQL_OPT_READ_TIMEOUT, &read_timeout);
mysql->options.use_ssl= 1;
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(mysql));
diag("cipher: %s\n", mysql_get_ssl_cipher(mysql));
rc= mysql_query(mysql, "SELECT SLEEP(600)");
if (!rc)
{
diag("error expected (timeout)");
return FAIL;
}
mysql_close(mysql);
return OK;
}
static int drop_ssl_user(MYSQL *mysql)
{
int rc;
rc= mysql_query(mysql, "DELETE FROM mysql.user where user like 'ssl%'");
check_mysql_rc(rc, mysql);
rc= mysql_query(mysql, "DELETE FROM mysql.db where user like 'ssl%'");
check_mysql_rc(rc, mysql);
return OK;
}
static int test_conc286(MYSQL *unused __attribute__((unused)))
{
MYSQL *my;
if (check_skip_ssl())
return SKIP;
my= mysql_init(NULL);
FAIL_IF(!my, "mysql_init() failed");
mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print);
FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(my));
FAIL_IF(check_cipher(my) != 0, "Invalid cipher");
mysql_close(my);
return OK;
}
static int test_mdev14027(MYSQL *mysql __attribute__((unused)))
{
char *tls_library;
const char *check_library=
#if defined(HAVE_OPENSSL)
#if defined(HAVE_LIBRESSL)
"LibreSSL";
#else
"OpenSSL";
#endif
#elif defined(HAVE_GNUTLS)
"GnuTLS";
#elif defined(HAVE_SCHANNEL)
"Schannel";
#else
"Off";
#endif
mariadb_get_infov(NULL, MARIADB_TLS_LIBRARY, &tls_library);
diag("TLS/SSL library in use: %s\n", tls_library);
if (!strstr(tls_library, check_library))
{
diag("expected %s, got %s", check_library, tls_library);
return FAIL;
}
return OK;
}
static int test_mdev14101(MYSQL *my __attribute__((unused)))
{
struct {
bool do_yassl;
const char *opt_tls_version;
const char *expected;
} combinations[]= {
{1, "TLSv1.1", "TLSv1.1"},
{1, "TLSv1,TLSv1.1", "TLSv1.1"},
{0, "TLSv1.2", "TLSv1.2"},
{0, "TLSv1.1,TLSv1.2", "TLSv1.2"},
{1, NULL, NULL}
};
int i;
#ifdef HAVE_SCHANNEL
bool skip_tlsv12= 1;
#else
bool skip_tlsv12= !have_openssl;
#endif
#if defined(HAVE_OPENSSL) && defined(TLS1_3_VERSION)
diag("Test fails with TLS v1.3");
return(SKIP);
#endif
for (i=0; combinations[i].expected; i++)
{
MYSQL *mysql;
bool val=1;
char *tls_version;
if (!combinations[i].do_yassl && skip_tlsv12)
break;
diag("combination %d: %s", i, combinations[i].opt_tls_version);
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &val);
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, combinations[i].opt_tls_version);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(mysql));
mariadb_get_infov(mysql, MARIADB_CONNECTION_TLS_VERSION, &tls_version);
diag("options: %s", combinations[i].opt_tls_version);
diag("protocol: %s expected: %s", tls_version, combinations[i].expected);
FAIL_IF(strcmp(combinations[i].expected, tls_version), "Wrong tls_version");
mysql_close(mysql);
}
return OK;
}
static int test_conc386(MYSQL *mysql)
{
mysql= mysql_init(NULL);
mysql_ssl_set(mysql,
sslcombined,
NULL,
NULL,
NULL,
NULL);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(mysql));
FAIL_IF(check_cipher(mysql) != 0, "Invalid cipher");
mysql_close(mysql);
return OK;
}
#ifndef HAVE_SCHANNEL
static int test_ssl_verify(MYSQL *my __attribute__((unused)))
{
MYSQL *mysql;
my_bool verify= 1, enforce= 1;
if (check_skip_ssl())
return SKIP;
/* verify, using system ca should fail with self signed certificate */
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
FAIL_IF(mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), "Error expected");
diag("error expected: %s\n", mysql_error(mysql));
mysql_close(mysql);
/* verify, using system ca should pass */
/* Disable this for now, since for some unknown reason it fails on travis
setenv("SSL_CERT_DIR", CERT_PATH, 1);
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
port, socketname, 0), mysql_error(mysql));
mysql_close(mysql);
unsetenv("SSL_CERT_DIR");
*/
/* verify against local ca, this should pass */
mysql= mysql_init(NULL);
mysql_ssl_set(mysql,0, 0, sslca, 0, 0);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(mysql));
mysql_close(mysql);
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
ssl_port, socketname, 0), mysql_error(mysql));
diag("cipher: %s", mysql_get_ssl_cipher(mysql));
mysql_close(mysql);
return OK;
}
#endif
struct my_tests_st my_tests[] = {
{"test_ssl", test_ssl, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifndef HAVE_SCHANNEL
{"test_ssl_verify", test_ssl_verify, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
{"test_mdev14101", test_mdev14101, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_mdev14027", test_mdev14027, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc286", test_conc286, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_ssl_timeout", test_ssl_timeout, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_openssl_1", test_openssl_1, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifndef HAVE_SCHANNEL
{"test_cipher_mapping", test_cipher_mapping, TEST_CONNECTION_NONE, 0, NULL, NULL},
#endif
{"test_conc127", test_conc127, TEST_CONNECTION_NEW, 0, NULL, NULL},
/* Both tests work with GNU tls, however we can't create fingerprints with
gnutls-cli in CMakeLists.txt */
#ifndef HAVE_SCHANNEL
{"test_ssl_fp", test_ssl_fp, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_ssl_fp_list", test_ssl_fp_list, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
{"test_conc50", test_conc50, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc50_1", test_conc50_1, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc50_2", test_conc50_2, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc50_3", test_conc50_3, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc50_4", test_conc50_4, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc95", test_conc95, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"verify_ssl_server_cert", verify_ssl_server_cert, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_bug62743", test_bug62743, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_phpbug51647", test_phpbug51647, TEST_CONNECTION_NONE, 0, NULL, NULL},
{"test_ssl_cipher", test_ssl_cipher, TEST_CONNECTION_NONE, 0, NULL, NULL},
{"test_multi_ssl_connections", test_multi_ssl_connections, TEST_CONNECTION_NONE, 0, NULL, NULL},
{"test_conc_102", test_conc_102, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_ssl_version", test_ssl_version, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_ssl_threads", test_ssl_threads, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifndef HAVE_SCHANNEL
{"test_password_protected", test_password_protected, TEST_CONNECTION_NEW, 0, NULL, NULL},
#else
{"test_schannel_cipher", test_schannel_cipher, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
{"test_conc386", test_conc386, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"drop_ssl_user", drop_ssl_user, TEST_CONNECTION_NEW, 0, NULL, NULL},
{NULL, NULL, 0, 0, NULL, NULL}
};
int main(int argc, char **argv)
{
#if defined(WIN32) && defined(HEAP_CHECK)
_CrtSetReportMode( _CRT_WARN, _CRTDBG_MODE_FILE );
_CrtSetReportFile( _CRT_WARN, _CRTDBG_FILE_STDOUT );
_CrtSetReportMode( _CRT_ERROR, _CRTDBG_MODE_FILE );
_CrtSetReportFile( _CRT_ERROR, _CRTDBG_FILE_STDOUT );
_CrtSetReportMode( _CRT_ASSERT, _CRTDBG_MODE_FILE );
_CrtSetReportFile( _CRT_ASSERT, _CRTDBG_FILE_STDOUT );
#endif
get_envvars();
read_fingerprint();
if (argc > 1)
get_options(argc, argv);
run_tests(my_tests);
mysql_server_end();
#if defined(WIN32) && defined(HEAP_CHECK)
_CrtDumpMemoryLeaks();
#endif
return(exit_status());
}