1 /************************************************************************************
2 Copyright (C) 2012 Monty Program AB
3
4 This library is free software; you can redistribute it and/or
5 modify it under the terms of the GNU Library General Public
6 License as published by the Free Software Foundation; either
7 version 2 of the License, or (at your option) any later version.
8
9 This library is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 Library General Public License for more details.
13
14 You should have received a copy of the GNU Library General Public
15 License along with this library; if not see <http://www.gnu.org/licenses>
16 or write to the Free Software Foundation, Inc.,
17 51 Franklin St., Fifth Floor, Boston, MA 02110, USA
18 *************************************************************************************/
19 #if defined(WIN32) && defined(HEAP_CHECK)
20 #define _CRTDBG_MAP_ALLOC
21 #include <stdlib.h>
22 #include <crtdbg.h>
23 #endif
24
25 #include "my_test.h"
26 #include <ma_pthread.h>
27 #ifdef HAVE_OPENSSL
28 #include <openssl/opensslv.h>
29 #include <openssl/ssl.h>
30 #endif
31
/* Size of every buffer below that holds a certificate or key file path. */
#define FNLEN 4096

/* Cleared by test_ssl() once the server reports @@have_ssl = 'YES';
   while it is 1, check_skip_ssl() makes every TLS test skip. */
static int skip_ssl= 1;
/* Cleared by test_ssl() when @@have_openssl is not 'YES' or, on a
   non-MariaDB server, when @@tls_version does not contain 'v1.2'. */
static uchar have_openssl= 1;
/* Set by test_ssl() when the probe connection reports TLS version id 4. */
static unsigned char have_tls13= 0;

/* Credentials of the test account created by create_ssl_user().
   Fixed, test-only values. */
const char *ssluser= "ssluser";
const char *sslpw= "sslpw";
/* Host part of CURRENT_USER(), filled in by test_ssl(). */
char sslhost[128];
/* File paths composed by check_skip_ssl(). */
char sslcert[FNLEN];
char sslcombined[FNLEN];
char sslkey[FNLEN];
char sslkey_enc[FNLEN];
char sslca[FNLEN];
/* Not assigned anywhere in the code visible here. */
char sslcrl[FNLEN];
/* Server certificate fingerprint loaded by read_fingerprint():
   at most 128 characters plus the terminating NUL. */
char ssl_cert_finger_print[129]= {0};
/* 20 colon-separated bytes that are expected NOT to match the server
   certificate; used for the negative pinning check in test_ssl_fp(). */
char bad_cert_finger_print[]= "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67";

/* Serialises the UPDATE statements issued by the worker threads. */
pthread_mutex_t LOCK_test;
51
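/*
 * Load the server certificate fingerprint used by the pinning tests.
 *
 * Reads the first whitespace-delimited token (at most 128 characters, which
 * fits the 129-byte buffer) from CERT_PATH "/server-cert.sha1" into
 * ssl_cert_finger_print. If the file cannot be opened the buffer is left
 * untouched; if it holds no token the buffer is set to the empty string.
 *
 * NOTE(review): callers pass the buffer to MARIADB_OPT_SSL_FP without
 * checking that it is non-empty. How the client library treats an empty
 * fingerprint is not visible here - confirm that the pinning tests cannot
 * pass without a reference value.
 */
void read_fingerprint()
{
  FILE *fp= fopen(CERT_PATH "/server-cert.sha1", "r");

  if (!fp)
    return;

  /* fscanf() returns EOF (a non-zero value) for an empty file or a read
     error, so test for "exactly one conversion" instead of "not zero". */
  if (fscanf(fp, "%128s", ssl_cert_finger_print) != 1)
    ssl_cert_finger_print[0]= 0;
  fclose(fp);
}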
62
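/*
 * Decide whether the TLS tests can run and compose the certificate paths.
 *
 * Returns 1 (skip) when the client was built without TLS, when the server
 * did not report TLS support (skip_ssl still set), when no certificate
 * directory is available, or when a composed path does not fit its buffer.
 * Returns 0 after filling sslcert, sslcombined, sslkey, sslkey_enc and sslca.
 * sslcrl is not populated here.
 *
 * The directory comes from the SECURE_LOAD_PATH environment variable and
 * falls back to the compile-time CERT_PATH. The environment value is used
 * as-is, so whoever controls the test environment chooses which key and
 * CA files the tests load.
 */
int check_skip_ssl()
{
  const char *ssldir= NULL;
  size_t i;
  /* destination buffer / file name pairs; every buffer is FNLEN bytes */
  static const struct
  {
    char *path;
    const char *name;
  } files[]=
  {
    { sslcert,     "client-cert.pem" },
    { sslcombined, "client-certkey.pem" },
    { sslkey,      "client-key.pem" },
    { sslkey_enc,  "client-key-enc.pem" },
    { sslca,       "cacert.pem" }
  };
#ifndef HAVE_TLS
  diag("client library built without OpenSSL support -> skip");
  return 1;
#endif
  if (skip_ssl)
  {
    diag("server doesn't support SSL -> skip");
    return 1;
  }
  /* An empty SECURE_LOAD_PATH would turn every path into "/<file>", so it
     is treated like an unset variable. */
  if (!(ssldir= getenv("SECURE_LOAD_PATH")) || !ssldir[0])
  {
    ssldir= CERT_PATH;
    if (!strlen(ssldir))
    {
      diag("certificate directory not found");
      return 1;
    }
  }
  for (i= 0; i < sizeof(files) / sizeof(files[0]); i++)
  {
    /* Size FNLEN - 1 is kept from the original code. A silently truncated
       path would make later tests fail for the wrong reason (or load a
       different file), so truncation is reported and the tests skip. */
    int len= snprintf(files[i].path, FNLEN - 1, "%s/%s", ssldir, files[i].name);

    if (len < 0 || len >= FNLEN - 1)
    {
      diag("certificate path too long: %s/%s", ssldir, files[i].name);
      return 1;
    }
  }
  return 0;
}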
91
/*
 * Report the cipher negotiated on a connection.
 *
 * Returns 1 when mysql_get_ssl_cipher() yields NULL, otherwise prints the
 * cipher name and returns 0. The cipher name itself is not compared with
 * any allow-list; only its presence is checked.
 */
static int check_cipher(MYSQL *mysql)
{
  const char *negotiated= mysql_get_ssl_cipher(mysql);

  if (negotiated == NULL)
    return 1;

  diag("cipher: %s", negotiated);
  return 0;
}
101
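/*
 * (Re)create a test account that may only connect over TLS.
 *
 * Opens its own administrative connection, drops ssluser@this_host (the
 * result of the DROP is ignored because the account may not exist), creates
 * it with the password sslpw and grants ALL on the test schema with
 * REQUIRE X509 (is_X509 != 0) or REQUIRE SSL.
 *
 * Returns the result of the last query; on failure the FAIL_IF /
 * check_mysql_rc macros (defined outside this view) are relied on to
 * report and return.
 *
 * The account name, host, schema and password are pasted into the SQL text
 * without escaping. That is acceptable only because all of them come from
 * the test configuration; do not reuse this pattern with external input.
 * Each statement is now built with a bounded snprintf() and rejected when
 * it does not fit, because a truncated GRANT could still parse while
 * missing its REQUIRE clause.
 */
static int create_ssl_user(const char *ssluser, my_bool is_X509)
{
  int rc;
  int len;
  char query[1024];
  MYSQL *mysql= mysql_init(NULL);

  FAIL_IF(!mysql, "mysql_init() failed");

  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                         port, socketname, 0), mysql_error(mysql));

  len= snprintf(query, sizeof(query), "DROP USER '%s'@'%s'", ssluser, this_host);
  FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "DROP USER statement too long");
  rc= mysql_query(mysql, query);

  len= snprintf(query, sizeof(query), "CREATE USER '%s'@'%s' IDENTIFIED BY '%s'", ssluser, this_host, sslpw);
  FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "CREATE USER statement too long");
  rc= mysql_query(mysql, query);
  check_mysql_rc(rc,mysql);

  len= snprintf(query, sizeof(query), "GRANT ALL ON %s.* TO '%s'@'%s' REQUIRE %s", schema, ssluser, this_host, is_X509 ? "X509" : "SSL");
  FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "GRANT statement too long");
  rc= mysql_query(mysql, query);
  check_mysql_rc(rc,mysql);
  rc= mysql_query(mysql, "FLUSH PRIVILEGES");
  check_mysql_rc(rc,mysql);

  mysql_close(mysql);

  return rc;
}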
128
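/*
 * Probe the TLS capabilities of client and server and record them in the
 * file-level flags used by the other tests.
 *
 *  - connects once as "ssluser" to read the negotiated TLS version id
 *    (the code treats id 4 as TLS 1.3 and sets have_tls13);
 *  - reads @@have_ssl / @@have_openssl to set skip_ssl and have_openssl;
 *  - on a non-MariaDB server additionally requires 'v1.2' in @@tls_version;
 *  - stores the host part of CURRENT_USER() in sslhost.
 *
 * The probe connection passes no key, certificate or CA to mysql_ssl_set(),
 * so nothing on that handle lets the client authenticate the server.
 *
 * Always returns OK unless one of the FAIL_IF / check_mysql_rc macros
 * (defined outside this view) bails out earlier.
 */
static int test_ssl(MYSQL *mysql)
{
  int rc;
  /* initialised so the diagnostics below never print indeterminate values
     when mariadb_get_infov() does not fill them in */
  unsigned int iversion= 0;
  MYSQL_RES *res;
  MYSQL_ROW row;
  char *tls_library= NULL;
  MYSQL *my= mysql_init(NULL);

  FAIL_IF(!my, "mysql_init() failed");

  mysql_ssl_set(my,0, 0, 0, 0, 0);

  create_ssl_user("ssluser", 0);

  FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(my));

  mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION_ID, &iversion);
  diag("iversion: %u", iversion);
  if (iversion == 4)
    have_tls13= 1;

  mysql_close(my);

  rc= mysql_query(mysql, "SELECT @@have_ssl, @@have_openssl");
  check_mysql_rc(rc, mysql);

  res= mysql_store_result(mysql);
  FAIL_IF(!res, mysql_error(mysql));

  while ((row= mysql_fetch_row(res)))
  {
    /* a column can be SQL NULL; treat that as "not YES" */
    if (row[0] && !strcmp(row[0], "YES"))
      skip_ssl= 0;
    if (!row[1] || strcmp(row[1], "YES"))
      have_openssl= 0;
    diag("SSL: %s", row[0] ? row[0] : "NULL");
  }
  mysql_free_result(res);

  /* In MySQL we need to check tls_version */
  if (!mariadb_connection(mysql))
  {
    rc= mysql_query(mysql, "select locate('v1.2', @@tls_version) > 0");
    check_mysql_rc(rc, mysql);

    res= mysql_store_result(mysql);
    FAIL_IF(!res, mysql_error(mysql));

    if ((row= mysql_fetch_row(res)))
    {
      if (row[0] && row[0][0] == '0')
        have_openssl= 0;
    }
    mysql_free_result(res);
  }
  diag("OpenSSL: %d", have_openssl);

  mariadb_get_infov(NULL, MARIADB_TLS_LIBRARY, &tls_library);
  diag("SSL library: %s", tls_library ? tls_library : "unknown");

  sslhost[0]= 0;

  if (!skip_ssl)
  {
    char *p;

    rc= mysql_query(mysql, "SELECT CURRENT_USER()");
    check_mysql_rc(rc, mysql);
    res= mysql_store_result(mysql);
    FAIL_IF(!res, mysql_error(mysql));
    row= mysql_fetch_row(res);
    if (row && row[0])
    {
      diag("user: %s", row[0]);
      /* The host part is supplied by the server; copy it with a bound so
         an over-long value cannot write past the 128-byte sslhost. */
      if ((p= strchr(row[0], '@')))
        snprintf(sslhost, sizeof(sslhost), "%s", p + 1);
    }
    mysql_free_result(res);
  }

  return OK;
}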
207
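/*
 * Connect with only the CA file configured and verify that a cipher was
 * negotiated; the session's Ssl_version status is printed for reference.
 *
 * Returns SKIP when check_skip_ssl() says so, otherwise OK, or whatever the
 * FAIL_IF / check_mysql_rc macros (defined outside this view) return on
 * failure.
 */
static int test_ssl_cipher(MYSQL *unused __attribute__((unused)))
{
  MYSQL *my;
  MYSQL_RES *res;
  MYSQL_ROW row;
  const char *cipher;
  int rc;

  if (check_skip_ssl())
    return SKIP;

  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");

  mysql_ssl_set(my,0, 0, sslca, 0, 0);

  FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(my));

  rc= mysql_query(my, "SHOW session status like 'Ssl_version'");
  check_mysql_rc(rc, my);
  res= mysql_store_result(my);
  /* the result set and its row come from the server: check both before
     dereferencing */
  FAIL_IF(!res, mysql_error(my));
  if ((row= mysql_fetch_row(res)))
    diag("%s: %s", row[0], row[1] ? row[1] : "NULL");
  /* passing NULL for %s is undefined, so substitute a marker; the real
     NULL check is check_cipher() below */
  cipher= mysql_get_ssl_cipher(my);
  diag("cipher: %s", cipher ? cipher : "(none)");
  mysql_free_result(res);

  FAIL_IF(check_cipher(my) != 0, "Invalid cipher");
  mysql_close(my);
  return OK;
}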
238
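/*
 * CONC-95: a user created with REQUIRE X509 must be able to connect when
 * the client presents its key and certificate.
 *
 * No CA file is passed to mysql_ssl_set(), so this test exercises client
 * certificate authentication only; it does not show that the client
 * validates the server certificate.
 *
 * Returns SKIP, FAIL (with the connection closed) or OK.
 */
static int test_conc95(MYSQL *unused __attribute__((unused)))
{
  MYSQL *mysql;

  if (check_skip_ssl())
    return SKIP;

  create_ssl_user("ssluser1", 1);

  mysql= mysql_init(NULL);
  /* same allocation check as the other tests in this file */
  FAIL_IF(!mysql, "Can't allocate memory");
  mysql_ssl_set(mysql,
                sslkey,
                sslcert,
                NULL,
                NULL,
                NULL);

  if (!mysql_real_connect(mysql, hostname, "ssluser1", sslpw, schema,
                          ssl_port, socketname, 0))
  {
    diag("could not establish x509 connection. Error: %s", mysql_error(mysql));
    mysql_close(mysql);
    return FAIL;
  }
  mysql_close(mysql);
  return OK;
}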
266
/*
 * Intended to open 50 TLS connections and compare the server's Ssl_accepts
 * counter before and after. The test is currently disabled: it returns SKIP
 * unconditionally right after the check_skip_ssl() gate, so everything
 * below that point is unreachable.
 */
static int test_multi_ssl_connections(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conns[50], *monitor;
  int idx, rc;
  int accepts_before= 0, accepts_after= 0;
  MYSQL_RES *result;
  MYSQL_ROW status;

  if (check_skip_ssl())
    return SKIP;

  diag("Test doesn't work with yassl");
  return SKIP;

  /* --- unreachable; kept so the test can be re-enabled --- */
  create_ssl_user(ssluser, 0);

  /* monitoring connection used to read the status counter */
  monitor= mysql_init(NULL);
  FAIL_IF(!monitor,"mysql_init() failed");
  FAIL_IF(!mysql_real_connect(monitor, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(monitor));

  rc= mysql_query(monitor, "SHOW STATUS LIKE 'Ssl_accepts'");
  check_mysql_rc(rc, monitor);

  result= mysql_store_result(monitor);
  status= mysql_fetch_row(result);
  if (status)
    old_connections_done:
    accepts_before= atoi(status[1]);
  mysql_free_result(result);

  for (idx= 0; idx < 50; idx++)
  {
    conns[idx]= mysql_init(NULL);
    FAIL_IF(!conns[idx],"mysql_init() failed");

    mysql_ssl_set(conns[idx], 0, 0, sslca, 0, 0);

    mysql_real_connect(conns[idx], hostname, ssluser, sslpw, schema,
                       ssl_port, socketname, 0);
    if (mysql_errno(conns[idx]))
    {
      diag("loop: %d error: %d %s", idx, mysql_errno(conns[idx]), mysql_error(conns[idx]));
      return FAIL;
    }

    FAIL_IF(check_cipher(conns[idx]) != 0, "Invalid cipher");
  }
  for (idx= 0; idx < 50; idx++)
    mysql_close(conns[idx]);

  rc= mysql_query(monitor, "SHOW STATUS LIKE 'Ssl_accepts'");
  check_mysql_rc(rc, monitor);

  result= mysql_store_result(monitor);
  status= mysql_fetch_row(result);
  if (status)
    accepts_after= atoi(status[1]);
  mysql_free_result(result);

  mysql_close(monitor);

  diag("%d SSL connections processed", accepts_after - accepts_before);
  FAIL_IF(accepts_after - accepts_before < 50, "new_connections should be at least old_connections + 50");
  return OK;
}
330
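/*
 * Worker for test_ssl_threads(): opens its own TLS connection (CA file
 * only) and increments ssltest.a once while holding LOCK_test.
 *
 * Errors are reported with diag() and otherwise swallowed; the parent
 * detects them because the final counter is then not 50.
 *
 * NOTE(review): on non-Windows builds this function returns void but is
 * handed to pthread_create() through a cast in test_ssl_threads(); the
 * start-routine type expected there returns void *.
 */
#ifndef WIN32
static void ssl_thread(void *unused __attribute__((unused)))
#else
DWORD WINAPI ssl_thread(void *dummy)
#endif
{
  MYSQL *mysql= NULL;

  mysql_thread_init();

  if (!(mysql= mysql_init(NULL)))
  {
    goto end;
  }
  mysql_ssl_set(mysql, 0, 0, sslca, 0, 0);

  if(!mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0))
  {
    diag(">Error: %s", mysql_error(mysql));
    goto end;
  }

  pthread_mutex_lock(&LOCK_test);
  /* report a failed UPDATE instead of dropping it silently */
  if (mysql_query(mysql, "UPDATE ssltest SET a=a+1"))
    diag(">Error: %s", mysql_error(mysql));
  pthread_mutex_unlock(&LOCK_test);

end:
  if(mysql)
    mysql_close(mysql);
  mysql_thread_end();
  /* Guard with the same macro that selects the signature above; the
     original tested _WIN32 here but WIN32 there, so the return statement
     and the return type could disagree. */
#ifdef WIN32
  return 0;
#endif
}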
366
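/*
 * Start 50 threads that each open a TLS connection and increment the
 * single row of table ssltest, then verify that the counter reached 50.
 *
 * Returns SKIP, FAIL or OK; the check_mysql_rc / FAIL_IF macros (defined
 * outside this view) may return earlier.
 */
static int test_ssl_threads(MYSQL *mysql)
{
  int i, rc;
  int started= 0;
#ifndef WIN32
  pthread_t threads[50];
#else
  HANDLE hthreads[50];
  DWORD dthreads[50];
#endif
  MYSQL_RES *res;
  MYSQL_ROW row;

  if (check_skip_ssl())
    return SKIP;

  rc= mysql_query(mysql, "DROP TABLE IF exists ssltest");
  check_mysql_rc(rc, mysql);
  rc= mysql_query(mysql, "CREATE TABLE ssltest (a int)");
  check_mysql_rc(rc, mysql);
  rc= mysql_query(mysql, "INSERT into ssltest VALUES (0)");
  check_mysql_rc(rc, mysql);

  /* initialise the mutex exactly once: the original called
     pthread_mutex_init() twice, and re-initialising an initialised mutex
     is undefined behaviour under POSIX */
  pthread_mutex_init(&LOCK_test, NULL);

  for (i=0; i < 50; i++)
  {
#ifndef WIN32
    if (pthread_create(&threads[i], NULL, (void *)ssl_thread, NULL))
#else
    hthreads[i]= CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ssl_thread, NULL, 0, &dthreads[i]);
    if (hthreads[i]==NULL)
#endif
    {
      diag("error while starting thread");
      break;
    }
    started++;
  }
  /* join only the threads that were really started; joining an
     uninitialised pthread_t is undefined */
  for (i=0; i < started; i++)
  {
#ifndef WIN32
    pthread_join(threads[i], NULL);
#else
    WaitForSingleObject(hthreads[i], INFINITE);
#endif
  }

  pthread_mutex_destroy(&LOCK_test);

  rc= mysql_query(mysql, "SELECT a FROM ssltest");
  check_mysql_rc(rc, mysql);
  res= mysql_store_result(mysql);
  FAIL_IF(!res, mysql_error(mysql));
  row= mysql_fetch_row(res);
  if (!row || !row[0])
  {
    diag("no counter row found in ssltest");
    mysql_free_result(res);
    return FAIL;
  }
  diag("Found: %s", row[0]);
  /* compare first, free the result, then fail - so the result set is not
     leaked on the failure path */
  rc= strcmp(row[0], "50");
  mysql_free_result(res);
  FAIL_IF(rc != 0, "Expected 50");
  rc= mysql_query(mysql, "DROP TABLE IF exists ssltest");
  check_mysql_rc(rc, mysql);
  return OK;
}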
422
/*
 * PHP bug 51647: connecting with client key, client certificate and CA file
 * all configured must succeed. The negotiated cipher is printed.
 */
static int test_phpbug51647(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  /* key, certificate, CA; no CA path, no cipher list */
  mysql_ssl_set(conn, sslkey, sslcert, sslca, 0, 0);

  FAIL_IF(!mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(conn));
  diag("%s", mysql_get_ssl_cipher(conn));
  mysql_close(conn);

  return OK;
}
444
/*
 * Connect with an encrypted client key (sslkey_enc) whose passphrase is
 * supplied through MARIADB_OPT_TLS_PASSPHRASE.
 *
 * The passphrase literal below belongs to the test key shipped with the
 * test suite; it is a fixture value, not a secret.
 */
static int test_password_protected(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  /* encrypted key, certificate, CA */
  mysql_ssl_set(conn, sslkey_enc, sslcert, sslca, 0, 0);

  mysql_options(conn, MARIADB_OPT_TLS_PASSPHRASE, "qwerty");

  FAIL_IF(!mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(conn));
  diag("%s", mysql_get_ssl_cipher(conn));
  mysql_close(conn);

  return OK;
}
468
469
/*
 * CONC-50: a CA file that does not exist must make the connection attempt
 * fail with client error 2026 (CR_SSL_CONNECTION_ERROR) instead of falling
 * back to an unverified or unencrypted connection.
 */
static int test_conc50(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  /* only the CA argument is set, and it points at a missing file */
  mysql_ssl_set(conn, NULL, NULL, "./non_exisiting_cert.pem", NULL, NULL);

  /* the return value is ignored on purpose: the error code is checked */
  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  diag("Error: %d %s", mysql_errno(conn), mysql_error(conn));
  FAIL_IF(mysql_errno(conn) != 2026, "Expected errno 2026");
  mysql_close(conn);

  return OK;
}
490
/*
 * CONC-50, positive case: with the real CA file configured the connection
 * must succeed. Requires a server that reported OpenSSL support
 * (have_openssl), otherwise the test is skipped.
 */
static int test_conc50_1(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  if (!have_openssl)
  {
    diag("Server with OpenSSL required");
    return SKIP;
  }

  create_ssl_user(ssluser, 0);

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  /* CA only */
  mysql_ssl_set(conn, NULL, NULL, sslca, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  if (mysql_errno(conn))
    diag("Error: %d %s", mysql_errno(conn), mysql_error(conn));
  FAIL_IF(mysql_errno(conn), "No error expected");

  mysql_close(conn);

  return OK;
}
521
/*
 * CONC-50, repeated negative case: a missing CA file must yield client
 * error 2026 (CR_SSL_CONNECTION_ERROR). Same check as test_conc50() but
 * without printing the error text.
 */
static int test_conc50_2(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  /* CA argument points at a file that does not exist */
  mysql_ssl_set(conn, NULL, NULL, "./non_exisiting_cert.pem", NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  FAIL_IF(mysql_errno(conn) != 2026, "Expected errno 2026");
  mysql_close(conn);

  return OK;
}
541
/*
 * CONC-127: connecting with a missing CA file must report an error.
 *
 * The test is disabled: it prints a notice and returns SKIP before doing
 * anything, so the code after that return is unreachable. According to the
 * notice it only works when run on its own or as the first test.
 */
static int test_conc127(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  diag("test disabled - for testing disable other tests or run this test as first test");
  return SKIP;

  /* --- unreachable; kept so the test can be re-enabled --- */
  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_ssl_set(conn, NULL, NULL, "./non_exisiting.pem", NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  diag("Error: %s", mysql_error(conn));
  FAIL_IF(mysql_errno(conn) == 0, "Error expected (invalid certificate)");
  mysql_close(conn);

  return OK;
}
565
/*
 * CONC-50, enforcement case for an account created with REQUIRE SSL:
 *   1. a connection without any TLS settings must be refused;
 *   2. a connection with the CA file configured must succeed.
 */
static int test_conc50_3(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  create_ssl_user(ssluser, 0);

  /* step 1: no mysql_ssl_set() call at all - the server has to reject it */
  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  FAIL_IF(!mysql_errno(conn), "Error expected, SSL connection required!");
  mysql_close(conn);

  /* step 2: same account, CA configured */
  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_ssl_set(conn, NULL, NULL, sslca, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  diag("Error: %s<", mysql_error(conn));
  FAIL_IF(mysql_errno(conn), "No error expected");
  mysql_close(conn);

  return OK;
}
596
/*
 * CONC-50, misconfiguration case: the CA file is passed in the client
 * certificate argument and no key is given. The connection attempt is
 * expected to report an error.
 */
static int test_conc50_4(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  /* second argument is the client certificate slot, not the CA slot */
  mysql_ssl_set(conn, NULL, sslca, NULL, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  FAIL_IF(!mysql_errno(conn) , "Error expected");
  mysql_close(conn);

  return OK;
}
616
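/*
 * With MYSQL_OPT_SSL_VERIFY_SERVER_CERT enabled the connection is expected
 * to be refused (presumably because the test certificate does not match the
 * host name in use - confirm against the certificate fixtures).
 *
 * Skipped when no host name is configured, when the host is "localhost",
 * and wherever SKIP_TRAVIS() (a macro defined outside this view) applies.
 */
static int verify_ssl_server_cert(MYSQL *unused __attribute__((unused)))
{
  MYSQL *mysql;
  /* The option takes a pointer to my_bool. The original passed the address
     of a uint, which only works when the first byte of that integer holds
     the value - i.e. on little-endian targets. On a big-endian target the
     option would read 0 and verification would silently stay off. */
  my_bool verify= 1;

  if (check_skip_ssl())
    return SKIP;

  if (!hostname || !strcmp(hostname, "localhost"))
    return SKIP;

  SKIP_TRAVIS();

  mysql= mysql_init(NULL);
  FAIL_IF(!mysql, "Can't allocate memory");

  mysql_ssl_set(mysql, NULL, NULL, sslca, NULL, NULL);
  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);

  mysql_real_connect(mysql, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);

  FAIL_IF(!mysql_errno(mysql), "Expected error");
  diag("Error (expected): %s", mysql_error(mysql));
  mysql_close(mysql);

  return OK;
}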
645
/*
 * Bug 62743: key / certificate combinations passed to mysql_ssl_set().
 *
 *   1. key file that does not exist           -> error 2026
 *   2. valid key without a certificate        -> error 2026
 *   3. valid key with its certificate         -> no error
 *   4. valid key with a non-existent cert     -> some error
 *
 * 2026 is the client's TLS connection error (CR_SSL_CONNECTION_ERROR).
 * A fresh handle is used for every step.
 */
static int test_bug62743(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  /* 1: bogus key path */
  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_ssl_set(conn, "dummykey", NULL, NULL, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  diag("Error: %s", mysql_error(conn));
  FAIL_IF(mysql_errno(conn) != 2026, "Expected errno 2026");
  mysql_close(conn);

  /* 2: key only */
  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_ssl_set(conn, sslkey, NULL, NULL, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  diag("Error with key: %s", mysql_error(conn));
  FAIL_IF(mysql_errno(conn) != 2026, "Expected errno 2026");
  mysql_close(conn);

  /* 3: matching key and certificate */
  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_ssl_set(conn, sslkey, sslcert, NULL, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  FAIL_IF(mysql_errno(conn) != 0, "Expected no error");
  mysql_close(conn);

  /* 4: key with a certificate path that does not exist */
  conn= mysql_init(NULL);
  FAIL_IF(!conn, "Can't allocate memory");

  mysql_ssl_set(conn, sslkey, "blablubb", NULL, NULL, NULL);

  mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                     ssl_port, socketname, 0);
  diag("Error with cert: %s", mysql_error(conn));
  FAIL_IF(mysql_errno(conn) == 0, "Expected error");
  mysql_close(conn);

  return OK;
}
699
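/*
 * Worker for test_conc_102(): opens a TLS connection, makes sure a cipher
 * was negotiated and increments t_conc102.a once while holding LOCK_test.
 *
 * Always returns 0; failures are reported through diag() and show up in the
 * parent because the final counter is then not 50.
 *
 * NOTE(review): mysql_ssl_set() is called twice. The second call passes
 * only the CA file; whether it clears the key and certificate given in the
 * first call depends on mysql_ssl_set() - confirm which configuration the
 * connection really uses.
 */
#ifndef WIN32
int thread_conc102(void)
#else
DWORD WINAPI thread_conc102(void)
#endif
{
  MYSQL *mysql;
  int rc;
  MYSQL_RES *res;

  mysql_thread_init();
  mysql= mysql_init(NULL);
  if (!mysql)
  {
    diag(">Error: mysql_init() failed");
    mysql_thread_end();
    return 0;
  }

  mysql_ssl_set(mysql, sslkey,
                       sslcert,
                       sslca,
                        NULL, NULL);
  mysql_ssl_set(mysql,0, 0, sslca, 0, 0);

  if(!mysql_real_connect(mysql, hostname, username, password, schema,
          ssl_port, socketname, 0))
  {
    diag(">Error: %s", mysql_error(mysql));
    goto end;
  }
  if (!mysql_get_ssl_cipher(mysql))
  {
    diag("Error: No ssl connection");
    goto end;
  }
  pthread_mutex_lock(&LOCK_test);
  rc= mysql_query(mysql, "UPDATE t_conc102 SET a=a+1");
  pthread_mutex_unlock(&LOCK_test);
  /* The original ran check_mysql_rc() while LOCK_test was still held. That
     macro is defined outside this view; if it returns on error, the mutex
     would stay locked and every other worker would block forever. The
     result is therefore evaluated after the unlock, and the error path
     goes through the normal cleanup. */
  if (rc)
  {
    diag(">Error: %s", mysql_error(mysql));
    goto end;
  }
  if ((res= mysql_store_result(mysql)))
    mysql_free_result(res);
end:
  mysql_close(mysql);
  mysql_thread_end();
  return 0;
}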
741
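/*
 * CONC-102: start 50 threads that each connect over TLS and increment the
 * single row of t_conc102, then verify that the counter reached 50.
 *
 * Returns SKIP, FAIL or OK; the check_mysql_rc / FAIL_IF macros (defined
 * outside this view) may return earlier.
 */
static int test_conc_102(MYSQL *mysql)
{

  int rc;
  int i;
  int started= 0;
  MYSQL_ROW row;
  MYSQL_RES *res;
#ifndef WIN32
  pthread_t threads[50];
#else
  HANDLE hthreads[50];
  DWORD threads[50];
#endif

  if (check_skip_ssl())
    return SKIP;

  rc= mysql_query(mysql, "DROP TABLE IF EXISTS t_conc102");
  check_mysql_rc(rc, mysql);
  rc= mysql_query(mysql, "CREATE TABLE t_conc102 ( a int)");
  check_mysql_rc(rc, mysql);
  rc= mysql_query(mysql, "INSERT INTO t_conc102 VALUES (0)");
  check_mysql_rc(rc, mysql);
  pthread_mutex_init(&LOCK_test, NULL);

  for (i=0; i < 50; i++)
  {
#ifndef WIN32
    if (pthread_create(&threads[i], NULL, (void *)thread_conc102, NULL))
#else
    hthreads[i]= CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)thread_conc102, NULL, 0, &threads[i]);
    if (hthreads[i]==NULL)
#endif
    {
      diag("error while starting thread");
      break;
    }
    started++;
  }
  /* wait only for threads that were really started; joining an
     uninitialised pthread_t is undefined */
  for (i=0; i < started; i++)
  {
#ifndef WIN32
    pthread_join(threads[i], NULL);
#else
    WaitForSingleObject(hthreads[i], INFINITE);
#endif
  }
  pthread_mutex_destroy(&LOCK_test);
  rc= mysql_query(mysql, "SELECT a FROM t_conc102");
  check_mysql_rc(rc, mysql);
  res= mysql_store_result(mysql);
  FAIL_IF(!res, mysql_error(mysql));
  row= mysql_fetch_row(res);
  if (!row || !row[0])
  {
    diag("no counter row found in t_conc102");
    mysql_free_result(res);
    return FAIL;
  }
  diag("Found: %s", row[0]);
  /* compare first, free the result, then fail - so the result set is not
     leaked on the failure path */
  rc= strcmp(row[0], "50");
  mysql_free_result(res);
  FAIL_IF(rc != 0, "Expected 50");
  rc= mysql_query(mysql, "DROP TABLE IF EXISTS t_conc102");
  check_mysql_rc(rc, mysql);
  return OK;
}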
797
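/*
 * Certificate fingerprint pinning (MARIADB_OPT_SSL_FP):
 *   1. a fingerprint that does not belong to the server certificate must
 *      make the connection fail;
 *   2. the fingerprint loaded by read_fingerprint() must let it succeed.
 * Afterwards a trivial query is run over the pinned connection.
 *
 * NOTE(review): ssl_cert_finger_print is empty when the fingerprint file
 * could not be read. How the client library handles an empty fingerprint
 * is not visible here - confirm that step 2 cannot pass without a real
 * reference value.
 */
static int test_ssl_fp(MYSQL *unused __attribute__((unused)))
{
  MYSQL *my;
  MYSQL_RES *res;
  MYSQL_ROW row;
  int rc;

  if (check_skip_ssl())
    return SKIP;

  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");

  mysql_ssl_set(my,0, 0, sslca, 0, 0);

  mysql_options(my, MARIADB_OPT_SSL_FP, bad_cert_finger_print);

  /* Step 1. The original reported mysql_error(my) here, which is empty
     precisely when this check trips (the connect succeeded), so state the
     actual problem and close the unexpectedly opened connection. */
  if (mysql_real_connect(my, hostname, username, password, schema,
                         ssl_port, socketname, 0))
  {
    diag("Error: connection was accepted although the fingerprint does not match");
    mysql_close(my);
    return FAIL;
  }

  /* Step 2: same handle, correct fingerprint */
  mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print);

  FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema,
                         ssl_port, socketname, 0), mysql_error(my));

  FAIL_IF(check_cipher(my) != 0, "Invalid cipher");

  rc= mysql_query(my, "SET @a:=1");
  check_mysql_rc(rc, my);

  rc= mysql_query(my, "SELECT @a");
  check_mysql_rc(rc, my);

  if ((res= mysql_store_result(my)))
  {
    /* the row may be missing; do not dereference it blindly */
    if ((row= mysql_fetch_row(res)) && row[0])
      diag("@a:=%s", row[0]);
    mysql_free_result(res);
  }

  mysql_close(my);
  return OK;
}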
841
/*
 * Fingerprint pinning through a list file (MARIADB_OPT_SSL_FP_LIST): the
 * connection must succeed when the file CERT_PATH "/server-cert.sha1" is
 * used as the list of accepted fingerprints.
 *
 * Note that the list file is always taken from CERT_PATH, whereas the CA
 * path in sslca may come from SECURE_LOAD_PATH (see check_skip_ssl()).
 */
static int test_ssl_fp_list(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "mysql_init() failed");

  mysql_ssl_set(conn,0, 0, sslca, 0, 0);
  mysql_options(conn, MARIADB_OPT_SSL_FP_LIST, CERT_PATH "/server-cert.sha1");

  if (mysql_real_connect(conn, hostname, username, password, schema,
                         ssl_port, socketname, 0) == NULL)
  {
    diag("Error: %s", mysql_error(conn));
    mysql_close(conn);
    return FAIL;
  }

  FAIL_IF(check_cipher(conn) != 0, "Invalid cipher");
  mysql_close(conn);
  return OK;
}
868
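/*
 * Print what mariadb_get_infov() reports for a TLS connection: negotiated
 * cipher, protocol version (numeric id and text) and the TLS library.
 * Nothing is asserted beyond a successful connect.
 */
static int test_ssl_version(MYSQL *unused __attribute__((unused)))
{
  /* initialised so the diagnostics never print indeterminate values when
     mariadb_get_infov() does not fill them in */
  unsigned int iversion= 0;
  char *version= NULL, *library= NULL;
  const char *cipher;
  MYSQL *my;

  if (check_skip_ssl())
    return SKIP;

  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");

  mysql_ssl_set(my,0, 0, sslca, 0, 0);
  FAIL_IF(!mysql_real_connect(my, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(my));

  /* passing NULL for %s is undefined, so substitute a marker */
  cipher= mysql_get_ssl_cipher(my);
  diag("cipher: %s", cipher ? cipher : "(none)");
  mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION_ID, &iversion);
  /* iversion is unsigned: print it with %u rather than %d */
  diag("protocol: %u", iversion);
  mariadb_get_infov(my, MARIADB_CONNECTION_TLS_VERSION, &version);
  diag("protocol: %s", version ? version : "unknown");

  mariadb_get_infov(my, MARIADB_TLS_LIBRARY, &library);
  diag("library: %s", library ? library : "unknown");

  mysql_close(my);

  return OK;
}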
898
899 #ifdef HAVE_SCHANNEL
/*
 * Schannel builds only: request a cipher strength of 256 through
 * MARIADB_OPT_TLS_CIPHER_STRENGTH and print the cipher that was negotiated.
 * The cipher is only printed; its strength is not asserted.
 */
static int test_schannel_cipher(MYSQL *unused __attribute__((unused)))
{
  MYSQL *conn;
  unsigned int strength_bits= 256;

  if (check_skip_ssl())
    return SKIP;

  conn= mysql_init(NULL);
  FAIL_IF(!conn, "mysql_init() failed");

  mysql_ssl_set(conn,0, 0, sslca, 0, 0);
  mysql_options(conn, MARIADB_OPT_TLS_CIPHER_STRENGTH, &strength_bits);
  FAIL_IF(!mysql_real_connect(conn, hostname, ssluser, sslpw, schema,
                         ssl_port, socketname, 0), mysql_error(conn));

  diag("cipher: %s", mysql_get_ssl_cipher(conn));

  mysql_close(conn);

  return OK;
}
922
923 #endif
924
925 #if defined(HAVE_GNUTLS) || defined(HAVE_OPENSSL)
926
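/*
 * For each cipher name in the list, connect with that cipher requested and
 * compare it with the cipher the client and the server report.
 *
 * The test is disabled: it returns SKIP unconditionally right after the
 * cipher table, so the loop below is unreachable. When re-enabling it,
 * note that it explicitly allows TLSv1.0 and TLSv1.1 and that the optional
 * TEST_DES_CIPHER / TEST_CAMELLIA_CIPHER entries add legacy suites.
 */
static int test_cipher_mapping(MYSQL *unused __attribute__((unused)))
{
  unsigned int i=0;
  const char *ciphers[]= { "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
#ifdef TEST_CAMELLIA_CIPHER
                           "DHE-RSA-CAMELLIA256-SHA", "CAMELLIA256-SHA",
                           "DHE-RSA-CAMELLIA128-SHA", "CAMELLIA128-SHA",
#endif
#ifdef TEST_DES_CIPHER
                           "EDH-RSA-DES-CBC3-SHA",
                           "DES-CBC3-SHA",
#endif
                           "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
                           "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
                           "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
                           "DHE-RSA-AES256-SHA", "AES256-SHA",
                           NULL };

  diag("This test depends on OpenSSL version - since several ciphers might not be available");
  return SKIP;

  /* --- unreachable; kept so the test can be re-enabled --- */
  if (check_skip_ssl())
    return SKIP;

  if (!have_openssl)
  {
    diag("test requires Server with OpenSSL");
    return SKIP;
  }

  for (i= 0; ciphers[i] != NULL; i++)
  {
    MYSQL *mysql= mysql_init(NULL);
    MYSQL_ROW row;
    MYSQL_RES *res;
    char c[100];
    int rc;
    const char *cipher;

    FAIL_IF(!mysql, "mysql_init() failed");

    mysql_options(mysql, MYSQL_OPT_TLS_VERSION, "TLSv1.0,TLSv1.1,TLSv1.2");
    mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, ciphers[i]);
    diag("%s", ciphers[i]);

    mysql->options.use_ssl= 1;
    FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                                ssl_port, socketname, 0), mysql_error(mysql));
    if (!(cipher= mysql_get_ssl_cipher(mysql)) ||
        strcmp(ciphers[i], cipher) != 0)
    {
      /* cipher can be NULL here; passing NULL for %s is undefined */
      diag("cipher %s differs: (%s)", ciphers[i], cipher ? cipher : "NULL");
      mysql_close(mysql);
      continue;
    }

    rc= mysql_query(mysql, "SHOW STATUS LIKE 'ssl_cipher'");
    check_mysql_rc(rc, mysql);
    res= mysql_store_result(mysql);
    FAIL_IF(!res, mysql_error(mysql));
    row= mysql_fetch_row(res);
    /* The value is supplied by the server: copy it with a bound instead of
       strcpy() so an over-long string cannot overflow the 100-byte buffer. */
    snprintf(c, sizeof(c), "%s", (row && row[1]) ? row[1] : "");
    mysql_free_result(res);
    mysql_close(mysql);
    if (strcmp(ciphers[i], c) != 0)
    {
      diag("expected: %s instead of %s", ciphers[i], c);
      /* depending if server supports ECC, ciphers may differ,
         so we don't return failure here */
    }
  }
  return OK;
}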
1001 #endif
1002
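/*
 * Server-side TLS requirements in GRANT statements (MariaDB servers only):
 *
 *   ssluser1  REQUIRE SSL                  - any TLS connection is accepted
 *   ssluser2  REQUIRE CIPHER 'AES256-SHA'  - only that cipher is accepted
 *   ssluser3  CIPHER + SUBJECT             - cipher alone is rejected,
 *                                            cipher plus client cert works
 *   ssluser4  CIPHER + ISSUER              - same pattern as ssluser3
 *
 * The accounts ssluser1..ssluser5 are created without a password and are
 * dropped again at the end. The ssluser3/ssluser4 part is left out when
 * travis_test is set. Skipped when the probe connection negotiated
 * TLS 1.3 (have_tls13) - presumably because the cipher names used here
 * cannot be selected there; confirm.
 *
 * Host and schema names are pasted into the SQL text without escaping,
 * which is acceptable only because they come from the test configuration.
 * Every statement is built with a bounded snprintf() and rejected when it
 * does not fit: a truncated GRANT could still parse while missing its
 * REQUIRE clause, which would silently weaken what is being tested.
 */
static int test_openssl_1(MYSQL *mysql)
{
  int rc;
  int len;
  MYSQL *my;
  uchar val= 1;
  char query[1024];
  const char *cipher;
  int i;

  if (check_skip_ssl())
    return SKIP;

  if (have_tls13)
    return SKIP;

  if (!mariadb_connection(mysql))
    return SKIP;

  for (i=1; i < 6; i++)
  {
    len= snprintf(query, sizeof(query), "DROP USER 'ssluser%d'@'%s'", i, this_host);
    FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
    /* result ignored: the account may not exist yet */
    rc= mysql_query(mysql, query);
    len= snprintf(query, sizeof(query), "CREATE USER 'ssluser%d'@'%s'", i, this_host);
    FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
    rc= mysql_query(mysql, query);
    check_mysql_rc(rc, mysql);
  }
  rc= mysql_query(mysql, "FLUSH PRIVILEGES");
  check_mysql_rc(rc, mysql);
  diag("sslusers created");

  diag("ssluser1");
  len= snprintf(query, sizeof(query), "grant select on %s.* to 'ssluser1'@'%s' require ssl", schema, this_host);
  FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
  rc= mysql_query(mysql, query);
  check_mysql_rc(rc, mysql);


  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");
  mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES128-SHA");
  FAIL_IF(!mysql_real_connect(my, hostname, "ssluser1", NULL, schema,
                         ssl_port, socketname, 0), mysql_error(my));
  FAIL_IF(!mysql_get_ssl_cipher(my), "No TLS connection");
  mysql_close(my);

  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");
  mysql_options(my, MYSQL_OPT_SSL_ENFORCE, &val);
  FAIL_IF(!mysql_real_connect(my, hostname, "ssluser1", NULL, schema,
                         ssl_port, socketname, 0), mysql_error(my));
  FAIL_IF(!mysql_get_ssl_cipher(my), "No TLS connection");
  mysql_close(my);

  diag("ssluser2");
  len= snprintf(query, sizeof(query), "grant select on %s.* to 'ssluser2'@'%s' require cipher 'AES256-SHA'", schema, this_host);
  FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
  rc= mysql_query(mysql, query);
  check_mysql_rc(rc, mysql);

#ifdef TEST_RANDOM_RESULT
  /* ssl_user2: connect with enforce should work */
  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");
  mysql_options(my, MYSQL_OPT_SSL_ENFORCE, &val);
  mysql_real_connect(my, hostname, "ssluser2", NULL, schema,
                     ssl_port, socketname, 0);
  /* mysql_error() returns a (possibly empty) string rather than NULL, so
     the original `!mysql_error(my)` could never be true and the cipher was
     never checked; test the error number instead. */
  if (!mysql_errno(my))
  {
    cipher= mysql_get_ssl_cipher(my);
    if (!cipher || strcmp(cipher, "AES256-SHA"))
    {
      diag("Expected error or correct cipher");
      mysql_close(my);
      return FAIL;
    }
  }
  mysql_close(my);
#endif
  /* ssl_user2: connect with correct cipher */
  diag("ssluser2");
  if (mysql_get_server_version(mysql) >= 100100)
  {
    my= mysql_init(NULL);
    FAIL_IF(!my, "mysql_init() failed");
    mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES256-SHA");
    FAIL_IF(!mysql_real_connect(my, hostname, "ssluser2", NULL, schema,
                           ssl_port, socketname, 0), mysql_error(my));
    /* guard against a NULL cipher before comparing */
    cipher= mysql_get_ssl_cipher(my);
    FAIL_IF(!cipher || strcmp("AES256-SHA", cipher) != 0, "expected cipher AES256-SHA");
    mysql_close(my);
  }

  /* ssl_user2: connect with wrong cipher should not work */
  diag("ssluser2");
  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");
  mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES128-SHA");
  FAIL_IF(mysql_real_connect(my, hostname, "ssluser2", NULL, schema,
                         ssl_port, socketname, 0), "Error expected");
  mysql_close(my);


  if (!travis_test)
  {
    len= snprintf(query, sizeof(query), "grant select on %s.* to 'ssluser3'@'%s' require cipher 'AES256-SHA' AND "
                   " SUBJECT '/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB/CN=client'", schema, this_host);
    FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
    rc= mysql_query(mysql, query);
    check_mysql_rc(rc, mysql);

    /* ssluser3: connect with cipher only */
    my= mysql_init(NULL);
    FAIL_IF(!my, "mysql_init() failed");
    mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES256-SHA");
    FAIL_IF(mysql_real_connect(my, hostname, "ssluser3", NULL, schema,
                           ssl_port, socketname, 0), "Error expected");
    mysql_close(my);

    /* ssluser3 connect with cipher and certs */
    my= mysql_init(NULL);
    FAIL_IF(!my, "mysql_init() failed");
    mysql_ssl_set(my, sslkey,
                      sslcert,
                      sslca,
                      NULL,
                      "AES256-SHA");
    FAIL_IF(!mysql_real_connect(my, hostname, "ssluser3", NULL, schema,
                           ssl_port, socketname, 0), mysql_error(my));

    mysql_close(my);

    len= snprintf(query, sizeof(query), "grant select on %s.* to 'ssluser4'@'%s' require cipher 'AES256-SHA' AND "
                   " ISSUER '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'", schema, this_host);
    FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
    rc= mysql_query(mysql, query);
    check_mysql_rc(rc, mysql);

    /* ssluser4: connect with cipher only */
    my= mysql_init(NULL);
    FAIL_IF(!my, "mysql_init() failed");
    mysql_ssl_set(my, NULL, NULL, NULL, NULL, "AES256-SHA");
    FAIL_IF(mysql_real_connect(my, hostname, "ssluser4", NULL, schema,
                           ssl_port, socketname, 0), "Error expected");
    mysql_close(my);

    /* ssluser4 connect with cipher and certs */
    my= mysql_init(NULL);
    FAIL_IF(!my, "mysql_init() failed");
    mysql_ssl_set(my, sslkey,
                      sslcert,
                      sslca,
                      NULL,
                      "AES256-SHA");
    FAIL_IF(!mysql_real_connect(my, hostname, "ssluser4", NULL, schema,
                           ssl_port, socketname, 0), mysql_error(my));
    mysql_close(my);
  }
  diag("drop users");
  for (i=1; i < 6; i++)
  {
    len= snprintf(query, sizeof(query), "DROP USER 'ssluser%d'@'%s'", i, this_host);
    FAIL_IF(len < 0 || (size_t)len >= sizeof(query), "statement too long");
    /* best-effort cleanup: the result is not checked */
    rc= mysql_query(mysql, query);
  }

  return OK;
}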
1150
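/*
 * Check that MYSQL_OPT_READ_TIMEOUT is honoured on a TLS connection.
 *
 * Opens its own connection with TLS enforced and a read timeout of 1,
 * then runs a statement that sleeps for 600 seconds. The statement is
 * expected to fail; a successful query means the timeout was not applied.
 *
 * The handle supplied by the test runner is not used.
 * Returns SKIP when check_skip_ssl() says so, otherwise OK or FAIL.
 */
static int test_ssl_timeout(MYSQL *unused __attribute__((unused)))
{
  MYSQL *mysql;
  my_bool enforce= 1;
  int read_timeout= 1;
  const char *cipher;
  int rc;

  if (check_skip_ssl())
    return SKIP;

  mysql= mysql_init(NULL);
  FAIL_IF(!mysql, "mysql_init() failed");

  mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
  mysql_options(mysql, MYSQL_OPT_READ_TIMEOUT, &read_timeout);
  mysql->options.use_ssl= 1;
  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                              ssl_port, socketname, 0), mysql_error(mysql));

  /* Never hand a NULL pointer to %s: print a placeholder if no cipher is reported. */
  cipher= mysql_get_ssl_cipher(mysql);
  diag("cipher: %s\n", cipher ? cipher : "(none)");

  rc= mysql_query(mysql, "SELECT SLEEP(600)");
  if (!rc)
  {
    diag("error expected (timeout)");
    /* Release the connection on the failure path as well. */
    mysql_close(mysql);
    return FAIL;
  }

  mysql_close(mysql);
  return OK;
}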
1178
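/*
 * Clean-up step: remove the accounts created by the TLS tests.
 *
 * Deletes every row whose user name starts with "ssl" from mysql.user and
 * mysql.db, then reloads the grant tables. Rows removed by direct DML stay
 * active in the server's in-memory privilege cache until a reload, so
 * without the FLUSH the "dropped" accounts could still log in.
 *
 * The LIKE 'ssl%' pattern is not limited to accounts this suite created;
 * run it only against a disposable test server.
 *
 * mysql: connection used to run the statements; the visible code does not
 *        check its privileges, so the account must be allowed to modify
 *        the grant tables and to reload them.
 * Returns OK; check_mysql_rc() is used to handle a failing statement.
 */
static int drop_ssl_user(MYSQL *mysql)
{
  int rc;

  rc= mysql_query(mysql, "DELETE FROM mysql.user where user like 'ssl%'");
  check_mysql_rc(rc, mysql);
  rc= mysql_query(mysql, "DELETE FROM mysql.db where user like 'ssl%'");
  check_mysql_rc(rc, mysql);

  /* Make the deletions effective for new connections. */
  rc= mysql_query(mysql, "FLUSH PRIVILEGES");
  check_mysql_rc(rc, mysql);
  return OK;
}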
1189
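/*
 * CONC-286: connect with only a server certificate fingerprint configured
 * (MARIADB_OPT_SSL_FP) and check the negotiated cipher with check_cipher().
 *
 * The fingerprint comes from the file-level buffer ssl_cert_finger_print,
 * which read_fingerprint() fills from a file and leaves empty when that
 * file cannot be read.
 *
 * The handle supplied by the test runner is not used.
 * Returns SKIP, OK or FAIL.
 */
static int test_conc286(MYSQL *unused __attribute__((unused)))
{
  MYSQL *my;

  if (check_skip_ssl())
    return SKIP;

  /*
   * An empty fingerprint would make this test meaningless: presumably the
   * library then performs no fingerprint comparison at all (confirm against
   * the library), so the connect would succeed without pinning anything.
   */
  if (!ssl_cert_finger_print[0])
  {
    diag("No fingerprint available");
    return SKIP;
  }

  my= mysql_init(NULL);
  FAIL_IF(!my, "mysql_init() failed");

  mysql_options(my, MARIADB_OPT_SSL_FP, ssl_cert_finger_print);

  FAIL_IF(!mysql_real_connect(my, hostname, username, password, schema,
                              ssl_port, socketname, 0), mysql_error(my));

  FAIL_IF(check_cipher(my) != 0, "Invalid cipher");

  mysql_close(my);
  return OK;
}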
1210
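/*
 * MDEV-14027: the TLS library name reported by the client library must
 * contain the name of the backend selected at build time (LibreSSL,
 * OpenSSL, GnuTLS, Schannel, or "Off" when none of the macros is defined).
 *
 * The handle supplied by the test runner is not used; the query is made
 * with a NULL connection.
 * Returns OK or FAIL.
 */
static int test_mdev14027(MYSQL *mysql __attribute__((unused)))
{
  /* Initialised so a failed lookup can be detected instead of reading garbage. */
  char *tls_library= NULL;
  const char *check_library=
#if defined(HAVE_OPENSSL)
#if defined(HAVE_LIBRESSL)
    "LibreSSL";
#else
    "OpenSSL";
#endif
#elif defined(HAVE_GNUTLS)
    "GnuTLS";
#elif defined(HAVE_SCHANNEL)
    "Schannel";
#else
    "Off";
#endif

  /* A non-zero return or an unset pointer means there is nothing to compare. */
  if (mariadb_get_infov(NULL, MARIADB_TLS_LIBRARY, &tls_library) ||
      !tls_library)
  {
    diag("mariadb_get_infov(MARIADB_TLS_LIBRARY) failed");
    return FAIL;
  }

  diag("TLS/SSL library in use: %s\n", tls_library);
  if (!strstr(tls_library, check_library))
  {
    diag("expected %s, got %s", check_library, tls_library);
    return FAIL;
  }
  return OK;
}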
1237
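/*
 * MDEV-14101: for each MARIADB_OPT_TLS_VERSION setting in the table below,
 * connect with TLS enforced and compare the negotiated protocol version
 * (MARIADB_CONNECTION_TLS_VERSION) with the expected one.
 *
 * The table pins TLSv1 and TLSv1.1, which RFC 8996 deprecates; the test
 * therefore needs a server that still accepts them and says nothing about
 * a hardened configuration.
 *
 * The handle supplied by the test runner is not used.
 * Returns OK, FAIL, or SKIP (always, when built with OpenSSL headers that
 * define TLS1_3_VERSION).
 */
static int test_mdev14101(MYSQL *my __attribute__((unused)))
{
  struct {
    bool do_yassl;                /* 0: row is only run when TLSv1.2 is not skipped */
    const char *opt_tls_version;  /* value passed to MARIADB_OPT_TLS_VERSION */
    const char *expected;         /* version the connection must report */
  } combinations[]= {
    {1, "TLSv1.1", "TLSv1.1"},
    {1, "TLSv1,TLSv1.1", "TLSv1.1"},
    {0, "TLSv1.2", "TLSv1.2"},
    {0, "TLSv1.1,TLSv1.2", "TLSv1.2"},
    {1, NULL, NULL}               /* terminator: expected == NULL ends the loop */
  };

  int i;
#ifdef HAVE_SCHANNEL
  bool skip_tlsv12= 1;
#else
  bool skip_tlsv12= !have_openssl;
#endif

#if defined(HAVE_OPENSSL) && defined(TLS1_3_VERSION)
  diag("Test fails with TLS v1.3");
  return(SKIP);
#endif

  for (i=0; combinations[i].expected; i++)
  {
    MYSQL *mysql;
    bool val=1;
    /* Initialised so a failed lookup is detected before strcmp() runs. */
    char *tls_version= NULL;

    /* Stops the whole loop, not just this row: the TLSv1.2 rows come last. */
    if (!combinations[i].do_yassl && skip_tlsv12)
      break;

    diag("combination %d: %s", i, combinations[i].opt_tls_version);

    mysql= mysql_init(NULL);
    FAIL_IF(!mysql, "mysql_init() failed");
    mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &val);
    mysql_options(mysql, MARIADB_OPT_TLS_VERSION, combinations[i].opt_tls_version);
    FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                                ssl_port, socketname, 0), mysql_error(mysql));

    if (mariadb_get_infov(mysql, MARIADB_CONNECTION_TLS_VERSION, &tls_version) ||
        !tls_version)
    {
      diag("mariadb_get_infov(MARIADB_CONNECTION_TLS_VERSION) failed");
      mysql_close(mysql);
      return FAIL;
    }

    diag("options: %s", combinations[i].opt_tls_version);
    diag("protocol: %s expected: %s", tls_version, combinations[i].expected);
    FAIL_IF(strcmp(combinations[i].expected, tls_version), "Wrong tls_version");
    mysql_close(mysql);
  }
  return OK;
}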
1288
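/*
 * CONC-386: connect with sslcombined passed as the key argument of
 * mysql_ssl_set() and no separate certificate, then check the negotiated
 * cipher with check_cipher().
 *
 * NOTE(review): judging by its name, sslcombined is a single file holding
 * both private key and certificate — confirm where it is filled in.
 * No CA is set and no verification is requested, so this test does not
 * authenticate the server.
 *
 * mysql: overwritten with a freshly initialised handle; the handle supplied
 *        by the test runner is not used.
 * Returns SKIP, OK or FAIL.
 */
static int test_conc386(MYSQL *mysql)
{
  /* Same guard as the other TLS tests in this file. */
  if (check_skip_ssl())
    return SKIP;

  mysql= mysql_init(NULL);
  FAIL_IF(!mysql, "mysql_init() failed");

  mysql_ssl_set(mysql,
                sslcombined,
                NULL,
                NULL,
                NULL,
                NULL);
  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                              ssl_port, socketname, 0), mysql_error(mysql));
  FAIL_IF(check_cipher(mysql) != 0, "Invalid cipher");
  mysql_close(mysql);
  return OK;
}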
1304
1305 #ifndef HAVE_SCHANNEL
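/*
 * Exercise MYSQL_OPT_SSL_VERIFY_SERVER_CERT in three steps:
 *   1. verification on, no CA configured: the connect must fail;
 *   2. verification on, sslca configured:  the connect must succeed;
 *   3. TLS enforced, verification off:     the connect must succeed.
 * Step 3 gives an encrypted but unauthenticated channel; it only shows
 * that enforcement alone does not reject the test server's certificate.
 *
 * The handle supplied by the test runner is not used.
 * Returns SKIP, OK or FAIL.
 */
static int test_ssl_verify(MYSQL *my __attribute__((unused)))
{
  MYSQL *mysql;
  my_bool verify= 1, enforce= 1;
  const char *cipher;

  if (check_skip_ssl())
    return SKIP;

  /* verify, using system ca should fail with self signed certificate */
  mysql= mysql_init(NULL);
  FAIL_IF(!mysql, "mysql_init() failed");
  mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
  FAIL_IF(mysql_real_connect(mysql, hostname, username, password, schema,
                             ssl_port, socketname, 0), "Error expected");
  diag("error expected: %s\n", mysql_error(mysql));
  mysql_close(mysql);

  /* verify, using system ca should pass */

  /* Disable this for now, since for some unknown reason it fails on travis
  setenv("SSL_CERT_DIR", CERT_PATH, 1);
  mysql= mysql_init(NULL);
  mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                               port, socketname, 0), mysql_error(mysql));
  mysql_close(mysql);
  unsetenv("SSL_CERT_DIR");
  */

  /* verify against local ca, this should pass */
  mysql= mysql_init(NULL);
  FAIL_IF(!mysql, "mysql_init() failed");
  mysql_ssl_set(mysql,0, 0, sslca, 0, 0);
  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                              ssl_port, socketname, 0), mysql_error(mysql));
  mysql_close(mysql);

  /* enforce TLS without verifying the server certificate */
  mysql= mysql_init(NULL);
  FAIL_IF(!mysql, "mysql_init() failed");
  mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
  FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
                              ssl_port, socketname, 0), mysql_error(mysql));

  /* Never hand a NULL pointer to %s: print a placeholder if no cipher is reported. */
  cipher= mysql_get_ssl_cipher(mysql);
  diag("cipher: %s", cipher ? cipher : "(none)");
  mysql_close(mysql);
  return OK;
}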
1353 #endif
1354
/*
 * Table of test cases handed to run_tests() in main().
 *
 * Each entry starts with the test's name and its function; the third field
 * is TEST_CONNECTION_NEW or TEST_CONNECTION_NONE. The meaning of the
 * remaining fields is defined by struct my_tests_st in my_test.h and is not
 * visible here. The all-NULL entry closes the table (presumably the
 * sentinel run_tests() stops at — confirm in my_test.h).
 *
 * drop_ssl_user is listed last; presumably entries run in table order, so
 * the "ssl%" accounts are removed after the tests that use them.
 */
struct my_tests_st my_tests[] = {
  {"test_ssl", test_ssl, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifndef HAVE_SCHANNEL
  {"test_ssl_verify", test_ssl_verify, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
  {"test_mdev14101", test_mdev14101, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_mdev14027", test_mdev14027, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_conc286", test_conc286, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_ssl_timeout", test_ssl_timeout, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_openssl_1", test_openssl_1, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifndef HAVE_SCHANNEL
  {"test_cipher_mapping", test_cipher_mapping, TEST_CONNECTION_NONE, 0, NULL, NULL},
#endif
  {"test_conc127", test_conc127, TEST_CONNECTION_NEW, 0, NULL, NULL},
  /* Both tests work with GNU tls, however we can't create fingerprints with
     gnutls-cli in CMakeLists.txt.
     NOTE(review): the guard below only excludes Schannel builds, so the
     fingerprint tests are still compiled for GnuTLS — confirm this is
     intended. */
#ifndef HAVE_SCHANNEL
  {"test_ssl_fp", test_ssl_fp, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_ssl_fp_list", test_ssl_fp_list, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
  {"test_conc50", test_conc50, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_conc50_1", test_conc50_1, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_conc50_2", test_conc50_2, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_conc50_3", test_conc50_3, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_conc50_4", test_conc50_4, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_conc95", test_conc95, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"verify_ssl_server_cert", verify_ssl_server_cert, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_bug62743", test_bug62743, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_phpbug51647", test_phpbug51647, TEST_CONNECTION_NONE, 0, NULL, NULL},
  {"test_ssl_cipher", test_ssl_cipher, TEST_CONNECTION_NONE, 0, NULL, NULL},
  {"test_multi_ssl_connections", test_multi_ssl_connections, TEST_CONNECTION_NONE, 0, NULL, NULL},
  {"test_conc_102", test_conc_102, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_ssl_version", test_ssl_version, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"test_ssl_threads", test_ssl_threads, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifndef HAVE_SCHANNEL
  {"test_password_protected", test_password_protected, TEST_CONNECTION_NEW, 0, NULL, NULL},
#else
  {"test_schannel_cipher", test_schannel_cipher, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
  {"test_conc386", test_conc386, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {"drop_ssl_user", drop_ssl_user, TEST_CONNECTION_NEW, 0, NULL, NULL},
  {NULL, NULL, 0, 0, NULL, NULL}
};
1398
1399
/*
 * Entry point of the TLS test program.
 *
 * Loads settings from the environment, reads the server certificate
 * fingerprint, applies command-line options when any are given, runs the
 * my_tests table and shuts the client library down. The process exit code
 * is whatever exit_status() reports.
 *
 * On Windows builds with HEAP_CHECK, CRT warnings, errors and assertions
 * are sent to stdout and leaked allocations are dumped before exit.
 */
int main(int argc, char **argv)
{
#if defined(WIN32) && defined(HEAP_CHECK)
  _CrtSetReportMode( _CRT_WARN, _CRTDBG_MODE_FILE );
  _CrtSetReportFile( _CRT_WARN, _CRTDBG_FILE_STDOUT );
  _CrtSetReportMode( _CRT_ERROR, _CRTDBG_MODE_FILE );
  _CrtSetReportFile( _CRT_ERROR, _CRTDBG_FILE_STDOUT );
  _CrtSetReportMode( _CRT_ASSERT, _CRTDBG_MODE_FILE );
  _CrtSetReportFile( _CRT_ASSERT, _CRTDBG_FILE_STDOUT );
#endif

  /* Environment first, then the fingerprint the pinning tests rely on. */
  get_envvars();
  read_fingerprint();

  /* Options are parsed only when at least one argument was passed. */
  if (argc > 1)
  {
    get_options(argc, argv);
  }

  run_tests(my_tests);
  mysql_server_end();

#if defined(WIN32) && defined(HEAP_CHECK)
  _CrtDumpMemoryLeaks();
#endif
  return exit_status();
}
1424
1425