Commit 13380bf8 authored Jan 11, 2016 by Yashwant Sahu
Bug #22295186: CERTIFICATE VALIDATION BUG IN MYSQL MAY ALLOW MITM
parent 863f7ceb
Showing 8 changed files with 230 additions and 26 deletions
mysql-test/std_data/ca-cert-verify.pem  +20 -0
mysql-test/std_data/server-cert-verify-fail.pem  +19 -0
mysql-test/std_data/server-cert-verify-pass.pem  +19 -0
mysql-test/std_data/server-key-verify-fail.pem  +27 -0
mysql-test/std_data/server-key-verify-pass.pem  +27 -0
mysql-test/suite/auth_sec/r/cert_verify.result  +5 -0
mysql-test/suite/auth_sec/t/cert_verify.test  +49 -0
sql-common/client.c  +64 -26
mysql-test/std_data/ca-cert-verify.pem (new file, mode 100644)
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
mysql-test/std_data/server-cert-verify-fail.pem (new file, mode 100644)
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
mysql-test/std_data/server-cert-verify-pass.pem (new file, mode 100644)
-----BEGIN CERTIFICATE-----
MIIDEzCCAfsCAQEwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UEBhMCSU4xETAPBgNV
BAgMCEthcm5hdGthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDjAMBgNVBAoMBU15U1FM
MB4XDTE2MDEwNTEwMDU1OVoXDTI1MTExMzEwMDU1OVowWzELMAkGA1UEBhMCSU4x
EjAQBgNVBAgMCTpLYXJuYXRrYTETMBEGA1UEBwwKOkJhbmdhbG9yZTEPMA0GA1UE
CgwGOk15U1FMMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDAmkbUwDe+nrqL8A8uwlIZk74HHCDjUAWrskKF9leEIQsB
5exFZ8JEo1u6mdR4laQWsxizGdTPqIEidkDyyEMh4+joHgyQEPD/G3rFVW8yEFHb
42O04O96BEPFXNPDRuX3MxI+lGbYDjxTS/WhVub4/3SqLjC28FJmEUXIHA0/A+c5
hlYXK0u+aPAqXxHIjBgB4BxxHXZKqecmvR3LhXoVmhJmndsVfKajB27nDKc8/OTI
H2SXb6h3nRPDXRfwB/C5i+004tEsVeIgkYshcCgLSyDdeVieUP2pm3EAmDSjmtLF
6CgY/EBSfH+JCKFUk75bA4k8CCGzBfIeOcsKHwgFAgMBAAEwDQYJKoZIhvcNAQEL
BQADggEBAInDuHtDkeT6dkWmRJCP56c4xiQqib2QuYUuMSrAhf07xlLHc6iHnD2X
hCWCrja6uwF90DnPjeouKMAUe5txq/uKA8/Y/NfXN6nPiAeHLI0qnTv7Mr9TQ8zU
DNDwRz6onlI2cS4GhrwAnlpiaxu7AjMUWHtfBFGFrgn3PawjDQpsBZNcxw1QsLc0
E0hFrWLOd0vDETEhoRge88N7a0jqK0Rd9cvRWnvjI+IsjQMLZzKufivIHPzI9K+9
Wtp8iRHcaBr5DpsBjgsO7dqVRbsNyaWsdHdLt+CQSGXpv7P6fq3K6nJFTBeIgSfS
gflrHVKYZRkKDDDpX4yHNdnIqrvy4RU=
-----END CERTIFICATE-----
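Review bot: this fixture expires on 2025-11-13; the validity line `MB4XDTE2MDEwNTEwMDU1OVoXDTI1MTExMzEwMDU1OVow` decodes to notBefore 160105100559Z and notAfter 251113100559Z, so after that date `SSL_get_verify_result()` returns `X509_V_ERR_CERT_HAS_EXPIRED` on the T2 connection and the test fails for a reason unrelated to hostname matching. Issue the test certificate with a much longer lifetime, or at least record the expiry date in cert_verify.test so the eventual failure is recognisable. Note also that the certificate is X.509 v1 (the TBSCertificate begins with serial number 1, `CAQE`, and no version tag), so it carries no extensions and therefore no subjectAltName; that matches the CN-only check in client.c, but new fixtures will be needed once SAN matching is added.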
mysql-test/std_data/server-key-verify-fail.pem (new file, mode 100644)
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAvfCda4mh3Nlir1MAlGYdTv33kUDdMRZ1SKdhOAY/v1pNVDgz
1p4g2UHrCFZc4jyx6H0lrsLqQzOo6BhuAKVaUM8BUlaS0Vh5Zc4vFunOHUpaRLqM
GRZPTa3sfslxhuKXvGOUlTEvPhQ45QNQMg/rKp0D1UTeiwRK22POPntmbbE+rNsg
dUl85GfsR7EfimvJLvjf2nqLhe18vfU0nxXTszePdrwaptwSpdi9xQKsufLANDWK
A/zXtvq1rnaduBhaKp2fSYmznflQn+n+tKUPgB7/obcFIRjvCGKvrFjq+x3gonrD
7BEIedjSTLo50MlUksfWKqHuyLs/dEEaTHBjswIDAQABAoIBAQCSUyNzDPydXvsf
hhoUOParPAvU4tuETYDdD9Vdi7Lgf3jDQOjulbNIq/ec3KuBvrBwIrk9APvn+YxO
AUP9S2Vgi5jBDeDdVgNv4n90b3pSJk2UVQJI8V72wN5Ibnf/KeErSKvWo6V5daq/
AuZtKsZIdd3WFtA62HuyuBjTGc23Alj1C0EKnN0Rx1uBwDvx/OVQ266Us/x8jJqW
ZxIOfcvfNzBQEa5hAzbQCReVaC+rBLRAcMM2yGP7aDa+8cRkwuVlSqpX8CXBdLoU
PqmU49etcW72Rb1AFt9WgEu1Oh9UYbHFSB+FEbO8IGcGBsuYHf9zkxQyjpy/iKyT
H5dTu7YBAoGBAOWqEGepZVrfB+P6X18n3vbJhgYmF0sa0mCmwkFYgk36yNqsZ8at
lQjm5mbn4wjEKHIcQ/T1taq73W471M+PxMnn0WTwoG5jsyarZGgy6/95YXiyZtQe
qgA4P3aKkCteRP22DjG7uxmm9Hoqx8Z31vfRTLAHN1IEHPHHkg/J3gPTAoGBANO4
aqKeY4vcDvVkvxVbADrw++tZGwA+RuxfO4HKKru59VdA2PsAxhXwb3Dfejwj7hYW
yE9edHjGpMr1+dpf8YJYs7qjajHe1HxBOYqQGHycIdw+Gv56R4HpaS9eW3x8l/Pi
b4xnAodv2qIriACOe7br+rll4wKX46Wt64zdvpShAoGAT0r3HQM0Vjp4u/J+qRjX
9za+yjKuiiS5i9snaG5JlujGHhG2Rrc5pHgsBk17alRnbnZp1BJdZZQ1MFEB+aO2
mssp1YLqsRJFEU3NfdhO+MaMq6JUtFnd8fN5ndDbU83ZXgtUPUGGqKWm9OL+VHyd
wLQHmSL0q6F16Ngxirf0qjcCgYEAtSmiJVA+gdhk/FmeoBlkEwtNpM50Kjsf2PaM
Jrzk4Al5A5Y7lFvPI8q+sOio4XklKsWH1VJPe2EOdZUQnGlocE6SS+u03MN9Mm1l
XUl7inTXDGwgEQx0z5b4KE4nHlhGdauWI5+pLFbrz8RL9Z32AkneGnIyU2/AnW46
lijQAMECgYEAmgp/88ndIw49RCtMhYhtXQ87AsEAP6kzXQyKppDkn0os+xI5igIL
i/UDxB33hx3yjrUZwoGDV9MwlMhZNX5Tf5bwjPmmh1NR6KdEpPt5AkklX4s6uil2
Bxl1P5l1jl/PbEYtv5LDZKIPANWRzViMSIWqjUWlbdqE7/vjx+Oo+cc=
-----END RSA PRIVATE KEY-----
mysql-test/std_data/server-key-verify-pass.pem (new file, mode 100644)
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
mysql-test/suite/auth_sec/r/cert_verify.result (new file, mode 100644)
#T1: Host name (/CN=localhost/) as OU name in the server certificate, server certificate verification should fail.
#T2: Host name (localhost) as common name in the server certificate, server certificate verification should pass.
Variable_name Value
Ssl_version TLS_VERSION
# restart server using restart
mysql-test/suite/auth_sec/t/cert_verify.test (new file, mode 100644)
# Want to skip this test from Valgrind execution
--
source
include
/
no_valgrind_without_big
.
inc
# This test should work in embedded server after we fix mysqltest
--
source
include
/
not_embedded
.
inc
--
source
include
/
have_ssl_communication
.
inc
# Save the initial number of concurrent sessions
--
source
include
/
count_sessions
.
inc
let
$ssl_verify_fail_path
=
--
ssl
--
ssl
-
ca
=
$MYSQL_TEST_DIR
/
std_data
/
ca
-
cert
-
verify
.
pem
--
ssl
-
key
=
$MYSQL_TEST_DIR
/
std_data
/
server
-
key
-
verify
-
fail
.
pem
--
ssl
-
cert
=
$MYSQL_TEST_DIR
/
std_data
/
server
-
cert
-
verify
-
fail
.
pem
;
let
$ssl_verify_pass_path
=
--
ssl
--
ssl
-
ca
=
$MYSQL_TEST_DIR
/
std_data
/
ca
-
cert
-
verify
.
pem
--
ssl
-
key
=
$MYSQL_TEST_DIR
/
std_data
/
server
-
key
-
verify
-
pass
.
pem
--
ssl
-
cert
=
$MYSQL_TEST_DIR
/
std_data
/
server
-
cert
-
verify
-
pass
.
pem
;
let
$tls_default
=
TLSv1
.
1
;
let
$openssl
=
query_get_value
(
"SHOW STATUS LIKE 'Rsa_public_key'"
,
Variable_name
,
1
);
if
(
$openssl
==
'Rsa_public_key'
){
let
$tls_default
=
TLSv1
.
2
;
}
--
echo
#T1: Host name (/CN=localhost/) as OU name in the server certificate, server certificate verification should fail.
--
exec
echo
"wait"
>
$MYSQLTEST_VARDIR
/
tmp
/
mysqld
.
1.
expect
--
shutdown_server
--
source
include
/
wait_until_disconnected
.
inc
--
exec
echo
"restart:"
$ssl_verify_fail_path
>
$MYSQLTEST_VARDIR
/
tmp
/
mysqld
.
1.
expect
--
enable_reconnect
--
source
include
/
wait_until_connected_again
.
inc
--
error
1
--
exec
$MYSQL
--
protocol
=
tcp
--
ssl
-
verify
-
server
-
cert
-
e
"SHOW STATUS like 'Ssl_version'"
--
echo
#T2: Host name (localhost) as common name in the server certificate, server certificate verification should pass.
--
exec
echo
"wait"
>
$MYSQLTEST_VARDIR
/
tmp
/
mysqld
.
1.
expect
--
shutdown_server
--
source
include
/
wait_until_disconnected
.
inc
--
exec
echo
"restart:"
$ssl_verify_pass_path
>
$MYSQLTEST_VARDIR
/
tmp
/
mysqld
.
1.
expect
--
enable_reconnect
--
source
include
/
wait_until_connected_again
.
inc
--
replace_result
$tls_default
TLS_VERSION
--
exec
$MYSQL
--
protocol
=
tcp
--
ssl
-
verify
-
server
-
cert
-
e
"SHOW STATUS like 'Ssl_version'"
--
echo
# restart server using restart
--
exec
echo
"wait"
>
$MYSQLTEST_VARDIR
/
tmp
/
mysqld
.
1.
expect
--
shutdown_server
--
source
include
/
wait_until_disconnected
.
inc
--
exec
echo
"restart: "
>
$MYSQLTEST_VARDIR
/
tmp
/
mysqld
.
1.
expect
--
enable_reconnect
--
source
include
/
wait_until_connected_again
.
inc
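Review bot: T1 checks only that the client exits with status 1 (`--error 1` ahead of `--exec $MYSQL --protocol=tcp --ssl-verify-server-cert -e ...`), so any failure, including the server not having come back with the new certificate after the restart, satisfies the case; append `2>&1` to the exec so the client's error text is recorded in the result file and the expected output shows the `SSL certificate validation failure` message rather than a bare non-zero exit. Two smaller points: the `Rsa_public_key` probe used to pick `$tls_default` (TLSv1.2 when the status variable exists, otherwise TLSv1.1) is an indirect test for an OpenSSL rather than yaSSL build and deserves a comment saying so; and both cases exercise only a CN match, with no certificate that carries the host name solely in subjectAltName, which is consistent with the note in client.c that yaSSL lacks SAN support but should be left as a TODO beside the test.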
sql-common/client.c
/* Copyright (c) 2003, 201
4
, Oracle and/or its affiliates. All rights reserved.
/* Copyright (c) 2003, 201
6
, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
it under the terms of the GNU General Public License as published by
...
@@ -1885,35 +1885,39 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
...
@@ -1885,35 +1885,39 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
static
int
ssl_verify_server_cert
(
Vio
*
vio
,
const
char
*
server_hostname
,
const
char
**
errptr
)
static
int
ssl_verify_server_cert
(
Vio
*
vio
,
const
char
*
server_hostname
,
const
char
**
errptr
)
{
{
SSL
*
ssl
;
SSL
*
ssl
;
X509
*
server_cert
;
X509
*
server_cert
=
NULL
;
char
*
cp1
,
*
cp2
;
char
*
cn
=
NULL
;
char
buf
[
256
];
int
cn_loc
=
-
1
;
ASN1_STRING
*
cn_asn1
=
NULL
;
X509_NAME_ENTRY
*
cn_entry
=
NULL
;
X509_NAME
*
subject
=
NULL
;
int
ret_validation
=
1
;
DBUG_ENTER
(
"ssl_verify_server_cert"
);
DBUG_ENTER
(
"ssl_verify_server_cert"
);
DBUG_PRINT
(
"enter"
,
(
"server_hostname: %s"
,
server_hostname
));
DBUG_PRINT
(
"enter"
,
(
"server_hostname: %s"
,
server_hostname
));
if
(
!
(
ssl
=
(
SSL
*
)
vio
->
ssl_arg
))
if
(
!
(
ssl
=
(
SSL
*
)
vio
->
ssl_arg
))
{
{
*
errptr
=
"No SSL pointer found"
;
*
errptr
=
"No SSL pointer found"
;
DBUG_RETURN
(
1
)
;
goto
error
;
}
}
if
(
!
server_hostname
)
if
(
!
server_hostname
)
{
{
*
errptr
=
"No server hostname supplied"
;
*
errptr
=
"No server hostname supplied"
;
DBUG_RETURN
(
1
)
;
goto
error
;
}
}
if
(
!
(
server_cert
=
SSL_get_peer_certificate
(
ssl
)))
if
(
!
(
server_cert
=
SSL_get_peer_certificate
(
ssl
)))
{
{
*
errptr
=
"Could not get server certificate"
;
*
errptr
=
"Could not get server certificate"
;
DBUG_RETURN
(
1
)
;
goto
error
;
}
}
if
(
X509_V_OK
!=
SSL_get_verify_result
(
ssl
))
if
(
X509_V_OK
!=
SSL_get_verify_result
(
ssl
))
{
{
*
errptr
=
"Failed to verify the server certificate"
;
*
errptr
=
"Failed to verify the server certificate"
;
X509_free
(
server_cert
);
goto
error
;
DBUG_RETURN
(
1
);
}
}
/*
/*
We already know that the certificate exchanged was valid; the SSL library
We already know that the certificate exchanged was valid; the SSL library
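Review bot: the message stored when `SSL_get_verify_result(ssl)` is not `X509_V_OK`, `"Failed to verify the server certificate"`, throws away the verification result, so an expired certificate, an unknown CA and a self-signed chain all produce the same client error; since `X509_verify_cert_error_string()` returns a `const char *` it can be assigned to `*errptr` directly, e.g. `*errptr= X509_verify_cert_error_string(SSL_get_verify_result(ssl));`, or at least the numeric result should be printed under `DBUG_PRINT`. The `goto error` consolidation is fine (the `error:` label frees `server_cert` only when it is non-NULL, which covers the two exits taken before `SSL_get_peer_certificate()`), but `ret_validation` is initialised to 1 and only ever set to 0 on success, so a one-line comment at the declaration stating that 0 means verified and 1 means rejected would help, because that convention is the reverse of a C boolean.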
...
@@ -1921,27 +1925,61 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
...
@@ -1921,27 +1925,61 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
are what we expect.
are what we expect.
*/
*/
X509_NAME_oneline
(
X509_get_subject_name
(
server_cert
),
buf
,
sizeof
(
buf
));
/*
X509_free
(
server_cert
);
Some notes for future development
We should check host name in alternative name first and then if needed check in common name.
Currently yssl doesn't support alternative name.
openssl 1.0.2 support X509_check_host method for host name validation, we may need to start using
X509_check_host in the future.
*/
DBUG_PRINT
(
"info"
,
(
"hostname in cert: %s"
,
buf
));
subject
=
X509_get_subject_name
((
X509
*
)
server_cert
);
cp1
=
strstr
(
buf
,
"/CN="
);
// Find the CN location in the subject
if
(
cp1
)
cn_loc
=
X509_NAME_get_index_by_NID
(
subject
,
NID_commonName
,
-
1
);
if
(
cn_loc
<
0
)
{
{
cp1
+=
4
;
/* Skip the "/CN=" that we found */
*
errptr
=
"Failed to get CN location in the certificate subject"
;
/* Search for next / which might be the delimiter for email */
goto
error
;
cp2
=
strchr
(
cp1
,
'/'
);
}
if
(
cp2
)
*
cp2
=
'\0'
;
// Get the CN entry for given location
DBUG_PRINT
(
"info"
,
(
"Server hostname in cert: %s"
,
cp1
));
cn_entry
=
X509_NAME_get_entry
(
subject
,
cn_loc
);
if
(
!
strcmp
(
cp1
,
server_hostname
))
if
(
cn_entry
==
NULL
)
{
{
/* Success */
*
errptr
=
"Failed to get CN entry using CN location"
;
DBUG_RETURN
(
0
);
goto
error
;
}
}
}
// Get CN from common name entry
cn_asn1
=
X509_NAME_ENTRY_get_data
(
cn_entry
);
if
(
cn_asn1
==
NULL
)
{
*
errptr
=
"Failed to get CN from CN entry"
;
goto
error
;
}
cn
=
(
char
*
)
ASN1_STRING_data
(
cn_asn1
);
// There should not be any NULL embedded in the CN
if
((
size_t
)
ASN1_STRING_length
(
cn_asn1
)
!=
strlen
(
cn
))
{
*
errptr
=
"NULL embedded in the certificate CN"
;
goto
error
;
}
DBUG_PRINT
(
"info"
,
(
"Server hostname in cert: %s"
,
cn
));
if
(
!
strcmp
(
cn
,
server_hostname
))
{
/* Success */
ret_validation
=
0
;
}
*
errptr
=
"SSL certificate validation failure"
;
*
errptr
=
"SSL certificate validation failure"
;
DBUG_RETURN
(
1
);
error:
if
(
server_cert
!=
NULL
)
X509_free
(
server_cert
);
DBUG_RETURN
(
ret_validation
);
}
}
#endif
/* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
#endif
/* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
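Review bot: `X509_NAME_get_index_by_NID(subject, NID_commonName, -1)` returns the first commonName in the subject and the code never looks further, so a subject with several CN attributes is judged on the first one only; implementations that fall back to CN matching conventionally take the last (most specific) CN, and looping `cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, cn_loc)` until it returns -1 makes that choice explicit. The comparison `strcmp(cn, server_hostname)` is case-sensitive and supports no wildcards, while DNS names are case-insensitive, so a certificate issued to `DB.Example.COM` fails against a connection to `db.example.com`; use a case-insensitive compare at minimum. The `ASN1_STRING_length(cn_asn1) != strlen(cn)` guard correctly closes the embedded-NUL bypass, but `ASN1_STRING_data()` returns the bytes in the attribute's own encoding (a BMPString CN cannot compare equal to the hostname) and is deprecated from OpenSSL 1.1.0 in favour of `ASN1_STRING_get0_data()`; converting with `ASN1_STRING_to_UTF8()` first, and preferring `X509_check_host()` where OpenSSL 1.0.2 is available as the new comment block already proposes, would address both. Also, `*errptr= "SSL certificate validation failure";` now executes on the success path as well, because it sits after the `if (!strcmp(cn, server_hostname))` block instead of in an else branch; the caller ignores it when the return value is 0, but move it into an else branch so the error text is never set on success. Style: the added `// Find the CN location in the subject` comments are C++ comments in a file that otherwise uses `/* ... */`.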
...
...