cleanup: X509_check_host() in the internal client

X509_check_host() and X509_check_ip_asc() exist in all supported SSL libraries in OpenSSL >= 1.0.2 and in the bundled WolfSSL And X509_free() handles NULL pointers all right.

cleanup: X509_check_host() in the internal client
X509_check_host() and X509_check_ip_asc() exist in all supported SSL libraries in OpenSSL >= 1.0.2 and in the bundled WolfSSL And X509_free() handles NULL pointers all right.
05a421eb · Sergei Golubchik · f4e174e1 · 05a421eb · 05a421eb · 05a421eb
Commit 05a421eb authored Sep 02, 2023 by Sergei Golubchik
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 69 deletions

cmake/ssl.cmake cmake/ssl.cmake +0 -3

mysql-test/suite.pm mysql-test/suite.pm +0 -7

sql-common/client.c sql-common/client.c +4 -59

No files found.
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -59,7 +59,6 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
  SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
  SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
  SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
-  SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
  SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY API")
  CHANGE_SSL_SETTINGS("bundled")
  ADD_SUBDIRECTORY(extra/wolfssl)
@@ -157,8 +156,6 @@ MACRO (MYSQL_CHECK_SSL)
                          HAVE_EncryptAes128Ctr)
      CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
                          HAVE_EncryptAes128Gcm)
-      CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
-                          HAVE_X509_check_host)
      CHECK_SYMBOL_EXISTS(EVP_PKEY_CTX_set_hkdf_md "string.h;stdarg.h;openssl/kdf.h"
                          HAVE_hkdf)
      SET(CMAKE_REQUIRED_INCLUDES)

--- a/mysql-test/suite.pm
+++ b/mysql-test/suite.pm
@@ -80,15 +80,8 @@ sub skip_combinations {

  $skip{'main/openssl_6975.test'} = 'no or wrong openssl version'
    unless $openssl_ver ge "1.0.1d" and $openssl_ver lt "1.1.1";
-
-  $skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
-    unless $ssl_lib =~ /WolfSSL/ or $openssl_ver ge "1.0.2";
-
  $skip{'main/func_kdf.combinations'} = [ $ssl_lib =~ /OpenSSL 1\.0\./ ? 'new' : 'old' ];

-  $skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
-    unless $openssl_ver ge "1.0.2";
-
  sub utf8_command_line_ok() {
   if (IS_WINDOWS) {
     # Can use UTF8 on command line since Windows 10 1903 (10.0.18362)

--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1583,21 +1583,12 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))

 #if defined(HAVE_OPENSSL)

-#ifdef HAVE_X509_check_host
 #include <openssl/x509v3.h>
-#endif

 static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr)
 {
  SSL *ssl;
  X509 *server_cert= NULL;
-#ifndef HAVE_X509_check_host
-  char *cn= NULL;
-  int cn_loc= -1;
-  ASN1_STRING *cn_asn1= NULL;
-  X509_NAME_ENTRY *cn_entry= NULL;
-  X509_NAME *subject= NULL;
-#endif
  int ret_validation= 1;

  DBUG_ENTER("ssl_verify_server_cert");
@@ -1632,59 +1623,13 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
    are what we expect.
  */

-#ifdef HAVE_X509_check_host
-  ret_validation=
-    X509_check_host(server_cert, server_hostname,
-       strlen(server_hostname), 0, 0) != 1;
-#ifndef HAVE_WOLFSSL
-   if (ret_validation)
-   {
-     ret_validation=
-         X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
-   }
-#endif
-#else
-  subject= X509_get_subject_name(server_cert);
-  cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
-  if (cn_loc < 0)
-  {
-    *errptr= "Failed to get CN location in the certificate subject";
-    goto error;
-  }
-  cn_entry= X509_NAME_get_entry(subject, cn_loc);
-  if (cn_entry == NULL)
-  {
-    *errptr= "Failed to get CN entry using CN location";
-    goto error;
-  }
-
-  cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry);
-  if (cn_asn1 == NULL)
-  {
-    *errptr= "Failed to get CN from CN entry";
-    goto error;
-  }
-
-  cn= (char *) ASN1_STRING_get0_data(cn_asn1);
-
-  if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
-  {
-    *errptr= "NULL embedded in the certificate CN";
-    goto error;
-  }
-
-  DBUG_PRINT("info", ("Server hostname in cert: %s", cn));
-  if (!strcmp(cn, server_hostname))
-  {
-    /* Success */
-    ret_validation= 0;
-  }
-#endif
+  ret_validation= X509_check_host(server_cert, server_hostname,
+                                  strlen(server_hostname), 0, 0) != 1 &&
+                  X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
  *errptr= "SSL certificate validation failure";

 error:
-  if (server_cert != NULL)
-    X509_free (server_cert);
+  X509_free(server_cert);
  DBUG_RETURN(ret_validation);
 }