Merge branch 'mysql-8.0' into mysql-trunk

mysql · Mar 6, 2018 · 3d0c6db · 3d0c6db
2 parents c2c845b + 1425374
commit 3d0c6db
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 57 deletions.
diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
@@ -1,5 +1,5 @@
 # Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
-# 
+#
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0,
 # as published by the Free Software Foundation.
@@ -18,7 +18,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA 
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
 
 # We support different versions of SSL:
 # - "system"  (typically) uses headers/libraries in /usr/lib and /usr/lib64
@@ -113,6 +113,9 @@ MACRO (MYSQL_USE_WOLFSSL)
     -DWOLFSSL_SHA384
     -DWOLFSSL_SHA512
     -DWOLFSSL_STATIC_RSA
+    -DWOLFSSL_NGINX
+    -DHAVE_TLS_EXTENSIONS
+    -DHAVE_CERTIFICATE_STATUS_REQUEST
     )
   CHANGE_SSL_SETTINGS("wolfssl")
   ADD_SUBDIRECTORY(${WOLFSSL_SOURCE_DIR})
@@ -355,7 +358,7 @@ MACRO (MYSQL_CHECK_SSL)
 
     INCLUDE(CheckSymbolExists)
     SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
-    CHECK_SYMBOL_EXISTS(SHA512_DIGEST_LENGTH "openssl/sha.h" 
+    CHECK_SYMBOL_EXISTS(SHA512_DIGEST_LENGTH "openssl/sha.h"
                         HAVE_SHA512_DIGEST_LENGTH)
     IF(OPENSSL_FOUND AND HAVE_SHA512_DIGEST_LENGTH)
       SET(SSL_SOURCES "")

diff --git a/mysql-test/std_data/server-cert.pem b/mysql-test/std_data/server-cert.pem
@@ -7,7 +7,7 @@ Certificate:
         Validity
             Not Before: Dec  5 04:48:40 2014 GMT
             Not After : Dec  1 04:48:40 2029 GMT
-        Subject: C=SE, ST=Stockholm, L=Stockholm, O=Oracle, OU=MySQL, CN=localhost
+        Subject: C=SE, ST=Stockholm, L=Stockholm, O=Oracle, OU=MySQL, CN=nonexistent.example.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
@@ -32,14 +32,16 @@ Certificate:
                     73:45
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Basic Constraints: 
+            X509v3 Basic Constraints:
                 CA:FALSE
-            Netscape Comment: 
+            Netscape Comment:
                 OpenSSL Generated Certificate
-            X509v3 Subject Key Identifier: 
+            X509v3 Subject Key Identifier:
                 E4:31:D8:D5:06:EA:C6:B3:A2:F6:01:39:8F:58:08:36:2C:7B:3F:DB
-            X509v3 Authority Key Identifier: 
+            X509v3 Authority Key Identifier:
                 keyid:94:65:A1:A3:87:CF:BF:C1:74:BB:D8:84:97:B6:6B:EE:B2:90:73:B2
+            X509v3 Subject Alternative Name:
+              DNS:localhost
 
     Signature Algorithm: sha256WithRSAEncryption
          46:ef:cd:bf:c1:ef:36:a9:cb:99:b5:be:e2:a7:ba:69:0d:f5:

diff --git a/sql-common/client.cc b/sql-common/client.cc
@@ -110,6 +110,10 @@
 #define SOCKET_ERROR -1
 #endif
 
+#ifdef HAVE_OPENSSL
+#include <openssl/x509v3.h>
+#endif
+
 #include <mysql/client_plugin.h>
 #include <new>
 
@@ -2584,11 +2588,6 @@ static int ssl_verify_server_cert(Vio *vio, const char *server_hostname,
                                   const char **errptr) {
   SSL *ssl;
   X509 *server_cert = NULL;
-  char *cn = NULL;
-  int cn_loc = -1;
-  ASN1_STRING *cn_asn1 = NULL;
-  X509_NAME_ENTRY *cn_entry = NULL;
-  X509_NAME *subject = NULL;
   int ret_validation = 1;
 
   DBUG_ENTER("ssl_verify_server_cert");
@@ -2619,54 +2618,15 @@ static int ssl_verify_server_cert(Vio *vio, const char *server_hostname,
     are what we expect.
   */
 
-  /*
-   Some notes for future development
-   We should check host name in alternative name first and then if needed check
-   in common name. Currently yssl doesn't support alternative name.
-   openssl 1.0.2 support X509_check_host method for host name validation, we may
-   need to start using X509_check_host in the future.
-  */
-
-  subject = X509_get_subject_name((X509 *)server_cert);
-  // Find the CN location in the subject
-  cn_loc = X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
-  if (cn_loc < 0) {
-    *errptr = "Failed to get CN location in the certificate subject";
-    goto error;
-  }
-
-  // Get the CN entry for given location
-  cn_entry = X509_NAME_get_entry(subject, cn_loc);
-  if (cn_entry == NULL) {
-    *errptr = "Failed to get CN entry using CN location";
-    goto error;
-  }
-
-  // Get CN from common name entry
-  cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry);
-  if (cn_asn1 == NULL) {
-    *errptr = "Failed to get CN from CN entry";
-    goto error;
-  }
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-  cn = (char *)ASN1_STRING_data(cn_asn1);
-#else  /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-  cn = (char *)ASN1_STRING_get0_data(cn_asn1);
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-
-  // There should not be any NULL embedded in the CN
-  if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) {
-    *errptr = "NULL embedded in the certificate CN";
+  /* Use OpenSSL host check instead of our own if we have OpenSSL */
+  if (X509_check_host(server_cert, server_hostname, strlen(server_hostname),
+                      X509_CHECK_FLAG_NO_WILDCARDS, 0) != 1) {
+    *errptr = "Failed to verify the server certificate via X509_check_host";
     goto error;
-  }
-
-  DBUG_PRINT("info", ("Server hostname in cert: %s", cn));
-  if (!strcmp(cn, server_hostname)) {
+  } else {
     /* Success */
     ret_validation = 0;
   }
-
   *errptr = "SSL certificate validation failure";
 
 error: