TLS/SSL changes (major rework)

Peer certificate validation:

Since version 3.4 peer certificate verification is enabled by default.
It can be disabled via `mysql_optionsv`, using option
MYSQL_OPT_SSL_VERIFY_SERVER_CERT:

    my_bool verify= 0;
    mysql_options(mariadb, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);

Self signed certificates

If the client obtained a self signed peer certificate from MariaDB server
the verification will fail, with the following exceptions:

* If the connection between client and server is considered to be secure:, e.g.
  * a unix_socket is used for client server communication
  * hostname is localhost (Windows operating system), 127.0.0.1 or ::1
* a specified fingerprint matches the fingerprint of the peer certificate (see below)
* a client can verify the certificate using account password, it's possible if
  * account has a password
  * authentication plugin is "secure without TLS", that is, one of
    mysql_native_password, ed25519 or parsec.

Fingerprint verification of the peer certificate

A fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the peer
certificate's binary data. Even if the fingerprint matches, an expired or
revoked certificate will not be accepted.

For security reasons support for MD5 and SHA1 has been removed.

Technical details:
==================

- Peer certificate verification call was removed from ma_tls_connect, instead it
  will be called directly after the handshake succeeded (my_auth.c)

- mysql->net.tls_self_signed_error was replaced by mysql->net.tls_verify_status which
  contains the result of the peer certfificate verification:

  The verification status can be obtained with mariadb_get_infov using new parameter
  MARIADB_TLS_VERIFY_STATUS.

  unsigned int tls_verify_status;
  mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &tls_verify_status);

  The result is a combination of the following flags:

  MARIADB_TLS_VERIFY_OK                  0
  MARIADB_TLS_VERIFY_TRUST               1
  MARIADB_TLS_VERIFY_HOST                2
  MARIADB_TLS_VERIFY_PERIOD              4
  MARIADB_TLS_VERIFY_FINGERPRINT         8
  MARIADB_TLS_VERIFY_REVOKED            16
  MARIADB_TLS_VERIFY_UNKNOWN            32

- GnuTLS peer certificate verification callback was removed and replaced by
  gnutls_verify_peers2() api function, so the peer certificate validation
  will happen after handshake.

- OpenSSL implementation will no longer use SSL_verify_result to check the
  validity of the peer certificate. Instead a callback function will be called
  during the handshake, which collects all certificate validation errors.

- If the peer certificate is not trusted, hostname verification will be
  skipped.

- Testing
  Added new test tls, which implements a python based dummy server, which allows
  to set different certificates and TLS options. Please note. that tests are
  expected to fail, since the server doesn't support further steps like user
  authentication etc. after the handshake. Prerequisite for running the tls test
  is Python3.

Author: 9EOR9

.travis.yml

@@ -7,6 +7,16 @@ cache:
   directories:
     - $HOME/docker
 
+before_install:
+  - |-
+    if [ -z "$server_branch" ] ; then
+      case $TRAVIS_OS_NAME in
+        windows)
+          choco install python --version=3.12.0
+          ;;
+      esac
+    fi
+
 env:
   global: local=0 DB=testc CLEAR_TEXT=0
 

CMakeLists.txt

@@ -37,7 +37,7 @@ SET(CC_BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR})
 
 SET(CPACK_PACKAGE_VERSION_MAJOR 3)
 SET(CPACK_PACKAGE_VERSION_MINOR 4)
-SET(CPACK_PACKAGE_VERSION_PATCH 0)
+SET(CPACK_PACKAGE_VERSION_PATCH 1)
 SET(CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
 MATH(EXPR MARIADB_PACKAGE_VERSION_ID "${CPACK_PACKAGE_VERSION_MAJOR} * 10000 +
                             ${CPACK_PACKAGE_VERSION_MINOR} * 100   +

include/ma_common.h

@@ -131,15 +131,9 @@ typedef struct st_mariadb_field_extension
   MARIADB_CONST_STRING metadata[MARIADB_FIELD_ATTR_LAST+1]; /* 10.5 */
 } MA_FIELD_EXTENSION;
 
-#if defined(HAVE_SCHANNEL) || defined(HAVE_GNUTLS)
-#define reset_tls_self_signed_error(mysql)              \
-  do {                                                  \
-    free((char*)mysql->net.tls_self_signed_error);      \
-    mysql->net.tls_self_signed_error= 0;                \
-  } while(0)
-#else
-#define reset_tls_self_signed_error(mysql)              \
-  do {                                                  \
-    mysql->net.tls_self_signed_error= 0;                \
+#ifdef HAVE_TLS
+#define reset_tls_error(mysql) \
+  do {                         \
+    mysql->net.tls_verify_status= 0; \
   } while(0)
 #endif

include/ma_tls.h

@@ -21,6 +21,12 @@ enum enum_pvio_tls_type {
 #define PROTOCOL_MAX PROTOCOL_TLS_1_3
 
 #define TLS_VERSION_LENGTH 64
+
+#define have_fingerprint(m) \
+((m)->options.extension) && \
+(((m)->options.extension->tls_fp && (m)->options.extension->tls_fp[0]) ||\
+((m)->options.extension->tls_fp_list && (m)->options.extension->tls_fp_list[0]))
+
 extern char tls_library_version[TLS_VERSION_LENGTH];
 
 typedef struct st_ma_pvio_tls {
@@ -111,11 +117,12 @@ my_bool ma_tls_close(MARIADB_TLS *ctls);
    validation check of server certificate
    Parameter:
      MARIADB_TLS  MariaDB SSL container
+     flags        verification flags
    Returns:
-     ß            success
+     0            success
      1            error
 */
-int ma_tls_verify_server_cert(MARIADB_TLS *ctls);
+int ma_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags);
 
 /* ma_tls_get_cipher
    returns cipher for current ssl connection
@@ -134,6 +141,7 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ssl);
      hash_type    hash_type as defined in ma_hash.h
      fp           buffer for fingerprint
      fp_len       buffer length
+     my_bool      verify_period
 
    Returns:
      actual size of finger print
@@ -150,7 +158,7 @@ unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp
 int ma_tls_get_protocol_version(MARIADB_TLS *ctls);
 const char *ma_pvio_tls_get_protocol_version(MARIADB_TLS *ctls);
 int ma_pvio_tls_get_protocol_version_id(MARIADB_TLS *ctls);
-unsigned int ma_tls_get_peer_cert_info(MARIADB_TLS *ctls);
+unsigned int ma_tls_get_peer_cert_info(MARIADB_TLS *ctls, unsigned int size);
 void ma_tls_set_connection(MYSQL *mysql);
 
 /* Function prototypes */
@@ -159,12 +167,12 @@ my_bool ma_pvio_tls_connect(MARIADB_TLS *ctls);
 ssize_t ma_pvio_tls_read(MARIADB_TLS *ctls, const uchar *buffer, size_t length);
 ssize_t ma_pvio_tls_write(MARIADB_TLS *ctls, const uchar *buffer, size_t length);
 my_bool ma_pvio_tls_close(MARIADB_TLS *ctls);
-int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls);
+int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags);
 const char *ma_pvio_tls_cipher(MARIADB_TLS *ctls);
 my_bool ma_pvio_tls_check_fp(MARIADB_TLS *ctls, const char *fp, const char *fp_list);
 my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio);
 void ma_pvio_tls_set_connection(MYSQL *mysql);
 void ma_pvio_tls_end();
-unsigned int ma_pvio_tls_get_peer_cert_info(MARIADB_TLS *ctls);
+unsigned int ma_pvio_tls_get_peer_cert_info(MARIADB_TLS *ctls, unsigned int size);
 
 #endif /* _ma_tls_h_ */

include/mariadb_com.h

@@ -297,10 +297,10 @@ typedef struct st_net {
   unsigned char reading_or_writing;
   char save_char;
   char unused_1;
-  my_bool unused_2;
+  my_bool tls_verify_status;
   my_bool compress;
-  my_bool unused_3;
-  const char *tls_self_signed_error;
+  my_bool unused_2;
+  char *unused_3;
   unsigned int last_errno;
   unsigned char error;
   my_bool unused_5;

include/mysql.h

@@ -300,6 +300,7 @@ extern const char *SQLSTATE_UNKNOWN;
     MARIADB_CONNECTION_BYTES_READ,
     MARIADB_CONNECTION_BYTES_SENT,
     MARIADB_TLS_PEER_CERT_INFO,
+    MARIADB_TLS_VERIFY_STATUS
   };
 
   enum mysql_status { MYSQL_STATUS_READY,
@@ -448,6 +449,16 @@ typedef struct st_mysql_time
 #define MYSQL_WAIT_EXCEPT    4
 #define MYSQL_WAIT_TIMEOUT   8
 
+#define MARIADB_TLS_VERIFY_OK                  0
+#define MARIADB_TLS_VERIFY_TRUST               1
+#define MARIADB_TLS_VERIFY_HOST                2
+#define MARIADB_TLS_VERIFY_PERIOD              4
+#define MARIADB_TLS_VERIFY_FINGERPRINT         8
+#define MARIADB_TLS_VERIFY_REVOKED            16
+#define MARIADB_TLS_VERIFY_UNKNOWN            32
+#define MARIADB_TLS_VERIFY_ERROR             128  /* last */
+
+
 typedef struct character_set
 {
   unsigned int      number;     /* character set number              */
@@ -497,7 +508,7 @@ typedef struct
   int version;
   char *issuer;
   char *subject;
-  char fingerprint[65];
+  char fingerprint[129];
   struct tm not_before;
   struct tm not_after;
 } MARIADB_X509_INFO;

libmariadb/ma_pvio.c

@@ -522,47 +522,6 @@ my_bool ma_pvio_has_data(MARIADB_PVIO *pvio, ssize_t *data_len)
 /* }}} */
 
 #ifdef HAVE_TLS
-/**
-  Checks if self-signed certificate error should be ignored.
-*/
-static my_bool ignore_self_signed_cert_error(MARIADB_PVIO *pvio)
-{
-  const char *hostname= pvio->mysql->host;
-  const char *local_host_names[]= {
-#ifdef _WIN32
-  /*
-   On Unix, we consider TCP connections with "localhost"
-   an insecure transport, for the single reason to run tests for
-   insecure transport on CI.This is artificial, but should be ok.
-   Default client connections use unix sockets anyway, so it
-   would not hurt much.
-
-   On Windows, the situation is quite different.
-   Default connections type is TCP, default host name is "localhost",
-   non-password plugin gssapi is common (every installation)
-   In this environment, there would be a lot of faux/disruptive
-   "self-signed certificates" errors there. Thus, "localhost" TCP
-   needs to be considered secure transport.
-  */
-  "localhost",
-#endif
-  "127.0.0.1", "::1", NULL};
-  int i;
-  if (pvio->type != PVIO_TYPE_SOCKET)
-  {
-    return TRUE;
-  }
-  if (!hostname)
-    return FALSE;
-  for (i= 0; local_host_names[i]; i++)
-  {
-    if (strcmp(hostname, local_host_names[i]) == 0)
-    {
-      return TRUE;
-    }
-  }
-  return FALSE;
-}
 
 /* {{{ my_bool ma_pvio_start_ssl */
 my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
@@ -580,32 +539,6 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
     pvio->ctls= NULL;
     return 1;
   }
-
-  /* default behaviour:
-     1. peer certificate verification
-     2. verify CN (requires option ssl_verify_check)
-     3. verrify finger print
-  */
-  if (!pvio->mysql->options.extension->tls_allow_invalid_server_cert &&
-         !pvio->mysql->net.tls_self_signed_error &&
-         ma_pvio_tls_verify_server_cert(pvio->ctls))
-    return 1;
-
-  if (pvio->mysql->options.extension &&
-      ((pvio->mysql->options.extension->tls_fp && pvio->mysql->options.extension->tls_fp[0]) ||
-      (pvio->mysql->options.extension->tls_fp_list && pvio->mysql->options.extension->tls_fp_list[0])))
-  {
-    if (ma_pvio_tls_check_fp(pvio->ctls, 
-        pvio->mysql->options.extension->tls_fp,
-        pvio->mysql->options.extension->tls_fp_list))
-      return 1;
-    reset_tls_self_signed_error(pvio->mysql); // validated
-    return 0;
-  }
-
-  if (pvio->mysql->net.tls_self_signed_error && ignore_self_signed_cert_error(pvio))
-    reset_tls_self_signed_error(pvio->mysql);
-
   return 0;
 }
 /* }}} */

libmariadb/ma_tls.c

@@ -103,9 +103,54 @@ my_bool ma_pvio_tls_close(MARIADB_TLS *ctls)
   return ma_tls_close(ctls);
 }
 
-int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls)
+int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
 {
-  return ma_tls_verify_server_cert(ctls);
+  MYSQL *mysql;
+  int rc;
+
+  if (!ctls || !ctls->pvio || !ctls->pvio->mysql)
+    return 0;
+
+  mysql= ctls->pvio->mysql;
+
+  /* Skip peer certificate verification */
+  if (ctls->pvio->mysql->options.extension->tls_allow_invalid_server_cert)
+  {
+    return 0;
+  }
+
+  rc= ma_tls_verify_server_cert(ctls, flags);
+
+  /* Set error messages */
+  if (!mysql->net.last_errno)
+  {
+    if (mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_PERIOD)
+      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+        ER(CR_SSL_CONNECTION_ERROR),
+        "Certificate not yet valid or expired");
+    else if (mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_FINGERPRINT)
+      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+        ER(CR_SSL_CONNECTION_ERROR),
+        "Fingerprint validation of peer certificate failed");
+    else if (mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_REVOKED)
+      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+        ER(CR_SSL_CONNECTION_ERROR),
+        "Certificate revoked");
+    else if (mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_HOST)
+      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+        ER(CR_SSL_CONNECTION_ERROR),
+        "Hostname verification failed");
+    else if (mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_UNKNOWN)
+      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+        ER(CR_SSL_CONNECTION_ERROR),
+        "Peer certificate verification failed");
+    else if (mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_TRUST)
+      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+        ER(CR_SSL_CONNECTION_ERROR),
+        "Peer certificate is not trusted");
+  }
+
+  return rc;
 }
 
 const char *ma_pvio_tls_cipher(MARIADB_TLS *ctls)
@@ -150,8 +195,7 @@ static signed char ma_hex2int(char c)
 
 static my_bool ma_pvio_tls_compare_fp(MARIADB_TLS *ctls,
                                      const char *cert_fp,
-                                     unsigned int cert_fp_len
-)
+                                     unsigned int cert_fp_len)
 {
   const char fp[EVP_MAX_MD_SIZE];
   unsigned int fp_len= EVP_MAX_MD_SIZE;
@@ -206,8 +250,6 @@ static my_bool ma_pvio_tls_compare_fp(MARIADB_TLS *ctls,
     signed char d1, d2;
     if (*p == ':')
       p++;
-    if (p - cert_fp > (int)fp_len - 1)
-      return 1;
     if ((d1 = ma_hex2int(*p)) == -1 ||
       (d2 = ma_hex2int(*(p + 1))) == -1 ||
       (char)(d1 * 16 + d2) != *c)
@@ -270,8 +312,8 @@ void ma_pvio_tls_set_connection(MYSQL *mysql)
   ma_tls_set_connection(mysql);
 }
 
-unsigned int ma_pvio_tls_get_peer_cert_info(MARIADB_TLS *ctls)
+unsigned int ma_pvio_tls_get_peer_cert_info(MARIADB_TLS *ctls, unsigned int size)
 {
-  return ma_tls_get_peer_cert_info(ctls);
+  return ma_tls_get_peer_cert_info(ctls, size);
 }
 #endif /* HAVE_TLS */

libmariadb/mariadb_lib.c

@@ -1295,7 +1295,7 @@ mysql_init(MYSQL *mysql)
   }
   else
   {
-    memset((char*) (mysql), 0, sizeof(*(mysql)));
+    memset(mysql, 0, sizeof(MYSQL));
     mysql->net.pvio= 0;
     mysql->free_me= 0;
     mysql->net.extension= 0;
@@ -1462,7 +1462,7 @@ mysql_real_connect(MYSQL *mysql, const char *host, const char *user,
   if (!mysql->options.extension || !mysql->options.extension->status_callback)
     mysql_optionsv(mysql, MARIADB_OPT_STATUS_CALLBACK, NULL, NULL);
 
-  reset_tls_self_signed_error(mysql);
+  reset_tls_error(mysql);
 
   /* if host contains a semicolon, we need to parse connection string */
   if (host && strchr(host, ';'))
@@ -2468,7 +2468,7 @@ mysql_close(MYSQL *mysql)
     mysql_close_memory(mysql);
     mysql_close_options(mysql);
     ma_clear_session_state(mysql);
-    reset_tls_self_signed_error(mysql);
+    reset_tls_error(mysql);
 
     if (mysql->net.extension)
     {
@@ -4542,12 +4542,18 @@ my_bool mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *arg, ...
   case MARIADB_TLS_PEER_CERT_INFO:
     if (mysql->net.pvio->ctls)
     {
-      if (!ma_pvio_tls_get_peer_cert_info(mysql->net.pvio->ctls))
+      unsigned int size;
+
+      size= va_arg(ap, unsigned int);
+      if (!ma_pvio_tls_get_peer_cert_info(mysql->net.pvio->ctls, size))
         *((MARIADB_X509_INFO **)arg)= (MARIADB_X509_INFO *)&mysql->net.pvio->ctls->cert_info;
       return 0;
     }
     *((MARIADB_X509_INFO **)arg)= NULL;
     break;
+  case MARIADB_TLS_VERIFY_STATUS:
+    *((unsigned int *)arg)= (unsigned int)mysql->net.tls_verify_status;
+    break;
 #endif
   case MARIADB_MAX_ALLOWED_PACKET:
     *((size_t *)arg)= (size_t)max_allowed_packet;