cleanup: X509_check_host() in the internal client

X509_check_host() and X509_check_ip_asc() exist in all supported SSL libraries in OpenSSL >= 1.0.2 and in the bundled WolfSSL And X509_free() handles NULL pointers all right.
MariaDB · Feb 4, 2024 · 05a421e · 05a421e
1 parent f4e174e
commit 05a421e
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 69 deletions.
diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
@@ -59,7 +59,6 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
   SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
   SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
   SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
-  SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
   SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY API")
   CHANGE_SSL_SETTINGS("bundled")
   ADD_SUBDIRECTORY(extra/wolfssl)
@@ -157,8 +156,6 @@ MACRO (MYSQL_CHECK_SSL)
                           HAVE_EncryptAes128Ctr)
       CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
                           HAVE_EncryptAes128Gcm)
-      CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
-                          HAVE_X509_check_host)
       CHECK_SYMBOL_EXISTS(EVP_PKEY_CTX_set_hkdf_md "string.h;stdarg.h;openssl/kdf.h"
                           HAVE_hkdf)
       SET(CMAKE_REQUIRED_INCLUDES)

diff --git a/mysql-test/suite.pm b/mysql-test/suite.pm
@@ -80,15 +80,8 @@ sub skip_combinations {
 
   $skip{'main/openssl_6975.test'} = 'no or wrong openssl version'
     unless $openssl_ver ge "1.0.1d" and $openssl_ver lt "1.1.1";
-
-  $skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
-    unless $ssl_lib =~ /WolfSSL/ or $openssl_ver ge "1.0.2";
-
   $skip{'main/func_kdf.combinations'} = [ $ssl_lib =~ /OpenSSL 1\.0\./ ? 'new' : 'old' ];
 
-  $skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
-    unless $openssl_ver ge "1.0.2";
-
   sub utf8_command_line_ok() {
    if (IS_WINDOWS) {
      # Can use UTF8 on command line since Windows 10 1903 (10.0.18362)

diff --git a/sql-common/client.c b/sql-common/client.c
@@ -1583,21 +1583,12 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
 
 #if defined(HAVE_OPENSSL)
 
-#ifdef HAVE_X509_check_host
 #include <openssl/x509v3.h>
-#endif
 
 static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr)
 {
   SSL *ssl;
   X509 *server_cert= NULL;
-#ifndef HAVE_X509_check_host
-  char *cn= NULL;
-  int cn_loc= -1;
-  ASN1_STRING *cn_asn1= NULL;
-  X509_NAME_ENTRY *cn_entry= NULL;
-  X509_NAME *subject= NULL;
-#endif
   int ret_validation= 1;
 
   DBUG_ENTER("ssl_verify_server_cert");
@@ -1632,59 +1623,13 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
     are what we expect.
   */
 
-#ifdef HAVE_X509_check_host
-  ret_validation=
-    X509_check_host(server_cert, server_hostname,
-       strlen(server_hostname), 0, 0) != 1;
-#ifndef HAVE_WOLFSSL
-   if (ret_validation)
-   {
-     ret_validation=
-         X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
-   }
-#endif
-#else
-  subject= X509_get_subject_name(server_cert);
-  cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
-  if (cn_loc < 0)
-  {
-    *errptr= "Failed to get CN location in the certificate subject";
-    goto error;
-  }
-  cn_entry= X509_NAME_get_entry(subject, cn_loc);
-  if (cn_entry == NULL)
-  {
-    *errptr= "Failed to get CN entry using CN location";
-    goto error;
-  }
-
-  cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry);
-  if (cn_asn1 == NULL)
-  {
-    *errptr= "Failed to get CN from CN entry";
-    goto error;
-  }
-
-  cn= (char *) ASN1_STRING_get0_data(cn_asn1);
-
-  if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
-  {
-    *errptr= "NULL embedded in the certificate CN";
-    goto error;
-  }
-
-  DBUG_PRINT("info", ("Server hostname in cert: %s", cn));
-  if (!strcmp(cn, server_hostname))
-  {
-    /* Success */
-    ret_validation= 0;
-  }
-#endif
+  ret_validation= X509_check_host(server_cert, server_hostname,
+                                  strlen(server_hostname), 0, 0) != 1 &&
+                  X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
   *errptr= "SSL certificate validation failure";
 
 error:
-  if (server_cert != NULL)
-    X509_free (server_cert);
+  X509_free(server_cert);
   DBUG_RETURN(ret_validation);
 }