Merge branch '3.3' of https://github.com/mariadb-corporation/mariadb-…

…connector-c into 3.3

CMakeLists.txt

@@ -305,8 +305,7 @@ IF(NOT WITH_SSL STREQUAL "OFF")
     ENDIF()
     IF(OPENSSL_FOUND)
       ADD_DEFINITIONS(-DHAVE_OPENSSL -DHAVE_TLS)
-      SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/openssl.c"
-                      "${CC_SOURCE_DIR}/libmariadb/secure/openssl_crypt.c")
+      SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/openssl.c")
       SET(SSL_LIBRARIES ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY})
       IF(WIN32)
         CHECK_INCLUDE_FILES (${OPENSSL_INCLUDE_DIR}/openssl/applink.c HAVE_OPENSSL_APPLINK_C)
@@ -333,8 +332,7 @@ IF(NOT WITH_SSL STREQUAL "OFF")
     FIND_PACKAGE(GnuTLS "3.3.24" REQUIRED)
     IF(GNUTLS_FOUND)
       ADD_DEFINITIONS(-DHAVE_GNUTLS -DHAVE_TLS)
-      SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/gnutls.c"
-                      "${CC_SOURCE_DIR}/libmariadb/secure/gnutls_crypt.c")
+      SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/gnutls.c")
       SET(SSL_LIBRARIES ${GNUTLS_LIBRARY})
       SET(TLS_LIBRARY_VERSION "GnuTLS ${GNUTLS_VERSION_STRING}")
       INCLUDE_DIRECTORIES(${GNUTLS_INCLUDE_DIR})
@@ -344,13 +342,12 @@ IF(NOT WITH_SSL STREQUAL "OFF")
   ENDIF()
   IF(WIN32)
     IF(WITH_SSL STREQUAL "SCHANNEL")
-      ADD_DEFINITIONS(-DHAVE_SCHANNEL -DHAVE_TLS -DHAVE_WINCRYPT)
+      ADD_DEFINITIONS(-DHAVE_SCHANNEL -DHAVE_TLS)
       SET(SSL_SOURCES "${CC_SOURCE_DIR}/libmariadb/secure/schannel.c"
-                      "${CC_SOURCE_DIR}/libmariadb/secure/win_crypt.c"
                       "${CC_SOURCE_DIR}/libmariadb/secure/ma_schannel.c"
                       "${CC_SOURCE_DIR}/libmariadb/secure/schannel_certs.c")
       INCLUDE_DIRECTORIES("${CC_SOURCE_DIR}/plugins/pvio/")
-      SET(SSL_LIBRARIES secur32 crypt32 bcrypt)
+      SET(SSL_LIBRARIES secur32)
       SET(TLS_LIBRARY_VERSION "Schannel ${CMAKE_SYSTEM_VERSION}")
     ENDIF()
   ENDIF()
@@ -385,7 +382,7 @@ CONFIGURE_FILE(${CC_SOURCE_DIR}/include/mariadb_version.h.in
 INCLUDE_DIRECTORIES(${CC_BINARY_DIR}/include)
 
 IF(WIN32)
-  SET(SYSTEM_LIBS ws2_32 advapi32 kernel32 shlwapi crypt32 bcrypt ${LIBZ})
+  SET(SYSTEM_LIBS ws2_32 advapi32 kernel32 shlwapi crypt32 ${LIBZ})
 ELSE()
   SET(SYSTEM_LIBS ${SYSTEM_LIBS} ${LIBPTHREAD} ${CMAKE_DL_LIBS} ${LIBM})
   IF(ICONV_EXTERNAL)

include/ma_common.h

@@ -86,7 +86,7 @@ struct st_mysql_options_extension {
   unsigned short rpl_port;
   void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...);
   void *status_data;
-  my_bool tls_allow_invalid_server_cert;
+  my_bool tls_verify_server_cert;
 };
 
 typedef struct st_connection_handler
@@ -129,16 +129,3 @@ typedef struct st_mariadb_field_extension
 {
   MARIADB_CONST_STRING metadata[MARIADB_FIELD_ATTR_LAST+1]; /* 10.5 */
 } MA_FIELD_EXTENSION;
-
-#if defined(HAVE_SCHANNEL) || defined(HAVE_GNUTLS)
-#define reset_tls_self_signed_error(mysql)              \
-  do {                                                  \
-    free((char*)mysql->net.tls_self_signed_error);      \
-    mysql->net.tls_self_signed_error= 0;                \
-  } while(0)
-#else
-#define reset_tls_self_signed_error(mysql)              \
-  do {                                                  \
-    mysql->net.tls_self_signed_error= 0;                \
-  } while(0)
-#endif

include/ma_crypt.h

@@ -17,20 +17,34 @@
    51 Franklin St., Fifth Floor, Boston, MA 02110, USA
 */
 
-#ifndef _ma_crypt_h_
-#define _ma_crypt_h_
+#ifndef _ma_hash_h_
+#define _ma_hash_h_
 
-#include <ma_hash.h>
 #include <stddef.h>
 #include <stdarg.h>
 
 /*! Hash algorithms */
+#define MA_HASH_MD5       1
+#define MA_HASH_SHA1      2
+#define MA_HASH_SHA224    3
+#define MA_HASH_SHA256    4
+#define MA_HASH_SHA384    5
+#define MA_HASH_SHA512    6
 #define MA_HASH_RIPEMD160 7
 #define MA_HASH_MAX       8
 
 /*! Hash digest sizes */
+#define MA_MD5_HASH_SIZE 16
+#define MA_SHA1_HASH_SIZE 20
+#define MA_SHA224_HASH_SIZE 28
+#define MA_SHA256_HASH_SIZE 32
+#define MA_SHA384_HASH_SIZE 48
+#define MA_SHA512_HASH_SIZE 64
 #define MA_RIPEMD160_HASH_SIZE 20
 
+#define MA_MAX_HASH_SIZE 64
+/** \typedef MRL hash context */
+
 #if defined(HAVE_WINCRYPT)
 typedef void MA_HASH_CTX;
 #elif defined(HAVE_OPENSSL)
@@ -109,6 +123,8 @@ static inline size_t ma_hash_digest_size(unsigned int hash_alg)
     return MA_SHA384_HASH_SIZE;
   case MA_HASH_SHA512:
     return MA_SHA512_HASH_SIZE;
+  case MA_HASH_RIPEMD160:
+    return MA_RIPEMD160_HASH_SIZE;
   default:
     return 0;
   }
@@ -136,4 +152,4 @@ static inline void ma_hash(unsigned int algorithm,
   ma_hash_free(ctx);
 }
 
-#endif /* _ma_crypt_h_ */
+#endif /* _ma_hash_h_ */

include/ma_tls.h

@@ -1,8 +1,6 @@
 #ifndef _ma_tls_h_
 #define _ma_tls_h_
 
-#include <ma_hash.h>
-
 enum enum_pvio_tls_type {
   SSL_TYPE_DEFAULT=0,
 #ifdef _WIN32
@@ -130,14 +128,12 @@ const char *ma_tls_get_cipher(MARIADB_TLS *ssl);
    returns SHA1 finger print of server certificate
    Parameter:
      MARIADB_TLS  MariaDB SSL container
-     hash_type    hash_type as defined in ma_hash.h
      fp           buffer for fingerprint
      fp_len       buffer length
-
    Returns:
      actual size of finger print
 */
-unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, uint hash_type, char *fp, unsigned int fp_len);
+unsigned int ma_tls_get_finger_print(MARIADB_TLS *ctls, char *fp, unsigned int fp_len);
 
 /* ma_tls_get_protocol_version 
    returns protocol version number in use

include/mariadb_com.h

@@ -288,7 +288,7 @@ typedef struct st_net {
   my_bool unused_2;
   my_bool compress;
   my_bool unused_3;
-  const char *tls_self_signed_error;
+  void *unused_4;
   unsigned int last_errno;
   unsigned char error;
   my_bool unused_5;

include/mysql/client_plugin.h

@@ -43,7 +43,7 @@
 #define MYSQL_CLIENT_PLUGIN_RESERVED2        1
 #define MYSQL_CLIENT_AUTHENTICATION_PLUGIN   2 /* authentication   */
 
-#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION  0x0101
+#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION  0x0100
 #define MYSQL_CLIENT_MAX_PLUGINS             3
 
 /* Connector/C specific plugin types */
@@ -128,7 +128,6 @@ struct st_mysql_client_plugin_AUTHENTICATION
 {
   MYSQL_CLIENT_PLUGIN_HEADER
   int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
-  int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
 };
 
 /******** trace plugin *******/

libmariadb/CMakeLists.txt

@@ -344,10 +344,6 @@ IF(WIN32)
     ${CC_SOURCE_DIR}/win-iconv/win_iconv.c
     win32_errmsg.c
     win32_errmsg.h)
-    IF(WITH_SSL STREQUAL "SCHANNEL")
-      SET(LIBMARIADB_SOURCES ${LIBMARIADB_SOURCES}
-          secure/win_crypt.c)
-    ENDIF()
 ELSE()
   IF(ICONV_INCLUDE_DIR)
      INCLUDE_DIRECTORIES(BEFORE ${ICONV_INCLUDE_DIR}) 

libmariadb/ma_client_plugin.c.in

@@ -111,7 +111,8 @@ static int get_plugin_nr(uint type)
 
 static const char *check_plugin_version(struct st_mysql_client_plugin *plugin, unsigned int version)
 {
-  if (plugin->interface_version >> 8 != version >> 8)
+  if (plugin->interface_version < version ||
+      (plugin->interface_version >> 8) > (version >> 8))
     return "Incompatible client plugin interface";
   return 0;
 }

libmariadb/ma_pvio.c

@@ -522,44 +522,6 @@ my_bool ma_pvio_has_data(MARIADB_PVIO *pvio, ssize_t *data_len)
 /* }}} */
 
 #ifdef HAVE_TLS
-/**
-  Checks if self-signed certificate error should be ignored.
-*/
-static my_bool ignore_self_signed_cert_error(MARIADB_PVIO *pvio)
-{
-  const char *hostname= pvio->mysql->host;
-  const char *local_host_names[]= {
-#ifdef _WIN32
-  /*
-   On Unix, we consider TCP connections with "localhost"
-   an insecure transport, for the single reason to run tests for
-   insecure transport on CI.This is artificial, but should be ok.
-   Default client connections use unix sockets anyway, so it
-   would not hurt much.
-
-   On Windows, the situation is quite different.
-   Default connections type is TCP, default host name is "localhost",
-   non-password plugin gssapi is common (every installation)
-   In this environment, there would be a lot of faux/disruptive
-   "self-signed certificates" errors there. Thus, "localhost" TCP
-   needs to be considered secure transport.
-  */
-  "localhost",
-#endif
-  "127.0.0.1", "::1", NULL};
-  int i;
-  if (pvio->type != PVIO_TYPE_SOCKET)
-    return TRUE;
-  if (!hostname)
-    return FALSE;
-  for (i= 0; local_host_names[i]; i++)
-  {
-    if (strcmp(hostname, local_host_names[i]) == 0)
-      return TRUE;
-  }
-  return FALSE;
-}
-
 /* {{{ my_bool ma_pvio_start_ssl */
 my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
 {
@@ -582,8 +544,7 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
      2. verify CN (requires option ssl_verify_check)
      3. verrify finger print
   */
-  if (!pvio->mysql->options.extension->tls_allow_invalid_server_cert &&
-         !pvio->mysql->net.tls_self_signed_error &&
+  if (pvio->mysql->options.extension->tls_verify_server_cert &&
          ma_pvio_tls_verify_server_cert(pvio->ctls))
     return 1;
 
@@ -595,12 +556,8 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
           pvio->mysql->options.extension->tls_fp,
           pvio->mysql->options.extension->tls_fp_list))
       return 1;
-    reset_tls_self_signed_error(pvio->mysql); // validated
   }
 
-  if (pvio->mysql->net.tls_self_signed_error && ignore_self_signed_cert_error(pvio))
-    reset_tls_self_signed_error(pvio->mysql);
-
   return 0;
 }
 /* }}} */