CONC-795: Implementation of client side SNI support

9EOR9 · 9EOR9 · commit bd4100b9dc97 · 2025-10-06T09:47:22.000+02:00
diff --git a/include/ma_tls.h b/include/ma_tls.h
@@ -28,6 +28,7 @@ enum enum_pvio_tls_type {
 ((m)->options.extension->tls_fp_list && (m)->options.extension->tls_fp_list[0]))
 
 extern char tls_library_version[TLS_VERSION_LENGTH];
+extern my_bool ma_is_ip_address(const char *s);
 
 typedef struct st_ma_pvio_tls {
   void *data;
diff --git a/libmariadb/ma_net.c b/libmariadb/ma_net.c
@@ -80,7 +80,6 @@ ulong net_buffer_length= 8192;	/* Default length. Enlarged if necessary */
 
 int ma_net_write_buff(NET *net,const char *packet, size_t len);
 
-
 /* Init with packet info */
 
 int ma_net_init(NET *net, MARIADB_PVIO* pvio)
diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
@@ -168,6 +168,18 @@ my_bool ma_check_buffer_boundaries(MYSQL *mysql, uchar *current_pos,
   return 0;
 }
 
+my_bool ma_is_ip_address(const char *s)
+{
+  struct in_addr  v4;
+  struct in6_addr v6;
+
+  if (inet_pton(AF_INET, s, &v4) == 1 ||
+      inet_pton(AF_INET6, s, &v6) == 1)
+    return 1;
+
+  return 0;
+}
+
 /* net_get_error */
 void net_get_error(char *buf, size_t buf_len,
        char *error, size_t error_len,
diff --git a/libmariadb/secure/gnutls.c b/libmariadb/secure/gnutls.c
@@ -1162,7 +1162,11 @@ void *ma_tls_init(MYSQL *mysql)
      a client certificate we will send it via callback function */
   if ((ssl_error= gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx)) < 0)
     goto error;
-  
+
+  if (mysql->host && !ma_is_ip_address(mysql->host))
+    if ((ssl_error = gnutls_server_name_set(ssl, GNUTLS_NAME_DNS, mysql->host, strlen(mysql->host))) < 0)
+      goto error;
+
   pthread_mutex_unlock(&LOCK_gnutls_config);
   return (void *)ssl;
 error:
diff --git a/libmariadb/secure/ma_schannel.c b/libmariadb/secure/ma_schannel.c
@@ -84,16 +84,20 @@ SECURITY_STATUS ma_schannel_handshake_loop(MARIADB_PVIO *pvio, my_bool InitialRe
   PUCHAR          IoBuffer;
   BOOL            fDoRead;
   MARIADB_TLS     *ctls= pvio->ctls;
+  MYSQL *mysql=   pvio->mysql;
   SC_CTX          *sctx= (SC_CTX *)ctls->ssl;
+  char            *sni_host= NULL;
 
 
   dwSSPIFlags = ISC_REQ_SEQUENCE_DETECT |
                 ISC_REQ_REPLAY_DETECT |
                 ISC_REQ_CONFIDENTIALITY |
                 ISC_RET_EXTENDED_ERROR |
-                ISC_REQ_ALLOCATE_MEMORY | 
+                ISC_REQ_ALLOCATE_MEMORY |
                 ISC_REQ_STREAM;
 
+  if (mysql->host && !ma_is_ip_address(mysql->host))
+    sni_host= mysql->host;
 
   /* Allocate data buffer */
   if (!(IoBuffer = malloc(SC_IO_BUFFER_SIZE)))
@@ -166,7 +170,7 @@ SECURITY_STATUS ma_schannel_handshake_loop(MARIADB_PVIO *pvio, my_bool InitialRe
 
     rc = InitializeSecurityContextA(&sctx->CredHdl,
                                     &sctx->hCtxt,
-                                    NULL,
+                                    sni_host,
                                     dwSSPIFlags,
                                     0,
                                     SECURITY_NATIVE_DREP,
diff --git a/libmariadb/secure/openssl.c b/libmariadb/secure/openssl.c
@@ -447,6 +447,12 @@ void *ma_tls_init(MYSQL *mysql)
   if (!(ssl= SSL_new(ctx)))
     goto error;
 
+#if !defined(OPENSSL_NO_TLSEXT)
+  if (mysql->host && !ma_is_ip_address(mysql->host))
+    if (!SSL_set_tlsext_host_name(ssl, mysql->host))
+      goto error;
+#endif
+
   if (!SSL_set_app_data(ssl, mysql))
     goto error;
 
diff --git a/unittest/libmariadb/tls.c.in b/unittest/libmariadb/tls.c.in
@@ -827,9 +827,60 @@ static int test_cert_ip(MYSQL *my __attribute((unused)))
   return OK;
 }
 
+static int test_conc795(MYSQL *my __attribute__((unused)))
+{
+  MYSQL *mysql= mysql_init(NULL);
+  MYSQL_RES *res= NULL;
+  int rc, ret= FAIL;
+  MYSQL_ROW row;
+
+  set_verify(mysql, 0);
+
+  if (ma_is_ip_address(hostname))
+  {
+    diag("SNI test skipped (hostname = ip address");
+    ret = SKIP;
+    goto end;
+  }
+
+  mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL);
+
+  if (!my_test_connect(mysql, hostname, username, password, schema,
+                       port, socketname, 0, 0))
+  {
+    diag("error: %s", mysql_error(mysql));
+    goto end;
+  }
+
+  rc= mysql_query(mysql, "SHOW STATUS LIKE 'Tls_sni_server_name'");
+  check_mysql_rc(rc, mysql);
+
+  if (!(res = mysql_store_result(mysql)) || !(row = mysql_fetch_row(res)))
+  {
+    diag("Server doesn't support tls_sni_server_name");
+    ret= SKIP;
+    goto end;
+  }
+
+  if (strcmp(row[1], hostname))
+  {
+    diag("SNI mismatch: %s != %s", hostname, row[1]);
+    goto end;
+  }
+
+  diag("SNI match: %s == %s", hostname, row[1]);
+  ret= OK;
+end:
+  if (res)
+    mysql_free_result(res);
+  mysql_close(mysql);
+  return ret;
+}
+
 
 struct my_tests_st my_tests[] = {
   /* Don't add test above, test_init needs to be run first */
+  {"test_conc795", test_conc795, TEST_CONNECTION_NEW, 0, NULL, NULL},
   {"test_start_tls_server", test_start_tls_server, TEST_CONNECTION_NONE, 0, NULL, NULL},
   {"test_init", test_init, TEST_CONNECTION_NONE, 0, NULL, NULL},
   /* Here you can add more tests */
