MonetDB: monetdburl - Avoid Unicode characters in normal strings...
Changeset: 6fc9e8f0ba1f for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/6fc9e8f0ba1f Modified Files: clients/mapilib/mapi.c Branch: monetdburl Log Message: Avoid Unicode characters in normal strings, use UTF-8 encoding explicitly. MSVC doesn't like \u23ce (doesn't know how to convert to whatever code page it's using). diffs (26 lines): diff --git a/clients/mapilib/mapi.c b/clients/mapilib/mapi.c --- a/clients/mapilib/mapi.c +++ b/clients/mapilib/mapi.c @@ -1214,7 +1214,7 @@ mapi_log_header(Mapi mid, const char *fi if (firstcall == 0) firstcall = now; double seconds = (double)(now - firstcall) / 1e6; - mnstr_printf(mid->tracelog, "▶ [%u] t=%.3fs %s %s(), line %ld\n", mid->index, seconds, mark, filename, line); + mnstr_printf(mid->tracelog, "\342\226\266 [%u] t=%.3fs %s %s(), line %ld\n", mid->index, seconds, mark, filename, line); /* U+25B6: right-pointing triangle */ } void @@ -1271,7 +1271,7 @@ mapi_impl_log_data(Mapi mid, const char mapi_log_header(mid, filename, line, mark); mnstr_write(mid->tracelog, start, 1, len); if (len > 0 && start[len - 1] != '\n') - mnstr_writeStr(mid->tracelog, "\u23ce\n"); + mnstr_writeStr(mid->tracelog, "\342\217\216\n"); /* U+23CE: return symbol */ mnstr_flush(mid->tracelog, MNSTR_FLUSH_DATA); } @@ -4677,4 +4677,3 @@ bailout: // malloc failure is the only way these calls could have failed return mapi_printError(mid, __func__, MERROR, "%s: %s", error_message, mnstr_peek_error(error_stream)); } - ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Install openssl libraries on Windows.
Changeset: ecff245bc383 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/ecff245bc383 Modified Files: NT/mkodbcwxs.py NT/mksqlwxs.py Branch: monetdburl Log Message: Install openssl libraries on Windows. diffs (50 lines): diff --git a/NT/mkodbcwxs.py b/NT/mkodbcwxs.py --- a/NT/mkodbcwxs.py +++ b/NT/mkodbcwxs.py @@ -36,10 +36,12 @@ def main(): if sys.argv[2] == '64': folder = r'ProgramFiles64Folder' arch = 'x64' +libcrypto = '-x64' vcpkg = r'C:\vcpkg\installed\x64-windows\{}' else: folder = r'ProgramFilesFolder' arch = 'x86' +libcrypto = '' vcpkg = r'C:\vcpkg\installed\x86-windows\{}' vcdir = os.getenv('VCINSTALLDIR') if vcdir is None: @@ -91,6 +93,8 @@ def main(): vcpkg.format(r'bin\iconv-2.dll'), vcpkg.format(r'bin\bz2.dll'), vcpkg.format(r'bin\charset-1.dll'), # for iconv-2.dll + vcpkg.format(r'bin\libcrypto-3{}.dll'.format(libcrypto)), + vcpkg.format(r'bin\libssl-3{}.dll'.format(libcrypto)), vcpkg.format(r'bin\lz4.dll'), vcpkg.format(r'bin\liblzma.dll'), vcpkg.format(r'bin\zlib1.dll')]) diff --git a/NT/mksqlwxs.py b/NT/mksqlwxs.py --- a/NT/mksqlwxs.py +++ b/NT/mksqlwxs.py @@ -43,10 +43,12 @@ def main(): if sys.argv[2] == '64': folder = r'ProgramFiles64Folder' arch = 'x64' +libcrypto = '-x64' vcpkg = r'C:\vcpkg\installed\x64-windows\{}' else: folder = r'ProgramFilesFolder' arch = 'x86' +libcrypto = '' vcpkg = r'C:\vcpkg\installed\x86-windows\{}' vcdir = os.getenv('VCINSTALLDIR') if vcdir is None: @@ -158,6 +160,8 @@ def main(): vcpkg.format(r'bin\bz2.dll'), vcpkg.format(r'bin\charset-1.dll'), # for iconv-2.dll vcpkg.format(r'bin\getopt.dll'), + vcpkg.format(r'bin\libcrypto-3{}.dll'.format(libcrypto)), + vcpkg.format(r'bin\libssl-3{}.dll'.format(libcrypto)), vcpkg.format(r'bin\libxml2.dll'), vcpkg.format(r'bin\lz4.dll'), vcpkg.format(r'bin\liblzma.dll'), ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
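Review bot: The new `libcrypto` variable actually holds an architecture suffix that is applied to both `libcrypto-3{}.dll` and `libssl-3{}.dll`, so the name misleads a reader into thinking it selects one library; `arch_suffix = '-x64'` / `arch_suffix = ''` would say what it is. The OpenSSL major version `3` is now hard-coded in four places across the two scripts and would be easier to bump if it lived in one variable beside that suffix. Whatever naming is chosen should be applied to both mkodbcwxs.py and mksqlwxs.py, since the hunks are duplicates of each other. `main()` starts and ends outside these hunks.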
MonetDB: monetdburl - Make test systemcertificates.py more verbose
Changeset: 46ff763b3ca8 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/46ff763b3ca8 Modified Files: clients/mapilib/Tests/systemcertificates.py Branch: monetdburl Log Message: Make test systemcertificates.py more verbose diffs (21 lines): diff --git a/clients/mapilib/Tests/systemcertificates.py b/clients/mapilib/Tests/systemcertificates.py --- a/clients/mapilib/Tests/systemcertificates.py +++ b/clients/mapilib/Tests/systemcertificates.py @@ -16,7 +16,7 @@ import sys HOST = 'python.org' # Run mclient -cmd = ['mclient', '-d', f"monetdbs://{HOST}:443/demo"] +cmd = ['mclient', '-L-', '-d', f"monetdbs://{HOST}:443/demo"] proc = subprocess.run(cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE) assert proc.returncode == 2, f"mclient is supposed to exit with status 2, not {proc.returncode}" @@ -25,5 +25,7 @@ assert proc.returncode == 2, f"mclient i # # In ASCII, 'H' + 256 * 'T' is 21576. if b'21576' not in proc.stderr: -print(f"Expected mclient to print an error message containing the number 21576, got:\n{proc.stderr}\n", file=sys.stderr) +msg = str(proc.stderr, 'utf-8') +print(f"Expected mclient to print an error message containing the number 21576, got:\n--- stderr ---\n{msg}\n---end stderr ---", file=sys.stderr) exit(1) + ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
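Review bot: `str(proc.stderr, 'utf-8')` raises UnicodeDecodeError if mclient's stderr contains bytes that are not valid UTF-8 (a console code page on Windows is a plausible source), and the resulting traceback would hide the diagnostic this change is meant to print. Use `msg = proc.stderr.decode('utf-8', errors='replace')` so the message is always shown. Minor: the closing marker `---end stderr ---` lacks the space that `--- stderr ---` has, which only matters if something later greps for the pair.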
MonetDB: monetdburl - Use Windows Crypt API to extract system ce...
Changeset: 652d00b37663 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/652d00b37663 Added Files: clients/mapilib/openssl_windows.c Modified Files: clients/mapilib/CMakeLists.txt clients/mapilib/connect_openssl.c clients/mapilib/mapi_intern.h Branch: monetdburl Log Message: Use Windows Crypt API to extract system certificates diffs (290 lines): diff --git a/clients/mapilib/CMakeLists.txt b/clients/mapilib/CMakeLists.txt --- a/clients/mapilib/CMakeLists.txt +++ b/clients/mapilib/CMakeLists.txt @@ -25,6 +25,7 @@ target_sources(mapi parseurl.c $<$:connect_unix.c> $<$:connect_openssl.c> + $<$:$<$:openssl_windows.c>> mapi_intern.h PUBLIC $/mapi.h> @@ -46,6 +47,7 @@ target_link_libraries(mapi stream mutils $<$:OpenSSL::SSL> + $<$:$<$:crypt32>> $<$:ws2_32>) target_compile_definitions(mapi diff --git a/clients/mapilib/connect_openssl.c b/clients/mapilib/connect_openssl.c --- a/clients/mapilib/connect_openssl.c +++ b/clients/mapilib/connect_openssl.c @@ -11,10 +11,8 @@ #include #include -static MapiMsg croak(Mapi mid, const char *action, const char *fmt, ...) - __attribute__(( __format__(__printf__, 3, 4) )); -static MapiMsg -croak(Mapi mid, const char *action, const char *fmt, ...) +MapiMsg +croak_openssl(Mapi mid, const char *action, const char *fmt, ...) { va_list ap; char buffer[800]; @@ -38,6 +36,16 @@ croak(Mapi mid, const char *action, cons return mapi_printError(mid, action, MERROR, "TLS error: %s", buffer); } +#ifndef NATIVE_WIN32 +MapiMsg +add_system_certificates(Mapi mid, SSL_CTX *ctx) +{ + (void)mid; + (void)ctx; + return MOK; +} +#endif + static MapiMsg make_ssl_context(Mapi mid, SSL_CTX **ctx_out) { 
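Review bot: Exporting `croak` as `croak_openssl` drops the `__attribute__(( __format__(__printf__, 3, 4) ))` that the removed prototype carried, so `-Wformat` no longer checks the `fmt`/argument pairs at the many call sites unless the declaration added to mapi_intern.h (not shown on this page) restores it. Since the function formats into a fixed `char buffer[800]` visible in this hunk, that attribute is the only compile-time guard against a mismatched specifier; keep it on the header prototype: `MapiMsg croak_openssl(Mapi mid, const char *action, const char *fmt, ...) __attribute__(( __format__(__printf__, 3, 4) ));`. The non-Windows `add_system_certificates` stub in the second hunk is fine as a no-op, but a one-line comment saying that system certificates are then left to `SSL_CTX_set_default_verify_paths` would spare the next reader a search.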
@@ -50,10 +58,10 @@ make_ssl_context(Mapi mid, SSL_CTX **ctx const SSL_METHOD *method = TLS_method(); if (!method) - return croak(mid, __func__, "TLS_method"); + return croak_openssl(mid, __func__, "TLS_method"); SSL_CTX *ctx = SSL_CTX_new(method); if (!ctx) - return croak(mid, __func__, "SSL_CTX_new"); + return croak_openssl(mid, __func__, "SSL_CTX_new"); // From here on we need to free 'ctx' on failure SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); @@ -72,13 +80,18 @@ make_ssl_context(Mapi mid, SSL_CTX **ctx cert = msetting_string(mid->settings, MP_CERT); if (1 != SSL_CTX_load_verify_locations(ctx, cert, NULL)) { SSL_CTX_free(ctx); - return croak(mid, __func__, "SSL_CTX_load_verify_file: %s", cert); + return croak_openssl(mid, __func__, "SSL_CTX_load_verify_file: %s", cert); } break; case verify_system: if (1 != SSL_CTX_set_default_verify_paths(ctx)) { SSL_CTX_free(ctx); - return croak(mid, __func__, "SSL_CTX_set_default_verify_paths"); + return croak_openssl(mid, __func__, "SSL_CTX_set_default_verify_paths"); + } + MapiMsg msg = add_system_certificates(mid, ctx); + if (msg != MOK) { + SSL_CTX_free(ctx); + return msg; } break; } @@ -123,7 +136,7 @@ wrap_tls(Mapi mid, SOCKET sock) if (bio == NULL) { closesocket(sock); SSL_CTX_free(ctx); - return croak(mid, __func__, "BIO_new_ssl"); + return croak_openssl(mid, __func__, "BIO_new_ssl"); } // BIO_new_ssl() inc'd the reference count of ctx so we can drop our // reference here. @@ -134,7 +147,7 @@ wrap_tls(Mapi mid, SOCKET sock) if (1 != BIO_get_ssl(bio, &ssl)) { closesocket(sock); BIO_free(bio); - return croak(mid, __func__, "BIO_get_ssl"); + return croak_openssl(mid, __func__, "BIO_get_ssl"); } // As far as I know the SSL returned by BIO_get_ssl has not had // its refcount inc'd so we don't need to free it. 
@@ -150,7 +163,7 @@ wrap_tls(Mapi mid, SOCKET sock) if (sockbio == NULL) { closesocket(sock); BIO_free_all(bio); - return croak(mid, __func__, "BIO_new_socket"); + return croak_openssl(mid, __func__, "BIO_new_socket"); } // From here on, 'sock' will be free'd by 'sockbio'. // On error: free 'sockbio' and free 'bio'. @@ -158,7 +171,7 @@ wrap_tls(Mapi mid, SOCKET sock) if (!BIO_up_ref(sockbio)) { BIO_free_all(sockbio); BIO_free_all(bio); - return croak(mid, __func__, "BIO_up_ref soc
MonetDB: monetdburl - Add copyright notices
Changeset: 2b59493de8a7 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/2b59493de8a7 Modified Files: clients/examples/C/murltest.c clients/examples/C/murltest.h clients/examples/C/testsfile.c clients/mapilib/Tests/murltest.py clients/mapilib/Tests/systemcertificates.py clients/mapilib/Tests/tlssecurity.py clients/mapilib/Tests/tlstester.py clients/mapilib/connect.c clients/mapilib/connect_openssl.c clients/mapilib/connect_unix.c clients/mapilib/mapi_intern.h clients/mapilib/msettings.c clients/mapilib/msettings.h clients/mapilib/openssl_windows.c clients/mapilib/parseurl.c common/stream/openssl_stream.c Branch: monetdburl Log Message: Add copyright notices diffs (258 lines): diff --git a/clients/examples/C/murltest.c b/clients/examples/C/murltest.c --- a/clients/examples/C/murltest.c +++ b/clients/examples/C/murltest.c @@ -1,3 +1,13 @@ +/* + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. + */ + #define _POSIX_C_SOURCE 200809L #include "murltest.h" diff --git a/clients/examples/C/murltest.h b/clients/examples/C/murltest.h --- a/clients/examples/C/murltest.h +++ b/clients/examples/C/murltest.h @@ -1,3 +1,13 @@ +/* + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. + */ + #include "monetdb_config.h" #include "stream.h" diff --git a/clients/examples/C/testsfile.c b/clients/examples/C/testsfile.c --- a/clients/examples/C/testsfile.c +++ b/clients/examples/C/testsfile.c 
@@ -1,3 +1,12 @@ +/* + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. + */ #include "monetdb_config.h" #define _POSIX_C_SOURCE 200809L diff --git a/clients/mapilib/Tests/murltest.py b/clients/mapilib/Tests/murltest.py --- a/clients/mapilib/Tests/murltest.py +++ b/clients/mapilib/Tests/murltest.py @@ -1,3 +1,11 @@ +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. + import os import subprocess import sys diff --git a/clients/mapilib/Tests/systemcertificates.py b/clients/mapilib/Tests/systemcertificates.py --- a/clients/mapilib/Tests/systemcertificates.py +++ b/clients/mapilib/Tests/systemcertificates.py @@ -1,3 +1,10 @@ +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. import subprocess diff --git a/clients/mapilib/Tests/tlssecurity.py b/clients/mapilib/Tests/tlssecurity.py --- a/clients/mapilib/Tests/tlssecurity.py +++ b/clients/mapilib/Tests/tlssecurity.py 
@@ -1,3 +1,10 @@ +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. import logging diff --git a/clients/mapilib/Tests/tlstester.py b/clients/mapilib/Tests/tlstester.py --- a/clients/mapilib/Tests/tlstester.py +++ b/clients/mapilib/Tests/tlstester.py @@ -1,5 +1,13 @@ #!/usr/bin/env python3 +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. + from argparse import ArgumentParser from datetime import datetime, timedelta import hashlib diff --git a/clients/mapilib/connect.c b/clients/mapilib/connect.c --- a/clients/mapilib/connect.c +++ b/clients/mapilib/connect.c @@ -1,3 +1,12 @@ +/* + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v
MonetDB: monetdburl - Do not include monetdb_config.h in msettin...
Changeset: a9310eea3cc1 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/a9310eea3cc1 Modified Files: clients/mapilib/msettings.h Branch: monetdburl Log Message: Do not include monetdb_config.h in msettings.h diffs (11 lines): diff --git a/clients/mapilib/msettings.h b/clients/mapilib/msettings.h --- a/clients/mapilib/msettings.h +++ b/clients/mapilib/msettings.h @@ -10,7 +10,6 @@ #ifndef _MSETTINGS_H #define _MSETTINGS_H 1 -#include "monetdb_config.h" #include #define MP__BOOL_START (100) ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: default - Give catalog_cnt and catalog_lid bats a name ...
Changeset: da26af578332 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/da26af578332 Modified Files: gdk/gdk_logger.c Branch: default Log Message: Give catalog_cnt and catalog_lid bats a name for debugging purposes. diffs (52 lines): diff --git a/gdk/gdk_logger.c b/gdk/gdk_logger.c --- a/gdk/gdk_logger.c +++ b/gdk/gdk_logger.c @@ -1642,11 +1642,23 @@ cleanup_and_swap(logger *lg, int *r, con lg->catalog_id = noids; lg->dcatalog = ndels; + /* failing to rename these two bats is not fatal */ + if (BBPrename(lg->catalog_cnt, NULL) != GDK_SUCCEED) + GDKclrerr(); + if (BBPrename(lg->catalog_lid, NULL) != GDK_SUCCEED) + GDKclrerr(); BBPunfix(lg->catalog_cnt->batCacheid); BBPunfix(lg->catalog_lid->batCacheid); lg->catalog_cnt = ncnts; lg->catalog_lid = nlids; + char bak[FILENAME_MAX]; + strconcat_len(bak, sizeof(bak), lg->fn, "_catalog_cnt", NULL); + if (BBPrename(lg->catalog_cnt, bak) < 0) + GDKclrerr(); + strconcat_len(bak, sizeof(bak), lg->fn, "_catalog_lid", NULL); + if (BBPrename(lg->catalog_lid, bak) < 0) + GDKclrerr(); lg->cnt = BATcount(lg->catalog_bid); lg->deleted -= cleanup; return rcnt; 
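Review bot: The four new BBPrename checks in cleanup_and_swap test the result two different ways — `!= GDK_SUCCEED` for the renames to NULL and `< 0` for the renames to `bak` — although all four are followed by the same `GDKclrerr()`; pick one form so a reader does not wonder whether BBPrename has a third outcome. The same `< 0` form appears in the log_load hunk below. The renames to NULL just before the `BBPunfix` calls also deserve a word on why, presumably to release the names so the replacement bats can take them a few lines later: `/* drop the names so the new bats can be given them below */`. cleanup_and_swap starts and ends outside this hunk.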
@@ -2061,16 +2073,24 @@ log_load(const char *fn, const char *log BBPretain(lg->catalog_id->batCacheid); BBPretain(lg->dcatalog->batCacheid); } + /* failing to rename the catalog_cnt and catalog_lid bats is not +* fatal */ lg->catalog_cnt = logbat_new(TYPE_lng, 1, SYSTRANS); if (lg->catalog_cnt == NULL) { GDKerror("failed to create catalog_cnt bat"); goto error; } + strconcat_len(bak, sizeof(bak), fn, "_catalog_cnt", NULL); + if (BBPrename(lg->catalog_cnt, bak) < 0) + GDKclrerr(); lg->catalog_lid = logbat_new(TYPE_lng, 1, SYSTRANS); if (lg->catalog_lid == NULL) { GDKerror("failed to create catalog_lid bat"); goto error; } + strconcat_len(bak, sizeof(bak), fn, "_catalog_lid", NULL); + if (BBPrename(lg->catalog_lid, bak) < 0) + GDKclrerr(); if (bm_get_counts(lg) != GDK_SUCCEED) goto error; ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Include monetdb_config.h in users of msett...
Changeset: 5bbdff377cc3 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/5bbdff377cc3 Modified Files: clients/examples/C/testsfile.c clients/mapilib/msettings.c clients/mapilib/openssl_windows.c clients/mapilib/parseurl.c Branch: monetdburl Log Message: Include monetdb_config.h in users of msettings.h diffs (46 lines): diff --git a/clients/examples/C/testsfile.c b/clients/examples/C/testsfile.c --- a/clients/examples/C/testsfile.c +++ b/clients/examples/C/testsfile.c @@ -9,7 +9,6 @@ */ #include "monetdb_config.h" -#define _POSIX_C_SOURCE 200809L #include "murltest.h" #include "msettings.h" diff --git a/clients/mapilib/msettings.c b/clients/mapilib/msettings.c --- a/clients/mapilib/msettings.c +++ b/clients/mapilib/msettings.c @@ -8,7 +8,7 @@ * Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. */ - +#include "monetdb_config.h" #include "msettings.h" diff --git a/clients/mapilib/openssl_windows.c b/clients/mapilib/openssl_windows.c --- a/clients/mapilib/openssl_windows.c +++ b/clients/mapilib/openssl_windows.c @@ -63,7 +63,7 @@ add_system_certificates(Mapi mid, SSL_CT X509_STORE *x509_store = SSL_CTX_get_cert_store(ctx); HCERTSTORE sysstore = NULL; const CERT_CONTEXT *item = NULL; - + mapi_log_record(mid, "CONN", "Enumerating system certificates"); sysstore = CertOpenSystemStoreW(0, L"ROOT"); diff --git a/clients/mapilib/parseurl.c b/clients/mapilib/parseurl.c --- a/clients/mapilib/parseurl.c +++ b/clients/mapilib/parseurl.c @@ -9,6 +9,7 @@ */ +#include "monetdb_config.h" #include "msettings.h" ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Mark parameters that have not been impleme...
Changeset: 2bfcb93b1a86 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/2bfcb93b1a86 Modified Files: clients/mapilib/msettings.h Branch: monetdburl Log Message: Mark parameters that have not been implemented yet diffs (25 lines): diff --git a/clients/mapilib/msettings.h b/clients/mapilib/msettings.h --- a/clients/mapilib/msettings.h +++ b/clients/mapilib/msettings.h @@ -48,17 +48,17 @@ typedef enum mparm { MP_SOCK = MP__STRING_START, MP_SOCKDIR, MP_CERT, -MP_CLIENTKEY, -MP_CLIENTCERT, +MP_CLIENTKEY, // TODO implement this +MP_CLIENTCERT, // TODO implement this MP_HOST, MP_DATABASE, MP_TABLESCHEMA, MP_TABLE, -MP_CERTHASH, +MP_CERTHASH, // TODO implement this MP_USER, MP_PASSWORD, MP_LANGUAGE, -MP_SCHEMA, +MP_SCHEMA, // TODO implement this MP_BINARY, } mparm; ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Implement client certificates
Changeset: b4ccbe3a3fe6 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/b4ccbe3a3fe6 Modified Files: clients/mapilib/Tests/tlssecurity.py clients/mapilib/connect_openssl.c clients/mapilib/msettings.h Branch: monetdburl Log Message: Implement client certificates diffs (73 lines): diff --git a/clients/mapilib/Tests/tlssecurity.py b/clients/mapilib/Tests/tlssecurity.py --- a/clients/mapilib/Tests/tlssecurity.py +++ b/clients/mapilib/Tests/tlssecurity.py @@ -143,8 +143,7 @@ attempt('refuse_expired', 'expiredcert', # Authenticate using client2.key and client2.crt. Have a succesful MAPI # exchange. -# TODO -#attempt('connect_client_auth', 'clientauth', None, cert=certpath('ca1.crt'),clientcert=certpath('client2.crt'), clientkey=certpath('client2.key')) +attempt('connect_client_auth', 'clientauth', None, cert=certpath('ca1.crt'), clientcert=certpath('client2.crt'), clientkey=certpath('client2.key')) # fail_plain_to_tls # diff --git a/clients/mapilib/connect_openssl.c b/clients/mapilib/connect_openssl.c --- a/clients/mapilib/connect_openssl.c +++ b/clients/mapilib/connect_openssl.c @@ -125,6 +125,11 @@ wrap_tls(Mapi mid, SOCKET sock) size_t hostlen = strlen(host); size_t hostportlen = hostlen + 1 + 20; + const char *clientkey = msetting_string(settings, MP_CLIENTKEY); + const char *clientcert = msetting_string(settings, MP_CLIENTCERT); + if (!clientcert[0]) + clientcert = clientkey; // this logic should be virtual parameters in the spec! + // Clear any earlier errrors do {} while (ERR_get_error() != 0); 
@@ -192,10 +197,29 @@ wrap_tls(Mapi mid, SOCKET sock) return croak_openssl(mid, __func__, "SSL_set_tlsext_host_name"); } +// if target.clientkey: +// ssl_context.load_cert_chain( +// certfile=target.clientcert if target.clientcert is not None else target.clientkey, +// keyfile=target.clientkey, +// password=target.clientkeypassword, +// ) + assert(clientkey); + assert(clientcert); + if (clientkey[0]) { + if (1 != SSL_use_PrivateKey_file(ssl, clientkey, SSL_FILETYPE_PEM)) { + BIO_free_all(bio); + return croak_openssl(mid, __func__, "SSL_use_PrivateKey_file"); + } + if (1 != SSL_use_certificate_chain_file(ssl, clientcert)) { + BIO_free_all(bio); + return croak_openssl(mid, __func__, "SSL_use_certificate_chain_file"); + } + } + // handshake if (1 != SSL_connect(ssl)) { BIO_free_all(bio); - return croak_openssl(mid, __func__, "SSL_connect"); + return croak_openssl(mid, __func__, "SSL_connect handshake"); } / diff --git a/clients/mapilib/msettings.h b/clients/mapilib/msettings.h --- a/clients/mapilib/msettings.h +++ b/clients/mapilib/msettings.h @@ -48,8 +48,8 @@ typedef enum mparm { MP_SOCK = MP__STRING_START, MP_SOCKDIR, MP_CERT, -MP_CLIENTKEY, // TODO implement this -MP_CLIENTCERT, // TODO implement this +MP_CLIENTKEY, +MP_CLIENTCERT, MP_HOST, MP_DATABASE, MP_TABLESCHEMA, ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
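Review bot: After `SSL_use_PrivateKey_file` and `SSL_use_certificate_chain_file` in wrap_tls nothing verifies that the key and certificate belong together, and because the key is installed first I believe OpenSSL silently discards a non-matching key when the certificate arrives, so the user only sees the generic `SSL_connect handshake` failure later. Add after the chain is loaded: `if (1 != SSL_check_private_key(ssl)) { BIO_free_all(bio); return croak_openssl(mid, __func__, "SSL_check_private_key"); }`, or load the certificate before the key so the mismatch is reported at `SSL_use_PrivateKey_file`. The `assert(clientkey)` / `assert(clientcert)` come after `clientcert[0]` was already dereferenced in the earlier hunk of this commit, so they document an invariant rather than guard it; a comment that `msetting_string` never returns NULL would say the same. wrap_tls starts and ends outside this hunk.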
MonetDB: monetdburl - Accidentally swapped two test names
Changeset: ab791133e0e5 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/ab791133e0e5 Modified Files: clients/mapilib/Tests/tlssecurity.py Branch: monetdburl Log Message: Accidentally swapped two test names diffs (43 lines): diff --git a/clients/mapilib/Tests/tlssecurity.py b/clients/mapilib/Tests/tlssecurity.py --- a/clients/mapilib/Tests/tlssecurity.py +++ b/clients/mapilib/Tests/tlssecurity.py @@ -19,6 +19,8 @@ import tlstester level = logging.WARNING # if sys.platform == 'win32': # level=logging.DEBUG +if '-v' in sys.argv: +level = logging.DEBUG #level = logging.DEBUG logging.basicConfig(level=level) @@ -145,17 +147,17 @@ attempt('refuse_expired', 'expiredcert', attempt('connect_client_auth', 'clientauth', None, cert=certpath('ca1.crt'), clientcert=certpath('client2.crt'), clientkey=certpath('client2.key')) -# fail_plain_to_tls +# fail_tls_to_plain # # Connect to port 'plain' over TLS. This should fail, not hang. -attempt('fail_plain_to_tls', 'plain', 'wrong version number', tls=True) +attempt('fail_tls_to_plain', 'plain', 'wrong version number', tls=True) -# fail_tls_to_plain +# fail_plain_to_tls # # Make a plain MAPI connection to port 'server1'. This should fail. -attempt('fail_tls_to_plain', 'server1', 'terminated', tls=False) +attempt('fail_plain_to_tls', 'server1', 'terminated', tls=False) # connect_trusted # @@ -164,6 +166,8 @@ attempt('fail_tls_to_plain', 'server1', # system-specific. Connect to port 'server3' over TLS without passing a # certificate to check. The implementation should pick it up from the system # store. Have a succesful MAPI exchange. +# +# Tested elsewhere, in test systemcertificates # TODO #attempt('connect_trusted', 'server3', None) ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Send 'mapi/9' as the ALPN protocol
Changeset: f06bada3d253 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/f06bada3d253 Modified Files: clients/mapilib/connect_openssl.c Branch: monetdburl Log Message: Send 'mapi/9' as the ALPN protocol diffs (17 lines): diff --git a/clients/mapilib/connect_openssl.c b/clients/mapilib/connect_openssl.c --- a/clients/mapilib/connect_openssl.c +++ b/clients/mapilib/connect_openssl.c @@ -197,6 +197,13 @@ wrap_tls(Mapi mid, SOCKET sock) return croak_openssl(mid, __func__, "SSL_set_tlsext_host_name"); } + unsigned char alpn_vector[] = { 6, 'm', 'a', 'p', 'i', '/', '9' }; + // NOTE: these functions return 0 on success, not 1! + if (0 != SSL_set_alpn_protos(ssl, alpn_vector, sizeof(alpn_vector))) { + BIO_free_all(bio); + return croak_openssl(mid, __func__, "SSL_set_alpn_protos"); + } + // if target.clientkey: // ssl_context.load_cert_chain( // certfile=target.clientcert if target.clientcert is not None else target.clientkey, ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
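Review bot: The ALPN offer is sent but the outcome is never read back, so a server that ignores ALPN or selects something else is indistinguishable from one that agreed on `mapi/9`; after the handshake, `SSL_get0_alpn_selected(ssl, &alpn, &alpn_len)` yields the negotiated value and could at least be logged via mapi_log_record, or rejected if the protocol requires agreement (not visible here). The length-prefixed wire format in `alpn_vector` is correct (six bytes after the leading 6), and the comment about the inverted return convention is worth keeping. wrap_tls starts and ends outside this hunk.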
MonetDB: monetdburl - Test SNI name and ALPN protocol
Changeset: 1bcb2b462e57 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/1bcb2b462e57 Modified Files: clients/mapilib/Tests/tlssecurity.py Branch: monetdburl Log Message: Test SNI name and ALPN protocol diffs (25 lines): diff --git a/clients/mapilib/Tests/tlssecurity.py b/clients/mapilib/Tests/tlssecurity.py --- a/clients/mapilib/Tests/tlssecurity.py +++ b/clients/mapilib/Tests/tlssecurity.py @@ -159,6 +159,21 @@ attempt('fail_tls_to_plain', 'plain', 'w attempt('fail_plain_to_tls', 'server1', 'terminated', tls=False) +# connect_server_name +# +# Connect to port 'sni' over TLS. Have a succesful MAPI exchange. This indicates +# that the implementation sent a correct Server Name Indication. + +attempt('connect_server_name', 'sni', None, cert=certpath('ca1.crt')) + +# connect_alpn_mapi9 +# +# Connect to port 'alpn_mapi9' over TLS. Have a succesful MAPI exchange. This +# indicates that the implementation succesfully negotiated ALPN protocol +# "mapi/9". + +attempt('connect_alpn_mapi9', 'alpn_mapi9', None, cert=certpath('ca1.crt')) + # connect_trusted # # Only when running in a throwaway environment such as a Docker container: ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Comment
Changeset: 7a1e3027c99f for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/7a1e3027c99f Modified Files: clients/mapilib/connect_openssl.c Branch: monetdburl Log Message: Comment diffs (16 lines): diff --git a/clients/mapilib/connect_openssl.c b/clients/mapilib/connect_openssl.c --- a/clients/mapilib/connect_openssl.c +++ b/clients/mapilib/connect_openssl.c @@ -204,12 +204,6 @@ wrap_tls(Mapi mid, SOCKET sock) return croak_openssl(mid, __func__, "SSL_set_alpn_protos"); } -// if target.clientkey: -// ssl_context.load_cert_chain( -// certfile=target.clientcert if target.clientcert is not None else target.clientkey, -// keyfile=target.clientkey, -// password=target.clientkeypassword, -// ) assert(clientkey); assert(clientcert); if (clientkey[0]) { ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: monetdburl - Implement certhash checking
Changeset: 4a4b19149322 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/4a4b19149322 Modified Files: clients/mapilib/Tests/tlssecurity.py clients/mapilib/connect_openssl.c clients/mapilib/msettings.h Branch: monetdburl Log Message: Implement certhash checking diffs (165 lines): diff --git a/clients/mapilib/Tests/tlssecurity.py b/clients/mapilib/Tests/tlssecurity.py --- a/clients/mapilib/Tests/tlssecurity.py +++ b/clients/mapilib/Tests/tlssecurity.py @@ -6,7 +6,7 @@ # # Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. - +from hashlib import sha256 import logging import os import subprocess @@ -174,6 +174,37 @@ attempt('connect_server_name', 'sni', No attempt('connect_alpn_mapi9', 'alpn_mapi9', None, cert=certpath('ca1.crt')) +# connect_right_hash +# +# Connect to port 'server1' over TLS, with certhash set to a prefix of the hash +# of the server certificate in DER form. Have a succesful MAPI exchange. + +server1hash = sha256(certs.get_file('server1.der')).hexdigest() +attempt('connect_right_hash', 'server1', None, certhash='{sha256}' + server1hash[:6]) + +# connect_wrong_hash +# +# Connect to port 'server1' over TLS, with certhash set to a syntactically valid +# hash that is not a prefix of the hash of the server certificate in DER form. +# This should fail. + +first_digit = server1hash[0] +other_digit = f"{8 ^ int(first_digit, 16):x}" +wronghash = other_digit + server1hash[1:] + +attempt('connect_wrong_hash', 'server1', "does not match certhash", certhash='{sha256}' + wronghash[:6]) + + +# connect_ca_hash +# +# Connect to port 'server1' over TLS, with certhash set to a prefix of the hash +# of the CA1 certificate in DER form. This should fail. + +ca1hash = sha256(certs.get_file('ca1.der')).hexdigest() +attempt('connect_ca_hash', 'server1', "does not match certhash", certhash='{sha256}' + ca1hash[:6]) + + + # connect_trusted # # Only when running in a throwaway environment such as a Docker container: 
diff --git a/clients/mapilib/connect_openssl.c b/clients/mapilib/connect_openssl.c --- a/clients/mapilib/connect_openssl.c +++ b/clients/mapilib/connect_openssl.c @@ -8,6 +8,11 @@ * Copyright 1997 - July 2008 CWI, August 2008 - 2023 MonetDB B.V. */ + +// Request compatibility with OpenSSL 1.1.1. +// We need this for the hashing API. +#define OPENSSL_API_COMPAT 0x1010L + #include "monetdb_config.h" 
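Review bot: `#define OPENSSL_API_COMPAT 0x1010L` is in neither form OpenSSL documents for this macro — the old style is `0x10101000L` for 1.1.1 and the new style the plain number `10101` — and as written the value sits below every deprecation threshold, so it appears to silence all deprecation warnings back to 0.9.8 rather than only the 3.0 ones (as far as I can tell from OpenSSL's macros.h logic; please check against your headers). Use `#define OPENSSL_API_COMPAT 10101` (or `0x10101000L`) so the level actually says 1.1.1 as the comment claims. Placing it before the first include is required, so the position is right.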
@@ -109,6 +114,63 @@ make_ssl_context(Mapi mid, SSL_CTX **ctx return MOK; } +static MapiMsg +verify_server_certificate_hash(Mapi mid, SSL *ssl, const char *required_prefix) +{ + mapi_log_record(mid, "CONN", "verifying certificate hash against prefix '%s'", required_prefix); + + size_t prefix_len = strlen(required_prefix); + if (prefix_len > 2 * SHA256_DIGEST_LENGTH) + return mapi_setError(mid, "value of certhash= is longer than a sha256 digest", __func__, MERROR); + + X509 *x509 = SSL_get_peer_certificate(ssl); + if (x509 == NULL) + return mapi_printError(mid, __func__, MERROR, "Server did not send a TLS certificate"); + + // Convert to DER + unsigned char *buf = NULL; + int buflen = i2d_X509(x509, &buf); + if (buflen <= 0) { + X509_free(x509); + return croak_openssl(mid, __func__, "could not convert server certificate to DER"); + } + assert(buf); + X509_free(x509); + + // Compute the has of the DER using the deprecated API so we stay + // compatible with OpenSSL 1.1.1. + SHA256_CTX sha256; + if (1 != SHA256_Init(&sha256)) { + OPENSSL_free(buf); + return mapi_setError(mid, "SHA256_Init", __func__, MERROR); + } + if (1 != SHA256_Update(&sha256, buf, buflen)) { + OPENSSL_free(buf); + return mapi_setError(mid, "SHA256_Update", __func__, MERROR); + } + unsigned char digest[SHA256_DIGEST_LENGTH]; + if (1 != SHA256_Final(digest, &sha256)) { + OPENSSL_free(buf); + return mapi_setError(mid, "SHA256_Final", __func__, MERROR); + } + OPENSSL_free(buf); + + // Make hexadecimal; + char hex[2 * SHA256_DIGEST_LENGTH + 1]; + for (int i = 0; i < SHA256_DIGEST_LENGTH; i++) { + snprintf(&hex[2 * i], 3, "%02x", digest[i]); + } + assert(hex[2 * SHA256_DIGEST_LENGTH] == '\0'); + + // Compare the digits + if (strncmp(required_prefix, hex, prefix_len) != 0) + return mapi_setError(mid, "server certificate does not match certhash= prefix", __func__, MERROR); + + mapi_log_record(mid, "CONN", "server certificate matches certhash"); + return MOK; +} + + MapiMsg wrap_tls(Mapi mid, SOCKET sock) 
{ @@ -129,6 +191,7 @@ wrap_tls(Mapi mid, SOCKET sock) const char *clientcert = msetting_string(settings, MP_CLIENTCERT); if (!clientcert[0]) clientcert = clientkey; //
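Review bot: verify_server_certificate_hash compares `required_prefix` with `strncmp` against the lowercase `%02x` rendering, so a certhash written with uppercase hex digits never matches unless the URL parser already lower-cases it (not visible on this page), and an empty prefix makes `strncmp(required_prefix, hex, 0)` succeed for every certificate; the call site that decides when the function runs is in the next hunk, which is cut off here. Add, right after `prefix_len` is computed, `if (prefix_len == 0) return mapi_setError(mid, "certhash= prefix is empty", __func__, MERROR);` and either reject characters outside lowercase hex in the prefix or normalise them before the compare. A short header comment would also help: the function hashes the DER form of the leaf certificate from `SSL_get_peer_certificate` and accepts any prefix of its lowercase hex SHA-256.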
MonetDB: Jun2023 - With LOCK_OWNER defined (debug only), remove ...
Changeset: 4ce064e6b169 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/4ce064e6b169 Modified Files: gdk/gdk_system.c Branch: Jun2023 Log Message: With LOCK_OWNER defined (debug only), remove lock from list even when not inited. diffs (31 lines): diff --git a/gdk/gdk_system.c b/gdk/gdk_system.c --- a/gdk/gdk_system.c +++ b/gdk/gdk_system.c @@ -380,9 +380,11 @@ MT_thread_add_mylock(MT_Lock *lock) void MT_thread_del_mylock(MT_Lock *lock) { + struct winthread *w; if (threadslot == TLS_OUT_OF_INDEXES) - return; - struct winthread *w = TlsGetValue(threadslot); + w = &mainthread; + else + w = TlsGetValue(threadslot); if (w) { if (w->mylocks == lock) { @@ -864,9 +866,11 @@ MT_thread_add_mylock(MT_Lock *lock) void MT_thread_del_mylock(MT_Lock *lock) { + struct posthread *p; if (!thread_initialized) - return; - struct posthread *p = pthread_getspecific(threadkey); + p = &mainthread; + else + p = pthread_getspecific(threadkey); if (p) { if (p->mylocks == lock) { ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
MonetDB: default - Merge with Jun2023 branch.
Changeset: ed279f37a2f6 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB/rev/ed279f37a2f6 Modified Files: gdk/gdk_system.c Branch: default Log Message: Merge with Jun2023 branch. diffs (19 lines): diff --git a/common/stream/Tests/read_tests.py b/common/stream/Tests/read_tests.py --- a/common/stream/Tests/read_tests.py +++ b/common/stream/Tests/read_tests.py @@ -148,4 +148,3 @@ if __name__ == "__main__": else: print("Usage: python3 read_tests.py [TESTDATANAME]", file=sys.stderr) sys.exit(1) - diff --git a/common/stream/Tests/testdata.py b/common/stream/Tests/testdata.py --- a/common/stream/Tests/testdata.py +++ b/common/stream/Tests/testdata.py @@ -216,6 +216,7 @@ class TestFile: else: raise Exception("Unknown compression scheme: " + self.compression) f.write(content) +f.close() return filename ___ checkin-list mailing list -- checkin-list@monetdb.org To unsubscribe send an email to checkin-list-le...@monetdb.org
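Review bot: The `f.close()` added after `f.write(content)` in TestFile only runs when the write succeeds; if `write` raises, the handle stays open until garbage collection. Opening the file in a `with` statement (the `open` call is presumably just above this hunk) closes it on every path and makes the explicit `close()` unnecessary. The enclosing method starts outside the hunk.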