mysql/community-mysql-openssl11.patch


Add OpenSSL 1.1 compatibility
Based on patches in the upstream tracker (below) and on patches from MariaDB for the same feature.
Upstream tracker: https://bugs.mysql.com/bug.php?id=83814
diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test
--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-08 09:00:52.578760787 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-08 22:19:40.033870734 +0100
@@ -7,7 +7,7 @@
connection default;
CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd';
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';"
DROP USER u_20693153@localhost;
diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test
--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-08 09:00:52.579760795 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-08 22:19:40.033870734 +0100
@@ -183,7 +183,7 @@ let SEARCH_PATTERN= Auto generated SSL c
--file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem
--echo # Ensure that server is ssl enabled
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
#-----------------------------------------------------------------------------
@@ -285,7 +285,7 @@ grant usage on *.* to wl7699_sha256 iden
# Using SSL certificates
--echo # Should be able to connect to server using generated SSL certificates.
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
# Using RSA key pair
--echo # Should be able to connect to server using RSA key pair.
@@ -351,7 +351,7 @@ show variables like 'sha256%';
--echo # 6.3 : SSL connection
--echo # Should be able to connect to server using generated SSL certificates.
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
@@ -362,7 +362,7 @@ grant usage on *.* to wl7699_sha256 iden
# Using SSL certificates
--echo # Should be able to connect to server using generated SSL certificates.
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'"
# Using RSA key pair
--echo # Should be able to connect to server using RSA key pair.
diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test
--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-08 09:00:52.583760826 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-08 22:19:40.034870741 +0100
@@ -54,7 +54,7 @@ let SEARCH_PATTERN= CA certificate .* is
--echo # Try to establish SSL connection : This must succeed.
connect (ssl_root_1,localhost,root,,,,,SSL);
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
SHOW VARIABLES LIKE 'have_ssl';
@@ -68,7 +68,7 @@ connection default;
disconnect ssl_root_1;
--echo # Connect using mysql client : This must succeed.
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';"
@@ -140,7 +140,7 @@ let SEARCH_PATTERN= CA certificate .* is
--source include/search_pattern_in_file.inc
--echo # Try creating SSL connection
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';"
diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test
--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test 2017-12-08 09:00:52.584760834 +0100
+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test 2017-12-08 22:56:42.786710772 +0100
@@ -36,7 +36,7 @@ let $cipher_default= DHE-RSA-AES256-SHA;
let $tls_default= TLSv1.1;
let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1);
if ($openssl == 'Rsa_public_key'){
- let $cipher_default= DHE-RSA-AES128-GCM-SHA256;
+ let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256;
let $tls_default= TLSv1.2;
}
--echo #T1: Default TLS connection
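Review bot: The new `let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256;` pins the OpenSSL branch to the cipher that OpenSSL 1.1 negotiates, but the `$openssl` probe two lines above only tells OpenSSL apart from yaSSL (by the presence of `Rsa_public_key`), not 1.1 from 1.0.2, so a server linked against OpenSSL 1.0.2 would presumably still negotiate DHE-RSA-AES128-GCM-SHA256 and fail wherever `$cipher_default` is compared. The other test files in this patch sidestep this by masking all three candidates with `--replace_result`; here the exact value is used. If 1.0.2 builds remain a target, keep both values and select by the negotiated cipher, or at least record the constraint next to the assignment with a comment such as `# OpenSSL 1.1 prefers ECDHE; a 1.0.2 build negotiates DHE-RSA-AES128-GCM-SHA256`. The `if` block is complete in the hunk but the uses of `$cipher_default` lie outside it.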
diff -rup mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test mysql-5.7.20/mysql-test/t/mysql_ssl_default.test
--- mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test 2017-12-08 09:00:55.717784968 +0100
+++ mysql-5.7.20/mysql-test/t/mysql_ssl_default.test 2017-12-08 22:19:40.035870748 +0100
@@ -14,15 +14,15 @@
--echo # verify that mysql default connect with ssl channel when using TCP/IP
--echo # connection
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'"
--echo # verify that mysql --ssl=0 connect with unencrypted channel
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED
--echo # verify that mysql --ssl=1 connect with ssl channel
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED
CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL;
diff -rup mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test mysql-5.7.20/mysql-test/t/openssl_1.test
--- mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test 2017-12-08 09:00:55.729785060 +0100
+++ mysql-5.7.20/mysql-test/t/openssl_1.test 2017-12-08 22:19:40.035870748 +0100
@@ -19,17 +19,17 @@ insert into t1 values (5);
let $cipher_val= "DHE-RSA-AES256-SHA";
let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1);
if ($shavars == 'Rsa_public_key'){
- let $cipher_val= "DHE-RSA-AES128-GCM-SHA256";
+ let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256";
}
grant select on test.* to ssl_user1@localhost require SSL;
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
-- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
-- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client"
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
-- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA"
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
-- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx"
flush privileges;
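Review bot: `$cipher_val` is not only echoed, it is written into `require cipher $cipher_val` for ssl_user2 through ssl_user5, so those accounts now accept only ECDHE-RSA-AES128-GCM-SHA256 at connect time; the `--replace_result` lines mask the grant text in the result file but not the enforcement. The `Rsa_public_key` probe above distinguishes OpenSSL from yaSSL, not OpenSSL 1.1 from 1.0.2, so a 1.0.2 build that still negotiates DHE-RSA-AES128-GCM-SHA256 would presumably fail the later `connect (con2..con5,...,SSL)` with access denied. If such builds are still supported, derive the value from the cipher actually negotiated, e.g. `let $cipher_val= query_get_value("SHOW STATUS LIKE 'Ssl_cipher'", Value, 1);` issued from an SSL connection, or state the OpenSSL 1.1 assumption in a comment beside the assignment.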
@@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SS
connection con1;
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
@@ -51,7 +51,7 @@ delete from t1;
connection con2;
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
@@ -59,7 +59,7 @@ delete from t1;
connection con3;
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
@@ -67,7 +67,7 @@ delete from t1;
connection con4;
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
@@ -142,7 +142,7 @@ drop table t1;
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests
@@ -269,7 +269,7 @@ select 'is still running; no cipher requ
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL);
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection default;
diff -rup mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test
--- mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-08 09:00:55.747785199 +0100
+++ mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-08 22:19:40.035870748 +0100
@@ -2,7 +2,7 @@
--source include/have_ssl.inc
connect (ssl_con,localhost,root,,,,,SSL);
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password';
diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test mysql-5.7.20/mysql-test/t/ssl_8k_key.test
--- mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test 2017-12-08 09:00:55.772785392 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_8k_key.test 2017-12-08 22:19:40.036870755 +0100
@@ -4,7 +4,7 @@
#
# Bug#29784 YaSSL assertion failure when reading 8k key.
#
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
## This test file is for testing encrypted communication only, not other
diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test mysql-5.7.20/mysql-test/t/ssl_ca.test
--- mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test 2017-12-08 09:00:55.773785399 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_ca.test 2017-12-08 22:19:40.036870755 +0100
@@ -10,7 +10,7 @@
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
--echo # try to connect with correct '--ssl-ca' path : should connect
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
--echo #
@@ -22,15 +22,15 @@
--echo # try to connect with '--ssl-ca' option using tilde home directoy
--echo # path substitution : should connect
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
--echo # try to connect with '--ssl-key' option using tilde home directoy
--echo # path substitution : should connect
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
--echo # try to connect with '--ssl-cert' option using tilde home directoy
--echo # path substitution : should connect
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test mysql-5.7.20/mysql-test/t/ssl_compress.test
--- mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test 2017-12-08 09:00:55.774785407 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_compress.test 2017-12-08 22:19:40.036870755 +0100
@@ -17,7 +17,7 @@
connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on
@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Compression';
-- source include/common-tests.inc
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
# Check compression turned on
diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test mysql-5.7.20/mysql-test/t/ssl_crl.test
--- mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test 2017-12-08 09:00:55.774785407 +0100
+++ mysql-5.7.20/mysql-test/t/ssl_crl.test 2017-12-08 22:19:40.037870762 +0100
@@ -32,9 +32,11 @@ if (!$crllen)
--echo # try to connect with '--ssl-crl' option using tilde home directoy
--echo # path substitution : should connect
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'"
--echo # try to connect with '--ssl-crlpath' option using tilde home directoy
--echo # path substitution : should connect
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'"
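Review bot: The added `--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256` sits directly after an existing `--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR` for the same `--exec`; if mysqltest resets rather than stacks consecutive replace_result directives (worth checking in mysqltest's do_get_replace), the path substitution is silently dropped for that command. Merging both into a single directive, `--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256`, is correct either way. This hunk also maps ECDHE onto the literal DHE name instead of the neutral SSL_CIPHER token used everywhere else in the patch, so the result file keeps asserting a cipher the server no longer negotiates.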
diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl.test mysql-5.7.20/mysql-test/t/ssl.test
--- mysql-5.7.20-sslbak/mysql-test/t/ssl.test 2017-12-08 09:00:55.772785392 +0100
+++ mysql-5.7.20/mysql-test/t/ssl.test 2017-12-08 22:19:40.037870762 +0100
@@ -16,7 +16,7 @@
connect (ssl_con,localhost,root,,,,,SSL);
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
# Check ssl expiration
@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after';
-- source include/common-tests.inc
# Check ssl turned on
---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
SHOW STATUS LIKE 'Ssl_cipher';
connection default;
diff -rup mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc mysql-5.7.20/mysys_ssl/my_aes_openssl.cc
--- mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc 2017-12-08 09:00:55.851786000 +0100
+++ mysql-5.7.20/mysys_ssl/my_aes_openssl.cc 2017-12-08 22:19:40.037870762 +0100
@@ -122,7 +122,7 @@ int my_aes_encrypt(const unsigned char *
enum my_aes_opmode mode, const unsigned char *iv,
bool padding)
{
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
const EVP_CIPHER *cipher= aes_evp_type(mode);
int u_len, f_len;
/* The real key to be used for encryption */
@@ -132,23 +132,23 @@ int my_aes_encrypt(const unsigned char *
if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
return MY_AES_BAD_DATA;
- if (!EVP_EncryptInit(&ctx, cipher, rkey, iv))
+ if (!EVP_EncryptInit(ctx, cipher, rkey, iv))
goto aes_error; /* Error */
- if (!EVP_CIPHER_CTX_set_padding(&ctx, padding))
+ if (!EVP_CIPHER_CTX_set_padding(ctx, padding))
goto aes_error; /* Error */
- if (!EVP_EncryptUpdate(&ctx, dest, &u_len, source, source_length))
+ if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length))
goto aes_error; /* Error */
- if (!EVP_EncryptFinal(&ctx, dest + u_len, &f_len))
+ if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len))
goto aes_error; /* Error */
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
return u_len + f_len;
aes_error:
/* need to explicitly clean up the error if we want to ignore it */
ERR_clear_error();
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
return MY_AES_BAD_DATA;
}
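Review bot: The early `return MY_AES_BAD_DATA;` on the `!cipher || ... !iv` check now leaks the context, because `ctx` is obtained from `EVP_CIPHER_CTX_new()` in the preceding hunk before this check runs, and it is only released on the success path and under `aes_error`; the stack `EVP_CIPHER_CTX` it replaces had nothing to free. `EVP_CIPHER_CTX_new()` can also return NULL, which the unconditional `EVP_EncryptInit(ctx, ...)` would then dereference. Declare `EVP_CIPHER_CTX *ctx;` in the earlier hunk and allocate after the argument check, e.g. `if (!(ctx= EVP_CIPHER_CTX_new())) return MY_AES_BAD_DATA;` immediately before the `EVP_EncryptInit` call, so every path that owns a context also frees it.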
@@ -159,7 +159,7 @@ int my_aes_decrypt(const unsigned char *
bool padding)
{
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
const EVP_CIPHER *cipher= aes_evp_type(mode);
int u_len, f_len;
@@ -170,24 +170,22 @@ int my_aes_decrypt(const unsigned char *
if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
return MY_AES_BAD_DATA;
- EVP_CIPHER_CTX_init(&ctx);
-
- if (!EVP_DecryptInit(&ctx, aes_evp_type(mode), rkey, iv))
+ if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey, iv))
goto aes_error; /* Error */
- if (!EVP_CIPHER_CTX_set_padding(&ctx, padding))
+ if (!EVP_CIPHER_CTX_set_padding(ctx, padding))
goto aes_error; /* Error */
- if (!EVP_DecryptUpdate(&ctx, dest, &u_len, source, source_length))
+ if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length))
goto aes_error; /* Error */
- if (!EVP_DecryptFinal_ex(&ctx, dest + u_len, &f_len))
+ if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len))
goto aes_error; /* Error */
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
return u_len + f_len;
aes_error:
/* need to explicitly clean up the error if we want to ignore it */
ERR_clear_error();
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
return MY_AES_BAD_DATA;
}
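Review bot: Same ownership gap as in my_aes_encrypt: the early `return MY_AES_BAD_DATA;` on the `!cipher || ... !iv` check leaks the context that `EVP_CIPHER_CTX_new()` allocated in the previous hunk, and a NULL result from that allocation is passed straight to `EVP_DecryptInit`. Dropping the explicit `EVP_CIPHER_CTX_init(&ctx)` is fine since `EVP_CIPHER_CTX_new()` returns an initialised context, but the allocation should move below the argument check and be tested: `if (!(ctx= EVP_CIPHER_CTX_new())) return MY_AES_BAD_DATA;` with the declaration reduced to `EVP_CIPHER_CTX *ctx;`. Keeping both functions on the same pattern also keeps their error paths reviewable side by side.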
diff -rup mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c
--- mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-08 09:00:55.975786955 +0100
+++ mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-08 22:19:40.037870762 +0100
@@ -104,7 +104,7 @@ static const char* tls_cipher_blocked= "
mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
-----END DH PARAMETERS-----
*/
-static unsigned char dh2048_p[]=
+static unsigned char dhp_2048[]=
{
0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
@@ -131,20 +131,24 @@ static unsigned char dh2048_p[]=
};
-static unsigned char dh2048_g[]={
+static unsigned char dhg_2048[]={
0x05,
};
static DH *get_dh2048(void)
{
- DH *dh;
- if ((dh=DH_new()))
+ DH *dh = DH_new();
+ BIGNUM *dhp_bn, *dhg_bn;
+ if (dh != NULL)
{
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if (! dh->p || ! dh->g)
+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+ if (dhp_bn == NULL || dhg_bn == NULL
+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
{
DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
dh=0;
}
}
diff -rup mysql-5.7.20-sslbak/sql/mysqld.cc mysql-5.7.20/sql/mysqld.cc
--- mysql-5.7.20-sslbak/sql/mysqld.cc 2017-12-08 09:00:56.309789528 +0100
+++ mysql-5.7.20/sql/mysqld.cc 2017-12-08 22:19:40.039870776 +0100
@@ -3376,7 +3376,7 @@ static int init_ssl()
{
#ifdef HAVE_OPENSSL
#ifndef HAVE_YASSL
- CRYPTO_malloc_init();
+ OPENSSL_malloc_init();
#endif
ssl_start();
#ifndef EMBEDDED_LIBRARY
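Review bot: `OPENSSL_malloc_init()` replaces `CRYPTO_malloc_init()` unconditionally, so this translation unit no longer compiles against OpenSSL 1.0.x, where only the old name exists; the same holds for `DH_set0_pqg`, `ASN1_STRING_get0_data` and `OPENSSL_init_ssl` elsewhere in the patch. If the package must still build against 1.0.2, either guard the two spellings with `#if OPENSSL_VERSION_NUMBER < 0x10100000L` or collect compat macros in one header, as the MariaDB patches cited in the description do. In 1.1 `OPENSSL_malloc_init()` is, as far as I recall, a deprecated no-op, so on that branch the call can simply be omitted rather than renamed. `init_ssl()` continues outside the hunk.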
diff -rup mysql-5.7.20-sslbak/sql-common/client.c mysql-5.7.20/sql-common/client.c
--- mysql-5.7.20-sslbak/sql-common/client.c 2017-12-08 09:00:56.245789035 +0100
+++ mysql-5.7.20/sql-common/client.c 2017-12-08 22:19:40.040870783 +0100
@@ -2741,7 +2741,7 @@ static int ssl_verify_server_cert(Vio *v
goto error;
}
- cn= (char *) ASN1_STRING_data(cn_asn1);
+ cn= (char *) ASN1_STRING_get0_data(cn_asn1);
// There should not be any NULL embedded in the CN
if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
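Review bot: The `(char *)` cast on `ASN1_STRING_get0_data(cn_asn1)` discards the const that the get0 API adds; get0 also means the bytes belong to the certificate and must not be written or freed. If `cn` is only read, which the `strlen`/`ASN1_STRING_length` comparison on the next line suggests, declare it `const char *cn` and drop the cast so the compiler enforces the read-only contract. Whether `cn` is later handed to a non-const parameter is outside this hunk; `ssl_verify_server_cert` continues beyond it.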
diff -rup mysql-5.7.20-sslbak/vio/viosslfactories.c mysql-5.7.20/vio/viosslfactories.c
--- mysql-5.7.20-sslbak/vio/viosslfactories.c 2017-12-08 09:00:56.807793365 +0100
+++ mysql-5.7.20/vio/viosslfactories.c 2017-12-08 22:19:40.040870783 +0100
@@ -86,7 +86,7 @@ static my_bool ssl_initialized
mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
-----END DH PARAMETERS-----
*/
-static unsigned char dh2048_p[]=
+static unsigned char dhp_2048[]=
{
0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
@@ -112,20 +112,25 @@ static unsigned char dh2048_p[]=
0x00, 0x05, 0x85, 0xB7,
};
-static unsigned char dh2048_g[]={
+static unsigned char dhg_2048[]={
0x05,
};
static DH *get_dh2048(void)
{
- DH *dh;
- if ((dh=DH_new()))
+ DH *dh = DH_new();
+ BIGNUM *dhp_bn, *dhg_bn;
+
+ if (dh != NULL)
{
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if (! dh->p || ! dh->g)
+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+ if (dhp_bn == NULL || dhg_bn == NULL
+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
{
DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
dh=0;
}
}
@@ -419,9 +424,7 @@ void ssl_start()
{
ssl_initialized= TRUE;
- SSL_library_init();
- OpenSSL_add_all_algorithms();
- SSL_load_error_strings();
+ OPENSSL_init_ssl(0, NULL);
#ifndef HAVE_YASSL
init_ssl_locks();