rpms/mysql8.0
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix ssl-related tests to specify expected cipher explicitly

Browse Source 
Related: #789600
This commit is contained in:
Honza Horák 2012-03-13 18:03:48 +01:00 committed by Michal Schorm
parent 2d45b49ace
commit 18724338ad
3 changed files with 121 additions and 248 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
mysql-cipherspec.patch Normal file
View File

@ -0,0 +1,115 @@
Some test items assume the default SSL cipher is DHE-RSA-AES256-SHA,
which is no longer the case as of openssl 1.0.1.
This patch enhances connect command by an option to specify a cipher
and tests are adjusted to specify the expected cipher explicitly.
Upstream bug report: http://bugs.mysql.com/bug.php?id=64461
diff -up mysql-5.5.21/client/mysqltest.cc.cipherspec mysql-5.5.21/client/mysqltest.cc
--- mysql-5.5.21/client/mysqltest.cc.cipherspec 2012-01-31 12:28:16.000000000 +0100
+++ mysql-5.5.21/client/mysqltest.cc 2012-03-09 14:38:37.083890817 +0100
@@ -5458,6 +5458,7 @@ void do_connect(struct st_command *comma
my_bool con_ssl= 0, con_compress= 0;
my_bool con_pipe= 0, con_shm= 0;
struct st_connection* con_slot;
+ char *con_cipher=NULL;
static DYNAMIC_STRING ds_connection_name;
static DYNAMIC_STRING ds_host;
@@ -5546,6 +5547,8 @@ void do_connect(struct st_command *comma
con_pipe= 1;
else if (!strncmp(con_options, "SHM", 3))
con_shm= 1;
+ else if (!strncmp(con_options, "CIPHER:", 7))
+ con_cipher = con_options + 7;
else
die("Illegal option to connect: %.*s",
(int) (end - con_options), con_options);
@@ -5593,8 +5596,11 @@ void do_connect(struct st_command *comma
if (con_ssl)
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+ /* default cipher */
+ if (con_cipher == NULL && opt_ssl_cipher != NULL)
+ con_cipher = opt_ssl_cipher;
mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
- opt_ssl_capath, opt_ssl_cipher);
+ opt_ssl_capath, con_cipher);
#if MYSQL_VERSION_ID >= 50000
/* Turn on ssl_verify_server_cert only if host is "localhost" */
opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
diff -up mysql-5.5.21/mysql-test/t/openssl_1.test.cipherspec mysql-5.5.21/mysql-test/t/openssl_1.test
--- mysql-5.5.21/mysql-test/t/openssl_1.test.cipherspec 2012-01-31 12:28:15.000000000 +0100
+++ mysql-5.5.21/mysql-test/t/openssl_1.test 2012-03-09 14:59:52.305752562 +0100
@@ -20,13 +20,13 @@ grant select on test.* to ssl_user4@loca
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;
-connect (con1,localhost,ssl_user1,,,,,SSL);
-connect (con2,localhost,ssl_user2,,,,,SSL);
-connect (con3,localhost,ssl_user3,,,,,SSL);
-connect (con4,localhost,ssl_user4,,,,,SSL);
+connect (con1,localhost,ssl_user1,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
+connect (con2,localhost,ssl_user2,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
+connect (con3,localhost,ssl_user3,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
+connect (con4,localhost,ssl_user4,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
-connect (con5,localhost,ssl_user5,,,,,SSL);
+connect (con5,localhost,ssl_user5,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
connection con1;
# Check ssl turned on
@@ -119,7 +119,7 @@ drop table t1;
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests
#
@@ -244,7 +244,7 @@ select 'is still running; no cipher requ
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
-connect(con1,localhost,bug42158,,,,,SSL);
+connect(con1,localhost,bug42158,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection default;
diff -up mysql-5.5.21/mysql-test/t/ssl_8k_key.test.cipherspec mysql-5.5.21/mysql-test/t/ssl_8k_key.test
--- mysql-5.5.21/mysql-test/t/ssl_8k_key.test.cipherspec 2012-01-31 12:28:15.000000000 +0100
+++ mysql-5.5.21/mysql-test/t/ssl_8k_key.test 2012-03-09 14:38:37.084890702 +0100
@@ -2,7 +2,7 @@
#
# Bug#29784 YaSSL assertion failure when reading 8k key.
#
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
## This test file is for testing encrypted communication only, not other
## encryption routines that the SSL library happens to provide!
diff -up mysql-5.5.21/mysql-test/t/ssl_compress.test.cipherspec mysql-5.5.21/mysql-test/t/ssl_compress.test
--- mysql-5.5.21/mysql-test/t/ssl_compress.test.cipherspec 2012-01-31 12:28:15.000000000 +0100
+++ mysql-5.5.21/mysql-test/t/ssl_compress.test 2012-03-09 14:38:37.085890587 +0100
@@ -7,7 +7,7 @@
# Save the initial number of concurrent sessions
--source include/count_sessions.inc
-connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
+connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS CIPHER:DHE-RSA-AES256-SHA);
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';
diff -up mysql-5.5.21/mysql-test/t/ssl.test.cipherspec mysql-5.5.21/mysql-test/t/ssl.test
--- mysql-5.5.21/mysql-test/t/ssl.test.cipherspec 2012-01-31 12:28:15.000000000 +0100
+++ mysql-5.5.21/mysql-test/t/ssl.test 2012-03-09 14:38:37.086890472 +0100
@@ -6,7 +6,7 @@
# Save the initial number of concurrent sessions
--source include/count_sessions.inc
-connect (ssl_con,localhost,root,,,,,SSL);
+connect (ssl_con,localhost,root,,,,,SSL CIPHER:DHE-RSA-AES256-SHA);
# Check ssl turned on
SHOW STATUS LIKE 'Ssl_cipher';

246
mysql-default-cipher.patch
View File

@ -1,246 +0,0 @@
Skip a few test items that assume the default SSL cipher is
DHE-RSA-AES256-SHA, which is no longer the case as of openssl 1.0.1.
There is probably a better answer than diking out these checks entirely,
but I will leave it to upstream to figure one out.
Upstream at http://bugs.mysql.com/bug.php?id=64461
diff -Naur mysql-5.5.21.orig/mysql-test/r/openssl_1.result mysql-5.5.21/mysql-test/r/openssl_1.result
--- mysql-5.5.21.orig/mysql-test/r/openssl_1.result 2012-01-31 06:28:16.000000000 -0500
+++ mysql-5.5.21/mysql-test/r/openssl_1.result 2012-02-27 00:31:11.789705322 -0500
@@ -2,40 +2,28 @@
create table t1(f1 int);
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
-grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
+grant select on test.* to ssl_user2@localhost require SSL;
+grant select on test.* to ssl_user3@localhost require SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user4@localhost require SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
flush privileges;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
select * from t1;
f1
5
delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user1'@'localhost' for table 't1'
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
select * from t1;
f1
5
delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user2'@'localhost' for table 't1'
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
select * from t1;
f1
5
delete from t1;
ERROR 42000: DELETE command denied to user 'ssl_user3'@'localhost' for table 't1'
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
select * from t1;
f1
5
@@ -51,11 +39,6 @@
mysqltest: Could not open connection 'default': 2026 SSL connection error: Unable to get private key
SSL error: Unable to get certificate from ''
mysqltest: Could not open connection 'default': 2026 SSL connection error: Unable to get certificate
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
End of 5.0 tests
DROP TABLE IF EXISTS thread_status;
DROP EVENT IF EXISTS event_status;
@@ -204,8 +187,5 @@
is still running; no cipher request crashed the server
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
DROP USER bug42158@localhost;
End of 5.1 tests
diff -Naur mysql-5.5.21.orig/mysql-test/r/ssl.result mysql-5.5.21/mysql-test/r/ssl.result
--- mysql-5.5.21.orig/mysql-test/r/ssl.result 2012-01-31 06:28:16.000000000 -0500
+++ mysql-5.5.21/mysql-test/r/ssl.result 2012-02-27 00:32:31.503920619 -0500
@@ -1,6 +1,3 @@
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
drop table if exists t1,t2,t3,t4;
CREATE TABLE t1 (
Period smallint(4) unsigned zerofill DEFAULT '0000' NOT NULL,
@@ -2154,6 +2151,3 @@
Warnings:
Warning 1052 Column 'kundentyp' in group statement is ambiguous
drop table t1;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
diff -Naur mysql-5.5.21.orig/mysql-test/r/ssl_compress.result mysql-5.5.21/mysql-test/r/ssl_compress.result
--- mysql-5.5.21.orig/mysql-test/r/ssl_compress.result 2012-01-31 06:28:16.000000000 -0500
+++ mysql-5.5.21/mysql-test/r/ssl_compress.result 2012-02-27 00:36:03.726113717 -0500
@@ -1,6 +1,3 @@
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Compression';
Variable_name Value
Compression ON
@@ -2157,9 +2154,6 @@
Warnings:
Warning 1052 Column 'kundentyp' in group statement is ambiguous
drop table t1;
-SHOW STATUS LIKE 'Ssl_cipher';
-Variable_name Value
-Ssl_cipher DHE-RSA-AES256-SHA
SHOW STATUS LIKE 'Compression';
Variable_name Value
Compression ON
diff -Naur mysql-5.5.21.orig/mysql-test/t/openssl_1.test mysql-5.5.21/mysql-test/t/openssl_1.test
--- mysql-5.5.21.orig/mysql-test/t/openssl_1.test 2012-01-31 06:28:15.000000000 -0500
+++ mysql-5.5.21/mysql-test/t/openssl_1.test 2012-02-27 00:31:14.031717958 -0500
@@ -14,10 +14,10 @@
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
-grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
+grant select on test.* to ssl_user2@localhost require SSL;
+grant select on test.* to ssl_user3@localhost require SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user4@localhost require SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user5@localhost require SUBJECT "xxx";
flush privileges;
connect (con1,localhost,ssl_user1,,,,,SSL);
@@ -29,29 +29,21 @@
connect (con5,localhost,ssl_user5,,,,,SSL);
connection con1;
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con2;
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con3;
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
connection con4;
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
select * from t1;
--error ER_TABLEACCESS_DENIED_ERROR
delete from t1;
@@ -104,22 +96,6 @@
--error 1
--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
-#
-# Bug#21611 Slave can't connect when master-ssl-cipher specified
-# - Apparently selecting a cipher doesn't work at all
-# - Usa a cipher that both yaSSL and OpenSSL supports
-#
---exec echo "SHOW STATUS LIKE 'Ssl_cipher'; exit;" > $MYSQLTEST_VARDIR/tmp/test.sql
---exec $MYSQL_TEST --ssl-cipher=DHE-RSA-AES256-SHA < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
-
-#
-# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
-#
-# Test that we can open encrypted connection to server without
-# verification of servers certificate by setting both ca certificate
-# and ca path to NULL
-#
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
--echo End of 5.0 tests
#
@@ -245,7 +221,6 @@
GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509;
FLUSH PRIVILEGES;
connect(con1,localhost,bug42158,,,,,SSL);
-SHOW STATUS LIKE 'Ssl_cipher';
disconnect con1;
connection default;
DROP USER bug42158@localhost;
diff -Naur mysql-5.5.21.orig/mysql-test/t/ssl.test mysql-5.5.21/mysql-test/t/ssl.test
--- mysql-5.5.21.orig/mysql-test/t/ssl.test 2012-01-31 06:28:15.000000000 -0500
+++ mysql-5.5.21/mysql-test/t/ssl.test 2012-02-27 00:32:26.000889684 -0500
@@ -8,15 +8,9 @@
connect (ssl_con,localhost,root,,,,,SSL);
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
-
# Source select test case
-- source include/common-tests.inc
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
-
connection default;
disconnect ssl_con;
diff -Naur mysql-5.5.21.orig/mysql-test/t/ssl_8k_key.test mysql-5.5.21/mysql-test/t/ssl_8k_key.test
--- mysql-5.5.21.orig/mysql-test/t/ssl_8k_key.test 2012-01-31 06:28:15.000000000 -0500
+++ mysql-5.5.21/mysql-test/t/ssl_8k_key.test 2012-02-27 00:34:41.994654229 -0500
@@ -2,7 +2,7 @@
#
# Bug#29784 YaSSL assertion failure when reading 8k key.
#
---exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
+--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem --ssl-cipher=DHE-RSA-AES256-SHA -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
## This test file is for testing encrypted communication only, not other
## encryption routines that the SSL library happens to provide!
diff -Naur mysql-5.5.21.orig/mysql-test/t/ssl_compress.test mysql-5.5.21/mysql-test/t/ssl_compress.test
--- mysql-5.5.21.orig/mysql-test/t/ssl_compress.test 2012-01-31 06:28:15.000000000 -0500
+++ mysql-5.5.21/mysql-test/t/ssl_compress.test 2012-02-27 00:35:22.681882970 -0500
@@ -9,18 +9,12 @@
connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS);
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
-
# Check compression turned on
SHOW STATUS LIKE 'Compression';
# Source select test case
-- source include/common-tests.inc
-# Check ssl turned on
-SHOW STATUS LIKE 'Ssl_cipher';
-
# Check compression turned on
SHOW STATUS LIKE 'Compression';

8
mysql.spec
View File

@ -1,6 +1,6 @@
Name: mysql
Version: 5.5.21
Release: 1%{?dist}
Release: 2%{?dist}
Summary: MySQL client programs and shared libraries
Group: Applications/Databases
@ -54,7 +54,7 @@ Patch14: mysql-va-list.patch
Patch15: mysql-netdevname.patch
Patch16: mysql-logrotate.patch
Patch17: mysql-plugin-test.patch
Patch18: mysql-default-cipher.patch
Patch18: mysql-cipherspec.patch
Patch19: mysql-file-contents.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -691,6 +691,10 @@ fi
%{_mandir}/man1/mysql_client_test.1*
%changelog
* Tue Mar 13 2012 Honza Horak <hhorak@redhat.com> 5.5.21-2
- Fix ssl-related tests to specify expected cipher explicitly
Related: #789600
* Mon Feb 27 2012 Tom Lane <tgl@redhat.com> 5.5.21-1
- Update to MySQL 5.5.21, for various fixes described at
http://dev.mysql.com/doc/refman/5.5/en/news-5-5-21.html