mysql8.4/mysql-ssl-bugs.patch

102 lines
5.5 KiB
Diff
Raw Normal View History

Workarounds for recently-introduced SSL breakage, filed as upstream bugs
#24121, #24148, and #24157.
I believe the client.c fix is actually correct.
The viossl.c patch is just a crude reversion to the 5.0.22 approach to work
around brain death in close_connection(). I don't know the mysql code well
enough to venture changing the locking logic in close_connection(), though.
Also, change openssl_1 test to agree with the test certificate included in the
distribution. And in viosslfactories.c, suppress ERR_print_errors_fp which
gives system-dependent error messages, since that breaks the openssl_1 test
(which has evidently only been tested with yassl, if at all).
diff -Naur mysql-5.0.33.orig/sql-common/client.c mysql-5.0.33/sql-common/client.c
--- mysql-5.0.33.orig/sql-common/client.c 2007-01-09 07:51:07.000000000 -0500
+++ mysql-5.0.33/sql-common/client.c 2007-02-09 12:36:17.000000000 -0500
@@ -3017,7 +3017,7 @@
mysql->reconnect= *(my_bool *) arg;
break;
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
- if (!arg || test(*(uint*) arg))
+ if (!arg || test(*(my_bool*) arg))
mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT;
else
mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT;
diff -Naur mysql-5.0.33.orig/vio/viossl.c mysql-5.0.33/vio/viossl.c
--- mysql-5.0.33.orig/vio/viossl.c 2007-01-09 07:51:50.000000000 -0500
+++ mysql-5.0.33/vio/viossl.c 2007-02-09 12:39:12.000000000 -0500
@@ -124,19 +124,10 @@
if (ssl)
{
- switch ((r= SSL_shutdown(ssl)))
- {
- case 1: /* Shutdown successful */
- break;
- case 0: /* Shutdown not yet finished, call it again */
- if ((r= SSL_shutdown(ssl) >= 0))
- break;
- /* Fallthrough */
- default: /* Shutdown failed */
+ r = SSL_shutdown(ssl);
+ if (r < 0)
DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d",
SSL_get_error(ssl, r)));
- break;
- }
SSL_free(ssl);
vio->ssl_arg= 0;
}
diff -Naur mysql-5.0.33.orig/mysql-test/r/openssl_1.result mysql-5.0.33/mysql-test/r/openssl_1.result
--- mysql-5.0.33.orig/mysql-test/r/openssl_1.result 2007-01-09 08:09:32.000000000 -0500
+++ mysql-5.0.33/mysql-test/r/openssl_1.result 2007-02-09 12:36:17.000000000 -0500
@@ -3,8 +3,8 @@
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
diff -Naur mysql-5.0.33.orig/mysql-test/t/openssl_1.test mysql-5.0.33/mysql-test/t/openssl_1.test
--- mysql-5.0.33.orig/mysql-test/t/openssl_1.test 2007-01-09 08:09:28.000000000 -0500
+++ mysql-5.0.33/mysql-test/t/openssl_1.test 2007-02-09 12:36:17.000000000 -0500
@@ -10,8 +10,8 @@
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;
diff -Naur mysql-5.0.33.orig/vio/viosslfactories.c mysql-5.0.33/vio/viosslfactories.c
--- mysql-5.0.33.orig/vio/viosslfactories.c 2007-01-09 07:51:28.000000000 -0500
+++ mysql-5.0.33/vio/viosslfactories.c 2007-02-09 12:37:26.000000000 -0500
@@ -87,7 +87,7 @@
{
DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file));
fprintf(stderr,"SSL error: ");
- ERR_print_errors_fp(stderr);
+ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr););
fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
fflush(stderr);
DBUG_RETURN(1);
@@ -100,7 +100,7 @@
{
DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file));
fprintf(stderr,"SSL error: ");
- ERR_print_errors_fp(stderr);
+ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr););
fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
fflush(stderr);
DBUG_RETURN(1);