mysql8.4/mysql-ssl-bugs.patch

102 lines
5.6 KiB
Diff

Workarounds for recently-introduced SSL breakage, filed as upstream bugs
#24121, #24148, and #24157.
I believe the client.c fix is actually correct.
The viossl.c patch is just a crude reversion to the 5.0.22 approach to work
around brain death in close_connection(). I don't know the mysql code well
enough to venture changing the locking logic in close_connection(), though.
Also, change openssl_1 test to agree with the test certificate included in the
distribution. And in viosslfactories.c, suppress ERR_print_errors_fp which
gives system-dependent error messages, since that breaks the openssl_1 test
(which has evidently only been tested with yassl, if at all).
diff -Naur mysql-5.0.27.orig/sql-common/client.c mysql-5.0.27/sql-common/client.c
--- mysql-5.0.27.orig/sql-common/client.c 2006-10-20 20:22:26.000000000 -0400
+++ mysql-5.0.27/sql-common/client.c 2006-11-08 19:20:49.000000000 -0500
@@ -2949,7 +2949,7 @@
mysql->reconnect= *(my_bool *) arg;
break;
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
- if (!arg || test(*(uint*) arg))
+ if (!arg || test(*(my_bool*) arg))
mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT;
else
mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT;
diff -Naur mysql-5.0.27.orig/vio/viossl.c mysql-5.0.27/vio/viossl.c
--- mysql-5.0.27.orig/vio/viossl.c 2006-10-20 20:23:11.000000000 -0400
+++ mysql-5.0.27/vio/viossl.c 2006-11-09 13:57:32.000000000 -0500
@@ -119,19 +119,10 @@
if (ssl)
{
- switch ((r= SSL_shutdown(ssl)))
- {
- case 1: /* Shutdown successful */
- break;
- case 0: /* Shutdown not yet finished, call it again */
- if ((r= SSL_shutdown(ssl) >= 0))
- break;
- /* Fallthrough */
- default: /* Shutdown failed */
+ r = SSL_shutdown(ssl);
+ if (r < 0)
DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %s",
SSL_get_error(ssl, r)));
- break;
- }
SSL_free(ssl);
vio->ssl_arg= 0;
}
diff -Naur mysql-5.0.27.orig/mysql-test/r/openssl_1.result mysql-5.0.27/mysql-test/r/openssl_1.result
--- mysql-5.0.27.orig/mysql-test/r/openssl_1.result 2006-10-20 20:36:44.000000000 -0400
+++ mysql-5.0.27/mysql-test/r/openssl_1.result 2006-11-09 15:11:47.000000000 -0500
@@ -3,8 +3,8 @@
insert into t1 values (5);
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;
connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
diff -Naur mysql-5.0.27.orig/mysql-test/t/openssl_1.test mysql-5.0.27/mysql-test/t/openssl_1.test
--- mysql-5.0.27.orig/mysql-test/t/openssl_1.test 2006-10-20 20:36:43.000000000 -0400
+++ mysql-5.0.27/mysql-test/t/openssl_1.test 2006-11-09 15:10:29.000000000 -0500
@@ -10,8 +10,8 @@
grant select on test.* to ssl_user1@localhost require SSL;
grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
flush privileges;
diff -Naur mysql-5.0.27.orig/vio/viosslfactories.c mysql-5.0.27/vio/viosslfactories.c
--- mysql-5.0.27.orig/vio/viosslfactories.c 2006-10-20 20:22:39.000000000 -0400
+++ mysql-5.0.27/vio/viosslfactories.c 2006-11-09 16:02:14.000000000 -0500
@@ -88,7 +88,7 @@
DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file));
/* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:");
- ERR_print_errors_fp(stderr);
+ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr););
fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
fflush(stderr);
DBUG_RETURN(1);
@@ -102,7 +102,7 @@
DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file));
/* FIX stderr */
fprintf(stderr,"Error when connection to server using SSL:");
- ERR_print_errors_fp(stderr);
+ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr););
fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
fflush(stderr);
DBUG_RETURN(1);