Workarounds for recently-introduced SSL breakage, filed as upstream bugs
#24121, #24148, and #24157.

I believe the client.c fix is actually correct.

The viossl.c patch is just a crude reversion to the 5.0.22 approach to work
around brain death in close_connection(). I don't know the mysql code well
enough to venture changing the locking logic in close_connection(), though.

Also, change openssl_1 test to agree with the test certificate included in the
distribution. And in viosslfactories.c, suppress ERR_print_errors_fp which
gives system-dependent error messages, since that breaks the openssl_1 test
(which has evidently only been tested with yassl, if at all).

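--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -3017,7 +3017,7 @@
 mysql->reconnect= *(my_bool *) arg;
 break;
 case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
- if (!arg || test(*(uint*) arg))
+ if (!arg || test(*(my_bool*) arg))
 mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT;
 else
 mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT;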
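Review bot: The `case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:` branch now depends on the caller passing a pointer to `my_bool`, and nothing at this site says so. The old `*(uint*) arg` read suggests some callers may pass a wider integer; with the new one-byte read, such a caller on a big-endian host would have a value of 1 read as 0, switching server-certificate verification off without any error. I would record the contract next to the branch, e.g. `/* arg points to a my_bool; NULL or non-zero enables server certificate verification */`, and check in-tree callers for `int`/`uint` arguments. The enclosing switch begins and ends outside this hunk.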
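--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -124,19 +124,10 @@
 
 if (ssl)
 {
- switch ((r= SSL_shutdown(ssl)))
- {
- case 1: /* Shutdown successful */
- break;
- case 0: /* Shutdown not yet finished, call it again */
- if ((r= SSL_shutdown(ssl) >= 0))
- break;
- /* Fallthrough */
- default: /* Shutdown failed */
+ r = SSL_shutdown(ssl);
+ if (r < 0)
 DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d",
 SSL_get_error(ssl, r)));
- break;
- }
 SSL_free(ssl);
 vio->ssl_arg= 0;
 }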
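Review bot: The single `SSL_shutdown()` call treats a return of 0 the same as 1, so the connection is freed after sending close_notify without waiting for the peer's, and no comment says this is deliberate. That is the one-way shutdown OpenSSL permits when the socket is about to be closed anyway, but it should be stated, e.g. `/* One-way shutdown: send close_notify only; 0 (peer's not yet seen) is not an error */`. The `if (r < 0)` also has a macro as its only, unbraced body; writing it as `if (r < 0) { DBUG_PRINT(...); }` keeps `SSL_free(ssl)` unconditional whatever DBUG_PRINT expands to in non-debug builds. The enclosing function starts and ends outside the hunk.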
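--- a/mysql-test/r/openssl_1.result
+++ b/mysql-test/r/openssl_1.result
@@ -3,8 +3,8 @@
 insert into t1 values (5);
 grant select on test.* to ssl_user1@localhost require SSL;
 grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
 grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
 flush privileges;
 connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);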
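--- a/mysql-test/t/openssl_1.test
+++ b/mysql-test/t/openssl_1.test
@@ -10,8 +10,8 @@
 
 grant select on test.* to ssl_user1@localhost require SSL;
 grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
 grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx";
 flush privileges;
 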
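--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -87,7 +87,7 @@
 {
 DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file));
 fprintf(stderr,"SSL error: ");
- ERR_print_errors_fp(stderr);
+ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr););
 fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file);
 fflush(stderr);
 DBUG_RETURN(1);
@@ -100,7 +100,7 @@
 {
 DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file));
 fprintf(stderr,"SSL error: ");
- ERR_print_errors_fp(stderr);
+ DBUG_EXECUTE("error",ERR_print_errors_fp(stderr););
 fprintf(stderr,"Unable to get private key from '%s'\n", key_file);
 fflush(stderr);
 DBUG_RETURN(1);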
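Review bot: With `ERR_print_errors_fp(stderr)` moved inside `DBUG_EXECUTE("error", ...)` in both hunks, the OpenSSL error queue is presumably no longer drained on these failure paths in non-debug builds, since printing is what emptied it. Entries left behind can make a later `SSL_get_error()` on the same thread report a stale error, so I would add `ERR_clear_error();` after each `DBUG_EXECUTE` line. Production logs also lose the reason the certificate or key failed to load; if the openssl_1 test is the only obstacle, consider keeping the message and normalising it in the test instead. Both enclosing blocks start outside the hunks.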