LIES ABOUT SUITE_LEN_
and
Bug#19355577 : YASSL PRE-AUTH BUFFER OVERFLOW WHEN CLIENT
LIES ABOUT COMP_LEN_
Description : Updating yaSSL to version 2.3.4.
WITH SSL ENABLED
Problem:
It was reported that MySQL community utilities cannot connect to a MySQL
Enterprise 5.6.x server with SSL configured. We can reproduce the issue
when we try to connect an MySQL Enterprise Server with a MySQL Client with
--ssl-ca parameter enabled.
We get an ERROR 2026 (HY000): SSL connection error: unknown error number.
Solution:
The root cause of the problem was determined to be the difference in handling
of the certificates by OpenSSL(Enterprise) and yaSSL(Community). OpenSSL expects
a blank certificate to be sent when a parameter (ssl-ca, or ssl-cert or ssl-key)
has not been specified.On the other hand yaSSL doesn't send any certificate and
since OpenSSL does not expect this behaviour it returns an Unknown SSL error.
The issue was resolved by yaSSL adding capability to send blank certificate when
any of the parameter is missing.
$SUBJ$
1. Took a diff between the previous base version and the
mysql sources.
2. Added the new 2.1.4 base version.
3. Reviewed and re-applied the diff from step #1.
The problem was that the bundled yaSSL library was being built
without thread safety support regardless of the thread safeness
of the compoments linked with it.
The solution is to enable yaSSL thread safety support if any
component (server or client) is to be built with thread support.
Also, generate new certificates for yaSSL's test suite.
config/ac-macros/yassl.m4:
Enable yaSSL thread safety if linking with the server or a
thread safe client library. Avoids building a thread safe
yaSSL when only building a non-thread safe client library.
extra/yassl/CMakeLists.txt:
Always enable for Windows builds.
extra/yassl/certs/ca-cert.pem:
New certificate, previous one expired.
extra/yassl/certs/client-cert.der:
New certificate, previous one expired.
extra/yassl/certs/client-cert.pem:
New certificate, previous one expired.
extra/yassl/certs/dsa-cert.pem:
New certificate, previous one expired.
extra/yassl/certs/server-cert.pem:
New certificate, previous one expired.
extra/yassl/include/lock.hpp:
Rename MULTI_THREAD to YASSL_THREAD_SAFE.
extra/yassl/src/Makefile.am:
Use CXXFLAGS to set thread related definitions as the lock header
(lock.hpp) has no local dependencies.
extra/yassl/src/lock.cpp:
Rename MULTI_THREAD to YASSL_THREAD_SAFE.
extra/yassl/taocrypt/CMakeLists.txt:
Always enable for Windows builds.
extra/yassl/taocrypt/benchmark/Makefile.am:
Pass thread related CXXFLAGS.
extra/yassl/taocrypt/src/Makefile.am:
Pass thread related CXXFLAGS.
extra/yassl/taocrypt/test/Makefile.am:
Pass thread related CXXFLAGS.
extra/yassl/taocrypt/test/memory.cpp:
Rename MULTI_THREAD to YASSL_THREAD_SAFE.
extra/yassl/testsuite/Makefile.am:
Pass thread related CXXFLAGS.
