Don't use a fixed buffer for X509_NAME_oneline() in the client.
Do as the server does - allocate it dynamically.
For a test - regenerate certificates to have the server cert with
a long subject.
change SSL methods to be SSLv23 (according to openssl manpage:
"A TLS/SSL connection established with these methods may understand
the SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols") from
TLSv1 methods, that go back to the initial SSL implementation
in MySQL in 2001.
OpenSSL default ciphers are different if TLSv1.2 is enabled,
so tests need to take this into account.
CONNECTIONS IF SPE
Problem description: -ssl-key value is not validated, you can assign any bogus
text to --ssl-key and it is not verified that it exists, and more importantly,
it allows the client to connect to mysqld.
Fix: Added proper validations checks for --ssl-key.
Note:
1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections
listed below and the details are :
http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl
and
REQUIRE SSL section of
http://dev.mysql.com/doc/refman/5.6/en/grant.html
2) Client having with option '--ssl', should able to get ssl connection. This
will be implemented as part of separate fix in 5.6 and trunk.
CONNECTIONS IF SPE
Problem description: -ssl-key value is not validated, you can assign any bogus
text to --ssl-key and it is not verified that it exists, and more importantly,
it allows the client to connect to mysqld.
Fix: Added proper validations checks for --ssl-key.
Note:
1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections
listed below and the details are :
http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl
and
REQUIRE SSL section of
http://dev.mysql.com/doc/refman/5.6/en/grant.html
2) Client having with option '--ssl', should able to get ssl connection. This
will be implemented as part of separate fix in 5.6 and trunk.
suppress these harmless but confusing warnings.
fix the program name (MY_INIT) in mysqldump
client/mysqldump.c:
for backward compatibility, prefix mysqldump error messages with "mysqldump", not with the full path of the executable
In 5.5, ssl_do() no longer calls report_errors() in case of ssl error.
Since report_errors() iterated over the list of errors, this means that we
now report the first error in the list, rather than the last. Adjust the
--replace_regex line for OpenSSL build accordingly in the test case.
sql/sql_insert.cc:
CREATE ... IF NOT EXISTS may do nothing, but
it is still not a failure. don't forget to my_ok it.
******
CREATE ... IF NOT EXISTS may do nothing, but
it is still not a failure. don't forget to my_ok it.
sql/sql_table.cc:
small cleanup
******
small cleanup
ChangeSet@1.2703, 2007-12-07 09:35:28-05:00, cmiller@zippy.cornsilk.net +40 -0
Bug#13174: SHA2 function
Patch contributed from Bill Karwin, paper unnumbered CLA in Seattle
Implement SHA2 functions.
Chad added code to make it work with YaSSL. Also, he removed the
(probable) bug of embedded server never using SSL-dependent
functions. (libmysqld/Makefile.am didn't read ANY autoconf defs.)
Function specification:
SHA2( string cleartext, integer hash_length )
-> string hash, or NULL
where hash_length is one of 224, 256, 384, or 512. If either is
NULL or a length is unsupported, then the result is NULL. The
resulting string is always the length of the hash_length parameter
or is NULL.
Include the canonical hash examples from the NIST in the test
results.
---
Polish and address concerns of reviewers.
.bzrignore:
Added libmysqld/sha2.cc to the ignore list.
client/mysql.cc:
Add condition to remove code for embedded server.
client/mysqltest.cc:
Add condition to remove code for embedded server.
include/Makefile.am:
New header file to header list.
include/mysql_embed.h:
Embedded servers can use SSL-library functions too!
include/sha2.h:
Compatibility layer to make YaSSL behave like OpenSSL.
include/sslopt-case.h:
Remove SSL-communication parameters from command lines.
include/sslopt-longopts.h:
Remove SSL-communication parameters from command lines.
include/sslopt-vars.h:
Don't declare variables that are only used in SSL communication, if
we are compiling the embedded server.
include/violite.h:
Don't even compile the SSL-communication function if we're in the
embedded server.
---
Remove CPP condition indentation.
libmysqld/CMakeLists.txt:
Add new file to source list.
libmysqld/Makefile.am:
Include standard DEFS in embedded compilation. It's an undiscovered
but that it's not there.
Add new file to source list.
libmysqld/examples/Makefile.am:
Include autoconf DEFS.
libmysqld/lib_sql.cc:
Initialize SSL-related variables in embedded server.
mysql-test/include/have_ssl_crypto_functs.inc:
Distinguish between communication and crypto.
Use the tristate value of "have_ssl" variable to know whether to
test or not for SSL-provided crypto functions.
mysql-test/r/func_digest.result:
Test against the sample test vectors in the NIST Secure
Hash Standard (http://csrc.nist.gov/cryptval/shs.htm)
mysql-test/r/func_encrypt_nossl.result:
Update results to the new error message text.
mysql-test/r/have_ssl_is_yes_or_disabled_only.require:
Distinguish between communication and crypto.
Use the tristate value of "have_ssl" variable to know whether to
test or not for SSL-provided crypto functions.
mysql-test/suite/rpl/t/rpl_ssl.test:
Distinguish between communication and crypto.
mysql-test/suite/rpl/t/rpl_ssl1.test:
Distinguish between communication and crypto.
mysql-test/t/func_des_encrypt.test:
Distinguish between communication and crypto.
mysql-test/t/func_digest.test:
Test against the sample test vectors in the NIST Secure
Hash Standard (http://csrc.nist.gov/cryptval/shs.htm)
Also, test that various parameters (legal and illegal)
do what we expect.
---
Distinguish between communication and crypto.
mysql-test/t/func_encrypt.test:
Distinguish between communication and crypto.
mysql-test/t/openssl_1.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl-big.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl_8k_key.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl_compress.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl_connect.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
sql-common/client.c:
SSL is useful for more functionality than just connecting. Test
for whether we are not embedded server also.
sql/CMakeLists.txt:
Add new source file to source list so that we have access to SHA2
functions.
sql/Makefile.am:
Add new source file to source list so that we have access to SHA2
functions.
sql/item_create.cc:
Bootstrap the SHA2 function into the server.
sql/item_strfunc.cc:
Add new SHA2 Item class methods.
Clean up two minor problems.
---
Remove extraneous debugging.
---
We must check nullness of a parameter only /after/ computing its
value.
sql/item_strfunc.h:
Declare new SHA2 Item class.
sql/mysqld.cc:
For embedded server, don't refer to SSL-communications variables
or values.
---
Remove CPP condition indentation.
sql/sha2.cc:
Compatibility layer to make YaSSL behave like OpenSSL.
---
Add comment for generated functions.
sql/sql_acl.cc:
For embedded server, don't refer to SSL-communications variables
or values.
sql/sql_connect.cc:
SSL is useful for more functionality than just connecting. Test
for whether we are not embedded server also.
sql/sys_vars.cc:
For embedded server, don't refer to SSL-communications variables
or values.
ChangeSet@1.2703, 2007-12-07 09:35:28-05:00, cmiller@zippy.cornsilk.net +40 -0
Bug#13174: SHA2 function
Patch contributed from Bill Karwin, paper unnumbered CLA in Seattle
Implement SHA2 functions.
Chad added code to make it work with YaSSL. Also, he removed the
(probable) bug of embedded server never using SSL-dependent
functions. (libmysqld/Makefile.am didn't read ANY autoconf defs.)
Function specification:
SHA2( string cleartext, integer hash_length )
-> string hash, or NULL
where hash_length is one of 224, 256, 384, or 512. If either is
NULL or a length is unsupported, then the result is NULL. The
resulting string is always the length of the hash_length parameter
or is NULL.
Include the canonical hash examples from the NIST in the test
results.
---
Polish and address concerns of reviewers.
The problem is that the server failed to follow the rule that
every X509 object retrieved using SSL_get_peer_certificate()
must be explicitly freed by X509_free(). This caused a memory
leak for builds linked against OpenSSL where the X509 object
is reference counted -- improper counting will prevent the
object from being destroyed once the session containing the
peer certificate is freed.
The solution is to explicitly free every X509 object used.
mysql-test/r/openssl_1.result:
Add test case result for Bug#42158
mysql-test/t/openssl_1.test:
Add test case for Bug#42158
sql/sql_acl.cc:
Deallocate X509 objects.
The problem is that the server failed to follow the rule that
every X509 object retrieved using SSL_get_peer_certificate()
must be explicitly freed by X509_free(). This caused a memory
leak for builds linked against OpenSSL where the X509 object
is reference counted -- improper counting will prevent the
object from being destroyed once the session containing the
peer certificate is freed.
The solution is to explicitly free every X509 object used.
- If missing: add "disconnect <session>"
- If physical disconnect of non "default" sessions is not finished
at test end: add routine which waits till this happened
+ additional improvements like
- remove superfluous files created by the test
- replace error numbers by error names
- remove trailing spaces, replace tabs by spaces
- unify writing of bugs within comments
- correct comments
- minor changes of formatting
Modifications according to the code review are included.
Fixed tests:
grant2
grant3
lock_tables_lost_commit
mysqldump
openssl_1
outfile
- If missing: add "disconnect <session>"
- If physical disconnect of non "default" sessions is not finished
at test end: add routine which waits till this happened
+ additional improvements like
- remove superfluous files created by the test
- replace error numbers by error names
- remove trailing spaces, replace tabs by spaces
- unify writing of bugs within comments
- correct comments
- minor changes of formatting
Modifications according to the code review are included.
Fixed tests:
grant2
grant3
lock_tables_lost_commit
mysqldump
openssl_1
outfile
Re-generated the PKI files needed.
Removed the ones that are not needed.
Updated the tests to reference the correct SSL subject.
mysql-test/r/openssl_1.result:
Bug #42366: Updated the tests to reference the correct SSL subject
mysql-test/std_data/cacert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/client-cert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/client-key.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server-cert-des.pem:
Bug #42366: Removed the ones that are not needed.
mysql-test/std_data/server-cert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server-key-des.pem:
Bug #42366: Removed the ones that are not needed.
mysql-test/std_data/server-key.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server8k-cert.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/std_data/server8k-key.pem:
Bug #42366: Re-generated the PKI files needed.
mysql-test/t/openssl_1.test:
Bug #42366: Updated the tests to reference the correct SSL subject
using crashes server
When the server is configured to use a RSA key, and when the client sends
a cipher-suite list that contains a non-RSA key as acceptable, the server
would try to process that key even though it was impossible.
Now, yaSSL sets its own acceptable-cipher list according to what kind of
key the server is started with, and will never explore and try to pair
impossible combinations.
This involves a partial import of the current YaSSL tree, not the whole
thing, so as to try to avoid introducing new bugs.
(Updated to avoid many whitespace changes and make diff smaller.)
using crashes server
When the server is configured to use a RSA key, and when the client sends
a cipher-suite list that contains a non-RSA key as acceptable, the server
would try to process that key even though it was impossible.
Now, yaSSL sets its own acceptable-cipher list according to what kind of
key the server is started with, and will never explore and try to pair
impossible combinations.
This involves a partial import of the current YaSSL tree, not the whole
thing, so as to try to avoid introducing new bugs.
(Updated to avoid many whitespace changes and make diff smaller.)
- Add testcase for SSL connection from mysqldump to mysqld
mysql-test/r/openssl_1.result:
Add test result
mysql-test/t/openssl_1.test:
Add test case for mysqldump with SSL connection to mysqld
into pilot.blaudden:/home/msvensson/mysql/mysql-5.1-maint
sql/mysqld.cc:
Auto merged
vio/viosslfactories.c:
Auto merged
mysql-test/r/openssl_1.result:
Manual merge
mysql-test/t/openssl_1.test:
Manual merge
