diff options
Diffstat (limited to 'mysql-tls.patch')
-rw-r--r-- | mysql-tls.patch | 295 |
1 files changed, 295 insertions, 0 deletions
diff --git a/mysql-tls.patch b/mysql-tls.patch new file mode 100644 index 0000000..751e89b --- /dev/null +++ b/mysql-tls.patch @@ -0,0 +1,295 @@ +diff -rupN mysql-5.1.73.orig/mysql-test/r/openssl_1.result mysql-5.1.73/mysql-test/r/openssl_1.result +--- mysql-5.1.73.orig/mysql-test/r/openssl_1.result 2016-02-25 16:34:16.096559322 +0100 ++++ mysql-5.1.73/mysql-test/r/openssl_1.result 2016-02-25 16:38:38.685377646 +0100 +@@ -2,16 +2,16 @@ drop table if exists t1; + create table t1(f1 int); + insert into t1 values (5); + grant select on test.* to ssl_user1@localhost require SSL; +-grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; +-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB"; +-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; +-grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx"; ++grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-GCM-SHA384"; ++grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-GCM-SHA384" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB"; ++grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-GCM-SHA384" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; ++grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-GCM-SHA384" AND SUBJECT "xxx"; + flush privileges; + connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET); + ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO) + SHOW STATUS LIKE 'Ssl_cipher'; + Variable_name Value +-Ssl_cipher DHE-RSA-AES256-SHA ++Ssl_cipher DHE-RSA-AES256-GCM-SHA384 + select * from t1; + f1 + 5 +@@ -19,7 +19,7 @@ delete from t1; + ERROR 42000: DELETE command denied to user 'ssl_user1'@'localhost' for table 't1' + SHOW STATUS LIKE 'Ssl_cipher'; + Variable_name Value +-Ssl_cipher DHE-RSA-AES256-SHA ++Ssl_cipher DHE-RSA-AES256-GCM-SHA384 + select * from t1; + f1 + 5 +@@ -27,7 +27,7 @@ delete from t1; + ERROR 42000: DELETE command denied to user 'ssl_user2'@'localhost' for table 't1' + SHOW STATUS LIKE 'Ssl_cipher'; + Variable_name Value +-Ssl_cipher DHE-RSA-AES256-SHA ++Ssl_cipher DHE-RSA-AES256-GCM-SHA384 + select * from t1; + f1 + 5 +@@ -35,7 +35,7 @@ delete from t1; + ERROR 42000: DELETE command denied to user 'ssl_user3'@'localhost' for table 't1' + SHOW STATUS LIKE 'Ssl_cipher'; + Variable_name Value +-Ssl_cipher DHE-RSA-AES256-SHA ++Ssl_cipher DHE-RSA-AES256-GCM-SHA384 + select * from t1; + f1 + 5 +diff -rupN mysql-5.1.73.orig/mysql-test/r/openssl_6975,tlsv10.result mysql-5.1.73/mysql-test/r/openssl_6975,tlsv10.result +--- mysql-5.1.73.orig/mysql-test/r/openssl_6975,tlsv10.result 1970-01-01 01:00:00.000000000 +0100 ++++ mysql-5.1.73/mysql-test/r/openssl_6975,tlsv10.result 2016-02-25 16:34:45.356539140 +0100 +@@ -0,0 +1,25 @@ ++grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA"; ++grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; ++TLS1.2 ciphers: user is ok with any cipher ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++SSLv3 ciphers: user is ok with any cipher ++Variable_name Value ++Ssl_cipher RC4-SHA ++Variable_name Value ++Ssl_cipher DHE-RSA-AES256-SHA ++SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA ++Variable_name Value ++Ssl_cipher RC4-SHA ++ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO) ++SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256 ++ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO) ++ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO) ++drop user ssl_sslv3@localhost; ++drop user ssl_tls12@localhost; +diff -rupN mysql-5.1.73.orig/mysql-test/r/openssl_6975,tlsv12.result mysql-5.1.73/mysql-test/r/openssl_6975,tlsv12.result +--- mysql-5.1.73.orig/mysql-test/r/openssl_6975,tlsv12.result 1970-01-01 01:00:00.000000000 +0100 ++++ mysql-5.1.73/mysql-test/r/openssl_6975,tlsv12.result 2016-02-25 16:34:45.356539140 +0100 +@@ -0,0 +1,25 @@ ++grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA"; ++grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; ++TLS1.2 ciphers: user is ok with any cipher ++Variable_name Value ++Ssl_cipher AES128-SHA256 ++Variable_name Value ++Ssl_cipher DHE-RSA-AES256-GCM-SHA384 ++TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA ++ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO) ++ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO) ++TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 ++Variable_name Value ++Ssl_cipher AES128-SHA256 ++ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO) ++SSLv3 ciphers: user is ok with any cipher ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256 ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ++drop user ssl_sslv3@localhost; ++drop user ssl_tls12@localhost; +diff -rupN mysql-5.1.73.orig/mysql-test/r/ssl_8k_key.result mysql-5.1.73/mysql-test/r/ssl_8k_key.result +--- mysql-5.1.73.orig/mysql-test/r/ssl_8k_key.result 2013-11-04 20:07:39.000000000 +0100 ++++ mysql-5.1.73/mysql-test/r/ssl_8k_key.result 2016-02-25 17:28:26.913129053 +0100 +@@ -1,2 +1,2 @@ + Variable_name Value +-Ssl_cipher DHE-RSA-AES256-SHA ++Ssl_cipher DHE-RSA-AES256-GCM-SHA384 +diff -rupN mysql-5.1.73.orig/mysql-test/t/openssl_1.test mysql-5.1.73/mysql-test/t/openssl_1.test +--- mysql-5.1.73.orig/mysql-test/t/openssl_1.test 2016-02-25 16:34:16.098559321 +0100 ++++ mysql-5.1.73/mysql-test/t/openssl_1.test 2016-02-25 16:37:32.668423736 +0100 +@@ -14,10 +14,10 @@ create table t1(f1 int); + insert into t1 values (5); + + grant select on test.* to ssl_user1@localhost require SSL; +-grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; +-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB"; +-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; +-grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "xxx"; ++grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-GCM-SHA384"; ++grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-GCM-SHA384" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB"; ++grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-GCM-SHA384" AND SUBJECT "/C=SE/ST=Uppsala/O=MySQL AB" ISSUER "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB"; ++grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-GCM-SHA384" AND SUBJECT "xxx"; + flush privileges; + + connect (con1,localhost,ssl_user1,,,,,SSL); +@@ -125,6 +125,7 @@ drop table t1; + # verification of servers certificate by setting both ca certificate + # and ca path to NULL + # ++--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA + --exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 + --echo End of 5.0 tests + +@@ -250,6 +251,7 @@ select 'is still running; no cipher requ + GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; + FLUSH PRIVILEGES; + connect(con1,localhost,bug42158,,,,,SSL); ++--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA + SHOW STATUS LIKE 'Ssl_cipher'; + disconnect con1; + connection default; +diff -rupN mysql-5.1.73.orig/mysql-test/t/openssl_6975.combinations mysql-5.1.73/mysql-test/t/openssl_6975.combinations +--- mysql-5.1.73.orig/mysql-test/t/openssl_6975.combinations 1970-01-01 01:00:00.000000000 +0100 ++++ mysql-5.1.73/mysql-test/t/openssl_6975.combinations 2016-02-25 16:34:45.356539140 +0100 +@@ -0,0 +1,6 @@ ++[tlsv12] ++loose-ssl-cipher=TLSv1.2 ++ ++[tlsv10] ++loose-ssl-cipher=SSLv3 ++ +diff -rupN mysql-5.1.73.orig/mysql-test/t/openssl_6975.test mysql-5.1.73/mysql-test/t/openssl_6975.test +--- mysql-5.1.73.orig/mysql-test/t/openssl_6975.test 1970-01-01 01:00:00.000000000 +0100 ++++ mysql-5.1.73/mysql-test/t/openssl_6975.test 2016-02-25 16:57:03.081601243 +0100 +@@ -0,0 +1,37 @@ ++# ++# MDEV-6975 Implement TLS protocol ++# ++# test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2 ++# ++ ++# this is OpenSSL test. ++ ++grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA"; ++grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; ++ ++let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1; ++ ++disable_abort_on_error; ++echo TLS1.2 ciphers: user is ok with any cipher; ++exec $mysql --ssl-cipher=AES128-SHA256; ++exec $mysql --ssl-cipher=TLSv1.2; ++echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA; ++exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256; ++exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2; ++echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256; ++exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256; ++exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2; ++ ++echo SSLv3 ciphers: user is ok with any cipher; ++exec $mysql --ssl-cipher=RC4-SHA; ++exec $mysql --ssl-cipher=SSLv3; ++echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA; ++exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA; ++exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3; ++echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256; ++exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA; ++exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3; ++ ++drop user ssl_sslv3@localhost; ++drop user ssl_tls12@localhost; ++ +diff -rupN mysql-5.1.73.orig/mysql-test/t/ssl_compress.test mysql-5.1.73/mysql-test/t/ssl_compress.test +--- mysql-5.1.73.orig/mysql-test/t/ssl_compress.test 2013-11-04 20:07:29.000000000 +0100 ++++ mysql-5.1.73/mysql-test/t/ssl_compress.test 2016-02-25 16:34:45.356539140 +0100 +@@ -10,6 +10,7 @@ + connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); + + # Check ssl turned on ++--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA + SHOW STATUS LIKE 'Ssl_cipher'; + + # Check compression turned on +@@ -19,6 +20,7 @@ SHOW STATUS LIKE 'Compression'; + -- source include/common-tests.inc + + # Check ssl turned on ++--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA + SHOW STATUS LIKE 'Ssl_cipher'; + + # Check compression turned on +diff -rupN mysql-5.1.73.orig/mysql-test/t/ssl.test mysql-5.1.73/mysql-test/t/ssl.test +--- mysql-5.1.73.orig/mysql-test/t/ssl.test 2013-11-04 20:07:29.000000000 +0100 ++++ mysql-5.1.73/mysql-test/t/ssl.test 2016-02-25 16:34:45.356539140 +0100 +@@ -9,12 +9,14 @@ + connect (ssl_con,localhost,root,,,,,SSL); + + # Check ssl turned on ++--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA + SHOW STATUS LIKE 'Ssl_cipher'; + + # Source select test case + -- source include/common-tests.inc + + # Check ssl turned on ++--replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA + SHOW STATUS LIKE 'Ssl_cipher'; + + connection default; +diff -rupN mysql-5.1.73.orig/vio/viossl.c mysql-5.1.73/vio/viossl.c +--- mysql-5.1.73.orig/vio/viossl.c 2013-11-04 19:52:27.000000000 +0100 ++++ mysql-5.1.73/vio/viossl.c 2016-02-25 16:34:45.357539140 +0100 +@@ -147,7 +147,7 @@ int vio_ssl_close(Vio *vio) + break; + default: /* Shutdown failed */ + DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d", +- SSL_get_error(ssl, r))); ++ (int)SSL_get_error(ssl, r))); + break; + } + } +@@ -176,6 +176,7 @@ void vio_ssl_delete(Vio *vio) + static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout, + int (*connect_accept_func)(SSL*)) + { ++ long options; + SSL *ssl; + my_bool unused; + my_bool was_blocking; +@@ -199,7 +200,11 @@ static int ssl_do(struct st_VioSSLFd *pt + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + #ifndef HAVE_YASSL +- SSL_set_options(ssl, SSL_OP_NO_COMPRESSION); ++ options = SSL_OP_ALL; ++ options |= SSL_OP_NO_SSLv2; ++ options |= SSL_OP_NO_SSLv3; ++ options |= SSL_OP_NO_COMPRESSION; ++ SSL_set_options(ssl, options); + #endif + + if (connect_accept_func(ssl) < 1) +diff -rupN mysql-5.1.73.orig/vio/viosslfactories.c mysql-5.1.73/vio/viosslfactories.c +--- mysql-5.1.73.orig/vio/viosslfactories.c 2016-02-25 16:34:16.095559323 +0100 ++++ mysql-5.1.73/vio/viosslfactories.c 2016-02-25 16:34:45.357539140 +0100 +@@ -245,8 +245,8 @@ new_VioSSLFd(const char *key_file, const + DBUG_RETURN(0); + + if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client_method ? +- TLSv1_client_method() : +- TLSv1_server_method()))) ++ SSLv23_client_method() : ++ SSLv23_server_method()))) + { + *error= SSL_INITERR_MEMFAIL; + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); +@@ -255,6 +255,8 @@ new_VioSSLFd(const char *key_file, const + DBUG_RETURN(0); + } + ++ SSL_CTX_set_options(ssl_fd->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); ++ + /* + Set the ciphers that can be used + NOTE: SSL_CTX_set_cipher_list will return 0 if |