[MDEV-29817] Issues with handling options for SSL CRLs (and some others) - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.11, 10.4.26, 10.5.17, 10.10.1, 10.6.10, 10.7.6, 10.8.5, 10.9.3
Fix Version/s: 10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.9.5, 10.10.3
Component/s: Server, SSL
Labels:
None

Description

Looking for a problem that leads to instability of ssl tests for Galera, I seem to have found an issue in the description of the ssl options for the client and server in the sslopt-longopts.h file. In this snippet:

  {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",

   &opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG,

   0, 0, 0, 0, 0, 0},

  {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).",

   &opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,

   0, 0, 0, 0, 0, 0},

  {"ssl-crlpath", OPT_SSL_KEY,

    "Certificate revocation list path (implies --ssl).",

   &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,

   0, 0, 0, 0, 0, 0},

the OPT_SSL_KEY option code is repeated three times, although this is probably the result of copy-paste. Also a question about assigning "opt_ssl_crl= NULL;" in the sslopt-case.h - perhaps (not sure) there may be a memory leak.

Also, in several client files, a common fragment similar to this is repeated:

#ifdef HAVE_OPENSSL

  if (opt_use_ssl)

    mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,

                  opt_ssl_capath, opt_ssl_cipher);

    mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);

    mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);

    mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);

  mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,

                (char*)&opt_ssl_verify_server_cert);

#endif /*HAVE_OPENSSL*/

There is a possibility that sometimes the option MARIADB_OPT_TLS_VERSION and/or MYSQL_OPT_SSL_VERIFY_SERVER_CERT is forgotten there (mysqlcheck.c, mysqltest.cc, mysqlslap.c)

Also in slave.cc there is a fragment with an explicit repetition:

  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,

                  &mi->ssl_verify_server_cert);

    mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,

                  mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);

    mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,

                  &mi->ssl_verify_server_cert);

Probably there in the first case there should be the MYSQL_OPT_SSL_CRL. option. And perhaps MARIADB_OPT_TLS_VERSION is forgotten here.

And mariadb_lib.c file, this fragment:

case MYSQL_OPT_SSL_CRL:

    *((char **)arg)= mysql->options.extension ? mysql->options.ssl_cipher : NULL;

    break;

"mysql->options.ssl_cipher" probably should be replaced to "mysql->options.extension->ssl_crl"

Attachments

Activity

People

Assignee:: Julius Goryavsky

Reporter:: Julius Goryavsky

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-10-18 15:42

Updated:: 2022-11-23 08:03

Resolved:: 2022-11-22 13:16

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.