[MDEV-29817] Issues with handling options for SSL CRLs (and some others) Created: 2022-10-18  Updated: 2022-11-23  Resolved: 2022-11-22

Status: Closed
Project: MariaDB Server
Component/s: Server, SSL
Affects Version/s: 10.4.26, 10.5.17, 10.10.1, 10.6.10, 10.7.6, 10.8.5, 10.9.3, 10.11
Fix Version/s: 10.11.2, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.9.5, 10.10.3

Type: Bug Priority: Critical
Reporter: Julius Goryavsky Assignee: Julius Goryavsky
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocks

Description

Looking for a problem that leads to instability of ssl tests for Galera, I seem to have found an issue in the description of the ssl options for the client and server in the sslopt-longopts.h file. In this snippet:

  {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",
   &opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG,
   0, 0, 0, 0, 0, 0},
  {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).",
   &opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,
   0, 0, 0, 0, 0, 0},
  {"ssl-crlpath", OPT_SSL_KEY, 
    "Certificate revocation list path (implies --ssl).",
   &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
   0, 0, 0, 0, 0, 0},

the OPT_SSL_KEY option code is repeated three times, although this is probably the result of copy-paste. There is also a question about the assignment "opt_ssl_crl= NULL;" in sslopt-case.h: perhaps (not sure) there may be a memory leak.
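The copy-pasted option code matters because a table-driven parser of this kind stores the value through the row's variable pointer but dispatches any per-option handling on the code, so the value can land in the right variable while the handler sees the wrong option. The following is an added example, not code from this report or from MariaDB: a constructed miniature of such a table (the enum values, the struct layout, count_duplicate_ids and parse_long_opt are all assumptions made for illustration) that shows --ssl-crl being reported to the handler as OPT_SSL_KEY with the table as reported, and a duplicate-code check of the kind a build-time self-test could run over a real option table.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Option codes, constructed for this example (not MariaDB's enum values). */
enum { OPT_SSL_KEY = 1, OPT_SSL_CRL, OPT_SSL_CRLPATH };

/* Minimal stand-in for a my_getopt-style option row: name, code, storage.
   Constructed for this example; the real struct has many more fields. */
struct opt_row {
    const char  *name;
    int          id;
    const char **var;
};

static const char *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath;

/* Table as reported: the CRL rows carry the copy-pasted OPT_SSL_KEY code. */
static struct opt_row buggy_table[] = {
    {"ssl-key",     OPT_SSL_KEY, &opt_ssl_key},
    {"ssl-crl",     OPT_SSL_KEY, &opt_ssl_crl},
    {"ssl-crlpath", OPT_SSL_KEY, &opt_ssl_crlpath},
    {NULL, 0, NULL}
};

/* Same table with each option given its own code. */
static struct opt_row fixed_table[] = {
    {"ssl-key",     OPT_SSL_KEY,     &opt_ssl_key},
    {"ssl-crl",     OPT_SSL_CRL,     &opt_ssl_crl},
    {"ssl-crlpath", OPT_SSL_CRLPATH, &opt_ssl_crlpath},
    {NULL, 0, NULL}
};

/* Count rows whose code already appeared in an earlier row.
   A well-formed table returns 0; anything else is a copy-paste defect. */
int count_duplicate_ids(const struct opt_row *t)
{
    int dups = 0;
    for (size_t i = 0; t[i].name; i++)
        for (size_t j = 0; j < i; j++)
            if (t[j].id == t[i].id) { dups++; break; }
    return dups;
}

/* Parse one "--name=value" argument: store the value through the row's
   pointer and return the code a per-option handler would switch on.
   Returns -1 for an argument that matches no row. */
int parse_long_opt(const struct opt_row *t, const char *arg)
{
    const char *eq;
    size_t len;
    if (strncmp(arg, "--", 2) != 0 || (eq = strchr(arg, '=')) == NULL)
        return -1;
    len = (size_t)(eq - arg - 2);
    for (size_t i = 0; t[i].name; i++) {
        if (strlen(t[i].name) == len && strncmp(t[i].name, arg + 2, len) == 0) {
            *t[i].var = eq + 1;   /* value is stored correctly either way */
            return t[i].id;       /* but the handler is told this code  */
        }
    }
    return -1;
}

int main(void)
{
    printf("duplicate codes in reported table: %d\n",
           count_duplicate_ids(buggy_table));
    printf("--ssl-crl dispatches as code %d (OPT_SSL_KEY=%d) with the reported table\n",
           parse_long_opt(buggy_table, "--ssl-crl=/tmp/crl.pem"), OPT_SSL_KEY);
    printf("--ssl-crl dispatches as code %d (OPT_SSL_CRL=%d) with the fixed table\n",
           parse_long_opt(fixed_table, "--ssl-crl=/tmp/crl.pem"), OPT_SSL_CRL);
    return 0;
}
```

With the reported table, opt_ssl_crl still receives the path (storage goes through the pointer), which is why the defect is easy to miss; it only shows once a handler branches on the code. A duplicate-code scan like count_duplicate_ids, run over the real table in a unit test, catches the pattern before it reaches a release.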

Also, in several client files, a common fragment similar to this is repeated:

#ifdef HAVE_OPENSSL
  if (opt_use_ssl)
  {
    mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
                  opt_ssl_capath, opt_ssl_cipher);
    mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
    mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
    mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);
  }
  mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                (char*)&opt_ssl_verify_server_cert);
#endif /*HAVE_OPENSSL*/

There is a possibility that sometimes the option MARIADB_OPT_TLS_VERSION and/or MYSQL_OPT_SSL_VERIFY_SERVER_CERT is forgotten there (mysqlcheck.c, mysqltest.cc, mysqlslap.c).

Also in slave.cc there is a fragment with an explicit repetition:

  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                &mi->ssl_verify_server_cert);
  mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
                mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
                &mi->ssl_verify_server_cert);

Probably in the first case there should be the MYSQL_OPT_SSL_CRL option. And perhaps MARIADB_OPT_TLS_VERSION is forgotten here.

And in the mariadb_lib.c file, this fragment:

case MYSQL_OPT_SSL_CRL:
    *((char **)arg)= mysql->options.extension ? mysql->options.ssl_cipher : NULL;
    break;

"mysql->options.ssl_cipher" probably should be replaced with "mysql->options.extension->ssl_crl".



Comments
Comment by Jan Lindström (Inactive) [ 2022-10-27 ]

serg, can you please review this change? I do not know this part of the codebase.

Comment by Vladislav Vaintroub [ 2022-11-22 ]

Looks good to me. Ok to push.

Comment by Julius Goryavsky [ 2022-11-22 ]

Fixed, https://github.com/MariaDB/server/commit/f0820400ee427f1398034c6881c803e42cfd249e

Generated at Thu Feb 08 10:11:30 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.