Workaround for CONC-417, MDEV-13492

At irregular intervals older windows versions (prior Windows 10) fail to establish a secure (TLS) connection and return errors SEC_E_INVALID_TOKEN, SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED. This is a bug in windows schannel library and was only fixed in recent versions, also OpenSSL provided a workaround (see https://github.com/openssl/openssl/pull/1350). Since we are unable to fix this, we introduced a workaround for this problem. In case of an error during TLS handshake we check the errorcode and try to reconnect up to three times if the error code was SEC_E_INVALID_TOKEN, SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED.
2025-08-07 02:42:49 +03:00 · 2019-09-19 08:50:55 +02:00
parent 261a5c4355
commit de04c2e01f
4 changed files with 38 additions and 2 deletions
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -1020,7 +1020,7 @@ mysql_init(MYSQL *mysql)
  mysql->charset= mysql_find_charset_name(MARIADB_DEFAULT_CHARSET);
  mysql->methods= &MARIADB_DEFAULT_METHODS;
  strcpy(mysql->net.sqlstate, "00000");
-  mysql->net.last_error[0]= mysql->net.last_errno= 0;
+  mysql->net.last_error[0]= mysql->net.last_errno= mysql->net.extension->extended_errno= 0;

  if (ENABLED_LOCAL_INFILE != LOCAL_INFILE_MODE_OFF)
    mysql->options.client_flag|= CLIENT_LOCAL_FILES;
@@ -1199,9 +1199,39 @@ mysql_real_connect(MYSQL *mysql, const char *host, const char *user,
      return my;
    }
  }
-
+#ifndef HAVE_SCHANNEL
  return mysql->methods->db_connect(mysql, host, user, passwd,
                                    db, port, unix_socket, client_flag);
+#else
+/* 
+   With older windows versions (prior Win 10) TLS connections periodically
+   fail with SEC_E_INVALID_TOKEN, SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED
+   error (see MDEV-13492). If the connect attempt returns on of these error codes
+   in mysql->net.extended_errno we will try to connect again (max. 3 times)
+*/
+#define MAX_SCHANNEL_CONNECT_ATTEMPTS 3
+  {
+    int ssl_retry= (mysql->options.use_ssl) ? MAX_SCHANNEL_CONNECT_ATTEMPTS : 1;
+	MYSQL *my= NULL;
+    while (ssl_retry)
+    {
+      if ((my= mysql->methods->db_connect(mysql, host, user, passwd,
+                                    db, port, unix_socket, client_flag)))
+        return my;
+
+      switch (mysql->net.extension->extended_errno) {
+        case SEC_E_INVALID_TOKEN:
+        case SEC_E_BUFFER_TOO_SMALL:
+        case SEC_E_MESSAGE_ALTERED:
+          ssl_retry--;
+		  break;
+        default:
+          return NULL;
+      }
+    }
+    return my;
+  }
+#endif
 }

 MYSQL *mthd_my_real_connect(MYSQL *mysql, const char *host, const char *user,