ChangeSet@1.2703, 2007-12-07 09:35:28-05:00, cmiller@zippy.cornsilk.net +40 -0
Bug#13174: SHA2 function
Patch contributed from Bill Karwin, paper unnumbered CLA in Seattle
Implement SHA2 functions.
Chad added code to make it work with YaSSL. Also, he removed the
(probable) bug of embedded server never using SSL-dependent
functions. (libmysqld/Makefile.am didn't read ANY autoconf defs.)
Function specification:
SHA2( string cleartext, integer hash_length )
-> string hash, or NULL
where hash_length is one of 224, 256, 384, or 512. If either is
NULL or a length is unsupported, then the result is NULL. The
resulting string is always the length of the hash_length parameter
or is NULL.
Include the canonical hash examples from the NIST in the test
results.
---
Polish and address concerns of reviewers.
The problem is that the server failed to follow the rule that
every X509 object retrieved using SSL_get_peer_certificate()
must be explicitly freed by X509_free(). This caused a memory
leak for builds linked against OpenSSL where the X509 object
is reference counted -- improper counting will prevent the
object from being destroyed once the session containing the
peer certificate is freed.
The solution is to explicitly free every X509 object used.
- If missing: add "disconnect <session>"
- If physical disconnect of non "default" sessions is not finished
at test end: add routine which waits till this happened
+ additional improvements like
- remove superfluous files created by the test
- replace error numbers by error names
- remove trailing spaces, replace tabs by spaces
- unify writing of bugs within comments
- correct comments
- minor changes of formatting
Modifications according to the code review are included.
Fixed tests:
grant2
grant3
lock_tables_lost_commit
mysqldump
openssl_1
outfile
using crashes server
When the server is configured to use a RSA key, and when the client sends
a cipher-suite list that contains a non-RSA key as acceptable, the server
would try to process that key even though it was impossible.
Now, yaSSL sets its own acceptable-cipher list according to what kind of
key the server is started with, and will never explore and try to pair
impossible combinations.
This involves a partial import of the current YaSSL tree, not the whole
thing, so as to try to avoid introducing new bugs.
(Updated to avoid many whitespace changes and make diff smaller.)
- Change check for return value of 'SSL_CTX_set_cipher_list'
in order to handle 0 as error setting cipher.
- Thanks to Dan Lukes for finding the problem!
- Turn off verification of peer if both ca_path and ca_file is null
i.e from only passing --ssl-key=<client_key> and --ssl-cert=<client_cert>
to the mysql utility programs.
The server will authenticate the client accoring to GRANT tables
but the client won't authenticate the server
- Small difference in output from 'X509_NAME_Oneline' between OpenSSL and yaSSL. OpenSSL uses
an extension that allow's the email adress of the cert holder.
- Imported patch for yaSSL "add email to DN output"
when X.509 subject was required for a connect, we tested whether it was the right
one, but did not refuse the connexion if not. fixed.
(corrected CS now --replace_results socket-path)
- Added show status variable "compression" for checking that compression is turned on.
- Updated show status variable "have_openssl" to be set to DISABLED if server supports ssl but it's not turned on to accept incoming ssl connections.
- Setup server to accept ssl connections from clients ig that is supported by server
- New tests
- ssl - Run with ssl turned on
- ssl_compress - Run with ssl and compression turned on
- compress - Run with compression turned in
- Updated test
- openssl_1, rpl_openssl1 - Changed to run if server supports ssl
