MDEV-7697 Client reports ERROR 2006 (MySQL server has gone away) or ERROR 2013 (Lost connection to MySQL server during query) while executing AES* functions under SSL

vuvova · vuvova · commit cc12a35cde45 · 2015-05-03T11:21:57.000+02:00
Clear OpenSSL error queue after an error in AES_ENCRYPT/AES_DECRYPT.
Otherwise it might affect current ssl-encrypted connection.
diff --git a/mysql-test/r/ssl.result b/mysql-test/r/ssl.result
@@ -2166,3 +2166,9 @@ drop table t1;
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
 Ssl_cipher	DHE-RSA-AES256-SHA
+select aes_decrypt('MySQL','adf');
+aes_decrypt('MySQL','adf')
+NULL
+select 'still connected?';
+still connected?
+still connected?
diff --git a/mysql-test/t/ssl.test b/mysql-test/t/ssl.test
@@ -25,11 +25,14 @@ SHOW STATUS LIKE 'Ssl_server_not_after';
 --replace_result DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
 SHOW STATUS LIKE 'Ssl_cipher';
 
+#
+# MDEV-7697 Client reports ERROR 2006 (MySQL server has gone away) or ERROR 2013 (Lost connection to MySQL server during query) while executing AES* functions under SSL
+#
+select aes_decrypt('MySQL','adf');
+select 'still connected?';
+
 connection default;
 disconnect ssl_con;
 
 # Wait till all disconnects are completed
 --source include/wait_until_count_sessions.inc
-
-##  This test file is for testing encrypted communication only, not other
-##  encryption routines that the SSL library happens to provide!
diff --git a/mysys_ssl/my_aes.cc b/mysys_ssl/my_aes.cc
@@ -24,6 +24,7 @@
 #elif defined(HAVE_OPENSSL)
 #include <openssl/aes.h>
 #include <openssl/evp.h>
+#include <openssl/err.h>
 
 // Wrap C struct, to ensure resources are released.
 struct MyCipherCtx
@@ -165,14 +166,17 @@ int my_aes_encrypt(const char* source, int source_length, char* dest,
 #elif defined(HAVE_OPENSSL)
   if (! EVP_EncryptInit(&ctx.ctx, EVP_aes_128_ecb(),
                         (const unsigned char *) rkey, NULL))
-    return AES_BAD_DATA;                        /* Error */
+    goto err;
   if (! EVP_EncryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len,
                           (unsigned const char *) source, source_length))
-    return AES_BAD_DATA;                        /* Error */
+    goto err;
   if (! EVP_EncryptFinal(&ctx.ctx, (unsigned char *) dest + u_len, &f_len))
-    return AES_BAD_DATA;                        /* Error */
+    goto err;
 
   return u_len + f_len;
+err:
+  ERR_remove_state(0);
+  return AES_BAD_DATA;
 #endif
 }
 
@@ -248,13 +252,16 @@ int my_aes_decrypt(const char *source, int source_length, char *dest,
 #elif defined(HAVE_OPENSSL)
   if (! EVP_DecryptInit(&ctx.ctx, EVP_aes_128_ecb(),
                         (const unsigned char *) rkey, NULL))
-    return AES_BAD_DATA;                        /* Error */
+    goto err;
   if (! EVP_DecryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len,
                           (unsigned const char *) source, source_length))
-    return AES_BAD_DATA;                        /* Error */
+    goto err;
   if (! EVP_DecryptFinal(&ctx.ctx, (unsigned char *) dest + u_len, &f_len))
-    return AES_BAD_DATA;                        /* Error */
+    goto err;
   return u_len + f_len;
+err:
+  ERR_remove_state(0);
+  return AES_BAD_DATA;
 #endif
 }
 
