MDEV-10332 support for OpenSSL 1.1 and LibreSSL

Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
MariaDB · May 9, 2017 · f8866f8 · f8866f8
1 parent eb2b7ff
commit f8866f8
Show file tree

Hide file tree

Showing 19 changed files with 254 additions and 88 deletions.
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl)
             needHdr = true;
         else {
             buffer >> hdr;
+            /*
+              According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello
+              packet needs to specify the highest supported TLS version, but not
+              higher than what client requests. YaSSL highest supported version is
+              TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it
+              here to 3.2.
+              See also Appendix E of RFC 5246 (TLS 1.2)
+            */
+            if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2)
+              hdr.version_.minor_ = 2;
             ssl.verifyState(hdr);
         }
 

diff --git a/include/my_crypt.h b/include/my_crypt.h
@@ -21,4 +21,19 @@
 #include <my_config.h> /* HAVE_EncryptAes128{Ctr,Gcm} */
 #include <mysql/service_my_crypt.h>
 
+/* OpenSSL version specific definitions */
+#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define ERR_remove_state(X)
+#else
+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
+#define RAND_OpenSSL() RAND_SSLeay();
+#if defined(HAVE_ERR_remove_thread_state)
+#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
+#endif
+#endif
+#elif defined(HAVE_YASSL)
+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
+#endif /* !defined(HAVE_YASSL) */
+
 #endif /* MY_CRYPT_INCLUDED */
diff --git a/include/violite.h b/include/violite.h
@@ -146,14 +146,15 @@ typedef my_socket YASSL_SOCKET_T;
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-#ifdef HAVE_ERR_remove_thread_state
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define ERR_remove_state(X)
+#elif defined(HAVE_ERR_remove_thread_state)
 #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
 #endif
-
 enum enum_ssl_init_error
 {
-  SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, 
-  SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, 
+  SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
+  SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
   SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR
 };
 const char* sslGetErrString(enum enum_ssl_init_error err);

diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc
@@ -0,0 +1,5 @@
+if ($CLIENT_TLS_LIBRARY != "OpenSSL") {
+  if ($CLIENT_TLS_LIBRARY != "LibreSSL") {
+    skip "Test requires Connector/C with OpenSSL library";
+  }
+}
diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl
@@ -2279,6 +2279,11 @@ sub environment_setup {
   $ENV{'MYSQL_PLUGIN'}=             $exe_mysql_plugin;
   $ENV{'MYSQL_EMBEDDED'}=           $exe_mysql_embedded;
 
+  my $client_config_exe= 
+    native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config");
+  my $tls_info= `$client_config_exe --tlsinfo`;
+  ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})=
+    split(/ /, $tls_info, 2);
   my $exe_mysqld= find_mysqld($basedir);
   $ENV{'MYSQLD'}= $exe_mysqld;
   my $extra_opts= join (" ", @opt_extra_mysqld_opt);

diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result
@@ -209,7 +209,7 @@ DROP TABLE t1;
 Variable_name	Value
 Ssl_cipher	AES256-SHA
 Variable_name	Value
-Ssl_cipher	DES-CBC3-SHA
+Ssl_cipher	AES128-SHA
 select 'is still running; no cipher request crashed the server' as result from dual;
 result
 is still running; no cipher request crashed the server

diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result
@@ -1,24 +1,24 @@
 create user ssl_sslv3@localhost;
-grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
 create user ssl_tls12@localhost;
 grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
 TLS1.2 ciphers: user is ok with any cipher
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 SSLv3 ciphers: user is ok with any cipher
 Variable_name	Value
-Ssl_cipher	RC4-SHA
+Ssl_cipher	AES256-SHA
 Variable_name	Value
 Ssl_cipher	DHE-RSA-AES256-SHA
-SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA
 Variable_name	Value
-Ssl_cipher	RC4-SHA
+Ssl_cipher	AES128-SHA
 ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
 SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
 ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)

diff --git a/mysql-test/r/openssl_6975,tlsv12.result b/mysql-test/r/openssl_6975,tlsv12.result
@@ -1,13 +1,13 @@
 create user ssl_sslv3@localhost;
-grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
 create user ssl_tls12@localhost;
 grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
 TLS1.2 ciphers: user is ok with any cipher
 Variable_name	Value
 Ssl_cipher	AES128-SHA256
 Variable_name	Value
 Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
-TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
+TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA
 ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
 ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
 TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
@@ -17,7 +17,7 @@ ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using passwo
 SSLv3 ciphers: user is ok with any cipher
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
+SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
 SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256

diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test
@@ -225,7 +225,7 @@ DROP TABLE t1;
 
 # Common ciphers to openssl and yassl
 --exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
---exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DES-CBC3-SHA
+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
 --disable_query_log
 --disable_result_log
 

diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test
@@ -4,11 +4,13 @@
 # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
 #
 source include/have_ssl_communication.inc;
+source include/require_openssl_client.inc;
 
 # this is OpenSSL test.
 
 create user ssl_sslv3@localhost;
-grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
+# grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
 create user ssl_tls12@localhost;
 grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
 
@@ -18,22 +20,23 @@ disable_abort_on_error;
 echo TLS1.2 ciphers: user is ok with any cipher;
 exec $mysql                  --ssl-cipher=AES128-SHA256;
 --replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384
-exec $mysql                  --ssl-cipher=TLSv1.2;
-echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
+--replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
+exec $mysql                  --ssl-cipher=TLSv1.2
+echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
 exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
 exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
 echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
 exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
 exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
 
 echo SSLv3 ciphers: user is ok with any cipher;
-exec $mysql                  --ssl-cipher=RC4-SHA;
-exec $mysql                  --ssl-cipher=SSLv3;
-echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
-exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
+exec $mysql                  --ssl-cipher=AES256-SHA;
+exec $mysql                  --ssl-cipher=DHE-RSA-AES256-SHA
+echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
 exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
 echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
-exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;
 exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
 
 drop user ssl_sslv3@localhost;

diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test
@@ -26,7 +26,7 @@ create procedure have_ssl()
 # we fake the test result for yassl
 let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
 if (!$yassl) {
-  --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate"
+  --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
   --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 }
 if ($yassl) {

diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test
@@ -1,4 +1,5 @@
 # This test should work in embedded server after we fix mysqltest
+-- source include/require_openssl_client.inc
 -- source include/not_embedded.inc
 
 -- source include/have_ssl_communication.inc