Fix schannel problems that popup on Win2012 R2 buildbot

- Do not acquire a named context, because this might run into permissions problem. - Avoid sending TLS1.2 version by default. Yassl wrongfully rejects it with a bad handshake (it should consider that 1.1 and 1.0 are supported too but it does not)
mariadb-corporation · Apr 5, 2016 · 6190f60 · 6190f60
1 parent ec878da
commit 6190f60
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 15 deletions.
diff --git a/libmariadb/secure/ma_schannel.c b/libmariadb/secure/ma_schannel.c
@@ -296,7 +296,7 @@ my_bool ma_schannel_load_private_key(MARIADB_PVIO *pvio, CERT_CONTEXT *ctx, char
    LPBYTE priv_key= NULL;
    HCRYPTPROV  crypt_prov= 0;
    HCRYPTKEY  crypt_key= 0;
-   CERT_KEY_CONTEXT kpi;
+   CERT_KEY_CONTEXT kpi={ 0 };
    my_bool rc= 0;
 
    /* load private key into der binary object */
@@ -332,16 +332,11 @@ my_bool ma_schannel_load_private_key(MARIADB_PVIO *pvio, CERT_CONTEXT *ctx, char
      goto end;
    }
 
-   /* Acquire context:
-      If pvio_schannel context doesn't exist, create a new one */
-   if (!CryptAcquireContext(&crypt_prov, "pvio_schannel", MS_ENHANCED_PROV, PROV_RSA_FULL, 0))
+   /* Acquire context */
+   if (!CryptAcquireContext(&crypt_prov, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
    {
-     DWORD last_error = GetLastError();
-     if (last_error != NTE_BAD_KEYSET || !CryptAcquireContext(&crypt_prov, "pvio_schannel", MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_NEWKEYSET))
-     {
-       ma_schannel_set_win_error(pvio);
-       goto end;
-     }
+     ma_schannel_set_win_error(pvio);
+     goto end;
    }
    /* ... and import the private key */
    if (!CryptImportKey(crypt_prov, priv_key, priv_key_len, 0, 0, (HCRYPTKEY *)&crypt_key))
@@ -350,7 +345,6 @@ my_bool ma_schannel_load_private_key(MARIADB_PVIO *pvio, CERT_CONTEXT *ctx, char
      goto end;
    }
 
-   SecureZeroMemory(&kpi, sizeof(kpi));
    kpi.hCryptProv= crypt_prov;
    kpi.dwKeySpec = AT_KEYEXCHANGE;
    kpi.cbSize= sizeof(kpi);

diff --git a/libmariadb/secure/schannel.c b/libmariadb/secure/schannel.c
@@ -281,10 +281,10 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
 
   ZeroMemory(&Cred, sizeof(SCHANNEL_CRED));
 
+  WORD validTokens = 0;
   /* Set cipher */
   if (mysql->options.ssl_cipher)
   {
-    WORD validTokens = 0;
     char *token = strtok(mysql->options.ssl_cipher, ":");
     while (token)
     {
@@ -300,8 +300,11 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
       token = strtok(NULL, ":");
     }
   }
-  Cred.palgSupportedAlgs = (ALG_ID *)&AlgId;
-
+  if (validTokens)
+  {
+    Cred.palgSupportedAlgs = (ALG_ID *)&AlgId;
+    Cred.cSupportedAlgs = validTokens;
+  }
   Cred.dwVersion= SCHANNEL_CRED_VERSION;
   if (mysql->options.extension)
     Cred.dwMinimumCipherStrength = MAX(128, mysql->options.extension->tls_cipher_strength);
@@ -314,7 +317,7 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
     Cred.cCreds = 1;
     Cred.paCred = &sctx->client_cert_ctx;
   }
-  Cred.grbitEnabledProtocols= 0;
+  Cred.grbitEnabledProtocols= SP_PROT_TLS1_0|SP_PROT_TLS1_1;
   if (mysql->options.extension && mysql->options.extension->tls_version)
   {
     if (strstr("TLSv1.0", mysql->options.extension->tls_version))