Commit a5fd94b1 authored by Otto Kekäläinen's avatar Otto Kekäläinen

Imported Upstream version 10.0.24

parent aff5af7c
......@@ -59,6 +59,9 @@ include/mysql_version.h
include/mysqld_ername.h
include/mysqld_error.h
include/sql_state.h
include/probes_mysql.d
include/probes_mysql_dtrace.h
include/probes_mysql_nodtrace.h
info_macros.cmake
libmysql*/libmysql*_exports_file.cc
libmysql*/merge_archives_mysql*.cmake
......
......@@ -31,6 +31,7 @@ Usage: $0 [-h|-n] [configure-options]
-h, --help Show this help message.
-n, --just-print Don't actually run any commands; just print them.
-c, --just-configure Stop after running configure.
Combined with --just-print shows configure options.
--extra-configs=xxx Add this to configure options
--extra-flags=xxx Add this C and CXX flags
--extra-cflags=xxx Add this to C flags
......@@ -257,6 +258,10 @@ fi
# (http://samba.org/ccache) is installed, use it.
# We use 'grep' and hope 'grep' will work as expected
# (returns 0 if finds lines)
# As cmake doesn't like CC and CXX with a space, use symlinks from
# /usr/lib64/ccache if they exits.
if test "$USING_GCOV" != "1"
then
# Not using gcov; Safe to use ccache
......@@ -265,8 +270,14 @@ fi
if ccache -V > /dev/null 2>&1 && test "$CCACHE_GCOV_VERSION_ENABLED" = "1"
then
echo "$CC" | grep "ccache" > /dev/null || CC="ccache $CC"
echo "$CXX" | grep "ccache" > /dev/null || CXX="ccache $CXX"
if test -x /usr/lib64/ccache/gcc
then
CC=/usr/lib64/ccache/gcc
fi
if test -x /usr/lib64/ccache/g++
then
CXX=/usr/lib64/ccache/g++
fi
fi
# gcov
......
MariaDB is brought to you by the MariaDB foundation, a USA non profit
organization.
MariaDB is brought to you by the MariaDB Foundation, a non profit
organization registered in the USA.
The current main members and sponsors of the MariaDB foundation are:
The current main members and sponsors of the MariaDB Foundation are:
Automattic http://automattic.com (2014)
SkySQL Ab http://www.skysql.com (2013, 2014)
Booking.com http://www.booking.com (2013)
Parallels http://www.parallels.com/products/plesk (2013)
MariaDB Corporation http://www.mariadb.com (2013 - 2016)
Booking.com http://www.booking.com (2013 - 2016)
Parallels http://www.parallels.com/products/plesk (2013 - 2016)
Automattic http://automattic.com (2014 - 2016)
Verkkokauppa.com http://verkkokauppa.com (2015 - 2016)
Visma http://visma.com/ (2015 - 2016)
Webyog http://webyog.com (2015 - 2016)
Wikimedia Foundation http://wikimedia.org (2015 - 2016)
Acronis http://acronis.com (2016)
For a full list of supporters and sponsors see
https://mariadb.org/en/supporters/
https://mariadb.org/about/supporters/
You can also do this by doing SHOW CONTRIBUTORS.
You can also do this by running SHOW CONTRIBUTORS.
For all corporate memberships and sponsorships please contact the
MariaDB foundation Board via foundation@mariadb.org.
MariaDB Foundation Board via foundation@mariadb.org.
The MariaDB foundation is responsible for the MariaDB source
The MariaDB Foundation is responsible for the MariaDB source
repository, the official MariaDB binaries and http://mariadb.org.
The MariaDB foundation provides also, among other things, the
The MariaDB Foundation also provides, among other things, the
following services to the MariaDB community:
- Code reviews and applying patches for MariaDB
......@@ -28,17 +33,19 @@ following services to the MariaDB community:
- Bug fixing in MariaDB (for bugs that affects a large part of the community)
- Building the official MariaDB binaries
- Maintaining http://mariadb.org
- Documenting MariaDB in the MariaDB Knowledge Base http://mariadb.com/kb
To be able to do the above we need help from cooperations and individuals!
To be able to do the above we need help from corporations and individuals!
You can help support MariaDB by be becoming a MariaDB developer or a
member or sponsor of the MariaDB foundation!
You can help support MariaDB by becoming a MariaDB developer or a
member or sponsor of the MariaDB Foundation. To donate or sponsor,
go to https://mariadb.org/donate/
You can get a list of all main authors of MariaDB / MySQL by doing
You can get a list of all the main authors of MariaDB / MySQL by running
SHOW AUTHORS;
You can get a list sponsors and contributors by doing
You can get a list sponsors and contributors by running
SHOW CONTRIBUTORS;
You can read more about the MariaDB foundation at:
https://mariadb.org/en/foundation/
You can read more about the MariaDB Foundation at:
https://mariadb.org/about/
commit: 90ea0145856338221803ebb9b446ed2a6e082412
date: 2015-12-16 19:39:00 +0400
build-date: 2015-12-16 17:05:47 +0100
short: 90ea014
commit: a4b271496888e1f8628d0af36309e35293093577
date: 2016-02-17 21:42:57 +0100
build-date: 2016-02-17 22:00:05 +0100
short: a4b2714
branch: HEAD
MySQL source 10.0.23
MySQL source 10.0.24
......@@ -3,17 +3,17 @@ This is a release of MariaDB.
MariaDB is designed as a drop-in replacement of MySQL(R) with more
features, new storage engines, fewer bugs, and better performance.
MariaDB is brought to you by the MariaDB foundation.
Please read the file CREDITS for details about the MariaDB foundation,
MariaDB is brought to you by the MariaDB Foundation.
Please read the CREDITS file for details about the MariaDB Foundation,
and who is developing MariaDB.
MariaDB is developed by many of the original developers of MySQL who
now work for MariadB foundation and SkySQL Ab, and by many people in
now work for the MariadB Foundation and the MariaDB Corporation, and by many people in
the community.
MySQL, which is the base of MariaDB, is a product and trademark of Oracle
Corporation, Inc. For a list of developers and other contributors,
see the Credits appendix. You can also do 'SHOW authors' to get a
see the Credits appendix. You can also run 'SHOW authors' to get a
list of active contributors.
A description of the MariaDB project and a manual can be found at:
......@@ -52,7 +52,7 @@ http://mariadb.org/jira
Bugs in the MySQL code can also be submitted at http://bugs.mysql.com
The code for MariaDB, including all revision history, can be found at:
https://code.launchpad.net/maria
https://github.com/MariaDB/server
***************************************************************************
......
MYSQL_VERSION_MAJOR=10
MYSQL_VERSION_MINOR=0
MYSQL_VERSION_PATCH=23
MYSQL_VERSION_PATCH=24
......@@ -1346,6 +1346,44 @@ sig_handler mysql_end(int sig)
exit(status.exit_status);
}
/*
set connection-specific options and call mysql_real_connect
*/
static bool do_connect(MYSQL *mysql, const char *host, const char *user,
const char *password, const char *database, ulong flags)
{
if (opt_secure_auth)
mysql_options(mysql, MYSQL_SECURE_AUTH, (char *) &opt_secure_auth);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
if (opt_protocol)
mysql_options(mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
#ifdef HAVE_SMEM
if (shared_memory_base_name)
mysql_options(mysql,MYSQL_SHARED_MEMORY_BASE_NAME,shared_memory_base_name);
#endif
if (opt_plugin_dir && *opt_plugin_dir)
mysql_options(mysql, MYSQL_PLUGIN_DIR, opt_plugin_dir);
if (opt_default_auth && *opt_default_auth)
mysql_options(mysql, MYSQL_DEFAULT_AUTH, opt_default_auth);
mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
"program_name", "mysql");
return mysql_real_connect(mysql, host, user, password, database,
opt_mysql_port, opt_mysql_unix_port, flags);
}
/*
This function handles sigint calls
......@@ -1367,11 +1405,7 @@ sig_handler handle_sigint(int sig)
}
kill_mysql= mysql_init(kill_mysql);
mysql_options(kill_mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
mysql_options4(kill_mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
"program_name", "mysql");
if (!mysql_real_connect(kill_mysql,current_host, current_user, opt_password,
"", opt_mysql_port, opt_mysql_unix_port,0))
if (!do_connect(kill_mysql,current_host, current_user, opt_password, "", 0))
{
tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
goto err;
......@@ -4580,27 +4614,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
}
if (opt_compress)
mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
if (opt_secure_auth)
mysql_options(&mysql, MYSQL_SECURE_AUTH, (char *) &opt_secure_auth);
if (using_opt_local_infile)
mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
{
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
#ifdef HAVE_SMEM
if (shared_memory_base_name)
mysql_options(&mysql,MYSQL_SHARED_MEMORY_BASE_NAME,shared_memory_base_name);
#endif
if (safe_updates)
{
char init_command[100];
......@@ -4612,18 +4627,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
mysql_options(&mysql, MYSQL_SET_CHARSET_NAME, default_charset);
if (opt_plugin_dir && *opt_plugin_dir)
mysql_options(&mysql, MYSQL_PLUGIN_DIR, opt_plugin_dir);
if (opt_default_auth && *opt_default_auth)
mysql_options(&mysql, MYSQL_DEFAULT_AUTH, opt_default_auth);
mysql_options(&mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
mysql_options4(&mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
"program_name", "mysql");
if (!mysql_real_connect(&mysql, host, user, password,
database, opt_mysql_port, opt_mysql_unix_port,
connect_flag | CLIENT_MULTI_STATEMENTS))
if (!do_connect(&mysql, host, user, password, database,
connect_flag | CLIENT_MULTI_STATEMENTS))
{
if (!silent ||
(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&
......
......@@ -184,7 +184,8 @@ static const char *load_default_groups[]=
static void free_used_memory(void)
{
/* Free memory allocated by 'load_defaults' */
free_defaults(defaults_argv);
if (defaults_argv)
free_defaults(defaults_argv);
dynstr_free(&ds_args);
dynstr_free(&conn_args);
......@@ -1096,7 +1097,6 @@ int main(int argc, char **argv)
if (opt_systables_only && !opt_silent)
printf("The --upgrade-system-tables option was used, user tables won't be touched.\n");
/*
Read the mysql_upgrade_info file to check if mysql_upgrade
already has been run for this installation of MySQL
......
......@@ -43,7 +43,7 @@ static my_bool opt_alldbs = 0, opt_check_only_changed = 0, opt_extended = 0,
opt_silent = 0, opt_auto_repair = 0, ignore_errors = 0,
tty_password= 0, opt_frm= 0, debug_info_flag= 0, debug_check_flag= 0,
opt_fix_table_names= 0, opt_fix_db_names= 0, opt_upgrade= 0,
opt_do_tables= 1;
opt_persistent_all= 0, opt_do_tables= 1;
static my_bool opt_write_binlog= 1, opt_flush_tables= 0;
static uint verbose = 0, opt_mysql_port=0;
static int my_end_arg;
......@@ -160,6 +160,10 @@ static struct my_option my_long_options[] =
{"password", 'p',
"Password to use when connecting to server. If password is not given, it's solicited on the tty.",
0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
{"persistent", 'Z',
"When using ANALYZE TABLE use the PERSISTENT FOR ALL option.",
&opt_persistent_all, &opt_persistent_all, 0, GET_BOOL, NO_ARG,
0, 0, 0, 0, 0, 0},
#ifdef __WIN__
{"pipe", 'W', "Use named pipes to connect to server.", 0, 0, 0, GET_NO_ARG,
NO_ARG, 0, 0, 0, 0, 0, 0},
......@@ -909,6 +913,7 @@ static int handle_request_for_tables(char *tables, size_t length, my_bool view)
case DO_ANALYZE:
DBUG_ASSERT(!view);
op= (opt_write_binlog) ? "ANALYZE" : "ANALYZE NO_WRITE_TO_BINLOG";
if (opt_persistent_all) end = strmov(end, " PERSISTENT FOR ALL");
break;
case DO_OPTIMIZE:
DBUG_ASSERT(!view);
......
......@@ -5121,12 +5121,13 @@ static int my_kill(int pid, int sig)
{
#ifdef __WIN__
HANDLE proc;
if ((proc= OpenProcess(PROCESS_TERMINATE, FALSE, pid)) == NULL)
if ((proc= OpenProcess(SYNCHRONIZE|PROCESS_TERMINATE, FALSE, pid)) == NULL)
return -1;
if (sig == 0)
{
DWORD wait_result= WaitForSingleObject(proc, 0);
CloseHandle(proc);
return 0;
return wait_result == WAIT_OBJECT_0?-1:0;
}
(void)TerminateProcess(proc, 201);
CloseHandle(proc);
......
......@@ -86,6 +86,9 @@ IF(ENABLE_DTRACE)
${CMAKE_BINARY_DIR}/include/probes_mysql_dtrace.h
${CMAKE_BINARY_DIR}/include/probes_mysql_nodtrace.h
)
ELSE()
CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/include/probes_mysql_nodtrace.h.in
${CMAKE_BINARY_DIR}/include/probes_mysql_nodtrace.h COPYONLY)
ENDIF()
FUNCTION(DTRACE_INSTRUMENT target)
......
......@@ -20,18 +20,22 @@ MACRO (CHECK_JEMALLOC)
SET(CMAKE_REQUIRED_LIBRARIES pthread dl m)
SET(what bundled)
ELSE()
SET(libname jemalloc)
SET(libname jemalloc c)
SET(what system)
ENDIF()
CHECK_LIBRARY_EXISTS(${libname} malloc_stats_print "" HAVE_JEMALLOC)
FOREACH(lib ${libname})
CHECK_LIBRARY_EXISTS(${lib} malloc_stats_print "" HAVE_JEMALLOC_IN_${lib})
IF (HAVE_JEMALLOC_IN_${lib})
SET(LIBJEMALLOC ${lib})
SET(MALLOC_LIBRARY "${what} jemalloc")
BREAK()
ENDIF()
ENDFOREACH()
SET(CMAKE_REQUIRED_LIBRARIES)
IF (HAVE_JEMALLOC)
SET(LIBJEMALLOC ${libname})
SET(MALLOC_LIBRARY "${what} jemalloc")
ELSEIF (NOT WITH_JEMALLOC STREQUAL "auto")
MESSAGE(FATAL_ERROR "${libname} is not found")
IF (NOT LIBJEMALLOC AND NOT WITH_JEMALLOC STREQUAL "auto")
MESSAGE(FATAL_ERROR "jemalloc is not found")
ENDIF()
ENDIF()
ENDMACRO()
......@@ -87,6 +87,11 @@ MACRO(CREATE_EXPORT_FILE VAR TARGET API_FUNCTIONS)
ENDFOREACH()
SET(CONTENT "${CONTENT} (void *)0\n}\;")
CONFIGURE_FILE_CONTENT(${CONTENT} ${EXPORTS})
# Avoid "function redeclared as variable" error
# when using gcc/clang option -flto(link time optimization)
IF(" ${CMAKE_C_FLAGS} ${CMAKE_CXX_FLAGS} " MATCHES " -flto")
SET_SOURCE_FILES_PROPERTIES(${EXPORTS} PROPERTIES COMPILE_FLAGS "-fno-lto")
ENDIF()
SET(${VAR} ${EXPORTS})
ENDIF()
ENDMACRO()
......
......@@ -74,7 +74,7 @@ MACRO(MYSQL_ADD_PLUGIN)
SET(WITH_${plugin} 1)
ELSEIF(WITHOUT_${plugin} OR WITHOUT_${plugin}_STORAGE_ENGINE OR
WITH_NONE OR ${plugin}_DISABLED)
WITH_NONE OR ARG_DISABLED)
SET(WITHOUT_${plugin} 1)
SET(WITH_${plugin}_STORAGE_ENGINE 0)
SET(WITH_${plugin} 0)
......
......@@ -55,6 +55,7 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
SET(SSL_INCLUDE_DIRS ${INC_DIRS})
SET(SSL_INTERNAL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/mySTL)
SET(SSL_DEFINES "-DHAVE_YASSL -DYASSL_PREFIX -DHAVE_OPENSSL -DMULTI_THREADED")
SET(HAVE_ERR_remove_thread_state OFF CACHE INTERNAL "yassl doesn't have ERR_remove_thread_state")
CHANGE_SSL_SETTINGS("bundled")
ADD_SUBDIRECTORY(extra/yassl)
ADD_SUBDIRECTORY(extra/yassl/taocrypt)
......@@ -199,6 +200,10 @@ MACRO (MYSQL_CHECK_SSL)
SET(SSL_INCLUDE_DIRS ${OPENSSL_INCLUDE_DIR})
SET(SSL_INTERNAL_INCLUDE_DIRS "")
SET(SSL_DEFINES "-DHAVE_OPENSSL")
SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h"
HAVE_ERR_remove_thread_state)
ELSE()
IF(WITH_SSL STREQUAL "system")
MESSAGE(SEND_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
......
......@@ -93,6 +93,7 @@
#cmakedefine HAVE_SYS_TYPES_H 1
#cmakedefine HAVE_SYS_UN_H 1
#cmakedefine HAVE_SYS_VADVISE_H 1
#cmakedefine HAVE_UCONTEXT_H 1
#cmakedefine HAVE_TERM_H 1
#cmakedefine HAVE_TERMBITS_H 1
#cmakedefine HAVE_TERMIOS_H 1
......@@ -289,7 +290,6 @@
#cmakedefine HAVE_THR_YIELD 1
#cmakedefine HAVE_TIME 1
#cmakedefine HAVE_TIMES 1
#cmakedefine HAVE_UCONTEXT 1
#cmakedefine HAVE_VALLOC 1
#cmakedefine HAVE_VIDATTR 1
#define HAVE_VIO_READ_BUFF 1
......@@ -466,7 +466,7 @@
#cmakedefine HAVE_BSD_SIGNALS 1
#cmakedefine HAVE_SVR3_SIGNALS 1
#cmakedefine HAVE_V7_SIGNALS 1
#cmakedefine HAVE_ERR_remove_thread_state 1
#cmakedefine HAVE_SOLARIS_STYLE_GETHOST 1
......
......@@ -790,16 +790,36 @@ ENDIF()
#
# Test for how the C compiler does inline, if at all
#
# SunPro is weird, apparently it only supports inline at -xO3 or -xO4.
# And if CMAKE_C_FLAGS has -xO4 but CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE} has -xO2
# then CHECK_C_SOURCE_COMPILES will succeed but the built will fail.
# We must test all flags here.
# XXX actually, we can do this for all compilers, not only SunPro
IF (CMAKE_CXX_COMPILER_ID MATCHES "SunPro" AND
CMAKE_GENERATOR MATCHES "Makefiles")
STRING(TOUPPER "CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE}" flags)
SET(CMAKE_REQUIRED_FLAGS "${${flags}}")
ENDIF()
CHECK_C_SOURCE_COMPILES("
static inline int foo(){return 0;}
extern int bar(int x);
static inline int foo(){return bar(1);}
int main(int argc, char *argv[]){return 0;}"
C_HAS_inline)
IF(NOT C_HAS_inline)
CHECK_C_SOURCE_COMPILES("
static __inline int foo(){return 0;}
extern int bar(int x);
static __inline int foo(){return bar(1);}
int main(int argc, char *argv[]){return 0;}"
C_HAS___inline)
SET(C_INLINE __inline)
IF(C_HAS___inline)
SET(C_INLINE __inline)
ElSE()
SET(C_INLINE)
MESSAGE(WARNING "C compiler does not support funcion inlining")
IF(NOT NOINLINE)
MESSAGE(FATAL_ERROR "Use -DNOINLINE=TRUE to allow compilation without inlining")
ENDIF()
ENDIF()
ENDIF()
IF(NOT CMAKE_CROSSCOMPILING AND NOT MSVC)
......@@ -1057,5 +1077,8 @@ CHECK_STRUCT_HAS_MEMBER("struct dirent" d_ino "dirent.h" STRUCT_DIRENT_HAS_D_IN
CHECK_STRUCT_HAS_MEMBER("struct dirent" d_namlen "dirent.h" STRUCT_DIRENT_HAS_D_NAMLEN)
SET(SPRINTF_RETURNS_INT 1)
CHECK_INCLUDE_FILE(ucontext.h HAVE_UCONTEXT_H)
IF(NOT HAVE_UCONTEXT_H)
CHECK_INCLUDE_FILE(sys/ucontext.h HAVE_UCONTEXT_H)
ENDIF()
CHECK_STRUCT_HAS_MEMBER("struct timespec" tv_sec "time.h" STRUCT_TIMESPEC_HAS_TV_SEC)
CHECK_STRUCT_HAS_MEMBER("struct timespec" tv_nsec "time.h" STRUCT_TIMESPEC_HAS_TV_NSEC)
......@@ -264,6 +264,11 @@ fi
db_stop # in case invoke failes
# If we upgrade from MySQL mysql.service may be masked, which also
# means init.d script is disabled. Unmask mysql service explicitely.
# Ignore exit code as command is not available everywhere.
deb-systemd-helper unmask mysql.service > /dev/null || true
#DEBHELPER#
exit 0
......@@ -280,6 +280,11 @@ fi
db_stop # in case invoke failes
# If we upgrade from MySQL mysql.service may be masked, which also
# means init.d script is disabled. Unmask mysql service explicitely.
# Ignore exit code as command is not available everywhere.
deb-systemd-helper unmask mysql.service > /dev/null || true
#DEBHELPER#
exit 0
......@@ -12,6 +12,17 @@ before calling SSL_new();
*** end Note ***
yaSSL Release notes, version 2.3.9 (12/01/2015)
This release of yaSSL fixes two client side Diffie-Hellman problems.
yaSSL was only handling the cases of zero or one leading zeros for the key
agreement instead of potentially any number. This caused about 1 in 50,000
connections to fail when using DHE cipher suites. The second problem was
the case where a server would send a public value shorter than the prime
value, causing about 1 in 128 client connections to fail, and also
caused the yaSSL client to read off the end of memory. All client side
DHE cipher suite users should update.
Thanks to Adam Langely (agl@imperialviolet.org) for the detailed report!
yaSSL Release notes, version 2.3.8 (9/17/2015)
This release of yaSSL fixes a high security vulnerability. All users
SHOULD update. If using yaSSL for TLS on the server side with private
......
......@@ -378,6 +378,7 @@ public:
uint get_agreedKeyLength() const;
const byte* get_agreedKey() const;
uint get_publicKeyLength() const;
const byte* get_publicKey() const;
void makeAgreement(const byte*, unsigned int);
......
......@@ -34,7 +34,7 @@
#include "rsa.h"
#define YASSL_VERSION "2.3.8"
#define YASSL_VERSION "2.3.9"
#if defined(__cplusplus)
......
......@@ -751,9 +751,10 @@ struct DiffieHellman::DHImpl {
byte* publicKey_;
byte* privateKey_;
byte* agreedKey_;
uint pubKeyLength_;
DHImpl(TaoCrypt::RandomNumberGenerator& r) : ranPool_(r), publicKey_(0),
privateKey_(0), agreedKey_(0) {}
privateKey_(0), agreedKey_(0), pubKeyLength_(0) {}
~DHImpl()
{
ysArrayDelete(agreedKey_);
......@@ -762,7 +763,7 @@ struct DiffieHellman::DHImpl {
}
DHImpl(const DHImpl& that) : dh_(that.dh_), ranPool_(that.ranPool_),
publicKey_(0), privateKey_(0), agreedKey_(0)
publicKey_(0), privateKey_(0), agreedKey_(0), pubKeyLength_(0)
{
uint length = dh_.GetByteLength();
AllocKeys(length, length, length);
......@@ -810,7 +811,7 @@ DiffieHellman::DiffieHellman(const byte* p, unsigned int pSz, const byte* g,
using TaoCrypt::Integer;
pimpl_->dh_.Initialize(Integer(p, pSz).Ref(), Integer(g, gSz).Ref());
pimpl_->publicKey_ = NEW_YS opaque[pubSz];
pimpl_->publicKey_ = NEW_YS opaque[pimpl_->pubKeyLength_ = pubSz];
memcpy(pimpl_->publicKey_, pub, pubSz);
}
......@@ -869,6 +870,10 @@ const byte* DiffieHellman::get_agreedKey() const
return pimpl_->agreedKey_;
}
uint DiffieHellman::get_publicKeyLength() const
{
return pimpl_->pubKeyLength_;
}
const byte* DiffieHellman::get_publicKey() const
{
......
......@@ -109,15 +109,12 @@ void ClientDiffieHellmanPublic::build(SSL& ssl)
uint keyLength = dhClient.get_agreedKeyLength(); // pub and agree same
alloc(keyLength, true);
dhClient.makeAgreement(dhServer.get_publicKey(), keyLength);
dhClient.makeAgreement(dhServer.get_publicKey(),
dhServer.get_publicKeyLength());
c16toa(keyLength, Yc_);
memcpy(Yc_ + KEY_OFFSET, dhClient.get_publicKey(), keyLength);
// because of encoding first byte might be zero, don't use it for preMaster
if (*dhClient.get_agreedKey() == 0)
ssl.set_preMaster(dhClient.get_agreedKey() + 1, keyLength - 1);
else
ssl.set_preMaster(dhClient.get_agreedKey(), keyLength);
ssl.set_preMaster(dhClient.get_agreedKey(), keyLength);
}