[CONC-654, MDEV-31585] CLIENT_CAN_SSL_V2 capability bit should not be MariaDB-specific

dlenski · dlenski · commit 95900c4fd42f · 2023-07-11T12:50:23.000-07:00
MySQL is also certainly affected, and we will likely try to get them
to follow the fixes for these TLS vulnerabilities as well, so the
SSL_V2 capability bit should not be MariaDB-specific.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
diff --git a/include/mariadb_com.h b/include/mariadb_com.h
@@ -174,7 +174,7 @@ enum enum_server_command
  *   after the TLS handshake.
  *
  */
-#define CLIENT_CAN_SSL_V2    (1ULL << 37)
+#define CLIENT_CAN_SSL_V2    (1ULL << 28)
 #define CLIENT_PROGRESS          (1UL << 29) /* client supports progress indicator */
 #define CLIENT_PROGRESS_OBSOLETE  CLIENT_PROGRESS 
 #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
@@ -211,7 +211,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 
 #if defined(HAVE_TLS) && !defined(EMBEDDED_LIBRARY)
   bool server_supports_ssl_v2=
-      mysql->extension->mariadb_server_capabilities & (MARIADB_CLIENT_CAN_SSL_V2 >> 32);
+      mysql->server_capabilities & CLIENT_CAN_SSL_V2;
 #endif
 
   /* see end= buff+32 below, fixed size of the packet is 32 bytes */

Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,7 @@ enum enum_server_command`
`174`	`174`	`* after the TLS handshake.`
`175`	`175`	`*`
`176`	`176`	`*/`
`177`		`-#define CLIENT_CAN_SSL_V2 (1ULL << 37)`
	`177`	`+#define CLIENT_CAN_SSL_V2 (1ULL << 28)`
`178`	`178`	`#define CLIENT_PROGRESS (1UL << 29) /* client supports progress indicator */`
`179`	`179`	`#define CLIENT_PROGRESS_OBSOLETE CLIENT_PROGRESS`
`180`	`180`	`#define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)`