Fix upgrade sysvars pre-check for colon-delimited cipher lists#29
Open
tonychen2001 wants to merge 1 commit into
Open
Fix upgrade sysvars pre-check for colon-delimited cipher lists#29tonychen2001 wants to merge 1 commit into
tonychen2001 wants to merge 1 commit into
Conversation
The upgrade checker validates Set-typed system variables by splitting the configured value into individual elements and checking each against the allowed list. The splitter only recognized space and comma as element separators, but the cipher list variables -- ssl_cipher, admin_ssl_cipher, tls_ciphersuites and admin_tls_ciphersuites -- are colon-separated. As a result, a colon-separated cipher list was compared as a single opaque string against the list of individual ciphers and never matched, so the check always reported the whole value as invalid even when every cipher in it was allowed. Make the element separator a per-variable property. A new optional "separator" field in sysvars.json overrides the default space/comma separator; the four cipher variables set it to " ,:" so each cipher is validated individually while remaining tolerant of space and comma. The generator (update_sysvar_configuration.py) gains a matching FORCE_SEPARATORS table so the field survives regeneration. Adds unit tests for colon-separated allowed lists, a colon list containing a disallowed cipher, and the single-value case, plus verification that the cipher variables load the expected separator. This contribution is under the OCA signed by Amazon and covering submissions to the MySQL project.
|
Hi, thank you for your contribution. Please confirm this code is submitted under the terms of the OCA (Oracle's Contribution Agreement) you have previously signed by cutting and pasting the following text as a comment: |
Author
|
I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The upgrade checker's system-variable check validates
Set-typed variables bysplitting the configured value into individual elements and checking each
element against the variable's allowed-values list
(
Sysvar_check::get_invalid_allowed_values/get_invalid_forbidden_valuesinmodules/util/upgrade_checker/sysvar_check.cc). The split was hard-coded to usespace and comma (
" ,") as the only element separators.The four cipher-list variables:
ssl_cipher,admin_ssl_cipher,tls_ciphersuites,admin_tls_ciphersuitesare colon-delimited.They are marked
vartype: setinsysvars.json, so they went through the Set splitter, but colon was never arecognized separator.
A value like
ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256was therefore compared asone opaque token against the list of individual ciphers, never matched, and the
whole value was reported as invalid resulting in a false positive even when every cipher in
the list is allowed.
Failing precheck example:
A similar fix for the
8.4branch was published in #24 but was ultimately not accepted as MySQL Shell 8.4 only receives critical updates. A partial fix in MySQL Shell 9.x was made to allow for comma delimited cipher lists but did not properly allow for colon delimited cipher lists.Fix
We introduce a per-variable element separator property that can configure the allowed delimiters for a set typed variable.
Only the four cipher variables carry the colon-inclusive separator (
,:). The otherSet-typed variables (optimizer_switch,sql-mode,slave_type_conversions,slave_rows_search_algorithms) are comma-separated andkeep the default, so their behavior is untouched.
Release Notes
Fixed an upgrade-checker issue where a colon-separated list of TLS/SSL ciphers in
ssl_cipher,admin_ssl_cipher,tls_ciphersuites, oradmin_tls_ciphersuiteswas incorrectly reported as an invalid value during
util.checkForServerUpgrade(), even when every cipher in the list was allowed inthe target version. Each cipher in the list is now validated individually.
Testing
New/updated cases in
unittest/modules/util/upgrade_checker/sysvar_upgrade_check_t.cc:Upgrade_checker_Sysvar_check.cipher_colon_list_allowed— a colon-separatedlist of individually-allowed ciphers produces no issue.
Upgrade_checker_Sysvar_check.cipher_colon_list_with_invalid— a colon listcontaining a disallowed cipher is still flagged.
Upgrade_checker_Sysvar_check.cipher_single_value_allowed— the single-valuepath still passes.
Upgrade_checker_sysvar_registry.load_configuration— extended to assert thefour cipher variables load with
separator == " ,:".Copyright
This contribution is under the OCA signed by Amazon and covering submissions to
the MySQL project.