[CONC-654, MDEV-31585] CLIENT_CAN_SSL_V2 capability bit should not be…

… MariaDB-specific MySQL is also certainly affected, and we will likely try to get them to follow the fixes for these TLS vulnerabilities as well, so the SSL_V2 capability bit should not be MariaDB-specific. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
mariadb-corporation · Jul 11, 2023 · cf8638c · cf8638c
1 parent 8c8ac07
commit cf8638c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/include/mariadb_com.h b/include/mariadb_com.h
@@ -174,7 +174,7 @@ enum enum_server_command
  *   after the TLS handshake.
  *
  */
-#define CLIENT_CAN_SSL_V2    (1ULL << 37)
+#define CLIENT_CAN_SSL_V2    (1ULL << 28)
 #define CLIENT_PROGRESS          (1UL << 29) /* client supports progress indicator */
 #define CLIENT_PROGRESS_OBSOLETE  CLIENT_PROGRESS 
 #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)

diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
@@ -211,7 +211,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 
 #if defined(HAVE_TLS) && !defined(EMBEDDED_LIBRARY)
   bool server_supports_ssl_v2=
-      !!(mysql->extension->mariadb_server_capabilities & (MARIADB_CLIENT_CAN_SSL_V2 >> 32));
+      !!(mysql->server_capabilities & CLIENT_CAN_SSL_V2);
 #endif
 
   /* see end= buff+32 below, fixed size of the packet is 32 bytes */