1. 30 Sep, 2024 7 commits
  2. 29 Sep, 2024 1 commit
  3. 27 Sep, 2024 3 commits
  4. 26 Sep, 2024 1 commit
    • ssl_cipher parameter cannot configure TLSv1.3 and TLSv1.2 ciphers at the same time · be164fc4
      Tony Chen authored
      SSL_CTX_set_ciphersuites() sets the TLSv1.3 cipher suites.
      
      SSL_CTX_set_cipher_list() sets the ciphers for TLSv1.2 and below.
      
      The current TLS configuration logic will not perform SSL_CTX_set_cipher_list()
      to configure TLSv1.2 ciphers if the call to SSL_CTX_set_ciphersuites() was
      successful. The call to SSL_CTX_set_ciphersuites() is successful if any TLSv1.3
      cipher suite is passed into `--ssl-cipher`.
      
      This is a potential security vulnerability because users trying to restrict
      specific secure ciphers for TLSv1.3 and TLSv1.2 would unknowingly still have
      the database support insecure TLSv1.2 ciphers.
      
      For example:
      If setting `--ssl_cipher=TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256`,
      the database would still support all possible TLSv1.2 ciphers rather than only
      ECDHE-RSA-AES128-GCM-SHA256.
      
      The solution is to execute both SSL_CTX_set_ciphersuites() and
      SSL_CTX_set_cipher_list() even if the first call succeeds.
      
      This allows the configuration of exactly which TLSv1.3 and TLSv1.2 ciphers to
      support.
      
      Note that there is 1 behavior change with this. When specifying only TLSv1.3
      ciphers to `--ssl-cipher`, the database will not support any TLSv1.2 cipher.
      However, this does not impose a security risk and considering TLSv1.3 is the
      modern protocol, this behavior should be fine.
      
      All TLSv1.3 ciphers are still supported if only TLSv1.2 ciphers are specified
      through `--ssl-cipher`.
      
      All new code of the whole pull request, including one or several files that are
      either new files or modified ones, are contributed under the BSD-new license. I
      am contributing on behalf of my employer Amazon Web Services, Inc.
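Added example (not part of the commit or of MariaDB's code): a small Python model of the before/after cipher selection described in the commit message above, checked against a real OpenSSL context through Python's `ssl` module. The function names are hypothetical, and Python's default cipher list stands in for the server's default TLSv1.2 list as an assumption.

```python
import ssl

# The five TLSv1.3 suite names OpenSSL defines; everything else is treated
# as a TLSv1.2-and-below cipher string.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

def split_cipher_param(value):
    """Split a colon-separated value into (TLSv1.3 suites, older ciphers)."""
    tls13, legacy = [], []
    for name in filter(None, value.split(":")):
        (tls13 if name in TLS13_SUITES else legacy).append(name)
    return tls13, legacy

def legacy_ciphers(cipher_list=None):
    """TLSv1.2-and-below ciphers a fresh server context would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if cipher_list is not None:
        # set_ciphers() takes an OpenSSL cipher list string; it does not
        # change the TLSv1.3 suites.
        ctx.set_ciphers(cipher_list)
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3")

def effective_legacy(value, fixed):
    """Model which TLSv1.2 ciphers stay enabled before/after the fix."""
    tls13, legacy = split_cipher_param(value)
    if not tls13 and not legacy:
        return legacy_ciphers()      # nothing configured: defaults apply
    if tls13 and not fixed:
        return legacy_ciphers()      # before: cipher-list call was skipped
    if not legacy:
        return []                    # after: TLSv1.3-only value, no TLSv1.2
    return legacy_ciphers(":".join(legacy))

if __name__ == "__main__":
    # The value used as the example in the commit message.
    value = "TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    print("before fix:", len(effective_legacy(value, fixed=False)), "TLSv1.2 ciphers")
    print("after fix: ", effective_legacy(value, fixed=True))
```

Comparing the configured TLSv1.2 names with what the endpoint actually negotiates is a quick audit for servers that still run a build without this fix.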
  5. 25 Sep, 2024 8 commits
  6. 24 Sep, 2024 3 commits
    • MDEV-34994: sql/mysqld: stop accept() loop after the first EAGAIN · 53f5ee79
      Max Kellermann authored
      Each time a listener socket becomes ready, MariaDB calls accept() ten
      times (MAX_ACCEPT_RETRY), even if all but the first one return EAGAIN
      because there are no more connections.  This causes unnecessary CPU
      usage - on our server, the CPU load of that thread, which does nothing
      but accept(), saturates one CPU core by ~45%.  The loop should stop
      after the first EAGAIN.
      
      Perf report:
      
          11.01%  mariadbd  libc.so.6          [.] accept4
           6.42%  mariadbd  [kernel.kallsyms]  [k] finish_task_switch.isra.0
           5.50%  mariadbd  [kernel.kallsyms]  [k] _raw_spin_unlock_irqrestore
           5.50%  mariadbd  [kernel.kallsyms]  [k] syscall_enter_from_user_mode
           4.59%  mariadbd  [kernel.kallsyms]  [k] __fget_light
           3.67%  mariadbd  [kernel.kallsyms]  [k] kmem_cache_alloc
           2.75%  mariadbd  [kernel.kallsyms]  [k] fput
           2.75%  mariadbd  [kernel.kallsyms]  [k] mod_objcg_state
           1.83%  mariadbd  [kernel.kallsyms]  [k] __inode_wait_for_writeback
           1.83%  mariadbd  [kernel.kallsyms]  [k] __sys_accept4
           1.83%  mariadbd  [kernel.kallsyms]  [k] _raw_spin_unlock_irq
           1.83%  mariadbd  [kernel.kallsyms]  [k] alloc_inode
           1.83%  mariadbd  [kernel.kallsyms]  [k] call_rcu
    • reformat galera sst error messages · 8fd1b060
      Sergei Golubchik authored
      Put the command line at the end, so that when a very long command line
      is truncated, it doesn't take the actual error message with it.
    • galera_3nodes.MDEV-29171 fails · dd1cad7e
      Sergei Golubchik authored
      Set transferfmt in .cnf file like other galera tests do.
      Otherwise it defaults to socat when mtr detected that only nc is available.
  7. 23 Sep, 2024 3 commits
  8. 20 Sep, 2024 4 commits
  9. 18 Sep, 2024 3 commits
    • MDEV-31005: Make working cursor-protocol · 0a5e4a01
      Lena Startseva authored
      Updated tests: cases with bugs or which cannot be run
      with the cursor-protocol were excluded with
      "--disable_cursor_protocol"/"--enable_cursor_protocol"
      
      Fix for v.10.5
    • MDEV-31005: Make working cursor-protocol · ab569524
      Lena Startseva authored
      Added ability to disable/enable (--disable_cursor_protocol/
      --enable_cursor_protocol) cursor-protocol in tests. If
      "--disable_cursor_protocol" is used then ps-protocol is also
      disabled. With cursor-protocol prepare statement is executed
      only once. For "--cursor-protocol" added filter for queries:
      it is executed only for "SELECT" queries.
    • MDEV-34952 main.log_slow test failure on opensuse builder · 450040e0
      Daniel Black authored
      The loose regex for the MDEV-34539 test ended up
      matching the opensuse in the path in buildbot.
      
      Adjust to more complete regex including space,
      backtick and \n, which becomes much less common
      as a path name.
  10. 17 Sep, 2024 2 commits
    • MDEV-33500 (part 2): rpl.rpl_parallel_sbm can still fail · 68938d2b
      Brandon Nesterenko authored
      The failing test case validates Seconds_Behind_Master for a delayed
      slave, while STOP SLAVE is executed during a delay. The test fixes
      initially added to the test (commit b04c8575) added a table lock
      to ensure a transaction could not finish before validating the
      Seconds_Behind_Master field after SLAVE START, but did not address a
      possibility that the transaction could finish before running the
      STOP SLAVE command, which invalidates the validations for the rest
      of the test case. Specifically, this would result in 1) a timeout in
      “Waiting for table metadata lock” on the replica, which expects the
      transaction to retry after slave restart and hit a lock conflict on
      the locked tables (added in b04c8575), and 2) that
      Seconds_Behind_Master should have increased, but did not.
      
      The failure can be reproduced by synchronizing the slave to the master
      before the MDEV-32265 echo statement (i.e. before the SLAVE STOP).
      
      This patch fixes the test by adding a mechanism to use DEBUG_SYNC to
      synchronize a MASTER_DELAY, rather than continually increase the
      duration of the delay each time the test fails on buildbot. This is
      to ensure that on slow machines, a delay does not pass before the
      test gets a chance to validate results. Additionally, it decreases
      overall test time because the test can continue immediately after
      validation, thereby bypassing the remainder of a full delay for each
      transaction.
    • MDEV-25900 Assertion `octets < 1024' failed in... · a1adabdd
      Alexander Barkov authored
      MDEV-25900 Assertion `octets < 1024' failed in Binlog_type_info_fixed_string::Binlog_type_info_fixed_string OR Assertion `field_length < 1024' failed in Field_string::save_field_metadata
      
      A CHAR column cannot be longer than 1024, because
      Binlog_type_info_fixed_string::Binlog_type_info_fixed_string
      relies on this fact - it cannot store binlog metadata for longer columns.
      
      In case of the filename character set mbmaxlen is equal to 5,
      so only 1024/5=204 characters can fit into the 1024 limit.
      - In strict mode:
        Disallowing creation of a CHAR column with octet length greater than 1024.
      - In non-strict mode:
        Automatically convert CHAR with octet length>1024 into VARCHAR.
  11. 16 Sep, 2024 1 commit
  12. 15 Sep, 2024 4 commits