diff options
Diffstat (limited to 'sql-common')
-rw-r--r-- | sql-common/client.c | 313 | ||||
-rw-r--r-- | sql-common/client_plugin.c | 4 |
2 files changed, 194 insertions, 123 deletions
diff --git a/sql-common/client.c b/sql-common/client.c index db52a42c..9b88855f 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -167,6 +167,7 @@ static void mysql_close_free_options(MYSQL *mysql); static void mysql_close_free(MYSQL *mysql); static void mysql_prune_stmt_list(MYSQL *mysql); static int cli_report_progress(MYSQL *mysql, char *packet, uint length); +static my_bool parse_ok_packet(MYSQL *mysql, ulong length); CHARSET_INFO *default_client_charset_info = &my_charset_latin1; @@ -723,6 +724,12 @@ void end_server(MYSQL *mysql) DBUG_ENTER("end_server"); if (mysql->net.vio != 0) { + struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd; + if (ssl_fd) + SSL_CTX_free(ssl_fd->ssl_context); + my_free(ssl_fd); + mysql->connector_fd = 0; + DBUG_PRINT("info",("Net: %s", vio_description(mysql->net.vio))); #ifdef MYSQL_SERVER slave_io_thread_detach_vio(); @@ -1432,6 +1439,7 @@ mysql_init(MYSQL *mysql) bzero((char*) (mysql), sizeof(*(mysql))); mysql->options.connect_timeout= CONNECT_TIMEOUT; mysql->charset=default_client_charset_info; + mysql->options.use_ssl= 1; strmov(mysql->net.sqlstate, not_error_sqlstate); /* @@ -1509,7 +1517,6 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , static void mysql_ssl_free(MYSQL *mysql __attribute__((unused))) { - struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd; DBUG_ENTER("mysql_ssl_free"); my_free(mysql->options.ssl_key); @@ -1522,9 +1529,6 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused))) my_free(mysql->options.extension->ssl_crl); my_free(mysql->options.extension->ssl_crlpath); } - if (ssl_fd) - SSL_CTX_free(ssl_fd->ssl_context); - my_free(mysql->connector_fd); mysql->options.ssl_key = 0; mysql->options.ssl_cert = 0; mysql->options.ssl_ca = 0; @@ -1536,7 +1540,6 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused))) mysql->options.extension->ssl_crlpath = 0; } mysql->options.use_ssl = FALSE; - mysql->connector_fd = 0; DBUG_VOID_RETURN; } @@ -1570,8 +1573,7 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) SYNOPSIS ssl_verify_server_cert() - vio pointer to a SSL connected vio - server_hostname name of the server that we connected to + MYSQL mysql errptr if we fail, we'll return (a pointer to a string describing) the reason here @@ -1583,33 +1585,24 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) #if defined(HAVE_OPENSSL) -#ifdef HAVE_X509_check_host #include <openssl/x509v3.h> -#endif -static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) +static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr) { SSL *ssl; X509 *server_cert= NULL; -#ifndef HAVE_X509_check_host - char *cn= NULL; - int cn_loc= -1; - ASN1_STRING *cn_asn1= NULL; - X509_NAME_ENTRY *cn_entry= NULL; - X509_NAME *subject= NULL; -#endif int ret_validation= 1; DBUG_ENTER("ssl_verify_server_cert"); - DBUG_PRINT("enter", ("server_hostname: %s", server_hostname)); + DBUG_PRINT("enter", ("server_hostname: %s", mysql->host)); - if (!(ssl= (SSL*)vio->ssl_arg)) + if (!(ssl= (SSL*)mysql->net.vio->ssl_arg)) { *errptr= "No SSL pointer found"; goto error; } - if (!server_hostname) + if (!mysql->host) { *errptr= "No server hostname supplied"; goto error; @@ -1621,70 +1614,32 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c goto error; } - if (X509_V_OK != SSL_get_verify_result(ssl)) + switch (SSL_get_verify_result(ssl)) { + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* OpenSSL */ + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: /* OpenSSL */ + case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: /* wolfSSL */ + /* + If the caller have specified CA - it'll define whether the + cert is good. Otherwise we'll do more checks. + */ + ret_validation= (mysql->options.ssl_ca && mysql->options.ssl_ca[0]) || + (mysql->options.ssl_capath && mysql->options.ssl_capath[0]); + mysql->tls_self_signed_error= *errptr= "SSL certificate is self-signed"; + break; + case X509_V_OK: + ret_validation= X509_check_host(server_cert, mysql->host, + strlen(mysql->host), 0, 0) != 1 && + X509_check_ip_asc(server_cert, mysql->host, 0) != 1; + *errptr= "SSL certificate validation failure"; + break; + default: *errptr= "Failed to verify the server certificate"; - goto error; - } - /* - We already know that the certificate exchanged was valid; the SSL library - handled that. Now we need to verify that the contents of the certificate - are what we expect. - */ - -#ifdef HAVE_X509_check_host - ret_validation= - X509_check_host(server_cert, server_hostname, - strlen(server_hostname), 0, 0) != 1; -#ifndef HAVE_WOLFSSL - if (ret_validation) - { - ret_validation= - X509_check_ip_asc(server_cert, server_hostname, 0) != 1; - } -#endif -#else - subject= X509_get_subject_name(server_cert); - cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); - if (cn_loc < 0) - { - *errptr= "Failed to get CN location in the certificate subject"; - goto error; - } - cn_entry= X509_NAME_get_entry(subject, cn_loc); - if (cn_entry == NULL) - { - *errptr= "Failed to get CN entry using CN location"; - goto error; - } - - cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry); - if (cn_asn1 == NULL) - { - *errptr= "Failed to get CN from CN entry"; - goto error; - } - - cn= (char *) ASN1_STRING_get0_data(cn_asn1); - - if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) - { - *errptr= "NULL embedded in the certificate CN"; - goto error; + break; } - DBUG_PRINT("info", ("Server hostname in cert: %s", cn)); - if (!strcmp(cn, server_hostname)) - { - /* Success */ - ret_validation= 0; - } -#endif - *errptr= "SSL certificate validation failure"; - error: - if (server_cert != NULL) - X509_free (server_cert); + X509_free(server_cert); DBUG_RETURN(ret_validation); } @@ -1813,6 +1768,7 @@ C_MODE_END typedef struct st_mysql_client_plugin_AUTHENTICATION auth_plugin_t; static int client_mpvio_write_packet(struct st_plugin_vio*, const uchar*, int); static int native_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql); +static int native_password_auth_hash(MYSQL *mysql, uchar *out, size_t *outlen); static int old_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql); static auth_plugin_t native_password_client_plugin= @@ -1822,13 +1778,14 @@ static auth_plugin_t native_password_client_plugin= native_password_plugin_name, "R.J.Silk, Sergei Golubchik", "Native MySQL authentication", - {1, 0, 0}, + {1, 0, 1}, "GPL", NULL, NULL, NULL, NULL, - native_password_auth_client + native_password_auth_client, + native_password_auth_hash }; static auth_plugin_t old_password_client_plugin= @@ -1844,7 +1801,8 @@ static auth_plugin_t old_password_client_plugin= NULL, NULL, NULL, - old_password_auth_client + old_password_auth_client, + NULL }; @@ -2072,6 +2030,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, { MYSQL *mysql= mpvio->mysql; NET *net= &mysql->net; + enum enum_vio_type vio_type= net->vio->type; char *buff, *end; size_t buff_size; size_t connect_attrs_len= @@ -2106,6 +2065,12 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, if (mpvio->db) mysql->client_flag|= CLIENT_CONNECT_WITH_DB; + if (vio_type == VIO_TYPE_NAMEDPIPE) + { + mysql->server_capabilities&= ~CLIENT_SSL; + mysql->options.use_ssl= 0; + } + /* Remove options that server doesn't support */ mysql->client_flag= mysql->client_flag & (~(CLIENT_COMPRESS | CLIENT_SSL | CLIENT_PROTOCOL_41) @@ -2136,9 +2101,9 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, certificate, a ssl connection is required. If the server does not support ssl, we abort the connection. */ - if (mysql->options.use_ssl && - (mysql->options.extension && mysql->options.extension->tls_verify_server_cert) && - !(mysql->server_capabilities & CLIENT_SSL)) + if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL) && + (!mysql->options.extension || + !mysql->options.extension->tls_allow_invalid_server_cert)) { set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, ER(CR_SSL_CONNECTION_ERROR), @@ -2156,9 +2121,6 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, enum enum_ssl_init_error ssl_init_error; const char *cert_error; unsigned long ssl_error; -#ifdef EMBEDDED_LIBRARY - DBUG_ASSERT(0); // embedded should not do SSL connect -#endif /* Send mysql->client_flag, max_packet_size - unencrypted otherwise @@ -2189,7 +2151,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, ER(CR_SSL_CONNECTION_ERROR), sslGetErrString(ssl_init_error)); goto error; } - mysql->connector_fd= (unsigned char *) ssl_fd; + mysql->connector_fd= (uchar *) ssl_fd; /* Connect to the server */ DBUG_PRINT("info", ("IO layer change in progress...")); @@ -2207,13 +2169,34 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio, DBUG_PRINT("info", ("IO layer change done!")); /* Verify server cert */ - if ((mysql->options.extension && mysql->options.extension->tls_verify_server_cert) && - ssl_verify_server_cert(net->vio, mysql->host, &cert_error)) + if ((!mysql->options.extension || + !mysql->options.extension->tls_allow_invalid_server_cert) && + ssl_verify_server_cert(mysql, &cert_error)) { set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, ER(CR_SSL_CONNECTION_ERROR), cert_error); goto error; } + if (mysql->tls_self_signed_error) + { + /* + If the transport is secure (see opt_require_secure_transport) we + allow a self-signed cert as we know it came from the server. + + If no password or plugin uses insecure protocol - refuse the cert. + + Otherwise one last cert check after auth. + */ + if (vio_type == VIO_TYPE_SOCKET) + mysql->tls_self_signed_error= 0; + else if (!mysql->passwd || !mysql->passwd[0] || + !mpvio->plugin->hash_password_bin) + { + set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, + ER(CR_SSL_CONNECTION_ERROR), mysql->tls_self_signed_error); + goto error; + } + } } #endif /* HAVE_OPENSSL */ @@ -2568,6 +2551,14 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, auth_plugin_name, MYSQL_CLIENT_AUTHENTICATION_PLUGIN))) DBUG_RETURN (1); + /* refuse insecure plugin if TLS is in doubt */ + if (mysql->tls_self_signed_error && !auth_plugin->hash_password_bin) + { + set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, + ER(CR_SSL_CONNECTION_ERROR), mysql->tls_self_signed_error); + DBUG_RETURN (1); + } + mpvio.plugin= auth_plugin; res= auth_plugin->authenticate_user((struct st_plugin_vio *)&mpvio, mysql); @@ -2589,7 +2580,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, if (res != CR_OK_HANDSHAKE_COMPLETE) { /* Read what server thinks about out new auth message report */ - if (cli_safe_read(mysql) == packet_error) + if ((pkt_length= cli_safe_read(mysql)) == packet_error) { if (mysql->net.last_errno == CR_SERVER_LOST) set_mysql_extended_error(mysql, CR_SERVER_LOST, unknown_sqlstate, @@ -2604,7 +2595,44 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, net->read_pos[0] should always be 0 here if the server implements the protocol correctly */ - DBUG_RETURN (mysql->net.read_pos[0] != 0); + if (mysql->net.read_pos[0] != 0) + DBUG_RETURN(1); + if (!mysql->tls_self_signed_error) + DBUG_RETURN(0); + + /* Last attempt to validate the cert: compare cert info packet */ + DBUG_ASSERT(mysql->options.use_ssl); + DBUG_ASSERT(mysql->net.vio->ssl_arg); + DBUG_ASSERT(!mysql->options.extension || + !mysql->options.extension->tls_allow_invalid_server_cert); + DBUG_ASSERT(!mysql->options.ssl_ca || !mysql->options.ssl_ca[0]); + DBUG_ASSERT(!mysql->options.ssl_capath || !mysql->options.ssl_capath[0]); + DBUG_ASSERT(auth_plugin->hash_password_bin); + DBUG_ASSERT(mysql->passwd[0]); + + parse_ok_packet(mysql, pkt_length); /* set mysql->info */ + if (mysql->info && mysql->info[0] == '\1') + { + uchar fp[128], buf[1024], digest[256/8]; + size_t buflen= sizeof(buf); + uint fplen= sizeof(fp); + char *hexsig= mysql->info + 1, hexdigest[sizeof(digest)*2+1]; + X509 *cert= SSL_get_peer_certificate((SSL*)mysql->net.vio->ssl_arg); + X509_digest(cert, EVP_sha256(), fp, &fplen); + X509_free(cert); + auth_plugin->hash_password_bin(mysql, buf, &buflen); + my_sha256_multi(digest, buf, buflen, mysql->scramble, SCRAMBLE_LENGTH, + fp, fplen, NULL); + mysql->info= NULL; /* no need to confuse the client with binary info */ + + octet2hex(hexdigest, digest, sizeof(digest)); + if (strcmp(hexdigest, hexsig) == 0) + DBUG_RETURN(0); /* phew. self-signed certificate is validated! */ + } + + set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, + ER(CR_SSL_CONNECTION_ERROR), mysql->tls_self_signed_error); + DBUG_RETURN(1); } @@ -2695,6 +2723,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, mysql->methods= &client_methods; mysql->client_flag=0; /* For handshake */ + mysql->tls_self_signed_error= 0; /* use default options */ if (mysql->options.my_cnf_file || mysql->options.my_cnf_group) @@ -3070,9 +3099,10 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, mysql->port=port; /* - remove the rpl hack from the version string, - see RPL_VERSION_HACK comment + remove the rpl hack from the version string, in case we're connecting + to a pre-11.0 server */ +#define RPL_VERSION_HACK "5.5.5-" if ((mysql->server_capabilities & CLIENT_PLUGIN_AUTH) && strncmp(mysql->server_version, RPL_VERSION_HACK, sizeof(RPL_VERSION_HACK) - 1) == 0) @@ -3448,6 +3478,29 @@ void STDCALL mysql_close(MYSQL *mysql) } +static my_bool parse_ok_packet(MYSQL *mysql, ulong length) +{ + uchar *pos= mysql->net.read_pos + 1; + DBUG_ASSERT(pos[-1] == 0); + + mysql->affected_rows= net_field_length_ll(&pos); + mysql->insert_id= net_field_length_ll(&pos); + if (protocol_41(mysql)) + { + mysql->server_status=uint2korr(pos); pos+=2; + mysql->warning_count=uint2korr(pos); pos+=2; + } + else if (mysql->server_capabilities & CLIENT_TRANSACTIONS) + { + mysql->server_status=uint2korr(pos); pos+=2; + mysql->warning_count= 0; + } + if (pos < mysql->net.read_pos + length && net_field_length(&pos)) + mysql->info=(char*) pos; + return 0; +} + + static my_bool cli_read_query_result(MYSQL *mysql) { uchar *pos; @@ -3468,31 +3521,10 @@ static my_bool cli_read_query_result(MYSQL *mysql) #ifdef MYSQL_CLIENT /* Avoid warn of unused labels*/ get_info: #endif - pos=(uchar*) mysql->net.read_pos; + pos= mysql->net.read_pos; if ((field_count= net_field_length(&pos)) == 0) - { - mysql->affected_rows= net_field_length_ll(&pos); - mysql->insert_id= net_field_length_ll(&pos); - DBUG_PRINT("info",("affected_rows: %lu insert_id: %lu", - (ulong) mysql->affected_rows, - (ulong) mysql->insert_id)); - if (protocol_41(mysql)) - { - mysql->server_status=uint2korr(pos); pos+=2; - mysql->warning_count=uint2korr(pos); pos+=2; - } - else if (mysql->server_capabilities & CLIENT_TRANSACTIONS) - { - /* MySQL 4.0 protocol */ - mysql->server_status=uint2korr(pos); pos+=2; - mysql->warning_count= 0; - } - DBUG_PRINT("info",("status: %u warning_count: %u", - mysql->server_status, mysql->warning_count)); - if (pos < mysql->net.read_pos+length && net_field_length(&pos)) - mysql->info=(char*) pos; - DBUG_RETURN(0); - } + DBUG_RETURN(parse_ok_packet(mysql, length)); + #ifdef MYSQL_CLIENT if (field_count == NULL_LENGTH) /* LOAD DATA LOCAL INFILE */ { @@ -3817,7 +3849,7 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg) sizeof(struct st_mysql_options_extention), MYF(MY_WME | MY_ZEROFILL)); if (mysql->options.extension) - mysql->options.extension->tls_verify_server_cert= *(my_bool*) arg; + mysql->options.extension->tls_allow_invalid_server_cert= !*(my_bool*) arg; break; case MYSQL_PLUGIN_DIR: EXTENSION_SET_STRING(&mysql->options, plugin_dir, arg); @@ -4170,6 +4202,22 @@ static int native_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql) DBUG_RETURN(CR_OK); } + +static int native_password_auth_hash(MYSQL *mysql, uchar *out, size_t *out_length) +{ + uchar hash_stage1[MY_SHA1_HASH_SIZE]; + + if (*out_length < MY_SHA1_HASH_SIZE) + return 1; + *out_length= MY_SHA1_HASH_SIZE; + + my_sha1(hash_stage1, mysql->passwd, strlen(mysql->passwd)); + my_sha1(out, (char*)hash_stage1, MY_SHA1_HASH_SIZE); + + return 0; +} + + /** client authentication plugin that does old MySQL authentication using an 8-byte (4.0-) scramble @@ -4235,3 +4283,28 @@ int STDCALL mysql_cancel(MYSQL *mysql) return vio_shutdown(mysql->net.vio, SHUT_RDWR); return -1; } + + +MYSQL_RES *STDCALL mysql_use_result(MYSQL *mysql) +{ + return (*mysql->methods->use_result)(mysql); +} + + +MYSQL_FIELD *STDCALL mysql_fetch_fields(MYSQL_RES *res) +{ + return (res)->fields; +} + + +ulong STDCALL +mysql_real_escape_string(MYSQL *mysql, char *to,const char *from, + ulong length) +{ + my_bool overflow; + if (mysql->server_status & SERVER_STATUS_NO_BACKSLASH_ESCAPES) + return (ulong) escape_quotes_for_mysql(mysql->charset, to, 0, from, length, + &overflow); + return (ulong) escape_string_for_mysql(mysql->charset, to, 0, from, length, + &overflow); +} diff --git a/sql-common/client_plugin.c b/sql-common/client_plugin.c index 0a2e39f7..38444648 100644 --- a/sql-common/client_plugin.c +++ b/sql-common/client_plugin.c @@ -171,9 +171,7 @@ add_plugin(MYSQL *mysql, struct st_mysql_client_plugin *plugin, void *dlhandle, goto err1; } - if (plugin->interface_version < plugin_version[plugin->type] || - (plugin->interface_version >> 8) > - (plugin_version[plugin->type] >> 8)) + if (plugin->interface_version >> 8 != plugin_version[plugin->type] >> 8) { errmsg= "Incompatible client plugin interface"; goto err1; |