From 8b01c2962b773630b63011f225c253cfe9fcab01 Mon Sep 17 00:00:00 2001 From: Georg Richter Date: Sun, 23 Jul 2023 18:58:26 +0200 Subject: [PATCH] Remove CLIENT_SSL_VERIFY_SERVER_CERT Since TLS server certificate verification is a client only option, this flag is removed in both client (C/C) and MariaDB server capability flags. This patch reverts commit 89d759b93e3975e5d5e1c5cf9b901c01b9e80ff7 (MySQL Bug #21543) and stores the server certificate validation option in mysql->options.extensions. --- include/mysql_com.h | 8 +++----- include/sql_common.h | 1 + sql-common/client.c | 14 ++++++++------ sql/sql_acl.cc | 1 - 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/include/mysql_com.h b/include/mysql_com.h index f63cf0ac5c2..2e51f67b662 100644 --- a/include/mysql_com.h +++ b/include/mysql_com.h @@ -275,7 +275,7 @@ enum enum_indicator_type #define CLIENT_DEPRECATE_EOF (1ULL << 24) #define CLIENT_PROGRESS_OBSOLETE (1ULL << 29) -#define CLIENT_SSL_VERIFY_SERVER_CERT (1ULL << 30) +#define CLIENT_SSL_VERIFY_SERVER_CERT_OBSOLETE (1ULL << 30) /* It used to be that if mysql_real_connect() failed, it would delete any options set by the client, unless the CLIENT_REMEMBER_OPTIONS flag was @@ -326,7 +326,6 @@ enum enum_indicator_type CLIENT_MULTI_STATEMENTS | \ CLIENT_MULTI_RESULTS | \ CLIENT_PS_MULTI_RESULTS | \ - CLIENT_SSL_VERIFY_SERVER_CERT | \ CLIENT_REMEMBER_OPTIONS | \ MARIADB_CLIENT_PROGRESS | \ CLIENT_PLUGIN_AUTH | \ @@ -343,9 +342,8 @@ enum enum_indicator_type If any of the optional flags is supported by the build it will be switched on before sending to the client during the connection handshake. */ -#define CLIENT_BASIC_FLAGS (((CLIENT_ALL_FLAGS & ~CLIENT_SSL) \ - & ~CLIENT_COMPRESS) \ - & ~CLIENT_SSL_VERIFY_SERVER_CERT) +#define CLIENT_BASIC_FLAGS ((CLIENT_ALL_FLAGS & ~CLIENT_SSL) \ + & ~CLIENT_COMPRESS) /** Is raised when a multi-statement transaction diff --git a/include/sql_common.h b/include/sql_common.h index 9836d0c1cdc..a61572e380c 100644 
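Review bot: The renamed `CLIENT_SSL_VERIFY_SERVER_CERT_OBSOLETE` in the first mysql_com.h hunk carries no comment, so a later reader sees only an unused bit-30 define next to `CLIENT_PROGRESS_OBSOLETE` and has to dig through history to learn why it must not be reused. A one-line comment above it would fix that: `/* Bit 30 was CLIENT_SSL_VERIFY_SERVER_CERT, a client-only option that was wrongly exchanged as a capability flag; kept reserved because older clients still send it. */`. The two following hunks (dropping the flag from CLIENT_ALL_FLAGS and CLIENT_BASIC_FLAGS) need nothing further; the simplified CLIENT_BASIC_FLAGS expression is consistent with the rename.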
--- a/include/sql_common.h
+++ b/include/sql_common.h
@@ -44,6 +44,7 @@ struct st_mysql_options_extention {
   struct mysql_async_context *async_context;
   HASH connection_attributes;
   size_t connection_attributes_length;
+  my_bool tls_verify_server_cert;
 };
 
 typedef struct st_mysql_methods
diff --git a/sql-common/client.c b/sql-common/client.c
index a1bdbebf639..6f4ea70a733 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -2093,7 +2093,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
     If the server does not support ssl, we abort the connection.
   */
   if (mysql->options.use_ssl &&
-      (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
+      (mysql->options.extension && mysql->options.extension->tls_verify_server_cert) &&
       !(mysql->server_capabilities & CLIENT_SSL))
   {
     set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
@@ -2163,7 +2163,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
   DBUG_PRINT("info", ("IO layer change done!"));
 
   /* Verify server cert */
-  if ((mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
+  if ((mysql->options.extension && mysql->options.extension->tls_verify_server_cert) &&
       ssl_verify_server_cert(net->vio, mysql->host, &cert_error))
   {
     set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
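Review bot: The added condition `(mysql->options.extension && mysql->options.extension->tls_verify_server_cert)` is written out twice in send_client_reply_packet() (the hunk at 2093 and again at 2163) and runs past 80 columns both times, which the rest of client.c avoids. Since it only reads options that do not change during the handshake, compute it once near the top of the function, e.g. `my_bool verify_server_cert= mysql->options.extension && mysql->options.extension->tls_verify_server_cert;`, and test `verify_server_cert` in both places; that also makes the security-relevant decision a single named value. The function begins and ends outside both hunks. The one-line `/* Verify server cert */` comment at 2163 would be more useful as `/* Verify server cert only when MYSQL_OPT_SSL_VERIFY_SERVER_CERT was requested */`, since skipping verification is the default path.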
@@ -3847,10 +3847,12 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
     mysql->options.use_thread_specific_memory= *(my_bool *) arg;
     break;
   case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-    if (*(my_bool*) arg)
-      mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT;
-    else
-      mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT;
+    if (!mysql->options.extension)
+      mysql->options.extension= (struct st_mysql_options_extention *)
+        my_malloc(sizeof(struct st_mysql_options_extention),
+                  MYF(MY_WME | MY_ZEROFILL));
+    if (mysql->options.extension)
+      mysql->options.extension->tls_verify_server_cert= *(my_bool*) arg;
     break;
   case MYSQL_PLUGIN_DIR:
     EXTENSION_SET_STRING(&mysql->options, plugin_dir, arg);
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index c764d2fe2f7..4c2d063b771 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -12759,7 +12759,6 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio,
   if (ssl_acceptor_fd)
   {
     thd->client_capabilities |= CLIENT_SSL;
-    thd->client_capabilities |= CLIENT_SSL_VERIFY_SERVER_CERT;
   }
 
   if (data_len)
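Review bot: In the MYSQL_OPT_SSL_VERIFY_SERVER_CERT case, a failed my_malloc() silently drops the caller's request to verify the server certificate: the second guard `if (mysql->options.extension)` just skips the assignment, mysql_options() still falls through to `break` and reports success, and the checks added in send_client_reply_packet() (which test `options.extension && ...->tls_verify_server_cert`) then connect without verifying — a fail-open for a security option that could not fail before this patch. Report the failure to the caller instead, e.g. `if (!mysql->options.extension) DBUG_RETURN(1);` in place of the second guard (assuming mysql_options() uses DBUG_RETURN like its other error paths; otherwise `return 1;`). The `EXTENSION_SET_STRING` context line suggests client.c already has a helper that allocates the extension block; reusing it here would avoid a third copy of the my_malloc() call. The enclosing switch and function start and end outside the hunk. The sql_acl.cc hunk is a pure deletion and needs no comment.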