mirror of https://github.com/MariaDB/server.git synced 2025-08-07 00:04:31 +03:00

Remove CLIENT_SSL_VERIFY_SERVER_CERT

Since TLS server certificate verification is a client-only
option, this flag is removed from both the client (C/C)
and the MariaDB server capability flags.

This patch reverts commit 89d759b93e
(MySQL Bug #21543) and stores the server certificate validation
option in mysql->options.extensions.
Georg Richter
2023-07-23 18:58:26 +02:00
parent 73c9415e6a
commit 8b01c2962b
4 changed files with 12 additions and 12 deletions


@@ -275,7 +275,7 @@ enum enum_indicator_type
#define CLIENT_DEPRECATE_EOF (1ULL << 24) #define CLIENT_DEPRECATE_EOF (1ULL << 24)
#define CLIENT_PROGRESS_OBSOLETE (1ULL << 29) #define CLIENT_PROGRESS_OBSOLETE (1ULL << 29)
#define CLIENT_SSL_VERIFY_SERVER_CERT (1ULL << 30) #define CLIENT_SSL_VERIFY_SERVER_CERT_OBSOLETE (1ULL << 30)
/* /*
It used to be that if mysql_real_connect() failed, it would delete any It used to be that if mysql_real_connect() failed, it would delete any
options set by the client, unless the CLIENT_REMEMBER_OPTIONS flag was options set by the client, unless the CLIENT_REMEMBER_OPTIONS flag was
@@ -326,7 +326,6 @@ enum enum_indicator_type
CLIENT_MULTI_STATEMENTS | \ CLIENT_MULTI_STATEMENTS | \
CLIENT_MULTI_RESULTS | \ CLIENT_MULTI_RESULTS | \
CLIENT_PS_MULTI_RESULTS | \ CLIENT_PS_MULTI_RESULTS | \
CLIENT_SSL_VERIFY_SERVER_CERT | \
CLIENT_REMEMBER_OPTIONS | \ CLIENT_REMEMBER_OPTIONS | \
MARIADB_CLIENT_PROGRESS | \ MARIADB_CLIENT_PROGRESS | \
CLIENT_PLUGIN_AUTH | \ CLIENT_PLUGIN_AUTH | \
@@ -343,9 +342,8 @@ enum enum_indicator_type
If any of the optional flags is supported by the build it will be switched If any of the optional flags is supported by the build it will be switched
on before sending to the client during the connection handshake. on before sending to the client during the connection handshake.
*/ */
#define CLIENT_BASIC_FLAGS (((CLIENT_ALL_FLAGS & ~CLIENT_SSL) \ #define CLIENT_BASIC_FLAGS ((CLIENT_ALL_FLAGS & ~CLIENT_SSL) \
& ~CLIENT_COMPRESS) \ & ~CLIENT_COMPRESS)
& ~CLIENT_SSL_VERIFY_SERVER_CERT)
/** /**
Is raised when a multi-statement transaction Is raised when a multi-statement transaction
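Review bot: The renamed `CLIENT_SSL_VERIFY_SERVER_CERT_OBSOLETE` define at `(1ULL << 30)` has no comment saying that the bit is now reserved and no longer interpreted. With the flag dropped from `CLIENT_ALL_FLAGS` and the connect path in this commit reading only `options.extension->tls_verify_server_cert`, code built against the old header that still sets bit 30 in its client flags would presumably connect without certificate verification and without any error. I would add above the define: `/* Bit 30 is reserved and ignored; request verification with MYSQL_OPT_SSL_VERIFY_SERVER_CERT */`. The header continues outside the hunks shown here.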


@@ -44,6 +44,7 @@ struct st_mysql_options_extention {
struct mysql_async_context *async_context; struct mysql_async_context *async_context;
HASH connection_attributes; HASH connection_attributes;
size_t connection_attributes_length; size_t connection_attributes_length;
my_bool tls_verify_server_cert;
}; };
typedef struct st_mysql_methods typedef struct st_mysql_methods


@@ -2093,7 +2093,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
If the server does not support ssl, we abort the connection. If the server does not support ssl, we abort the connection.
*/ */
if (mysql->options.use_ssl && if (mysql->options.use_ssl &&
(mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) && (mysql->options.extension && mysql->options.extension->tls_verify_server_cert) &&
!(mysql->server_capabilities & CLIENT_SSL)) !(mysql->server_capabilities & CLIENT_SSL))
{ {
set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
@@ -2163,7 +2163,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
DBUG_PRINT("info", ("IO layer change done!")); DBUG_PRINT("info", ("IO layer change done!"));
/* Verify server cert */ /* Verify server cert */
if ((mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) && if ((mysql->options.extension && mysql->options.extension->tls_verify_server_cert) &&
ssl_verify_server_cert(net->vio, mysql->host, &cert_error)) ssl_verify_server_cert(net->vio, mysql->host, &cert_error))
{ {
set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate, set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
@@ -3847,10 +3847,12 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
mysql->options.use_thread_specific_memory= *(my_bool *) arg; mysql->options.use_thread_specific_memory= *(my_bool *) arg;
break; break;
case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
if (*(my_bool*) arg) if (!mysql->options.extension)
mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT; mysql->options.extension= (struct st_mysql_options_extention *)
else my_malloc(sizeof(struct st_mysql_options_extention),
mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT; MYF(MY_WME | MY_ZEROFILL));
if (mysql->options.extension)
mysql->options.extension->tls_verify_server_cert= *(my_bool*) arg;
break; break;
case MYSQL_PLUGIN_DIR: case MYSQL_PLUGIN_DIR:
EXTENSION_SET_STRING(&mysql->options, plugin_dir, arg); EXTENSION_SET_STRING(&mysql->options, plugin_dir, arg);
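Review bot: In the `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` case, a failed `my_malloc` leaves `options.extension` NULL, the requested value is dropped and control reaches `break`, so the caller appears to get the normal return while verification stays off. Both connect-time checks in `send_client_reply_packet` treat a NULL extension as "do not verify", which makes this a fail-open path for a security option. The case should report the failure to the caller when the allocation fails, e.g. `if (!mysql->options.extension) return 1;` before the assignment, written in whatever return form `mysql_options` uses elsewhere. The body of `mysql_options` starts and ends outside the hunk, so its actual return value on this path should be confirmed.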


@@ -12759,7 +12759,6 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio,
if (ssl_acceptor_fd) if (ssl_acceptor_fd)
{ {
thd->client_capabilities |= CLIENT_SSL; thd->client_capabilities |= CLIENT_SSL;
thd->client_capabilities |= CLIENT_SSL_VERIFY_SERVER_CERT;
} }
if (data_len) if (data_len)