In environments with load balancers or proxies, the audit plugin logs
only the IP address, making it difficult to differentiate individual client
connections from the same IP.
Add a new 'port' field to the appropriate event objects to capture the
client's TCP port number. Populate the port field with thd->port in the
appropriate functions. The audit plugin receives and logs this port field
along with other connection information, enabling better identification
of individual client connections.
All new code of the whole pull request, including one or several files that
are either new files or modified ones, are contributed under the BSD-new license.
I am contributing on behalf of my employer Amazon Web Services, Inc.
Add tls_version and tls_version_length variables to the audit plugin so
they can be logged. This is useful to help identify suspicious or
malformed connections attempting to use unsupported TLS versions. A log
with this information will allow to detect and block more malicious
connection attempts.
Users with 'server_audit_events' empty will have these two new variables
automatically visible in their logs, but if users don't want them, they
can always configure what fields to include by listing the fields in
'server_audit_events'.
In connection event, The TLS version will be populated in `object` field
in key=value format, and the key-value pair will be omitted when the
value is empty.
To ensure the MTR test result matches in all environments, the TLS
version string is replaced with a general `TLS_VERSION` to avoid the MTR
test failing unexpectedly. It stores the version with query `SHOW STATUS
LIKE 'Ssl_version'` and replace the output with `replace_result` command.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
[1]: https://docs.openssl.org/3.2/man3/SSL_get_version/
Limit size of server_audit_file_path value
Currently, the length of this value is not checked and can cause a buffer
overflow if given a long file path specifying a directory.
In file_logger:logger_open(), there is a check:
```
if (new_log.path_len+n_dig(rotations)+1 > FN_REFLEN)
// handle error
```
As n_dig(rotations) may return up to 3, this inherently limits the file path to
FN_REFLEN - 4 characters.
All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
[Breaking]
The `my_print_error` service passes formats and args directly
to `my_vsnprintf`. Just like the `my_snprintf` service,
I increased this service’s major version because:
* Custom suffixes are now a thing
(and custom specifiers will soon no longer be).
* GCC `-Wformat` now checks formats sent to them.
* use new deprecated printer for all deprecated server options
* restore alphabetic option sorting order
* move deprecated printer from mysqld.cc to my_getopt.c
* in --help print deprecation message at the end of the option help
* move 'ALL' help text where it belongs - to other SET options, and
with a correct indentation.
* consistently end all or none command-line option help strings
with a dot - my_print_help() needs that.
It's about 50/50 now, so let's do none, less line wraps in --help
* remove trailing spaces from command-line option help strings
This fixed the MySQL bug# 20338 about misuse of double underscore
prefix __WIN__, which was old MySQL's idea of identifying Windows
Replace it by _WIN32 standard symbol for targeting Windows OS
(both 32 and 64 bit)
Not that connect storage engine is not fixed in this patch (must be
fixed in "upstream" branch)
