Commit 8f50cd04 authored by dlenev@mysql.com's avatar dlenev@mysql.com

Fix security bug. mysqld server without ssl support was completly

ignorant about ssl_type attribute
parent a5eacc69
...@@ -15,6 +15,7 @@ bell@laptop.sanja.is.com.ua ...@@ -15,6 +15,7 @@ bell@laptop.sanja.is.com.ua
bell@sanja.is.com.ua bell@sanja.is.com.ua
bk@admin.bk bk@admin.bk
davida@isil.mysql.com davida@isil.mysql.com
dlenev@mysql.com
gluh@gluh.(none) gluh@gluh.(none)
gluh@gluh.mysql.r18.ru gluh@gluh.mysql.r18.ru
greg@gcw.ath.cx greg@gcw.ath.cx
......
...@@ -530,7 +530,6 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, ...@@ -530,7 +530,6 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
!check_scramble(password,message,acl_user->salt, !check_scramble(password,message,acl_user->salt,
(my_bool) old_ver))) (my_bool) old_ver)))
{ {
#ifdef HAVE_OPENSSL
Vio *vio=thd->net.vio; Vio *vio=thd->net.vio;
/* /*
In this point we know that user is allowed to connect In this point we know that user is allowed to connect
...@@ -543,6 +542,7 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, ...@@ -543,6 +542,7 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
case SSL_TYPE_NONE: /* SSL is not required to connect */ case SSL_TYPE_NONE: /* SSL is not required to connect */
user_access=acl_user->access; user_access=acl_user->access;
break; break;
#ifdef HAVE_OPENSSL
case SSL_TYPE_ANY: /* Any kind of SSL is good enough */ case SSL_TYPE_ANY: /* Any kind of SSL is good enough */
if (vio_type(vio) == VIO_TYPE_SSL) if (vio_type(vio) == VIO_TYPE_SSL)
user_access=acl_user->access; user_access=acl_user->access;
...@@ -625,10 +625,16 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, ...@@ -625,10 +625,16 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
} }
break; break;
} }
}
#else /* HAVE_OPENSSL */ #else /* HAVE_OPENSSL */
user_access=acl_user->access; default:
/*
If we don't have SSL but SSL is required for this user the
authentication should fail.
*/
break;
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
}
*mqh=acl_user->user_resource; *mqh=acl_user->user_resource;
if (!acl_user->user) if (!acl_user->user)
*priv_user=(char*) ""; // Change to anonymous user /* purecov: inspected */ *priv_user=(char*) ""; // Change to anonymous user /* purecov: inspected */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment