Fix bug: Crash server when grant ssl options are used and ssl handshake is not set

parent 52ebc0e8
...@@ -542,78 +542,79 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, ...@@ -542,78 +542,79 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
break; break;
case SSL_TYPE_X509: /* Client should have any valid certificate. */ case SSL_TYPE_X509: /* Client should have any valid certificate. */
/* /*
Connections with non-valid certificates are dropped already We need to check for absence of SSL because without SSL
in sslaccept() anyway, so we do not check validity here. we should reject connection.
*/ */
if (SSL_get_peer_certificate(vio->ssl_)) if (vio_type(vio) == VIO_TYPE_SSL && SSL_get_peer_certificate(vio->ssl_))
user_access=acl_user->access; user_access=acl_user->access;
break; break;
case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */ case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
/* /*
We do not check for absence of SSL because without SSL it does We need to check for absence of SSL because without SSL
not pass all checks here anyway. we should reject connection.
If cipher name is specified, we compare it to actual cipher in
use.
*/ */
if (acl_user->ssl_cipher) if (vio_type(vio) == VIO_TYPE_SSL)
{ {
DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'", if (acl_user->ssl_cipher)
acl_user->ssl_cipher,
SSL_get_cipher(vio->ssl_)));
if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
user_access=acl_user->access;
else
{ {
if (global_system_variables.log_warnings) DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'",
sql_print_error("X509 ciphers mismatch: should be '%s' but is '%s'", acl_user->ssl_cipher,
acl_user->ssl_cipher, SSL_get_cipher(vio->ssl_)));
SSL_get_cipher(vio->ssl_)); if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
user_access=NO_ACCESS; user_access=acl_user->access;
break; else
{
if (global_system_variables.log_warnings)
sql_print_error("X509 ciphers mismatch: should be '%s' but is '%s'",
acl_user->ssl_cipher,
SSL_get_cipher(vio->ssl_));
user_access=NO_ACCESS;
break;
}
} }
} /* Prepare certificate (if exists) */
/* Prepare certificate (if exists) */ DBUG_PRINT("info",("checkpoint 1"));
DBUG_PRINT("info",("checkpoint 1")); X509* cert=SSL_get_peer_certificate(vio->ssl_);
X509* cert=SSL_get_peer_certificate(vio->ssl_); DBUG_PRINT("info",("checkpoint 2"));
DBUG_PRINT("info",("checkpoint 2")); /* If X509 issuer is speified, we check it... */
/* If X509 issuer is speified, we check it... */ if (acl_user->x509_issuer)
if (acl_user->x509_issuer)
{
DBUG_PRINT("info",("checkpoint 3"));
char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
acl_user->x509_issuer, ptr));
if (strcmp(acl_user->x509_issuer, ptr))
{ {
if (global_system_variables.log_warnings) DBUG_PRINT("info",("checkpoint 3"));
sql_print_error("X509 issuer mismatch: should be '%s' but is '%s'", char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
acl_user->x509_issuer, ptr); DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
user_access=NO_ACCESS; acl_user->x509_issuer, ptr));
if (strcmp(acl_user->x509_issuer, ptr))
{
if (global_system_variables.log_warnings)
sql_print_error("X509 issuer mismatch: should be '%s' but is '%s'",
acl_user->x509_issuer, ptr);
user_access=NO_ACCESS;
free(ptr);
break;
}
user_access=acl_user->access;
free(ptr); free(ptr);
break;
} }
user_access=acl_user->access; DBUG_PRINT("info",("checkpoint 4"));
free(ptr); /* X509 subject is specified, we check it .. */
} if (acl_user->x509_subject)
DBUG_PRINT("info",("checkpoint 4"));
/* X509 subject is specified, we check it .. */
if (acl_user->x509_subject)
{
char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
acl_user->x509_subject, ptr));
if (strcmp(acl_user->x509_subject,ptr))
{ {
if (global_system_variables.log_warnings) char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
sql_print_error("X509 subject mismatch: '%s' vs '%s'", DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
acl_user->x509_subject, ptr); acl_user->x509_subject, ptr));
user_access=NO_ACCESS; if (strcmp(acl_user->x509_subject,ptr))
{
if (global_system_variables.log_warnings)
sql_print_error("X509 subject mismatch: '%s' vs '%s'",
acl_user->x509_subject, ptr);
user_access=NO_ACCESS;
}
else
user_access=acl_user->access;
free(ptr);
} }
else break;
user_access=acl_user->access;
free(ptr);
} }
break;
} }
#else /* HAVE_OPENSSL */ #else /* HAVE_OPENSSL */
user_access=acl_user->access; user_access=acl_user->access;
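Review bot: On the new side, `X509* cert=SSL_get_peer_certificate(vio->ssl_);` inside the `vio_type(vio) == VIO_TYPE_SSL` branch is still handed to `X509_get_issuer_name(cert)` and `X509_get_subject_name(cert)` with no NULL check, even though the comment above it says "if exists"; an SSL connection that presented no client certificate would dereference NULL whenever x509_issuer or x509_subject is set, the same class of crash this commit fixes for the non-SSL case, unless sslaccept() already guarantees a peer certificate is present (not visible here). A guard directly after the assignment, `if (!cert) { user_access=NO_ACCESS; break; }`, closes that path. The certificate reference returned by SSL_get_peer_certificate is also never released on any path in the hunk, so an `X509_free(cert)` before each `break;` and at the end of the SSL branch would avoid a per-connection leak. acl_getroot's body starts and ends outside the hunk.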
......