Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
7e312565
Commit
7e312565
authored
Dec 06, 2002
by
monty@mashka.mysql.fi
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove usage of acl_getroot() in embedded server.
Fixed compilation problem when OPENSSL was enabled.
parent
f1d35b29
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
75 additions
and
107 deletions
+75
-107
libmysqld/lib_sql.cc
libmysqld/lib_sql.cc
+2
-35
sql/sql_acl.cc
sql/sql_acl.cc
+73
-72
No files found.
libmysqld/lib_sql.cc
View file @
7e312565
...
...
@@ -223,41 +223,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
send_error
(
thd
,
ER_OUT_OF_RESOURCES
);
return
1
;
}
thd
->
master_access
=
acl_getroot
(
thd
,
thd
->
host
,
thd
->
ip
,
thd
->
user
,
passwd
,
thd
->
scramble
,
&
thd
->
priv_user
,
protocol_version
==
9
||
!
(
thd
->
client_capabilities
&
CLIENT_LONG_PASSWORD
),
&
ur
);
DBUG_PRINT
(
"info"
,
(
"Capabilities: %d packet_length: %d Host: '%s' User: '%s' Using password: %s Access: %u db: '%s'"
,
thd
->
client_capabilities
,
thd
->
max_client_packet_length
,
thd
->
host_or_ip
,
thd
->
priv_user
,
passwd
[
0
]
?
"yes"
:
"no"
,
thd
->
master_access
,
thd
->
db
?
thd
->
db
:
"*none*"
));
if
(
thd
->
master_access
&
NO_ACCESS
)
{
net_printf
(
thd
,
ER_ACCESS_DENIED_ERROR
,
thd
->
user
,
thd
->
host_or_ip
,
passwd
[
0
]
?
ER
(
ER_YES
)
:
ER
(
ER_NO
));
mysql_log
.
write
(
thd
,
COM_CONNECT
,
ER
(
ER_ACCESS_DENIED_ERROR
),
thd
->
user
,
thd
->
host_or_ip
,
passwd
[
0
]
?
ER
(
ER_YES
)
:
ER
(
ER_NO
));
return
(
1
);
// Error already given
}
if
(
check_count
)
{
VOID
(
pthread_mutex_lock
(
&
LOCK_thread_count
));
bool
tmp
=
(
thread_count
-
delayed_insert_threads
>=
max_connections
&&
!
(
thd
->
master_access
&
PROCESS_ACL
));
VOID
(
pthread_mutex_unlock
(
&
LOCK_thread_count
));
if
(
tmp
)
{
// Too many connections
send_error
(
thd
,
ER_CON_COUNT_ERROR
);
return
(
1
);
}
}
thd
->
master_access
=
~
0L
;
// No user checking
thd
->
priv_user
=
thd
->
user
;
mysql_log
.
write
(
thd
,
command
,
(
thd
->
priv_user
==
thd
->
user
?
(
char
*
)
"%s@%s on %s"
:
...
...
sql/sql_acl.cc
View file @
7e312565
...
...
@@ -578,85 +578,86 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
/* OK. User found and password checked continue validation */
#ifdef HAVE_OPENSSL
Vio
*
vio
=
thd
->
net
.
vio
;
/*
In this point we know that user is allowed to connect
from given host by given username/password pair. Now
we check if SSL is required, if user is using SSL and
if X509 certificate attributes are OK
*/
switch
(
acl_user
->
ssl_type
)
{
case
SSL_TYPE_NOT_SPECIFIED
:
// Impossible
case
SSL_TYPE_NONE
:
/* SSL is not required to connect */
user_access
=
acl_user
->
access
;
break
;
case
SSL_TYPE_ANY
:
/* Any kind of SSL is good enough */
if
(
vio_type
(
vio
)
==
VIO_TYPE_SSL
)
user_access
=
acl_user
->
access
;
break
;
case
SSL_TYPE_X509
:
/* Client should have any valid certificate. */
/*
Connections with non-valid certificates are dropped already
in sslaccept() anyway, so we do not check validity here.
*/
if
(
SSL_get_peer_certificate
(
vio
->
ssl_
))
{
Vio
*
vio
=
thd
->
net
.
vio
;
/*
In this point we know that user is allowed to connect
from given host by given username/password pair. Now
we check if SSL is required, if user is using SSL and
if X509 certificate attributes are OK
*/
switch
(
acl_user
->
ssl_type
)
{
case
SSL_TYPE_NOT_SPECIFIED
:
// Impossible
case
SSL_TYPE_NONE
:
/* SSL is not required to connect */
user_access
=
acl_user
->
access
;
break
;
case
SSL_TYPE_SPECIFIED
:
/* Client should have specified attrib */
/*
We do not check for absence of SSL because without SSL it does
not pass all checks here anyway.
If cipher name is specified, we compare it to actual cipher in
use.
*/
if
(
acl_user
->
ssl_cipher
)
{
DBUG_PRINT
(
"info"
,(
"comparing ciphers: '%s' and '%s'"
,
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)));
if
(
!
strcmp
(
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)))
user_access
=
acl_user
->
access
;
else
break
;
case
SSL_TYPE_ANY
:
/* Any kind of SSL is good enough */
if
(
vio_type
(
vio
)
==
VIO_TYPE_SSL
)
user_access
=
acl_user
->
access
;
break
;
case
SSL_TYPE_X509
:
/* Client should have any valid certificate. */
/*
Connections with non-valid certificates are dropped already
in sslaccept() anyway, so we do not check validity here.
*/
if
(
SSL_get_peer_certificate
(
vio
->
ssl_
))
user_access
=
acl_user
->
access
;
break
;
case
SSL_TYPE_SPECIFIED
:
/* Client should have specified attrib */
/*
We do not check for absence of SSL because without SSL it does
not pass all checks here anyway.
If cipher name is specified, we compare it to actual cipher in
use.
*/
if
(
acl_user
->
ssl_cipher
)
{
user_access
=
NO_ACCESS
;
break
;
DBUG_PRINT
(
"info"
,(
"comparing ciphers: '%s' and '%s'"
,
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)));
if
(
!
strcmp
(
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)))
user_access
=
acl_user
->
access
;
else
{
user_access
=
NO_ACCESS
;
break
;
}
}
}
/* Prepare certificate (if exists) */
DBUG_PRINT
(
"info"
,(
"checkpoint 1"
));
X509
*
cert
=
SSL_get_peer_certificate
(
vio
->
ssl_
);
DBUG_PRINT
(
"info"
,(
"checkpoint 2"
));
/* If X509 issuer is speified, we check it... */
if
(
acl_user
->
x509_issuer
)
{
DBUG_PRINT
(
"info"
,(
"checkpoint 3"
));
char
*
ptr
=
X509_NAME_oneline
(
X509_get_issuer_name
(
cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"comparing issuers: '%s' and '%s'"
,
acl_user
->
x509_issuer
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_issuer
,
ptr
))
/* Prepare certificate (if exists) */
DBUG_PRINT
(
"info"
,(
"checkpoint 1"
));
X509
*
cert
=
SSL_get_peer_certificate
(
vio
->
ssl_
);
DBUG_PRINT
(
"info"
,(
"checkpoint 2"
));
/* If X509 issuer is speified, we check it... */
if
(
acl_user
->
x509_issuer
)
{
user_access
=
NO_ACCESS
;
free
(
ptr
);
break
;
DBUG_PRINT
(
"info"
,(
"checkpoint 3"
));
char
*
ptr
=
X509_NAME_oneline
(
X509_get_issuer_name
(
cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"comparing issuers: '%s' and '%s'"
,
acl_user
->
x509_issuer
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_issuer
,
ptr
))
{
user_access
=
NO_ACCESS
;
free
(
ptr
);
break
;
}
user_access
=
acl_user
->
access
;
free
(
ptr
);
}
user_access
=
acl_user
->
access
;
free
(
ptr
);
}
DBUG_PRINT
(
"info"
,(
"checkpoint 4"
));
/* X509 subject is specified, we check it .. */
if
(
acl_user
->
x509_subject
)
{
char
*
ptr
=
X509_NAME_oneline
(
X509_get_subject_name
(
cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"comparing subjects: '%s' and '%s'"
,
acl_user
->
x509_subject
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_subject
,
ptr
))
user_access
=
NO_ACCESS
;
else
user_access
=
acl_user
->
access
;
free
(
ptr
);
DBUG_PRINT
(
"info"
,(
"checkpoint 4"
));
/* X509 subject is specified, we check it .. */
if
(
acl_user
->
x509_subject
)
{
char
*
ptr
=
X509_NAME_oneline
(
X509_get_subject_name
(
cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"comparing subjects: '%s' and '%s'"
,
acl_user
->
x509_subject
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_subject
,
ptr
))
user_access
=
NO_ACCESS
;
else
user_access
=
acl_user
->
access
;
free
(
ptr
);
}
break
;
}
break
;
}
#else
/* HAVE_OPENSSL */
user_access
=
acl_user
->
access
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment