Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
7e312565
Commit
7e312565
authored
Dec 06, 2002
by
monty@mashka.mysql.fi
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove usage of acl_getroot() in embedded server.
Fixed compilation problem when OPENSSL was enabled.
parent
f1d35b29
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
75 additions
and
107 deletions
+75
-107
libmysqld/lib_sql.cc
libmysqld/lib_sql.cc
+2
-35
sql/sql_acl.cc
sql/sql_acl.cc
+73
-72
No files found.
libmysqld/lib_sql.cc
View file @
7e312565
...
@@ -223,41 +223,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
...
@@ -223,41 +223,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
send_error
(
thd
,
ER_OUT_OF_RESOURCES
);
send_error
(
thd
,
ER_OUT_OF_RESOURCES
);
return
1
;
return
1
;
}
}
thd
->
master_access
=
acl_getroot
(
thd
,
thd
->
host
,
thd
->
ip
,
thd
->
user
,
thd
->
master_access
=
~
0L
;
// No user checking
passwd
,
thd
->
scramble
,
&
thd
->
priv_user
,
thd
->
priv_user
=
thd
->
user
;
protocol_version
==
9
||
!
(
thd
->
client_capabilities
&
CLIENT_LONG_PASSWORD
),
&
ur
);
DBUG_PRINT
(
"info"
,
(
"Capabilities: %d packet_length: %d Host: '%s' User: '%s' Using password: %s Access: %u db: '%s'"
,
thd
->
client_capabilities
,
thd
->
max_client_packet_length
,
thd
->
host_or_ip
,
thd
->
priv_user
,
passwd
[
0
]
?
"yes"
:
"no"
,
thd
->
master_access
,
thd
->
db
?
thd
->
db
:
"*none*"
));
if
(
thd
->
master_access
&
NO_ACCESS
)
{
net_printf
(
thd
,
ER_ACCESS_DENIED_ERROR
,
thd
->
user
,
thd
->
host_or_ip
,
passwd
[
0
]
?
ER
(
ER_YES
)
:
ER
(
ER_NO
));
mysql_log
.
write
(
thd
,
COM_CONNECT
,
ER
(
ER_ACCESS_DENIED_ERROR
),
thd
->
user
,
thd
->
host_or_ip
,
passwd
[
0
]
?
ER
(
ER_YES
)
:
ER
(
ER_NO
));
return
(
1
);
// Error already given
}
if
(
check_count
)
{
VOID
(
pthread_mutex_lock
(
&
LOCK_thread_count
));
bool
tmp
=
(
thread_count
-
delayed_insert_threads
>=
max_connections
&&
!
(
thd
->
master_access
&
PROCESS_ACL
));
VOID
(
pthread_mutex_unlock
(
&
LOCK_thread_count
));
if
(
tmp
)
{
// Too many connections
send_error
(
thd
,
ER_CON_COUNT_ERROR
);
return
(
1
);
}
}
mysql_log
.
write
(
thd
,
command
,
mysql_log
.
write
(
thd
,
command
,
(
thd
->
priv_user
==
thd
->
user
?
(
thd
->
priv_user
==
thd
->
user
?
(
char
*
)
"%s@%s on %s"
:
(
char
*
)
"%s@%s on %s"
:
...
...
sql/sql_acl.cc
View file @
7e312565
...
@@ -578,85 +578,86 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
...
@@ -578,85 +578,86 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
/* OK. User found and password checked continue validation */
/* OK. User found and password checked continue validation */
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL
Vio
*
vio
=
thd
->
net
.
vio
;
{
/*
Vio
*
vio
=
thd
->
net
.
vio
;
In this point we know that user is allowed to connect
/*
from given host by given username/password pair. Now
In this point we know that user is allowed to connect
we check if SSL is required, if user is using SSL and
from given host by given username/password pair. Now
if X509 certificate attributes are OK
we check if SSL is required, if user is using SSL and
*/
if X509 certificate attributes are OK
switch
(
acl_user
->
ssl_type
)
{
*/
case
SSL_TYPE_NOT_SPECIFIED
:
// Impossible
switch
(
acl_user
->
ssl_type
)
{
case
SSL_TYPE_NONE
:
/* SSL is not required to connect */
case
SSL_TYPE_NOT_SPECIFIED
:
// Impossible
user_access
=
acl_user
->
access
;
case
SSL_TYPE_NONE
:
/* SSL is not required to connect */
break
;
case
SSL_TYPE_ANY
:
/* Any kind of SSL is good enough */
if
(
vio_type
(
vio
)
==
VIO_TYPE_SSL
)
user_access
=
acl_user
->
access
;
break
;
case
SSL_TYPE_X509
:
/* Client should have any valid certificate. */
/*
Connections with non-valid certificates are dropped already
in sslaccept() anyway, so we do not check validity here.
*/
if
(
SSL_get_peer_certificate
(
vio
->
ssl_
))
user_access
=
acl_user
->
access
;
user_access
=
acl_user
->
access
;
break
;
break
;
case
SSL_TYPE_SPECIFIED
:
/* Client should have specified attrib */
case
SSL_TYPE_ANY
:
/* Any kind of SSL is good enough */
/*
if
(
vio_type
(
vio
)
==
VIO_TYPE_SSL
)
We do not check for absence of SSL because without SSL it does
user_access
=
acl_user
->
access
;
not pass all checks here anyway.
break
;
If cipher name is specified, we compare it to actual cipher in
case
SSL_TYPE_X509
:
/* Client should have any valid certificate. */
use.
/*
*/
Connections with non-valid certificates are dropped already
if
(
acl_user
->
ssl_cipher
)
in sslaccept() anyway, so we do not check validity here.
{
*/
DBUG_PRINT
(
"info"
,(
"comparing ciphers: '%s' and '%s'"
,
if
(
SSL_get_peer_certificate
(
vio
->
ssl_
))
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)));
user_access
=
acl_user
->
access
;
if
(
!
strcmp
(
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)))
break
;
user_access
=
acl_user
->
access
;
case
SSL_TYPE_SPECIFIED
:
/* Client should have specified attrib */
else
/*
We do not check for absence of SSL because without SSL it does
not pass all checks here anyway.
If cipher name is specified, we compare it to actual cipher in
use.
*/
if
(
acl_user
->
ssl_cipher
)
{
{
user_access
=
NO_ACCESS
;
DBUG_PRINT
(
"info"
,(
"comparing ciphers: '%s' and '%s'"
,
break
;
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)));
if
(
!
strcmp
(
acl_user
->
ssl_cipher
,
SSL_get_cipher
(
vio
->
ssl_
)))
user_access
=
acl_user
->
access
;
else
{
user_access
=
NO_ACCESS
;
break
;
}
}
}
}
/* Prepare certificate (if exists) */
/* Prepare certificate (if exists) */
DBUG_PRINT
(
"info"
,(
"checkpoint 1"
));
DBUG_PRINT
(
"info"
,(
"checkpoint 1"
));
X509
*
cert
=
SSL_get_peer_certificate
(
vio
->
ssl_
);
X509
*
cert
=
SSL_get_peer_certificate
(
vio
->
ssl_
);
DBUG_PRINT
(
"info"
,(
"checkpoint 2"
));
DBUG_PRINT
(
"info"
,(
"checkpoint 2"
));
/* If X509 issuer is speified, we check it... */
/* If X509 issuer is speified, we check it... */
if
(
acl_user
->
x509_issuer
)
if
(
acl_user
->
x509_issuer
)
{
DBUG_PRINT
(
"info"
,(
"checkpoint 3"
));
char
*
ptr
=
X509_NAME_oneline
(
X509_get_issuer_name
(
cert
),
0
,
0
);
DBUG_PRINT
(
"info"
,(
"comparing issuers: '%s' and '%s'"
,
acl_user
->
x509_issuer
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_issuer
,
ptr
))
{
{
user_access
=
NO_ACCESS
;
DBUG_PRINT
(
"info"
,(
"checkpoint 3"
));
free
(
ptr
);
char
*
ptr
=
X509_NAME_oneline
(
X509_get_issuer_name
(
cert
),
0
,
0
);
break
;
DBUG_PRINT
(
"info"
,(
"comparing issuers: '%s' and '%s'"
,
acl_user
->
x509_issuer
,
ptr
));
if
(
strcmp
(
acl_user
->
x509_issuer
,
ptr
))
{
user_access
=
NO_ACCESS
;
free
(
ptr
);
break
;
}
user_access
=
acl_user
->
access
;
free
(
ptr
);
}
}
user_access
=
acl_user
->
access
;
DBUG_PRINT
(
"info"
,(
"checkpoint 4"
));
free
(
ptr
);
/* X509 subject is specified, we check it .. */
}
if
(
acl_user
->
x509_subject
)
DBUG_PRINT
(
"info"
,(
"checkpoint 4"
));
{
/* X509 subject is specified, we check it .. */
char
*
ptr
=
X509_NAME_oneline
(
X509_get_subject_name
(
cert
),
0
,
0
);
if
(
acl_user
->
x509_subject
)
DBUG_PRINT
(
"info"
,(
"comparing subjects: '%s' and '%s'"
,
{
acl_user
->
x509_subject
,
ptr
));
char
*
ptr
=
X509_NAME_oneline
(
X509_get_subject_name
(
cert
),
0
,
0
);
if
(
strcmp
(
acl_user
->
x509_subject
,
ptr
))
DBUG_PRINT
(
"info"
,(
"comparing subjects: '%s' and '%s'"
,
user_access
=
NO_ACCESS
;
acl_user
->
x509_subject
,
ptr
));
else
if
(
strcmp
(
acl_user
->
x509_subject
,
ptr
))
user_access
=
acl_user
->
access
;
user_access
=
NO_ACCESS
;
free
(
ptr
);
else
}
user_access
=
acl_user
->
access
;
break
;
free
(
ptr
);
}
}
break
;
}
}
#else
/* HAVE_OPENSSL */
#else
/* HAVE_OPENSSL */
user_access
=
acl_user
->
access
;
user_access
=
acl_user
->
access
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment