Fix bug: Crash server when grant ssl options are used and ssl handshake is not set

parent 52ebc0e8
......@@ -542,78 +542,79 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
break;
case SSL_TYPE_X509: /* Client should have any valid certificate. */
/*
Connections with non-valid certificates are dropped already
in sslaccept() anyway, so we do not check validity here.
We need to check for absence of SSL because without SSL
we should reject connection.
*/
if (SSL_get_peer_certificate(vio->ssl_))
if (vio_type(vio) == VIO_TYPE_SSL && SSL_get_peer_certificate(vio->ssl_))
user_access=acl_user->access;
break;
case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
/*
We do not check for absence of SSL because without SSL it does
not pass all checks here anyway.
If cipher name is specified, we compare it to actual cipher in
use.
We need to check for absence of SSL because without SSL
we should reject connection.
*/
if (acl_user->ssl_cipher)
if (vio_type(vio) == VIO_TYPE_SSL)
{
DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'",
acl_user->ssl_cipher,
SSL_get_cipher(vio->ssl_)));
if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
user_access=acl_user->access;
else
if (acl_user->ssl_cipher)
{
if (global_system_variables.log_warnings)
sql_print_error("X509 ciphers mismatch: should be '%s' but is '%s'",
acl_user->ssl_cipher,
SSL_get_cipher(vio->ssl_));
user_access=NO_ACCESS;
break;
DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'",
acl_user->ssl_cipher,
SSL_get_cipher(vio->ssl_)));
if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_)))
user_access=acl_user->access;
else
{
if (global_system_variables.log_warnings)
sql_print_error("X509 ciphers mismatch: should be '%s' but is '%s'",
acl_user->ssl_cipher,
SSL_get_cipher(vio->ssl_));
user_access=NO_ACCESS;
break;
}
}
}
/* Prepare certificate (if exists) */
DBUG_PRINT("info",("checkpoint 1"));
X509* cert=SSL_get_peer_certificate(vio->ssl_);
DBUG_PRINT("info",("checkpoint 2"));
/* If X509 issuer is speified, we check it... */
if (acl_user->x509_issuer)
{
DBUG_PRINT("info",("checkpoint 3"));
char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
acl_user->x509_issuer, ptr));
if (strcmp(acl_user->x509_issuer, ptr))
/* Prepare certificate (if exists) */
DBUG_PRINT("info",("checkpoint 1"));
X509* cert=SSL_get_peer_certificate(vio->ssl_);
DBUG_PRINT("info",("checkpoint 2"));
/* If X509 issuer is speified, we check it... */
if (acl_user->x509_issuer)
{
if (global_system_variables.log_warnings)
sql_print_error("X509 issuer mismatch: should be '%s' but is '%s'",
acl_user->x509_issuer, ptr);
user_access=NO_ACCESS;
DBUG_PRINT("info",("checkpoint 3"));
char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
acl_user->x509_issuer, ptr));
if (strcmp(acl_user->x509_issuer, ptr))
{
if (global_system_variables.log_warnings)
sql_print_error("X509 issuer mismatch: should be '%s' but is '%s'",
acl_user->x509_issuer, ptr);
user_access=NO_ACCESS;
free(ptr);
break;
}
user_access=acl_user->access;
free(ptr);
break;
}
user_access=acl_user->access;
free(ptr);
}
DBUG_PRINT("info",("checkpoint 4"));
/* X509 subject is specified, we check it .. */
if (acl_user->x509_subject)
{
char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
acl_user->x509_subject, ptr));
if (strcmp(acl_user->x509_subject,ptr))
DBUG_PRINT("info",("checkpoint 4"));
/* X509 subject is specified, we check it .. */
if (acl_user->x509_subject)
{
if (global_system_variables.log_warnings)
sql_print_error("X509 subject mismatch: '%s' vs '%s'",
acl_user->x509_subject, ptr);
user_access=NO_ACCESS;
char *ptr= X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
DBUG_PRINT("info",("comparing subjects: '%s' and '%s'",
acl_user->x509_subject, ptr));
if (strcmp(acl_user->x509_subject,ptr))
{
if (global_system_variables.log_warnings)
sql_print_error("X509 subject mismatch: '%s' vs '%s'",
acl_user->x509_subject, ptr);
user_access=NO_ACCESS;
}
else
user_access=acl_user->access;
free(ptr);
}
else
user_access=acl_user->access;
free(ptr);
break;
}
break;
}
#else /* HAVE_OPENSSL */
user_access=acl_user->access;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment