-rw-r--r-- | include/violite.h | 2 | ||||
-rw-r--r-- | libmysqld/lib_sql.cc | 62 | ||||
-rw-r--r-- | sql/mysqld.cc | 4 | ||||
-rw-r--r-- | sql/sql_acl.cc | 279 |
4 files changed, 166 insertions, 181 deletions
diff --git a/include/violite.h b/include/violite.h index c59f6124838..d5f697b26c4 100644 --- a/include/violite.h +++ b/include/violite.h @@ -108,7 +108,6 @@ my_bool vio_poll_read(Vio *vio,uint timeout); #ifdef __cplusplus } #endif -#endif /* vio_violite_h_ */ #if defined(HAVE_VIO) && !defined(DONT_MAP_VIO) #define vio_delete(vio) (vio)->viodelete(vio) @@ -237,3 +236,4 @@ struct st_vio #endif /* HAVE_VIO */ }; #endif /* EMBEDDED_LIBRARY */ +#endif /* vio_violite_h_ */ diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc index 116219372fd..f2599fe4016 100644 --- a/libmysqld/lib_sql.cc +++ b/libmysqld/lib_sql.cc @@ -19,13 +19,16 @@ #include "../regex/regex.h" #include "my_sys.h" +/* + The following is needed to not cause conflicts when we include mysqld.cc +*/ + #define main main1 #define mysql_unix_port mysql_inix_port1 #define mysql_port mysql_port1 #define net_read_timeout net_read_timeout1 #define net_write_timeout net_write_timeout1 #define changeable_vars changeable_vars1 -//#define mysql_tmpdir mysql_tmpdir1 extern "C" { 
@@ -36,38 +39,23 @@ extern "C" class THD; -static int -check_connections1(THD * thd); - -static bool -check_user(THD *thd, enum_server_command command,const char *user, const char *passwd, const char *db, bool check_count); - -static int -check_connections2(THD * thd); - -extern void free_defaults(char ** argv); -void free_defaults_internal(char ** argv){if (argv) free_defaults(argv);} +static int check_connections1(THD * thd); +static int check_connections2(THD * thd); +static bool check_user(THD *thd, enum_server_command command, + const char *user, const char *passwd, const char *db, + bool check_count); +void free_defaults_internal(char ** argv) {if (argv) free_defaults(argv);} #define free_defaults free_defaults_internal char mysql_data_home[FN_REFLEN]; -char * get_mysql_data_home(){return mysql_data_home;}; +char * get_mysql_data_home() { return mysql_data_home; } #define mysql_data_home mysql_data_home_internal #include "../sql/mysqld.cc" #define SCRAMBLE_LENGTH 8 extern "C" { - -/* -void -free_defaults(char ** argv) {}; -void -load_defaults(const char *, const char **, int *, char ***) {}; -*/ - -char * -get_mysql_home(){ return mysql_home;}; -char * -get_mysql_real_data_home(){ return mysql_real_data_home;}; +char * get_mysql_home(){ return mysql_home;}; +char * get_mysql_real_data_home(){ return mysql_real_data_home;}; bool lib_dispatch_command(enum enum_server_command command, NET *net, @@ -83,9 +71,7 @@ bool lib_dispatch_command(enum enum_server_command command, NET *net, } - -void -lib_connection_phase(NET * net, int phase) +void lib_connection_phase(NET * net, int phase) { THD * thd; thd = (THD *)(net->vio->dest_thd); @@ -99,7 +85,9 @@ lib_connection_phase(NET * net, int phase) } } } -} +} /* extern "C" */ + + void start_embedded_conn1(NET * net) { THD * thd = new THD; 
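Review bot: The `} /* extern "C" */` inserted ahead of `start_embedded_conn1` moves that function out of the C-linkage block, so any C-side declaration or caller of it would stop linking; the only caller visible in this diff is `start_embedded_connection` in the next hunk, in the same file. If that is its only user, declaring it `static void start_embedded_conn1(NET * net)` would make the intent explicit and keep it out of the exported symbol table. The body of start_embedded_conn1 continues outside the hunk.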
@@ -660,16 +648,14 @@ void mysql_thread_end() void start_embedded_connection(NET * net) { - start_embedded_conn1(net); -} -//==================================================================== + start_embedded_conn1(net); } + +} /* extern "C" */ + int embedded_do_command(NET * net) { - THD * thd = (THD *) net ->vio; - do_command(thd); - return 0; + THD * thd = (THD *) net ->vio; + do_command(thd); + return 0; } - - - diff --git a/sql/mysqld.cc b/sql/mysqld.cc index b27cb8a6bf3..c14ae3aa61a 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -677,9 +677,7 @@ static sig_handler print_signal_warning(int sig) void unireg_end(int signal_number __attribute__((unused))) { clean_up(); -#if defined(EMBEDDED_LIBRARY) - exit(0); // XXX QQ: this is a temporary hack (I hope) -#else +#ifndef EMBEDDED_LIBRARY pthread_exit(0); // Exit is in main thread #endif } diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 2f6c126e693..888ccf7b482 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc 
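Review bot: `THD * thd = (THD *) net ->vio;` in embedded_do_command treats the Vio pointer itself as a THD, whereas lib_connection_phase in the preceding hunk obtains the THD with `(THD *)(net->vio->dest_thd)`; the two cannot both be right unless net->vio is deliberately overloaded to carry a THD*, which nothing visible here establishes. If dest_thd is the real link, the line should read `THD * thd = (THD *)(net->vio->dest_thd);`, otherwise do_command is handed a Vio reinterpreted as a THD. The hunk only re-indents these lines, so the question predates the commit, but it is worth settling while they are touched.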
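Review bot: With the `exit(0)` removed, unireg_end now returns to its caller in EMBEDDED_LIBRARY builds, while the server build still never returns from `pthread_exit(0)`; any caller written on the assumption that unireg_end does not return (statements after the call, resources it was safe not to release) will now run on in the embedded library. Worth recording on the function, e.g. `/* Server: never returns (pthread_exit). Embedded: cleans up and returns to caller. */`, and checking the call sites of unireg_end, which are outside this hunk.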
@@ -205,17 +205,20 @@ int acl_init(bool dont_read_acl_tables)
 user.password=get_field(&mem, table,2);
 #ifdef HAVE_OPENSSL
 DBUG_PRINT("info",("table->fields=%d",table->fields));
- if (table->fields >= 21) { /* From 4.0.0 we have more fields */
- if(!strcmp(get_field(&mem, table,17),"ANY"))
+ if (table->fields >= 21) /* From 4.0.0 we have more fields */
+ {
+ char *ssl_type=get_field(&mem, table,17);
+ if (!strcmp(ssl_type, "ANY"))
 user.ssl_type=SSL_TYPE_ANY;
- else if(!strcmp(get_field(&mem, table,17),"X509"))
+ else if (!strcmp(ssl_type, "X509"))
 user.ssl_type=SSL_TYPE_X509;
- else if(!strcmp(get_field(&mem, table,17),"SPECIFIED"))
+ else if (!strcmp(ssl_type, "SPECIFIED"))
 user.ssl_type=SSL_TYPE_SPECIFIED;
- else user.ssl_type=SSL_TYPE_NONE;
- user.ssl_cipher=get_field(&mem, table,18);
- user.x509_issuer=get_field(&mem, table,19);
- user.x509_subject=get_field(&mem, table,20);
+ else
+ user.ssl_type=SSL_TYPE_NONE;
+ user.ssl_cipher=get_field(&mem, table, 18);
+ user.x509_issuer=get_field(&mem, table, 19);
+ user.x509_subject=get_field(&mem, table, 20);
 }
 #endif /* HAVE_OPENSSL */
 if (user.password && (length=(uint) strlen(user.password)) == 8 &&
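Review bot: `ssl_type` is passed straight to `strcmp()` without a NULL check, while the neighbouring `user.password`, read through the same `get_field()` helper, is guarded by `if (user.password && ...)` at the end of the hunk; if get_field() returns NULL for an empty ssl_type column, acl_init dereferences NULL and the server fails at startup for any such row in mysql.user. Treat a missing value as no requirement: `if (!ssl_type) user.ssl_type=SSL_TYPE_NONE; else if (!strcmp(ssl_type, "ANY")) ...`. acl_init begins and ends outside this hunk.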
@@ -447,82 +450,87 @@ uint acl_getroot(THD *thd, const char *host, const char *ip, const char *user, (my_bool) old_ver))) { #ifdef HAVE_OPENSSL -#define vio (thd->net.vio) - /* In this point we know that user is allowed to connect - * from given host by given username/password pair. Now - * we check if SSL is required, if user is using SSL and - * if X509 certificate attributes are OK - */ + Vio *vio=thd->net.vio; + /* + In this point we know that user is allowed to connect + from given host by given username/password pair. Now + we check if SSL is required, if user is using SSL and + if X509 certificate attributes are OK + */ switch(acl_user->ssl_type) { case SSL_TYPE_NONE: /* SSL is not required to connect */ - user_access=acl_user->access; - break; + user_access=acl_user->access; + break; case SSL_TYPE_ANY: /* Any kind of SSL is good enough */ - if(vio_type(vio) == VIO_TYPE_SSL) - user_access=acl_user->access; - break; + if (vio_type(vio) == VIO_TYPE_SSL) + user_access=acl_user->access; + break; case SSL_TYPE_X509: /* Client should have any valid certificate. */ - /* Connections with non-valid certificates are dropped already - * in sslaccept() anyway, so we do not check validity here. - */ - if(SSL_get_peer_certificate(vio->ssl_)) - user_access=acl_user->access; - break; - case SSL_TYPE_SPECIFIED: /* Client should have attributes as specified */ - /* We do not check for absence of SSL because without SSL it does not - * pass all checks here anyway. 
- */ - /* If cipher name is specified, we compare it to actual cipher in use */ - if(acl_user->ssl_cipher) - DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'", - acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_))); - if(!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_))) - user_access=acl_user->access; - else - { - user_access=NO_ACCESS; - break; - } - /* Prepare certificate (if exists) */ - DBUG_PRINT("info",("checkpoint 1")); - X509* cert=SSL_get_peer_certificate(vio->ssl_); - DBUG_PRINT("info",("checkpoint 2")); - /* If X509 issuer is speified, we check it... */ - if(acl_user->x509_issuer) - { - DBUG_PRINT("info",("checkpoint 3")); - ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); - DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", - acl_user->x509_issuer, ptr)); - if(!strcmp(acl_user->x509_issuer,ptr)) - user_access=acl_user->access; - else - { - user_access=NO_ACCESS; - free(ptr); - break; - } - free(ptr); - } - DBUG_PRINT("info",("checkpoint 4")); - /* X509 subject is specified, we check it .. */ - if(acl_user->x509_subject) - { - ptr = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); - DBUG_PRINT("info",("comparing subjects: '%s' and '%s'", - acl_user->x509_subject, ptr)); - if(!strcmp(acl_user->x509_subject,ptr)) - user_access=acl_user->access; - else - { - user_access=NO_ACCESS; - free(ptr); - break; - } - free(ptr); - } - DBUG_PRINT("info",("checkpoint 5")); - break; + /* + Connections with non-valid certificates are dropped already + in sslaccept() anyway, so we do not check validity here. + */ + if (SSL_get_peer_certificate(vio->ssl_)) + user_access=acl_user->access; + break; + case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */ + /* + We do not check for absence of SSL because without SSL it does + not pass all checks here anyway. + If cipher name is specified, we compare it to actual cipher in + use. 
+ */ + if (acl_user->ssl_cipher) + DBUG_PRINT("info",("comparing ciphers: '%s' and '%s'", + acl_user->ssl_cipher, + SSL_get_cipher(vio->ssl_))); + if (!strcmp(acl_user->ssl_cipher,SSL_get_cipher(vio->ssl_))) + user_access=acl_user->access; + else + { + user_access=NO_ACCESS; + break; + } + /* Prepare certificate (if exists) */ + DBUG_PRINT("info",("checkpoint 1")); + X509* cert=SSL_get_peer_certificate(vio->ssl_); + DBUG_PRINT("info",("checkpoint 2")); + /* If X509 issuer is speified, we check it... */ + if (acl_user->x509_issuer) + { + DBUG_PRINT("info",("checkpoint 3")); + ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); + DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", + acl_user->x509_issuer, ptr)); + if (!strcmp(acl_user->x509_issuer,ptr)) + user_access=acl_user->access; + else + { + user_access=NO_ACCESS; + free(ptr); + break; + } + free(ptr); + } + DBUG_PRINT("info",("checkpoint 4")); + /* X509 subject is specified, we check it .. */ + if (acl_user->x509_subject) + { + ptr = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); + DBUG_PRINT("info",("comparing subjects: '%s' and '%s'", + acl_user->x509_subject, ptr)); + if (!strcmp(acl_user->x509_subject,ptr)) + user_access=acl_user->access; + else + { + user_access=NO_ACCESS; + free(ptr); + break; + } + free(ptr); + } + DBUG_PRINT("info",("checkpoint 5")); + break; } DBUG_PRINT("info",("checkpoint 6")); #else /* HAVE_OPENSSL */ @@ -557,12 +565,10 @@ static byte* check_get_key(ACL_USER *buff,uint *length, static void acl_update_user(const char *user, const char *host, const char *password, -#ifdef HAVE_OPENSSL enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, -#endif /* HAVE_OPENSSL */ uint privileges) { for (uint i=0 ; i < acl_users.elements ; i++) 
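Review bot: In the `SSL_TYPE_SPECIFIED` arm the `if (acl_user->ssl_cipher)` guards only the DBUG_PRINT, so `strcmp(acl_user->ssl_cipher, SSL_get_cipher(vio->ssl_))` runs even when no CIPHER was required and dereferences a NULL ssl_cipher for an account created with REQUIRE ISSUER or SUBJECT alone; unlike the `SSL_TYPE_ANY` arm it also never checks `vio_type(vio) == VIO_TYPE_SSL` before using `vio->ssl_`, relying on the comment's claim that a plain connection fails later. `SSL_get_peer_certificate()` returns NULL when the client sent no certificate, yet `cert` goes unchecked into X509_get_issuer_name/X509_get_subject_name, and the reference it hands back is never released with X509_free() on any path (the X509 arm discards one too). The arm should fail closed on a non-SSL connection, compare the cipher only when one is configured, reject a missing certificate before the issuer/subject checks and free the certificate on every exit; acl_getroot begins and ends outside this hunk.
```c
  case SSL_TYPE_SPECIFIED:	/* Client should have specified attrib */
    /* Fail closed: everything below dereferences vio->ssl_ */
    if (vio_type(vio) != VIO_TYPE_SSL)
    {
      user_access=NO_ACCESS;
      break;
    }
    /* Compare the cipher only when one was actually required */
    if (acl_user->ssl_cipher &&
        strcmp(acl_user->ssl_cipher, SSL_get_cipher(vio->ssl_)))
    {
      user_access=NO_ACCESS;
      break;
    }
    user_access=acl_user->access;
    X509* cert=SSL_get_peer_certificate(vio->ssl_);
    if (!cert && (acl_user->x509_issuer || acl_user->x509_subject))
    {
      user_access=NO_ACCESS;
      break;
    }
    /* … unchanged: issuer and subject comparisons; their mismatch
       paths must fall through to the X509_free below instead of
       breaking out of the switch … */
    X509_free(cert);
    break;
```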
@@ -601,12 +607,10 @@ static void acl_update_user(const char *user, const char *host, static void acl_insert_user(const char *user, const char *host, const char *password, -#ifdef HAVE_OPENSSL enum SSL_type ssl_type, const char *ssl_cipher, const char *x509_issuer, const char *x509_subject, -#endif /* HAVE_OPENSSL */ uint privileges) { ACL_USER acl_user; 
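Review bot: With the `#ifdef HAVE_OPENSSL` dropped from the signature, acl_insert_user now always receives the four SSL attributes, so the ACL_USER members it stores them into must exist in non-OpenSSL builds as well; acl_init in this same diff fills `user.ssl_type`/`ssl_cipher`/`x509_issuer`/`x509_subject` only inside `#ifdef HAVE_OPENSSL`, and the struct definition is not in view, so this is worth confirming before a build without SSL is attempted. A one-line comment on the declaration, `/* SSL attributes are stored unconditionally; presumably enforced only with HAVE_OPENSSL */`, would record the intent. The body of acl_insert_user continues outside the hunk.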
@@ -1158,37 +1162,35 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo, rights=get_access(table,3); #ifdef HAVE_OPENSSL /* We write down SSL related ACL stuff */ - DBUG_PRINT("info",("table->fields=%d",table->fields)); - if (table->fields >= 21) { /* From 4.0.0 we have more fields */ - switch (thd->lex.ssl_type) { - case SSL_TYPE_ANY: - table->field[17]->store("ANY",3); - table->field[18]->store("",0); - table->field[19]->store("",0); - table->field[20]->store("",0); - break; - case SSL_TYPE_X509: - table->field[17]->store("X509",4); - table->field[18]->store("",0); - table->field[19]->store("",0); - table->field[20]->store("",0); - break; - case SSL_TYPE_SPECIFIED: - table->field[17]->store("SPECIFIED",9); - if(thd->lex.ssl_cipher) - table->field[18]->store(thd->lex.ssl_cipher,strlen(thd->lex.ssl_cipher)); - if(thd->lex.x509_issuer) - table->field[19]->store(thd->lex.x509_issuer,strlen(thd->lex.x509_issuer)); - if(thd->lex.x509_subject) - table->field[20]->store(thd->lex.x509_subject,strlen(thd->lex.x509_subject)); - break; - default: - table->field[17]->store("NONE",4); - table->field[18]->store("",0); - table->field[19]->store("",0); - table->field[20]->store("",0); - } + DBUG_PRINT("info",("table->fields=%d",table->fields)); + if (table->fields >= 21) /* From 4.0.0 we have more fields */ + { + table->field[18]->store("",0); + table->field[19]->store("",0); + table->field[20]->store("",0); + switch (thd->lex.ssl_type) { + case SSL_TYPE_ANY: + table->field[17]->store("ANY",3); + break; + case SSL_TYPE_X509: + table->field[17]->store("X509",4); + break; + case SSL_TYPE_SPECIFIED: + table->field[17]->store("SPECIFIED",9); + if (thd->lex.ssl_cipher) + table->field[18]->store(thd->lex.ssl_cipher, + strlen(thd->lex.ssl_cipher)); + if (thd->lex.x509_issuer) + table->field[19]->store(thd->lex.x509_issuer, + strlen(thd->lex.x509_issuer)); + if (thd->lex.x509_subject) + table->field[20]->store(thd->lex.x509_subject, + 
strlen(thd->lex.x509_subject)); + break; + default: + table->field[17]->store("NONE",4); } + } #endif /* HAVE_OPENSSL */ if (old_row_exists) { @@ -1216,7 +1218,7 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo, } error=0; // Privileges granted / revoked - end: +end: if (!error) { acl_cache->clear(1); // Clear privilege cache @@ -1224,22 +1226,18 @@ static int replace_user_table(THD *thd, TABLE *table, const LEX_USER &combo, password=0; // No password given on command if (old_row_exists) acl_update_user(combo.user.str,combo.host.str,password, -#ifdef HAVE_OPENSSL - thd->lex.ssl_type, - thd->lex.ssl_cipher, - thd->lex.x509_issuer, - thd->lex.x509_subject, -#endif /* HAVE_OPENSSL */ - rights); + thd->lex.ssl_type, + thd->lex.ssl_cipher, + thd->lex.x509_issuer, + thd->lex.x509_subject, + rights); else acl_insert_user(combo.user.str,combo.host.str,password, -#ifdef HAVE_OPENSSL - thd->lex.ssl_type, - thd->lex.ssl_cipher, - thd->lex.x509_issuer, - thd->lex.x509_subject, -#endif /* HAVE_OPENSSL */ - rights); + thd->lex.ssl_type, + thd->lex.ssl_cipher, + thd->lex.x509_issuer, + thd->lex.x509_subject, + rights); } table->file->index_end(); DBUG_RETURN(error); 
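Review bot: The `default:` arm writes `NONE` into field 17, with fields 18–20 already blanked above the switch, for every `thd->lex.ssl_type` that is not ANY, X509 or SPECIFIED, so unless the parser sets ssl_type to one of those three for a statement without a REQUIRE clause, any later `GRANT ... ON db.* TO user` on an existing account silently clears an earlier REQUIRE X509/ISSUER/SUBJECT — a tightening of access undone by an unrelated grant. If lex.ssl_type has a distinct "not specified" default (not visible here), that value needs its own arm that leaves all four columns untouched, which in turn means moving the three blanking stores into the arms that actually change the requirement. If the reset is deliberate, say so above the switch: `/* A GRANT without REQUIRE resets the SSL requirement to NONE */`. replace_user_table begins and ends outside this hunk.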
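Review bot: acl_update_user is handed `thd->lex.ssl_type` and the three attribute pointers for every GRANT, whether or not the statement carried a REQUIRE clause, so the in-memory ACL cache receives the same reset that replace_user_table writes to the table above; on a build without HAVE_OPENSSL the table write of those columns is compiled out while this call is not, so if the update functions store the attributes unconditionally, memory and mysql.user disagree until the next reload. The `password=0; // No password given on command` line just above shows the pattern used for "not given" on the password — an equivalent sentinel for ssl_type would let the update functions leave the requirement alone. Worth a note on the call, e.g. `/* SSL requirement follows the statement even when no REQUIRE was given */`, and a check of the parser's default for lex.ssl_type, which is outside this diff.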
@@ -2591,30 +2589,33 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user) global.append('\''); } #ifdef HAVE_OPENSSL -/* "show grants" SSL related stuff */ - if(acl_user->ssl_type==SSL_TYPE_ANY) + /* "show grants" SSL related stuff */ + if (acl_user->ssl_type == SSL_TYPE_ANY) global.append(" REQUIRE SSL",12); - else if(acl_user->ssl_type==SSL_TYPE_X509) + else if (acl_user->ssl_type==SSL_TYPE_X509) global.append(" REQUIRE X509",13); - else if(acl_user->ssl_type==SSL_TYPE_SPECIFIED) + else if (acl_user->ssl_type==SSL_TYPE_SPECIFIED) { global.append(" REQUIRE ",9); - if(acl_user->x509_issuer) { - if(ssl_options++) + if (acl_user->x509_issuer) + { + if (ssl_options++) global.append(" AND ",5); global.append("ISSUER \"",8); global.append(acl_user->x509_issuer,strlen(acl_user->x509_issuer)); global.append("\"",1); } - if(acl_user->x509_subject) { - if(ssl_options++) + if (acl_user->x509_subject) + { + if (ssl_options++) global.append(" AND ",5); global.append("SUBJECT \"",9); global.append(acl_user->x509_subject,strlen(acl_user->x509_subject)); global.append("\"",1); } - if(acl_user->ssl_cipher) { - if(ssl_options++) + if (acl_user->ssl_cipher) + { + if (ssl_options++) global.append(" AND ",5); global.append("CIPHER \"",8); global.append(acl_user->ssl_cipher,strlen(acl_user->ssl_cipher)); |