Changes to improve robustness of SSL processing, separate it so far as possible from protocols. Separate the detailed mechanism of authentication from the MySQL protocol with a view to making it into a module later.

2016-02-15 09:29:07 +00:00
parent 971d1d5de2
commit 866e91c088
17 changed files with 1218 additions and 741 deletions
--- a/server/modules/include/mysql_auth.h
+++ b/server/modules/include/mysql_auth.h
@ -0,0 +1,48 @@
+#ifndef _MYSQL_AUTH_H
+#define _MYSQL_AUTH_H
+/*
+ * This file is distributed as part of the MariaDB Corporation MaxScale.  It is free
+ * software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation,
+ * version 2.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright MariaDB Corporation Ab 2013-2014
+ */
+
+/*
+ * @verbatim
+ * Revision History
+ *
+ * Date         Who                     Description
+ * 02/02/2016   Martin Brampton         Initial implementation
+ *
+ * @endverbatim
+ */
+
+#include <dcb.h>
+#include <buffer.h>
+#include <stdint.h>
+#include <mysql_client_server_protocol.h>
+
+int mysql_auth_set_protocol_data(DCB *dcb, GWBUF *buf);
+bool mysql_auth_is_client_ssl_capable (DCB *dcb);
+int mysql_auth_authenticate(DCB *dcb, GWBUF **buf);
+int gw_check_mysql_scramble_data(DCB *dcb,
+                                 uint8_t *token,
+                                 unsigned int token_len,
+                                 uint8_t *scramble,
+                                 unsigned int scramble_len,
+                                 char *username,
+                                 uint8_t *stage1_hash);
+int check_db_name_after_auth(DCB *dcb, char *database, int auth_ret);
+
+#endif /** _MYSQL_AUTH_H */
--- a/server/modules/include/mysql_client_server_protocol.h
+++ b/server/modules/include/mysql_client_server_protocol.h
@ -33,9 +33,10 @@
 * 					and repository to gw_check_mysql_scramble_data()
 * 					It's now possible to specify a different users' table than
 * 					dcb->service->users default
- * 26-02-2014	Massimiliano Pinto	Removed previouvsly added parameters to gw_check_mysql_scramble_data() and
+ * 26-02-2014	Massimiliano Pinto	Removed previously added parameters to gw_check_mysql_scramble_data() and
 * 					gw_find_mysql_user_password_sha1()
 * 28-02-2014	Massimiliano Pinto	MYSQL_DATABASE_MAXLEN,MYSQL_USER_MAXLEN moved to dbusers.h
+ * 07-02-2016   Martin Brampton     Extend MYSQL_session type; add MYSQL_AUTH_SUCCEEDED
 *
 */

@ -91,9 +92,12 @@
 #define COM_QUIT_PACKET_SIZE (4+1)
 struct dcb;

+#define MYSQL_AUTH_SUCCEEDED 0
 #define MYSQL_FAILED_AUTH 1
 #define MYSQL_FAILED_AUTH_DB 2
 #define MYSQL_FAILED_AUTH_SSL 3
+#define MYSQL_AUTH_SSL_INCOMPLETE 4
+#define MYSQL_AUTH_NO_SESSION 5

 typedef enum {
        MYSQL_ALLOC,                        /* Initial state of protocol auth state */
@ -132,9 +136,11 @@ typedef struct mysql_session {
 #if defined(SS_DEBUG)
 	skygw_chk_t	myses_chk_top;
 #endif
-        uint8_t client_sha1[MYSQL_SCRAMBLE_LEN];        /*< SHA1(passowrd) */
+        uint8_t client_sha1[MYSQL_SCRAMBLE_LEN];        /*< SHA1(password) */
        char user[MYSQL_USER_MAXLEN+1];                 /*< username       */
        char db[MYSQL_DATABASE_MAXLEN+1];               /*< database       */
+        int  auth_token_len;                            /*< token length   */
+        uint8_t *auth_token;                            /*< token          */
 #if defined(SS_DEBUG)
 	skygw_chk_t	myses_chk_tail;
 #endif
@ -306,7 +312,6 @@ typedef struct {
        unsigned        long tid;                         /*< MySQL Thread ID, in
        * handshake */
        unsigned int    charset;                          /*< MySQL character set at connect time */
-        bool use_ssl;
 #if defined(SS_DEBUG)
        skygw_chk_t     protocol_chk_tail;
 #endif
@ -370,14 +375,6 @@ int gw_find_mysql_user_password_sha1(
        char *username,
        uint8_t *gateway_password,
 	DCB *dcb);
-int gw_check_mysql_scramble_data(
-        DCB *dcb,
-        uint8_t *token,
-        unsigned int token_len,
-        uint8_t *scramble,
-        unsigned int scramble_len,
-        char *username,
-        uint8_t *stage1_hash);
 int mysql_send_auth_error (
        DCB *dcb,
        int packet_number,