hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move SSL-code in mysql_auth.c and pam_client_session.cc to

Browse Source 
a separate function in ssl.cc

Removes some duplicate code.
This commit is contained in:
Esa Korhonen
2017-08-04 14:53:52 +03:00
parent 8ef8ee6600
commit ed05d24a9a
5 changed files with 58 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
include/maxscale/authenticator.h
View File

@ -113,7 +113,8 @@ typedef struct mxs_authenticator
#define MXS_AUTH_FAILED_SSL 3 /**< SSL authentication failed */ #define MXS_AUTH_FAILED_SSL 3 /**< SSL authentication failed */
#define MXS_AUTH_INCOMPLETE 4 /**< Authentication is not yet complete */ #define MXS_AUTH_INCOMPLETE 4 /**< Authentication is not yet complete */
#define MXS_AUTH_SSL_INCOMPLETE 5 /**< SSL connection is not yet complete */ #define MXS_AUTH_SSL_INCOMPLETE 5 /**< SSL connection is not yet complete */
#define MXS_AUTH_NO_SESSION 6 #define MXS_AUTH_SSL_COMPLETE 6 /**< SSL connection complete or not required */
#define MXS_AUTH_NO_SESSION 7
/** Return values for the loadusers entry point */ /** Return values for the loadusers entry point */
#define MXS_AUTH_LOADUSERS_OK 0 /**< Users loaded successfully */ #define MXS_AUTH_LOADUSERS_OK 0 /**< Users loaded successfully */

12
include/maxscale/ssl.h
View File

@ -76,4 +76,16 @@ bool ssl_required_by_dcb(struct dcb *dcb);
bool ssl_required_but_not_negotiated(struct dcb *dcb); bool ssl_required_but_not_negotiated(struct dcb *dcb);
const char* ssl_method_type_to_string(ssl_method_type_t method_type); const char* ssl_method_type_to_string(ssl_method_type_t method_type);
/**
* Helper function for client ssl authentication. Authenticates and checks changes
* in ssl status.
*
* @param dcb Client dcb
*
* @return MXS_AUTH_FAILED_SSL or MXS_AUTH_FAILED on error. MXS_AUTH_SSL_INCOMPLETE
* if ssl authentication is in progress and should be retried, MXS_AUTH_SSL_COMPLETE
* if ssl authentication is complete or not required.
*/
int ssl_authenticate_check_status(struct dcb *dcb);
MXS_END_DECLS MXS_END_DECLS

39
server/core/ssl.cc
View File

@ -29,10 +29,11 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <stdbool.h> #include <stdbool.h>
#include <maxscale/dcb.h>
#include <maxscale/service.h>
#include <maxscale/log_manager.h>
#include <sys/ioctl.h> #include <sys/ioctl.h>
#include <maxscale/dcb.h>
#include <maxscale/log_manager.h>
#include <maxscale/poll.h>
#include <maxscale/service.h>
/** /**
* @brief Check client's SSL capability and start SSL if appropriate. * @brief Check client's SSL capability and start SSL if appropriate.
@ -214,3 +215,35 @@ const char* ssl_method_type_to_string(ssl_method_type_t method_type)
return "Unknown"; return "Unknown";
} }
} }
int ssl_authenticate_check_status(DCB* dcb)
{
int rval = MXS_AUTH_FAILED;
/**
* We record the SSL status before and after ssl authentication. This allows
* us to detect if the SSL handshake is immediately completed, which means more
* data needs to be read from the socket.
*/
bool health_before = ssl_is_connection_healthy(dcb);
int ssl_ret = ssl_authenticate_client(dcb, dcb->authfunc.connectssl(dcb));
bool health_after = ssl_is_connection_healthy(dcb);
if (ssl_ret != 0)
{
rval = (ssl_ret == SSL_ERROR_CLIENT_NOT_SSL) ? MXS_AUTH_FAILED_SSL : MXS_AUTH_FAILED;
}
else if (!health_after)
{
rval = MXS_AUTH_SSL_INCOMPLETE;
}
else if (!health_before && health_after)
{
rval = MXS_AUTH_SSL_INCOMPLETE;
poll_add_epollin_event_to_dcb(dcb, NULL);
}
else if (health_before && health_after)
{
rval = MXS_AUTH_SSL_COMPLETE;
}
return rval;
}

38
server/modules/authenticator/MySQLAuth/mysql_auth.c
View File

@ -285,11 +285,8 @@ static bool is_localhost_address(struct sockaddr_storage *addr)
/** /**
* @brief Authenticates a MySQL user who is a client to MaxScale. * @brief Authenticates a MySQL user who is a client to MaxScale.
* *
* First call the SSL authentication function, passing the DCB and a boolean * First call the SSL authentication function. Call other functions to validate
* indicating whether the client is SSL capable. If SSL authentication is * the user, reloading the user data if the first attempt fails.
* successful, check whether connection is complete. Fail if we do not have a
* user name. Call other functions to validate the user, reloading the user
* data if the first attempt fails.
* *
* @param dcb Request handler DCB connected to the client * @param dcb Request handler DCB connected to the client
* @return Authentication status * @return Authentication status
@ -298,40 +295,15 @@ static bool is_localhost_address(struct sockaddr_storage *addr)
static int static int
mysql_auth_authenticate(DCB *dcb) mysql_auth_authenticate(DCB *dcb)
{ {
MySQLProtocol *protocol = DCB_PROTOCOL(dcb, MySQLProtocol); int auth_ret = ssl_authenticate_check_status(dcb);
MYSQL_session *client_data = (MYSQL_session *)dcb->data; MYSQL_session *client_data = (MYSQL_session *)dcb->data;
int auth_ret = MXS_AUTH_FAILED; if (auth_ret == MXS_AUTH_SSL_COMPLETE && *client_data->user)
/**
* We record the SSL status before and after the authentication. This allows
* us to detect if the SSL handshake is immediately completed which means more
* data needs to be read from the socket.
*/
bool health_before = ssl_is_connection_healthy(dcb);
int ssl_ret = ssl_authenticate_client(dcb, dcb->authfunc.connectssl(dcb));
bool health_after = ssl_is_connection_healthy(dcb);
if (0 != ssl_ret)
{
auth_ret = (SSL_ERROR_CLIENT_NOT_SSL == ssl_ret) ? MXS_AUTH_FAILED_SSL : MXS_AUTH_FAILED;
}
else if (!health_after)
{
auth_ret = MXS_AUTH_SSL_INCOMPLETE;
}
else if (!health_before && health_after)
{
auth_ret = MXS_AUTH_SSL_INCOMPLETE;
poll_add_epollin_event_to_dcb(dcb, NULL);
}
else if (*client_data->user)
{ {
MXS_DEBUG("Receiving connection from '%s' to database '%s'.", MXS_DEBUG("Receiving connection from '%s' to database '%s'.",
client_data->user, client_data->db); client_data->user, client_data->db);
MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance; MYSQL_AUTH *instance = (MYSQL_AUTH*)dcb->listener->auth_instance;
MySQLProtocol *protocol = DCB_PROTOCOL(dcb, MySQLProtocol);
auth_ret = validate_mysql_user(instance->handle, dcb, client_data, auth_ret = validate_mysql_user(instance->handle, dcb, client_data,
protocol->scramble, sizeof(protocol->scramble)); protocol->scramble, sizeof(protocol->scramble));

28
server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
View File

@ -305,33 +305,11 @@ Buffer PamClientSession::create_auth_change_packet() const
int PamClientSession::authenticate(DCB* dcb) int PamClientSession::authenticate(DCB* dcb)
{ {
int rval = MXS_AUTH_FAILED; int rval = ssl_authenticate_check_status(dcb);
MYSQL_session *ses = static_cast<MYSQL_session*>(dcb->data); MYSQL_session *ses = static_cast<MYSQL_session*>(dcb->data);
/** if (rval == MXS_AUTH_SSL_COMPLETE && *ses->user)
* We record the SSL status before and after SSL-authentication. This allows
* us to detect if the SSL handshake is immediately completed which means more
* data needs to be read from the socket.
*/
bool health_before = ssl_is_connection_healthy(dcb);
int ssl_ret = ssl_authenticate_client(dcb, dcb->authfunc.connectssl(dcb));
bool health_after = ssl_is_connection_healthy(dcb);
if (0 != ssl_ret)
{ {
rval = (SSL_ERROR_CLIENT_NOT_SSL == ssl_ret) ? MXS_AUTH_FAILED_SSL : MXS_AUTH_FAILED; rval = MXS_AUTH_FAILED;
}
else if (!health_after)
{
rval = MXS_AUTH_SSL_INCOMPLETE;
}
else if (!health_before && health_after)
{
rval = MXS_AUTH_SSL_INCOMPLETE;
poll_add_epollin_event_to_dcb(dcb, NULL);
}
else if (*ses->user)
{
// SSL-connection has been established (or was not required)
if (m_state == PAM_AUTH_INIT) if (m_state == PAM_AUTH_INIT)
{ {
/** We need to send the authentication switch packet to change the /** We need to send the authentication switch packet to change the