Changes to SSL configurations is expected to be rare which allows them to
be made into immutable objects once created. This is an acceptable
compromise between performance and usability.
The header depended on ssl.hh to include the OpenSSL headers even though
it used OpenSSL types. By fixing these dependencies the ssl.h header can
now freely include the rworker_local type which removes the need for the
hidden implementation of SSLProvider.
The class is intended to be inherited by objects that need an SSL context
and a configuration. In practice this will be servers and listeners.
The SSLContext is stored in a rworker_local shared_ptr that makes it
possible to update safely. As the copying is always done behind a lock the
cached local value always holds a valid SSLContext instance for the
duration of all function calls.
Using the pImpl idiom, the routingworker.hh header is not exposed in the
ssl.hh header. This allows the SSLProvider class to be inherited more
easily.
Backend should use empty() instead of length() to see if the buffer is
empty. The length of a buffer should always be valid to call, even on
empty buffers.
Changed getter function return values to std::string, converted
MXS_CONFIG_PARAMETER::set_from_list to take std::strings instead of const
char pointers.
All GWBUF macros that address a single link in a chain are now
simple wrappers for equivalent gwbuf_link-functions.
Next step is to drop the macros and replace their use with calls
to the functions.
A GWBUF given to any gwbuf-function:
- Must not be NULL. Exceptions are gwbuf_free() and gwbuf_append(),
in analogy with free() and realloc() respectively.
- Must be the head of a chain.
- Must be owned by the calling thread.
Formatted with nl_func_type_name and related options set to ignore. This
keeps the formatting intact for long return types in declarations and
definitions.
The Listener::create method now takes a set of configuration parameters
from which it constructs a listener. This removes the duplicated code and
makes the behavior of listener creation similar to other objects in
MaxScale. It also allows the configuration parameters to be stored in the
listener object itself.
This makes iterating over packets in buffers faster while still
maintaining the requirements for forward iterators. Not using operator+=
makes it clear that this is not a random access iterator.
The functions that searched for listeners compared both sockets and
addresses in the same function. This made its use error prone and caused
false positives in some cases.
Before this change, if the firewall was configured to block the use
of certain columns, it could be be bypassed simply by
> set @@sql_mode='ANSI_QUOTES';
> select "ssn" from person;
The reason is that as the query classifier is not aware of whether
'ANSI_QUOTES' is on or not, it will not know that what above appears
to be the string "ssn", actually is the field name `ssn`. Consequently,
the select will not be blocked and the result returned in cleartext.
It's now possible to instruct the query classifier to report all strings
as fields, which will prevent the above. However, it will also mean that
there may be false positives.
Before this change, the masking could be bypassed simply by
> set @@sql_mode='ANSI_QUOTES';
> select concat("ssn") from person;
The reason is that as the query classifier is not aware of whether
'ANSI_QUOTES' is on or not, it will not know that what above appears
to be the string "ssn", actually is the field name `ssn`. Consequently,
the select will not be blocked and the result returned in cleartext.
It's now possible to instruct the query classifier to report all string
arguments of functions as fields, which will prevent the above. However,
it will also mean that there may be false positives.
If a connection attempt is not accepted due to the host being blocked, the
protocol can now return an error message that is sent to the client. Only
mariadb_client implements this as it is the only one who calls the auth
failure methods in the first place.
The RateLimit class stores authentication failure data mapped by the
client IP addresses. The authentication failures are limited
per thread. The limits are still hard-coded and at least the number of
failures should be made configurable.
The simplest, most maintainable and acceptably efficient implementation
for DDoS protection is a thread-local unordered_map. The unwanted
side-effect of "scaling" of the number of allowed authentication failures
is unlikely to be problematic in most use-cases.
As the blocking of a host is only temporary, the behavior differs from the
one in the MariaDB server. This allows the number of failures to be set to
a much lower value negating some of the problems caused by the relatively
simple implementation.
