From 58a5d44e67b3f911d3a4affa1b21339e2c39a154 Mon Sep 17 00:00:00 2001
From: obdev
Date: Wed, 7 Feb 2024 21:31:12 +0000
Subject: [PATCH] when rpc_server_authentication_method has none, server does notverify client identity
---
 deps/ussl-hook/loop/handle-event.c | 4 +++-
 deps/ussl-hook/ssl/ssl_config.c | 6 +++++-
 deps/ussl-hook/ssl/ssl_config.h | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/deps/ussl-hook/loop/handle-event.c b/deps/ussl-hook/loop/handle-event.c
index 78de9e21d..fc7a7359b 100644
--- a/deps/ussl-hook/loop/handle-event.c
+++ b/deps/ussl-hook/loop/handle-event.c
@@ -444,7 +444,9 @@ static int acceptfd_handle_first_readable_event(acceptfd_sk_t *s)
 } else {
 negotiation_message_t nego_message_ack;
 nego_message_ack.type = nego_message->type;
- if (0 != fd_enable_ssl_for_server(s->fd, ssl_config_ctx_id, nego_message->type)) {
+ int has_method_none = test_server_auth_methods(USSL_AUTH_NONE);
+ if (0 != fd_enable_ssl_for_server(s->fd, ssl_config_ctx_id, nego_message->type,
+ has_method_none)) {
 err = EUCLEAN;
 s->has_error = 1;
 ussl_log_error("fd_enable_ssl_for_server failed, fd:%d", s->fd);
diff --git a/deps/ussl-hook/ssl/ssl_config.c b/deps/ussl-hook/ssl/ssl_config.c
index 64a3c60b7..ad9738c46 100644
--- a/deps/ussl-hook/ssl/ssl_config.c
+++ b/deps/ussl-hook/ssl/ssl_config.c
@@ -554,7 +554,7 @@ int ssl_load_config(int ctx_id, const ssl_config_item_t *ssl_config)
 return ret;
 }
 
-int fd_enable_ssl_for_server(int fd, int ctx_id, int type)
+int fd_enable_ssl_for_server(int fd, int ctx_id, int type, int has_method_none)
 {
 int ret = 0;
 SSL_CTX *ctx = NULL;
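Review bot: The new `has_method_none` flag in acceptfd_handle_first_readable_event is derived only from the server's configured method set (`test_server_auth_methods(USSL_AUTH_NONE)`), not from the method this peer actually negotiated, even though `nego_message->type` is passed on the same call. If `test_server_auth_methods` is a set-membership test, as its name suggests (its body is not in the diff), then listing "none" next to a certificate-based method turns off client verification for every accepted connection, including peers that negotiated the certificate method, which is a silent downgrade for a mixed configuration. If `nego_message->type` carries the negotiated auth method, tying the flag to it would limit the bypass to connections that asked for it: `int has_method_none = test_server_auth_methods(USSL_AUTH_NONE) && nego_message->type == USSL_AUTH_NONE;` (confirm the two values share an enum before adopting this). The enclosing function begins and ends outside the hunk.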
@@ -575,6 +575,10 @@ int fd_enable_ssl_for_server(int fd, int ctx_id, int type)
 ret = EINVAL;
 ussl_log_warn("SSL_set_fd failed, ret:%d, fd:%d, ctx_id:%d", ret, fd, ctx_id);
 } else {
+ //if server has auth method none, server does not verify client identity
+ if (has_method_none) {
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
+ }
 SSL_set_accept_state(ssl);
 ATOMIC_STORE(&(gs_fd_ssl_array[fd].ssl), ssl);
 ATOMIC_STORE(&(gs_fd_ssl_array[fd].type), type);
diff --git a/deps/ussl-hook/ssl/ssl_config.h b/deps/ussl-hook/ssl/ssl_config.h
index 2723f34ee..a008d35cf 100644
--- a/deps/ussl-hook/ssl/ssl_config.h
+++ b/deps/ussl-hook/ssl/ssl_config.h
@@ -21,7 +21,7 @@ enum SSL_ROLE {
 };
 
 int ssl_load_config(int ctx_id, const ssl_config_item_t *ssl_config);
-int fd_enable_ssl_for_server(int fd, int ctx_id, int type);
+int fd_enable_ssl_for_server(int fd, int ctx_id, int type, int has_method_none);
 int fd_enable_ssl_for_client(int fd, int ctx_id, int type);
 void fd_disable_ssl(int fd);
 int ssl_do_handshake(int fd);
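Review bot: `SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL)` on the server-side SSL object replaces, for this connection, whatever verify mode the SSL_CTX was loaded with, so the server sends no CertificateRequest and accepts any peer that completes the handshake; the one-line comment does not say that the context's policy is being overridden, and nothing is logged when it happens. I would make the comment explicit, e.g. `/* auth method "none" is configured: override the ctx verify mode so no client certificate is requested or checked; the peer on this fd is unauthenticated */`, and emit a log line inside the branch so an operator can see unauthenticated TLS peers, e.g. `ussl_log_warn("client certificate verification disabled, fd:%d, ctx_id:%d", fd, ctx_id);` (use a lower level if the library has one, since this fires per connection). Minor style: the file's other comments appear to use a space after `//`. fd_enable_ssl_for_server begins and ends outside this hunk.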