List:Commits« Previous MessageNext Message »
From:Tatjana A Nuernberg Date:August 22 2006 2:30pm
Subject:bk commit into 5.0 tree (tnurnberg:1.2250) BUG#20411
View as plain text  
Below is the list of changes that have just been committed into a local
5.0 repository of tnurnberg. When tnurnberg does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-08-22 14:29:48+02:00, tnurnberg@stripped +3 -0
  Bug#20411: "GRANT ... REQUIRE ISSUER nnn AND SUBJECT mmm" fails to require both
  
  when X.509 subject was required for a connect, we tested whether it was the right
  one, but did not refuse the connexion if not. fixed.
  
  (corrected CS now --replace_results socket-path)

  mysql-test/r/openssl_1.result@stripped, 2006-08-22 14:29:44+02:00,
tnurnberg@stripped +6 -3
    Bug#20411: "GRANT ... REQUIRE ISSUER nnn AND SUBJECT mmm" fails to require both
    
    test not only whether we can connect with a correct X.509 subject when one is
    required, but also assure that we can't without one.

  mysql-test/t/openssl_1.test@stripped, 2006-08-22 14:29:44+02:00,
tnurnberg@stripped +7 -3
    Bug#20411: "GRANT ... REQUIRE ISSUER nnn AND SUBJECT mmm" fails to require both
    
    test not only whether we can connect with a correct X.509 subject when one is
    required, but also assure that we can't without one.

  sql/sql_acl.cc@stripped, 2006-08-22 14:29:44+02:00, tnurnberg@stripped
+6 -3
    Bug#20411: "GRANT ... REQUIRE ISSUER nnn AND SUBJECT mmm" fails to require both
    
    actually refuse connexion if X.509 is required, but does not match. kudos to Al Smith.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	tnurnberg
# Host:	salvation.intern.azundris.com
# Root:	/home/tnurnberg/work/mysql-5.0-maint-20411

--- 1.200/sql/sql_acl.cc	2006-08-22 14:30:03 +02:00
+++ 1.201/sql/sql_acl.cc	2006-08-22 14:30:03 +02:00
@@ -874,6 +874,7 @@ int acl_getroot(THD *thd, USER_RESOURCES
             sql_print_information("X509 issuer mismatch: should be '%s' "
 			      "but is '%s'", acl_user->x509_issuer, ptr);
           free(ptr);
+          user_access=NO_ACCESS;
           break;
         }
         user_access= acl_user->access;
@@ -889,11 +890,13 @@ int acl_getroot(THD *thd, USER_RESOURCES
         if (strcmp(acl_user->x509_subject,ptr))
         {
           if (global_system_variables.log_warnings)
-            sql_print_information("X509 subject mismatch: '%s' vs '%s'",
+            sql_print_information("X509 subject mismatch: should be '%s' but is '%s'",
                             acl_user->x509_subject, ptr);
+          free(ptr);
+          user_access=NO_ACCESS;
+          break;
         }
-        else
-          user_access= acl_user->access;
+        user_access= acl_user->access;
         free(ptr);
       }
       break;

--- 1.14/mysql-test/r/openssl_1.result	2006-08-22 14:30:03 +02:00
+++ 1.15/mysql-test/r/openssl_1.result	2006-08-22 14:30:03 +02:00
@@ -3,9 +3,12 @@ create table t1(f1 int);
 insert into t1 values (5);
 grant select on test.* to ssl_user1@localhost require SSL;
 grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL
Client/emailAddress=abstract.mysql.developer@stripped";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL
Client/emailAddress=abstract.mysql.developer@stripped" ISSUER "/C=SE/L=Uppsala/O=MySQL
AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@stripped";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER
"/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "xxx";
 flush privileges;
+connect(localhost,ssl_user5,,test,MASTER_PORT,MASTER_SOCKET);
+ERROR 28000: Access denied for user 'ssl_user5'@'localhost' (using password: NO)
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
 Ssl_cipher	DHE-RSA-AES256-SHA
@@ -39,7 +42,7 @@ f1
 delete from t1;
 ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1'
 drop user ssl_user1@localhost, ssl_user2@localhost,
-ssl_user3@localhost, ssl_user4@localhost;
+ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
 drop table t1;
 mysqltest: Could not open connection 'default': 2026 SSL connection error
 mysqltest: Could not open connection 'default': 2026 SSL connection error

--- 1.15/mysql-test/t/openssl_1.test	2006-08-22 14:30:03 +02:00
+++ 1.16/mysql-test/t/openssl_1.test	2006-08-22 14:30:03 +02:00
@@ -10,14 +10,18 @@ insert into t1 values (5);
 
 grant select on test.* to ssl_user1@localhost require SSL;
 grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA";
-grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL
Client/emailAddress=abstract.mysql.developer@stripped";
-grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL
Client/emailAddress=abstract.mysql.developer@stripped" ISSUER "/C=SE/L=Uppsala/O=MySQL
AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@stripped";
+grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB" ISSUER
"/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB";
+grant select on test.* to ssl_user5@localhost require cipher "DHE-RSA-AES256-SHA" AND
SUBJECT "xxx";
 flush privileges;
 
 connect (con1,localhost,ssl_user1,,,,,SSL);
 connect (con2,localhost,ssl_user2,,,,,SSL);
 connect (con3,localhost,ssl_user3,,,,,SSL);
 connect (con4,localhost,ssl_user4,,,,,SSL);
+--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
+--error 1045
+connect (con5,localhost,ssl_user5,,,,,SSL);
 
 connection con1;
 # Check ssl turned on
@@ -49,7 +53,7 @@ delete from t1;
 
 connection default;
 drop user ssl_user1@localhost, ssl_user2@localhost,
-ssl_user3@localhost, ssl_user4@localhost;
+ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
 
 drop table t1;
Thread
bk commit into 5.0 tree (tnurnberg:1.2250) BUG#20411Tatjana A Nuernberg22 Aug