[MDEV-30178] Explicit errors on required secured transport #2581
Conversation
nice to see this bug being addressed. Thank you.
note the other test failures in BB (perfschema.hostcache_ipv6_ssl perfschema.hostcache_ipv4_ssl), check if they are returning the right error code and adjust accordingly.
@vuvova as the error code is the same can this be a 10.5 fix? or did you want the MySQL error code 3159? Did you want to do a final review?
thanks
Thank you for your review! I see that buildbot is failing at 2 places, is that "expected"? When checking, it does not seem to be due to my changes
Yes. Both seem unrelated to your change and have occurred before.
I'm not sure this is a good approach in general. I'd think a user-independent check for opt_require_secure_transport should be done rather early, almost immediately after the connection is established. And it'll fail with ER_ACCESS_SSL_REQUIRED. It's not part of the authentication, it checks whether the connection itself can be allowed to exist.
While acl_check_ssl() checks user specific SSL requirements, is done after the password is verified and returns ER_ACCESS_DENIED, as it's part of the authentication.
Also, as it's the error message that MySQL has, can it have the same text and the same error number as in MySQL? For compatibility reasons.
sql/share/errmsg-utf8.txt
Outdated
@@ -10780,3 +10780,5 @@ ER_CM_OPTION_MISSING_REQUIREMENT | |||
eng "CHANGE MASTER TO option '%s=%s' is missing requirement %s" | |||
ER_SLAVE_STATEMENT_TIMEOUT 70100 | |||
eng "Slave log event execution was interrupted (slave_max_statement_time exceeded)" | |||
ER_ACCESS_SSL_REQUIRED 28000 |
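Review bot: the name ER_ACCESS_SSL_REQUIRED reads like a per-account REQUIRE SSL failure rather than the server-wide --require_secure_transport rejection this entry is for, and the SQLSTATE 28000 on the same line is the invalid-authorization class; a rejection of the connection itself fits class 08 (SQL-server rejected establishment of SQL-connection), so consider `ER_SECURE_TRANSPORT_REQUIRED 08004` with a message that names the option. The hunk header says two lines are added but only the symbol line is visible here, so the `eng "..."` message text should be checked in the full diff.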
SQLSTATE 08004 is more appropriate here.
28000 is invalid authorization specification like ER_ACCESS_DENIED_ERROR
08004 is SQL-server rejected establishment SQL-connection like ER_NOT_SUPPORTED_AUTH_MODE
Thank you for your review @vuvova. I understand that we should follow errors from MySQL, here is the original error
This is a bit different from what is proposed in this CR, the error would only concern this small part
Other errors due to user specific SSL requirements will still return ER_ACCESS_DENIED. We can move this part to check it earlier in the function, before the check of the password?
Here are the changes I added:
ac813a5 to 3bc8def
For some reason, amd64-ubuntu-2204-msan is failing on tests unrelated to my changes...
I'm not sure why these come up
@vuvova the CI is green, feel free to review at any time
The only CI failing is due to a test losing connection, I see that all PRs have the same issue, with a different test
@LinuxJedi, @vuvova, could you please take another look at this? (And perhaps re-start the
Agreed, this is likely unrelated. I'll look into it.
A few more style issues to fixup. Looking good though :)
6b56768 to 669fc7c
I fixed the minor issues (and apparently the CI is working now)
sql/share/errmsg-utf8.txt
Outdated
@@ -10780,3 +10780,5 @@ ER_CM_OPTION_MISSING_REQUIREMENT | |||
eng "CHANGE MASTER TO option '%s=%s' is missing requirement %s" | |||
ER_SLAVE_STATEMENT_TIMEOUT 70100 | |||
eng "Slave log event execution was interrupted (slave_max_statement_time exceeded)" | |||
ER_SECURE_TRANSPORT_REQUIRED 08004 |
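Review bot: appending ER_SECURE_TRANSPORT_REQUIRED after ER_SLAVE_STATEMENT_TIMEOUT at the end of the file gives it the next sequential MariaDB number, not MySQL's 3159, because the number follows from the entry's position; if the number is meant to match MySQL so that clients keying on it behave the same, the entry has to land at 3159 in the 3000-3999 range, with the positions in between filled. The SQLSTATE 08004 on this line is the right class for a connection-level rejection.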
let's try to have it the same number as in MySQL, if possible
switched to 3159 as it is the error number on MySQL
How did you do it? I don't see how it was done :(
Isn't it defined only through sql/share/errmsg-utf8.txt? If so, I modified the error number to match the new number
sql/sql_connect.cc
Outdated
(type != VIO_TYPE_NAMEDPIPE); | ||
#else | ||
(type != VIO_TYPE_SOCKET); | ||
#endif |
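Review bot: the `#else` makes the named-pipe and Unix-socket checks mutually exclusive per build, so whichever branch is compiled out is never evaluated on that platform; since the VIO_TYPE_* enumerators are defined unconditionally, the whole expression can be `(type != VIO_TYPE_SSL) && (type != VIO_TYPE_NAMEDPIPE) && (type != VIO_TYPE_SOCKET)` with no preprocessor branches, which is also easier to review for the transport-policy bypass case.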
do you need all these #ifdefs? they make the code difficult to read. Values are defined unconditionally, so it seems that you can remove ifdefs and the code will still compile fine.
Those #ifdefs predate this PR, as you can see from the diff of sql_acl.cc above. @Chupsy has simplified them considerably here.
Values are defined unconditionally, …
Right. https://github.com/MariaDB/server/blob/HEAD/include/violite.h#L38-L45
… so it seems that you can remove ifdefs and the code will still compile fine.
There are a fairly enormous number of other places in the code which are wrapped in unnecessary #ifdef HAVE_OPENSSL, in that case 😅
I am not totally certain on how #ifdefs work so I just optimized them with @dlenski, not sure what would happen if we removed them. Tell me if you want me to remove them completely from the code
Based on what @vuvova said and what I see in the code, it seems like you could simply change this section as follows…
return
(type != VIO_TYPE_SSL) &&
(type != VIO_TYPE_NAMEDPIPE) &&
(type != VIO_TYPE_SOCKET);
… and it should still compile and work correctly on all platforms, even if MariaDB is (somehow) built without TLS support, and even though named pipes are only used on Windows builds, and Unix sockets are only used on POSIX builds.
c9581e1 to 98e97d4
b04861c to afc3bea
sql/sql_connect.cc
Outdated
(type != VIO_TYPE_NAMEDPIPE); | ||
(type != VIO_TYPE_SOCKET); |
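Review bot: the `;` after `(type != VIO_TYPE_NAMEDPIPE)` terminates the return statement, so `(type != VIO_TYPE_SOCKET);` is an expression statement whose value is discarded and the Unix-socket case is never part of the result; a socket client would then be classified like plain TCP when the transport policy is enforced. Replace the `;` with `&&` so the three comparisons form one expression; the discarded value is the kind of thing a compiler warning should flag, so the build logs are worth checking.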
@Chupsy, these should be separated by ; rather than && … probably should be caught by a compiler warning.
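Worked example, added here and not code from the PR or from MariaDB, of two points raised in this thread: the admission order vuvova argues for earlier (the server-wide transport policy is decided before any credential is examined, while the per-account SSL requirement stays after password verification and reports a generic access-denied), and the effect of the stray `;` in the hunk above. The enum values, the `struct login` and the `admit()` function are constructed stand-ins; the only numbers taken from the page are ER_SECURE_TRANSPORT_REQUIRED = 3159, and ER_ACCESS_DENIED_ERROR uses its well-known value 1045.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the transport types in include/violite.h; the
 * numeric values are made up and only the names follow the thread. */
enum vio_type { VIO_TYPE_TCPIP = 1, VIO_TYPE_SOCKET, VIO_TYPE_NAMEDPIPE, VIO_TYPE_SSL };

/* 3159 is the MySQL number discussed in the PR; 1045 is ER_ACCESS_DENIED_ERROR. */
enum { OK = 0, ER_SECURE_TRANSPORT_REQUIRED = 3159, ER_ACCESS_DENIED_ERROR = 1045 };

/* Only plain TCP counts as insecure: TLS is encrypted, named pipes and Unix
 * domain sockets are host-local. This is the single-expression form proposed
 * in the review, with no #ifdef branches. */
static bool is_insecure_transport(enum vio_type type) {
    return (type != VIO_TYPE_SSL) &&
           (type != VIO_TYPE_NAMEDPIPE) &&
           (type != VIO_TYPE_SOCKET);
}

/* The defective form from the hunk: the ';' ends the return statement, so the
 * socket comparison is a dead expression statement. Kept only to show what a
 * Unix-socket client would see. */
static bool is_insecure_transport_buggy(enum vio_type type) {
    bool r = (type != VIO_TYPE_SSL) &&
             (type != VIO_TYPE_NAMEDPIPE);
    (void)(type != VIO_TYPE_SOCKET);   /* value discarded, as in the hunk */
    return r;
}

/* Constructed summary of what the server knows about a connecting client. */
struct login {
    enum vio_type type;
    bool password_ok;           /* result of credential verification */
    bool account_requires_ssl;  /* per-account REQUIRE SSL, checked by acl_check_ssl() */
};

/* Admission order from the review: transport policy first, before
 * authentication, so a rejected client learns nothing about the account;
 * then the password; then the account's own SSL requirement, which is part
 * of authentication and therefore reports access denied. */
static int admit(const struct login *l, bool require_secure_transport,
                 bool (*insecure)(enum vio_type)) {
    if (require_secure_transport && insecure(l->type))
        return ER_SECURE_TRANSPORT_REQUIRED;
    if (!l->password_ok)
        return ER_ACCESS_DENIED_ERROR;
    if (l->account_requires_ssl && l->type != VIO_TYPE_SSL)
        return ER_ACCESS_DENIED_ERROR;
    return OK;
}

int main(void) {
    struct login tcp  = { VIO_TYPE_TCPIP,  true, false };
    struct login sock = { VIO_TYPE_SOCKET, true, false };
    printf("plain TCP, policy on, fixed check:   %d\n", admit(&tcp,  true, is_insecure_transport));
    printf("unix socket, policy on, fixed check: %d\n", admit(&sock, true, is_insecure_transport));
    printf("unix socket, policy on, buggy check: %d\n", admit(&sock, true, is_insecure_transport_buggy));
    return 0;
}
```

With the fixed predicate a local socket client is admitted under --require_secure_transport=ON (it is not network-exposed), while the buggy predicate rejects it with 3159 exactly as it would reject plain TCP; that regression is what the stray `;` causes.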
sql/share/errmsg-utf8.txt
Outdated
@@ -10780,3 +10780,5 @@ ER_CM_OPTION_MISSING_REQUIREMENT | |||
eng "CHANGE MASTER TO option '%s=%s' is missing requirement %s" | |||
ER_SLAVE_STATEMENT_TIMEOUT 70100 | |||
eng "Slave log event execution was interrupted (slave_max_statement_time exceeded)" | |||
ER_SECURE_TRANSPORT_REQUIRED 3159 |
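Review bot: the field after the symbol on this line is the SQLSTATE, not the error number, so `ER_SECURE_TRANSPORT_REQUIRED 3159` sets an invalid four-character SQLSTATE and leaves the number unchanged (the number is derived from the entry's position, as include/mysqld_error.h is generated sequentially). Keep `08004` here and control the number by where the entry sits in the 3000-3999 range.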
eh, no. you didn't change the error number, you've made sqlstate to be 3159, which isn't even a valid sqlstate value.
you can see error numbers in the include/mysqld_error.h file, they're generated, error messages are simply numbered sequentially.
you can see that the last MySQL error in errmsg-utf8.txt is currently ER_ALTER_OPERATION_NOT_SUPPORTED_REASON_GIS, number 3060. So if you want to add a new one with the number 3159, you need to add ~100 new error messages. Like this
eng "Do not support online operation on table with GIS index"
spa "No soporta operación en línea en tabla con índice GIS"
+
+ER_MYSQL_3061
+ eng ""
+ER_MYSQL_3062
+ eng ""
... and so on ...
+ER_MYSQL_3157
+ eng ""
+ER_MYSQL_3158
+ eng ""
+
+ER_SECURE_TRANSPORT_REQUIRED 08004
+ eng "Connections using insecure transport are prohibited while --requi>
+
let's try to have it the same number as in MySQL, if possible
I completely understand the goal here, but how is this going to be possible in the long run, without some explicit coordination?
If the wire protocol associates error codes with specific meanings purely based on their numeric codes, which are sequentially increasing numbers assigned by two diverging codebases (MySQL and MariaDB), then there's inevitably going to be a point where MySQL and MariaDB assign different meanings to the same code, right?
(Maybe it has happened already 🤷♂️)
So if you want to add a new one with the number 3159, you need to add ~100 new error messages.
Couldn't we simply skip to a new position using start-error-number, as done at several other points in the file? E.g.
ER_ALTER_OPERATION_NOT_SUPPORTED_REASON_GIS
chi "不要支持使用GIS索引的表中的在线操作"
eng "Do not support online operation on table with GIS index"
spa "No soporta operación en línea en tabla con índice GIS"
+
+ start-error-number 3159
+ ER_SECURE_TRANSPORT_REQUIRED 08004
+ eng "Connections using insecure transport are prohibited while --require_secure_transport=ON."
- Ranges are different. 1000-1999 is the historical range for MySQL/MariaDB common errors, 2000-2999 is for client-side errors from Connector/C, 3000-3999 is the new MySQL error range, 4000-4999 is the new MariaDB error range.
- no we cannot, I even tried that before writing a previous comment. it is assumed that ranges are all 1000 messages wide, see how ER() macro is defined:
#define ERRORS_PER_RANGE 1000
#define ER_THD(thd,X) ((thd)->variables.errmsgs[((X)-ER_ERROR_FIRST) / ERRORS_PER_RANGE][(X) % ERRORS_PER_RANGE])
#define ER(X) ER_THD(current_thd, (X))
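Worked example, added here and not MariaDB's own loader code, of the arithmetic in the ER_THD() macro quoted above and of why the entry numbered 3159 cannot simply be declared: the number is the entry's position, so everything between the last existing MySQL entry (3060 per the review) and 3159 has to be filled. ERRORS_PER_RANGE and ER_ERROR_FIRST are the real names from the page; the in-memory table, `er_lookup()`, `er_set()`, `er_fill()` and the rest are constructed for this illustration and do not reproduce how comp_err actually reads errmsg-utf8.txt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERRORS_PER_RANGE 1000
#define ER_ERROR_FIRST   1000
#define NUM_RANGES       4   /* 1000-1999, 2000-2999, 3000-3999, 4000-4999, as listed in the review */

/* Constructed stand-in for thd->variables.errmsgs, one language only. */
static const char *errmsgs[NUM_RANGES][ERRORS_PER_RANGE];

/* The two indices the ER_THD() macro computes for error number X. */
static int er_range(int x) { return (x - ER_ERROR_FIRST) / ERRORS_PER_RANGE; }
static int er_slot(int x)  { return x % ERRORS_PER_RANGE; }

static int er_in_table(int x) {
    return x >= ER_ERROR_FIRST && x < ER_ERROR_FIRST + NUM_RANGES * ERRORS_PER_RANGE;
}

/* errmsgs[(X - ER_ERROR_FIRST) / ERRORS_PER_RANGE][X % ERRORS_PER_RANGE],
 * i.e. the macro's lookup, with a bounds check added. NULL means "no entry". */
static const char *er_lookup(int x) {
    return er_in_table(x) ? errmsgs[er_range(x)][er_slot(x)] : NULL;
}

/* Store a message under number x; returns x, or -1 if x is outside the table. */
static int er_set(int x, const char *msg) {
    if (!er_in_table(x)) return -1;
    errmsgs[er_range(x)][er_slot(x)] = msg;
    return x;
}

static void er_clear(void) { memset(errmsgs, 0, sizeof errmsgs); }

/* Numbers come from position: the i-th entry after `first` becomes first + i.
 * Returns the number given to the last entry appended. */
static int er_append(int first, const char *const *msgs, int count) {
    int last = -1;
    for (int i = 0; i < count; i++)
        last = er_set(first + i, msgs[i]);
    return last;
}

/* How many placeholder entries must sit between the last existing number and
 * the wanted one so that the wanted entry lands on its number by position. */
static int fillers_needed(int last_existing, int wanted) {
    if (wanted <= last_existing) return -1;
    return wanted - last_existing - 1;
}

/* Write the placeholders, like the ER_MYSQL_30xx / eng "" entries suggested
 * in the review; returns how many were written. */
static int er_fill(int last_existing, int wanted) {
    int n = fillers_needed(last_existing, wanted);
    for (int i = 1; i <= n; i++)
        er_set(last_existing + i, "");
    return n;
}

int main(void) {
    er_clear();
    er_set(3060, "Do not support online operation on table with GIS index");  /* last MySQL entry */
    printf("3159 -> range %d, slot %d\n", er_range(3159), er_slot(3159));
    printf("fillers needed after 3060: %d\n", fillers_needed(3060, 3159));
    printf("3159 before filling: %s\n", er_lookup(3159) ? er_lookup(3159) : "(no entry)");
    er_fill(3060, 3159);
    er_set(3159, "Connections using insecure transport are prohibited while --require_secure_transport=ON.");
    printf("3159 after filling:  %s\n", er_lookup(3159));
    return 0;
}
```

The lookup for 3159 resolves to range 2, slot 159, which is why the review counts roughly a hundred placeholder entries: the message has to be the 160th entry of the 3000 range rather than the next entry after 3060.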
I fixed the error number and the error that @dlenski found, should be good to go now :)
Looks good to me, thanks @Chupsy !
Thanks @vuvova !
Can you please rebase against 11.2? Then I think we are good :)
The error message for user connections using insecure transport when secured transport is required is very uninformative and doesn't mention the requirement of secure transport at all. To make the error message more relevant, introduce a new error 'ER_SECURE_TRANSPORT_REQUIRED', copy of MySQL error message with the error code 08004 (SQL-server rejected establishment SQL-connection). Move the code of 'require_secure_transport' to be executed before authentication verification, as it's not part of authentication but rather verifying if connection should be allowed in the first place. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
Description
The error message for user connections using insecure transport when connection requires a secured transport.
To make the error message more relevant, introduce a new error 'ER_SECURE_TRANSPORT_REQUIRED', copy of MySQL error message with the error code 08004 (SQL-server rejected establishment SQL-connection).
Also move the code of 'require_secure_transport' to be executed before
authentication verification, as it's not part of authentication but
rather verifying if connection should be allowed in the first place.
How can this PR be tested?
Modified the existing test for require_secure_transport to expect the new error.
Basing the PR against the correct MariaDB version
Backward compatibility
This PR adds a new error message; this should be fully backward compatible.
PR quality check
Copyright
All new code of the whole pull request, including one or several files that
are either new files or modified ones, are contributed under the BSD-new license.
I am contributing on behalf of my employer Amazon Web Services, Inc.