From dd5047d9f57561a5a392f72149c66d1928f132fc Mon Sep 17 00:00:00 2001 From: Teodor Moroz Date: Wed, 13 Jan 2021 12:47:40 +0200 Subject: [PATCH 1/6] Add ability to customize ssl mode settings #474(Added specific handling for MariaDB lib) --- MySQLdb/_mysql.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/MySQLdb/_mysql.c b/MySQLdb/_mysql.c index 27880ca2..c84df24c 100644 --- a/MySQLdb/_mysql.c +++ b/MySQLdb/_mysql.c @@ -474,8 +474,10 @@ _mysql_ConnectionObject_Initialize( return -1; } #else + #ifndef MARIADB_BASE_VERSION PyErr_SetString(_mysql_NotSupportedError, "MySQL client library does not support ssl_mode specification"); return -1; + #endif #endif } @@ -486,6 +488,21 @@ _mysql_ConnectionObject_Initialize( } Py_BEGIN_ALLOW_THREADS ; self->open = 1; + + #ifdef MARIADB_BASE_VERSION + if (ssl_mode) { + if (strcmp(ssl_mode, "PREFERRED") != 0) + { + int enforce_tls= 0; + if (strcmp(ssl_mode, "REQUIRED") == 0) + enforce_tls = 1; + #ifdef MYSQL_OPT_SSL_ENFORCE + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls); + #endif + } + } + #endif if (connect_timeout) { unsigned int timeout = connect_timeout; mysql_options(&(self->connection), MYSQL_OPT_CONNECT_TIMEOUT, @@ -522,7 +539,12 @@ _mysql_ConnectionObject_Initialize( } #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE if (ssl_mode) { - int ssl_mode_num = _get_ssl_mode_num(ssl_mode); + char *corrected_ssl_mode = NULL; + if (strcmp(ssl_mode, "REQUIRED") == 0 || strcmp(ssl_mode, "VERIFY_CA")) + corrected_ssl_mode = "VERIFY_IDENTITY"; + else + corrected_ssl_mode = ssl_mode; + int ssl_mode_num = _get_ssl_mode_num(corrected_ssl_mode); mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num); } #endif From d497312248a390106305605ff99f309407c7b167 Mon Sep 17 00:00:00 2001 
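Review bot: With the added `#ifndef MARIADB_BASE_VERSION` guard, a MariaDB build falls through this `#else` branch without checking `ssl_mode` at all, so a misspelled value is accepted here and handled by the next hunk as a non-REQUIRED mode (`enforce_tls` stays 0). A transport-security setting should fail closed: an unrecognised string should be rejected before `mysql_init` on every client library, not only where `HAVE_ENUM_MYSQL_OPT_SSL_MODE` is defined. The enclosing `if (ssl_mode)` block starts outside the hunk, so the validating branch above the `#else` is only partly visible.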
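Review bot: In the new MariaDB block `enforce_tls` becomes 1 only for `REQUIRED`, so `VERIFY_CA` and `VERIFY_IDENTITY`, the stricter modes, pass 0 to both `MYSQL_OPT_SSL_ENFORCE` and `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` and get less protection than the caller asked for. Since `PREFERRED` is already excluded by the outer test, the inner one should be `if (strcmp(ssl_mode, "DISABLED") != 0) enforce_tls = 1;`. The `#ifdef MYSQL_OPT_SSL_ENFORCE` guard only works if the client header defines that name as a macro. If it is an enum constant, the guarded calls compile to nothing and the requested mode is ignored without any error. The return values of `mysql_optionsv` are also discarded, so a refused option leaves the connection on the library default.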
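Review bot: The `corrected_ssl_mode` branch replaces the caller's `REQUIRED` or `VERIFY_CA` with `VERIFY_IDENTITY` and nothing in the hunk records why. A comment such as `/* REQUIRED and VERIFY_CA are upgraded to VERIFY_IDENTITY on this client library: <reason> */` is needed so that a later reader does not "simplify" it into a weaker mode. As written, the second test `strcmp(ssl_mode, "VERIFY_CA")` has no `== 0`, so it is true for every value except `VERIFY_CA` and upgrades `DISABLED` and `PREFERRED` as well; patch 2/6 corrects that comparison. The upgrade also happens after the earlier validation ran on the original string, so the error a caller sees may refer to a mode they never requested.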
From: Teodor Moroz Date: Thu, 25 Feb 2021 11:55:54 +0200 Subject: [PATCH 2/6] Add ability to customize ssl mode settings #474(fixed comparasion and case sensitivity) --- MySQLdb/_mysql.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MySQLdb/_mysql.c b/MySQLdb/_mysql.c index c84df24c..29077be4 100644 --- a/MySQLdb/_mysql.c +++ b/MySQLdb/_mysql.c @@ -491,10 +491,10 @@ _mysql_ConnectionObject_Initialize( #ifdef MARIADB_BASE_VERSION if (ssl_mode) { - if (strcmp(ssl_mode, "PREFERRED") != 0) + if (strcasecmp(ssl_mode, "PREFERRED") != 0) { int enforce_tls= 0; - if (strcmp(ssl_mode, "REQUIRED") == 0) + if (strcasecmp(ssl_mode, "REQUIRED") == 0) enforce_tls = 1; #ifdef MYSQL_OPT_SSL_ENFORCE mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); @@ -540,7 +540,7 @@ _mysql_ConnectionObject_Initialize( #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE if (ssl_mode) { char *corrected_ssl_mode = NULL; - if (strcmp(ssl_mode, "REQUIRED") == 0 || strcmp(ssl_mode, "VERIFY_CA")) + if (strcasecmp(ssl_mode, "REQUIRED") == 0 || strcasecmp(ssl_mode, "VERIFY_CA") == 0) corrected_ssl_mode = "VERIFY_IDENTITY"; else corrected_ssl_mode = ssl_mode; From 6cdf275f7ffaa7f6e61b259203efa72dcaef49d2 Mon Sep 17 00:00:00 2001 From: Teodor Moroz Date: Thu, 2 Jun 2022 14:51:27 +0300 Subject: [PATCH 3/6] Remove MYSQL_OPT_SSL_VERIFY_SERVER_CERT for MariaDB tls required --- MySQLdb/_mysql.c | 1 - 1 file changed, 1 deletion(-) diff --git a/MySQLdb/_mysql.c b/MySQLdb/_mysql.c index 29077be4..21ffee4a 100644 --- a/MySQLdb/_mysql.c +++ b/MySQLdb/_mysql.c @@ -498,7 +498,6 @@ _mysql_ConnectionObject_Initialize( enforce_tls = 1; #ifdef MYSQL_OPT_SSL_ENFORCE mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls); #endif } } From 968a7407682ca97875b8ed10eb976e3270f10549 Mon Sep 17 00:00:00 2001 
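Review bot: `strcasecmp` is a POSIX function declared in `<strings.h>`, and neither hunk of this patch adds that include or a fallback for compilers that lack it (MSVC spells it `_stricmp`). If `_mysql.c` is also built on Windows, a small shim near the includes is needed, e.g. `#ifdef _MSC_VER` / `#define strcasecmp _stricmp` / `#endif`. The same applies to the comparison changed in the second hunk (`@@ -540,7 +540,7`). It is also worth confirming that `_get_ssl_mode_num`, whose body is not shown, compares case-insensitively too; otherwise a lower-case mode is accepted by these tests but rejected or mapped differently by the validation.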
From: Teodor Moroz Date: Fri, 3 Jun 2022 13:08:20 +0300 Subject: [PATCH 4/6] Unify behaviour for MariaDB driver --- MySQLdb/_mysql.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/MySQLdb/_mysql.c b/MySQLdb/_mysql.c index 21ffee4a..89ab3c32 100644 --- a/MySQLdb/_mysql.c +++ b/MySQLdb/_mysql.c @@ -496,9 +496,17 @@ _mysql_ConnectionObject_Initialize( int enforce_tls= 0; if (strcasecmp(ssl_mode, "REQUIRED") == 0) enforce_tls = 1; + #ifdef MYSQL_OPT_SSL_ENFORCE mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); #endif + + int verify_cert = 0; + if (strcasecmp(ssl_mode, "VERIFY_CA") == 0 || strcasecmp(ssl_mode, "VERIFY_IDENTITY") == 0 ) + enforce_tls = 1; + #ifdef MYSQL_OPT_SSL_VERIFY_SERVER_CERT + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls); + #endif } } #endif @@ -538,12 +546,7 @@ _mysql_ConnectionObject_Initialize( } #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE if (ssl_mode) { - char *corrected_ssl_mode = NULL; - if (strcasecmp(ssl_mode, "REQUIRED") == 0 || strcasecmp(ssl_mode, "VERIFY_CA") == 0) - corrected_ssl_mode = "VERIFY_IDENTITY"; - else - corrected_ssl_mode = ssl_mode; - int ssl_mode_num = _get_ssl_mode_num(corrected_ssl_mode); + int ssl_mode_num = _get_ssl_mode_num(ssl_mode); mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num); } #endif From 985e0e9174e2bc0effa919d2b3c076a0b13e2e75 Mon Sep 17 00:00:00 2001 From: Inada Naoki Date: Mon, 15 May 2023 15:37:25 +0900 Subject: [PATCH 5/6] Make code smarter. --- MySQLdb/_mysql.c | 58 ++++++++++++++++++++---------------------------- 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/MySQLdb/_mysql.c b/MySQLdb/_mysql.c index 0c2357e3..09ec12d8 100644 --- a/MySQLdb/_mysql.c +++ b/MySQLdb/_mysql.c 
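Review bot: `verify_cert` is declared but never used: the new `VERIFY_CA`/`VERIFY_IDENTITY` test assigns `enforce_tls = 1`, and `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` is then set from `&enforce_tls`. As a result `REQUIRED`, where `enforce_tls` is already 1, also switches certificate verification on, which patch 3/6 had just removed. `VERIFY_CA` and `VERIFY_IDENTITY` meanwhile reach the earlier `MYSQL_OPT_SSL_ENFORCE` call with 0. Both flags should be computed before either option is set: extend the first test to `REQUIRED`, `VERIFY_CA` and `VERIFY_IDENTITY`, change the second assignment to `verify_cert = 1;`, and pass `(void *)&verify_cert` to the second `mysql_optionsv`. As in patch 1/6, the `#ifdef` guards silently drop the calls if these option names are enum constants rather than macros.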
@@ -380,7 +380,14 @@ static int _mysql_ResultObject_clear(_mysql_ResultObject *self) return 0; } -#ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE +enum { + SSLMODE_DISABLED = 1, + SSLMODE_PREFERRED = 2, + SSLMODE_REQUIRED = 3, + SSLMODE_VERIFY_CA = 4, + SSLMODE_VERIFY_IDENTITY = 5 +} + static int _get_ssl_mode_num(char *ssl_mode) { @@ -395,7 +402,6 @@ _get_ssl_mode_num(char *ssl_mode) } return -1; } -#endif static int _mysql_ConnectionObject_Initialize( @@ -429,6 +435,7 @@ _mysql_ConnectionObject_Initialize( int read_timeout = 0; int write_timeout = 0; int compress = -1, named_pipe = -1, local_infile = -1; + int ssl_mode_num = SSLMODE_DISABLED; char *init_command=NULL, *read_default_file=NULL, *read_default_group=NULL, @@ -469,17 +476,10 @@ _mysql_ConnectionObject_Initialize( _stringsuck(cipher, value, ssl); } if (ssl_mode) { -#ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE - if (_get_ssl_mode_num(ssl_mode) <= 0) { + if ((ssl_mode_num = _get_ssl_mode_num(ssl_mode)) <= 0) { PyErr_SetString(_mysql_NotSupportedError, "Unknown ssl_mode specification"); return -1; } -#else - #ifndef MARIADB_BASE_VERSION - PyErr_SetString(_mysql_NotSupportedError, "MySQL client library does not support ssl_mode specification"); - return -1; - #endif -#endif } conn = mysql_init(&(self->connection)); 
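Review bot: The `SSLMODE_*` constants carry no comment saying where the numbers 1–5 come from, yet later in this patch `ssl_mode_num` is handed unchanged to `mysql_options(..., MYSQL_OPT_SSL_MODE, &ssl_mode_num)`. They therefore have to stay equal to the client library's own ssl-mode values, and an edit that renumbers them would silently select a different (possibly weaker) mode. I would add `/* Values are passed unchanged to MYSQL_OPT_SSL_MODE and must match the client library's SSL_MODE_* constants. */` above the enum. The missing `;` after the closing brace is handled by patch 6/6.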
@@ -490,27 +490,6 @@ _mysql_ConnectionObject_Initialize( Py_BEGIN_ALLOW_THREADS ; self->open = 1; - #ifdef MARIADB_BASE_VERSION - if (ssl_mode) { - if (strcasecmp(ssl_mode, "PREFERRED") != 0) - { - int enforce_tls= 0; - if (strcasecmp(ssl_mode, "REQUIRED") == 0) - enforce_tls = 1; - - #ifdef MYSQL_OPT_SSL_ENFORCE - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); - #endif - - int verify_cert = 0; - if (strcasecmp(ssl_mode, "VERIFY_CA") == 0 || strcasecmp(ssl_mode, "VERIFY_IDENTITY") == 0 ) - enforce_tls = 1; - #ifdef MYSQL_OPT_SSL_VERIFY_SERVER_CERT - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls); - #endif - } - } - #endif if (connect_timeout) { unsigned int timeout = connect_timeout; mysql_options(&(self->connection), MYSQL_OPT_CONNECT_TIMEOUT, @@ -545,12 +524,23 @@ _mysql_ConnectionObject_Initialize( if (ssl) { mysql_ssl_set(&(self->connection), key, cert, ca, capath, cipher); } -#ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE if (ssl_mode) { - int ssl_mode_num = _get_ssl_mode_num(ssl_mode); +#ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num); - } +#else + // MariaDB doesn't support MYSQL_OPT_SSL_MODE. + // See https://github.com/PyMySQL/mysqlclient/issues/474 + // TODO: Does MariaDB supports PREFERRED and VERIFY_CA? + // We support only two levels for now. + if (sslmode_num >= SSLMODE_REQUIRED) { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); + } + if (sslmode_num >= SSLMODE_VERIFY_CA) { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls); + } #endif + } + if (charset) { mysql_options(&(self->connection), MYSQL_SET_CHARSET_NAME, charset); } From 25bc72c16b9659484c4ed6d228b9d9be255afc28 Mon Sep 17 00:00:00 2001 
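Review bot: The new `#else` branch does not compile: it tests `sslmode_num`, but the variable declared earlier in this patch is `ssl_mode_num`, and it passes `&enforce_tls`, whose declaration was deleted with the MariaDB block in the previous hunk. This is the branch taken by every build without `HAVE_ENUM_MYSQL_OPT_SSL_MODE`, so the MariaDB path is the one that breaks. While fixing the names, keep the results of `mysql_optionsv` so that a refused option can be reported rather than leaving a connection that asked for REQUIRED or VERIFY_CA on the library default. That report has to be raised after `Py_END_ALLOW_THREADS`, which is outside the hunk. The width of the flag these two options expect should be confirmed against the client header; earlier patches in the series used `int`.

```c
    if (ssl_mode) {
#ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE
        // … unchanged: mysql_options(MYSQL_OPT_SSL_MODE, &ssl_mode_num) …
#else
        // … unchanged: MariaDB comment and TODO …
        int enforce_tls = 1;      /* TODO confirm the type the client library expects */
        int ssl_opt_failed = 0;   /* checked once the GIL is held again */
        if (ssl_mode_num >= SSLMODE_REQUIRED) {
            ssl_opt_failed |= mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls);
        }
        if (ssl_mode_num >= SSLMODE_VERIFY_CA) {
            ssl_opt_failed |= mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls);
        }
#endif
```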
From: Inada Naoki Date: Mon, 15 May 2023 16:45:15 +0900 Subject: [PATCH 6/6] Add missing semicolon --- MySQLdb/_mysql.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MySQLdb/_mysql.c b/MySQLdb/_mysql.c index 09ec12d8..4463f627 100644 --- a/MySQLdb/_mysql.c +++ b/MySQLdb/_mysql.c @@ -386,7 +386,7 @@ enum { SSLMODE_REQUIRED = 3, SSLMODE_VERIFY_CA = 4, SSLMODE_VERIFY_IDENTITY = 5 -} +}; static int _get_ssl_mode_num(char *ssl_mode)