From fb210cb9d0458d8b3d0fc1c5f7c13d60ae32042d Mon Sep 17 00:00:00 2001 From: Max Lohrmann Date: Wed, 14 Feb 2018 02:30:50 +0100 Subject: Experiment with #2979 * Updated libmysqlclient from 5.5.56 -> 5.5.59 * Changed the way the connection password is passed between SPMySQL and libmysqlclient --- .../Patches/001-cpp-dependency.diff | 8 ++ .../Patches/002-new-types.diff | 9 ++ .../Patches/003-callback-password-auth.diff | 96 +++++++++++++++++++++ .../MySQL Client Libraries/include/mysql.h | 12 +++ .../MySQL Client Libraries/include/mysql_version.h | 4 +- .../MySQL Client Libraries/lib/libmysqlclient.a | Bin 7932592 -> 7935040 bytes 6 files changed, 127 insertions(+), 2 deletions(-) create mode 100644 Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/003-callback-password-auth.diff (limited to 'Frameworks/SPMySQLFramework/MySQL Client Libraries') diff --git a/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/001-cpp-dependency.diff b/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/001-cpp-dependency.diff index 06c20001..e3ce848a 100644 --- a/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/001-cpp-dependency.diff +++ b/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/001-cpp-dependency.diff @@ -1,3 +1,11 @@ +This patch is neccesary to remove a linker error when trying to link SPMySQL with libmysqlclient.a. + +To apply: + cd mysql-source-root + patch -p1 < this-file + +(patch created with `diff -Naur`) + --- mysql-5.5.56-dist/extra/yassl/taocrypt/include/runtime.hpp 2017-04-27 09:12:30.000000000 +0200 +++ mysql-5.5.56/extra/yassl/taocrypt/include/runtime.hpp 2017-05-20 23:27:14.000000000 +0200 @@ -53,8 +53,8 @@ diff --git a/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/002-new-types.diff b/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/002-new-types.diff index bb42f9d9..47aa9c6d 100644 --- a/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/002-new-types.diff 
+++ b/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/002-new-types.diff
@@ -1,3 +1,12 @@
+This patch backports field types that were added after MySQL 5.5,
+but are technically still compatible to the old client libs.
+
+To apply:
+ cd mysql-source-root
+ patch -p1 < this-file
+
+(patch created with `diff -Naur`)
+
 --- mysql-5.5.56-dist/include/mysql_com.h 2017-04-27 09:12:30.000000000 +0200
 +++ mysql-5.5.56/include/mysql_com.h 2017-05-21 01:46:44.000000000 +0200
 @@ -349,7 +349,11 @@
diff --git a/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/003-callback-password-auth.diff b/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/003-callback-password-auth.diff
new file mode 100644
index 00000000..78fa873d
--- /dev/null
+++ b/Frameworks/SPMySQLFramework/MySQL Client Libraries/Patches/003-callback-password-auth.diff
@@ -0,0 +1,96 @@ +This patch changes the way libmysqlclient receives the connection password. +Usually it will get the password by trying in order: + 1) The passwd that is passed as a parameter to mysql_real_connect() + 2) The password that was set on MYSQL->options.password + 3) The contents of the environment variable MYSQL_PWD (compile time setting) + 4) An empty string + +If a connection could be made (not yet authenticathed) the password will be stored +in MYSQL->passwd for the whole lifetime of the struct. + +We don't want that for two reasons: + 1) That way the password stays in plaintext memory for possibly a long time (and + may even get swapped to disk) + 2) MySQL uses plugins for auth (negotiated with the server) and some of them may + transmit the password in plaintext over an unsecure connection. + Since we have no control over that we would have to decide beforehand if that + COULD happen and flat out always deny or allow Keychain access (since e.g. + the AVAILABILITY of the cleartext plugin can be controlled by an envvar). + +So with this patch we change the flow of information: +Now mysql doesn't receive the password up front, but instead it has to ask the user (ie. SPMySQL) +to get the password precisely then when it needs it and mysql will also tell us +which auth plugin it negotiated with the server, so we can decide on a per situation +basis whether to request manual input or fetch it from Keychain. 
+ +To apply: + cd mysql-source-root + patch -p1 < this-file + +(patch created with `diff -Naur`) + +diff -Naur mysql-5.5.59-dist/include/mysql.h mysql-5.5.59/include/mysql.h +--- mysql-5.5.59-dist/include/mysql.h 2017-11-27 13:03:17.000000000 +0100 ++++ mysql-5.5.59/include/mysql.h 2018-02-14 00:28:26.000000000 +0100 +@@ -288,6 +288,18 @@ + /* needed for embedded server - no net buffer to store the 'info' */ + char *info_buffer; + void *extension; ++ ++ /* SPMySQL patch: ++ * Set this to a callback function that will be invoked when mysql wants to do authentication. ++ * @param mysql The MYSQL struct ++ * @param plugin The name of the auth plugin that will be used (usually either ++ * "mysql_native_password", "mysql_old_password" or "mysql_clear_password") ++ * @param with_password A block function you must invoke, during which mysql can use the password you provide via the passwd parameter. ++ * After the block you should immediately clear the password from memory again. ++ */ ++ void (*passwd_callback)(struct st_mysql *mysql, const char *plugin, void (^with_password)(const char *passwd)); ++ /* SPMySQL patch: This is used with passwd_callback to bridge back to OOP land */ ++ void *sp_context; + } MYSQL; + + +diff -Naur mysql-5.5.59-dist/sql-common/client.c mysql-5.5.59/sql-common/client.c +--- mysql-5.5.59-dist/sql-common/client.c 2017-11-27 13:03:17.000000000 +0100 ++++ mysql-5.5.59/sql-common/client.c 2018-02-14 00:34:26.000000000 +0100 +@@ -2952,7 +2952,7 @@ + auth_plugin_t *auth_plugin; + MCPVIO_EXT mpvio; + ulong pkt_length; +- int res; ++ __block int res; + + DBUG_ENTER ("run_plugin_auth"); + /* determine the default/initial plugin to use */ +@@ -2996,7 +2996,29 @@ + mpvio.db= db; + mpvio.plugin= auth_plugin; + +- res= auth_plugin->authenticate_user((struct st_plugin_vio *)&mpvio, mysql); ++ /* ++ * SPMySQL Patch to inverse the password flow ++ */ ++ if(mysql->passwd_callback) ++ { ++ res = CR_ERROR; //fallback, if block is never invoked ++ 
mysql->passwd_callback(mysql, auth_plugin_name, ^(const char *passwd) { ++ char *saved_passwd = mysql->passwd; ++ mysql->passwd = (char *)(passwd ? passwd : ""); // see mysql_change_user ++ res= auth_plugin->authenticate_user((struct st_plugin_vio *)&mpvio, mysql); ++ mysql->passwd = saved_passwd; ++ }); ++ } ++ else ++ { ++ set_mysql_extended_error(mysql, CR_AUTH_PLUGIN_CANNOT_LOAD, ++ unknown_sqlstate, ++ ER(CR_AUTH_PLUGIN_CANNOT_LOAD), ++ auth_plugin_name, ++ "passwd_callback not set!"); ++ DBUG_RETURN (1); ++ } ++ + DBUG_PRINT ("info", ("authenticate_user returned %s", + res == CR_OK ? "CR_OK" : + res == CR_ERROR ? "CR_ERROR" : diff --git a/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql.h b/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql.h index 3a27ab41..353267aa 100644 --- a/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql.h +++ b/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql.h @@ -288,6 +288,18 @@ typedef struct st_mysql /* needed for embedded server - no net buffer to store the 'info' */ char *info_buffer; void *extension; + + /* SPMySQL patch: + * Set this to a callback function that will be invoked when mysql wants to do authentication. + * @param mysql The MYSQL struct + * @param plugin The name of the auth plugin that will be used (usually either + * "mysql_native_password", "mysql_old_password" or "mysql_clear_password") + * @param with_password A block function you must invoke, during which mysql can use the password you provide via the passwd parameter. + * After the block you should immediately clear the password from memory again. + */ + void (*passwd_callback)(struct st_mysql *mysql, const char *plugin, void (^with_password)(const char *passwd)); + /* SPMySQL patch: This is used with passwd_callback to bridge back to OOP land */ + void *sp_context; } MYSQL; 
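Review bot: If `passwd_callback` returns without ever invoking the block, `res` keeps the `CR_ERROR` fallback assigned just before `mysql->passwd_callback(...)`, but nothing records an error on the handle, so what the caller sees then depends on the result handling after `DBUG_PRINT`, which lies outside the hunk, and at best is a generic failure rather than the clear message the `else` branch produces for a NULL callback. Tracking whether the block ran with a `__block my_bool passwd_provided= FALSE;` next to `__block int res;` and reporting it through `set_mysql_extended_error` the same way the `else` branch does would make that misuse diagnosable. The patch header claims the password no longer sits in `mysql->passwd` for the lifetime of the struct, yet this hunk only swaps the pointer around `authenticate_user`; if `mysql_real_connect` (outside the hunk) still copies its `passwd` argument into `mysql->passwd`, callers get that benefit only by passing an empty password there, which the patch text should state. `__block` and the `^(...)` block literal also make `client.c` depend on a compiler with blocks support, which the patch description should mention. `run_plugin_auth` begins and ends outside the hunk.
```c
  __block my_bool passwd_provided= FALSE;   /* next to `__block int res;` */
  /* … unchanged: plugin negotiation, mpvio setup … */
    mysql->passwd_callback(mysql, auth_plugin_name, ^(const char *passwd) {
      passwd_provided= TRUE;
      /* … unchanged: swap mysql->passwd, authenticate_user, restore … */
    });
    if (!passwd_provided)
    {
      set_mysql_extended_error(mysql, CR_AUTH_PLUGIN_CANNOT_LOAD,
                               unknown_sqlstate,
                               ER(CR_AUTH_PLUGIN_CANNOT_LOAD),
                               auth_plugin_name,
                               "passwd_callback did not supply a password");
      DBUG_RETURN (1);
    }
  /* … unchanged: else branch and DBUG_PRINT … */
```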
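Review bot: The doc comment on `passwd_callback` does not say that the field is mandatory, although `run_plugin_auth` in the companion `client.c` patch now fails every connection with `CR_AUTH_PLUGIN_CANNOT_LOAD` when it is NULL, nor that a callback which returns without invoking `with_password` makes authentication fail. Adding ` * NOTE: mandatory. If NULL, every connection attempt fails with CR_AUTH_PLUGIN_CANNOT_LOAD; if the callback returns without invoking with_password, authentication fails.` after the `@param with_password` lines would keep the contract in the header. The two new members also grow `sizeof(MYSQL)`, so anything compiled against an unpatched `mysql.h` but linked with the shipped `libmysqlclient.a` would be mis-sized; a line ` * These members must stay last in struct st_mysql, and library and users must be built from this patched header.` is worth adding. The same comment is duplicated inside `003-callback-password-auth.diff` and should be updated there as well. `struct st_mysql` begins outside the hunk.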
diff --git a/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql_version.h b/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql_version.h
index 8c18116a..77ea7e07 100644
--- a/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql_version.h
+++ b/Frameworks/SPMySQLFramework/MySQL Client Libraries/include/mysql_version.h
@@ -11,11 +11,11 @@
 #include
 #else
 #define PROTOCOL_VERSION 10
-#define MYSQL_SERVER_VERSION "5.5.56"
+#define MYSQL_SERVER_VERSION "5.5.59"
 #define MYSQL_BASE_VERSION "mysqld-5.5"
 #define MYSQL_SERVER_SUFFIX_DEF ""
 #define FRM_VER 6
-#define MYSQL_VERSION_ID 50556
+#define MYSQL_VERSION_ID 50559
 #define MYSQL_PORT 3306
 #define MYSQL_PORT_DEFAULT 0
 #define MYSQL_UNIX_ADDR "/tmp/mysql.sock"
diff --git a/Frameworks/SPMySQLFramework/MySQL Client Libraries/lib/libmysqlclient.a b/Frameworks/SPMySQLFramework/MySQL Client Libraries/lib/libmysqlclient.a
index 0fccae22..27e9e15c 100644
Binary files a/Frameworks/SPMySQLFramework/MySQL Client Libraries/lib/libmysqlclient.a and b/Frameworks/SPMySQLFramework/MySQL Client Libraries/lib/libmysqlclient.a differ
-- 
cgit v1.2.3