TLS connection

tmtm · tmtm · commit 4eeba6a817d9 · 2021-10-31T19:01:00.000+09:00
diff --git a/lib/mysql.rb b/lib/mysql.rb
@@ -96,6 +96,7 @@ def initialize
     @last_error = nil
     @result_exist = false
     @local_infile = nil
+    @ssl_mode = SSL_MODE_PREFERRED
   end
 
   # Connect to mysqld.
@@ -112,7 +113,7 @@ def connect(host=nil, user=nil, passwd=nil, db=nil, port=nil, socket=nil, flag=0
       warn 'unsupported flag: CLIENT_COMPRESS' if $VERBOSE
       flag &= ~CLIENT_COMPRESS
     end
-    @protocol = Protocol.new host, port, socket, @connect_timeout, @read_timeout, @write_timeout, @local_infile
+    @protocol = Protocol.new host, port, socket, @connect_timeout, @read_timeout, @write_timeout, @local_infile, @ssl_mode
     @protocol.authenticate user, passwd, db, flag, @charset
     @charset ||= @protocol.charset
     @host_info = (host.nil? || host == "localhost") ? 'Localhost via UNIX socket' : "#{host} via TCP/IP"
@@ -145,37 +146,61 @@ def close!
   #
   # Available options:
   #   Mysql::INIT_COMMAND, Mysql::OPT_CONNECT_TIMEOUT, Mysql::OPT_READ_TIMEOUT,
-  #   Mysql::OPT_WRITE_TIMEOUT, Mysql::SET_CHARSET_NAME
+  #   Mysql::OPT_SSL_MODE, Mysql::OPT_WRITE_TIMEOUT, Mysql::SET_CHARSET_NAME
   # @param [Integer] opt option
   # @param [Integer] value option value that is depend on opt
   # @return [Mysql] self
   def options(opt, value=nil)
     case opt
+#    when Mysql::DEFAULT_AUTH
+#    when Mysql::ENABLE_CLEARTEXT_PLUGIN
     when Mysql::INIT_COMMAND
       @init_command = value.to_s
+#    when Mysql::OPT_BIND
+#    when Mysql::OPT_CAN_HANDLE_EXPIRED_PASSWORDS
 #    when Mysql::OPT_COMPRESS
+#    when Mysql::OPT_COMPRESSION_ALGORITHMS
+#    when Mysql::OPT_CONNECT_ATTR_ADD
+#    when Mysql::OPT_CONNECT_ATTR_DELETE
+#    when Mysql::OPT_CONNECT_ATTR_RESET
     when Mysql::OPT_CONNECT_TIMEOUT
       @connect_timeout = value
-#    when Mysql::GUESS_CONNECTION
-    when Mysql::OPT_LOCAL_INFILE
-      @local_infile = value ? '' : nil
+#    when Mysql::OPT_GET_SERVER_PUBLIC_KEY
     when Mysql::OPT_LOAD_DATA_LOCAL_DIR
       @local_infile = value
+    when Mysql::OPT_LOCAL_INFILE
+      @local_infile = value ? '' : nil
+#    when Mysql::OPT_MAX_ALLOWED_PACKET
 #    when Mysql::OPT_NAMED_PIPE
+#    when Mysql::OPT_NET_BUFFER_LENGTH
+#    when Mysql::OPT_OPTIONAL_RESULTSET_METADATA
 #    when Mysql::OPT_PROTOCOL
     when Mysql::OPT_READ_TIMEOUT
       @read_timeout = value.to_i
 #    when Mysql::OPT_RECONNECT
+#    when Mysql::OPT_RETRY_COUNT
 #    when Mysql::SET_CLIENT_IP
-#    when Mysql::OPT_SSL_VERIFY_SERVER_CERT
-#    when Mysql::OPT_USE_EMBEDDED_CONNECTION
-#    when Mysql::OPT_USE_REMOTE_CONNECTION
+#    when Mysql::OPT_SSL_CA
+#    when Mysql::OPT_SSL_CAPATH
+#    when Mysql::OPT_SSL_CERT
+#    when Mysql::OPT_SSL_CIPHER
+#    when Mysql::OPT_SSL_CRL
+#    when Mysql::OPT_SSL_CRLPATH
+#    when Mysql::OPT_SSL_FIPS_MODE
+#    when Mysql::OPT_SSL_KEY
+    when Mysql::OPT_SSL_MODE
+      @ssl_mode = value
+#    when Mysql::OPT_TLS_CIPHERSUITES
+#    when Mysql::OPT_TLS_VERSION
+#    when Mysql::OPT_USE_RESULT
     when Mysql::OPT_WRITE_TIMEOUT
       @write_timeout = value.to_i
+#    when Mysql::OPT_ZSTD_COMPRESSION_LEVEL
+#    when Mysql::PLUGIN_DIR
 #    when Mysql::READ_DEFAULT_FILE
 #    when Mysql::READ_DEFAULT_GROUP
 #    when Mysql::REPORT_DATA_TRUNCATION
-#    when Mysql::SECURE_AUTH
+#    when Mysql::SERVER_PUBLIC_KEY
 #    when Mysql::SET_CHARSET_DIR
     when Mysql::SET_CHARSET_NAME
       @charset = Charset.by_name value.to_s
diff --git a/lib/mysql/authenticator/caching_sha2_password.rb b/lib/mysql/authenticator/caching_sha2_password.rb
@@ -26,7 +26,10 @@ def authenticate(passwd, scramble)
           when "\x03"  # fast_auth_success
             # OK
           when "\x04"  # perform_full_authentication
-            raise 'Authentication requires secure connection (not supported)'
+            if @protocol.client_flags & CLIENT_SSL == 0
+              raise 'Authentication requires secure connection'
+            end
+            @protocol.write passwd+"\0"
           else
             raise "invalid auth reply packet: #{data.inspect}"
           end
diff --git a/lib/mysql/authenticator/sha256_password.rb b/lib/mysql/authenticator/sha256_password.rb
@@ -18,6 +18,10 @@ def name
       # @yield [String] hashed password
       # @return [Mysql::Packet]
       def authenticate(passwd, scramble)
+        if @protocol.client_flags & CLIENT_SSL != 0
+          yield passwd+"\0"
+          return @protocol.read
+        end
         yield "\x01"  # request public key
         pkt = @protocol.read
         data = pkt.to_s
diff --git a/lib/mysql/constants.rb b/lib/mysql/constants.rb
@@ -116,6 +116,13 @@ class Mysql
   OPT_ZSTD_COMPRESSION_LEVEL       = 42
   OPT_LOAD_DATA_LOCAL_DIR          = 43
 
+  # SSL Mode
+  SSL_MODE_DISABLED        = 1
+  SSL_MODE_PREFERRED       = 2
+  SSL_MODE_REQUIRED        = 3
+  SSL_MODE_VERIFY_CA       = 4
+  SSL_MODE_VERIFY_IDENTITY = 5
+
   # Server Option
   OPTION_MULTI_STATEMENTS_ON  = 0
   OPTION_MULTI_STATEMENTS_OFF = 1
diff --git a/lib/mysql/protocol.rb b/lib/mysql/protocol.rb
@@ -5,6 +5,7 @@
 require "socket"
 require "timeout"
 require "stringio"
+require "openssl"
 require_relative 'authenticator.rb'
 
 class Mysql
@@ -136,16 +137,18 @@ def self.value2net(v)
     # read_timeout :: [Integer] read timeout (sec).
     # write_timeout :: [Integer] write timeout (sec).
     # local_infile :: [String] local infile path
+    # ssl_mode :: [Integer]
     # === Exception
     # [ClientError] :: connection timeout
-    def initialize(host, port, socket, conn_timeout, read_timeout, write_timeout, local_infile)
+    def initialize(host, port, socket, conn_timeout, read_timeout, write_timeout, local_infile, ssl_mode)
       @insert_id = 0
       @warning_count = 0
       @gc_stmt_queue = []   # stmt id list which GC destroy.
       set_state :INIT
       @read_timeout = read_timeout
       @write_timeout = write_timeout
       @local_infile = local_infile
+      @ssl_mode = ssl_mode
       begin
         Timeout.timeout conn_timeout do
           if host.nil? or host.empty? or host == "localhost"
@@ -181,6 +184,7 @@ def authenticate(user, passwd, db, flag, charset)
       init_packet = InitialPacket.parse read
       @server_info = init_packet.server_version
       @server_version = init_packet.server_version.split(/\D/)[0,3].inject{|a,b|a.to_i*100+b.to_i}
+      @server_capabilities = init_packet.server_capabilities
       @thread_id = init_packet.thread_id
       @client_flags = CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_TRANSACTIONS | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
       @client_flags |= CLIENT_LOCAL_FILES if @local_infile
@@ -191,10 +195,38 @@ def authenticate(user, passwd, db, flag, charset)
         @charset = Charset.by_number(init_packet.server_charset)
         @charset.encoding       # raise error if unsupported charset
       end
+      enable_ssl
       Authenticator.new(self).authenticate(user, passwd, db, init_packet.scramble_buff, init_packet.auth_plugin)
       set_state :READY
     end
 
+    def enable_ssl
+      case @ssl_mode
+      when SSL_MODE_DISABLED
+        return
+      when SSL_MODE_PREFERRED
+        return if @sock.is_a? UNIXSocket
+        return if @server_capabilities & CLIENT_SSL == 0
+      when SSL_MODE_REQUIRED
+        if @server_capabilities & CLIENT_SSL == 0
+          raise ClientError::SslConnectionError, "SSL is required but the server doesn't support it"
+        end
+      else
+        raise ClientError, "ssl_mode #{@ssl_mode} is not supported"
+      end
+      begin
+        @client_flags |= CLIENT_SSL
+        write Protocol::TlsAuthenticationPacket.serialize(@client_flags, 1024**3, @charset.number)
+        @sock = OpenSSL::SSL::SSLSocket.new(@sock)
+        @sock.sync_close = true
+        @sock.connect
+      rescue => e
+        @client_flags &= ~CLIENT_SSL
+        return if @ssl_mode == SSL_MODE_PREFERRED
+        raise e
+      end
+    end
+
     # Quit command
     def quit_command
       synchronize do
@@ -700,6 +732,18 @@ def self.serialize(client_flags, max_packet_size, charset_number, username, scra
       end
     end
 
+    # TLS Authentication packet
+    class TlsAuthenticationPacket
+      def self.serialize(client_flags, max_packet_size, charset_number)
+        [
+          client_flags,
+          max_packet_size,
+          charset_number,
+          "",                   # always 0x00 * 23
+        ].pack("VVCa23")
+      end
+    end
+
     # Execute packet
     class ExecutePacket
       def self.serialize(statement_id, cursor_type, values)
