From a7e3887c8ac8d1b2a34b13f19da3cc164c4aa74c Mon Sep 17 00:00:00 2001 From: Inada Naoki Date: Fri, 9 Feb 2024 00:21:36 +0900 Subject: [PATCH 1/2] Support `ssl=True` (#700) MySQL use ssl by default but MariaDB don't. Until mysqlclient<=2.2.1, `ssl=True` unintentionally allowed and it called `mysql_ssl_set(mysql, NULL, NULL, NULL, NULL, NULL)`. Although it is no-op in MySQL Connector, MariaDB Connector silently set MYSQL_OPT_SSL_ENFORCE when the API is called. (See #698) In case of PyMySQL, ssl is not used by default but `ssl=True` behave like `sslmode="PREFERRED"`. For better backward compatibility and compatibility with PyMySQL and security, I decided to allow ssl=True and it means sslmode="REQUIRED" on MySQL Connector and set MYSQL_OPT_SSL_ENFORCE on MariaDB Connector. Fix #699 --- src/MySQLdb/_mysql.c | 36 ++++++++++++++++++++++++------------ src/MySQLdb/connections.py | 2 ++ 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c index c334db6..b9ec1c1 100644 --- a/src/MySQLdb/_mysql.c +++ b/src/MySQLdb/_mysql.c @@ -391,10 +391,10 @@ enum { }; static int -_get_ssl_mode_num(char *ssl_mode) +_get_ssl_mode_num(const char *ssl_mode) { - static char *ssl_mode_list[] = { "DISABLED", "PREFERRED", - "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY" }; + static const char *ssl_mode_list[] = { + "DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY" }; unsigned int i; for (i=0; i < sizeof(ssl_mode_list)/sizeof(ssl_mode_list[0]); i++) { if (strcmp(ssl_mode, ssl_mode_list[i]) == 0) { @@ -414,7 +414,7 @@ _mysql_ConnectionObject_Initialize( MYSQL *conn = NULL; PyObject *conv = NULL; PyObject *ssl = NULL; - char *ssl_mode = NULL; + const char *ssl_mode = NULL; const char *key = NULL, *cert = NULL, *ca = NULL, *capath = NULL, *cipher = NULL; PyObject *ssl_keepref[5] = {NULL}; 
@@ -437,7 +437,7 @@ _mysql_ConnectionObject_Initialize( int read_timeout = 0; int write_timeout = 0; int compress = -1, named_pipe = -1, local_infile = -1; - int ssl_mode_num = SSLMODE_DISABLED; + int ssl_mode_num = SSLMODE_PREFERRED; char *init_command=NULL, *read_default_file=NULL, *read_default_group=NULL, @@ -470,19 +470,31 @@ _mysql_ConnectionObject_Initialize( if(t){d=PyUnicode_AsUTF8(t);ssl_keepref[n_ssl_keepref++]=t;}\ PyErr_Clear();} + char ssl_mode_set = 0; if (ssl) { - PyObject *value = NULL; - _stringsuck(ca, value, ssl); - _stringsuck(capath, value, ssl); - _stringsuck(cert, value, ssl); - _stringsuck(key, value, ssl); - _stringsuck(cipher, value, ssl); + if (PyMapping_Check(ssl)) { + PyObject *value = NULL; + _stringsuck(ca, value, ssl); + _stringsuck(capath, value, ssl); + _stringsuck(cert, value, ssl); + _stringsuck(key, value, ssl); + _stringsuck(cipher, value, ssl); + } else if (PyObject_IsTrue(ssl)) { + // Support ssl=True from mysqlclient 2.2.4. + // for compatibility with PyMySQL and mysqlclient==2.2.1&libmariadb. + ssl_mode_num = SSLMODE_REQUIRED; + ssl_mode_set = 1; + } else { + ssl_mode_num = SSLMODE_DISABLED; + ssl_mode_set = 1; + } } if (ssl_mode) { if ((ssl_mode_num = _get_ssl_mode_num(ssl_mode)) <= 0) { PyErr_SetString(_mysql_NotSupportedError, "Unknown ssl_mode specification"); return -1; } + ssl_mode_set = 1; } conn = mysql_init(&(self->connection)); @@ -531,7 +543,7 @@ _mysql_ConnectionObject_Initialize( mysql_options(&(self->connection), MYSQL_OPT_SSL_CIPHER, cipher); } - if (ssl_mode) { + if (ssl_mode_set) { #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num); #else diff --git a/src/MySQLdb/connections.py b/src/MySQLdb/connections.py index 4fa762d..c713229 100644 --- a/src/MySQLdb/connections.py +++ b/src/MySQLdb/connections.py 
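Review bot: In the hunk at -470, the final `else` branch selects `SSLMODE_DISABLED` for every falsy non-mapping `ssl`, which would include `ssl=None` if the argument parsing (outside this hunk) passes `Py_None` through. A caller using `ssl=None` to mean "not specified" would then have TLS switched off explicitly, even on a client library that the commit message says uses ssl by default. Narrowing the branch, for example `} else if (ssl != Py_None) {`, keeps `ssl=False` as the deliberate opt-out without that silent downgrade. `PyObject_IsTrue()` can also return -1 with an exception set, which this chain treats as true; storing the result and adding `if (truthy < 0) return -1;` would avoid choosing REQUIRED with an error pending. The function body starts and ends outside the hunk.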
@@ -134,6 +134,8 @@ class object, used to create cursors (keyword only) see the MySQL documentation for more details (mysql_ssl_set()). If this is set, and the client does not support SSL, NotSupportedError will be raised. + Since mysqlclient 2.2.4, ssl=True is alias of ssl_mode=REQUIRED + for better compatibility with PyMySQL and MariaDB. :param bool local_infile: enables LOAD LOCAL INFILE; zero disables From 9fd238b9e3105dcbed2b009a916828a38d1f0904 Mon Sep 17 00:00:00 2001 From: Inada Naoki Date: Fri, 9 Feb 2024 00:35:16 +0900 Subject: [PATCH 2/2] release 2.2.4 (#701) --- HISTORY.rst | 11 +++++++++++ src/MySQLdb/release.py | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/HISTORY.rst b/HISTORY.rst index b57251c..3dca31c 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -1,3 +1,14 @@ +====================== + What's new in 2.2.4 +====================== + +Release: 2024-02-09 + +* Support ``ssl=True`` in ``connect()``. (#700) + This makes better compatibility with PyMySQL and mysqlclient==2.2.1 + with libmariadb. See #698 for detail. + + ====================== What's new in 2.2.3 ====================== diff --git a/src/MySQLdb/release.py b/src/MySQLdb/release.py index 6bc1089..35d53e2 100644 --- a/src/MySQLdb/release.py +++ b/src/MySQLdb/release.py @@ -1,3 +1,3 @@ __author__ = "Inada Naoki " -__version__ = "2.2.3" -version_info = (2, 2, 3, "final", 0) +__version__ = "2.2.4" +version_info = (2, 2, 4, "final", 0)
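Review bot: The docstring lines added in the `connections.py` hunk call `ssl=True` an alias of `ssl_mode=REQUIRED` but do not say that, in MySQL's ssl-mode semantics, REQUIRED only demands an encrypted channel and does not verify the server certificate or host name. Someone who sets `ssl=True` for security may assume the server is authenticated, so I would add a sentence such as `REQUIRED does not verify the server certificate; use ssl_mode="VERIFY_CA" or "VERIFY_IDENTITY" to authenticate the server.` The docstring also omits that a false non-mapping value now selects DISABLED, which the `_mysql.c` change in this patch implements. The enclosing docstring starts and ends outside the hunk.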