From 89511eef44a9a1ba1d02358c97997ef9073572a8 Mon Sep 17 00:00:00 2001 From: Inada Naoki Date: Tue, 12 Nov 2024 19:06:52 +0900 Subject: [PATCH 1/3] windows: use DEFAULT_SSL_VERIFY_SERVER_CERT=0 option (#731) --- .github/workflows/windows.yaml | 25 ++++++++++++++++---- src/MySQLdb/_mysql.c | 42 +++++++++++++++++++--------------- 2 files changed, 44 insertions(+), 23 deletions(-) diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml index e884493..f8dbf87 100644 --- a/.github/workflows/windows.yaml +++ b/.github/workflows/windows.yaml @@ -17,7 +17,7 @@ jobs: uses: actions/cache@v4 with: path: c:/mariadb-connector - key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win + key: mariadb-connector-c-${{ env.CONNECTOR_VERSION }}-win-2 - name: Download and Unzip Connector if: steps.cache-connector.outputs.cache-hit != 'true' @@ -27,15 +27,32 @@ jobs: unzip "mariadb-connector-c-${CONNECTOR_VERSION}-src.zip" -d c:/ mv "c:/mariadb-connector-c-${CONNECTOR_VERSION}-src" c:/mariadb-connector-src - - name: Build Connector + - name: make build directory if: steps.cache-connector.outputs.cache-hit != 'true' shell: cmd working-directory: c:/mariadb-connector-src run: | mkdir build - cd build - cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static + + - name: cmake + if: steps.cache-connector.outputs.cache-hit != 'true' + shell: cmd + working-directory: c:/mariadb-connector-src/build + run: | + cmake -A x64 .. -DCMAKE_BUILD_TYPE=Release -DCLIENT_PLUGIN_DIALOG=static -DCLIENT_PLUGIN_SHA256_PASSWORD=static -DCLIENT_PLUGIN_CACHING_SHA2_PASSWORD=static -DDEFAULT_SSL_VERIFY_SERVER_CERT=0 + + - name: cmake build + if: steps.cache-connector.outputs.cache-hit != 'true' + shell: cmd + working-directory: c:/mariadb-connector-src/build + run: | cmake --build . -j 8 --config Release + + - name: cmake install + if: steps.cache-connector.outputs.cache-hit != 'true' + shell: cmd + working-directory: c:/mariadb-connector-src/build + run: | cmake -DCMAKE_INSTALL_PREFIX=c:/mariadb-connector -DCMAKE_INSTALL_COMPONENT=Development -DCMAKE_BUILD_TYPE=Release -P cmake_install.cmake - name: Checkout mysqlclient diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c index b9ec1c1..1468f3e 100644 --- a/src/MySQLdb/_mysql.c +++ b/src/MySQLdb/_mysql.c @@ -543,23 +543,30 @@ _mysql_ConnectionObject_Initialize( mysql_options(&(self->connection), MYSQL_OPT_SSL_CIPHER, cipher); } - if (ssl_mode_set) { #ifdef HAVE_ENUM_MYSQL_OPT_SSL_MODE + if (ssl_mode_set) { mysql_options(&(self->connection), MYSQL_OPT_SSL_MODE, &ssl_mode_num); + } #else - // MariaDB doesn't support MYSQL_OPT_SSL_MODE. - // See https://github.com/PyMySQL/mysqlclient/issues/474 - // TODO: Does MariaDB supports PREFERRED and VERIFY_CA? - // We support only two levels for now. - my_bool enforce_tls = 1; - if (ssl_mode_num >= SSLMODE_REQUIRED) { - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls); - } - if (ssl_mode_num >= SSLMODE_VERIFY_CA) { - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&enforce_tls); - } -#endif + // MariaDB doesn't support MYSQL_OPT_SSL_MODE. + // See https://github.com/PyMySQL/mysqlclient/issues/474 + // And MariDB 11.4 changed the default value of MYSQL_OPT_SSL_ENFORCE and + // MYSQL_OPT_SSL_VERIFY_SERVER_CERT to 1. + // https://github.com/mariadb-corporation/mariadb-connector-c/commit/8dffd56936df3d03eeccf47904773860a0cdeb57 + // We emulate the ssl_mode and old behavior. + my_bool my_true = 1; + my_bool my_false = 0; + if (ssl_mode_num >= SSLMODE_REQUIRED) { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_true); + } else { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_false); + } + if (ssl_mode_num >= SSLMODE_VERIFY_CA) { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_true); + } else { + mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false); } +#endif if (charset) { mysql_options(&(self->connection), MYSQL_SET_CHARSET_NAME, charset); @@ -573,12 +580,9 @@ _mysql_ConnectionObject_Initialize( port, unix_socket, client_flag); Py_END_ALLOW_THREADS - if (ssl) { - int i; - for (i=0; i Date: Tue, 12 Nov 2024 20:52:23 +0900 Subject: [PATCH 2/3] support server_public_key_path option. (#744) fix #682 --- doc/user_guide.rst | 4 +++ src/MySQLdb/_mysql.c | 53 ++++++++++++++++++++++++++------------ src/MySQLdb/connections.py | 4 +++ 3 files changed, 44 insertions(+), 17 deletions(-) diff --git a/doc/user_guide.rst b/doc/user_guide.rst index ab33615..8c76417 100644 --- a/doc/user_guide.rst +++ b/doc/user_guide.rst @@ -393,6 +393,10 @@ connect(parameters...) an exception is raised. *This must be a keyword parameter.* + server_public_key_path + specifies path to a RSA public key used by caching sha2 password authentication. + See https://dev.mysql.com/doc/refman/9.0/en/caching-sha2-pluggable-authentication.html + .. _mysql_ssl_set: http://dev.mysql.com/doc/refman/en/mysql-ssl-set.html diff --git a/src/MySQLdb/_mysql.c b/src/MySQLdb/_mysql.c index 1468f3e..d6df4df 100644 --- a/src/MySQLdb/_mysql.c +++ b/src/MySQLdb/_mysql.c @@ -36,13 +36,18 @@ PERFORMANCE OF THIS SOFTWARE. #endif #if ((MYSQL_VERSION_ID >= 50555 && MYSQL_VERSION_ID <= 50599) || \ -(MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID <= 50699) || \ -(MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID <= 50799) || \ -(MYSQL_VERSION_ID >= 80000)) && \ -!defined(MARIADB_BASE_VERSION) && !defined(MARIADB_VERSION_ID) + (MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID <= 50699) || \ + (MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID <= 50799) || \ + (MYSQL_VERSION_ID >= 80000)) && \ + !defined(MARIADB_BASE_VERSION) && !defined(MARIADB_VERSION_ID) #define HAVE_ENUM_MYSQL_OPT_SSL_MODE #endif +#if defined(MARIADB_VERSION_ID) && MARIADB_VERSION_ID >= 100403 || \ + !defined(MARIADB_VERSION_ID) && MYSQL_VERSION_ID >= 50723 +#define HAVE_MYSQL_SERVER_PUBLIC_KEY +#endif + #define PY_SSIZE_T_CLEAN 1 #include "Python.h" @@ -431,7 +436,7 @@ _mysql_ConnectionObject_Initialize( "client_flag", "ssl", "ssl_mode", "local_infile", "read_timeout", "write_timeout", "charset", - "auth_plugin", + "auth_plugin", "server_public_key_path", NULL } ; int connect_timeout = 0; int read_timeout = 0; @@ -442,14 +447,15 @@ _mysql_ConnectionObject_Initialize( *read_default_file=NULL, *read_default_group=NULL, *charset=NULL, - *auth_plugin=NULL; + *auth_plugin=NULL, + *server_public_key_path=NULL; self->converter = NULL; self->open = false; self->reconnect = false; if (!PyArg_ParseTupleAndKeywords(args, kwargs, - "|ssssisOiiisssiOsiiiss:connect", + "|ssssisOiiisssiOsiiisss:connect", kwlist, &host, &user, &passwd, &db, &port, &unix_socket, &conv, @@ -462,10 +468,19 @@ _mysql_ConnectionObject_Initialize( &read_timeout, &write_timeout, &charset, - &auth_plugin + &auth_plugin, + &server_public_key_path )) return -1; +#ifndef HAVE_MYSQL_SERVER_PUBLIC_KEY + if (server_public_key_path) { + PyErr_SetString(_mysql_NotSupportedError, "server_public_key_path is not supported"); + return -1; + } +#endif + // For compatibility with PyPy, we need to keep strong reference + // to unicode objects until we use UTF8. #define _stringsuck(d,t,s) {t=PyMapping_GetItemString(s,#d);\ if(t){d=PyUnicode_AsUTF8(t);ssl_keepref[n_ssl_keepref++]=t;}\ PyErr_Clear();} @@ -542,6 +557,10 @@ _mysql_ConnectionObject_Initialize( mysql_options(&(self->connection), MYSQL_OPT_SSL_CAPATH, capath); mysql_options(&(self->connection), MYSQL_OPT_SSL_CIPHER, cipher); } + for (int i=0 ; i= SSLMODE_REQUIRED) { - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_true); + mysql_options(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_true); } else { - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_false); + mysql_options(&(self->connection), MYSQL_OPT_SSL_ENFORCE, (void *)&my_false); } if (ssl_mode_num >= SSLMODE_VERIFY_CA) { - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_true); + mysql_options(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_true); } else { - mysql_optionsv(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false); + mysql_options(&(self->connection), MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (void *)&my_false); } #endif @@ -574,17 +593,17 @@ _mysql_ConnectionObject_Initialize( if (auth_plugin) { mysql_options(&(self->connection), MYSQL_DEFAULT_AUTH, auth_plugin); } +#ifdef HAVE_MYSQL_SERVER_PUBLIC_KEY + if (server_public_key_path) { + mysql_options(&(self->connection), MYSQL_SERVER_PUBLIC_KEY, server_public_key_path); + } +#endif Py_BEGIN_ALLOW_THREADS conn = mysql_real_connect(&(self->connection), host, user, passwd, db, port, unix_socket, client_flag); Py_END_ALLOW_THREADS - for (int i=0; i Date: Wed, 13 Nov 2024 13:22:52 +0900 Subject: [PATCH 3/3] release v2.2.6 (#745) --- HISTORY.rst | 13 +++++++++++++ pyproject.toml | 1 - src/MySQLdb/release.py | 4 ++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/HISTORY.rst b/HISTORY.rst index 1c795bf..bc95c77 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -1,3 +1,16 @@ +====================== + What's new in 2.2.6 +====================== + +Release: 2024-11-12 + +* MariaDB Connector/C 3.4 and MairaDB 11.4 enabled SSL and CA verification by default. + It affected 2.2.5 windows wheel. This release disables SSL and CA verification by default. (#731) + +* Add ``server_public_key_path`` option. It is needed to connect MySQL server with + ``sha256_password`` or ``caching_sha2_password`` authentication plugin without + secure connection. (#744) + ====================== What's new in 2.2.5 ====================== diff --git a/pyproject.toml b/pyproject.toml index 1976248..d786f33 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,5 @@ [project] name = "mysqlclient" -# version = "2.2.0dev0" description = "Python interface to MySQL" readme = "README.md" requires-python = ">=3.8" diff --git a/src/MySQLdb/release.py b/src/MySQLdb/release.py index a1b63f6..0b16844 100644 --- a/src/MySQLdb/release.py +++ b/src/MySQLdb/release.py @@ -1,3 +1,3 @@ __author__ = "Inada Naoki " -__version__ = "2.2.5" -version_info = (2, 2, 5, "final", 0) +__version__ = "2.2.6" +version_info = (2, 2, 6, "final", 0)