Bug #14806 X509 subject verify is broken
Submitted: 9 Nov 2005 20:53
Modified: 1 Dec 2005 6:14
Reporter: Alexander Pilipenko
Status: Duplicate
Category: MySQL Server
Severity: S2 (Serious)
Version: 4.1/5.0 4.0 seems to be OK
OS: Any (ALL)
Assigned to: Sergei Glukhov
CPU Architecture: Any

[9 Nov 2005 20:53] Alexander Pilipenko
Description:
It seems that GRANT with REQUIRE SUBJECT is broken; it does not return NO_ACCESS when the subjects don't match:

in sql/sql_acl.cc

                if (strcmp(acl_user->x509_subject,ptr))
                {
                  if (global_system_variables.log_warnings)
                    sql_print_error("X509 subject mismatch: '%s' vs '%s'",
                                    acl_user->x509_subject, ptr);
                }
                else
                  user_access=acl_user->access;
                free(ptr);
              }
              break;

REQUIRE ISSUER does not return NO_ACCESS either:

        if (strcmp(acl_user->x509_issuer, ptr))
        {
          if (global_system_variables.log_warnings)
            sql_print_information("X509 issuer mismatch: should be '%s' "
                              "but is '%s'", acl_user->x509_issuer, ptr);
          free(ptr);
          break;
        }

How to repeat:
Just say require subject='some subject' and try to connect with another one.

Suggested fix:

in sql/sql_acl.cc
   libmysqld/sql_acl.cc
  
                if (strcmp(acl_user->x509_subject,ptr))
                {
                  if (global_system_variables.log_warnings)
                    sql_print_error("X509 subject mismatch: '%s' vs '%s'",
                                    acl_user->x509_subject, ptr);
                  user_access=NO_ACCESS;
                }
                else
                  user_access=acl_user->access;
                free(ptr);

                if (strcmp(acl_user->x509_issuer, ptr))
                {
                  if (global_system_variables.log_warnings)
                    sql_print_error("X509 issuer mismatch: should be '%s' but is '%s'",
                                    acl_user->x509_issuer, ptr);
                  user_access=NO_ACCESS;
                  free(ptr);
                  break;
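
Added example (not part of the original report and not MySQL source code): a simplified C model of the check described above, showing the reported shape, where the mismatch branch never assigns the result, next to a fail-closed form. The struct `acl_entry`, both function names, the `NO_ACCESS` value and the sample DN strings are hypothetical, and the model assumes `user_access` may already hold a value from earlier in the caller.

```c
#include <stdio.h>
#include <string.h>

#define NO_ACCESS 0UL   /* constructed value for this model */

/* Hypothetical, simplified account record; not MySQL's own structure. */
struct acl_entry {
    const char *x509_issuer;    /* NULL: no REQUIRE ISSUER clause */
    const char *x509_subject;   /* NULL: no REQUIRE SUBJECT clause */
    unsigned long access;       /* privileges granted when checks pass */
};

/* Shape of the reported subject check: the mismatch branch only logs, so
 * whatever user_access held before the check is what the caller gets. */
unsigned long subject_check_reported(const struct acl_entry *u,
                                     const char *peer_subject,
                                     unsigned long user_access)
{
    if (strcmp(u->x509_subject, peer_subject))
        fprintf(stderr, "X509 subject mismatch: '%s' vs '%s'\n",
                u->x509_subject, peer_subject);
    else
        user_access = u->access;
    return user_access;
}

/* Fail-closed form: every rejection path returns NO_ACCESS explicitly and
 * access is granted only after all required fields have matched. */
unsigned long x509_check_fail_closed(const struct acl_entry *u,
                                     const char *peer_issuer,
                                     const char *peer_subject)
{
    if (u->x509_issuer &&
        (!peer_issuer || strcmp(u->x509_issuer, peer_issuer)))
        return NO_ACCESS;
    if (u->x509_subject &&
        (!peer_subject || strcmp(u->x509_subject, peer_subject)))
        return NO_ACCESS;
    return u->access;
}

int main(void)
{
    struct acl_entry u = { "/CN=Example CA", "/CN=client-a", 0x7UL };  /* constructed */
    printf("reported:    %lu\n", subject_check_reported(&u, "/CN=client-b", 0x7UL));
    printf("fail-closed: %lu\n", x509_check_fail_closed(&u, "/CN=Example CA", "/CN=client-b"));
    return 0;
}
```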

[1 Dec 2005 6:14] Sergei Glukhov
Duplicate of bug#8777