From fadbfba5b4caa185a3ec9af2e997d5db2071f02a Mon Sep 17 00:00:00 2001 
From: GreaterFire <32649575+GreaterFire@users.noreply.github.com> Date: Sun, 22 Mar 2020 13:01:59 -0700 Subject: [PATCH 1/2] Squashed commit of the following: commit 2be23c8d46a1e5370e256ec26e3ccf92bcf5fc07 Author: memorz Date: Sat Mar 14 23:11:24 2020 +0800 Update src/core/authenticator.cpp Co-Authored-By: GreaterFire <32649575+GreaterFire@users.noreply.github.com> commit 1e11110854eec9d31d6605c7414ff73d213fbc35 Author: memorz Date: Sat Mar 14 23:10:36 2020 +0800 Update docs/authenticator.md good Co-Authored-By: GreaterFire <32649575+GreaterFire@users.noreply.github.com> commit 17a85490c703cbdd89dab63297ebb91cd44bd202 Author: memorz Date: Wed Mar 4 15:12:44 2020 +0800 Update authenticator.cpp commit ec1bd60ca1e98ae9b2e8d9cbffb6357b0a8fbbfd Author: memorz Date: Sat Feb 29 20:56:47 2020 +0800 Update src/core/config.cpp good Co-Authored-By: Syrone Wong commit 332fb53ffc2394f353beb6157146380c0c5af507 Author: memorz Date: Sat Feb 29 20:56:31 2020 +0800 Update src/core/authenticator.cpp good Co-Authored-By: Syrone Wong commit 20c206a6cd95d67b1ceb4621ca8ad912a69719b0 Author: memorz Date: Sat Feb 29 14:58:47 2020 +0800 add config options description add config options description about secure connect to mysql commit 376a597d651f03c6d33707becc3706e839673b22 Author: memorz Date: Sat Feb 29 14:53:37 2020 +0800 read the config about secure connect to mysql read the config about secure connect to mysql commit 718aeb8aaf45d28d7264e5cbc091b27a9ede40cb Author: memorz Date: Sat Feb 29 14:52:14 2020 +0800 add some head about secure connect add some head about secure connect commit b3a26ac4baab102853aeb3c7c992cd81329721b5 Author: memorz Date: Sat Feb 29 14:50:14 2020 +0800 add secure connect(TLS) to mysql add secure connect(TLS) to mysql commit 9a048e4fde152f6b964b18c142ed6a25b7ccee4e Author: memorz Date: Sat Feb 29 14:46:44 2020 +0800 add config description add config description commit 9264b26b3b8c3d7eab4dc4217bd5804834f951b5 Author: memorz Date: Sat Feb 29 14:44:21 2020 +0800 add 
mysql secure connect config options add mysql secure connect config options
---
 docs/authenticator.md | 6 ++++--
 docs/config.md | 4 +++-
 examples/server.json-example | 4 +++-
 src/core/authenticator.cpp | 6 ++++++
 src/core/config.cpp | 2 ++
 src/core/config.h | 2 ++
 6 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/docs/authenticator.md b/docs/authenticator.md
index 4217b86d..d6bf2a86 100644
--- a/docs/authenticator.md
+++ b/docs/authenticator.md
@@ -1,6 +1,6 @@
 # Authenticator
-Trojan servers can authenticate users according to not only passwords in the config file but also entries in a MySQL (MariaDB) database. To turn this functionality on, set `enabled` field in the MySQL config to `true` and correctly configure the server address and credentials, etc:
+Trojan servers can authenticate users according to not only passwords in the config file but also entries in a MySQL (MariaDB) database. To turn this functionality on, set `enabled` field in the MySQL config to `true` and correctly configure the server address, credentials, and etc. If you would like to connect to the database securely, you can to fill the `cafile` and/or the `tls_version` field (refer to [MySQL Documentation](https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html)):
 ```json
 "mysql": {
@@ -9,7 +9,9 @@ Trojan servers can authenticate users according to not only passwords in the con
 "server_port": 3306,
 "database": "trojan",
 "username": "trojan",
- "password": ""
+ "password": "",
+ "cafile": "",
+ "tls_version": ""
 }
 ```
diff --git a/docs/config.md b/docs/config.md
index 403df992..96b1988b 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -195,7 +195,9 @@ The NAT config is for transparent proxy. You'll need to [setup iptables rules](h
 "server_port": 3306,
 "database": "trojan",
 "username": "trojan",
- "password": ""
+ "password": "",
+ "cafile": "",
+ "tls_version": ""
 }
 }
 ```
diff --git a/examples/server.json-example b/examples/server.json-example
index be5522c3..2162acde 100644
--- a/examples/server.json-example
+++ b/examples/server.json-example
@@ -40,6 +40,8 @@
 "server_port": 3306,
 "database": "trojan",
 "username": "trojan",
- "password": ""
+ "password": "",
+ "cafile": "",
+ "tls_version": ""
 }
 }
diff --git a/src/core/authenticator.cpp b/src/core/authenticator.cpp
index b72c86ef..1abe21c1 100644
--- a/src/core/authenticator.cpp
+++ b/src/core/authenticator.cpp
@@ -27,6 +27,12 @@ using namespace std;
 Authenticator::Authenticator(const Config &config) {
 mysql_init(&con);
 Log::log_with_date_time("connecting to MySQL server " + config.mysql.server_addr + ':' + to_string(config.mysql.server_port), Log::INFO);
+ if (config.mysql.cafile != "") {
+ mysql_options(&con, MYSQL_OPT_SSL_CA, config.mysql.cafile.c_str());
+ }
+ if (config.mysql.tls_version != "") {
+ mysql_optionsv(&con, MARIADB_OPT_TLS_VERSION, config.mysql.tls_version.c_str());
+ }
 if (mysql_real_connect(&con, config.mysql.server_addr.c_str(),
 config.mysql.username.c_str(),
 config.mysql.password.c_str(),
diff --git a/src/core/config.cpp b/src/core/config.cpp
index ed29c2e4..a363063e 100644
--- a/src/core/config.cpp
+++ b/src/core/config.cpp
@@ -98,6 +98,8 @@ void Config::populate(const ptree &tree) {
 mysql.database = tree.get("mysql.database", string("trojan"));
 mysql.username = tree.get("mysql.username", string("trojan"));
 mysql.password = tree.get("mysql.password", string());
+ mysql.cafile = tree.get("mysql.cafile", string());
+ mysql.tls_version = tree.get("mysql.tls_version", string());
 }
 bool Config::sip003() {
diff --git a/src/core/config.h b/src/core/config.h
index 4f1f9f5e..50b29321 100644
--- a/src/core/config.h
+++ b/src/core/config.h
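Review bot: Both `mysql_options` and `mysql_optionsv` return non-zero when the linked client library does not recognise the option, and the six added lines discard that result, so a rejected `MYSQL_OPT_SSL_CA` or `MARIADB_OPT_TLS_VERSION` silently leaves the session unencrypted and the database password still reaches `mysql_real_connect` in clear text. Check each call and abort instead of continuing, e.g. `if (mysql_options(&con, MYSQL_OPT_SSL_CA, config.mysql.cafile.c_str()) != 0) throw runtime_error(mysql_error(&con));`. `mysql_optionsv` and `MARIADB_OPT_TLS_VERSION` look like MariaDB Connector/C-only names, so against Oracle's libmysqlclient that second branch is presumably the one that would not even compile. The constructor's body continues past the hunk.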
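Review bot: The two new `tree.get` lines fall back to an empty string, and nothing here records that an empty `cafile` makes the authenticator skip TLS entirely (its guard elsewhere in this patch is `if (config.mysql.cafile != "")`), sending the MySQL password and every credential lookup in clear text. Add a why-comment above `mysql.cafile`: `// Empty (the default) leaves the MySQL connection unencrypted; a CA bundle path turns TLS on.` The path is also not checked for readability at load time, so a typo only surfaces when the authenticator connects; a quick `std::ifstream` probe with a log line here would fail faster. `Config::populate` begins above the hunk.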
@@ -78,6 +78,8 @@ class Config {
 std::string database;
 std::string username;
 std::string password;
+ std::string cafile;
+ std::string tls_version;
 } mysql;
 void load(const std::string &filename);
 void populate(const std::string &JSON);

From 0b92c6c091738c27548c4908fc1f06b039da5372 Mon Sep 17 00:00:00 2001
From: GreaterFire <32649575+GreaterFire@users.noreply.github.com>
Date: Sun, 22 Mar 2020 13:32:37 -0700
Subject: [PATCH 2/2] Minor fixes to MySQL SSL support

---
 docs/authenticator.md | 5 ++---
 docs/config.md | 3 +--
 examples/server.json-example | 5 ++---
 src/core/authenticator.cpp | 5 +----
 src/core/config.cpp | 1 -
 src/core/config.h | 1 -
 tests/LinuxSmokeTest/server.json | 3 ++-
 7 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/docs/authenticator.md b/docs/authenticator.md
index d6bf2a86..ab84a719 100644
--- a/docs/authenticator.md
+++ b/docs/authenticator.md
@@ -1,6 +1,6 @@
 # Authenticator
-Trojan servers can authenticate users according to not only passwords in the config file but also entries in a MySQL (MariaDB) database. To turn this functionality on, set `enabled` field in the MySQL config to `true` and correctly configure the server address, credentials, and etc. If you would like to connect to the database securely, you can to fill the `cafile` and/or the `tls_version` field (refer to [MySQL Documentation](https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html)):
+Trojan servers can authenticate users according to not only passwords in the config file but also entries in a MySQL (MariaDB) database. To turn this functionality on, set `enabled` field in the MySQL config to `true` and correctly configure the server address, credentials, and etc. If you would like to connect to the database securely, you can to fill the `cafile` field indicating the CA file:
 ```json
 "mysql": {
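Review bot: The two new members carry no comment, and for a security-relevant knob the header should state what the empty default means: `std::string cafile;      // CA bundle path for TLS to MySQL; empty (default) = unencrypted connection` and `std::string tls_version; // TLS version string handed to the client library; empty = library default`. Both values are read verbatim from the config file and only interpreted in the authenticator, so this is the one place a maintainer sees the contract. The enclosing `class Config` starts above the hunk.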
@@ -10,8 +10,7 @@ Trojan servers can authenticate users according to not only passwords in the con
 "database": "trojan",
 "username": "trojan",
 "password": "",
- "cafile": "",
- "tls_version": ""
+ "cafile": ""
 }
 ```
diff --git a/docs/config.md b/docs/config.md
index 96b1988b..83f752d2 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -196,8 +196,7 @@ The NAT config is for transparent proxy. You'll need to [setup iptables rules](h
 "database": "trojan",
 "username": "trojan",
 "password": "",
- "cafile": "",
- "tls_version": ""
+ "cafile": ""
 }
 }
 ```
diff --git a/examples/server.json-example b/examples/server.json-example
index 2162acde..fb201ca6 100644
--- a/examples/server.json-example
+++ b/examples/server.json-example
@@ -40,8 +40,7 @@
 "server_port": 3306,
 "database": "trojan",
 "username": "trojan",
- "password": "",
- "cafile": "",
- "tls_version": ""
+ "password": "",
+ "cafile": ""
 }
 }
diff --git a/src/core/authenticator.cpp b/src/core/authenticator.cpp
index 1abe21c1..a9d0051e 100644
--- a/src/core/authenticator.cpp
+++ b/src/core/authenticator.cpp
@@ -28,10 +28,7 @@ Authenticator::Authenticator(const Config &config) {
 mysql_init(&con);
 Log::log_with_date_time("connecting to MySQL server " + config.mysql.server_addr + ':' + to_string(config.mysql.server_port), Log::INFO);
 if (config.mysql.cafile != "") {
- mysql_options(&con, MYSQL_OPT_SSL_CA, config.mysql.cafile.c_str());
- }
- if (config.mysql.tls_version != "") {
- mysql_optionsv(&con, MARIADB_OPT_TLS_VERSION, config.mysql.tls_version.c_str());
+ mysql_ssl_set(&con, NULL, NULL, config.mysql.cafile.c_str(), NULL, NULL);
 }
 if (mysql_real_connect(&con, config.mysql.server_addr.c_str(),
 config.mysql.username.c_str(),
diff --git a/src/core/config.cpp b/src/core/config.cpp
index a363063e..753c565c 100644
--- a/src/core/config.cpp
+++ b/src/core/config.cpp
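Review bot: `mysql_ssl_set` with only a CA path does not, on its own, make the client refuse a server whose certificate fails to chain to that CA, and it does not stop a fallback to an unencrypted session when the server declines TLS: with libmysqlclient the session mode stays at the documented default (`SSL_MODE_PREFERRED`) unless `MYSQL_OPT_SSL_MODE` is set, and with MariaDB Connector/C certificate verification is off unless `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` is set, so an on-path attacker can impersonate or downgrade the database and collect the credentials passed to `mysql_real_connect` plus every password lookup this authenticator performs. When `cafile` is configured, enforce verification right after the `mysql_ssl_set` line, e.g. `my_bool verify = 1; mysql_options(&con, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);` for MariaDB Connector/C (which the `mysql_optionsv` call removed here suggests is the linked library) or `unsigned int mode = SSL_MODE_VERIFY_CA; mysql_options(&con, MYSQL_OPT_SSL_MODE, &mode);` for libmysqlclient 5.7.11+, and check the return value. Hostname matching (`SSL_MODE_VERIFY_IDENTITY`) is the natural next step since `server_addr` is already known here. The constructor's body continues past the hunk.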
@@ -99,7 +99,6 @@ void Config::populate(const ptree &tree) {
 mysql.username = tree.get("mysql.username", string("trojan"));
 mysql.password = tree.get("mysql.password", string());
 mysql.cafile = tree.get("mysql.cafile", string());
- mysql.tls_version = tree.get("mysql.tls_version", string());
 }
 bool Config::sip003() {
diff --git a/src/core/config.h b/src/core/config.h
index 50b29321..abe89882 100644
--- a/src/core/config.h
+++ b/src/core/config.h
@@ -79,7 +79,6 @@ class Config {
 std::string username;
 std::string password;
 std::string cafile;
- std::string tls_version;
 } mysql;
 void load(const std::string &filename);
 void populate(const std::string &JSON);
diff --git a/tests/LinuxSmokeTest/server.json b/tests/LinuxSmokeTest/server.json
index aa2acb37..37f24a8a 100644
--- a/tests/LinuxSmokeTest/server.json
+++ b/tests/LinuxSmokeTest/server.json
@@ -35,6 +35,7 @@
 "server_port": 0,
 "database": "",
 "username": "",
- "password": ""
+ "password": "",
+ "cafile": ""
 }
 }