From 76e643e7e3ebff679407255f66eafae790912f31 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 16 Jul 2015 13:14:49 +0300
Subject: Refactor proposed changes from PR #3896

---
 system/database/drivers/mysqli/mysqli_driver.php | 72 +++++++++---------------
 1 file changed, 28 insertions(+), 44 deletions(-)

(limited to 'system/database')

diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php
index 61a37bd03..82abf4e73 100644
--- a/system/database/drivers/mysqli/mysqli_driver.php
+++ b/system/database/drivers/mysqli/mysqli_driver.php
@@ -86,21 +86,6 @@ class CI_DB_mysqli_driver extends CI_DB {
 	 */
 	public $stricton = FALSE;
 
-	/**
-	 * Used to set various SSL options that can be used when making SSL connections.
-	 *
-	 * @see http://php.net/manual/en/mysqli.ssl-set.php		Documentation for MySQLi
-	 *
-	 * @var array
-	 */
-	public $ssl_options = array(
-			"ssl_key"    => '', // The path name to the key file.
-			"ssl_cert"   => '', // The path name to the certificate file.
-			"ssl_ca"     => '', // The path name to the certificate authority file.
-			"ssl_capath" => '', // The pathname to a directory that contains trusted SSL CA certificates in PEM format.
-			"ssl_cipher" => '' // A list of allowable ciphers to use for SSL encryption.
-	);
-
 	// --------------------------------------------------------------------
 
 	/**
@@ -117,7 +102,6 @@ class CI_DB_mysqli_driver extends CI_DB {
 	 *
 	 * @param	bool	$persistent
 	 * @return	object
-	 * @todo	SSL support
 	 */
 	public function db_connect($persistent = FALSE)
 	{
@@ -147,45 +131,45 @@ class CI_DB_mysqli_driver extends CI_DB {
 			$mysqli->options(MYSQLI_INIT_COMMAND, 'SET SESSION sql_mode="STRICT_ALL_TABLES"');
 		}
 
-		if ($this->encrypt === TRUE)
+		if (is_array($this->encrypt))
 		{
-			$ssl_key    = array_key_exists('ssl_key', $this->ssl_options) ? $this->ssl_options['ssl_key'] : '';
-			$ssl_cert   = array_key_exists('ssl_cert', $this->ssl_options) ? $this->ssl_options['ssl_cert'] : '';
-			$ssl_ca     = array_key_exists('ssl_ca', $this->ssl_options) ? $this->ssl_options['ssl_ca'] : '';
-			$ssl_capath = array_key_exists('ssl_capath', $this->ssl_options) ? $this->ssl_options['ssl_capath'] : '';
-			$ssl_cipher = array_key_exists('ssl_cipher', $this->ssl_options) ? $this->ssl_options['ssl_cipher'] : '';
-
-			$mysqli->ssl_set($ssl_key, $ssl_cert, $ssl_ca, $ssl_capath, $ssl_cipher);
-			$client_flags |= MYSQLI_CLIENT_SSL;
+			$ssl = array();
+			empty($this->encrypt['ssl_key'])    OR $ssl['key']    = $this->encrypt['ssl_key'];
+			empty($this->encrypt['ssl_cert'])   OR $ssl['cert']   = $this->encrypt['ssl_cert'];
+			empty($this->encrypt['ssl_ca'])     OR $ssl['ca']     = $this->encrypt['ssl_ca'];
+			empty($this->encrypt['ssl_capath']) OR $ssl['capath'] = $this->encrypt['ssl_capath'];
+			empty($this->encrypt['ssl_cipher']) OR $ssl['cipher'] = $this->encrypt['ssl_cipher'];
+
+			if ( ! empty($ssl))
+			{
+				$client_flags |= MYSQLI_CLIENT_SSL;
+				$mysqli->ssl_set(
+					isset($ssl['key'])    ? $ssl['key']    : NULL,
+					isset($ssl['cert'])   ? $ssl['cert']   : NULL,
+					isset($ssl['ca'])     ? $ssl['ca']     : NULL,
+					isset($ssl['capath']) ? $ssl['capath'] : NULL,
+					isset($ssl['cipher']) ? $ssl['cipher'] : NULL
+				);
+			}
 		}
 
-		$connected = @$mysqli->real_connect($hostname, $this->username, $this->password, $this->database, $port, $socket, $client_flags);
-
-		if ($connected)
+		if ($mysqli->real_connect($hostname, $this->username, $this->password, $this->database, $port, $socket, $client_flags))
 		{
-			// If SSL was requested we want to do some checking and log an error if an SSL connection wasn't established.
-			if ($this->encrypt === TRUE)
+			// Prior to version 5.7.3, MySQL silently downgrades to an unencrypted connection if SSL setup fails
+			if (($client_flags & MYSQLI_CLIENT_SSL) && version_compare($mysqli->client_info, '5.7.3', '<='))
 			{
-				$res        = $mysqli->query("SHOW STATUS LIKE 'ssl_cipher';");
-				$ssl_status = $res->fetch_row();
-
-				if ($ssl_status[1] == '')
+				$ssl = $mysqli->query("SHOW STATUS LIKE 'ssl_cipher'")->fetch_row();
+				if (empty($ssl[1]))
 				{
-					log_message('error',
-							"Problem With MySQLi SSL: An SSL connection was requested but the resulting connection is not using SSL!");
+					$mysqli->close();
+					$message = 'MySQLi was configured for an SSL connection, but got an unencrypted connection instead!';
+					log_message('error', $message);
+					return ($this->db->db_debug) ? $this->db->display_error($message, '', TRUE) : FALSE;
 				}
 			}
 
 			return $mysqli;
 		}
-		else
-		{
-			if ($mysqli->connect_errno)
-			{
-				log_message('error',
-						'msqli connect failed, error: ' . mysqli_connect_error() . " | " . $mysqli->connect_error . " | " . $mysqli->connect_errno);
-			}
-		}
 
 		return FALSE;
 	}
-- 
cgit v1.2.3-24-g4f1b