Workaround for CONC-469

If no default authentication plugin was specified and the server sends preferred authentication method in server hello package client now uses servers preferred authentication method instead of using mysql_native_password. If no default authentication plugin was specified and the server didn't send an authenticatoin method client uses the default mysql_native_password plugin.
2025-08-08 14:02:17 +03:00 · 2020-05-25 11:50:04 +02:00
parent cdfecebc99
commit 37a4fd1d6d
2 changed files with 47 additions and 16 deletions
--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -547,39 +547,37 @@ static void client_mpvio_info(MYSQL_PLUGIN_VIO *vio,
 int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
                    const char *data_plugin, const char *db)
 {
-  const char    *auth_plugin_name;
+  const char    *auth_plugin_name= NULL;
  auth_plugin_t *auth_plugin;
  MCPVIO_EXT    mpvio;
  ulong		pkt_length;
  int           res;

  /* determine the default/initial plugin to use */
-  if (mysql->options.extension && mysql->options.extension->default_auth &&
-      mysql->server_capabilities & CLIENT_PLUGIN_AUTH)
+  if (mysql->server_capabilities & CLIENT_PLUGIN_AUTH)
  {
+    if (mysql->options.extension && mysql->options.extension->default_auth)
      auth_plugin_name= mysql->options.extension->default_auth;
+    else if (data_plugin)
+      auth_plugin_name= data_plugin;
+  }
+  if (!auth_plugin_name)
+  {
+    if (mysql->server_capabilities & CLIENT_PROTOCOL_41)
+       auth_plugin_name= native_password_plugin_name;
+    else
+       auth_plugin_name= "mysql_old_password";
+  }
  if (!(auth_plugin= (auth_plugin_t*) mysql_client_find_plugin(mysql,
                     auth_plugin_name, MYSQL_CLIENT_AUTHENTICATION_PLUGIN)))
    auth_plugin= &dummy_fallback_client_plugin;
-  }
-  else
-  {
-    if (mysql->server_capabilities & CLIENT_PROTOCOL_41)
-      auth_plugin= &mysql_native_password_client_plugin;
-    else
-    {
-      if (!(auth_plugin= (auth_plugin_t*)mysql_client_find_plugin(mysql,
-                         "mysql_old_password", MYSQL_CLIENT_AUTHENTICATION_PLUGIN)))
-        auth_plugin= &dummy_fallback_client_plugin;
-    }
-    auth_plugin_name= auth_plugin->name;
-  }

  mysql->net.last_errno= 0; /* just in case */

  if (data_plugin && strcmp(data_plugin, auth_plugin_name))
  {
-    /* data was prepared for a different plugin, don't show it to this one */
+    /* data was prepared for a different plugin, so we don't
+       send any data */
    data= 0;
    data_len= 0;
  }
--- a/unittest/libmariadb/connection.c
+++ b/unittest/libmariadb/connection.c
@@ -1730,7 +1730,40 @@ static int test_conc443(MYSQL *my __attribute__((unused)))
  return OK;
 }

+static int test_default_auth(MYSQL *my __attribute__((unused)))
+{
+  MYSQL *mysql;
+
+  if (!is_mariadb)
+    return SKIP;
+
+  mysql= mysql_init(NULL);
+  mysql_options(mysql, MYSQL_DEFAULT_AUTH, "mysql_clear_password");
+
+  if (!mysql_real_connect(mysql, hostname, username, password, schema, port, socketname, CLIENT_REMEMBER_OPTIONS))
+  {
+    diag("Connection failed. Error: %s", mysql_error(mysql));
+    mysql_close(mysql);
+    return FAIL;
+  }
+  mysql_close(mysql);
+
+  mysql= mysql_init(NULL);
+  mysql_options(mysql, MYSQL_DEFAULT_AUTH, "caching_sha2_password");
+
+  if (!mysql_real_connect(mysql, hostname, username, password, schema, port, socketname, CLIENT_REMEMBER_OPTIONS))
+  {
+    diag("Connection failed. Error: %s", mysql_error(mysql));
+    mysql_close(mysql);
+    return FAIL;
+  
+  }
+  mysql_close(mysql);
+  return OK;
+}
+
 struct my_tests_st my_tests[] = {
+  {"test_default_auth", test_default_auth, TEST_CONNECTION_NONE, 0, NULL, NULL},
  {"test_conc443", test_conc443, TEST_CONNECTION_NONE, 0, NULL, NULL},
  {"test_conc366", test_conc366, TEST_CONNECTION_DEFAULT, 0, NULL, NULL},
  {"test_conc392", test_conc392, TEST_CONNECTION_DEFAULT, 0, NULL, NULL},