CONC-544: restrict authentication plugins

Added new option MARIADB_OPT_RESTRICTED_AUTH (and corresponding "restricted-auth" option for configuration files) which specifies on or more comma spearated authentication plugins which are allowed for authenication. If the server asks for an authentication plugin not listed in this option the connect attempt will fail with error CR_PLUGIN_NOT_ALLOWED.
2025-08-08 14:02:17 +03:00 · 2021-09-14 06:24:56 +02:00
parent fc9bfcd80a
commit 7e0be5a919
7 changed files with 90 additions and 2 deletions
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -666,6 +666,7 @@ struct st_default_options mariadb_defaults[] =
  {MYSQL_SERVER_PUBLIC_KEY, MARIADB_OPTION_STR, "server-public-key"},
  {MYSQL_OPT_BIND, MARIADB_OPTION_STR, "bind-address"},
  {MYSQL_OPT_SSL_ENFORCE, MARIADB_OPTION_BOOL, "ssl-enforce"},
+  {MARIADB_OPT_RESTRICTED_AUTH, MARIADB_OPTION_STR, "restricted-auth"},
  {0, 0, NULL}
 };

@@ -1999,6 +2000,7 @@ static void mysql_close_options(MYSQL *mysql)
      ma_hashtbl_free(&mysql->options.extension->connect_attrs);
    if (ma_hashtbl_inited(&mysql->options.extension->userdata))
      ma_hashtbl_free(&mysql->options.extension->userdata);
+    free(mysql->options.extension->restricted_auth);

  }
  free(mysql->options.extension);
@@ -3367,6 +3369,9 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
  case MARIADB_OPT_SKIP_READ_RESPONSE:
    OPT_SET_EXTENDED_VALUE_INT(&mysql->options, skip_read_response, *(my_bool *)arg1);
    break;
+  case MARIADB_OPT_RESTRICTED_AUTH:
+    OPT_SET_EXTENDED_VALUE_STR(&mysql->options, restricted_auth, (char *)arg1);
+    break;
  default:
    va_end(ap);
    SET_CLIENT_ERROR(mysql, CR_NOT_IMPLEMENTED, SQLSTATE_UNKNOWN, 0);