From 86e2e87fa22ace6e46353c13a09fa4b8878b7992 Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Sun, 10 Mar 2024 14:04:27 +0100
Subject: [PATCH] Follow up of fix for CONC-680: mysql_old_password is disabled by default (setting DISABLED YES), but can be used if the plugin was added to the list of restricted authentication plugins (via mysql_optionsv using option MARIADB_OPT_RESTRICTED_AUTH).
---
 CMakeLists.txt | 1 +
 cmake/plugins.cmake | 8 +++++++-
 libmariadb/ma_client_plugin.c.in | 2 ++
 plugins/auth/CMakeLists.txt | 3 ++-
 plugins/auth/my_auth.c | 9 +++++----
 unittest/libmariadb/my_test.h | 1 +
 6 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a3bea923..ed9572cb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -547,6 +547,7 @@ ENDIF() MESSAGE1(STATUS "MariaDB Connector/c configuration: -- Static PLUGINS ${PLUGINS_STATIC} -- Dynamic PLUGINS ${PLUGINS_DYNAMIC} +-- Disabled PLUGINS ${PLUGINS_DISABLED} -- CPack generation: ${CPACK_GENERATOR} -- SSL support: ${WITH_SSL} Libs: ${SSL_LIBRARIES} -- Zlib support: ${zlib_status}
diff --git a/cmake/plugins.cmake b/cmake/plugins.cmake
index 1f321b14..89f9948e 100644
--- a/cmake/plugins.cmake
+++ b/cmake/plugins.cmake
@@ -12,7 +12,7 @@ include(${CC_SOURCE_DIR}/cmake/sign.cmake) FUNCTION(REGISTER_PLUGIN) - SET(one_value_keywords TARGET DEFAULT TYPE) + SET(one_value_keywords TARGET DISABLED TYPE DEFAULT) SET(multi_value_keywords CONFIGURATIONS SOURCES LIBRARIES INCLUDES COMPILE_OPTIONS) cmake_parse_arguments(CC_PLUGIN
@@ -43,6 +43,12 @@ FUNCTION(REGISTER_PLUGIN) message(FATAL_ERROR "Invalid plugin type ${CC_PLUGIN_DEFAULT}. Allowed plugin types are ${CC_PLUGIN_CONFIGURATIONS}") endif() +# check if plugin is disabled + string(TOUPPER "${CC_PLUGIN_DISABLED}" CC_PLUGIN_DISABLED) + if("${CC_PLUGIN_DISABLED}" STREQUAL "YES") + set(PLUGINS_DISABLED ${PLUGINS_DISABLED} ${CC_PLUGIN_TARGET} PARENT_SCOPE) + endif() + if(NOT ${CC_PLUGIN_DEFAULT} STREQUAL "OFF") set(PLUGIN_${CC_PLUGIN_TARGET}_TYPE ${CC_PLUGIN_TYPE})
diff --git a/libmariadb/ma_client_plugin.c.in b/libmariadb/ma_client_plugin.c.in
index 573feb4e..a402d082 100644
--- a/libmariadb/ma_client_plugin.c.in
+++ b/libmariadb/ma_client_plugin.c.in
@@ -46,6 +46,8 @@ #include #endif +const char *disabled_plugins= "@PLUGINS_DISABLED@"; + struct st_client_plugin_int { struct st_client_plugin_int *next; void *dlhandle;
diff --git a/plugins/auth/CMakeLists.txt b/plugins/auth/CMakeLists.txt
index f5fd2f75..c7e06c33 100644
--- a/plugins/auth/CMakeLists.txt
+++ b/plugins/auth/CMakeLists.txt
@@ -130,7 +130,8 @@ ENDIF() REGISTER_PLUGIN(TARGET mysql_old_password TYPE MARIADB_CLIENT_PLUGIN_AUTH CONFIGURATIONS STATIC DYNAMIC OFF - DEFAULT OFF + DEFAULT STATIC + DISABLED YES SOURCES ${AUTH_DIR}/old_password.c) # Cleartext
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
index 1195f1cd..6c551c32 100644
--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -15,6 +15,7 @@ extern void read_user_name(char *name); extern char *ma_send_connect_attr(MYSQL *mysql, unsigned char *buffer); extern int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length); extern unsigned char *mysql_net_store_length(unsigned char *packet, ulonglong length); +extern const char *disabled_plugins; #define hashing(p) (p->interface_version >= 0x0101 && p->hash_password_bin)
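Review bot: The new `DISABLED` keyword in `REGISTER_PLUGIN` only takes effect for the literal value `YES` (after upper-casing), so `DISABLED ON`, `TRUE` or `1` are silently ignored and the plugin stays usable by default. For a switch that gates a weak authentication method it is safer to use CMake's own boolean evaluation, `if(CC_PLUGIN_DISABLED)`, or to reject unknown values with `message(FATAL_ERROR ...)` as the plugin-type check just above does. The list is handed on with `PARENT_SCOPE`; whether that reaches the scope where `ma_client_plugin.c.in` is configured cannot be seen from this hunk and is worth confirming. The function body continues outside the hunk.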
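Review bot: `disabled_plugins` is defined as a non-const pointer with external linkage and an unprefixed name, so the deny-list that `run_plugin_auth` consults can be repointed at run time by anything linked into the same image, and the name can clash in static builds. Making the pointer itself constant and giving it the library prefix keeps the policy read-only: `const char * const ma_disabled_plugins= "@PLUGINS_DISABLED@";` with the matching `extern const char * const ma_disabled_plugins;` in plugins/auth/my_auth.c. Whether the symbol is actually exported depends on the linker map, which is not shown here. A one-line comment stating that the value is a `;`-separated CMake list generated at configure time would also help readers of the generated file.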
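Review bot: The `mysql_old_password` registration changes from `DEFAULT OFF` to `DEFAULT STATIC`, so the legacy plugin's code is now compiled into every default build, and nothing at the registration says that it is refused at run time. Since `DISABLED YES` is the only thing keeping this weak scheme off, a comment above the call would prevent someone from dropping it later, for example `# Built in for opt-in use only: rejected by run_plugin_auth unless listed via MARIADB_OPT_RESTRICTED_AUTH`. Packagers who relied on the plugin being absent may want the change called out in the release notes.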
@@ -696,11 +697,11 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, retry: mpvio.plugin= auth_plugin; - if (auth_plugin_name && - mysql->options.extension && - mysql->options.extension->restricted_auth) + if (auth_plugin_name) { - if (!strstr(mysql->options.extension->restricted_auth, auth_plugin_name)) + if ((mysql->options.extension && mysql->options.extension->restricted_auth) + ? !strstr(mysql->options.extension->restricted_auth, auth_plugin_name) + : strstr(disabled_plugins, auth_plugin_name) != NULL) { my_set_error(mysql, CR_PLUGIN_NOT_ALLOWED, SQLSTATE_UNKNOWN, 0, data_plugin); return 1;
diff --git a/unittest/libmariadb/my_test.h b/unittest/libmariadb/my_test.h
index 9f75d67a..f6a2c42c 100644
--- a/unittest/libmariadb/my_test.h
+++ b/unittest/libmariadb/my_test.h
@@ -688,6 +688,7 @@ void run_tests(struct my_tests_st *test) { if (!mysql_real_connect(mysql, hostname, username, password, schema, port, socketname, 0)) { + diag("Error: %s", mysql_error(mysql)); BAIL_OUT("Can't establish TLS connection to server."); }