Follow up of fix for CONC-680:

mysql_old_password is disabled by default (setting DISABLED YES),
but can be used if the plugin was added to the list of restricted
authentication plugins (via mysql_optionsv using option
MARIADB_OPT_RESTRICTED_AUTH).

CMakeLists.txt

@@ -547,6 +547,7 @@ ENDIF()
 MESSAGE1(STATUS "MariaDB Connector/c configuration:
 -- Static PLUGINS ${PLUGINS_STATIC}
 -- Dynamic PLUGINS ${PLUGINS_DYNAMIC}
+-- Disabled PLUGINS ${PLUGINS_DISABLED}
 -- CPack generation: ${CPACK_GENERATOR}
 -- SSL support: ${WITH_SSL} Libs: ${SSL_LIBRARIES}
 -- Zlib support: ${zlib_status}

cmake/plugins.cmake

@@ -12,7 +12,7 @@ include(${CC_SOURCE_DIR}/cmake/sign.cmake)
 
 FUNCTION(REGISTER_PLUGIN)
 
-  SET(one_value_keywords TARGET DEFAULT TYPE)
+  SET(one_value_keywords TARGET DISABLED TYPE DEFAULT)
   SET(multi_value_keywords CONFIGURATIONS SOURCES LIBRARIES INCLUDES COMPILE_OPTIONS)
 
   cmake_parse_arguments(CC_PLUGIN
@@ -43,6 +43,12 @@ FUNCTION(REGISTER_PLUGIN)
     message(FATAL_ERROR "Invalid plugin type ${CC_PLUGIN_DEFAULT}. Allowed plugin types are ${CC_PLUGIN_CONFIGURATIONS}")
   endif()
 
+# check if plugin is disabled
+  string(TOUPPER "${CC_PLUGIN_DISABLED}" CC_PLUGIN_DISABLED)
+  if("${CC_PLUGIN_DISABLED}" STREQUAL "YES")
+    set(PLUGINS_DISABLED ${PLUGINS_DISABLED} ${CC_PLUGIN_TARGET} PARENT_SCOPE)
+  endif()
+
   if(NOT ${CC_PLUGIN_DEFAULT} STREQUAL "OFF")
     set(PLUGIN_${CC_PLUGIN_TARGET}_TYPE ${CC_PLUGIN_TYPE})
 

libmariadb/ma_client_plugin.c.in

@@ -46,6 +46,8 @@
 #include <dlfcn.h>
 #endif
 
+const char *disabled_plugins= "@PLUGINS_DISABLED@";
+
 struct st_client_plugin_int {
   struct st_client_plugin_int *next;
   void   *dlhandle;

plugins/auth/CMakeLists.txt

@@ -130,7 +130,8 @@ ENDIF()
 REGISTER_PLUGIN(TARGET mysql_old_password
                 TYPE MARIADB_CLIENT_PLUGIN_AUTH
                 CONFIGURATIONS STATIC DYNAMIC OFF
-                DEFAULT OFF
+                DEFAULT STATIC
+                DISABLED YES
                 SOURCES ${AUTH_DIR}/old_password.c)
 
 # Cleartext

plugins/auth/my_auth.c

@@ -15,6 +15,7 @@ extern void read_user_name(char *name);
 extern char *ma_send_connect_attr(MYSQL *mysql, unsigned char *buffer);
 extern int ma_read_ok_packet(MYSQL *mysql, uchar *pos, ulong length);
 extern unsigned char *mysql_net_store_length(unsigned char *packet, ulonglong length);
+extern const char *disabled_plugins;
 
 #define hashing(p)  (p->interface_version >= 0x0101 && p->hash_password_bin)
 
@@ -696,11 +697,11 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
 retry:
   mpvio.plugin= auth_plugin;
 
-  if (auth_plugin_name &&
+  if (auth_plugin_name)
-     mysql->options.extension &&
-     mysql->options.extension->restricted_auth)
   {
-    if (!strstr(mysql->options.extension->restricted_auth, auth_plugin_name))
+    if ((mysql->options.extension && mysql->options.extension->restricted_auth)
+        ? !strstr(mysql->options.extension->restricted_auth, auth_plugin_name)
+        : strstr(disabled_plugins, auth_plugin_name) != NULL)
     {
       my_set_error(mysql, CR_PLUGIN_NOT_ALLOWED, SQLSTATE_UNKNOWN, 0, data_plugin);
       return 1;

unittest/libmariadb/my_test.h

@@ -688,6 +688,7 @@ void run_tests(struct my_tests_st *test) {
 
   if (!mysql_real_connect(mysql, hostname, username, password, schema, port, socketname, 0))
   {
+    diag("Error: %s", mysql_error(mysql));
     BAIL_OUT("Can't establish TLS connection to server.");
   }