The MySQL protocol documentation as well as the comments in code state
that the compression level is stored in one byte. The code, however,
used four bytes.
This reverts 395641549ac7..536d9e2b9e5b, in particular:
8dffd56936 MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default
a99570c118 MDEV-31855 SSL cert validation protocol extension
9aa15e72a7 TLS fingerprint
and related commits
because the default value of every option is 0
(option and option.extension are bzero-ed to reset),
tls_verify_server_cert was renamed to tls_allow_invalid_server_cert
with the default value of 0, "do not allow".
API didn't change, it's still MYSQL_OPT_SSL_VERIFY_SERVER_CERT
* extend the client auth plugin API with a new callback
* relax the plugin version check to allow loading a plugin with the
  same major version, even if the minor versions differ
* implement the protocol extension:
  - don't abort at once if the certificate is self signed and
    no CA was explicitly specified
  - allow it if it passes fingerprint check
  - allow it if plugin has hash_password_bin callback, password was
    non-empty and the control hash matches server's
Since the server certification option is used by client
only, there is no need to have this flag in server and/or
client capabilities. The server itself validates client
certificate depending on the user definition.
Since the server doesn't support secure connections for
shared memory and named pipe connections but indicates
this capability by setting the CLIENT_SSL flag, we unset
this flag in case the connection uses shared memory
or named pipe.
ZSTD compression is now supported for connections
to a MySQL Server 8.0.
Compression algorithms are supported via compression
plugins, which can be found in plugins/compress.
with --version=xxx the server doesn't send 5.5.5- version prefix,
so C/C doesn't detect the server as MariaDB (look for "is_maria"),
but it still sends MARIADB_CLIENT_EXTENDED_METADATA to the server.
This causes the server to send extended metadata, but C/C doesn't expect
it (is_maria is false) and parses the packet incorrectly.
As a fix, backport from 3.2 the code that makes C/C announce
only those client capabilities that are supported by the server.
If mariadb_stmt_execute_direct fails, we need to set the number
of parameters (obtained by response packet of mysql_stmt_prepare)
back to the number of prebinded parameters to avoid memory
overrun.
This fix also includes several address-sanitizer bugs in unit tests
of Connector/C.
Added new option MARIADB_OPT_RESTRICTED_AUTH (and corresponding
"restricted-auth" option for configuration files) which specifies
one or more comma separated authentication plugins which are allowed
for authentication.
If the server asks for an authentication plugin not listed in this
option the connect attempt will fail with error CR_PLUGIN_NOT_ALLOWED.
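
The allow-list check that MARIADB_OPT_RESTRICTED_AUTH describes, as an added example (not Connector/C source). The helper name auth_plugin_allowed, the blank trimming and the "empty list means unrestricted" rule are assumptions made for illustration; the point shown is that each entry must match as a whole, never as a prefix or substring.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 when `plugin` is an exact member of the
 * comma separated `allowed` list, 0 otherwise.
 * Assumption: a NULL or empty list means the option was not set. */
int auth_plugin_allowed(const char *allowed, const char *plugin)
{
    size_t want;

    if (allowed == NULL || *allowed == '\0')
        return 1;                  /* no restriction configured */
    if (plugin == NULL || *plugin == '\0')
        return 0;                  /* restricted, nothing to match */

    want = strlen(plugin);
    while (*allowed != '\0') {
        const char *end = strchr(allowed, ',');
        size_t len = end ? (size_t)(end - allowed) : strlen(allowed);
        const char *tok = allowed;

        /* Assumption: blanks around an entry are ignored ("a, b" == "a,b") */
        while (len > 0 && (*tok == ' ' || *tok == '\t')) { tok++; len--; }
        while (len > 0 && (tok[len - 1] == ' ' || tok[len - 1] == '\t')) len--;

        /* whole-entry comparison: length and bytes must both agree */
        if (len == want && memcmp(tok, plugin, len) == 0)
            return 1;

        if (end == NULL)
            break;
        allowed = end + 1;
    }
    return 0;   /* caller rejects the connect (CR_PLUGIN_NOT_ALLOWED above) */
}

int main(void)
{
    /* constructed sample values */
    const char *list = "mysql_native_password,client_ed25519";
    const char *asked[] = { "client_ed25519", "mysql_clear_password",
                            "mysql_native" };
    for (size_t i = 0; i < sizeof asked / sizeof asked[0]; i++)
        printf("%-22s -> %s\n", asked[i],
               auth_plugin_allowed(list, asked[i]) ? "allowed" : "rejected");
    return 0;
}
```
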
Added support for passwords > 255 characters.
The new capability flag CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA
now indicates that the client can send passwords > 255 characters:
If no default authentication plugin was specified and the server sends preferred
authentication method in server hello package client now uses server's preferred
authentication method instead of using mysql_native_password. If no default
authentication plugin was specified and the server didn't send an
authentication method client uses the default mysql_native_password plugin.
string will be terminated by the NUL character, it is best to do that
externally in the caller. This code was originally introduced in
commit beb9d5ea89.
(patch by Marko)
Various coverity scan fixes, including CONC-452 and CONC-453.
Special thanks to Lukas Javorsky for fixing numerous covscan
issues (This patch includes part of his pull request #126).
Coverity scan build was using the following cmake parameters:
-WITH_EXTERNAL_ZLIB=ON -DWITH_UNIT_TESTS=OFF.
CWE-416 (use after free) in dtoa.c (from netlib) is still open.
mysql_change_user doesn't reset server status
Fixed my_auth.c, after successful connect the server status package information (including session change information) must be updated.