More work on secure connection protocol. commited in order to do the sync with new large pushed

bunch.
2025-07-29 05:21:33 +03:00 · 2002-10-19 23:18:31 +04:00
parent d448caba6e
commit 37245fd17f
5 changed files with 50 additions and 2 deletions
--- a/client/insert_test.c
+++ b/client/insert_test.c
@ -16,6 +16,7 @@

 #include <stdio.h>
 #include <stdlib.h>
+#include "my_global.h"
 #include "mysql.h"

 #define INSERT_QUERY "insert into test (name,num) values ('item %d', %d)"
--- a/client/select_test.c
+++ b/client/select_test.c
@ -19,6 +19,7 @@
 #endif
 #include <stdio.h>
 #include <stdlib.h>
+#include "my_global.h"
 #include "mysql.h"

 #define SELECT_QUERY "select name from test where num = %d"
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@ -97,6 +97,7 @@ enum enum_server_command
 #define CLIENT_IGNORE_SIGPIPE   4096     /* IGNORE sigpipes */
 #define CLIENT_TRANSACTIONS	8192	/* Client knows about transactions */
 #define CLIENT_PROTOCOL_41       16384   /* New 4.1 protocol  */
+#define CLIENT_SECURE_CONNECTION 32768   /* New 4.1 authentication */

 #define SERVER_STATUS_IN_TRANS     1	/* Transaction has started */
 #define SERVER_STATUS_AUTOCOMMIT   2	/* Server in auto_commit mode */
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@ -317,6 +317,7 @@ uint volatile thread_count=0, thread_running=0, kill_cached_threads=0,
 ulong thd_startup_options=(OPTION_UPDATE_LOG | OPTION_AUTO_IS_NULL |
 			   OPTION_BIN_LOG | OPTION_QUOTE_SHOW_CREATE );
 uint protocol_version=PROTOCOL_VERSION;
+uint connection_auth_flag=0; /* Supported authentication mode */ 
 struct system_variables global_system_variables;
 struct system_variables max_system_variables;
 ulong keybuff_size,table_cache_size,
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -32,6 +32,8 @@
 #include <assert.h>
 #include <stdarg.h>

+extern uint connection_auth_flag;
+
 struct acl_host_and_ip
 {
  char *hostname;
@ -143,7 +145,11 @@ my_bool acl_init(bool dont_read_acl_tables)
 			    (hash_get_key) acl_entry_get_key,
 			    (void (*)(void*)) free);
  if (dont_read_acl_tables)
+  {
+    /* If we do not read tables use old handshake to make it quick for all clients */ 
+    connection_auth_flag=CLIENT_LONG_PASSWORD; 
    DBUG_RETURN(0); /* purecov: tested */
+  }    

  /*
    To be able to run this from boot, we allocate a temporary THD
@ -218,6 +224,7 @@ my_bool acl_init(bool dont_read_acl_tables)

  DBUG_PRINT("info",("user table fields: %d",table->fields));
  allow_all_hosts=0;
+  connection_auth_flag=0; /* Reset flag as we're rereading the table */
  while (!(read_record_info.read_record(&read_record_info)))
  {
    ACL_USER user;
@ -242,6 +249,18 @@ my_bool acl_init(bool dont_read_acl_tables)
    }
    get_salt_from_password(user.salt,user.password);
    user.pversion=get_password_version(user.password);
+    /*
+      We check the version of passwords in database. If no old passwords found we can force new handshake
+      if there are only old password we will force new handshake. In case of both types of passwords
+      found we will perform 2 stage authentication.
+    */
+    if (user.password && user.password[0]!=0) /* empty passwords are not counted */ 
+    {
+      if (user.pversion) 
+        connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+      else
+        connection_auth_flag|=CLIENT_LONG_PASSWORD;   
+    }  
    user.access=get_access(table,3) & GLOBAL_ACLS;
    user.sort=get_sort(2,user.host.hostname,user.user);
    user.hostname_length= (user.host.hostname ?
@ -300,6 +319,17 @@ my_bool acl_init(bool dont_read_acl_tables)
  end_read_record(&read_record_info);
  freeze_size(&acl_users);
  
+  /* 
+   If database is empty or has no passwords use new connection protocol 
+   unless we're running with --old-passwords option
+  */ 
+  if (!connection_auth_flag)
+  {
+    if(!opt_old_passwords)     
+     connection_auth_flag=CLIENT_SECURE_CONNECTION;
+    else connection_auth_flag=CLIENT_LONG_PASSWORD; 
+  }
+  printf("Set flag after read: %d\n",connection_auth_flag);
  init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0);
  VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100));
  while (!(read_record_info.read_record(&read_record_info)))
@ -674,6 +704,12 @@ static void acl_update_user(const char *user, const char *host,
 	    acl_user->password=(char*) "";	// Just point at something
 	    get_salt_from_password(acl_user->salt,password);
 	    acl_user->pversion=get_password_version(acl_user->password);
+	    // We should allow connection with authentication method matching password
+	    if (acl_user->pversion)
+	      connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+	    else
+	      connection_auth_flag|=CLIENT_LONG_PASSWORD;  
+	    printf("Debug: flag set to %d\n",connection_auth_flag);      
 	  }
 	}
 	break;
@ -1084,7 +1120,15 @@ bool change_password(THD *thd, const char *host, const char *user,
  if (!new_password[0])
    acl_user->password=0;
  else
+  {
    acl_user->password=(char*) "";		// Point at something        
+    /* Adjust global connection options depending of client password*/
+    if (acl_user->pversion)
+      connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+    else
+      connection_auth_flag|=CLIENT_LONG_PASSWORD;    
+  }
+    
  acl_cache->clear(1);				// Clear locked hostname cache
  VOID(pthread_mutex_unlock(&acl_cache->lock));