Second part of WL #519:

Client option secure-auth deployed on all possible layers: - mysql client command-line and config file option - mysql_options option MYSQL_SECURE_AUTH - mysql_real_connect will automatically take into account that option if mysql->options.my_cnf_file/my_cnf_group is set client/client_priv.h: added OPT_SECURE_AUTH to enum of all my_read_default_options options. client/mysql.cc: added support for mysql command-line option --secure-auth include/errmsg.h: added return code for option --secure-auth include/mysql.h: added MYSQL_SECURE_AUTH to enum of all mysql_options options. added secure_auth flag to MYSQL handle libmysql/errmsg.c: Error messages for option --secure-auth sql-common/client.c: added check for secure-auth in mysql_real_connect: if password is provided, and secure-auth is on, then client will refuse connecting to pre-4.1.1 server
2025-08-08 11:22:35 +03:00 · 2003-11-28 13:11:44 +03:00
parent 94387d4be3
commit 506572b69e
6 changed files with 38 additions and 9 deletions
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -783,7 +783,7 @@ static const char *default_options[]=
  "connect-timeout", "local-infile", "disable-local-infile",
  "replication-probe", "enable-reads-from-master", "repl-parse-query",
  "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
-  "multi-results", "multi-queries",
+  "multi-results", "multi-queries", "secure-auth",
  NullS
 };

@@ -991,6 +991,9 @@ void mysql_read_default_options(struct st_mysql_options *options,
 	case 31:
 	  options->client_flag|= CLIENT_MULTI_STATEMENTS | CLIENT_MULTI_RESULTS;
 	  break;
+        case 32: /* secure-auth */
+          options->secure_auth= TRUE;
+          break;
 	default:
 	  DBUG_PRINT("warning",("unknown option: %s",option[0]));
 	}
@@ -1473,7 +1476,11 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
  if (!host || !host[0])
    host=mysql->options.host;
  if (!user || !user[0])
+  {
    user=mysql->options.user;
+    if (!user)
+      user= "";
+  }
  if (!passwd)
  {
    passwd=mysql->options.password;
@@ -1481,6 +1488,8 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
    if (!passwd)
      passwd=getenv("MYSQL_PWD");		/* get it from environment */
 #endif
+    if (!passwd)
+      passwd= "";
  }
  if (!db || !db[0])
    db=mysql->options.db;
@@ -1742,6 +1751,14 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
  else
    mysql->server_capabilities&= ~CLIENT_SECURE_CONNECTION;

+  if (mysql->options.secure_auth && passwd[0] &&
+      !(mysql->server_capabilities & CLIENT_SECURE_CONNECTION))
+  {
+    strmov(net->sqlstate, unknown_sqlstate);
+    strmov(net->last_error, ER(net->last_errno=CR_SECURE_AUTH));
+    goto error;
+  }
+
  charset_number= mysql->server_language;

  /* Set character set */
@@ -1793,8 +1810,6 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
  }

  /* Save connection information */
-  if (!user) user="";
-  if (!passwd) passwd="";
  if (!my_multi_malloc(MYF(0),
 		       &mysql->host_info, (uint) strlen(host_info)+1,
 		       &mysql->host,      (uint) strlen(host)+1,
@@ -2542,6 +2557,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg)
    break;
  case MYSQL_SET_CLIENT_IP:
    mysql->options.client_ip= my_strdup(arg, MYF(MY_WME));
+  case MYSQL_SECURE_AUTH:
+    mysql->options.secure_auth= *(my_bool *) arg;
+    break;
  default:
    DBUG_RETURN(1);
  }