Commit 48edd0ac authored by unknown's avatar unknown

More work on secure connection protocol. commited in order to do the sync with new large pushed

bunch. 


client/insert_test.c:
  Fix function call
client/select_test.c:
  Fix function call
include/mysql_com.h:
  New flag defined for secure connection handling
sql/mysqld.cc:
  Add flag used for connection
sql/sql_acl.cc:
  Partial code to find out needed connection flag based on password format
parent c69223d9
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include "my_global.h"
#include "mysql.h" #include "mysql.h"
#define INSERT_QUERY "insert into test (name,num) values ('item %d', %d)" #define INSERT_QUERY "insert into test (name,num) values ('item %d', %d)"
......
...@@ -19,6 +19,7 @@ ...@@ -19,6 +19,7 @@
#endif #endif
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include "my_global.h"
#include "mysql.h" #include "mysql.h"
#define SELECT_QUERY "select name from test where num = %d" #define SELECT_QUERY "select name from test where num = %d"
......
...@@ -97,6 +97,7 @@ enum enum_server_command ...@@ -97,6 +97,7 @@ enum enum_server_command
#define CLIENT_IGNORE_SIGPIPE 4096 /* IGNORE sigpipes */ #define CLIENT_IGNORE_SIGPIPE 4096 /* IGNORE sigpipes */
#define CLIENT_TRANSACTIONS 8192 /* Client knows about transactions */ #define CLIENT_TRANSACTIONS 8192 /* Client knows about transactions */
#define CLIENT_PROTOCOL_41 16384 /* New 4.1 protocol */ #define CLIENT_PROTOCOL_41 16384 /* New 4.1 protocol */
#define CLIENT_SECURE_CONNECTION 32768 /* New 4.1 authentication */
#define SERVER_STATUS_IN_TRANS 1 /* Transaction has started */ #define SERVER_STATUS_IN_TRANS 1 /* Transaction has started */
#define SERVER_STATUS_AUTOCOMMIT 2 /* Server in auto_commit mode */ #define SERVER_STATUS_AUTOCOMMIT 2 /* Server in auto_commit mode */
......
...@@ -317,6 +317,7 @@ uint volatile thread_count=0, thread_running=0, kill_cached_threads=0, ...@@ -317,6 +317,7 @@ uint volatile thread_count=0, thread_running=0, kill_cached_threads=0,
ulong thd_startup_options=(OPTION_UPDATE_LOG | OPTION_AUTO_IS_NULL | ulong thd_startup_options=(OPTION_UPDATE_LOG | OPTION_AUTO_IS_NULL |
OPTION_BIN_LOG | OPTION_QUOTE_SHOW_CREATE ); OPTION_BIN_LOG | OPTION_QUOTE_SHOW_CREATE );
uint protocol_version=PROTOCOL_VERSION; uint protocol_version=PROTOCOL_VERSION;
uint connection_auth_flag=0; /* Supported authentication mode */
struct system_variables global_system_variables; struct system_variables global_system_variables;
struct system_variables max_system_variables; struct system_variables max_system_variables;
ulong keybuff_size,table_cache_size, ulong keybuff_size,table_cache_size,
......
...@@ -32,6 +32,8 @@ ...@@ -32,6 +32,8 @@
#include <assert.h> #include <assert.h>
#include <stdarg.h> #include <stdarg.h>
extern uint connection_auth_flag;
struct acl_host_and_ip struct acl_host_and_ip
{ {
char *hostname; char *hostname;
...@@ -143,7 +145,11 @@ my_bool acl_init(bool dont_read_acl_tables) ...@@ -143,7 +145,11 @@ my_bool acl_init(bool dont_read_acl_tables)
(hash_get_key) acl_entry_get_key, (hash_get_key) acl_entry_get_key,
(void (*)(void*)) free); (void (*)(void*)) free);
if (dont_read_acl_tables) if (dont_read_acl_tables)
{
/* If we do not read tables use old handshake to make it quick for all clients */
connection_auth_flag=CLIENT_LONG_PASSWORD;
DBUG_RETURN(0); /* purecov: tested */ DBUG_RETURN(0); /* purecov: tested */
}
/* /*
To be able to run this from boot, we allocate a temporary THD To be able to run this from boot, we allocate a temporary THD
...@@ -218,6 +224,7 @@ my_bool acl_init(bool dont_read_acl_tables) ...@@ -218,6 +224,7 @@ my_bool acl_init(bool dont_read_acl_tables)
DBUG_PRINT("info",("user table fields: %d",table->fields)); DBUG_PRINT("info",("user table fields: %d",table->fields));
allow_all_hosts=0; allow_all_hosts=0;
connection_auth_flag=0; /* Reset flag as we're rereading the table */
while (!(read_record_info.read_record(&read_record_info))) while (!(read_record_info.read_record(&read_record_info)))
{ {
ACL_USER user; ACL_USER user;
...@@ -242,6 +249,18 @@ my_bool acl_init(bool dont_read_acl_tables) ...@@ -242,6 +249,18 @@ my_bool acl_init(bool dont_read_acl_tables)
} }
get_salt_from_password(user.salt,user.password); get_salt_from_password(user.salt,user.password);
user.pversion=get_password_version(user.password); user.pversion=get_password_version(user.password);
/*
We check the version of passwords in database. If no old passwords found we can force new handshake
if there are only old password we will force new handshake. In case of both types of passwords
found we will perform 2 stage authentication.
*/
if (user.password && user.password[0]!=0) /* empty passwords are not counted */
{
if (user.pversion)
connection_auth_flag|=CLIENT_SECURE_CONNECTION;
else
connection_auth_flag|=CLIENT_LONG_PASSWORD;
}
user.access=get_access(table,3) & GLOBAL_ACLS; user.access=get_access(table,3) & GLOBAL_ACLS;
user.sort=get_sort(2,user.host.hostname,user.user); user.sort=get_sort(2,user.host.hostname,user.user);
user.hostname_length= (user.host.hostname ? user.hostname_length= (user.host.hostname ?
...@@ -299,7 +318,18 @@ my_bool acl_init(bool dont_read_acl_tables) ...@@ -299,7 +318,18 @@ my_bool acl_init(bool dont_read_acl_tables)
sizeof(ACL_USER),(qsort_cmp) acl_compare); sizeof(ACL_USER),(qsort_cmp) acl_compare);
end_read_record(&read_record_info); end_read_record(&read_record_info);
freeze_size(&acl_users); freeze_size(&acl_users);
/*
If database is empty or has no passwords use new connection protocol
unless we're running with --old-passwords option
*/
if (!connection_auth_flag)
{
if(!opt_old_passwords)
connection_auth_flag=CLIENT_SECURE_CONNECTION;
else connection_auth_flag=CLIENT_LONG_PASSWORD;
}
printf("Set flag after read: %d\n",connection_auth_flag);
init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0); init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0);
VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100)); VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100));
while (!(read_record_info.read_record(&read_record_info))) while (!(read_record_info.read_record(&read_record_info)))
...@@ -674,6 +704,12 @@ static void acl_update_user(const char *user, const char *host, ...@@ -674,6 +704,12 @@ static void acl_update_user(const char *user, const char *host,
acl_user->password=(char*) ""; // Just point at something acl_user->password=(char*) ""; // Just point at something
get_salt_from_password(acl_user->salt,password); get_salt_from_password(acl_user->salt,password);
acl_user->pversion=get_password_version(acl_user->password); acl_user->pversion=get_password_version(acl_user->password);
// We should allow connection with authentication method matching password
if (acl_user->pversion)
connection_auth_flag|=CLIENT_SECURE_CONNECTION;
else
connection_auth_flag|=CLIENT_LONG_PASSWORD;
printf("Debug: flag set to %d\n",connection_auth_flag);
} }
} }
break; break;
...@@ -1084,7 +1120,15 @@ bool change_password(THD *thd, const char *host, const char *user, ...@@ -1084,7 +1120,15 @@ bool change_password(THD *thd, const char *host, const char *user,
if (!new_password[0]) if (!new_password[0])
acl_user->password=0; acl_user->password=0;
else else
acl_user->password=(char*) ""; // Point at something {
acl_user->password=(char*) ""; // Point at something
/* Adjust global connection options depending of client password*/
if (acl_user->pversion)
connection_auth_flag|=CLIENT_SECURE_CONNECTION;
else
connection_auth_flag|=CLIENT_LONG_PASSWORD;
}
acl_cache->clear(1); // Clear locked hostname cache acl_cache->clear(1); // Clear locked hostname cache
VOID(pthread_mutex_unlock(&acl_cache->lock)); VOID(pthread_mutex_unlock(&acl_cache->lock));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment