Commit fedbda3f authored by Sergei Golubchik's avatar Sergei Golubchik

fixed a bug in handling mysql_native_password specified explicitly:

  CREATE USER mysqltest_up1 IDENTIFIED VIA mysql_native_password
pointers were not always fixed, salt wasn't updated
parent 9560ff99
...@@ -225,3 +225,17 @@ Connection on extra port 2 ok ...@@ -225,3 +225,17 @@ Connection on extra port 2 ok
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# -- End of 5.1 tests # -- End of 5.1 tests
# ------------------------------------------------------------------ # ------------------------------------------------------------------
CREATE USER mysqltest_up1 IDENTIFIED VIA mysql_native_password using '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB';
CREATE USER mysqltest_up2 IDENTIFIED VIA mysql_old_password using '09301740536db389';
connect(localhost,mysqltest_up1,foo,test,13001,MASTER_SOCKET);
ERROR 28000: Access denied for user 'mysqltest_up1'@'localhost' (using password: YES)
select user(), current_user();
user() current_user()
mysqltest_up1@localhost mysqltest_up1@%
connect(localhost,mysqltest_up2,newpw,test,13001,MASTER_SOCKET);
ERROR 28000: Access denied for user 'mysqltest_up2'@'localhost' (using password: YES)
select user(), current_user();
user() current_user()
mysqltest_up2@localhost mysqltest_up2@%
DROP USER mysqltest_up1@'%';
DROP USER mysqltest_up2@'%';
...@@ -328,6 +328,34 @@ if ($error) ...@@ -328,6 +328,34 @@ if ($error)
--disconnect extracon2 --disconnect extracon2
--connection default --connection default
#
# A couple of plugin tests - for builtin plugins only
#
CREATE USER mysqltest_up1 IDENTIFIED VIA mysql_native_password using '*E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB';
CREATE USER mysqltest_up2 IDENTIFIED VIA mysql_old_password using '09301740536db389';
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect(pcon1,localhost,mysqltest_up1,foo,,$MASTER_EXTRA_PORT,);
connect(pcon2,localhost,mysqltest_up1,bar,,$MASTER_EXTRA_PORT,);
connection pcon2;
select user(), current_user();
disconnect pcon2;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect(pcon3,localhost,mysqltest_up2,newpw,,$MASTER_EXTRA_PORT,);
connect(pcon4,localhost,mysqltest_up2,oldpw,,$MASTER_EXTRA_PORT,);
connection pcon4;
select user(), current_user();
disconnect pcon4;
connection default;
DROP USER mysqltest_up1@'%';
DROP USER mysqltest_up2@'%';
# Wait till all disconnects are completed # Wait till all disconnects are completed
--source include/wait_until_count_sessions.inc --source include/wait_until_count_sessions.inc
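Review bot: The new cases only exercise `CREATE USER ... IDENTIFIED VIA`, which presumably reaches the fixed code through acl_insert_user, while the same commit also changes acl_load and acl_update_user. Those two paths decide whether the right salt is in memory after a reload or after an account is altered, so a regression there would not be caught by this test. I would add a `FLUSH PRIVILEGES;` before a second wrong-password/right-password connect pair to cover acl_load. I would also add a `GRANT USAGE ON *.* TO mysqltest_up1 IDENTIFIED VIA mysql_native_password USING '<hash>';` on the existing user, followed by the same pair, to cover acl_update_user.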
...@@ -319,6 +319,35 @@ set_user_salt(ACL_USER *acl_user, const char *password, uint password_len) ...@@ -319,6 +319,35 @@ set_user_salt(ACL_USER *acl_user, const char *password, uint password_len)
acl_user->salt_len= 0; acl_user->salt_len= 0;
} }
/**
Fix ACL::plugin pointer to point to a hard-coded string, if appropriate
Make sure that if ACL_USER's plugin is a built-in, then it points
to a hard coded string, not to an allocated copy. Run-time, for
authentication, we want to be able to detect built-ins by comparing
pointers, not strings.
Additionally - update the salt if the plugin is built-in.
@retval 0 the pointers were fixed
@retval 1 this ACL_USER uses a not built-in plugin
*/
static bool fix_user_plugin_ptr(ACL_USER *user)
{
if (my_strcasecmp(system_charset_info, user->plugin.str,
native_password_plugin_name.str) == 0)
user->plugin= native_password_plugin_name;
else
if (my_strcasecmp(system_charset_info, user->plugin.str,
old_password_plugin_name.str) == 0)
user->plugin= old_password_plugin_name;
else
return true;
set_user_salt(user, user->auth_string.str, user->auth_string.length);
return false;
}
/* /*
This after_update function is used when user.password is less than This after_update function is used when user.password is less than
SCRAMBLE_LENGTH bytes. SCRAMBLE_LENGTH bytes.
...@@ -662,6 +691,8 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables) ...@@ -662,6 +691,8 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
char *tmpstr= get_field(&mem, table->field[next_field++]); char *tmpstr= get_field(&mem, table->field[next_field++]);
if (tmpstr) if (tmpstr)
{ {
user.plugin.str= tmpstr;
user.plugin.length= strlen(user.plugin.str);
if (user.auth_string.length) if (user.auth_string.length)
{ {
sql_print_warning("'user' entry '%s@%s' has both a password " sql_print_warning("'user' entry '%s@%s' has both a password "
...@@ -670,22 +701,12 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables) ...@@ -670,22 +701,12 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
user.user ? user.user : "", user.user ? user.user : "",
user.host.hostname ? user.host.hostname : ""); user.host.hostname ? user.host.hostname : "");
} }
if (my_strcasecmp(system_charset_info, tmpstr,
native_password_plugin_name.str) == 0)
user.plugin= native_password_plugin_name;
else
if (my_strcasecmp(system_charset_info, tmpstr,
old_password_plugin_name.str) == 0)
user.plugin= old_password_plugin_name;
else
{
user.plugin.str= tmpstr;
user.plugin.length= strlen(tmpstr);
}
user.auth_string.str= get_field(&mem, table->field[next_field++]); user.auth_string.str= get_field(&mem, table->field[next_field++]);
if (!user.auth_string.str) if (!user.auth_string.str)
user.auth_string.str= const_cast<char*>(""); user.auth_string.str= const_cast<char*>("");
user.auth_string.length= strlen(user.auth_string.str); user.auth_string.length= strlen(user.auth_string.str);
fix_user_plugin_ptr(&user);
} }
} }
} }
...@@ -1132,12 +1153,15 @@ static void acl_update_user(const char *user, const char *host, ...@@ -1132,12 +1153,15 @@ static void acl_update_user(const char *user, const char *host,
{ {
if (plugin->str[0]) if (plugin->str[0])
{ {
acl_user->plugin.str= strmake_root(&mem, plugin->str, plugin->length); acl_user->plugin= *plugin;
acl_user->plugin.length= plugin->length;
acl_user->auth_string.str= auth->str ? acl_user->auth_string.str= auth->str ?
strmake_root(&mem, auth->str, auth->length) : const_cast<char*>(""); strmake_root(&mem, auth->str, auth->length) : const_cast<char*>("");
acl_user->auth_string.length= auth->length; acl_user->auth_string.length= auth->length;
if (fix_user_plugin_ptr(acl_user))
acl_user->plugin.str= strmake_root(&mem, plugin->str, plugin->length);
} }
else
set_user_salt(acl_user, password, password_len);
acl_user->access=privileges; acl_user->access=privileges;
if (mqh->specified_limits & USER_RESOURCES::QUERIES_PER_HOUR) if (mqh->specified_limits & USER_RESOURCES::QUERIES_PER_HOUR)
acl_user->user_resource.questions=mqh->questions; acl_user->user_resource.questions=mqh->questions;
...@@ -1157,8 +1181,6 @@ static void acl_update_user(const char *user, const char *host, ...@@ -1157,8 +1181,6 @@ static void acl_update_user(const char *user, const char *host,
acl_user->x509_subject= (x509_subject ? acl_user->x509_subject= (x509_subject ?
strdup_root(&mem,x509_subject) : 0); strdup_root(&mem,x509_subject) : 0);
} }
if (password)
set_user_salt(acl_user, password, password_len);
/* search complete: */ /* search complete: */
break; break;
} }
...@@ -1186,11 +1208,12 @@ static void acl_insert_user(const char *user, const char *host, ...@@ -1186,11 +1208,12 @@ static void acl_insert_user(const char *user, const char *host,
update_hostname(&acl_user.host, *host ? strdup_root(&mem, host): 0); update_hostname(&acl_user.host, *host ? strdup_root(&mem, host): 0);
if (plugin->str[0]) if (plugin->str[0])
{ {
acl_user.plugin.str= strmake_root(&mem, plugin->str, plugin->length); acl_user.plugin= *plugin;
acl_user.plugin.length= plugin->length;
acl_user.auth_string.str= auth->str ? acl_user.auth_string.str= auth->str ?
strmake_root(&mem, auth->str, auth->length) : const_cast<char*>(""); strmake_root(&mem, auth->str, auth->length) : const_cast<char*>("");
acl_user.auth_string.length= auth->length; acl_user.auth_string.length= auth->length;
if (fix_user_plugin_ptr(&acl_user))
acl_user.plugin.str= strmake_root(&mem, plugin->str, plugin->length);
} }
else else
{ {
...@@ -1198,6 +1221,7 @@ static void acl_insert_user(const char *user, const char *host, ...@@ -1198,6 +1221,7 @@ static void acl_insert_user(const char *user, const char *host,
old_password_plugin_name : native_password_plugin_name; old_password_plugin_name : native_password_plugin_name;
acl_user.auth_string.str= strmake_root(&mem, password, password_len); acl_user.auth_string.str= strmake_root(&mem, password, password_len);
acl_user.auth_string.length= password_len; acl_user.auth_string.length= password_len;
set_user_salt(&acl_user, password, password_len);
} }
acl_user.access=privileges; acl_user.access=privileges;
...@@ -1210,8 +1234,6 @@ static void acl_insert_user(const char *user, const char *host, ...@@ -1210,8 +1234,6 @@ static void acl_insert_user(const char *user, const char *host,
acl_user.x509_issuer= x509_issuer ? strdup_root(&mem,x509_issuer) : 0; acl_user.x509_issuer= x509_issuer ? strdup_root(&mem,x509_issuer) : 0;
acl_user.x509_subject=x509_subject ? strdup_root(&mem,x509_subject) : 0; acl_user.x509_subject=x509_subject ? strdup_root(&mem,x509_subject) : 0;
set_user_salt(&acl_user, password, password_len);
VOID(push_dynamic(&acl_users,(uchar*) &acl_user)); VOID(push_dynamic(&acl_users,(uchar*) &acl_user));
if (!acl_user.host.hostname || if (!acl_user.host.hostname ||
(acl_user.host.hostname[0] == wild_many && !acl_user.host.hostname[1])) (acl_user.host.hostname[0] == wild_many && !acl_user.host.hostname[1]))
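Review bot: In acl_update_user the new `else set_user_salt(acl_user, password, password_len);` branch runs without the `if (password)` guard that protected the call this commit removes further down. The visible tail of set_user_salt ends in `acl_user->salt_len= 0;`, so if a caller can pass a NULL or empty password when the statement specifies none (not visible in these hunks), updating an existing account would reset its cached salt. The in-memory ACL would then disagree with the stored hash until the next reload. Keeping the guard as `else if (password) set_user_salt(acl_user, password, password_len);` preserves the previous behaviour. acl_update_user begins and ends outside the hunks, so the caller contract should be confirmed there.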
......