-rw-r--r--client/client_priv.h1
-rw-r--r--client/mysql.cc13
-rw-r--r--client/mysqladmin.cc13
-rw-r--r--client/mysqlslap.c12
-rw-r--r--client/mysqltest.cc8
-rw-r--r--include/mysql.h3
-rw-r--r--include/mysql.h.pp3
-rw-r--r--include/sql_common.h2
-rw-r--r--mysql-test/t/plugin_auth.test4
-rw-r--r--sql-common/client.c69
-rw-r--r--sql-common/client_plugin.c5
11 files changed, 119 insertions, 14 deletions
diff --git a/client/client_priv.h b/client/client_priv.h
index b776dcf8014..2362811d2b3 100644
--- a/client/client_priv.h
+++ b/client/client_priv.h
@@ -87,6 +87,7 @@ enum options_client
OPT_PLUGIN_DIR,
OPT_DEFAULT_AUTH,
OPT_DEFAULT_PLUGIN,
+ OPT_ENABLE_CLEARTEXT_PLUGIN,
OPT_MAX_CLIENT_OPTION
};
diff --git a/client/mysql.cc b/client/mysql.cc
index b6bc2f4b68f..630c6215603 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -148,6 +148,8 @@ static my_bool column_types_flag;
static my_bool preserve_comments= 0;
static ulong opt_max_allowed_packet, opt_net_buffer_length;
static uint verbose=0,opt_silent=0,opt_mysql_port=0, opt_local_infile=0;
+static uint opt_enable_cleartext_plugin= 0;
+static my_bool using_opt_enable_cleartext_plugin= 0;
static uint my_end_arg;
static char * opt_mysql_unix_port=0;
static int connect_flag=CLIENT_INTERACTIVE;
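Review bot: `opt_enable_cleartext_plugin` is declared `uint` but is registered as a `GET_BOOL` option and later handed to `mysql_options()`, which reads it back through `*(my_bool*) arg` (see the mysql_options hunk in sql-common/client.c). Declaring it as `static my_bool opt_enable_cleartext_plugin= 0;` keeps the stored and the read type the same width, so the `(char*)` cast no longer hides a mismatch. As written this presumably works only because both the option parser and the library touch the first byte of the variable. The same declaration is repeated in client/mysqladmin.cc and client/mysqlslap.c.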
@@ -1409,6 +1411,10 @@ static struct my_option my_long_options[] =
&default_charset, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
{"delimiter", OPT_DELIMITER, "Delimiter to be used.", &delimiter_str,
&delimiter_str, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
+ {"enable_cleartext_plugin", OPT_ENABLE_CLEARTEXT_PLUGIN,
+ "Enable/disable the clear text authentication plugin.",
+ &opt_enable_cleartext_plugin, &opt_enable_cleartext_plugin,
+ 0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
{"execute", 'e', "Execute command and quit. (Disables --force and history file.)", 0,
0, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
{"vertical", 'E', "Print the output of a query (rows) vertically.",
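Review bot: The help string `"Enable/disable the clear text authentication plugin."` does not tell the user what turning it on means. The library-side check added in sql-common/client.c refuses this plugin by default, and going by its name the plugin hands the password to the server unhashed. I would say so in the text, e.g. `"Enable/disable the clear text authentication plugin (the password is sent as-is; use only over an encrypted or otherwise trusted connection)."`. The same string is used in client/mysqladmin.cc and client/mysqlslap.c.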
@@ -1636,6 +1642,9 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
case OPT_LOCAL_INFILE:
using_opt_local_infile=1;
break;
+ case OPT_ENABLE_CLEARTEXT_PLUGIN:
+ using_opt_enable_cleartext_plugin= TRUE;
+ break;
case OPT_TEE:
if (argument == disabled_my_option)
{
@@ -4321,6 +4330,10 @@ sql_real_connect(char *host,char *database,char *user,char *password,
if (opt_default_auth && *opt_default_auth)
mysql_options(&mysql, MYSQL_DEFAULT_AUTH, opt_default_auth);
+ if (using_opt_enable_cleartext_plugin)
+ mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
+ (char*) &opt_enable_cleartext_plugin);
+
if (!mysql_real_connect(&mysql, host, user, password,
database, opt_mysql_port, opt_mysql_unix_port,
connect_flag | CLIENT_MULTI_STATEMENTS))
diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc
index 3f33c25e664..321efd36642 100644
--- a/client/mysqladmin.cc
+++ b/client/mysqladmin.cc
@@ -43,6 +43,8 @@ static uint opt_count_iterations= 0, my_end_arg;
static ulong opt_connect_timeout, opt_shutdown_timeout;
static char * unix_port=0;
static char *opt_plugin_dir= 0, *opt_default_auth= 0;
+static uint opt_enable_cleartext_plugin= 0;
+static my_bool using_opt_enable_cleartext_plugin= 0;
#ifdef HAVE_SMEM
static char *shared_memory_base_name=0;
@@ -212,6 +214,10 @@ static struct my_option my_long_options[] =
"Default authentication client-side plugin to use.",
&opt_default_auth, &opt_default_auth, 0,
GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
+ {"enable_cleartext_plugin", OPT_ENABLE_CLEARTEXT_PLUGIN,
+ "Enable/disable the clear text authentication plugin.",
+ &opt_enable_cleartext_plugin, &opt_enable_cleartext_plugin,
+ 0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
{ 0, 0, 0, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}
};
@@ -282,6 +288,9 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
opt_protocol= find_type_or_exit(argument, &sql_protocol_typelib,
opt->name);
break;
+ case OPT_ENABLE_CLEARTEXT_PLUGIN:
+ using_opt_enable_cleartext_plugin= TRUE;
+ break;
}
if (error)
{
@@ -354,6 +363,10 @@ int main(int argc,char *argv[])
if (opt_default_auth && *opt_default_auth)
mysql_options(&mysql, MYSQL_DEFAULT_AUTH, opt_default_auth);
+ if (using_opt_enable_cleartext_plugin)
+ mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
+ (char*) &opt_enable_cleartext_plugin);
+
if (sql_connect(&mysql, option_wait))
{
/*
diff --git a/client/mysqlslap.c b/client/mysqlslap.c
index a2c01b85b5a..ac1cc31733c 100644
--- a/client/mysqlslap.c
+++ b/client/mysqlslap.c
@@ -125,6 +125,8 @@ static char *host= NULL, *opt_password= NULL, *user= NULL,
*post_system= NULL,
*opt_mysql_unix_port= NULL;
static char *opt_plugin_dir= 0, *opt_default_auth= 0;
+static uint opt_enable_cleartext_plugin= 0;
+static my_bool using_opt_enable_cleartext_plugin= 0;
const char *delimiter= "\n";
@@ -348,6 +350,9 @@ int main(int argc, char **argv)
if (opt_default_auth && *opt_default_auth)
mysql_options(&mysql, MYSQL_DEFAULT_AUTH, opt_default_auth);
+ if (using_opt_enable_cleartext_plugin)
+ mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
+ (char*) &opt_enable_cleartext_plugin);
if (!opt_only_print)
{
if (!(mysql_real_connect(&mysql, host, user, opt_password,
@@ -603,6 +608,10 @@ static struct my_option my_long_options[] =
"Detach (close and reopen) connections after X number of requests.",
&detach_rate, &detach_rate, 0, GET_UINT, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
+ {"enable_cleartext_plugin", OPT_ENABLE_CLEARTEXT_PLUGIN,
+ "Enable/disable the clear text authentication plugin.",
+ &opt_enable_cleartext_plugin, &opt_enable_cleartext_plugin,
+ 0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
{"engine", 'e', "Storage engine to use for creating the table.",
&default_engine, &default_engine, 0,
GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
@@ -761,6 +770,9 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
case 'I': /* Info */
usage();
exit(0);
+ case OPT_ENABLE_CLEARTEXT_PLUGIN:
+ using_opt_enable_cleartext_plugin= TRUE;
+ break;
}
DBUG_RETURN(0);
}
diff --git a/client/mysqltest.cc b/client/mysqltest.cc
index b1784fdc7b6..34d8edcbe0b 100644
--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
@@ -5456,7 +5456,7 @@ void do_connect(struct st_command *command)
int con_port= opt_port;
char *con_options;
my_bool con_ssl= 0, con_compress= 0;
- my_bool con_pipe= 0, con_shm= 0;
+ my_bool con_pipe= 0, con_shm= 0, con_cleartext_enable= 0;
struct st_connection* con_slot;
static DYNAMIC_STRING ds_connection_name;
@@ -5546,6 +5546,8 @@ void do_connect(struct st_command *command)
con_pipe= 1;
else if (!strncmp(con_options, "SHM", 3))
con_shm= 1;
+ else if (!strncmp(con_options, "CLEARTEXT", 9))
+ con_cleartext_enable= 1;
else
die("Illegal option to connect: %.*s",
(int) (end - con_options), con_options);
@@ -5642,6 +5644,10 @@ void do_connect(struct st_command *command)
if (ds_default_auth.length)
mysql_options(&con_slot->mysql, MYSQL_DEFAULT_AUTH, ds_default_auth.str);
+
+ if (con_cleartext_enable)
+ mysql_options(&con_slot->mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
+ (char*) &con_cleartext_enable);
/* Special database to allow one to connect without a database name */
if (ds_database.length && !strcmp(ds_database.str,"*NO-ONE*"))
dynstr_set(&ds_database, "");
diff --git a/include/mysql.h b/include/mysql.h
index cff8c647152..0ed35413a1c 100644
--- a/include/mysql.h
+++ b/include/mysql.h
@@ -166,7 +166,8 @@ enum mysql_option
MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION,
MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
- MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH
+ MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
+ MYSQL_ENABLE_CLEARTEXT_PLUGIN
};
/**
diff --git a/include/mysql.h.pp b/include/mysql.h.pp
index 15ec563dfc2..c2c5ba35044 100644
--- a/include/mysql.h.pp
+++ b/include/mysql.h.pp
@@ -262,7 +262,8 @@ enum mysql_option
MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION,
MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
- MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH
+ MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
+ MYSQL_ENABLE_CLEARTEXT_PLUGIN
};
struct st_mysql_options_extention;
struct st_mysql_options {
diff --git a/include/sql_common.h b/include/sql_common.h
index 307b443d6d6..a2ea3ac45e7 100644
--- a/include/sql_common.h
+++ b/include/sql_common.h
@@ -31,6 +31,7 @@ extern const char *not_error_sqlstate;
struct st_mysql_options_extention {
char *plugin_dir;
char *default_auth;
+ my_bool enable_cleartext_plugin;
};
typedef struct st_mysql_methods
@@ -104,6 +105,7 @@ int mysql_client_plugin_init();
void mysql_client_plugin_deinit();
struct st_mysql_client_plugin;
extern struct st_mysql_client_plugin *mysql_client_builtins[];
+extern my_bool libmysql_cleartext_plugin_enabled;
#ifdef __cplusplus
}
diff --git a/mysql-test/t/plugin_auth.test b/mysql-test/t/plugin_auth.test
index f169360cf2e..75d3ef3e807 100644
--- a/mysql-test/t/plugin_auth.test
+++ b/mysql-test/t/plugin_auth.test
@@ -422,10 +422,10 @@ CREATE USER uplain@localhost IDENTIFIED WITH 'cleartext_plugin_server'
--echo ## test plugin auth
--disable_query_log
--error ER_ACCESS_DENIED_ERROR : this should fail : no grant
-connect(cleartext_fail_con,localhost,uplain,cleartext_test2);
+connect(cleartext_fail_con,localhost,uplain,cleartext_test2,,,,CLEARTEXT);
--enable_query_log
-connect(cleartext_con,localhost,uplain,cleartext_test);
+connect(cleartext_con,localhost,uplain,cleartext_test,,,,CLEARTEXT);
connection cleartext_con;
select USER(),CURRENT_USER();
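Review bot: Both connect() calls now pass `CLEARTEXT`, so nothing in this test exercises the new refusal path. A connection as uplain without the option should now fail on the client side with the CR_AUTH_PLUGIN_CANNOT_LOAD error that check_plugin_enabled() sets. Adding a third `connect` without `CLEARTEXT`, preceded by an `--error` line for that client error, would pin the default-off behaviour this commit introduces. The LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment override is likewise not covered here.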
diff --git a/sql-common/client.c b/sql-common/client.c
index 08f4bfb1151..381768834cd 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1136,7 +1136,8 @@ static const char *default_options[]=
"connect-timeout", "local-infile", "disable-local-infile",
"ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
"multi-results", "multi-statements", "multi-queries", "secure-auth",
- "report-data-truncation", "plugin-dir", "default-auth",
+ "report-data-truncation", "plugin-dir", "default-auth",
+ "enable-cleartext-plugin",
NullS
};
enum option_id {
@@ -1148,6 +1149,7 @@ enum option_id {
OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol, OPT_shared_memory_base_name,
OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_secure_auth,
OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth,
+ OPT_enable_cleartext_plugin,
OPT_keep_this_one_last
};
@@ -1180,14 +1182,27 @@ static int add_init_command(struct st_mysql_options *options, const char *cmd)
return 0;
}
-#define EXTENSION_SET_STRING(OPTS, X, STR) \
- if ((OPTS)->extension) \
- my_free((OPTS)->extension->X); \
- else \
+#define ALLOCATE_EXTENSIONS(OPTS) \
(OPTS)->extension= (struct st_mysql_options_extention *) \
my_malloc(sizeof(struct st_mysql_options_extention), \
- MYF(MY_WME | MY_ZEROFILL)); \
- (OPTS)->extension->X= my_strdup((STR), MYF(MY_WME));
+ MYF(MY_WME | MY_ZEROFILL)) \
+
+#define ENSURE_EXTENSIONS_PRESENT(OPTS) \
+ do { \
+ if (!(OPTS)->extension) \
+ ALLOCATE_EXTENSIONS(OPTS); \
+ } while (0)
+
+
+#define EXTENSION_SET_STRING(OPTS, X, STR) \
+ do { \
+ if ((OPTS)->extension) \
+ my_free((OPTS)->extension->X); \
+ else \
+ ALLOCATE_EXTENSIONS(OPTS); \
+ (OPTS)->extension->X= ((STR) != NULL) ? \
+ my_strdup((STR), MYF(MY_WME)) : NULL; \
+ } while (0)
void mysql_read_default_options(struct st_mysql_options *options,
const char *filename,const char *group)
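Review bot: `ALLOCATE_EXTENSIONS` stores the result of `my_malloc()` without checking it, and every user dereferences `(OPTS)->extension` immediately afterwards. That covers the last statement of `EXTENSION_SET_STRING` and the two new `ENSURE_EXTENSIONS_PRESENT` callers (the `OPT_enable_cleartext_plugin` case in mysql_read_default_options and the `MYSQL_ENABLE_CLEARTEXT_PLUGIN` case in mysql_options). If the allocation fails this is a NULL dereference; in mysql_options a guard such as `if (!mysql->options.extension) DBUG_RETURN(1);` after the macro would turn it into an error return. Separately, `ALLOCATE_EXTENSIONS` ends with a line continuation onto an empty line, which only works while that blank line stays in place; dropping the trailing backslash is safer.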
@@ -1386,6 +1401,12 @@ void mysql_read_default_options(struct st_mysql_options *options,
case OPT_default_auth:
EXTENSION_SET_STRING(options, default_auth, opt_arg);
break;
+
+ case OPT_enable_cleartext_plugin:
+ ENSURE_EXTENSIONS_PRESENT(options);
+ options->extension->enable_cleartext_plugin=
+ (!opt_arg || atoi(opt_arg) != 0) ? TRUE : FALSE;
+
default:
DBUG_PRINT("warning",("unknown option: %s",option[0]));
}
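Review bot: The new `case OPT_enable_cleartext_plugin:` has no `break;`, so after setting the flag control falls into `default:` and logs `unknown option` for an option that was just handled; add `break;` after the assignment. Note also that `atoi(opt_arg) != 0` treats values such as `ON` or `yes` as 0, i.e. disabled, whereas the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN check in sql-common/client_plugin.c accepts a leading `1`, `Y` or `y`. That is fail-closed, but the two spellings of the same switch should either share a parser or carry a comment. The enclosing switch and function start outside this hunk.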
@@ -2782,6 +2803,27 @@ static void client_mpvio_info(MYSQL_PLUGIN_VIO *vio,
mpvio_info(mpvio->mysql->net.vio, info);
}
+
+my_bool libmysql_cleartext_plugin_enabled= 0;
+
+static my_bool check_plugin_enabled(MYSQL *mysql, auth_plugin_t *plugin)
+{
+ if (plugin == &clear_password_client_plugin &&
+ (!libmysql_cleartext_plugin_enabled &&
+ (!mysql->options.extension ||
+ !mysql->options.extension->enable_cleartext_plugin)))
+ {
+ set_mysql_extended_error(mysql, CR_AUTH_PLUGIN_CANNOT_LOAD,
+ unknown_sqlstate,
+ ER(CR_AUTH_PLUGIN_CANNOT_LOAD),
+ clear_password_client_plugin.name,
+ "plugin not enabled");
+ return TRUE;
+ }
+ return FALSE;
+}
+
+
/**
Client side of the plugin driver authentication.
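Review bot: `check_plugin_enabled()` is the only gate in front of the cleartext plugin and has no comment explaining the policy. I would add a short doc block stating that it returns TRUE and sets CR_AUTH_PLUGIN_CANNOT_LOAD when the selected plugin is `clear_password_client_plugin` and neither the per-connection `enable_cleartext_plugin` option nor the process-wide `libmysql_cleartext_plugin_enabled` flag is set. The block should also say that the global flag wins over the per-connection option, so a connection cannot opt out once it is set. The flag is a plain non-static global written from load_env_plugins(), with no synchronization visible here. Because the name reads as the opposite of the return value, a line such as `/* returns TRUE if the plugin must be refused */` at the signature would prevent a misread at the two call sites.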
@@ -2824,6 +2866,9 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
auth_plugin_name= auth_plugin->name;
}
+ if (check_plugin_enabled(mysql, auth_plugin))
+ DBUG_RETURN(1);
+
DBUG_PRINT ("info", ("using plugin %s", auth_plugin_name));
mysql->net.last_errno= 0; /* just in case */
@@ -2915,6 +2960,9 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
auth_plugin_name, MYSQL_CLIENT_AUTHENTICATION_PLUGIN)))
DBUG_RETURN (1);
+ if (check_plugin_enabled(mysql, auth_plugin))
+ DBUG_RETURN(1);
+
mpvio.plugin= auth_plugin;
res= auth_plugin->authenticate_user((struct st_plugin_vio *)&mpvio, mysql);
@@ -4117,6 +4165,11 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
case MYSQL_DEFAULT_AUTH:
EXTENSION_SET_STRING(&mysql->options, default_auth, arg);
break;
+ case MYSQL_ENABLE_CLEARTEXT_PLUGIN:
+ ENSURE_EXTENSIONS_PRESENT(&mysql->options);
+ mysql->options.extension->enable_cleartext_plugin=
+ (*(my_bool*) arg) ? TRUE : FALSE;
+ break;
default:
DBUG_RETURN(1);
}
@@ -4336,5 +4389,3 @@ static int clear_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
return res ? CR_ERROR : CR_OK;
}
-
-
diff --git a/sql-common/client_plugin.c b/sql-common/client_plugin.c
index 4016f0744be..75faeb7ee97 100644
--- a/sql-common/client_plugin.c
+++ b/sql-common/client_plugin.c
@@ -197,6 +197,10 @@ err1:
static void load_env_plugins(MYSQL *mysql)
{
char *plugs, *free_env, *s= getenv("LIBMYSQL_PLUGINS");
+ char *enable_cleartext_plugin= getenv("LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN");
+
+ if (enable_cleartext_plugin && strchr("1Yy", enable_cleartext_plugin[0]))
+ libmysql_cleartext_plugin_enabled= 1;
/* no plugins to load */
if(!s)
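Review bot: An empty `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` value enables the plugin. In that case `strchr("1Yy", enable_cleartext_plugin[0])` is called with `'\0'`, and `strchr` matches the string's terminating NUL, so the result is non-NULL. Since this flag overrides the per-connection setting in check_plugin_enabled(), the test should fail closed: `if (enable_cleartext_plugin && enable_cleartext_plugin[0] && strchr("1Yy", enable_cleartext_plugin[0]))`. Only the first character is inspected, so `yes` and `1` enable it and any other non-empty value leaves it off, which deserves a one-line comment. load_env_plugins continues past the end of this hunk.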
@@ -212,6 +216,7 @@ static void load_env_plugins(MYSQL *mysql)
} while (s);
my_free(free_env);
+
}
/********** extern functions to be used by libmysql *********************/