Commit a232225b authored by kostja@oak.local's avatar kostja@oak.local

Preliminary support for options --secure-auth,

--old-passwords
Support for option --old-protocol was removed.
Some test performed.
Tests for SSL and replication are pending.
More strict following to specification for --old-passwords
is in the TODO.
parent 1d20b232
...@@ -319,10 +319,9 @@ void create_random_string(char *to, uint length, struct rand_struct *rand_st); ...@@ -319,10 +319,9 @@ void create_random_string(char *to, uint length, struct rand_struct *rand_st);
void hash_password(ulong *to, const char *password); void hash_password(ulong *to, const char *password);
void make_scrambled_password_323(char *to, const char *password); void make_scrambled_password_323(char *to, const char *password);
char *scramble_323(char *to, const char *message, const char *password, char *scramble_323(char *to, const char *message, const char *password);
my_bool old_ver);
my_bool check_scramble_323(const char *, const char *message, my_bool check_scramble_323(const char *, const char *message,
unsigned long *salt, my_bool old_ver); unsigned long *salt);
void get_salt_from_password_323(unsigned long *res, const char *password); void get_salt_from_password_323(unsigned long *res, const char *password);
void make_password_from_salt_323(char *to, const unsigned long *salt); void make_password_from_salt_323(char *to, const unsigned long *salt);
......
...@@ -286,4 +286,5 @@ ...@@ -286,4 +286,5 @@
#define ER_REVOKE_GRANTS 1267 #define ER_REVOKE_GRANTS 1267
#define ER_CANT_AGGREGATE_3COLLATIONS 1268 #define ER_CANT_AGGREGATE_3COLLATIONS 1268
#define ER_CANT_AGGREGATE_NCOLLATIONS 1269 #define ER_CANT_AGGREGATE_NCOLLATIONS 1269
#define ER_ERROR_MESSAGES 270 #define ER_SERVER_IS_IN_SECURE_AUTH_MODE 1270
#define ER_ERROR_MESSAGES 271
...@@ -626,8 +626,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user, ...@@ -626,8 +626,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
end+= SCRAMBLE_LENGTH; end+= SCRAMBLE_LENGTH;
} }
else else
end= scramble_323(end, mysql->scramble_323, passwd, end= scramble_323(end, mysql->scramble_323, passwd);
(my_bool) (mysql->protocol_version == 9)) + 1;
} }
else else
*end++= '\0'; // empty password *end++= '\0'; // empty password
...@@ -651,8 +650,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user, ...@@ -651,8 +650,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
By sending this very specific reply server asks us to send scrambled By sending this very specific reply server asks us to send scrambled
password in old format. The reply contains scramble_323. password in old format. The reply contains scramble_323.
*/ */
scramble_323(buff, mysql->scramble_323, passwd, scramble_323(buff, mysql->scramble_323, passwd);
(my_bool) (mysql->protocol_version == 9));
if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net)) if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
{ {
net->last_errno= CR_SERVER_LOST; net->last_errno= CR_SERVER_LOST;
......
...@@ -30,6 +30,7 @@ show tables; ...@@ -30,6 +30,7 @@ show tables;
Tables_in_test Tables_in_test
update mysql.user set password=old_password("gambling2") where user="test"; update mysql.user set password=old_password("gambling2") where user="test";
flush privileges; flush privileges;
set password=old_password('gambling3');
show tables; show tables;
Tables_in_mysql Tables_in_mysql
columns_priv columns_priv
......
select length(encrypt('foo', 'ff')) <> 0; select length(encrypt('foo', 'ff')) <> 0;
length(encrypt('foo', 'ff')) <> 0 length(encrypt('foo', 'ff')) <> 0
1 1
select password("a",""), password("a",NULL), password("","a"), password(NULL,"a"); select password('abc');
password("a","") password("a",NULL) password("","a") password(NULL,"a") password('abc')
*2517f7235d68d4ba2e5019c93420523101157a792c01 NULL NULL *0d3ced9bec10a777aec23ccc353a8c08a633045e
select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa"); select password('');
password("aaaaaaaaaaaaaaaa","a") password("a","aaaaaaaaaaaaaaaa") password('')
*2cd3b9a44e9a9994789a30f935c92f45a96c5472f381 *37c7c5c794ff144819f2531bf03c57772cd84e40db09
select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa'); select old_password('abc');
old_password('test') length(password("1")) length(encrypt('test')) encrypt('test','aa') old_password('abc')
378b243e220ca493 45 13 aaqPiZY5xR5l. 7cd2b5942be28759
select old_password(""), old_password(NULL), password(""), password(NULL); select old_password('');
old_password("") old_password(NULL) password("") password(NULL) old_password('')
NULL NULL
select password('gabbagabbahey');
password('gabbagabbahey')
*b0f99d2963660dd7e16b751ec9ee2f17b6a68fa6
select old_password('idkfa');
old_password('idkfa')
5c078dc54ca0fcca
select length(password('1'));
length(password('1'))
41
select length(encrypt('test'));
length(encrypt('test'))
13
select encrypt('test','aa');
encrypt('test','aa')
aaqPiZY5xR5l.
select old_password(NULL);
old_password(NULL)
NULL
select password(NULL);
password(NULL)
NULL
set global old_passwords=on;
select password('');
password('')
select old_password('');
old_password('')
select password('idkfa');
password('idkfa')
*b669c9dac3aa6f2254b03cdef8dfdd6b2d1054ba
select old_password('idkfa');
old_password('idkfa')
5c078dc54ca0fcca
set old_passwords=on;
select password('idkfa');
password('idkfa')
5c078dc54ca0fcca
select old_password('idkfa');
old_password('idkfa')
5c078dc54ca0fcca
set global old_passwords=off;
select password('idkfa');
password('idkfa')
5c078dc54ca0fcca
select old_password('idkfa');
old_password('idkfa')
5c078dc54ca0fcca
set old_passwords=off;
select password('idkfa ');
password('idkfa ')
*2dc31d90647b4c1abc9231563d2236e96c9a2db2
select password('idkfa');
password('idkfa')
*b669c9dac3aa6f2254b03cdef8dfdd6b2d1054ba
select password(' idkfa');
password(' idkfa')
*12b099e56bb7fe8d43c78fd834a9d1d11178d045
select old_password('idkfa');
old_password('idkfa')
5c078dc54ca0fcca
select old_password(' i d k f a ');
old_password(' i d k f a ')
5c078dc54ca0fcca
...@@ -48,8 +48,9 @@ flush privileges; ...@@ -48,8 +48,9 @@ flush privileges;
#connect (con1,localhost,test,gambling2,""); #connect (con1,localhost,test,gambling2,"");
#show tables; #show tables;
connect (con1,localhost,test,gambling2,mysql); connect (con1,localhost,test,gambling2,mysql);
set password=old_password('gambling3');
show tables; show tables;
connect (con1,localhost,test,gambling2,test); connect (con1,localhost,test,gambling3,test);
show tables; show tables;
# Re enable this one day if error handling on connect will take place # Re enable this one day if error handling on connect will take place
...@@ -63,7 +64,9 @@ show tables; ...@@ -63,7 +64,9 @@ show tables;
#connect (con1,localhost,test,zorro,); #connect (con1,localhost,test,zorro,);
#--error 1045 #--error 1045
# remove user 'test' so that other tests which may use 'test' # remove user 'test' so that other tests which may use 'test'
# do not depend on this test. # do not depend on this test.
delete from mysql.user where user="test"; delete from mysql.user where user="test";
flush privileges; flush privileges;
...@@ -4,7 +4,33 @@ select length(encrypt('foo', 'ff')) <> 0; ...@@ -4,7 +4,33 @@ select length(encrypt('foo', 'ff')) <> 0;
--replace_result $1$aa$4OSUA5cjdx0RUQ08opV27/ aaqPiZY5xR5l. --replace_result $1$aa$4OSUA5cjdx0RUQ08opV27/ aaqPiZY5xR5l.
# Test new and old password handling functions # Test new and old password handling functions
select password("a",""), password("a",NULL), password("","a"), password(NULL,"a"); select password('abc');
select password("aaaaaaaaaaaaaaaa","a"), password("a","aaaaaaaaaaaaaaaa"); select password('');
select old_password('test'), length(password("1")), length(encrypt('test')), encrypt('test','aa'); select old_password('abc');
select old_password(""), old_password(NULL), password(""), password(NULL); select old_password('');
select password('gabbagabbahey');
select old_password('idkfa');
select length(password('1'));
select length(encrypt('test'));
select encrypt('test','aa');
select old_password(NULL);
select password(NULL);
set global old_passwords=on;
select password('');
select old_password('');
select password('idkfa');
select old_password('idkfa');
set old_passwords=on;
select password('idkfa');
select old_password('idkfa');
set global old_passwords=off;
select password('idkfa');
select old_password('idkfa');
# this test shows that new scrambles honor spaces in passwords:
set old_passwords=off;
select password('idkfa ');
select password('idkfa');
select password(' idkfa');
select old_password('idkfa');
select old_password(' i d k f a ');
...@@ -1842,8 +1842,7 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user, ...@@ -1842,8 +1842,7 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user,
end+= SCRAMBLE_LENGTH; end+= SCRAMBLE_LENGTH;
} }
else else
end= scramble_323(end, mysql->scramble_323, passwd, end= scramble_323(end, mysql->scramble_323, passwd) + 1;
(my_bool) (mysql->protocol_version == 9)) + 1;
} }
else else
*end++= '\0'; /* empty password */ *end++= '\0'; /* empty password */
...@@ -1880,8 +1879,7 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user, ...@@ -1880,8 +1879,7 @@ mysql_real_connect(MYSQL *mysql,const char *host, const char *user,
By sending this very specific reply server asks us to send scrambled By sending this very specific reply server asks us to send scrambled
password in old format. The reply contains scramble_323. password in old format. The reply contains scramble_323.
*/ */
scramble_323(buff, mysql->scramble_323, passwd, scramble_323(buff, mysql->scramble_323, passwd);
(my_bool) (mysql->protocol_version == 9));
if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net)) if (my_net_write(net, buff, SCRAMBLE_LENGTH_323 + 1) || net_flush(net))
{ {
net->last_errno= CR_SERVER_LOST; net->last_errno= CR_SERVER_LOST;
......
...@@ -277,7 +277,7 @@ public: ...@@ -277,7 +277,7 @@ public:
/* /*
Item_func_old_password -- PASSWORD() implementation used in MySQL 3.21 - 4.0 Item_func_old_password -- PASSWORD() implementation used in MySQL 3.21 - 4.0
compatibility mode. This item is created in sql_yacc.yy when compatibility mode. This item is created in sql_yacc.yy when
'use_old_passwords' session variable is set, and to handle OLD_PASSWORD() 'old_passwords' session variable is set, and to handle OLD_PASSWORD()
function. function.
*/ */
......
...@@ -748,7 +748,7 @@ extern my_bool opt_safe_show_db, opt_local_infile, lower_case_table_names; ...@@ -748,7 +748,7 @@ extern my_bool opt_safe_show_db, opt_local_infile, lower_case_table_names;
extern my_bool opt_slave_compressed_protocol, use_temp_pool; extern my_bool opt_slave_compressed_protocol, use_temp_pool;
extern my_bool opt_readonly; extern my_bool opt_readonly;
extern my_bool opt_enable_named_pipe; extern my_bool opt_enable_named_pipe;
extern my_bool opt_old_passwords, use_old_passwords; extern my_bool opt_secure_auth;
extern char *shared_memory_base_name, *mysqld_unix_port; extern char *shared_memory_base_name, *mysqld_unix_port;
extern bool opt_enable_shared_memory; extern bool opt_enable_shared_memory;
......
...@@ -250,9 +250,10 @@ my_bool opt_local_infile, opt_external_locking, opt_slave_compressed_protocol; ...@@ -250,9 +250,10 @@ my_bool opt_local_infile, opt_external_locking, opt_slave_compressed_protocol;
my_bool opt_safe_user_create = 0, opt_no_mix_types = 0; my_bool opt_safe_user_create = 0, opt_no_mix_types = 0;
my_bool lower_case_table_names, opt_old_rpl_compat; my_bool lower_case_table_names, opt_old_rpl_compat;
my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0; my_bool opt_show_slave_auth_info, opt_sql_bin_update = 0;
my_bool opt_log_slave_updates= 0, opt_old_passwords=0, use_old_passwords=0; my_bool opt_log_slave_updates= 0;
my_bool opt_console= 0, opt_bdb, opt_innodb, opt_isam; my_bool opt_console= 0, opt_bdb, opt_innodb, opt_isam;
my_bool opt_readonly, use_temp_pool, relay_log_purge; my_bool opt_readonly, use_temp_pool, relay_log_purge;
my_bool opt_secure_auth= 0;
volatile bool mqh_used = 0; volatile bool mqh_used = 0;
uint mysqld_port, test_flags, select_errors, dropping_tables, ha_open_options; uint mysqld_port, test_flags, select_errors, dropping_tables, ha_open_options;
...@@ -3452,7 +3453,8 @@ enum options ...@@ -3452,7 +3453,8 @@ enum options
OPT_EXPIRE_LOGS_DAYS, OPT_EXPIRE_LOGS_DAYS,
OPT_DEFAULT_WEEK_FORMAT, OPT_DEFAULT_WEEK_FORMAT,
OPT_GROUP_CONCAT_MAX_LEN, OPT_GROUP_CONCAT_MAX_LEN,
OPT_DEFAULT_COLLATION OPT_DEFAULT_COLLATION,
OPT_SECURE_AUTH
}; };
...@@ -3753,9 +3755,10 @@ Does nothing yet.", ...@@ -3753,9 +3755,10 @@ Does nothing yet.",
(gptr*) &opt_no_mix_types, (gptr*) &opt_no_mix_types, 0, GET_BOOL, NO_ARG, (gptr*) &opt_no_mix_types, (gptr*) &opt_no_mix_types, 0, GET_BOOL, NO_ARG,
0, 0, 0, 0, 0, 0}, 0, 0, 0, 0, 0, 0},
#endif #endif
{"old-protocol", 'o', "Use the old (3.20) protocol client/server protocol.", {"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
(gptr*) &protocol_version, (gptr*) &protocol_version, 0, GET_UINT, NO_ARG, (gptr*) &global_system_variables.old_passwords,
PROTOCOL_VERSION, 0, 0, 0, 0, 0}, (gptr*) &max_system_variables.old_passwords, 0, GET_BOOL, NO_ARG,
0, 0, 0, 0, 0, 0},
{"old-rpl-compat", OPT_OLD_RPL_COMPAT, {"old-rpl-compat", OPT_OLD_RPL_COMPAT,
"Use old LOAD DATA format in the binary log (don't save data in file).", "Use old LOAD DATA format in the binary log (don't save data in file).",
(gptr*) &opt_old_rpl_compat, (gptr*) &opt_old_rpl_compat, 0, GET_BOOL, (gptr*) &opt_old_rpl_compat, (gptr*) &opt_old_rpl_compat, 0, GET_BOOL,
...@@ -3824,8 +3827,6 @@ relay logs.", ...@@ -3824,8 +3827,6 @@ relay logs.",
GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
{"safe-mode", OPT_SAFE, "Skip some optimize stages (for testing).", {"safe-mode", OPT_SAFE, "Skip some optimize stages (for testing).",
0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0}, 0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},
{"old-passwords", OPT_OLD_PASSWORDS, "Use old password encryption method (needed for 4.0 and older clients).",
(gptr*) &opt_old_passwords, (gptr*) &opt_old_passwords, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
#ifndef TO_BE_DELETED #ifndef TO_BE_DELETED
{"safe-show-database", OPT_SAFE_SHOW_DB, {"safe-show-database", OPT_SAFE_SHOW_DB,
"Deprecated option; One should use GRANT SHOW DATABASES instead...", "Deprecated option; One should use GRANT SHOW DATABASES instead...",
...@@ -3835,6 +3836,9 @@ relay logs.", ...@@ -3835,6 +3836,9 @@ relay logs.",
"Don't allow new user creation by the user who has no write privileges to the mysql.user table.", "Don't allow new user creation by the user who has no write privileges to the mysql.user table.",
(gptr*) &opt_safe_user_create, (gptr*) &opt_safe_user_create, 0, GET_BOOL, (gptr*) &opt_safe_user_create, (gptr*) &opt_safe_user_create, 0, GET_BOOL,
NO_ARG, 0, 0, 0, 0, 0, 0}, NO_ARG, 0, 0, 0, 0, 0, 0},
{"secure-auth", OPT_SECURE_AUTH, "Disallow authentication for accounts that have old (pre-4.1) passwords.",
(gptr*) &opt_secure_auth, (gptr*) &opt_secure_auth, 0, GET_BOOL, NO_ARG,
my_bool(0), 0, 0, 0, 0, 0},
{"server-id", OPT_SERVER_ID, {"server-id", OPT_SERVER_ID,
"Uniquely identifies the server instance in the community of replication partners.", "Uniquely identifies the server instance in the community of replication partners.",
(gptr*) &server_id, (gptr*) &server_id, 0, GET_ULONG, REQUIRED_ARG, 0, 0, 0, (gptr*) &server_id, (gptr*) &server_id, 0, GET_ULONG, REQUIRED_ARG, 0, 0, 0,
...@@ -4604,7 +4608,8 @@ static void mysql_init_variables(void) ...@@ -4604,7 +4608,8 @@ static void mysql_init_variables(void)
opt_log= opt_update_log= opt_bin_log= opt_slow_log= 0; opt_log= opt_update_log= opt_bin_log= opt_slow_log= 0;
opt_disable_networking= opt_skip_show_db=0; opt_disable_networking= opt_skip_show_db=0;
opt_logname= opt_update_logname= opt_binlog_index_name= opt_slow_logname=0; opt_logname= opt_update_logname= opt_binlog_index_name= opt_slow_logname=0;
opt_bootstrap= opt_myisam_log= use_old_passwords= 0; opt_secure_auth= 0;
opt_bootstrap= opt_myisam_log= 0;
mqh_used= 0; mqh_used= 0;
segfaulted= kill_in_progress= 0; segfaulted= kill_in_progress= 0;
cleanup_done= 0; cleanup_done= 0;
...@@ -4704,6 +4709,7 @@ static void mysql_init_variables(void) ...@@ -4704,6 +4709,7 @@ static void mysql_init_variables(void)
max_system_variables.select_limit= (ulonglong) HA_POS_ERROR; max_system_variables.select_limit= (ulonglong) HA_POS_ERROR;
global_system_variables.max_join_size= (ulonglong) HA_POS_ERROR; global_system_variables.max_join_size= (ulonglong) HA_POS_ERROR;
max_system_variables.max_join_size= (ulonglong) HA_POS_ERROR; max_system_variables.max_join_size= (ulonglong) HA_POS_ERROR;
global_system_variables.old_passwords= 0;
/* Variables that depends on compile options */ /* Variables that depends on compile options */
#ifndef DBUG_OFF #ifndef DBUG_OFF
...@@ -4825,9 +4831,6 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)), ...@@ -4825,9 +4831,6 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
case 'L': case 'L':
strmake(language, argument, sizeof(language)-1); strmake(language, argument, sizeof(language)-1);
break; break;
case 'o':
protocol_version=PROTOCOL_VERSION-1;
break;
#ifdef HAVE_REPLICATION #ifdef HAVE_REPLICATION
case OPT_SLAVE_SKIP_ERRORS: case OPT_SLAVE_SKIP_ERRORS:
init_slave_skip_errors(argument); init_slave_skip_errors(argument);
......
...@@ -88,24 +88,6 @@ void randominit(struct rand_struct *rand_st, ulong seed1, ulong seed2) ...@@ -88,24 +88,6 @@ void randominit(struct rand_struct *rand_st, ulong seed1, ulong seed2)
} }
/*
Old (MySQL 3.20) random generation structure initialization
XXX: is to be deleted very soon!
SYNOPSIS
old_randominit()
rand_st OUT Structure to initialize
seed1 IN First initialization parameter
*/
static void old_randominit(struct rand_struct *rand_st, ulong seed1)
{ /* For mysql 3.20.# */
rand_st->max_value= 0x01FFFFFFL;
rand_st->max_value_dbl=(double) rand_st->max_value;
seed1%=rand_st->max_value;
rand_st->seed1=seed1 ; rand_st->seed2=seed1/2;
}
/* /*
Generate random number. Generate random number.
SYNOPSIS SYNOPSIS
...@@ -178,13 +160,11 @@ void make_scrambled_password_323(char *to, const char *password) ...@@ -178,13 +160,11 @@ void make_scrambled_password_323(char *to, const char *password)
message IN Message to scramble. Message must be exactly message IN Message to scramble. Message must be exactly
SRAMBLE_LENGTH_323 long and NULL terminated. SRAMBLE_LENGTH_323 long and NULL terminated.
password IN Password to use while scrambling password IN Password to use while scrambling
old_ver IN Force old version random number generator
RETURN RETURN
End of scrambled string End of scrambled string
*/ */
char *scramble_323(char *to, const char *message, const char *password, char *scramble_323(char *to, const char *message, const char *password)
my_bool old_ver)
{ {
struct rand_struct rand_st; struct rand_struct rand_st;
ulong hash_pass[2], hash_message[2]; ulong hash_pass[2], hash_message[2];
...@@ -194,21 +174,15 @@ char *scramble_323(char *to, const char *message, const char *password, ...@@ -194,21 +174,15 @@ char *scramble_323(char *to, const char *message, const char *password,
char *to_start=to; char *to_start=to;
hash_password(hash_pass,password); hash_password(hash_pass,password);
hash_password(hash_message, message); hash_password(hash_message, message);
if (old_ver) randominit(&rand_st,hash_pass[0] ^ hash_message[0],
old_randominit(&rand_st,hash_pass[0] ^ hash_message[0]); hash_pass[1] ^ hash_message[1]);
else
randominit(&rand_st,hash_pass[0] ^ hash_message[0],
hash_pass[1] ^ hash_message[1]);
while (*message++) while (*message++)
*to++= (char) (floor(my_rnd(&rand_st)*31)+64); *to++= (char) (floor(my_rnd(&rand_st)*31)+64);
if (!old_ver) char extra=(char) (floor(my_rnd(&rand_st)*31));
{ /* Make it harder to break */ while (to_start != to)
char extra=(char) (floor(my_rnd(&rand_st)*31)); *(to_start++)^=extra;
while (to_start != to)
*(to_start++)^=extra;
}
} }
*to=0; *to= 0;
return to; return to;
} }
...@@ -223,7 +197,6 @@ char *scramble_323(char *to, const char *message, const char *password, ...@@ -223,7 +197,6 @@ char *scramble_323(char *to, const char *message, const char *password,
be exactly SCRAMBLED_LENGTH_323 bytes long and be exactly SCRAMBLED_LENGTH_323 bytes long and
NULL-terminated. NULL-terminated.
hash_pass IN password which should be used for scrambling hash_pass IN password which should be used for scrambling
old_ver IN force old (3.20) version random number generator
RETURN VALUE RETURN VALUE
0 - password correct 0 - password correct
!0 - password invalid !0 - password invalid
...@@ -231,7 +204,7 @@ char *scramble_323(char *to, const char *message, const char *password, ...@@ -231,7 +204,7 @@ char *scramble_323(char *to, const char *message, const char *password,
my_bool my_bool
check_scramble_323(const char *scrambled, const char *message, check_scramble_323(const char *scrambled, const char *message,
ulong *hash_pass, my_bool old_ver) ulong *hash_pass)
{ {
struct rand_struct rand_st; struct rand_struct rand_st;
ulong hash_message[2]; ulong hash_message[2];
...@@ -243,18 +216,12 @@ check_scramble_323(const char *scrambled, const char *message, ...@@ -243,18 +216,12 @@ check_scramble_323(const char *scrambled, const char *message,
return 1; /* Wrong password */ return 1; /* Wrong password */
hash_password(hash_message,message); hash_password(hash_message,message);
if (old_ver) randominit(&rand_st,hash_pass[0] ^ hash_message[0],
old_randominit(&rand_st,hash_pass[0] ^ hash_message[0]); hash_pass[1] ^ hash_message[1]);
else
randominit(&rand_st,hash_pass[0] ^ hash_message[0],
hash_pass[1] ^ hash_message[1]);
to=buff; to=buff;
for (pos=scrambled ; *pos ; pos++) for (pos=scrambled ; *pos ; pos++)
*to++=(char) (floor(my_rnd(&rand_st)*31)+64); *to++=(char) (floor(my_rnd(&rand_st)*31)+64);
if (old_ver) extra=(char) (floor(my_rnd(&rand_st)*31));
extra=0;
else
extra=(char) (floor(my_rnd(&rand_st)*31));
to=buff; to=buff;
while (*scrambled) while (*scrambled)
{ {
......
...@@ -210,6 +210,7 @@ sys_var_thd_ulong sys_net_retry_count("net_retry_count", ...@@ -210,6 +210,7 @@ sys_var_thd_ulong sys_net_retry_count("net_retry_count",
&SV::net_retry_count, &SV::net_retry_count,
fix_net_retry_count); fix_net_retry_count);
sys_var_thd_bool sys_new_mode("new", &SV::new_mode); sys_var_thd_bool sys_new_mode("new", &SV::new_mode);
sys_var_thd_bool sys_old_passwords("old_passwords", &SV::old_passwords);
sys_var_thd_ulong sys_preload_buff_size("preload_buffer_size", sys_var_thd_ulong sys_preload_buff_size("preload_buffer_size",
&SV::preload_buff_size); &SV::preload_buff_size);
sys_var_thd_ulong sys_read_buff_size("read_buffer_size", sys_var_thd_ulong sys_read_buff_size("read_buffer_size",
...@@ -236,6 +237,7 @@ sys_var_thd_enum sys_query_cache_type("query_cache_type", ...@@ -236,6 +237,7 @@ sys_var_thd_enum sys_query_cache_type("query_cache_type",
&SV::query_cache_type, &SV::query_cache_type,
&query_cache_type_typelib); &query_cache_type_typelib);
#endif /* HAVE_QUERY_CACHE */ #endif /* HAVE_QUERY_CACHE */
sys_var_bool_ptr sys_secure_auth("secure_auth", &opt_secure_auth);
sys_var_long_ptr sys_server_id("server_id",&server_id); sys_var_long_ptr sys_server_id("server_id",&server_id);
sys_var_bool_ptr sys_slave_compressed_protocol("slave_compressed_protocol", sys_var_bool_ptr sys_slave_compressed_protocol("slave_compressed_protocol",
&opt_slave_compressed_protocol); &opt_slave_compressed_protocol);
...@@ -425,6 +427,7 @@ sys_var *sys_variables[]= ...@@ -425,6 +427,7 @@ sys_var *sys_variables[]=
&sys_net_wait_timeout, &sys_net_wait_timeout,
&sys_net_write_timeout, &sys_net_write_timeout,
&sys_new_mode, &sys_new_mode,
&sys_old_passwords,
&sys_preload_buff_size, &sys_preload_buff_size,
&sys_pseudo_thread_id, &sys_pseudo_thread_id,
&sys_query_cache_size, &sys_query_cache_size,
...@@ -443,6 +446,7 @@ sys_var *sys_variables[]= ...@@ -443,6 +446,7 @@ sys_var *sys_variables[]=
#endif #endif
&sys_rpl_recovery_rank, &sys_rpl_recovery_rank,
&sys_safe_updates, &sys_safe_updates,
&sys_secure_auth,
&sys_select_limit, &sys_select_limit,
&sys_server_id, &sys_server_id,
#ifdef HAVE_REPLICATION #ifdef HAVE_REPLICATION
...@@ -600,6 +604,7 @@ struct show_var_st init_vars[]= { ...@@ -600,6 +604,7 @@ struct show_var_st init_vars[]= {
{sys_net_retry_count.name, (char*) &sys_net_retry_count, SHOW_SYS}, {sys_net_retry_count.name, (char*) &sys_net_retry_count, SHOW_SYS},
{sys_net_write_timeout.name,(char*) &sys_net_write_timeout, SHOW_SYS}, {sys_net_write_timeout.name,(char*) &sys_net_write_timeout, SHOW_SYS},
{sys_new_mode.name, (char*) &sys_new_mode, SHOW_SYS}, {sys_new_mode.name, (char*) &sys_new_mode, SHOW_SYS},
{sys_old_passwords.name, (char*) &sys_old_passwords, SHOW_SYS},
{"open_files_limit", (char*) &open_files_limit, SHOW_LONG}, {"open_files_limit", (char*) &open_files_limit, SHOW_LONG},
{"pid_file", (char*) pidfile_name, SHOW_CHAR}, {"pid_file", (char*) pidfile_name, SHOW_CHAR},
{"log_error", (char*) log_error_file, SHOW_CHAR}, {"log_error", (char*) log_error_file, SHOW_CHAR},
...@@ -620,6 +625,7 @@ struct show_var_st init_vars[]= { ...@@ -620,6 +625,7 @@ struct show_var_st init_vars[]= {
SHOW_SYS}, SHOW_SYS},
{sys_query_cache_size.name, (char*) &sys_query_cache_size, SHOW_SYS}, {sys_query_cache_size.name, (char*) &sys_query_cache_size, SHOW_SYS},
{sys_query_cache_type.name, (char*) &sys_query_cache_type, SHOW_SYS}, {sys_query_cache_type.name, (char*) &sys_query_cache_type, SHOW_SYS},
{"secure_auth", (char*) &sys_secure_auth, SHOW_SYS},
#endif /* HAVE_QUERY_CACHE */ #endif /* HAVE_QUERY_CACHE */
#ifdef HAVE_SMEM #ifdef HAVE_SMEM
{"shared_memory", (char*) &opt_enable_shared_memory, SHOW_MY_BOOL}, {"shared_memory", (char*) &opt_enable_shared_memory, SHOW_MY_BOOL},
......
...@@ -652,3 +652,5 @@ ulong fix_sql_mode(ulong sql_mode); ...@@ -652,3 +652,5 @@ ulong fix_sql_mode(ulong sql_mode);
extern sys_var_str sys_charset_system; extern sys_var_str sys_charset_system;
CHARSET_INFO *get_old_charset_by_name(const char *old_name); CHARSET_INFO *get_old_charset_by_name(const char *old_name);
extern sys_var_thd_bool sys_old_passwords;
...@@ -275,3 +275,4 @@ v/* ...@@ -275,3 +275,4 @@ v/*
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -269,3 +269,4 @@ ...@@ -269,3 +269,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -277,3 +277,4 @@ ...@@ -277,3 +277,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -271,3 +271,4 @@ ...@@ -271,3 +271,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -271,3 +271,4 @@ ...@@ -271,3 +271,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -266,3 +266,4 @@ ...@@ -266,3 +266,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -275,3 +275,4 @@ ...@@ -275,3 +275,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -266,3 +266,4 @@ ...@@ -266,3 +266,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -268,3 +268,4 @@ ...@@ -268,3 +268,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -266,3 +266,4 @@ ...@@ -266,3 +266,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -268,3 +268,4 @@ ...@@ -268,3 +268,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -266,3 +266,4 @@ ...@@ -266,3 +266,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -268,3 +268,4 @@ ...@@ -268,3 +268,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -268,3 +268,4 @@ ...@@ -268,3 +268,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -270,3 +270,4 @@ ...@@ -270,3 +270,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -266,3 +266,4 @@ ...@@ -266,3 +266,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -270,3 +270,4 @@ ...@@ -270,3 +270,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -268,3 +268,4 @@ ...@@ -268,3 +268,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
" --secure-auth ( ), '%s@%s' Σ ; "
...@@ -262,3 +262,4 @@ ...@@ -262,3 +262,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -274,3 +274,4 @@ ...@@ -274,3 +274,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -267,3 +267,4 @@ ...@@ -267,3 +267,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -266,3 +266,4 @@ ...@@ -266,3 +266,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -271,3 +271,4 @@ ...@@ -271,3 +271,4 @@
"Can't revoke all privileges, grant for one or more of the requested users" "Can't revoke all privileges, grant for one or more of the requested users"
"Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'", "Illegal mix of collations (%s,%s), (%s,%s), (%s,%s) for operation '%s'",
"Illegal mix of collations for operation '%s'", "Illegal mix of collations for operation '%s'",
"Server is running in --secure-auth mode, but '%s@%s' has a password in the old format; please change the password to the new format"
...@@ -87,16 +87,33 @@ set_user_salt(ACL_USER *acl_user, const char *password, uint password_len) ...@@ -87,16 +87,33 @@ set_user_salt(ACL_USER *acl_user, const char *password, uint password_len)
get_salt_from_password(acl_user->salt, password); get_salt_from_password(acl_user->salt, password);
acl_user->salt_len= SCRAMBLE_LENGTH; acl_user->salt_len= SCRAMBLE_LENGTH;
} }
else if (password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323 else if (password_len == SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
|| password_len == 8 && protocol_version == 9)
{ {
get_salt_from_password_323((ulong *) acl_user->salt, password); get_salt_from_password_323((ulong *) acl_user->salt, password);
acl_user->salt_len= password_len/2; acl_user->salt_len= SCRAMBLE_LENGTH_323;
} }
else else
acl_user->salt_len= 0; acl_user->salt_len= 0;
} }
/*
This after_update function is used when user.password is less than
SCRAMBLE_LENGTH bytes.
*/
static void restrict_update_of_old_passwords_var(THD *thd,
enum_var_type var_type)
{
if (var_type == OPT_GLOBAL)
{
pthread_mutex_lock(&LOCK_global_system_variables);
global_system_variables.old_passwords= 1;
pthread_mutex_unlock(&LOCK_global_system_variables);
}
else
thd->variables.old_passwords= 1;
}
/* /*
Read grant privileges from the privilege tables in the 'mysql' database. Read grant privileges from the privilege tables in the 'mysql' database.
...@@ -139,8 +156,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables) ...@@ -139,8 +156,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
if (!(thd=new THD)) if (!(thd=new THD))
DBUG_RETURN(1); /* purecov: inspected */ DBUG_RETURN(1); /* purecov: inspected */
thd->store_globals(); thd->store_globals();
/* Use passwords according to command line option */
use_old_passwords= opt_old_passwords;
acl_cache->clear(1); // Clear locked hostname cache acl_cache->clear(1); // Clear locked hostname cache
thd->db= my_strdup("mysql",MYF(0)); thd->db= my_strdup("mysql",MYF(0));
...@@ -197,24 +212,43 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables) ...@@ -197,24 +212,43 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
init_read_record(&read_record_info,thd,table=tables[1].table,NULL,1,0); init_read_record(&read_record_info,thd,table=tables[1].table,NULL,1,0);
VOID(my_init_dynamic_array(&acl_users,sizeof(ACL_USER),50,100)); VOID(my_init_dynamic_array(&acl_users,sizeof(ACL_USER),50,100));
if (table->field[2]->field_length == 8 && if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH_323)
protocol_version == PROTOCOL_VERSION)
{ {
sql_print_error("Old 'user' table. " sql_print_error("Fatal error: mysql.user table is damaged or in "
"(Check README or the Reference manual). " "unsupported 3.20 format.");
"Continuing --old-protocol"); /* purecov: tested */ goto end;
protocol_version=9; /* purecov: tested */
} }
DBUG_PRINT("info",("user table fields: %d, password length: %d", DBUG_PRINT("info",("user table fields: %d, password length: %d",
table->fields, table->field[2]->field_length)); table->fields, table->field[2]->field_length));
if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH &&
!use_old_passwords) pthread_mutex_lock(&LOCK_global_system_variables);
if (table->field[2]->field_length < SCRAMBLED_PASSWORD_CHAR_LENGTH)
{ {
sql_print_error("mysql.user table is not updated to new password format; " if (opt_secure_auth)
"Disabling new password usage until " {
"mysql_fix_privilege_tables is run"); pthread_mutex_unlock(&LOCK_global_system_variables);
use_old_passwords= 1; sql_print_error("Fatal error: mysql.user table is in old format, "
"but server started with --secure-auth option.");
goto end;
}
sys_old_passwords.after_update= restrict_update_of_old_passwords_var;
if (global_system_variables.old_passwords)
pthread_mutex_unlock(&LOCK_global_system_variables);
else
{
global_system_variables.old_passwords= 1;
pthread_mutex_unlock(&LOCK_global_system_variables);
sql_print_error("mysql.user table is not updated to new password format; "
"Disabling new password usage until "
"mysql_fix_privilege_tables is run");
}
thd->variables.old_passwords= 1;
}
else
{
sys_old_passwords.after_update= 0;
pthread_mutex_unlock(&LOCK_global_system_variables);
} }
allow_all_hosts=0; allow_all_hosts=0;
...@@ -229,12 +263,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables) ...@@ -229,12 +263,6 @@ my_bool acl_init(THD *org_thd, bool dont_read_acl_tables)
if (user.salt_len == 0 && password_len != 0) if (user.salt_len == 0 && password_len != 0)
{ {
switch (password_len) { switch (password_len) {
case 8: /* 3.20: to be removed */
sql_print_error("Found old style password for user '%s'. "
"Ignoring user. (You may want to restart mysqld "
"using --old-protocol) ",
user.user ? user.user : "");
break;
case 45: /* 4.1: to be removed */ case 45: /* 4.1: to be removed */
sql_print_error("Found 4.1 style password for user '%s'. " sql_print_error("Found 4.1 style password for user '%s'. "
"Ignoring user. " "Ignoring user. "
...@@ -513,7 +541,6 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b) ...@@ -513,7 +541,6 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
original random string, original random string,
passwd_len IN length of passwd, must be one of 0, 8, passwd_len IN length of passwd, must be one of 0, 8,
SCRAMBLE_LENGTH_323, SCRAMBLE_LENGTH SCRAMBLE_LENGTH_323, SCRAMBLE_LENGTH
old_version IN if old (3.20) protocol is used
RETURN VALUE RETURN VALUE
0 success: thread data and mqh are updated 0 success: thread data and mqh are updated
1 user not found or authentification failure 1 user not found or authentification failure
...@@ -521,9 +548,8 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b) ...@@ -521,9 +548,8 @@ static int acl_compare(ACL_ACCESS *a,ACL_ACCESS *b)
-1 user found, has short (3.23) salt, but passwd is in new (4.1.1) format. -1 user found, has short (3.23) salt, but passwd is in new (4.1.1) format.
*/ */
int int acl_getroot(THD *thd, USER_RESOURCES *mqh,
acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd, uint passwd_len)
const char *passwd, uint passwd_len, bool old_version)
{ {
DBUG_ENTER("acl_getroot"); DBUG_ENTER("acl_getroot");
...@@ -557,7 +583,7 @@ acl_getroot(THD *thd, USER_RESOURCES *mqh, ...@@ -557,7 +583,7 @@ acl_getroot(THD *thd, USER_RESOURCES *mqh,
user_i->salt_len == SCRAMBLE_LENGTH && user_i->salt_len == SCRAMBLE_LENGTH &&
check_scramble(passwd, thd->scramble, user_i->salt) == 0 || check_scramble(passwd, thd->scramble, user_i->salt) == 0 ||
check_scramble_323(passwd, thd->scramble_323, check_scramble_323(passwd, thd->scramble_323,
(ulong *) user_i->salt, old_version) == 0) (ulong *) user_i->salt) == 0)
{ {
acl_user= user_i; acl_user= user_i;
res= 0; res= 0;
......
...@@ -135,8 +135,8 @@ void acl_reload(THD *thd); ...@@ -135,8 +135,8 @@ void acl_reload(THD *thd);
void acl_free(bool end=0); void acl_free(bool end=0);
ulong acl_get(const char *host, const char *ip, const char *bin_ip, ulong acl_get(const char *host, const char *ip, const char *bin_ip,
const char *user, const char *db); const char *user, const char *db);
int acl_getroot(THD *thd, USER_RESOURCES *mqh, int acl_getroot(THD *thd, USER_RESOURCES *mqh, const char *passwd,
const char *passwd, uint passwd_len, bool old_ver); uint passwd_len);
bool acl_check_host(const char *host, const char *ip); bool acl_check_host(const char *host, const char *ip);
bool check_change_password(THD *thd, const char *host, const char *user); bool check_change_password(THD *thd, const char *host, const char *user);
bool change_password(THD *thd, const char *host, const char *user, bool change_password(THD *thd, const char *host, const char *user,
......
...@@ -386,6 +386,7 @@ struct system_variables ...@@ -386,6 +386,7 @@ struct system_variables
my_bool log_warnings; my_bool log_warnings;
my_bool low_priority_updates; my_bool low_priority_updates;
my_bool new_mode; my_bool new_mode;
my_bool old_passwords;
CHARSET_INFO *character_set_server; CHARSET_INFO *character_set_server;
CHARSET_INFO *character_set_database; CHARSET_INFO *character_set_database;
......
...@@ -204,7 +204,22 @@ static int check_user(THD *thd, enum enum_server_command command, ...@@ -204,7 +204,22 @@ static int check_user(THD *thd, enum enum_server_command command,
bool check_count) bool check_count)
{ {
DBUG_ENTER("check_user"); DBUG_ENTER("check_user");
my_bool opt_secure_auth_local;
pthread_mutex_lock(&LOCK_global_system_variables);
opt_secure_auth_local= opt_secure_auth;
pthread_mutex_unlock(&LOCK_global_system_variables);
/*
If the server is running in secure auth mode, short scrambles are
forbidden.
*/
if (opt_secure_auth_local && passwd_len == SCRAMBLE_LENGTH_323)
{
net_printf(thd, ER_NOT_SUPPORTED_AUTH_MODE);
mysql_log.write(thd, COM_CONNECT, ER(ER_NOT_SUPPORTED_AUTH_MODE));
DBUG_RETURN(-1);
}
if (passwd_len != 0 && if (passwd_len != 0 &&
passwd_len != SCRAMBLE_LENGTH && passwd_len != SCRAMBLE_LENGTH &&
passwd_len != SCRAMBLE_LENGTH_323) passwd_len != SCRAMBLE_LENGTH_323)
...@@ -220,9 +235,7 @@ static int check_user(THD *thd, enum enum_server_command command, ...@@ -220,9 +235,7 @@ static int check_user(THD *thd, enum enum_server_command command,
char buff[NAME_LEN + 1]; /* to conditionally save db */ char buff[NAME_LEN + 1]; /* to conditionally save db */
USER_RESOURCES ur; USER_RESOURCES ur;
int res= acl_getroot(thd, &ur, passwd, passwd_len, int res= acl_getroot(thd, &ur, passwd, passwd_len);
protocol_version == 9 ||
!(thd->client_capabilities & CLIENT_LONG_PASSWORD));
if (res == -1) if (res == -1)
{ {
/* /*
...@@ -231,6 +244,14 @@ static int check_user(THD *thd, enum enum_server_command command, ...@@ -231,6 +244,14 @@ static int check_user(THD *thd, enum enum_server_command command,
scramble_323()). Here we please client to send scrambled_password scramble_323()). Here we please client to send scrambled_password
in old format. in old format.
*/ */
if (opt_secure_auth_local)
{
net_printf(thd, ER_SERVER_IS_IN_SECURE_AUTH_MODE,
thd->user, thd->host_or_ip);
mysql_log.write(thd, COM_CONNECT, ER(ER_SERVER_IS_IN_SECURE_AUTH_MODE),
thd->user, thd->host_or_ip);
DBUG_RETURN(-1);
}
/* save db because network buffer is to hold new packet */ /* save db because network buffer is to hold new packet */
if (db) if (db)
{ {
...@@ -247,8 +268,7 @@ static int check_user(THD *thd, enum enum_server_command command, ...@@ -247,8 +268,7 @@ static int check_user(THD *thd, enum enum_server_command command,
} }
/* Final attempt to check the user based on reply */ /* Final attempt to check the user based on reply */
/* So as passwd is short, errcode is always >= 0 */ /* So as passwd is short, errcode is always >= 0 */
res= acl_getroot(thd, &ur, (char *) net->read_pos, SCRAMBLE_LENGTH_323, res= acl_getroot(thd, &ur, (char *) net->read_pos, SCRAMBLE_LENGTH_323);
false);
} }
/* here res is always >= 0 */ /* here res is always >= 0 */
if (res == 0) if (res == 0)
......
...@@ -2517,7 +2517,8 @@ simple_expr: ...@@ -2517,7 +2517,8 @@ simple_expr:
{ $$= new Item_func_now($3); Lex->safe_to_cache_query=0;} { $$= new Item_func_now($3); Lex->safe_to_cache_query=0;}
| PASSWORD '(' expr ')' | PASSWORD '(' expr ')'
{ {
$$= use_old_passwords ? (Item *) new Item_func_old_password($3) : $$= YYTHD->variables.old_passwords ?
(Item *) new Item_func_old_password($3) :
(Item *) new Item_func_password($3); (Item *) new Item_func_password($3);
} }
| OLD_PASSWORD '(' expr ')' | OLD_PASSWORD '(' expr ')'
...@@ -4607,7 +4608,7 @@ text_or_password: ...@@ -4607,7 +4608,7 @@ text_or_password:
TEXT_STRING { $$=$1.str;} TEXT_STRING { $$=$1.str;}
| PASSWORD '(' TEXT_STRING ')' | PASSWORD '(' TEXT_STRING ')'
{ {
$$= $3.length ? use_old_passwords ? $$= $3.length ? YYTHD->variables.old_passwords ?
Item_func_old_password::alloc(YYTHD, $3.str) : Item_func_old_password::alloc(YYTHD, $3.str) :
Item_func_password::alloc(YYTHD, $3.str) : Item_func_password::alloc(YYTHD, $3.str) :
$3.str; $3.str;
...@@ -4923,7 +4924,7 @@ grant_user: ...@@ -4923,7 +4924,7 @@ grant_user:
$$=$1; $1->password=$4; $$=$1; $1->password=$4;
if ($4.length) if ($4.length)
{ {
if (use_old_passwords) if (YYTHD->variables.old_passwords)
{ {
char *buff= char *buff=
(char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1); (char *) YYTHD->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH_323+1);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment