More work on secure connection protocol. commited in order to do the sync with new large pushed

bunch.

More work on secure connection protocol. commited in order to do the sync with new large pushed
bunch.
37245fd1 · peter@mysql.com · d448caba · 37245fd1 · 37245fd1 · 37245fd1
Commit 37245fd1 authored Oct 19, 2002 by peter@mysql.com
5 changed files
--- a/client/insert_test.c
+++ b/client/insert_test.c
@@ -16,6 +16,7 @@

 #include <stdio.h>
 #include <stdlib.h>
+#include "my_global.h"
 #include "mysql.h"

 #define INSERT_QUERY "insert into test (name,num) values ('item %d', %d)"

--- a/client/select_test.c
+++ b/client/select_test.c
@@ -19,6 +19,7 @@
 #endif
 #include <stdio.h>
 #include <stdlib.h>
+#include "my_global.h"
 #include "mysql.h"

 #define SELECT_QUERY "select name from test where num = %d"

--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -97,6 +97,7 @@ enum enum_server_command
 #define CLIENT_IGNORE_SIGPIPE   4096     /* IGNORE sigpipes */
 #define CLIENT_TRANSACTIONS	8192	/* Client knows about transactions */
 #define CLIENT_PROTOCOL_41       16384   /* New 4.1 protocol  */
+#define CLIENT_SECURE_CONNECTION 32768   /* New 4.1 authentication */

 #define SERVER_STATUS_IN_TRANS     1	/* Transaction has started */
 #define SERVER_STATUS_AUTOCOMMIT   2	/* Server in auto_commit mode */

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -317,6 +317,7 @@ uint volatile thread_count=0, thread_running=0, kill_cached_threads=0,
 ulong thd_startup_options=(OPTION_UPDATE_LOG | OPTION_AUTO_IS_NULL |
 			   OPTION_BIN_LOG | OPTION_QUOTE_SHOW_CREATE );
 uint protocol_version=PROTOCOL_VERSION;
+uint connection_auth_flag=0; /* Supported authentication mode */ 
 struct system_variables global_system_variables;
 struct system_variables max_system_variables;
 ulong keybuff_size,table_cache_size,

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -32,6 +32,8 @@
 #include <assert.h>
 #include <stdarg.h>

+extern uint connection_auth_flag;
+
 struct acl_host_and_ip
 {
  char *hostname;
@@ -143,7 +145,11 @@ my_bool acl_init(bool dont_read_acl_tables)
 			    (hash_get_key) acl_entry_get_key,
 			    (void (*)(void*)) free);
  if (dont_read_acl_tables)
+  {
+    /* If we do not read tables use old handshake to make it quick for all clients */ 
+    connection_auth_flag=CLIENT_LONG_PASSWORD; 
    DBUG_RETURN(0); /* purecov: tested */
+  }    

  /*
    To be able to run this from boot, we allocate a temporary THD
@@ -218,6 +224,7 @@ my_bool acl_init(bool dont_read_acl_tables)

  DBUG_PRINT("info",("user table fields: %d",table->fields));
  allow_all_hosts=0;
+  connection_auth_flag=0; /* Reset flag as we're rereading the table */
  while (!(read_record_info.read_record(&read_record_info)))
  {
    ACL_USER user;
@@ -242,6 +249,18 @@ my_bool acl_init(bool dont_read_acl_tables)
    }
    get_salt_from_password(user.salt,user.password);
    user.pversion=get_password_version(user.password);
+    /*
+      We check the version of passwords in database. If no old passwords found we can force new handshake
+      if there are only old password we will force new handshake. In case of both types of passwords
+      found we will perform 2 stage authentication.
+    */
+    if (user.password && user.password[0]!=0) /* empty passwords are not counted */ 
+    {
+      if (user.pversion) 
+        connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+      else
+        connection_auth_flag|=CLIENT_LONG_PASSWORD;   
+    }  
    user.access=get_access(table,3) & GLOBAL_ACLS;
    user.sort=get_sort(2,user.host.hostname,user.user);
    user.hostname_length= (user.host.hostname ?
@@ -299,7 +318,18 @@ my_bool acl_init(bool dont_read_acl_tables)
 	sizeof(ACL_USER),(qsort_cmp) acl_compare);
  end_read_record(&read_record_info);
  freeze_size(&acl_users);
-
+  
+  /* 
+   If database is empty or has no passwords use new connection protocol 
+   unless we're running with --old-passwords option
+  */ 
+  if (!connection_auth_flag)
+  {
+    if(!opt_old_passwords)     
+     connection_auth_flag=CLIENT_SECURE_CONNECTION;
+    else connection_auth_flag=CLIENT_LONG_PASSWORD; 
+  }
+  printf("Set flag after read: %d\n",connection_auth_flag);
  init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0);
  VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100));
  while (!(read_record_info.read_record(&read_record_info)))
@@ -674,6 +704,12 @@ static void acl_update_user(const char *user, const char *host,
 	    acl_user->password=(char*) "";	// Just point at something
 	    get_salt_from_password(acl_user->salt,password);
 	    acl_user->pversion=get_password_version(acl_user->password);
+	    // We should allow connection with authentication method matching password
+	    if (acl_user->pversion)
+	      connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+	    else
+	      connection_auth_flag|=CLIENT_LONG_PASSWORD;  
+	    printf("Debug: flag set to %d\n",connection_auth_flag);      
 	  }
 	}
 	break;
@@ -1084,7 +1120,15 @@ bool change_password(THD *thd, const char *host, const char *user,
  if (!new_password[0])
    acl_user->password=0;
  else
-    acl_user->password=(char*) "";		// Point at something
+  {
+    acl_user->password=(char*) "";		// Point at something        
+    /* Adjust global connection options depending of client password*/
+    if (acl_user->pversion)
+      connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+    else
+      connection_auth_flag|=CLIENT_LONG_PASSWORD;    
+  }
+    
  acl_cache->clear(1);				// Clear locked hostname cache
  VOID(pthread_mutex_unlock(&acl_cache->lock));