Bug#11766631 (59780) - Move the client authentication_windows plugin

into the server repository This patch adds client windows authentication plugin code to the client library libmysql (only on Windows platform). The plugin is compiled into the library and added to the list of built-in plugins. This way clients should be able to connect to a server which uses windows authentication plugin even as an SQL user which uses such authentication. Note: this makes the client library to depend on Secur32 Windows system library. When building clients, they must be linked against Secur32. Command mysql_config --libs correctly lists Secur32 as a required dependency.

Bug#11766631 (59780) - Move the client authentication_windows plugin
into the server repository This patch adds client windows authentication plugin code to the client library libmysql (only on Windows platform). The plugin is compiled into the library and added to the list of built-in plugins. This way clients should be able to connect to a server which uses windows authentication plugin even as an SQL user which uses such authentication. Note: this makes the client library to depend on Secur32 Windows system library. When building clients, they must be linked against Secur32. Command mysql_config --libs correctly lists Secur32 as a required dependency.
c50c571f · Rafal Somla · dfc5c4ee · c50c571f · c50c571f · c50c571f
Commit c50c571f authored Apr 28, 2011 by Rafal Somla
10 changed files
--- a/libmysql/CMakeLists.txt
+++ b/libmysql/CMakeLists.txt
-# Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -134,6 +134,12 @@ CACHE INTERNAL "Functions exported by client API"

 )

+IF(WIN32)
+  ADD_SUBDIRECTORY(authentication_win)
+  SET(WITH_AUTHENTICATION_WIN 1)
+  ADD_DEFINITIONS(-DAUTHENTICATION_WIN)
+ENDIF(WIN32)
+
 SET(CLIENT_SOURCES
  get_password.c 
  libmysql.c
@@ -151,6 +157,10 @@ ADD_DEPENDENCIES(clientlib GenError)

 SET(LIBS clientlib dbug strings vio mysys ${ZLIB_LIBRARY} ${SSL_LIBRARIES} ${LIBDL})

+IF(WITH_AUTHENTICATION_WIN)
+  LIST(APPEND LIBS auth_win_client)
+ENDIF(WITH_AUTHENTICATION_WIN)
+
 # Merge several convenience libraries into one big mysqlclient
 # and link them together into shared library.
 MERGE_LIBRARIES(mysqlclient STATIC ${LIBS} COMPONENT Development)

--- a/libmysql/authentication_win/CMakeLists.txt
+++ b/libmysql/authentication_win/CMakeLists.txt
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+
+#
+# Configuration for building Windows Authentication Plugin (client-side)
+#
+
+ADD_DEFINITIONS(-DSECURITY_WIN32)
+ADD_DEFINITIONS(-DDEBUG_ERRROR_LOG)	# no error logging in production builds
+
+SET(HEADERS common.h handshake.h)
+SET(PLUGIN_SOURCES plugin_client.cc handshake_client.cc log_client.cc common.cc handshake.cc)
+
+ADD_CONVENIENCE_LIBRARY(auth_win_client ${PLUGIN_SOURCES} ${HEADERS})
+TARGET_LINK_LIBRARIES(auth_win_client Secur32)
+
+# In IDE, group headers in a separate folder.
+
+SOURCE_GROUP(Headers REGULAR_EXPRESSION ".*h$")
--- a/libmysql/authentication_win/common.cc
+++ b/libmysql/authentication_win/common.cc
--- a/libmysql/authentication_win/common.h
+++ b/libmysql/authentication_win/common.h
+/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+
+#ifndef COMMON_H
+#define COMMON_H
+
+#include <my_global.h>
+#include <windows.h>
+#include <sspi.h>              // for CtxtHandle
+#include <mysql/plugin_auth.h> // for MYSQL_PLUGIN_VIO
+
+/// Maximum length of the target service name.
+#define MAX_SERVICE_NAME_LENGTH  1024
+
+
+/** Debugging and error reporting infrastructure ***************************/
+
+/*
+  Note: We use plugin local logging and error reporting mechanisms until
+  WL#2940 (plugin service: error reporting) is available.
+*/
+
+#undef INFO
+#undef WARNING
+#undef ERROR
+
+struct error_log_level
+{
+  typedef enum {INFO, WARNING, ERROR}  type;
+};
+
+#undef  DBUG_ASSERT
+#ifndef DBUG_OFF
+#define DBUG_ASSERT(X)  assert(X)
+#else
+#define DBUG_ASSERT(X)  do {} while (0)
+#endif
+
+extern "C" int opt_auth_win_client_log;
+
+/*
+  Note1: Double level of indirection in definition of DBUG_PRINT allows to
+  temporary redefine or disable DBUG_PRINT macro and then easily return to
+  the original definition (in terms of DBUG_PRINT_DO).
+
+  Note2: DBUG_PRINT() can use printf-like format string like this:
+
+    DBUG_PRINT(Keyword, ("format string", args));
+
+  The implementation should handle it correctly. Currently it is passed 
+  to fprintf() (see debug_msg() function).
+*/
+
+#ifndef DBUG_OFF
+#define DBUG_PRINT_DO(Keyword, Msg) \
+  do { \
+    if (2 > opt_auth_win_client_log) break; \
+    fprintf(stderr, "winauth: %s: ", Keyword); \
+    debug_msg Msg; \
+  } while (0)
+#else
+#define DBUG_PRINT_DO(K, M)  do {} while (0)
+#endif
+
+#undef  DBUG_PRINT
+#define DBUG_PRINT(Keyword, Msg)  DBUG_PRINT_DO(Keyword, Msg)
+
+/*
+  If DEBUG_ERROR_LOG is defined then error logging happens only
+  in debug-copiled code. Otherwise ERROR_LOG() expands to 
+  error_log_print() even in production code. Note that in client
+  plugin, error_log_print() will print nothing if opt_auth_win_clinet_log
+  is 0.
+*/
+#if defined(DEBUG_ERROR_LOG) && defined(DBUG_OFF)
+#define ERROR_LOG(Level, Msg)     do {} while (0)
+#else
+#define ERROR_LOG(Level, Msg)     error_log_print< error_log_level::Level > Msg
+#endif
+
+inline
+void debug_msg(const char *fmt, ...)
+{
+  va_list args;
+  va_start(args, fmt);
+  vfprintf(stderr, fmt, args);
+  fputc('\n', stderr);
+  fflush(stderr);
+  va_end(args);
+}
+
+
+void error_log_vprint(error_log_level::type level,
+                        const char *fmt, va_list args);
+
+template <error_log_level::type Level>
+void error_log_print(const char *fmt, ...)
+{
+  va_list args;
+  va_start(args, fmt);
+  error_log_vprint(Level, fmt, args);
+  va_end(args);
+}
+
+typedef char Error_message_buf[1024];
+const char* get_last_error_message(Error_message_buf);
+
+
+/** Blob class *************************************************************/
+
+typedef unsigned char byte;
+
+/**
+  Class representing a region of memory (e.g., a string or binary buffer).
+
+  @note This class does not allocate memory. It merely describes a region
+  of memory which must be allocated externally (if it is dynamic memory).
+*/
+
+class Blob
+{
+  byte   *m_ptr;  ///< Pointer to the first byte of the memory region.
+  size_t  m_len;  ///< Length of the memory region.
+
+public:
+
+  Blob(): m_ptr(NULL), m_len(0)
+  {}
+
+  Blob(const byte *ptr, const size_t len)
+  : m_ptr(const_cast<byte*>(ptr)), m_len(len)
+  {}
+
+  Blob(const char *str): m_ptr((byte*)str)
+  {
+    m_len= strlen(str);
+  }
+
+  byte*  ptr() const
+  {
+    return m_ptr;
+  }
+
+  size_t len() const
+  {
+    return m_len;
+  }
+
+  byte operator[](unsigned pos) const
+  {
+    return pos < len() ? m_ptr[pos] : 0x00;
+  }
+
+  bool is_null() const
+  {
+    return m_ptr == NULL;
+  }
+};
+
+
+/** Connection class *******************************************************/
+
+/**
+  Convenience wrapper around MYSQL_PLUGIN_VIO object providing basic
+  read/write operations.
+*/
+
+class Connection
+{
+  MYSQL_PLUGIN_VIO *m_vio;    ///< Pointer to @c MYSQL_PLUGIN_VIO structure.
+
+  /**
+    If non-zero, indicates that connection is broken. If this has happened
+    because of failed operation, stores non-zero error code from that failure.
+  */
+  int               m_error;
+
+public:
+
+  Connection(MYSQL_PLUGIN_VIO *vio);
+  int write(const Blob&);
+  Blob read();
+
+  int error() const
+  {
+    return m_error;
+  }
+};
+
+
+/** Sid class **************************************************************/
+
+/**
+  Class for storing and manipulating Windows security identifiers (SIDs).
+*/
+
+class Sid
+{
+  TOKEN_USER    *m_data;  ///< Pointer to structure holding identifier's data.
+  SID_NAME_USE   m_type;  ///< Type of identified entity.
+
+public:
+
+  Sid(const wchar_t*);
+  Sid(HANDLE sec_token);
+  ~Sid();
+
+  bool is_valid(void) const;
+
+  bool is_group(void) const
+  {
+    return m_type == SidTypeGroup
+           || m_type == SidTypeWellKnownGroup
+           || m_type == SidTypeAlias;
+  }
+
+  bool is_user(void) const
+  {
+    return m_type == SidTypeUser;
+  }
+
+  bool operator==(const Sid&);
+
+  operator PSID() const
+  {
+    return (PSID)m_data->User.Sid;
+  }
+
+#ifndef DBUG_OFF
+
+private:
+    char *m_as_string;  ///< Cached string representation of the SID.
+public:
+    const char* as_string();
+
+#endif
+};
+
+
+/** UPN class **************************************************************/
+
+/**
+  An object of this class obtains and stores User Principal Name of the
+  account under which current process is running.
+*/
+
+class UPN
+{
+  char   *m_buf;  ///< Pointer to UPN in utf8 representation.
+  size_t  m_len;  ///< Length of the name.
+
+public:
+
+  UPN();
+  ~UPN();
+
+  bool is_valid() const
+  {
+    return m_len > 0;
+  }
+
+  const Blob as_blob() const
+  {
+    return m_len ? Blob((byte*)m_buf, m_len) : Blob();
+  }
+
+  const char* as_string() const
+  {
+    return (const char*)m_buf;
+  }
+
+};
+
+
+char*     wchar_to_utf8(const wchar_t*, size_t*);
+wchar_t*  utf8_to_wchar(const char*, size_t*);
+
+#endif
--- a/libmysql/authentication_win/handshake.cc
+++ b/libmysql/authentication_win/handshake.cc
+/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+
+#include "handshake.h"
+
+
+/** Handshake class implementation **********************************/
+
+/**
+  Create common part of handshake context.
+
+  @param[in]  ssp   name of the SSP (Security Service Provider) to
+                    be used for authentication
+  @param[in]  side  is this handshake object used for server- or
+                    client-side handshake
+
+  Prepare for handshake using the @c ssp security module. We use
+  "Negotiate" which picks best available module. Parameter @c side
+  tells if this is preparing for server or client side authentication
+  and is used to prepare appropriate credentials.
+*/
+
+Handshake::Handshake(const char *ssp, side_t side)
+: m_atts(0L), m_error(0), m_complete(FALSE),
+  m_have_credentials(false), m_have_sec_context(false)
+#ifndef DBUG_OFF
+  , m_ssp_info(NULL)
+#endif
+{
+  SECURITY_STATUS ret;
+
+  // Obtain credentials for the authentication handshake.
+
+  ret= AcquireCredentialsHandle(NULL, (SEC_CHAR*)ssp,
+         side == SERVER ? SECPKG_CRED_INBOUND : SECPKG_CRED_OUTBOUND,
+         NULL, NULL, NULL, NULL, &m_cred, &m_expire);
+
+  if (ret != SEC_E_OK)
+  {
+    DBUG_PRINT("error", ("AcqireCredentialsHandle() failed"
+                         " with error %X", ret));
+    ERROR_LOG(ERROR, ("Could not obtain local credentials"
+                      " required for authentication"));
+    m_error= ret;
+  }
+
+  m_have_credentials= true;
+}
+
+
+Handshake::~Handshake()
+{
+  if (m_have_credentials)
+    FreeCredentialsHandle(&m_cred);
+  if (m_have_sec_context)
+    DeleteSecurityContext(&m_sctx);
+  m_output.free();
+
+#ifndef DBUG_OFF
+  if (m_ssp_info)
+    FreeContextBuffer(m_ssp_info);
+#endif
+}
+
+
+/**
+  Read and process data packets from the other end of a connection.
+
+  @param[IN] con  a connection to read packets from
+
+  Packets are read and processed until authentication handshake is 
+  complete. It is assumed that the peer will send at least one packet. 
+  Packets are processed with @c process_data() method. If new data is
+  generated during packet processing, this data is sent to the peer and
+  another round of packet exchange starts.
+
+  @return 0 on success.
+
+  @note In case of error, appropriate error message is logged.
+*/
+int Handshake::packet_processing_loop(Connection &con)
+{
+  unsigned round= 1;
+
+  do {
+    // Read packet send by the peer
+    DBUG_PRINT("info", ("Waiting for packet"));
+    Blob packet= con.read();
+    if (con.error() || packet.is_null())
+    {
+      ERROR_LOG(ERROR, ("Error reading packet in round %d", round));
+      return 1;
+    }
+    DBUG_PRINT("info", ("Got packet of length %d", packet.len()));
+
+    /*
+      Process received data, possibly generating new data to be sent.
+    */
+
+    Blob new_data= process_data(packet);
+
+    if (error())
+    {
+      ERROR_LOG(ERROR, ("Error processing packet in round %d", round));
+      return 1;
+    }
+
+    /*
+      If new data has been generated, send it to the peer. Otherwise
+      handshake must be completed.
+    */
+
+    if (!new_data.is_null())
+    {
+      ++round;
+      DBUG_PRINT("info", ("Round %d started", round));
+
+      DBUG_PRINT("info", ("Sending packet of length %d", new_data.len()));
+      int ret= con.write(new_data);
+      if (ret)
+      {
+        ERROR_LOG(ERROR, ("Error writing packet in round %d", round));
+        return 1;
+      }
+      DBUG_PRINT("info", ("Data sent"));
+    }
+    else if (!is_complete())
+    {
+      ERROR_LOG(ERROR, ("No data to send in round %d"
+                        " but handshake is not complete", round));
+      return 1;
+    }
+
+    /*
+      To protect against malicious clients, break handshake exchange if
+      too many rounds.
+    */
+
+    if (round > MAX_HANDSHAKE_ROUNDS)
+    {
+      ERROR_LOG(ERROR, ("Authentication handshake could not be completed"
+                        " after %d rounds", round));
+      return 1;
+    }
+
+  } while(!is_complete());
+
+  ERROR_LOG(INFO, ("Handshake completed after %d rounds", round));
+  return 0;
+}
+
+
+#ifndef DBUG_OFF
+
+/**
+  Get name of the security package which was used in authentication.
+
+  This method should be called only after handshake was completed. It is
+  available only in debug builds.
+
+  @return Name of security package or NULL if it can not be obtained.
+*/
+
+const char* Handshake::ssp_name()
+{
+  if (!m_ssp_info && m_complete)
+  {
+    SecPkgContext_PackageInfo pinfo;
+
+    int ret= QueryContextAttributes(&m_sctx, SECPKG_ATTR_PACKAGE_INFO, &pinfo);
+
+    if (SEC_E_OK == ret)
+    {
+      m_ssp_info= pinfo.PackageInfo;
+    }
+    else
+      DBUG_PRINT("error",
+                 ("Could not obtain SSP info from authentication context"
+                  ", QueryContextAttributes() failed with error %X", ret));
+  }
+
+  return m_ssp_info ? m_ssp_info->Name : NULL;
+}
+
+#endif
+
+
+/**
+  Process result of @c {Initialize,Accept}SecurityContext() function.
+
+  @param[in]  ret   return code from @c {Initialize,Accept}SecurityContext()
+                    function
+
+  This function analyses return value of Windows
+  @c {Initialize,Accept}SecurityContext() function. A call to
+  @c CompleteAuthToken() is done if requested. If authentication is complete,
+  this fact is marked in the internal state of the Handshake object.
+  If errors are detected the object is moved to error state.
+
+  @return True if error has been detected.
+*/
+
+bool Handshake::process_result(int ret)
+{
+  /*
+    First check for errors and set the m_complete flag if the result
+    indicates that handshake is complete.
+  */
+
+  switch (ret)
+  {
+  case SEC_E_OK:
+  case SEC_I_COMPLETE_NEEDED:
+    // Handshake completed
+    m_complete= true;
+    break;
+
+  case SEC_I_CONTINUE_NEEDED:
+  case SEC_I_COMPLETE_AND_CONTINUE:
+    break;
+
+  default:
+    m_error= ret;
+    return true;
+  }
+
+  m_have_sec_context= true;
+
+  /*
+    If the result indicates a need for this, complete the authentication
+    token.
+  */
+
+  switch (ret)
+  {
+  case SEC_I_COMPLETE_NEEDED:
+  case SEC_I_COMPLETE_AND_CONTINUE:
+    ret= CompleteAuthToken(&m_sctx, &m_output);
+    if (ret != 0)
+    {
+      DBUG_PRINT("error", ("CompleteAuthToken() failed with error %X", ret));
+      m_error= ret;
+      return true;
+    }
+  default:
+    break;
+  }
+
+  return false;
+}
+
+
+/** Security_buffer class implementation **********************************/
+
+
+Security_buffer::Security_buffer(const Blob &blob): m_allocated(false)
+{
+  init(blob.ptr(), blob.len());
+}
+
+
+Security_buffer::Security_buffer(): m_allocated(true)
+{
+  init(NULL, 0);
+}
+
+
+void Security_buffer::free(void)
+{
+  if (!m_allocated)
+    return;
+  if (!ptr())
+    return;
+  FreeContextBuffer(ptr());
+  m_allocated= false;
+}
--- a/libmysql/authentication_win/handshake.h
+++ b/libmysql/authentication_win/handshake.h
+/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+
+#ifndef HANDSHAKE_H
+#define HANDSHAKE_H
+
+#include "common.h"
+
+/**
+  Name of the SSP (Security Support Provider) to be used for authentication.
+
+  We use "Negotiate" which will find the most secure SSP which can be used
+  and redirect to that SSP.
+*/
+#define SSP_NAME  "Negotiate"
+
+/**
+  Maximal number of rounds in authentication handshake.
+
+  Server will interrupt authentication handshake with error if client's
+  identity can not be determined within this many rounds.
+*/
+#define MAX_HANDSHAKE_ROUNDS  50
+
+
+/// Convenience wrapper around @c SecBufferDesc.
+
+class Security_buffer: public SecBufferDesc
+{
+  SecBuffer m_buf;        ///< A @c SecBuffer instance.
+
+  void init(byte *ptr, size_t len)
+  {
+    ulVersion= 0;
+    cBuffers=  1;
+    pBuffers=  &m_buf;
+
+    m_buf.BufferType= SECBUFFER_TOKEN;
+    m_buf.pvBuffer= ptr;
+    m_buf.cbBuffer= len;
+  }
+
+  /// If @c false, no deallocation will be done in the destructor.
+  bool m_allocated;
+
+ public:
+
+  Security_buffer(const Blob&);
+  Security_buffer();
+
+  ~Security_buffer()
+  {
+    free();
+  }
+
+  byte*  ptr() const
+  {
+    return (byte*)m_buf.pvBuffer;
+  }
+
+  size_t len() const
+  {
+    return m_buf.cbBuffer;
+  }
+
+  bool is_valid() const
+  {
+    return ptr() != NULL;
+  }
+
+  const Blob as_blob() const
+  {
+    return Blob(ptr(), len());
+  }
+
+  void free(void);
+};
+
+
+/// Common base for Handshake_{server,client}.
+
+class Handshake
+{
+public:
+
+  typedef enum {CLIENT, SERVER} side_t;
+
+  Handshake(const char *ssp, side_t side);
+  virtual ~Handshake();
+
+  int Handshake::packet_processing_loop(Connection &con);
+
+  bool virtual is_complete() const
+  {
+    return m_complete;
+  }
+
+  int error() const
+  {
+    return m_error;
+  }
+
+protected:
+
+  /// Security context object created during the handshake.
+  CtxtHandle  m_sctx;
+
+  /// Credentials of the principal performing this handshake.
+  CredHandle  m_cred;
+
+  /// Stores expiry date of the created security context.
+  TimeStamp  m_expire;
+
+  /// Stores attributes of the created security context.
+  ULONG  m_atts;
+
+  /// If non-zero, stores error code of the last failed operation.
+  int  m_error;
+
+  /// @c true when handshake is complete.
+  bool  m_complete;
+
+  /// @c true when the principal credentials has been determined.
+  bool  m_have_credentials;
+
+  /// @c true when the security context has been created.
+  bool  m_have_sec_context;
+
+  /// Buffer for data to be send to the other side.
+  Security_buffer  m_output;
+
+  bool process_result(int);
+
+  /**
+    This method is used inside @c packet_processing_loop to process
+    data packets received from the other end.
+
+    @param[IN]  data  data to be processed
+
+    @return A blob with data to be sent to the other end or null blob if
+    no more data needs to be exchanged.
+  */
+  virtual Blob process_data(const Blob &data)= 0;
+
+#ifndef DBUG_OFF
+
+private:
+  SecPkgInfo  *m_ssp_info;
+public:
+  const char* ssp_name();
+
+#endif
+};
+
+
+#endif
--- a/libmysql/authentication_win/handshake_client.cc
+++ b/libmysql/authentication_win/handshake_client.cc
+/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+
+#include "handshake.h"
+
+#include <mysql.h> // for MYSQL structure
+
+
+/// Client-side context for authentication handshake
+
+class Handshake_client: public Handshake
+{
+  /**
+    Name of the server's service for which we authenticate.
+
+    The service name is sent by server in the initial packet. If no
+    service name is used, this member is @c NULL.
+  */
+  SEC_WCHAR  *m_service_name;
+
+  /// Buffer for storing service name obtained from server.
+  SEC_WCHAR   m_service_name_buf[MAX_SERVICE_NAME_LENGTH];
+
+public:
+
+  Handshake_client(const char *target, size_t len);
+  ~Handshake_client();
+
+  Blob  first_packet();
+  Blob  process_data(const Blob&);
+};
+
+
+/**
+  Create authentication handshake context for client.
+
+  @param target    name of the target service with which we will authenticate
+                   (can be NULL if not used)
+
+  Some security packages (like Kerberos) require providing explicit name
+  of the service with which a client wants to authenticate. The server-side
+  authentication plugin sends this name in the greeting packet
+  (see @c win_auth_handshake_{server,client}() functions).
+*/
+
+Handshake_client::Handshake_client(const char *target, size_t len)
+: Handshake(SSP_NAME, CLIENT), m_service_name(NULL)
+{
+  if (!target || 0 == len)
+    return;
+
+  // Convert received UPN to internal WCHAR representation.
+
+  m_service_name= utf8_to_wchar(target, &len);
+
+  if (m_service_name)
+    DBUG_PRINT("info", ("Using target service: %S\n", m_service_name));
+  else
+  {
+    /*
+      Note: we ignore errors here - m_target will be NULL, the target name
+      will not be used and system will fall-back to NTLM authentication. But
+      we leave trace in error log.
+    */
+    ERROR_LOG(WARNING, ("Could not decode UPN sent by the server"
+                        "; target service name will not be used"
+                        " and Kerberos authentication will not work"));
+  }
+}
+
+
+Handshake_client::~Handshake_client()
+{
+  if (m_service_name)
+    free(m_service_name);
+}
+
+
+/**
+  Generate first packet to be sent to the server during packet exchange.
+
+  This first packet should contain some data. In case of error a null blob
+  is returned and @c error() gives non-zero error code.
+
+  @return Data to be sent in the first packet or null blob in case of error.
+*/
+
+Blob Handshake_client::first_packet()
+{
+  SECURITY_STATUS ret;
+
+  m_output.free();
+
+  ret= InitializeSecurityContextW(
+         &m_cred,
+         NULL,                                 // partial context
+         m_service_name,                       // service name
+         ASC_REQ_ALLOCATE_MEMORY,              // requested attributes
+         0,                                    // reserved
+         SECURITY_NETWORK_DREP,                // data representation
+         NULL,                                 // input data
+         0,                                    // reserved
+         &m_sctx,                              // context
+         &m_output,                            // output data
+         &m_atts,                              // attributes
+         &m_expire);                           // expire date
+
+  if (process_result(ret))
+  {
+    DBUG_PRINT("error",
+               ("InitializeSecurityContext() failed with error %X", ret));
+    return Blob();
+  }
+
+  return m_output.as_blob();
+}
+
+
+/**
+  Process data sent by server.
+
+  @param[in]  data  blob with data from server
+
+  This method analyses data sent by server during authentication handshake.
+  If client should continue packet exchange, this method returns data to
+  be sent to the server next. If no more data needs to be exchanged, an
+  empty blob is returned and @c is_complete() is @c true. In case of error
+  an empty blob is returned and @c error() gives non-zero error code.
+
+  @return Data to be sent to the server next or null blob if no more data
+  needs to be exchanged or in case of error.
+*/
+
+Blob Handshake_client::process_data(const Blob &data)
+{
+  Security_buffer  input(data);
+  SECURITY_STATUS  ret;
+
+  m_output.free();
+
+  ret= InitializeSecurityContextW(
+         &m_cred,
+         &m_sctx,                              // partial context
+         m_service_name,                       // service name
+         ASC_REQ_ALLOCATE_MEMORY,              // requested attributes
+         0,                                    // reserved
+         SECURITY_NETWORK_DREP,                // data representation
+         &input,                               // input data
+         0,                                    // reserved
+         &m_sctx,                              // context
+         &m_output,                            // output data
+         &m_atts,                              // attributes
+         &m_expire);                           // expire date
+
+  if (process_result(ret))
+  {
+    DBUG_PRINT("error",
+               ("InitializeSecurityContext() failed with error %X", ret));
+    return Blob();
+  }
+
+  return m_output.as_blob();
+}
+
+
+/**********************************************************************/
+
+
+/**
+  Perform authentication handshake from client side.
+
+  @param[in]  vio    pointer to @c MYSQL_PLUGIN_VIO instance to be used
+                     for communication with the server
+  @param[in]  mysql  pointer to a MySQL connection for which we authenticate
+
+  After reading the initial packet from server, containing its UPN to be
+  used as service name, client starts packet exchange by sending the first
+  packet in this exchange. While handshake is not yet completed, client
+  reads packets sent by the server and process them, possibly generating new
+  data to be sent to the server.
+
+  This function reports errors.
+
+  @return 0 on success.
+*/
+
+int win_auth_handshake_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
+{
+  /*
+    Check if we should enable logging.
+  */
+  {
+    const char *opt= getenv("AUTHENTICATION_WIN_LOG");
+    int opt_val= opt ? atoi(opt) : 0;
+    if (opt && !opt_val)
+    {
+      if (!strncasecmp("on", opt, 2))    opt_val= 1;
+      if (!strncasecmp("yes", opt, 3))   opt_val= 1;
+      if (!strncasecmp("true", opt, 4))  opt_val= 1;
+      if (!strncasecmp("debug", opt, 5)) opt_val= 2;
+      if (!strncasecmp("dbug", opt, 4))  opt_val= 2;
+    }
+    opt_auth_win_client_log= opt_val;
+  }
+
+  ERROR_LOG(INFO, ("Authentication handshake for account %s", mysql->user));
+
+  // Create connection object.
+
+  Connection con(vio);
+  DBUG_ASSERT(!con.error());
+
+  // Read initial packet from server containing service name.
+
+  int ret;
+  Blob service_name= con.read();
+
+  if (con.error() || service_name.is_null())
+  {
+    ERROR_LOG(ERROR, ("Error reading initial packet"));
+    return CR_ERROR;
+  }
+  DBUG_PRINT("info", ("Got initial packet of length %d", service_name.len()));
+
+  // Create authentication handsake context using the given service name.
+
+  Handshake_client hndshk(service_name[0] ? (char *)service_name.ptr() : NULL,
+                          service_name.len());
+  if (hndshk.error())
+  {
+    ERROR_LOG(ERROR, ("Could not create authentication handshake context"));
+    return CR_ERROR;
+  }
+
+  /*
+    The following packet exchange always starts with a packet sent by
+    the client. Send this first packet now.
+  */
+
+  {
+    Blob packet= hndshk.first_packet();
+    if (hndshk.error() || packet.is_null())
+    {
+      ERROR_LOG(ERROR, ("Could not generate first packet"));
+      return CR_ERROR;
+    }
+    DBUG_PRINT("info", ("Sending first packet of length %d", packet.len()));
+
+    ret= con.write(packet);
+    if (ret)
+    {
+      ERROR_LOG(ERROR, ("Error writing first packet"));
+      return CR_ERROR;
+    }
+    DBUG_PRINT("info", ("First packet sent"));
+  }
+
+  DBUG_ASSERT(!hndshk.error());
+
+  /*
+    If handshake is not yet complete and client expects a reply, 
+    read and process packets from server until handshake is complete. 
+  */
+  if (!hndshk.is_complete())
+  {
+    if (hndshk.packet_processing_loop(con))
+      return CR_ERROR;
+  }
+
+  DBUG_ASSERT(!hndshk.error() && hndshk.is_complete());
+
+  return CR_OK;
+}
--- a/libmysql/authentication_win/log_client.cc
+++ b/libmysql/authentication_win/log_client.cc
+/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+
+#include <my_global.h>
+#include "common.h"
+
+/**
+  This option is set in win_auth_handshake_client() function 
+  in handshake_client.cc.
+
+  Values:
+  0 - no logging
+  1 - log error/warning/info messages
+  2 - also log debug messages
+
+  Note: No error or debug messages are logged in production code
+  (see logging macros in common.h).
+*/
+int opt_auth_win_client_log= 0;
+
+
+// Client-side logging function
+
+void error_log_vprint(error_log_level::type level,
+                        const char *fmt, va_list args)
+{
+  if (0 == opt_auth_win_client_log)
+    return;
+
+  const char *level_string= "";
+
+  switch (level)
+  {
+  case error_log_level::INFO:    level_string= "Note"; break;
+  case error_log_level::WARNING: level_string= "Warning"; break;
+  case error_log_level::ERROR:   level_string= "ERROR"; break;
+  }
+
+  fprintf(stderr, "Windows Authentication Plugin %s: ", level_string);
+  vfprintf(stderr, fmt, args);
+  fputc('\n', stderr);
+  fflush(stderr);
+}
--- a/libmysql/authentication_win/plugin_client.cc
+++ b/libmysql/authentication_win/plugin_client.cc
+/* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA */
+
+#include <my_global.h>
+#include <mysql.h>
+#include <mysql/plugin_auth.h>
+#include <mysql/client_plugin.h>
+
+#include "common.h"
+
+static int win_auth_client_plugin_init(char*, size_t, int, va_list)
+{
+  return 0;
+}
+
+
+static int win_auth_client_plugin_deinit()
+{
+  return 0;
+}
+
+
+int win_auth_handshake_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql);
+
+
+/*
+  Client plugin declaration. This is added to mysql_client_builtins[]
+  in sql-common/client.c
+*/
+
+extern "C"
+st_mysql_client_plugin_AUTHENTICATION win_auth_client_plugin=
+{
+  MYSQL_CLIENT_AUTHENTICATION_PLUGIN,
+  MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION,
+  "authentication_windows_client",
+  "Rafal Somla",
+  "Windows Authentication Plugin - client side",
+  {0,1,0},
+  "GPL",
+  NULL,
+  win_auth_client_plugin_init,
+  win_auth_client_plugin_deinit,
+  NULL,                            // option handling
+  win_auth_handshake_client
+};
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -2314,11 +2314,18 @@ static auth_plugin_t clear_password_client_plugin=
  clear_password_auth_client
 };

+#ifdef AUTHENTICATION_WIN
+extern auth_plugin_t win_auth_client_plugin;
+#endif
+
 struct st_mysql_client_plugin *mysql_client_builtins[]=
 {
  (struct st_mysql_client_plugin *)&native_password_client_plugin,
  (struct st_mysql_client_plugin *)&old_password_client_plugin,
  (struct st_mysql_client_plugin *)&clear_password_client_plugin,
+#ifdef AUTHENTICATION_WIN
+  (struct st_mysql_client_plugin *)&win_auth_client_plugin,
+#endif
  0
 };