[packages/mysql.git] / mysql-no-default-secure-auth.patch

--- Percona-Server-5.6.14-rel62.0/client/mysql.cc~	2013-10-22 09:42:41.000000000 +0200
+++ Percona-Server-5.6.14-rel62.0/client/mysql.cc	2013-11-23 13:20:56.986861400 +0100
@@ -152,7 +152,7 @@
 	       vertical=0, line_numbers=1, column_names=1,opt_html=0,
                opt_xml=0,opt_nopager=1, opt_outfile=0, named_cmds= 0,
 	       tty_password= 0, opt_nobeep=0, opt_reconnect=1,
-	       opt_secure_auth= TRUE,
+	       opt_secure_auth= 0,
                default_pager_set= 0, opt_sigint_ignore= 0,
                auto_vertical_output= 0,
                show_warnings= 0, executing_query= 0, interrupted_query= 0,
--- Percona-Server-5.6.14-rel62.0/client/mysql.cc~	2013-11-23 14:34:06.000000000 +0100
+++ Percona-Server-5.6.14-rel62.0/client/mysql.cc	2013-11-23 15:25:56.195617871 +0100
@@ -1737,7 +1737,7 @@
    1, ULONG_MAX, 0, 1, 0},
   {"secure-auth", OPT_SECURE_AUTH, "Refuse client connecting to server if it"
     " uses old (pre-4.1.1) protocol.", &opt_secure_auth,
-    &opt_secure_auth, 0, GET_BOOL, NO_ARG, 1, 0, 0, 0, 0, 0},
+    &opt_secure_auth, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
   {"server-arg", OPT_SERVER_ARG, "Send embedded server this as a parameter.",
    0, 0, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
   {"show-warnings", OPT_SHOW_WARNINGS, "Show warnings after every statement.",
--- Percona-Server-5.6.14-rel62.0/sql/sys_vars.cc~	2013-11-23 15:30:45.000000000 +0100
+++ Percona-Server-5.6.14-rel62.0/sql/sys_vars.cc	2013-11-23 15:30:50.922370696 +0100
@@ -2655,9 +2655,7 @@
        "Disallow authentication for accounts that have old (pre-4.1) "
        "passwords",
        GLOBAL_VAR(opt_secure_auth), CMD_LINE(OPT_ARG, OPT_SECURE_AUTH),
-       DEFAULT(TRUE),
-       NO_MUTEX_GUARD, NOT_IN_BINLOG,
-       ON_CHECK(on_check_opt_secure_auth)
+       DEFAULT(FALSE)
        );
 
 static Sys_var_charptr Sys_secure_file_priv(
MySQL 5.6.11 does not allow pre-4.1.1 password hashes although the server is
started with "skip-secure-auth option" (secure-auth mode disabled), this patch
enables this feature again, it's a mysql_init() backport from MySQL 5.6.10.

mysql> SHOW VARIABLES LIKE 'secure_auth' ;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| secure_auth   | OFF   |
+---------------+-------+

$ mysql -uexample -pexample test
ERROR 2049 (HY000): Connection using old (pre-4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

This bug has been also reported by Jørgen Thomsen: http://bugs.mysql.com/bug.php?id=69027

Santi Saez 2013-04-22 / powerstack.org

diff -urN mysql-5.6.11.orig/sql-common/client.c mysql-5.6.11/sql-common/client.c
--- mysql-5.6.11.orig/sql-common/client.c	2013-04-05 14:27:18.000000000 +0200
+++ mysql-5.6.11/sql-common/client.c		2013-04-22 23:11:45.754001616 +0200
@@ -4747,27 +4747,10 @@
 
   if (mysql->passwd[0])
   {
-    /*
-       If --secure-auth option is used, throw an error.
-       Note that, we do not need to check for CLIENT_SECURE_CONNECTION
-       capability of server. If server is not capable of handling secure
-       connections, we would have raised error before reaching here.
-
-       TODO: Change following code to access MYSQL structure through
-       client-side plugin service.
-    */
-    if (mysql->options.secure_auth)
-    {
-      set_mysql_error(mysql, CR_SECURE_AUTH, unknown_sqlstate);
+    char scrambled[SCRAMBLE_LENGTH_323 + 1];
+    scramble_323(scrambled, (char*)pkt, mysql->passwd);
+    if (vio->write_packet(vio, (uchar*)scrambled, SCRAMBLE_LENGTH_323 + 1))
       DBUG_RETURN(CR_ERROR);
-    }
-    else
-    {
-      char scrambled[SCRAMBLE_LENGTH_323 + 1];
-      scramble_323(scrambled, (char*)pkt, mysql->passwd);
-      if (vio->write_packet(vio, (uchar*)scrambled, SCRAMBLE_LENGTH_323 + 1))
-        DBUG_RETURN(CR_ERROR);
-    }
   }
   else
     if (vio->write_packet(vio, 0, 0)) /* no password */
--- Percona-Server-5.6.14-rel62.0/sql-common/client.c~	2013-11-29 10:48:02.000000000 +0100
+++ Percona-Server-5.6.14-rel62.0/sql-common/client.c	2013-11-29 11:02:32.121352484 +0100
@@ -1697,7 +1697,7 @@
   */
   mysql->reconnect= 0;
  
-  mysql->options.secure_auth= TRUE;
+  mysql->options.secure_auth= 0;
 
   return mysql;
 }
Commit	Line	Data
610a5a46 AM	1	--- Percona-Server-5.6.14-rel62.0/client/mysql.cc~ 2013-10-22 09:42:41.000000000 +0200
	2	+++ Percona-Server-5.6.14-rel62.0/client/mysql.cc 2013-11-23 13:20:56.986861400 +0100
	3	@@ -152,7 +152,7 @@
	4	vertical=0, line_numbers=1, column_names=1,opt_html=0,
	5	opt_xml=0,opt_nopager=1, opt_outfile=0, named_cmds= 0,
	6	tty_password= 0, opt_nobeep=0, opt_reconnect=1,
	7	- opt_secure_auth= TRUE,
	8	+ opt_secure_auth= 0,
	9	default_pager_set= 0, opt_sigint_ignore= 0,
	10	auto_vertical_output= 0,
	11	show_warnings= 0, executing_query= 0, interrupted_query= 0,
	12	--- Percona-Server-5.6.14-rel62.0/client/mysql.cc~ 2013-11-23 14:34:06.000000000 +0100
	13	+++ Percona-Server-5.6.14-rel62.0/client/mysql.cc 2013-11-23 15:25:56.195617871 +0100
	14	@@ -1737,7 +1737,7 @@
	15	1, ULONG_MAX, 0, 1, 0},
	16	{"secure-auth", OPT_SECURE_AUTH, "Refuse client connecting to server if it"
	17	" uses old (pre-4.1.1) protocol.", &opt_secure_auth,
	18	- &opt_secure_auth, 0, GET_BOOL, NO_ARG, 1, 0, 0, 0, 0, 0},
	19	+ &opt_secure_auth, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
	20	{"server-arg", OPT_SERVER_ARG, "Send embedded server this as a parameter.",
	21	0, 0, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
	22	{"show-warnings", OPT_SHOW_WARNINGS, "Show warnings after every statement.",
	23	--- Percona-Server-5.6.14-rel62.0/sql/sys_vars.cc~ 2013-11-23 15:30:45.000000000 +0100
	24	+++ Percona-Server-5.6.14-rel62.0/sql/sys_vars.cc 2013-11-23 15:30:50.922370696 +0100
	25	@@ -2655,9 +2655,7 @@
	26	"Disallow authentication for accounts that have old (pre-4.1) "
	27	"passwords",
	28	GLOBAL_VAR(opt_secure_auth), CMD_LINE(OPT_ARG, OPT_SECURE_AUTH),
	29	- DEFAULT(TRUE),
	30	- NO_MUTEX_GUARD, NOT_IN_BINLOG,
	31	- ON_CHECK(on_check_opt_secure_auth)
	32	+ DEFAULT(FALSE)
	33	);
	34
	35	static Sys_var_charptr Sys_secure_file_priv(
	36	MySQL 5.6.11 does not allow pre-4.1.1 password hashes although the server is
	37	started with "skip-secure-auth option" (secure-auth mode disabled), this patch
	38	enables this feature again, it's a mysql_init() backport from MySQL 5.6.10.
	39
	40	mysql> SHOW VARIABLES LIKE 'secure_auth' ;
	41	+---------------+-------+
	42	\| Variable_name \| Value \|
	43	+---------------+-------+
	44	\| secure_auth \| OFF \|
	45	+---------------+-------+
	46
	47	$ mysql -uexample -pexample test
	48	ERROR 2049 (HY000): Connection using old (pre-4.1.1) authentication protocol refused (client option 'secure_auth' enabled)
	49
	50	This bug has been also reported by Jørgen Thomsen: http://bugs.mysql.com/bug.php?id=69027
	51
	52	Santi Saez 2013-04-22 / powerstack.org
	53
	54	diff -urN mysql-5.6.11.orig/sql-common/client.c mysql-5.6.11/sql-common/client.c
	55	--- mysql-5.6.11.orig/sql-common/client.c 2013-04-05 14:27:18.000000000 +0200
	56	+++ mysql-5.6.11/sql-common/client.c 2013-04-22 23:11:45.754001616 +0200
	57	@@ -4747,27 +4747,10 @@
	58
	59	if (mysql->passwd[0])
	60	{
	61	- /*
	62	- If --secure-auth option is used, throw an error.
	63	- Note that, we do not need to check for CLIENT_SECURE_CONNECTION
	64	- capability of server. If server is not capable of handling secure
65	- connections, we would have raised error before reaching here.
66	-
67	- TODO: Change following code to access MYSQL structure through
68	- client-side plugin service.
69	- */
70	- if (mysql->options.secure_auth)
71	- {
72	- set_mysql_error(mysql, CR_SECURE_AUTH, unknown_sqlstate);
73	+ char scrambled[SCRAMBLE_LENGTH_323 + 1];
74	+ scramble_323(scrambled, (char*)pkt, mysql->passwd);
75	+ if (vio->write_packet(vio, (uchar*)scrambled, SCRAMBLE_LENGTH_323 + 1))
76	DBUG_RETURN(CR_ERROR);
77	- }
78	- else
79	- {
80	- char scrambled[SCRAMBLE_LENGTH_323 + 1];
81	- scramble_323(scrambled, (char*)pkt, mysql->passwd);
82	- if (vio->write_packet(vio, (uchar*)scrambled, SCRAMBLE_LENGTH_323 + 1))
83	- DBUG_RETURN(CR_ERROR);
84	- }
85	}
86	else
87	if (vio->write_packet(vio, 0, 0)) /* no password */
88	--- Percona-Server-5.6.14-rel62.0/sql-common/client.c~ 2013-11-29 10:48:02.000000000 +0100
89	+++ Percona-Server-5.6.14-rel62.0/sql-common/client.c 2013-11-29 11:02:32.121352484 +0100
90	@@ -1697,7 +1697,7 @@
91	*/
92	mysql->reconnect= 0;
93
94	- mysql->options.secure_auth= TRUE;
95	+ mysql->options.secure_auth= 0;
96
97	return mysql;
98	}