Merge branch 'mysql-trunk' into wl411

Author: BennyWang

client/mysql_install_db.cc

@@ -273,18 +273,10 @@ struct Sql_user
 
   void to_sql(string *cmdstr)
   {
-    stringstream set_oldpasscmd,ss;
+    stringstream set_passcmd,ss, flush_priv;
     ss << "INSERT INTO mysql.user VALUES ("
        << "'" << escape_string(host) << "','" << escape_string(user) << "',";
 
-    if (plugin == "mysql_native_password")
-    {
-      ss << "PASSWORD('" << escape_string(password) << "'),";
-    }
-    else if (plugin == "sha256_password")
-    {
-      ss << "'',";
-    }
     uint64_t acl= priv.to_int();
     for(int i= 0; i< NUM_ACLS; ++i)
     {
@@ -302,22 +294,19 @@ struct Sql_user
        << max_connections << ","
        << max_user_connections << ","
        << "'" << plugin << "',";
-    if (plugin == "sha256_password")
-    {
-      set_oldpasscmd << "SET @@old_passwords= 2;\n";
-      ss << "PASSWORD('" << escape_string(password) << "'),";
-    }
-    else
-    {
-      ss << "'" << escape_string(authentication_string) << "',";
-    }
+    ss << "'',";
     if (password_expired)
       ss << "'Y',";
     else
       ss << "'N',";
     ss << "now(), NULL);\n";
 
-    cmdstr->append(set_oldpasscmd.str()).append(ss.str());
+    flush_priv << "FLUSH PRIVILEGES;\n";
+
+    set_passcmd << "ALTER USER '" << escape_string(user) << "'@'"
+                << escape_string(host) << "' IDENTIFIED BY '"
+                << escape_string(password) << "';\n";
+    cmdstr->append(ss.str()).append(flush_priv.str()).append(set_passcmd.str());
   }
 
 };

client/mysql_secure_installation.cc

@@ -441,10 +441,10 @@ my_bool mysql_set_password(MYSQL *mysql, char *password)
   size_t password_len= strlen(password);
   char *query, *end;
   query= (char *)my_malloc(PSI_NOT_INSTRUMENTED, password_len+50, MYF(MY_WME));
-  end= my_stpmov(query, "SET PASSWORD= PASSWORD('");
+  end= my_stpmov(query, "SET PASSWORD=");
+  *end++ = '\'';
   end+= mysql_real_escape_string_quote(mysql, end, password, password_len, '\'');
   *end++ = '\'';
-  *end++ = ')';
   if (mysql_real_query(mysql, query, (unsigned int) (end - query)))
   {
     my_free(query);
@@ -542,18 +542,17 @@ static void set_root_password(int plugin_set)
     if ((!plugin_set) || (reply == (int) 'y' || reply == (int) 'Y'))
     {
       char *query= NULL, *end;
-      int tmp= sizeof("SET PASSWORD=PASSWORD(") + 3;
+      int tmp= sizeof("SET PASSWORD=") + 3;
       /*
 	query string needs memory which is atleast the length of initial part
 	of query plus twice the size of variable being appended.
       */
       query= (char *)my_malloc(PSI_NOT_INSTRUMENTED,
 	                       (pass_length*2 + tmp)*sizeof(char), MYF(MY_WME));
-      end= my_stpcpy(query, "SET PASSWORD=PASSWORD(");
+      end= my_stpcpy(query, "SET PASSWORD=");
       *end++ = '\'';
       end+= mysql_real_escape_string_quote(&mysql, end, password1, pass_length, '\'');
       *end++ = '\'';
-      *end++ = ')';
       my_free(password1);
       my_free(password2);
       password1= NULL;

client/mysqladmin.cc

@@ -1017,10 +1017,12 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
     }
     case ADMIN_PASSWORD:
     {
-      char buff[128],crypted_pw[64];
+      char buff[128];
       time_t start_time;
-      char *typed_password= NULL, *verified= NULL;
-      bool log_off= true, err= false;
+      char *typed_password= NULL, *verified= NULL, *tmp= NULL;
+      bool log_off= true, err= false, ssl_conn= false;
+      uint ssl_enforce= 0;
+      size_t password_len;
 
       /* Do initialization the same way as we do in mysqld */
       start_time=time((time_t*) 0);
@@ -1042,6 +1044,11 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
           err= true;
           goto error;
         }
+        /* escape quotes if password has any special characters */
+        password_len= strlen(typed_password);
+        tmp= (char*) my_malloc(PSI_NOT_INSTRUMENTED, password_len*2+1, MYF(MY_WME));
+        mysql_real_escape_string(mysql, tmp, typed_password, password_len);
+        typed_password= tmp;
       }
       else
       {
@@ -1074,12 +1081,21 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
           TODO: make sure this always uses SSL and then let the server
           calculate the scramble.
         */
-        make_scrambled_password(crypted_pw, typed_password);
       }
-      else
-	crypted_pw[0]=0;			/* No password */
 
-      sprintf(buff, "set password='%s'", crypted_pw);
+      /* Warn about password being set in non ssl connection */
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+      mysql_get_option(mysql, MYSQL_OPT_SSL_ENFORCE, &ssl_enforce);
+      if (opt_use_ssl && ssl_enforce)
+        ssl_conn= true;
+      if (!ssl_conn)
+      {
+        fprintf(stderr, "Warning: Since password will be sent to server in "
+                "plain text, use ssl connection to ensure password safety.\n");
+      }
+#endif
+      memset(buff, 0, sizeof(buff));
+      sprintf(buff, "ALTER USER USER() IDENTIFIED BY '%s'", typed_password);
 
       if (mysql_query(mysql,buff))
       {

include/mysql/plugin_auth.h

@@ -1,5 +1,5 @@
 #ifndef MYSQL_PLUGIN_AUTH_INCLUDED
-/* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2010, 2015 Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -26,7 +26,7 @@
 
 #include <mysql/plugin.h>
 
-#define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0100
+#define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0101
 
 #include <mysql/plugin_auth_common.h>
 
@@ -120,6 +120,51 @@ struct st_mysql_auth
     used for authorization.
   */
   int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info);
+  /**
+    New plugin API to generate password digest out of authentication string.
+    This function will first invoke a service to check for validity of the
+    password based on the policies defined and then generate encrypted hash
+
+    @param[OUT]   outbuf      A buffer provided by server which will hold the
+                              authentication string generated by plugin.
+    @param[INOUT] outbuflen   Length of server provided buffer as IN param and
+                              length of plugin generated string as OUT param.
+    @param[IN]    inbuf       auth string provided by user.
+    @param[IN]    inbuflen    auth string length.
+
+    @retval  0 OK
+             1 ERROR
+
+  */
+  int (*generate_authentication_string)(char *outbuf,
+      unsigned int *outbuflen, const char *inbuf, unsigned int inbuflen);
+  /**
+    Plugin API to validate password digest.
+
+    @param[IN]    inbuf     hash string to be validated.
+    @param[IN]    buflen    hash string length.
+
+    @retval  0 OK
+             1 ERROR
+
+  */
+  int (*validate_authentication_string)(char* const inbuf, unsigned int buflen);
+  /**
+   Plugin API to convert scrambled password to binary form
+   based on scramble type.
+
+   @param[IN]    password          The password hash containing the salt.
+   @param[IN]    password_len      The length of the password hash.
+   @param[INOUT] salt              Used as password hash based on the
+                                   authentication plugin.
+   @param[INOUT] salt_len          The length of salt.
+
+   @retval  0 OK
+            1 ERROR
+
+   */
+  int (*set_salt)(const char *password, unsigned int password_len,
+                  unsigned char* salt, unsigned char *salt_len);
 };
 #endif
 

include/mysql/plugin_auth.h.pp

@@ -134,4 +134,9 @@
   int interface_version;
   const char *client_auth_plugin;
   int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info);
+  int (*generate_authentication_string)(char *outbuf,
+      unsigned int *outbuflen, const char *inbuf, unsigned int inbuflen);
+  int (*validate_authentication_string)(char* const inbuf, unsigned int buflen);
+  int (*set_salt)(const char *password, unsigned int password_len,
+                  unsigned char* salt, unsigned char *salt_len);
 };

include/mysql/service_mysql_password_policy.h

@@ -0,0 +1,64 @@
+/* Copyright (c) 2014, 2015 Oracle and/or its affiliates. All rights reserved.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; version 2 of the License.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+#ifndef MYSQL_SERVICE_MYSQL_PLUGIN_AUTH_INCLUDED
+#define MYSQL_SERVICE_MYSQL_PLUGIN_AUTH_INCLUDED
+
+/**
+  @file include/mysql/service_mysql_plugin_auth.h
+  This service provides functions to validatete password, check for strength
+  of password based on common policy.
+
+  SYNOPSIS
+  my_validate_password_policy()    - function to validate password
+                                     based on defined policy
+  const char*                        buffer holding the password value
+
+  my_calculate_password_strength() - function to calculate strength
+                                     of the password based on the policies defined.
+  const char*                        buffer holding the password value
+
+  Both the service function returns 0 on SUCCESS and 1 incase input password does not
+  match against the policy rules defined.
+*/
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern struct mysql_password_policy_service_st {
+  int (*my_validate_password_policy_func)(const char *);
+  int (*my_calculate_password_strength_func)(const char *);
+} *mysql_password_policy_service;
+
+#ifdef MYSQL_DYNAMIC_PLUGIN
+
+#define my_validate_password_policy(buffer) \
+  mysql_password_policy_service->my_validate_password_policy_func(buffer)
+#define my_calculate_password_strength(buffer) \
+  mysql_password_policy_service->my_calculate_password_strength_func(buffer)
+
+#else
+
+int my_validate_password_policy(const char *);
+int my_calculate_password_strength(const char *);
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

include/mysql/services.h

@@ -25,6 +25,7 @@ extern "C" {
 #include <mysql/service_my_plugin_log.h>
 #include <mysql/service_mysql_string.h>
 #include <mysql/service_mysql_alloc.h>
+#include <mysql/service_mysql_password_policy.h>
 #include <mysql/service_parser.h>
 #include <mysql/service_rpl_transaction_ctx.h>
 #include <mysql/service_rpl_transaction_write_set.h>

include/mysql/services.h.pp

@@ -130,6 +130,13 @@
 extern void * my_memdup(PSI_memory_key key, const void *from, size_t length, myf_t flags);
 extern char * my_strdup(PSI_memory_key key, const char *from, myf_t flags);
 extern char * my_strndup(PSI_memory_key key, const char *from, size_t length, myf_t flags);
+#include <mysql/service_mysql_password_policy.h>
+extern struct mysql_password_policy_service_st {
+int (*my_validate_password_policy_func)(const char *);
+int (*my_calculate_password_strength_func)(const char *);
+} *mysql_password_policy_service;
+int my_validate_password_policy(const char *);
+int my_calculate_password_strength(const char *);
 #include <mysql/service_parser.h>
 #include "my_md5_size.h"
 #include <mysql/mysql_lex_string.h>

include/service_versions.h

@@ -26,6 +26,7 @@
 #define VERSION_my_plugin_log 0x0100
 #define VERSION_mysql_string  0x0100
 #define VERSION_mysql_malloc  0x0100
+#define VERSION_mysql_password_policy 0x0100
 #define VERSION_parser  0x0100
 #define VERSION_rpl_transaction_ctx_service 0x0100
 #define VERSION_transaction_write_set_service 0x0100

libservices/CMakeLists.txt

@@ -23,6 +23,7 @@ SET(MYSQLSERVICES_SOURCES
   my_thread_scheduler_service.c
   mysql_string_service.c
   mysql_malloc_service.c
+  mysql_password_policy_service.c
   parser_service.c
   rpl_transaction_ctx_service.c
   rpl_transaction_write_set_service.c)

libservices/mysql_password_policy_service.c

@@ -0,0 +1,19 @@
+/*  Copyright (c) 2015 Oracle and/or its affiliates. All rights reserved.
+
+    This program is free software; you can redistribute it and/or
+    modify it under the terms of the GNU General Public License as
+    published by the Free Software Foundation; version 2 of the
+    License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+#include <service_versions.h>
+SERVICE_VERSION *mysql_password_policy_service= (void*)VERSION_mysql_password_policy;
+

mysql-test/extra/binlog_tests/binlog.test

@@ -227,8 +227,8 @@ create table if not exists t3 like tt1;
 
 --disable_warnings
 USE mysql;
-INSERT IGNORE INTO user SET host='localhost', user='@#@', password=password('Just a test');
-UPDATE user SET password=password('Another password') WHERE host='localhost' AND user='@#@';
+INSERT IGNORE INTO user SET host='localhost', user='@#@', authentication_string=password('Just a test');
+UPDATE user SET authentication_string=password('Another password') WHERE host='localhost' AND user='@#@';
 DELETE FROM user WHERE host='localhost' AND user='@#@';
 --enable_warnings
 

mysql-test/extra/rpl_tests/rpl_implicit_commit_binlog.test

@@ -220,7 +220,7 @@ while ($ddl_cases >= 1)
   }
   if ($ddl_cases == 31)
   {
-    let $cmd= SET PASSWORD FOR 'user'@'localhost' = PASSWORD('newpass');
+    let $cmd= SET PASSWORD FOR 'user'@'localhost' = 'newpass';
     #
     # In NDB (RBR mode), the commit event is the 14th event
     # in the binary log:

mysql-test/extra/rpl_tests/rpl_row_001.test

@@ -20,15 +20,15 @@ connection slave;
 sync_with_master;
 STOP SLAVE;
 connection master;
-SET PASSWORD FOR root@"localhost" = PASSWORD('foo');
+SET PASSWORD FOR root@"localhost" = 'foo';
 connection slave;
 START SLAVE;
 connection master;
 #
 # Give slave time to do at last one failed connect retry
 # This one must be short so that the slave will not stop retrying
 real_sleep 2;
-SET PASSWORD FOR root@"localhost" = PASSWORD('');
+SET PASSWORD FOR root@"localhost" = '';
 # Give slave time to connect (will retry every second)
 sleep 2;
 

mysql-test/include/concurrent.inc

@@ -49,7 +49,7 @@ let $keep_locks= `SELECT NOT @@global.innodb_locks_unsafe_for_binlog`;
 #
 # Set up privileges and remove user level locks, if exist.
 #
-GRANT USAGE ON test.* TO mysqltest@localhost;
+CREATE USER mysqltest@localhost;
 
 #
 # Preparatory cleanup.

mysql-test/include/ipv6.inc

@@ -13,7 +13,7 @@ connection default;
 disconnect con1;
 eval REVOKE ALL ON test.* FROM testuser@'$IPv6';
 eval RENAME USER testuser@'$IPv6' to testuser1@'$IPv6';
-eval SET PASSWORD FOR testuser1@'$IPv6' = PASSWORD ('9876');
+eval SET PASSWORD FOR testuser1@'$IPv6' = '9876';
 --replace_result ::1 localhost
 SELECT USER();
 eval DROP USER testuser1@'$IPv6';