MDEV-17950 SHOW GRANTS FOR does not work for a user identified with non-existing plugin

Revert the side effect of 7c40996cc866.
Do not convert password hash to its binary representation when a user
entry is loaded. Do it lazily on the first authenticatation attempt.

As a collateral - force all authentication plugins to follow the
protocol and read_packet at least once before accessing info->username
(username is not available before first client handshake packet is read).

Fix PAM and GSSAPI plugins to behave.

2 files changed, 41 insertions, 11 deletions

diff --git a/plugin/auth_pam/auth_pam.c b/plugin/auth_pam/auth_pam.c
index 1ffc3285a3d..56154fb1656 100644
--- a/plugin/auth_pam/auth_pam.c
+++ b/plugin/auth_pam/auth_pam.c
@@ -36,8 +36,8 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 {
   int p_to_c[2], c_to_p[2]; /* Parent-to-child and child-to-parent pipes. */
   pid_t proc_id;
-  int result= CR_ERROR;
-  unsigned char field;
+  int result= CR_ERROR, pkt_len;
+  unsigned char field, *pkt;
 
   PAM_DEBUG((stderr, "PAM: opening pipes.\n"));
   if (pipe(p_to_c) < 0 || pipe(c_to_p) < 0)
@@ -96,6 +96,14 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
       close(c_to_p[1]) < 0)
     goto error_ret;
 
+  /* no user name yet ? read the client handshake packet with the user name */
+  if (info->user_name == 0)
+  {
+    if ((pkt_len= vio->read_packet(vio, &pkt) < 0))
+      return CR_ERROR;
+  }
+  else
+    pkt= NULL;
 
   PAM_DEBUG((stderr, "PAM: parent sends user data [%s], [%s].\n",
                info->user_name, info->auth_string));
@@ -140,23 +148,27 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
       {
         unsigned char buf[10240];
         int buf_len;
-        unsigned char *pkt;
 
         PAM_DEBUG((stderr, "PAM: getting CONV string.\n"));
         if ((buf_len= read_string(c_to_p[0], (char *) buf, sizeof(buf))) < 0)
           goto error_ret;
 
-        PAM_DEBUG((stderr, "PAM: sending CONV string.\n"));
-        if (vio->write_packet(vio, buf, buf_len))
-          goto error_ret;
+        if (!pkt || (buf[0] >> 1) != 2)
+        {
+          PAM_DEBUG((stderr, "PAM: sending CONV string.\n"));
+          if (vio->write_packet(vio, buf, buf_len))
+            goto error_ret;
 
-        PAM_DEBUG((stderr, "PAM: reading CONV answer.\n"));
-        if ((buf_len= vio->read_packet(vio, &pkt)) < 0)
-          goto error_ret;
+          PAM_DEBUG((stderr, "PAM: reading CONV answer.\n"));
+          if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
+            goto error_ret;
+        }
 
         PAM_DEBUG((stderr, "PAM: answering CONV.\n"));
-        if (write_string(p_to_c[1], pkt, buf_len))
+        if (write_string(p_to_c[1], pkt, pkt_len))
           goto error_ret;
+
+        pkt= NULL;
       }
       break;
 
diff --git a/plugin/auth_pam/auth_pam_v1.c b/plugin/auth_pam/auth_pam_v1.c
index 95110a5e310..6e0b2ea9991 100644
--- a/plugin/auth_pam/auth_pam_v1.c
+++ b/plugin/auth_pam/auth_pam_v1.c
@@ -17,13 +17,21 @@
 #include <mysql/plugin_auth.h>
 
 struct param {
-  unsigned char buf[10240], *ptr;
+  unsigned char buf[10240], *ptr, *cached;
+  int cached_len;
   MYSQL_PLUGIN_VIO *vio;
 };
 
 static int roundtrip(struct param *param, const unsigned char *buf,
                      int buf_len, unsigned char **pkt)
 {
+  if (param->cached && (buf[0] >> 1) == 2)
+  {
+    *pkt= param->cached;
+    param->cached= NULL;
+    return param->cached_len;
+  }
+  param->cached= NULL;
   if (param->vio->write_packet(param->vio, buf, buf_len))
     return -1;
   return param->vio->read_packet(param->vio, pkt);
@@ -35,6 +43,16 @@ static int pam_auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 {
   struct param param;
   param.vio = vio;
+
+  /* no user name yet ? read the client handshake packet with the user name */
+  if (info->user_name == 0)
+  {
+    if ((param.cached_len= vio->read_packet(vio, &param.cached) < 0))
+      return CR_ERROR;
+  }
+  else
+    param.cached= NULL;
+
   return pam_auth_base(&param, info);
 }