diff options
| -rw-r--r-- | include/mysql/plugin_password_validation.h | 5 | ||||
| -rw-r--r-- | include/mysql/plugin_password_validation.h.pp | 3 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/r/cracklib_password_check.result | 14 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/r/simple_password_check.result | 2 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/t/cracklib_password_check.test | 8 | ||||
| -rw-r--r-- | plugin/cracklib_password_check/cracklib_password_check.c | 13 | ||||
| -rw-r--r-- | plugin/simple_password_check/simple_password_check.c | 4 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 19 |
8 files changed, 51 insertions, 17 deletions
diff --git a/include/mysql/plugin_password_validation.h b/include/mysql/plugin_password_validation.h index 23d2c884012..94d6c63967f 100644 --- a/include/mysql/plugin_password_validation.h +++ b/include/mysql/plugin_password_validation.h @@ -30,7 +30,7 @@ extern "C" { #endif -#define MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION 0x0100 +#define MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION 0x0101 /** Password validation plugin descriptor @@ -43,7 +43,8 @@ struct st_mariadb_password_validation and return 0 if the password has passed the validation. */ int (*validate_password)(const MYSQL_CONST_LEX_STRING *username, - const MYSQL_CONST_LEX_STRING *password); + const MYSQL_CONST_LEX_STRING *password, + const MYSQL_CONST_LEX_STRING *hostname); }; #ifdef __cplusplus diff --git a/include/mysql/plugin_password_validation.h.pp b/include/mysql/plugin_password_validation.h.pp index eae776a753b..41b74f13985 100644 --- a/include/mysql/plugin_password_validation.h.pp +++ b/include/mysql/plugin_password_validation.h.pp @@ -629,6 +629,7 @@ struct st_mariadb_password_validation { int interface_version; int (*validate_password)(const MYSQL_CONST_LEX_STRING *username, - const MYSQL_CONST_LEX_STRING *password); + const MYSQL_CONST_LEX_STRING *password, + const MYSQL_CONST_LEX_STRING *hostname); }; } diff --git a/mysql-test/suite/plugins/r/cracklib_password_check.result b/mysql-test/suite/plugins/r/cracklib_password_check.result index 1194e6eef5a..b8cf27f545c 100644 --- a/mysql-test/suite/plugins/r/cracklib_password_check.result +++ b/mysql-test/suite/plugins/r/cracklib_password_check.result @@ -4,7 +4,7 @@ PLUGIN_NAME cracklib_password_check PLUGIN_VERSION 1.0 PLUGIN_STATUS ACTIVE PLUGIN_TYPE PASSWORD VALIDATION -PLUGIN_TYPE_VERSION 1.0 +PLUGIN_TYPE_VERSION 1.1 PLUGIN_LIBRARY cracklib_password_check.so PLUGIN_LIBRARY_VERSION 1.14 PLUGIN_AUTHOR Sergei Golubchik @@ -37,6 +37,18 @@ show warnings; Level Code Message Warning 1819 cracklib: it is based on a dictionary word Error 1819 Your password does not satisfy the current policy requirements +grant select on *.* to foocar@localhost identified by 'localhost'; +ERROR HY000: Your password does not satisfy the current policy requirements +show warnings; +Level Code Message +Warning 1819 cracklib: it is based upon your password entry +Error 1819 Your password does not satisfy the current policy requirements +grant select on *.* to foocar@localhost identified by 'foocar@localhost'; +ERROR HY000: Your password does not satisfy the current policy requirements +show warnings; +Level Code Message +Warning 1819 cracklib: it is derived from your password entry +Error 1819 Your password does not satisfy the current policy requirements grant select on *.* to foobar identified by 'q$%^&*rty'; drop user foobar; # diff --git a/mysql-test/suite/plugins/r/simple_password_check.result b/mysql-test/suite/plugins/r/simple_password_check.result index f8f56bc8b15..271b9c3ad71 100644 --- a/mysql-test/suite/plugins/r/simple_password_check.result +++ b/mysql-test/suite/plugins/r/simple_password_check.result @@ -4,7 +4,7 @@ PLUGIN_NAME simple_password_check PLUGIN_VERSION 1.0 PLUGIN_STATUS ACTIVE PLUGIN_TYPE PASSWORD VALIDATION -PLUGIN_TYPE_VERSION 1.0 +PLUGIN_TYPE_VERSION 1.1 PLUGIN_LIBRARY simple_password_check.so PLUGIN_LIBRARY_VERSION 1.14 PLUGIN_AUTHOR Sergei Golubchik diff --git a/mysql-test/suite/plugins/t/cracklib_password_check.test b/mysql-test/suite/plugins/t/cracklib_password_check.test index 89b53b656d6..0fbef757e30 100644 --- a/mysql-test/suite/plugins/t/cracklib_password_check.test +++ b/mysql-test/suite/plugins/t/cracklib_password_check.test @@ -27,6 +27,14 @@ show warnings; grant select on *.* to foobar identified by 'qwerty'; show warnings; +--error ER_NOT_VALID_PASSWORD +grant select on *.* to foocar@localhost identified by 'localhost'; +show warnings; + +--error ER_NOT_VALID_PASSWORD +grant select on *.* to foocar@localhost identified by 'foocar@localhost'; +show warnings; + grant select on *.* to foobar identified by 'q$%^&*rty'; drop user foobar; diff --git a/plugin/cracklib_password_check/cracklib_password_check.c b/plugin/cracklib_password_check/cracklib_password_check.c index 20294b070e7..95f8e11fe0e 100644 --- a/plugin/cracklib_password_check/cracklib_password_check.c +++ b/plugin/cracklib_password_check/cracklib_password_check.c @@ -22,18 +22,21 @@ static char *dictionary; static int crackme(const MYSQL_CONST_LEX_STRING *username, - const MYSQL_CONST_LEX_STRING *password) + const MYSQL_CONST_LEX_STRING *password, + const MYSQL_CONST_LEX_STRING *hostname) { char *user= alloca(username->length + 1); - char *host; + char *full_name= alloca(hostname->length + username->length + 2); const char *res; memcpy(user, username->str, username->length); user[username->length]= 0; - if ((host= strchr(user, '@'))) - *host++= 0; + memcpy(full_name, username->str, username->length); + full_name[username->length]= '@'; + memcpy(full_name + username->length + 1, hostname->str, hostname->length); + full_name[hostname->length+ username->length + 1]= 0; - if ((res= FascistCheckUser(password->str, dictionary, user, host))) + if ((res= FascistCheckUser(password->str, dictionary, user, full_name))) { my_printf_error(ER_NOT_VALID_PASSWORD, "cracklib: %s", ME_WARNING, res); diff --git a/plugin/simple_password_check/simple_password_check.c b/plugin/simple_password_check/simple_password_check.c index 65d017e24a1..e9d852d54ab 100644 --- a/plugin/simple_password_check/simple_password_check.c +++ b/plugin/simple_password_check/simple_password_check.c @@ -23,7 +23,9 @@ static unsigned min_length, min_digits, min_letters, min_others; static int validate(const MYSQL_CONST_LEX_STRING *username, - const MYSQL_CONST_LEX_STRING *password) + const MYSQL_CONST_LEX_STRING *password, + const MYSQL_CONST_LEX_STRING *hostname + __attribute__((unused))) { unsigned digits=0 , uppers=0 , lowers=0, others=0, length= (unsigned)password->length; const char *ptr= password->str, *end= ptr + length; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index c6b690d6d42..97b666143aa 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2168,24 +2168,26 @@ static bool has_validation_plugins() MariaDB_PASSWORD_VALIDATION_PLUGIN, NULL); } -struct validation_data { const LEX_CSTRING *user, *password; }; +struct validation_data { const LEX_CSTRING *user, *password, *host; }; static my_bool do_validate(THD *, plugin_ref plugin, void *arg) { struct validation_data *data= (struct validation_data *)arg; struct st_mariadb_password_validation *handler= (st_mariadb_password_validation *)plugin_decl(plugin)->info; - return handler->validate_password(data->user, data->password); + return handler->validate_password(data->user, data->password, data->host); } static bool validate_password(THD *thd, const LEX_CSTRING &user, + const LEX_CSTRING &host, const LEX_CSTRING &pwtext, bool has_hash) { if (pwtext.length || !has_hash) { struct validation_data data= { &user, - pwtext.str ? &pwtext : &empty_clex_str }; + pwtext.str ? &pwtext : &empty_clex_str, + &host }; if (plugin_foreach(NULL, do_validate, MariaDB_PASSWORD_VALIDATION_PLUGIN, &data)) { @@ -2239,6 +2241,7 @@ static int set_user_salt(ACL_USER::AUTH *auth, plugin_ref plugin) not loaded, if the auth_string is invalid, if the password is not applicable */ static int set_user_auth(THD *thd, const LEX_CSTRING &user, + const LEX_CSTRING &host, ACL_USER::AUTH *auth, const LEX_CSTRING &pwtext) { const char *plugin_name= auth->plugin.str; @@ -2264,7 +2267,7 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user, } if (info->hash_password && - validate_password(thd, user, pwtext, auth->auth_string.length)) + validate_password(thd, user, host, pwtext, auth->auth_string.length)) { res= ER_NOT_VALID_PASSWORD; goto end; @@ -3373,7 +3376,10 @@ static int acl_user_update(THD *thd, ACL_USER *acl_user, uint nauth, acl_user->auth[i].auth_string= safe_lexcstrdup_root(&acl_memroot, auth->auth_str); if (fix_user_plugin_ptr(acl_user->auth + i)) acl_user->auth[i].plugin= safe_lexcstrdup_root(&acl_memroot, auth->plugin); - if (set_user_auth(thd, acl_user->user, acl_user->auth + i, auth->pwtext)) + LEX_CSTRING host= { acl_user->host.hostname , + acl_user->hostname_length}; + if (set_user_auth(thd, acl_user->user, host, + acl_user->auth + i, auth->pwtext)) return 1; } } @@ -3976,7 +3982,8 @@ bool change_password(THD *thd, LEX_USER *user) { auth= acl_user->auth[i]; auth.auth_string= safe_lexcstrdup_root(&acl_memroot, user->auth->auth_str); - int r= set_user_auth(thd, user->user, &auth, user->auth->pwtext); + int r= set_user_auth(thd, user->user, user->host, + &auth, user->auth->pwtext); if (r == ER_SET_PASSWORD_AUTH_PLUGIN) password_plugin= auth.plugin.str; else if (r) |