Fix issue with CLIENT_PLUGIN_AUTH flag in ssl request packet

prefiks · prefiks · commit b0447a7eb801 · 2026-02-16T16:13:21.000+01:00
If server wanted mysql_native_password password in initial handshake,
we didn't include CLIENT_PLUGIN_AUTH bit in packet to initiate ssl
connection thinking that server was too old to support this, but we should
consult caps presented by server for this. Missing this flag caused
problem if server later needed to switch to different password format.

This fixes issue ejabberd#4532
diff --git a/src/p1_mysql_auth.erl b/src/p1_mysql_auth.erl
@@ -16,7 +16,7 @@
 %%--------------------------------------------------------------------
 %% External exports (should only be used by the 'p1_mysql_conn' module)
 %%--------------------------------------------------------------------
--export([do_auth/8, password_sha2/2, get_auth_head/2]).
+-export([do_auth/8, password_sha2/2, get_auth_head/3]).
 
 -include("p1_mysql_consts.hrl").
 -include("p1_mysql_state.hrl").
@@ -38,11 +38,11 @@
 %% External functions
 %%====================================================================
 
-get_auth_head("old_auth", ExtraCaps) ->
+get_auth_head("old_auth", _, ExtraCaps) ->
     make_auth_head(ExtraCaps);
-get_auth_head("mysql_native_password", ExtraCaps) ->
+get_auth_head("mysql_native_password", false, ExtraCaps) ->
     make_new_auth_head(none, "", ExtraCaps);
-get_auth_head(Type, ExtraCaps) ->
+get_auth_head(Type, _, ExtraCaps) ->
     make_new_auth_head(none, Type, ExtraCaps).
 
 %%--------------------------------------------------------------------
diff --git a/src/p1_mysql_conn.erl b/src/p1_mysql_conn.erl
@@ -469,7 +469,7 @@ mysql_init(State, User, Password, LogFun, SSLOpts) ->
 			_ ->
 			    case proplists:get_bool(ssl, SSLOpts) orelse proplists:get_bool(ssl_required, SSLOpts) of
 				true ->
-				    case start_ssl(NState, SSLOpts, LogFun, InitSeqNum + 1, AuthPlug) of
+				    case start_ssl(NState, SSLOpts, LogFun, InitSeqNum + 1, AuthPlug, Caps band ?CLIENT_PLUGIN_AUTH /= 0) of
 					{ok, NewState} ->
 					    authenticate(NewState, User, Password, LogFun,
 							 InitSeqNum + 1, Version, Salt, Caps, AuthPlug);
@@ -489,8 +489,8 @@ mysql_init(State, User, Password, LogFun, SSLOpts) ->
 
 %% part of mysql_init/4
 
-start_ssl(#state{socket = {_, Sock}} = State, SSLOpts, LogFun, SeqNum, AuthPlug) ->
-    Packet = p1_mysql_auth:get_auth_head(AuthPlug, ?CLIENT_SSL),
+start_ssl(#state{socket = {_, Sock}} = State, SSLOpts, LogFun, SeqNum, AuthPlug, ServerHasPlugAuth) ->
+    Packet = p1_mysql_auth:get_auth_head(AuthPlug, ServerHasPlugAuth, ?CLIENT_SSL),
     Data = <<(size(Packet)):24/little, SeqNum:8, Packet/binary>>,
     p1_mysql:log(LogFun, debug, "p1_mysql_conn send start ssl ~p: ~p", [SeqNum, Packet]),
     gen_tcp:send(Sock, Data),
