MDEV-31855 validate ssl certificates using client password in the internal client

port the client-side implementation from C/C to the internal client. add the test.

MDEV-31855 validate ssl certificates using client password in the internal client
port the client-side implementation from C/C to the internal client. add the test.
e0c30390 · Sergei Golubchik · 386df879 · e0c30390 · e0c30390 · e0c30390
Commit e0c30390 authored Sep 03, 2023 by Sergei Golubchik
15 changed files
--- a/include/mysql.h
+++ b/include/mysql.h
@@ -289,8 +289,9 @@ typedef struct st_mysql
  /* session-wide random string */
  char	        scramble[SCRAMBLE_LENGTH+1];
  my_bool       auto_local_infile;
-  void *unused2, *unused3, *unused4;
+  void          *unused2, *unused3;
  MYSQL_FIELD	*fields;
+  const char    *tls_self_signed_error;
  LIST  *stmts;                     /* list of all statements */
  const struct st_mysql_methods *methods;

--- a/include/mysql/client_plugin.h
+++ b/include/mysql/client_plugin.h
@@ -56,7 +56,7 @@
 #define MYSQL_CLIENT_reserved2               1
 #define MYSQL_CLIENT_AUTHENTICATION_PLUGIN   2
-#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION  0x0100
+#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION  0x0101
 #define MYSQL_CLIENT_MAX_PLUGINS             3
@@ -96,6 +96,7 @@ struct st_mysql_client_plugin_AUTHENTICATION
 {
  MYSQL_CLIENT_PLUGIN_HEADER
  int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
+  int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
 };
 #include <mysql/auth_dialog_client.h>

--- a/include/mysql/client_plugin.h.pp
+++ b/include/mysql/client_plugin.h.pp
@@ -22,6 +22,7 @@ struct st_mysql_client_plugin_AUTHENTICATION
 {
  int type; unsigned int interface_version; const char *name; const char *author; const char *desc; unsigned int version[3]; const char *license; void *mysql_api; int (*init)(char *, size_t, int, va_list); int (*deinit)(); int (*options)(const char *option, const void *);
  int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
+  int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
 };
 struct st_mysql;
 typedef char *(*mysql_authentication_dialog_ask_t)(struct st_mysql *mysql,

--- a/mysql-test/suite/mariabackup/backup_ssl.result
+++ b/mysql-test/suite/mariabackup/backup_ssl.result
@@ -7,3 +7,7 @@ FLUSH PRIVILEGES;
 # xtrabackup move back
 # restart
 DROP USER backup_user;
+#
+# MDEV-31855 validate ssl certificates using client password in the internal client
+#
+# tcp ssl ssl-verify-server-cert
--- a/mysql-test/suite/mariabackup/backup_ssl.test
+++ b/mysql-test/suite/mariabackup/backup_ssl.test
@@ -14,3 +14,10 @@ exec $XTRABACKUP  --prepare --target-dir=$targetdir;
 DROP USER backup_user;
 rmdir $targetdir;
+echo #;
+echo # MDEV-31855 validate ssl certificates using client password in the internal client;
+echo #;
+# fails to connect, passwordless root
+echo # tcp ssl ssl-verify-server-cert;
+error 1;
+exec $XTRABACKUP --protocol=tcp --user=root --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
--- a/mysql-test/suite/mariabackup/backup_ssl_not_win.result
+++ b/mysql-test/suite/mariabackup/backup_ssl_not_win.result
+#
+# MDEV-31855 validate ssl certificates using client password in the internal client
+#
+# socket ssl ssl-verify-server-cert
--- a/mysql-test/suite/mariabackup/backup_ssl_not_win.test
+++ b/mysql-test/suite/mariabackup/backup_ssl_not_win.test
+source include/not_windows.inc;
+let $targetdir=$MYSQLTEST_VARDIR/tmp/backup;
+echo #;
+echo # MDEV-31855 validate ssl certificates using client password in the internal client;
+echo #;
+# connects fine, unix socket is a secure transport
+echo # socket ssl ssl-verify-server-cert;
+exec $XTRABACKUP --protocol=socket --user=root --socket=$MASTER_MYSOCK --backup --target-dir=$targetdir;
+rmdir $targetdir;
--- a/mysql-test/suite/rpl/r/rpl_ssl1.result
+++ b/mysql-test/suite/rpl/r/rpl_ssl1.result
@@ -75,14 +75,42 @@ Master_SSL_Cert = 'MYSQL_TEST_DIR/std_data/client-cert.pem'
 Master_SSL_Key = 'MYSQL_TEST_DIR/std_data/client-key.pem'
 include/check_slave_is_running.inc
 connection master;
+create user replssl@127.0.0.1 identified by "sslrepl";
+grant replication slave on *.* to replssl@127.0.0.1 require ssl;
+connection slave;
+stop slave;
+include/wait_for_slave_to_stop.inc
+change master to
+master_host="127.0.0.1",
+master_user='replssl',
+master_password="sslrepl",
+master_ssl=1,
+master_ssl_verify_server_cert=1,
+master_ssl_ca ='',
+master_ssl_cert='',
+master_ssl_key='';
+start slave;
+include/wait_for_slave_to_start.inc
+show tables;
+Tables_in_test
+t1
+connection master;
 drop table t1;
 connection slave;
+show tables;
+Tables_in_test
 include/stop_slave.inc
 CHANGE MASTER TO
 master_host="127.0.0.1",
+master_user='root',
+master_password='',
 master_ssl_ca ='',
 master_ssl_cert='',
 master_ssl_key='',
 master_ssl_verify_server_cert=0,
 master_ssl=0;
+connection master;
+drop user replssl@127.0.0.1;
+connection slave;
+drop user replssl@127.0.0.1;
 include/rpl_end.inc
--- a/mysql-test/suite/rpl/t/rpl_ssl1.test
+++ b/mysql-test/suite/rpl/t/rpl_ssl1.test
@@ -95,19 +95,47 @@ select * from t1;
 source include/show_slave_status.inc;
 --source include/check_slave_is_running.inc
-# ==== Clean up ====
+# MDEV-31855 validate with master_password
+connection master;
+create user replssl@127.0.0.1 identified by "sslrepl";
+grant replication slave on *.* to replssl@127.0.0.1 require ssl;
+connection slave;
+stop slave;
+--source include/wait_for_slave_to_stop.inc
+eval change master to
+ master_host="127.0.0.1",
+ master_user='replssl',
+ master_password="sslrepl",
+ master_ssl=1,
+ master_ssl_verify_server_cert=1,
+ master_ssl_ca ='',
+ master_ssl_cert='',
+ master_ssl_key='';
+start slave;
+--source include/wait_for_slave_to_start.inc
+show tables;
 connection master;
 drop table t1;
 sync_slave_with_master;
+show tables;
+# ==== Clean up ====
 --source include/stop_slave.inc
 CHANGE MASTER TO
 master_host="127.0.0.1",
+ master_user='root',
+ master_password='',
 master_ssl_ca ='',
 master_ssl_cert='',
 master_ssl_key='',
 master_ssl_verify_server_cert=0,
 master_ssl=0;
+connection master;
+drop user replssl@127.0.0.1;
+connection slave;
+drop user replssl@127.0.0.1;
 --let $rpl_only_running_threads= 1
 --source include/rpl_end.inc
--- a/plugin/auth_ed25519/client_ed25519.c
+++ b/plugin/auth_ed25519/client_ed25519.c
@@ -13,7 +13,7 @@
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA */
+#error see libmariadb/plugins/auth/ed25519.c instead
 /************************** CLIENT *************************************/
 #include <stdlib.h>

--- a/plugin/auth_examples/qa_auth_client.c
+++ b/plugin/auth_examples/qa_auth_client.c
@@ -113,5 +113,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
  NULL,
  NULL,
  NULL,
-  test_plugin_client
+  test_plugin_client,
+  NULL
 mysql_end_client_plugin;
--- a/plugin/auth_examples/qa_auth_interface.c
+++ b/plugin/auth_examples/qa_auth_interface.c
@@ -250,5 +250,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
  NULL,
  NULL,
  NULL,
-  test_plugin_client
+  test_plugin_client,
+  NULL
 mysql_end_client_plugin;
--- a/plugin/auth_examples/test_plugin.c
+++ b/plugin/auth_examples/test_plugin.c
@@ -230,5 +230,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
  NULL,
  NULL,
  NULL,
-  test_plugin_client
+  test_plugin_client,
+  NULL
 mysql_end_client_plugin;
--- a/sql-common/client.c
+++ b/sql-common/client.c
--- a/sql-common/client_plugin.c
+++ b/sql-common/client_plugin.c
@@ -171,9 +171,7 @@ add_plugin(MYSQL *mysql, struct st_mysql_client_plugin *plugin, void *dlhandle,
    goto err1;
  }
-  if (plugin->interface_version < plugin_version[plugin->type] ||
+  if (plugin->interface_version >> 8 != plugin_version[plugin->type] >> 8)
-      (plugin->interface_version >> 8) >
-       (plugin_version[plugin->type] >> 8))
  {
    errmsg= "Incompatible client plugin interface";
    goto err1;