Commit e0c30390 authored by Sergei Golubchik

MDEV-31855 validate ssl certificates using client password in the internal client

port the client-side implementation from C/C to the internal client.
add the test.
parent 386df879
......@@ -289,8 +289,9 @@ typedef struct st_mysql
/* session-wide random string */
char scramble[SCRAMBLE_LENGTH+1];
my_bool auto_local_infile;
void *unused2, *unused3, *unused4;
void *unused2, *unused3;
MYSQL_FIELD *fields;
const char *tls_self_signed_error;
LIST *stmts; /* list of all statements */
const struct st_mysql_methods *methods;
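Review bot: The new `tls_self_signed_error` member on the line after `MYSQL_FIELD *fields;` has no comment, while its neighbours (`scramble`, `stmts`) say what they hold; a reader cannot tell what string it points to, whether that is a static literal or allocated storage, or when it is cleared. Reusing the `unused4` slot keeps `sizeof(MYSQL)` and the offsets of the following members unchanged, which looks intended for ABI stability and is worth stating in the same comment. If its role is the one the commit title suggests, something like `const char *tls_self_signed_error; /* deferred TLS cert error, cleared if the password later validates the server cert; static string, never freed */` would do, with the ownership part adjusted to what client.c actually does. `st_mysql` starts before this hunk.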
......@@ -56,7 +56,7 @@
#define MYSQL_CLIENT_reserved2 1
#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN 2
#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION 0x0100
#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION 0x0101
#define MYSQL_CLIENT_MAX_PLUGINS 3
......@@ -96,6 +96,7 @@ struct st_mysql_client_plugin_AUTHENTICATION
{
MYSQL_CLIENT_PLUGIN_HEADER
int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
};
#include <mysql/auth_dialog_client.h>
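Review bot: The `hash_password_bin` callback added to `st_mysql_client_plugin_AUTHENTICATION` has no doc comment, and its contract is not derivable from the signature: it is unclear whether `*hash_length` is the capacity of `hash` on entry and the bytes written on return, or output-only, and what a non-zero return means. If the caller in client.c (in the collapsed hunk, not visible here) hands over a fixed-size buffer, an unstated capacity rule is exactly the gap that becomes an overflow when a plugin writes a longer digest. A comment such as `/* Fills hash with the binary password hash used to validate the server certificate; on entry *hash_length is the size of hash, on return the bytes written. Returns 0 on success, non-zero on error or when unsupported. */`, with the in/out convention matched to the actual caller, would pin it down; the generated client_plugin.h.pp copy in the next hunk needs no comment.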
......@@ -22,6 +22,7 @@ struct st_mysql_client_plugin_AUTHENTICATION
{
int type; unsigned int interface_version; const char *name; const char *author; const char *desc; unsigned int version[3]; const char *license; void *mysql_api; int (*init)(char *, size_t, int, va_list); int (*deinit)(); int (*options)(const char *option, const void *);
int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
};
struct st_mysql;
typedef char *(*mysql_authentication_dialog_ask_t)(struct st_mysql *mysql,
......@@ -7,3 +7,7 @@ FLUSH PRIVILEGES;
# xtrabackup move back
# restart
DROP USER backup_user;
#
# MDEV-31855 validate ssl certificates using client password in the internal client
#
# tcp ssl ssl-verify-server-cert
......@@ -14,3 +14,10 @@ exec $XTRABACKUP --prepare --target-dir=$targetdir;
DROP USER backup_user;
rmdir $targetdir;
echo #;
echo # MDEV-31855 validate ssl certificates using client password in the internal client;
echo #;
# fails to connect, passwordless root
echo # tcp ssl ssl-verify-server-cert;
error 1;
exec $XTRABACKUP --protocol=tcp --user=root --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
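Review bot: The negative case at `error 1; exec $XTRABACKUP --protocol=tcp ...` only asserts a non-zero exit status, so any connection failure (wrong port, server unreachable, a plugin load error) satisfies it as well as the intended certificate-verification failure, and a regression that breaks TCP connections entirely would still pass. Capturing the command's stderr to a file and checking that it mentions the certificate verification failure, e.g. with `include/search_pattern_in_file.inc`, would make the test assert what its comment `# fails to connect, passwordless root` claims. The socket variant in the following new test file is fine as a positive check.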
#
# MDEV-31855 validate ssl certificates using client password in the internal client
#
# socket ssl ssl-verify-server-cert
source include/not_windows.inc;
let $targetdir=$MYSQLTEST_VARDIR/tmp/backup;
echo #;
echo # MDEV-31855 validate ssl certificates using client password in the internal client;
echo #;
# connects fine, unix socket is a secure transport
echo # socket ssl ssl-verify-server-cert;
exec $XTRABACKUP --protocol=socket --user=root --socket=$MASTER_MYSOCK --backup --target-dir=$targetdir;
rmdir $targetdir;
......@@ -75,14 +75,42 @@ Master_SSL_Cert = 'MYSQL_TEST_DIR/std_data/client-cert.pem'
Master_SSL_Key = 'MYSQL_TEST_DIR/std_data/client-key.pem'
include/check_slave_is_running.inc
connection master;
create user replssl@127.0.0.1 identified by "sslrepl";
grant replication slave on *.* to replssl@127.0.0.1 require ssl;
connection slave;
stop slave;
include/wait_for_slave_to_stop.inc
change master to
master_host="127.0.0.1",
master_user='replssl',
master_password="sslrepl",
master_ssl=1,
master_ssl_verify_server_cert=1,
master_ssl_ca ='',
master_ssl_cert='',
master_ssl_key='';
start slave;
include/wait_for_slave_to_start.inc
show tables;
Tables_in_test
t1
connection master;
drop table t1;
connection slave;
show tables;
Tables_in_test
include/stop_slave.inc
CHANGE MASTER TO
master_host="127.0.0.1",
master_user='root',
master_password='',
master_ssl_ca ='',
master_ssl_cert='',
master_ssl_key='',
master_ssl_verify_server_cert=0,
master_ssl=0;
connection master;
drop user replssl@127.0.0.1;
connection slave;
drop user replssl@127.0.0.1;
include/rpl_end.inc
......@@ -95,19 +95,47 @@ select * from t1;
source include/show_slave_status.inc;
--source include/check_slave_is_running.inc
# ==== Clean up ====
# MDEV-31855 validate with master_password
connection master;
create user replssl@127.0.0.1 identified by "sslrepl";
grant replication slave on *.* to replssl@127.0.0.1 require ssl;
connection slave;
stop slave;
--source include/wait_for_slave_to_stop.inc
eval change master to
master_host="127.0.0.1",
master_user='replssl',
master_password="sslrepl",
master_ssl=1,
master_ssl_verify_server_cert=1,
master_ssl_ca ='',
master_ssl_cert='',
master_ssl_key='';
start slave;
--source include/wait_for_slave_to_start.inc
show tables;
connection master;
drop table t1;
sync_slave_with_master;
show tables;
# ==== Clean up ====
--source include/stop_slave.inc
CHANGE MASTER TO
master_host="127.0.0.1",
master_user='root',
master_password='',
master_ssl_ca ='',
master_ssl_cert='',
master_ssl_key='',
master_ssl_verify_server_cert=0,
master_ssl=0;
connection master;
drop user replssl@127.0.0.1;
connection slave;
drop user replssl@127.0.0.1;
--let $rpl_only_running_threads= 1
--source include/rpl_end.inc
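Review bot: The new block only has a positive check (`show tables` after `start slave` with `master_ssl_verify_server_cert=1` and `master_ssl_ca=''`), so it proves replication still runs but not that the server certificate is actually validated through the password; a regression that skips the validation altogether would pass. A negative case — for example a replication user without a password under the same CHANGE MASTER settings, expected to fail to connect, as the mariabackup test in this commit does — would cover the claim in the `# MDEV-31855 validate with master_password` comment. Separately, `eval change master to` needs no `eval`, since the statement contains no `$` variables; plain `change master to` reads cleaner. The test continues outside the hunk.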
......@@ -13,7 +13,7 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA */
#error see libmariadb/plugins/auth/ed25519.c instead
/************************** CLIENT *************************************/
#include <stdlib.h>
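Review bot: The `#error see libmariadb/plugins/auth/ed25519.c instead` directive stops the file compiling but leaves the whole client implementation in place below it, and its message says only where to look, not why the file is dead. If the file is dropped from the build in the collapsed hunk, deleting it outright (or reducing it to the directive) would be cleaner than keeping dead code that no longer matches the 0x0101 plugin interface; if it is not dropped, the build breaks. At minimum the message could state that, e.g. `#error the client side of ed25519 now lives in libmariadb/plugins/auth/ed25519.c; this file is no longer built`. The code this guards is outside the hunk.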
......@@ -113,5 +113,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
NULL,
NULL,
NULL,
test_plugin_client
test_plugin_client,
NULL
mysql_end_client_plugin;
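Review bot: The trailing `NULL` added after `test_plugin_client,` is positional and unlabeled, so nothing in the file tells a reader it fills the `hash_password_bin` slot introduced with interface version 0x0101; the same applies to the identical additions in the next two hunks. Writing `NULL /* hash_password_bin */` keeps the existing style of unlabeled NULLs for the older slots while documenting the one this commit adds, and it makes visible that these test plugins presumably opt out of password-based certificate validation.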
......@@ -250,5 +250,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
NULL,
NULL,
NULL,
test_plugin_client
test_plugin_client,
NULL
mysql_end_client_plugin;
......@@ -230,5 +230,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
NULL,
NULL,
NULL,
test_plugin_client
test_plugin_client,
NULL
mysql_end_client_plugin;
......@@ -171,9 +171,7 @@ add_plugin(MYSQL *mysql, struct st_mysql_client_plugin *plugin, void *dlhandle,
goto err1;
}
if (plugin->interface_version < plugin_version[plugin->type] ||
(plugin->interface_version >> 8) >
(plugin_version[plugin->type] >> 8))
if (plugin->interface_version >> 8 != plugin_version[plugin->type] >> 8)
{
errmsg= "Incompatible client plugin interface";
goto err1;
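Review bot: The relaxed check `if (plugin->interface_version >> 8 != plugin_version[plugin->type] >> 8)` now accepts a plugin whose minor version is below the library's, e.g. an authentication plugin built against 0x0100 loaded by a client declaring 0x0101, which the removed `<` comparison rejected. Such a plugin's struct ends at `authenticate_user`, so any read of `plugin->hash_password_bin` on it reaches past the plugin's object and can yield a garbage function pointer; that is only safe if every user of the new member first checks `plugin->interface_version >= 0x0101`, which may be done in the collapsed client.c hunk but is not visible here. The reason for the relaxation belongs at the check, e.g. `/* major version must match; members added in later minor versions are only touched after checking plugin->interface_version */`. add_plugin starts before this hunk.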