MDEV-31855 validate ssl certificates using client password in the int…

…ernal client port the client-side implementation from C/C to the internal client. add the test.
MariaDB · Feb 4, 2024 · e0c3039 · e0c3039
1 parent 386df87
commit e0c3039
Show file tree

Hide file tree

Showing 15 changed files with 240 additions and 60 deletions.
diff --git a/include/mysql.h b/include/mysql.h
@@ -289,8 +289,9 @@ typedef struct st_mysql
  /* session-wide random string */
  char scramble[SCRAMBLE_LENGTH+1];
  my_bool auto_local_infile;
- void *unused2, *unused3, *unused4;
+ void  *unused2, *unused3;
  MYSQL_FIELD *fields;
+ const char *tls_self_signed_error;
 
  LIST *stmts; /* list of all statements */
  const struct st_mysql_methods *methods;

diff --git a/include/mysql/client_plugin.h b/include/mysql/client_plugin.h
@@ -56,7 +56,7 @@
 #define MYSQL_CLIENT_reserved2 1
 #define MYSQL_CLIENT_AUTHENTICATION_PLUGIN 2
 
-#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION 0x0100
+#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION 0x0101
 
 #define MYSQL_CLIENT_MAX_PLUGINS 3
 
@@ -96,6 +96,7 @@ struct st_mysql_client_plugin_AUTHENTICATION
 {
  MYSQL_CLIENT_PLUGIN_HEADER
  int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
+ int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
 };
 
 #include <mysql/auth_dialog_client.h>

diff --git a/include/mysql/client_plugin.h.pp b/include/mysql/client_plugin.h.pp
@@ -22,6 +22,7 @@
 {
  int type; unsigned int interface_version; const char *name; const char *author; const char *desc; unsigned int version[3]; const char *license; void *mysql_api; int (*init)(char *, size_t, int, va_list); int (*deinit)(); int (*options)(const char *option, const void *);
  int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
+ int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
 };
 struct st_mysql;
 typedef char *(*mysql_authentication_dialog_ask_t)(struct st_mysql *mysql,

diff --git a/mysql-test/suite/mariabackup/backup_ssl.result b/mysql-test/suite/mariabackup/backup_ssl.result
@@ -7,3 +7,7 @@ FLUSH PRIVILEGES;
 # xtrabackup move back
 # restart
 DROP USER backup_user;
+#
+# MDEV-31855 validate ssl certificates using client password in the internal client
+#
+# tcp ssl ssl-verify-server-cert
diff --git a/mysql-test/suite/mariabackup/backup_ssl.test b/mysql-test/suite/mariabackup/backup_ssl.test
@@ -14,3 +14,10 @@ exec $XTRABACKUP --prepare --target-dir=$targetdir;
 DROP USER backup_user;
 rmdir $targetdir;
 
+echo #;
+echo # MDEV-31855 validate ssl certificates using client password in the internal client;
+echo #;
+# fails to connect, passwordless root
+echo # tcp ssl ssl-verify-server-cert;
+error 1;
+exec $XTRABACKUP --protocol=tcp --user=root --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
diff --git a/mysql-test/suite/mariabackup/backup_ssl_not_win.result b/mysql-test/suite/mariabackup/backup_ssl_not_win.result
@@ -0,0 +1,4 @@
+#
+# MDEV-31855 validate ssl certificates using client password in the internal client
+#
+# socket ssl ssl-verify-server-cert
diff --git a/mysql-test/suite/mariabackup/backup_ssl_not_win.test b/mysql-test/suite/mariabackup/backup_ssl_not_win.test
@@ -0,0 +1,10 @@
+source include/not_windows.inc;
+let $targetdir=$MYSQLTEST_VARDIR/tmp/backup;
+
+echo #;
+echo # MDEV-31855 validate ssl certificates using client password in the internal client;
+echo #;
+# connects fine, unix socket is a secure transport
+echo # socket ssl ssl-verify-server-cert;
+exec $XTRABACKUP --protocol=socket --user=root --socket=$MASTER_MYSOCK --backup --target-dir=$targetdir;
+rmdir $targetdir;
diff --git a/mysql-test/suite/rpl/r/rpl_ssl1.result b/mysql-test/suite/rpl/r/rpl_ssl1.result
@@ -75,14 +75,42 @@ Master_SSL_Cert = 'MYSQL_TEST_DIR/std_data/client-cert.pem'
 Master_SSL_Key = 'MYSQL_TEST_DIR/std_data/client-key.pem'
 include/check_slave_is_running.inc
 connection master;
+create user [email protected] identified by "sslrepl";
+grant replication slave on *.* to [email protected] require ssl;
+connection slave;
+stop slave;
+include/wait_for_slave_to_stop.inc
+change master to
+master_host="127.0.0.1",
+master_user='replssl',
+master_password="sslrepl",
+master_ssl=1,
+master_ssl_verify_server_cert=1,
+master_ssl_ca ='',
+master_ssl_cert='',
+master_ssl_key='';
+start slave;
+include/wait_for_slave_to_start.inc
+show tables;
+Tables_in_test
+t1
+connection master;
 drop table t1;
 connection slave;
+show tables;
+Tables_in_test
 include/stop_slave.inc
 CHANGE MASTER TO
 master_host="127.0.0.1",
+master_user='root',
+master_password='',
 master_ssl_ca ='',
 master_ssl_cert='',
 master_ssl_key='',
 master_ssl_verify_server_cert=0,
 master_ssl=0;
+connection master;
+drop user [email protected];
+connection slave;
+drop user [email protected];
 include/rpl_end.inc
diff --git a/mysql-test/suite/rpl/t/rpl_ssl1.test b/mysql-test/suite/rpl/t/rpl_ssl1.test
@@ -95,19 +95,47 @@ select * from t1;
 source include/show_slave_status.inc;
 --source include/check_slave_is_running.inc
 
-# ==== Clean up ====
+# MDEV-31855 validate with master_password
+connection master;
+create user [email protected] identified by "sslrepl";
+grant replication slave on *.* to [email protected] require ssl;
+
+connection slave;
+stop slave;
+--source include/wait_for_slave_to_stop.inc
+eval change master to
+ master_host="127.0.0.1",
+ master_user='replssl',
+ master_password="sslrepl",
+ master_ssl=1,
+ master_ssl_verify_server_cert=1,
+ master_ssl_ca ='',
+ master_ssl_cert='',
+ master_ssl_key='';
+start slave;
+--source include/wait_for_slave_to_start.inc
 
+show tables;
 connection master;
 drop table t1;
 sync_slave_with_master;
+show tables;
+
+# ==== Clean up ====
 --source include/stop_slave.inc
 CHANGE MASTER TO
  master_host="127.0.0.1",
+ master_user='root',
+ master_password='',
  master_ssl_ca ='',
  master_ssl_cert='',
  master_ssl_key='',
  master_ssl_verify_server_cert=0,
  master_ssl=0;
+connection master;
+drop user [email protected];
+connection slave;
+drop user [email protected];
 
 --let $rpl_only_running_threads= 1
 --source include/rpl_end.inc
diff --git a/plugin/auth_ed25519/client_ed25519.c b/plugin/auth_ed25519/client_ed25519.c
@@ -13,7 +13,7 @@
  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA */
-
+#error see libmariadb/plugins/auth/ed25519.c instead
 /************************** CLIENT *************************************/
 
 #include <stdlib.h>

diff --git a/plugin/auth_examples/qa_auth_client.c b/plugin/auth_examples/qa_auth_client.c
@@ -113,5 +113,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
  NULL,
  NULL,
  NULL,
- test_plugin_client
+ test_plugin_client,
+ NULL
 mysql_end_client_plugin;
diff --git a/plugin/auth_examples/qa_auth_interface.c b/plugin/auth_examples/qa_auth_interface.c
@@ -250,5 +250,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
  NULL,
  NULL,
  NULL,
- test_plugin_client
+ test_plugin_client,
+ NULL
 mysql_end_client_plugin;
diff --git a/plugin/auth_examples/test_plugin.c b/plugin/auth_examples/test_plugin.c
@@ -230,5 +230,6 @@ mysql_declare_client_plugin(AUTHENTICATION)
  NULL,
  NULL,
  NULL,
- test_plugin_client
+ test_plugin_client,
+ NULL
 mysql_end_client_plugin;