[MDEV-31855] validate ssl certificates using client password (original) (raw)

This needs a change in the client auth plugin API

• client authentication plugins to get a new method hash_password(), the same as in the server plugin

The new authentication will work like this

Client side, when sending client reply packet:

• If SSL is used, and --ssl-verify-server-cert is in force, but
• no --ssl-ca or --ssl-fingerprint is in force, and
• the certificate failed validation as self-signed, and
• client authentication plugin doesn't have hash_password() method, and
• the non-empty password was provided, then
• disconnect, otherwise
• continue (let's call it late certificate validation mode)

Server side, when sending the OK packet after successful authentication:

• if SSL is used, and
• the certificate is ephemeral (after MDEV-31856), and
• the account has non-empty password, then
• calculate SHA2(user's hashed password, scramble, certificate fingerprint), and
• put it in the OK's info field, prefixed by byte 0x01

Client side, when receiving OK packet:

• if in the late certificate validation mode, then
• use hash_password() callback, calculate SHA2(user's hashed password, scramble, certificate fingerprint), compare

Notes

• client plugin versions and the API version have to be incremented
• the server doesn't know if the client is in the late password validation mode, so it might do some unnecessary work just in case
  • this could be fixed by a new capability bit, or
  • just live with potential unnecessary work on connect — it is assumed that in overwhelming majority of the cases this work will be necessary (almost all setups will use this mode)