WL#5602 Enable partial YaSSL support

Due to lack of functioanlity in YaSSL the RSA pub/priv key authentication
can't be supported.

Author: Kristofer Pettersson

mysql-test/r/plugin_auth_sha256_server_default_tls.result

@@ -0,0 +1,63 @@
+CREATE USER 'kristofer';
+SET PASSWORD FOR 'kristofer'=PASSWORD('secret');
+SELECT user, plugin FROM mysql.user;
+user	plugin
+root	
+root	
+root	
+root	
+kristofer	sha256_password
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer@localhost	kristofer@%
+DROP USER 'kristofer';
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED WITH 'sha256_password';
+GRANT ALL ON *.* TO 'kristofer2'@'localhost' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('secret2');
+SET PASSWORD FOR 'kristofer2'@'localhost'=PASSWORD('secret2');
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer@localhost	kristofer@localhost
+SHOW GRANTS FOR 'kristofer'@'localhost';
+Grants for kristofer@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY PASSWORD '<non-deterministic-password-hash>'
+Change user (should succeed)
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer2@localhost	kristofer2@localhost
+**** Client default_auth=sha_256_password and server default auth=sha256_password
+#### Test is disabled because it requires RSA-keys and this only works 
+#### with OpenSSL. The reason is that the current client library
+#### framework can't know if SSL was attempted or not when the default
+#### client auth is switched and hence it will only report that the 
+#### connection is unencrypted.
+**** Client default_auth=native and server default auth=sha256_password
+user()	current_user()
+kristofer@localhost	kristofer@localhost
+DROP USER 'kristofer'@'localhost';
+DROP USER 'kristofer2'@'localhost';
+GRANT ALL ON *.* TO 'kristofer'@'localhost';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('');
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer@localhost	kristofer@localhost
+SHOW GRANTS FOR 'kristofer'@'localhost';
+Grants for kristofer@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY PASSWORD '<non-deterministic-password-hash>'
+DROP USER 'kristofer'@'localhost';
+GRANT ALL ON *.* TO 'kristofer'@'33.33.33.33';
+SET PASSWORD FOR 'kristofer'@'33.33.33.33'=PASSWORD('');
+Connection should fail for localhost
+ERROR 28000: Access denied for user 'kristofer'@'localhost' (using password: NO)
+DROP USER 'kristofer'@'33.33.33.33';
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY 'awesomeness';
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer@localhost	kristofer@localhost
+SHOW GRANTS FOR 'kristofer'@'localhost';
+Grants for kristofer@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY PASSWORD '<non-deterministic-password-hash>'
+SET @@OLD_PASSWORDS= 0;
+SET PASSWORD FOR 'kristofer'@'localhost'= PASSWORD('error');
+ERROR HY000: The password hash doesn't have the expected format. Check if the correct password algorithm is being used with the PASSWORD() function.
+DROP USER 'kristofer'@'localhost';

mysql-test/r/plugin_auth_sha256_tls.result

@@ -0,0 +1,32 @@
+SHOW STATUS LIKE 'Ssl_cipher';
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password';
+SET GLOBAL old_passwords= 2;
+SET SESSION old_passwords= 2;
+SET PASSWORD FOR 'kristofer'=PASSWORD('secret');
+DROP USER 'kristofer';
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('secret2');
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer@localhost	kristofer@localhost
+SHOW GRANTS FOR 'kristofer'@'localhost';
+Grants for kristofer@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY PASSWORD '<non-deterministic-password-hash>'
+DROP USER 'kristofer'@'localhost';
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('');
+SELECT USER(),CURRENT_USER();
+USER()	CURRENT_USER()
+kristofer@localhost	kristofer@localhost
+SHOW GRANTS FOR 'kristofer'@'localhost';
+Grants for kristofer@localhost
+GRANT ALL PRIVILEGES ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY PASSWORD '<non-deterministic-password-hash>'
+DROP USER 'kristofer'@'localhost';
+GRANT ALL ON *.* TO 'kristofer'@'33.33.33.33' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'33.33.33.33'=PASSWORD('');
+Connection should fail for localhost
+ERROR 28000: Access denied for user 'kristofer'@'localhost' (using password: NO)
+DROP USER 'kristofer'@'33.33.33.33';
+SET GLOBAL old_passwords= default;

mysql-test/t/plugin_auth_sha256_server_default_tls-master.opt

@@ -0,0 +1 @@
+--default_authentication_plugin=sha256_password

mysql-test/t/plugin_auth_sha256_server_default_tls.test

@@ -0,0 +1,78 @@
+--source include/not_embedded.inc
+--source include/have_ssl.inc
+
+CREATE USER 'kristofer';
+SET PASSWORD FOR 'kristofer'=PASSWORD('secret');
+SELECT user, plugin FROM mysql.user;
+connect(con1,localhost,kristofer,secret,,,,SSL);
+connection con1;
+SELECT USER(),CURRENT_USER();
+connection default;
+disconnect con1;
+DROP USER 'kristofer';
+
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED WITH 'sha256_password';
+GRANT ALL ON *.* TO 'kristofer2'@'localhost' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('secret2');
+SET PASSWORD FOR 'kristofer2'@'localhost'=PASSWORD('secret2');
+connect(con2,localhost,kristofer,secret2,,,,SSL);
+connection con2;
+SELECT USER(),CURRENT_USER();
+--replace_regex /PASSWORD .*$/PASSWORD '<non-deterministic-password-hash>'/
+SHOW GRANTS FOR 'kristofer'@'localhost';
+
+--echo Change user (should succeed)
+change_user kristofer2,secret2;
+SELECT USER(),CURRENT_USER();
+
+connection default;
+disconnect con2;
+--echo **** Client default_auth=sha_256_password and server default auth=sha256_password
+--echo #### Test is disabled because it requires RSA-keys and this only works 
+--echo #### with OpenSSL. The reason is that the current client library
+--echo #### framework can't know if SSL was attempted or not when the default
+--echo #### client auth is switched and hence it will only report that the 
+--echo #### connection is unencrypted.
+# --exec xterm -e gdb --args $MYSQL -ukristofer -psecret2 --default_auth=sha256_password --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "select user(), current_user()"
+--echo **** Client default_auth=native and server default auth=sha256_password
+--exec $MYSQL -ukristofer -psecret2 --default_auth=mysql_native_password --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "select user(), current_user()"
+
+DROP USER 'kristofer'@'localhost';
+DROP USER 'kristofer2'@'localhost';
+
+GRANT ALL ON *.* TO 'kristofer'@'localhost';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('');
+connect(con3,localhost,kristofer,,,,,SSL);
+connection con3;
+SELECT USER(),CURRENT_USER();
+--replace_regex /PASSWORD .*$/PASSWORD '<non-deterministic-password-hash>'/
+SHOW GRANTS FOR 'kristofer'@'localhost';
+connection default;
+disconnect con3;
+DROP USER 'kristofer'@'localhost';
+
+GRANT ALL ON *.* TO 'kristofer'@'33.33.33.33';
+SET PASSWORD FOR 'kristofer'@'33.33.33.33'=PASSWORD('');
+--echo Connection should fail for localhost
+--replace_result $MASTER_MYSOCK MASTER_MYSOCK
+--disable_query_log
+--error ER_ACCESS_DENIED_ERROR
+connect(con4,127.0.0.1,kristofer,,,,,SSL);
+--enable_query_log
+DROP USER 'kristofer'@'33.33.33.33';
+
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED BY 'awesomeness';
+connect(con3,localhost,kristofer,awesomeness,,,,SSL);
+connection con3;
+SELECT USER(),CURRENT_USER();
+--replace_regex /PASSWORD .*$/PASSWORD '<non-deterministic-password-hash>'/
+SHOW GRANTS FOR 'kristofer'@'localhost';
+connection default;
+disconnect con3;
+# Setting password for kristofer@localhost using old_passwords=0 will fail.
+SET @@OLD_PASSWORDS= 0;
+--error ER_PASSWORD_FORMAT
+SET PASSWORD FOR 'kristofer'@'localhost'= PASSWORD('error');
+DROP USER 'kristofer'@'localhost';
+
+

mysql-test/t/plugin_auth_sha256_tls.test

@@ -0,0 +1,51 @@
+--source include/not_embedded.inc
+--source include/have_ssl.inc
+
+connect (ssl_con,localhost,root,,,,,SSL);
+SHOW STATUS LIKE 'Ssl_cipher';
+
+CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password';
+SET GLOBAL old_passwords= 2;
+SET SESSION old_passwords= 2;
+SET PASSWORD FOR 'kristofer'=PASSWORD('secret');
+connect(con1,localhost,kristofer,secret,,,,SSL);
+connection con1;
+connection ssl_con;
+disconnect con1;
+DROP USER 'kristofer';
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('secret2');
+connect(con2,localhost,kristofer,secret2,,,,SSL);
+connection con2;
+SELECT USER(),CURRENT_USER();
+--replace_regex /PASSWORD .*$/PASSWORD '<non-deterministic-password-hash>'/
+SHOW GRANTS FOR 'kristofer'@'localhost';
+connection ssl_con;
+disconnect con2;
+DROP USER 'kristofer'@'localhost';
+GRANT ALL ON *.* TO 'kristofer'@'localhost' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'localhost'=PASSWORD('');
+connect(con3,localhost,kristofer,,,,,SSL);
+connection con3;
+SELECT USER(),CURRENT_USER();
+--replace_regex /PASSWORD .*$/PASSWORD '<non-deterministic-password-hash>'/
+SHOW GRANTS FOR 'kristofer'@'localhost';
+connection ssl_con;
+disconnect con3;
+DROP USER 'kristofer'@'localhost';
+
+GRANT ALL ON *.* TO 'kristofer'@'33.33.33.33' IDENTIFIED WITH 'sha256_password';
+SET PASSWORD FOR 'kristofer'@'33.33.33.33'=PASSWORD('');
+--echo Connection should fail for localhost
+--replace_result $MASTER_MYSOCK MASTER_MYSOCK
+--disable_query_log
+--error ER_ACCESS_DENIED_ERROR
+connect(con4,127.0.0.1,kristofer,,,,,SSL);
+--enable_query_log
+DROP USER 'kristofer'@'33.33.33.33';
+# Restore default value to old_passwords
+SET GLOBAL old_passwords= default;
+connection default;
+disconnect ssl_con;
+
+

sql-common/client.c

@@ -2242,7 +2242,7 @@ static auth_plugin_t clear_password_client_plugin=
   clear_password_auth_client
 };
 
-#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) 
+#if defined(HAVE_OPENSSL)
 static auth_plugin_t sha256_password_client_plugin=
 {
   MYSQL_CLIENT_AUTHENTICATION_PLUGIN,
@@ -2268,7 +2268,7 @@ struct st_mysql_client_plugin *mysql_client_builtins[]=
   (struct st_mysql_client_plugin *)&native_password_client_plugin,
   (struct st_mysql_client_plugin *)&old_password_client_plugin,
   (struct st_mysql_client_plugin *)&clear_password_client_plugin,
-#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) 
+#if defined(HAVE_OPENSSL)
   (struct st_mysql_client_plugin *) &sha256_password_client_plugin,
 #endif
 #ifdef AUTHENTICATION_WIN

sql-common/client_authentication.cc

@@ -1,4 +1,4 @@
-#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)
+#if defined(HAVE_OPENSSL)
 #include "crypt_genhash_impl.h"
 #include "mysql/client_authentication.h"
 #include "m_ctype.h"
@@ -8,30 +8,40 @@
 
 #include <string.h>
 #include <stdarg.h>
+#if !defined(HAVE_YASSL)
 #include <openssl/rsa.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #if defined(_WIN32) && !defined(_OPENSSL_Applink)
 #include <openssl/applink.c>
 #endif
+#endif
 #include "mysql/service_my_plugin_log.h"
 
 #define MAX_CIPHER_LENGTH 1024
+
+#if !defined(HAVE_YASSL)
 mysql_mutex_t g_public_key_mutex;
+#endif
 
 int sha256_password_init(char *a, size_t b, int c, va_list d)
 {
+#if !defined(HAVE_YASSL)
   mysql_mutex_init(0,&g_public_key_mutex, MY_MUTEX_INIT_SLOW);
+#endif
   return 0;
 }
 
 int sha256_password_deinit(void)
 {
+#if !defined(HAVE_YASSL)
   mysql_mutex_destroy(&g_public_key_mutex);
+#endif
   return 0;
 }
 
 
+#if !defined(HAVE_YASSL)
 /**
   Reads and parse RSA public key data from a file.
 
@@ -90,7 +100,7 @@ RSA *rsa_init(MYSQL *mysql)
 
   return key;
 }
-
+#endif // !defined(HAVE_YASSL)
 
 /**
   Authenticate the client using the RSA or TLS and a SHA256 salted password.
@@ -106,14 +116,17 @@ RSA *rsa_init(MYSQL *mysql)
 extern "C"
 int sha256_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
 {
+  bool uses_password= mysql->passwd[0] != 0;
+#if !defined(HAVE_YASSL)
   unsigned char encrypted_password[MAX_CIPHER_LENGTH];
   static char request_public_key= '\1';
-  bool uses_password= mysql->passwd[0] != 0;
   RSA *public_key= NULL;
+  bool got_public_key_from_server= false;
+#endif
   bool connection_is_secure= false;
   unsigned char scramble_pkt[20];
   unsigned char *pkt;
-  bool got_public_key_from_server= false;
+
 
   DBUG_ENTER("sha256_password_auth_client");
 
@@ -137,7 +150,11 @@ int sha256_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
 
   /* If connection isn't secure attempt to get the RSA public key file */
   if (!connection_is_secure)
+  {
+ #if !defined(HAVE_YASSL)
     public_key= rsa_init(mysql);
+#endif
+  }
 
   if (!uses_password)
   {
@@ -152,6 +169,7 @@ int sha256_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
     unsigned int passwd_len= strlen(mysql->passwd) + 1;
     if (!connection_is_secure)
     {
+#if !defined(HAVE_YASSL)
       /*
         If no public key; request one from the server.
       */
@@ -195,6 +213,9 @@ int sha256_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
 
       if (vio->write_packet(vio, (uchar*) encrypted_password, cipher_length))
         DBUG_RETURN(CR_ERROR);
+#else
+      DBUG_RETURN(CR_ERROR); // If no yassl support
+#endif
     }
     else
     {

sql/item_strfunc.cc

@@ -1942,7 +1942,7 @@ static int calculate_password(String *str, char *buffer)
   if (thd)
     old_passwords= thd->variables.old_passwords;
 
-#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)
+#if defined(HAVE_OPENSSL)
   if (old_passwords == 2)
   {
     my_make_scrambled_password(buffer, str->ptr(),
@@ -2023,7 +2023,7 @@ char *Item_func_password::
     buff= (char *) thd->alloc(SCRAMBLED_PASSWORD_CHAR_LENGTH + 1);
     my_make_scrambled_password_sha1(buff, password, pass_len);
   }
-#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)
+#if defined(HAVE_OPENSSL)
   else
   {
     /* Allocate memory for the password scramble and one extra byte for \0 */

sql/password.c

@@ -399,7 +399,7 @@ my_crypt(char *to, const uchar *s1, const uchar *s2, uint len)
     *to++= *s1++ ^ *s2++;
 }
 
-#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)
+#if defined(HAVE_OPENSSL)
 void my_make_scrambled_password(char *to, const char *password,
                                 size_t pass_len)
 {