MDEV-31855 SSL cert validation protocol extension

* extend the client auth plugin API with a new callback * relax the plugin version check to allow load a plugin with the same major version, even if the minor versions differ * implement the protocol extension: - don't abort at once if the certificate is self signed and no CA was explicitly specified - allow it if it passes fingerprint check - allow it if plugin has hash_password_bin callback, password was non-empty and the control hash matches server's
2025-08-08 14:02:17 +03:00 · 2023-08-20 14:41:03 +02:00
parent 50f65db279
commit a99570c118
18 changed files with 144 additions and 26 deletions
--- a/include/mysql/client_plugin.h
+++ b/include/mysql/client_plugin.h
@@ -43,7 +43,7 @@
 #define MYSQL_CLIENT_PLUGIN_RESERVED2        1
 #define MYSQL_CLIENT_AUTHENTICATION_PLUGIN   2 /* authentication   */

-#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION  0x0100
+#define MYSQL_CLIENT_AUTHENTICATION_PLUGIN_INTERFACE_VERSION  0x0101
 #define MYSQL_CLIENT_MAX_PLUGINS             3

 /* Connector/C specific plugin types */
@@ -128,6 +128,7 @@ struct st_mysql_client_plugin_AUTHENTICATION
 {
  MYSQL_CLIENT_PLUGIN_HEADER
  int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, struct st_mysql *mysql);
+  int (*hash_password_bin)(struct st_mysql *mysql, unsigned char *hash, size_t *hash_length);
 };

 /******** trace plugin *******/