This reverts 395641549ac7..536d9e2b9e5b, in particular:
8dffd56936 MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default
a99570c118 MDEV-31855 SSL cert validation protocol extension
9aa15e72a7 TLS fingerprint
and related commits
because the default value of every option is 0
(option and option.extension are bzero-ed to reset),
tls_verify_server_cert was renamed to tls_allow_invalid_server_cert
with the default value of 0, "do not allow".
API didn't change, it's still MYSQL_OPT_SSL_VERIFY_SERVER_CERT
* extend the client auth plugin API with a new callback
* relax the plugin version check to allow loading a plugin with the
same major version, even if the minor versions differ
* implement the protocol extension:
- don't abort at once if the certificate is self signed and
no CA was explicitly specified
- allow it if it passes fingerprint check
- allow it if plugin has hash_password_bin callback, password was
non-empty and the control hash matches server's
Since the server certification option is used by client
only, there is no need to have this flag in server and or
client capabilities. The server itself validates client
certificate depending on the user definition.
This feature allows client applications to register a callback function,
which is called as soon as the server status changes or session_track
information was sent by the server.
Registration is handled via mysql_optionsv() API function:
mysql_optionsv(mysql, MARIADB_OPT_STATUS_CALLBACK, function, data)
The callback function must be defined as follows:
void status_callback(void *data, enum enum_mariadb_status_info type, ..)
Parameters:
- data Pointer passed with registration of callback function
(usually a connection handle)
- type Information type STATUS_TYPE or SESSION_TRACK_TYPE
Variadic Parameters:
if (type == STATUS_TYPE):
- server status (unsigned int)
if (type == SESSION_TRACK_TYPE)
- enum enum_session_state_type track_type - session track type
if (track_type == SESSION_TRACK_SYSTEM_VARIABLES)
- MARIADB_CONST_STRING *key
- MARIADB_CONST_STRING *value
else
- MARIADB_CONST_STRING *value
An example can be found in connection.c (test_status_callback)
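The following is an added example, not the test_status_callback from connection.c and not connector code: a status_callback with the signature described above, plus a small local dispatcher that invokes it the way the message describes. The enum, struct and enumerator values are stand-ins that only mirror the names given above so the file builds without libmariadb headers; with the real library you would include <mysql.h> instead and register the function with mysql_optionsv(mysql, MARIADB_OPT_STATUS_CALLBACK, status_callback, &app). The app_state struct, the emit_* helpers and run_demo are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the libmariadb declarations named in the changelog. With the
 * real library, include <mysql.h> and drop this section; the enumerator
 * values here are this example's own, not the library's. */
enum enum_mariadb_status_info { STATUS_TYPE = 1, SESSION_TRACK_TYPE = 2 };
enum enum_session_state_type {
    SESSION_TRACK_SYSTEM_VARIABLES = 0,
    SESSION_TRACK_SCHEMA = 1,
    SESSION_TRACK_STATE_CHANGE = 2,
    SESSION_TRACK_TRANSACTION_CHARACTERISTICS = 3
};
typedef struct { const char *str; size_t length; } MARIADB_CONST_STRING;

/* Application state passed as `data` at registration (constructed). */
struct app_state {
    unsigned int last_server_status;
    char current_schema[64];
    char last_var_name[64];
    char last_var_value[64];
    int events;
};

static void copy_cs(char *dst, size_t cap, const MARIADB_CONST_STRING *s)
{
    size_t n = s->length < cap - 1 ? s->length : cap - 1;
    memcpy(dst, s->str, n);
    dst[n] = '\0';
}

/* The callback, with the signature from the changelog. The variadic
 * arguments must be read in exactly the order and with exactly the types
 * listed there; reading the wrong type from va_arg is undefined behaviour.
 * Enums arrive promoted to int, so the track type is read as int. */
void status_callback(void *data, enum enum_mariadb_status_info type, ...)
{
    struct app_state *app = data;
    va_list ap;

    va_start(ap, type);
    app->events++;
    if (type == STATUS_TYPE) {
        app->last_server_status = va_arg(ap, unsigned int);
    } else if (type == SESSION_TRACK_TYPE) {
        int track = va_arg(ap, int);            /* enum_session_state_type */
        if (track == SESSION_TRACK_SYSTEM_VARIABLES) {
            MARIADB_CONST_STRING *key = va_arg(ap, MARIADB_CONST_STRING *);
            MARIADB_CONST_STRING *value = va_arg(ap, MARIADB_CONST_STRING *);
            copy_cs(app->last_var_name, sizeof app->last_var_name, key);
            copy_cs(app->last_var_value, sizeof app->last_var_value, value);
        } else {
            MARIADB_CONST_STRING *value = va_arg(ap, MARIADB_CONST_STRING *);
            if (track == SESSION_TRACK_SCHEMA)
                copy_cs(app->current_schema, sizeof app->current_schema, value);
            /* STATE_CHANGE and TRANSACTION_CHARACTERISTICS also carry one
             * value; this example ignores them */
        }
    }
    va_end(ap);
}

/* Constructed stand-ins for the connector invoking the registered callback
 * after parsing a server packet; in the real library this happens inside
 * libmariadb, not in application code. */
static void emit_server_status(void *data, unsigned int status)
{
    status_callback(data, STATUS_TYPE, status);
}
static void emit_session_track(void *data, enum enum_session_state_type t,
                               const char *key, const char *value)
{
    MARIADB_CONST_STRING k = { key, key ? strlen(key) : 0 };
    MARIADB_CONST_STRING v = { value, strlen(value) };
    if (t == SESSION_TRACK_SYSTEM_VARIABLES)
        status_callback(data, SESSION_TRACK_TYPE, t, &k, &v);
    else
        status_callback(data, SESSION_TRACK_TYPE, t, &v);
}

/* Feeds a constructed sequence of notifications through the callback and
 * returns the number of events delivered; the results stay in demo_app. */
struct app_state demo_app;

int run_demo(void)
{
    memset(&demo_app, 0, sizeof demo_app);
    emit_server_status(&demo_app, 0x0002u);   /* constructed status bits */
    emit_session_track(&demo_app, SESSION_TRACK_SCHEMA, NULL, "test");
    emit_session_track(&demo_app, SESSION_TRACK_SYSTEM_VARIABLES,
                       "autocommit", "OFF");
    return demo_app.events;
}

int main(void)
{
    run_demo();
    printf("events=%d status=0x%04x schema=%s %s=%s\n", demo_app.events,
           demo_app.last_server_status, demo_app.current_schema,
           demo_app.last_var_name, demo_app.last_var_value);
    return 0;
}
```

The point of the dispatcher is to show the contract from the caller's side: for SESSION_TRACK_SYSTEM_VARIABLES two MARIADB_CONST_STRING pointers follow the track type, for every other track type exactly one, and the callback must not read past what was passed.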
Added new option MARIADB_OPT_RPL_REGISTER_REPLICA which expects
two parameters, host and port. When this option was set, rpl_open
will send a COM_REGISTER_SLAVE command with server_id, host and
port to the connected server. This information can be retrieved
by "SHOW SLAVE STATUS" command.
Example:
rc= mysql_optionsv(mysql, MARIADB_OPT_RPL_REGISTER_REPLICA,
"myhost", 123);
ZSTD compression is now supported for connections
to a MySQL Server 8.0.
Compression algorithms are supported via compression
plugins, which can be found in plugins/compress.
Added new option MARIADB_OPT_RESTRICTED_AUTH (and corresponding
"restricted-auth" option for configuration files) which specifies
one or more comma-separated authentication plugins which are allowed
for authentication.
If the server asks for an authentication plugin not listed in this
option the connect attempt will fail with error CR_PLUGIN_NOT_ALLOWED.
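As an added example (not connector code), this is the decision the restricted-auth option describes, written as a stand-alone function: the option value is a comma-separated list of allowed client auth plugin names, and a plugin requested by the server is accepted only if it matches one entry exactly. The function names and the EXAMPLE_* result codes are this example's own; the real connector reports CR_PLUGIN_NOT_ALLOWED.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed result codes standing in for the connector's return value and
 * its CR_PLUGIN_NOT_ALLOWED error; the numbers are not libmariadb's. */
enum { EXAMPLE_OK = 0, EXAMPLE_PLUGIN_NOT_ALLOWED = 1 };

/* Returns 1 if `requested` equals one of the comma-separated entries in
 * `allowed` (whitespace around each entry is ignored), 0 otherwise.
 * A NULL or empty list means the option is unset, i.e. no restriction. */
int auth_plugin_allowed(const char *allowed, const char *requested)
{
    const char *p = allowed;
    size_t req_len;

    if (!allowed || !*allowed)
        return 1;
    if (!requested || !*requested)
        return 0;
    req_len = strlen(requested);

    while (*p) {
        const char *end = strchr(p, ',');
        const char *start = p, *stop;
        if (!end)
            end = p + strlen(p);
        while (start < end && (*start == ' ' || *start == '\t'))
            start++;
        stop = end;
        while (stop > start && (stop[-1] == ' ' || stop[-1] == '\t'))
            stop--;
        /* exact, full-length match only: "mysql_native" must not match
         * "mysql_native_password" */
        if ((size_t)(stop - start) == req_len &&
            memcmp(start, requested, req_len) == 0)
            return 1;
        p = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

/* Models the decision made when the server's handshake or auth-switch
 * packet names a plugin: refuse to continue if it is not on the list. */
int check_server_auth_request(const char *restricted_auth,
                              const char *server_plugin)
{
    return auth_plugin_allowed(restricted_auth, server_plugin)
               ? EXAMPLE_OK : EXAMPLE_PLUGIN_NOT_ALLOWED;
}

int main(void)
{
    /* constructed option value, as it might appear as restricted-auth=... */
    const char *list = "mysql_native_password, client_ed25519";
    const char *requests[] = { "mysql_native_password", "client_ed25519",
                               "mysql_clear_password", "dialog" };
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-22s -> %s\n", requests[i],
               check_server_auth_request(list, requests[i]) == EXAMPLE_OK
                   ? "allowed" : "CR_PLUGIN_NOT_ALLOWED");
    return 0;
}
```

The check matters because the server, not the client, picks the plugin in its auth-switch request; a list that names only the plugins the application expects keeps an unexpected server from moving the client to one it did not intend to use, such as mysql_clear_password.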
Added a new option MARIADB_OPT_SKIP_READ_RESPONSE which skips automatic
reading of server response after sending a command to the server.
Server packets have to be retrieved by calling the corresponding methods,
e.g:
Send command                         Read method
mysql_real_query/mysql_send_query    db_read_query_result
mysql_stmt_prepare                   db_read_prepare_response
mysql_stmt_execute,
mariadb_stmt_execute_direct          db_read_execute_response
To allow static linking with GnuTLS hash lookup functions are now
prefixed with ma_hashtbl_. The files hash.c and hash.h were renamed
to ma_hashtbl.c and ma_hashtbl.h
At irregular intervals older Windows versions (prior to Windows 10) fail to establish a secure (TLS)
connection and return errors SEC_E_INVALID_TOKEN, SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED.
This is a bug in the Windows Schannel library and was only fixed in recent versions; OpenSSL also provided
a workaround (see https://github.com/openssl/openssl/pull/1350).
Since we are unable to fix this, we introduced a workaround for this problem. In case of an error
during the TLS handshake we check the error code and try to reconnect up to three times if the error code
was SEC_E_INVALID_TOKEN, SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED.
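The bounded retry loop described above, as an added example that is not the connector's Schannel code. The three SEC_E_* values are the Windows SSPI status codes from the SDK, defined locally (with an EX_ prefix) so the file builds on any platform; the handshake callback type, the scripted fake handshake and the SCRIPT_* sequences are this example's own construction.

```c
#include <stdio.h>

/* SSPI status codes from the Windows SDK, defined locally so this example
 * builds anywhere (EX_ prefix to avoid clashing with <sspi.h>). */
#define EX_SEC_E_OK               0x00000000UL
#define EX_SEC_E_INVALID_TOKEN    0x80090308UL
#define EX_SEC_E_MESSAGE_ALTERED  0x8009030FUL
#define EX_SEC_E_BUFFER_TOO_SMALL 0x80090321UL
#define EX_SEC_E_UNTRUSTED_ROOT   0x80090325UL  /* a non-transient failure */

#define MAX_HANDSHAKE_RETRIES 3

/* A handshake attempt returns an SSPI-style status; `ctx` is opaque state
 * handed through by the caller (hypothetical). */
typedef unsigned long (*handshake_fn)(void *ctx);

/* Only the three transient Schannel failures named in the changelog are
 * retried. Any other error, a certificate problem in particular, is
 * reported at once so the retry never masks a validation failure. */
int is_transient_schannel_error(unsigned long status)
{
    return status == EX_SEC_E_INVALID_TOKEN ||
           status == EX_SEC_E_BUFFER_TOO_SMALL ||
           status == EX_SEC_E_MESSAGE_ALTERED;
}

/* Runs the handshake, reconnecting up to MAX_HANDSHAKE_RETRIES times on a
 * transient error (one initial try plus three retries). Returns the final
 * status; *attempts receives the number of handshakes performed. */
unsigned long tls_handshake_with_retry(handshake_fn handshake, void *ctx,
                                       int *attempts)
{
    unsigned long status;
    int n = 0;

    for (;;) {
        status = handshake(ctx);
        n++;
        if (status == EX_SEC_E_OK || !is_transient_schannel_error(status))
            break;
        if (n > MAX_HANDSHAKE_RETRIES)
            break;
    }
    if (attempts)
        *attempts = n;
    return status;
}

/* Scripted fake handshake (constructed): returns the next code in the
 * script, then EX_SEC_E_OK once the script is exhausted. */
struct scripted { const unsigned long *codes; int len; int pos; };

static unsigned long scripted_handshake(void *ctx)
{
    struct scripted *s = ctx;
    if (s->pos >= s->len)
        return EX_SEC_E_OK;
    return s->codes[s->pos++];
}

unsigned long run_scripted(const unsigned long *codes, int len, int *attempts)
{
    struct scripted s = { codes, len, 0 };
    return tls_handshake_with_retry(scripted_handshake, &s, attempts);
}

int run_scripted_attempts(const unsigned long *codes, int len)
{
    int attempts = 0;
    run_scripted(codes, len, &attempts);
    return attempts;
}

/* Constructed scripts: two transient failures then success; five transient
 * failures in a row; one certificate failure. */
const unsigned long SCRIPT_FLAKY[] = { EX_SEC_E_INVALID_TOKEN, EX_SEC_E_MESSAGE_ALTERED };
const unsigned long SCRIPT_DEAD[] = { EX_SEC_E_INVALID_TOKEN, EX_SEC_E_INVALID_TOKEN,
                                      EX_SEC_E_INVALID_TOKEN, EX_SEC_E_INVALID_TOKEN,
                                      EX_SEC_E_INVALID_TOKEN };
const unsigned long SCRIPT_BAD_CERT[] = { EX_SEC_E_UNTRUSTED_ROOT };
#define SCRIPT_LEN(a) ((int)(sizeof (a) / sizeof (a)[0]))

int main(void)
{
    int attempts;
    unsigned long st;

    st = run_scripted(SCRIPT_FLAKY, SCRIPT_LEN(SCRIPT_FLAKY), &attempts);
    printf("flaky:    status 0x%08lx after %d attempts\n", st, attempts);
    st = run_scripted(SCRIPT_DEAD, SCRIPT_LEN(SCRIPT_DEAD), &attempts);
    printf("dead:     status 0x%08lx after %d attempts\n", st, attempts);
    st = run_scripted(SCRIPT_BAD_CERT, SCRIPT_LEN(SCRIPT_BAD_CERT), &attempts);
    printf("bad cert: status 0x%08lx after %d attempts\n", st, attempts);
    return 0;
}
```

The allowlist of retryable codes is the part worth keeping narrow: retrying on every handshake failure would turn a certificate or hostname mismatch into four attempts and a misleading error, whereas the three codes above are the ones the changelog identifies as a transient Schannel defect.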
It's an internal state variable; it should be in st_mariadb_extension.
In particular, treating it like an option, caused mysql->options
to be allocated in mysql_init(), which caused failed reconnects
to leak memory:
Direct leak of 10824 byte(s) in 33 object(s) allocated from:
#0 0x7f00db5ba79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x55eb1b1d545e in mysql_init /home/buildbot/mariadb-10.2-build24320/libmariadb/libmariadb/mariadb_lib.c:1021
#2 0x55eb1b1e342e in mariadb_reconnect /home/buildbot/mariadb-10.2-build24320/libmariadb/libmariadb/mariadb_lib.c:1621
...
Disable LOAD DATA LOCAL INFILE support by default and
auto-enable it for the duration of one query, if the query
string starts with the word "load". In all other cases the application
should enable LOAD DATA LOCAL INFILE support explicitly.
(Based on Sergei Golubchik's 5.5 server patch)
- At the moment the following session tracking types are supported:
SESSION_TRACK_SCHEMA
SESSION_TRACK_SYSTEM_VARIABLES
SESSION_TRACK_STATE_CHANGE
SESSION_TRACK_TRANSACTION_CHARACTERISTICS
- New API functions
mysql_session_track_get_next
mysql_session_track_get_first
- changed plugin API to avoid crashes: Oracle/MariaDB changed
structure several times without updating interface version.
- ABI fixes: moved additional net items to net->extension (connection
handler and com_multi buffer)
report an error if client requires SSL but server doesn't support SSL
(MTM attack)
new options MARIADB_OPT_SSL_FP for fingerprint of server certificate and
MARIADB_OPT_SSL_FP_LIST for whitelist of fingerprints.
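As an added example (not the connector's own fingerprint code), this is the kind of check a fingerprint whitelist option such as MARIADB_OPT_SSL_FP_LIST implies: the peer certificate's fingerprint, taken here as a hex digest string since the changelog does not state which hash the connector uses, is compared against each comma-separated entry after normalising case and separators, using a constant-time comparison. All function names and the sample fingerprints are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FP_MAX_HEX 128   /* room for a SHA-512 hex digest plus NUL */

/* Normalise a fingerprint: drop ':' and whitespace, lowercase the hex
 * digits. Returns the normalised length, or -1 on a non-hex character or
 * on overflow of `out`. */
int normalize_fingerprint(const char *in, size_t in_len, char *out, size_t cap)
{
    size_t i, n = 0;
    for (i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == ':' || c == ' ' || c == '\t')
            continue;
        if (!isxdigit(c) || n + 1 >= cap)
            return -1;
        out[n++] = (char)tolower(c);
    }
    out[n] = '\0';
    return (int)n;
}

/* Constant-time equality of two buffers of the same length. */
int ct_equal(const char *a, const char *b, size_t len)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if `peer_fp` matches one entry of the comma-separated
 * `allowed_list`, 0 otherwise (an empty list allows nothing). */
int fingerprint_allowed(const char *allowed_list, const char *peer_fp)
{
    char peer[FP_MAX_HEX], entry[FP_MAX_HEX];
    int peer_len, entry_len;
    const char *p = allowed_list;

    if (!allowed_list || !peer_fp)
        return 0;
    peer_len = normalize_fingerprint(peer_fp, strlen(peer_fp), peer, sizeof peer);
    if (peer_len <= 0)
        return 0;

    while (*p) {
        const char *end = strchr(p, ',');
        if (!end)
            end = p + strlen(p);
        entry_len = normalize_fingerprint(p, (size_t)(end - p), entry, sizeof entry);
        /* only a full-length match counts: a prefix never matches and a
         * malformed entry is skipped rather than treated as a wildcard */
        if (entry_len == peer_len && ct_equal(entry, peer, (size_t)peer_len))
            return 1;
        p = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

int main(void)
{
    /* constructed sample values, not real certificate fingerprints */
    const char *list = "DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF, "
                       "0123456789abcdef0123456789abcdef01234567";
    const char *peers[] = {
        "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
        "0123456789abcdef0123456789abcdef01234568",
        "0123456789abcdef0123456789abcdef0123"
    };
    size_t i;

    for (i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%s -> %s\n", peers[i],
               fingerprint_allowed(list, peers[i]) ? "allowed" : "rejected");
    return 0;
}
```

Two details carry the weight: entries are compared only at full length, so a truncated or partial fingerprint in the list can never match, and the comparison itself does not short-circuit on the first differing byte.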