* extend the client auth plugin API with a new callback
* relax the plugin version check to allow load a plugin with the
same major version, even if the minor versions differ
* implement the protocol extension:
- don't abort at once if the certificate is self signed and
no CA was explicitly specified
- allow it if it passes fingerprint check
- allow it if plugin has hash_password_bin callback, password was
non-empty and the control hash matches server's
CryptOpenAlgorithmProvider() documentation states:
"We recommend that you cache any algorithm provider handles that you will
use more than once, rather than opening and closing the algorithm providers
over and over."
This patch implements algorithm handle caching,
and also simplifies how hashes are handled in win_crypt.c
- MA_HASH_CTX* is now just BCrypt hash handle.
- We no longer allocate or free memory any memory outselves.
There are small change in the ma_hash API:
ma_hash_new() lost the second parameter, only used on Windows previously
Apply HAVE_WINCRYPT as the defination for using the wincrypt/bcrypt
APIs for the authentication plugins caching_sha256_password,
ed25519 and sha256_password in the same way as the HAVE_OPENSSL and
HAVE_GNUTLS are applied.
Various coverity scan fixes, including CONC-452 and CONC-453.
Special thanks to Lukas Javorsky for fixing numerous covscan
issues (This patch includes part of his pull request #126).
Coverity scan build was using the following cmake parameters:
-WITH_EXTERNAL_ZLIB=ON -DWITH_UNIT_TESTS=OFF.
CWE-416 (use after free) in dtoa.c (from netlib) is still open.
By default Windows builds now use the native system crypto libraries used
by ed25519, caching_sha2_password and sha256_password authentication plugins.
Even if configuration option WITH_SSL=OFF was specified (or no TLS library was found) authentication plugins using crypto will be available.
