MDEV-31855 validate ssl certificates using client password

if the client enabled --ssl-verify-server-cert, then
the server certificate is verified as follows:

* if --ssl-ca or --ssl-capath were specified, the cert must have
  a proper signature by the specified CA (or CA in the path)
  and the cert's hostname must match the server's hostname.
  If the cert isn't signed or a hostname is wrong - the
  connection is aborted.

* if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches,
  the connection is allowed, if it doesn't match - aborted.

* If the connection uses unix socket or named pipes - it's allowed.
  (consistent with server's --require-secure-transport behavior)

otherwise the cert is still in doubt, we don't know if we can trust
it or there's an active MitM in progress.

* If the user has provided no password or the server requested an
  authentication plugin that sends the password in cleartext -
  the connection is aborted.

* Perform the authentication. If the server accepts the password,
  it'll send SHA2(scramble || password hash || cert fingerprint)
  with the OK packet.

* Verify the SHA2 digest, if it matches - the connection is allowed,
  otherwise it's aborted.

mysql-test/main/ssl_autoverify.result

@@ -0,0 +1,47 @@
+install soname 'auth_ed25519';
+install plugin three_attempts soname 'dialog_examples';
+create user native@'%' identified via mysql_native_password using password('foo');
+create user ed@'%' identified via ed25519 using password('bar');
+create user nohash@'%' identified via three_attempts using 'onetwothree';
+create user multi@'%' identified via mysql_native_password using password('pw1')
+or ed25519 using password('pw2');
+grant all privileges on test.* to native@'%';
+grant all privileges on test.* to ed@'%';
+grant all privileges on test.* to nohash@'%';
+grant all privileges on test.* to multi@'%';
+create function have_ssl() returns char(3)
+return (select if(variable_value > '','yes','no') as 'have_ssl'
+  from information_schema.session_status
+where variable_name='ssl_cipher');
+# mysql -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+# mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
+# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+# mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+# mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+# mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+# mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()"
+ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
+# mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+# mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+drop function have_ssl;
+drop user native@'%';
+drop user ed@'%';
+drop user nohash@'%';
+drop user multi@'%';
+uninstall plugin ed25519;
+uninstall plugin three_attempts;