MDEV-25641 max_password_errors not working with ed25519 auth plugin

report correct error codes in ed25519. Invalid value stored in the user table or an OpenSSL error is CR_ERROR. When a user provided incorrect password when logging in - it's CR_AUTH_USER_CREDENTIALS.
MariaDB · May 22, 2021 · 6bf866c · 6bf866c
1 parent 681918a
commit 6bf866c
Show file tree

Hide file tree

Showing 3 changed files with 176 additions and 4 deletions.
diff --git a/mysql-test/suite/perfschema/r/hostcache_ipv4_auth_ed25519.result b/mysql-test/suite/perfschema/r/hostcache_ipv4_auth_ed25519.result
@@ -0,0 +1,119 @@
+install soname 'auth_ed25519';
+flush status;
+flush hosts;
+flush user_resources;
+flush privileges;
+select `User`, `Host` from mysql.`user` where `host` like '%\\%%';
+User	Host
+select `User`, `Host` from mysql.`user` where `user` like '192.%';
+User	Host
+select `User`, `Host` from mysql.`user` where `user` like '2001:%';
+User	Host
+select `User`, `Host` from mysql.`user` where `user` like 'santa.claus.%';
+User	Host
+create user plug1@'santa.claus.ipv4.example.com'
+  identified with ed25519 as 'foo';
+create user plug2@'santa.claus.ipv4.example.com'
+  identified with ED25519 as 'vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI';
+set @saved_dbug = @@global.debug_dbug;
+set global debug_dbug= "+d,vio_peer_addr_fake_ipv4,getnameinfo_fake_ipv4,getaddrinfo_fake_good_ipv4";
+connect(127.0.0.1,plug1,foo,test,PORT,SOCKET);
+connect con1, 127.0.0.1, plug1,foo,,$MASTER_MYPORT;
+ERROR 28000: Access denied for user 'plug1'@'santa.claus.ipv4.example.com' (using password: NO)
+"Dumping performance_schema.host_cache"
+IP	192.0.2.4
+HOST	santa.claus.ipv4.example.com
+HOST_VALIDATED	YES
+SUM_CONNECT_ERRORS	0
+COUNT_HOST_BLOCKED_ERRORS	0
+COUNT_NAMEINFO_TRANSIENT_ERRORS	0
+COUNT_NAMEINFO_PERMANENT_ERRORS	0
+COUNT_FORMAT_ERRORS	0
+COUNT_ADDRINFO_TRANSIENT_ERRORS	0
+COUNT_ADDRINFO_PERMANENT_ERRORS	0
+COUNT_FCRDNS_ERRORS	0
+COUNT_HOST_ACL_ERRORS	0
+COUNT_NO_AUTH_PLUGIN_ERRORS	0
+COUNT_AUTH_PLUGIN_ERRORS	1
+COUNT_HANDSHAKE_ERRORS	0
+COUNT_PROXY_USER_ERRORS	0
+COUNT_PROXY_USER_ACL_ERRORS	0
+COUNT_AUTHENTICATION_ERRORS	0
+COUNT_SSL_ERRORS	0
+COUNT_MAX_USER_CONNECTIONS_ERRORS	0
+COUNT_MAX_USER_CONNECTIONS_PER_HOUR_ERRORS	0
+COUNT_DEFAULT_DATABASE_ERRORS	0
+COUNT_INIT_CONNECT_ERRORS	0
+COUNT_LOCAL_ERRORS	0
+COUNT_UNKNOWN_ERRORS	0
+FIRST_ERROR_SEEN	set
+LAST_ERROR_SEEN	set
+connect(127.0.0.1,plug2,bar,test,PORT,SOCKET);
+connect con1, 127.0.0.1, plug2,bar,,$MASTER_MYPORT;
+ERROR 28000: Access denied for user 'plug2'@'santa.claus.ipv4.example.com' (using password: YES)
+"Dumping performance_schema.host_cache"
+IP	192.0.2.4
+HOST	santa.claus.ipv4.example.com
+HOST_VALIDATED	YES
+SUM_CONNECT_ERRORS	0
+COUNT_HOST_BLOCKED_ERRORS	0
+COUNT_NAMEINFO_TRANSIENT_ERRORS	0
+COUNT_NAMEINFO_PERMANENT_ERRORS	0
+COUNT_FORMAT_ERRORS	0
+COUNT_ADDRINFO_TRANSIENT_ERRORS	0
+COUNT_ADDRINFO_PERMANENT_ERRORS	0
+COUNT_FCRDNS_ERRORS	0
+COUNT_HOST_ACL_ERRORS	0
+COUNT_NO_AUTH_PLUGIN_ERRORS	0
+COUNT_AUTH_PLUGIN_ERRORS	1
+COUNT_HANDSHAKE_ERRORS	0
+COUNT_PROXY_USER_ERRORS	0
+COUNT_PROXY_USER_ACL_ERRORS	0
+COUNT_AUTHENTICATION_ERRORS	1
+COUNT_SSL_ERRORS	0
+COUNT_MAX_USER_CONNECTIONS_ERRORS	0
+COUNT_MAX_USER_CONNECTIONS_PER_HOUR_ERRORS	0
+COUNT_DEFAULT_DATABASE_ERRORS	0
+COUNT_INIT_CONNECT_ERRORS	0
+COUNT_LOCAL_ERRORS	0
+COUNT_UNKNOWN_ERRORS	0
+FIRST_ERROR_SEEN	set
+LAST_ERROR_SEEN	set
+connect con1, 127.0.0.1, plug2,foo,,$MASTER_MYPORT;
+select current_user();
+current_user()
+plug2@santa.claus.ipv4.example.com
+disconnect con1;
+connection default;
+"Dumping performance_schema.host_cache"
+IP	192.0.2.4
+HOST	santa.claus.ipv4.example.com
+HOST_VALIDATED	YES
+SUM_CONNECT_ERRORS	0
+COUNT_HOST_BLOCKED_ERRORS	0
+COUNT_NAMEINFO_TRANSIENT_ERRORS	0
+COUNT_NAMEINFO_PERMANENT_ERRORS	0
+COUNT_FORMAT_ERRORS	0
+COUNT_ADDRINFO_TRANSIENT_ERRORS	0
+COUNT_ADDRINFO_PERMANENT_ERRORS	0
+COUNT_FCRDNS_ERRORS	0
+COUNT_HOST_ACL_ERRORS	0
+COUNT_NO_AUTH_PLUGIN_ERRORS	0
+COUNT_AUTH_PLUGIN_ERRORS	1
+COUNT_HANDSHAKE_ERRORS	0
+COUNT_PROXY_USER_ERRORS	0
+COUNT_PROXY_USER_ACL_ERRORS	0
+COUNT_AUTHENTICATION_ERRORS	1
+COUNT_SSL_ERRORS	0
+COUNT_MAX_USER_CONNECTIONS_ERRORS	0
+COUNT_MAX_USER_CONNECTIONS_PER_HOUR_ERRORS	0
+COUNT_DEFAULT_DATABASE_ERRORS	0
+COUNT_INIT_CONNECT_ERRORS	0
+COUNT_LOCAL_ERRORS	0
+COUNT_UNKNOWN_ERRORS	0
+FIRST_ERROR_SEEN	set
+LAST_ERROR_SEEN	set
+drop user plug1@'santa.claus.ipv4.example.com';
+drop user plug2@'santa.claus.ipv4.example.com';
+set @@global.debug_dbug = @saved_dbug;
+uninstall plugin ed25519;
diff --git a/mysql-test/suite/perfschema/t/hostcache_ipv4_auth_ed25519.test b/mysql-test/suite/perfschema/t/hostcache_ipv4_auth_ed25519.test
@@ -0,0 +1,53 @@
+#
+# Tests for the performance_schema host_cache.
+#
+# Test authorization with auth plugins.
+# error reporting in:
+# - column COUNT_AUTH_PLUGIN_ERRORS
+# - column COUNT_PROXY_USER_ERRORS
+# - column COUNT_PROXY_USER_ACL_ERRORS
+
+source include/not_embedded.inc;
+source include/have_debug.inc;
+source include/have_perfschema.inc;
+source include/have_plugin_auth.inc;
+source include/have_hostname_cache.inc;
+
+if (!$AUTH_ED25519_SO) {
+  skip No auth_ed25519 plugin;
+}
+install soname 'auth_ed25519';
+
+# Enforce a clean state
+source ../include/wait_for_pfs_thread_count.inc;
+source ../include/hostcache_set_state.inc;
+
+create user plug1@'santa.claus.ipv4.example.com'
+  identified with ed25519 as 'foo';
+create user plug2@'santa.claus.ipv4.example.com'
+  identified with ED25519 as 'vubFBzIrapbfHct1/J72dnUryz5VS7lA6XHH8sIx4TI';
+
+set @saved_dbug = @@global.debug_dbug;
+set global debug_dbug= "+d,vio_peer_addr_fake_ipv4,getnameinfo_fake_ipv4,getaddrinfo_fake_good_ipv4";
+
+replace_result $MASTER_MYPORT PORT $MASTER_MYSOCK SOCKET;
+error ER_ACCESS_DENIED_ERROR;
+connect con1, 127.0.0.1, plug1,foo,,$MASTER_MYPORT;
+source ../include/hostcache_dump.inc;
+
+replace_result $MASTER_MYPORT PORT $MASTER_MYSOCK SOCKET;
+error ER_ACCESS_DENIED_ERROR;
+connect con1, 127.0.0.1, plug2,bar,,$MASTER_MYPORT;
+source ../include/hostcache_dump.inc;
+
+connect con1, 127.0.0.1, plug2,foo,,$MASTER_MYPORT;
+select current_user();
+disconnect con1;
+connection default;
+source ../include/hostcache_dump.inc;
+
+drop user plug1@'santa.claus.ipv4.example.com';
+drop user plug2@'santa.claus.ipv4.example.com';
+
+set @@global.debug_dbug = @saved_dbug;
+uninstall plugin ed25519;
diff --git a/plugin/auth_ed25519/server_ed25519.c b/plugin/auth_ed25519/server_ed25519.c
@@ -41,17 +41,17 @@ static int auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 
   /* prepare the pk */
   if (info->auth_string_length != PASSWORD_LEN)
-    return CR_AUTH_USER_CREDENTIALS;
+    return CR_ERROR; // bad password in the user table
   memcpy(pw, info->auth_string, PASSWORD_LEN);
   pw[PASSWORD_LEN]= '=';
   if (my_base64_decode(pw, PASSWORD_LEN_BUF, pk, NULL, 0) != CRYPTO_PUBLICKEYBYTES)
-    return CR_AUTH_USER_CREDENTIALS;
+    return CR_ERROR; // bad password in the user table
 
   info->password_used= PASSWORD_USED_YES;
 
   /* prepare random nonce */
   if (my_random_bytes((unsigned char *)nonce, (int)sizeof(nonce)))
-    return CR_AUTH_USER_CREDENTIALS;
+    return CR_ERROR; // eh? OpenSSL error
 
   /* send it */
   if (vio->write_packet(vio, reply + CRYPTO_BYTES, NONCE_BYTES))
@@ -63,7 +63,7 @@ static int auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
   memcpy(reply, pkt, CRYPTO_BYTES);
 
   if (crypto_sign_open(reply, CRYPTO_BYTES + NONCE_BYTES, pk))
-    return CR_ERROR;
+    return CR_AUTH_USER_CREDENTIALS; // wrong password provided by the user
 
   return CR_OK;
 }