Bug#27306178: ERROR IN SERVER HANDSHAKE WHILE CONNECTING

              WITH AUTH_SOCK PLUGIN USER

Description: On client side, if server's default plugin is
             different than that of client, client discards
             packet containing scramble information. This
             means that if server has default plugin
             caching_sha2_password and client has default
             plugin mysql_native_password, and if client is
             trying to connect to server using a user with
             plugin C (in this case auth_socket), following
             will happen:

             1. Client will discard scramble data
             2. Client will call native_password's client
                side authentication plugin
             3. In client_mpvio_read_packet, client will
                send user details to server and wait for
                scramble
             4. Server, having received user details, goes
                 on to process client reply and finds that
                 there are 3 plugins involved. It then
                 triggers a RESTART of authentication on
                 server side without sending anything to
                 client. As a part of restart, server uses
                 user's actual plugin (auth_socket) and
                 calls authenticate API for the same.
             5. auth_socket plugin, having received user
                details and connection info, performs
                verification and sends OK/ERROR.
             6. On client side, since client expects random
                data of length 20 from server, native
                plugin's authentication API will report
                error upon receing OK/ERROR.
             7. run_plugin_auth() won't find expected reply
                (because OK/ERROR was already read) and
                exit with error.

Solution: In run_plugin_auth(), there is a check for
          auth-switch packet. Fix is to extend it to cover
          OK packet too.

(cherry picked from commit b5840b451966469f4b527ba062147897750258cf)

Author: harinvadodaria

mysql-test/suite/auth_sec/include/multiple_plugins.inc

@@ -0,0 +1,89 @@
+#
+# Input(s) :
+# $server_default_authentication_plugin
+#
+
+--echo # Restart the server with $server_default_authentication_plugin as default authnetication plugin
+let $restart_file= $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
+--exec echo "wait" > $restart_file
+--shutdown_server
+--source include/wait_until_disconnected.inc
+--exec echo "restart:--default-authentication-plugin=$server_default_authentication_plugin" > $restart_file
+--enable_reconnect
+--source include/wait_until_connected_again.inc
+--disable_reconnect
+
+
+--echo # Create users
+CREATE USER qa_test_1_user IDENTIFIED WITH qa_auth_interface AS 'qa_test_1_dest';
+CREATE USER qa_test_1_dest IDENTIFIED BY 'dest_passwd';
+GRANT ALL PRIVILEGES ON test_user_db.* TO qa_test_1_dest identified by 'dest_passwd';
+GRANT PROXY ON qa_test_1_dest TO qa_test_1_user;
+
+CREATE USER native@localhost IDENTIFIED WITH 'mysql_native_password' BY 'abcd';
+CREATE USER sha256@localhost IDENTIFIED WITH 'sha256_password' BY 'abcd';
+
+--echo # Connection tests
+
+--exec $MYSQL $PLUGIN_AUTH_OPT --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -uqa_test_1_user -pqa_test_1_dest --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=mysql_native_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -uqa_test_1_user -pqa_test_1_dest --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=sha256_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -uqa_test_1_user -pqa_test_1_dest --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+FLUSH PRIVILEGES;
+
+--exec $MYSQL $PLUGIN_AUTH_OPT --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -uqa_test_1_user -pqa_test_1_dest --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+FLUSH PRIVILEGES;
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=mysql_native_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -uqa_test_1_user -pqa_test_1_dest --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+FLUSH PRIVILEGES;
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=sha256_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -uqa_test_1_user -pqa_test_1_dest --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+FLUSH PRIVILEGES;
+
+
+--exec $MYSQL $PLUGIN_AUTH_OPT --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -unative -pabcd --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=mysql_native_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -unative -pabcd --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=sha256_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -unative -pabcd --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+FLUSH PRIVILEGES;
+
+
+--exec $MYSQL $PLUGIN_AUTH_OPT --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -usha256 -pabcd --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=mysql_native_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -usha256 -pabcd --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+--exec $MYSQL $PLUGIN_AUTH_OPT --default-auth=sha256_password --protocol=TCP --host=127.0.0.1 -P$MASTER_MYPORT -usha256 -pabcd --ssl-mode=DISABLED --server-public-key-path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem -e "SELECT CURRENT_USER()" 2>&1
+FLUSH PRIVILEGES;
+
+--echo # Change user tests
+
+--connect(qa_test_1_conn, localhost, qa_test_1_user, qa_test_1_dest,,,,SSL)
+--change_user native, abcd
+SELECT CURRENT_USER();
+--change_user sha256, abcd
+SELECT CURRENT_USER();
+--change_user
+SELECT CURRENT_USER();
+
+--connect(native_conn, localhost, native, abcd,,,,SSL)
+--change_user qa_test_1_user, qa_test_1_dest
+SELECT CURRENT_USER();
+--change_user sha256, abcd
+SELECT CURRENT_USER();
+--change_user
+SELECT CURRENT_USER();
+
+--connect(sha256_conn, localhost, sha256, abcd,,,,SSL)
+--change_user qa_test_1_user, qa_test_1_dest
+SELECT CURRENT_USER();
+--change_user native, abcd
+SELECT CURRENT_USER();
+--change_user
+SELECT CURRENT_USER();
+
+--connection default
+--disconnect qa_test_1_conn
+--disconnect native_conn
+--disconnect sha256_conn
+
+--echo # Drop users
+DROP USER qa_test_1_user;
+DROP USER qa_test_1_dest;
+DROP USER native@localhost;
+DROP USER sha256@localhost;
+
+--source include/force_restart.inc

mysql-test/suite/auth_sec/r/multiple_plugins.result

@@ -0,0 +1,174 @@
+# Check with mysql_native_password as --default-authentication-plugin
+# Restart the server with mysql_native_password as default authnetication plugin
+# Create users
+CREATE USER qa_test_1_user IDENTIFIED WITH qa_auth_interface AS 'qa_test_1_dest';
+CREATE USER qa_test_1_dest IDENTIFIED BY 'dest_passwd';
+GRANT ALL PRIVILEGES ON test_user_db.* TO qa_test_1_dest identified by 'dest_passwd';
+Warnings:
+Warning	1287	Using GRANT statement to modify existing user's properties other than privileges is deprecated and will be removed in future release. Use ALTER USER statement for this operation.
+GRANT PROXY ON qa_test_1_dest TO qa_test_1_user;
+CREATE USER native@localhost IDENTIFIED WITH 'mysql_native_password' BY 'abcd';
+CREATE USER sha256@localhost IDENTIFIED WITH 'sha256_password' BY 'abcd';
+# Connection tests
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+native@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+native@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+native@localhost
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+sha256@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+sha256@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+sha256@localhost
+FLUSH PRIVILEGES;
+# Change user tests
+SELECT CURRENT_USER();
+CURRENT_USER()
+native@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+qa_test_1_user@%
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+qa_test_1_user@%
+SELECT CURRENT_USER();
+CURRENT_USER()
+native@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+native@localhost
+# Drop users
+DROP USER qa_test_1_user;
+DROP USER qa_test_1_dest;
+DROP USER native@localhost;
+DROP USER sha256@localhost;
+# Check with sha256_password as --default-authentication-plugin
+# Restart the server with sha256_password as default authnetication plugin
+# Create users
+CREATE USER qa_test_1_user IDENTIFIED WITH qa_auth_interface AS 'qa_test_1_dest';
+CREATE USER qa_test_1_dest IDENTIFIED BY 'dest_passwd';
+GRANT ALL PRIVILEGES ON test_user_db.* TO qa_test_1_dest identified by 'dest_passwd';
+Warnings:
+Warning	1287	Using GRANT statement to modify existing user's properties other than privileges is deprecated and will be removed in future release. Use ALTER USER statement for this operation.
+GRANT PROXY ON qa_test_1_dest TO qa_test_1_user;
+CREATE USER native@localhost IDENTIFIED WITH 'mysql_native_password' BY 'abcd';
+CREATE USER sha256@localhost IDENTIFIED WITH 'sha256_password' BY 'abcd';
+# Connection tests
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+qa_test_1_user@%
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+native@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+native@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+native@localhost
+FLUSH PRIVILEGES;
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+sha256@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+sha256@localhost
+mysql: [Warning] Using a password on the command line interface can be insecure.
+CURRENT_USER()
+sha256@localhost
+FLUSH PRIVILEGES;
+# Change user tests
+SELECT CURRENT_USER();
+CURRENT_USER()
+native@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+qa_test_1_user@%
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+sha256@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+qa_test_1_user@%
+SELECT CURRENT_USER();
+CURRENT_USER()
+native@localhost
+SELECT CURRENT_USER();
+CURRENT_USER()
+native@localhost
+# Drop users
+DROP USER qa_test_1_user;
+DROP USER qa_test_1_dest;
+DROP USER native@localhost;
+DROP USER sha256@localhost;

mysql-test/suite/auth_sec/t/multiple_plugins-master.opt

@@ -0,0 +1,4 @@
+$PLUGIN_AUTH_INTERFACE_OPT
+$PLUGIN_AUTH_INTERFACE_LOAD
+--loose-sha256_password_private_key_path=$MYSQL_TEST_DIR/std_data/rsa_private_key.pem
+--loose-sha256_password_public_key_path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem

mysql-test/suite/auth_sec/t/multiple_plugins.test

@@ -0,0 +1,12 @@
+--source include/have_plugin_interface.inc
+--source include/not_embedded.inc
+--source include/have_ssl.inc
+--source include/have_sha256_rsa_auth.inc
+
+--echo # Check with mysql_native_password as --default-authentication-plugin
+let $server_default_authentication_plugin=mysql_native_password;
+--source ../include/multiple_plugins.inc
+
+--echo # Check with sha256_password as --default-authentication-plugin
+let $server_default_authentication_plugin=sha256_password;
+--source ../include/multiple_plugins.inc

sql-common/client.c

@@ -4016,9 +4016,15 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
 
   /*
     The connection may be closed. If so: do not try to read from the buffer.
+    If server sends OK packet without sending auth-switch first, client side
+    auth plugin may not be able to process it correctly.
+    However, if server sends OK, it means server side authentication plugin
+    already performed required checks. Further, server side plugin did not
+    really care about plugin used by client in this case.
   */
   if (res > CR_OK && 
-      (!my_net_is_inited(&mysql->net) || mysql->net.read_pos[0] != 254))
+      (!my_net_is_inited(&mysql->net) ||
+      (mysql->net.read_pos[0] != 0 && mysql->net.read_pos[0] != 254)))
   {
     /*
       the plugin returned an error. write it down in mysql,
@@ -6213,29 +6219,16 @@ static int native_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql)
 
   DBUG_ENTER("native_password_auth_client");
 
+  /* read the scramble */
+  if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
+    DBUG_RETURN(CR_ERROR);
 
-  if (((MCPVIO_EXT *)vio)->mysql_change_user)
-  {
-    /*
-      in mysql_change_user() the client sends the first packet.
-      we use the old scramble.
-    */
-    pkt= (uchar*)mysql->scramble;
-    pkt_len= SCRAMBLE_LENGTH + 1;
-  }
-  else
-  {
-    /* read the scramble */
-    if ((pkt_len= vio->read_packet(vio, &pkt)) < 0)
-      DBUG_RETURN(CR_ERROR);
+  if (pkt_len != SCRAMBLE_LENGTH + 1)
+    DBUG_RETURN(CR_SERVER_HANDSHAKE_ERR);
 
-    if (pkt_len != SCRAMBLE_LENGTH + 1)
-      DBUG_RETURN(CR_SERVER_HANDSHAKE_ERR);
-
-    /* save it in MYSQL */
-    memcpy(mysql->scramble, pkt, SCRAMBLE_LENGTH);
-    mysql->scramble[SCRAMBLE_LENGTH] = 0;
-  }
+  /* save it in MYSQL */
+  memcpy(mysql->scramble, pkt, SCRAMBLE_LENGTH);
+  mysql->scramble[SCRAMBLE_LENGTH] = 0;
 
   if (mysql->passwd[0])
   {