MDEV-37600 Backport MDEV-37339 errors about caching_sha2_password on server startup (WolfSSL)

With WolfSSL, the plugins is statically compiled, and enabled, and defaults to autogenerating ssl keys, which was left unimplemented. Thus, it spits out some [ERROR] on every startup. Fixed by removing a couple some ifdefs. Allowed tcp_nossl to run on Windows. As WolfSSL is missing some APIs with FILE*, use related API that accept BIO , i.e - BIO_new_file() instead of fopen() - BIO_free instead of fclose() - PEM_write_bio_PrivateKey() instead of PEM_write_PrivateKey() - etc A note about BIO and error reporting: BIO_new_file sets the errno, therefore FILE_ERROR macro produces good expected error messages, while SSL_ERROR unfortunately creates something incomprehensible. Thus, FILE_ERROR is left in place where it was used previously (fopen errors) Curiously, removing APIs with FILE*, solves another bug MDEV-37343, where server on Windows dies with obscure message as plugins tries to use this function. OpenSSL_Applink supposed to be official solution against such problems, but I could not get it to work properly, no matter how much I tried. Avoiding APIs with FILE* in first place works best
2025-12-28 00:01:00 +00:00 · 2025-07-29 13:34:08 +02:00 · 2025-07-29 13:34:08 +02:00 · 09a6249958
commit 09a6249958
parent c0233a09ee
3 changed files with 25 additions and 30 deletions
--- a/plugin/auth_mysql_sha2/CMakeLists.txt
+++ b/plugin/auth_mysql_sha2/CMakeLists.txt
@ -2,6 +2,8 @@ ADD_DEFINITIONS(${SSL_DEFINES})
 IF(WITH_SSL STREQUAL "bundled")
  # WolfSSL is static, we don't want it linked both into plugin and server
  SET(static STATIC_ONLY DEFAULT)
+ELSE()
+  SET(static)
 ENDIF()
 MYSQL_ADD_PLUGIN(auth_mysql_sha2
  mysql_sha2.c sha256crypt.c ssl_stuff.c openssl1-compat.c
--- a/plugin/auth_mysql_sha2/mysql-test/mysql_sha2/tcp_nossl.test
+++ b/plugin/auth_mysql_sha2/mysql-test/mysql_sha2/tcp_nossl.test
@ -1,7 +1,10 @@
 call mtr.add_suppression('failed to read private_key.pem: 2 "No such file or directory"');
 call mtr.add_suppression('Authentication requires either RSA keys or secure transport');

-source include/require_openssl_client.inc;
+if ($CLIENT_TLS_LIBRARY == "GnuTLS") {
+    skip Test requires client library, which is not built with GnuTLS;
+}
+
 source init.inc;

 query_vertical select * from information_schema.system_variables where variable_name like 'caching_sha2_password%' order by 1;
--- a/plugin/auth_mysql_sha2/ssl_stuff.c
+++ b/plugin/auth_mysql_sha2/ssl_stuff.c
@ -56,71 +56,61 @@ int ssl_decrypt(EVP_PKEY *pkey, unsigned char *src, size_t srclen,
 */
 int ssl_genkeys()
 {
-#ifdef OPENSSL_IS_WOLFSSL
-  /*
-    doesn't have few functions from below and libmariadb doesn't support RSA
-    encryption anyway, so not worth bothering
-  */
-  my_printf_error(1, SELF ": cannot auto-generate keys with WolfSSL",
-                  ME_ERROR_LOG_ONLY);
-  return 1;
-#else
  EVP_PKEY *pkey;
-  FILE *f= NULL;
+  BIO *bio= NULL;

  if (!(pkey= EVP_RSA_gen(2048)))
    goto err;

-  if (!(f= fopen(private_key_path, "w")))
+  if (!(bio= BIO_new_file(private_key_path, "w")))
    FILE_ERROR("write", private_key_path);

-  if (PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL) != 1)
+  if (PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL) != 1)
    SSL_ERROR("write", private_key_path);
-  fclose(f);
+  BIO_free(bio);

-  if (!(f= fopen(public_key_path, "w")))
+  if (!(bio= BIO_new_file(public_key_path, "w")))
    FILE_ERROR("write", public_key_path);

-  if (PEM_write_PUBKEY(f, pkey) != 1)
+  if (PEM_write_bio_PUBKEY(bio, pkey) <= 0)
    SSL_ERROR("write", public_key_path);
-  fclose(f);
+  BIO_free(bio);

  EVP_PKEY_free(pkey);
  return 0;

 err:
-  if (f)
-    fclose(f);
+  if (bio)
+    BIO_free(bio);
  if (pkey)
    EVP_PKEY_free(pkey);
  return 1;
-#endif
 }

 int ssl_loadkeys()
 {
  EVP_PKEY *pkey= 0;
-  FILE *f;
+  BIO *bio;
  size_t len;

-  if (!(f= fopen(private_key_path, "r")))
+  if (!(bio= BIO_new_file(private_key_path, "r")))
    FILE_ERROR("read", private_key_path);

-  if (!(pkey= PEM_read_PrivateKey(f, NULL, NULL, NULL)))
+  if (!(pkey= PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)))
    SSL_ERROR("read", private_key_path);
-  fclose(f);
+  BIO_free(bio);

-  if (!(f= fopen(public_key_path, "r")))
+  if (!(bio= BIO_new_file(public_key_path, "r")))
    FILE_ERROR("read", public_key_path);
-  len= fread(public_key, 1, sizeof(public_key)-1, f);
+  len= BIO_read(bio, public_key, sizeof(public_key));

-  if (!feof(f))
+  if (len == sizeof(public_key))
  {
    my_printf_error(1, SELF ": failed to read %s: larger than %zu",
                    ME_ERROR_LOG_ONLY, private_key_path, sizeof(public_key)-1);
    goto err;
  }
-  fclose(f);
+  BIO_free(bio);

  public_key[len]= 0;
  public_key_len= len;
@ -128,8 +118,8 @@ int ssl_loadkeys()
  return 0;

 err:
-  if (f)
-    fclose(f);
+  if (bio)
+    BIO_free(bio);
  if (pkey)
    EVP_PKEY_free(pkey);
  return 1;