From 04dd05b262e4d7ad9cb5e9b7f38332781081cd4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 28 Dec 2018 17:22:44 +0200
Subject: [PATCH] MXS-2231: Move TLS handshake code into MariaDBClient

The code is now in the correct place and TLS connections with all authenticators should now work.
---
 maxscale-system-test/kerberos_setup.cpp | 10 +++++++---
 server/modules/authenticator/MySQLAuth/mysql_auth.c | 5 +++--
 .../authenticator/PAM/PAMAuth/pam_client_session.cc | 4 ++--
 .../protocol/MySQL/mariadbclient/mysql_client.cc | 8 +++++++-
 4 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/maxscale-system-test/kerberos_setup.cpp b/maxscale-system-test/kerberos_setup.cpp
index 3143cc133..3c05d07ae 100644
--- a/maxscale-system-test/kerberos_setup.cpp
+++ b/maxscale-system-test/kerberos_setup.cpp
@@ -135,17 +135,17 @@ int main(int argc, char *argv[])
 Test->tprintf("Trying use usr1 to execute query: RW Split\n");
 Test->add_result(
 Test->repl->ssh_node(1,
- "echo select User,Host from mysql.user | mysql -uusr1 -h maxscale.maxscale.test -P 4006", false),
+ "echo select User,Host from mysql.user | mysql --ssl -uusr1 -h maxscale.maxscale.test -P 4006", false),
 "Error executing query against RW Split\n");
 Test->tprintf("Trying use usr1 to execute query: Read Connection Master\n");
 Test->add_result(
 Test->repl->ssh_node(1,
- "echo select User,Host from mysql.user | mysql -uusr1 -h maxscale.maxscale.test -P 4008", false),
+ "echo select User,Host from mysql.user | mysql --ssl -uusr1 -h maxscale.maxscale.test -P 4008", false),
 "Error executing query against Read Connection Master\n");
 Test->tprintf("Trying use usr1 to execute query: Read Connection Slave\n");
 Test->add_result(
 Test->repl->ssh_node(1,
- "echo select User,Host from mysql.user | mysql -uusr1 -h maxscale.maxscale.test -P 4009", false),
+ "echo select User,Host from mysql.user | mysql --ssl -uusr1 -h maxscale.maxscale.test -P 4009", false),
 "Error executing query against Read Connection Slave\n");
 
 for (int i = 0; i < Test->repl->N; i++)
@@ -153,6 +153,10 @@ int main(int argc, char *argv[])
 Test->repl->ssh_node(i, "sudo rm -f /etc/my.cnf.d/kerb.cnf", true);
 }
 
+ Test->repl->connect();
+ Test->try_query(Test->repl->nodes[0], "DROP USER usr1");
+ Test->repl->disconnect();
+
 int rval = Test->global_result;
 delete Test;
 return rval;
diff --git a/server/modules/authenticator/MySQLAuth/mysql_auth.c b/server/modules/authenticator/MySQLAuth/mysql_auth.c
index cb4696a46..0dd30787d 100644
--- a/server/modules/authenticator/MySQLAuth/mysql_auth.c
+++ b/server/modules/authenticator/MySQLAuth/mysql_auth.c
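Review bot: The `--ssl` added to the three mysql invocations only asks the client to negotiate TLS; the command-line client does not verify the server certificate unless `--ssl-ca` (and, for MariaDB, `--ssl-verify-server-cert`) are also given, so the test exercises MaxScale's handshake path but not client-side authentication of the listener. That is fine for a handshake regression test, but it should be stated next to the first command, e.g. `// --ssl: negotiate TLS so the listener's handshake path is exercised; the server certificate is deliberately not verified here`. Depending on the client version installed on the test node, a bare `--ssl` has historically allowed a silent fallback to plaintext when the server offered no TLS, in which case this test would pass without any handshake at all; `--ssl-mode=REQUIRED` (Oracle 5.7+) or `--ssl-verify-server-cert` (MariaDB) removes that ambiguity. The enclosing main() starts before the hunk.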
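Review bot: The new teardown runs `DROP USER usr1` unconditionally, so when an earlier step already failed before the user was created the DROP fails too and, if `try_query` folds failures into `global_result` as its name suggests, the original failure is reported together with a second, misleading one; `DROP USER IF EXISTS usr1` (supported since MariaDB 10.1.3) keeps cleanup from affecting the verdict. The return value of `Test->repl->connect()` is not checked before `Test->repl->nodes[0]` is dereferenced, so if connect() can fail the test crashes in teardown instead of reporting. A one-line comment such as `// Teardown: remove the Kerberos test user so reruns start from a clean server` would also make the purpose of the three added lines clear. main() begins outside the hunk.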
@@ -276,9 +276,10 @@ static bool is_localhost_address(struct sockaddr_storage *addr)
 
 static int mysql_auth_authenticate(DCB *dcb)
 {
- int auth_ret = ssl_authenticate_check_status(dcb);
+ int auth_ret = MXS_AUTH_SSL_COMPLETE;
 MYSQL_session *client_data = (MYSQL_session *)dcb->data;
- if (auth_ret == MXS_AUTH_SSL_COMPLETE && *client_data->user)
+
+ if (*client_data->user)
 {
 MXS_DEBUG("Receiving connection from '%s' to database '%s'.",
 client_data->user, client_data->db);
diff --git a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
index 229f0bb65..04cb7afec 100644
--- a/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
+++ b/server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
@@ -288,9 +288,9 @@ Buffer PamClientSession::create_auth_change_packet() const
 
 int PamClientSession::authenticate(DCB* dcb)
 {
- int rval = ssl_authenticate_check_status(dcb);
+ int rval = MXS_AUTH_SSL_COMPLETE;
 MYSQL_session *ses = static_cast(dcb->data);
- if (rval == MXS_AUTH_SSL_COMPLETE && *ses->user)
+ if (*ses->user)
 {
 rval = MXS_AUTH_FAILED;
 if (m_state == PAM_AUTH_INIT)
diff --git a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
index 763e8e79a..54fc54824 100644
--- a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
+++ b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
@@ -726,7 +726,13 @@ gw_read_do_authentication(DCB *dcb, GWBUF *read_buffer, int nbytes_read)
 int auth_val = MXS_AUTH_FAILED;
 if (dcb->authfunc.extract(dcb, read_buffer))
 {
- auth_val = dcb->authfunc.authenticate(dcb);
+ auth_val = ssl_authenticate_check_status(dcb);
+
+ if (auth_val == MXS_AUTH_SSL_COMPLETE)
+ {
+ // TLS connection phase complete
+ auth_val = dcb->authfunc.authenticate(dcb);
+ }
 }
 else
 {
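Review bot: `auth_ret` is now initialised to the constant `MXS_AUTH_SSL_COMPLETE` and, when `client_data->user` is empty, is presumably returned as-is by the tail of the function outside the hunk, so this authenticator now depends on its caller having already run `ssl_authenticate_check_status()` and nothing in this file states that precondition. Add it to the function header, e.g. `/* Precondition: the protocol module has already completed (or waived) the TLS phase; this function is no longer the TLS gate and must not be called before that. */`, and a line on the initializer such as `/* No user name yet: report the TLS phase as done so the protocol keeps reading. */` — the latter is inferred from the old condition, not shown here, so confirm it before committing to the wording. Any other caller of `authfunc.authenticate()` that does not go through gw_read_do_authentication would now skip the TLS check entirely, which is worth a grep before merging.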
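Review bot: `rval` now reads as the authentication result but its initial value `MXS_AUTH_SSL_COMPLETE` is what an empty `ses->user` yields, and a reader cannot tell from this function whether that means "keep waiting" or something stronger; the fail-closed `rval = MXS_AUTH_FAILED;` on the populated-user path is good and the empty-user path deserves the same clarity. Suggest `// Empty user name: nothing to authenticate yet; MXS_AUTH_SSL_COMPLETE tells the protocol to wait for the real handshake response` on the initializer (hedged: the caller's handling of that value is outside this hunk), and a note on the method's declaration in the header that the TLS phase is checked by the protocol module before authenticate() is invoked. The method body continues past the hunk.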
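Review bot: `auth_val` now carries two different things — the TLS phase status from `ssl_authenticate_check_status()` and, only when that is `MXS_AUTH_SSL_COMPLETE`, the authenticator's verdict — and every other status falls through unchanged to the switch below the hunk, which makes this branch the single place that enforces a TLS-required listener. The added comment should say that rather than just "TLS connection phase complete", e.g. `// Run the authenticator only once the TLS phase is done; any other status (handshake still in progress, or TLS required but not offered, if the helper reports it that way) is passed to the switch below so a client is never authenticated in plaintext on a TLS-required listener.` Since that guarantee has moved out of every authenticator into this one branch, a regression test that sends a plaintext HandshakeResponse to a listener with TLS required and asserts rejection is the check a reviewer would want alongside this commit. The enclosing gw_read_do_authentication() continues past the hunk.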