trilogy-libraries · jeremy · Dec 2, 2025 · Dec 2, 2025 · Nov 18, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,15 +12,16 @@ on:
   pull_request:
 
 jobs:
-  build:
-    name: ${{ format('Build ({0}, {1}, {2})', matrix.mysql, matrix.distribution, matrix.ruby) }}
+  mysql:
+    name: ${{ format('MySQL {0} ({1}, Ruby {2}, ssl={3})', matrix.db_version, matrix.distribution, matrix.ruby, matrix.default_ssl) }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        mysql: ["8.0", "8.4"]
+        db_version: ["8.0", "8.4", "9.5"]
         distribution: ["debian:bookworm", "ubuntu:noble", "ubuntu:jammy", "ubuntu:focal"]
         ruby: ["3.3", "3.4"]
+        default_ssl: ["true", "false"]
     steps:
     - uses: actions/checkout@v6
     - name: docker login
@@ -29,7 +30,58 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Run tests
       env:
-        MYSQL_VERSION: ${{ matrix.mysql }}
+        DB_VENDOR: mysql
+        DB_VERSION: ${{ matrix.db_version }}
         DISTRIBUTION: ${{ matrix.distribution }}
         RUBY_VERSION: ${{ matrix.ruby }}
+        TRILOGY_DEFAULT_SSL: ${{ matrix.default_ssl }}
+      run: script/cibuild
+
+  mariadb:
+    name: ${{ format('MariaDB {0} ({1}, Ruby {2})', matrix.db_version, matrix.distribution, matrix.ruby) }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        db_version: ["10.6", "10.11", "11.4", "11.8"]
+        distribution: ["debian:bookworm", "ubuntu:noble", "ubuntu:jammy", "ubuntu:focal"]
+        ruby: ["3.3", "3.4"]
+    steps:
+    - uses: actions/checkout@v6
+    - name: docker login
+      run: echo $GITHUB_TOKEN | docker login ghcr.io --username trilogy --password-stdin
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run tests
+      env:
+        DB_VENDOR: mariadb
+        DB_VERSION: ${{ matrix.db_version }}
+        DISTRIBUTION: ${{ matrix.distribution }}
+        RUBY_VERSION: ${{ matrix.ruby }}
+      run: script/cibuild
+
+  # MariaDB 12.1+ supports caching_sha2_password, so we test with ssl=true/false
+  mariadb-caching-sha2:
+    name: ${{ format('MariaDB {0} ({1}, Ruby {2}, ssl={3})', matrix.db_version, matrix.distribution, matrix.ruby, matrix.default_ssl) }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        db_version: ["12.1"]
+        distribution: ["debian:bookworm", "ubuntu:noble", "ubuntu:jammy", "ubuntu:focal"]
+        ruby: ["3.3", "3.4"]
+        default_ssl: ["true", "false"]
+    steps:
+    - uses: actions/checkout@v6
+    - name: docker login
+      run: echo $GITHUB_TOKEN | docker login ghcr.io --username trilogy --password-stdin
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run tests
+      env:
+        DB_VENDOR: mariadb
+        DB_VERSION: ${{ matrix.db_version }}
+        DISTRIBUTION: ${{ matrix.distribution }}
+        RUBY_VERSION: ${{ matrix.ruby }}
+        TRILOGY_DEFAULT_SSL: ${{ matrix.default_ssl }}
       run: script/cibuild
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -2,6 +2,7 @@ permissions:
   contents: read
 
 name: macOS
+
 on:
   push:
     branches:
@@ -11,31 +12,71 @@ on:
   pull_request:
 
 jobs:
-  test:
-    name: Test
+  test-mysql:
+    name: Test (MySQL ${{ matrix.mysql }})
     runs-on: macos-latest
     strategy:
       matrix:
-        mysql: ["8.0", "8.4"]
+        mysql: ["8.0", "8.4", "9.5"]
     steps:
     - uses: actions/checkout@v6
     - name: Setup MySQL
       run: |
         brew install mysql@${{ matrix.mysql }}
+        # Apply macOS-specific config if it exists (e.g., 8.4 needs mysql_native_password=ON)
+        # Homebrew MySQL reads config from $(brew --prefix)/etc/my.cnf
+        if [[ -f "test/mysql/conf.d/${{ matrix.mysql }}/macos.cnf" ]]; then
+          cat test/mysql/conf.d/${{ matrix.mysql }}/macos.cnf >> $(brew --prefix)/etc/my.cnf
+        fi
         (unset CI; brew postinstall mysql@${{ matrix.mysql }})
         brew services start mysql@${{ matrix.mysql }}
         sleep 5
         $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot -e 'CREATE DATABASE test'
+        $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot < test/mysql/docker-entrypoint-initdb.d/caching_sha2_password_user.sql
     - name: Build
       run: CFLAGS="-I$(brew --prefix openssl@1.1)/include" LDFLAGS="-L$(brew --prefix openssl@1.1)/lib" make all test/test
     - name: test
       run: test/test
-  test-ruby:
-    name: Test Ruby
+
+  test-mariadb:
+    name: Test (MariaDB ${{ matrix.mariadb }})
     runs-on: macos-latest
     strategy:
       matrix:
-        mysql: ["8.0"]
+        mariadb: ["10.6", "10.11", "11.4", "11.8"]
+    steps:
+    - uses: actions/checkout@v6
+    - name: Setup MariaDB
+      run: |
+        brew install mariadb@${{ matrix.mariadb }}
+        # Apply macOS-specific config if it exists
+        if [[ -f "test/mariadb/conf.d/${{ matrix.mariadb }}/macos.cnf" ]]; then
+          cat test/mariadb/conf.d/${{ matrix.mariadb }}/macos.cnf >> $(brew --prefix)/etc/my.cnf
+        fi
+        (unset CI; brew postinstall mariadb@${{ matrix.mariadb }})
+        brew services start mariadb@${{ matrix.mariadb }}
+        sleep 5
+        # MariaDB uses unix_socket auth for root by default, so use sudo
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e 'CREATE DATABASE IF NOT EXISTS test'
+        # Create a test user for C tests (root uses unix_socket which doesn't work for TCP)
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e "CREATE USER IF NOT EXISTS 'trilogy'@'127.0.0.1' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON test.* TO 'trilogy'@'127.0.0.1';"
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e "CREATE USER IF NOT EXISTS 'trilogy'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON test.* TO 'trilogy'@'localhost';"
+    - name: Build
+      run: CFLAGS="-I$(brew --prefix openssl@1.1)/include" LDFLAGS="-L$(brew --prefix openssl@1.1)/lib" make all test/test
+    - name: test
+      env:
+        MYSQL_HOST: "127.0.0.1"
+        MYSQL_USER: trilogy
+        MYSQL_PASS: password
+        MYSQL_DB: test
+      run: test/test
+
+  test-ruby-mysql:
+    name: Test Ruby (MySQL ${{ matrix.mysql }}, Ruby ${{ matrix.ruby }})
+    runs-on: macos-latest
+    strategy:
+      matrix:
+        mysql: ["8.0", "8.4", "9.5"]
         ruby: ["3.0", "3.1", "3.2", "3.3", "3.4"]
     steps:
     - uses: actions/checkout@v6
@@ -47,12 +88,20 @@ jobs:
         MYSQL_VERSION: ${{ matrix.mysql }}
       run: |
         brew install mysql@${{ matrix.mysql }}
+        # Apply macOS-specific config if it exists (e.g., 8.4 needs mysql_native_password=ON)
+        # Homebrew MySQL reads config from $(brew --prefix)/etc/my.cnf
+        if [[ -f "test/mysql/conf.d/${{ matrix.mysql }}/macos.cnf" ]]; then
+          cat test/mysql/conf.d/${{ matrix.mysql }}/macos.cnf >> $(brew --prefix)/etc/my.cnf
+        fi
         (unset CI; brew postinstall mysql@${{ matrix.mysql }})
         brew services start mysql@${{ matrix.mysql }}
         sleep 5
         $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot -e 'CREATE DATABASE test'
-        [[ "$MYSQL_VERSION" == "8.0" ]] && $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot < test/mysql/docker-entrypoint-initdb.d/caching_sha2_password_user.sql
-        $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot < test/mysql/docker-entrypoint-initdb.d/native_password_user.sql
+        $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot < test/mysql/docker-entrypoint-initdb.d/caching_sha2_password_user.sql
+        # mysql_native_password plugin was removed in MySQL 9.x
+        if [[ ! "${{ matrix.mysql }}" =~ ^9 ]]; then
+          $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot -e "CREATE USER 'native'@'%'; GRANT ALL PRIVILEGES ON test.* TO 'native'@'%'; ALTER USER 'native'@'%' IDENTIFIED WITH mysql_native_password BY 'password';"
+        fi
         $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot < test/mysql/docker-entrypoint-initdb.d/x509_user.sql
         $(brew --prefix mysql@${{ matrix.mysql }})/bin/mysql -uroot < test/mysql/docker-entrypoint-initdb.d/cleartext_user.sql
     - name: Install dependencies
@@ -63,3 +112,50 @@ jobs:
       run: |
         cd contrib/ruby
         bundle exec rake
+
+  test-ruby-mariadb:
+    name: Test Ruby (MariaDB ${{ matrix.mariadb }}, Ruby ${{ matrix.ruby }})
+    runs-on: macos-latest
+    strategy:
+      matrix:
+        mariadb: ["10.6", "10.11", "11.4", "11.8"]
+        ruby: ["3.0", "3.1", "3.2", "3.3", "3.4"]
+    steps:
+    - uses: actions/checkout@v6
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Setup MariaDB
+      env:
+        MARIADB_VERSION: ${{ matrix.mariadb }}
+      run: |
+        brew install mariadb@${{ matrix.mariadb }}
+        # Apply macOS-specific config if it exists
+        if [[ -f "test/mariadb/conf.d/${{ matrix.mariadb }}/macos.cnf" ]]; then
+          cat test/mariadb/conf.d/${{ matrix.mariadb }}/macos.cnf >> $(brew --prefix)/etc/my.cnf
+        fi
+        (unset CI; brew postinstall mariadb@${{ matrix.mariadb }})
+        brew services start mariadb@${{ matrix.mariadb }}
+        sleep 5
+        # MariaDB uses unix_socket auth for root by default, so use sudo
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e 'CREATE DATABASE IF NOT EXISTS test'
+        # Create a test user that can connect via TCP (root uses unix_socket which doesn't work for TCP)
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e "CREATE USER IF NOT EXISTS 'trilogy'@'127.0.0.1' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON *.* TO 'trilogy'@'127.0.0.1' WITH GRANT OPTION;"
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e "CREATE USER IF NOT EXISTS 'trilogy'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON *.* TO 'trilogy'@'localhost' WITH GRANT OPTION;"
+        # MariaDB uses IDENTIFIED VIA instead of IDENTIFIED WITH
+        sudo $(brew --prefix mariadb@${{ matrix.mariadb }})/bin/mariadb -e "CREATE USER IF NOT EXISTS 'native'@'%'; GRANT ALL PRIVILEGES ON test.* TO 'native'@'%'; ALTER USER 'native'@'%' IDENTIFIED VIA mysql_native_password USING PASSWORD('password');"
+        # Note: x509_user.sql and cleartext_user.sql are not used for MariaDB
+        # - x509 tests require custom client certificates (not available without generate_keys.sh)
+        # - cleartext_plugin_server requires auth_test_plugin.so (MySQL-specific)
+    - name: Install dependencies
+      run: |
+        cd contrib/ruby
+        bundle --without benchmark
+    - name: Run tests
+      env:
+        MYSQL_HOST: "127.0.0.1"
+        MYSQL_USER: trilogy
+        MYSQL_PASS: password
+      run: |
+        cd contrib/ruby
+        bundle exec rake
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Added
+
+- Support `caching_sha2_password` over TCP without TLS by requesting the server RSA public key when needed. #26
+
 ## 2.9.0
 
 ### Added

diff --git a/contrib/ruby/ext/trilogy-ruby/cext.c b/contrib/ruby/ext/trilogy-ruby/cext.c
@@ -534,7 +534,12 @@ static void auth_switch(struct trilogy_ctx *ctx, trilogy_handshake_t *handshake)
         }
 
         if (rc != TRILOGY_AGAIN) {
-            handle_trilogy_error(ctx, rc, "trilogy_auth_recv");
+            if (rc == TRILOGY_UNSUPPORTED) {
+                handle_trilogy_error(ctx, rc, "trilogy_auth_recv: caching_sha2_password requires either TCP with TLS or a unix socket");
+            }
+            else {
+                handle_trilogy_error(ctx, rc, "trilogy_auth_recv");
+            }
         }
 
         rc = trilogy_sock_wait_read(ctx->conn.socket);
@@ -588,12 +593,7 @@ static void authenticate(struct trilogy_ctx *ctx, trilogy_handshake_t *handshake
         }
 
         if (rc != TRILOGY_AGAIN) {
-            if (rc == TRILOGY_UNSUPPORTED) {
-                handle_trilogy_error(ctx, rc, "trilogy_auth_recv: caching_sha2_password requires either TCP with TLS or a unix socket");
-            }
-            else {
-                handle_trilogy_error(ctx, rc, "trilogy_auth_recv");
-            }
+            handle_trilogy_error(ctx, rc, "trilogy_auth_recv");
         }
 
         rc = trilogy_sock_wait_read(ctx->conn.socket);