From 02f4665e9b2db4734ce26ecf0bb5e569f2c26c81 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Tue, 13 Aug 2024 17:29:36 +0200
Subject: [PATCH] mysql: Implement and test COM_CHANGE_USER

This reworks the parser such that COM_CHANGE_USER switches the
connection back into the CONNECTION_PHASE so that we can remove the
EXPECT_AUTH_SWITCH special case in the COMMAND_PHASE. Adds two pcaps
produced with Python that actually do COM_CHANGE_USER as it seems
not possible from the MySQL CLI.
---
 scripts/base/protocols/mysql/main.zeek        |   5 ++
 src/analyzer/protocol/mysql/events.bif        |  12 ++++
 .../protocol/mysql/mysql-analyzer.pac         |  44 ++++++++++--
 .../protocol/mysql/mysql-protocol.pac         |  65 ++++++++++++++----
 .../mysql.log                                 |  13 ++++
 .../out                                       |  15 ++++
 .../mysql.log                                 |  17 +++++
 .../out                                       |  22 ++++++
 .../btest/Traces/mysql/change-user-error.pcap | Bin 0 -> 2567 bytes
 .../Traces/mysql/change-user-success.pcap     | Bin 0 -> 3034 bytes
 .../protocols/mysql/change-user-error.test    |  50 ++++++++++++++
 .../protocols/mysql/change-user-success.test  |  50 ++++++++++++++
 12 files changed, 275 insertions(+), 18 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/mysql.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/out
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/mysql.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/out
 create mode 100644 testing/btest/Traces/mysql/change-user-error.pcap
 create mode 100644 testing/btest/Traces/mysql/change-user-success.pcap
 create mode 100644 testing/btest/scripts/base/protocols/mysql/change-user-error.test
 create mode 100644 testing/btest/scripts/base/protocols/mysql/change-user-success.test

diff --git a/scripts/base/protocols/mysql/main.zeek b/scripts/base/protocols/mysql/main.zeek
index d6513b5123..c968ed5326 100644
--- a/scripts/base/protocols/mysql/main.zeek
+++ b/scripts/base/protocols/mysql/main.zeek
@@ -84,6 +84,11 @@ event mysql_command_request(c: connection, command: count, arg: string) &priorit
 	Conn::register_removal_hook(c, finalize_mysql);
 	}
 
+event mysql_change_user(c: connection, username: string) &priority=5
+	{
+	c$mysql$arg = username;
+	}
+
 event mysql_command_request(c: connection, command: count, arg: string) &priority=-5
 	{
 	if ( c?$mysql && c$mysql?$cmd && c$mysql$cmd == "quit" )
diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif
index a102842e05..2bec0aa649 100644
--- a/src/analyzer/protocol/mysql/events.bif
+++ b/src/analyzer/protocol/mysql/events.bif
@@ -12,6 +12,18 @@
 ## .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
 event mysql_command_request%(c: connection, command: count, arg: string%);
 
+## Generated for a change user command from a MySQL client.
+##
+## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
+## for more information about the MySQL protocol.
+##
+## c: The connection.
+##
+## username: The username supplied by the client
+##
+## .. zeek:see:: mysql_error mysql_ok mysql_server_version mysql_handshake
+event mysql_change_user%(c: connection, username: string%);
+
 ## Generated for an unsuccessful MySQL response.
 ##
 ## See the MySQL `documentation <http://dev.mysql.com/doc/internals/en/client-server-protocol.html>`__
diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index eacacf773f..cf2ef60e89 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@@ -87,10 +87,44 @@ refine flow MySQL_Flow += {
 	function proc_mysql_command_request_packet(msg: Command_Request_Packet): bool
 		%{
 		if ( mysql_command_request )
+			{
+			auto arg = to_stringval(${msg.arg});
+
+			// CHANGE_USER will have parsed away the arg,
+			// restore it for backwards compat.
+			if ( ${msg.command} == COM_CHANGE_USER )
+				arg = to_stringval(${msg.change_user.sourcedata});
+
 			zeek::BifEvent::enqueue_mysql_command_request(connection()->zeek_analyzer(),
 			                                        connection()->zeek_analyzer()->Conn(),
 			                                        ${msg.command},
-			                                        to_stringval(${msg.arg}));
+			                                        std::move(arg));
+			}
+
+		return true;
+		%}
+
+	function proc_mysql_change_user_packet(msg: Change_User_Packet): bool
+		%{
+		if ( mysql_change_user )
+			zeek::BifEvent::enqueue_mysql_change_user(connection()->zeek_analyzer(),
+			                                          connection()->zeek_analyzer()->Conn(),
+			                                          zeek::make_intrusive<zeek::StringVal>(c_str(${msg.username})));
+
+		if ( mysql_auth_plugin )
+			{
+			auto data = to_stringval(${msg.auth_plugin_data});
+			auto auth_plugin = zeek::val_mgr->EmptyString();
+			if ( ${msg.have_more_data} )
+				auth_plugin = zeek::make_intrusive<zeek::StringVal>(c_str(${msg.auth_plugin_name}));
+
+			zeek::BifEvent::enqueue_mysql_auth_plugin(connection()->zeek_analyzer(),
+								  connection()->zeek_analyzer()->Conn(),
+								  true /*is_orig*/,
+								  std::move(auth_plugin),
+								  std::move(data));
+			}
+
 		return true;
 		%}
 
@@ -153,7 +187,7 @@ refine flow MySQL_Flow += {
 		return true;
 		%}
 
-	function proc_auth_switch_request_payload(msg: AuthSwitchRequestPayload): bool
+	function proc_auth_switch_request(msg: AuthSwitchRequest): bool
 		%{
 		zeek::BifEvent::enqueue_mysql_auth_switch_request(connection()->zeek_analyzer(),
 		                                                  connection()->zeek_analyzer()->Conn(),
@@ -183,6 +217,8 @@ refine typeattr Handshake_Response_Packet += &let {
 
 refine typeattr Command_Request_Packet += &let {
 	proc = $context.flow.proc_mysql_command_request_packet(this);
+	# Enqueue mysql_change_user() *after* mysql_command_request().
+	proc_change_user = $context.flow.proc_mysql_change_user_packet(change_user) &if(is_change_user);
 };
 
 refine typeattr ERR_Packet += &let {
@@ -201,8 +237,8 @@ refine typeattr Resultset += &let {
 	proc = $context.flow.proc_resultset(this);
 };
 
-refine typeattr AuthSwitchRequestPayload += &let {
-	proc = $context.flow.proc_auth_switch_request_payload(this);
+refine typeattr AuthSwitchRequest += &let {
+	proc = $context.flow.proc_auth_switch_request(this);
 };
 
 refine typeattr AuthMoreData += &let {
diff --git a/src/analyzer/protocol/mysql/mysql-protocol.pac b/src/analyzer/protocol/mysql/mysql-protocol.pac
index e726f591b8..41fbff5808 100644
--- a/src/analyzer/protocol/mysql/mysql-protocol.pac
+++ b/src/analyzer/protocol/mysql/mysql-protocol.pac
@@ -154,7 +154,6 @@ enum Expected {
 	EXPECT_EOF_THEN_RESULTSET,
 	EXPECT_RESULTSET,
 	EXPECT_REST_OF_PACKET,
-	EXPECT_AUTH_SWITCH,
 };
 
 enum EOFType {
@@ -297,7 +296,7 @@ type MySQL_PDU(is_orig: bool) = record {
 	hdr  : Header;
 	msg  : case is_orig of {
 		false -> server_msg: Server_Message(hdr.seq_id, hdr.len, state);
-		true  -> client_msg: Client_Message(state);
+		true  -> client_msg: Client_Message(hdr.len, state);
 	} &requires(state);
 } &let {
 	state: int = $context.connection.get_state();
@@ -377,7 +376,7 @@ type Server_Connection_Phase_Packets = record {
 	packet: case pkt_type of {
 		0x00 -> data_ok: OK_Packet;
 		0x01 -> auth_more_data: AuthMoreData(false);
-		0xfe -> auth_switch_request: AuthSwitchRequestPayload;
+		0xfe -> auth_switch_request: AuthSwitchRequest;
 		0xff -> data_err: ERR_Packet;
 	};
 };
@@ -443,6 +442,7 @@ type Handshake_Response_Packet_v10 = record {
 } &let {
 	deprecate_eof: bool = $context.connection.set_deprecate_eof(cap_flags & CLIENT_DEPRECATE_EOF);
 	client_query_attrs: bool = $context.connection.set_client_query_attrs(cap_flags & CLIENT_QUERY_ATTRIBUTES);
+	proc_cap_flags: bool = $context.connection.set_client_capabilities(cap_flags);
 };
 
 type Handshake_Response_Packet_v9 = record {
@@ -459,9 +459,9 @@ type Handshake_Response_Packet_v9 = record {
 
 # Connection Phase
 
-type Client_Message(state: int) = case state of {
+type Client_Message(pkt_len: uint32, state: int) = case state of {
 	CONNECTION_PHASE -> connection_phase: Connection_Phase_Packets;
-	COMMAND_PHASE    -> command_phase   : Command_Request_Packet;
+	COMMAND_PHASE    -> command_phase   : Command_Request_Packet(pkt_len);
 };
 
 type Connection_Phase_Packets = case $context.connection.get_conn_expectation() of {
@@ -514,17 +514,49 @@ type Query_Attributes = record {
 
 # Command Request
 
-type Command_Request_Packet = record {
+type Command_Request_Packet(pkt_len: uint32) = record {
 	command: uint8;
 	attrs  : case ( command == COM_QUERY && $context.connection.get_client_query_attrs() && $context.connection.get_server_query_attrs() ) of {
 		true  -> query_attrs: Query_Attributes;
 		false -> none: empty;
 	};
+
+	have_change_user: case is_change_user of {
+		true  -> change_user: Change_User_Packet(pkt_len);
+		false -> none_change_user: empty;
+	};
+
 	arg    : bytestring &restofdata;
 } &let {
+	is_change_user = command == COM_CHANGE_USER;
 	update_expectation: bool = $context.connection.set_next_expected_from_command(command);
 };
 
+# Command from the client to switch the user mid-session.
+#
+# https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_com_change_user.html
+type Change_User_Packet(pkt_len: uint32) = record {
+	username : NUL_String;
+	auth_plugin_data_len: uint8;
+	auth_plugin_data: bytestring &length=auth_plugin_data_len;
+	database: NUL_String;
+	charset: uint16;
+
+	auth_plugin_name_case: case have_auth_plugin_name of {
+		true -> auth_plugin_name: NUL_String;
+		false -> no_more_data1: empty;
+	};
+
+	conn_attrs_case: case have_conn_attrs of {
+		true -> conn_attrs: Handshake_Connection_Attributes;
+		false -> no_conn_attrs: empty;
+	};
+} &let {
+	have_more_data = offsetof(auth_plugin_name_case) < pkt_len;
+	have_auth_plugin_name = have_more_data && ($context.connection.get_client_capabilities() & CLIENT_PLUGIN_AUTH) == CLIENT_PLUGIN_AUTH;
+	have_conn_attrs = have_more_data && ($context.connection.get_client_capabilities() & CLIENT_CONNECT_ATTRS) == CLIENT_CONNECT_ATTRS;
+} &exportsourcedata;
+
 # Command Response
 
 type Command_Response(pkt_len: uint32) = case $context.connection.get_expectation() of {
@@ -534,7 +566,6 @@ type Command_Response(pkt_len: uint32) = case $context.connection.get_expectatio
 	EXPECT_RESULTSET                -> resultset     : Resultset(pkt_len);
 	EXPECT_REST_OF_PACKET           -> rest          : bytestring &restofdata;
 	EXPECT_STATUS                   -> status        : Command_Response_Status;
-	EXPECT_AUTH_SWITCH              -> auth_switch   : AuthSwitchRequest;
 	EXPECT_EOF_THEN_RESULTSET       -> eof           : EOFIfLegacyThenResultset(pkt_len);
 	default                         -> unknown       : empty;
 };
@@ -643,11 +674,6 @@ type AuthMoreData(is_orig: bool) = record {
 };
 
 type AuthSwitchRequest = record {
-	status: uint8 &enforce(status==254);
-	payload: AuthSwitchRequestPayload;
-};
-
-type AuthSwitchRequestPayload = record {
 	name  : NUL_String;
 	data  : bytestring &restofdata;
 } &let {
@@ -708,6 +734,7 @@ refine connection MySQL_Conn += {
 		bool deprecate_eof_;
 		bool server_query_attrs_;
 		bool client_query_attrs_;
+		uint32 client_capabilities_;
 		std::string auth_plugin_;
 		int query_attr_idx_;
 	%}
@@ -797,6 +824,17 @@ refine connection MySQL_Conn += {
 		return true;
 		%}
 
+	function set_client_capabilities(c: uint32): bool
+		%{
+		client_capabilities_ = c;
+		return true;
+		%}
+
+	function get_client_capabilities(): uint32
+		%{
+		return client_capabilities_;
+		%}
+
 	function get_expectation(): Expected
 		%{
 		return expected_;
@@ -874,8 +912,7 @@ refine connection MySQL_Conn += {
 			expected_ = EXPECT_STATUS;
 			break;
 		case COM_CHANGE_USER:
-			// XXX: Could we switch into CONNECTION_PHASE instead?
-			expected_ = EXPECT_AUTH_SWITCH;
+			update_state(CONNECTION_PHASE);
 			break;
 		case COM_BINLOG_DUMP:
 			expected_ = NO_EXPECTATION;
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/mysql.log
new file mode 100644
index 0000000000..92eacd2d18
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/mysql.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	mysql
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	success	rows	response
+#types	time	string	addr	port	addr	port	string	string	bool	count	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	37446	127.0.0.1	3306	login	root	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	37446	127.0.0.1	3306	ping	(empty)	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	37446	127.0.0.1	3306	change_user	root2	F	-	Access denied for user 'root2'@'127.0.0.1' (using password: YES)
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/out b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/out
new file mode 100644
index 0000000000..9eadb872b9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-error/out
@@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+mysql auth plugin, F, caching_sha2_password, ~~[R4_KL3\x1fi]M\x0fDRA\x12-\x0a\x00, 21
+mysql handshake, root
+mysql auth plugin, T, caching_sha2_password, \xda\xf6\xbf\x9e\xa2`\xe4\xba\xd8\xdd[\xdc\x84CE\xe0Ya\xdd\xb0\x9d;\x165Q\x89\xef\xacY\xef\x8dm, 32
+mysql auth switch request, mysql_native_password, ~~[R4_KL3\x1fi]M\x0fDRA\x12-\x0a\x00, 21
+mysql auth more data, T, W\xbf\xb89Z\x8d\xe4Z\xd4}\xaf\xeb\xd4\x1b\xf3\x0b\xb1OS\xd7, 20
+mysql ok, 0
+mysql request, 14, 
+mysql ok, 0
+mysql request, 17, root2\x00 \xf5n\xad'\xb7)\xee\x08\xc2&\xac6 a\xe3\xf2\xcd{\xda)\x09\xf1j\xa8\x8a\xcb 7\xf1\xb6\x8cK\x00\xff\x00caching_sha2_password\x00\x96\x04_pid\x071581535\x09_platform\x06x86_64\x0c_source_host\x07tinkyx1\x0c_client_name\x16mysql-connector-python\x0f_client_license\x07GPL-2.0\x0f_client_version\x059.0.0\x03_os\x0cUbuntu-24.04
+mysql change user, root2
+mysql auth plugin, T, caching_sha2_password, \xf5n\xad'\xb7)\xee\x08\xc2&\xac6 a\xe3\xf2\xcd{\xda)\x09\xf1j\xa8\x8a\xcb 7\xf1\xb6\x8cK, 32
+mysql auth switch request, mysql_native_password, ~~[R4_KL3\x1fi]M\x0fDRA\x12-\x0a\x00, 21
+mysql auth more data, T, \xcc\xc0\xaf\x97=\xc2lG\xebG\xef=\x93\xd1\xf1\xe6\x98\xb5\x04\x19, 20
+mysql error, 1045, Access denied for user 'root2'@'127.0.0.1' (using password: YES)
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/mysql.log b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/mysql.log
new file mode 100644
index 0000000000..6b1e5933ee
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/mysql.log
@@ -0,0 +1,17 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	mysql
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	success	rows	response
+#types	time	string	addr	port	addr	port	string	string	bool	count	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	login	root	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	ping	(empty)	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	change_user	root2	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	query	SET NAMES 'utf8mb4' COLLATE 'utf8mb4_0900_ai_ci'	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	query	SET @@session.autocommit = OFF	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	ping	(empty)	T	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	43330	127.0.0.1	3306	quit	(empty)	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/out b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/out
new file mode 100644
index 0000000000..edf7c67d47
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.mysql.change-user-success/out
@@ -0,0 +1,22 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+mysql auth plugin, F, caching_sha2_password, \x11<gm=NJ-\x12\x0fh\x0ddqQb\x1dZ24\x00, 21
+mysql handshake, root
+mysql auth plugin, T, caching_sha2_password, N#\x9d\x8a`\x0c.K\x81\xf7&\xbbE{\xd2*\x80\xb6b\xae>\x05\x8dA]\x9ay\xeeU\x1a\x8c%, 32
+mysql auth switch request, mysql_native_password, \x11<gm=NJ-\x12\x0fh\x0ddqQb\x1dZ24\x00, 21
+mysql auth more data, T, \x15\xe9Mj\x8d\x99/\xf8\x1d\xa7\x8am\xa4\xb9\x90\x1e!\xc5 \x05, 20
+mysql ok, 0
+mysql request, 14, 
+mysql ok, 0
+mysql request, 17, root2\x00 N#\x9d\x8a`\x0c.K\x81\xf7&\xbbE{\xd2*\x80\xb6b\xae>\x05\x8dA]\x9ay\xeeU\x1a\x8c%\x00\xff\x00caching_sha2_password\x00\x96\x04_pid\x071581443\x09_platform\x06x86_64\x0c_source_host\x07tinkyx1\x0c_client_name\x16mysql-connector-python\x0f_client_license\x07GPL-2.0\x0f_client_version\x059.0.0\x03_os\x0cUbuntu-24.04
+mysql change user, root2
+mysql auth plugin, T, caching_sha2_password, N#\x9d\x8a`\x0c.K\x81\xf7&\xbbE{\xd2*\x80\xb6b\xae>\x05\x8dA]\x9ay\xeeU\x1a\x8c%, 32
+mysql auth switch request, mysql_native_password, \x11<gm=NJ-\x12\x0fh\x0ddqQb\x1dZ24\x00, 21
+mysql auth more data, T, \x15\xe9Mj\x8d\x99/\xf8\x1d\xa7\x8am\xa4\xb9\x90\x1e!\xc5 \x05, 20
+mysql ok, 0
+mysql request, 3, SET NAMES 'utf8mb4' COLLATE 'utf8mb4_0900_ai_ci'
+mysql ok, 0
+mysql request, 3, SET @@session.autocommit = OFF
+mysql ok, 0
+mysql request, 14, 
+mysql ok, 0
+mysql request, 1, 
diff --git a/testing/btest/Traces/mysql/change-user-error.pcap b/testing/btest/Traces/mysql/change-user-error.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fbc2a4fa1a9e9cea2c7a8a2f67dc2ec76f87aae5
GIT binary patch
literal 2567
zcmdUxe@q)?7{}jU%N4rLG3Jm3r?<>lNk-Rpg~5afI!4@>KOly{V$NC)se?Q0wR5l(
zF)=0(7vo6O#7H)_IoOzN6*n>yy0DnV%tcLzEX1iOgRvzN*pCGN;C!B!zU(eS6aVx{
zp5%HhpXdAhdS8YwMUQaALYQe9Atw0nMAJ95r;hSuCp@F;Et!-MQV=y2ks`i*;2rn_
z^g}!Bw<_m0-^5=Y=Cl#pBZP1kZN$PQ+cNGZ-N5%Iv)PK|frMm2kX&$qk?pq*?I><8
z7l1x>I8D1!*=ZyroslmB`B{jBt~aXL8|A3x7$e6uPXT>HYbr-tszIY^K`&BK>*ZrS
z`4CX(dZWa5BPWnJc$E?3S~sB9)(npP95NE02ZSxp>2-QY8a%eN>?!w(yUK{BX&ljh
zTl*lwmd69H?q0RMyf`h}M*Kd1T|j<ARO@^mvC*fhZ!5tX+N2*rUV?<pG~q!ePnWPv
z6JBYQhY3#~=gBsh0d&1#!lq483liJDU6Ke1_djYR-i41VyD~F?RHW%~y62#xgorSD
zKi1jx+W3WQ*Z2JL-g70tSNX1=`TXhhoR{0Cd#k1oHY`(wk1b+jpvLOX$#dsy$w?6#
z>wTeGCD_34&&w5ay>?Mm!a=_z)+uVp8VbmJoA$fyqQ5>M$stkpHAv|VP3l|q*?vWq
zC4Wc>W;Zs4>J)hu`%QhoFUhK8Eq$ph+v9XCzTYPW)qo-=<vU$YmswO)`zx=9<xn`=
z<8`{cSjoSklFRod(v6jjtz(spkB(e9=NfBGHEEG_V<nNe_Y0l`p>pVYqr+Ge=|SS)
z%_WJ@n~q!~aTDy(Jk1^o5en>+9*h<nOv4nSg4z>2fi0o_F9l`MBvjCTj44={H`f>}
zSSPN-caB8`6S!ax6JoB64dhoJ9IqaZ^xYoLytCr$ixndnDZiU1yCDR+-e|7RL{8G`
z*;%A`^*W(?a~LTcHAI@Q5_-yUKtlLgfS1BEy51-}Kg!cI&M|mAjX6l82jLB08R57o
z4<UAAPeRS7sOA+68`s<en&+wJ<3=oKMl#cU3E+>x3v|8F#Y~M_5#IJIgU2<`gXVsO
zr^5jjKijbM6W0K-8aK~FgnRO7$N8+kl82t`%@urq&R#t*nw2v1W_SA)Ve8Df4|Wml
z|F?XulL=R)7ppaRgH<cuivG$u_b68Dqx;5c!K#@4>#DpD3KFbJGAd|4!W1m@%RLJH
z8b<}&*BBMRs&L<5?E9o}sJ`@e>2zVoPcsvrer;KYWA_I{N^nP=rnz2bk>a_IL$0$J
zX?AKc(j-m>+)-w2t!1Mp&*gFz`~8xt3N?}(kZJ@tScR}E1qBD497mDE?b(XwpVRFS
zo(ijQM+xkD+9p($RAiyNS&*0D9Q+dH#nu?*Rk*3V)f_ocXq1P<&&CoG`zSGOS>onJ
z;yp|liCsW^0agNCZ}dPYil)$J^)h0-S+m8>6`nKjk3(k6K%6w0l5Fsu8^1?-Yl}5O
w1)?@eKfe^c6)TX$==^%nJBh@OghWD+STMwh3oWnkKuz!9z2E$Up2)BN2e46|KmY&$

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/mysql/change-user-success.pcap b/testing/btest/Traces/mysql/change-user-success.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b9cd05c6e1c088717ff2e3b2bbde338c1a710574
GIT binary patch
literal 3034
zcmdUxT}&KR6vyxG0$Xv{vQ2A1(`LIy!P;Gy?b?7+1$4V9<!eJp1Y@TA1v{3Vp*sVz
z@xjGLtH?+Fhz1i)H8o0;`rt#2HfbM7i};nO+tj#Ch(0ON0tE{7!SS5ST$mwcqK}^B
zBr}uU-}(Q~z30wk$3K1FO!5c|MIpolH|F%Yj?;s7QU}+V+So(_gjBiys3z3~CEq;{
zf5058wN1yeO;6%4Pnwl02Xa8kQ?BHhHx(Aozwk3YH(4xJB%d`T6N2QbFBsW2JyzT9
z$m9dP?c^5a>mTRzWTZ3l1t8Z#B}{El&3@OPRP$v<RyDT)y&zL$CV!m)jiwd7NJXut
zVLKTC6s9&Pu|N1C5*KC|QPo<2S~JCFa_K!i@c<wSD?EOWk2v7cQPr8;*I4H!ilUf_
zGPP~3!j{bmd+cZ^vc28sC(&>;!3&+7lnDE{?yw|1E2d&}k!}Zh28ORu!&xRzW4MJH
zKCG9AhFeDL<YCwYnA$+YrroX?Bo^mxNd&_eYxKkgxV3+9cQKHv6)jG4of1WvI2-SI
zci^zibFhEuzH@=+e%O^c8~NnX{Gpns-$`F<y=(B^4Vv&)9@ovstmO|?l>7aAZsWSU
z!g7b0N*450?B(|QZJZ?bq@r;yAxg4U=7l5azH%EE?c(Et%n9LS{LW-rI@;xqih>Z2
z%3{jhot6`#u$ld)i;u<yDQ*om*Smcl@9Oj3cuL|$A-~e&^>{6uDA`&gJ%Zfh_W3<t
zKX&pd=;X$06MP9fx%dd{q`GxlV%g?UrpTn+<n^6I;`cyILFX{FK{sP8c$^XoZ%Kr;
z`4tvGyS;bA9Q{q*LnCCqH@>#D*v8cDLR64DVJGcS8dDooLA`4h6_l)w?#g~^4#9vO
z!*TeqZ&g7K2W%@LmTkW`JTo-<;PUp529l>fKe1!yMQ1)%Du2yR8lVKGHfW{Cf-h6A
zo^@W2LHBs9bUj~JDQ6}0lrsYf;bQ;~!ZoHgD7?}&M{Rt=;HnKCYz!lOx<C)dNx1{D
zGsc=<p_<(ctFHJkXciDVx2(s4W+XGsiP!C92Ry*k25L4HxvnF;c!9xH%>rm1Mfm);
zdiYO(aNy+m{>A7i|G(jzfNmL#$^cyoE9;iJ6r-_hs1CdJ%LRS6U{p;1byTK7fx)QE
zqk@vpn1Yq{3e~}SO`?KRm3jp*D&~zwrSuKMQF)bmeSlR`y-tGH2v(Y%&{u+OXMxSZ
zwp}g2({PWe4LT}ETnp63+YGMSh=7eO!Y@bk@I8RA5K~Lwkh8I-A<*J1?U6ewk`aHY
z^YNzo`kF(5)hC>{((C2IJQw9lakx$!yBwr0cQGNV%PhF0`+xShUdX!PngDnwXv5S7
zb=l@xq%J>ZaMk4~xST?lXUg>Ooq$kXR#!`L311YRaE~lT#blC~o%@_k`}d=#t#2Bx
z+z|D2KP#(xngUPf>B_a~%c`DGKf=oZ9)xR5ZK#Lb4eDuv!BtP^!P7Lte{0pl@zkM*
zT+~?eFx6bfu&QSGHVlnZ&F~4NzJ%}<fCn=>&rox>vF0VJ`4WSxn#V!&BElD+ScP9j
zIFe0>?FDQt++b>hw!-gPrr596VZWqUhnXxL)MJs@Z%7P|&@T8GQSHJabYU`s#I-J<
b(5pxsG$guiQjL?0s9K){jW_U9ZawiIQ`Y~`

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/mysql/change-user-error.test b/testing/btest/scripts/base/protocols/mysql/change-user-error.test
new file mode 100644
index 0000000000..c30f44f426
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/mysql/change-user-error.test
@@ -0,0 +1,50 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/change-user-error.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_change_user(c: connection, username: string)
+	{
+	print "mysql change user", username;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
+
+event mysql_auth_plugin(c: connection, is_orig: bool, name: string, data: string)
+	{
+	print "mysql auth plugin", is_orig, name, data, |data|;
+	}
+
+event mysql_auth_switch_request(c: connection, name: string, data: string)
+	{
+	print "mysql auth switch request", name, data, |data|;
+	}
+
+event mysql_auth_more_data(c: connection, is_orig: bool, data: string)
+	{
+	print "mysql auth more data", is_orig, data, |data|;
+	}
diff --git a/testing/btest/scripts/base/protocols/mysql/change-user-success.test b/testing/btest/scripts/base/protocols/mysql/change-user-success.test
new file mode 100644
index 0000000000..46456f5a89
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/mysql/change-user-success.test
@@ -0,0 +1,50 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/mysql/change-user-success.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff mysql.log
+
+@load base/protocols/mysql
+
+event mysql_ok(c: connection, affected_rows: count)
+	{
+	print "mysql ok", affected_rows;
+	}
+
+event mysql_eof(c: connection, is_intermediate: bool)
+	{
+	print "mysql eof", is_intermediate;
+	}
+
+event mysql_error(c: connection, code: count, msg: string)
+	{
+	print "mysql error", code, msg;
+	}
+
+event mysql_command_request(c: connection, command: count, arg: string)
+	{
+	print "mysql request", command, arg;
+	}
+
+event mysql_change_user(c: connection, username: string)
+	{
+	print "mysql change user", username;
+	}
+
+event mysql_handshake(c: connection, username: string)
+	{
+	print "mysql handshake", username;
+	}
+
+event mysql_auth_plugin(c: connection, is_orig: bool, name: string, data: string)
+	{
+	print "mysql auth plugin", is_orig, name, data, |data|;
+	}
+
+event mysql_auth_switch_request(c: connection, name: string, data: string)
+	{
+	print "mysql auth switch request", name, data, |data|;
+	}
+
+event mysql_auth_more_data(c: connection, is_orig: bool, data: string)
+	{
+	print "mysql auth more data", is_orig, data, |data|;
+	}