MySQL 8.0.39
Source Code Documentation
|
AUTHENTICATION CODE. More...
#include "sql/auth/sql_authentication.h"
#include <fcntl.h>
#include <mysql/components/my_service.h>
#include <sql/ssl_acceptor_context_operator.h>
#include <sql/ssl_init_callback.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string>
#include <utility>
#include <vector>
#include "crypt_genhash_impl.h"
#include "include/compression.h"
#include "m_string.h"
#include "map_helpers.h"
#include "mutex_lock.h"
#include "my_byteorder.h"
#include "my_command.h"
#include "my_compiler.h"
#include "my_dbug.h"
#include "my_dir.h"
#include "my_inttypes.h"
#include "my_io.h"
#include "my_loglevel.h"
#include "my_psi_config.h"
#include "my_sys.h"
#include "my_time.h"
#include "mysql/components/services/bits/psi_bits.h"
#include "mysql/components/services/log_builtins.h"
#include "mysql/components/services/log_shared.h"
#include "mysql/plugin.h"
#include "mysql/psi/mysql_mutex.h"
#include "mysql/service_my_plugin_log.h"
#include "mysql/service_mysql_alloc.h"
#include "mysql/service_mysql_password_policy.h"
#include "mysql_com.h"
#include "mysql_time.h"
#include "mysqld_error.h"
#include "password.h"
#include "pfs_thread_provider.h"
#include "prealloced_array.h"
#include "sql/auth/auth_acls.h"
#include "sql/auth/auth_common.h"
#include "sql/auth/auth_internal.h"
#include "sql/auth/partial_revokes.h"
#include "sql/auth/sql_auth_cache.h"
#include "sql/auth/sql_security_ctx.h"
#include "sql/conn_handler/connection_handler_manager.h"
#include "sql/current_thd.h"
#include "sql/debug_sync.h"
#include "sql/derror.h"
#include "sql/hostname_cache.h"
#include "sql/log.h"
#include "sql/mysqld.h"
#include "sql/protocol.h"
#include "sql/protocol_classic.h"
#include "sql/psi_memory_key.h"
#include "sql/sql_class.h"
#include "sql/sql_connect.h"
#include "sql/sql_const.h"
#include "sql/sql_db.h"
#include "sql/sql_error.h"
#include "sql/sql_lex.h"
#include "sql/sql_plugin.h"
#include "sql/sql_time.h"
#include "sql/strfunc.h"
#include "sql/system_variables.h"
#include "sql/tztime.h"
#include "sql_common.h"
#include "sql_string.h"
#include "template_utils.h"
#include "violite.h"
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/x509v3.h>
Classes | |
class | FileCloser |
class | File_IO |
FILE_IO : Wrapper around std::fstream 1> Provides READ/WRITE handle to a file 2> Records error on READ/WRITE operations 3> Closes file before destruction. More... | |
class | File_creator |
class | RSA_gen |
class | X509_gen |
Macros | |
#define | LOG_COMPONENT_TAG "mysql_native_password" |
#define | AUTH_PACKET_HEADER_SIZE_PROTO_41 32 |
Size of the header fields of an authentication packet. More... | |
#define | AUTH_PACKET_HEADER_SIZE_PROTO_40 5 |
#define | MAX_CIPHER_LENGTH 1024 |
#define | SHA256_PASSWORD_MAX_PASSWORD_LENGTH MAX_PLAINTEXT_LENGTH |
#define | DEFAULT_SSL_CLIENT_CERT "client-cert.pem" |
#define | DEFAULT_SSL_CLIENT_KEY "client-key.pem" |
#define | MAX_CN_NAME_LENGTH 64 |
#define | LOG_COMPONENT_TAG "sha256_password" |
Typedefs | |
typedef char *(* | get_proto_string_func_t) (char **, size_t *, size_t *) |
Get a string according to the protocol of the underlying buffer. More... | |
typedef std::string | Sql_string_t |
Functions | |
const char * | client_plugin_name (plugin_ref ref) |
int | security_level (void) |
static bool | do_auto_rsa_keys_generation () |
void | optimize_plugin_compare_by_pointer (LEX_CSTRING *plugin_name) |
int | set_default_auth_plugin (char *plugin_name, size_t plugin_name_length) |
Initialize default authentication plugin based on command line options or configuration file settings. More... | |
std::string | get_default_autnetication_plugin_name () |
Return the default authentication plugin name. More... | |
bool | auth_plugin_is_built_in (const char *plugin_name) |
bool | auth_plugin_supports_expiration (const char *plugin_name) |
Only the plugins that are known to use the mysql.user table to store their passwords support password expiration atm. More... | |
static void | login_failed_error (THD *thd, MPVIO_EXT *mpvio, int passwd_used) |
a helper function to report an access denied error in all the proper places More... | |
static bool | send_server_handshake_packet (MPVIO_EXT *mpvio, const char *data, uint data_len) |
Sends a server Protocol::HandshakeV10. More... | |
static bool | send_plugin_request_packet (MPVIO_EXT *mpvio, const uchar *data, uint data_len) |
Sends a Protocol::AuthSwitchRequest:. More... | |
static bool | send_auth_next_factor_packet (MPVIO_EXT *mpvio, const uchar *data, uint data_len) |
Sends a Protocol::AuthNextFactor:. More... | |
bool | acl_check_host (THD *thd, const char *host, const char *ip) |
ACL_USER * | decoy_user (const LEX_CSTRING &username, const LEX_CSTRING &hostname, MEM_ROOT *mem, struct rand_struct *rand, bool is_initialized) |
When authentication is attempted using an unknown username a dummy user account with no authentication capabilities is assigned to the connection. More... | |
static bool | find_mpvio_user (THD *thd, MPVIO_EXT *mpvio) |
Finds acl entry in user database for authentication purposes. More... | |
static bool | read_client_connect_attrs (THD *thd, char **ptr, size_t *max_bytes_available, MPVIO_EXT *mpvio) |
static bool | acl_check_ssl (THD *thd, const ACL_USER *acl_user) |
bool | sha256_rsa_auth_status () |
Check if server has valid public key/private key pair for RSA communication. More... | |
static bool | parse_com_change_user_packet (THD *thd, MPVIO_EXT *mpvio, size_t packet_length) |
Parses a COM_CHANGE_USER. More... | |
static char * | get_41_protocol_string (char **buffer, size_t *max_bytes_available, size_t *string_length) |
Get a string formatted according to the 4.1 version of the MySQL protocol. More... | |
static char * | get_40_protocol_string (char **buffer, size_t *max_bytes_available, size_t *string_length) |
Get a string formatted according to the 4.0 version of the MySQL protocol. More... | |
static char * | get_56_lenc_string (char **buffer, size_t *max_bytes_available, size_t *string_length) |
Get a length encoded string from a user-supplied buffer. More... | |
static char * | get_41_lenc_string (char **buffer, size_t *max_bytes_available, size_t *string_length) |
Get a length encoded string from a user-supplied buffer. More... | |
static size_t | parse_client_handshake_packet (THD *thd, MPVIO_EXT *mpvio, uchar **buff, size_t pkt_len) |
static int | wrap_plguin_data_into_proper_command (NET *net, const uchar *packet, int packet_len) |
Wrap the extra auth data sent so that they can pass in the protocol. More... | |
static int | server_mpvio_write_packet (MYSQL_PLUGIN_VIO *param, const uchar *packet, int packet_len) |
vio->write_packet() callback method for server authentication plugins More... | |
static int | server_mpvio_read_packet (MYSQL_PLUGIN_VIO *param, uchar **buf) |
vio->read_packet() callback method for server authentication plugins More... | |
static void | server_mpvio_info (MYSQL_PLUGIN_VIO *vio, MYSQL_PLUGIN_VIO_INFO *info) |
fills MYSQL_PLUGIN_VIO_INFO structure with the information about the connection More... | |
static int | do_auth_once (THD *thd, const LEX_CSTRING &auth_plugin_name, MPVIO_EXT *mpvio) |
static int | do_multi_factor_auth (THD *thd, MPVIO_EXT *mpvio) |
Perform 2nd and 3rd factor authentication. More... | |
static void | server_mpvio_initialize (THD *thd, MPVIO_EXT *mpvio, Thd_charset_adapter *charset_adapter) |
static void | server_mpvio_update_thd (THD *thd, MPVIO_EXT *mpvio) |
static bool | check_password_lifetime (THD *thd, const ACL_USER *acl_user) |
Calculate the timestamp difference for password expiry. More... | |
void | acl_log_connect (const char *user, const char *host, const char *auth_as, const char *db, THD *thd, enum enum_server_command command) |
Logging connection for the general query log, extracted from acl_authenticate() as it's reused at different times based on whether proxy users are checked. More... | |
void | assign_priv_user_host (Security_context *sctx, ACL_USER *user) |
static bool | check_restrictions_for_com_connect_command (THD *thd) |
Check that for command COM_CONNECT, either restriction on max number of concurrent connections not violated or in case the connection is admin connection the user has required privilege. More... | |
static void | check_and_update_password_lock_state (MPVIO_EXT &mpvio, THD *thd, int &res) |
int | acl_authenticate (THD *thd, enum_server_command command) |
Perform the handshake, authorize the client and update thd sctx variables. More... | |
bool | is_secure_transport (int vio_type) |
static void | native_password_authentication_deprecation_warning () |
static int | generate_native_password (char *outbuf, unsigned int *buflen, const char *inbuf, unsigned int inbuflen) |
static int | validate_native_password_hash (char *const inbuf, unsigned int buflen) |
static int | set_native_salt (const char *password, unsigned int password_len, unsigned char *salt, unsigned char *salt_len) |
static int | generate_sha256_password (char *outbuf, unsigned int *buflen, const char *inbuf, unsigned int inbuflen) |
static int | validate_sha256_password_hash (char *const inbuf, unsigned int buflen) |
static int | set_sha256_salt (const char *password, unsigned int password_len, unsigned char *salt, unsigned char *salt_len) |
static int | compare_native_password_with_hash (const char *hash, unsigned long hash_length, const char *cleartext, unsigned long cleartext_length, int *is_error) |
Compare a clear text password with a stored hash for the native password plugin. More... | |
static int | native_password_authenticate (MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) |
MySQL Server Password Authentication Plugin. More... | |
static int | my_vio_is_encrypted (MYSQL_PLUGIN_VIO *vio) |
Interface for querying the MYSQL_PUBLIC_VIO about encryption state. More... | |
int | show_rsa_public_key (THD *, SHOW_VAR *var, char *) |
void | deinit_rsa_keys (void) |
bool | init_rsa_keys (void) |
Loads the RSA key pair from disk and store them in a global variable. More... | |
static int | init_sha256_password_handler (MYSQL_PLUGIN plugin_ref) |
static void | auth_save_scramble (MYSQL_PLUGIN_VIO *vio, const char *scramble) |
static int | compare_sha256_password_with_hash (const char *hash, unsigned long hash_length, const char *cleartext, unsigned long cleartext_length, int *is_error) |
Compare a clear text password with a stored hash. More... | |
static int | sha256_password_authenticate (MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info) |
static | MYSQL_SYSVAR_STR (private_key_path, auth_rsa_private_key_path, PLUGIN_VAR_READONLY|PLUGIN_VAR_NOPERSIST, "A fully qualified path to the private RSA key used for authentication", nullptr, nullptr, AUTH_DEFAULT_RSA_PRIVATE_KEY) |
static | MYSQL_SYSVAR_STR (public_key_path, auth_rsa_public_key_path, PLUGIN_VAR_READONLY|PLUGIN_VAR_NOPERSIST, "A fully qualified path to the public RSA key used for authentication", nullptr, nullptr, AUTH_DEFAULT_RSA_PUBLIC_KEY) |
static | MYSQL_SYSVAR_BOOL (auto_generate_rsa_keys, auth_rsa_auto_generate_rsa_keys, PLUGIN_VAR_READONLY|PLUGIN_VAR_OPCMDARG|PLUGIN_VAR_NOPERSIST, "Auto generate RSA keys at server startup if corresponding " "system variables are not specified and key files are not present " "at the default location.", nullptr, nullptr, true) |
static bool | resize_no_exception (Sql_string_t &content, size_t size) |
Exception free resize. More... | |
static EVP_PKEY * | evp_pkey_generate (RSA *rsa) |
static Sql_string_t | rsa_priv_key_write (RSA *rsa) |
Write private key in a string buffer. More... | |
static Sql_string_t | rsa_pub_key_write (RSA *rsa) |
Write public key in a string buffer. More... | |
static X509 * | x509_cert_read (const Sql_string_t &input_string) |
Read a X509 certificate into X509 format. More... | |
static Sql_string_t | x509_cert_write (X509 *cert) |
Write X509 certificate into a string. More... | |
static EVP_PKEY * | x509_key_read (const Sql_string_t &input_string) |
Read Private key into EVP_PKEY structure. More... | |
static Sql_string_t | x509_key_write (EVP_PKEY *pkey) |
Write X509 certificate into a string. More... | |
template<typename RSA_generator_func , typename File_creation_func > | |
bool | create_x509_certificate (RSA_generator_func &rsa_gen, const Sql_string_t cn, uint32_t serial, const Sql_string_t cert_filename, const Sql_string_t key_filename, File_creation_func &filecr, const Sql_string_t ca_key_file="", const Sql_string_t ca_cert_file="") |
Algorithm to create X509 certificate. More... | |
template<typename RSA_generator_func , typename File_creation_func > | |
bool | create_RSA_key_pair (RSA_generator_func &rsa_gen, const Sql_string_t priv_key_filename, const Sql_string_t pub_key_filename, File_creation_func &filecr) |
Algorithm to generate RSA key pair. More... | |
bool | do_auto_cert_generation (ssl_artifacts_status auto_detection_status, const char **ssl_ca, const char **ssl_key, const char **ssl_cert) |
Check auto_generate_certs option and generate SSL certificates if required. More... | |
static bool | generate_rsa_keys (bool auto_generate, const char *priv_key_path, const char *pub_key_path, const char *message) |
mysql_declare_plugin (mysql_password) | |
Variables | |
constexpr const std::array | rsa_key_sizes {2048, 2048, 2048, 3072, 7680, 15360} |
const uint | MAX_UNKNOWN_ACCOUNTS = 1000 |
Map_with_rw_lock< Auth_id, uint > * | unknown_accounts = nullptr |
Hash to map unknown accounts to an authentication plugin. More... | |
LEX_CSTRING | validate_password_plugin_name |
LEX_CSTRING | default_auth_plugin_name |
Cached_authentication_plugins * | g_cached_authentication_plugins = nullptr |
bool | disconnect_on_expired_password = true |
bool | initialized |
bool | opt_auto_generate_certs = true |
bool | auth_rsa_auto_generate_rsa_keys = true |
char * | auth_rsa_private_key_path |
char * | auth_rsa_public_key_path |
Rsa_authentication_keys * | g_sha256_rsa_keys = nullptr |
static MYSQL_PLUGIN | plugin_info_ptr |
static SYS_VAR * | sha256_password_sysvars [] |
static struct st_mysql_auth | native_password_handler |
static struct st_mysql_auth | sha256_password_handler |
AUTHENTICATION CODE.
including initial connect handshake, invoking appropriate plugins, client-server plugin negotiation, COM_CHANGE_USER, and native MySQL authentication plugins.
#define AUTH_PACKET_HEADER_SIZE_PROTO_40 5 |
#define AUTH_PACKET_HEADER_SIZE_PROTO_41 32 |
Size of the header fields of an authentication packet.
#define DEFAULT_SSL_CLIENT_CERT "client-cert.pem" |
#define DEFAULT_SSL_CLIENT_KEY "client-key.pem" |
#define LOG_COMPONENT_TAG "mysql_native_password" |
#define LOG_COMPONENT_TAG "sha256_password" |
#define MAX_CIPHER_LENGTH 1024 |
#define MAX_CN_NAME_LENGTH 64 |
#define SHA256_PASSWORD_MAX_PASSWORD_LENGTH MAX_PLAINTEXT_LENGTH |
typedef char *(* get_proto_string_func_t) (char **, size_t *, size_t *) |
Get a string according to the protocol of the underlying buffer.
typedef std::string Sql_string_t |
int acl_authenticate | ( | THD * | thd, |
enum_server_command | command | ||
) |
Perform the handshake, authorize the client and update thd sctx variables.
thd | thread handle |
command | the command to be executed, it can be either a COM_CHANGE_USER or COM_CONNECT (if it's a new connection) |
0 | success, thd is updated. |
1 | error |
bool acl_check_host | ( | THD * | thd, |
const char * | host, | ||
const char * | ip | ||
) |
void acl_log_connect | ( | const char * | user, |
const char * | host, | ||
const char * | auth_as, | ||
const char * | db, | ||
THD * | thd, | ||
enum enum_server_command | command | ||
) |
Logging connection for the general query log, extracted from acl_authenticate() as it's reused at different times based on whether proxy users are checked.
user | authentication user name |
host | authentication user host or IP address |
auth_as | privilege user name |
db | default database |
thd | thread handle |
command | type of command(connect or change user) |
|
inline |
bool auth_plugin_is_built_in | ( | const char * | plugin_name | ) |
bool auth_plugin_supports_expiration | ( | const char * | plugin_name | ) |
Only the plugins that are known to use the mysql.user table to store their passwords support password expiration atm.
TODO: create a service and extend the plugin API to support password expiration for external plugins.
false | expiration not supported |
true | expiration supported |
|
inlinestatic |
vio | Virtual input-, output interface |
scramble | - Scramble to be saved |
Save the scramble in mpvio for future re-use. It is useful when we need to pass the scramble to another plugin. Especially in case when old 5.1 client with no CLIENT_PLUGIN_AUTH capability tries to connect to server with default-authentication-plugin set to sha256_password
Calculate the timestamp difference for password expiry.
thd | thread handle |
acl_user | ACL_USER handle |
0 | password is valid |
1 | password has expired |
|
inlinestatic |
Check that for command COM_CONNECT, either restriction on max number of concurrent connections not violated or in case the connection is admin connection the user has required privilege.
thd | Thread context |
false | success |
true | error |
|
inline |
|
static |
Compare a clear text password with a stored hash for the native password plugin.
If the password is non-empty it calculates a hash from the cleartext and compares it with the supplied hash.
if the password is empty checks if the hash is empty too.
0 | the hash was created with that password |
non-zero | the hash was created with a different password |
empty password results in an empty hash
|
static |
Compare a clear text password with a stored hash.
Checks if a stored hash is produced using a clear text password. To do that first it extracts the scramble from the hash. Then calculates a new hash using the extracted scramble and the supplied password. And finally compares the two scrambles.
0 | the hash was created with that password |
non-zero | the hash was created with a different password |
bool create_RSA_key_pair | ( | RSA_generator_func & | rsa_gen, |
const Sql_string_t | priv_key_filename, | ||
const Sql_string_t | pub_key_filename, | ||
File_creation_func & | filecr | ||
) |
Algorithm to generate RSA key pair.
Relies on: 1> RSA generator 2> File reader/writer
Overwrites existing Private/Public key file if any.
[in] | rsa_gen | RSA key pair generator |
[in] | priv_key_filename | File name of private key |
[in] | pub_key_filename | File name of public key |
[in] | filecr | File creator |
false | Error in RSA key pair generation. |
true | Private/Public keys are successfully generated. |
bool create_x509_certificate | ( | RSA_generator_func & | rsa_gen, |
const Sql_string_t | cn, | ||
uint32_t | serial, | ||
const Sql_string_t | cert_filename, | ||
const Sql_string_t | key_filename, | ||
File_creation_func & | filecr, | ||
const Sql_string_t | ca_key_file = "" , |
||
const Sql_string_t | ca_cert_file = "" |
||
) |
Algorithm to create X509 certificate.
Relies on: 1> RSA key generator 2> X509 certificate generator 3> FILE reader/writer
Overwrites key/certificate files if already present.
[in] | rsa_gen | RSA generator |
[in] | cn | Common name field of X509 certificate. |
[in] | serial | Certificate serial number |
[in] | cert_filename | File name for X509 certificate |
[in] | key_filename | File name for private key |
[in] | filecr | File creator |
[in] | ca_key_file | CA private key file |
[in] | ca_cert_file | CA certificate file |
false | Error in key/certificate generation. |
true | key/certificate files are generated successfully. |
ACL_USER * decoy_user | ( | const LEX_CSTRING & | username, |
const LEX_CSTRING & | hostname, | ||
MEM_ROOT * | mem, | ||
struct rand_struct * | rand, | ||
bool | is_initialized | ||
) |
When authentication is attempted using an unknown username a dummy user account with no authentication capabilities is assigned to the connection.
When server is started with -skip-grant-tables, a dummy user account with authentication capabilities is assigned to the connection. Dummy user authenticates with the empty authentication string. This is done to decrease the cost of enumerating user accounts based on authentication protocol.
[in] | username | A dummy user to be created. |
[in] | hostname | Host of the dummy user. |
[in] | mem | Memory in which the dummy ACL user will be created. |
[in] | rand | Seed value to generate random data |
[in] | is_initialized | State of ACL caches |
A | dummy ACL USER |
void deinit_rsa_keys | ( | void | ) |
|
static |
bool do_auto_cert_generation | ( | ssl_artifacts_status | auto_detection_status, |
const char ** | ssl_ca, | ||
const char ** | ssl_key, | ||
const char ** | ssl_cert | ||
) |
Check auto_generate_certs option and generate SSL certificates if required.
SSL Certificates are generated iff following conditions are met. 1> auto_generate_certs is set to ON. 2> None of the SSL system variables are specified. 3> Following files are not present in data directory. a> ca.pem b> server_cert.pem c> server_key.pem
If above mentioned conditions are satisfied, following action will be taken:
1> 6 File are generated and placed data directory: a> ca.pem b> ca_key.pem c> server_cert.pem d> server_key.pem e> client_cert.pem f> client_key.pem
ca.pem is self signed auto generated CA certificate. server_cert.pem and client_cert.pem are signed using auto generated CA.
ca_key.pem, client_cert.pem and client_key.pem are overwritten if they are present in data directory.
Path of following system variables are set if certificates are either generated or already present in data directory. a> ssl-ca b> ssl-cert c> ssl-key
Assumption : auto_detect_ssl() is called before control reaches to do_auto_cert_generation().
[in] | auto_detection_status | Status of SSL artifacts detection process |
[out] | ssl_ca | pointer to the generated CA certificate file |
[out] | ssl_key | pointer to the generated key file |
[out] | ssl_cert | pointer to the generated certificate file. |
true | i Generation is successful or skipped |
false | Generation failed. |
|
static |
Perform 2nd and 3rd factor authentication.
Once 1FA method succeeds, server checks if connecting user requires more authentication methods to do the authentication.
Refer to Multi Factor Authentication for server-client communication in various cases
thd | thread handle |
mpvio | the communications channel |
0 | success |
1 | error |
|
static |
Finds acl entry in user database for authentication purposes.
Finds a user and copies it into mpvio. Reports an authentication failure if a user is not found.
0 | found |
1 | not found |
|
static |
|
static |
|
static |
|
static |
Get a string formatted according to the 4.0 version of the MySQL protocol.
[in,out] | buffer | Pointer to the user-supplied buffer to be scanned. |
[in,out] | max_bytes_available | Limit the bytes to scan. |
[out] | string_length | The number of characters scanned not including the null character. |
|
static |
Get a length encoded string from a user-supplied buffer.
[in,out] | buffer | The buffer to scan; updates position after scan. |
[in,out] | max_bytes_available | Limit the number of bytes to scan |
[out] | string_length | Number of characters scanned |
NULL | The buffer content is malformed |
|
static |
Get a string formatted according to the 4.1 version of the MySQL protocol.
[in,out] | buffer | Pointer to the user-supplied buffer to be scanned. |
[in,out] | max_bytes_available | Limit the bytes to scan. |
[out] | string_length | The number of characters scanned not including the null character. |
NULL | The buffer content is malformed |
|
static |
Get a length encoded string from a user-supplied buffer.
[in,out] | buffer | The buffer to scan; updates position after scan. |
[in,out] | max_bytes_available | Limit the number of bytes to scan |
[out] | string_length | Number of characters scanned |
NULL | The buffer content is malformed |
std::string get_default_autnetication_plugin_name | ( | ) |
Return the default authentication plugin name.
A | string containing the default authentication plugin name |
bool init_rsa_keys | ( | void | ) |
Loads the RSA key pair from disk and store them in a global variable.
false | Success |
true | Error |
Presence of only a private key file and a public temp file implies that server crashed after creating the private key file and could not create a public key file. Hence removing the private key file.
|
static |
bool is_secure_transport | ( | int | vio_type | ) |
a helper function to report an access denied error in all the proper places
|
static |
Interface for querying the MYSQL_PUBLIC_VIO about encryption state.
mysql_declare_plugin | ( | mysql_password | ) |
|
static |
|
static |
|
static |
|
static |
MySQL Server Password Authentication Plugin.
In the MySQL authentication protocol:
|
static |
void optimize_plugin_compare_by_pointer | ( | LEX_CSTRING * | plugin_name | ) |
|
static |
Old clients didn't have their own charset. Instead the assumption was that they used what ever the server used.
Old clients didn't have their own charset. Instead the assumption was that they used what ever the server used.
|
static |
Parses a COM_CHANGE_USER.
thd | current thread |
mpvio | the communications channel |
packet_length | length of the packet in mpvio's buffer |
true | error |
false | success |
|
static |
|
static |
Exception free resize.
[in,out] | content | string handle |
[in] | size | New size |
false | Error |
true | Successfully resized |
|
static |
Write private key in a string buffer.
[in] | rsa | Handle to RSA structure where private key is stored |
|
static |
Write public key in a string buffer.
[in] | rsa | Handle to RSA structure where public key is stored |
int security_level | ( | void | ) |
|
static |
Sends a Protocol::AuthNextFactor:.
Used by the server to request that a client should initiate authentication for next authentication methods in the plugin chain of user definition.
See Protocol::AuthNextFactor: for more details.
[in] | mpvio | The communications channel |
[in] | data | Client plugin data |
[in] | data_len | Length of client plugin data |
false | ok |
true | error |
|
static |
Sends a Protocol::AuthSwitchRequest:.
Used by the server to request that a client should restart authentication using a different authentication plugin.
See Protocol::AuthSwitchRequest: for more details.
false | ok |
true | error |
|
static |
Sends a server Protocol::HandshakeV10.
0 | ok |
1 | error |
|
static |
fills MYSQL_PLUGIN_VIO_INFO structure with the information about the connection
|
static |
|
static |
vio->read_packet() callback method for server authentication plugins
This function is called by a server authentication plugin, when it wants to read data from the client.
It transparently extracts the client plugin data, if embedded into a client authentication handshake packet, and handles plugin negotiation with the client, if necessary.
RETURN -1 Protocol failure >= 0 Success and also the packet length
|
static |
vio->write_packet() callback method for server authentication plugins
This function is called by a server authentication plugin, when it wants to send data to the client.
It transparently wraps the data into a handshake packet, and handles plugin negotiation with the client. If necessary, it escapes the plugin data, if it starts with a mysql protocol packet byte.
int set_default_auth_plugin | ( | char * | plugin_name, |
size_t | plugin_name_length | ||
) |
Initialize default authentication plugin based on command line options or configuration file settings.
plugin_name | Name of the plugin |
plugin_name_length | Length of the string |
|
static |
|
static |
|
static |
vio | Virtual input-, output interface | |
[out] | info | Connection information |
Authenticate the user by receiving a RSA or TLS encrypted password and calculate a hash digest which should correspond to the user record digest
RSA keys are assumed to be pre-generated and supplied when server starts. If the client hasn't got a public key it can request one.
TLS certificates and keys are assumed to be pre-generated and supplied when server starts.
bool sha256_rsa_auth_status | ( | ) |
Check if server has valid public key/private key pair for RSA communication.
false | RSA support is available |
true | RSA support is not available |
|
static |
|
static |
|
inlinestatic |
Wrap the extra auth data sent so that they can pass in the protocol.
Check Protocol::AuthMoreData: for the format description.
0 | ok |
1 | error |
net | the network abstraction to use |
packet | data to transmit |
packet_len | length of packet |
|
static |
Read a X509 certificate into X509 format.
[in] | input_string | Content of X509 certificate file. |
Assumption : Caller will free X509 object
|
static |
Write X509 certificate into a string.
[in] | cert | Certificate information in X509 format. |
|
static |
Read Private key into EVP_PKEY structure.
[in] | input_string | Content of private key file. |
Assumption : Caller will free EVP_PKEY object
|
static |
Write X509 certificate into a string.
[in] | pkey | Private key information. |
bool auth_rsa_auto_generate_rsa_keys = true |
char* auth_rsa_private_key_path |
char* auth_rsa_public_key_path |
LEX_CSTRING default_auth_plugin_name |
bool disconnect_on_expired_password = true |
Cached_authentication_plugins* g_cached_authentication_plugins = nullptr |
Rsa_authentication_keys* g_sha256_rsa_keys = nullptr |
|
extern |
const uint MAX_UNKNOWN_ACCOUNTS = 1000 |
|
static |
bool opt_auto_generate_certs = true |
|
static |
|
constexpr |
|
static |
|
static |
Map_with_rw_lock<Auth_id, uint>* unknown_accounts = nullptr |
Hash to map unknown accounts to an authentication plugin.
If unknown accounts always map to default authentication plugin, server's reply to switch authentication plugin would indicate that user in question is indeed a valid user.
To counter this, one of the built-in authentication plugins is chosen at random. Thus, a request to switch authentication plugin is not and indicator of a valid user account.
For same unknown account, if different plugin is chosen every time, that again is an indicator. To resolve this, a hashmap is used to store information about unknown account => authentication plugin. This way, if same unknown account appears again, same authentication plugin is chosen again.
However, size of such a hash has to be kept under control. Hence, once MAX_UNKNOWN_ACCOUNTS lim
LEX_CSTRING validate_password_plugin_name |