MySQL 8.0.39
Source Code Documentation
sql_authentication.h
Go to the documentation of this file.
1/* Copyright (c) 2000, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef SQL_AUTHENTICATION_INCLUDED
25#define SQL_AUTHENTICATION_INCLUDED
26
27#include <openssl/rsa.h>
28#include <stddef.h>
29#include <sys/types.h>
30
31#include "lex_string.h"
32#include "m_ctype.h"
33#include "my_thread_local.h" // my_thread_id
34#include "mysql/plugin_auth.h" // MYSQL_SERVER_AUTH_INFO
36#include "sql/sql_plugin_ref.h" // plugin_ref
37
38class ACL_USER;
40class THD;
41class Restrictions;
42struct MEM_ROOT;
43struct SHOW_VAR;
44
45/* Classes */
46
49
50 public:
51 Thd_charset_adapter(THD *thd_arg) : thd(thd_arg) {}
52 bool init_client_charset(uint cs_number);
53
54 const CHARSET_INFO *charset();
55};
56
57/**
58 The internal version of what plugins know as MYSQL_PLUGIN_VIO,
59 basically the context of the authentication session
60*/
61struct MPVIO_EXT : public MYSQL_PLUGIN_VIO {
65 plugin_ref plugin; ///< what plugin we're under
66 LEX_STRING db; ///< db name from the handshake packet
67 /** when restarting a plugin this caches the last client reply */
68 struct {
69 const char *plugin, *pkt; ///< pointers into NET::buff
72 /** this caches the first plugin packet for restart request on the client */
73 struct {
74 char *pkt;
77 int packets_read, packets_written; ///< counters for send/received packets
78 /** when plugin returns a failure this tells us what really happened */
80
81 /* encapsulation members */
82 char *scramble;
89 const char *ip;
90 const char *host;
94 bool can_authenticate();
95};
96
97class String;
98
99bool init_rsa_keys(void);
100void deinit_rsa_keys(void);
101int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff);
102
103typedef struct rsa_st RSA;
105 private:
106#if OPENSSL_VERSION_NUMBER >= 0x30000000L
107 EVP_PKEY *m_public_key;
108 EVP_PKEY *m_private_key;
109#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
112#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
117
118 void get_key_file_path(char *key, String *key_file_path);
119
120#if OPENSSL_VERSION_NUMBER >= 0x30000000L
121 bool read_key_file(EVP_PKEY **key_ptr, bool is_priv_key,
122 char **key_text_buffer);
123#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
124 bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer);
125#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
126
127 public:
128 Rsa_authentication_keys(char **private_key_path, char **public_key_path)
131 m_cipher_len(0),
133 m_private_key_path(private_key_path),
134 m_public_key_path(public_key_path) {}
136
137 void free_memory();
138 void *allocate_pem_buffer(size_t buffer_len);
139
140#if OPENSSL_VERSION_NUMBER >= 0x30000000L
141 EVP_PKEY *get_private_key() { return m_private_key; }
142 EVP_PKEY *get_public_key() { return m_public_key; }
143#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
146#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
147
148 int get_cipher_length();
149 bool read_rsa_keys();
150 const char *get_public_key_as_pem(void) { return m_pem_public_key; }
151};
152
153/* Data Structures */
154
156
157extern bool allow_all_hosts;
158
159typedef enum {
163 /* Add new plugin before this */
166
168
170 public:
173
174 /**
175 Compare given plugin against one of the cached ones
176
177 @param [in] plugin_index Cached plugin index
178 @param [in] plugin Plugin to be compared
179
180 @returns status of comparison
181 @retval true Match
182 @retval false Not a match
183 */
184 static bool compare_plugin(cached_plugins_enum plugin_index,
185 LEX_CSTRING plugin) {
186 if (plugin_index < PLUGIN_LAST && plugin.str) {
188 return (plugin.str == cached_plugins_names[plugin_index].str);
189 }
190 return false;
191 }
192
193 /**
194 Check if given plugin is a builtin
195
196 @param [in] plugin Plugin name
197
198 @returns true if builtin, false otherwise
199 */
201 for (uint i = 0; i < (uint)PLUGIN_LAST; ++i) {
202 if (plugin->str == cached_plugins_names[i].str) return true;
203 }
204 return false;
205 }
206
207 /**
208 Get name of the plugin at given index
209
210 @param [in] plugin_index Cached plugin index
211
212 @returns name of the cached plugin at given index
213 */
214 static const char *get_plugin_name(cached_plugins_enum plugin_index) {
215 if (plugin_index < PLUGIN_LAST)
216 return cached_plugins_names[plugin_index].str;
217 return nullptr;
218 }
219
222
224
225 /**
226 Fetch cached plugin handle
227
228 @param plugin_index Cached plugin index
229
230 @returns cached plugin_ref if found, 0 otherwise
231 */
233 if (plugin_index < PLUGIN_LAST) return cached_plugins[plugin_index];
234 return nullptr;
235 }
236
238 bool is_valid() { return m_valid; }
239
240 private:
242};
243
245
246ACL_USER *decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname,
247 MEM_ROOT *mem, struct rand_struct *rand,
248 bool is_initialized);
249#define AUTH_DEFAULT_RSA_PRIVATE_KEY "private_key.pem"
250#define AUTH_DEFAULT_RSA_PUBLIC_KEY "public_key.pem"
251
252#endif /* SQL_AUTHENTICATION_INCLUDED */
Definition: sql_auth_cache.h:246
Definition: sql_authentication.h:169
bool m_valid
Definition: sql_authentication.h:241
Cached_authentication_plugins()
Cached_authentication_plugins constructor.
Definition: sql_authentication.cc:1034
static const LEX_CSTRING cached_plugins_names[(uint) PLUGIN_LAST]
Definition: sql_authentication.h:171
static bool compare_plugin(cached_plugins_enum plugin_index, LEX_CSTRING plugin)
Compare given plugin against one of the cached ones.
Definition: sql_authentication.h:184
bool is_valid()
Definition: sql_authentication.h:238
static const char * get_plugin_name(cached_plugins_enum plugin_index)
Get name of the plugin at given index.
Definition: sql_authentication.h:214
plugin_ref cached_plugins[(uint) PLUGIN_LAST]
Definition: sql_authentication.h:237
plugin_ref get_cached_plugin_ref(cached_plugins_enum plugin_index)
Fetch cached plugin handle.
Definition: sql_authentication.h:232
plugin_ref get_cached_plugin_ref(const LEX_CSTRING *plugin)
Get plugin_ref if plugin is cached.
Definition: sql_authentication.cc:1066
static bool auth_plugin_is_built_in(LEX_CSTRING *plugin)
Check if given plugin is a builtin.
Definition: sql_authentication.h:200
static void optimize_plugin_compare_by_pointer(LEX_CSTRING *plugin)
Use known pointers for cached plugins to improve comparison time.
Definition: sql_authentication.cc:1016
~Cached_authentication_plugins()
Cached_authentication_plugins destructor.
Definition: sql_authentication.cc:1052
Definition: protocol_classic.h:52
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
Definition: sql_authentication.h:104
bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer)
Read a key file and store its value in RSA structure.
Definition: sql_authentication.cc:1201
void * allocate_pem_buffer(size_t buffer_len)
Definition: sql_authentication.cc:1289
char ** m_public_key_path
Definition: sql_authentication.h:116
RSA * get_public_key()
Definition: sql_authentication.h:145
void get_key_file_path(char *key, String *key_file_path)
Set key file path.
Definition: sql_authentication.cc:1161
int get_cipher_length()
Definition: sql_authentication.cc:1294
int m_cipher_len
Definition: sql_authentication.h:113
RSA * m_private_key
Definition: sql_authentication.h:111
RSA * get_private_key()
Definition: sql_authentication.h:144
~Rsa_authentication_keys()=default
bool read_rsa_keys()
Read RSA private key and public key from file and store them in m_private_key and m_public_key.
Definition: sql_authentication.cc:1311
char ** m_private_key_path
Definition: sql_authentication.h:115
char * m_pem_public_key
Definition: sql_authentication.h:114
const char * get_public_key_as_pem(void)
Definition: sql_authentication.h:150
RSA * m_public_key
Definition: sql_authentication.h:110
Rsa_authentication_keys(char **private_key_path, char **public_key_path)
Definition: sql_authentication.h:128
void free_memory()
Definition: sql_authentication.cc:1269
Using this class is fraught with peril, and you need to be very careful when doing so.
Definition: sql_string.h:168
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:34
Definition: sql_authentication.h:47
Thd_charset_adapter(THD *thd_arg)
Definition: sql_authentication.h:51
const CHARSET_INFO * charset()
Definition: sql_authentication.cc:1151
bool init_client_charset(uint cs_number)
Definition: sql_authentication.cc:1145
THD * thd
Definition: sql_authentication.h:48
Fido Client Authentication nullptr
Definition: fido_client_plugin.cc:222
A better implementation of the UNIX ctype(3) library.
uint32 my_thread_id
Definition: my_thread_local.h:34
Authentication Plugin API.
This file defines constants and data structures that are the same for both client- and server-side au...
required string key
Definition: replication_asynchronous_connection_failover.proto:60
int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff)
Definition: sql_authentication.cc:4620
ACL_USER * decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname, MEM_ROOT *mem, struct rand_struct *rand, bool is_initialized)
When authentication is attempted using an unknown username a dummy user account with no authenticatio...
Definition: sql_authentication.cc:2064
cached_plugins_enum
Definition: sql_authentication.h:159
@ PLUGIN_LAST
Definition: sql_authentication.h:164
@ PLUGIN_CACHING_SHA2_PASSWORD
Definition: sql_authentication.h:160
@ PLUGIN_SHA256_PASSWORD
Definition: sql_authentication.h:162
@ PLUGIN_MYSQL_NATIVE_PASSWORD
Definition: sql_authentication.h:161
bool allow_all_hosts
Definition: sql_auth_cache.cc:162
Cached_authentication_plugins * g_cached_authentication_plugins
Definition: sql_authentication.cc:1117
void deinit_rsa_keys(void)
Definition: sql_authentication.cc:4626
LEX_CSTRING default_auth_plugin_name
Definition: sql_authentication.cc:1004
struct rsa_st RSA
Definition: sql_authentication.h:103
bool init_rsa_keys(void)
Loads the RSA key pair from disk and store them in a global variable.
Definition: sql_authentication.cc:4660
LEX_CSTRING validate_password_plugin_name
Definition: sql_authentication.cc:1001
static MEM_ROOT mem
Definition: sql_servers.cc:99
Definition: m_ctype.h:385
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:83
The internal version of what plugins know as MYSQL_PLUGIN_VIO, basically the context of the authentic...
Definition: sql_authentication.h:61
ulong max_client_packet_length
Definition: sql_authentication.h:88
uint pkt_len
Definition: sql_authentication.h:70
char * pkt
Definition: sql_authentication.h:74
const ACL_USER * acl_user
Definition: sql_authentication.h:63
struct MPVIO_EXT::@37 cached_server_packet
this caches the first plugin packet for restart request on the client
int vio_is_encrypted
Definition: sql_authentication.h:93
const char * ip
Definition: sql_authentication.h:89
int packets_written
counters for send/received packets
Definition: sql_authentication.h:77
Protocol_classic * protocol
Definition: sql_authentication.h:87
int packets_read
Definition: sql_authentication.h:77
struct MPVIO_EXT::@36 cached_client_reply
when restarting a plugin this caches the last client reply
LEX_STRING db
db name from the handshake packet
Definition: sql_authentication.h:66
LEX_CSTRING acl_user_plugin
Definition: sql_authentication.h:92
my_thread_id thread_id
Definition: sql_authentication.h:85
const char * pkt
pointers into NET::buff
Definition: sql_authentication.h:69
bool can_authenticate()
Definition: sql_authentication.cc:6031
struct rand_struct * rand
Definition: sql_authentication.h:84
plugin_ref plugin
what plugin we're under
Definition: sql_authentication.h:65
const char * host
Definition: sql_authentication.h:90
char * scramble
Definition: sql_authentication.h:82
uint * server_status
Definition: sql_authentication.h:86
@ FAILURE
Definition: sql_authentication.h:79
@ START_MFA
Definition: sql_authentication.h:79
@ SUCCESS
Definition: sql_authentication.h:79
@ RESTART
Definition: sql_authentication.h:79
MYSQL_SERVER_AUTH_INFO auth_info
Definition: sql_authentication.h:62
Thd_charset_adapter * charset_adapter
Definition: sql_authentication.h:91
Restrictions * restrictions
Definition: sql_authentication.h:64
enum MPVIO_EXT::@38 status
when plugin returns a failure this tells us what really happened
MEM_ROOT * mem_root
Definition: sql_authentication.h:83
Definition: mysql_lex_string.h:40
const char * str
Definition: mysql_lex_string.h:41
Definition: mysql_lex_string.h:35
Provides plugin access to communication channel.
Definition: plugin_auth_common.h:146
Provides server plugin access to authentication information.
Definition: plugin_auth.h:71
SHOW STATUS Server status variable.
Definition: status_var.h:79
Definition: mysql_com.h:1108
Definition: sql_plugin_ref.h:45
unsigned int uint
Definition: uca9-dump.cc:75
std::atomic< bool > is_initialized(false)