MySQL 8.0.40
Source Code Documentation
i_sha2_password.h
Go to the documentation of this file.
1/*
2Copyright (c) 2017, 2024, Oracle and/or its affiliates.
3
4This program is free software; you can redistribute it and/or modify
5it under the terms of the GNU General Public License, version 2.0,
6as published by the Free Software Foundation.
7
8This program is designed to work with certain software (including
9but not limited to OpenSSL) that is licensed under separate terms,
10as designated in a particular file or component or in included license
11documentation. The authors of MySQL hereby grant you an additional
12permission to link the program and your derivative works with the
13separately licensed software that they have either included with
14the program or referenced in the documentation.
15
16This program is distributed in the hope that it will be useful,
17but WITHOUT ANY WARRANTY; without even the implied warranty of
18MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19GNU General Public License, version 2.0, for more details.
20
21You should have received a copy of the GNU General Public License
22along with this program; if not, write to the Free Software
23Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
24
25#ifndef I_SHA2_PASSWORD_INCLUDED
26#define I_SHA2_PASSWORD_INCLUDED
27
28#include <string>
29#include <unordered_map>
30
31#include "crypt_genhash_impl.h" /* For salt, sha2 digest */
32#include "mysql/plugin.h" /* MYSQL_PLUGIN */
33#include "mysql/psi/mysql_rwlock.h" /* mysql_rwlock_t */
35
36/**
37 @file sql/auth/i_sha2_password.h
38 Classes for caching_sha2_authentication plugin
39*/
40
41/**
42 @defgroup auth_caching_sha2_auth caching_sha2_authentication information
43 @{
44*/
45namespace sha2_password {
46/* fast digest rounds */
47const unsigned int MIN_FAST_DIGEST_ROUNDS = 2;
48const unsigned int DEFAULT_FAST_DIGEST_ROUNDS = 2;
49const unsigned int MAX_FAST_DIGEST_ROUNDS = 1000;
50
51/* Length of Digest Info field */
52const unsigned int DIGEST_INFO_LENGTH = 1;
53/* Length of iteration info field */
54const unsigned int ITERATION_LENGTH = 3;
55/* Iteration multiplier to be used on extracted iteration count */
56const unsigned int ITERATION_MULTIPLIER = 1000;
57/* Upper cap on iterations */
58const long unsigned int MAX_ITERATIONS = 0xFFF * ITERATION_MULTIPLIER;
59/* length of salt */
60const unsigned int SALT_LENGTH = CRYPT_SALT_LENGTH;
61/* $ + A + $ + ITERATION_LENGTH + $ + SALT_LENGTH + CACHING_SHA2_DIGEST_LENGTH =
62 * 59 */
63const unsigned int SHA256_AUTH_STRING_LEN =
65/* Delimiter character */
66const char DELIMITER = '$';
67/* Store digest length */
68const unsigned int STORED_SHA256_DIGEST_LENGTH = 43;
69/* stored digest rounds*/
73/* Maximum password length */
75/* Maximum supported passwords */
76const unsigned int MAX_PASSWORDS = 2;
77
78typedef struct sha2_cache_entry {
81
82/**
83 Password cache used for caching_sha2_authentication
84*/
85
87 public:
88 typedef std::unordered_map<std::string, sha2_cache_entry> password_cache;
89
92 bool add(const std::string authorization_id,
93 const sha2_cache_entry &entry_to_be_cached);
94 bool remove(const std::string authorization_id);
95 bool search(const std::string authorization_id,
96 sha2_cache_entry &cache_entry);
97 /** Returns number of cache entries present */
98 size_t size() { return m_password_cache.size(); }
99 void clear_cache();
100
101 private:
103};
104
105/**
106 Class to handle caching_sha2_authentication
107 Provides methods for:
108 - Fast authentication
109 - Strong authentication
110 - Removal of cached entry
111*/
113 public:
115 MYSQL_PLUGIN plugin_handle, size_t stored_digest_rounds,
116 unsigned int fast_digest_rounds = DEFAULT_FAST_DIGEST_ROUNDS,
119 std::pair<bool, bool> authenticate(const std::string &authorization_id,
120 const std::string *serialized_string,
121 const std::string &plaintext_password);
122 std::pair<bool, bool> fast_authenticate(const std::string &authorization_id,
123 const unsigned char *random,
124 unsigned int random_length,
125 const unsigned char *scramble,
126 bool check_second);
127 void remove_cached_entry(const std::string authorization_id);
128 bool deserialize(const std::string &serialized_string,
129 Digest_info &digest_type, std::string &salt,
130 std::string &digest, size_t &iterations);
131 bool serialize(std::string &serialized_string, const Digest_info &digest_type,
132 const std::string &salt, const std::string &digest,
133 size_t iterations);
134 bool generate_fast_digest(const std::string &plaintext_password,
135 sha2_cache_entry &digest, unsigned int loc);
136 bool generate_sha2_multi_hash(const std::string &src,
137 const std::string &random, std::string *digest,
138 unsigned int iterations);
139 size_t get_cache_count();
140 void clear_cache();
141 bool validate_hash(const std::string serialized_string);
144
145 private:
146 /** Plugin handle */
148 /** Number of rounds for stored digest */
150 /** Number of rounds for fast digest */
152 /** Digest type */
154 /** Lock to protect @c m_cache */
156 /** user=>password cache */
158};
159} // namespace sha2_password
160
161/** @} (end of auth_caching_sha2_auth) */
162
163#endif // !I_SHA2_PASSWORD_INCLUDED
Class to handle caching_sha2_authentication Provides methods for:
Definition: i_sha2_password.h:112
size_t get_cache_count()
Get cache count.
Definition: sha2_password.cc:688
SHA2_password_cache m_cache
user=>password cache
Definition: i_sha2_password.h:157
std::pair< bool, bool > authenticate(const std::string &authorization_id, const std::string *serialized_string, const std::string &plaintext_password)
Perform slow authentication.
Definition: sha2_password.cc:236
std::pair< bool, bool > fast_authenticate(const std::string &authorization_id, const unsigned char *random, unsigned int random_length, const unsigned char *scramble, bool check_second)
Perform fast authentication.
Definition: sha2_password.cc:351
Digest_info get_digest_type() const
Definition: i_sha2_password.h:142
unsigned int m_fast_digest_rounds
Number of rounds for fast digest.
Definition: i_sha2_password.h:151
bool deserialize(const std::string &serialized_string, Digest_info &digest_type, std::string &salt, std::string &digest, size_t &iterations)
Deserialize obtained hash and retrieve various parts.
Definition: sha2_password.cc:440
size_t get_digest_rounds()
Definition: i_sha2_password.h:143
mysql_rwlock_t m_cache_lock
Lock to protect m_cache.
Definition: i_sha2_password.h:155
void clear_cache()
Clear the password cache.
Definition: sha2_password.cc:695
size_t m_stored_digest_rounds
Number of rounds for stored digest.
Definition: i_sha2_password.h:149
bool generate_fast_digest(const std::string &plaintext_password, sha2_cache_entry &digest, unsigned int loc)
Generate digest based on m_fast_digest_rounds.
Definition: sha2_password.cc:601
bool generate_sha2_multi_hash(const std::string &src, const std::string &random, std::string *digest, unsigned int iterations)
Generate multi-round sha2 hash using source and random string.
Definition: sha2_password.cc:650
Digest_info m_digest_type
Digest type.
Definition: i_sha2_password.h:153
void remove_cached_entry(const std::string authorization_id)
Remove an entry from the cache.
Definition: sha2_password.cc:398
~Caching_sha2_password()
Caching_sha2_password destructor - destroy rw lock.
Definition: sha2_password.cc:210
bool serialize(std::string &serialized_string, const Digest_info &digest_type, const std::string &salt, const std::string &digest, size_t iterations)
Serialize following: a.
Definition: sha2_password.cc:541
bool validate_hash(const std::string serialized_string)
Validate a hash format.
Definition: sha2_password.cc:710
MYSQL_PLUGIN m_plugin_info
Plugin handle.
Definition: i_sha2_password.h:147
Caching_sha2_password(MYSQL_PLUGIN plugin_handle, size_t stored_digest_rounds, unsigned int fast_digest_rounds=DEFAULT_FAST_DIGEST_ROUNDS, Digest_info digest_type=Digest_info::SHA256_DIGEST)
Caching_sha2_password constructor - Initializes rw lock.
Definition: sha2_password.cc:186
Password cache used for caching_sha2_authentication.
Definition: i_sha2_password.h:86
password_cache m_password_cache
Definition: i_sha2_password.h:102
~SHA2_password_cache()
Destructor - Release all memory.
Definition: sha2_password.cc:89
size_t size()
Returns number of cache entries present
Definition: i_sha2_password.h:98
void clear_cache()
Clear the cache - Release all memory.
Definition: sha2_password.cc:166
bool add(const std::string authorization_id, const sha2_cache_entry &entry_to_be_cached)
Add an entry in cache We manage our own memory.
Definition: sha2_password.cc:107
bool remove(const std::string authorization_id)
Remove an entry from the cache.
Definition: sha2_password.cc:127
bool search(const std::string authorization_id, sha2_cache_entry &cache_entry)
Search an entry from the cache.
Definition: sha2_password.cc:150
std::unordered_map< std::string, sha2_cache_entry > password_cache
Definition: i_sha2_password.h:88
#define MAX_PLAINTEXT_LENGTH
Definition: crypt_genhash_impl.h:41
#define CRYPT_SALT_LENGTH
Definition: crypt_genhash_impl.h:34
#define ROUNDS_DEFAULT
Definition: crypt_genhash_impl.h:30
#define ROUNDS_MIN
Definition: crypt_genhash_impl.h:31
#define ROUNDS_MAX
Definition: crypt_genhash_impl.h:32
Classes for caching_sha2_authentication plugin.
void * MYSQL_PLUGIN
Definition: plugin.h:82
void scramble(char *to, const char *message, const char *password)
Produce an obscure octet sequence from password and random string, received from the server.
Definition: password.cc:271
static unsigned int iterations
Definition: mysqlslap.cc:187
Definition: i_sha2_password.h:45
const unsigned int DIGEST_INFO_LENGTH
Definition: i_sha2_password.h:52
const unsigned int CACHING_SHA2_DIGEST_LENGTH
Definition: i_sha2_password_common.h:45
const char DELIMITER
Definition: i_sha2_password.h:66
const unsigned int STORED_SHA256_DIGEST_LENGTH
Definition: i_sha2_password.h:68
Digest_info
Supported digest information.
Definition: i_sha2_password_common.h:51
const unsigned int ITERATION_LENGTH
Definition: i_sha2_password.h:54
const long unsigned int MAX_ITERATIONS
Definition: i_sha2_password.h:58
const size_t CACHING_SHA2_PASSWORD_MAX_PASSWORD_LENGTH
Definition: i_sha2_password.h:74
const unsigned int MAX_FAST_DIGEST_ROUNDS
Definition: i_sha2_password.h:49
struct sha2_password::sha2_cache_entry sha2_cache_entry
const unsigned int DEFAULT_FAST_DIGEST_ROUNDS
Definition: i_sha2_password.h:48
const size_t MAX_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:72
const size_t DEFAULT_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:71
const unsigned int MIN_FAST_DIGEST_ROUNDS
Definition: i_sha2_password.h:47
const unsigned int MAX_PASSWORDS
Definition: i_sha2_password.h:76
const unsigned int SHA256_AUTH_STRING_LEN
Definition: i_sha2_password.h:63
const size_t MIN_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:70
const unsigned int ITERATION_MULTIPLIER
Definition: i_sha2_password.h:56
const unsigned int SALT_LENGTH
Definition: i_sha2_password.h:60
Instrumentation helpers for rwlock.
An instrumented rwlock structure.
Definition: mysql_rwlock_bits.h:51
Definition: i_sha2_password.h:78
unsigned char digest_buffer[MAX_PASSWORDS][CACHING_SHA2_DIGEST_LENGTH]
Definition: i_sha2_password.h:79