MySQL 8.4.2
Source Code Documentation
sql_authentication.h
Go to the documentation of this file.
1/* Copyright (c) 2000, 2024, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is designed to work with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have either included with
13 the program or referenced in the documentation.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23
24#ifndef SQL_AUTHENTICATION_INCLUDED
25#define SQL_AUTHENTICATION_INCLUDED
26
27#include <openssl/rsa.h>
28#include <stddef.h>
29#include <sys/types.h>
30
31#include "lex_string.h"
32#include "my_thread_local.h" // my_thread_id
33#include "mysql/plugin_auth.h" // MYSQL_SERVER_AUTH_INFO
36#include "sql/sql_plugin_ref.h" // plugin_ref
37
38class ACL_USER;
40class THD;
41class Restrictions;
42struct MEM_ROOT;
43struct SHOW_VAR;
44
45/* Classes */
46
49
50 public:
51 Thd_charset_adapter(THD *thd_arg) : thd(thd_arg) {}
52 bool init_client_charset(uint cs_number);
53
54 const CHARSET_INFO *charset();
55};
56
57/**
58 The internal version of what plugins know as MYSQL_PLUGIN_VIO,
59 basically the context of the authentication session
60*/
61struct MPVIO_EXT : public MYSQL_PLUGIN_VIO {
65 plugin_ref plugin; ///< what plugin we're under
66 LEX_STRING db; ///< db name from the handshake packet
67 /** when restarting a plugin this caches the last client reply */
68 struct {
69 const char *plugin, *pkt; ///< pointers into NET::buff
70 uint pkt_len;
72 /** this caches the first plugin packet for restart request on the client */
73 struct {
74 char *pkt;
75 uint pkt_len;
77 int packets_read, packets_written; ///< counters for send/received packets
78 /** when plugin returns a failure this tells us what really happened */
80
81 /* encapsulation members */
82 char *scramble;
89 const char *ip;
90 const char *host;
94 bool can_authenticate();
95};
96
97class String;
98
99bool init_rsa_keys(void);
100void deinit_rsa_keys(void);
101int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff);
102
103typedef struct rsa_st RSA;
105 private:
106#if OPENSSL_VERSION_NUMBER >= 0x30000000L
107 EVP_PKEY *m_public_key;
108 EVP_PKEY *m_private_key;
109#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
112#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
117
118 void get_key_file_path(char *key, String *key_file_path);
119
120#if OPENSSL_VERSION_NUMBER >= 0x30000000L
121 bool read_key_file(EVP_PKEY **key_ptr, bool is_priv_key,
122 char **key_text_buffer);
123#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
124 bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer);
125#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
126
127 public:
128 Rsa_authentication_keys(char **private_key_path, char **public_key_path)
131 m_cipher_len(0),
133 m_private_key_path(private_key_path),
134 m_public_key_path(public_key_path) {}
136
137 void free_memory();
138 void *allocate_pem_buffer(size_t buffer_len);
139
140#if OPENSSL_VERSION_NUMBER >= 0x30000000L
141 EVP_PKEY *get_private_key() { return m_private_key; }
142 EVP_PKEY *get_public_key() { return m_public_key; }
143#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
146#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
147
148 int get_cipher_length();
149 bool read_rsa_keys();
150 const char *get_public_key_as_pem(void) { return m_pem_public_key; }
151};
152
153/* Data Structures */
154
156
157extern bool allow_all_hosts;
158
159typedef enum {
163 /* Add new plugin before this */
166
168 public:
171
172 /**
173 Compare given plugin against one of the cached ones
174
175 @param [in] plugin_index Cached plugin index
176 @param [in] plugin Plugin to be compared
177
178 @returns status of comparison
179 @retval true Match
180 @retval false Not a match
181 */
182 static bool compare_plugin(cached_plugins_enum plugin_index,
183 LEX_CSTRING plugin) {
184 if (plugin_index < PLUGIN_LAST && plugin.str) {
186 return (plugin.str == cached_plugins_names[plugin_index].str);
187 }
188 return false;
189 }
190
191 /**
192 Check if given plugin is a builtin
193
194 @param [in] plugin Plugin name
195
196 @returns true if builtin, false otherwise
197 */
199 for (uint i = 0; i < (uint)PLUGIN_LAST; ++i) {
200 if (plugin->str == cached_plugins_names[i].str) return true;
201 }
202 return false;
203 }
204
205 /**
206 Get name of the plugin at given index
207
208 @param [in] plugin_index Cached plugin index
209
210 @returns name of the cached plugin at given index
211 */
212 static const char *get_plugin_name(cached_plugins_enum plugin_index) {
213 if (plugin_index < PLUGIN_LAST)
214 return cached_plugins_names[plugin_index].str;
215 return nullptr;
216 }
217
220
222
223 /**
224 Fetch cached plugin handle
225
226 @param plugin_index Cached plugin index
227
228 @returns cached plugin_ref if found, 0 otherwise
229 */
231 if (plugin_index < PLUGIN_LAST) return cached_plugins[plugin_index];
232 return nullptr;
233 }
234
236 bool is_valid() { return m_valid; }
237
238 private:
240};
241
243
244ACL_USER *decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname,
245 MEM_ROOT *mem, struct rand_struct *rand,
246 bool is_initialized);
247#define AUTH_DEFAULT_RSA_PRIVATE_KEY "private_key.pem"
248#define AUTH_DEFAULT_RSA_PUBLIC_KEY "public_key.pem"
249
250#endif /* SQL_AUTHENTICATION_INCLUDED */
Kerberos Client Authentication nullptr
Definition: auth_kerberos_client_plugin.cc:251
Definition: sql_auth_cache.h:246
Definition: sql_authentication.h:167
bool m_valid
Definition: sql_authentication.h:239
Cached_authentication_plugins()
Cached_authentication_plugins constructor.
Definition: sql_authentication.cc:1192
static const LEX_CSTRING cached_plugins_names[(uint) PLUGIN_LAST]
Definition: sql_authentication.h:169
static bool compare_plugin(cached_plugins_enum plugin_index, LEX_CSTRING plugin)
Compare given plugin against one of the cached ones.
Definition: sql_authentication.h:182
bool is_valid()
Definition: sql_authentication.h:236
static const char * get_plugin_name(cached_plugins_enum plugin_index)
Get name of the plugin at given index.
Definition: sql_authentication.h:212
plugin_ref cached_plugins[(uint) PLUGIN_LAST]
Definition: sql_authentication.h:235
plugin_ref get_cached_plugin_ref(cached_plugins_enum plugin_index)
Fetch cached plugin handle.
Definition: sql_authentication.h:230
plugin_ref get_cached_plugin_ref(const LEX_CSTRING *plugin)
Get plugin_ref if plugin is cached.
Definition: sql_authentication.cc:1226
static bool auth_plugin_is_built_in(LEX_CSTRING *plugin)
Check if given plugin is a builtin.
Definition: sql_authentication.h:198
static void optimize_plugin_compare_by_pointer(LEX_CSTRING *plugin)
Use known pointers for cached plugins to improve comparison time.
Definition: sql_authentication.cc:1174
~Cached_authentication_plugins()
Cached_authentication_plugins destructor.
Definition: sql_authentication.cc:1212
Definition: protocol_classic.h:54
Container of all restrictions for a given user.
Definition: partial_revokes.h:155
Definition: sql_authentication.h:104
bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer)
Read a key file and store its value in RSA structure.
Definition: sql_authentication.cc:1361
void * allocate_pem_buffer(size_t buffer_len)
Definition: sql_authentication.cc:1449
char ** m_public_key_path
Definition: sql_authentication.h:116
RSA * get_public_key()
Definition: sql_authentication.h:145
void get_key_file_path(char *key, String *key_file_path)
Set key file path.
Definition: sql_authentication.cc:1321
int get_cipher_length()
Definition: sql_authentication.cc:1454
int m_cipher_len
Definition: sql_authentication.h:113
RSA * m_private_key
Definition: sql_authentication.h:111
RSA * get_private_key()
Definition: sql_authentication.h:144
~Rsa_authentication_keys()=default
bool read_rsa_keys()
Read RSA private key and public key from file and store them in m_private_key and m_public_key.
Definition: sql_authentication.cc:1471
char ** m_private_key_path
Definition: sql_authentication.h:115
char * m_pem_public_key
Definition: sql_authentication.h:114
const char * get_public_key_as_pem(void)
Definition: sql_authentication.h:150
RSA * m_public_key
Definition: sql_authentication.h:110
Rsa_authentication_keys(char **private_key_path, char **public_key_path)
Definition: sql_authentication.h:128
void free_memory()
Definition: sql_authentication.cc:1429
Using this class is fraught with peril, and you need to be very careful when doing so.
Definition: sql_string.h:167
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_lexer_thd.h:36
Definition: sql_authentication.h:47
Thd_charset_adapter(THD *thd_arg)
Definition: sql_authentication.h:51
const CHARSET_INFO * charset()
Definition: sql_authentication.cc:1311
bool init_client_charset(uint cs_number)
Definition: sql_authentication.cc:1305
THD * thd
Definition: sql_authentication.h:48
A better implementation of the UNIX ctype(3) library.
uint32 my_thread_id
Definition: my_thread_local.h:34
Authentication Plugin API.
This file defines constants and data structures that are the same for both client- and server-side au...
required string key
Definition: replication_asynchronous_connection_failover.proto:60
int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff)
Definition: sql_authentication.cc:4474
ACL_USER * decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname, MEM_ROOT *mem, struct rand_struct *rand, bool is_initialized)
When authentication is attempted using an unknown username a dummy user account with no authenticatio...
Definition: sql_authentication.cc:2197
cached_plugins_enum
Definition: sql_authentication.h:159
@ PLUGIN_LAST
Definition: sql_authentication.h:164
@ PLUGIN_CACHING_SHA2_PASSWORD
Definition: sql_authentication.h:160
@ PLUGIN_SHA256_PASSWORD
Definition: sql_authentication.h:162
@ PLUGIN_MYSQL_NATIVE_PASSWORD
Definition: sql_authentication.h:161
bool allow_all_hosts
Definition: sql_auth_cache.cc:165
Cached_authentication_plugins * g_cached_authentication_plugins
Definition: sql_authentication.cc:1277
void deinit_rsa_keys(void)
Definition: sql_authentication.cc:4480
struct rsa_st RSA
Definition: sql_authentication.h:103
bool init_rsa_keys(void)
Loads the RSA key pair from disk and store them in a global variable.
Definition: sql_authentication.cc:4514
LEX_CSTRING validate_password_plugin_name
Definition: sql_authentication.cc:1159
static MEM_ROOT mem
Definition: sql_servers.cc:100
Definition: m_ctype.h:423
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:83
The internal version of what plugins know as MYSQL_PLUGIN_VIO, basically the context of the authentic...
Definition: sql_authentication.h:61
ulong max_client_packet_length
Definition: sql_authentication.h:88
uint pkt_len
Definition: sql_authentication.h:70
struct MPVIO_EXT::@40 cached_client_reply
when restarting a plugin this caches the last client reply
char * pkt
Definition: sql_authentication.h:74
const ACL_USER * acl_user
Definition: sql_authentication.h:63
int vio_is_encrypted
Definition: sql_authentication.h:93
enum MPVIO_EXT::@42 status
when plugin returns a failure this tells us what really happened
const char * ip
Definition: sql_authentication.h:89
int packets_written
counters for send/received packets
Definition: sql_authentication.h:77
Protocol_classic * protocol
Definition: sql_authentication.h:87
int packets_read
Definition: sql_authentication.h:77
struct MPVIO_EXT::@41 cached_server_packet
this caches the first plugin packet for restart request on the client
LEX_STRING db
db name from the handshake packet
Definition: sql_authentication.h:66
LEX_CSTRING acl_user_plugin
Definition: sql_authentication.h:92
@ FAILURE
Definition: sql_authentication.h:79
@ START_MFA
Definition: sql_authentication.h:79
@ SUCCESS
Definition: sql_authentication.h:79
@ RESTART
Definition: sql_authentication.h:79
my_thread_id thread_id
Definition: sql_authentication.h:85
const char * pkt
pointers into NET::buff
Definition: sql_authentication.h:69
bool can_authenticate()
Definition: sql_authentication.cc:5881
struct rand_struct * rand
Definition: sql_authentication.h:84
plugin_ref plugin
what plugin we're under
Definition: sql_authentication.h:65
const char * host
Definition: sql_authentication.h:90
char * scramble
Definition: sql_authentication.h:82
uint * server_status
Definition: sql_authentication.h:86
MYSQL_SERVER_AUTH_INFO auth_info
Definition: sql_authentication.h:62
Thd_charset_adapter * charset_adapter
Definition: sql_authentication.h:91
Restrictions * restrictions
Definition: sql_authentication.h:64
MEM_ROOT * mem_root
Definition: sql_authentication.h:83
Definition: mysql_lex_string.h:40
const char * str
Definition: mysql_lex_string.h:41
Definition: mysql_lex_string.h:35
Provides plugin access to communication channel.
Definition: plugin_auth_common.h:146
Provides server plugin access to authentication information.
Definition: plugin_auth.h:71
SHOW STATUS Server status variable.
Definition: status_var.h:79
Definition: mysql_com.h:1109
Definition: sql_plugin_ref.h:45
std::atomic< bool > is_initialized(false)