MySQL  8.0.18
Source Code Documentation
i_sha2_password.h
1 /*
2 Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
3 
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7 
8 This program is also distributed with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have included with MySQL.
14 
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License, version 2.0, for more details.
19 
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
23 
24 #ifndef I_SHA2_PASSWORD_INCLUDED
25 #define I_SHA2_PASSWORD_INCLUDED
26 
27 #include <string>
28 #include <unordered_map>
29 
30 #include "crypt_genhash_impl.h" /* For salt, sha2 digest */
31 #include "mysql/plugin.h" /* MYSQL_PLUGIN */
32 #include "mysql/psi/mysql_rwlock.h" /* mysql_rwlock_t */
34 
35 /**
36  @file sql/auth/i_sha2_password.h
37  Classes for caching_sha2_authentication plugin
38 */
39 
40 /**
41  @defgroup auth_caching_sha2_auth caching_sha2_authentication information
42  @{
43 */
44 namespace sha2_password {
45 /* Minimum, default and maximum rounds for the fast digest (the digest kept in sha2_cache_entry) */
46 const unsigned int MIN_FAST_DIGEST_ROUNDS = 2;
47 const unsigned int DEFAULT_FAST_DIGEST_ROUNDS = 2;
48 const unsigned int MAX_FAST_DIGEST_ROUNDS = 1000;
49 
50 /* Length of Digest Info field */
51 const unsigned int DIGEST_INFO_LENGTH = 1;
52 /* Length of iteration info field */
53 const unsigned int ITERATION_LENGTH = 3;
54 /* Iteration multiplier to be used on extracted iteration count */
55 const unsigned int ITERATION_MULTIPLIER = 1000;
56 /* Upper cap on iterations */
57 const long unsigned int MAX_ITERATIONS = 100000;
58 /* length of salt */
59 const unsigned int SALT_LENGTH = CRYPT_SALT_LENGTH;
60 /* $ + A + $ + ITERATION_LENGTH + $ + SALT_LENGTH + CACHING_SHA2_DIGEST_LENGTH =
61  * 59 */
62 const unsigned int SHA256_AUTH_STRING_LEN =
64 /* Delimiter character */
65 const char DELIMITER = '$';
66 /* Stored digest length */
67 const unsigned int STORED_SHA256_DIGEST_LENGTH = 43;
68 /* Stored digest rounds */
72 /* Maximum password length */
74 /* Maximum supported passwords; sizes the first dimension of sha2_cache_entry::digest_buffer */
75 const unsigned int MAX_PASSWORDS = 2;
76 
77 typedef struct sha2_cache_entry {
80 
81 /**
82  Password cache used for caching_sha2_authentication
83 */
84 
86  public:
87  typedef std::unordered_map<std::string, sha2_cache_entry> password_cache;
88 
91  bool add(const std::string authorization_id,
92  const sha2_cache_entry &entry_to_be_cached);
93  bool remove(const std::string authorization_id);
94  bool search(const std::string authorization_id,
95  sha2_cache_entry &cache_entry);
96  /** Returns number of cache entries present */
97  size_t size() { return m_password_cache.size(); }
98  void clear_cache();
99 
100  private:
102 };
103 
104 /**
105  Class to handle caching_sha2_authentication
106  Provides methods for:
107  - Fast authentication
108  - Strong authentication
109  - Removal of cached entry
110 */
112  public:
114  MYSQL_PLUGIN plugin_handle,
115  size_t stored_digest_rounds = DEFAULT_STORED_DIGEST_ROUNDS,
116  unsigned int fast_digest_rounds = DEFAULT_FAST_DIGEST_ROUNDS,
119  std::pair<bool, bool> authenticate(const std::string &authorization_id,
120  const std::string *serialized_string,
121  const std::string &plaintext_password);
122  std::pair<bool, bool> fast_authenticate(const std::string &authorization_id,
123  const unsigned char *random,
124  unsigned int random_length,
125  const unsigned char *scramble,
126  bool check_second);
127  void remove_cached_entry(const std::string authorization_id);
128  bool deserialize(const std::string &serialized_string,
129  Digest_info &digest_type, std::string &salt,
130  std::string &digest, size_t &iterations);
131  bool serialize(std::string &serialized_string, const Digest_info &digest_type,
132  const std::string &salt, const std::string &digest,
133  size_t iterations);
134  bool generate_fast_digest(const std::string &plaintext_password,
135  sha2_cache_entry &digest, unsigned int loc);
136  bool generate_sha2_multi_hash(const std::string &src,
137  const std::string &random, std::string *digest,
138  unsigned int iterations);
139  size_t get_cache_count();
140  void clear_cache();
141  bool validate_hash(const std::string serialized_string);
144 
145  private:
146  /** Plugin handle */
148  /** Number of rounds for stored digest */
150  /** Number of rounds for fast digest */
151  unsigned int m_fast_digest_rounds;
152  /** Digest type */
154  /** Lock to protect @c m_cache */
156  /** Cache mapping authorization_id to a sha2_cache_entry (digest buffers) */
158 };
159 } // namespace sha2_password
160 
161 /** @} (end of auth_caching_sha2_auth) */
162 
163 #endif // !I_SHA2_PASSWORD_INCLUDED
bool deserialize(const std::string &serialized_string, Digest_info &digest_type, std::string &salt, std::string &digest, size_t &iterations)
Deserialize obtained hash and retrieve various parts.
Definition: sha2_password.cc:438
mysql_rwlock_t m_cache_lock
Lock to protect m_cache.
Definition: i_sha2_password.h:155
bool generate_sha2_multi_hash(const std::string &src, const std::string &random, std::string *digest, unsigned int iterations)
Generate multi-round sha2 hash using source and random string.
Definition: sha2_password.cc:647
bool search(const std::string authorization_id, sha2_cache_entry &cache_entry)
Search for an entry in the cache.
Definition: sha2_password.cc:146
const unsigned int DEFAULT_FAST_DIGEST_ROUNDS
Definition: i_sha2_password.h:47
size_t get_cache_count()
Get cache count.
Definition: sha2_password.cc:685
const unsigned int SALT_LENGTH
Definition: i_sha2_password.h:59
const unsigned int ITERATION_MULTIPLIER
Definition: i_sha2_password.h:55
const unsigned int CACHING_SHA2_DIGEST_LENGTH
Definition: i_sha2_password_common.h:44
#define ROUNDS_DEFAULT
Definition: crypt_genhash_impl.h:29
const unsigned int MAX_FAST_DIGEST_ROUNDS
Definition: i_sha2_password.h:48
const unsigned int STORED_SHA256_DIGEST_LENGTH
Definition: i_sha2_password.h:67
size_t size()
Returns number of cache entries present.
Definition: i_sha2_password.h:97
size_t get_digest_rounds()
Definition: i_sha2_password.h:143
bool add(const std::string authorization_id, const sha2_cache_entry &entry_to_be_cached)
Add an entry to the cache. We manage our own memory.
Definition: sha2_password.cc:103
const size_t CACHING_SHA2_PASSWORD_MAX_PASSWORD_LENGTH
Definition: i_sha2_password.h:73
const size_t MAX_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:71
struct sha2_password::sha2_cache_entry sha2_cache_entry
bool serialize(std::string &serialized_string, const Digest_info &digest_type, const std::string &salt, const std::string &digest, size_t iterations)
Serialize the following into serialized_string: digest type, salt, digest and iteration count.
Definition: sha2_password.cc:539
unsigned int m_fast_digest_rounds
Number of rounds for fast digest.
Definition: i_sha2_password.h:151
Classes for caching_sha2_authentication plugin.
Digest_info get_digest_type() const
Definition: i_sha2_password.h:142
std::pair< bool, bool > authenticate(const std::string &authorization_id, const std::string *serialized_string, const std::string &plaintext_password)
Perform slow authentication.
Definition: sha2_password.cc:233
~Caching_sha2_password()
Caching_sha2_password destructor - destroy rw lock.
Definition: sha2_password.cc:207
#define MAX_PLAINTEXT_LENGTH
Definition: crypt_genhash_impl.h:40
~SHA2_password_cache()
Destructor - Release all memory.
Definition: sha2_password.cc:85
const unsigned int MAX_PASSWORDS
Definition: i_sha2_password.h:75
bool validate_hash(const std::string serialized_string)
Validate a hash format.
Definition: sha2_password.cc:707
Definition: i_sha2_password.h:44
void remove_cached_entry(const std::string authorization_id)
Remove an entry from the cache.
Definition: sha2_password.cc:396
SHA2_password_cache m_cache
user=>password cache
Definition: i_sha2_password.h:157
const long unsigned int MAX_ITERATIONS
Definition: i_sha2_password.h:57
Definition: i_sha2_password.h:77
Instrumentation helpers for rwlock.
#define CRYPT_SALT_LENGTH
Definition: crypt_genhash_impl.h:33
void * MYSQL_PLUGIN
Definition: plugin.h:73
Caching_sha2_password(MYSQL_PLUGIN plugin_handle, size_t stored_digest_rounds=DEFAULT_STORED_DIGEST_ROUNDS, unsigned int fast_digest_rounds=DEFAULT_FAST_DIGEST_ROUNDS, Digest_info digest_type=Digest_info::SHA256_DIGEST)
Caching_sha2_password constructor - Initializes rw lock.
Definition: sha2_password.cc:182
static unsigned int iterations
Definition: mysqlslap.cc:183
MYSQL_PLUGIN m_plugin_info
Plugin handle.
Definition: i_sha2_password.h:147
size_t m_stored_digest_rounds
Number of rounds for stored digest.
Definition: i_sha2_password.h:149
const unsigned int DIGEST_INFO_LENGTH
Definition: i_sha2_password.h:51
Digest_info m_digest_type
Digest type.
Definition: i_sha2_password.h:153
#define ROUNDS_MAX
Definition: crypt_genhash_impl.h:31
Class to handle caching_sha2_authentication. Provides methods for fast authentication, strong authentication and removal of a cached entry.
Definition: i_sha2_password.h:111
const size_t DEFAULT_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:70
void scramble(char *to, const char *message, const char *password)
Produce an obscure octet sequence from password and random string, received from the server...
Definition: password.cc:270
An instrumented rwlock structure.
Definition: mysql_rwlock_bits.h:50
void clear_cache()
Clear the password cache.
Definition: sha2_password.cc:692
const unsigned int ITERATION_LENGTH
Definition: i_sha2_password.h:53
bool generate_fast_digest(const std::string &plaintext_password, sha2_cache_entry &digest, unsigned int loc)
Generate digest based on m_fast_digest_rounds.
Definition: sha2_password.cc:598
const unsigned int SHA256_AUTH_STRING_LEN
Definition: i_sha2_password.h:62
unsigned char digest_buffer[MAX_PASSWORDS][CACHING_SHA2_DIGEST_LENGTH]
Definition: i_sha2_password.h:78
Digest_info
Supported digest information.
Definition: i_sha2_password_common.h:50
password_cache m_password_cache
Definition: i_sha2_password.h:101
SHA2_password_cache()
Definition: i_sha2_password.h:89
std::unordered_map< std::string, sha2_cache_entry > password_cache
Definition: i_sha2_password.h:87
void clear_cache()
Clear the cache - Release all memory.
Definition: sha2_password.cc:162
const unsigned int MIN_FAST_DIGEST_ROUNDS
Definition: i_sha2_password.h:46
#define ROUNDS_MIN
Definition: crypt_genhash_impl.h:30
const size_t MIN_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:69
std::pair< bool, bool > fast_authenticate(const std::string &authorization_id, const unsigned char *random, unsigned int random_length, const unsigned char *scramble, bool check_second)
Perform fast authentication.
Definition: sha2_password.cc:349
const char DELIMITER
Definition: i_sha2_password.h:65
Password cache used for caching_sha2_authentication.
Definition: i_sha2_password.h:85