MySQL  8.0.19
Source Code Documentation
sha2_password.cc File Reference
#include <string.h>
#include <sys/types.h>
#include <algorithm>
#include <iomanip>
#include <iostream>
#include <string>
#include <unordered_map>
#include <utility>
#include "crypt_genhash_impl.h"
#include "lex_string.h"
#include "m_string.h"
#include "my_compiler.h"
#include "my_dbug.h"
#include "my_inttypes.h"
#include "my_macros.h"
#include "mysql/components/my_service.h"
#include "mysql/components/services/log_builtins.h"
#include "mysql/components/services/psi_rwlock_bits.h"
#include "mysql/mysql_lex_string.h"
#include "mysql/plugin.h"
#include "mysql/plugin_audit.h"
#include "mysql/plugin_auth.h"
#include "mysql/plugin_auth_common.h"
#include "mysql/psi/mysql_rwlock.h"
#include "mysql/psi/psi_base.h"
#include "mysql/service_my_plugin_log.h"
#include "mysql/service_mysql_password_policy.h"
#include "mysql_com.h"
#include "mysqld_error.h"
#include "rwlock_scoped_lock.h"
#include "sql/auth/auth_common.h"
#include "sql/auth/i_sha2_password.h"
#include "sql/auth/i_sha2_password_common.h"
#include "sql/auth/sql_auth_cache.h"
#include "sql/auth/sql_authentication.h"
#include "sql/protocol_classic.h"
#include "sql/sql_class.h"
#include "sql/sql_const.h"
#include "violite.h"
#include <openssl/ssl.h>

Classes

struct  caching_sha2_auth_handler
 st_mysql_auth for caching_sha2_password plugin More...
 

Namespaces

 sha2_password
 

Macros

#define LOG_COMPONENT_TAG   "caching_sha2_password"
 

Functions

static int my_vio_is_secure (MYSQL_PLUGIN_VIO *vio)
 Interface for querying the MYSQL_PUBLIC_VIO about encryption state. More...
 
static void auth_save_scramble (MYSQL_PLUGIN_VIO *vio, const char *scramble)
 Save the scramble in mpvio for future re-use. More...
 
static void make_hash_key (const char *username, const char *hostname, std::string &key)
 Make hash key. More...
 
static int caching_sha2_password_authenticate (MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
 Authentication routine for caching_sha2_password. More...
 
static int caching_sha2_password_generate (char *outbuf, unsigned int *buflen, const char *inbuf, unsigned int inbuflen)
 Generate hash for caching_sha2_password plugin. More...
 
static int caching_sha2_password_validate (char *const inbuf, unsigned int buflen)
 Validate a hash against caching_sha2_password plugin's hash format. More...
 
static int caching_sha2_password_salt (const char *password, unsigned int password_len, unsigned char *salt, unsigned char *salt_len)
 NoOp - Salt generation for cachhing_sha2_password plugin. More...
 
static int caching_sha2_authentication_init (MYSQL_PLUGIN plugin_ref)
 
static int caching_sha2_authentication_deinit (void *arg)
 Deinitialize caching_sha2_password plugin. More...
 
static int compare_caching_sha2_password_with_hash (const char *hash, unsigned long hash_length, const char *cleartext, unsigned long cleartext_length, int *is_error)
 Compare a clear text password with a stored hash. More...
 
static int show_caching_sha2_password_rsa_public_key (MYSQL_THD thd, SHOW_VAR *var, char *buff)
 Function to display value for status variable : Caching_sha2_password_rsa_public_key. More...
 
static MYSQL_SYSVAR_STR (private_key_path, caching_sha2_rsa_private_key_path, PLUGIN_VAR_READONLY|PLUGIN_VAR_NOPERSIST, "A fully qualified path to the private RSA key used for authentication.", NULL, NULL, AUTH_DEFAULT_RSA_PRIVATE_KEY)
 
static MYSQL_SYSVAR_STR (public_key_path, caching_sha2_rsa_public_key_path, PLUGIN_VAR_READONLY|PLUGIN_VAR_NOPERSIST, "A fully qualified path to the public RSA key used for authentication.", NULL, NULL, AUTH_DEFAULT_RSA_PUBLIC_KEY)
 
static MYSQL_SYSVAR_BOOL (auto_generate_rsa_keys, caching_sha2_auto_generate_rsa_keys, PLUGIN_VAR_READONLY|PLUGIN_VAR_OPCMDARG|PLUGIN_VAR_NOPERSIST, "Auto generate RSA keys at server startup if corresponding " "system variables are not specified and key files are not present " "at the default location.", NULL, NULL, true)
 
static int sha2_cache_cleaner_notify (MYSQL_THD, mysql_event_class_t event_class, const void *event)
 Handle an authentication audit event. More...
 
static int caching_sha2_cache_cleaner_init (MYSQL_PLUGIN plugin_info)
 Init function for sha2_cache_cleaner. More...
 
static int caching_sha2_cache_cleaner_deinit (void *arg)
 Deinit function for sha2_cache_cleaner. More...
 
 mysql_declare_plugin (caching_sha2_password)
 

Variables

char * caching_sha2_rsa_private_key_path
 
char * caching_sha2_rsa_public_key_path
 
bool caching_sha2_auto_generate_rsa_keys = true
 
Rsa_authentication_keys * g_caching_sha2_rsa_keys = 0
 
static const char * sha2_password::category = "sha2_auth"
 
static PSI_rwlock_key sha2_password::key_m_cache_lock
 
static PSI_rwlock_info sha2_password::all_rwlocks []
 
const int MAX_CIPHER_LENGTH = 1024
 Length of encrypted packet. More...
 
const int CACHING_SHA2_PASSWORD_ITERATIONS
 Default iteration count. More...
 
sha2_password::Caching_sha2_passwordg_caching_sha2_password = 0
 Caching_sha2_password handle. More...
 
static MYSQL_PLUGIN caching_sha2_auth_plugin_ref
 caching_sha2_password plugin handle - Mostly used for logging More...
 
static char request_public_key = '\2'
 
static char fast_auth_success = '\3'
 
static char perform_full_authentication = '\4'
 
static SYS_VARcaching_sha2_password_sysvars []
 Array of system variables. More...
 
static SHOW_VAR caching_sha2_password_status_variables []
 Array of status variables. More...
 
struct st_mysql_audit sha2_cache_cleaner
 st_mysql_audit for sha2_cache_cleaner plugin More...
 

Macro Definition Documentation

◆ LOG_COMPONENT_TAG

#define LOG_COMPONENT_TAG   "caching_sha2_password"

Function Documentation

◆ auth_save_scramble()

static void auth_save_scramble ( MYSQL_PLUGIN_VIO vio,
const char *  scramble 
)
inlinestatic

Save the scramble in mpvio for future re-use.

It is useful when we need to pass the scramble to another plugin. Especially in case when old 5.1 client with no CLIENT_PLUGIN_AUTH capability tries to connect to server with default-authentication-plugin set to caching_sha2_password

Parameters
vioVirtual Input-Output interface
scrambleScramble to be saved

◆ caching_sha2_authentication_deinit()

static int caching_sha2_authentication_deinit ( void *  arg)
static

Deinitialize caching_sha2_password plugin.

Parameters
[in]argUnused
Returns
Always returns success

◆ caching_sha2_authentication_init()

static int caching_sha2_authentication_init ( MYSQL_PLUGIN  plugin_ref)
static

◆ caching_sha2_cache_cleaner_deinit()

static int caching_sha2_cache_cleaner_deinit ( void *  arg)
static

Deinit function for sha2_cache_cleaner.

◆ caching_sha2_cache_cleaner_init()

static int caching_sha2_cache_cleaner_init ( MYSQL_PLUGIN  plugin_info)
static

Init function for sha2_cache_cleaner.

◆ caching_sha2_password_authenticate()

static int caching_sha2_password_authenticate ( MYSQL_PLUGIN_VIO vio,
MYSQL_SERVER_AUTH_INFO info 
)
static

Authentication routine for caching_sha2_password.

Parameters
[in]vioVirtual I/O interface
[in]infoConnection information

Refer to Caching_sha2_password information for server-client communication in various cases

Returns
status of authentication process
Return values
CR_OKSuccessful authentication
CR_ERRORAuthentication failure

◆ caching_sha2_password_generate()

static int caching_sha2_password_generate ( char *  outbuf,
unsigned int *  buflen,
const char *  inbuf,
unsigned int  inbuflen 
)
static

Generate hash for caching_sha2_password plugin.

Parameters
[out]outbufHash output buffer
[out]buflenLength of hash in output buffer
[in]inbufPlaintext password
[in]inbuflenInput password length
Note
outbuf must be larger than MAX_FIELD_WIDTH. It is assumed the caller asserts this.
Returns
status of hash generation
Return values
0Successful hash generation
1Error generating hash. Don't reply on outbuf/buflen

◆ caching_sha2_password_salt()

static int caching_sha2_password_salt ( const char *  password,
unsigned int  password_len,
unsigned char *  salt,
unsigned char *  salt_len 
)
static

NoOp - Salt generation for cachhing_sha2_password plugin.

Parameters
[in]passwordUnused
[in]password_lenUnused
[out]saltUnused
[out]salt_lenLength of the salt buffer
Returns
Always returns success (0)

◆ caching_sha2_password_validate()

static int caching_sha2_password_validate ( char *const  inbuf,
unsigned int  buflen 
)
static

Validate a hash against caching_sha2_password plugin's hash format.

Parameters
[in]inbufHash to be validated
[in]buflenLength of the hash
Returns
status of hash validation
Return values
0Hash is according to caching_sha2_password's expected format
1Hash does not match caching_sha2_password's requirement

◆ compare_caching_sha2_password_with_hash()

static int compare_caching_sha2_password_with_hash ( const char *  hash,
unsigned long  hash_length,
const char *  cleartext,
unsigned long  cleartext_length,
int *  is_error 
)
static

Compare a clear text password with a stored hash.

Check if stored hash is produced using a clear text password. To do that, first extra scrmable from the hash. Then calculate a new hash using extracted scramble and the supplied password. And finally compare the two hashes.

  • hash pointer to the hashed data
  • hash_length length of the hashed data
  • cleartext pointer to the clear text password
  • cleartext_length length of the cleat text password
  • [out] is_error non-zero in case of error extracting the salt
    Return values
    0the hash was created with that password
    non-zerothe hash was created with a different password

◆ make_hash_key()

static void make_hash_key ( const char *  username,
const char *  hostname,
std::string &  key 
)
static

Make hash key.

Parameters
[in]usernameUser part of the key
[in]hostnameHost part of the key
[out]keyGenerated hash key

◆ my_vio_is_secure()

static int my_vio_is_secure ( MYSQL_PLUGIN_VIO vio)
static

Interface for querying the MYSQL_PUBLIC_VIO about encryption state.

◆ mysql_declare_plugin()

mysql_declare_plugin ( caching_sha2_password  )

◆ MYSQL_SYSVAR_BOOL()

static MYSQL_SYSVAR_BOOL ( auto_generate_rsa_keys  ,
caching_sha2_auto_generate_rsa_keys  ,
PLUGIN_VAR_READONLY|PLUGIN_VAR_OPCMDARG PLUGIN_VAR_NOPERSIST,
"Auto generate RSA keys at server startup if corresponding " "system variables are not specified and key files are not present " "at the default location."  ,
NULL  ,
NULL  ,
true   
)
static

◆ MYSQL_SYSVAR_STR() [1/2]

static MYSQL_SYSVAR_STR ( private_key_path  ,
caching_sha2_rsa_private_key_path  ,
PLUGIN_VAR_READONLY PLUGIN_VAR_NOPERSIST,
"A fully qualified path to the private RSA key used for authentication."  ,
NULL  ,
NULL  ,
AUTH_DEFAULT_RSA_PRIVATE_KEY   
)
static

◆ MYSQL_SYSVAR_STR() [2/2]

static MYSQL_SYSVAR_STR ( public_key_path  ,
caching_sha2_rsa_public_key_path  ,
PLUGIN_VAR_READONLY PLUGIN_VAR_NOPERSIST,
"A fully qualified path to the public RSA key used for authentication."  ,
NULL  ,
NULL  ,
AUTH_DEFAULT_RSA_PUBLIC_KEY   
)
static

◆ sha2_cache_cleaner_notify()

static int sha2_cache_cleaner_notify ( MYSQL_THD  ,
mysql_event_class_t  event_class,
const void *  event 
)
static

Handle an authentication audit event.

Parameters
[in]event_classEvent class information
[in]eventEvent structure
Returns
Success always.

◆ show_caching_sha2_password_rsa_public_key()

static int show_caching_sha2_password_rsa_public_key ( MYSQL_THD  thd,
SHOW_VAR var,
char *  buff 
)
static

Function to display value for status variable : Caching_sha2_password_rsa_public_key.

Parameters
[in]thdMYSQL_THD handle. Unused.
[out]varStatus variable structure
[in]buffValue buffer

Variable Documentation

◆ caching_sha2_auth_plugin_ref

MYSQL_PLUGIN caching_sha2_auth_plugin_ref
static

caching_sha2_password plugin handle - Mostly used for logging

◆ caching_sha2_auto_generate_rsa_keys

bool caching_sha2_auto_generate_rsa_keys = true

◆ CACHING_SHA2_PASSWORD_ITERATIONS

const int CACHING_SHA2_PASSWORD_ITERATIONS
Initial value:

Default iteration count.

◆ caching_sha2_password_status_variables

SHOW_VAR caching_sha2_password_status_variables[]
static
Initial value:
= {
{"Caching_sha2_password_rsa_public_key",

Array of status variables.

Used in plugin declaration.

◆ caching_sha2_password_sysvars

SYS_VAR* caching_sha2_password_sysvars[]
static
Initial value:
= {
MYSQL_SYSVAR(private_key_path), MYSQL_SYSVAR(public_key_path),
MYSQL_SYSVAR(auto_generate_rsa_keys), 0}

Array of system variables.

Used in plugin declaration.

◆ caching_sha2_rsa_private_key_path

char* caching_sha2_rsa_private_key_path

◆ caching_sha2_rsa_public_key_path

char* caching_sha2_rsa_public_key_path

◆ fast_auth_success

char fast_auth_success = '\3'
static

◆ g_caching_sha2_password

sha2_password::Caching_sha2_password* g_caching_sha2_password = 0

Caching_sha2_password handle.

◆ g_caching_sha2_rsa_keys

Rsa_authentication_keys* g_caching_sha2_rsa_keys = 0

◆ MAX_CIPHER_LENGTH

const int MAX_CIPHER_LENGTH = 1024

Length of encrypted packet.

◆ perform_full_authentication

char perform_full_authentication = '\4'
static

◆ request_public_key

char request_public_key = '\2'
static

◆ sha2_cache_cleaner

struct st_mysql_audit sha2_cache_cleaner
Initial value:
= {
NULL,
{
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
(unsigned long)
}}

st_mysql_audit for sha2_cache_cleaner plugin

NULL
#define NULL
Definition: types.h:55
enum_mysql_show_type
enum_mysql_show_type
Declarations for SHOW STATUS support in plugins.
Definition: status_var.h:29
MYSQL_SYSVAR
#define MYSQL_SYSVAR(name)
Definition: plugin.h:278
SHOW_SCOPE_GLOBAL
@ SHOW_SCOPE_GLOBAL
Definition: status_var.h:69
SHOW_FUNC
@ SHOW_FUNC
Definition: status_var.h:38
sha2_cache_cleaner_notify
static int sha2_cache_cleaner_notify(MYSQL_THD, mysql_event_class_t event_class, const void *event)
Handle an authentication audit event.
Definition: sha2_password.cc:1370
enum_mysql_show_scope
enum_mysql_show_scope
Status variable scope.
Definition: status_var.h:67
show_caching_sha2_password_rsa_public_key
static int show_caching_sha2_password_rsa_public_key(MYSQL_THD thd, SHOW_VAR *var, char *buff)
Function to display value for status variable : Caching_sha2_password_rsa_public_key.
Definition: sha2_password.cc:1310
sha2_password::DEFAULT_STORED_DIGEST_ROUNDS
const size_t DEFAULT_STORED_DIGEST_ROUNDS
Definition: i_sha2_password.h:70
MYSQL_AUDIT_INTERFACE_VERSION
#define MYSQL_AUDIT_INTERFACE_VERSION
Definition: plugin_audit.h:39
MYSQL_AUDIT_AUTHENTICATION_ALL
#define MYSQL_AUDIT_AUTHENTICATION_ALL
Definition: plugin_audit.h:571