1 /* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef SQL_AUTHENTICATION_INCLUDED
24 #define SQL_AUTHENTICATION_INCLUDED
25 
26 #include <openssl/rsa.h>
27 #include <stddef.h>
28 #include <sys/types.h>
29 
30 #include "lex_string.h"
31 #include "m_ctype.h"
32 #include "my_thread_local.h" // my_thread_id
33 #include "mysql/plugin_auth.h" // MYSQL_SERVER_AUTH_INFO
35 #include "sql/sql_plugin_ref.h" // plugin_ref
36 
37 class ACL_USER;
38 class Protocol_classic;
39 class THD;
40 class Restrictions;
41 struct MEM_ROOT;
42 struct SHOW_VAR;
43 
44 /* Classes */
45 
47  THD *thd;
48 
49  public:
/// Binds the adapter to one session. The THD is kept as a raw pointer and
/// the adapter is presumed not to own it (no destructor is declared here).
/// @param thd_arg session descriptor the character-set operations act on
Thd_charset_adapter(THD *thd_arg) : thd{thd_arg} {}
/// Selects the client character set by its collation/charset number
/// (defined in sql_authentication.cc).
/// @param cs_number charset number sent by the client — presumably from the
///        handshake packet; confirm against the caller
/// @return true on failure, false on success — assumed from MySQL's usual
///         bool-error convention, confirm in the definition
bool init_client_charset(uint cs_number);

/// Returns the session's current character set (defined in
/// sql_authentication.cc).
const CHARSET_INFO *charset();
54 };
55 
56 /**
57  The internal version of what plugins know as MYSQL_PLUGIN_VIO,
58  basically the context of the authentication session
59 */
60 struct MPVIO_EXT : public MYSQL_PLUGIN_VIO {
64  plugin_ref plugin; ///< what plugin we're under
65  LEX_STRING db; ///< db name from the handshake packet
66  /** when restarting a plugin this caches the last client reply */
67  struct {
68  const char *plugin, *pkt; ///< pointers into NET::buff
71  /** this caches the first plugin packet for restart request on the client */
72  struct {
73  char *pkt;
74  uint pkt_len;
76  int packets_read, packets_written; ///< counters for send/received packets
77  /** when plugin returns a failure this tells us what really happened */
79 
80  /* encapsulation members */
81  char *scramble;
83  struct rand_struct *rand;
88  const char *ip;
89  const char *host;
93  bool can_authenticate();
94 };
95 
96 class String;
97 
/// Loads the RSA key pair from disk and stores it in a global variable
/// (definition in sql_authentication.cc).
/// @return true on failure, false on success — assumed from MySQL's usual
///         bool-error convention; confirm in the definition
bool init_rsa_keys(void);
/// Counterpart of init_rsa_keys(); presumably releases the global key pair.
void deinit_rsa_keys(void);
/// SHOW STATUS callback for the RSA public key variable (SHOW_VAR is the
/// server status-variable type). What exactly it writes into buff is not
/// visible here — presumably the PEM text.
int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff);

/// Local alias for OpenSSL's RSA handle; <openssl/rsa.h> is included above,
/// so this merely repeats the library's own typedef.
typedef struct rsa_st RSA;
104  private:
111 
/// Resolves the path of a key file into key_file_path ("Set key file path";
/// defined in sql_authentication.cc). How a relative key is resolved is not
/// visible in this header.
void get_key_file_path(char *key, String *key_file_path);
/// Reads a key file and stores its value in an RSA structure (defined in
/// sql_authentication.cc).
/// @param key_ptr         receives the parsed key
/// @param is_priv_key     selects private- vs public-key parsing
/// @param key_text_buffer presumably receives the raw key text (PEM, judging
///                        by m_pem_public_key / allocate_pem_buffer) — confirm
bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer);
114 
115  public:
116  Rsa_authentication_keys(char **private_key_path, char **public_key_path)
119  m_cipher_len(0),
121  m_private_key_path(private_key_path),
122  m_public_key_path(public_key_path) {}
124 
/// Releases what this object allocated (defined in sql_authentication.cc).
/// Note the destructor is defaulted, so callers are presumably expected to
/// call this explicitly — confirm against the users of the class.
void free_memory();
/// Allocates a buffer of buffer_len bytes for key text (defined in
/// sql_authentication.cc); who frees it is not visible here.
void *allocate_pem_buffer(size_t buffer_len);
128 
130 
/// Returns the cipher length for the loaded key (defined in
/// sql_authentication.cc); presumably derived from the key size — confirm.
int get_cipher_length();
/// Reads the RSA private and public keys from file and stores them in
/// m_private_key and m_public_key (defined in sql_authentication.cc).
/// @return true on failure, false on success — assumed from MySQL's usual
///         bool-error convention; confirm in the definition
bool read_rsa_keys();
/// Returns the cached public key as text. The pointer aliases
/// m_pem_public_key (non-owning); it is presumably null until the keys have
/// been read and invalid after free_memory() — confirm in the .cc file.
const char *get_public_key_as_pem(void) {
  const char *const pem_text = m_pem_public_key;
  return pem_text;
}
134 };
135 
136 /* Data Structures */
137 
139 
140 extern bool allow_all_hosts;
141 
142 typedef enum {
146  /* Add new plugin before this */
149 
151 
153  public:
/// "Use known pointers for cached plugins to improve comparison time":
/// presumably rewrites plugin->str to alias the cached copy of the same name
/// (defined in sql_authentication.cc). compare_plugin() and
/// auth_plugin_is_built_in() below compare by address, so a name that has
/// not passed through here will not match them.
static void optimize_plugin_compare_by_pointer(LEX_CSTRING *plugin);
156 
/**
  Compare given plugin against one of the cached ones

  @param [in] plugin_index Cached plugin index
  @param [in] plugin       Plugin to be compared

  @returns status of comparison
    @retval true  Match
    @retval false Not a match

  @note The comparison is by pointer identity, not string content: a name
        that is textually equal but lives at a different address is reported
        as "not a match". Names must be mapped onto the cached pointers
        (optimize_plugin_compare_by_pointer()) before this is meaningful.
*/
static bool compare_plugin(cached_plugins_enum plugin_index,
                           LEX_CSTRING plugin) {
  // Out-of-range index or a null name can never match.
  if (plugin_index < PLUGIN_LAST && plugin.str) {
    return (plugin.str == cached_plugins_names[plugin_index].str);
  }
  return false;
}
175 
/**
  Check if given plugin is a builtin

  @param [in] plugin Plugin name (must be non-null; it is dereferenced
                     without a check)

  @returns true if builtin, false otherwise

  @note Compared by address, not by content: only a name that already aliases
        one of the cached entries (see optimize_plugin_compare_by_pointer())
        is recognised as built in.
*/
static bool auth_plugin_is_built_in(LEX_CSTRING *plugin) {
  const char *const candidate = plugin->str;
  // cached_plugins_names has exactly PLUGIN_LAST entries.
  for (const LEX_CSTRING &builtin : cached_plugins_names) {
    if (candidate == builtin.str) return true;
  }
  return false;
}
189 
/**
  Get name of the plugin at given index

  @param [in] plugin_index Cached plugin index

  @returns name of the cached plugin at given index, or nullptr when the
           index is not below PLUGIN_LAST
*/
static const char *get_plugin_name(cached_plugins_enum plugin_index) {
  const bool in_range = plugin_index < PLUGIN_LAST;
  return in_range ? cached_plugins_names[plugin_index].str : nullptr;
}
202 
205 
207 
/**
  Fetch cached plugin handle

  @param plugin_index Cached plugin index

  @returns cached plugin_ref if found, nullptr when the index is not below
           PLUGIN_LAST
*/
plugin_ref get_cached_plugin_ref(cached_plugins_enum plugin_index) {
  const bool in_range = plugin_index < PLUGIN_LAST;
  return in_range ? cached_plugins[plugin_index] : nullptr;
}
219 
/// Reports the m_valid flag. Where the flag is set is not visible in this
/// header (the constructor is defined in sql_authentication.cc).
bool is_valid() {
  const bool valid = m_valid;
  return valid;
}
222 
223  private:
224  bool m_valid;
225 };
226 
228 
/**
  When authentication is attempted using an unknown username, build a dummy
  user account with no usable authentication data so the login path can
  proceed as for an existing account (defined in sql_authentication.cc).
  Presumably this keeps the server's behaviour for unknown and known names
  alike, so the response does not reveal whether the account exists —
  confirm against the implementation.

  Parameter roles are inferred from the names; confirm in the definition:
  @param username        name presented by the client
  @param hostname        client host as seen by the server
  @param mem             arena the decoy is carved out of
  @param rand            random source, presumably for the decoy's
                         scramble/salt material
  @param is_initialized  whether the ACL subsystem has finished initialising
  @returns the decoy ACL_USER
*/
ACL_USER *decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname,
                     MEM_ROOT *mem, struct rand_struct *rand,
                     bool is_initialized);
/* Default file names of the server RSA key pair, presumably used when no
   explicit key path is configured; where they are resolved relative to is
   not visible here. */
#define AUTH_DEFAULT_RSA_PRIVATE_KEY "private_key.pem"
#define AUTH_DEFAULT_RSA_PUBLIC_KEY "public_key.pem"
234 
235 #endif /* SQL_AUTHENTICATION_INCLUDED */