MySQL 8.0.30
Source Code Documentation
sql_authentication.h
Go to the documentation of this file.
1/* Copyright (c) 2000, 2022, Oracle and/or its affiliates.
2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License, version 2.0,
5 as published by the Free Software Foundation.
6
7 This program is also distributed with certain software (including
8 but not limited to OpenSSL) that is licensed under separate terms,
9 as designated in a particular file or component or in included license
10 documentation. The authors of MySQL hereby grant you an additional
11 permission to link the program and your derivative works with the
12 separately licensed software that they have included with MySQL.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License, version 2.0, for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22
23#ifndef SQL_AUTHENTICATION_INCLUDED
24#define SQL_AUTHENTICATION_INCLUDED
25
26#include <openssl/rsa.h>
27#include <stddef.h>
28#include <sys/types.h>
29
30#include "lex_string.h"
31#include "m_ctype.h"
32#include "my_thread_local.h" // my_thread_id
33#include "mysql/plugin_auth.h" // MYSQL_SERVER_AUTH_INFO
35#include "sql/sql_plugin_ref.h" // plugin_ref
36
37class ACL_USER;
39class THD;
40class Restrictions;
41struct MEM_ROOT;
42struct SHOW_VAR;
43
44/* Classes */
45
48
49 public:
50 Thd_charset_adapter(THD *thd_arg) : thd(thd_arg) {}
51 bool init_client_charset(uint cs_number);
52
53 const CHARSET_INFO *charset();
54};
55
56/**
57 The internal version of what plugins know as MYSQL_PLUGIN_VIO,
58 basically the context of the authentication session
59*/
60struct MPVIO_EXT : public MYSQL_PLUGIN_VIO {
64 plugin_ref plugin; ///< what plugin we're under
65 LEX_STRING db; ///< db name from the handshake packet
66 /** when restarting a plugin this caches the last client reply */
67 struct {
68 const char *plugin, *pkt; ///< pointers into NET::buff
71 /** this caches the first plugin packet for restart request on the client */
72 struct {
73 char *pkt;
76 int packets_read, packets_written; ///< counters for send/received packets
77 /** when plugin returns a failure this tells us what really happened */
79
80 /* encapsulation members */
81 char *scramble;
88 const char *ip;
89 const char *host;
93 bool can_authenticate();
94};
95
96class String;
97
98bool init_rsa_keys(void);
99void deinit_rsa_keys(void);
100int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff);
101
102typedef struct rsa_st RSA;
104 private:
105#if OPENSSL_VERSION_NUMBER >= 0x30000000L
106 EVP_PKEY *m_public_key;
107 EVP_PKEY *m_private_key;
108#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
111#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
116
117 void get_key_file_path(char *key, String *key_file_path);
118
119#if OPENSSL_VERSION_NUMBER >= 0x30000000L
120 bool read_key_file(EVP_PKEY **key_ptr, bool is_priv_key,
121 char **key_text_buffer);
122#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
123 bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer);
124#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
125
126 public:
127 Rsa_authentication_keys(char **private_key_path, char **public_key_path)
130 m_cipher_len(0),
132 m_private_key_path(private_key_path),
133 m_public_key_path(public_key_path) {}
135
136 void free_memory();
137 void *allocate_pem_buffer(size_t buffer_len);
138
139#if OPENSSL_VERSION_NUMBER >= 0x30000000L
140 EVP_PKEY *get_private_key() { return m_private_key; }
141 EVP_PKEY *get_public_key() { return m_public_key; }
142#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
145#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
146
147 int get_cipher_length();
148 bool read_rsa_keys();
149 const char *get_public_key_as_pem(void) { return m_pem_public_key; }
150};
151
152/* Data Structures */
153
155
156extern bool allow_all_hosts;
157
158typedef enum {
162 /* Add new plugin before this */
165
167
169 public:
172
173 /**
174 Compare given plugin against one of the cached ones
175
176 @param [in] plugin_index Cached plugin index
177 @param [in] plugin Plugin to be compared
178
179 @returns status of comparison
180 @retval true Match
181 @retval false Not a match
182 */
183 static bool compare_plugin(cached_plugins_enum plugin_index,
184 LEX_CSTRING plugin) {
185 if (plugin_index < PLUGIN_LAST && plugin.str) {
187 return (plugin.str == cached_plugins_names[plugin_index].str);
188 }
189 return false;
190 }
191
192 /**
193 Check if given plugin is a builtin
194
195 @param [in] plugin Plugin name
196
197 @returns true if builtin, false otherwise
198 */
200 for (uint i = 0; i < (uint)PLUGIN_LAST; ++i) {
201 if (plugin->str == cached_plugins_names[i].str) return true;
202 }
203 return false;
204 }
205
206 /**
207 Get name of the plugin at given index
208
209 @param [in] plugin_index Cached plugin index
210
211 @returns name of the cached plugin at given index
212 */
213 static const char *get_plugin_name(cached_plugins_enum plugin_index) {
214 if (plugin_index < PLUGIN_LAST)
215 return cached_plugins_names[plugin_index].str;
216 return nullptr;
217 }
218
221
223
224 /**
225 Fetch cached plugin handle
226
227 @param plugin_index Cached plugin index
228
229 @returns cached plugin_ref if found, 0 otherwise
230 */
232 if (plugin_index < PLUGIN_LAST) return cached_plugins[plugin_index];
233 return nullptr;
234 }
235
237 bool is_valid() { return m_valid; }
238
239 private:
241};
242
244
245ACL_USER *decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname,
246 MEM_ROOT *mem, struct rand_struct *rand,
247 bool is_initialized);
248#define AUTH_DEFAULT_RSA_PRIVATE_KEY "private_key.pem"
249#define AUTH_DEFAULT_RSA_PUBLIC_KEY "public_key.pem"
250
251#endif /* SQL_AUTHENTICATION_INCLUDED */
Definition: sql_auth_cache.h:245
Definition: sql_authentication.h:168
bool m_valid
Definition: sql_authentication.h:240
Cached_authentication_plugins()
Cached_authentication_plugins constructor.
Definition: sql_authentication.cc:1031
static const LEX_CSTRING cached_plugins_names[(uint) PLUGIN_LAST]
Definition: sql_authentication.h:170
static bool compare_plugin(cached_plugins_enum plugin_index, LEX_CSTRING plugin)
Compare given plugin against one of the cached ones.
Definition: sql_authentication.h:183
bool is_valid()
Definition: sql_authentication.h:237
static const char * get_plugin_name(cached_plugins_enum plugin_index)
Get name of the plugin at given index.
Definition: sql_authentication.h:213
plugin_ref cached_plugins[(uint) PLUGIN_LAST]
Definition: sql_authentication.h:236
plugin_ref get_cached_plugin_ref(cached_plugins_enum plugin_index)
Fetch cached plugin handle.
Definition: sql_authentication.h:231
plugin_ref get_cached_plugin_ref(const LEX_CSTRING *plugin)
Get plugin_ref if plugin is cached.
Definition: sql_authentication.cc:1063
static bool auth_plugin_is_built_in(LEX_CSTRING *plugin)
Check if given plugin is a builtin.
Definition: sql_authentication.h:199
static void optimize_plugin_compare_by_pointer(LEX_CSTRING *plugin)
Use known pointers for cached plugins to improve comparison time.
Definition: sql_authentication.cc:1013
~Cached_authentication_plugins()
Cached_authentication_plugins destructor.
Definition: sql_authentication.cc:1049
Definition: protocol_classic.h:51
Container of all restrictions for a given user.
Definition: partial_revokes.h:117
Definition: sql_authentication.h:103
bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer)
Read a key file and store its value in RSA structure.
Definition: sql_authentication.cc:1167
void * allocate_pem_buffer(size_t buffer_len)
Definition: sql_authentication.cc:1255
char ** m_public_key_path
Definition: sql_authentication.h:115
RSA * get_public_key()
Definition: sql_authentication.h:144
void get_key_file_path(char *key, String *key_file_path)
Set key file path.
Definition: sql_authentication.cc:1127
int get_cipher_length()
Definition: sql_authentication.cc:1260
int m_cipher_len
Definition: sql_authentication.h:112
RSA * m_private_key
Definition: sql_authentication.h:110
RSA * get_private_key()
Definition: sql_authentication.h:143
~Rsa_authentication_keys()=default
bool read_rsa_keys()
Read RSA private key and public key from file and store them in m_private_key and m_public_key.
Definition: sql_authentication.cc:1277
char ** m_private_key_path
Definition: sql_authentication.h:114
char * m_pem_public_key
Definition: sql_authentication.h:113
const char * get_public_key_as_pem(void)
Definition: sql_authentication.h:149
RSA * m_public_key
Definition: sql_authentication.h:109
Rsa_authentication_keys(char **private_key_path, char **public_key_path)
Definition: sql_authentication.h:127
void free_memory()
Definition: sql_authentication.cc:1235
Using this class is fraught with peril, and you need to be very careful when doing so.
Definition: sql_string.h:166
For each client connection we create a separate thread with THD serving as a thread/connection descri...
Definition: sql_class.h:922
Definition: sql_authentication.h:46
Thd_charset_adapter(THD *thd_arg)
Definition: sql_authentication.h:50
const CHARSET_INFO * charset()
Definition: sql_authentication.cc:1117
bool init_client_charset(uint cs_number)
Definition: sql_authentication.cc:1111
THD * thd
Definition: sql_authentication.h:47
Fido Client Authentication nullptr
Definition: fido_client_plugin.cc:221
A better implementation of the UNIX ctype(3) library.
uint32 my_thread_id
Definition: my_thread_local.h:33
Authentication Plugin API.
This file defines constants and data structures that are the same for both client- and server-side au...
required string key
Definition: replication_asynchronous_connection_failover.proto:59
int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff)
Definition: sql_authentication.cc:4542
ACL_USER * decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname, MEM_ROOT *mem, struct rand_struct *rand, bool is_initialized)
When authentication is attempted using an unknown username a dummy user account with no authenticatio...
Definition: sql_authentication.cc:2030
cached_plugins_enum
Definition: sql_authentication.h:158
@ PLUGIN_LAST
Definition: sql_authentication.h:163
@ PLUGIN_CACHING_SHA2_PASSWORD
Definition: sql_authentication.h:159
@ PLUGIN_SHA256_PASSWORD
Definition: sql_authentication.h:161
@ PLUGIN_MYSQL_NATIVE_PASSWORD
Definition: sql_authentication.h:160
bool allow_all_hosts
Definition: sql_auth_cache.cc:162
Cached_authentication_plugins * g_cached_authentication_plugins
Definition: sql_authentication.cc:1083
void deinit_rsa_keys(void)
Definition: sql_authentication.cc:4548
LEX_CSTRING default_auth_plugin_name
Definition: sql_authentication.cc:1001
struct rsa_st RSA
Definition: sql_authentication.h:102
bool init_rsa_keys(void)
Loads the RSA key pair from disk and store them in a global variable.
Definition: sql_authentication.cc:4582
LEX_CSTRING validate_password_plugin_name
Definition: sql_authentication.cc:998
static MEM_ROOT mem
Definition: sql_servers.cc:98
Definition: m_ctype.h:354
The MEM_ROOT is a simple arena, where allocations are carved out of larger blocks.
Definition: my_alloc.h:82
The internal version of what plugins know as MYSQL_PLUGIN_VIO, basically the context of the authentic...
Definition: sql_authentication.h:60
struct MPVIO_EXT::@36 cached_server_packet
this caches the first plugin packet for restart request on the client
ulong max_client_packet_length
Definition: sql_authentication.h:87
uint pkt_len
Definition: sql_authentication.h:69
char * pkt
Definition: sql_authentication.h:73
const ACL_USER * acl_user
Definition: sql_authentication.h:62
int vio_is_encrypted
Definition: sql_authentication.h:92
enum MPVIO_EXT::@37 status
when plugin returns a failure this tells us what really happened
const char * ip
Definition: sql_authentication.h:88
int packets_written
counters for send/received packets
Definition: sql_authentication.h:76
Protocol_classic * protocol
Definition: sql_authentication.h:86
int packets_read
Definition: sql_authentication.h:76
LEX_STRING db
db name from the handshake packet
Definition: sql_authentication.h:65
LEX_CSTRING acl_user_plugin
Definition: sql_authentication.h:91
my_thread_id thread_id
Definition: sql_authentication.h:84
const char * pkt
pointers into NET::buff
Definition: sql_authentication.h:68
@ FAILURE
Definition: sql_authentication.h:78
@ START_MFA
Definition: sql_authentication.h:78
@ SUCCESS
Definition: sql_authentication.h:78
@ RESTART
Definition: sql_authentication.h:78
bool can_authenticate()
Definition: sql_authentication.cc:5905
struct rand_struct * rand
Definition: sql_authentication.h:83
plugin_ref plugin
what plugin we're under
Definition: sql_authentication.h:64
const char * host
Definition: sql_authentication.h:89
char * scramble
Definition: sql_authentication.h:81
uint * server_status
Definition: sql_authentication.h:85
MYSQL_SERVER_AUTH_INFO auth_info
Definition: sql_authentication.h:61
Thd_charset_adapter * charset_adapter
Definition: sql_authentication.h:90
struct MPVIO_EXT::@35 cached_client_reply
when restarting a plugin this caches the last client reply
Restrictions * restrictions
Definition: sql_authentication.h:63
MEM_ROOT * mem_root
Definition: sql_authentication.h:82
Definition: mysql_lex_string.h:39
const char * str
Definition: mysql_lex_string.h:40
Definition: mysql_lex_string.h:34
Provides plugin access to communication channel.
Definition: plugin_auth_common.h:145
Provides server plugin access to authentication information.
Definition: plugin_auth.h:70
SHOW STATUS Server status variable.
Definition: status_var.h:78
Definition: mysql_com.h:1105
Definition: sql_plugin_ref.h:44
unsigned int uint
Definition: uca-dump.cc:29
std::atomic< bool > is_initialized(false)