sql_authentication.h
1 /* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef SQL_AUTHENTICATION_INCLUDED
24 #define SQL_AUTHENTICATION_INCLUDED
25 
26 #include <stddef.h>
27 #include <sys/types.h>
28 
29 #if defined(HAVE_OPENSSL)
30 #include <openssl/rsa.h>
31 #endif
32 
33 #include "lex_string.h"
34 #include "m_ctype.h"
35 #include "my_thread_local.h" // my_thread_id
36 #include "mysql/plugin_auth.h" // MYSQL_SERVER_AUTH_INFO
38 #include "sql/sql_plugin_ref.h" // plugin_ref
39 
40 class ACL_USER;
41 class Protocol_classic;
42 class THD;
43 class Restrictions;
44 struct MEM_ROOT;
45 struct SHOW_VAR;
46 
47 /* Classes */
48 
50  THD *thd;
51 
52  public:
/**
  Bind the adapter to a session.

  @param thd_arg  Session the adapter acts on. Only the pointer is stored;
                  nothing in this class releases it, so the THD stays owned
                  by whoever created the connection.
*/
Thd_charset_adapter(THD *thd_arg) : thd(thd_arg) {}
/**
  Set up the client character set identified by @p cs_number
  (defined in sql_authentication.cc:930).

  @param cs_number  Character set number — presumably the one the client
                    announced in the handshake; confirm against the callers.
  @returns bool — NOTE(review): the error convention (true on failure is the
           usual one in this code base) is not visible here; check the
           definition before relying on it.
*/
bool init_client_charset(uint cs_number);

/** The CHARSET_INFO currently in effect for the session (sql_authentication.cc:936). */
const CHARSET_INFO *charset();
57 };
58 
/**
  The internal version of what plugins know as MYSQL_PLUGIN_VIO,
  basically the context of the authentication session.

  NOTE(review): this listing does not reproduce every member of the struct
  (header lines 64-66, 72-73, 78, 81, 85, 87-90 and 93-95 are missing, among
  them the closing braces of the two nested structs and the status enum);
  read the header itself before relying on the layout shown here.
*/
struct MPVIO_EXT : public MYSQL_PLUGIN_VIO {
  plugin_ref plugin;  ///< what plugin we're under
  LEX_STRING db;      ///< db name from the handshake packet
  /** when restarting a plugin this caches the last client reply */
  struct {
    const char *plugin, *pkt;  ///< pointers into NET::buff — presumably only
                               ///< valid until that buffer is reused; confirm
                               ///< before caching them across a read
  /** this caches the first plugin packet for restart request on the client */
  struct {
    char *pkt;
    uint pkt_len;
  int packets_read, packets_written;  ///< counters for send/received packets
  /** when plugin returns a failure this tells us what really happened */

  /* encapsulation members */
  char *scramble;            ///< presumably the random challenge issued for this handshake — confirm in sql_authentication.cc
  struct rand_struct *rand;  ///< random-number state; presumably what the scramble is drawn from — confirm
  const char *ip;            ///< NOTE(review): looks like the client address as seen by the server — confirm
  const char *host;          ///< NOTE(review): looks like the resolved client host name — confirm
  bool can_authenticate();   ///< defined in sql_authentication.cc:5177
};
98 
99 #if defined(HAVE_OPENSSL)
100 class String;
101 
/**
  Load the server-wide RSA key pair. Presumably reads the files named by the
  configured key paths (see Rsa_authentication_keys below); the return-value
  convention is not visible here — check sql_authentication.cc.
*/
bool init_rsa_keys(void);
/** Release whatever init_rsa_keys() set up. */
void deinit_rsa_keys(void);
/**
  SHOW STATUS callback (SHOW_VAR) that presumably publishes the public key as
  PEM text. Only the public half belongs on this path; the class below keeps
  the private key separate for that reason — confirm in the definition.
*/
int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff);
105 
106 #ifndef HAVE_WOLFSSL
107 typedef struct rsa_st RSA;
108 #endif
/**
  Holder for the server's RSA key pair (presumably the one used by the
  password-exchange authentication plugins — confirm in sql_authentication.cc).

  Ownership: the RSA objects and the PEM buffer are raw pointers and the
  destructor is deliberately empty, so an instance that goes away without a
  prior free_memory() call leaks them (free_memory() is the only release
  path declared here). The two path members are addresses of path variables
  owned elsewhere; the constructor stores the pointers, it does not copy the
  strings.
*/
class Rsa_authentication_keys {
 private:
  RSA *m_public_key;    ///< 0 until a key has been loaded
  RSA *m_private_key;   ///< 0 until a key has been loaded; never handed to clients
  int m_cipher_len;     ///< presumably the RSA modulus size in bytes — confirm in get_cipher_length()
  char *m_pem_public_key;     ///< PEM text of the public key, 0 until loaded
  char **m_private_key_path;  ///< address of the private-key path variable (not owned)
  char **m_public_key_path;   ///< address of the public-key path variable (not owned)

  /** Resolve @p key to the path actually opened; base directory not visible here. */
  void get_key_file_path(char *key, String *key_file_path);
  /**
    Read one key file into @p *key_ptr. @p is_priv_key selects which half;
    @p key_text_buffer presumably receives the PEM text — confirm in the .cc.
  */
  bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer);

 public:
  /**
    @param private_key_path  Address of the variable holding the private-key path.
    @param public_key_path   Address of the variable holding the public-key path.
    Neither string is copied; both variables must outlive this object.
  */
  Rsa_authentication_keys(char **private_key_path, char **public_key_path)
      : m_public_key(0),
        m_private_key(0),
        m_cipher_len(0),
        m_pem_public_key(0),
        m_private_key_path(private_key_path),
        m_public_key_path(public_key_path) {}
  /** Intentionally empty: releasing the keys is free_memory()'s job. */
  ~Rsa_authentication_keys() {}

  /** Release the loaded keys and the PEM buffer (presumably; see the .cc). */
  void free_memory();
  /** Allocate @p buffer_len bytes for PEM text; who frees it is not visible here. */
  void *allocate_pem_buffer(size_t buffer_len);
  /** Raw private key; the caller does not own it and must not free it. */
  RSA *get_private_key() { return m_private_key; }

  /** Raw public key; the caller does not own it and must not free it. */
  RSA *get_public_key() { return m_public_key; }

  int get_cipher_length();
  /** Load both halves from the configured paths — return convention not visible here. */
  bool read_rsa_keys();
  /** Pointer into internal storage (not a copy); 0 when no key is loaded. */
  const char *get_public_key_as_pem(void) { return m_pem_public_key; }
};
141 
142 #endif /* HAVE_OPENSSL */
143 
144 /* Data Structures */
145 
147 
extern bool allow_all_hosts;  ///< defined in sql_auth_cache.cc:162
149 
150 typedef enum {
154  /* Add new plugin before this */
157 
159 
161  public:
164 
/**
  Compare given plugin against one of the cached ones

  @param [in] plugin_index Cached plugin index
  @param [in] plugin Plugin to be compared

  @returns status of comparison
  @retval true Match
  @retval false Not a match

  NOTE(review): this is an identity comparison of plugin.str against the
  cached name pointer, not a strcmp(); two distinct buffers holding the same
  name compare as "not a match". Header lines 176 (the second parameter,
  LEX_CSTRING plugin) and 178 (one statement inside the if) are not
  reproduced in this listing; the missing statement is presumably the call
  that canonicalises plugin.str to the cached pointer
  (optimize_plugin_compare_by_pointer, sql_authentication.cc:824) — confirm.
*/
static bool compare_plugin(cached_plugins_enum plugin_index,
  if (plugin_index < PLUGIN_LAST && plugin.str) {
    // pointer equality, see the note above
    return (plugin.str == cached_plugins_names[plugin_index].str);
  }
  return false;
}
183 
/**
  Check if given plugin is a builtin

  @param [in] plugin Plugin name

  @returns true if builtin, false otherwise

  NOTE(review): the signature (header line 191) is not reproduced in this
  listing; the index gives it as
  static bool auth_plugin_is_built_in(LEX_CSTRING *plugin).
  The loop compares plugin->str by pointer identity with the cached names,
  not by content, so it only reports "builtin" for a name that has already
  been replaced by the cached pointer (see optimize_plugin_compare_by_pointer).
*/
  for (uint i = 0; i < (uint)PLUGIN_LAST; ++i) {
    // identity, not strcmp(): see the note above
    if (plugin->str == cached_plugins_names[i].str) return true;
  }
  return false;
}
197 
/**
  Get name of the plugin at given index

  @param [in] plugin_index Cached plugin index

  @returns name of the cached plugin at given index, or 0 when the index is
           not below PLUGIN_LAST
*/
static const char *get_plugin_name(cached_plugins_enum plugin_index) {
  const bool index_is_cached = plugin_index < PLUGIN_LAST;
  return index_is_cached ? cached_plugins_names[plugin_index].str : 0;
}
210 
213 
215 
/**
  Fetch cached plugin handle

  @param plugin_index Cached plugin index

  @returns cached plugin_ref if found, 0 otherwise

  NOTE(review): the signature (header line 223) is not reproduced in this
  listing; the index gives it as
  plugin_ref get_cached_plugin_ref(cached_plugins_enum plugin_index).
  Only the upper bound is checked; this relies on every enumerator being
  non-negative (the enumerator list is not shown here), so callers should
  pass an enumerator rather than an arbitrary converted integer.
*/
  if (plugin_index < PLUGIN_LAST) return cached_plugins[plugin_index];
  return 0;
}
227 
/**
  Whether the cache is usable. m_valid is private and nothing in this listing
  writes it — presumably the constructor (sql_authentication.cc:844) sets it
  once every cached plugin has been resolved; confirm in the definition.
*/
bool is_valid() { return m_valid; }
230 
231  private:
232  bool m_valid;
233 };
234 
236 
/**
  When authentication is attempted with an unknown username, build a dummy
  ACL_USER so the exchange can proceed as if the account existed
  (sql_authentication.cc:1685). Presumably this keeps a failed login for a
  non-existent account indistinguishable from a wrong password — confirm
  against the definition before relying on it.

  @param username        Name from the handshake.
  @param hostname        Client host to match against.
  @param mem             MEM_ROOT arena — presumably where the decoy is allocated.
  @param rand            Random state — presumably used while building the decoy.
  @param is_initialized  NOTE(review): meaning not visible here — confirm.
  @returns the decoy user
*/
ACL_USER *decoy_user(const LEX_STRING &username, const LEX_CSTRING &hostname,
                     MEM_ROOT *mem, struct rand_struct *rand,
                     bool is_initialized);
/* Default key file names. The directory they are resolved against is not
   visible here (see Rsa_authentication_keys::get_key_file_path). */
#define AUTH_DEFAULT_RSA_PRIVATE_KEY "private_key.pem"
#define AUTH_DEFAULT_RSA_PUBLIC_KEY "public_key.pem"
242 
243 #endif /* SQL_AUTHENTICATION_INCLUDED */