1 /* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef SQL_AUTHENTICATION_INCLUDED
24 #define SQL_AUTHENTICATION_INCLUDED
25 
26 #include <stddef.h>
27 #include <sys/types.h>
28 
29 #if defined(HAVE_OPENSSL)
30 #include <openssl/rsa.h>
31 #endif
32 
33 #include "lex_string.h"
34 #include "m_ctype.h"
35 #include "my_thread_local.h" // my_thread_id
36 #include "mysql/plugin_auth.h" // MYSQL_SERVER_AUTH_INFO
38 #include "sql/sql_plugin_ref.h" // plugin_ref
39 
40 class ACL_USER;
41 class Protocol_classic;
42 class THD;
43 class Restrictions;
44 struct MEM_ROOT;
45 struct SHOW_VAR;
46 
47 /* Classes */
48 
50  THD *thd;
51 
52  public:
/// Binds the adapter to the session (THD) whose client character set the
/// sibling members init_client_charset() / charset() operate on.
Thd_charset_adapter(THD *thd_arg) : thd{thd_arg} {}
54  bool init_client_charset(uint cs_number);
55 
56  const CHARSET_INFO *charset();
57 };
58 
59 /**
60  The internal version of what plugins know as MYSQL_PLUGIN_VIO,
61  basically the context of the authentication session
62 */
63 struct MPVIO_EXT : public MYSQL_PLUGIN_VIO {
67  plugin_ref plugin; ///< what plugin we're under
68  LEX_STRING db; ///< db name from the handshake packet
69  /** when restarting a plugin this caches the last client reply */
70  struct {
71  const char *plugin, *pkt; ///< pointers into NET::buff
74  /** this caches the first plugin packet for restart request on the client */
75  struct {
76  char *pkt;
77  uint pkt_len;
79  int packets_read, packets_written; ///< counters for send/received packets
80  /** when plugin returns a failure this tells us what really happened */
82 
83  /* encapsulation members */
84  char *scramble;
86  struct rand_struct *rand;
91  const char *ip;
92  const char *host;
96  bool can_authenticate();
97 };
98 
99 #if defined(HAVE_OPENSSL)
class String;

/// Initialise and release the server-side RSA keys (see
/// Rsa_authentication_keys below).
bool init_rsa_keys();
void deinit_rsa_keys();
/// SHOW_VAR (SHOW STATUS) callback; presumably renders the RSA public key
/// into buff — confirm against the definition in sql_authentication.cc.
int show_rsa_public_key(THD *thd, SHOW_VAR *var, char *buff);

using RSA = struct rsa_st;
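/**
  Holder for the server-side RSA key pair and its PEM rendering
  (compiled only when HAVE_OPENSSL is defined).

  No key is owned at construction: the pointers start as nullptr and are
  filled in later (see read_rsa_keys()).  The destructor does not release
  anything; free_memory() is the declared release path, so whoever owns the
  instance is presumably expected to call it (e.g. from deinit_rsa_keys())
  to avoid leaking the OpenSSL objects and the PEM buffer — confirm in
  sql_authentication.cc.

  NOTE(review): the class holds raw owning pointers but declares no copy
  control, so a copy would leave two objects believing they own the same
  RSA handles.  Treat it as non-copyable; deleting the copy operations
  would be the robust fix if no caller relies on copying.
*/
class Rsa_authentication_keys {
 private:
  RSA *m_public_key{nullptr};
  RSA *m_private_key{nullptr};
  int m_cipher_len{0};  ///< reported by get_cipher_length(); set elsewhere
  char *m_pem_public_key{nullptr};  ///< text returned by get_public_key_as_pem()
  /// Addresses of the variables holding the key file paths (double pointer:
  /// the path string may be reassigned after construction — confirm).
  char **m_private_key_path;
  char **m_public_key_path;

  void get_key_file_path(char *key, String *key_file_path);
  bool read_key_file(RSA **key_ptr, bool is_priv_key, char **key_text_buffer);

 public:
  /**
    @param private_key_path  pointer to the variable holding the private key
                             file path
    @param public_key_path   pointer to the variable holding the public key
                             file path
  */
  Rsa_authentication_keys(char **private_key_path, char **public_key_path)
      : m_private_key_path(private_key_path),
        m_public_key_path(public_key_path) {}
  /// Deliberately does not free the keys; see free_memory().
  ~Rsa_authentication_keys() = default;

  void free_memory();
  void *allocate_pem_buffer(size_t buffer_len);

  /// Private key handle, nullptr until one has been read.
  RSA *get_private_key() const { return m_private_key; }
  /// Public key handle, nullptr until one has been read.
  RSA *get_public_key() const { return m_public_key; }

  int get_cipher_length();
  bool read_rsa_keys();
  /// Public key in PEM form, nullptr until one has been read.
  const char *get_public_key_as_pem() const { return m_pem_public_key; }
};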
139 
140 #endif /* HAVE_OPENSSL */
141 
142 /* Data Structures */
143 
145 
146 extern bool allow_all_hosts;
147 
148 typedef enum {
152  /* Add new plugin before this */
155 
157 
159  public:
162 
163  /**
164  Compare given plugin against one of the cached ones
165 
166  @param [in] plugin_index Cached plugin index
167  @param [in] plugin Plugin to be compared
168 
169  @returns status of comparison
170  @retval true Match
171  @retval false Not a match
172  */
173  static bool compare_plugin(cached_plugins_enum plugin_index,
175  if (plugin_index < PLUGIN_LAST && plugin.str) {
177  return (plugin.str == cached_plugins_names[plugin_index].str);
178  }
179  return false;
180  }
181 
182  /**
183  Check if given plugin is a builtin
184 
185  @param [in] plugin Plugin name
186 
187  @returns true if builtin, false otherwise
188  */
190  for (uint i = 0; i < (uint)PLUGIN_LAST; ++i) {
191  if (plugin->str == cached_plugins_names[i].str) return true;
192  }
193  return false;
194  }
195 
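/**
  Get name of the plugin at given index

  @param [in] plugin_index Cached plugin index

  @returns name of the cached plugin at given index
  @retval nullptr if plugin_index is outside the cached range
*/
static const char *get_plugin_name(cached_plugins_enum plugin_index) {
  // cached_plugins_names[] is sized by PLUGIN_LAST, the enum's
  // one-past-the-end sentinel, so this guard keeps the lookup in bounds.
  if (plugin_index < PLUGIN_LAST) return cached_plugins_names[plugin_index].str;
  return nullptr;
}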
208 
211 
213 
214  /**
215  Fetch cached plugin handle
216 
217  @param plugin_index Cached plugin index
218 
219  @returns cached plugin_ref if found, 0 otherwise
220  */
222  if (plugin_index < PLUGIN_LAST) return cached_plugins[plugin_index];
223  return 0;
224  }
225 
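/// Whether the plugin cache is usable; m_valid is set elsewhere (presumably
/// by the constructor in sql_authentication.cc — confirm).
bool is_valid() const { return m_valid; }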
228 
229  private:
230  bool m_valid;
231 };
232 
234 
/**
  Return a dummy ACL_USER when authentication is attempted with an unknown
  username (defined in sql_authentication.cc).  Presumably this lets the
  unknown-user path proceed like the known-user path so the two are not
  trivially distinguishable to a client — confirm against the definition.

  @param username       User name from the client
  @param hostname       Client host name
  @param mem            MEM_ROOT arena, presumably used for the decoy's storage
  @param rand           Random-number state (struct rand_struct)
  @param is_initialized Initialisation flag passed through by the caller
*/
ACL_USER *decoy_user(const LEX_CSTRING &username, const LEX_CSTRING &hostname,
                     MEM_ROOT *mem, struct rand_struct *rand,
                     bool is_initialized);

/* Default RSA key file names (used by the key loading code above). */
#define AUTH_DEFAULT_RSA_PRIVATE_KEY "private_key.pem"
#define AUTH_DEFAULT_RSA_PUBLIC_KEY "public_key.pem"
240 
241 #endif /* SQL_AUTHENTICATION_INCLUDED */