MDEV-32618 new auth plugin

FooBarrior · sanja-byelkin · commit e580cf7ae08d · 2024-08-09T14:01:12.000+02:00
PARSEC: Password Authentication using Response Signed with Elliptic Curve new authentication plugin that uses salted passwords, key derivation, extensible password storage format, and both server- and client-side scrambles. It signs the response with ed25519, but it uses stock unmodified ed25519 as provided by OpenSSL/WolfSSL/GnuTLS. Edited by: Sergei Golubchik
diff --git a/cmake/mariadb_connector_c.cmake b/cmake/mariadb_connector_c.cmake
@@ -7,6 +7,7 @@ ENDIF()
 SET(CONC_WITH_SIGNCODE ${SIGNCODE})
 SET(SIGN_OPTIONS ${SIGNTOOL_PARAMETERS})
 SET(CONC_WITH_EXTERNAL_ZLIB ON)
+SET(CLIENT_PLUGIN_PARSEC DYNAMIC)
 
 IF(SSL_DEFINES MATCHES "WOLFSSL")
   IF(WIN32)
diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
@@ -54,7 +54,8 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
   SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
   SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
   SET(HAVE_des ON CACHE INTERNAL "wolfssl does support DES API")
-  SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY API")
+  SET(HAVE_evp_pkey ON CACHE INTERNAL "wolfssl does support EVP_PKEY API")
+  SET(HAVE_hkdf ON CACHE INTERNAL "wolfssl does support EVP_PKEY_HKDF API")
   CHANGE_SSL_SETTINGS("bundled")
   ADD_SUBDIRECTORY(extra/wolfssl)
   MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
@@ -137,6 +138,8 @@ MACRO (MYSQL_CHECK_SSL)
                           HAVE_EncryptAes128Gcm)
       CHECK_SYMBOL_EXISTS(DES_set_key_unchecked "openssl/des.h"
                           HAVE_des)
+      CHECK_SYMBOL_EXISTS(EVP_PKEY_get_raw_public_key "openssl/evp.h"
+                          HAVE_evp_pkey)
       CHECK_SYMBOL_EXISTS(EVP_PKEY_CTX_set_hkdf_md "string.h;stdarg.h;openssl/kdf.h"
                           HAVE_hkdf)
       SET(CMAKE_REQUIRED_INCLUDES)
diff --git a/debian/libmariadb3.install b/debian/libmariadb3.install
@@ -4,3 +4,4 @@ usr/lib/*/libmariadb3/plugin/client_ed25519.so
 usr/lib/*/libmariadb3/plugin/dialog.so
 usr/lib/*/libmariadb3/plugin/mysql_clear_password.so
 usr/lib/*/libmariadb3/plugin/sha256_password.so
+usr/lib/*/libmariadb3/plugin/parsec.so
diff --git a/debian/mariadb-server.install b/debian/mariadb-server.install
@@ -39,6 +39,7 @@ usr/lib/mysql/plugin/auth_ed25519.so
 usr/lib/mysql/plugin/auth_pam.so
 usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
 usr/lib/mysql/plugin/auth_pam_v1.so
+usr/lib/mysql/plugin/auth_parsec.so
 usr/lib/mysql/plugin/disks.so
 usr/lib/mysql/plugin/file_key_management.so
 usr/lib/mysql/plugin/ha_archive.so
diff --git a/extra/wolfssl/CMakeLists.txt b/extra/wolfssl/CMakeLists.txt
@@ -60,7 +60,10 @@ ${WOLFCRYPT_SRCDIR}/des3.c
 ${WOLFCRYPT_SRCDIR}/dh.c
 ${WOLFCRYPT_SRCDIR}/dsa.c
 ${WOLFCRYPT_SRCDIR}/ecc.c
+${WOLFCRYPT_SRCDIR}/ed25519.c
 ${WOLFCRYPT_SRCDIR}/error.c
+${WOLFCRYPT_SRCDIR}/fe_operations.c
+${WOLFCRYPT_SRCDIR}/ge_operations.c
 ${WOLFCRYPT_SRCDIR}/hmac.c
 ${WOLFCRYPT_SRCDIR}/logging.c
 ${WOLFCRYPT_SRCDIR}/md4.c
@@ -112,6 +115,7 @@ if(WOLFSSL_INTELASM)
       ${WOLFCRYPT_SRCDIR}/aes_asm.S
       ${WOLFCRYPT_SRCDIR}/aes_gcm_asm.S
       ${WOLFCRYPT_SRCDIR}/chacha_asm.S
+      ${WOLFCRYPT_SRCDIR}/fe_x25519_asm.S
       ${WOLFCRYPT_SRCDIR}/poly1305_asm.S
       ${WOLFCRYPT_SRCDIR}/sha512_asm.S
       ${WOLFCRYPT_SRCDIR}/sha256_asm.S
@@ -132,5 +136,7 @@ if(MSVC)
   endif()
 endif()
 
+set_property(TARGET wolfssl PROPERTY POSITION_INDEPENDENT_CODE ON)
+
 CONFIGURE_FILE(user_settings.h.in user_settings.h)
 
diff --git a/extra/wolfssl/user_settings.h.in b/extra/wolfssl/user_settings.h.in
@@ -69,4 +69,6 @@
 #cmakedefine WOLFSSL_SP_X86_64
 #cmakedefine WOLFSSL_SP_X86_64_ASM
 
+#define HAVE_ED25519
+
 #endif  /* WOLFSSL_USER_SETTINGS_H */
diff --git a/mysql-test/suite/plugins/r/parsec.result b/mysql-test/suite/plugins/r/parsec.result
@@ -0,0 +1,32 @@
+install soname 'auth_parsec';
+create user test1@'%' identified via parsec using 'pwd';
+ERROR HY000: Operation CREATE USER failed for 'test1'@'%'
+create user test1@'%' identified via parsec using PASSWORD('pwd');
+show grants for test1@'%';
+Grants for test1@%
+GRANT USAGE ON *.* TO `test1`@`%` IDENTIFIED VIA parsec USING 'P0:salt:password'
+connect con1, localhost, test1, pwd;
+select 1, USER(), CURRENT_USER();
+1	USER()	CURRENT_USER()
+1	test1@localhost	test1@%
+disconnect con1;
+connect con2, localhost, test1, pwd;
+select 2, USER(), CURRENT_USER();
+2	USER()	CURRENT_USER()
+2	test1@localhost	test1@%
+disconnect con2;
+connect(localhost,test1,wrong_pwd,test,MASTER_MYPORT,MASTER_MYSOCK);
+connect con3, localhost, test1, wrong_pwd;
+ERROR 28000: Access denied for user 'test1'@'localhost' (using password: NO)
+connection default;
+create function have_ssl() returns char(3)
+return (select if(variable_value > '','yes','no') as 'have_ssl'
+  from information_schema.session_status
+where variable_name='ssl_cipher');
+grant execute on test.* to test1@'%';
+# mysql -utest1 -ppwd --ssl-verify-server-cert -e "select test.have_ssl()"
+test.have_ssl()
+yes
+drop function have_ssl;
+drop user test1@'%';
+uninstall soname 'auth_parsec';
diff --git a/mysql-test/suite/plugins/r/rpl_auth.result b/mysql-test/suite/plugins/r/rpl_auth.result
@@ -1,12 +1,12 @@
-install soname 'client_ed25519';
+install soname 'CLIENT_PLUGIN';
 Got one of the listed errors
 include/master-slave.inc
 [connection master]
 connection slave;
-install soname 'auth_ed25519';
+install soname 'auth_PLUGIN';
 connection master;
-install soname 'auth_ed25519';
-create user rpluser@'%' identified via ed25519 using PASSWORD('rpl_pass');
+install soname 'auth_plugin';
+create user rpluser@'%' identified via PLUGIN using PASSWORD('rpl_pass');
 grant replication slave on *.* to rpluser@'%';
 connection master;
 connection slave;
@@ -19,7 +19,7 @@ change master to master_user='root', master_password='';
 include/start_slave.inc
 include/stop_slave.inc
 drop user rpluser@'%';
-uninstall soname 'auth_ed25519';
+uninstall soname 'auth_plugin';
 connection master;
 drop user rpluser@'%';
-uninstall soname 'auth_ed25519';
+uninstall soname 'auth_plugin';
diff --git a/mysql-test/suite/plugins/t/parsec.opt b/mysql-test/suite/plugins/t/parsec.opt
@@ -0,0 +1,3 @@
+--ssl-key=
+--ssl-cert=
+--ssl-ca=
diff --git a/mysql-test/suite/plugins/t/parsec.test b/mysql-test/suite/plugins/t/parsec.test
@@ -0,0 +1,45 @@
+source include/platform.inc;
+source include/not_embedded.inc;
+
+if (!$AUTH_PARSEC_SO) {
+  skip No auth_parsec plugin;
+}
+if (!$PARSEC_SO) {
+  skip No auth_parsec plugin;
+}
+install soname 'auth_parsec';
+--error ER_CANNOT_USER
+create user test1@'%' identified via parsec using 'pwd';
+create user test1@'%' identified via parsec using PASSWORD('pwd');
+--replace_regex /:[A-Za-z0-9+\/]{43}'/:password'/ /:[A-Za-z0-9+\/]{24}:/:salt:/
+show grants for test1@'%';
+connect con1, localhost, test1, pwd;
+select 1, USER(), CURRENT_USER();
+disconnect con1;
+connect con2, localhost, test1, pwd;
+select 2, USER(), CURRENT_USER();
+disconnect con2;
+--replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT
+--error ER_ACCESS_DENIED_ERROR
+connect con3, localhost, test1, wrong_pwd;
+
+connection default;
+
+create function have_ssl() returns char(3)
+  return (select if(variable_value > '','yes','no') as 'have_ssl'
+  from information_schema.session_status
+  where variable_name='ssl_cipher');
+grant execute on test.* to test1@'%';
+
+let host=;
+if ($MTR_COMBINATION_WIN) {
+  # see ssl_autoverify.test
+  let host=--host=127.0.0.2;
+}
+
+--echo # mysql -utest1 -ppwd --ssl-verify-server-cert -e "select test.have_ssl()"
+--exec $MYSQL --protocol tcp $host -utest1 -ppwd --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
+
+drop function have_ssl;
+drop user test1@'%';
+uninstall soname 'auth_parsec';
diff --git a/mysql-test/suite/plugins/t/rpl_auth.combinations b/mysql-test/suite/plugins/t/rpl_auth.combinations
@@ -0,0 +1,2 @@
+[parsec]
+[ed25519]
diff --git a/mysql-test/suite/plugins/t/rpl_auth.test b/mysql-test/suite/plugins/t/rpl_auth.test
@@ -1,29 +1,43 @@
-if (!$AUTH_ED25519_SO) {
-  skip No auth_ed25519 plugin;
+if ($MTR_COMBINATION_ED25519) {
+  if (!$AUTH_ED25519_SO) {
+    skip No auth_ed25519 plugin;
+  }
+  let $AUTH_PLUGIN = ed25519;
+  let $CLIENT_PLUGIN=client_ed25519;
 }
 
-if (!$CLIENT_ED25519_SO) {
-  skip No client_ed25519 plugin;
+if ($MTR_COMBINATION_PARSEC) {
+  if (!$AUTH_PARSEC_SO) {
+    skip No auth_parsec plugin;
+  }
+  let $AUTH_PLUGIN = parsec;
+  let $CLIENT_PLUGIN=parsec;
 }
+
+--replace_result $CLIENT_PLUGIN CLIENT_PLUGIN
 --error ER_CANT_OPEN_LIBRARY,ER_CANT_FIND_DL_ENTRY
-install soname 'client_ed25519';
+eval install soname '$CLIENT_PLUGIN';
 if ($errno == 1126) {
   # this happens in bintars when C/C is linked with gnutls
-  skip client_ed25519 contains unresolved symbols;
+  skip $CLIENT_PLUGIN is not found or contains unresolved symbols;
 }
 
 source include/master-slave.inc;
 
 sync_slave_with_master;
-install soname 'auth_ed25519';
-# create a user for replication with ed25519 auth plugin
+--replace_result $AUTH_PLUGIN PLUGIN
+eval install soname 'auth_$AUTH_PLUGIN';
+# create a user for replication with auth plugin
 connection master;
-install soname 'auth_ed25519';
-create user rpluser@'%' identified via ed25519 using PASSWORD('rpl_pass');
+--replace_result $AUTH_PLUGIN plugin
+eval install soname 'auth_$AUTH_PLUGIN';
+
+--replace_result $AUTH_PLUGIN PLUGIN
+eval create user rpluser@'%' identified via $AUTH_PLUGIN using PASSWORD('rpl_pass');
 grant replication slave on *.* to rpluser@'%';
 connection master;
 sync_slave_with_master;
-# Set the slave to connect using the user created with the ed25519 plugin for replication
+# Set the slave to connect using the user created with the auth plugin for replication
 source include/stop_slave.inc;
 --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
 change master to master_user='rpluser', master_password='rpl_pass';
@@ -35,7 +49,9 @@ change master to master_user='root', master_password='';
 source include/start_slave.inc;
 source include/stop_slave.inc;
 drop user rpluser@'%';
-uninstall soname 'auth_ed25519';
+--replace_result $AUTH_PLUGIN plugin
+eval uninstall soname 'auth_$AUTH_PLUGIN';
 connection master;
 drop user rpluser@'%';
-uninstall soname 'auth_ed25519';
+--replace_result $AUTH_PLUGIN plugin
+eval uninstall soname 'auth_$AUTH_PLUGIN';
diff --git a/plugin/auth_parsec/CMakeLists.txt b/plugin/auth_parsec/CMakeLists.txt
@@ -0,0 +1,4 @@
+IF (HAVE_evp_pkey)
+  ADD_DEFINITIONS(${SSL_DEFINES})
+  MYSQL_ADD_PLUGIN(auth_parsec server_parsec.cc LINK_LIBRARIES ${SSL_LIBRARIES})
+ENDIF()
diff --git a/plugin/auth_parsec/server_parsec.cc b/plugin/auth_parsec/server_parsec.cc

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+--ssl-key=`
	`2`	`+--ssl-cert=`
	`3`	`+--ssl-ca=`