[DRAFT][mysql] Clean-room mysql_native_password scramble (Stage 1a of #2093 takeover)#3310
Draft
rajvarun77 wants to merge 1 commit into
Adds src/brpc/policy/mysql_auth_hash.{h,cpp} implementing the
mysql_native_password ("mysql41") authentication scramble used during
MySQL client connection handshake:
scramble = SHA1(password) XOR SHA1( salt || SHA1( SHA1(password) ) )
Implemented from MySQL's public protocol documentation only; not
derived from any GPL source. The previous in-tree implementation
proposed in PR apache#2093 was copied from MySQL Connector/C++ (GPLv2 with
FOSS exception) and was flagged as unmergeable by @wwbmmm at
apache#2093 (comment).
Uses butil::SHA1HashBytes (BSD-licensed Chromium SHA-1 already
present in butil), so no new third-party dependency is introduced.
This is Stage 1a of the staged delivery plan announced on
dev@brpc.apache.org and at
apache#2093 (comment).
It is intentionally a leaf utility: subsequent stages will wire it
into MysqlAuthenticator and the MySQL protocol policy.
Includes a gtest unittest (brpc_mysql_auth_hash_unittest.cpp) with
two known answer vectors plus empty-password, bad-salt-length,
determinism, and salt-diversity checks.
Refs: apache#209, apache#2093
Draft / WIP — not for review yet. Posted now so the staged plan announced on dev@brpc.apache.org and at #2093 (comment) has a concrete first commit to point at.
What
Adds src/brpc/policy/mysql_auth_hash.{h,cpp} implementing the mysql_native_password (a.k.a. mysql41) authentication scramble:
Plus test/brpc_mysql_auth_hash_unittest.cpp with two known-answer vectors, an empty-password check, a bad-salt-length check, a determinism check, and a salt-diversity check.
Why this exists as a standalone commit
The original MySQL PR #2093 by @yanglimingcn bundled an mysql_auth_hash.cpp lifted directly from MySQL Connector/C++ — which is GPLv2 (with the FOSS exception). @wwbmmm flagged this as unmergeable at #2093 (discussion). Replacing that file with a clean-room implementation is on the critical path for any MySQL work landing in brpc, so it's the first stage of the takeover plan.
This file is implemented from MySQL's public protocol documentation only — no GPL source consulted. It uses butil::SHA1HashBytes (BSD-licensed Chromium SHA-1 already in butil/), so it adds zero new third-party dependencies.
Where this fits in the larger plan
The full staged delivery announced on dev@:
mysql_auth_hash (this PR)
COM_QUERY, result-set parsing, authenticator wiring, MysqlChannel etc.)
MysqlTransaction)
Socket::_fd_version ABA mapping
caching_sha2_password + TLS (beyond #2093 scope)
This is intentionally a small leaf utility — it does not yet wire into MysqlAuthenticator. That wiring lands in Stage 1b. Opening as Draft because the function has no production caller in this PR; it ships only with the unit test exercising it. Maintainers may prefer to wait until 1b before reviewing, which is fine.
Refs
CC: @wwbmmm @yanglimingcn @chenBright
Test plan
brpc_mysql_auth_hash_unittest.cpp) — 6 cases, includes two SHA-1-derived known answer vectors
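The scramble formula from the commit message, together with the matching server-side check, as an added Python example; it is not the PR's C++ code. The function names, the 20-byte salt length, the zero-length response for an empty password and the sample values are assumptions of this example.

```python
import hashlib
import hmac

SALT_LEN = 20  # assumption: 20-byte nonce taken from the server handshake
SHA1_LEN = 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def native_password_scramble(password: bytes, salt: bytes) -> bytes:
    """Client side: SHA1(password) XOR SHA1(salt || SHA1(SHA1(password)))."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes, got %d" % (SALT_LEN, len(salt)))
    if not password:
        return b""  # assumption: empty password is sent as a zero-length response
    stage1 = sha1(password)
    stage2 = sha1(stage1)
    return xor_bytes(stage1, sha1(salt + stage2))


def server_verify(stored_stage2: bytes, salt: bytes, response: bytes) -> bool:
    """Server side: holds only SHA1(SHA1(password)), never the password itself."""
    if (len(salt), len(stored_stage2), len(response)) != (SALT_LEN, SHA1_LEN, SHA1_LEN):
        return False
    # Undo the XOR mask to recover the client's SHA1(password) candidate...
    candidate_stage1 = xor_bytes(response, sha1(salt + stored_stage2))
    # ...then hash it once more and compare in constant time.
    return hmac.compare_digest(sha1(candidate_stage1), stored_stage2)


if __name__ == "__main__":
    salt = bytes(range(1, 21))   # constructed sample nonce
    pw = b"example-password"     # constructed sample password
    stored = sha1(sha1(pw))      # what the server would keep for this account
    resp = native_password_scramble(pw, salt)
    print(resp.hex(), server_verify(stored, salt, resp))
```
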