WL11073: Add caching_sha2_password authentication plugin

This patch adds caching_sha2_password plugin. This authentication mode requires
SSL to function.

There are 2 steps:
1. client sends a scramble in the form:
   XOR(SHA2(password), SHA2(SHA2(SHA2(password)), Nonce))
   Nonce is provided by the server. This information can be sent over both secure
   and unsecure medium.

2. If server responds with Error packet, raise Error.
   Else if server responds with fast_auth_success, Step 2a. Else Step 2b.

    2a. the server sends OK packet. Login is a success.
    2b. Only this step requires SSL. Client must send the password to the
        server. To send the password to the server, the connection must be SSL.
        Once this password is validated, the user is stored in the cache and
        login is faster next time. Server can now send an OK packet or Error
        packet after validating user.

Author: amitab

lib/mysql/connector/authentication.py

@@ -23,11 +23,11 @@
 
 """Implementing support for MySQL Authentication Plugins"""
 
-from hashlib import sha1
+from hashlib import sha1, sha256
 import struct
 
 from . import errors
-from .catch23 import PY2, isstr
+from .catch23 import PY2, isstr, UNICODE_TYPES
 
 
 class BaseAuthPlugin(object):
@@ -173,6 +173,81 @@ def prepare_password(self):
         return password + b'\x00'
 
 
+class MySQLCachingSHA2PasswordAuthPlugin(BaseAuthPlugin):
+    """Class implementing the MySQL caching_sha2_password authentication plugin
+
+    Note that encrypting using RSA is not supported since the Python
+    Standard Library does not provide this OpenSSL functionality.
+    """
+    requires_ssl = False
+    plugin_name = 'caching_sha2_password'
+    perform_full_authentication = 4
+    fast_auth_success = 3
+
+    def _scramble(self):
+        """ Returns a scramble of the password using a Nonce sent by the
+        server.
+
+        The scramble is of the form:
+        XOR(SHA2(password), SHA2(SHA2(SHA2(password)), Nonce))
+        """
+        if not self._auth_data:
+            raise errors.InterfaceError("Missing authentication data (seed)")
+
+        if not self._password:
+            return b''
+
+        password = self._password.encode('utf-8') \
+            if isinstance(self._password, UNICODE_TYPES) else self._password
+
+        if PY2:
+            password = buffer(password)  # pylint: disable=E0602
+            try:
+                auth_data = buffer(self._auth_data)  # pylint: disable=E0602
+            except TypeError:
+                raise errors.InterfaceError("Authentication data incorrect")
+        else:
+            password = password
+            auth_data = self._auth_data
+
+        hash1 = sha256(password).digest()
+        hash2 = sha256()
+        hash2.update(sha256(hash1).digest())
+        hash2.update(auth_data)
+        hash2 = hash2.digest()
+        if PY2:
+            xored = [ord(h1) ^ ord(h2) for (h1, h2) in zip(hash1, hash2)]
+        else:
+            xored = [h1 ^ h2 for (h1, h2) in zip(hash1, hash2)]
+        hash3 = struct.pack('32B', *xored)
+
+        return hash3
+
+    def prepare_password(self):
+        if len(self._auth_data) > 1:
+            return self._scramble()
+        elif self._auth_data[0] == self.perform_full_authentication:
+            return self._full_authentication()
+
+    def _full_authentication(self):
+        """Returns password as as clear text"""
+        if not self._ssl_enabled:
+            raise errors.InterfaceError("{name} requires SSL".format(
+                name=self.plugin_name))
+
+        if not self._password:
+            return b'\x00'
+        password = self._password
+
+        if PY2:
+            if isinstance(password, unicode):  # pylint: disable=E0602
+                password = password.encode('utf8')
+        elif isinstance(password, str):
+            password = password.encode('utf8')
+
+        return password + b'\x00'
+
+
 def get_auth_plugin(plugin_name):
     """Return authentication class based on plugin name
 

lib/mysql/connector/connection.py

@@ -170,6 +170,8 @@ def _auth_switch_request(self, username=None, password=None):
         Raises NotSupportedError when we get the old, insecure password
         reply back. Raises any error coming from MySQL.
         """
+        auth = None
+        new_auth_plugin = self._auth_plugin or self._handshake["auth_plugin"]
         packet = self._socket.recv()
         if packet[4] == 254 and len(packet) == 5:
             raise errors.NotSupportedError(
@@ -185,10 +187,19 @@ def _auth_switch_request(self, username=None, password=None):
             response = auth.auth_response()
             self._socket.send(response)
             packet = self._socket.recv()
-            if packet[4] != 1:
-                return self._handle_ok(packet)
-            else:
-                auth_data = self._protocol.parse_auth_more_data(packet)
+
+        if packet[4] == 1:
+            auth_data = self._protocol.parse_auth_more_data(packet)
+            auth = get_auth_plugin(new_auth_plugin)(
+                auth_data, password=password, ssl_enabled=self._ssl_active)
+            if new_auth_plugin == "caching_sha2_password":
+                response = auth.auth_response()
+                if response:
+                    self._socket.send(response)
+                packet = self._socket.recv()
+
+        if packet[4] == 0:
+            return self._handle_ok(packet)
         elif packet[4] == 255:
             raise errors.get_exception(packet)
 

tests/cext/test_cext_api.py

@@ -458,6 +458,7 @@ def test_commit(self):
     def test_change_user(self):
         connect_kwargs = self.connect_kwargs.copy()
         connect_kwargs['unix_socket'] = None
+        connect_kwargs['ssl_disabled'] = False
         cmy1 = MySQL(buffered=True)
         cmy1.connect(**connect_kwargs)
         cmy2 = MySQL(buffered=True)
@@ -477,7 +478,7 @@ def test_change_user(self):
             pass
 
         stmt = ("CREATE USER '{user}'@'{host}' IDENTIFIED WITH "
-                "mysql_native_password").format(**new_user)
+                "caching_sha2_password").format(**new_user)
         cmy1.query(stmt)
         cmy1.query("SET old_passwords = 0")
         res = cmy1.query("SET PASSWORD FOR '{user}'@'{host}' = "

tests/mysqld.py

@@ -417,7 +417,6 @@ def _get_bootstrap_cmd(self):
             '--no-defaults',
             '--basedir=%s' % self._basedir,
             '--datadir=%s' % self._datadir,
-            '--log-warnings=0',
             '--max_allowed_packet=8M',
             '--default-storage-engine=myisam',
             '--net_buffer_length=16K',
@@ -431,6 +430,9 @@ def _get_bootstrap_cmd(self):
         else:
             cmd.append("--bootstrap")
 
+        if self._version < (8, 0, 3):
+            cmd.append('--log-warnings=0')
+
         if self._version[0:2] < (5, 5):
             cmd.append('--language={0}/english'.format(self._lc_messages_dir))
         else:
@@ -467,34 +469,36 @@ def bootstrap(self):
         extra_sql = [
             "CREATE DATABASE myconnpy;"
         ]
-        defaults = ("'root'{0}, "
-                    "'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',"
-                    "'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',"
-                    "'Y','Y','Y','Y','Y','','','','',0,0,0,0,"
-                    "@@default_authentication_plugin,'','N',"
-                    "CURRENT_TIMESTAMP,NULL{1}")
-
-        hosts = ["::1", "127.0.0.1"]
-        if self._version[0:3] < (8, 0, 1):
-            # because we use --initialize-insecure for 8.0 above
-            # which already creates root @ localhost
-            hosts.append("localhost")
-
-        insert = "INSERT INTO mysql.user VALUES {0};".format(
-            ", ".join("('{0}', {{0}})".format(host) for host in hosts))
-
-        if self._version[0:3] >= (8, 0, 1):
-            # No password column, has account_locked, Create_role_priv and
-            # Drop_role_priv columns
-            defaults = defaults.format("", ", 'N', 'Y', 'Y'")
-        elif self._version[0:3] >= (5, 7, 6):
-            # No password column, has account_locked column
-            defaults = defaults.format("", ", 'N'")
-        elif self._version[0:3] >= (5, 7, 5):
-            # The password column
-            defaults = defaults.format(", ''", "")
-
-        extra_sql.append(insert.format(defaults))
+
+        if self._version < (8, 0, 1):
+            defaults = ("'root'{0}, "
+                        "'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',"
+                        "'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',"
+                        "'Y','Y','Y','Y','Y','','','','',0,0,0,0,"
+                        "@@default_authentication_plugin,'','N',"
+                        "CURRENT_TIMESTAMP,NULL{1}")
+
+            hosts = ["::1", "127.0.0.1", "localhost"]
+
+            insert = "INSERT INTO mysql.user VALUES {0};".format(
+                ", ".join("('{0}', {{0}})".format(host) for host in hosts))
+
+            if self._version[0:3] >= (5, 7, 6):
+                # No password column, has account_locked column
+                defaults = defaults.format("", ", 'N'")
+            elif self._version[0:3] >= (5, 7, 5):
+                # The password column
+                defaults = defaults.format(", ''", "")
+
+            extra_sql.append(insert.format(defaults))
+        else:
+            extra_sql.extend([
+                "CREATE USER 'root'@'127.0.01';",
+                "GRANT ALL ON *.* TO 'root'@'127.0.0.1';",
+                "CREATE USER 'root'@'::1';",
+                "GRANT ALL ON *.* TO 'root'@'::1';"
+            ])
+
         bootstrap_log = os.path.join(self._topdir, 'bootstrap.log')
         try:
             self._create_directories()
@@ -583,6 +587,7 @@ def update_config(self, **kwargs):
             'serverid': self._serverid,
             'lc_messages_dir': _convert_forward_slash(
                 self._lc_messages_dir),
+            'ssl': 1,
         }
 
         for arg in self._extra_args:

tests/test_bugs.py

@@ -385,6 +385,7 @@ class Bug519301(tests.MySQLConnectorTests):
     @foreach_cnx()
     def test_auth(self):
         config = self.config.copy()
+        config.pop('unix_socket')
         config['user'] = 'ham'
         config['password'] = 'spam'
 
@@ -4196,6 +4197,7 @@ def _drop_user(self, host, user):
 
     def test_unicode_password(self):
         config = tests.get_mysql_config()
+        config.pop('unix_socket')
         config['user'] = self.user
         config['password'] = self.password
         try:
@@ -4291,7 +4293,7 @@ def _disable_ssl(self):
         self.server.stop()
         self.server.wait_down()
 
-        self.server.start(ssl_ca='', ssl_cert='', ssl_key='')
+        self.server.start(ssl_ca='', ssl_cert='', ssl_key='', ssl=0)
         self.server.wait_up()
         time.sleep(1)
 

tests/test_connection.py

@@ -742,6 +742,7 @@ def recv(self):
     def test__do_auth(self):
         """Authenticate with the MySQL server"""
         self.cnx._socket.sock = tests.DummySocket()
+        self.cnx._handshake["auth_plugin"] = "mysql_native_password"
         flags = constants.ClientFlag.get_default()
         kwargs = {
             'username': 'ham',
@@ -781,6 +782,94 @@ def test__do_auth(self):
         self.assertRaises(errors.ProgrammingError,
                           self.cnx._do_auth, **kwargs)
 
+    @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
+    @unittest.skipIf(tests.MYSQL_VERSION < (8, 0, 3),
+                     "caching_sha2_password plugin not supported by server.")
+    def test_caching_sha2_password(self):
+        """Authenticate with the MySQL server using caching_sha2_password"""
+        self.cnx._socket.sock = tests.DummySocket()
+        flags = constants.ClientFlag.get_default()
+        flags |= constants.ClientFlag.SSL
+        kwargs = {
+            'username': 'ham',
+            'password': 'spam',
+            'database': 'test',
+            'charset': 33,
+            'client_flags': flags,
+            'ssl_options': {
+                'ca': os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem'),
+                'cert': os.path.join(tests.SSL_DIR, 'tests_client_cert.pem'),
+                'key': os.path.join(tests.SSL_DIR, 'tests_client_key.pem'),
+            },
+        }
+
+        self.cnx._handshake['auth_plugin'] = 'caching_sha2_password'
+        self.cnx._handshake['auth_data'] = b'h4i6oP!OLng9&PD@WrYH'
+        self.cnx._socket.switch_to_ssl = \
+            lambda ca, cert, key, verify_cert, cipher: None
+
+        # Test perform_full_authentication
+        # Exchange:
+        # Client              Server
+        # ------              ------
+        # make_ssl_auth
+        # first_auth
+        #                     full_auth
+        # second_auth
+        #                     OK
+        self.cnx._socket.sock.reset()
+        self.cnx._socket.sock.add_packets([
+            bytearray(b'\x02\x00\x00\x03\x01\x04'), # full_auth request
+            bytearray(b'\x07\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00') # OK
+        ])
+        self.cnx._do_auth(**kwargs)
+        packets = self.cnx._socket.sock._client_sends
+        self.assertEqual(3, len(packets))
+        ssl_pkt = self.cnx._protocol.make_auth_ssl(
+                charset=kwargs['charset'], client_flags=kwargs['client_flags'])
+        # Check the SSL request packet
+        self.assertEqual(packets[0][4:], ssl_pkt)
+        auth_pkt = self.cnx._protocol.make_auth(
+            self.cnx._handshake, kwargs['username'],
+            kwargs['password'], kwargs['database'],
+            charset=kwargs['charset'],
+            client_flags=kwargs['client_flags'],
+            ssl_enabled=True)
+        # Check the first_auth packet
+        self.assertEqual(packets[1][4:], auth_pkt)
+        # Check the second_auth packet
+        self.assertEqual(packets[2][4:],
+                bytearray(kwargs["password"].encode('utf-8') + b"\x00"))
+
+        # Test fast_auth_success
+        # Exchange:
+        # Client              Server
+        # ------              ------
+        # make_ssl_auth
+        # first_auth
+        #                     fast_auth
+        #                     OK
+        self.cnx._socket.sock.reset()
+        self.cnx._socket.sock.add_packets([
+            bytearray(b'\x02\x00\x00\x03\x01\x03'), # fast_auth success
+            bytearray(b'\x07\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00') # OK
+        ])
+        self.cnx._do_auth(**kwargs)
+        packets = self.cnx._socket.sock._client_sends
+        self.assertEqual(2, len(packets))
+        ssl_pkt = self.cnx._protocol.make_auth_ssl(
+                charset=kwargs['charset'], client_flags=kwargs['client_flags'])
+        # Check the SSL request packet
+        self.assertEqual(packets[0][4:], ssl_pkt)
+        auth_pkt = self.cnx._protocol.make_auth(
+            self.cnx._handshake, kwargs['username'],
+            kwargs['password'], kwargs['database'],
+            charset=kwargs['charset'],
+            client_flags=kwargs['client_flags'],
+            ssl_enabled=True)
+        # Check the first auth packet
+        self.assertEqual(packets[1][4:], auth_pkt)
+
     @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
     def test__do_auth_ssl(self):
         """Authenticate with the MySQL server using SSL"""
@@ -812,7 +901,8 @@ def test__do_auth_ssl(self):
                 self.cnx._handshake, kwargs['username'],
                 kwargs['password'], kwargs['database'],
                 charset=kwargs['charset'],
-                client_flags=kwargs['client_flags']),
+                client_flags=kwargs['client_flags'],
+                ssl_enabled=True),
         ]
         self.cnx._socket.switch_to_ssl = \
             lambda ca, cert, key, verify_cert, cipher: None

unittests.py

@@ -148,7 +148,6 @@
 innodb_flush_log_at_trx_commit = 2
 innodb_log_file_size = 1Gb
 general_log_file = general_{name}.log
-ssl
 """
 
 # Platform specifics
@@ -169,6 +168,8 @@
     ))
     MYSQL_DEFAULT_BASE = os.path.join('/', 'usr', 'local', 'mysql')
 
+MY_CNF += "\nssl={ssl}"
+
 MYSQL_DEFAULT_TOPDIR = _TOPDIR
 
 _UNITTESTS_CMD_ARGS = {