WL11685: SHA256_MEMORY authentication

Author: silvakid

cdk/extra/process_launcher/process_launcher.h

@@ -28,19 +28,6 @@
  * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
  */
 
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 of the License.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA */
-
 #ifndef _PROCESS_LAUNCHER_H_
 #define _PROCESS_LAUNCHER_H_
 

cdk/include/mysql/cdk/data_source.h

@@ -141,7 +141,8 @@ class Protocol_options
     DEFAULT,
     PLAIN,
     MYSQL41,
-    EXTERNAL
+    EXTERNAL,
+    SHA256_MEMORY
   };
 
   virtual auth_method_t auth_method() const = 0;

cdk/include/mysql/cdk/mysqlx/session.h

@@ -640,6 +640,7 @@ class Session
 
   // Authentication (cdk::protocol::mysqlx::Auth_processor)
   void authenticate(const Options &options, bool secure = false);
+  void do_authenticate(const Options &options, int auth_method, bool secure);
   void auth_ok(bytes data);
   void auth_continue(bytes data);
   void auth_fail(bytes data);

cdk/mysqlx/CMakeLists.txt

@@ -36,16 +36,20 @@ ADD_DEFINITIONS(-DSIZEOF_LONG=${SIZEOF_LONG} -DSIZEOF_LONG_LONG=${SIZEOF_LONG_LO
 # TODO: Fix compile warnings in auth_mysql41.cc
 
 if(WIN32)
-  set_property(SOURCE auth_mysql41.cc
+  set_property(SOURCE auth_hash.cc
     PROPERTY COMPILE_FLAGS "/W3"
   )
 endif()
 
 
-ADD_LIBRARY(${target_mysqlx} OBJECT session.cc result.cc auth_mysql41.cc)
+ADD_LIBRARY(${target_mysqlx} OBJECT
+  session.cc
+  result.cc
+  auth_hash.cc
+  )
 ADD_COVERAGE(${target_mysqlx})
 
-# Note: File auth_mysql41.cc uses SSL code.
+# Note: File auth_mysql41.cc and auth_sha256.cc uses SSL code.
 
 add_ssl(${target_mysqlx})
 

cdk/mysqlx/auth_mysql41.cc renamed to cdk/mysqlx/auth_hash.cc

@@ -28,7 +28,7 @@
  * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
  */
 
-#include "auth_mysql41.h"
+#include "auth_hash.h"
 #include <stdint.h>
 #include <stdexcept>
 #include <string.h>  // memset
@@ -58,6 +58,7 @@
 #define PVERSION41_CHAR '*'
 #define SCRAMBLE_LENGTH 20
 #define SHA1_HASH_SIZE 20
+#define SHA256_HASH_SIZE 32
 
 #if defined( WITH_SSL_YASSL)
 using namespace TaoCrypt;
@@ -77,6 +78,9 @@ class SHA
   }
 
   public:
+
+  enum { DIGEST_SIZE = SHA1_HASH_SIZE };   // in Bytes
+
   SHA()
   {
     init();
@@ -92,6 +96,40 @@ class SHA
     SHA1_Final(hash, &m_sha);
     init();
   }
+
+  size_t getDigestSize() const {return SHA1_HASH_SIZE; }
+};
+
+class SHA256
+{
+  SHA256_CTX m_sha;
+
+  void init()
+  {
+    SHA256_Init(&m_sha);
+  }
+
+  public:
+
+  enum { DIGEST_SIZE = SHA256_HASH_SIZE };   // in Bytes
+
+  SHA256()
+  {
+    init();
+  }
+
+  void Update(byte* data, length_t length)
+  {
+    SHA256_Update(&m_sha, data, length);
+  }
+
+  void Final(byte* hash)
+  {
+    SHA256_Final(hash, &m_sha);
+    init();
+  }
+
+  size_t getDigestSize() const {return SHA256_HASH_SIZE; }
 };
 #endif
 
@@ -106,37 +144,47 @@ static void my_crypt(uint8_t *to, const uint8_t *s1, const uint8_t *s2, size_t l
 
 
 
+template<class SHA_Crypt>
 static std::string scramble(const std::string &scramble_data, const std::string &password)
 {
-  class SHA sha1;
+  SHA_Crypt sha;
 
   if (scramble_data.length() != SCRAMBLE_LENGTH)
     throw std::invalid_argument("Password scramble data is invalid");
 
-  byte hash_stage1[SHA1_HASH_SIZE];
-  byte hash_stage2[SHA1_HASH_SIZE];
-  byte result_buf[SHA1_HASH_SIZE+1];
+  byte hash_stage1[SHA_Crypt::DIGEST_SIZE];
+  byte hash_stage2[SHA_Crypt::DIGEST_SIZE];
+  byte result_buf[SHA_Crypt::DIGEST_SIZE+1];
 
   memset(result_buf, 0, sizeof(result_buf));
 
   /* Two stage SHA1 hash of the pwd */
   /* Stage 1: hash pwd */
-  sha1.Update((byte*)password.data(), (length_t)password.length());
-  sha1.Final(hash_stage1);
+  sha.Update((byte*)password.data(), (length_t)password.length());
+  sha.Final(hash_stage1);
 
   /* Stage 2 : hash first stage's output. */
-  sha1.Update(hash_stage1, SHA1_HASH_SIZE);
-  sha1.Final(hash_stage2);
+  sha.Update(hash_stage1, sha.getDigestSize());
+  sha.Final(hash_stage2);
 
   /* create crypt string as sha1(message, hash_stage2) */;
-  sha1.Update((byte*)scramble_data.data(), (length_t)scramble_data.length());
-  sha1.Update(hash_stage2, SHA1_HASH_SIZE);
-  sha1.Final(result_buf);
-  result_buf[SHA1_HASH_SIZE] = '\0';
+  /* MYSQL41 and SHA256_PASSWORD have different behaviors here! Bug? */
+  if (sha.getDigestSize() == SHA1_HASH_SIZE)
+  {
+    sha.Update((byte*)scramble_data.data(), (length_t)scramble_data.length());
+    sha.Update(hash_stage2, sha.getDigestSize());
+  }
+  else
+  {
+    sha.Update(hash_stage2, sha.getDigestSize());
+    sha.Update((byte*)scramble_data.data(), (length_t)scramble_data.length());
+  }
+  sha.Final(result_buf);
+  result_buf[sha.getDigestSize()] = '\0';
 
-  my_crypt(result_buf, result_buf, hash_stage1, SCRAMBLE_LENGTH);
+  my_crypt(result_buf, result_buf, hash_stage1, sha.getDigestSize());
 
-  return std::string((char*)result_buf, SCRAMBLE_LENGTH);
+  return std::string((char*)result_buf, sha.getDigestSize());
 }
 
 static char *octet2hex(char *to, const char *str, size_t len)
@@ -153,8 +201,9 @@ static char *octet2hex(char *to, const char *str, size_t len)
   return to;
 }
 
+// MYSQL41 specific
 
-static std::string get_password_from_salt(const std::string &hash_stage2)
+static std::string get_password_from_salt_mysql41(const std::string &hash_stage2)
 {
   std::string result(2*SHA1_HASH_SIZE + 1, '\0');
 
@@ -168,18 +217,19 @@ static std::string get_password_from_salt(const std::string &hash_stage2)
 }
 
 
-std::string mysqlx::build_mysql41_authentication_response(const std::string &salt_data,
-                                                  const std::string &user,
-                                                  const std::string &password,
-                                                  const std::string &schema)
+std::string mysqlx::build_mysql41_authentication_response(
+    const std::string &salt_data,
+    const std::string &user,
+    const std::string &password,
+    const std::string &schema)
 {
   std::string data;
   std::string password_hash;
 
   if (password.length())
   {
-    password_hash = scramble(salt_data, password);
-    password_hash = get_password_from_salt(password_hash);
+    password_hash = scramble<class SHA>(salt_data, password);
+    password_hash = get_password_from_salt_mysql41(password_hash);
   }
 
   data.append(schema).push_back('\0'); // authz
@@ -188,3 +238,38 @@ std::string mysqlx::build_mysql41_authentication_response(const std::string &sal
 
   return data;
 }
+
+// SHA256_MEMORY specific
+
+static std::string get_password_from_salt_sha256(const std::string &hash_stage2)
+{
+  std::string result(2*SHA256_HASH_SIZE +1 , '\0');
+
+  if (hash_stage2.length() != SHA256_HASH_SIZE)
+    throw std::invalid_argument("Wrong size of binary hash password");
+
+  octet2hex(&result[0], &hash_stage2[0], SHA256_HASH_SIZE);
+
+  return result;
+}
+
+std::string mysqlx::build_sha256_authentication_response(
+    const std::string &salt_data,
+    const std::string &user,
+    const std::string &password,
+    const std::string &schema)
+{
+  std::string password_hash;
+  std::string data;
+
+  password_hash = scramble<class SHA256>(salt_data, password);
+  password_hash = get_password_from_salt_sha256(password_hash);
+  //REMOVE ending \0
+  password_hash.pop_back();
+
+  data.append(schema).push_back('\0'); // authz
+  data.append(user).push_back('\0'); // authc
+  data.append(password_hash); // pass
+
+  return data;
+}

cdk/mysqlx/auth_mysql41.h renamed to cdk/mysqlx/auth_hash.h

@@ -36,10 +36,17 @@
 
 namespace mysqlx
 {
-  std::string build_mysql41_authentication_response(const std::string &salt_data,
-                                            const std::string &user,
-                                            const std::string &password,
-                                            const std::string &schema);
+  std::string build_mysql41_authentication_response(
+      const std::string &salt_data,
+      const std::string &user,
+      const std::string &password,
+      const std::string &schema);
+
+  std::string build_sha256_authentication_response(
+      const std::string &salt_data,
+      const std::string &user,
+      const std::string &password,
+      const std::string &schema);
 }
 
 #endif

cdk/mysqlx/delayed_op.h

@@ -95,7 +95,7 @@ class Proto_delayed_op
       op = start();
 
     if (op)
-      op->wait();
+       op->wait();
     else
       THROW("Invalid delayed operation.");
   }