MDEV-12321 authentication plugin: SET PASSWORD support

Support SET PASSWORD for authentication plugins.

Authentication plugin API is extended with two optional methods:
* hash_password() is used to compute a password hash (or digest)
  from the plain-text password. This digest will be stored in mysql.user
  table
* preprocess_hash() is used to convert this digest into some memory
  representation that can be later used to authenticate a user.
  Build-in plugins convert the hash from hexadecimal or base64 to binary,
  to avoid doing it on every authentication attempt.

Note a change in behavior: when loading privileges (on startup or on
FLUSH PRIVILEGES) an account with an unknown plugin was loaded with a
warning (e.g. "Plugin 'foo' is not loaded"). But such an account could
not be used for authentication until the plugin is installed. Now an
account like that will not be loaded at all (with a warning, still).
Indeed, without plugin's preprocess_hash() method the server cannot know
how to load an account. Thus, if a new authentication plugin is
installed run-time, one might need FLUSH PRIVILEGES to activate all
existing accounts that were using this new plugin.

7 files changed, 49 insertions, 22 deletions

diff --git a/plugin/auth_ed25519/server_ed25519.c b/plugin/auth_ed25519/server_ed25519.c
index 23b4e7389c7..06c25558653 100644
--- a/plugin/auth_ed25519/server_ed25519.c
+++ b/plugin/auth_ed25519/server_ed25519.c
@@ -36,16 +36,6 @@ static int auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
   int pkt_len;
   unsigned long nonce[CRYPTO_LONGS + NONCE_LONGS];
   unsigned char *pkt, *reply= (unsigned char*)nonce;
-  unsigned char pk[PASSWORD_LEN_BUF/4*3];
-  char pw[PASSWORD_LEN_BUF];
-
-  /* prepare the pk */
-  if (info->auth_string_length != PASSWORD_LEN)
-    return CR_AUTH_USER_CREDENTIALS;
-  memcpy(pw, info->auth_string, PASSWORD_LEN);
-  pw[PASSWORD_LEN]= '=';
-  if (my_base64_decode(pw, PASSWORD_LEN_BUF, pk, NULL, 0) != CRYPTO_PUBLICKEYBYTES)
-    return CR_AUTH_USER_CREDENTIALS;
 
   info->password_used= PASSWORD_USED_YES;
 
@@ -62,17 +52,46 @@ static int auth(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info)
     return CR_AUTH_HANDSHAKE;
   memcpy(reply, pkt, CRYPTO_BYTES);
 
-  if (crypto_sign_open(reply, CRYPTO_BYTES + NONCE_BYTES, pk))
+  if (crypto_sign_open(reply, CRYPTO_BYTES + NONCE_BYTES,
+                       (unsigned char*)info->auth_string))
     return CR_ERROR;
 
   return CR_OK;
 }
 
+static int compute_password_digest(const char *pw, size_t pwlen,
+                                   char *d, size_t *dlen)
+{
+  unsigned char pk[CRYPTO_PUBLICKEYBYTES];
+  if (*dlen < PASSWORD_LEN || pwlen == 0)
+    return 1;
+  *dlen= PASSWORD_LEN;
+  crypto_sign_keypair(pk, (unsigned char*)pw, pwlen);
+  my_base64_encode(pk, CRYPTO_PUBLICKEYBYTES, d);
+  return 0;
+}
+
+static int digest_to_binary(const char *d, size_t dlen,
+                            unsigned char *b, size_t *blen)
+{
+  char pw[PASSWORD_LEN_BUF];
+
+  if (*blen < CRYPTO_PUBLICKEYBYTES || dlen != PASSWORD_LEN)
+    return 1;
+
+  *blen= CRYPTO_PUBLICKEYBYTES;
+  memcpy(pw, d, PASSWORD_LEN);
+  pw[PASSWORD_LEN]= '=';
+  return my_base64_decode(pw, PASSWORD_LEN_BUF, b, 0, 0) != CRYPTO_PUBLICKEYBYTES;
+}
+
 static struct st_mysql_auth info =
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "client_ed25519",
- auth
+  auth,
+  compute_password_digest,
+  digest_to_binary
 };
 
 static int init(void *p __attribute__((unused)))
@@ -97,10 +116,10 @@ maria_declare_plugin(ed25519)
   PLUGIN_LICENSE_GPL,
   init,
   deinit,
-  0x0100,
+  0x0101,
   NULL,
   NULL,
-  "1.0",
+  "1.1",
   MariaDB_PLUGIN_MATURITY_STABLE
 }
 maria_declare_plugin_end;
diff --git a/plugin/auth_examples/dialog_examples.c b/plugin/auth_examples/dialog_examples.c
index 067244d6f7d..1c96c8d7faf 100644
--- a/plugin/auth_examples/dialog_examples.c
+++ b/plugin/auth_examples/dialog_examples.c
@@ -81,7 +81,8 @@ static struct st_mysql_auth two_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "dialog", /* requires dialog client plugin */
-  two_questions
+  two_questions,
+  NULL, NULL /* no PASSWORD() */
 };
 
 /* dialog demo where the number of questions is not known in advance */
@@ -118,7 +119,8 @@ static struct st_mysql_auth three_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "dialog", /* requires dialog client plugin */
-  three_attempts 
+  three_attempts,
+  NULL, NULL /* no PASSWORD() */
 };
 
 mysql_declare_plugin(dialog)
diff --git a/plugin/auth_examples/qa_auth_interface.c b/plugin/auth_examples/qa_auth_interface.c
index 08ddbf7f30a..70050cf0d91 100644
--- a/plugin/auth_examples/qa_auth_interface.c
+++ b/plugin/auth_examples/qa_auth_interface.c
@@ -136,7 +136,8 @@ static struct st_mysql_auth qa_auth_test_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "qa_auth_interface", /* requires test_plugin client's plugin */
-  qa_auth_interface
+  qa_auth_interface,
+  NULL, NULL /* no PASSWORD() */
 };
 
 mysql_declare_plugin(test_plugin)
diff --git a/plugin/auth_examples/qa_auth_server.c b/plugin/auth_examples/qa_auth_server.c
index 59b926b63dc..0ed16b692cf 100644
--- a/plugin/auth_examples/qa_auth_server.c
+++ b/plugin/auth_examples/qa_auth_server.c
@@ -56,7 +56,8 @@ static struct st_mysql_auth qa_auth_test_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "qa_auth_interface", /* requires test_plugin client's plugin */
-  qa_auth_interface
+  qa_auth_interface,
+  NULL, NULL /* no PASSWORD() */
 };
 
 mysql_declare_plugin(test_plugin)
diff --git a/plugin/auth_examples/test_plugin.c b/plugin/auth_examples/test_plugin.c
index 8cc17894be4..e2d79d753f4 100644
--- a/plugin/auth_examples/test_plugin.c
+++ b/plugin/auth_examples/test_plugin.c
@@ -69,7 +69,8 @@ static struct st_mysql_auth auth_test_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "auth_test_plugin", /* requires test_plugin client's plugin */
-  auth_test_plugin
+  auth_test_plugin,
+  NULL, NULL /* no PASSWORD() */
 };
 
 /**
@@ -99,7 +100,8 @@ static struct st_mysql_auth auth_cleartext_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "mysql_clear_password", /* requires the clear text plugin */
-  auth_cleartext_plugin
+  auth_cleartext_plugin,
+  NULL, NULL /* no PASSWORD() */
 };
 
 mysql_declare_plugin(test_plugin)
diff --git a/plugin/auth_pam/auth_pam_common.c b/plugin/auth_pam/auth_pam_common.c
index 1fbd5b12d3a..135feb611a6 100644
--- a/plugin/auth_pam/auth_pam_common.c
+++ b/plugin/auth_pam/auth_pam_common.c
@@ -24,7 +24,8 @@ static struct st_mysql_auth info =
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   "dialog",
-  pam_auth
+  pam_auth,
+  NULL, NULL /* no PASSWORD() */
 };
 
 static char use_cleartext_plugin;
diff --git a/plugin/auth_socket/auth_socket.c b/plugin/auth_socket/auth_socket.c
index f04b1d9d2a1..2fc29e9ba1c 100644
--- a/plugin/auth_socket/auth_socket.c
+++ b/plugin/auth_socket/auth_socket.c
@@ -102,7 +102,8 @@ static struct st_mysql_auth socket_auth_handler=
 {
   MYSQL_AUTHENTICATION_INTERFACE_VERSION,
   0,
-  socket_auth
+  socket_auth,
+  NULL, NULL /* no PASSWORD() */
 };
 
 maria_declare_plugin(auth_socket)