1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
|
#ifndef MYSQL_PLUGIN_AUTH_INCLUDED
/* Copyright (C) 2010 Sergei Golubchik and Monty Program Ab
Copyright (c) 2010, Oracle and/or its affiliates.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
/**
@file
Authentication Plugin API.
This file defines the API for server authentication plugins.
*/
#define MYSQL_PLUGIN_AUTH_INCLUDED
#include <mysql/plugin.h>
#define MYSQL_AUTHENTICATION_INTERFACE_VERSION 0x0202
#include <mysql/plugin_auth_common.h>
#ifdef __cplusplus
extern "C" {
#endif
/* defines for MYSQL_SERVER_AUTH_INFO.password_used */
#define PASSWORD_USED_NO 0
#define PASSWORD_USED_YES 1
#define PASSWORD_USED_NO_MENTION 2
/**
Provides server plugin access to authentication information
*/
typedef struct st_mysql_server_auth_info
{
/**
User name as sent by the client and shown in USER().
NULL if the client packet with the user name was not received yet.
*/
const char *user_name;
/**
Length of user_name
*/
unsigned int user_name_length;
/**
A corresponding column value from the mysql.user table for the
matching account name or the preprocessed value, if preprocess_hash
method is not NULL
*/
const char *auth_string;
/**
Length of auth_string
*/
unsigned long auth_string_length;
/**
Matching account name as found in the mysql.user table.
A plugin can override it with another name that will be
used by MySQL for authorization, and shown in CURRENT_USER()
*/
char authenticated_as[MYSQL_USERNAME_LENGTH+1];
/**
The unique user name that was used by the plugin to authenticate.
Not used by the server.
Available through the @@EXTERNAL_USER variable.
*/
char external_user[MYSQL_USERNAME_LENGTH+1];
/**
This only affects the "Authentication failed. Password used: %s"
error message. has the following values :
0 : %s will be NO.
1 : %s will be YES.
2 : there will be no %s.
Set it as appropriate or ignore at will.
*/
int password_used;
/**
Set to the name of the connected client host, if it can be resolved,
or to its IP address otherwise.
*/
const char *host_or_ip;
/**
Length of host_or_ip
*/
unsigned int host_or_ip_length;
/**
Current THD pointer (to use with various services)
*/
MYSQL_THD thd;
} MYSQL_SERVER_AUTH_INFO;
/**
Server authentication plugin descriptor
*/
struct st_mysql_auth
{
int interface_version; /**< version plugin uses */
/**
A plugin that a client must use for authentication with this server
plugin. Can be NULL to mean "any plugin".
*/
const char *client_auth_plugin;
/**
Function provided by the plugin which should perform authentication (using
the vio functions if necessary) and return 0 if successful. The plugin can
also fill the info.authenticated_as field if a different username should be
used for authorization.
*/
int (*authenticate_user)(MYSQL_PLUGIN_VIO *vio, MYSQL_SERVER_AUTH_INFO *info);
/**
Create a password hash (or digest) out of a plain-text password
Used in SET PASSWORD, GRANT, and CREATE USER to convert user specified
plain-text password into a value that will be stored in mysql.user table.
@see preprocess_hash
@param password plain-text password
@param password_length plain-text password length
@param hash the digest will be stored there
@param hash_length in: hash buffer size
out: the actual length of the hash
@return 0 for ok, 1 for error
Can be NULL, in this case one will not be able to use SET PASSWORD or
PASSWORD('...') in GRANT, CREATE USER, ALTER USER.
*/
int (*hash_password)(const char *password, size_t password_length,
char *hash, size_t *hash_length);
/**
Prepare the password hash for authentication.
Password hash is stored in the authentication_string column of the
mysql.user table in a text form. If a plugin needs to preprocess the
value somehow before the authentication (e.g. convert from hex or base64
to binary), it can do it in this method. This way the conversion
will happen only once, not for every authentication attempt.
The value written to the out buffer will be cached and later made
available to the authenticate_user() method in the
MYSQL_SERVER_AUTH_INFO::auth_string[] buffer.
@return 0 for ok, 1 for error
Can be NULL, in this case the mysql.user.authentication_string value will
be given to the authenticate_user() method as is, unconverted.
*/
int (*preprocess_hash)(const char *hash, size_t hash_length,
unsigned char *out, size_t *out_length);
};
#ifdef __cplusplus
}
#endif
#endif
|