WL11680: Add caching_sha2_password authentication plugin

nmariz · nmariz · commit 1829fbb993c7 · 2018-04-19T20:17:48.000+01:00
This patch adds caching_sha2_password plugin. This authentication mode
requires SSL to function.

There are 2 steps:
1. client sends a scramble in the form:
   XOR(SHA2(password), SHA2(SHA2(SHA2(password)), Nonce))
   Nonce is provided by the server. This information can be sent over
   both secure and unsecure medium.

2. If server responds with Error packet, raise Error.
   Else if server responds with fast_auth_success, Step 2a. Else Step 2b.

   2a. the server sends OK packet. Login is a success.
   2b. Only this step requires SSL. Client must send the password to the
       server. To send the password to the server, the connection must
       be SSL.
       Once this password is validated, the user is stored in the cache
       and login is faster next time. Server can now send an OK packet
       or Error packet after validating user.
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@ commit.txt
 *.diff
 dist/
 build/
+mysql-vendor/
 MANIFEST
 cpy_server*/
 *_output.txt
diff --git a/lib/mysql/connector/authentication.py b/lib/mysql/connector/authentication.py
@@ -23,11 +23,11 @@
 
 """Implementing support for MySQL Authentication Plugins"""
 
-from hashlib import sha1
+from hashlib import sha1, sha256
 import struct
 
 from . import errors
-from .catch23 import PY2, isstr
+from .catch23 import PY2, isstr, UNICODE_TYPES
 
 
 class BaseAuthPlugin(object):
@@ -173,6 +173,81 @@ def prepare_password(self):
         return password + b'\x00'
 
 
+class MySQLCachingSHA2PasswordAuthPlugin(BaseAuthPlugin):
+    """Class implementing the MySQL caching_sha2_password authentication plugin
+
+    Note that encrypting using RSA is not supported since the Python
+    Standard Library does not provide this OpenSSL functionality.
+    """
+    requires_ssl = False
+    plugin_name = 'caching_sha2_password'
+    perform_full_authentication = 4
+    fast_auth_success = 3
+
+    def _scramble(self):
+        """ Returns a scramble of the password using a Nonce sent by the
+        server.
+
+        The scramble is of the form:
+        XOR(SHA2(password), SHA2(SHA2(SHA2(password)), Nonce))
+        """
+        if not self._auth_data:
+            raise errors.InterfaceError("Missing authentication data (seed)")
+
+        if not self._password:
+            return b''
+
+        password = self._password.encode('utf-8') \
+            if isinstance(self._password, UNICODE_TYPES) else self._password
+
+        if PY2:
+            password = buffer(password)  # pylint: disable=E0602
+            try:
+                auth_data = buffer(self._auth_data)  # pylint: disable=E0602
+            except TypeError:
+                raise errors.InterfaceError("Authentication data incorrect")
+        else:
+            password = password
+            auth_data = self._auth_data
+
+        hash1 = sha256(password).digest()
+        hash2 = sha256()
+        hash2.update(sha256(hash1).digest())
+        hash2.update(auth_data)
+        hash2 = hash2.digest()
+        if PY2:
+            xored = [ord(h1) ^ ord(h2) for (h1, h2) in zip(hash1, hash2)]
+        else:
+            xored = [h1 ^ h2 for (h1, h2) in zip(hash1, hash2)]
+        hash3 = struct.pack('32B', *xored)
+
+        return hash3
+
+    def prepare_password(self):
+        if len(self._auth_data) > 1:
+            return self._scramble()
+        elif self._auth_data[0] == self.perform_full_authentication:
+            return self._full_authentication()
+
+    def _full_authentication(self):
+        """Returns password as as clear text"""
+        if not self._ssl_enabled:
+            raise errors.InterfaceError("{name} requires SSL".format(
+                name=self.plugin_name))
+
+        if not self._password:
+            return b'\x00'
+        password = self._password
+
+        if PY2:
+            if isinstance(password, unicode):  # pylint: disable=E0602
+                password = password.encode('utf8')
+        elif isinstance(password, str):
+            password = password.encode('utf8')
+
+        return password + b'\x00'
+
+
 def get_auth_plugin(plugin_name):
     """Return authentication class based on plugin name
 
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -170,6 +170,8 @@ def _auth_switch_request(self, username=None, password=None):
         Raises NotSupportedError when we get the old, insecure password
         reply back. Raises any error coming from MySQL.
         """
+        auth = None
+        new_auth_plugin = self._auth_plugin or self._handshake["auth_plugin"]
         packet = self._socket.recv()
         if packet[4] == 254 and len(packet) == 5:
             raise errors.NotSupportedError(
@@ -185,10 +187,19 @@ def _auth_switch_request(self, username=None, password=None):
             response = auth.auth_response()
             self._socket.send(response)
             packet = self._socket.recv()
-            if packet[4] != 1:
-                return self._handle_ok(packet)
-            else:
-                auth_data = self._protocol.parse_auth_more_data(packet)
+
+        if packet[4] == 1:
+            auth_data = self._protocol.parse_auth_more_data(packet)
+            auth = get_auth_plugin(new_auth_plugin)(
+                auth_data, password=password, ssl_enabled=self._ssl_active)
+            if new_auth_plugin == "caching_sha2_password":
+                response = auth.auth_response()
+                if response:
+                    self._socket.send(response)
+                packet = self._socket.recv()
+
+        if packet[4] == 0:
+            return self._handle_ok(packet)
         elif packet[4] == 255:
             raise errors.get_exception(packet)
 
diff --git a/tests/cext/test_cext_api.py b/tests/cext/test_cext_api.py
@@ -458,6 +458,7 @@ def test_commit(self):
     def test_change_user(self):
         connect_kwargs = self.connect_kwargs.copy()
         connect_kwargs['unix_socket'] = None
+        connect_kwargs['ssl_disabled'] = False
         cmy1 = MySQL(buffered=True)
         cmy1.connect(**connect_kwargs)
         cmy2 = MySQL(buffered=True)
@@ -477,7 +478,7 @@ def test_change_user(self):
             pass
 
         stmt = ("CREATE USER '{user}'@'{host}' IDENTIFIED WITH "
-                "mysql_native_password").format(**new_user)
+                "caching_sha2_password").format(**new_user)
         cmy1.query(stmt)
         cmy1.query("SET old_passwords = 0")
         res = cmy1.query("SET PASSWORD FOR '{user}'@'{host}' = "
diff --git a/tests/test_bugs.py b/tests/test_bugs.py
@@ -386,6 +386,7 @@ class Bug519301(tests.MySQLConnectorTests):
     @foreach_cnx()
     def test_auth(self):
         config = self.config.copy()
+        config.pop('unix_socket')
         config['user'] = 'ham'
         config['password'] = 'spam'
 
@@ -4197,6 +4198,7 @@ def _drop_user(self, host, user):
 
     def test_unicode_password(self):
         config = tests.get_mysql_config()
+        config.pop('unix_socket')
         config['user'] = self.user
         config['password'] = self.password
         try:
@@ -4292,7 +4294,7 @@ def _disable_ssl(self):
         self.server.stop()
         self.server.wait_down()
 
-        self.server.start(ssl_ca='', ssl_cert='', ssl_key='')
+        self.server.start(ssl_ca='', ssl_cert='', ssl_key='', ssl=0)
         self.server.wait_up()
         time.sleep(1)
 
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -742,6 +742,7 @@ def recv(self):
     def test__do_auth(self):
         """Authenticate with the MySQL server"""
         self.cnx._socket.sock = tests.DummySocket()
+        self.cnx._handshake["auth_plugin"] = "mysql_native_password"
         flags = constants.ClientFlag.get_default()
         kwargs = {
             'username': 'ham',
@@ -781,6 +782,94 @@ def test__do_auth(self):
         self.assertRaises(errors.ProgrammingError,
                           self.cnx._do_auth, **kwargs)
 
+    @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
+    @unittest.skipIf(tests.MYSQL_VERSION < (8, 0, 3),
+                     "caching_sha2_password plugin not supported by server.")
+    def test_caching_sha2_password(self):
+        """Authenticate with the MySQL server using caching_sha2_password"""
+        self.cnx._socket.sock = tests.DummySocket()
+        flags = constants.ClientFlag.get_default()
+        flags |= constants.ClientFlag.SSL
+        kwargs = {
+            'username': 'ham',
+            'password': 'spam',
+            'database': 'test',
+            'charset': 33,
+            'client_flags': flags,
+            'ssl_options': {
+                'ca': os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem'),
+                'cert': os.path.join(tests.SSL_DIR, 'tests_client_cert.pem'),
+                'key': os.path.join(tests.SSL_DIR, 'tests_client_key.pem'),
+            },
+        }
+
+        self.cnx._handshake['auth_plugin'] = 'caching_sha2_password'
+        self.cnx._handshake['auth_data'] = b'h4i6oP!OLng9&PD@WrYH'
+        self.cnx._socket.switch_to_ssl = \
+            lambda ca, cert, key, verify_cert, cipher: None
+
+        # Test perform_full_authentication
+        # Exchange:
+        # Client              Server
+        # ------              ------
+        # make_ssl_auth
+        # first_auth
+        #                     full_auth
+        # second_auth
+        #                     OK
+        self.cnx._socket.sock.reset()
+        self.cnx._socket.sock.add_packets([
+            bytearray(b'\x02\x00\x00\x03\x01\x04'), # full_auth request
+            bytearray(b'\x07\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00') # OK
+        ])
+        self.cnx._do_auth(**kwargs)
+        packets = self.cnx._socket.sock._client_sends
+        self.assertEqual(3, len(packets))
+        ssl_pkt = self.cnx._protocol.make_auth_ssl(
+                charset=kwargs['charset'], client_flags=kwargs['client_flags'])
+        # Check the SSL request packet
+        self.assertEqual(packets[0][4:], ssl_pkt)
+        auth_pkt = self.cnx._protocol.make_auth(
+            self.cnx._handshake, kwargs['username'],
+            kwargs['password'], kwargs['database'],
+            charset=kwargs['charset'],
+            client_flags=kwargs['client_flags'],
+            ssl_enabled=True)
+        # Check the first_auth packet
+        self.assertEqual(packets[1][4:], auth_pkt)
+        # Check the second_auth packet
+        self.assertEqual(packets[2][4:],
+                bytearray(kwargs["password"].encode('utf-8') + b"\x00"))
+
+        # Test fast_auth_success
+        # Exchange:
+        # Client              Server
+        # ------              ------
+        # make_ssl_auth
+        # first_auth
+        #                     fast_auth
+        #                     OK
+        self.cnx._socket.sock.reset()
+        self.cnx._socket.sock.add_packets([
+            bytearray(b'\x02\x00\x00\x03\x01\x03'), # fast_auth success
+            bytearray(b'\x07\x00\x00\x05\x00\x00\x00\x02\x00\x00\x00') # OK
+        ])
+        self.cnx._do_auth(**kwargs)
+        packets = self.cnx._socket.sock._client_sends
+        self.assertEqual(2, len(packets))
+        ssl_pkt = self.cnx._protocol.make_auth_ssl(
+                charset=kwargs['charset'], client_flags=kwargs['client_flags'])
+        # Check the SSL request packet
+        self.assertEqual(packets[0][4:], ssl_pkt)
+        auth_pkt = self.cnx._protocol.make_auth(
+            self.cnx._handshake, kwargs['username'],
+            kwargs['password'], kwargs['database'],
+            charset=kwargs['charset'],
+            client_flags=kwargs['client_flags'],
+            ssl_enabled=True)
+        # Check the first auth packet
+        self.assertEqual(packets[1][4:], auth_pkt)
+
     @unittest.skipIf(not tests.SSL_AVAILABLE, "Python has no SSL support")
     def test__do_auth_ssl(self):
         """Authenticate with the MySQL server using SSL"""
@@ -812,7 +901,8 @@ def test__do_auth_ssl(self):
                 self.cnx._handshake, kwargs['username'],
                 kwargs['password'], kwargs['database'],
                 charset=kwargs['charset'],
-                client_flags=kwargs['client_flags']),
+                client_flags=kwargs['client_flags'],
+                ssl_enabled=True),
         ]
         self.cnx._socket.switch_to_ssl = \
             lambda ca, cert, key, verify_cert, cipher: None
