Merge branch 'parsec-ssl' into develop

mariadb-corporation · Nov 14, 2024 · ce37c46 · ce37c46
2 parents bd7cd10 + 2194616
commit ce37c46
Show file tree

Hide file tree

Showing 28 changed files with 421 additions and 191 deletions.
diff --git a/src/main/java/org/mariadb/jdbc/client/impl/StandardClient.java b/src/main/java/org/mariadb/jdbc/client/impl/StandardClient.java
@@ -55,10 +55,7 @@
 import org.mariadb.jdbc.message.ClientMessage;
 import org.mariadb.jdbc.message.client.*;
 import org.mariadb.jdbc.message.server.*;
-import org.mariadb.jdbc.plugin.AuthenticationPlugin;
-import org.mariadb.jdbc.plugin.Credential;
-import org.mariadb.jdbc.plugin.CredentialPlugin;
-import org.mariadb.jdbc.plugin.TlsSocketPlugin;
+import org.mariadb.jdbc.plugin.*;
 import org.mariadb.jdbc.plugin.authentication.AuthenticationPluginLoader;
 import org.mariadb.jdbc.plugin.authentication.addon.ClearPasswordPlugin;
 import org.mariadb.jdbc.plugin.authentication.standard.NativePasswordPlugin;
@@ -220,8 +217,8 @@ public StandardClient(
           .encode(writer, context);
       authPlugin =
           "mysql_clear_password".equals(authenticationPluginType)
-              ? new ClearPasswordPlugin()
-              : new NativePasswordPlugin();
+              ? new ClearPasswordPlugin(credential.getPassword())
+              : new NativePasswordPlugin(credential.getPassword(), handshake.getSeed());
       writer.flush();
 
       authenticationHandler(credential, hostAddress);
@@ -284,19 +281,21 @@ public void authenticationHandler(Credential credential, HostAddress hostAddress
           // https://mariadb.com/kb/en/library/connection/#authentication-switch-request
           // *************************************************************************************
           AuthSwitchPacket authSwitchPacket = AuthSwitchPacket.decode(buf);
-          authPlugin = AuthenticationPluginLoader.get(authSwitchPacket.getPlugin(), conf);
-          if (authPlugin.requireSsl() && !context.hasClientCapability(SSL)) {
+          AuthenticationPluginFactory authPluginFactory =
+              AuthenticationPluginLoader.get(authSwitchPacket.getPlugin(), conf);
+          if (authPluginFactory.requireSsl() && !context.hasClientCapability(SSL)) {
             throw context
                 .getExceptionFactory()
                 .create(
                     "Cannot use authentication plugin "
-                        + authPlugin.type()
+                        + authPluginFactory.type()
                         + " if SSL is not enabled.",
                     "08000");
           }
+          authPlugin =
+              authPluginFactory.initialize(
+                  credential.getPassword(), authSwitchPacket.getSeed(), conf, hostAddress);
 
-          authPlugin.initialize(
-              credential.getPassword(), authSwitchPacket.getSeed(), conf, hostAddress);
           buf = authPlugin.process(writer, reader, context);
           break;
 
@@ -338,7 +337,7 @@ public void authenticationHandler(Credential credential, HostAddress hostAddress
               throw context
                   .getExceptionFactory()
                   .create(
-                      "Self signed certificates. Either set sslMode=trust, set a password or"
+                      "Self signed certificates. Either set sslMode=trust, use password with a MitM-Proof authentication plugin or"
                           + " provide server certificate to client",
                       "08000");
             }

diff --git a/src/main/java/org/mariadb/jdbc/plugin/AuthenticationPlugin.java b/src/main/java/org/mariadb/jdbc/plugin/AuthenticationPlugin.java
@@ -5,8 +5,6 @@
 
 import java.io.IOException;
 import java.sql.SQLException;
-import org.mariadb.jdbc.Configuration;
-import org.mariadb.jdbc.HostAddress;
 import org.mariadb.jdbc.client.Context;
 import org.mariadb.jdbc.client.ReadableByteBuf;
 import org.mariadb.jdbc.client.socket.Reader;
@@ -15,24 +13,6 @@
 /** Authentication plugin descriptor */
 public interface AuthenticationPlugin {
 
-  /**
-   * Authentication plugin type.
-   *
-   * @return authentication plugin type. ex: mysql_native_password
-   */
-  String type();
-
-  /**
-   * Plugin initialization.
-   *
-   * @param authenticationData authentication data (password/token)
-   * @param seed server provided seed
-   * @param conf Connection options
-   * @param hostAddress host address
-   */
-  void initialize(
-      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress);
-
   /**
    * Process plugin authentication.
    *
@@ -64,13 +44,4 @@ default boolean isMitMProof() {
   default byte[] hash(Credential credential) {
     return null;
   }
-
-  /**
-   * Authentication plugin required SSL to be used
-   *
-   * @return true if SSL is required
-   */
-  default boolean requireSsl() {
-    return false;
-  }
 }
diff --git a/src/main/java/org/mariadb/jdbc/plugin/AuthenticationPluginFactory.java b/src/main/java/org/mariadb/jdbc/plugin/AuthenticationPluginFactory.java
@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+// Copyright (c) 2012-2014 Monty Program Ab
+// Copyright (c) 2015-2024 MariaDB Corporation Ab
+package org.mariadb.jdbc.plugin;
+
+import org.mariadb.jdbc.Configuration;
+import org.mariadb.jdbc.HostAddress;
+
+/** Authentication plugin descriptor */
+public interface AuthenticationPluginFactory {
+
+  /**
+   * Authentication plugin type.
+   *
+   * @return authentication plugin type. ex: mysql_native_password
+   */
+  String type();
+
+  /**
+   * Plugin initialization.
+   *
+   * @param authenticationData authentication data (password/token)
+   * @param seed server provided seed
+   * @param conf Connection options
+   * @param hostAddress host address
+   */
+  AuthenticationPlugin initialize(
+      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress);
+
+  /**
+   * Authentication plugin required SSL to be used
+   *
+   * @return true if SSL is required
+   */
+  default boolean requireSsl() {
+    return false;
+  }
+}
diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/AuthenticationPluginLoader.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/AuthenticationPluginLoader.java
@@ -8,7 +8,7 @@
 import java.util.ServiceLoader;
 import org.mariadb.jdbc.Configuration;
 import org.mariadb.jdbc.Driver;
-import org.mariadb.jdbc.plugin.AuthenticationPlugin;
+import org.mariadb.jdbc.plugin.AuthenticationPluginFactory;
 
 /** permit loading authentication plugins */
 public final class AuthenticationPluginLoader {
@@ -22,14 +22,15 @@ public final class AuthenticationPluginLoader {
    * @return Authentication plugin corresponding to type
    * @throws SQLException if no authentication plugin in classpath have indicated type
    */
-  public static AuthenticationPlugin get(String type, Configuration conf) throws SQLException {
+  public static AuthenticationPluginFactory get(String type, Configuration conf)
+      throws SQLException {
 
-    ServiceLoader<AuthenticationPlugin> loader =
-        ServiceLoader.load(AuthenticationPlugin.class, Driver.class.getClassLoader());
+    ServiceLoader<AuthenticationPluginFactory> loader =
+        ServiceLoader.load(AuthenticationPluginFactory.class, Driver.class.getClassLoader());
 
     String[] authList = (conf.restrictedAuth() != null) ? conf.restrictedAuth().split(",") : null;
 
-    for (AuthenticationPlugin implClass : loader) {
+    for (AuthenticationPluginFactory implClass : loader) {
       if (type.equals(implClass.type())) {
         if (authList == null || Arrays.stream(authList).anyMatch(type::contains)) {
           return implClass;

diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/ClearPasswordPlugin.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/ClearPasswordPlugin.java
@@ -5,8 +5,6 @@
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
-import org.mariadb.jdbc.Configuration;
-import org.mariadb.jdbc.HostAddress;
 import org.mariadb.jdbc.client.Context;
 import org.mariadb.jdbc.client.ReadableByteBuf;
 import org.mariadb.jdbc.client.socket.Reader;
@@ -15,31 +13,15 @@
 
 /** Clear password plugin. */
 public class ClearPasswordPlugin implements AuthenticationPlugin {
-  /** plugin name */
-  public static final String TYPE = "mysql_clear_password";
 
   private String authenticationData;
 
-  @Override
-  public String type() {
-    return TYPE;
-  }
-
-  @Override
-  public boolean requireSsl() {
-    return true;
-  }
-
   /**
    * Initialization.
    *
    * @param authenticationData authentication data (password/token)
-   * @param seed server provided seed
-   * @param conf Connection string options
-   * @param hostAddress host information
    */
-  public void initialize(
-      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
+  public ClearPasswordPlugin(String authenticationData) {
     this.authenticationData = authenticationData;
   }
 

diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/ClearPasswordPluginFactory.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/ClearPasswordPluginFactory.java
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+// Copyright (c) 2012-2014 Monty Program Ab
+// Copyright (c) 2015-2024 MariaDB Corporation Ab
+package org.mariadb.jdbc.plugin.authentication.addon;
+
+import org.mariadb.jdbc.Configuration;
+import org.mariadb.jdbc.HostAddress;
+import org.mariadb.jdbc.plugin.AuthenticationPlugin;
+import org.mariadb.jdbc.plugin.AuthenticationPluginFactory;
+
+/** Clear password plugin. */
+public class ClearPasswordPluginFactory implements AuthenticationPluginFactory {
+
+  @Override
+  public String type() {
+    return "mysql_clear_password";
+  }
+
+  @Override
+  public boolean requireSsl() {
+    return true;
+  }
+
+  /**
+   * Initialization.
+   *
+   * @param authenticationData authentication data (password/token)
+   * @param seed server provided seed
+   * @param conf Connection string options
+   * @param hostAddress host information
+   */
+  public AuthenticationPlugin initialize(
+      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
+    return new ClearPasswordPlugin(authenticationData);
+  }
+}
diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/SendGssApiAuthPacket.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/SendGssApiAuthPacket.java
@@ -6,7 +6,6 @@
 import java.io.IOException;
 import java.sql.SQLException;
 import org.mariadb.jdbc.Configuration;
-import org.mariadb.jdbc.HostAddress;
 import org.mariadb.jdbc.client.Context;
 import org.mariadb.jdbc.client.ReadableByteBuf;
 import org.mariadb.jdbc.client.impl.StandardReadableByteBuf;
@@ -35,21 +34,13 @@ public class SendGssApiAuthPacket implements AuthenticationPlugin {
   private byte[] seed;
   private String optionServicePrincipalName;
 
-  @Override
-  public String type() {
-    return "auth_gssapi_client";
-  }
-
   /**
    * Initialization.
    *
-   * @param authenticationData authentication data (password/token)
    * @param seed server provided seed
    * @param conf Connection string options
-   * @param hostAddress host information
    */
-  public void initialize(
-      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
+  public SendGssApiAuthPacket(byte[] seed, Configuration conf) {
     this.seed = seed;
     this.optionServicePrincipalName = conf.servicePrincipalName();
   }

diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/SendGssApiAuthPacketFactory.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/addon/SendGssApiAuthPacketFactory.java
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+// Copyright (c) 2012-2014 Monty Program Ab
+// Copyright (c) 2015-2024 MariaDB Corporation Ab
+package org.mariadb.jdbc.plugin.authentication.addon;
+
+import org.mariadb.jdbc.Configuration;
+import org.mariadb.jdbc.HostAddress;
+import org.mariadb.jdbc.plugin.AuthenticationPlugin;
+import org.mariadb.jdbc.plugin.AuthenticationPluginFactory;
+
+/** GSSAPI plugin */
+public class SendGssApiAuthPacketFactory implements AuthenticationPluginFactory {
+
+  @Override
+  public String type() {
+    return "auth_gssapi_client";
+  }
+
+  /**
+   * Initialization.
+   *
+   * @param authenticationData authentication data (password/token)
+   * @param seed server provided seed
+   * @param conf Connection string options
+   * @param hostAddress host information
+   */
+  public AuthenticationPlugin initialize(
+      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
+    return new SendGssApiAuthPacket(seed, conf);
+  }
+}
diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/standard/CachingSha2PasswordPlugin.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/standard/CachingSha2PasswordPlugin.java
@@ -38,6 +38,14 @@ public class CachingSha2PasswordPlugin implements AuthenticationPlugin {
   private Configuration conf;
   private HostAddress hostAddress;
 
+  public CachingSha2PasswordPlugin(
+      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
+    this.authenticationData = authenticationData;
+    this.seed = seed;
+    this.conf = conf;
+    this.hostAddress = hostAddress;
+  }
+
   /**
    * Send an SHA-2 encrypted password. encryption XOR(SHA256(password), SHA256(seed,
    * SHA256(SHA256(password))))
@@ -150,11 +158,6 @@ public static byte[] encrypt(PublicKey publicKey, String password, byte[] seed)
     }
   }
 
-  @Override
-  public String type() {
-    return TYPE;
-  }
-
   /**
    * Initialized data.
    *

diff --git a/...ava/org/mariadb/jdbc/plugin/authentication/standard/CachingSha2PasswordPluginFactory.java b/...ava/org/mariadb/jdbc/plugin/authentication/standard/CachingSha2PasswordPluginFactory.java
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: LGPL-2.1-or-later
+// Copyright (c) 2012-2014 Monty Program Ab
+// Copyright (c) 2015-2024 MariaDB Corporation Ab
+package org.mariadb.jdbc.plugin.authentication.standard;
+
+import org.mariadb.jdbc.Configuration;
+import org.mariadb.jdbc.HostAddress;
+import org.mariadb.jdbc.plugin.AuthenticationPlugin;
+import org.mariadb.jdbc.plugin.AuthenticationPluginFactory;
+
+/** Mysql caching sha2 password plugin */
+public class CachingSha2PasswordPluginFactory implements AuthenticationPluginFactory {
+
+  @Override
+  public String type() {
+    return "caching_sha2_password";
+  }
+
+  public AuthenticationPlugin initialize(
+      String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
+    return new CachingSha2PasswordPlugin(authenticationData, seed, conf, hostAddress);
+  }
+}
diff --git a/src/main/java/org/mariadb/jdbc/plugin/authentication/standard/Ed25519PasswordPlugin.java b/src/main/java/org/mariadb/jdbc/plugin/authentication/standard/Ed25519PasswordPlugin.java
@@ -84,20 +84,7 @@ private static byte[] ed25519SignWithPassword(final String password, final byte[
     }
   }
 
-  @Override
-  public String type() {
-    return "client_ed25519";
-  }
-
-  /**
-   * Initialization.
-   *
-   * @param authenticationData authentication data (password/token)
-   * @param seed server provided seed
-   * @param conf Connection string options
-   * @param hostAddress host information
-   */
-  public void initialize(
+  public Ed25519PasswordPlugin(
       String authenticationData, byte[] seed, Configuration conf, HostAddress hostAddress) {
     this.seed = seed;
     this.authenticationData = authenticationData;
@@ -146,7 +133,7 @@ public byte[] hash(Credential credential) {
       final byte[] sm = new byte[64 + mlen];
 
       byte[] az = hash.digest(bytePwd);
-      az[0] &= 248;
+      az[0] &= (byte) 248;
       az[31] &= 63;
       az[31] |= 64;