Re: [Maria-developers] ca4ef7185da: MDEV-9245 password "reuse prevention" validation plugin

Hi, Oleksandr! you forgot to check in the result file On Sep 07, Oleksandr Byelkin wrote:

revision-id: ca4ef7185da (mariadb-10.6.1-79-gca4ef7185da) parent(s): 271afbc88e4 author: Oleksandr Byelkin committer: Oleksandr Byelkin timestamp: 2021-09-07 14:35:05 +0200 message:

MDEV-9245 password "reuse prevention" validation plugin

diff --git a/plugin/reuse_password_check/CMakeLists.txt b/plugin/reuse_password_check/CMakeLists.txt --- /dev/null +++ b/plugin/reuse_password_check/CMakeLists.txt @@ -0,0 +1,4 @@ + +ADD_DEFINITIONS(-DMYSQL_SERVER)

as I wrote to HF, this should not be needed.

+ +MYSQL_ADD_PLUGIN(reuse_password_check reuse_password_check.c MODULE_ONLY)

Unless you have a reason why this must be "MODULE_ONLY", please remove MODULE_ONLY and try to compile and test with -DPLUGIN_REUSE_PASSWORD_CHECK=STATIC also, I'd suggest "password_reuse_check" not "reuse_password_check".

diff --git a/plugin/reuse_password_check/reuse_password_check.c b/plugin/reuse_password_check/reuse_password_check.c --- /dev/null +++ b/plugin/reuse_password_check/reuse_password_check.c @@ -0,0 +1,236 @@ +/* Copyright (c) 2021, Oleksandr Byelkin and MariaDB + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 of the License. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */ + +#include <my_config.h> +#include <my_global.h> +#include <my_base.h> +#include <mysql/plugin_password_validation.h> +#include <mysql.h>

only plugin_password_validation.h should be needed here.

+ + +#include <mysqld_error.h>

this might be needed all right

+#include <mysql/service_sha2.h>

but this isn't needed either

+ +#define HISTORY_DB_NAME "reuse_password_check_history" + +#define SQL_BUFF_LEN 2048 + +// 0 - unlimited, otherwise number of days to check +static unsigned interval= 0; + +// helping string for bin_to_hex512 +static char digits[]= "0123456789ABCDEF"; + + +/** + Convert string of 512 bits (64 bytes) to hex representation + + @param to pointer to the result puffer + (should be at least 64*2 bytes) + @param str pointer to 512 bits (64 bytes string) +*/ + +static void bin_to_hex512(char *to, const unsigned char *str) +{ + const unsigned char *str_end= str + (512/8); + for (; str != str_end; ++str) + { + *to++= digits[((uchar) *str) >> 4]; + *to++= digits[((uchar) *str) & 0x0F]; + } +} + + +/** + Send SQL error as ER_UNKNOWN_ERROR for information + + @param mysql Connection handler +*/ + +static void report_sql_error(MYSQL *mysql) +{ + my_printf_error(ER_UNKNOWN_ERROR, "[%d] %s", ME_WARNING, + mysql_errno(mysql), mysql_error(mysql));

may be include plugin name here?

+} + + +/** + Create the history of passwords table for this plugin. + + @param mysql Connection handler + + @retval 1 - Error + @retval 0 - OK +*/ + +static int create_table(MYSQL *mysql) +{ + if (mysql_real_query(mysql, + // 512/8 = 64 + STRING_WITH_LEN("CREATE TABLE mysql." HISTORY_DB_NAME + " ( hash binary(64)," + " time timestamp,"

make it "default current_timestamp", just to be explicit. even though it's implicitly default current_timestamp already.

+ " primary key (hash), index tm (time) )" + " ENGINE=Aria"))) + { + report_sql_error(mysql); + return 1; + } + return 0; +} + + +/** + Run this query and create table if needed + + @param mysql Connection handler + @param query The query to run + @param len length of the query text + + @retval 1 - Error + @retval 0 - OK +*/ + +static int run_query_with_table_creation(MYSQL *mysql, const char *query, + size_t len) +{ + if (unlikely(mysql_real_query(mysql, query, len))) + { + unsigned int rc= mysql_errno(mysql); + if (rc != ER_NO_SUCH_TABLE) + { + // suppress this error in case of try to add the same password twice + if (rc != ER_DUP_ENTRY) + report_sql_error(mysql); + return 1; + } + if (create_table(mysql)) + return 1; + if (unlikely(mysql_real_query(mysql, query, len))) + { + report_sql_error(mysql); + return 1; + } + } + return 0; +} + + +/** + Password validator + + @param username User name (part of whole login name) + @param password Password to validate + @param hostname Host name (part of whole login name) + + @retval 1 - Password is not OK or an error happened + @retval 0 - Password is OK +*/ + +static int validate(const MYSQL_CONST_LEX_STRING *username, + const MYSQL_CONST_LEX_STRING *password, + const MYSQL_CONST_LEX_STRING *hostname) +{ + MYSQL *mysql= NULL; + size_t key_len= username->length + password->length + hostname->length; + size_t buff_len= (key_len > SQL_BUFF_LEN ? key_len : SQL_BUFF_LEN); + size_t len; + char *buff= malloc(buff_len); + unsigned char hash[512/8]; + char escaped_hash[512/8*2 + 1]; + if (!buff) + return 1; + + mysql= mysql_init(NULL); + if (!mysql) + { + free(buff); + return 1; + } + + memcpy(buff, hostname->str, hostname->length); + memcpy(buff + hostname->length, username->str, username->length); + memcpy(buff + hostname->length + username->length, password->str, + password->length); + buff[key_len]= 0; + bzero(hash, sizeof(hash)); + my_sha512(hash, buff, key_len); + if (mysql_real_connect_local(mysql, NULL, NULL, NULL, 0) == NULL) + goto sql_error; + + if (interval) + { + // trim the table + len= snprintf(buff, buff_len, + "DELETE FROM mysql." HISTORY_DB_NAME + " WHERE time < DATE_SUB(NOW(), interval %d day)", + interval); + if (unlikely(run_query_with_table_creation(mysql, buff, len))) + goto sql_error; + } + + bin_to_hex512(escaped_hash, hash); + escaped_hash[512/8*2]= '\0'; + len= snprintf(buff, buff_len, + "INSERT INTO mysql." HISTORY_DB_NAME "(hash) " + "values (x'%s')", + escaped_hash); + if (unlikely(run_query_with_table_creation(mysql, buff, len))) + goto sql_error; + + free(buff); + mysql_close(mysql); + return 0; // OK + +sql_error: + free(buff); + if (mysql) + mysql_close(mysql); + return 1; // Error +} + +static MYSQL_SYSVAR_UINT(interval, interval, PLUGIN_VAR_RQCMDARG, + "How old (in days) passwords to check (0 means unlimited)", NULL, NULL,

better "Password history retention period in days (0 means unlimited)"

+ 0, 0, 365*100, 1); + + +static struct st_mysql_sys_var* sysvars[]= { + MYSQL_SYSVAR(interval), + NULL +}; + +static struct st_mariadb_password_validation info= +{ + MariaDB_PASSWORD_VALIDATION_INTERFACE_VERSION, + validate +}; + +maria_declare_plugin(simple_password_check)

^^^ must be the same name as in CMakeLists.txt, otherwise static linking won't work.

+{ + MariaDB_PASSWORD_VALIDATION_PLUGIN, + &info, + "reuse_password_check", + "Oleksandr Byelkin", + "Reusage of password check",

Better "Password reuse check" or, as it's a description, "Prevent password reuse"

+ PLUGIN_LICENSE_GPL, + NULL, + NULL, + 0x0100, + NULL, + sysvars, + "1.0", + MariaDB_PLUGIN_MATURITY_ALPHA +} +maria_declare_plugin_end;

diff --git a/mysql-test/suite/plugins/t/reuse_password_check.test b/mysql-test/suite/plugins/t/reuse_password_check.test --- /dev/null +++ b/mysql-test/suite/plugins/t/reuse_password_check.test @@ -0,0 +1,58 @@ +--source include/not_embedded.inc + +if (!$REUSE_PASSWORD_CHECK_SO) { + skip No REUSE_PASSWORD_CHECK plugin; +} + +install soname "reuse_password_check"; + +set @save_reuse_password_check_interval= @@reuse_password_check_interval; + +set global reuse_password_check_interval= 0; + +--echo # Default value (sould be unlimited i.e. 0) +SHOW GLOBAL VARIABLES like "reuse_password_check%"; + +--echo # insert user +grant select on *.* to user_name@localhost identified by 'test_pwd';

what about sql mode that doesn't allow to create users with grant? I don't see where you've disabled that.

+ +#--error ER_NOT_VALID_PASSWORD +#grant select on *.* to user_name@localhost identified by 'test_pwd'; +#show warnings;

why is that commented out?

+ +--error ER_CANNOT_USER +alter user user_name@localhost identified by 'test_pwd'; +show warnings; + +# Plugin does not work for it +#--error ER_NOT_VALID_PASSWORD +#SET PASSWORD FOR user_name@localhost = PASSWORD('test_pwd'); + +--echo # check exparation + +set global reuse_password_check_interval= 10; + +--error ER_CANNOT_USER +alter user user_name@localhost identified by 'test_pwd'; +show warnings; +select hex(hash) from mysql.reuse_password_check_history; + +--echo # emulate old password +update mysql.reuse_password_check_history set time= date_sub(now(), interval +11 day); + +alter user user_name@localhost identified by 'test_pwd'; +show warnings; + +drop user user_name@localhost; + +show create table mysql.reuse_password_check_history; +select count(*) from mysql.reuse_password_check_history; + +drop table mysql.reuse_password_check_history; + +set @save_reuse_password_check_interval= @@reuse_password_check_interval; + +set global reuse_password_check_interval= @save_reuse_password_check_interval; + +uninstall plugin reuse_password_check;

Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org