MDEV-35254 Make iterations count configurable in PARSEC plugin

deo002 · deo002 · commit 910d32ee23e4 · 2025-12-31T12:41:24.000+05:30
This patch adds a global plugin variable parsec_iterations
to define define the number of iterations to be used when
generating the key corresponding to the password. It has a
 default value, lower and upper bounds.
diff --git a/plugin/auth_parsec/server_parsec.cc b/plugin/auth_parsec/server_parsec.cc
@@ -38,6 +38,49 @@ constexpr size_t PBKDF2_HASH_LENGTH= ED25519_KEY_LENGTH;
 constexpr size_t CLIENT_RESPONSE_LENGTH= CHALLENGE_SCRAMBLE_LENGTH
                                          + ED25519_SIG_LENGTH;
 
+constexpr unsigned int PARSEC_ITERATIONS_DEFAULT= 1u << 18;
+constexpr unsigned int PARSEC_ITERATIONS_MIN= 1u << 10;
+constexpr unsigned int PARSEC_ITERATIONS_MAX= 1u << 19;
+constexpr unsigned int PARSEC_ITERATIONS_STEP= 1u;
+static unsigned int iterations;
+
+static inline unsigned int round_to_power_of_two(const unsigned int x) {
+  unsigned int p = 1;
+  while (p < x)
+    p <<= 1;
+  return p;
+}
+
+
+static inline unsigned int log_2_of_power_of_2(const unsigned int x) {
+  // function will not work correctly for non power of 2 unsigned integers
+  unsigned int p = 0;
+  while ((1u << p) != x)
+    p++;
+  return p;
+}
+
+static void update_parsec_iterations(MYSQL_THD thd,
+              struct st_mysql_sys_var *var  __attribute__((unused)),
+              void *var_ptr  __attribute__((unused)), const void *save)
+{
+  unsigned int iterations_user_input= *(unsigned int *) save;
+  iterations= round_to_power_of_two(iterations_user_input);
+  if (iterations != iterations_user_input)
+    my_printf_error(0, "parsec: parsec_iterations rounded up to %d (next supported value)",
+      ME_WARNING, iterations);
+}
+
+static MYSQL_SYSVAR_UINT(parsec_iterations, iterations, PLUGIN_VAR_OPCMDARG,
+       "Number of iterations to be used when generating the key corresponding to the password",
+       NULL, update_parsec_iterations, PARSEC_ITERATIONS_DEFAULT, PARSEC_ITERATIONS_MIN,
+       PARSEC_ITERATIONS_MAX, PARSEC_ITERATIONS_STEP);
+
+static struct st_mysql_sys_var* system_vars[] = {
+    MYSQL_SYSVAR(parsec_iterations),
+    NULL
+};
+
 constexpr size_t base64_length(size_t input_length)
 {
   return ((input_length + 2) / 3) * 4; // with padding
@@ -176,7 +219,8 @@ int hash_password(const char *password, size_t password_length,
 
   Passwd_in_memory memory;
   memory.algorithm= 'P';
-  memory.iterations= 0;
+  constexpr unsigned int ITER_BASE_VAL= 10u;
+  memory.iterations= '0' + (log_2_of_power_of_2(iterations) - ITER_BASE_VAL);
   my_random_bytes(memory.salt, sizeof(memory.salt));
 
   uchar derived_key[PBKDF2_HASH_LENGTH];
@@ -204,10 +248,12 @@ int digest_to_binary(const char *hash, size_t hash_length,
 {
   auto stored= (Passwd_as_stored*)hash;
   auto memory= (Passwd_in_memory*)out;
+  const uchar ITER_MAX_VAL= '0' + 
+    log_2_of_power_of_2(PARSEC_ITERATIONS_MAX) - 10;
 
   if (hash_length != sizeof (*stored) || *out_length < sizeof(*memory) ||
       stored->algorithm != 'P' ||
-      stored->iterations < '0' || stored->iterations > '3' ||
+      stored->iterations < '0' || stored->iterations > ITER_MAX_VAL ||
       stored->colon != ':' || stored->colon2 != ':')
   {
     my_printf_error(ER_PASSWD_LENGTH, "Wrong ext-salt format", 0);
@@ -313,7 +359,7 @@ maria_declare_plugin(auth_parsec)
   NULL,
   0x0100,
   NULL,
-  NULL,
+  system_vars,
   "1.0",
   MariaDB_PLUGIN_MATURITY_GAMMA
 }
