MDEV-35254 Make iterations count configurable in PARSEC plugin

[deo002]

• The Jira issue number for this PR is: MDEV-35254

Description

Currently it is not possible with the PARSEC plugin to define the number of iterations to be used when generating the key corresponding to the password.

To ensure proper security for users long term, the PARSEC plugin should allow specifying the number of iterations. Additionally, the default should be something more secure.

This patch adds a global plugin variable parsec_iterations to define define the number of iterations to be used when generating the key corresponding to the password. It has a default value, lower and upper bounds.

Basing the PR against the correct MariaDB version

• This is a new feature or a refactoring, and the PR is based against the main branch.
• This is a bug fix, and the PR is based against the earliest maintained branch in which the bug can be reproduced.

PR quality check

• I checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
• For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

[deo002]

Related PR: mariadb-corporation/mariadb-connector-c#297

[gkodinov]

Please make sure the tests are passing. There are some parsec related failures as a result of your changes in buildbot.

[deo002]

Hi @gkodinov ,
Looking into it!

[deo002]

@gkodinov The PARSEC tests are failing because the current mariadb-connector-c PARSEC implementation enforces a maximum iteration factor of 3. The tests pass locally with the updated Connector/C, and and will pass in CI once PR is merged and the submodule is updated.

[gkodinov]

OK, I'll leave that to the final reviewer. Still learning how CI works. OK as far as the preliminary review goes.

Apparently this is an architectural issue with buildbot. Leaving it to the final reviewer.

[grooverdan]

note this could have been included in the existing test case parsec.test.

Tests would normally echo this line rather than it being a comment.

[FooBarrior]

Right you are @grooverdan.

@deo002 please start the line with --echo, without "Testg for":

--echo MDEV-35254: PARSEC plugin should allow....

Include this test into parsec.test.

[grooverdan]

no need to echo non-test information.

[grooverdan]

we'd normally save the default global value as user variable at the beginning of the test and set it back at the end. This enables a change in default without changing the test case.

[grooverdan]

An end of tests would normally include a --echo # End of 12.4 tests statement to make the test case easier to merge if in future tests are added in later versions.

[vaintroub]

you do not need var __attribute__((unused)), , it can be just struct st_mysql_sys_var *,. It is C++, after all

[kulebelden-wq]

even me that's what i thought in the first place

[FooBarrior]

I'm afraid it cannot -- we have buld issues with unused variables and, sometimes, functions. Most likely because we have the waning switch turned on manually in cmake. I don't like it either, but that's what we have.

[FooBarrior]

So we need this gcc-ism

[vuvova]

do we? I thought it's standard C++ and a common pattern we already use. What build issues?

[FooBarrior]

Good start!
Lots of comments, enough for now, then we'll do another iteration

[FooBarrior]

Right you are @grooverdan.

@deo002 please start the line with --echo, without "Testg for":

--echo MDEV-35254: PARSEC plugin should allow....

Include this test into parsec.test.

[FooBarrior]

We agreed with @vuvova that setting session value should be made possible: there can be special users that require more hardened security, like admin roles.

[FooBarrior]

I'm afraid it cannot -- we have buld issues with unused variables and, sometimes, functions. Most likely because we have the waning switch turned on manually in cmake. I don't like it either, but that's what we have.

[FooBarrior]

So we need this gcc-ism

[FooBarrior]

Can PARSEC_ITERATIONS_STEP be anything but 1? If not, then the existence of this variable confuses more, than if it was just "1" here

[FooBarrior]

this isn't a correct max value. To stay on the safe side, make it 1<<31, and that'll be our technical limitation of 32-bit int (because of my_bit.h function)

[deo002]

There's a slight problem for showing values above 9 in the auth string. I can do it via a hex style encoding:
0–9 → 0..9
A–V → 10..31
Thoughts?

[FooBarrior]

All the symbols from ascii'0' to ascii'z' are printable, so what we have will already work fine.

I.e. ascii'0' + iterations - base.
@vuvova agree?

[deo002]

We will require a little change. After '9', we have some symbols like ':', ';'...etc after which we have 'A', 'B', ...

[FooBarrior]

After '9', we have some symbols like ':', ';'

exactly.

[FooBarrior]

Oh, my bad! Our format
XY:salt:hash

Allows storing an arbitrary number in y. That is, for X=P, that is PBKDF2, and unadjusted iterations power Y=27, it'll be P27:salt:hash

[FooBarrior]

We have no other algorithm than P right now, but in allows an arbitrary config line in the first part. For P=PBKDF2, it's only an iterations count

[deo002]

Oh, my bad! Our format XY:salt:hash

Allows storing an arbitrary number in y. That is, for X=P, that is PBKDF2, and unadjusted iterations power Y=27, it'll be P27:salt:hash

I think 27 might be a slip - shouldn't it be 21(31 - 10)?

[FooBarrior]

@deo002, We had a talk with @vuvova

MDEV-32618 declares the format
concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))

that is, the format is conv(log2(iterations)-10, 10, 62)

Which is base62 and is 0..9,A..Z,a..z as you suggested ☺️ 👍

Feel free to use _dig_vec_base62 which is declared in m_string.h and is defined in int2str.cc. And str2int for the backward conversion.

[FooBarrior]

Make a parsec_iterations_t type and alias it to uint32

[FooBarrior]

Default should be the old default value. 1024, IIRC? that is, 1u<<ITER_FACTOR_BASE_VAL

[deo002]

Yes, it was 1024. I thought of keeping it close to the OWASP's recommended value for PBKDF2-HMAC-SHA512(210,000) as stated in the Jira ticket.

[FooBarrior]

(1<<ITER_BASE_VAL)

[FooBarrior]

Or maybe PARSEC_ITERATIONS_MIN, if that'll be an alias

[FooBarrior]

I would maybe suggest renaming PARSEC_ITERATIONS_MIN -> ITER_BASE_VAL. So we'll have this one, and FACTOR one: ITER_FACTOR_BASE_VAL. And use ITER_BASE_VAL as min value in system variable declaration.

[FooBarrior]

Forgot to press "request changes"

[gkodinov]

For the sake of process, I'd like to mark the preliminary review as done. I see that the final review is in full swing. Please keep working with the other reviewers.

[vuvova]

do we? I thought it's standard C++ and a common pattern we already use. What build issues?

[vuvova]

why not include my_bit.h? it looks like a clean header, no dependencies

[deo002]

ABI may break if the my_bit.h's definitions change between versions. Although, it is extremely unlikely that they will ever change. Will add it as a header.

[deo002]

My bad, ABI is not a concern here. All are inline functions, compiled into the caller.

[deo002]

Tried including my_bit.h directly (requires my_global.h as a prerequisite). This caused a Windows build failure. Any suggestions on how should I proceed? @vuvova

[vuvova]

no, don't include my_global.h, if you cannot use my_bit.h without it then better revert to local functions.

But why my_bit.h needs my_global.h ? if it's only because of uchar/uint/ulonglong then you can either

• typedef them in the plugin, or
• change my_bit.h to use unsigned char, unigned int, etc., making it independent from my_global.h

[deo002]

Got it! Thanks!

[deo002]

I made my_bit.h standalone. I changed to unsigned char, unsigned int etc, but also had to change some macros like C_MODE_START, C_MODE_END, CONSTEXPR. Please let me know if this change is ok.

[FooBarrior]

Parsec already uses ma_global.h from libmariadb. Perhaps it's fine to use it here either?
my_global.h lies in the same directory as my_bit.h: in root/include. If my_bit.h is fine to include, then why my_global.h is not?

[vuvova]

I'd add

static_assert(ITER_MAX_VAL == 'z');

just in case

[vuvova]

perhaps, add ". Must be a power of two". Or ". Will be rounded up to a power of two"

[vuvova]

remove "parsec: " prefix, it's redundant. And may be " (next supported value)" too, because the variable help text should say that, not a warning message after the fact

[vuvova]

three-line header:

--echo #
--echo # MDEV-35254 PARSEC plugin should allow DBAs to specify number of iterations
--echo #

[vuvova]

print the password here, that is,

select left(json_value(...)) from mysql.global.priv where user='t_iter'

to verify that the password indeed has a correct iteration character. Perhaps even repeat it for a couple of different iteration values.

[deo002]

Working on it!

[FooBarrior]

Expressed my concerns, basically directed to @vuvova.

[FooBarrior]

MY_BIT_C_MODE_START is weird with this MY_BIT prefix. There is nothing specific to MY_BIT in this macro

If you want to avoid duplicate macro definition warning, then either:

1. #undef macro before #define -- undeffing an undefined macro doesn't produce a new warning
2. Wrap the definition in #ifndef/#endif

The first solution is one line shorter, but if the definition would change in my_global someday, it would likely not be updated here, and those who are using my_bit.h would end up in stale definition (hiding the one from my_global.h).

So I'd go with #1, however, see my next comment.

[vuvova]

I'd do

#ifdef __cplusplus
extern "C" {
#else
#define constexpr
#endif

// all my_bit.h content

#ifdef __cplusplus
}
#else
#undef constexpr
#endif

[FooBarrior]

And also uint, uchar,...

And do you suggest to change CONSTEXPR to constexpr?

[vuvova]

no uint, no uchar, this is already replaced by unsigned int, unsigned char, etc. only c/c++ changes to make a universal c/c++ header.

[FooBarrior]

It would have to be a separate commit

[deo002]

I have pushed the requested changes. Some tests are failing, they don't seem to be related to this PR.

[FooBarrior]

@deo002 Also put MDEV-35254 in the refactor commit header, that'll make it easier for us to cherry-pick changes if we'll want to.

[deo002]

Done!

[Copilot]

Pull request overview

Adds a configurable iteration count for the PARSEC authentication plugin by introducing a new parsec_iterations plugin system variable, plus a new thd_service to let plugins access the current THD and thus session/global sysvars.

Changes:

• Add parsec_iterations (power-of-two, rounded up) and encode iteration exponent in the stored auth string using base62.
• Introduce a new plugin service thd_service with get_current_thd() and wire it through the service registry.
• Update plugin interface version and adjust affected mysql-test expected outputs; refactor my_bit.h helpers for broader (C/C++) usability.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
sql/sql_plugin_services.inl	Registers the new thd_service in the server’s exported plugin services list.
sql/sql_class.cc	Implements get_current_thd() for the thd_service.
plugin/auth_parsec/server_parsec.cc	Adds parsec_iterations sysvar, updates hash format iteration encoding/decoding, and uses thd_service to read THDVAR.
mysql-test/suite/plugins/t/parsec.test	Extends PARSEC test coverage to validate sysvar behavior, rounding, and encoding in auth string.
mysql-test/suite/plugins/r/parsec.result	Updates expected output for the new PARSEC sysvar tests and warnings.
mysql-test/suite/plugins/r/simple_password_check.result	Bumps expected plugin library version due to interface change.
mysql-test/suite/plugins/r/show_all_plugins.result	Updates expected plugin library versions.
mysql-test/suite/plugins/r/cracklib_password_check.result	Bumps expected plugin library version due to interface change.
mysql-test/suite/plugins/r/auth_ed25519.result	Bumps expected plugin library version due to interface change.
mysql-test/main/plugin.result	Updates expected plugin library versions.
mysql-test/main/handlersocket.result	Updates expected plugin library version.
libservices/thd_service.c	Adds SERVICE_VERSION thd_service entry for the new service.
libservices/CMakeLists.txt	Builds the new thd_service.c into libservices.
include/service_versions.h	Introduces VERSION_thd for service versioning.
include/mysql/services.h	Exposes the new service_thd.h via umbrella services header.
include/mysql/service_thd.h	Defines the thd_service interface (dynamic macro + static prototype).
include/mysql/plugin.h	Bumps MARIA_PLUGIN_INTERFACE_VERSION.
include/mysql/plugin_password_validation.h.pp	Regenerates preprocessed plugin header output to include thd_service symbols.
include/mysql/plugin_function.h.pp	Same as above.
include/mysql/plugin_ftparser.h.pp	Same as above.
include/mysql/plugin_encryption.h.pp	Same as above.
include/mysql/plugin_data_type.h.pp	Same as above.
include/mysql/plugin_auth.h.pp	Same as above.
include/mysql/plugin_audit.h.pp	Same as above.
include/my_bit.h	Refactors bit utility helpers/types to be usable cleanly from C++ plugin code.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[vuvova]

looks valid too

[vuvova]

nitpicking. signed/unsigned point is moot if we use a lower MAX value per previous comment

[vuvova]

looks valid

[vuvova]

Ok, this looks good.

The service should be in a separate commit. Copilot had a couple of good comments.
And an test with an actual connection attempt was missing.

I've rebased on top of main and fixed the above, now it's good for 13.1 and testing.

[vuvova]

looks valid

[vuvova]

nitpicking. signed/unsigned point is moot if we use a lower MAX value per previous comment

[vuvova]

looks valid too

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ deo002
❌ vuvova
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[deo002]

On it! Will push the requested changes soon!
P.S. Just checked, it's all done! Thanks for the fixes and refactor @vuvova