note this could have been included in the existing test case parsec.test.

Tests would normally echo this line rather than it being a comment.

Right you are @grooverdan.

@deo002 please start the line with --echo, without "Testg for":

--echo MDEV-35254: PARSEC plugin should allow....

Include this test into parsec.test.

no need to echo non-test information.

we'd normally save the default global value as user variable at the beginning of the test and set it back at the end. This enables a change in default without changing the test case.

An end of tests would normally include a --echo # End of 12.4 tests statement to make the test case easier to merge if in future tests are added in later versions.

you do not need var __attribute__((unused)), , it can be just struct st_mysql_sys_var *,. It is C++, after all

even me that's what i thought in the first place

I'm afraid it cannot -- we have buld issues with unused variables and, sometimes, functions. Most likely because we have the waning switch turned on manually in cmake. I don't like it either, but that's what we have.

So we need this gcc-ism

do we? I thought it's standard C++ and a common pattern we already use. What build issues?

Right you are @grooverdan.

@deo002 please start the line with --echo, without "Testg for":

--echo MDEV-35254: PARSEC plugin should allow....

Include this test into parsec.test.

We agreed with @vuvova that setting session value should be made possible: there can be special users that require more hardened security, like admin roles.

I'm afraid it cannot -- we have buld issues with unused variables and, sometimes, functions. Most likely because we have the waning switch turned on manually in cmake. I don't like it either, but that's what we have.

So we need this gcc-ism

Can PARSEC_ITERATIONS_STEP be anything but 1? If not, then the existence of this variable confuses more, than if it was just "1" here

this isn't a correct max value. To stay on the safe side, make it 1<<31, and that'll be our technical limitation of 32-bit int (because of my_bit.h function)

There's a slight problem for showing values above 9 in the auth string. I can do it via a hex style encoding:
0–9 → 0..9
A–V → 10..31
Thoughts?

All the symbols from ascii'0' to ascii'z' are printable, so what we have will already work fine.

I.e. ascii'0' + iterations - base.
@vuvova agree?

We will require a little change. After '9', we have some symbols like ':', ';'...etc after which we have 'A', 'B', ...

After '9', we have some symbols like ':', ';'

exactly.

Oh, my bad! Our format
XY:salt:hash

Allows storing an arbitrary number in y. That is, for X=P, that is PBKDF2, and unadjusted iterations power Y=27, it'll be P27:salt:hash

We have no other algorithm than P right now, but in allows an arbitrary config line in the first part. For P=PBKDF2, it's only an iterations count

Oh, my bad! Our format XY:salt:hash

Allows storing an arbitrary number in y. That is, for X=P, that is PBKDF2, and unadjusted iterations power Y=27, it'll be P27:salt:hash

I think 27 might be a slip - shouldn't it be 21(31 - 10)?

@deo002, We had a talk with @vuvova

MDEV-32618 declares the format
concat('P', conv(log2(iterations)-10, 10, 62), ':', base64(salt), ':', base64(hash))

that is, the format is conv(log2(iterations)-10, 10, 62)

Which is base62 and is 0..9,A..Z,a..z as you suggested ☺️ 👍

Feel free to use _dig_vec_base62 which is declared in m_string.h and is defined in int2str.cc. And str2int for the backward conversion.

Make a parsec_iterations_t type and alias it to uint32

Default should be the old default value. 1024, IIRC? that is, 1u<<ITER_FACTOR_BASE_VAL

Yes, it was 1024. I thought of keeping it close to the OWASP's recommended value for PBKDF2-HMAC-SHA512(210,000) as stated in the Jira ticket.

(1<<ITER_BASE_VAL)

Or maybe PARSEC_ITERATIONS_MIN, if that'll be an alias

I would maybe suggest renaming PARSEC_ITERATIONS_MIN -> ITER_BASE_VAL. So we'll have this one, and FACTOR one: ITER_FACTOR_BASE_VAL. And use ITER_BASE_VAL as min value in system variable declaration.

do we? I thought it's standard C++ and a common pattern we already use. What build issues?

why not include my_bit.h? it looks like a clean header, no dependencies

ABI may break if the my_bit.h's definitions change between versions. Although, it is extremely unlikely that they will ever change. Will add it as a header.

My bad, ABI is not a concern here. All are inline functions, compiled into the caller.

Tried including my_bit.h directly (requires my_global.h as a prerequisite). This caused a Windows build failure. Any suggestions on how should I proceed? @vuvova

no, don't include my_global.h, if you cannot use my_bit.h without it then better revert to local functions.

But why my_bit.h needs my_global.h ? if it's only because of uchar/uint/ulonglong then you can either

• typedef them in the plugin, or
• change my_bit.h to use unsigned char, unigned int, etc., making it independent from my_global.h

Got it! Thanks!

I made my_bit.h standalone. I changed to unsigned char, unsigned int etc, but also had to change some macros like C_MODE_START, C_MODE_END, CONSTEXPR. Please let me know if this change is ok.

Parsec already uses ma_global.h from libmariadb. Perhaps it's fine to use it here either?
my_global.h lies in the same directory as my_bit.h: in root/include. If my_bit.h is fine to include, then why my_global.h is not?

I'd add

static_assert(ITER_MAX_VAL == 'z');

just in case

perhaps, add ". Must be a power of two". Or ". Will be rounded up to a power of two"

remove "parsec: " prefix, it's redundant. And may be " (next supported value)" too, because the variable help text should say that, not a warning message after the fact

three-line header:

--echo #
--echo # MDEV-35254 PARSEC plugin should allow DBAs to specify number of iterations
--echo #

print the password here, that is,

select left(json_value(...)) from mysql.global.priv where user='t_iter'

to verify that the password indeed has a correct iteration character. Perhaps even repeat it for a couple of different iteration values.

MY_BIT_C_MODE_START is weird with this MY_BIT prefix. There is nothing specific to MY_BIT in this macro

If you want to avoid duplicate macro definition warning, then either:

1. #undef macro before #define -- undeffing an undefined macro doesn't produce a new warning
2. Wrap the definition in #ifndef/#endif

The first solution is one line shorter, but if the definition would change in my_global someday, it would likely not be updated here, and those who are using my_bit.h would end up in stale definition (hiding the one from my_global.h).

So I'd go with #1, however, see my next comment.

I'd do

#ifdef __cplusplus
extern "C" {
#else
#define constexpr
#endif

// all my_bit.h content

#ifdef __cplusplus
}
#else
#undef constexpr
#endif

And also uint, uchar,...

And do you suggest to change CONSTEXPR to constexpr?

no uint, no uchar, this is already replaced by unsigned int, unsigned char, etc. only c/c++ changes to make a universal c/c++ header.

It would have to be a separate commit