
Support for sm3_password authentication. #36192

Closed
CbcWestwolf opened this issue Jul 13, 2022 · 4 comments · Fixed by #36193
Labels
type/enhancement The issue or PR belongs to an enhancement.

Comments

@CbcWestwolf
Member

CbcWestwolf commented Jul 13, 2022

Enhancement

SM3 Cryptographic Hash Algorithm is a cryptographic hash function used in the Chinese National Standard. It is required by businesses related to banking, telecommunications, and insurance customers in the China market.

TiDB has already supported encryption authentication like SHA1 and SHA256; we need to add the SM3 encryption algorithm to the existing authentication mechanism. It could be a supplement for SHA256 authentication.

@dveeden
Contributor

dveeden commented Aug 30, 2022

> TiDB has already supported encryption authentication like SHA1 and SHA256, we need to add SM3 encryption algorithm to the existing authentication mechanism. It could be a replacement for SHA256 authentication.

Note that MySQL has:

  • mysql_native_password that is based on SHA1. TiDB supports this.
  • sha256_password that is based on SHA-256. TiDB doesn't support this.
  • caching_sha2_password that is also based on SHA-256. TiDB does support this. This is newer than sha256_password and the recommended authentication method for MySQL 8.0.

See also:

I don't think SM3 should replace caching_sha2_password, but should be an additional authentication method. This is because MySQL doesn't have SM3, which means that clients and connectors don't support this without additional work.

I'm not sure if sm3_password is the best name for this, as it might collide with a name Oracle might choose for any SM3 implementation in MySQL. Maybe we should name this tidb_sm3_password?

@dveeden
Contributor

dveeden commented Aug 30, 2022

I assume this issue is only for authentication and not for function support (e.g. to have an SM3() that is similar to SHA2())?

@CbcWestwolf
Member Author

> I don't think SM3 should replace caching_sha2_password, but should be an additional authentication method.

Yes, SM3 could not replace caching_sha2_password; I changed it to "supplement" in the description. In fact, the expected sm3_password is a variant of caching_sha2_password, which only differs in hashing.

> This is because MySQL doesn't have SM3, which means that clients and connectors don't support this without additional work.

Now an enhancement on JDBC is performed to support this new authentication. This PR will be merged after the connection test is successful.

> Maybe we should name this tidb_sm3_password?

Good suggestion!

> I assume this issue is only for authentication and not for function support

This PR will also introduce a hashing function SM3() like SHA2, to compute the result of hashing a string using sm3. But the main purpose is for authentication.
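To make the "only differs in hashing" point concrete, here is an added example (not TiDB's, MySQL's, or Connector/J's code) of the caching_sha2_password fast-auth exchange written with the hash function as a parameter: it runs with SHA-256 from Go's standard library, and a tidb_sm3_password implementation would pass an SM3 constructor in its place (assumed; SM3 is not in the Go stdlib). The names HashFunc, StoredHash, ClientScramble and ServerVerify and the sample nonce are the example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"hash"
)

// HashFunc is the one parameter that differs between caching_sha2_password
// (SHA-256) and the proposed tidb_sm3_password (SM3, not in Go's stdlib).
type HashFunc func() hash.Hash

func digest(h HashFunc, parts ...[]byte) []byte {
	d := h()
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// StoredHash is what the server caches for fast auth: H(H(password)).
func StoredHash(h HashFunc, password []byte) []byte { return digest(h, digest(h, password)) }

// ClientScramble: fast-auth reply H(pw) XOR H(H(H(pw)) || nonce); H(pw) stays masked, the nonce defeats replay.
func ClientScramble(h HashFunc, password, nonce []byte) []byte {
	m1 := digest(h, password)
	return xorBytes(m1, digest(h, digest(h, m1), nonce))
}

// ServerVerify unmasks H(pw) with the cached H(H(pw)) and the issued nonce, then re-hashes and compares.
func ServerVerify(h HashFunc, stored, nonce, scramble []byte) bool {
	if len(scramble) != len(stored) {
		return false
	}
	m1 := xorBytes(scramble, digest(h, stored, nonce))
	return subtle.ConstantTimeCompare(digest(h, m1), stored) == 1
}

func main() {
	h, nonce := HashFunc(sha256.New), []byte("constructed-nonce-20") // constructed sample values
	stored := StoredHash(h, []byte("s3cret"))
	println(ServerVerify(h, stored, nonce, ClientScramble(h, []byte("s3cret"), nonce))) // true
}
```

Only the fast-auth path is shown; caching_sha2_password also has a full-authentication path (over TLS or RSA) for cache misses, which an SM3 variant would need as well.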

@dveeden
Contributor

dveeden commented Aug 30, 2022

Maybe we can try to write a client-side authentication plugin that would allow any client and connector that is based on libmysqlclient to use the new authentication method. (in addition to what is planned for Connector/J as that is not based on libmysqlclient)
