*: Support for tidb_sm3_password authentication

DEPS.bzl

@@ -2502,8 +2502,8 @@ def go_deps():
         name = "com_github_pingcap_kvproto",
         build_file_proto_mode = "disable_global",
         importpath = "github.com/pingcap/kvproto",
-        sum = "h1:nP2wmyw9JTRsk5rm+tZtfAso6c/1FvuaFNbXTaYz3FE=",
-        version = "v0.0.0-20220705053936-aa9c2d20cd2a",
+        sum = "h1:VKMmvYhtG28j1sCCBdq4s+V9UOYqNgQ6CQviQwOgTeg=",
+        version = "v0.0.0-20220705090230-a5d4ffd2ba33",
     )
     go_repository(
         name = "com_github_pingcap_log",

executor/simple.go

@@ -838,7 +838,7 @@ func (e *SimpleExec) executeCreateUser(ctx context.Context, s *ast.CreateUserStm
 		}
 
 		switch authPlugin {
-		case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthSocket:
+		case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthSM3Password, mysql.AuthSocket:
 		default:
 			return ErrPluginIsNotLoaded.GenWithStackByArgs(spec.AuthOpt.AuthPlugin)
 		}
@@ -982,7 +982,7 @@ func (e *SimpleExec) executeAlterUser(ctx context.Context, s *ast.AlterUserStmt)
 				spec.AuthOpt.AuthPlugin = authplugin
 			}
 			switch spec.AuthOpt.AuthPlugin {
-			case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthSocket, "":
+			case mysql.AuthNativePassword, mysql.AuthCachingSha2Password, mysql.AuthSM3Password, mysql.AuthSocket, "":
 			default:
 				return ErrPluginIsNotLoaded.GenWithStackByArgs(spec.AuthOpt.AuthPlugin)
 			}
@@ -1463,6 +1463,8 @@ func (e *SimpleExec) executeSetPwd(ctx context.Context, s *ast.SetPwdStmt) error
 	switch authplugin {
 	case mysql.AuthCachingSha2Password:
 		pwd = auth.NewSha2Password(s.Password)
+	case mysql.AuthSM3Password:
+		pwd = auth.NewSM3Password(s.Password)
 	case mysql.AuthSocket:
 		e.ctx.GetSessionVars().StmtCtx.AppendNote(ErrSetPasswordAuthPlugin.GenWithStackByArgs(u, h))
 		pwd = ""

parser/ast/misc.go

@@ -1322,6 +1322,8 @@ func (n *UserSpec) EncodedPassword() (string, bool) {
 		switch opt.AuthPlugin {
 		case mysql.AuthCachingSha2Password:
 			return auth.NewSha2Password(opt.AuthString), true
+		case mysql.AuthSM3Password:
+			return auth.NewSM3Password(opt.AuthString), true
 		case mysql.AuthSocket:
 			return "", true
 		default:
@@ -1340,6 +1342,10 @@ func (n *UserSpec) EncodedPassword() (string, bool) {
 		if len(opt.HashString) != mysql.SHAPWDHashLen {
 			return "", false
 		}
+	case mysql.AuthSM3Password:
+		if len(opt.HashString) != mysql.SM3PWDHashLen {
+			return "", false
+		}
 	case "", mysql.AuthNativePassword:
 		if len(opt.HashString) != (mysql.PWDHashLen+1) || !strings.HasPrefix(opt.HashString, "*") {
 			return "", false

parser/auth/BUILD.bazel

@@ -6,6 +6,7 @@ go_library(
         "auth.go",
         "caching_sha2.go",
         "mysql_native_password.go",
+        "sm3.go",
     ],
     importpath = "github.com/pingcap/tidb/parser/auth",
     visibility = ["//visibility:public"],
@@ -21,6 +22,7 @@ go_test(
     srcs = [
         "caching_sha2_test.go",
         "mysql_native_password_test.go",
+        "sm3_test.go",
     ],
     embed = [":auth"],
     deps = ["@com_github_stretchr_testify//require"],

parser/auth/caching_sha2.go

@@ -177,24 +177,24 @@ func sha256crypt(plaintext string, salt []byte, iterations int) string {
 	return buf.String()
 }
 
-// Checks if a MySQL style caching_sha2 authentication string matches a password
+// CheckShaPassword checks if a MySQL style caching_sha2 authentication string matches a password
 func CheckShaPassword(pwhash []byte, password string) (bool, error) {
-	pwhash_parts := bytes.Split(pwhash, []byte("$"))
-	if len(pwhash_parts) != 4 {
+	pwhashParts := bytes.Split(pwhash, []byte("$"))
+	if len(pwhashParts) != 4 {
 		return false, errors.New("failed to decode hash parts")
 	}
 
-	hash_type := string(pwhash_parts[1])
-	if hash_type != "A" {
+	hashType := string(pwhashParts[1])
+	if hashType != "A" {
 		return false, errors.New("digest type is incompatible")
 	}
 
-	iterations, err := strconv.Atoi(string(pwhash_parts[2]))
+	iterations, err := strconv.Atoi(string(pwhashParts[2]))
 	if err != nil {
 		return false, errors.New("failed to decode iterations")
 	}
 	iterations = iterations * ITERATION_MULTIPLIER
-	salt := pwhash_parts[3][:SALT_LENGTH]
+	salt := pwhashParts[3][:SALT_LENGTH]
 
 	newHash := sha256crypt(password, salt, iterations)
 

parser/auth/caching_sha2_test.go

@@ -20,11 +20,11 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var foobarPwdHash, _ = hex.DecodeString("24412430303524031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
+var foobarPwdSHA2Hash, _ = hex.DecodeString("24412430303524031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
 
 func TestCheckShaPasswordGood(t *testing.T) {
 	pwd := "foobar"
-	r, err := CheckShaPassword(foobarPwdHash, pwd)
+	r, err := CheckShaPassword(foobarPwdSHA2Hash, pwd)
 	require.NoError(t, err)
 	require.True(t, r)
 }
@@ -44,7 +44,7 @@ func TestCheckShaPasswordShort(t *testing.T) {
 	require.Error(t, err)
 }
 
-func TestCheckShaPasswordDigetTypeIncompatible(t *testing.T) {
+func TestCheckShaPasswordDigestTypeIncompatible(t *testing.T) {
 	pwd := "not_foobar"
 	pwhash, _ := hex.DecodeString("24422430303524031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
 	_, err := CheckShaPassword(pwhash, pwd)
@@ -58,7 +58,7 @@ func TestCheckShaPasswordIterationsInvalid(t *testing.T) {
 	require.Error(t, err)
 }
 
-// The output from NewSha2Password is not stable as the hash is based on the genrated salt.
+// The output from NewSha2Password is not stable as the hash is based on the generated salt.
 // This is why CheckShaPassword is used here.
 func TestNewSha2Password(t *testing.T) {
 	pwd := "testpwd"
@@ -76,7 +76,7 @@ func TestNewSha2Password(t *testing.T) {
 
 func BenchmarkShaPassword(b *testing.B) {
 	for i := 0; i < b.N; i++ {
-		m, err := CheckShaPassword(foobarPwdHash, "foobar")
+		m, err := CheckShaPassword(foobarPwdSHA2Hash, "foobar")
 		require.Nil(b, err)
 		require.True(b, m)
 	}