Add IAuthenticationMethod2 interface to avoid breaking change.

Refactor duplicated code in Ed25519AuthenticationPlugin.

Signed-off-by: Bradley Grainger <[email protected]>

Author: bgrainger

src/MySqlConnector.Authentication.Ed25519/Ed25519AuthenticationPlugin.cs

@@ -10,7 +10,7 @@ namespace MySqlConnector.Authentication.Ed25519;
 /// Provides an implementation of the <c>client_ed25519</c> authentication plugin for MariaDB.
 /// </summary>
 /// <remarks>See <a href="https://mariadb.com/kb/en/library/authentication-plugin-ed25519/">Authentication Plugin - ed25519</a>.</remarks>
-public sealed class Ed25519AuthenticationPlugin : IAuthenticationPlugin
+public sealed class Ed25519AuthenticationPlugin : IAuthenticationPlugin2
 {
 	/// <summary>
 	/// Registers the Ed25519 authentication plugin with MySqlConnector. You must call this method once before
@@ -31,6 +31,24 @@ public static void Install()
 	/// Creates the authentication response.
 	/// </summary>
 	public byte[] CreateResponse(string password, ReadOnlySpan<byte> authenticationData)
+	{
+		CreateResponseAndHash(password, authenticationData, out _, out var authenticationResponse);
+		return authenticationResponse;
+	}
+
+	/// <summary>
+	/// Creates the Ed25519 password hash.
+	/// </summary>
+	public byte[] CreatePasswordHash(string password, ReadOnlySpan<byte> authenticationData)
+	{
+		CreateResponseAndHash(password, authenticationData, out var passwordHash, out _);
+		return passwordHash;
+	}
+
+	/// <summary>
+	/// Creates the authentication response.
+	/// </summary>
+	private static void CreateResponseAndHash(string password, ReadOnlySpan<byte> authenticationData, out byte[] passwordHash, out byte[] authenticationResponse)
 	{
 		// Java reference: https://github.com/MariaDB/mariadb-connector-j/blob/master/src/main/java/org/mariadb/jdbc/internal/com/send/authentication/Ed25519PasswordPlugin.java
 		// C reference:  https://github.com/MariaDB/server/blob/592fe954ef82be1bc08b29a8e54f7729eb1e1343/plugin/auth_ed25519/ref10/sign.c#L7
@@ -109,6 +127,9 @@ public byte[] CreateResponse(string password, ReadOnlySpan<byte> authenticationD
 		GroupOperations.ge_scalarmult_base(out var A, az, 0);
 		GroupOperations.ge_p3_tobytes(sm, 32, ref A);
 
+		passwordHash = new byte[32];
+		Array.Copy(sm, 32, passwordHash, 0, 32);
+
 		/*** Java
 			nonce = scalar.reduce(nonce);
 			GroupElement elementRvalue = spec.getB().scalarMultiply(nonce);
@@ -152,30 +173,7 @@ public byte[] CreateResponse(string password, ReadOnlySpan<byte> authenticationD
 
 		var result = new byte[64];
 		Buffer.BlockCopy(sm, 0, result, 0, result.Length);
-		return result;
-	}
-
-	/// <summary>
-	/// Creates the ed25519 password hash.
-	/// </summary>
-	public byte[] CreatePasswordHash(string password, ReadOnlySpan<byte> authenticationData)
-	{
-		byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
-		using var sha512 = SHA512.Create();
-		byte[] az = sha512.ComputeHash(passwordBytes);
-		ScalarOperations.sc_clamp(az, 0);
-
-		byte[] sm = new byte[64 + authenticationData.Length];
-		authenticationData.CopyTo(sm.AsSpan().Slice(64));
-		Buffer.BlockCopy(az, 32, sm, 32, 32);
-		sha512.ComputeHash(sm, 32, authenticationData.Length + 32);
-
-		GroupOperations.ge_scalarmult_base(out var A, az, 0);
-		GroupOperations.ge_p3_tobytes(sm, 32, ref A);
-
-		byte[] res = new byte[32];
-		Array.Copy(sm, 32, res, 0, 32);
-		return res;
+		authenticationResponse = result;
 	}
 
 	private Ed25519AuthenticationPlugin()

src/MySqlConnector/Authentication/IAuthenticationPlugin.cs

@@ -19,14 +19,20 @@ public interface IAuthenticationPlugin
 	/// Method Switch Request Packet</a>.</param>
 	/// <returns>The authentication response.</returns>
 	byte[] CreateResponse(string password, ReadOnlySpan<byte> authenticationData);
+}
 
+/// <summary>
+/// <see cref="IAuthenticationPlugin2"/> is an extension to <see cref="IAuthenticationPlugin"/> that returns a hash of the client's password.
+/// </summary>
+public interface IAuthenticationPlugin2 : IAuthenticationPlugin
+{
 	/// <summary>
-	/// create password hash for fingerprint verification
+	/// Hashes the client's password (e.g., for TLS certificate fingerprint verification).
 	/// </summary>
 	/// <param name="password">The client's password.</param>
 	/// <param name="authenticationData">The authentication data supplied by the server; this is the <code>auth method data</code>
 	/// from the <a href="https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::AuthSwitchRequest">Authentication
 	/// Method Switch Request Packet</a>.</param>
-	/// <returns>password hash</returns>
+	/// <returns>The authentication-method-specific hash of the client's password.</returns>
 	byte[] CreatePasswordHash(string password, ReadOnlySpan<byte> authenticationData);
 }

src/MySqlConnector/Core/ServerSession.cs

@@ -18,9 +18,6 @@
 using MySqlConnector.Protocol.Payloads;
 using MySqlConnector.Protocol.Serialization;
 using MySqlConnector.Utilities;
-#if NET5_0_OR_GREATER
-using System.Runtime.CompilerServices;
-#endif
 
 namespace MySqlConnector.Core;
 
@@ -539,8 +536,7 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 				// * auth plugin is MitM-proof and check SHA2(user's hashed password, scramble, certificate fingerprint)
 				if (cs.ConnectionProtocol != MySqlConnectionProtocol.UnixSocket)
 				{
-					if (string.IsNullOrEmpty(password) ||
-					    !ValidateFingerPrint(ok.StatusInfo, initialHandshake.AuthPluginData, password!))
+					if (string.IsNullOrEmpty(password) || !ValidateFingerprint(ok.StatusInfo, initialHandshake.AuthPluginData.AsSpan(0, 20), password!))
 					{
 						// fingerprint validation fail.
 						// now throwing SSL exception depending on m_rcbPolicyErrors
@@ -615,15 +611,16 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 	/// <param name="challenge">initial seed</param>
 	/// <param name="password">password</param>
 	/// <returns>true if validated</returns>
-	private bool ValidateFingerPrint(byte[]? validationHash, ReadOnlySpan<byte> challenge, string password)
+	private bool ValidateFingerprint(byte[]? validationHash, ReadOnlySpan<byte> challenge, string password)
 	{
-		if (validationHash is null || validationHash.Length == 0) return false;
+		if (validationHash?.Length != 65)
+			return false;
 
 		// ensure using SHA256 encryption
 		if (validationHash[0] != 0x01)
 			throw new FormatException($"Unexpected validation hash format. expected 0x01 but got 0x{validationHash[0]:X2}");
 
-		byte[] passwordHashResult;
+		byte[]? passwordHashResult = null;
 		switch (m_pluginName)
 		{
 			case "mysql_native_password":
@@ -632,17 +629,17 @@ private bool ValidateFingerPrint(byte[]? validationHash, ReadOnlySpan<byte> chal
 
 			case "client_ed25519":
 				AuthenticationPlugins.TryGetPlugin("client_ed25519", out var ed25519Plugin);
-				passwordHashResult = ed25519Plugin!.CreatePasswordHash(password, challenge);
+				if (ed25519Plugin is IAuthenticationPlugin2 plugin2)
+					passwordHashResult = plugin2!.CreatePasswordHash(password, challenge);
 				break;
-
-			default:
-				return false;
 		}
+		if (passwordHashResult is null)
+			return false;
 
-		Span<byte> combined = stackalloc byte[32 + (challenge.Length - 1) + passwordHashResult.Length];
+		Span<byte> combined = stackalloc byte[32 + challenge.Length + passwordHashResult.Length];
 		passwordHashResult.CopyTo(combined);
 		challenge.CopyTo(combined[passwordHashResult.Length..]);
-		m_sha2Thumbprint!.CopyTo(combined[(passwordHashResult.Length + challenge.Length - 1)..]);
+		m_sha2Thumbprint!.CopyTo(combined[(passwordHashResult.Length + challenge.Length)..]);
 
 		byte[] hashBytes;
 #if NET5_0_OR_GREATER