diff options
author | Daniel Black <daniel@mariadb.org> | 2020-10-24 21:01:07 +1100 |
---|---|---|
committer | Daniel Black <daniel@mariadb.org> | 2020-12-14 14:47:39 +1100 |
commit | 2c9d0ee38276bc1f04570b88f67c03eacd829875 (patch) | |
tree | 8634beaae77ec5dfa65b9755fbb01a447563f9ba | |
parent | b2029c0300bf8c311ff5d9fdc4b73a9e48bf6930 (diff) | |
download | mariadb-git-bb-10.4-danielblack-MDEV-24207-accept-m57-forms-of-invalid-password.tar.gz |
MDEV-24207: recognise mysql forms of invalid password for mysql_native_passwordbb-10.4-danielblack-MDEV-24207-accept-m57-forms-of-invalid-password
The main goal of this patch is to prevent MariaDB's native_password_plugin
from "parsing" the hex (or non hex) authentication_string. Due to how the
current code is written, we convert any string (within native_password_get_salt)
that has the appropriate length to a "binary" representation, that can
potentially match a real password.
More specifically,
"*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE" produces the same results as
"*d13c3c78dafa52d9bce09bdd1adcb7befced1ebe".
The length indicator is the main indicator of an invalid password. We use
use same trick with "invalid".
The "parsing" by the get_salt_from_password down to char_val() as a password).
In supporting these, we support the SHOW CREATE USER from MySQL may have the
hashed password string: *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE.
Obviously this isn't a hash because it contains non-hex characters.
After this patch we do however recognise the pattern:
[any char, notionally *]{40 chars not all are hex}
..a s a pattern for an invalid password. This was determined to be the general
pattern that MySQL used.
-rw-r--r-- | mysql-test/main/set_password.result | 8 | ||||
-rw-r--r-- | mysql-test/main/set_password.test | 7 | ||||
-rw-r--r-- | sql/sql_acl.cc | 18 |
3 files changed, 29 insertions, 4 deletions
diff --git a/mysql-test/main/set_password.result b/mysql-test/main/set_password.result index 6a4e0da937e..a3d8683ee64 100644 --- a/mysql-test/main/set_password.result +++ b/mysql-test/main/set_password.result @@ -11,9 +11,11 @@ create user oldauth@localhost identified with 'mysql_old_password' using '378b24 create user oldpass@localhost identified by password '378b243e220ca493'; create user oldpassold@localhost identified with 'mysql_old_password'; set password for oldpassold@localhost = '378b243e220ca493'; +create user invalidmysql57auth@localhost identified via 'mysql_native_password' using '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'; select user, host, password, plugin, authentication_string from mysql.user where user != 'root'; User Host Password plugin authentication_string invalidauth localhost invalid mysql_native_password invalid +invalidmysql57auth localhost *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE mysql_native_password *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE invalidpass localhost invalid mysql_native_password invalid invalidpassnat localhost invalid mysql_native_password invalid mariadb.sys localhost mysql_native_password @@ -95,6 +97,7 @@ set password for oldpassold@localhost = PASSWORD('test2'); select user, host, password, plugin, authentication_string from mysql.user where user != 'root'; User Host Password plugin authentication_string invalidauth localhost invalid mysql_native_password invalid +invalidmysql57auth localhost *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE mysql_native_password *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE invalidpass localhost invalid mysql_native_password invalid invalidpassnat localhost invalid mysql_native_password invalid mariadb.sys localhost mysql_native_password @@ -160,6 +163,9 @@ ERROR 28000: Access denied for user 'invalidpass'@'localhost' (using password: Y connect(localhost,invalidpassnat,invalid,test,MASTER_PORT,MASTER_SOCKET); connect con,localhost,invalidpassnat,invalid,; ERROR 28000: Access denied for user 'invalidpassnat'@'localhost' (using password: YES) +connect(localhost,invalidmysql57auth,invalid,test,MASTER_PORT,MASTER_SOCKET); +connect con,localhost,invalidmysql57auth,invalid,; +ERROR 28000: Access denied for user 'invalidmysql57auth'@'localhost' (using password: YES) connect con,localhost,oldauth,test2,; select current_user(); current_user() @@ -177,7 +183,7 @@ oldpassold@localhost disconnect con; connection default; drop user natauth@localhost, newpass@localhost, newpassnat@localhost; -drop user invalidauth@localhost, invalidpass@localhost, invalidpassnat@localhost; +drop user invalidauth@localhost, invalidpass@localhost, invalidpassnat@localhost,invalidmysql57auth@localhost; drop user oldauth@localhost, oldpass@localhost, oldpassold@localhost; set global secure_auth=default; # switching from mysql.global_priv to mysql.user diff --git a/mysql-test/main/set_password.test b/mysql-test/main/set_password.test index dd5e261346b..ec652a09274 100644 --- a/mysql-test/main/set_password.test +++ b/mysql-test/main/set_password.test @@ -31,6 +31,8 @@ create user oldpass@localhost identified by password '378b243e220ca493'; create user oldpassold@localhost identified with 'mysql_old_password'; set password for oldpassold@localhost = '378b243e220ca493'; +create user invalidmysql57auth@localhost identified via 'mysql_native_password' using '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'; + --sorted_result select user, host, password, plugin, authentication_string from mysql.user where user != 'root'; @@ -131,6 +133,9 @@ select current_user(); --replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT --error ER_ACCESS_DENIED_ERROR --connect(con,localhost,invalidpassnat,invalid,) +--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT +--error ER_ACCESS_DENIED_ERROR +--connect(con,localhost,invalidmysql57auth,invalid,) --connect(con,localhost,oldauth,test2,) select current_user(); @@ -144,7 +149,7 @@ select current_user(); --connection default drop user natauth@localhost, newpass@localhost, newpassnat@localhost; -drop user invalidauth@localhost, invalidpass@localhost, invalidpassnat@localhost; +drop user invalidauth@localhost, invalidpass@localhost, invalidpassnat@localhost,invalidmysql57auth@localhost; drop user oldauth@localhost, oldpass@localhost, oldpassold@localhost; set global secure_auth=default; diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 57e8411b084..13947b1bec7 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -14201,6 +14201,7 @@ static int native_password_get_salt(const char *hash, size_t hash_length, { DBUG_ASSERT(sizeof(invalid_password) > SCRAMBLE_LENGTH); DBUG_ASSERT(*out_length >= SCRAMBLE_LENGTH); + DBUG_ASSERT(*out_length >= sizeof(invalid_password)); if (hash_length == 0) { *out_length= 0; @@ -14211,14 +14212,27 @@ static int native_password_get_salt(const char *hash, size_t hash_length, { if (hash_length == 7 && strcmp(hash, "invalid") == 0) { - memcpy(out, invalid_password, SCRAMBLED_PASSWORD_CHAR_LENGTH); - *out_length= SCRAMBLED_PASSWORD_CHAR_LENGTH; + memcpy(out, invalid_password, sizeof(invalid_password)); + *out_length= sizeof(invalid_password); return 0; } my_error(ER_PASSWD_LENGTH, MYF(0), SCRAMBLED_PASSWORD_CHAR_LENGTH); return 1; } + for (const char *c= hash + 1; c < (hash + hash_length); c++) + { + /* If any non-hex characters are found, mark the password as invalid. */ + if (!(*c >= '0' && *c <= '9') && + !(*c >= 'A' && *c <= 'F') && + !(*c >= 'a' && *c <= 'f')) + { + memcpy(out, invalid_password, sizeof(invalid_password)); + *out_length= sizeof(invalid_password); + return 0; + } + } + *out_length= SCRAMBLE_LENGTH; get_salt_from_password(out, hash); return 0; |