On Mon, 7 Oct 2024 at 21:08, Sergei Golubchik <s...@mariadb.org> wrote:

> Hi, Nikita,
>
> On Oct 07, Nikita Malyavin wrote:
> > revision-id: b17308e254a (mariadb-11.6.1-10-gb17308e254a)
> > parent(s): e8021aaf28e
> > author: Nikita Malyavin
> > committer: Nikita Malyavin
> > timestamp: 2024-10-04 01:33:47 +0200
> > message:
> >
> > MDEV-34854 Parsec sends garbage when using an empty password
> >
> > When an empty password is set, the server doesn't call
> > st_mysql_auth::hash_password and leaves
> > MYSQL_SERVER_AUTH_INFO::auth_string empty.
> >
> > Fix:
> > generate hashes for empty passwords as well. This breaks some auth
> > plugins, so we increment interface version and do it only from Auth V.
> > 2.03.
> >
> > Some empty passwords could be already stored with no though. The user
>
> "with no though" ?
>

with none. All empty passwords.
All empty passwords have no ext-salt stored.

> > will have to call SET PASSWORD once again, anyway the authentication
> > wouldn't have worked for such password.
>
> ok, I presume you mean ed25519 only, because mysql_native_password
> worked with an empty password and it generates an empty hash for it.
>

No, this is only about those users, who could set an empty password for PARSEC plugin within the last two months.

> > diff --git a/mysql-test/suite/plugins/r/parsec.result
> b/mysql-test/suite/plugins/r/parsec.result
> > index 512c066e2d7..b7e3537af29 100644
> > --- a/mysql-test/suite/plugins/r/parsec.result
> > +++ b/mysql-test/suite/plugins/r/parsec.result
> ...
> let's add ed25519 test too, for completeness.
>

I guess it will not work with empty password, just as before? I'll check anyway.

> > diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
> > index 2722ea2ea19..ba05a5656c5 100644
> > --- a/sql/sql_acl.cc
> > +++ b/sql/sql_acl.cc
> > @@ -2402,7 +2402,10 @@ static int set_user_auth(THD *thd, const > LEX_CSTRING &user, > > res= ER_NOT_VALID_PASSWORD; > > goto end; > > } > > - if (pwtext.length) > > + > > + // Starting from version 2.03 we also generate hash for empty > passwords. > > + if ((info->interface_version >= MYSQL_AUTH_INTERFACE_VERSION_2_03 > > I don't understand this MYSQL_AUTH_INTERFACE_VERSION_2_03 thing. > First, again, that's not how a version is supposed to work. > Second, this empty-password change isn't a change in the API. > > You can simply start calling hash_password() for empty passwords and > it'll just work. I've tried :) > I've tried, and I had main.set_password failing, exactly with mysql_old_password . This is why I decided to simply alter the version and leave mysql_old_password as it is, without figuring out the problem. > > > + && pwtext.str) || pwtext.length) > > { > > if (info->hash_password) > > { > > Regards, > Sergei > Chief Architect, MariaDB Server > and secur...@mariadb.org > -- Yours truly, Nikita Malyavin
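
Review bot: the new condition in set_user_auth() relies on `pwtext.str` being non-null while `pwtext.length` is zero to mean "an empty password was given", and the added comment does not say so. The comment should state that convention and also why the branch is gated on `info->interface_version >= MYSQL_AUTH_INTERFACE_VERSION_2_03`, since the thread gives the actual reason (main.set_password fails with mysql_old_password when hash_password() is called for an empty password). As written, plugins that report an older interface version keep the old `if (pwtext.length)` behaviour, so the empty-password case stays unhashed for them; a test with an empty password for a plugin other than parsec, such as the ed25519 case raised above, would pin down which path each plugin takes.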