On 12/20/11 11:47, Dmitry Yemanov wrote:
> 20.12.2011 10:30, Alex Peshkoff wrote:
>
>> Returning to that useful idea - the problem is that when the warning can
>> be returned, the password was already passed to the net in legacy unsafe
>> form. That's not too big a problem if this is a password for FB<3. The worst
>> case is when the user mixed two servers and used a password for an FB3 server
>> with an older version. Yes, he gets a logon error and a warning together with
>> it - but the password is already compromised.
> Is it possible to skip SRP for protocol versions less than FB3's one?
> I.e. decide which auth method to use *after* getting a reply on op_connect?

Certainly, and it's already done. With one exception - the FB3 protocol begins
authentication inside op_connect. That's absolutely backward compatible - I've
added new tags to the CNCT_ID block, and they are certainly just ignored by
older servers. For an FB3 client-server pair this helps to avoid an extra
roundtrip when attaching a database.

This is a successful SRP attach process:

connect: client's public key, login and database name
=> server accept: server's public key and salt
=> client attach: client's proof
=> server response: success if client's proof == server's proof

When talking to older servers:

connect: client's public key, login and database name
=> server accept: (server ignored SRP info)
=> client attach: legacy password_enc
=> server response: success if password is correct

I.e. we do not lose anything except about 300-400 additional bytes in the
connect packet.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
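The two exchanges above, as an added example that is not Firebird's own code: an SRP-6a style run of the four steps in Python, where a toy group (2^255-19, g = 2) and SHA-256 are assumptions standing in for Firebird's real parameters and wire format, and server_accept returning None models an older server that ignores the SRP tags so the client falls back to legacy authentication.

```python
import hashlib
import secrets
# Toy group, an assumption of this example only; Firebird's real SRP group, hash
# and wire format (op_connect/op_accept, CNCT tags) are not reproduced here.
N = 2**255 - 19
g = 2

def H(*parts):
    """SHA-256 over fixed-width ints and raw bytes, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def register(login, password):
    """Server side keeps a salt and verifier v = g^x mod N, not the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, login.encode(), password.encode())
    return {"salt": salt, "v": pow(g, x, N)}

def server_accept(record, A, srp_capable=True):
    """Step 2 (accept). An older server ignores the SRP tags: no B, no salt."""
    if not srp_capable:
        return None
    b = secrets.randbelow(N - 2) + 1
    B = (k * record["v"] + pow(g, b, N)) % N
    S = pow(A * pow(record["v"], H(A, B), N) % N, b, N)
    return {"B": B, "salt": record["salt"], "proof": H(A, B, S)}

def client_attach(login, password, accept, A, a):
    """Step 3 (attach): SRP proof if the server answered SRP, else legacy."""
    if accept is None:
        # No SRP data came back: here the legacy password_enc would go on the wire
        return ("legacy", None)
    B, u = accept["B"], H(A, accept["B"])
    x = H(accept["salt"], login.encode(), password.encode())
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return ("srp", H(A, B, S))

def attach(login, password, record, srp_capable=True):
    """Drive the four steps; return (method, proof_matched_or_None)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                   # 1. connect
    accept = server_accept(record, A, srp_capable)     # 2. accept
    method, proof = client_attach(login, password, accept, A, a)  # 3. attach
    if method == "srp":                                # 4. response
        return method, proof == accept["proof"]
    return method, None
```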
