More work on secure authentication. Commit for merge
@ -284,7 +284,7 @@ void make_scrambled_password(char *to,const char *password,my_bool force_old_scr
|
|||||||
uint get_password_length(my_bool force_old_scramble);
|
uint get_password_length(my_bool force_old_scramble);
|
||||||
uint8 get_password_version(const char* password);
|
uint8 get_password_version(const char* password);
|
||||||
void get_salt_from_password(unsigned long *res,const char *password);
|
void get_salt_from_password(unsigned long *res,const char *password);
|
||||||
void make_password_from_salt(char *to, unsigned long *hash_res);
|
void make_password_from_salt(char *to, unsigned long *hash_res, uint8 password_version);
|
||||||
char *scramble(char *to,const char *message,const char *password,
|
char *scramble(char *to,const char *message,const char *password,
|
||||||
my_bool old_ver);
|
my_bool old_ver);
|
||||||
my_bool check_scramble(const char *, const char *message,
|
my_bool check_scramble(const char *, const char *message,
|
||||||
|
@ -166,24 +166,26 @@ inline uint char_val(char X)
|
|||||||
** This code detects new version password by leading char.
|
** This code detects new version password by leading char.
|
||||||
** Old password has to be divisible by 8 length
|
** Old password has to be divisible by 8 length
|
||||||
** do not forget to increase array length if you need longer passwords
|
** do not forget to increase array length if you need longer passwords
|
||||||
|
** THIS FUNCTION DOES NOT HAVE ANY LENGTH CHECK
|
||||||
*/
|
*/
|
||||||
|
|
||||||
void get_salt_from_password(ulong *res,const char *password)
|
void get_salt_from_password(ulong *res,const char *password)
|
||||||
{
|
{
|
||||||
bzero(res,5*sizeof(res[0]));
|
bzero(res,6*sizeof(res[0]));
|
||||||
if (password)
|
if (password) // zero salt corresponds to empty password
|
||||||
{
|
{
|
||||||
if (password[0]==PVERSION41_CHAR) // if new password
|
if (password[0]==PVERSION41_CHAR) // if new password
|
||||||
{
|
{
|
||||||
uint val=0;
|
uint val=0;
|
||||||
uint i;
|
uint i;
|
||||||
password++; // skip version identifier.
|
password++; // skip version identifier.
|
||||||
//get hashing salt from password and store in in the start of array
|
|
||||||
|
|
||||||
|
//get hashing salt from password and store in in the start of array
|
||||||
for (i=0 ; i < 4 ; i++)
|
for (i=0 ; i < 4 ; i++)
|
||||||
val=(val << 4)+char_val(*password++);
|
val=(val << 4)+char_val(*password++);
|
||||||
*res++=val;
|
*res++=val;
|
||||||
}
|
}
|
||||||
|
// We process old passwords the same way as new ones in other case
|
||||||
while (*password)
|
while (*password)
|
||||||
{
|
{
|
||||||
ulong val=0;
|
ulong val=0;
|
||||||
@ -196,10 +198,16 @@ void get_salt_from_password(ulong *res,const char *password)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
void make_password_from_salt(char *to, ulong *hash_res)
|
void make_password_from_salt(char *to, ulong *hash_res,uint8 password_version)
|
||||||
{
|
{
|
||||||
// warning this does not work for new passwords yet
|
if (!password_version) // Handling of old passwords.
|
||||||
sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);
|
sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);
|
||||||
|
else
|
||||||
|
if (password_version==PVERSION41_CHAR)
|
||||||
|
sprintf(to,"%c%04x%08lx%08lx%08lx%08lx%08lx",(uint)hash_res[0],hash_res[1],
|
||||||
|
hash_res[2],hash_res[3],hash_res[4],hash_res[5]);
|
||||||
|
else // Just use empty password if we can't handle it. This should not happen
|
||||||
|
to[0]='\0';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
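Review bot: The new `sprintf` in `make_password_from_salt` has seven conversions (`%c`, `%04x` and five `%08lx`) but only six arguments, so the last `%08lx` reads an argument that was never passed and `%04x` receives the `ulong` `hash_res[1]`; both are undefined behaviour, and `%c` prints the salt word rather than a version marker. Presumably the version character was meant to come first: `sprintf(to,"%c%04x%08lx%08lx%08lx%08lx%08lx",password_version,(uint)hash_res[0],hash_res[1],` followed by `hash_res[2],hash_res[3],hash_res[4],hash_res[5]);`. The write into `to` is also unbounded, and the new form is 45 characters plus the terminator. The function comments should therefore state the required size of `to`, and of the six-element `res` that `get_salt_from_password` now zeroes, next to the added "DOES NOT HAVE ANY LENGTH CHECK" warning.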
@ -32,7 +32,7 @@
|
|||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
|
|
||||||
extern uint connection_auth_flag;
|
extern uint connection_auth_flag; // any better way to do it ?
|
||||||
|
|
||||||
struct acl_host_and_ip
|
struct acl_host_and_ip
|
||||||
{
|
{
|
||||||
@ -329,7 +329,7 @@ my_bool acl_init(bool dont_read_acl_tables)
|
|||||||
connection_auth_flag=CLIENT_SECURE_CONNECTION;
|
connection_auth_flag=CLIENT_SECURE_CONNECTION;
|
||||||
else connection_auth_flag=CLIENT_LONG_PASSWORD;
|
else connection_auth_flag=CLIENT_LONG_PASSWORD;
|
||||||
}
|
}
|
||||||
printf("Set flag after read: %d\n",connection_auth_flag);
|
printf("Set flag after read: %d\n",connection_auth_flag); /* DEBUG to be removed */
|
||||||
init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0);
|
init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0);
|
||||||
VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100));
|
VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100));
|
||||||
while (!(read_record_info.read_record(&read_record_info)))
|
while (!(read_record_info.read_record(&read_record_info)))
|
||||||
@ -746,6 +746,10 @@ static void acl_insert_user(const char *user, const char *host,
|
|||||||
acl_user.password=(char*) ""; // Just point at something
|
acl_user.password=(char*) ""; // Just point at something
|
||||||
get_salt_from_password(acl_user.salt,password);
|
get_salt_from_password(acl_user.salt,password);
|
||||||
acl_user.pversion=get_password_version(acl_user.password);
|
acl_user.pversion=get_password_version(acl_user.password);
|
||||||
|
if (acl_user.pversion)
|
||||||
|
connection_auth_flag|=CLIENT_SECURE_CONNECTION;
|
||||||
|
else
|
||||||
|
connection_auth_flag|=CLIENT_LONG_PASSWORD;
|
||||||
}
|
}
|
||||||
|
|
||||||
VOID(push_dynamic(&acl_users,(gptr) &acl_user));
|
VOID(push_dynamic(&acl_users,(gptr) &acl_user));
|
||||||
@ -2844,7 +2848,7 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
|
|||||||
if (acl_user->password)
|
if (acl_user->password)
|
||||||
{
|
{
|
||||||
char passd_buff[HASH_PASSWORD_LENGTH+1];
|
char passd_buff[HASH_PASSWORD_LENGTH+1];
|
||||||
make_password_from_salt(passd_buff,acl_user->salt);
|
make_password_from_salt(passd_buff,acl_user->salt,acl_user->pversion);
|
||||||
global.append(" IDENTIFIED BY PASSWORD '",25);
|
global.append(" IDENTIFIED BY PASSWORD '",25);
|
||||||
global.append(passd_buff);
|
global.append(passd_buff);
|
||||||
global.append('\'');
|
global.append('\'');
|
||||||
|
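Review bot: In the `mysql_show_grants` hunk, `passd_buff` is still declared as `HASH_PASSWORD_LENGTH+1` bytes, while the three-argument `make_password_from_salt` can now write the new-format hash (45 characters plus the terminator) through an unbounded `sprintf`. The definition of `HASH_PASSWORD_LENGTH` is not visible on this page; if it still reflects the 16-character old hash, SHOW GRANTS on a new-format account writes past this stack buffer. Confirm the constant was raised, or size the buffer for the longest format and say so in a comment such as `/* must hold the longest hash format plus NUL */`. The `printf("Set flag after read: ...")` in the `acl_init` hunk passes a `uint` to `%d` and is marked for removal, so it should go before the merge. The body of `mysql_show_grants` starts and ends outside the hunk.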
@ -51,6 +51,8 @@
|
|||||||
#define TRANS_MEM_ROOT_BLOCK_SIZE 4096
|
#define TRANS_MEM_ROOT_BLOCK_SIZE 4096
|
||||||
#define TRANS_MEM_ROOT_PREALLOC 4096
|
#define TRANS_MEM_ROOT_PREALLOC 4096
|
||||||
|
|
||||||
|
extern uint connection_auth_flag;
|
||||||
|
|
||||||
extern int yyparse(void);
|
extern int yyparse(void);
|
||||||
extern "C" pthread_mutex_t THR_LOCK_keycache;
|
extern "C" pthread_mutex_t THR_LOCK_keycache;
|
||||||
#ifdef SOLARIS
|
#ifdef SOLARIS
|
||||||
@ -504,7 +506,8 @@ check_connections(THD *thd)
|
|||||||
{
|
{
|
||||||
/* buff[] needs to big enough to hold the server_version variable */
|
/* buff[] needs to big enough to hold the server_version variable */
|
||||||
char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH+32],*end;
|
char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH+32],*end;
|
||||||
int client_flags = CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB | CLIENT_PROTOCOL_41;
|
int client_flags = CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB |
|
||||||
|
CLIENT_PROTOCOL_41 | connection_auth_flag;
|
||||||
|
|
||||||
if (opt_using_transactions)
|
if (opt_using_transactions)
|
||||||
client_flags|=CLIENT_TRANSACTIONS;
|
client_flags|=CLIENT_TRANSACTIONS;
|
||||||
|
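Review bot: `client_flags` in `check_connections` now ORs in `connection_auth_flag`, a plain global that the ACL hunks assign in `acl_init` and update with `|=` in `acl_insert_user`; no lock is visible around those writes or this read, which happens on every handshake. Because `acl_insert_user` only adds bits, the advertised capabilities appear to stay at the union of all accounts' hash formats until the next `acl_init`, so a single old-format account keeps `CLIENT_LONG_PASSWORD` advertised to every client; it is worth confirming that this is intended. The `extern uint connection_auth_flag;` declaration is also repeated in each source file rather than placed in a shared header, where a comment like `/* capability bits advertised in the handshake; set by the ACL code */` would document who owns it. The body of `check_connections` continues outside the hunk.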