From 7df0475847103581798ddacf75dbf634e8f98d0a Mon Sep 17 00:00:00 2001
From: "kostja@oak.local" <>
Date: Tue, 1 Jul 2003 23:40:59 +0400
Subject: First version of new authentification procedure: now authentification is one-stage (instead of two-stage in 4.1)
For now following tasks have been done:
- PASSWORD() function was rewritten. PASSWORD() now returns SHA1 hash_stage2; for new passwords user.password contains '*'hash_stage2; sql_yacc.yy also fixed;
- password.c: new functions were implemented, old rolled back to 4.0 state
- server code was rewritten to use new authorization algorithm (check_user(), change user, and other stuff in sql/sql_parse.cc)
- client code was rewritten to use new authorization algorithm (mysql_real_connect, myslq_authenticate in sql-common/client.c)
- now server barks on 45-byte-length 4.1.0 passwords and refuses 4.1.0-style authentification. Users with 4.1.0 passwords are blocked (sql/sql_acl.cc)
- mysqladmin.c was fixed to work correctly with new passwords
Tests for 4.0-4.1.1, 4.1.1-4.1.1 (with or without db/password) logons was performed; mysqladmin also was tested. Additional check are nevertheless necessary.
---
include/mysql.h | 4 +++-
include/mysql_com.h | 61 +++++++++++++++++++++++++++++++----------------------
2 files changed, 39 insertions(+), 26 deletions(-)
(limited to 'include')
diff --git a/include/mysql.h b/include/mysql.h
index bd63a10ba45..91ef481e7f7 100644
--- a/include/mysql.h
+++ b/include/mysql.h
@@ -227,7 +227,9 @@ typedef struct st_mysql
enum mysql_status status;
my_bool free_me; /* If free in mysql_close */
my_bool reconnect; /* set to 1 if automatic reconnect */
- char scramble_buff[21]; /* New protocol requires longer scramble*/
+
+ char scramble[SCRAMBLE_LENGTH+1]; /* for new servers */
+ char scramble_323[SCRAMBLE_LENGTH_323+1]; /* for old servers */
/* Set if this is the original connection, not a master or a slave we have
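Review bot: Replacing `scramble_buff[21]` with `scramble[SCRAMBLE_LENGTH+1]` plus `scramble_323[SCRAMBLE_LENGTH_323+1]` grows the public `MYSQL` struct by 9 bytes at this point (20+1 and 8+1 by the definitions in the mysql_com.h hunk below) and shifts the offset of every later member, so applications that embed `MYSQL` by value or were built against the previous header see a layout change; this should be recorded as an ABI break for the client library, or the new member placed so existing offsets are preserved. The two comments should say what is stored rather than which server it is for, e.g. `/* 20-byte random challenge from a 4.1.1+ server, NUL-terminated */` and `/* 8-byte challenge from a pre-4.1.1 server, NUL-terminated */`. Both macros live in mysql_com.h, so mysql.h must include it before this struct — presumably it already does, but worth confirming. `struct st_mysql` starts and ends outside the hunk.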
diff --git a/include/mysql_com.h b/include/mysql_com.h
index e87001ff27d..c1f18160667 100644
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -48,8 +48,15 @@ enum enum_server_command
};
-#define SCRAMBLE_LENGTH 8
-#define SCRAMBLE41_LENGTH 20
+/*
+ Length of random string sent by server on handshake; this is also length of
+ obfuscated password, recieved from client
+*/
+#define SCRAMBLE_LENGTH 20
+#define SCRAMBLE_LENGTH_323 8
+/* length of password stored in the db: new passwords are preceeded with '*' */
+#define SCRAMBLED_PASSWORD_CHAR_LENGTH (SCRAMBLE_LENGTH*2+1)
+#define SCRAMBLED_PASSWORD_CHAR_LENGTH_323 (SCRAMBLE_LENGTH_323*2)
#define NOT_NULL_FLAG 1 /* Field can't be NULL */
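Review bot: `SCRAMBLED_PASSWORD_CHAR_LENGTH` derives the stored-password length from `SCRAMBLE_LENGTH`, the handshake challenge length, but per the commit message what it encodes is the hex form of a 20-byte SHA1 hash_stage2 plus the leading '*'; the two lengths only coincide, so a future change to the challenge length would silently change the on-disk password format. A separately named digest-length constant for the stored form, with `SCRAMBLE_LENGTH` kept for the wire challenge, would decouple them. Both `*_CHAR_LENGTH` macros count characters without the NUL terminator, and the comment should say so, e.g. `/* length of password stored in the db, without terminating NUL; new passwords are preceded with '*' */`. The remaining context lines of this hunk are not shown here.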
@@ -300,31 +307,35 @@ extern "C" {
extern unsigned long max_allowed_packet;
extern unsigned long net_buffer_length;
-void randominit(struct rand_struct *,unsigned long seed1,
- unsigned long seed2);
+/*
+ These functions are used for authentication by client and server and
+ implemented in sql/password.c
+*/
+
+void randominit(struct rand_struct *, unsigned long seed1,
+ unsigned long seed2);
double my_rnd(struct rand_struct *);
-void make_scrambled_password(char *to,const char *password,
- my_bool force_old_scramble,struct rand_struct *rand_st);
-int get_password_length(my_bool force_old_scramble);
-char get_password_version(const char* password);
-void create_random_string(int length,struct rand_struct *rand_st,char* target);
-my_bool validate_password(const char* password, const char* message,
- unsigned long* salt);
-void password_hash_stage1(char *to, const char *password);
-void password_hash_stage2(char *to,const char *salt);
-void password_crypt(const char* from,char* to, const char* password,int length);
-void get_hash_and_password(unsigned long* salt, unsigned char pversion,char* hash,
- unsigned char* bin_password);
-void get_salt_from_password(unsigned long *res,const char *password);
-void create_key_from_old_password(const char* password,char* key);
-void make_password_from_salt(char *to, unsigned long *hash_res,
- unsigned char password_version);
-char *scramble(char *to,const char *message,const char *password,
- my_bool old_ver);
-my_bool check_scramble(const char *, const char *message,
- unsigned long *salt,my_bool old_ver);
+void create_random_string(char *to, uint length, struct rand_struct *rand_st);
+
+void hash_password(ulong *to, const char *password);
+void make_scrambled_password_323(char *to, const char *password);
+char *scramble_323(char *to, const char *message, const char *password,
+ my_bool old_ver);
+my_bool check_scramble_323(const char *, const char *message,
+ unsigned long *salt, my_bool old_ver);
+void
get_salt_from_password_323(unsigned long *res, const char *password);
+void make_password_from_salt_323(char *to, const unsigned long *salt);
+
+void make_scrambled_password(char *to, const char *password);
+char *scramble(char *to, const char *message, const char *password);
+my_bool check_scramble(const char *reply, const char *message,
+ const unsigned char *hash_stage2);
+void get_salt_from_password(unsigned char *res, const char *password);
+void make_password_from_salt(char *to, const unsigned char *hash_stage2);
+
+/* end of password.c */
+
char *get_tty_password(char *opt_message);
-void hash_password(unsigned long *result, const char *password);
const char *mysql_errno_to_sqlstate(unsigned int mysql_errno);
/* Some other useful functions */
-- cgit v1.2.1
From 1d20b23247e19aa6aa5e309fc47d5c5c3bbfe433 Mon Sep 17 00:00:00 2001
From: "kostja@oak.local" <>
Date: Fri, 4 Jul 2003 20:52:04 +0400
Subject: Bug fixes for authentication
OLD_PASSWORD made a keyword to allow set password=old_password('abc') constructions.
---
include/mysql_com.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/mysql_com.h b/include/mysql_com.h
index c1f18160667..784a7782855 100644
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -327,7 +327,7 @@ void get_salt_from_password_323(unsigned long *res, const char *password);
void make_password_from_salt_323(char *to, const unsigned long *salt);
void make_scrambled_password(char *to, const char *password);
-char *scramble(char *to, const char *message, const char *password);
+void scramble(char *to, const char *message, const char *password);
my_bool check_scramble(const char *reply, const char *message,
const unsigned char *hash_stage2);
void get_salt_from_password(unsigned char *res, const char *password);
-- cgit v1.2.1
From a232225b69cc34f18f87a761e19fc0e3d2790d97 Mon Sep 17 00:00:00 2001
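Review bot: `create_random_string` and `hash_password` use `uint` and `ulong` in an installed public header while every other prototype in the same hunk, including `check_scramble_323` two lines above, spells `unsigned long`; those short names are MySQL's own typedefs rather than C types, so unless mysql.h guarantees them to external clients the header will not compile for an application that includes only mysql.h — use `unsigned int length` and `unsigned long *to`. The same applies to the `hash_password(ulong *to, const char *password, uint password_len)` line in the 18 Jul "Style fixes" commit further down. The new `scramble`, `check_scramble`, `get_salt_from_password` and `make_password_from_salt` prototypes carry no length parameters, so the buffer contract is implicit; a one-line comment per prototype naming the sizes (`to` needs `SCRAMBLE_LENGTH+1` bytes, `reply` is `SCRAMBLE_LENGTH` bytes, `hash_stage2` is the binary digest — 20 bytes by the definitions above, if I read them right) would save every caller a trip into password.c. `check_scramble_323` also leaves its first parameter unnamed; name it `scrambled` or `reply` to match its new-style sibling.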
From: "kostja@oak.local" <>
Date: Tue, 8 Jul 2003 02:36:14 +0400
Subject: Preliminary support for options --secure-auth, --old-passwords
Support for option --old-protocol was removed. Some test performed. Tests for SSL and replication are pending. More strict following to specification for --old-passwords is in the TODO.
---
include/mysql_com.h | 5 ++---
include/mysqld_error.h | 3 ++-
2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'include')
diff --git a/include/mysql_com.h b/include/mysql_com.h
index 784a7782855..1f9d996c457 100644
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -319,10 +319,9 @@ void create_random_string(char *to, uint length, struct rand_struct *rand_st);
void hash_password(ulong *to, const char *password);
void make_scrambled_password_323(char *to, const char *password);
-char *scramble_323(char *to, const char *message, const char *password,
- my_bool old_ver);
+char *scramble_323(char *to, const char *message, const char *password);
my_bool check_scramble_323(const char *, const char *message,
- unsigned long *salt, my_bool old_ver);
+ unsigned long *salt);
void get_salt_from_password_323(unsigned long *res, const char *password);
void make_password_from_salt_323(char *to, const unsigned long *salt);
diff --git a/include/mysqld_error.h b/include/mysqld_error.h
index 565c2812c50..341e0144ca3 100644
--- a/include/mysqld_error.h
+++ b/include/mysqld_error.h
@@ -286,4 +286,5 @@
#define ER_REVOKE_GRANTS 1267
#define ER_CANT_AGGREGATE_3COLLATIONS 1268
#define ER_CANT_AGGREGATE_NCOLLATIONS 1269
-#define ER_ERROR_MESSAGES 270
+#define ER_SERVER_IS_IN_SECURE_AUTH_MODE 1270
+#define ER_ERROR_MESSAGES 271
-- cgit v1.2.1
From 09e53b016967a84126dc50474a54010712893bf1 Mon Sep 17 00:00:00 2001
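Review bot: `check_scramble_323` keeps `unsigned long *salt` non-const although, as a verifier, it presumably only reads the salt, while `make_password_from_salt_323` on the last line of the hunk already takes `const unsigned long *salt`; make it `const unsigned long *salt` so the two agree and callers can pass stored ACL salts without a cast. Its first parameter is still unnamed — `const char *scrambled` would mirror `reply` in `check_scramble`. With `old_ver` gone from both prototypes the `_323` suffix alone now selects the legacy algorithm, which is fine, but a comment above the `_323` group saying these exist only for pre-4.1.1 clients and `--old-passwords` would record why two algorithms remain in the header. The mysqld_error.h hunk only adds the new code and bumps the count.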
From: "kostja@oak.local" <>
Date: Fri, 18 Jul 2003 18:25:54 +0400
Subject: Style fixes, comments for 4.1.1 authorization
Now special 1-byte packet is used for request of old password Fixed bug with --skip-grant-tables and acl_getroot
---
include/mysql.h | 4 ++--
include/mysql_com.h | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'include')
diff --git a/include/mysql.h b/include/mysql.h
index bf05f6e8e37..079808d9ba7 100644
--- a/include/mysql.h
+++ b/include/mysql.h
@@ -228,8 +228,8 @@ typedef struct st_mysql
my_bool free_me; /* If free in mysql_close */
my_bool reconnect; /* set to 1 if automatic reconnect */
- char scramble[SCRAMBLE_LENGTH+1]; /* for new servers */
- char scramble_323[SCRAMBLE_LENGTH_323+1]; /* for old servers */
+ /* session-wide random string */
+ char scramble[max(SCRAMBLE_LENGTH,SCRAMBLE_LENGTH_323)+1];
/* Set if this is the original connection, not a master or a slave we have
diff --git a/include/mysql_com.h b/include/mysql_com.h
index e5782235934..87cedafb93d 100644
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -318,9 +318,9 @@ void randominit(struct rand_struct *, unsigned long seed1,
double my_rnd(struct rand_struct *);
void create_random_string(char *to, uint length, struct rand_struct *rand_st);
-void hash_password(ulong *to, const char *password);
+void hash_password(ulong *to, const char *password, uint password_len);
void make_scrambled_password_323(char *to, const char *password);
-char *scramble_323(char *to, const char *message, const char *password);
+void scramble_323(char *to, const char *message, const char *password);
my_bool check_scramble_323(const char *, const char *message,
unsigned long *salt);
void get_salt_from_password_323(unsigned long *res, const char *password);
-- cgit v1.2.1
From 715f8747d49bec27ae4948e74e18247dc4e9d52b Mon Sep 17 00:00:00 2001
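Review bot: `char scramble[max(SCRAMBLE_LENGTH,SCRAMBLE_LENGTH_323)+1]` makes the array bound of the public `MYSQL` struct depend on a `max` macro that mysql.h does not define itself, so unless every client build is guaranteed to have it, applications including only mysql.h will fail to compile (the "few compile-time bugs fixed" commit below replaces the bound with `SCRAMBLE_LENGTH+1`). Since one buffer now serves both protocols, `/* session-wide random string */` should say what it holds: `/* random challenge received from the server, NUL-terminated; SCRAMBLE_LENGTH_323 bytes from a pre-4.1.1 server, SCRAMBLE_LENGTH bytes otherwise */`. Giving `hash_password` a `password_len` parameter in the mysql_com.h hunk is an improvement, since it presumably lets callers hash input that is not NUL-terminated; a comment stating whether `password_len` counts bytes and whether a NUL is still required would pin that down. `struct st_mysql` starts and ends outside the hunk.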
From: "kostja@oak.local" <>
Date: Fri, 18 Jul 2003 18:57:21 +0400
Subject: few compile-time bugs fixed
---
include/mysql.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/mysql.h b/include/mysql.h
index 079808d9ba7..10bacffb2b1 100644
--- a/include/mysql.h
+++ b/include/mysql.h
@@ -229,7 +229,7 @@ typedef struct st_mysql
my_bool reconnect; /* set to 1 if automatic reconnect */
/* session-wide random string */
- char scramble[max(SCRAMBLE_LENGTH,SCRAMBLE_LENGTH_323)+1];
+ char scramble[SCRAMBLE_LENGTH+1];
/* Set if this is the original connection, not a master or a slave we have
-- cgit v1.2.1
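Review bot: `char scramble[SCRAMBLE_LENGTH+1]` is only large enough for the legacy challenge while `SCRAMBLE_LENGTH >= SCRAMBLE_LENGTH_323`; the `max(...)` it replaces stated that invariant, and it holds today (20 versus 8 by the earlier definitions) but is no longer visible at the declaration. Add a comment, e.g. `/* holds either protocol's challenge; relies on SCRAMBLE_LENGTH >= SCRAMBLE_LENGTH_323 */`, or a compile-time check next to the two definitions in mysql_com.h, so a later change to either constant cannot silently undersize the buffer. `struct st_mysql` starts and ends outside the hunk.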