Hi, Nikita,

On Oct 07, Nikita Malyavin wrote:
On Mon, 7 Oct 2024 at 21:08, Sergei Golubchik <serg@mariadb.org> wrote:
--- a/mysql-test/suite/plugins/r/parsec.result +++ b/mysql-test/suite/plugins/r/parsec.result ...
let's add ed25519 test too, for completeness.
I guess it will not work with empty password, just as before? I'll check anyway.
It will not, of course, its hash_password callback starts from
  if (*dlen < PASSWORD_LEN || pwlen == 0) return 1;
I mean, perhaps it'd make sense to remove this "|| pwlen == 0" part and allow it to run with empty passwords?
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 2722ea2ea19..ba05a5656c5 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2402,7 +2402,10 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user, res= ER_NOT_VALID_PASSWORD; goto end; } - if (pwtext.length) + + // Starting from version 2.03 we also generate hash for empty passwords. + if ((info->interface_version >= MYSQL_AUTH_INTERFACE_VERSION_2_03
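Review bot: in the condition that replaces `if (pwtext.length)`, gating on `info->interface_version >= MYSQL_AUTH_INTERFACE_VERSION_2_03` makes empty-password hashing depend on the interface version the plugin reports, and the added comment says "version 2.03" without naming what is versioned. If the gate stays, the comment should say that it is the auth plugin interface version and why older plugins must keep skipping hash_password() for an empty pwtext. The rest of the condition is cut off in this quote, so how it combines with `pwtext.length` cannot be checked here.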
I don't understand this MYSQL_AUTH_INTERFACE_VERSION_2_03 thing. First, again, that's not how a version is supposed to work. Second, this empty-password change isn't a change in the API.
You can simply start calling hash_password() for empty passwords and it'll just work. I've tried :)
I've tried, and I had main.set_password failing, exactly with mysql_old_password. This is why I decided to simply alter the version and leave mysql_old_password as it is, without figuring out the problem.
I see. It was failing if you simply remove pwtext.length check, because you called hash_password() when password hash was already provided. This is how to enable hash_password() for empty passwords:
--- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2341,7 +2341,7 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user, res= ER_NOT_VALID_PASSWORD; goto end; } - if (pwtext.length) + if (!auth->auth_string.length) { if (info->hash_password) { @@ -2356,7 +2356,7 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user, auth->auth_string.str= (char*)memdup_root(&acl_memroot, buf, len+1); auth->auth_string.length= len; } - else + else if (pwtext.length) { res= ER_SET_PASSWORD_AUTH_PLUGIN; goto end;
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org
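Review bot: in the first hunk (@@ -2341), `if (!auth->auth_string.length)` now sends a zero-length pwtext into the `info->hash_password` branch, so every plugin's hash_password() has to cope with an empty password; the ed25519 callback quoted earlier in this thread returns 1 when `pwlen == 0`. A one-line comment that the test means "no hash was supplied" would help, along with an empty-password test for each plugin that provides hash_password().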
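Review bot: in the second hunk (@@ -2356), `else if (pwtext.length)` means a plugin without hash_password and an empty pwtext now falls through with no error and auth_string left empty. A short comment saying that an empty password needs no hashing for such plugins would make it clear this is intended and not a missed ER_SET_PASSWORD_AUTH_PLUGIN case.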