On Mon, 7 Oct 2024 at 21:08, Sergei Golubchik <serg@mariadb.org> wrote:
Hi, Nikita,
On Oct 07, Nikita Malyavin wrote:
revision-id: b17308e254a (mariadb-11.6.1-10-gb17308e254a) parent(s): e8021aaf28e author: Nikita Malyavin committer: Nikita Malyavin timestamp: 2024-10-04 01:33:47 +0200 message:
MDEV-34854 Parsec sends garbage when using an empty password
When an empty password is set, the server doesn't call st_mysql_auth::hash_password and leaves MYSQL_SERVER_AUTH_INFO::auth_string empty.
Fix: generate hashes for empty passwords as well. This breaks some auth plugins, so we increment interface version and do it only from Auth V. 2.03.
Some empty passwords could be already stored with no though. The user
"with no though" ?
with none. All empty passwords. All empty passwords have no ext-salt stored.
will have to call SET PASSWORD once again, anyway the authentication wouldn't have worked for such password.
ok, I presume you mean ed25519 only, because mysql_native_password worked with an empty password and it generates an empty hash for it.
No, this is only about those users, who could set an empty password for PARSEC plugin within the last two months.
diff --git a/mysql-test/suite/plugins/r/parsec.result b/mysql-test/suite/plugins/r/parsec.result index 512c066e2d7..b7e3537af29 100644 --- a/mysql-test/suite/plugins/r/parsec.result +++ b/mysql-test/suite/plugins/r/parsec.result ... let's add ed25519 test too, for completeness.
I guess it will not work with empty password, just as before? I'll check anyway.
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 2722ea2ea19..ba05a5656c5 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2402,7 +2402,10 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user, res= ER_NOT_VALID_PASSWORD; goto end; } - if (pwtext.length) + + // Starting from version 2.03 we also generate hash for empty passwords. + if ((info->interface_version >= MYSQL_AUTH_INTERFACE_VERSION_2_03
I don't understand this MYSQL_AUTH_INTERFACE_VERSION_2_03 thing. First, again, that's not how a version is supposed to work. Second, this empty-password change isn't a change in the API.
You can simply start calling hash_password() for empty passwords and it'll just work. I've tried :)
I've tried, and I had main.set_password failing, exactly with mysql_old_password . This is why I decided to simply alter the version and leave mysql_old_password as it is, without figuring out the problem.
+ && pwtext.str) || pwtext.length) { if (info->hash_password) {
Regards, Sergei Chief Architect, MariaDB Server and security@mariadb.org
-- Yours truly, Nikita Malyavin