Hi, Nikita,

On Oct 07, Nikita Malyavin wrote:
revision-id: b17308e254a (mariadb-11.6.1-10-gb17308e254a)
parent(s): e8021aaf28e
author: Nikita Malyavin
committer: Nikita Malyavin
timestamp: 2024-10-04 01:33:47 +0200
message:
MDEV-34854 Parsec sends garbage when using an empty password
When an empty password is set, the server doesn't call st_mysql_auth::hash_password and leaves MYSQL_SERVER_AUTH_INFO::auth_string empty.
Fix: generate hashes for empty passwords as well. This breaks some auth plugins, so we increment interface version and do it only from Auth V. 2.03.
Some empty passwords could be already stored with no though. The user
"with no though" ?
will have to call SET PASSWORD once again; anyway, the authentication wouldn't have worked for such a password.
ok, I presume you mean ed25519 only, because mysql_native_password worked with an empty password and it generates an empty hash for it.
diff --git a/mysql-test/suite/plugins/r/parsec.result b/mysql-test/suite/plugins/r/parsec.result index 512c066e2d7..b7e3537af29 100644 --- a/mysql-test/suite/plugins/r/parsec.result +++ b/mysql-test/suite/plugins/r/parsec.result ... let's add ed25519 test too, for completeness.
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 2722ea2ea19..ba05a5656c5 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -2402,7 +2402,10 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user, res= ER_NOT_VALID_PASSWORD; goto end; } - if (pwtext.length) + + // Starting from version 2.03 we also generate hash for empty passwords. + if ((info->interface_version >= MYSQL_AUTH_INTERFACE_VERSION_2_03
I don't understand this MYSQL_AUTH_INTERFACE_VERSION_2_03 thing. First, again, that's not how a version is supposed to work. Second, this empty-password change isn't a change in the API. You can simply start calling hash_password() for empty passwords and it'll just work. I've tried :)
+ && pwtext.str) || pwtext.length) { if (info->hash_password) {
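Review bot: the new comment above the `if` explains the version gate but not the `pwtext.str` test, which is what actually separates "no password supplied" (NULL `str`) from "an explicit empty password" (non-NULL `str`, zero `length`); spell that out in the comment, e.g. `// pwtext.str != NULL with length 0 is an explicit empty password`, so a later reader does not simplify the condition back to `pwtext.length`. The stray empty `+` line added before the comment should also go.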
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org