Re: [Maria-developers] 9ec0b36ee8b: MDEV-28838 password_reuse_check plugin mixes username and password

4 Jul 2022

Hi, Oleksandr,

On Jul 04, Oleksandr Byelkin wrote:
...
revision-id: 9ec0b36ee8b (mariadb-10.7.4-27-g9ec0b36ee8b)
parent(s): ac0af4ec4ab
author: Oleksandr Byelkin
committer: Oleksandr Byelkin
timestamp: 2022-06-29 17:25:44 +0200
message:
MDEV-28838 password_reuse_check plugin mixes username and password
To prevent the problem of mixing user name and password and
host name and user name we add length of the hostname and user name
to the hash.

diff --git a/plugin/password_reuse_check/password_reuse_check.c b/plugin/password_reuse_check/password_reuse_check.c
index ff0364ce007..4d07cda878a 100644
--- a/plugin/password_reuse_check/password_reuse_check.c
+++ b/plugin/password_reuse_check/password_reuse_check.c
@@ -165,9 +166,11 @@ static int validate(const MYSQL_CONST_LEX_STRING *username,
     return 1;
   }
-  memcpy(buff, hostname->str, hostname->length);
-  memcpy(buff + hostname->length, username->str, username->length);
-  memcpy(buff + hostname->length + username->length, password->str,
+  int2store(buff, hostname->length);
+  int2store(buff + 2, username->length);
+  memcpy(buff + 4, hostname->str, hostname->length);
+  memcpy(buff + 4 + hostname->length, username->str, username->length);
+  memcpy(buff + 4 + hostname->length + username->length, password->str,
           password->length);
why? let's use the standard length,string format, why risk inventing
something unusual here for no benefits at all? I'd do like:

  static char *store_str(char *to, MYSQL_CONST_LEX_STRING from)
  {
    int2store(to, from.length);
    memcpy(to+2, from.str, from.length);
    return to+2+from.length;
  }

  and

  buff= store_str(buff, hostname);
  buff= store_str(buff, username);
  buff= store_str(buff, password);
...
buff[key_len]= 0;
   memset(hash, 0, sizeof(hash));
@@ -235,7 +238,7 @@ maria_declare_plugin(password_reuse_check)
   0x0100,
^^^ this should be 0x0101 (or 0x0200 as I suggest below)
...
NULL,
   sysvars,
-  "1.0",
+  "1.1",
make it 2.0 please, this is an incompatible change
...
MariaDB_PLUGIN_MATURITY_GAMMA
 }
 maria_declare_plugin_end;
Regards,
Sergei
VP of MariaDB Server Engineering
and security@mariadb.org

    

Sergei Golubchik

tags

participants (1)