More work on secure authentication. Commit for merge

ecedc7ac · peter@mysql.com · 334ffec5 · ecedc7ac · ecedc7ac · ecedc7ac
Commit ecedc7ac authored Nov 05, 2002 by peter@mysql.com
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 11 deletions

include/mysql_com.h include/mysql_com.h +1 -1

sql/password.c sql/password.c +14 -6

sql/sql_acl.cc sql/sql_acl.cc +7 -3

sql/sql_parse.cc sql/sql_parse.cc +4 -1

No files found.
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -284,7 +284,7 @@ void make_scrambled_password(char *to,const char *password,my_bool force_old_scr
 uint get_password_length(my_bool force_old_scramble);
 uint8 get_password_version(const char* password);
 void get_salt_from_password(unsigned long *res,const char *password);
-void make_password_from_salt(char *to, unsigned long *hash_res);
+void make_password_from_salt(char *to, unsigned long *hash_res, uint8 password_version);
 char *scramble(char *to,const char *message,const char *password,
 	       my_bool old_ver);
 my_bool check_scramble(const char *, const char *message,

--- a/sql/password.c
+++ b/sql/password.c
@@ -166,24 +166,26 @@ inline uint char_val(char X)
 ** This code detects new version password by leading char. 
 ** Old password has to be divisible by 8 length
 ** do not forget to increase array length if you need longer passwords
+** THIS FUNCTION DOES NOT HAVE ANY LENGTH CHECK 
 */

 void get_salt_from_password(ulong *res,const char *password)
 {
-  bzero(res,5*sizeof(res[0]));
-  if (password)
+  bzero(res,6*sizeof(res[0]));
+  if (password) // zero salt corresponds to empty password 
  {
    if (password[0]==PVERSION41_CHAR) // if new password
    {
      uint val=0;
      uint i;
      password++; // skip version identifier.
-      //get hashing salt from password and store in in the start of array
      
+      //get hashing salt from password and store in in the start of array      
      for (i=0 ; i < 4 ; i++)
 	val=(val << 4)+char_val(*password++);
      *res++=val; 
    }
+     // We process old passwords the same way as new ones in other case
    while (*password)
    {
      ulong val=0;
@@ -196,10 +198,16 @@ void get_salt_from_password(ulong *res,const char *password)
  return;
 }

-void make_password_from_salt(char *to, ulong *hash_res)
+void make_password_from_salt(char *to, ulong *hash_res,uint8 password_version)
 {
-  // warning this does not work for new passwords yet
-  sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);
+  if (!password_version) // Handling of old passwords.
+    sprintf(to,"%08lx%08lx",hash_res[0],hash_res[1]);
+  else
+    if (password_version==PVERSION41_CHAR)
+      sprintf(to,"%c%04x%08lx%08lx%08lx%08lx%08lx",(uint)hash_res[0],hash_res[1],
+              hash_res[2],hash_res[3],hash_res[4],hash_res[5]);
+    else // Just use empty password if we can't handle it. This should not happen
+      to[0]='\0';
 }



--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -32,7 +32,7 @@
 #include <assert.h>
 #include <stdarg.h>

-extern uint connection_auth_flag;
+extern uint connection_auth_flag; // any better way to do it ?

 struct acl_host_and_ip
 {
@@ -329,7 +329,7 @@ my_bool acl_init(bool dont_read_acl_tables)
     connection_auth_flag=CLIENT_SECURE_CONNECTION;
    else connection_auth_flag=CLIENT_LONG_PASSWORD; 
  }
-  printf("Set flag after read: %d\n",connection_auth_flag);
+  printf("Set flag after read: %d\n",connection_auth_flag); /* DEBUG to be removed */
  init_read_record(&read_record_info,thd,table=tables[2].table,NULL,1,0);
  VOID(my_init_dynamic_array(&acl_dbs,sizeof(ACL_DB),50,100));
  while (!(read_record_info.read_record(&read_record_info)))
@@ -746,6 +746,10 @@ static void acl_insert_user(const char *user, const char *host,
    acl_user.password=(char*) "";		// Just point at something
    get_salt_from_password(acl_user.salt,password);
    acl_user.pversion=get_password_version(acl_user.password);
+    if (acl_user.pversion)
+      connection_auth_flag|=CLIENT_SECURE_CONNECTION;
+    else
+      connection_auth_flag|=CLIENT_LONG_PASSWORD;
  }

  VOID(push_dynamic(&acl_users,(gptr) &acl_user));
@@ -2844,7 +2848,7 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
    if (acl_user->password)
    {
      char passd_buff[HASH_PASSWORD_LENGTH+1];
-      make_password_from_salt(passd_buff,acl_user->salt);
+      make_password_from_salt(passd_buff,acl_user->salt,acl_user->pversion);
      global.append(" IDENTIFIED BY PASSWORD '",25);
      global.append(passd_buff);
      global.append('\'');

--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -51,6 +51,8 @@
 #define TRANS_MEM_ROOT_BLOCK_SIZE 4096
 #define TRANS_MEM_ROOT_PREALLOC   4096

+extern uint connection_auth_flag;
+
 extern int yyparse(void);
 extern "C" pthread_mutex_t THR_LOCK_keycache;
 #ifdef SOLARIS
@@ -504,7 +506,8 @@ check_connections(THD *thd)
  {
    /* buff[] needs to big enough to hold the server_version variable */
    char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH+32],*end;
-    int client_flags = CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB | CLIENT_PROTOCOL_41;
+    int client_flags = CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB | 
+                       CLIENT_PROTOCOL_41 | connection_auth_flag;

    if (opt_using_transactions)
      client_flags|=CLIENT_TRANSACTIONS;