Commit fa7d0c4f authored by Sergei Golubchik's avatar Sergei Golubchik

MDEV-3909 remote user enumeration

instead of returning Access denied on the incorrect user name,
emulate the complete failed logic procedure, possibly with
the change plugin packet.
parent 82c022f2
optimize table mysql.user;
Table Op Msg_type Msg_text
mysql.user optimize status OK
insert mysql.user (user,plugin) values ('foo','bar'),('bar','bar'),('baz','bar');
Warnings:
Warning 1364 Field 'ssl_cipher' doesn't have a default value
Warning 1364 Field 'x509_issuer' doesn't have a default value
Warning 1364 Field 'x509_subject' doesn't have a default value
Warning 1364 Field 'auth_string' doesn't have a default value
flush privileges;
connect(localhost,u1,,test,MASTER_PORT,MASTER_SOCKET);
ERROR HY000: Plugin 'bar' is not loaded
connect(localhost,u2,,test,MASTER_PORT,MASTER_SOCKET);
ERROR 28000: Access denied for user 'u2'@'localhost' (using password: NO)
connect(localhost,u2,password,test,MASTER_PORT,MASTER_SOCKET);
ERROR 28000: Access denied for user 'u2'@'localhost' (using password: YES)
ERROR HY000: Plugin 'bar' is not loaded
ERROR 28000: Access denied for user 'u2'@'localhost' (using password: NO)
ERROR 28000: Access denied for user 'u2'@'localhost' (using password: YES)
delete from mysql.user where plugin = 'bar';
flush privileges;
source include/not_embedded.inc;
#
# MDEV-3909 remote user enumeration
#
# verify that for some failed login attemps (with wrong user names)
# the server requests a plugin
#
optimize table mysql.user;
insert mysql.user (user,plugin) values ('foo','bar'),('bar','bar'),('baz','bar');
flush privileges;
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_PLUGIN_IS_NOT_LOADED
connect (fail,localhost,u1);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (fail,localhost,u2);
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT
--error ER_ACCESS_DENIED_ERROR
connect (fail,localhost,u2,password);
--error ER_PLUGIN_IS_NOT_LOADED
change_user u1;
--error ER_ACCESS_DENIED_ERROR
change_user u2;
--error ER_ACCESS_DENIED_ERROR
change_user u2,password;
delete from mysql.user where plugin = 'bar';
flush privileges;
......@@ -7056,6 +7056,7 @@ struct MPVIO_EXT : public MYSQL_PLUGIN_VIO
} cached_server_packet;
int packets_read, packets_written; ///< counters for send/received packets
uint connect_errors; ///< if there were connect errors for this host
bool make_it_fail;
/** when plugin returns a failure this tells us what really happened */
enum { SUCCESS, FAILURE, RESTART } status;
};
......@@ -7322,14 +7323,14 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio,
/**
Finds acl entry in user database for authentication purposes.
Finds a user and copies it into mpvio. Reports an authentication
failure if a user is not found.
Finds a user and copies it into mpvio. Creates a fake user
if no matching user account is found.
@note find_acl_user is not the same, because it doesn't take into
account the case when user is not empty, but acl_user->user is empty
@retval 0 found
@retval 1 not found
@retval 1 error
*/
static bool find_mpvio_user(MPVIO_EXT *mpvio, Security_context *sctx)
......@@ -7351,8 +7352,27 @@ static bool find_mpvio_user(MPVIO_EXT *mpvio, Security_context *sctx)
if (!mpvio->acl_user)
{
login_failed_error(mpvio->thd);
return 1;
/*
A matching user was not found. Fake it. Take any user, make the
authentication fail later.
This way we get a realistically looking failure, with occasional
"change auth plugin" requests even for nonexistent users. The ratio
of "change auth plugin" request will be the same for real and
nonexistent users.
Note, that we cannot pick any user at random, it must always be
the same user account for the incoming sctx->user name.
*/
ulong nr1=1, nr2=4;
CHARSET_INFO *cs= &my_charset_latin1;
cs->coll->hash_sort(cs, (uchar*) sctx->user, strlen(sctx->user), &nr1, &nr2);
pthread_mutex_lock(&acl_cache->lock);
uint i= nr1 % acl_users.elements;
ACL_USER *acl_user_tmp= dynamic_element(&acl_users, i, ACL_USER*);
mpvio->acl_user= acl_user_tmp->copy(mpvio->thd->mem_root);
pthread_mutex_unlock(&acl_cache->lock);
mpvio->make_it_fail= true;
}
/* user account requires non-default plugin and the client is too old */
......@@ -7763,8 +7783,8 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
mpvio->cached_server_packet.pkt_len))
return packet_error;
passwd_len= my_net_read(&mpvio->thd->net);
passwd = (char*)mpvio->thd->net.read_pos;
passwd_len= my_net_read(&thd->net);
passwd= (char*)thd->net.read_pos;
}
*buff= (uchar*)passwd;
......@@ -7868,6 +7888,10 @@ static int server_mpvio_read_packet(MYSQL_PLUGIN_VIO *param, uchar **buf)
*buf= (uchar*)mpvio->cached_client_reply.pkt;
mpvio->cached_client_reply.pkt= 0;
mpvio->packets_read++;
if (mpvio->make_it_fail)
goto err;
return (int)mpvio->cached_client_reply.pkt_len;
}
/*
......@@ -7901,12 +7925,18 @@ static int server_mpvio_read_packet(MYSQL_PLUGIN_VIO *param, uchar **buf)
else
*buf = mpvio->thd->net.read_pos;
if (mpvio->make_it_fail)
goto err;
return (int)pkt_len;
err:
if (mpvio->status == MPVIO_EXT::FAILURE && !mpvio->thd->is_error())
{
inc_host_errors(&mpvio->thd->net.vio->remote.sin_addr);
if (mpvio->make_it_fail)
login_failed_error(mpvio->thd);
else
my_error(ER_HANDSHAKE_ERROR, MYF(0));
}
return -1;
......@@ -8116,6 +8146,7 @@ bool acl_authenticate(THD *thd, uint connect_errors,
mpvio.thd= thd;
mpvio.connect_errors= connect_errors;
mpvio.status= MPVIO_EXT::FAILURE;
mpvio.make_it_fail= false;
if (command == COM_CHANGE_USER)
{
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment