MariaDB Server / MDEV-34854

Parsec sends garbage when using an empty password

Details

    Description

      About parsec authentication: when a user has an empty password, the user doesn't have an authentication_string set (visible in mysql.user).
      The exchange when creating a connection then sends unexpected data when asking for the ext-salt.

      For example, when using an empty password, the packet is:

      +--------------------------------------------------+
      |  0  1  2  3  4  5  6  7   8  9  a  b  c  d  e  f |
      +--------------------------------------------------+------------------+
      | 14 00 00 04 00 04 00 05  00 06 00 07 00 08 00 0B | ................ |
      | 00 0E 00 0F 00 10 00 13                          | ........         |
      +--------------------------------------------------+------------------+
      

      instead of something that begins with 'P0', like:

      +--------------------------------------------------+
      |  0  1  2  3  4  5  6  7   8  9  a  b  c  d  e  f |
      +--------------------------------------------------+------------------+
      | 14 00 00 04 50 00 01 A5  ED 67 34 40 70 2A E3 8A | ....P....g4@p*.. |
      | 00 A2 BB 63 6B 9C D3 13                          | ...ck...         |
      +--------------------------------------------------+------------------+
      
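      An added example, not part of the report or of the MariaDB code: a Python check that splits the MySQL packet header and validates the PARSEC ext-salt payload against the shape the second dump shows ('P', one iteration-factor byte, 18 salt bytes), run over both packets quoted above. The `1024 << factor` iteration mapping is my assumption from the PARSEC spec, not something the report states.

```python
# Added example (not from MDEV-34854): decode a MySQL packet carrying a
# PARSEC ext-salt and reject payloads that do not have the documented
# shape 'P' (0x50) + iteration-factor byte + 18 salt bytes.
from dataclasses import dataclass
from typing import Optional, Tuple

EXT_SALT_LEN = 20   # 1 ('P') + 1 (iteration factor) + 18 (salt)
SALT_LEN = 18

@dataclass
class ExtSalt:
    iteration_factor: int
    salt: bytes

    @property
    def iterations(self) -> int:
        # Assumption: PARSEC derives its PBKDF2 count as 1024 << factor.
        return 1024 << self.iteration_factor

def split_packet(raw: bytes) -> Tuple[int, bytes]:
    """Return (sequence id, payload) from the 3-byte LE length + 1-byte seq header."""
    if len(raw) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:]
    if len(payload) != length:
        raise ValueError(f"header says {length} bytes, got {len(payload)}")
    return raw[3], payload

def parse_ext_salt(payload: bytes) -> ExtSalt:
    """Validate and decode a PARSEC ext-salt payload; raise on garbage."""
    if len(payload) != EXT_SALT_LEN:
        raise ValueError(f"ext-salt must be {EXT_SALT_LEN} bytes, got {len(payload)}")
    if payload[0] != 0x50:  # b'P'
        raise ValueError(f"ext-salt must start with 'P', got 0x{payload[0]:02x}")
    return ExtSalt(iteration_factor=payload[1], salt=payload[2:2 + SALT_LEN])

# Constructed from the two hex dumps in the report (header + 20-byte payload).
GARBAGE_PACKET = bytes.fromhex("14000004" "0004000500060007" "0008000B000E000F" "00100013")
GOOD_PACKET = bytes.fromhex("14000004" "500001A5ED673440" "702AE38A00A2BB63" "6B9CD313")

def check_packet(raw: bytes) -> Optional[ExtSalt]:
    """Return the decoded ext-salt, or None when the server sent garbage."""
    try:
        return parse_ext_salt(split_packet(raw)[1])
    except ValueError as err:
        print(f"rejecting ext-salt packet: {err}")
        return None
```

The garbage packet passes the length check (both are 20-byte payloads) and is only caught by the leading 'P' check, which is why a client should validate the marker rather than the length alone.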

          Activity

            Hello Sergei!

            Since hash_password is not called for an empty password, a password derivation is not stored in the database, so I had to work around this.

            The proposed fix for 11.6 just calculates a derivation for each login attempt:
            https://github.com/MariaDB/server/commit/9e23d9cf901504c0a9c949f1d8ebded0d8675bd9

            Ironically, the intention to derive less turns upside down here.

            The other downside of this approach is that the salt will be new for each login, so it can't be pre-saved.
            I think we can make a different fix for a (next) major version, which calls hash_password for empty passwords, but I'm afraid to do so in 11.6 plugin-wise.

            Maybe we'll introduce some flag for a plugin to control this, so that old password plugins won't be affected.

            nikitamalyavin Nikita Malyavin added a comment

            I'd say, let's fix it properly and call hash_password for empty passwords.

            mysql_native_password can handle it, it won't be affected. mysql_old_password is disabled, ed25519 doesn't support empty passwords, no other plugin supports password hashing.

            serg Sergei Golubchik added a comment

            c3e28ca1178 and 06e4583a2e0 are ok to push. thanks!

            serg Sergei Golubchik added a comment

            People

              nikitamalyavin Nikita Malyavin
              diego dupin Diego Dupin