fixed getting double SHA1 in mysql_native_password auth plugin

2024-11-21 23:21:59 +00:00 · 2019-12-06 04:30:01 +03:00 · 2019-12-06 04:30:01 +03:00 · 6c8e2d8b85
commit 6c8e2d8b85
parent e91d4722a4
5 changed files with 46 additions and 8 deletions
--- a/dbms/src/Access/Authentication.cpp
+++ b/dbms/src/Access/Authentication.cpp
@ -160,6 +160,35 @@ void Authentication::setPasswordHashBinary(const Digest & hash)
 }


+Digest Authentication::getPasswordDoubleSHA1() const
+{
+    switch (type)
+    {
+        case NO_PASSWORD:
+        {
+            Poco::SHA1Engine engine;
+            return engine.digest();
+        }
+
+        case PLAINTEXT_PASSWORD:
+        {
+            Poco::SHA1Engine engine;
+            engine.update(getPassword());
+            const Digest & first_sha1 = engine.digest();
+            engine.update(first_sha1.data(), first_sha1.size());
+            return engine.digest();
+        }
+
+        case SHA256_PASSWORD:
+            throw Exception("Cannot get password double SHA1 for user with 'SHA256_PASSWORD' authentication.", ErrorCodes::BAD_ARGUMENTS);
+
+        case DOUBLE_SHA1_PASSWORD:
+            return password_hash;
+    }
+    throw Exception("Unknown authentication type: " + std::to_string(static_cast<int>(type)), ErrorCodes::LOGICAL_ERROR);
+}
+
+
 bool Authentication::isCorrectPassword(const String & password_) const
 {
    switch (type)
--- a/dbms/src/Access/Authentication.h
+++ b/dbms/src/Access/Authentication.h
@ -49,6 +49,10 @@ public:
    void setPasswordHashBinary(const Digest & hash);
    const Digest & getPasswordHashBinary() const { return password_hash; }

+    /// Returns SHA1(SHA1(password)) used by MySQL compatibility server for authentication.
+    /// Allowed to use for Type::NO_PASSWORD, Type::PLAINTEXT_PASSWORD, Type::DOUBLE_SHA1_PASSWORD.
+    Digest getPasswordDoubleSHA1() const;
+
    /// Checks if the provided password is correct. Returns false if not.
    bool isCorrectPassword(const String & password) const;

--- a/dbms/src/Core/MySQLProtocol.h
+++ b/dbms/src/Core/MySQLProtocol.h
@ -953,11 +953,7 @@ public:

        auto user = context.getUser(user_name);

-        const DB::Authentication::Type user_auth_type = user->authentication.getType();
-        if (user_auth_type != DB::Authentication::DOUBLE_SHA1_PASSWORD && user_auth_type != DB::Authentication::PLAINTEXT_PASSWORD && user_auth_type != DB::Authentication::NO_PASSWORD)
-            throw Exception("Cannot use " + getName() + " auth plugin for user " + user_name + " since its password isn't specified using double SHA1 or plaintext.", ErrorCodes::UNKNOWN_EXCEPTION);
-
-        Poco::SHA1Engine::Digest double_sha1_value = user->authentication.getPasswordHashBinary();
+        Poco::SHA1Engine::Digest double_sha1_value = user->authentication.getPasswordDoubleSHA1();
        assert(double_sha1_value.size() == Poco::SHA1Engine::DIGEST_SIZE);

        Poco::SHA1Engine engine;
--- a/dbms/tests/integration/test_mysql_protocol/configs/users.xml
+++ b/dbms/tests/integration/test_mysql_protocol/configs/users.xml
@ -15,6 +15,16 @@
            <quota>default</quota>
        </default>

+        <user_with_sha256>
+            <!-- echo -n abacaba | openssl dgst -sha256 !-->
+            <password_sha256_hex>65e84be33532fb784c48129675f9eff3a682b27168c0ea744b2cf58ee02337c5</password_sha256_hex>
+            <networks incl="networks" replace="replace">
+                <ip>::/0</ip>
+            </networks>
+            <profile>default</profile>
+            <quota>default</quota>
+        </user_with_sha256>
+
        <user_with_double_sha1>
            <!-- echo -n abacaba | openssl dgst -sha1 -binary | openssl dgst -sha1 !-->
            <password_double_sha1_hex>e395796d6546b1b65db9d665cd43f0e858dd4303</password_double_sha1_hex>
--- a/dbms/tests/integration/test_mysql_protocol/test.py
+++ b/dbms/tests/integration/test_mysql_protocol/test.py
@ -250,13 +250,12 @@ def test_php_client(server_address, php_container):


 def test_mysqljs_client(server_address, nodejs_container):
-    code, (_, stderr) = nodejs_container.exec_run('node test.js {host} {port} default 123'.format(host=server_address, port=server_port), demux=True)
+    code, (_, stderr) = nodejs_container.exec_run('node test.js {host} {port} user_with_sha256 abacaba'.format(host=server_address, port=server_port), demux=True)
    assert code == 1
    assert 'MySQL is requesting the sha256_password authentication method, which is not supported.' in stderr

    code, (_, stderr) = nodejs_container.exec_run('node test.js {host} {port} user_with_empty_password ""'.format(host=server_address, port=server_port), demux=True)
-    assert code == 1
-    assert 'MySQL is requesting the sha256_password authentication method, which is not supported.' in stderr
+    assert code == 0

    code, (_, _) = nodejs_container.exec_run('node test.js {host} {port} user_with_double_sha1 abacaba'.format(host=server_address, port=server_port), demux=True)
    assert code == 0