Tarantool development patches archive
 help / color / mirror / Atom feed
From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: Konstantin Osipov <kostja@tarantool.org>
Cc: tarantool-patches@freelists.org
Subject: Re: [PATCH v2] auth: fix empty password authentication
Date: Wed, 17 Jul 2019 14:51:07 +0300	[thread overview]
Message-ID: <20190717115107.nbvubbkhz3d7hmat@esperanza> (raw)
In-Reply-To: <20190715195205.GC4099@atlas>

On Mon, Jul 15, 2019 at 10:52:05PM +0300, Konstantin Osipov wrote:
> > +/**
> > + * chap-sha1 of empty string, i.e.
> > + * base64_encode(sha1(sha1(""), 0)
> > + */
> > +static const char *CHAP_SHA1_EMPTY_PASSWORD = "vhvewKp0tNyweZQ+cFKAlsyphfg=";
> 
> Do you insist on copy-pasting it from alter.cc?

Thought you wouldn't notice :-)

> >  void
> >  authenticate(const char *user_name, uint32_t len, const char *salt,
> > @@ -52,10 +57,14 @@ authenticate(const char *user_name, uint32_t len, const char *salt,
> >  	 * pooling.
> >  	 */
> >  	part_count = mp_decode_array(&tuple);
> > -	if (part_count == 0 && user->def->uid == GUEST &&
> > -	    memcmp(user->def->hash2, zero_hash, SCRAMBLE_SIZE) == 0) {
> > -		/* No password is set for GUEST, OK. */
> > -		goto ok;
> > +	if (part_count == 0 && user->def->uid == GUEST) {
> > +		char hash2[SCRAMBLE_SIZE];
> > +		base64_decode(CHAP_SHA1_EMPTY_PASSWORD, SCRAMBLE_BASE64_SIZE,
> > +			      hash2, SCRAMBLE_SIZE);
> > +		if (memcmp(user->def->hash2, hash2, SCRAMBLE_SIZE) == 0) {
> > +			/* Empty password is set, OK. */
> > +			goto ok;
> > +		}
> 
> I think we're still misunderstanding each other. Both zero hash
> and empty string should work. We should become more permissive,
> not less.

Sorry for misunderstanding. Fixed. See the new patch below and on
the branch.

From c185a3872dc2cd86a383e72d9544ec5b97a9dc8d Mon Sep 17 00:00:00 2001
From: Vladimir Davydov <vdavydov.dev@gmail.com>
Date: Wed, 17 Jul 2019 14:41:26 +0300
Subject: [PATCH] auth: fix empty password authentication

We are supposed to authenticate guest user without a password. This
used to work before commit 076a842011e0 ("Permit empty passwords in
net.box"), when guest didn't have any password. Now it has an empty
password and the check in authenticate turns out to be broken, which
breaks assumptions made by certain connectors. This patch fixes the
check.

Closes #4327

diff --git a/src/box/alter.cc b/src/box/alter.cc
index 1dbfe6b2..f98a77a5 100644
--- a/src/box/alter.cc
+++ b/src/box/alter.cc
@@ -58,12 +58,6 @@
 #include "sequence.h"
 #include "sql.h"
 
-/**
- * chap-sha1 of empty string, i.e.
- * base64_encode(sha1(sha1(""), 0)
- */
-#define CHAP_SHA1_EMPTY_PASSWORD "vhvewKp0tNyweZQ+cFKAlsyphfg="
-
 /* {{{ Auxiliary functions and methods. */
 
 static void
diff --git a/src/box/authentication.cc b/src/box/authentication.cc
index 811974cb..fdad7395 100644
--- a/src/box/authentication.cc
+++ b/src/box/authentication.cc
@@ -33,6 +33,7 @@
 #include "session.h"
 #include "msgpuck.h"
 #include "error.h"
+#include "third_party/base64.h"
 
 static char zero_hash[SCRAMBLE_SIZE];
 
@@ -52,10 +53,14 @@ authenticate(const char *user_name, uint32_t len, const char *salt,
 	 * pooling.
 	 */
 	part_count = mp_decode_array(&tuple);
-	if (part_count == 0 && user->def->uid == GUEST &&
-	    memcmp(user->def->hash2, zero_hash, SCRAMBLE_SIZE) == 0) {
-		/* No password is set for GUEST, OK. */
-		goto ok;
+	if (part_count == 0 && user->def->uid == GUEST) {
+		if (memcmp(user->def->hash2, zero_hash, SCRAMBLE_SIZE) == 0)
+			goto ok; /* no password is set, OK */
+		char hash2[SCRAMBLE_SIZE];
+		base64_decode(CHAP_SHA1_EMPTY_PASSWORD, SCRAMBLE_BASE64_SIZE,
+			      hash2, SCRAMBLE_SIZE);
+		if (memcmp(user->def->hash2, hash2, SCRAMBLE_SIZE) == 0)
+			goto ok; /* empty password is set, OK */
 	}
 
 	access_check_session_xc(user);
@@ -90,11 +95,11 @@ authenticate(const char *user_name, uint32_t len, const char *salt,
 			diag_raise();
 		tnt_raise(ClientError, ER_PASSWORD_MISMATCH, user->def->name);
 	}
+ok:
 	/* check and run auth triggers on success */
 	if (! rlist_empty(&session_on_auth) &&
 	    session_run_on_auth_triggers(&auth_res) != 0)
 		diag_raise();
-ok:
 	credentials_init(&session->credentials, user->auth_token,
 			 user->def->uid);
 }
diff --git a/src/box/user_def.c b/src/box/user_def.c
index 7d783771..4d9821a2 100644
--- a/src/box/user_def.c
+++ b/src/box/user_def.c
@@ -29,6 +29,9 @@
  * SUCH DAMAGE.
  */
 #include "user_def.h"
+
+const char *CHAP_SHA1_EMPTY_PASSWORD = "vhvewKp0tNyweZQ+cFKAlsyphfg=";
+
 const char *
 priv_name(user_access_t access)
 {
diff --git a/src/box/user_def.h b/src/box/user_def.h
index 8bf31c2f..98097c39 100644
--- a/src/box/user_def.h
+++ b/src/box/user_def.h
@@ -39,6 +39,11 @@
 extern "C" {
 #endif /* defined(__cplusplus) */
 
+/**
+ * chap-sha1 of empty string, i.e. base64_encode(sha1(sha1(""), 0)
+ */
+extern const char *CHAP_SHA1_EMPTY_PASSWORD;
+
 typedef uint16_t user_access_t;
 /**
  * Effective session user. A cache of user data

  reply	other threads:[~2019-07-17 11:51 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-15 16:26 Vladimir Davydov
2019-07-15 19:52 ` Konstantin Osipov
2019-07-17 11:51   ` Vladimir Davydov [this message]
2019-07-17 14:28     ` Konstantin Osipov
2019-07-17 14:49       ` Vladimir Davydov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190717115107.nbvubbkhz3d7hmat@esperanza \
    --to=vdavydov.dev@gmail.com \
    --cc=kostja@tarantool.org \
    --cc=tarantool-patches@freelists.org \
    --subject='Re: [PATCH v2] auth: fix empty password authentication' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox