From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: kostja@tarantool.org
Cc: tarantool-patches@freelists.org
Subject: [PATCH v2] auth: fix empty password authentication
Date: Mon, 15 Jul 2019 19:26:12 +0300
Message-ID: <704d9c5686cb5bacfa53a7459a2eea411812bcc5.1563207875.git.vdavydov.dev@gmail.com>

We are supposed to authenticate the guest user without a password. This used to work before commit 076a842011e0 ("Permit empty passwords in net.box"), when guest didn't have any password. Now it has an empty password and the check in authenticate turns out to be broken, which breaks assumptions made by certain connectors. This patch fixes the check.

Closes #4327
---
https://github.com/tarantool/tarantool/issues/4327
https://github.com/tarantool/tarantool/tree/dv/gh-4327-fix-empty-password-auth

Changes in v2:
- Don't change the way net.box treats absence of a password. Just fix the issue in question.

v1: https://www.freelists.org/post/tarantool-patches/PATCH-auth-fix-empty-password-authentication

src/box/authentication.cc | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/src/box/authentication.cc b/src/box/authentication.cc index 811974cb..b0459a5b 100644 --- a/src/box/authentication.cc +++ b/src/box/authentication.cc @@ -33,8 +33,13 @@ #include "session.h" #include "msgpuck.h" #include "error.h" +#include "third_party/base64.h" -static char zero_hash[SCRAMBLE_SIZE]; +/** + * chap-sha1 of empty string, i.e. + * base64_encode(sha1(sha1(""), 0) + */ +static const char *CHAP_SHA1_EMPTY_PASSWORD = "vhvewKp0tNyweZQ+cFKAlsyphfg="; void authenticate(const char *user_name, uint32_t len, const char *salt, 
@@ -52,10 +57,14 @@ authenticate(const char *user_name, uint32_t len, const char *salt, * pooling. */ part_count = mp_decode_array(&tuple); - if (part_count == 0 && user->def->uid == GUEST && - memcmp(user->def->hash2, zero_hash, SCRAMBLE_SIZE) == 0) { - /* No password is set for GUEST, OK. */ - goto ok; + if (part_count == 0 && user->def->uid == GUEST) { + char hash2[SCRAMBLE_SIZE]; + base64_decode(CHAP_SHA1_EMPTY_PASSWORD, SCRAMBLE_BASE64_SIZE, + hash2, SCRAMBLE_SIZE); + if (memcmp(user->def->hash2, hash2, SCRAMBLE_SIZE) == 0) { + /* Empty password is set, OK. */ + goto ok; + } } access_check_session_xc(user); @@ -90,11 +99,11 @@ authenticate(const char *user_name, uint32_t len, const char *salt, diag_raise(); tnt_raise(ClientError, ER_PASSWORD_MISMATCH, user->def->name); } +ok: /* check and run auth triggers on success */ if (! rlist_empty(&session_on_auth) && session_run_on_auth_triggers(&auth_res) != 0) diag_raise(); -ok: credentials_init(&session->credentials, user->auth_token, user->def->uid); } -- 2.11.0
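Review bot: In the first hunk (@@ -33,8 +33,13 @@) the new comment `base64_encode(sha1(sha1(""), 0)` has unbalanced parentheses and the trailing `, 0` reads like a stray length argument; suggest `base64_encode(sha1(sha1("")))`. Consider also keeping the decoded 20-byte hash in a `static char` array filled once at init instead of the base64 string, which would remove the need for `third_party/base64.h` in this file.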
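Review bot: In the second hunk (@@ -52,10 +57,14 @@) the return value of `base64_decode(CHAP_SHA1_EMPTY_PASSWORD, SCRAMBLE_BASE64_SIZE, hash2, SCRAMBLE_SIZE)` is ignored, so if fewer than SCRAMBLE_SIZE bytes were produced the `memcmp` would compare against uninitialized stack bytes; assert that the decoded length equals SCRAMBLE_SIZE. Since the constant never changes, decoding it once (a static or an init-time step) rather than on every guest authentication would be cleaner than the per-call decode into a local `hash2`.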
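Review bot: In the third hunk (@@ -90,11 +99,11 @@) moving the `ok:` label above the trigger block changes behaviour for the guest empty-password path: the `goto ok` from the earlier hunk now runs `session_run_on_auth_triggers(&auth_res)`, which it previously skipped, and the commit message does not mention this. Please state it explicitly and confirm that `auth_res` is fully initialized on that early path, since the jump bypasses the code between the guest check and the label.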