From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: kostja@tarantool.org
Cc: tarantool-patches@freelists.org
Subject: [PATCH v2] auth: fix empty password authentication
Date: Mon, 15 Jul 2019 19:26:12 +0300 [thread overview]
Message-ID: <704d9c5686cb5bacfa53a7459a2eea411812bcc5.1563207875.git.vdavydov.dev@gmail.com> (raw)
We are supposed to authenticate guest user without a password. This
used to work before commit 076a842011e0 ("Permit empty passwords in
net.box"), when guest didn't have any password. Now it has an empty
password and the check in authenticate turns out to be broken, which
breaks assumptions made by certain connectors. This patch fixes the
check.
Closes #4327
---
https://github.com/tarantool/tarantool/issues/4327
https://github.com/tarantool/tarantool/tree/dv/gh-4327-fix-empty-password-auth
Changes in v2:
- Don't change the way net.box treats absense of a password.
Just fix the issue in question.
v1: https://www.freelists.org/post/tarantool-patches/PATCH-auth-fix-empty-password-authentication
src/box/authentication.cc | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/box/authentication.cc b/src/box/authentication.cc
index 811974cb..b0459a5b 100644
--- a/src/box/authentication.cc
+++ b/src/box/authentication.cc
@@ -33,8 +33,13 @@
#include "session.h"
#include "msgpuck.h"
#include "error.h"
+#include "third_party/base64.h"
-static char zero_hash[SCRAMBLE_SIZE];
+/**
+ * chap-sha1 of empty string, i.e.
+ * base64_encode(sha1(sha1(""), 0)
+ */
+static const char *CHAP_SHA1_EMPTY_PASSWORD = "vhvewKp0tNyweZQ+cFKAlsyphfg=";
void
authenticate(const char *user_name, uint32_t len, const char *salt,
@@ -52,10 +57,14 @@ authenticate(const char *user_name, uint32_t len, const char *salt,
* pooling.
*/
part_count = mp_decode_array(&tuple);
- if (part_count == 0 && user->def->uid == GUEST &&
- memcmp(user->def->hash2, zero_hash, SCRAMBLE_SIZE) == 0) {
- /* No password is set for GUEST, OK. */
- goto ok;
+ if (part_count == 0 && user->def->uid == GUEST) {
+ char hash2[SCRAMBLE_SIZE];
+ base64_decode(CHAP_SHA1_EMPTY_PASSWORD, SCRAMBLE_BASE64_SIZE,
+ hash2, SCRAMBLE_SIZE);
+ if (memcmp(user->def->hash2, hash2, SCRAMBLE_SIZE) == 0) {
+ /* Empty password is set, OK. */
+ goto ok;
+ }
}
access_check_session_xc(user);
@@ -90,11 +99,11 @@ authenticate(const char *user_name, uint32_t len, const char *salt,
diag_raise();
tnt_raise(ClientError, ER_PASSWORD_MISMATCH, user->def->name);
}
+ok:
/* check and run auth triggers on success */
if (! rlist_empty(&session_on_auth) &&
session_run_on_auth_triggers(&auth_res) != 0)
diag_raise();
-ok:
credentials_init(&session->credentials, user->auth_token,
user->def->uid);
}
--
2.11.0
next reply other threads:[~2019-07-15 16:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-15 16:26 Vladimir Davydov [this message]
2019-07-15 19:52 ` Konstantin Osipov
2019-07-17 11:51 ` Vladimir Davydov
2019-07-17 14:28 ` Konstantin Osipov
2019-07-17 14:49 ` Vladimir Davydov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=704d9c5686cb5bacfa53a7459a2eea411812bcc5.1563207875.git.vdavydov.dev@gmail.com \
--to=vdavydov.dev@gmail.com \
--cc=kostja@tarantool.org \
--cc=tarantool-patches@freelists.org \
--subject='Re: [PATCH v2] auth: fix empty password authentication' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox