From 583a5a79c992a11eb42834add2b5fd07c3fecb75 Mon Sep 17 00:00:00 2001
From: Nikita Malyavin
Date: Wed, 4 Sep 2024 19:57:45 +0200
Subject: [PATCH] MDEV-34854 Parsec sends garbage when using an empty password

When an empty password is set, the server doesn't call st_mysql_auth::hash_password and leaves MYSQL_SERVER_AUTH_INFO::auth_string empty. Fix: generate hashes by calling hash_password for empty passwords as well. This changes the api behavior slightly, but since even old plugins support it, we can ignore this. Some empty passwords could be already stored with no salt, though. The user will have to call SET PASSWORD once again, anyway the authentication wouldn't have worked for such password.
---
 mysql-test/suite/plugins/r/parsec.result | 15 +++++++++++++++
 mysql-test/suite/plugins/t/parsec.test | 15 +++++++++++++++
 sql/sql_acl.cc | 5 +++--
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/mysql-test/suite/plugins/r/parsec.result b/mysql-test/suite/plugins/r/parsec.result
index 98b67c4d09d..a7472d0e666 100644
--- a/mysql-test/suite/plugins/r/parsec.result
+++ b/mysql-test/suite/plugins/r/parsec.result
@@ -28,3 +28,18 @@ test.have_ssl()
 yes
 drop function have_ssl;
 drop user test1@'%';
+# MDEV-34854 Parsec sends garbage when using an empty password
+create user test2@'%' identified via parsec using PASSWORD('');
+show grants for test2@'%';
+Grants for test2@%
+GRANT USAGE ON *.* TO `test2`@`%` IDENTIFIED VIA parsec USING 'P0:salt:password'
+connect con4, localhost, test2,;
+select 4, USER(), CURRENT_USER();
+4 USER() CURRENT_USER()
+4 test2@localhost test2@%
+disconnect con4;
+connect(localhost,test2,wrong_pwd,test,MASTER_MYPORT,MASTER_MYSOCK);
+connect con5, localhost, test2, "wrong_pwd";
+ERROR 28000: Access denied for user 'test2'@'localhost' (using password: NO)
+connection default;
+drop user test2@'%';
diff --git a/mysql-test/suite/plugins/t/parsec.test b/mysql-test/suite/plugins/t/parsec.test
index 25db07bcbe4..f021b1d1007 100644
--- a/mysql-test/suite/plugins/t/parsec.test
+++ b/mysql-test/suite/plugins/t/parsec.test
@@ -43,3 +43,18 @@ if ($MTR_COMBINATION_WIN) {
 drop function have_ssl;
 drop user test1@'%';
+
+
+--echo # MDEV-34854 Parsec sends garbage when using an empty password
+create user test2@'%' identified via parsec using PASSWORD('');
+--replace_regex /:[A-Za-z0-9+\/]{43}'/:password'/ /:[A-Za-z0-9+\/]{24}:/:salt:/
+show grants for test2@'%';
+connect con4, localhost, test2,;
+select 4, USER(), CURRENT_USER();
+disconnect con4;
+
+--replace_result $MASTER_MYSOCK MASTER_MYSOCK $MASTER_MYPORT MASTER_MYPORT
+--error ER_ACCESS_DENIED_ERROR
+connect con5, localhost, test2, "wrong_pwd";
+connection default;
+drop user test2@'%';
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 3dd23923558..96886fb0175 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2401,7 +2401,8 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
 res= ER_NOT_VALID_PASSWORD;
 goto end;
 }
- if (pwtext.length)
+
+ if (!auth->auth_string.length)
 {
 if (info->hash_password)
 {
@@ -2416,7 +2417,7 @@ static int set_user_auth(THD *thd, const LEX_CSTRING &user,
 auth->auth_string.str= (char*)memdup_root(&acl_memroot, buf, len+1);
 auth->auth_string.length= len;
 }
- else
+ else if (pwtext.length)
 {
 res= ER_SET_PASSWORD_AUTH_PLUGIN;
 goto end;
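Review bot: The new case in mysql-test/suite/plugins/t/parsec.test covers only an account created with `using PASSWORD('')`, so the other empty-password paths touched by this fix are not pinned. An account created with no USING clause presumably also reaches set_user_auth with an empty auth_string; adding `create user test3@'%' identified via parsec;` followed by the same `show grants` and connect checks would make it explicit whether such an account now gets a salted hash and accepts an empty password. The commit message also says rows stored earlier without a salt stay unusable until SET PASSWORD is run again. A case asserting that such a row is refused with ER_ACCESS_DENIED_ERROR would keep that path from regressing.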
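Review bot: The new guard `if (!auth->auth_string.length)` in set_user_auth (sql/sql_acl.cc, hunk at -2401) keys on the stored hash instead of the supplied plaintext. A call arriving with both a non-empty `pwtext` and a non-empty `auth_string` would now keep the old hash and silently drop the new password, where the removed `if (pwtext.length)` hashed it. Whether any caller can pass both is not visible in this hunk; if none can, state that invariant in a comment, otherwise use `if (pwtext.length || !auth->auth_string.length)`. A comment above the condition such as `// hash empty passwords too: parsec needs a salted auth_string (MDEV-34854)` would record why the empty case is no longer skipped. The function starts before and continues after this hunk.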
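Review bot: Rows already stored with an empty `auth_string` are untouched by the change around `else if (pwtext.length)` in set_user_auth (sql/sql_acl.cc, hunk at -2416). The commit message says such rows exist, and the fix only affects what is written from now on. Nothing in this diff shows the parsec plugin checking the length of `auth_string` before it reads the salt from it; that check is worth confirming or adding on the plugin side, so a legacy account fails with access denied rather than sending unspecified bytes to the client. Separately, the `memdup_root` result in the context lines is stored without a NULL check, and that path now also runs for empty passwords. The enclosing block begins before this hunk.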