• Daniel Black's avatar
    MDEV-24207: recognise mysql forms of invalid password for mysql_native_password · d4c35fb2
    Daniel Black authored
    The main goal of this patch is to prevent MariaDB's native_password_plugin
    from "parsing" the hex (or non hex) authentication_string. Due to how the
    current code is written, we convert any string (within native_password_get_salt)
    that has the appropriate length to a "binary" representation, that can
    potentially match a real password.
    
    More specifically,
    "*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE" produces the same results as
    "*d13c3c78dafa52d9bce09bdd1adcb7befced1ebe".
    
    The length indicator is the main indicator of an invalid password. We use
    use same trick with "invalid" to change its internal representation.
    
    The "parsing" mentioned is by get_salt_from_password down to char_val()
    and because if where it is, its effectively a static plugin API that cannot
    change.
    
    In supporting these, we support the SHOW CREATE USER from MySQL may have the
    hashed password string: *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE.
    
    Obviously this isn't a hash because it contains non-hex characters.
    
    After this patch we do however recognise the pattern;
    
     [any char, notionally *]{40 chars not all are hex}
    
    as a pattern for an invalid password. This was determined to be the general
    pattern that MySQL used.
    
    Reviewers: Sergei G, Vicentiu
    d4c35fb2
set_password.test 5.6 KB