*: add back salt #134

xhebox · 2022-11-08T06:14:41Z

Signed-off-by: xhe xw897002528@gmail.com

What problem does this PR solve?

Issue Number: close None

Problem Summary: The fake salt does not have any usage. But client will still send the computed passwords with the fake salt in the response. In cases of non-TLS, all-zero salt will let client send a fixed auth string(sha1 three times with fixed input), which is highly insecure. Thus we should still send random salt instead.

Check List

Tests

Unit test
Integration test
Manual test (add detailed scripts or steps below)
No code

Notable changes

Has configuration change
Has HTTP API interfaces change (Don't forget to add the declarative for API)
Has tiproxyctl change
Other user behavior changes

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Signed-off-by: xhe <xw897002528@gmail.com>

*: add back salt

87d36ad

Signed-off-by: xhe <xw897002528@gmail.com>

xhebox requested a review from djshow832 November 8, 2022 06:14

djshow832 approved these changes Nov 11, 2022

View reviewed changes

djshow832 merged commit d482ba1 into pingcap:main Nov 11, 2022

xhebox deleted the log branch November 11, 2022 07:24

xhebox added a commit to xhebox/TiProxy that referenced this pull request Mar 7, 2023

*: add back salt (pingcap#134)

251d80c

xhebox added a commit to xhebox/TiProxy that referenced this pull request Mar 13, 2023

*: add back salt (pingcap#134)

7111e9f

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

*: add back salt #134

*: add back salt #134

xhebox commented Nov 8, 2022

*: add back salt #134

*: add back salt #134

Conversation

xhebox commented Nov 8, 2022

What problem does this PR solve?

Check List

Release note