In caching sha2 password xor, b length can be less than a. #1044
Comments
Good catch @normano !
There is a link to Preparing Your MySQL Community Connector in the code, but
the site is not currently working. You can search for "MySQL 8
caching_sha2_password xor rotated" in Google to find a reference to this.
On Wed, Oct 23, 2019, 5:12 PM Andrey Sidorov wrote:
> Good catch @normano <https://github.com/normano> !
> I wonder if mysql server actually expects xor rotated this way. Are you
> able to test this scenario?
> Scramble is usually 20 bytes, this means you need to create a user with >
> 20 char password to be able to test
Thanks, do you want to create a PR with this change? Note that currently the xor function is not shared between different auth plugins; maybe worth refactoring now.
I think this only affects caching_sha2_password, where the seed is xored against the password; in all 4.1 auth scenarios both arguments to xor are sha1 hashes of exactly 32 bytes. I can confirm that the current code fails to login for a user with
Just got home, I can pull in your changes and attempt to implement.
…ail for passwords longer than 19 characters. Thanks to sidorares and normano for their guidance. Refer to: mysqljs#2233 (comment) sidorares/node-mysql2#1044 sidorares/node-mysql2#1045 Updated version to 2.18.3
In short, replacing `xor` for `xorRotating` when authenticating passwords that are greater than 20 characters in length. The original issue was first spotted in the auth_plugin `caching_sha2_password` but is also present in the `sha256_password` auth_plugin as well. The link to the original issue (and fix) can be found here: sidorares#1044
node-mysql2/lib/auth_plugins/caching_sha2_password.js, line 35 in 93df7a8
You could use the xorRotating function to fix it:
https://github.com/normano/node-mysql2/blob/72aaf4a07680d26edb5ac6bb828027207e97e004/lib/auth_41.js#L137
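To make the difference concrete, here is an added example in JavaScript (not node-mysql2's own code; the function bodies, the `serverUnmask` helper, the scramble value and the passwords are all constructed for this illustration). It places a fixed-width xor beside a rotating one, masks a NUL-terminated password with a constructed 20-byte scramble, and runs a round-trip check that stands in for the server's unmasking. With the fixed version, every password byte past the scramble length is xored with `undefined`, which JavaScript treats as 0, so those bytes are never masked; a server that unmasks with a rotating scramble then recovers a different password and the login fails. The rotating version round-trips for both short and long passwords, which is the property the thread is after.

```javascript
// Added example, not node-mysql2 code: fixed-width xor vs. rotating xor for the
// caching_sha2_password / sha256_password password-masking step, where the
// NUL-terminated password can be longer than the 20-byte scramble.

// Fixed-width xor: result is as long as `a`. For i >= b.length, b[i] is undefined,
// and `x ^ undefined` evaluates to `x`, so the tail of `a` passes through unmasked.
function xorFixed(a, b) {
  a = Buffer.from(a, 'binary');
  b = Buffer.from(b, 'binary');
  const result = Buffer.allocUnsafe(a.length);
  for (let i = 0; i < a.length; i++) {
    result[i] = a[i] ^ b[i];
  }
  return result;
}

// Rotating xor: once the scramble is exhausted it is reused from its first byte,
// so every byte of `a` is masked regardless of the scramble length.
function xorRotating(a, b) {
  a = Buffer.from(a, 'binary');
  b = Buffer.from(b, 'binary');
  const result = Buffer.allocUnsafe(a.length);
  for (let i = 0; i < a.length; i++) {
    result[i] = a[i] ^ b[i % b.length];
  }
  return result;
}

// Hypothetical stand-in for the server side: it strips the mask with the same
// rotating scramble (xor is its own inverse). Assumed for this example only.
function serverUnmask(masked, scramble) {
  return xorRotating(masked, scramble);
}

// Round-trip check: NUL-terminate the password, mask it with `maskFn`, unmask it
// the way the server would, and report whether the original bytes come back.
function roundTrips(password, scramble, maskFn) {
  const plain = Buffer.concat([Buffer.from(password, 'utf8'), Buffer.from([0])]);
  const masked = maskFn(plain, scramble);
  const recovered = serverUnmask(masked, scramble);
  return recovered.equals(plain);
}

// Constructed 20-byte scramble; a real server sends a fresh random one in the handshake.
const SCRAMBLE = Buffer.from('0123456789abcdefghij', 'binary');
// Constructed passwords: 13 chars + NUL = 14 bytes (fits), 28 chars + NUL = 29 bytes (exceeds).
const SHORT_PASSWORD = 'hunter2-short';
const LONG_PASSWORD = 'correct horse battery staple';

// Runs all four combinations and returns the outcomes keyed by case.
function demo() {
  const results = {
    shortFixed: roundTrips(SHORT_PASSWORD, SCRAMBLE, xorFixed),
    shortRotating: roundTrips(SHORT_PASSWORD, SCRAMBLE, xorRotating),
    longFixed: roundTrips(LONG_PASSWORD, SCRAMBLE, xorFixed),
    longRotating: roundTrips(LONG_PASSWORD, SCRAMBLE, xorRotating),
  };
  for (const [name, ok] of Object.entries(results)) {
    console.log(`${name}: server recovers password = ${ok}`);
  }
  return results;
}

demo();
```

The only case that fails is the long password through `xorFixed`, which matches the symptom reported in the thread: a password of 20 or more characters (plus its NUL terminator) outruns the scramble, and the unmasked tail no longer agrees with what the server reconstructs.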