auth: caching_sha2_password salt fix (#1249)

- a NUL or '$' could get replaced with another NUL or '$' - Replacement characters didn't get their first bit set to 0 (`&^ 128`) - The test case used the index number instead of the value of the rune.
pingcap · Jun 15, 2021 · af39ecc · af39ecc
1 parent cb77169
commit af39ecc
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/auth/caching_sha2.go b/auth/caching_sha2.go
@@ -209,10 +209,10 @@ func NewSha2Password(pwd string) string {
 	// Restrict to 7-bit to avoid multi-byte UTF-8
 	for i := range salt {
 		salt[i] = salt[i] &^ 128
-		if salt[i] == 36 || salt[i] == 0 { // '$' or NUL
+		for salt[i] == 36 || salt[i] == 0 { // '$' or NUL
 			newval := make([]byte, 1)
 			rand.Read(newval)
-			salt[i] = newval[0]
+			salt[i] = newval[0] &^ 128
 		}
 	}
 

diff --git a/auth/caching_sha2_test.go b/auth/caching_sha2_test.go
@@ -66,6 +66,8 @@ func (s *testAuthSuite) TestNewSha2Password(c *C) {
 	c.Assert(r, IsTrue)
 
 	for r := range pwhash {
-		c.Assert(r < 128, IsTrue)
+		c.Assert(pwhash[r], Less, uint8(128))
+		c.Assert(pwhash[r], Not(Equals), 0)  // NUL
+		c.Assert(pwhash[r], Not(Equals), 36) // '$'
 	}
 }