auth: fix iterations decode error in hashCrypt (#43578)

close #43576
pingcap · May 10, 2023 · bfa042b · bfa042b
1 parent ec03200
commit bfa042b
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/parser/auth/caching_sha2.go b/parser/auth/caching_sha2.go
@@ -169,7 +169,7 @@ func hashCrypt(plaintext string, salt []byte, iterations int, hash func([]byte)
 	// 22
 	buf := bytes.NewBuffer(make([]byte, 0, 100))
 	buf.Write([]byte{'$', 'A', '$'})
-	rounds := fmt.Sprintf("%03d", iterations/ITERATION_MULTIPLIER)
+	rounds := fmt.Sprintf("%03X", iterations/ITERATION_MULTIPLIER)
 	buf.WriteString(rounds)
 	buf.Write([]byte{'$'})
 	buf.Write(salt)
@@ -201,7 +201,7 @@ func CheckHashingPassword(pwhash []byte, password string, hash string) (bool, er
 		return false, errors.New("digest type is incompatible")
 	}
 
-	iterations, err := strconv.Atoi(string(pwhashParts[2]))
+	iterations, err := strconv.ParseInt(string(pwhashParts[2]), 16, 64)
 	if err != nil {
 		return false, errors.New("failed to decode iterations")
 	}
@@ -211,9 +211,9 @@ func CheckHashingPassword(pwhash []byte, password string, hash string) (bool, er
 	var newHash string
 	switch hash {
 	case mysql.AuthCachingSha2Password:
-		newHash = hashCrypt(password, salt, iterations, Sha256Hash)
+		newHash = hashCrypt(password, salt, int(iterations), Sha256Hash)
 	case mysql.AuthTiDBSM3Password:
-		newHash = hashCrypt(password, salt, iterations, Sm3Hash)
+		newHash = hashCrypt(password, salt, int(iterations), Sm3Hash)
 	}
 
 	return bytes.Equal(pwhash, []byte(newHash)), nil

diff --git a/parser/auth/caching_sha2_test.go b/parser/auth/caching_sha2_test.go
@@ -54,7 +54,7 @@ func TestCheckShaPasswordDigestTypeIncompatible(t *testing.T) {
 
 func TestCheckShaPasswordIterationsInvalid(t *testing.T) {
 	pwd := "not_foobar"
-	pwhash, _ := hex.DecodeString("24412430304124031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
+	pwhash, _ := hex.DecodeString("24412430304724031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
 	_, err := CheckHashingPassword(pwhash, pwd, mysql.AuthCachingSha2Password)
 	require.Error(t, err)
 }

diff --git a/parser/auth/tidb_sm3_test.go b/parser/auth/tidb_sm3_test.go
@@ -69,7 +69,7 @@ func TestCheckSM3PasswordDigestTypeIncompatible(t *testing.T) {
 
 func TestCheckSM3PasswordIterationsInvalid(t *testing.T) {
 	pwd := "not_foobar"
-	pwhash, _ := hex.DecodeString("24412430304124031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
+	pwhash, _ := hex.DecodeString("24412430304724031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
 	_, err := CheckHashingPassword(pwhash, pwd, mysql.AuthTiDBSM3Password)
 	require.Error(t, err)
 }