From bfa042b42daa6f6944396ab17f0a0d7f66ce8db4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=A8=E6=88=90=E9=94=B4?=
Date: Wed, 10 May 2023 09:30:08 +0800
Subject: [PATCH] auth: fix iterations decode error in hashCrypt (#43578)
close pingcap/tidb#43576
---
 parser/auth/caching_sha2.go | 8 ++++----
 parser/auth/caching_sha2_test.go | 2 +-
 parser/auth/tidb_sm3_test.go | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/parser/auth/caching_sha2.go b/parser/auth/caching_sha2.go
index b97ac29b0ddd..d3a29cbb076f 100644
--- a/parser/auth/caching_sha2.go
+++ b/parser/auth/caching_sha2.go
@@ -169,7 +169,7 @@ func hashCrypt(plaintext string, salt []byte, iterations int, hash func([]byte)
 // 22
 buf := bytes.NewBuffer(make([]byte, 0, 100))
 buf.Write([]byte{'$', 'A', '$'})
- rounds := fmt.Sprintf("%03d", iterations/ITERATION_MULTIPLIER)
+ rounds := fmt.Sprintf("%03X", iterations/ITERATION_MULTIPLIER)
 buf.WriteString(rounds)
 buf.Write([]byte{'$'})
 buf.Write(salt)
@@ -201,7 +201,7 @@ func CheckHashingPassword(pwhash []byte, password string, hash string) (bool, er
 return false, errors.New("digest type is incompatible")
 }
- iterations, err := strconv.Atoi(string(pwhashParts[2]))
+ iterations, err := strconv.ParseInt(string(pwhashParts[2]), 16, 64)
 if err != nil {
 return false, errors.New("failed to decode iterations")
 }
@@ -211,9 +211,9 @@ func CheckHashingPassword(pwhash []byte, password string, hash string) (bool, er
 var newHash string
 switch hash {
 case mysql.AuthCachingSha2Password:
- newHash = hashCrypt(password, salt, iterations, Sha256Hash)
+ newHash = hashCrypt(password, salt, int(iterations), Sha256Hash)
 case mysql.AuthTiDBSM3Password:
- newHash = hashCrypt(password, salt, iterations, Sm3Hash)
+ newHash = hashCrypt(password, salt, int(iterations), Sm3Hash)
 }
 return bytes.Equal(pwhash, []byte(newHash)), nil
diff --git a/parser/auth/caching_sha2_test.go b/parser/auth/caching_sha2_test.go
index d7c1f8ff8dee..e3e6cccd2b16 100644
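Review bot: The `%03X` verb in hashCrypt sets a minimum width, not a maximum, so a quotient above 0xFFF is written with four or more digits and a negative one gets a sign, and the `$A$NNN$` header stops being fixed-width. Nothing in the visible lines bounds `iterations`, and since hashCrypt appears to return only a string it cannot report the problem itself; a range check may exist in a caller outside this hunk. At minimum I would document the contract above the line: `// rounds is iterations/ITERATION_MULTIPLIER written as exactly three uppercase hex digits (000-FFF); callers must keep iterations in that range.` hashCrypt starts and ends outside the hunk.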
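Review bot: `strconv.ParseInt(..., 16, 64)` in CheckHashingPassword (hunk @@ -201) accepts a leading sign and any value up to 63 bits, while the encoder writes three hex digits, so a stored hash with a negative or oversized rounds field is not rejected here. The value then reaches the `int(iterations)` conversions in the next hunk (@@ -211), which narrow silently on 32-bit builds, and it presumably sets the hashing work factor, so an unexpectedly large count in a stored credential would translate into CPU time on every login check. Parsing unsigned and bounding the result keeps the existing error path: `iterations, err := strconv.ParseUint(string(pwhashParts[2]), 16, 16)` followed by `if err != nil || iterations > 0xFFF {`. Whether the length of `pwhashParts[2]` is validated earlier is not visible from these hunks; the function starts and ends outside them.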
--- a/parser/auth/caching_sha2_test.go
+++ b/parser/auth/caching_sha2_test.go
@@ -54,7 +54,7 @@ func TestCheckShaPasswordDigestTypeIncompatible(t *testing.T) {
 func TestCheckShaPasswordIterationsInvalid(t *testing.T) {
 pwd := "not_foobar"
- pwhash, _ := hex.DecodeString("24412430304124031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
+ pwhash, _ := hex.DecodeString("24412430304724031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
 _, err := CheckHashingPassword(pwhash, pwd, mysql.AuthCachingSha2Password)
 require.Error(t, err)
 }
diff --git a/parser/auth/tidb_sm3_test.go b/parser/auth/tidb_sm3_test.go
index ae2d3162c440..7d5f8593e535 100644
--- a/parser/auth/tidb_sm3_test.go
+++ b/parser/auth/tidb_sm3_test.go
@@ -69,7 +69,7 @@ func TestCheckSM3PasswordDigestTypeIncompatible(t *testing.T) {
 func TestCheckSM3PasswordIterationsInvalid(t *testing.T) {
 pwd := "not_foobar"
- pwhash, _ := hex.DecodeString("24412430304124031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
+ pwhash, _ := hex.DecodeString("24412430304724031A69251C34295C4B35167C7F1E5A7B63091349503974624D34504B5A424679354856336868686F52485A736E4A733368786E427575516C73446469496537")
 _, err := CheckHashingPassword(pwhash, pwd, mysql.AuthTiDBSM3Password)
 require.Error(t, err)
 }
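Review bot: The only test change in this patch swaps the invalid rounds field in the vector from `00A` to `00G` (here and in the identical hunk in tidb_sm3_test.go), which keeps the negative case failing but does not exercise the bug being fixed. No positive case is visible for a hash whose rounds field contains a hex letter, so a regression back to decimal parsing would still pass both tests. I would add a round-trip test per digest that hashes with a count such as `10*ITERATION_MULTIPLIER` and asserts that `CheckHashingPassword` returns true for the result. Separately, the changed line still discards the decode error; `pwhash, err := hex.DecodeString(...)` followed by `require.NoError(t, err)` would stop a typo in the vector from producing the expected failure for the wrong reason.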