1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
*
* Copyright (C) 2010 Rackspace
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; version 2 of the License.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "config.h"
#include <string>
#include "drizzled/plugin/authentication.h"
#include "drizzled/security_context.h"
#include "drizzled/util/convert.h"
#include "drizzled/algorithm/sha1.h"
using namespace std;
using namespace drizzled;
namespace auth_test
{
/* This is the result of MYSQL_PASSWORD("scramble_password"). */
static const char *scrambled_password= "2C5A870CEFF02BA3B0A927D7956B3FEB4D59CF21";
class AuthTest: public plugin::Authentication
{
public:
AuthTest(string name_arg):
plugin::Authentication(name_arg)
{ }
virtual bool authenticate(const SecurityContext &sctx, const string &password)
{
/* The "root" user always succeeds for drizzletest to get in. */
if (sctx.getUser() == "root" && password.empty())
return true;
/* Any password succeeds. */
if (sctx.getUser() == "password_ok" && !password.empty())
return true;
/* No password succeeds. */
if (sctx.getUser() == "no_password_ok" && password.empty())
return true;
/* Check if MySQL password scramble succeeds. */
if (sctx.getUser() == "scramble_ok" &&
sctx.getPasswordType() == SecurityContext::MYSQL_HASH &&
sctx.getPasswordContext().size() == SHA1_DIGEST_LENGTH &&
password.size() == SHA1_DIGEST_LENGTH)
{
SHA1_CTX ctx;
uint8_t scrambled_password_hash[SHA1_DIGEST_LENGTH];
uint8_t temp_hash[SHA1_DIGEST_LENGTH];
uint8_t scrambled_password_check[SHA1_DIGEST_LENGTH];
/* Get the double-hashed password from the stored hex string. */
drizzled_hex_to_string(reinterpret_cast<char*>(scrambled_password_hash),
scrambled_password, SHA1_DIGEST_LENGTH * 2);
/* Hash the scramble that was sent to client with the stored password. */
SHA1Init(&ctx);
SHA1Update(&ctx, reinterpret_cast<const uint8_t*>(sctx.getPasswordContext().c_str()), SHA1_DIGEST_LENGTH);
SHA1Update(&ctx, scrambled_password_hash, SHA1_DIGEST_LENGTH);
SHA1Final(temp_hash, &ctx);
/* Next, XOR the result with what the client sent to get the original
single-hashed password. */
for (int x= 0; x < SHA1_DIGEST_LENGTH; x++)
temp_hash[x]= temp_hash[x] ^ password[x];
/* Hash this result once more to get the double-hashed password again. */
SHA1Init(&ctx);
SHA1Update(&ctx, temp_hash, SHA1_DIGEST_LENGTH);
SHA1Final(scrambled_password_check, &ctx);
/* These should match for a successful auth. */
return memcmp(scrambled_password_hash, scrambled_password_check, SHA1_DIGEST_LENGTH) == 0;
}
return false;
}
};
AuthTest *auth_test= NULL;
static int init(module::Context &context)
{
auth_test= new AuthTest("auth_test");
context.add(auth_test);
return 0;
}
} /* namespace auth_test */
DRIZZLE_PLUGIN(auth_test::init, NULL, NULL);
|