~drizzle-trunk/drizzle/development

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
 *  vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
 *
 *  Copyright (C) 2010 Rackspace
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; version 2 of the License.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#include "config.h"

#include <string>

#include "drizzled/plugin/authentication.h"
#include "drizzled/security_context.h"
#include "drizzled/util/convert.h"
#include "drizzled/algorithm/sha1.h"

using namespace std;
using namespace drizzled;

namespace auth_test
{

/* This is the result of MYSQL_PASSWORD("scramble_password"). */
static const char *scrambled_password= "2C5A870CEFF02BA3B0A927D7956B3FEB4D59CF21";

class AuthTest: public plugin::Authentication
{
public:
  AuthTest(string name_arg):
    plugin::Authentication(name_arg)
  { }

  virtual bool authenticate(const SecurityContext &sctx, const string &password)
  {
    /* The "root" user always succeeds for drizzletest to get in. */
    if (sctx.getUser() == "root" && password.empty())
      return true;

    /* Any password succeeds. */
    if (sctx.getUser() == "password_ok" && !password.empty())
      return true;

    /* No password succeeds. */
    if (sctx.getUser() == "no_password_ok" && password.empty())
      return true;

    /* Check if MySQL password scramble succeeds. */
    if (sctx.getUser() == "scramble_ok" &&
        sctx.getPasswordType() == SecurityContext::MYSQL_HASH &&
        sctx.getPasswordContext().size() == SHA1_DIGEST_LENGTH &&
        password.size() == SHA1_DIGEST_LENGTH)
    {
      SHA1_CTX ctx;
      uint8_t scrambled_password_hash[SHA1_DIGEST_LENGTH];
      uint8_t temp_hash[SHA1_DIGEST_LENGTH];
      uint8_t scrambled_password_check[SHA1_DIGEST_LENGTH];

      /* Get the double-hashed password from the stored hex string. */
      drizzled_hex_to_string(reinterpret_cast<char*>(scrambled_password_hash),
                             scrambled_password, SHA1_DIGEST_LENGTH * 2);

      /* Hash the scramble that was sent to client with the stored password. */
      SHA1Init(&ctx);
      SHA1Update(&ctx, reinterpret_cast<const uint8_t*>(sctx.getPasswordContext().c_str()), SHA1_DIGEST_LENGTH);
      SHA1Update(&ctx, scrambled_password_hash, SHA1_DIGEST_LENGTH);
      SHA1Final(temp_hash, &ctx);

      /* Next, XOR the result with what the client sent to get the original
         single-hashed password. */
      for (int x= 0; x < SHA1_DIGEST_LENGTH; x++)
        temp_hash[x]= temp_hash[x] ^ password[x];

      /* Hash this result once more to get the double-hashed password again. */
      SHA1Init(&ctx);
      SHA1Update(&ctx, temp_hash, SHA1_DIGEST_LENGTH);
      SHA1Final(scrambled_password_check, &ctx);

      /* These should match for a successful auth. */
      return memcmp(scrambled_password_hash, scrambled_password_check, SHA1_DIGEST_LENGTH) == 0;
    }

    return false;
  }
};

AuthTest *auth_test= NULL;

static int init(module::Context &context)
{
  auth_test= new AuthTest("auth_test");
  context.add(auth_test);
  return 0;
}

} /* namespace auth_test */

DRIZZLE_PLUGIN(auth_test::init, NULL, NULL);