Description
I was looking to implement a version of the CredentialProvider
for a MySQL proxy. I was trying to understand how to store the password so I could return what was expected. Looking at how the password is used during authentication it is required that the server gets the password in plain text, therefore it is required for the CredentialProvider
to be able to provide the password in plain text.
I believe this is a big security issue in the code that can be easily avoided if you correctly follow the MySQL implementations.
As an example, if you look at how this is implemented for the mysql_native_password
in MySQL proper you will see that they rather use the salt/seed to encrypt the hash_stage1
and then generate the hash_stage2
from that for comparison with what is stored on the server.
SERVER: public_seed=generate_user_salt()
send(public_seed)
CLIENT: recv(public_seed)
hash_stage1=sha1("password")
hash_stage2=sha1(hash_stage1)
reply=xor(hash_stage1, sha1(public_seed,hash_stage2)
// this three steps are done in scramble()
send(reply)
SERVER: recv(reply)
hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
candidate_hash2=sha1(hash_stage1)
check(candidate_hash2==hash_stage2)
The reason for doing this is so the actual password does not need to be stored anywhere on the server, you just need to store the hash_stage2
of the password.