Don't store plaintext passwords (#1040)

Author: gdsmith

client/auth.go

@@ -154,9 +154,9 @@ func (c *Conn) genAuthResponse(authData []byte) ([]byte, bool, error) {
 	// password hashing
 	switch c.authPluginName {
 	case mysql.AUTH_NATIVE_PASSWORD:
-		return mysql.CalcPassword(authData[:20], []byte(c.password)), false, nil
+		return mysql.CalcNativePassword(authData[:20], []byte(c.password)), false, nil
 	case mysql.AUTH_CACHING_SHA2_PASSWORD:
-		return mysql.CalcCachingSha2Password(authData, c.password), false, nil
+		return mysql.CalcCachingSha2Password(authData, []byte(c.password)), false, nil
 	case mysql.AUTH_CLEAR_PASSWORD:
 		return []byte(c.password), true, nil
 	case mysql.AUTH_SHA256_PASSWORD:

driver/driver_options_test.go

@@ -39,7 +39,7 @@ type mockHandler struct {
 }
 
 func TestDriverOptions_SetRetriesOn(t *testing.T) {
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 	var wg sync.WaitGroup
 	srv.handler.modifier = &wg
@@ -64,7 +64,7 @@ func TestDriverOptions_SetRetriesOn(t *testing.T) {
 }
 
 func TestDriverOptions_SetRetriesOff(t *testing.T) {
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 	var wg sync.WaitGroup
 	srv.handler.modifier = &wg
@@ -114,7 +114,7 @@ func TestDriverOptions_SetCompression(t *testing.T) {
 }
 
 func TestDriverOptions_ConnectTimeout(t *testing.T) {
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 
 	conn, err := sql.Open("mysql", "[email protected]:3307/test?timeout=1s")
@@ -131,7 +131,7 @@ func TestDriverOptions_ConnectTimeout(t *testing.T) {
 }
 
 func TestDriverOptions_BufferSize(t *testing.T) {
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 
 	SetDSNOptions(map[string]DriverOption{
@@ -156,7 +156,7 @@ func TestDriverOptions_BufferSize(t *testing.T) {
 }
 
 func TestDriverOptions_ReadTimeout(t *testing.T) {
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 
 	conn, err := sql.Open("mysql", "[email protected]:3307/test?readTimeout=100ms")
@@ -177,7 +177,7 @@ func TestDriverOptions_ReadTimeout(t *testing.T) {
 }
 
 func TestDriverOptions_writeTimeout(t *testing.T) {
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 
 	// use a writeTimeout that will fail parsing by ParseDuration resulting
@@ -224,7 +224,7 @@ func TestDriverOptions_namedValueChecker(t *testing.T) {
 		return nil
 	})
 
-	srv := CreateMockServer(t)
+	srv := createMockServer(t)
 	defer srv.Stop()
 	conn, err := sql.Open("mysql", "[email protected]:3307/test?writeTimeout=1s")
 	defer func() {
@@ -265,9 +265,9 @@ func TestDriverOptions_namedValueChecker(t *testing.T) {
 	require.True(t, math.MaxUint64 == a)
 }
 
-func CreateMockServer(t *testing.T) *testServer {
+func createMockServer(t *testing.T) *testServer {
 	inMemProvider := server.NewInMemoryProvider()
-	inMemProvider.AddUser(*testUser, *testPassword)
+	require.NoError(t, inMemProvider.AddUser(*testUser, *testPassword))
 	defaultServer := server.NewDefaultServer()
 
 	l, err := net.Listen("tcp", "127.0.0.1:3307")

mysql/mysql_gtid.go

@@ -111,20 +111,6 @@ func (s IntervalSlice) Normalize() IntervalSlice {
 	return n
 }
 
-func min(a, b int64) int64 {
-	if a < b {
-		return a
-	}
-	return b
-}
-
-func max(a, b int64) int64 {
-	if a > b {
-		return a
-	}
-	return b
-}
-
 func (s *IntervalSlice) InsertInterval(interval Interval) {
 	var (
 		count int

mysql/util.go

@@ -9,7 +9,9 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
+	"crypto/subtle"
 	"encoding/binary"
+	"encoding/hex"
 	"fmt"
 	"io"
 	mrand "math/rand"
@@ -29,7 +31,7 @@ func Pstack() string {
 	return string(buf[0:n])
 }
 
-func CalcPassword(scramble, password []byte) []byte {
+func CalcNativePassword(scramble, password []byte) []byte {
 	if len(password) == 0 {
 		return nil
 	}
@@ -39,35 +41,100 @@ func CalcPassword(scramble, password []byte) []byte {
 	crypt.Write(password)
 	stage1 := crypt.Sum(nil)
 
-	// scrambleHash = SHA1(scramble + SHA1(stage1Hash))
-	// inner Hash
+	// stage2Hash = SHA1(stage1Hash)
 	crypt.Reset()
 	crypt.Write(stage1)
-	hash := crypt.Sum(nil)
+	stage2 := crypt.Sum(nil)
 
-	// outer Hash
+	// scrambleHash = SHA1(scramble + stage2Hash)
 	crypt.Reset()
 	crypt.Write(scramble)
-	crypt.Write(hash)
-	scramble = crypt.Sum(nil)
+	crypt.Write(stage2)
+	scrambleHash := crypt.Sum(nil)
 
 	// token = scrambleHash XOR stage1Hash
-	for i := range scramble {
-		scramble[i] ^= stage1[i]
+	return Xor(scrambleHash, stage1)
+}
+
+// Xor modifies hash1 in-place with XOR against hash2
+func Xor(hash1 []byte, hash2 []byte) []byte {
+	l := min(len(hash1), len(hash2))
+	for i := range l {
+		hash1[i] ^= hash2[i]
+	}
+	return hash1
+}
+
+// hash_stage1 = xor(reply, sha1(public_seed, hash_stage2))
+func stage1FromReply(scramble []byte, seed []byte, stage2 []byte) []byte {
+	crypt := sha1.New()
+	crypt.Write(seed)
+	crypt.Write(stage2)
+	seededHash := crypt.Sum(nil)
+
+	return Xor(scramble, seededHash)
+}
+
+// DecodePasswordHex decodes the standard format used by MySQL
+// Password hashes in the 4.1 format always begin with a * character
+// see https://dev.mysql.com/doc/mysql-security-excerpt/5.7/en/password-hashing.html
+// ref vitess.io/vitess/go/mysql/auth_server.go
+func DecodePasswordHex(hexEncodedPassword string) ([]byte, error) {
+	if hexEncodedPassword[0] == '*' {
+		hexEncodedPassword = hexEncodedPassword[1:]
+	}
+	return hex.DecodeString(hexEncodedPassword)
+}
+
+// EncodePasswordHex encodes to the standard format used by MySQL
+// adds the optionally leading * to the hashed password
+func EncodePasswordHex(passwordHash []byte) string {
+	hexstr := strings.ToUpper(hex.EncodeToString(passwordHash))
+	return "*" + hexstr
+}
+
+// NativePasswordHash = sha1(sha1(password))
+func NativePasswordHash(password []byte) []byte {
+	if len(password) == 0 {
+		return nil
 	}
-	return scramble
+
+	// stage1Hash = SHA1(password)
+	crypt := sha1.New()
+	crypt.Write(password)
+	stage1 := crypt.Sum(nil)
+
+	// stage2Hash = SHA1(stage1Hash)
+	crypt.Reset()
+	crypt.Write(stage1)
+	return crypt.Sum(stage1[:0])
+}
+
+func CompareNativePassword(reply []byte, stored []byte, seed []byte) bool {
+	if len(stored) == 0 {
+		return false
+	}
+
+	// hash_stage1 = xor(reply, sha1(public_seed, hash_stage2))
+	stage1 := stage1FromReply(reply, seed, stored)
+	// andidate_hash2 = sha1(hash_stage1)
+	stage2 := sha1.Sum(stage1)
+
+	// check(candidate_hash2 == hash_stage2)
+	// use ConstantTimeCompare to mitigate timing based attacks
+	return subtle.ConstantTimeCompare(stage2[:], stored) == 1
 }
 
 // CalcCachingSha2Password: Hash password using MySQL 8+ method (SHA256)
-func CalcCachingSha2Password(scramble []byte, password string) []byte {
+func CalcCachingSha2Password(scramble []byte, password []byte) []byte {
 	if len(password) == 0 {
 		return nil
 	}
 
 	// XOR(SHA256(password), SHA256(SHA256(SHA256(password)), scramble))
 
 	crypt := sha256.New()
-	crypt.Write([]byte(password))
+	crypt.Write(password)
 	message1 := crypt.Sum(nil)
 
 	crypt.Reset()
@@ -79,11 +146,7 @@ func CalcCachingSha2Password(scramble []byte, password string) []byte {
 	crypt.Write(scramble)
 	message2 := crypt.Sum(nil)
 
-	for i := range message1 {
-		message1[i] ^= message2[i]
-	}
-
-	return message1
+	return Xor(message1, message2)
 }
 
 // Taken from https://github.com/go-sql-driver/mysql/pull/1518
@@ -135,6 +198,89 @@ func EncryptPassword(password string, seed []byte, pub *rsa.PublicKey) ([]byte,
 	return rsa.EncryptOAEP(sha1v, rand.Reader, pub, plain, nil)
 }
 
+const (
+	SALT_LENGTH                = 16
+	ITERATION_MULTIPLIER       = 1000
+	SHA256_PASSWORD_ITERATIONS = 5
+)
+
+// generateUserSalt generate salt of given length for sha256_password hash
+func generateUserSalt(length int) ([]byte, error) {
+	// Generate a random salt of the given length
+	// Implement this function for your project
+	salt := make([]byte, length)
+	_, err := rand.Read(salt)
+	if err != nil {
+		return []byte(""), err
+	}
+
+	// Restrict to 7-bit to avoid multi-byte UTF-8
+	for i := range salt {
+		salt[i] = salt[i] &^ 128
+		for salt[i] == 36 || salt[i] == 0 { // '$' or NUL
+			newval := make([]byte, 1)
+			_, err := rand.Read(newval)
+			if err != nil {
+				return []byte(""), err
+			}
+			salt[i] = newval[0] &^ 128
+		}
+	}
+	return salt, nil
+}
+
+// hashCrypt256 salt and hash a password the given number of iterations
+func hashCrypt256(source, salt string, iterations uint64) (string, error) {
+	actualIterations := iterations * ITERATION_MULTIPLIER
+	hashInput := []byte(source + salt)
+	var hash [32]byte
+	for i := uint64(0); i < actualIterations; i++ {
+		hash = sha256.Sum256(hashInput)
+		hashInput = hash[:]
+	}
+
+	hashHex := hex.EncodeToString(hash[:])
+	digest := fmt.Sprintf("$%d$%s$%s", iterations, salt, hashHex)
+	return digest, nil
+}
+
+// Check256HashingPassword compares a password to a hash for sha256_password
+// rather than trying to recreate just the hash we recreate the full hash
+// and use that for comparison
+func Check256HashingPassword(pwhash []byte, password string) (bool, error) {
+	pwHashParts := bytes.Split(pwhash, []byte("$"))
+	if len(pwHashParts) != 4 {
+		return false, errors.New("failed to decode hash parts")
+	}
+
+	iterationsPart := pwHashParts[1]
+	if len(iterationsPart) == 0 {
+		return false, errors.New("iterations part is empty")
+	}
+
+	iterations, err := strconv.ParseUint(string(iterationsPart), 10, 64)
+	if err != nil {
+		return false, errors.New("failed to decode iterations")
+	}
+	salt := pwHashParts[2][:SALT_LENGTH]
+
+	newHash, err := hashCrypt256(password, string(salt), iterations)
+	if err != nil {
+		return false, err
+	}
+
+	return subtle.ConstantTimeCompare(pwhash, []byte(newHash)) == 1, nil
+}
+
+// NewSha256PasswordHash creates a new password hash for sha256_password
+func NewSha256PasswordHash(pwd string) (string, error) {
+	salt, err := generateUserSalt(SALT_LENGTH)
+	if err != nil {
+		return "", err
+	}
+	return hashCrypt256(pwd, string(salt), SHA256_PASSWORD_ITERATIONS)
+}
+
 func DecompressMariadbData(data []byte) ([]byte, error) {
 	// algorithm always 0=zlib
 	// algorithm := (data[pos] & 0x07) >> 4