
Environment: Ubuntu 18.10 x86_64, CentOS 6/7 x86_64
QA Status: Done successfully
Description:
To reproduce this bug, it is enough to create a user, try to log in, and drop the user many times.
I dug into the Srp manager and found that it happens with some "magic" salts. For example: AE7A9732FB795098A4ECE3CE28BD01C4363E870F9AD399AFBEE2CBC6FBB30580
If you try to set this constant salt in SrpManagement.cpp, all newly created users will be unable to authenticate (SrpServer.cpp: SrpServer::authenticate "if (clientProof == serverProof)" is always false).
Reproducing script:
#!/bin/bash
# Repeatedly create a user, log in as that user and drop the user
# until one of the logins fails.
BIN=/opt/firebird/bin/
DBPATH=/tmp/test
DB=localhost:$DBPATH
# One-time setup: create the database and remove any leftover test user.
cat << EOF > /tmp/prepare
create database '$DB' user sysdba password 'masterkey';
drop user test;
EOF
# One iteration: create the user, connect as that user, then drop the user.
cat << EOF > /tmp/sql
connect '$DB' user sysdba password 'masterkey';
create user test password 'test';
connect '$DB' user test password 'test';
connect '$DB' user sysdba password 'masterkey';
drop user test;
EOF
# -f: do not complain when the database file does not exist yet.
rm -f "$DBPATH"
"$BIN/isql" -i /tmp/prepare
# From here on, stop at the first isql run that fails (-b makes isql bail out on error).
set -e
while true; do
    "$BIN/isql" -b -i /tmp/sql
done
In some cases the verifier (SrpManager.cpp: server.computeVerifier(user->userName()->get(), s1, user->password()->get()).getBytes(s);), which should be a 128 bit number, is generated as 127 bit.
When selecting (SrpServer.cpp: "SELECT PLG$VERIFIER, PLG$SALT FROM PLG$SRP WHERE PLG$USER_NAME = ? AND PLG$ACTIVE";), it is cast to an array of 128 bits (SrpServer.cpp: verifier.assign(reinterpret_cast<const UCHAR*>((const char*)verify), RemotePassword::SRP_VERIFIER_SIZE);) and padded with extra zero bytes on the right. So after this cast we will get a wrong verifier.
For example, if we pad the verifier from the left when selecting, it will be cast properly:
SELECT LPAD(PLG$VERIFIER, 128), PLG$SALT FROM PLG$SRP WHERE PLG$USER_NAME = ? AND PLG$ACTIVE
The question is: should it always be 128 bit or not?
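
The truncation described in the comment above, as an added example (not Firebird's code and not part of the original report): a big-endian value exported without its leading zero byte changes when the missing byte is restored on the right and survives when it is restored on the left. WIDTH, the helper names and the sample bytes are constructed for illustration; WIDTH is a shrunken stand-in for RemotePassword::SRP_VERIFIER_SIZE.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// Hypothetical stand-in for RemotePassword::SRP_VERIFIER_SIZE, shrunk to 8
// so that a whole value fits in a uint64_t for comparison.
constexpr std::size_t WIDTH = 8;

// Big-endian bytes -> integer.
std::uint64_t toInt(const Bytes& b) {
    std::uint64_t v = 0;
    for (std::uint8_t x : b) v = (v << 8) | x;
    return v;
}

// Minimal big-endian export: leading zero bytes are dropped, so the
// result is shorter than WIDTH whenever the top byte happens to be 0.
Bytes exportMinimal(const Bytes& full) {
    std::size_t i = 0;
    while (i + 1 < full.size() && full[i] == 0) ++i;
    return Bytes(full.begin() + i, full.end());
}

// Read path described in the comment: the short value sits at the start
// of a WIDTH-sized buffer and the missing bytes become zeros on the right.
Bytes readRightPadded(const Bytes& stored) {
    Bytes out(stored);
    out.resize(WIDTH, 0);
    return out;
}

// Value-preserving read: missing bytes are restored as leading zeros.
Bytes readLeftPadded(const Bytes& stored) {
    Bytes out(WIDTH - stored.size(), 0);
    out.insert(out.end(), stored.begin(), stored.end());
    return out;
}

// Count constructed verifiers (every possible top byte, fixed low bytes)
// whose value changes on a store/read round trip.
int countCorrupted(bool leftPad) {
    int bad = 0;
    for (int top = 0; top < 256; ++top) {
        Bytes v = {std::uint8_t(top), 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
        Bytes stored = exportMinimal(v);
        Bytes back = leftPad ? readLeftPadded(stored) : readRightPadded(stored);
        if (toInt(back) != toInt(v)) ++bad;
    }
    return bad;
}
```

In this constructed set only the value whose top byte is zero is affected, which matches the report that the failure appears only for particular salts.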