Issue Details (XML | Word | Printable)

Key: CORE-6038
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Alexander Peshkov
Reporter: Artyom Smirnov
Votes: 0
Watchers: 4
Operations

If you were logged in you would be able to see more operations.
Firebird Core

Srp user manager sporadically creates users which can not attach

Created: 29/Mar/19 12:07 PM   Updated: 11/Jun/19 05:36 PM
Component/s: Engine
Affects Version/s: 3.0.4
Fix Version/s: 3.0.5, 4.0 Beta 2

Environment: Ubuntu 18.10 x86_64, Cent OS 6/7 x86_64

QA Status: Done successfully


 Description  « Hide
To reproduce this bug enough to create user/try to login/drop user many times.

I digged into Srp manager and found it happen with some "magic" salts. For example: AE7A9732FB795098A4ECE3CE28BD01C4363E870F9AD399AFBEE2CBC6FBB30580

If you try to set this constant salt in SrpManagement.cpp all newly created users will be unable to authenticate (SrpServer.cpp: SrpServer::authenticate "if (clientProof == serverProof)" always false).

Reproducing script:

#!/bin/bash

BIN=/opt/firebird/bin/
DBPATH=/tmp/test
DB=localhost:$DBPATH

cat << EOF > /tmp/prepare
create database '$DB' user sysdba password 'masterkey';
drop user test;
EOF

cat << EOF > /tmp/sql
connect '$DB' user sysdba password 'masterkey';
create user test password 'test';
connect '$DB' user test password 'test';
connect '$DB' user sysdba password 'masterkey';
drop user test;
EOF

rm $DBPATH
$BIN/isql -i /tmp/prepare

set -e

while true; do
$BIN/isql -b -i /tmp/sql
done


 All   Comments   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
Alexander Peshkov made changes - 29/Mar/19 12:45 PM
Field Original Value New Value
Assignee Alexander Peshkov [ alexpeshkoff ]
Artyom Smirnov added a comment - 04/Apr/19 01:00 PM
Looks I've found root of problem:

In some cases verifier (SrpManager.cpp: server.computeVerifier(user->userName()->get(), s1, user->password()->get()).getBytes(s);) which is should be 128 bit number generated as 127 bit.

When selecting (SrpServer.cpp: "SELECT PLG$VERIFIER, PLG$SALT FROM PLG$SRP WHERE PLG$USER_NAME = ? AND PLG$ACTIVE";) it casted to array of 128 bits (SrpServer.cpp: verifier.assign(reinterpret_cast<const UCHAR*>((const char*)verify), RemotePassword::SRP_VERIFIER_SIZE);) and padded with extra zero bytes at right. So after this casting we will get wrong verifier.

For example if we pad verifier from left when selecting it will be casted properly:
SELECT LPAD(PLG$VERIFIER, 128), PLG$SALT FROM PLG$SRP WHERE PLG$USER_NAME = ? AND PLG$ACTIVE"

The question is it always should be 128 bit or not?

Alexander Peshkov added a comment - 04/Apr/19 03:58 PM
You've meant 128 bytes I suppose.
No - it should not. Treat verifier as a very big integer. When upper byte is 0 it's just omitted and this looks like 127-byte verifier.
If you have any DB with such verifier please send it to me - want to fix.

Artyom Smirnov added a comment - 04/Apr/19 06:51 PM
Yep, bytes of course.

Here backup and original security3.fdb database. User/password are test/test

https://www.dropbox.com/s/0qc79m69fix0byi/security3.bak?dl=1
https://www.dropbox.com/s/1wej7tbiphm2any/security3.fdb?dl=1

Alexander Peshkov added a comment - 14/Apr/19 06:08 PM
Slightly offtopic - never used to notice that effect myself, great that you've found relatively stable case.

Alexander Peshkov made changes - 14/Apr/19 06:08 PM
Status Open [ 1 ] Resolved [ 5 ]
Fix Version/s 3.0.5 [ 10885 ]
Fix Version/s 4.0 Beta 2 [ 10888 ]
Resolution Fixed [ 1 ]
Pavel Zotov made changes - 05/Jun/19 05:49 AM
Status Resolved [ 5 ] Resolved [ 5 ]
Test Details Reproduced on old FB, but have question about randomness.
Sent letter to dimitr and alex, 04.06.2019 08:48.
Waiting for reply.
QA Status No test Deferred
Pavel Zotov made changes - 05/Jun/19 10:06 AM
Status Resolved [ 5 ] Resolved [ 5 ]
Test Details Reproduced on old FB, but have question about randomness.
Sent letter to dimitr and alex, 04.06.2019 08:48.
Waiting for reply.
Ticket's issue *confirmed* following script:
=======
connect 'localhost:e30' user sysdba password 'masterkey';
create or alter user c6038_srp password 'c6038_srp' using plugin Srp;
commit;
connect 'localhost:e30' user c6038_srp password 'c6038_srp';
commit;
connect 'localhost:e30' user sysdba password 'masterkey';
drop user c6038_srp using plugin Srp;
exit;
=======
-- raises exception on WI-V3.0.5.33118 (date: 11.04.19): Statement failed, SQLSTATE = 28000 / Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
But this error can occur within wide scopr of iterations. On my machine (Win 8.1) this is scope from 5 to ~250.

Error was gone on WI-V3.0.5.33139 - at least for first 10'000 iterations there was no exception.
But if some kind of regression will occur in the future then NEW scope for getting error can be much larger than above mentioned - say, with lo bound = 3000 or 5000 or so.
This means that creating test with hard-coded upper bound for loop is almost useless.

After discuss with dimitr, it was decided to SKIP creation of test for this ticket.

QA Status Deferred Cannot be tested
Pavel Zotov made changes - 05/Jun/19 10:06 AM
Status Resolved [ 5 ] Closed [ 6 ]
Pavel Zotov made changes - 05/Jun/19 10:06 AM
Status Closed [ 6 ] Closed [ 6 ]
Test Details Ticket's issue *confirmed* following script:
=======
connect 'localhost:e30' user sysdba password 'masterkey';
create or alter user c6038_srp password 'c6038_srp' using plugin Srp;
commit;
connect 'localhost:e30' user c6038_srp password 'c6038_srp';
commit;
connect 'localhost:e30' user sysdba password 'masterkey';
drop user c6038_srp using plugin Srp;
exit;
=======
-- raises exception on WI-V3.0.5.33118 (date: 11.04.19): Statement failed, SQLSTATE = 28000 / Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
But this error can occur within wide scopr of iterations. On my machine (Win 8.1) this is scope from 5 to ~250.

Error was gone on WI-V3.0.5.33139 - at least for first 10'000 iterations there was no exception.
But if some kind of regression will occur in the future then NEW scope for getting error can be much larger than above mentioned - say, with lo bound = 3000 or 5000 or so.
This means that creating test with hard-coded upper bound for loop is almost useless.

After discuss with dimitr, it was decided to SKIP creation of test for this ticket.

Ticket's issue was *confirmed* by executing following script:
=======
connect 'localhost:e30' user sysdba password 'masterkey';
create or alter user c6038_srp password 'c6038_srp' using plugin Srp;
commit;
connect 'localhost:e30' user c6038_srp password 'c6038_srp';
commit;
connect 'localhost:e30' user sysdba password 'masterkey';
drop user c6038_srp using plugin Srp;
exit;
=======
-- raises exception on WI-V3.0.5.33118 (date: 11.04.19): Statement failed, SQLSTATE = 28000 / Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
But this error can occur within wide scopr of iterations. On my machine (Win 8.1) this is scope from 5 to ~250.

Error was gone on WI-V3.0.5.33139 - at least for first 10'000 iterations there was no exception.
But if some kind of regression will occur in the future then NEW scope for getting error can be much larger than above mentioned - say, with lo bound = 3000 or 5000 or so.
This means that creating test with hard-coded upper bound for loop is almost useless.

After discuss with dimitr, it was decided to SKIP creation of test for this ticket.

Pavel Zotov made changes - 06/Jun/19 05:53 AM
Resolution Fixed [ 1 ]
Status Closed [ 6 ] Reopened [ 4 ]
Pavel Zotov made changes - 06/Jun/19 05:59 AM
Status Reopened [ 4 ] Reopened [ 4 ]
Test Details Ticket's issue was *confirmed* by executing following script:
=======
connect 'localhost:e30' user sysdba password 'masterkey';
create or alter user c6038_srp password 'c6038_srp' using plugin Srp;
commit;
connect 'localhost:e30' user c6038_srp password 'c6038_srp';
commit;
connect 'localhost:e30' user sysdba password 'masterkey';
drop user c6038_srp using plugin Srp;
exit;
=======
-- raises exception on WI-V3.0.5.33118 (date: 11.04.19): Statement failed, SQLSTATE = 28000 / Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
But this error can occur within wide scopr of iterations. On my machine (Win 8.1) this is scope from 5 to ~250.

Error was gone on WI-V3.0.5.33139 - at least for first 10'000 iterations there was no exception.
But if some kind of regression will occur in the future then NEW scope for getting error can be much larger than above mentioned - say, with lo bound = 3000 or 5000 or so.
This means that creating test with hard-coded upper bound for loop is almost useless.

After discuss with dimitr, it was decided to SKIP creation of test for this ticket.

Ticket was reopened after discuss with alex and dimitr.
Test is ready but new problem detected on Classic: SYSDBA after some number of iterations (usually no more than 100) get exception on attempt to execute "DROP USER" statemewnt:
336723990 : record not found for user: <selected_user_name>
After this connect to database with <selected_user_name> will fail.

Sent letter to alex and dimitr, 06.06.2019 08:29. Waiting for reply.
QA Status Cannot be tested Deferred
Pavel Zotov made changes - 11/Jun/19 05:36 PM
Status Reopened [ 4 ] Reopened [ 4 ]
Test Details Ticket was reopened after discuss with alex and dimitr.
Test is ready but new problem detected on Classic: SYSDBA after some number of iterations (usually no more than 100) get exception on attempt to execute "DROP USER" statemewnt:
336723990 : record not found for user: <selected_user_name>
After this connect to database with <selected_user_name> will fail.

Sent letter to alex and dimitr, 06.06.2019 08:29. Waiting for reply.
QA Status Deferred Done successfully
Pavel Zotov made changes - 11/Jun/19 05:36 PM
Status Reopened [ 4 ] Closed [ 6 ]
Resolution Fixed [ 1 ]