Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

caching_sha2_password iterations handling error #43576

Closed
asjdf opened this issue May 6, 2023 · 2 comments · Fixed by #43578
Closed

caching_sha2_password iterations handling error #43576

asjdf opened this issue May 6, 2023 · 2 comments · Fixed by #43578
Labels
severity/moderate sig/sql-infra SIG: SQL Infra type/bug The issue is confirmed as a bug.

Comments

@asjdf
Copy link
Contributor

asjdf commented May 6, 2023

Bug Report

1. Minimal reproduce step (Required)

In MySQL the default number of rounds is 5000. The MySQL server being tested has been configured with 10000 rounds using the caching_sha2_password_digest_rounds server system variable.

A hash with 10000 iterations gets retrieved that starts like this:

$A$00A$... instead of $A$010$...

2. What did you expect to see?

The number of iterations should be decoded in hexadecimal not decimal

related info

https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_caching_sha2_password_digest_rounds

hashcat/hashcat#3049

@asjdf asjdf added the type/bug The issue is confirmed as a bug. label May 6, 2023
@asjdf
Copy link
Contributor Author

asjdf commented May 6, 2023

related code :

rounds := fmt.Sprintf("%03d", iterations/ITERATION_MULTIPLIER)

iterations, err := strconv.Atoi(string(pwhashParts[2]))

@dveeden
Copy link
Contributor

dveeden commented May 8, 2023

This affects accounts that have an authentication_string in the mysql.user table that has a different value than \x30\x30\x35 (005). The 5 here means 5x1000=5000 iterations.

mysql> SELECT SUBSTRING(authentication_string FROM 4 FOR 3) FROM mysql.user WHERE user='testuser';
+-----------------------------------------------+
| SUBSTRING(authentication_string FROM 4 FOR 3) |
+-----------------------------------------------+
| 005                                           |
+-----------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT HEX(SUBSTRING(authentication_string FROM 4 FOR 3)) FROM mysql.user WHERE plugin='caching_sha2_password';
+----------------------------------------------------+
| HEX(SUBSTRING(authentication_string FROM 4 FOR 3)) |
+----------------------------------------------------+
| 303035                                             |
+----------------------------------------------------+
1 row in set (0.01 sec)

5000 iterations is hardcoded in TiDB in NewHashPassword for new caching_sha2_password password hashes.

In MySQL this can be configured with caching_sha2_password_digest_rounds, which also defaults to 5000.

mysql> SET PERSIST_ONLY caching_sha2_password_digest_rounds=10000;
Query OK, 0 rows affected (0.02 sec)

mysql> RESTART;
Query OK, 0 rows affected (0.01 sec)

mysql> CREATE USER 'foobar'@'%' IDENTIFIED WITH caching_sha2_password BY 'abcdefghij';
ERROR 2013 (HY000): Lost connection to MySQL server during query
No connection. Trying to reconnect...
Connection id:    8
Current database: *** NONE ***

Query OK, 0 rows affected (0.08 sec)

mysql> SELECT HEX(SUBSTRING(authentication_string FROM 4 FOR 3)) FROM mysql.user WHERE plugin='caching_sha2_password';
+----------------------------------------------------+
| HEX(SUBSTRING(authentication_string FROM 4 FOR 3)) |
+----------------------------------------------------+
| 303035                                             |
| 303041                                             | ←-----------
| 303035                                             |
| 303035                                             |
| 303035                                             |
| 303035                                             |
| 303035                                             |
| 303035                                             |
+----------------------------------------------------+
8 rows in set (0.00 sec)

mysql> SELECT SUBSTRING(authentication_string FROM 4 FOR 3) FROM mysql.user WHERE plugin='caching_sha2_password';
+-----------------------------------------------+
| SUBSTRING(authentication_string FROM 4 FOR 3) |
+-----------------------------------------------+
| 005                                           |
| 00A                                           | ←-----------
| 005                                           |
| 005                                           |
| 005                                           |
| 005                                           |
| 005                                           |
| 005                                           |
+-----------------------------------------------+
8 rows in set (0.01 sec)

So for 10*1000 = 10_000 iterations the correct value is \x30\x30\x41/00A.

So this impacts only accounts that were migrated from MySQL to TiDB and were created on MySQL with non-default settings for caching_sha2_password.

Example:

package main

import "fmt"

func main() {
	for _, v := range []int{5, 10} {
		fmt.Printf("%2d - dec: %#v\n", v, []byte(fmt.Sprintf("%03d", v)))
		fmt.Printf("%2d - hex: %#v\n", v, []byte(fmt.Sprintf("%03X", v)))
	}
}

output:

 5 - dec: []byte{0x30, 0x30, 0x35}
 5 - hex: []byte{0x30, 0x30, 0x35}
10 - dec: []byte{0x30, 0x31, 0x30}
10 - hex: []byte{0x30, 0x30, 0x41}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
severity/moderate sig/sql-infra SIG: SQL Infra type/bug The issue is confirmed as a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants