database/tidb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fad1e7eca163b8317faaba67bcb67b8e6b99660c
tidb/util/auth.go
louishust f453b19341 privileges: Upgrade stored password format to Compatible with MySQL. (#3292) 
Password stored in mysql.user of TIDB is the format of SHA1(pwd),
which is not compatible with MySQL.
Different password format will cause user migrate data from MySQL
login failed on TIDB.
2017-06-01 09:37:41 +08:00

79 lines
2.2 KiB
Go
Raw Blame History

// Copyright 2015 PingCAP, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
package util
import (
"bytes"
"crypto/sha1"
"encoding/hex"
"fmt"
"github.com/juju/errors"
)
// CheckScrambledPassword check scrambled password received from client.
// The new authentication is performed in following manner:
// SERVER: public_seed=create_random_string()
// send(public_seed)
// CLIENT: recv(public_seed)
// hash_stage1=sha1("password")
// hash_stage2=sha1(hash_stage1)
// reply=xor(hash_stage1, sha1(public_seed,hash_stage2)
// // this three steps are done in scramble()
// send(reply)
// SERVER: recv(reply)
// hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
// candidate_hash2=sha1(hash_stage1)
// check(candidate_hash2==hash_stage2)
// // this three steps are done in check_scramble()
func CheckScrambledPassword(salt, hpwd, auth []byte) bool {
crypt := sha1.New()
crypt.Write(salt)
crypt.Write(hpwd)
hash := crypt.Sum(nil)
// token = scrambleHash XOR stage1Hash
for i := range hash {
hash[i] ^= auth[i]
}
return bytes.Equal(hpwd, Sha1Hash(hash))
}
// Sha1Hash is an util function to calculate sha1 hash.
func Sha1Hash(bs []byte) []byte {
crypt := sha1.New()
crypt.Write(bs)
return crypt.Sum(nil)
}
// EncodePassword converts plaintext password to hashed hex string.
func EncodePassword(pwd string) string {
if len(pwd) == 0 {
return ""
}
hash1 := Sha1Hash([]byte(pwd))
hash2 := Sha1Hash(hash1)
return fmt.Sprintf("*%X", hash2)
}
// DecodePassword converts hex string password without prefix '*' to byte array.
func DecodePassword(pwd string) ([]byte, error) {
x, err := hex.DecodeString(pwd[1:])
if err != nil {
return nil, errors.Trace(err)
}
return x, nil
}
Reference in New Issue View Git Blame Copy Permalink