From cb8b4546cb0cacfadefc1dc779bb5bee1ef1eb89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 1 Jun 2020 19:28:48 +0300
Subject: [PATCH] Don't use client SHA1 for fake responses

When a fake handshake response is generated for a connection that hasn't received the server's handshake, the client's SHA1 would be used with a static scramble. This, in theory, would weaken the authentication to some extend so to completely prevent this, a null password is used. This removes any possibility of the password being exposed.
---
 server/modules/protocol/MySQL/mariadbbackend/mysql_backend.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.cc b/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.cc
index e23890ff5..3362a022a 100644
--- a/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.cc
+++ b/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.cc
@@ -1416,6 +1416,10 @@ static int gw_backend_close(DCB* dcb)
 {
 MYSQL_session client;
 gw_get_shared_session_auth_info(dcb, &client);
+
+ // Don't use the actual client SHA1. This prevents the password from being used with the constant
+ // null scramble we use in these cases.
+ memset(client.client_sha1, 0, sizeof(client.client_sha1));
 memset(proto->scramble, 0, sizeof(proto->scramble));
 dcb_write(dcb, gw_generate_auth_response(&client, proto, false, false, 0));
 }
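Review bot: Whether the zeroed `client_sha1` is really treated as a "null password", as the commit message says, depends on `gw_generate_auth_response`, which lies outside the hunk: if it keys on a separate length or flag field of `MYSQL_session` rather than on the buffer contents, it will still scramble a 20-byte all-zero "hash" against the all-zero `proto->scramble`, which is harmless for secrecy but not the same thing, so this is worth confirming against that function. The added comment could also state the actual risk so the wipe is not removed later: `// Never feed the real SHA1(password) to the constant all-zero scramble below: with mysql_native_password the token it produces, combined with the stored SHA1(SHA1(password)), would reveal the client hash to anyone who can read the backend stream.` Note that `gw_get_shared_session_auth_info` has already copied the real hash into this stack-local `client` before the memset, so the wipe only keeps it out of the wire response; if `MYSQL_session` carries other secrets they remain in the local for the rest of the block. `gw_backend_close` starts before this hunk and presumably continues after the closing brace shown.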