World: r3wp
[MySQL]
| older newer | first last |
| Pekr 9-Jan-2006 [233x5] | there is read-packet and write-packet functions ... |
in write-packet, there is part, where he simply sends passwd and calls 'scramble on it ... scramble decides upon protocol V9 or V10 version, and calls crypt-v9 or crypt-v10 accordingly, those two call hash-v9 or hash-v10 .... | |
simply put - server sends you a "seed", that is stored in 'crypt-seed ... you then use that seed for your hashing ... | |
I was not able to find-out, what just does v9 or V10 protocol mean? maybe mySQL protocol version ... | |
but dunno also, if it has anything in commone with password method used, as you can simply use old or new scheme with new server version ... | |
| Volker 9-Jan-2006 [238] | Yes. "It supports server protocols v9 and v10, so it should work with all versions of mySQL." http://softinnov.org/rebol/mysql-usage.html |
| Pekr 9-Jan-2006 [239x2] | how do I automatically distinguish what version is mySQL communicating with me when sending me a seed is unknown to me yet ... |
I mean - what password version ... | |
| Volker 9-Jan-2006 [241] | On server-side it is marked with a "*" as first char. |
| Pekr 9-Jan-2006 [242x2] | I just know that mySQL distinguishes it for itself simply by using asterisk as a first char in password ... |
nice - checksum/secure "mypass" = checsum/method "mypass" 'sha1 | |
| Volker 9-Jan-2006 [244] | Does this help? http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html |
| Pekr 9-Jan-2006 [245] | so maybe we are closer to solution then it might seem :-) with older password schemes, maybe all those funcs were needed, as 'sha1standard was not used? |
| Volker 9-Jan-2006 [246] | could be. |
| Pekr 9-Jan-2006 [247] | thanks for the above link, informative ... clears some bits for me ... |
| Volker 9-Jan-2006 [248] | That article says password-length is given by a count-byte. |
| Pekr 9-Jan-2006 [249x4] | Doc already has 'long-password constant there, but it is not further used ... |
what do you mean by "count-byte"? | |
ah, length? passwd? | |
but - server does not send password, only the 'seed ... | |
| Volker 9-Jan-2006 [253] | look for "preceeded with a single byte". yes, length. |
| Pekr 9-Jan-2006 [254] | ok, going for lunch .... I will look into it later ... thanks for the tips ... |
| Volker 9-Jan-2006 [255x2] | its not the password, its this sha1-thing i guess. |
it says "usually 20", like the cha1-length. Good lunch. | |
| Pekr 9-Jan-2006 [257] | yes, hash is 20 bytes long, but server sends you a seed, which is shorter ... if I will not be able to distinguish by seed-lenght, then I will have to look elsewhere ... will check-on long-password constant ... |
| Volker 9-Jan-2006 [258] | salt is sended before that, Salt="yF/WHCWj" |
| Pekr 9-Jan-2006 [259x2] | salt = seed ... |
password is never sent .... | |
| Volker 9-Jan-2006 [261x2] | i think so. and a PROTOCOL_41 in a line nearby. |
yes, it says scrambeled password. i guess the clients sends the length and then that sha1-wrangled thing. | |
| Pekr 9-Jan-2006 [263] | so I have to find a way, how to distinguish, what passwd version is stored on the server ... it starts with asterisk, so the server easily knows, but seed does not start with asterisk ... which is a pity, would be trivial :-) |
| Volker 9-Jan-2006 [264x2] | Caps=LONG_FLAG | CONNECT_WITH_DB | COMPRESS | TRANSACTIONS | PROTOCOL_41 | SECURE_CONNECTION |
is send by the server. | |
| Pekr 9-Jan-2006 [266x2] | and? |
protocol_41 means a long password? | |
| Volker 9-Jan-2006 [268] | i hope so. reminds on mysql 4.1 |
| Pekr 9-Jan-2006 [269x2] | btw - from description it seems to me that seed is the random string ... |
but you can use 4.11 with old password ... well, will look into it, - other than that it seems to me I might be able to fix the scheme in less than 10 minutes now :-) | |
| Volker 9-Jan-2006 [271] | maybe it relies on the count-byte you send? |
| Pekr 9-Jan-2006 [272] | fix=make it working - we will see - not just with automatic distinguishing what password scheme should be used .... good doc, Volker! I searched Google yesterday, but did not find the one describing the protocol ... |
| Volker 9-Jan-2006 [273] | then look how Doc parses this header, maybe you can hexdump it and test with old and new password? |
| Pekr 9-Jan-2006 [274x3] | The new authentication is performed in following manner:
SERVER: public_seed=create_random_string()
send(public_seed)
CLIENT: recv(public_seed)
hash_stage1=sha1("password")
hash_stage2=sha1(hash_stage1)
reply=xor(hash_stage1, sha1(public_seed,hash_stage2)
// this three steps are done in scramble()
send(reply)
SERVER: recv(reply)
hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
candidate_hash2=sha1(hash_stage1)
check(candidate_hash2==hash_stage2)
// this three steps are done in check_scramble()
|
he does nice job, he puts it into words ... | |
just went away for lunch :-) | |
| Volker 9-Jan-2006 [277] | CLIENT: recv(public_seed) //must be that salt-thing zapadapadu password send(reply) //must be the scrambled password, makes no sense otherwise. |
| Anton 9-Jan-2006 [278] | Doc probably wanted his script to work independently of Pro and Command. (or, that method wasn't implemented at that time). |
| Volker 9-Jan-2006 [279] | I think so. I guess they used no sha1 and rebol had nothing inbuild. now checksum/secure matches perfect. |
| Pekr 9-Jan-2006 [280] | hmm, sadly, there is probably bug in protocol read-out directly. I thought that salt (seed) is those 8 bytes only. It is so, only if old password scheme is used, otherwise another 12 bytes follow. But Doc keeps only 8 bytes in crypt-seed word no matter what protocol password version is used ... |
| Volker 9-Jan-2006 [281x2] | The host sends an initial greeting in docu, do-handshake: in Docs code. |
you see the first entries match. | |
| older newer | first last |