World: r3wp

I implemented scramble-long function as follows:

scramble-long: func [pass port][
     hash-stage1: checksum/method port/locals/long-seed 'sha1
     hash-stage2: checksum/method hash-stage1 'sha1

     to-string xor hash-stage1 (checksum/method/key port/locals/long-seed 
     'sha1 hash-stage2)
]

I simply don't know how to rewrite in rebol using 'checksum following 
line:

reply=xor(hash_stage1, sha1(public_seed, hash_stage2))

uh, there is a bug on first line of my func above - hash-stage1: 
checksum/method pass 'sha1 .... but it does not work anyway ...

the C equivalent is in 'scramble(), posted on rebol.cz link earlier 
....

if you look into scrambel(), they use sha1_reset, input, result function 
calls, which is imo equivalent of rebol using ports - opening, inserting, 
copying the result ... all this is also equivalent to checksum/secure 
"my-string" .... but, in one place, they call sha1_input two times, 
and I dunno what it does mean ...

I have rather bad feeling, that those two consecutive sha1_input 
calls will be show stopper for checksum to be used ....

I found sha1.c funcs in mySQL distro, I will post it in two hours 
to ftp, as I don't have account access here ...

just to let you know, Doc is looking into mysql 5 issues 8)

ah, so ... I am so near :-)

I fixed the protocol .... just latest bit is needed :-)

if you have contact to Doc, you can let him know that I can give 
him some pointers ... well, you can point his to this group discussion 
....

(it is available also via web, in the case he does not have altme 
anymore)

Hi, you did well by making this group web visible, I have no more 
time to chat on AltMe only checking sometime the web export of AltMe 
channels.

hi Doc!

I have a couple of hours to hack someething for MySQL v5 support.

I just felt ppl feel frustrated about not being able to connect ...

can I sum for you?

I'll try to reuse your code for scrambling, it will save me time 
looking in the sources of MySQL server.

Yes, please :-).

OK, so first - handshake is not complete parsing full headers ...

I'm currently adding code to process the remaing headers. I'm retrieving 
the second part of the seed.

I added read-byte (charset), read-int (server-status), 13 skip (not-used), 
read-string (the rest of seed)

We agree ;)

so I extended also locals-class by those variables ...

ok

I'll do the same

next things, which can/or does not need to be solved is read-packet 
port following send-packed after handshake - IF the server is new 
one, but it does not use new passwords, it will reply with Oxfe

but - maybe we don't need to care to do it so automatically.....

ppl will be happy to connect to new versions ....

we also found out, that new shceme uses sha1 .... which is ok with 
checksum/secure ...

however:


if you look into scramble(), they use sha1_reset, input, result function 
calls, which is imo equivalent of rebol using ports - opening, inserting, 
copying the result ... all this is also equivalent to checksum/secure 
"my-string" .... but, in one place, they call sha1_input two times, 
and I dunno what it does mean ...

scheme used between client, server:

The new authentication is performed in following manner:

  SERVER:  public_seed=create_random_string()
           send(public_seed)

  CLIENT:  recv(public_seed)
           hash_stage1=sha1("password")
           hash_stage2=sha1(hash_stage1)
           reply=xor(hash_stage1, sha1(public_seed,hash_stage2)

           // this three steps are done in scramble() 

           send(reply)

     
  SERVER:  recv(reply)
           hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
           candidate_hash2=sha1(hash_stage1)
           check(candidate_hash2==hash_stage2)

           // this three steps are done in check_scramble()

http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html

http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html

Now - sorry if I am breaking some licenses, but I will post some 
stuff to my website, and remove it once we are finished:

http://www.rebol.cz/mysql/mysql-protocol.r
http://www.rebol.cz/mysql/password.c

above some usefull links collected ...

btw- where do crypt-v10, hash-v10 and 9 come from?

MySQL client sources

Did you implement your scrambler according some earlier mysql sources?

I wonder if they will be needed ...

from 3.x versions

I'll keep them for ppl still using 3.x server versions

rebol now has checksum/secure ....

ok ....

Is 'sha1 encoding available in free REBOL cores ?

the strange things is, there is long-password flag, but server somehow 
does not report it during negotiation ...

yes, in cores - try help checksum ... wait a bit ...

>> help checksum
USAGE:

    CHECKSUM data /tcp /secure /hash size /method word /key key-value

DESCRIPTION:
     Returns a CRC or other type of checksum.
     CHECKSUM is a native value.

ARGUMENTS:
     data -- Data to checksum (Type: any-string)

REFINEMENTS:
     /tcp -- Returns an Internet TCP 16-bit checksum.
     /secure -- Returns a cryptographically secure checksum.
     /hash -- Returns a hash value
         size -- Size of the hash table (Type: integer)
     /method -- Method to use
         word -- Method: SHA1 MD5 (Type: word)
     /key -- Returns keyed HMAC value
         key-value -- Key to use (Type: any-string)

so basically checksum/secure checksum/secure "mypass" gives exactly 
the same result as in mysql doc page posted above.....

however, the trouble imo comes from sha1(public-seed, hash_stage2) 
... it calls two times sha1_input, without reading out the result 
first ... I am afraid that maybe we will have to reimplement all 
hashing functions in rebol now?