From 860d6b3f06a60c0d90426ee0f957dd3c93c0b4c6 Mon Sep 17 00:00:00 2001
From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
Date: Thu, 19 Apr 2018 13:07:52 +0300
Subject: [PATCH] session: move salt into iproto connection
Session salt is 32 random bytes, that are used to encode password
when a user is authorized. The salt is not used in non-binary
sessions, and can be moved to iproto connection.
---
src/box/authentication.cc | 4 ++--
src/box/authentication.h | 3 ++-
src/box/box.cc | 4 ++--
src/box/box.h | 2 +-
src/box/iproto.cc | 17 ++++++++++++-----
src/box/session.cc | 3 ---
src/box/session.h | 4 ----
7 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/src/box/authentication.cc b/src/box/authentication.cc
index fef549c550..811974cb9c 100644
--- a/src/box/authentication.cc
+++ b/src/box/authentication.cc
@@ -37,7 +37,7 @@
static char zero_hash[SCRAMBLE_SIZE];
void
-authenticate(const char *user_name, uint32_t len,
+authenticate(const char *user_name, uint32_t len, const char *salt,
const char *tuple)
{
struct user *user = user_find_by_name_xc(user_name, len);
@@ -84,7 +84,7 @@ authenticate(const char *user_name, uint32_t len,
"invalid scramble size");
}
- if (scramble_check(scramble, session->salt, user->def->hash2)) {
+ if (scramble_check(scramble, salt, user->def->hash2)) {
auth_res.is_authenticated = false;
if (session_run_on_auth_triggers(&auth_res) != 0)
diag_raise();
diff --git a/src/box/authentication.h b/src/box/authentication.h
index e91fe0a0e1..9935e35487 100644
--- a/src/box/authentication.h
+++ b/src/box/authentication.h
@@ -45,6 +45,7 @@ struct on_auth_trigger_ctx {
void
-authenticate(const char *user_name, uint32_t len, const char *tuple);
+authenticate(const char *user_name, uint32_t len, const char *salt,
+ const char *tuple);
#endif /* INCLUDES_TARANTOOL_BOX_AUTHENTICATION_H */
diff --git a/src/box/box.cc b/src/box/box.cc
index 9edf822481..1bdd9f76ae 100644
--- a/src/box/box.cc
+++ b/src/box/box.cc
@@ -1267,7 +1267,7 @@ box_on_join(const tt_uuid *instance_uuid)
}
void
-box_process_auth(struct auth_request *request)
+box_process_auth(struct auth_request *request, const char *salt)
{
rmean_collect(rmean_box, IPROTO_AUTH, 1);
@@ -1277,7 +1277,7 @@ box_process_auth(struct auth_request *request)
const char *user = request->user_name;
uint32_t len = mp_decode_strl(&user);
- authenticate(user, len, request->scramble);
+ authenticate(user, len, salt, request->scramble);
}
void
diff --git a/src/box/box.h b/src/box/box.h
index e94c48cc65..f0183aa236 100644
--- a/src/box/box.h
+++ b/src/box/box.h
@@ -150,7 +150,7 @@ box_reset_stat(void);
} /* extern "C" */
void
-box_process_auth(struct auth_request *request);
+box_process_auth(struct auth_request *request, const char *salt);
void
box_process_join(struct ev_io *io, struct xrow_header *header);
diff --git a/src/box/iproto.cc b/src/box/iproto.cc
index 9421127454..16f2d1ef49 100644
--- a/src/box/iproto.cc
+++ b/src/box/iproto.cc
@@ -48,6 +48,7 @@
#include "coio.h"
#include "scoped_guard.h"
#include "memory.h"
+#include "random.h"
#include "port.h"
#include "box.h"
@@ -63,6 +64,8 @@
#include "applier.h"
#include "cfg.h"
+enum { IPROTO_SALT_SIZE = 32 };
+
/**
* Network readahead. A signed integer to avoid
* automatic type coercion to an unsigned type.
@@ -362,6 +365,8 @@ struct iproto_connection
/** Pointer to the current output buffer. */
struct obuf *p_obuf;
} tx;
+ /** Authentication salt. */
+ char salt[IPROTO_SALT_SIZE];
};
static struct mempool iproto_connection_pool;
@@ -1421,9 +1426,10 @@ static void
tx_process_misc(struct cmsg *m)
{
struct iproto_msg *msg = tx_accept_msg(m);
- struct obuf *out = msg->connection->tx.p_obuf;
+ struct iproto_connection *con = msg->connection;
+ struct obuf *out = con->tx.p_obuf;
- tx_fiber_init(msg->connection->session, msg->header.sync);
+ tx_fiber_init(con->session, msg->header.sync);
if (tx_check_schema(msg->header.schema_version))
goto error;
@@ -1431,7 +1437,7 @@ tx_process_misc(struct cmsg *m)
try {
switch (msg->header.type) {
case IPROTO_AUTH:
- box_process_auth(&msg->auth);
+ box_process_auth(&msg->auth, con->salt);
iproto_reply_ok_xc(out, msg->header.sync,
::schema_version);
break;
@@ -1584,8 +1590,9 @@ tx_process_connect(struct cmsg *m)
static __thread char greeting[IPROTO_GREETING_SIZE];
/* TODO: dirty read from tx thread */
struct tt_uuid uuid = INSTANCE_UUID;
- greeting_encode(greeting, tarantool_version_id(),
- &uuid, con->session->salt, SESSION_SEED_SIZE);
+ random_bytes(con->salt, IPROTO_SALT_SIZE);
+ greeting_encode(greeting, tarantool_version_id(), &uuid,
+ con->salt, IPROTO_SALT_SIZE);
obuf_dup_xc(out, greeting, IPROTO_GREETING_SIZE);
if (! rlist_empty(&session_on_connect)) {
if (session_run_on_connect_triggers(con->session) != 0)
diff --git a/src/box/session.cc b/src/box/session.cc
index ea6d76bb4a..3d787bd51f 100644
--- a/src/box/session.cc
+++ b/src/box/session.cc
@@ -33,7 +33,6 @@
#include "memory.h"
#include "assoc.h"
#include "trigger.h"
-#include "random.h"
#include "user.h"
#include "error.h"
@@ -96,8 +95,6 @@ session_create(int fd, enum session_type type)
/* For on_connect triggers. */
credentials_init(&session->credentials, guest_user->auth_token,
guest_user->def->uid);
- if (fd >= 0)
- random_bytes(session->salt, SESSION_SEED_SIZE);
struct mh_i64ptr_node_t node;
node.key = session->id;
node.val = session;
diff --git a/src/box/session.h b/src/box/session.h
index 4f9235ea83..c387e6f95f 100644
--- a/src/box/session.h
+++ b/src/box/session.h
@@ -47,8 +47,6 @@ session_init();
void
session_free();
-enum { SESSION_SEED_SIZE = 32, SESSION_DELIM_SIZE = 16 };
-
enum session_type {
SESSION_TYPE_BACKGROUND = 0,
SESSION_TYPE_BINARY,
@@ -86,8 +84,6 @@ struct session {
*/
uint64_t sync;
enum session_type type;
- /** Authentication salt. */
- char salt[SESSION_SEED_SIZE];
/** Session user id and global grants */
struct credentials credentials;
/** Trigger for fiber on_stop to cleanup created on-demand session */
--
GitLab