Fix make_scrambled_password segmentation fault bug when password is longer than 26 characters
Hello, I found a segmentation fault bug when using a long password (longer than 26 characters, like 32) in the make_scrambled_password function.
While creating the password with SHA-1, the temporary variable h0 is set to zero to clear it. But, for now, h0 is set to zero up to the length of the password.
The h0 variable is just 20 bytes, but the password can be set to 255 characters. So if the password is too long, I think it will clean up data even outside of the h0 variable's range.
This PR sets h0 to zero only for the size of h0, so that the segmentation fault does not occur.
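The clearing pattern described above, reduced to a stand-alone C program (an added example, not code from this project or from the PR): it runs both variants inside one 256-byte region so the overrun stays in bounds of the demo, and counts the bytes zeroed past the 20-byte h0. The function names, the 0xAA fill and the sample password are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20   /* h0 is 20 bytes, per the PR description */
#define REGION_LEN 256  /* constructed: h0 plus stand-in neighbouring data */

/* Bug pattern as described: the clear length comes from the password. */
static void clear_by_password_len(unsigned char *h0, const char *password)
{
    memset(h0, 0, strlen(password));
}

/* Fixed pattern: the clear length is the size of the buffer itself.
 * Writing through a volatile pointer keeps the compiler from dropping
 * the clear as a dead store. */
static void clear_by_digest_size(unsigned char *h0, size_t h0_size)
{
    volatile unsigned char *p = h0;
    while (h0_size--)
        *p++ = 0;
}

/* Runs one variant on a region whose first DIGEST_LEN bytes stand in for h0
 * and returns how many bytes past h0 were zeroed. Password must be shorter
 * than REGION_LEN (the PR states a 255-character maximum). */
size_t neighbour_bytes_clobbered(const char *password, int use_fix)
{
    unsigned char region[REGION_LEN];
    size_t i, clobbered = 0;

    memset(region, 0xAA, sizeof region);  /* 0xAA marks untouched bytes */
    if (use_fix)
        clear_by_digest_size(region, DIGEST_LEN);
    else
        clear_by_password_len(region, password);

    for (i = DIGEST_LEN; i < REGION_LEN; i++)
        if (region[i] == 0)
            clobbered++;
    return clobbered;
}

int main(void)
{
    const char *pw = "0123456789abcdef0123456789abcdef"; /* constructed, 32 chars */
    printf("password-length clear: %zu bytes past h0\n", neighbour_bytes_clobbered(pw, 0));
    printf("sizeof(h0) clear:      %zu bytes past h0\n", neighbour_bytes_clobbered(pw, 1));
    return 0;
}
```

In the real function those extra bytes are whatever sits next to h0 on the stack, so the password length at which the process crashes depends on the compiler and stack layout.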
Thanks for your PR. I'm creating a test to cover this issue and will then merge the patch.
Further to this - I'm wondering whether we should actually keep this code; the 323 method was proven insecure a long, long time ago. What use is it nowadays?
What use is it nowadays?
Well, you're right. This algorithm is insecure, so MySQL dropped it a long time ago. But I think, as in our case, a lot of users have been using this library with the 323 method for their authentication for a long time 😅
Thanks for the reply. I guess it's time to encourage them to move on to something that's actually secure then. I'll add a new flag to the meson configuration to enable deprecated algorithms and make this (and other insecure ones) deprecated and disabled by default.
Maybe we can trigger a notice into syslog mentioning this algo is insecure, nudging people to migrate to a more modern alternative? Sort of as a first step towards deprecation.