r3wp [groups: 83 posts: 189283]

World: r3wp

[MySQL]

Pekr
8-Jan-2006
[185]
So - I did some homework here, but I am at my limits (well, maybe 
not, but I will be very slow from now on), whereas we have people knowing 
C here, and people who did some hashing etc. for Beer (Ladislav), so 
guys, if you find some 10 minutes of spare time, please at least 
try to give me some pointers here. As I said - the world is upgrading 
MySQL to 5.0 now, so 4.11 is older, not to mention 4.0.1 or 3.23. 
It is about having a MySQL-free scheme for rebol, or not. And don't 
think every admin will be willing to set the old-password parameter for 
his server, as this can be regarded as a security risk ...
Pekr
9-Jan-2006
[186]
.
Graham
9-Jan-2006
[187]
I think someone needs to pay someone to fix it.
Pekr
9-Jan-2006
[188]
:-)
Graham
9-Jan-2006
[189]
You have these open source sites where a developer offers to fix 
something for a sum.  The community then collects the money and pays 
the developer.  Whoever needs this, will donate to have this done.
Pekr
9-Jan-2006
[190]
how much, and to whom?
Graham
9-Jan-2006
[191x2]
someone first off needs to say that they will do it, and for how 
much.
Jeff could probably do it.
Pekr
9-Jan-2006
[193]
I suggested such a model a long time ago already. I used it with rebol 
in the past too ... so just - how much, and who does it? :-)
Graham
9-Jan-2006
[194x3]
Ask him how much he wants, and then see who is interested in contributing.
There must be quite a few rebol users using mysql.
if no one contributes .. then clearly it's not worth doing.
Pekr
9-Jan-2006
[197]
I will see what comes up on ml ....
Graham
9-Jan-2006
[198]
People have to earn a living ..
Pekr
9-Jan-2006
[199x4]
anton (sorry, can't write capital "a", my keyboard broken :-), the 
trouble is that I can see some people frustrated at ml .....
I don't know any other language which would not have a mysql scheme 
....
I did some preparations even for a plug-in ... but nothing happened. 
To have an NS kind of plug-in, not much C wrapper code would be needed, 
imo!
Not investing much money in our PC shop, I would pay some people myself 
to do the job for me :-(
Anton
9-Jan-2006
[203]
I'd be crazy to add this to my schedule now. But ask me in about 
a month and I might look into it then.
Pekr
9-Jan-2006
[204x3]
working on some rebol stuff, if I might ask?
I would at least like to know if checksum/secure uses the typical SHA1 
method?
notice : this group is now web-public
Anton
9-Jan-2006
[207x2]
Of course, rebol, but also looking at getting broadband, and fixing 
other people's computers :-( (Trojans galore last week.)
Goodness me, Petr, the checksum/secure question can be sooo easily 
answered. So easily, that I think an experienced reboler such as 
yourself in posing this question must be implying something else.
Pekr
9-Jan-2006
[209]
I don't understand what you mean here. I probably know, from its 
help, that it supports md5 and sha1, but dunno how to use such a fact 
in regards to the mysql scheme. Why did Doc code his own functions then? 
Or is it just that older auth schemes did not use typical sha1 hashing?
sqlab
9-Jan-2006
[210]
Only the /pro, /command and sdk versions have these functions exposed
Pekr
9-Jan-2006
[211]
really?
sqlab
9-Jan-2006
[212]
If I remember, otherwise there is only encloak
Pekr
9-Jan-2006
[213]
I am not talking about encryption, just looking into the 'checksum function 
help ... I just need hash ...
Anton
9-Jan-2006
[214]
We need the C code that they use to generate the checksum. That way 
we might see some comments or code which tell us how it is computed 
and if rebol's builtin checksum also does it.
Pekr
9-Jan-2006
[215x2]
I posted two links above to rebol.cz ...
Now - sorry if I am breaking some licenses, but I will post some 
stuff to my website, and remove it once we are finished:

http://www.rebol.cz/mysql/mysql-protocol.r
http://www.rebol.cz/mysql/password.c
Anton
9-Jan-2006
[217]
Yep, so now you can go and find the C code.
Pekr
9-Jan-2006
[218x3]
maybe this is a better description:

  The password is saved (in user.password) by using the PASSWORD() 
  function in mysql.

  This is a .c file because it's used in libmysqlclient, which is entirely 
  in C (we need it to be portable to a variety of systems).

  Example:
    update user set password=PASSWORD("hello") where user="test"
  This saves a hashed number as a string in the password field.

  The new authentication is performed in the following manner:

  SERVER:  public_seed=create_random_string()
           send(public_seed)

  CLIENT:  recv(public_seed)
           hash_stage1=sha1("password")
           hash_stage2=sha1(hash_stage1)
           reply=xor(hash_stage1, sha1(public_seed,hash_stage2))

           // these three steps are done in scramble()

           send(reply)

  SERVER:  recv(reply)
           hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
           candidate_hash2=sha1(hash_stage1)
           check(candidate_hash2==hash_stage2)

           // these three steps are done in check_scramble()
according to the above, it is not so difficult - the algorithm is as above 
...
what I am not sure about is whether I can use checksum to get the equivalent of 
the above sha1("password") ?
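The exchange quoted above, written out in Python as an added example (it is not code from the thread, from password.c, or from Doc's mysql-protocol.r), with hashlib.sha1 standing in for REBOL's checksum/secure. Two things are assumed rather than taken from the thread: the public seed is 20 bytes, and the value PASSWORD() stores is "*" followed by the 40 upper-case hex digits of sha1(sha1(password)). The last two functions only repeat the server's first step, to make visible what the algorithm itself implies: the stored hash from mysql.user plus one captured (seed, reply) pair yields sha1(password), and sha1(password) alone is enough to produce valid replies for any later seed.

```python
"""MySQL 4.1 password authentication (the sha1-based scramble) in Python.

Added example; not the thread's, password.c's or mysql-protocol.r's code.
Assumptions not stated in the thread: a 20-byte seed, and PASSWORD()
storing '*' + upper-case hex of sha1(sha1(password)).
"""
import hashlib
import hmac
import os
from typing import Optional

SCRAMBLE_LENGTH = 20  # SHA-1 digest size; the seed is assumed to be 20 bytes too


def sha1(*parts: bytes) -> bytes:
    """sha1 over the concatenation of parts, so sha1(a, b) == sha1(a || b)."""
    h = hashlib.sha1()
    for part in parts:
        h.update(part)
    return h.digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def password_hash(password: bytes) -> str:
    """What PASSWORD() stores in mysql.user: '*' + hex(sha1(sha1(password))).
    (The '*' prefix and upper-case hex are an assumption about the 4.1 format.)"""
    return "*" + sha1(sha1(password)).hex().upper()


def stored_stage2(password_field: str) -> bytes:
    """Turn the stored PASSWORD() string back into the raw hash_stage2 bytes."""
    if len(password_field) != 1 + 2 * SCRAMBLE_LENGTH or not password_field.startswith("*"):
        raise ValueError("not a 4.1-format password hash")
    return bytes.fromhex(password_field[1:])


def create_random_string() -> bytes:
    """SERVER step 1: the public seed. os.urandom stands in for MySQL's RNG."""
    return os.urandom(SCRAMBLE_LENGTH)


def scramble(password: bytes, public_seed: bytes) -> bytes:
    """CLIENT: reply = xor(hash_stage1, sha1(public_seed || hash_stage2))."""
    hash_stage1 = sha1(password)
    hash_stage2 = sha1(hash_stage1)
    return xor_bytes(hash_stage1, sha1(public_seed, hash_stage2))


def check_scramble(reply: bytes, public_seed: bytes, hash_stage2: bytes) -> bool:
    """SERVER: undo the xor to get hash_stage1, then check sha1(hash_stage1) == hash_stage2."""
    if len(reply) != SCRAMBLE_LENGTH:
        return False  # malformed reply; do not xor against a short buffer
    hash_stage1 = xor_bytes(reply, sha1(public_seed, hash_stage2))
    candidate_hash2 = sha1(hash_stage1)
    return hmac.compare_digest(candidate_hash2, hash_stage2)


def authenticate(password_field: str, client_password: bytes,
                 public_seed: Optional[bytes] = None) -> bool:
    """The whole exchange: server seeds, client scrambles, server checks."""
    if public_seed is None:
        public_seed = create_random_string()
    reply = scramble(client_password, public_seed)
    return check_scramble(reply, public_seed, stored_stage2(password_field))


def recover_stage1(reply: bytes, public_seed: bytes, hash_stage2: bytes) -> bytes:
    """Exactly the server's first check step. Anyone holding the stored hash
    and one captured (seed, reply) pair can run it and obtain sha1(password)."""
    return xor_bytes(reply, sha1(public_seed, hash_stage2))


def scramble_from_stage1(hash_stage1: bytes, public_seed: bytes) -> bytes:
    """A valid reply needs only hash_stage1, never the password itself."""
    hash_stage2 = sha1(hash_stage1)
    return xor_bytes(hash_stage1, sha1(public_seed, hash_stage2))


if __name__ == "__main__":
    field = password_hash(b"hello")          # what 'update user set password=PASSWORD("hello")' stores
    seed = create_random_string()
    print(field)
    print("correct password accepted:", authenticate(field, b"hello", seed))
    print("wrong password accepted:  ", authenticate(field, b"Hello", seed))
```

Run it and the first line printed is the 4.1-style PASSWORD("hello") string; the same function gives "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4" for "mypass", the value Anton gets from checksum/secure applied twice. Note that check_scramble is the only place the server needs hash_stage2, so the stored hash is never enough on its own to log in, but it is enough, together with a sniffed handshake, to recover hash_stage1 via recover_stage1 and log in afterwards with scramble_from_stage1.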
Anton
9-Jan-2006
[221x2]
Ah right:
checksum/secure checksum/secure "mypass"
== #{6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4}
looks same as in 
http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html
Pekr
9-Jan-2006
[223x2]
what is checksum/method "mypass" 'sha1 good for then?
does it mean the MySQL new password method is even more rebol friendly 
than it was in the past? hmm, if so, should it not be difficult to proceed 
from this point?
Volker
9-Jan-2006
[225]
that checksum has only 20 digits?
'sha1, maybe more explicit?
Pekr
9-Jan-2006
[226x2]
the above scheme, what the client does, and what the server does, should be sufficient 
to achieve the result?
I just wonder why Doc implemented the scrambler in such a complicated way 
then? Maybe older mysql did so too (some non-standard mechanism). 
Doc implemented 'floor, crypt-v9, crypt-v10, scramble, hash-v9, hash-v10 
in his scrambler object...
Volker
9-Jan-2006
[228x2]
looks like a direct translation of the c-code to me.
i think it would be enough if you figure out how Doc sends data 
to the server. Have no experience with mysql unfortunately, always using 
files..
Pekr
9-Jan-2006
[230x2]
I figured it out ...
:-)
Volker
9-Jan-2006
[232]
BTW, good research :)
Pekr
9-Jan-2006
[233x2]
there is read-packet and write-packet functions ...
in write-packet, there is part, where he simply sends passwd and 
calls 'scramble on it ... scramble decides upon protocol V9 or V10 
version, and calls crypt-v9 or crypt-v10 accordingly, those two call 
hash-v9 or hash-v10 ....