diff options
Diffstat (limited to 'ext/mysqlnd/mysqlnd_auth.c')
| -rw-r--r-- | ext/mysqlnd/mysqlnd_auth.c | 361 |
1 files changed, 310 insertions, 51 deletions
diff --git a/ext/mysqlnd/mysqlnd_auth.c b/ext/mysqlnd/mysqlnd_auth.c index e56ea20380..342005aa36 100644 --- a/ext/mysqlnd/mysqlnd_auth.c +++ b/ext/mysqlnd/mysqlnd_auth.c @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 7 | +----------------------------------------------------------------------+ - | Copyright (c) 2006-2018 The PHP Group | + | Copyright (c) The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -36,7 +36,7 @@ static const char * const mysqlnd_old_passwd = "mysqlnd cannot connect to MySQL /* {{{ mysqlnd_run_authentication */ enum_func_status mysqlnd_run_authentication( - MYSQLND_CONN_DATA * conn, + MYSQLND_CONN_DATA * const conn, const char * const user, const char * const passwd, const size_t passwd_len, @@ -44,11 +44,11 @@ mysqlnd_run_authentication( const size_t db_len, const MYSQLND_STRING auth_plugin_data, const char * const auth_protocol, - unsigned int charset_no, + const unsigned int charset_no, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags, - zend_bool silent, - zend_bool is_change_user + const zend_ulong mysql_flags, + const zend_bool silent, + const zend_bool is_change_user ) { enum_func_status ret = FAIL; @@ -89,6 +89,7 @@ mysqlnd_run_authentication( } } + { zend_uchar * switch_to_auth_protocol_data = NULL; size_t switch_to_auth_protocol_data_len = 0; @@ -113,10 +114,11 @@ mysqlnd_run_authentication( DBG_INF_FMT("salt(%d)=[%.*s]", plugin_data_len, plugin_data_len, plugin_data); /* The data should be allocated with malloc() */ if (auth_plugin) { - scrambled_data = - auth_plugin->methods.get_auth_data(NULL, &scrambled_data_len, conn, user, passwd, passwd_len, - plugin_data, plugin_data_len, session_options, - conn->protocol_frame_codec->data, mysql_flags); + scrambled_data = auth_plugin->methods.get_auth_data( + NULL, &scrambled_data_len, conn, user, passwd, + passwd_len, plugin_data, plugin_data_len, + session_options, conn->protocol_frame_codec->data, + mysql_flags); } if (conn->error_info->error_no) { @@ -127,6 +129,7 @@ mysqlnd_run_authentication( charset_no, first_call, requested_protocol, + auth_plugin, plugin_data, plugin_data_len, scrambled_data, scrambled_data_len, &switch_to_auth_protocol, &switch_to_auth_protocol_len, &switch_to_auth_protocol_data, &switch_to_auth_protocol_data_len @@ -177,23 +180,23 @@ end: /* {{{ mysqlnd_switch_to_ssl_if_needed */ static enum_func_status -mysqlnd_switch_to_ssl_if_needed(MYSQLND_CONN_DATA * conn, +mysqlnd_switch_to_ssl_if_needed(MYSQLND_CONN_DATA * const conn, unsigned int charset_no, - size_t server_capabilities, + const size_t server_capabilities, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags) + const zend_ulong mysql_flags) { enum_func_status ret = FAIL; const MYSQLND_CHARSET * charset; DBG_ENTER("mysqlnd_switch_to_ssl_if_needed"); if (session_options->charset_name && (charset = mysqlnd_find_charset_name(session_options->charset_name))) { - charset_no = charset->nr; + charset_no = charset->nr; } { - size_t client_capabilities = mysql_flags; - ret = conn->run_command(COM_ENABLE_SSL, conn, client_capabilities, server_capabilities, charset_no); + const size_t client_capabilities = mysql_flags; + ret = conn->command->enable_ssl(conn, client_capabilities, server_capabilities, charset_no); } DBG_RETURN(ret); } @@ -203,18 +206,18 @@ mysqlnd_switch_to_ssl_if_needed(MYSQLND_CONN_DATA * conn, /* {{{ mysqlnd_connect_run_authentication */ enum_func_status mysqlnd_connect_run_authentication( - MYSQLND_CONN_DATA * conn, + MYSQLND_CONN_DATA * const conn, const char * const user, const char * const passwd, const char * const db, - size_t db_len, - size_t passwd_len, - MYSQLND_STRING authentication_plugin_data, + const size_t db_len, + const size_t passwd_len, + const MYSQLND_STRING authentication_plugin_data, const char * const authentication_protocol, const unsigned int charset_no, - size_t server_capabilities, + const size_t server_capabilities, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { enum_func_status ret = FAIL; @@ -240,16 +243,19 @@ mysqlnd_auth_handshake(MYSQLND_CONN_DATA * conn, const char * const db, const size_t db_len, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags, - unsigned int server_charset_no, - zend_bool use_full_blown_auth_packet, + const zend_ulong mysql_flags, + const unsigned int server_charset_no, + const zend_bool use_full_blown_auth_packet, const char * const auth_protocol, + struct st_mysqlnd_authentication_plugin * auth_plugin, + const zend_uchar * const orig_auth_plugin_data, + const size_t orig_auth_plugin_data_len, const zend_uchar * const auth_plugin_data, const size_t auth_plugin_data_len, char ** switch_to_auth_protocol, - size_t * switch_to_auth_protocol_len, + size_t * const switch_to_auth_protocol_len, zend_uchar ** switch_to_auth_protocol_data, - size_t * switch_to_auth_protocol_data_len + size_t * const switch_to_auth_protocol_data_len ) { enum_func_status ret = FAIL; @@ -313,6 +319,11 @@ mysqlnd_auth_handshake(MYSQLND_CONN_DATA * conn, PACKET_FREE(&auth_packet); } + if (auth_plugin && auth_plugin->methods.handle_server_response) { + auth_plugin->methods.handle_server_response(auth_plugin, conn, + orig_auth_plugin_data, orig_auth_plugin_data_len, passwd, passwd_len); + } + if (FAIL == PACKET_READ(conn, &auth_resp_packet) || auth_resp_packet.response_code >= 0xFE) { if (auth_resp_packet.response_code == 0xFE) { /* old authentication with new server !*/ @@ -360,14 +371,14 @@ mysqlnd_auth_change_user(MYSQLND_CONN_DATA * const conn, const char * const db, const size_t db_len, const zend_bool silent, - zend_bool use_full_blown_auth_packet, + const zend_bool use_full_blown_auth_packet, const char * const auth_protocol, - zend_uchar * auth_plugin_data, - size_t auth_plugin_data_len, + const zend_uchar * const auth_plugin_data, + const size_t auth_plugin_data_len, char ** switch_to_auth_protocol, - size_t * switch_to_auth_protocol_len, + size_t * const switch_to_auth_protocol_len, zend_uchar ** switch_to_auth_protocol_data, - size_t * switch_to_auth_protocol_data_len + size_t * const switch_to_auth_protocol_data_len ) { enum_func_status ret = FAIL; @@ -548,10 +559,10 @@ static zend_uchar * mysqlnd_native_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self, size_t * auth_data_len, MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, - const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { zend_uchar * ret = NULL; @@ -596,7 +607,8 @@ static struct st_mysqlnd_authentication_plugin mysqlnd_native_auth_plugin = } }, {/* methods */ - mysqlnd_native_auth_get_auth_data + mysqlnd_native_auth_get_auth_data, + NULL } }; @@ -608,10 +620,10 @@ static zend_uchar * mysqlnd_pam_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self, size_t * auth_data_len, MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, - const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { zend_uchar * ret = NULL; @@ -645,7 +657,8 @@ static struct st_mysqlnd_authentication_plugin mysqlnd_pam_authentication_plugin } }, {/* methods */ - mysqlnd_pam_auth_get_auth_data + mysqlnd_pam_auth_get_auth_data, + NULL } }; @@ -749,10 +762,10 @@ static zend_uchar * mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self, size_t * auth_data_len, MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, - const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { RSA * server_public_key; @@ -820,11 +833,266 @@ static struct st_mysqlnd_authentication_plugin mysqlnd_sha256_authentication_plu } }, {/* methods */ - mysqlnd_sha256_auth_get_auth_data + mysqlnd_sha256_auth_get_auth_data, + NULL + } +}; +#endif + +/*************************************** CACHING SHA2 Password *******************************/ +#ifdef MYSQLND_HAVE_SSL + +#undef L64 + +#include "ext/hash/php_hash.h" +#include "ext/hash/php_hash_sha.h" + +#define SHA256_LENGTH 32 + +/* {{{ php_mysqlnd_scramble_sha2 */ +void php_mysqlnd_scramble_sha2(zend_uchar * const buffer, const zend_uchar * const scramble, const zend_uchar * const password, const size_t password_len) +{ + PHP_SHA256_CTX context; + zend_uchar sha1[SHA256_LENGTH]; + zend_uchar sha2[SHA256_LENGTH]; + + /* Phase 1: hash password */ + PHP_SHA256Init(&context); + PHP_SHA256Update(&context, password, password_len); + PHP_SHA256Final(sha1, &context); + + /* Phase 2: hash sha1 */ + PHP_SHA256Init(&context); + PHP_SHA256Update(&context, (zend_uchar*)sha1, SHA256_LENGTH); + PHP_SHA256Final(sha2, &context); + + /* Phase 3: hash scramble + sha2 */ + PHP_SHA256Init(&context); + PHP_SHA256Update(&context, (zend_uchar*)sha2, SHA256_LENGTH); + PHP_SHA256Update(&context, scramble, SCRAMBLE_LENGTH); + PHP_SHA256Final(buffer, &context); + + /* let's crypt buffer now */ + php_mysqlnd_crypt(buffer, (const zend_uchar *)sha1, (const zend_uchar *)buffer, SHA256_LENGTH); +} +/* }}} */ + + +/* {{{ mysqlnd_native_auth_get_auth_data */ +static zend_uchar * +mysqlnd_caching_sha2_get_auth_data(struct st_mysqlnd_authentication_plugin * self, + size_t * auth_data_len, + MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, + const MYSQLND_SESSION_OPTIONS * const session_options, + const MYSQLND_PFC_DATA * const pfc_data, + const zend_ulong mysql_flags + ) +{ + zend_uchar * ret = NULL; + DBG_ENTER("mysqlnd_caching_sha2_get_auth_data"); + DBG_INF_FMT("salt(%d)=[%.*s]", auth_plugin_data_len, auth_plugin_data_len, auth_plugin_data); + *auth_data_len = 0; + + DBG_INF("First auth step: send hashed password"); + /* copy scrambled pass*/ + if (passwd && passwd_len) { + ret = malloc(SHA256_LENGTH + 1); + *auth_data_len = SHA256_LENGTH; + php_mysqlnd_scramble_sha2((zend_uchar*)ret, auth_plugin_data, (zend_uchar*)passwd, passwd_len); + ret[SHA256_LENGTH] = '\0'; + DBG_INF_FMT("hash(%d)=[%.*s]", *auth_data_len, *auth_data_len, ret); + } + + DBG_RETURN(ret); +} +/* }}} */ + +static RSA * +mysqlnd_caching_sha2_get_key(MYSQLND_CONN_DATA *conn) +{ + RSA * ret = NULL; + const MYSQLND_PFC_DATA * const pfc_data = conn->protocol_frame_codec->data; + const char * fname = (pfc_data->sha256_server_public_key && pfc_data->sha256_server_public_key[0] != '\0')? + pfc_data->sha256_server_public_key: + MYSQLND_G(sha256_server_public_key); + php_stream * stream; + DBG_ENTER("mysqlnd_cached_sha2_get_key"); + DBG_INF_FMT("options_s256_pk=[%s] MYSQLND_G(sha256_server_public_key)=[%s]", + pfc_data->sha256_server_public_key? pfc_data->sha256_server_public_key:"n/a", + MYSQLND_G(sha256_server_public_key)? MYSQLND_G(sha256_server_public_key):"n/a"); + if (!fname || fname[0] == '\0') { + MYSQLND_PACKET_CACHED_SHA2_RESULT req_packet; + MYSQLND_PACKET_SHA256_PK_REQUEST_RESPONSE pk_resp_packet; + + do { + DBG_INF("requesting the public key from the server"); + conn->payload_decoder_factory->m.init_cached_sha2_result_packet(&req_packet); + conn->payload_decoder_factory->m.init_sha256_pk_request_response_packet(&pk_resp_packet); + req_packet.request = 1; + + if (! PACKET_WRITE(conn, &req_packet)) { + DBG_ERR_FMT("Error while sending public key request packet"); + php_error(E_WARNING, "Error while sending public key request packet. PID=%d", getpid()); + SET_CONNECTION_STATE(&conn->state, CONN_QUIT_SENT); + break; + } + if (FAIL == PACKET_READ(conn, &pk_resp_packet) || NULL == pk_resp_packet.public_key) { + DBG_ERR_FMT("Error while receiving public key"); + php_error(E_WARNING, "Error while receiving public key. PID=%d", getpid()); + SET_CONNECTION_STATE(&conn->state, CONN_QUIT_SENT); + break; + } + DBG_INF_FMT("Public key(%d):\n%s", pk_resp_packet.public_key_len, pk_resp_packet.public_key); + /* now extract the public key */ + { + BIO * bio = BIO_new_mem_buf(pk_resp_packet.public_key, pk_resp_packet.public_key_len); + ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL); + BIO_free(bio); + } + } while (0); + PACKET_FREE(&req_packet); + PACKET_FREE(&pk_resp_packet); + + DBG_INF_FMT("ret=%p", ret); + DBG_RETURN(ret); + + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, + "caching_sha2_server_public_key is not set for the connection or as mysqlnd.sha256_server_public_key"); + DBG_ERR("server_public_key is not set"); + DBG_RETURN(NULL); + } else { + zend_string * key_str; + DBG_INF_FMT("Key in a file. [%s]", fname); + stream = php_stream_open_wrapper((char *) fname, "rb", REPORT_ERRORS, NULL); + + if (stream) { + if ((key_str = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0)) != NULL) { + BIO * bio = BIO_new_mem_buf(ZSTR_VAL(key_str), ZSTR_LEN(key_str)); + ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL); + BIO_free(bio); + DBG_INF("Successfully loaded"); + DBG_INF_FMT("Public key:%*.s", ZSTR_LEN(key_str), ZSTR_VAL(key_str)); + zend_string_release(key_str); + } + php_stream_close(stream); + } + } + DBG_RETURN(ret); + +} + + +/* {{{ mysqlnd_caching_sha2_get_key */ +static size_t +mysqlnd_caching_sha2_get_and_use_key(MYSQLND_CONN_DATA *conn, + const zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, + unsigned char **crypted, + const char * const passwd, + const size_t passwd_len) +{ + static RSA *server_public_key; + server_public_key = mysqlnd_caching_sha2_get_key(conn); + + DBG_ENTER("mysqlnd_caching_sha2_get_and_use_key("); + + if (server_public_key) { + int server_public_key_len; + char xor_str[passwd_len + 1]; + memcpy(xor_str, passwd, passwd_len); + xor_str[passwd_len] = '\0'; + mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, auth_plugin_data_len); + + server_public_key_len = RSA_size(server_public_key); + /* + Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. + RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here: + http://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + if ((size_t) server_public_key_len - 41 <= passwd_len) { + /* password message is to long */ + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long"); + DBG_ERR("password is too long"); + DBG_RETURN(0); + } + + *crypted = emalloc(server_public_key_len); + RSA_public_encrypt(passwd_len + 1, (zend_uchar *) xor_str, *crypted, server_public_key, RSA_PKCS1_OAEP_PADDING); + DBG_RETURN(server_public_key_len); + } + DBG_RETURN(0); +} +/* }}} */ + +/* {{{ mysqlnd_native_auth_get_auth_data */ +static void +mysqlnd_caching_sha2_handle_server_response(struct st_mysqlnd_authentication_plugin *self, + MYSQLND_CONN_DATA * conn, + const zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, + const char * const passwd, + const size_t passwd_len) +{ + DBG_ENTER("mysqlnd_caching_sha2_handle_server_response"); + MYSQLND_PACKET_CACHED_SHA2_RESULT result_packet; + conn->payload_decoder_factory->m.init_cached_sha2_result_packet(&result_packet); + + if (FAIL == PACKET_READ(conn, &result_packet)) { + DBG_VOID_RETURN; + } + + switch (result_packet.response_code) { + case 3: + DBG_INF("fast path succeeded"); + DBG_VOID_RETURN; + case 4: + if (conn->vio->data->ssl || conn->unix_socket.s) { + DBG_INF("fast path failed, doing full auth via SSL"); + result_packet.password = (zend_uchar *)passwd; + result_packet.password_len = passwd_len + 1; + PACKET_WRITE(conn, &result_packet); + } else { + DBG_INF("fast path failed, doing full auth without SSL"); + result_packet.password_len = mysqlnd_caching_sha2_get_and_use_key(conn, auth_plugin_data, auth_plugin_data_len, &result_packet.password, passwd, passwd_len); + PACKET_WRITE(conn, &result_packet); + efree(result_packet.password); + } + DBG_VOID_RETURN; + case 2: + // The server tried to send a key, which we didn't expect + // fall-through + default: + php_error_docref(NULL, E_WARNING, "Unexpected server response while doing caching_sha2 auth: %i", result_packet.response_code); + } + + DBG_VOID_RETURN; +} +/* }}} */ + +static struct st_mysqlnd_authentication_plugin mysqlnd_caching_sha2_auth_plugin = +{ + { + MYSQLND_PLUGIN_API_VERSION, + "auth_plugin_caching_sha2_password", + MYSQLND_VERSION_ID, + PHP_MYSQLND_VERSION, + "PHP License 3.01", + "Johannes Schlüter <johannes.schlueter@php.net>", + { + NULL, /* no statistics , will be filled later if there are some */ + NULL, /* no statistics */ + }, + { + NULL /* plugin shutdown */ + } + }, + {/* methods */ + mysqlnd_caching_sha2_get_auth_data, + mysqlnd_caching_sha2_handle_server_response } }; #endif + /* {{{ mysqlnd_register_builtin_authentication_plugins */ void mysqlnd_register_builtin_authentication_plugins(void) @@ -832,17 +1100,8 @@ mysqlnd_register_builtin_authentication_plugins(void) mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_native_auth_plugin); mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_pam_authentication_plugin); #ifdef MYSQLND_HAVE_SSL + mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_caching_sha2_auth_plugin); mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_sha256_authentication_plugin); #endif } /* }}} */ - - -/* - * Local variables: - * tab-width: 4 - * c-basic-offset: 4 - * End: - * vim600: noet sw=4 ts=4 fdm=marker - * vim<600: noet sw=4 ts=4 - */ |