diff options
Diffstat (limited to 'ext/mysqlnd/mysqlnd_auth.c')
| -rw-r--r-- | ext/mysqlnd/mysqlnd_auth.c | 626 |
1 files changed, 545 insertions, 81 deletions
diff --git a/ext/mysqlnd/mysqlnd_auth.c b/ext/mysqlnd/mysqlnd_auth.c index 30ef6639ca..fa156fa0e1 100644 --- a/ext/mysqlnd/mysqlnd_auth.c +++ b/ext/mysqlnd/mysqlnd_auth.c @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 7 | +----------------------------------------------------------------------+ - | Copyright (c) 2006-2018 The PHP Group | + | Copyright (c) The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -36,7 +36,7 @@ static const char * const mysqlnd_old_passwd = "mysqlnd cannot connect to MySQL /* {{{ mysqlnd_run_authentication */ enum_func_status mysqlnd_run_authentication( - MYSQLND_CONN_DATA * conn, + MYSQLND_CONN_DATA * const conn, const char * const user, const char * const passwd, const size_t passwd_len, @@ -44,11 +44,11 @@ mysqlnd_run_authentication( const size_t db_len, const MYSQLND_STRING auth_plugin_data, const char * const auth_protocol, - unsigned int charset_no, + const unsigned int charset_no, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags, - zend_bool silent, - zend_bool is_change_user + const zend_ulong mysql_flags, + const zend_bool silent, + const zend_bool is_change_user ) { enum_func_status ret = FAIL; @@ -89,6 +89,7 @@ mysqlnd_run_authentication( } } + { zend_uchar * switch_to_auth_protocol_data = NULL; size_t switch_to_auth_protocol_data_len = 0; @@ -113,10 +114,11 @@ mysqlnd_run_authentication( DBG_INF_FMT("salt(%d)=[%.*s]", plugin_data_len, plugin_data_len, plugin_data); /* The data should be allocated with malloc() */ if (auth_plugin) { - scrambled_data = - auth_plugin->methods.get_auth_data(NULL, &scrambled_data_len, conn, user, passwd, passwd_len, - plugin_data, plugin_data_len, session_options, - conn->protocol_frame_codec->data, mysql_flags); + scrambled_data = auth_plugin->methods.get_auth_data( + NULL, &scrambled_data_len, conn, user, passwd, + passwd_len, plugin_data, plugin_data_len, + session_options, conn->protocol_frame_codec->data, + mysql_flags); } if (conn->error_info->error_no) { @@ -127,6 +129,7 @@ mysqlnd_run_authentication( charset_no, first_call, requested_protocol, + auth_plugin, plugin_data, plugin_data_len, scrambled_data, scrambled_data_len, &switch_to_auth_protocol, &switch_to_auth_protocol_len, &switch_to_auth_protocol_data, &switch_to_auth_protocol_data_len @@ -135,6 +138,7 @@ mysqlnd_run_authentication( ret = mysqlnd_auth_change_user(conn, user, strlen(user), passwd, passwd_len, db, db_len, silent, first_call, requested_protocol, + auth_plugin, plugin_data, plugin_data_len, scrambled_data, scrambled_data_len, &switch_to_auth_protocol, &switch_to_auth_protocol_len, &switch_to_auth_protocol_data, &switch_to_auth_protocol_data_len @@ -177,23 +181,23 @@ end: /* {{{ mysqlnd_switch_to_ssl_if_needed */ static enum_func_status -mysqlnd_switch_to_ssl_if_needed(MYSQLND_CONN_DATA * conn, +mysqlnd_switch_to_ssl_if_needed(MYSQLND_CONN_DATA * const conn, unsigned int charset_no, - size_t server_capabilities, + const size_t server_capabilities, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags) + const zend_ulong mysql_flags) { enum_func_status ret = FAIL; const MYSQLND_CHARSET * charset; DBG_ENTER("mysqlnd_switch_to_ssl_if_needed"); if (session_options->charset_name && (charset = mysqlnd_find_charset_name(session_options->charset_name))) { - charset_no = charset->nr; + charset_no = charset->nr; } { - size_t client_capabilities = mysql_flags; - ret = conn->run_command(COM_ENABLE_SSL, conn, client_capabilities, server_capabilities, charset_no); + const size_t client_capabilities = mysql_flags; + ret = conn->command->enable_ssl(conn, client_capabilities, server_capabilities, charset_no); } DBG_RETURN(ret); } @@ -203,18 +207,18 @@ mysqlnd_switch_to_ssl_if_needed(MYSQLND_CONN_DATA * conn, /* {{{ mysqlnd_connect_run_authentication */ enum_func_status mysqlnd_connect_run_authentication( - MYSQLND_CONN_DATA * conn, + MYSQLND_CONN_DATA * const conn, const char * const user, const char * const passwd, const char * const db, - size_t db_len, - size_t passwd_len, - MYSQLND_STRING authentication_plugin_data, + const size_t db_len, + const size_t passwd_len, + const MYSQLND_STRING authentication_plugin_data, const char * const authentication_protocol, const unsigned int charset_no, - size_t server_capabilities, + const size_t server_capabilities, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { enum_func_status ret = FAIL; @@ -240,16 +244,19 @@ mysqlnd_auth_handshake(MYSQLND_CONN_DATA * conn, const char * const db, const size_t db_len, const MYSQLND_SESSION_OPTIONS * const session_options, - zend_ulong mysql_flags, - unsigned int server_charset_no, - zend_bool use_full_blown_auth_packet, + const zend_ulong mysql_flags, + const unsigned int server_charset_no, + const zend_bool use_full_blown_auth_packet, const char * const auth_protocol, + struct st_mysqlnd_authentication_plugin * auth_plugin, + const zend_uchar * const orig_auth_plugin_data, + const size_t orig_auth_plugin_data_len, const zend_uchar * const auth_plugin_data, const size_t auth_plugin_data_len, char ** switch_to_auth_protocol, - size_t * switch_to_auth_protocol_len, + size_t * const switch_to_auth_protocol_len, zend_uchar ** switch_to_auth_protocol_data, - size_t * switch_to_auth_protocol_data_len + size_t * const switch_to_auth_protocol_data_len ) { enum_func_status ret = FAIL; @@ -313,6 +320,15 @@ mysqlnd_auth_handshake(MYSQLND_CONN_DATA * conn, PACKET_FREE(&auth_packet); } + if (auth_plugin && auth_plugin->methods.handle_server_response) { + if (FAIL == auth_plugin->methods.handle_server_response(auth_plugin, conn, + orig_auth_plugin_data, orig_auth_plugin_data_len, passwd, passwd_len, + switch_to_auth_protocol, switch_to_auth_protocol_len, + switch_to_auth_protocol_data, switch_to_auth_protocol_data_len)) { + goto end; + } + } + if (FAIL == PACKET_READ(conn, &auth_resp_packet) || auth_resp_packet.response_code >= 0xFE) { if (auth_resp_packet.response_code == 0xFE) { /* old authentication with new server !*/ @@ -360,14 +376,17 @@ mysqlnd_auth_change_user(MYSQLND_CONN_DATA * const conn, const char * const db, const size_t db_len, const zend_bool silent, - zend_bool use_full_blown_auth_packet, + const zend_bool use_full_blown_auth_packet, const char * const auth_protocol, - zend_uchar * auth_plugin_data, - size_t auth_plugin_data_len, + struct st_mysqlnd_authentication_plugin * auth_plugin, + const zend_uchar * const orig_auth_plugin_data, + const size_t orig_auth_plugin_data_len, + const zend_uchar * const auth_plugin_data, + const size_t auth_plugin_data_len, char ** switch_to_auth_protocol, - size_t * switch_to_auth_protocol_len, + size_t * const switch_to_auth_protocol_len, zend_uchar ** switch_to_auth_protocol_data, - size_t * switch_to_auth_protocol_data_len + size_t * const switch_to_auth_protocol_data_len ) { enum_func_status ret = FAIL; @@ -427,6 +446,15 @@ mysqlnd_auth_change_user(MYSQLND_CONN_DATA * const conn, PACKET_FREE(&auth_packet); } + if (auth_plugin && auth_plugin->methods.handle_server_response) { + if (FAIL == auth_plugin->methods.handle_server_response(auth_plugin, conn, + orig_auth_plugin_data, orig_auth_plugin_data_len, passwd, passwd_len, + switch_to_auth_protocol, switch_to_auth_protocol_len, + switch_to_auth_protocol_data, switch_to_auth_protocol_data_len)) { + goto end; + } + } + ret = PACKET_READ(conn, &chg_user_resp); COPY_CLIENT_ERROR(conn->error_info, chg_user_resp.error_info); @@ -551,10 +579,10 @@ static zend_uchar * mysqlnd_native_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self, size_t * auth_data_len, MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, - const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { zend_uchar * ret = NULL; @@ -599,7 +627,8 @@ static struct st_mysqlnd_authentication_plugin mysqlnd_native_auth_plugin = } }, {/* methods */ - mysqlnd_native_auth_get_auth_data + mysqlnd_native_auth_get_auth_data, + NULL } }; @@ -611,10 +640,10 @@ static zend_uchar * mysqlnd_pam_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self, size_t * auth_data_len, MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, - const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { zend_uchar * ret = NULL; @@ -648,7 +677,8 @@ static struct st_mysqlnd_authentication_plugin mysqlnd_pam_authentication_plugin } }, {/* methods */ - mysqlnd_pam_auth_get_auth_data + mysqlnd_pam_auth_get_auth_data, + NULL } }; @@ -664,20 +694,146 @@ mysqlnd_xor_string(char * dst, const size_t dst_len, const char * xor_str, const } } +#ifndef PHP_WIN32 #include <openssl/rsa.h> #include <openssl/pem.h> #include <openssl/err.h> +typedef RSA * mysqlnd_rsa_t; + +/* {{{ mysqlnd_sha256_get_rsa_from_pem */ +static mysqlnd_rsa_t +mysqlnd_sha256_get_rsa_from_pem(const char *buf, size_t len) +{ + BIO * bio = BIO_new_mem_buf(buf, len); + RSA * ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL); + BIO_free(bio); + return ret; +} +/* }}} */ + +/* {{{ mysqlnd_sha256_public_encrypt */ +static zend_uchar * +mysqlnd_sha256_public_encrypt(MYSQLND_CONN_DATA * conn, mysqlnd_rsa_t server_public_key, size_t passwd_len, size_t * auth_data_len, char *xor_str) +{ + zend_uchar * ret = NULL; + size_t server_public_key_len = (size_t) RSA_size(server_public_key); + + DBG_ENTER("mysqlnd_sha256_public_encrypt"); + /* + Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. + RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here: + http://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + if (server_public_key_len <= passwd_len + 41) { + /* password message is to long */ + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long"); + DBG_ERR("password is too long"); + DBG_RETURN(NULL); + } + + *auth_data_len = server_public_key_len; + ret = malloc(*auth_data_len); + RSA_public_encrypt(passwd_len + 1, (zend_uchar *) xor_str, ret, server_public_key, RSA_PKCS1_OAEP_PADDING); + RSA_free(server_public_key); + DBG_RETURN(ret); +} +/* }}} */ + +#else + +#include <wincrypt.h> +#include <bcrypt.h> + +typedef HANDLE mysqlnd_rsa_t; + +/* {{{ mysqlnd_sha256_get_rsa_from_pem */ +static mysqlnd_rsa_t +mysqlnd_sha256_get_rsa_from_pem(const char *buf, size_t len) +{ + BCRYPT_KEY_HANDLE ret = 0; + LPCSTR der_buf = NULL; + DWORD der_len; + CERT_PUBLIC_KEY_INFO *key_info = NULL; + DWORD key_info_len; + ALLOCA_FLAG(use_heap); + + if (!CryptStringToBinaryA(buf, len, CRYPT_STRING_BASE64HEADER, NULL, &der_len, NULL, NULL)) { + goto finish; + } + der_buf = do_alloca(der_len, use_heap); + if (!CryptStringToBinaryA(buf, len, CRYPT_STRING_BASE64HEADER, der_buf, &der_len, NULL, NULL)) { + goto finish; + } + if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, der_buf, der_len, CRYPT_ENCODE_ALLOC_FLAG, NULL, &key_info, &key_info_len)) { + goto finish; + } + if (!CryptImportPublicKeyInfoEx2(X509_ASN_ENCODING, key_info, CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG, NULL, &ret)) { + goto finish; + } + +finish: + if (key_info) { + LocalFree(key_info); + } + if (der_buf) { + free_alloca(der_buf, use_heap); + } + return (mysqlnd_rsa_t) ret; +} +/* }}} */ + +/* {{{ mysqlnd_sha256_public_encrypt */ +static zend_uchar * +mysqlnd_sha256_public_encrypt(MYSQLND_CONN_DATA * conn, mysqlnd_rsa_t server_public_key, size_t passwd_len, size_t * auth_data_len, char *xor_str) +{ + zend_uchar * ret = NULL; + DWORD server_public_key_len = passwd_len; + BCRYPT_OAEP_PADDING_INFO padding_info; + + DBG_ENTER("mysqlnd_sha256_public_encrypt"); + + ZeroMemory(&padding_info, sizeof padding_info); + padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM; + if (BCryptEncrypt((BCRYPT_KEY_HANDLE) server_public_key, xor_str, passwd_len + 1, &padding_info, + NULL, 0, NULL, 0, &server_public_key_len, BCRYPT_PAD_OAEP)) { + DBG_RETURN(0); + } + + /* + Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. + RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here: + http://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + if ((size_t) server_public_key_len <= passwd_len + 41) { + /* password message is to long */ + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long"); + DBG_ERR("password is too long"); + DBG_RETURN(0); + } + + *auth_data_len = server_public_key_len; + ret = malloc(*auth_data_len); + if (BCryptEncrypt((BCRYPT_KEY_HANDLE) server_public_key, xor_str, passwd_len + 1, &padding_info, + NULL, 0, ret, server_public_key_len, &server_public_key_len, BCRYPT_PAD_OAEP)) { + DBG_RETURN(0); + } + BCryptDestroyKey((BCRYPT_KEY_HANDLE) server_public_key); + DBG_RETURN(ret); +} +/* }}} */ + +#endif /* {{{ mysqlnd_sha256_get_rsa_key */ -static RSA * +static mysqlnd_rsa_t mysqlnd_sha256_get_rsa_key(MYSQLND_CONN_DATA * conn, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data ) { - RSA * ret = NULL; + mysqlnd_rsa_t ret = NULL; const char * fname = (pfc_data->sha256_server_public_key && pfc_data->sha256_server_public_key[0] != '\0')? pfc_data->sha256_server_public_key: MYSQLND_G(sha256_server_public_key); @@ -709,11 +865,7 @@ mysqlnd_sha256_get_rsa_key(MYSQLND_CONN_DATA * conn, } DBG_INF_FMT("Public key(%d):\n%s", pk_resp_packet.public_key_len, pk_resp_packet.public_key); /* now extract the public key */ - { - BIO * bio = BIO_new_mem_buf(pk_resp_packet.public_key, pk_resp_packet.public_key_len); - ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL); - BIO_free(bio); - } + ret = mysqlnd_sha256_get_rsa_from_pem((const char *) pk_resp_packet.public_key, pk_resp_packet.public_key_len); } while (0); PACKET_FREE(&pk_req_packet); PACKET_FREE(&pk_resp_packet); @@ -732,9 +884,7 @@ mysqlnd_sha256_get_rsa_key(MYSQLND_CONN_DATA * conn, if (stream) { if ((key_str = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0)) != NULL) { - BIO * bio = BIO_new_mem_buf(ZSTR_VAL(key_str), ZSTR_LEN(key_str)); - ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL); - BIO_free(bio); + ret = mysqlnd_sha256_get_rsa_from_pem(ZSTR_VAL(key_str), ZSTR_LEN(key_str)); DBG_INF("Successfully loaded"); DBG_INF_FMT("Public key:%*.s", ZSTR_LEN(key_str), ZSTR_VAL(key_str)); zend_string_release_ex(key_str, 0); @@ -752,13 +902,13 @@ static zend_uchar * mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self, size_t * auth_data_len, MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, - const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, const MYSQLND_SESSION_OPTIONS * const session_options, const MYSQLND_PFC_DATA * const pfc_data, - zend_ulong mysql_flags + const zend_ulong mysql_flags ) { - RSA * server_public_key; + mysqlnd_rsa_t server_public_key; zend_uchar * ret = NULL; DBG_ENTER("mysqlnd_sha256_auth_get_auth_data"); DBG_INF_FMT("salt(%d)=[%.*s]", auth_plugin_data_len, auth_plugin_data_len, auth_plugin_data); @@ -775,28 +925,13 @@ mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self server_public_key = mysqlnd_sha256_get_rsa_key(conn, session_options, pfc_data); if (server_public_key) { - int server_public_key_len; - char xor_str[passwd_len + 1]; + ALLOCA_FLAG(use_heap); + char *xor_str = do_alloca(passwd_len + 1, use_heap); memcpy(xor_str, passwd, passwd_len); xor_str[passwd_len] = '\0'; mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, auth_plugin_data_len); - - server_public_key_len = RSA_size(server_public_key); - /* - Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. - RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here: - http://www.openssl.org/docs/crypto/RSA_public_encrypt.html - */ - if ((size_t) server_public_key_len - 41 <= passwd_len) { - /* password message is to long */ - SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long"); - DBG_ERR("password is too long"); - DBG_RETURN(NULL); - } - - *auth_data_len = server_public_key_len; - ret = malloc(*auth_data_len); - RSA_public_encrypt(passwd_len + 1, (zend_uchar *) xor_str, ret, server_public_key, RSA_PKCS1_OAEP_PADDING); + ret = mysqlnd_sha256_public_encrypt(conn, server_public_key, passwd_len, auth_data_len, xor_str); + free_alloca(xor_str, use_heap); } } @@ -823,11 +958,349 @@ static struct st_mysqlnd_authentication_plugin mysqlnd_sha256_authentication_plu } }, {/* methods */ - mysqlnd_sha256_auth_get_auth_data + mysqlnd_sha256_auth_get_auth_data, + NULL } }; #endif +/*************************************** CACHING SHA2 Password *******************************/ +#ifdef MYSQLND_HAVE_SSL + +#undef L64 + +#include "ext/hash/php_hash.h" +#include "ext/hash/php_hash_sha.h" + +#define SHA256_LENGTH 32 + +/* {{{ php_mysqlnd_scramble_sha2 */ +void php_mysqlnd_scramble_sha2(zend_uchar * const buffer, const zend_uchar * const scramble, const zend_uchar * const password, const size_t password_len) +{ + PHP_SHA256_CTX context; + zend_uchar sha1[SHA256_LENGTH]; + zend_uchar sha2[SHA256_LENGTH]; + + /* Phase 1: hash password */ + PHP_SHA256Init(&context); + PHP_SHA256Update(&context, password, password_len); + PHP_SHA256Final(sha1, &context); + + /* Phase 2: hash sha1 */ + PHP_SHA256Init(&context); + PHP_SHA256Update(&context, (zend_uchar*)sha1, SHA256_LENGTH); + PHP_SHA256Final(sha2, &context); + + /* Phase 3: hash scramble + sha2 */ + PHP_SHA256Init(&context); + PHP_SHA256Update(&context, (zend_uchar*)sha2, SHA256_LENGTH); + PHP_SHA256Update(&context, scramble, SCRAMBLE_LENGTH); + PHP_SHA256Final(buffer, &context); + + /* let's crypt buffer now */ + php_mysqlnd_crypt(buffer, (const zend_uchar *)sha1, (const zend_uchar *)buffer, SHA256_LENGTH); +} +/* }}} */ + +#ifndef PHP_WIN32 + +/* {{{ mysqlnd_caching_sha2_public_encrypt */ +static size_t +mysqlnd_caching_sha2_public_encrypt(MYSQLND_CONN_DATA * conn, mysqlnd_rsa_t server_public_key, size_t passwd_len, unsigned char **crypted, char *xor_str) +{ + size_t server_public_key_len = (size_t) RSA_size(server_public_key); + + DBG_ENTER("mysqlnd_caching_sha2_public_encrypt"); + /* + Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. + RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here: + http://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + if (server_public_key_len <= passwd_len + 41) { + /* password message is to long */ + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long"); + DBG_ERR("password is too long"); + DBG_RETURN(0); + } + + *crypted = emalloc(server_public_key_len); + RSA_public_encrypt(passwd_len + 1, (zend_uchar *) xor_str, *crypted, server_public_key, RSA_PKCS1_OAEP_PADDING); + DBG_RETURN(server_public_key_len); +} +/* }}} */ + +#else + +/* {{{ mysqlnd_caching_sha2_public_encrypt */ +static size_t +mysqlnd_caching_sha2_public_encrypt(MYSQLND_CONN_DATA * conn, mysqlnd_rsa_t server_public_key, size_t passwd_len, unsigned char **crypted, char *xor_str) +{ + DWORD server_public_key_len = passwd_len; + BCRYPT_OAEP_PADDING_INFO padding_info; + + DBG_ENTER("mysqlnd_caching_sha2_public_encrypt"); + + ZeroMemory(&padding_info, sizeof padding_info); + padding_info.pszAlgId = BCRYPT_SHA1_ALGORITHM; + if (BCryptEncrypt((BCRYPT_KEY_HANDLE) server_public_key, xor_str, passwd_len + 1, &padding_info, + NULL, 0, NULL, 0, &server_public_key_len, BCRYPT_PAD_OAEP)) { + DBG_RETURN(0); + } + + /* + Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len. + RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here: + http://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + if ((size_t) server_public_key_len <= passwd_len + 41) { + /* password message is to long */ + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long"); + DBG_ERR("password is too long"); + DBG_RETURN(0); + } + + *crypted = emalloc(server_public_key_len); + if (BCryptEncrypt((BCRYPT_KEY_HANDLE) server_public_key, xor_str, passwd_len + 1, &padding_info, + NULL, 0, *crypted, server_public_key_len, &server_public_key_len, BCRYPT_PAD_OAEP)) { + DBG_RETURN(0); + } + DBG_RETURN(server_public_key_len); +} +/* }}} */ + +#endif + +/* {{{ mysqlnd_native_auth_get_auth_data */ +static zend_uchar * +mysqlnd_caching_sha2_get_auth_data(struct st_mysqlnd_authentication_plugin * self, + size_t * auth_data_len, + MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd, + const size_t passwd_len, zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, + const MYSQLND_SESSION_OPTIONS * const session_options, + const MYSQLND_PFC_DATA * const pfc_data, + const zend_ulong mysql_flags + ) +{ + zend_uchar * ret = NULL; + DBG_ENTER("mysqlnd_caching_sha2_get_auth_data"); + DBG_INF_FMT("salt(%d)=[%.*s]", auth_plugin_data_len, auth_plugin_data_len, auth_plugin_data); + *auth_data_len = 0; + + if (auth_plugin_data_len < SCRAMBLE_LENGTH) { + SET_CLIENT_ERROR(conn->error_info, CR_MALFORMED_PACKET, UNKNOWN_SQLSTATE, "The server sent wrong length for scramble"); + DBG_ERR_FMT("The server sent wrong length for scramble %u. Expected %u", auth_plugin_data_len, SCRAMBLE_LENGTH); + DBG_RETURN(NULL); + } + + DBG_INF("First auth step: send hashed password"); + /* copy scrambled pass*/ + if (passwd && passwd_len) { + ret = malloc(SHA256_LENGTH + 1); + *auth_data_len = SHA256_LENGTH; + php_mysqlnd_scramble_sha2((zend_uchar*)ret, auth_plugin_data, (zend_uchar*)passwd, passwd_len); + ret[SHA256_LENGTH] = '\0'; + DBG_INF_FMT("hash(%d)=[%.*s]", *auth_data_len, *auth_data_len, ret); + } + + DBG_RETURN(ret); +} +/* }}} */ + +static mysqlnd_rsa_t +mysqlnd_caching_sha2_get_key(MYSQLND_CONN_DATA *conn) +{ + mysqlnd_rsa_t ret = NULL; + const MYSQLND_PFC_DATA * const pfc_data = conn->protocol_frame_codec->data; + const char * fname = (pfc_data->sha256_server_public_key && pfc_data->sha256_server_public_key[0] != '\0')? + pfc_data->sha256_server_public_key: + MYSQLND_G(sha256_server_public_key); + php_stream * stream; + DBG_ENTER("mysqlnd_cached_sha2_get_key"); + DBG_INF_FMT("options_s256_pk=[%s] MYSQLND_G(sha256_server_public_key)=[%s]", + pfc_data->sha256_server_public_key? pfc_data->sha256_server_public_key:"n/a", + MYSQLND_G(sha256_server_public_key)? MYSQLND_G(sha256_server_public_key):"n/a"); + if (!fname || fname[0] == '\0') { + MYSQLND_PACKET_CACHED_SHA2_RESULT req_packet; + MYSQLND_PACKET_SHA256_PK_REQUEST_RESPONSE pk_resp_packet; + + do { + DBG_INF("requesting the public key from the server"); + conn->payload_decoder_factory->m.init_cached_sha2_result_packet(&req_packet); + conn->payload_decoder_factory->m.init_sha256_pk_request_response_packet(&pk_resp_packet); + req_packet.request = 1; + + if (! PACKET_WRITE(conn, &req_packet)) { + DBG_ERR_FMT("Error while sending public key request packet"); + php_error(E_WARNING, "Error while sending public key request packet. PID=%d", getpid()); + SET_CONNECTION_STATE(&conn->state, CONN_QUIT_SENT); + break; + } + if (FAIL == PACKET_READ(conn, &pk_resp_packet) || NULL == pk_resp_packet.public_key) { + DBG_ERR_FMT("Error while receiving public key"); + php_error(E_WARNING, "Error while receiving public key. PID=%d", getpid()); + SET_CONNECTION_STATE(&conn->state, CONN_QUIT_SENT); + break; + } + DBG_INF_FMT("Public key(%d):\n%s", pk_resp_packet.public_key_len, pk_resp_packet.public_key); + /* now extract the public key */ + ret = mysqlnd_sha256_get_rsa_from_pem((const char *) pk_resp_packet.public_key, pk_resp_packet.public_key_len); + } while (0); + PACKET_FREE(&req_packet); + PACKET_FREE(&pk_resp_packet); + + DBG_INF_FMT("ret=%p", ret); + DBG_RETURN(ret); + + SET_CLIENT_ERROR(conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, + "caching_sha2_server_public_key is not set for the connection or as mysqlnd.sha256_server_public_key"); + DBG_ERR("server_public_key is not set"); + DBG_RETURN(NULL); + } else { + zend_string * key_str; + DBG_INF_FMT("Key in a file. [%s]", fname); + stream = php_stream_open_wrapper((char *) fname, "rb", REPORT_ERRORS, NULL); + + if (stream) { + if ((key_str = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0)) != NULL) { + ret = mysqlnd_sha256_get_rsa_from_pem(ZSTR_VAL(key_str), ZSTR_LEN(key_str)); + DBG_INF("Successfully loaded"); + DBG_INF_FMT("Public key:%*.s", ZSTR_LEN(key_str), ZSTR_VAL(key_str)); + zend_string_release(key_str); + } + php_stream_close(stream); + } + } + DBG_RETURN(ret); + +} + + +/* {{{ mysqlnd_caching_sha2_get_and_use_key */ +static size_t +mysqlnd_caching_sha2_get_and_use_key(MYSQLND_CONN_DATA *conn, + const zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, + unsigned char **crypted, + const char * const passwd, + const size_t passwd_len) +{ + mysqlnd_rsa_t server_public_key = mysqlnd_caching_sha2_get_key(conn); + + DBG_ENTER("mysqlnd_caching_sha2_get_and_use_key("); + + if (server_public_key) { + int server_public_key_len; + ALLOCA_FLAG(use_heap) + char *xor_str = do_alloca(passwd_len + 1, use_heap); + memcpy(xor_str, passwd, passwd_len); + xor_str[passwd_len] = '\0'; + mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, SCRAMBLE_LENGTH); + server_public_key_len = mysqlnd_caching_sha2_public_encrypt(conn, server_public_key, passwd_len, crypted, xor_str); + free_alloca(xor_str, use_heap); + DBG_RETURN(server_public_key_len); + } + DBG_RETURN(0); +} +/* }}} */ + +static int is_secure_transport(MYSQLND_CONN_DATA *conn) { + if (conn->vio->data->ssl) { + return 1; + } + + return strcmp(conn->vio->data->stream->ops->label, "unix_socket") == 0; +} + +/* {{{ mysqlnd_caching_sha2_handle_server_response */ +static enum_func_status +mysqlnd_caching_sha2_handle_server_response(struct st_mysqlnd_authentication_plugin *self, + MYSQLND_CONN_DATA * conn, + const zend_uchar * auth_plugin_data, const size_t auth_plugin_data_len, + const char * const passwd, + const size_t passwd_len, + char **new_auth_protocol, size_t *new_auth_protocol_len, + zend_uchar **new_auth_protocol_data, size_t *new_auth_protocol_data_len + ) +{ + DBG_ENTER("mysqlnd_caching_sha2_handle_server_response"); + MYSQLND_PACKET_CACHED_SHA2_RESULT result_packet; + + if (passwd_len == 0) { + DBG_INF("empty password fast path"); + DBG_RETURN(PASS); + } + + conn->payload_decoder_factory->m.init_cached_sha2_result_packet(&result_packet); + if (FAIL == PACKET_READ(conn, &result_packet)) { + DBG_RETURN(PASS); + } + + switch (result_packet.response_code) { + case 0xFF: + if (result_packet.sqlstate[0]) { + strlcpy(conn->error_info->sqlstate, result_packet.sqlstate, sizeof(conn->error_info->sqlstate)); + DBG_ERR_FMT("ERROR:%u [SQLSTATE:%s] %s", result_packet.error_no, result_packet.sqlstate, result_packet.error); + } + SET_CLIENT_ERROR(conn->error_info, result_packet.error_no, UNKNOWN_SQLSTATE, result_packet.error); + DBG_RETURN(FAIL); + case 0xFE: + DBG_INF("auth switch response"); + *new_auth_protocol = result_packet.new_auth_protocol; + *new_auth_protocol_len = result_packet.new_auth_protocol_len; + *new_auth_protocol_data = result_packet.new_auth_protocol_data; + *new_auth_protocol_data_len = result_packet.new_auth_protocol_data_len; + DBG_RETURN(FAIL); + case 3: + DBG_INF("fast path succeeded"); + DBG_RETURN(PASS); + case 4: + if (is_secure_transport(conn)) { + DBG_INF("fast path failed, doing full auth via secure transport"); + result_packet.password = (zend_uchar *)passwd; + result_packet.password_len = passwd_len + 1; + PACKET_WRITE(conn, &result_packet); + } else { + DBG_INF("fast path failed, doing full auth via insecure transport"); + result_packet.password_len = mysqlnd_caching_sha2_get_and_use_key(conn, auth_plugin_data, auth_plugin_data_len, &result_packet.password, passwd, passwd_len); + PACKET_WRITE(conn, &result_packet); + efree(result_packet.password); + } + DBG_RETURN(PASS); + case 2: + // The server tried to send a key, which we didn't expect + // fall-through + default: + php_error_docref(NULL, E_WARNING, "Unexpected server response while doing caching_sha2 auth: %i", result_packet.response_code); + } + + DBG_RETURN(PASS); +} +/* }}} */ + +static struct st_mysqlnd_authentication_plugin mysqlnd_caching_sha2_auth_plugin = +{ + { + MYSQLND_PLUGIN_API_VERSION, + "auth_plugin_caching_sha2_password", + MYSQLND_VERSION_ID, + PHP_MYSQLND_VERSION, + "PHP License 3.01", + "Johannes Schlüter <johannes.schlueter@php.net>", + { + NULL, /* no statistics , will be filled later if there are some */ + NULL, /* no statistics */ + }, + { + NULL /* plugin shutdown */ + } + }, + {/* methods */ + mysqlnd_caching_sha2_get_auth_data, + mysqlnd_caching_sha2_handle_server_response + } +}; +#endif + + /* {{{ mysqlnd_register_builtin_authentication_plugins */ void mysqlnd_register_builtin_authentication_plugins(void) @@ -835,17 +1308,8 @@ mysqlnd_register_builtin_authentication_plugins(void) mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_native_auth_plugin); mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_pam_authentication_plugin); #ifdef MYSQLND_HAVE_SSL + mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_caching_sha2_auth_plugin); mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_sha256_authentication_plugin); #endif } /* }}} */ - - -/* - * Local variables: - * tab-width: 4 - * c-basic-offset: 4 - * End: - * vim600: noet sw=4 ts=4 fdm=marker - * vim<600: noet sw=4 ts=4 - */ |