From 03ee36d1c526b402e1e5f283ee6f1631f3f61982 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Fri, 27 Dec 2019 13:27:10 +0100
Subject: Fix unix socket check during caching_sha2_password

The fact that conn->unix_socket is set does not mean that a Unix socket is actually in use -- this member is set in a default configuration. Instead check whether a unix_socket stream ops is used.
---
 ext/mysqlnd/mysqlnd_auth.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'ext/mysqlnd/mysqlnd_auth.c')
diff --git a/ext/mysqlnd/mysqlnd_auth.c b/ext/mysqlnd/mysqlnd_auth.c
index 3ceaaa457e..a1aaebd9da 100644
--- a/ext/mysqlnd/mysqlnd_auth.c
+++ b/ext/mysqlnd/mysqlnd_auth.c
@@ -1032,6 +1032,14 @@ mysqlnd_caching_sha2_get_and_use_key(MYSQLND_CONN_DATA *conn,
 }
 /* }}} */
 
+static int is_secure_transport(MYSQLND_CONN_DATA *conn) {
+ if (conn->vio->data->ssl) {
+ return 1;
+ }
+
+ return strcmp(conn->vio->data->stream->ops->label, "unix_socket") == 0;
+}
+
 /* {{{ mysqlnd_caching_sha2_handle_server_response */
 static enum_func_status
 mysqlnd_caching_sha2_handle_server_response(struct st_mysqlnd_authentication_plugin *self,
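Review bot: The new `is_secure_transport()` decides whether the password leaves the client as-is, yet it rests on a string match against `ops->label` and carries no comment saying so. If the label of the Unix-socket stream ops were ever renamed the comparison would quietly stop matching; that fails closed, but a comment should pin the coupling, e.g. `/* Trusted transports only: TLS, or a stream whose ops label is exactly "unix_socket"; the caller sends the password without further protection when this returns 1. */`. The helper also dereferences `conn->vio->data->stream->ops` unchecked; whether `stream` can be NULL at this point of the handshake is not visible here, so a guard such as `if (!conn->vio->data->stream) return 0;` would make it fail closed rather than crash.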
@@ -1063,13 +1071,13 @@ mysqlnd_caching_sha2_handle_server_response(struct st_mysqlnd_authentication_plu
 DBG_INF("fast path succeeded");
 DBG_RETURN(PASS);
 case 4:
- if (conn->vio->data->ssl || conn->unix_socket.s) {
- DBG_INF("fast path failed, doing full auth via SSL");
+ if (is_secure_transport(conn)) {
+ DBG_INF("fast path failed, doing full auth via secure transport");
 result_packet.password = (zend_uchar *)passwd;
 result_packet.password_len = passwd_len + 1;
 PACKET_WRITE(conn, &result_packet);
 } else {
- DBG_INF("fast path failed, doing full auth without SSL");
+ DBG_INF("fast path failed, doing full auth via insecure transport");
 result_packet.password_len = mysqlnd_caching_sha2_get_and_use_key(conn, auth_plugin_data, auth_plugin_data_len, &result_packet.password, passwd, passwd_len);
 PACKET_WRITE(conn, &result_packet);
 efree(result_packet.password);
-- cgit v1.2.1
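Review bot: The `case 4` branch now hands the raw `passwd` buffer to the server whenever `is_secure_transport(conn)` is true, and nothing at the call site records that consequence. A short comment above the `if` would help the next reader who widens the helper, e.g. `/* Trusted transport: password is sent as-is (NUL included); otherwise it goes through mysqlnd_caching_sha2_get_and_use_key(). */`. The diffstat shows only mysqlnd_auth.c changed, so a regression test asserting that a plain TCP connection without SSL takes the else branch appears to be missing. The enclosing function starts and ends outside this hunk.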