xref: /PHP-5.6/ext/mysqlnd/mysqlnd_auth.c (revision 49493a2d)
1 /*
2   +----------------------------------------------------------------------+
3   | PHP Version 5                                                        |
4   +----------------------------------------------------------------------+
5   | Copyright (c) 2006-2016 The PHP Group                                |
6   +----------------------------------------------------------------------+
7   | This source file is subject to version 3.01 of the PHP license,      |
8   | that is bundled with this package in the file LICENSE, and is        |
9   | available through the world-wide-web at the following url:           |
10   | http://www.php.net/license/3_01.txt                                  |
11   | If you did not receive a copy of the PHP license and are unable to   |
12   | obtain it through the world-wide-web, please send a note to          |
13   | license@php.net so we can mail you a copy immediately.               |
14   +----------------------------------------------------------------------+
15   | Authors: Georg Richter <georg@mysql.com>                             |
16   |          Andrey Hristov <andrey@mysql.com>                           |
17   |          Ulf Wendel <uwendel@mysql.com>                              |
18   +----------------------------------------------------------------------+
19 */
20 
21 /* $Id: mysqlnd.c 307377 2011-01-11 13:02:57Z andrey $ */
22 #include "php.h"
23 #include "mysqlnd.h"
24 #include "mysqlnd_structs.h"
25 #include "mysqlnd_wireprotocol.h"
26 #include "mysqlnd_priv.h"
27 #include "mysqlnd_result.h"
28 #include "mysqlnd_charset.h"
29 #include "mysqlnd_debug.h"
30 
31 /* {{{ mysqlnd_auth_handshake */
32 enum_func_status
mysqlnd_auth_handshake(MYSQLND_CONN_DATA * conn,const char * const user,const char * const passwd,const size_t passwd_len,const char * const db,const size_t db_len,const MYSQLND_OPTIONS * const options,unsigned long mysql_flags,unsigned int server_charset_no,zend_bool use_full_blown_auth_packet,const char * const auth_protocol,const zend_uchar * const auth_plugin_data,const size_t auth_plugin_data_len,char ** switch_to_auth_protocol,size_t * switch_to_auth_protocol_len,zend_uchar ** switch_to_auth_protocol_data,size_t * switch_to_auth_protocol_data_len TSRMLS_DC)33 mysqlnd_auth_handshake(MYSQLND_CONN_DATA * conn,
34 							  const char * const user,
35 							  const char * const passwd,
36 							  const size_t passwd_len,
37 							  const char * const db,
38 							  const size_t db_len,
39 							  const MYSQLND_OPTIONS * const options,
40 							  unsigned long mysql_flags,
41 							  unsigned int server_charset_no,
42 							  zend_bool use_full_blown_auth_packet,
43 							  const char * const auth_protocol,
44 							  const zend_uchar * const auth_plugin_data,
45 							  const size_t auth_plugin_data_len,
46 							  char ** switch_to_auth_protocol,
47 							  size_t * switch_to_auth_protocol_len,
48 							  zend_uchar ** switch_to_auth_protocol_data,
49 							  size_t * switch_to_auth_protocol_data_len
50 							  TSRMLS_DC)
51 {
52 	enum_func_status ret = FAIL;
53 	const MYSQLND_CHARSET * charset = NULL;
54 	MYSQLND_PACKET_CHANGE_AUTH_RESPONSE * change_auth_resp_packet = NULL;
55 	MYSQLND_PACKET_AUTH_RESPONSE * auth_resp_packet = NULL;
56 	MYSQLND_PACKET_AUTH * auth_packet = NULL;
57 
58 	DBG_ENTER("mysqlnd_auth_handshake");
59 
60 	auth_resp_packet = conn->protocol->m.get_auth_response_packet(conn->protocol, FALSE TSRMLS_CC);
61 
62 	if (!auth_resp_packet) {
63 		SET_OOM_ERROR(*conn->error_info);
64 		goto end;
65 	}
66 
67 	if (use_full_blown_auth_packet != TRUE) {
68 		change_auth_resp_packet = conn->protocol->m.get_change_auth_response_packet(conn->protocol, FALSE TSRMLS_CC);
69 		if (!change_auth_resp_packet) {
70 			SET_OOM_ERROR(*conn->error_info);
71 			goto end;
72 		}
73 
74 		change_auth_resp_packet->auth_data = auth_plugin_data;
75 		change_auth_resp_packet->auth_data_len = auth_plugin_data_len;
76 
77 		if (!PACKET_WRITE(change_auth_resp_packet, conn)) {
78 			CONN_SET_STATE(conn, CONN_QUIT_SENT);
79 			SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone);
80 			goto end;
81 		}
82 	} else {
83 		auth_packet = conn->protocol->m.get_auth_packet(conn->protocol, FALSE TSRMLS_CC);
84 
85 		auth_packet->client_flags = mysql_flags;
86 		auth_packet->max_packet_size = options->max_allowed_packet;
87 		if (options->charset_name && (charset = mysqlnd_find_charset_name(options->charset_name))) {
88 			auth_packet->charset_no	= charset->nr;
89 		} else {
90 			auth_packet->charset_no	= server_charset_no;
91 		}
92 
93 		auth_packet->send_auth_data = TRUE;
94 		auth_packet->user		= user;
95 		auth_packet->db			= db;
96 		auth_packet->db_len		= db_len;
97 
98 		auth_packet->auth_data = auth_plugin_data;
99 		auth_packet->auth_data_len = auth_plugin_data_len;
100 		auth_packet->auth_plugin_name = auth_protocol;
101 
102 		if (conn->server_capabilities & CLIENT_CONNECT_ATTRS) {
103 			auth_packet->connect_attr = conn->options->connect_attr;
104 		}
105 
106 		if (!PACKET_WRITE(auth_packet, conn)) {
107 			goto end;
108 		}
109 	}
110 	if (use_full_blown_auth_packet == TRUE) {
111 		conn->charset = mysqlnd_find_charset_nr(auth_packet->charset_no);
112 	}
113 
114 	if (FAIL == PACKET_READ(auth_resp_packet, conn) || auth_resp_packet->response_code >= 0xFE) {
115 		if (auth_resp_packet->response_code == 0xFE) {
116 			/* old authentication with new server  !*/
117 			if (!auth_resp_packet->new_auth_protocol) {
118 				DBG_ERR(mysqlnd_old_passwd);
119 				SET_CLIENT_ERROR(*conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, mysqlnd_old_passwd);
120 			} else {
121 				*switch_to_auth_protocol = mnd_pestrndup(auth_resp_packet->new_auth_protocol, auth_resp_packet->new_auth_protocol_len, FALSE);
122 				*switch_to_auth_protocol_len = auth_resp_packet->new_auth_protocol_len;
123 				if (auth_resp_packet->new_auth_protocol_data) {
124 					*switch_to_auth_protocol_data_len = auth_resp_packet->new_auth_protocol_data_len;
125 					*switch_to_auth_protocol_data = mnd_emalloc(*switch_to_auth_protocol_data_len);
126 					memcpy(*switch_to_auth_protocol_data, auth_resp_packet->new_auth_protocol_data, *switch_to_auth_protocol_data_len);
127 				} else {
128 					*switch_to_auth_protocol_data = NULL;
129 					*switch_to_auth_protocol_data_len = 0;
130 				}
131 			}
132 		} else if (auth_resp_packet->response_code == 0xFF) {
133 			if (auth_resp_packet->sqlstate[0]) {
134 				strlcpy(conn->error_info->sqlstate, auth_resp_packet->sqlstate, sizeof(conn->error_info->sqlstate));
135 				DBG_ERR_FMT("ERROR:%u [SQLSTATE:%s] %s", auth_resp_packet->error_no, auth_resp_packet->sqlstate, auth_resp_packet->error);
136 			}
137 			SET_CLIENT_ERROR(*conn->error_info, auth_resp_packet->error_no, UNKNOWN_SQLSTATE, auth_resp_packet->error);
138 		}
139 		goto end;
140 	}
141 
142 	SET_NEW_MESSAGE(conn->last_message, conn->last_message_len, auth_resp_packet->message, auth_resp_packet->message_len, conn->persistent);
143 	ret = PASS;
144 end:
145 	PACKET_FREE(change_auth_resp_packet);
146 	PACKET_FREE(auth_packet);
147 	PACKET_FREE(auth_resp_packet);
148 	DBG_RETURN(ret);
149 }
150 /* }}} */
151 
152 
153 /* {{{ mysqlnd_auth_change_user */
154 enum_func_status
mysqlnd_auth_change_user(MYSQLND_CONN_DATA * const conn,const char * const user,const size_t user_len,const char * const passwd,const size_t passwd_len,const char * const db,const size_t db_len,const zend_bool silent,zend_bool use_full_blown_auth_packet,const char * const auth_protocol,zend_uchar * auth_plugin_data,size_t auth_plugin_data_len,char ** switch_to_auth_protocol,size_t * switch_to_auth_protocol_len,zend_uchar ** switch_to_auth_protocol_data,size_t * switch_to_auth_protocol_data_len TSRMLS_DC)155 mysqlnd_auth_change_user(MYSQLND_CONN_DATA * const conn,
156 								const char * const user,
157 								const size_t user_len,
158 								const char * const passwd,
159 								const size_t passwd_len,
160 								const char * const db,
161 								const size_t db_len,
162 								const zend_bool silent,
163 								zend_bool use_full_blown_auth_packet,
164 								const char * const auth_protocol,
165 								zend_uchar * auth_plugin_data,
166 								size_t auth_plugin_data_len,
167 								char ** switch_to_auth_protocol,
168 								size_t * switch_to_auth_protocol_len,
169 								zend_uchar ** switch_to_auth_protocol_data,
170 								size_t * switch_to_auth_protocol_data_len
171 								TSRMLS_DC)
172 {
173 	enum_func_status ret = FAIL;
174 	const MYSQLND_CHARSET * old_cs = conn->charset;
175 	MYSQLND_PACKET_CHANGE_AUTH_RESPONSE * change_auth_resp_packet = NULL;
176 	MYSQLND_PACKET_CHG_USER_RESPONSE * chg_user_resp = NULL;
177 	MYSQLND_PACKET_AUTH * auth_packet = NULL;
178 
179 	DBG_ENTER("mysqlnd_auth_change_user");
180 
181 	chg_user_resp = conn->protocol->m.get_change_user_response_packet(conn->protocol, FALSE TSRMLS_CC);
182 
183 	if (!chg_user_resp) {
184 		SET_OOM_ERROR(*conn->error_info);
185 		goto end;
186 	}
187 
188 	if (use_full_blown_auth_packet != TRUE) {
189 		change_auth_resp_packet = conn->protocol->m.get_change_auth_response_packet(conn->protocol, FALSE TSRMLS_CC);
190 		if (!change_auth_resp_packet) {
191 			SET_OOM_ERROR(*conn->error_info);
192 			goto end;
193 		}
194 
195 		change_auth_resp_packet->auth_data = auth_plugin_data;
196 		change_auth_resp_packet->auth_data_len = auth_plugin_data_len;
197 
198 		if (!PACKET_WRITE(change_auth_resp_packet, conn)) {
199 			CONN_SET_STATE(conn, CONN_QUIT_SENT);
200 			SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone);
201 			goto end;
202 		}
203 	} else {
204 		auth_packet = conn->protocol->m.get_auth_packet(conn->protocol, FALSE TSRMLS_CC);
205 
206 		if (!auth_packet) {
207 			SET_OOM_ERROR(*conn->error_info);
208 			goto end;
209 		}
210 
211 		auth_packet->is_change_user_packet = TRUE;
212 		auth_packet->user		= user;
213 		auth_packet->db			= db;
214 		auth_packet->db_len		= db_len;
215 		auth_packet->silent		= silent;
216 
217 		auth_packet->auth_data = auth_plugin_data;
218 		auth_packet->auth_data_len = auth_plugin_data_len;
219 		auth_packet->auth_plugin_name = auth_protocol;
220 
221 
222 		if (conn->m->get_server_version(conn TSRMLS_CC) >= 50123) {
223 			auth_packet->charset_no	= conn->charset->nr;
224 		}
225 
226 		if (!PACKET_WRITE(auth_packet, conn)) {
227 			CONN_SET_STATE(conn, CONN_QUIT_SENT);
228 				SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone);
229 			goto end;
230 		}
231 	}
232 
233 	ret = PACKET_READ(chg_user_resp, conn);
234 	COPY_CLIENT_ERROR(*conn->error_info, chg_user_resp->error_info);
235 
236 	if (0xFE == chg_user_resp->response_code) {
237 		ret = FAIL;
238 		if (!chg_user_resp->new_auth_protocol) {
239 			DBG_ERR(mysqlnd_old_passwd);
240 			SET_CLIENT_ERROR(*conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, mysqlnd_old_passwd);
241 		} else {
242 			*switch_to_auth_protocol = mnd_pestrndup(chg_user_resp->new_auth_protocol, chg_user_resp->new_auth_protocol_len, FALSE);
243 			*switch_to_auth_protocol_len = chg_user_resp->new_auth_protocol_len;
244 			if (chg_user_resp->new_auth_protocol_data) {
245 				*switch_to_auth_protocol_data_len = chg_user_resp->new_auth_protocol_data_len;
246 				*switch_to_auth_protocol_data = mnd_emalloc(*switch_to_auth_protocol_data_len);
247 				memcpy(*switch_to_auth_protocol_data, chg_user_resp->new_auth_protocol_data, *switch_to_auth_protocol_data_len);
248 			} else {
249 				*switch_to_auth_protocol_data = NULL;
250 				*switch_to_auth_protocol_data_len = 0;
251 			}
252 		}
253 	}
254 
255 	if (conn->error_info->error_no) {
256 		ret = FAIL;
257 		/*
258 		  COM_CHANGE_USER is broken in 5.1. At least in 5.1.15 and 5.1.14, 5.1.11 is immune.
259 		  bug#25371 mysql_change_user() triggers "packets out of sync"
260 		  When it gets fixed, there should be one more check here
261 		*/
262 		if (conn->m->get_server_version(conn TSRMLS_CC) > 50113L &&conn->m->get_server_version(conn TSRMLS_CC) < 50118L) {
263 			MYSQLND_PACKET_OK * redundant_error_packet = conn->protocol->m.get_ok_packet(conn->protocol, FALSE TSRMLS_CC);
264 			if (redundant_error_packet) {
265 				PACKET_READ(redundant_error_packet, conn);
266 				PACKET_FREE(redundant_error_packet);
267 				DBG_INF_FMT("Server is %u, buggy, sends two ERR messages", conn->m->get_server_version(conn TSRMLS_CC));
268 			} else {
269 				SET_OOM_ERROR(*conn->error_info);
270 			}
271 		}
272 	}
273 	if (ret == PASS) {
274 		char * tmp = NULL;
275 		/* if we get conn->user as parameter and then we first free it, then estrndup it, we will crash */
276 		tmp = mnd_pestrndup(user, user_len, conn->persistent);
277 		if (conn->user) {
278 			mnd_pefree(conn->user, conn->persistent);
279 		}
280 		conn->user = tmp;
281 
282 		tmp = mnd_pestrdup(passwd, conn->persistent);
283 		if (conn->passwd) {
284 			mnd_pefree(conn->passwd, conn->persistent);
285 		}
286 		conn->passwd = tmp;
287 
288 		if (conn->last_message) {
289 			mnd_pefree(conn->last_message, conn->persistent);
290 			conn->last_message = NULL;
291 		}
292 		memset(conn->upsert_status, 0, sizeof(*conn->upsert_status));
293 		/* set charset for old servers */
294 		if (conn->m->get_server_version(conn TSRMLS_CC) < 50123) {
295 			ret = conn->m->set_charset(conn, old_cs->name TSRMLS_CC);
296 		}
297 	} else if (ret == FAIL && chg_user_resp->server_asked_323_auth == TRUE) {
298 		/* old authentication with new server  !*/
299 		DBG_ERR(mysqlnd_old_passwd);
300 		SET_CLIENT_ERROR(*conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, mysqlnd_old_passwd);
301 	}
302 end:
303 	PACKET_FREE(change_auth_resp_packet);
304 	PACKET_FREE(auth_packet);
305 	PACKET_FREE(chg_user_resp);
306 	DBG_RETURN(ret);
307 }
308 /* }}} */
309 
310 
311 /******************************************* MySQL Native Password ***********************************/
312 
313 #include "ext/standard/sha1.h"
314 
315 /* {{{ php_mysqlnd_crypt */
316 static void
php_mysqlnd_crypt(zend_uchar * buffer,const zend_uchar * s1,const zend_uchar * s2,size_t len)317 php_mysqlnd_crypt(zend_uchar *buffer, const zend_uchar *s1, const zend_uchar *s2, size_t len)
318 {
319 	const zend_uchar *s1_end = s1 + len;
320 	while (s1 < s1_end) {
321 		*buffer++= *s1++ ^ *s2++;
322 	}
323 }
324 /* }}} */
325 
326 
327 /* {{{ php_mysqlnd_scramble */
php_mysqlnd_scramble(zend_uchar * const buffer,const zend_uchar * const scramble,const zend_uchar * const password,size_t password_len)328 void php_mysqlnd_scramble(zend_uchar * const buffer, const zend_uchar * const scramble, const zend_uchar * const password, size_t password_len)
329 {
330 	PHP_SHA1_CTX context;
331 	zend_uchar sha1[SHA1_MAX_LENGTH];
332 	zend_uchar sha2[SHA1_MAX_LENGTH];
333 
334 	/* Phase 1: hash password */
335 	PHP_SHA1Init(&context);
336 	PHP_SHA1Update(&context, password, password_len);
337 	PHP_SHA1Final(sha1, &context);
338 
339 	/* Phase 2: hash sha1 */
340 	PHP_SHA1Init(&context);
341 	PHP_SHA1Update(&context, (zend_uchar*)sha1, SHA1_MAX_LENGTH);
342 	PHP_SHA1Final(sha2, &context);
343 
344 	/* Phase 3: hash scramble + sha2 */
345 	PHP_SHA1Init(&context);
346 	PHP_SHA1Update(&context, scramble, SCRAMBLE_LENGTH);
347 	PHP_SHA1Update(&context, (zend_uchar*)sha2, SHA1_MAX_LENGTH);
348 	PHP_SHA1Final(buffer, &context);
349 
350 	/* let's crypt buffer now */
351 	php_mysqlnd_crypt(buffer, (const zend_uchar *)buffer, (const zend_uchar *)sha1, SHA1_MAX_LENGTH);
352 }
353 /* }}} */
354 
355 
356 /* {{{ mysqlnd_native_auth_get_auth_data */
357 static zend_uchar *
mysqlnd_native_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self,size_t * auth_data_len,MYSQLND_CONN_DATA * conn,const char * const user,const char * const passwd,const size_t passwd_len,zend_uchar * auth_plugin_data,size_t auth_plugin_data_len,const MYSQLND_OPTIONS * const options,const MYSQLND_NET_OPTIONS * const net_options,unsigned long mysql_flags TSRMLS_DC)358 mysqlnd_native_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self,
359 								  size_t * auth_data_len,
360 								  MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd,
361 								  const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len,
362 								  const MYSQLND_OPTIONS * const options,
363 								  const MYSQLND_NET_OPTIONS * const net_options,
364 								  unsigned long mysql_flags
365 								  TSRMLS_DC)
366 {
367 	zend_uchar * ret = NULL;
368 	DBG_ENTER("mysqlnd_native_auth_get_auth_data");
369 	*auth_data_len = 0;
370 
371 	/* 5.5.x reports 21 as scramble length because it needs to show the length of the data before the plugin name */
372 	if (auth_plugin_data_len < SCRAMBLE_LENGTH) {
373 		/* mysql_native_password only works with SCRAMBLE_LENGTH scramble */
374 		SET_CLIENT_ERROR(*conn->error_info, CR_MALFORMED_PACKET, UNKNOWN_SQLSTATE, "The server sent wrong length for scramble");
375 		DBG_ERR_FMT("The server sent wrong length for scramble %u. Expected %u", auth_plugin_data_len, SCRAMBLE_LENGTH);
376 		DBG_RETURN(NULL);
377 	}
378 
379 	/* copy scrambled pass*/
380 	if (passwd && passwd_len) {
381 		ret = malloc(SCRAMBLE_LENGTH);
382 		*auth_data_len = SCRAMBLE_LENGTH;
383 		/* In 4.1 we use CLIENT_SECURE_CONNECTION and thus the len of the buf should be passed */
384 		php_mysqlnd_scramble((zend_uchar*)ret, auth_plugin_data, (zend_uchar*)passwd, passwd_len);
385 	}
386 	DBG_RETURN(ret);
387 }
388 /* }}} */
389 
390 
391 static struct st_mysqlnd_authentication_plugin mysqlnd_native_auth_plugin =
392 {
393 	{
394 		MYSQLND_PLUGIN_API_VERSION,
395 		"auth_plugin_mysql_native_password",
396 		MYSQLND_VERSION_ID,
397 		MYSQLND_VERSION,
398 		"PHP License 3.01",
399 		"Andrey Hristov <andrey@mysql.com>,  Ulf Wendel <uwendel@mysql.com>, Georg Richter <georg@mysql.com>",
400 		{
401 			NULL, /* no statistics , will be filled later if there are some */
402 			NULL, /* no statistics */
403 		},
404 		{
405 			NULL /* plugin shutdown */
406 		}
407 	},
408 	{/* methods */
409 		mysqlnd_native_auth_get_auth_data
410 	}
411 };
412 
413 
414 /******************************************* PAM Authentication ***********************************/
415 
416 /* {{{ mysqlnd_pam_auth_get_auth_data */
417 static zend_uchar *
mysqlnd_pam_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self,size_t * auth_data_len,MYSQLND_CONN_DATA * conn,const char * const user,const char * const passwd,const size_t passwd_len,zend_uchar * auth_plugin_data,size_t auth_plugin_data_len,const MYSQLND_OPTIONS * const options,const MYSQLND_NET_OPTIONS * const net_options,unsigned long mysql_flags TSRMLS_DC)418 mysqlnd_pam_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self,
419 							   size_t * auth_data_len,
420 							   MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd,
421 							   const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len,
422 							   const MYSQLND_OPTIONS * const options,
423 							   const MYSQLND_NET_OPTIONS * const net_options,
424 							   unsigned long mysql_flags
425 							   TSRMLS_DC)
426 {
427 	zend_uchar * ret = NULL;
428 
429 	/* copy pass*/
430 	if (passwd && passwd_len) {
431 		ret = (zend_uchar*) zend_strndup(passwd, passwd_len);
432 	}
433 	*auth_data_len = passwd_len;
434 
435 	return ret;
436 }
437 /* }}} */
438 
439 
440 static struct st_mysqlnd_authentication_plugin mysqlnd_pam_authentication_plugin =
441 {
442 	{
443 		MYSQLND_PLUGIN_API_VERSION,
444 		"auth_plugin_mysql_clear_password",
445 		MYSQLND_VERSION_ID,
446 		MYSQLND_VERSION,
447 		"PHP License 3.01",
448 		"Andrey Hristov <andrey@php.net>,  Ulf Wendel <uw@php.net>, Georg Richter <georg@php.net>",
449 		{
450 			NULL, /* no statistics , will be filled later if there are some */
451 			NULL, /* no statistics */
452 		},
453 		{
454 			NULL /* plugin shutdown */
455 		}
456 	},
457 	{/* methods */
458 		mysqlnd_pam_auth_get_auth_data
459 	}
460 };
461 
462 
463 /******************************************* SHA256 Password ***********************************/
464 #ifdef MYSQLND_HAVE_SSL
465 static void
mysqlnd_xor_string(char * dst,const size_t dst_len,const char * xor_str,const size_t xor_str_len)466 mysqlnd_xor_string(char * dst, const size_t dst_len, const char * xor_str, const size_t xor_str_len)
467 {
468 	unsigned int i;
469 	for (i = 0; i <= dst_len; ++i) {
470 		dst[i] ^= xor_str[i % xor_str_len];
471 	}
472 }
473 
474 
475 #include <openssl/rsa.h>
476 #include <openssl/pem.h>
477 #include <openssl/err.h>
478 
479 
480 /* {{{ mysqlnd_sha256_get_rsa_key */
481 static RSA *
mysqlnd_sha256_get_rsa_key(MYSQLND_CONN_DATA * conn,const MYSQLND_OPTIONS * const options,const MYSQLND_NET_OPTIONS * const net_options TSRMLS_DC)482 mysqlnd_sha256_get_rsa_key(MYSQLND_CONN_DATA * conn,
483 						   const MYSQLND_OPTIONS * const options,
484 						   const MYSQLND_NET_OPTIONS * const net_options
485 						   TSRMLS_DC)
486 {
487 	RSA * ret = NULL;
488 	int len;
489 	const char * fname = (net_options->sha256_server_public_key && net_options->sha256_server_public_key[0] != '\0')?
490 								net_options->sha256_server_public_key:
491 								MYSQLND_G(sha256_server_public_key);
492 	php_stream * stream;
493 	DBG_ENTER("mysqlnd_sha256_get_rsa_key");
494 	DBG_INF_FMT("options_s256_pk=[%s] MYSQLND_G(sha256_server_public_key)=[%s]",
495 				 net_options->sha256_server_public_key? net_options->sha256_server_public_key:"n/a",
496 				 MYSQLND_G(sha256_server_public_key)? MYSQLND_G(sha256_server_public_key):"n/a");
497 	if (!fname || fname[0] == '\0') {
498 		MYSQLND_PACKET_SHA256_PK_REQUEST * pk_req_packet = NULL;
499 		MYSQLND_PACKET_SHA256_PK_REQUEST_RESPONSE * pk_resp_packet = NULL;
500 
501 		do {
502 			DBG_INF("requesting the public key from the server");
503 			pk_req_packet = conn->protocol->m.get_sha256_pk_request_packet(conn->protocol, FALSE TSRMLS_CC);
504 			if (!pk_req_packet) {
505 				SET_OOM_ERROR(*conn->error_info);
506 				break;
507 			}
508 			pk_resp_packet = conn->protocol->m.get_sha256_pk_request_response_packet(conn->protocol, FALSE TSRMLS_CC);
509 			if (!pk_resp_packet) {
510 				SET_OOM_ERROR(*conn->error_info);
511 				PACKET_FREE(pk_req_packet);
512 				break;
513 			}
514 
515 			if (! PACKET_WRITE(pk_req_packet, conn)) {
516 				DBG_ERR_FMT("Error while sending public key request packet");
517 				php_error(E_WARNING, "Error while sending public key request packet. PID=%d", getpid());
518 				CONN_SET_STATE(conn, CONN_QUIT_SENT);
519 				break;
520 			}
521 			if (FAIL == PACKET_READ(pk_resp_packet, conn) || NULL == pk_resp_packet->public_key) {
522 				DBG_ERR_FMT("Error while receiving public key");
523 				php_error(E_WARNING, "Error while receiving public key. PID=%d", getpid());
524 				CONN_SET_STATE(conn, CONN_QUIT_SENT);
525 				break;
526 			}
527 			DBG_INF_FMT("Public key(%d):\n%s", pk_resp_packet->public_key_len, pk_resp_packet->public_key);
528 			/* now extract the public key */
529 			{
530 				BIO * bio = BIO_new_mem_buf(pk_resp_packet->public_key, pk_resp_packet->public_key_len);
531 				ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
532 				BIO_free(bio);
533 			}
534 		} while (0);
535 		PACKET_FREE(pk_req_packet);
536 		PACKET_FREE(pk_resp_packet);
537 
538 		DBG_INF_FMT("ret=%p", ret);
539 		DBG_RETURN(ret);
540 
541 		SET_CLIENT_ERROR(*conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE,
542 			"sha256_server_public_key is not set for the connection or as mysqlnd.sha256_server_public_key");
543 		DBG_ERR("server_public_key is not set");
544 		DBG_RETURN(NULL);
545 	} else {
546 		char * key_str = NULL;
547 		DBG_INF_FMT("Key in a file. [%s]", fname);
548 		stream = php_stream_open_wrapper((char *) fname, "rb", REPORT_ERRORS, NULL);
549 
550 		if (stream) {
551 			if ((len = php_stream_copy_to_mem(stream, &key_str, PHP_STREAM_COPY_ALL, 0)) >= 0 ) {
552 				BIO * bio = BIO_new_mem_buf(key_str, len);
553 				ret = PEM_read_bio_RSA_PUBKEY(bio, NULL, NULL, NULL);
554 				BIO_free(bio);
555 				DBG_INF("Successfully loaded");
556 			}
557 			if (key_str) {
558 				DBG_INF_FMT("Public key:%*.s", len, key_str);
559 				efree(key_str);
560 			}
561 			php_stream_free(stream, PHP_STREAM_FREE_CLOSE);
562 		}
563 	}
564 	DBG_RETURN(ret);
565 }
566 /* }}} */
567 
568 
569 /* {{{ mysqlnd_sha256_auth_get_auth_data */
570 static zend_uchar *
mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self,size_t * auth_data_len,MYSQLND_CONN_DATA * conn,const char * const user,const char * const passwd,const size_t passwd_len,zend_uchar * auth_plugin_data,size_t auth_plugin_data_len,const MYSQLND_OPTIONS * const options,const MYSQLND_NET_OPTIONS * const net_options,unsigned long mysql_flags TSRMLS_DC)571 mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self,
572 								  size_t * auth_data_len,
573 								  MYSQLND_CONN_DATA * conn, const char * const user, const char * const passwd,
574 								  const size_t passwd_len, zend_uchar * auth_plugin_data, size_t auth_plugin_data_len,
575 								  const MYSQLND_OPTIONS * const options,
576 								  const MYSQLND_NET_OPTIONS * const net_options,
577 								  unsigned long mysql_flags
578 								  TSRMLS_DC)
579 {
580 	RSA * server_public_key;
581 	zend_uchar * ret = NULL;
582 	DBG_ENTER("mysqlnd_sha256_auth_get_auth_data");
583 	DBG_INF_FMT("salt(%d)=[%.*s]", auth_plugin_data_len, auth_plugin_data_len, auth_plugin_data);
584 
585 
586 	if (conn->net->data->ssl) {
587 		DBG_INF("simple clear text under SSL");
588 		/* clear text under SSL */
589 		*auth_data_len = passwd_len;
590 		ret = malloc(passwd_len);
591 		memcpy(ret, passwd, passwd_len);
592 	} else {
593 		*auth_data_len = 0;
594 		server_public_key = mysqlnd_sha256_get_rsa_key(conn, options, net_options TSRMLS_CC);
595 
596 		if (server_public_key) {
597 			int server_public_key_len;
598 			char xor_str[passwd_len + 1];
599 			memcpy(xor_str, passwd, passwd_len);
600 			xor_str[passwd_len] = '\0';
601 			mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, auth_plugin_data_len);
602 
603 			server_public_key_len = RSA_size(server_public_key);
604 			/*
605 			  Because RSA_PKCS1_OAEP_PADDING is used there is a restriction on the passwd_len.
606 			  RSA_PKCS1_OAEP_PADDING is recommended for new applications. See more here:
607 			  http://www.openssl.org/docs/crypto/RSA_public_encrypt.html
608 			*/
609 			if ((size_t) server_public_key_len - 41 <= passwd_len) {
610 				/* password message is to long */
611 				SET_CLIENT_ERROR(*conn->error_info, CR_UNKNOWN_ERROR, UNKNOWN_SQLSTATE, "password is too long");
612 				DBG_ERR("password is too long");
613 				DBG_RETURN(NULL);
614 			}
615 
616 			*auth_data_len = server_public_key_len;
617 			ret = malloc(*auth_data_len);
618 			RSA_public_encrypt(passwd_len + 1, (zend_uchar *) xor_str, ret, server_public_key, RSA_PKCS1_OAEP_PADDING);
619 		}
620 	}
621 
622 	DBG_RETURN(ret);
623 }
624 /* }}} */
625 
626 
627 static struct st_mysqlnd_authentication_plugin mysqlnd_sha256_authentication_plugin =
628 {
629 	{
630 		MYSQLND_PLUGIN_API_VERSION,
631 		"auth_plugin_sha256_password",
632 		MYSQLND_VERSION_ID,
633 		MYSQLND_VERSION,
634 		"PHP License 3.01",
635 		"Andrey Hristov <andrey@mysql.com>,  Ulf Wendel <uwendel@mysql.com>",
636 		{
637 			NULL, /* no statistics , will be filled later if there are some */
638 			NULL, /* no statistics */
639 		},
640 		{
641 			NULL /* plugin shutdown */
642 		}
643 	},
644 	{/* methods */
645 		mysqlnd_sha256_auth_get_auth_data
646 	}
647 };
648 #endif
649 
650 /* {{{ mysqlnd_register_builtin_authentication_plugins */
651 void
mysqlnd_register_builtin_authentication_plugins(TSRMLS_D)652 mysqlnd_register_builtin_authentication_plugins(TSRMLS_D)
653 {
654 	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_native_auth_plugin TSRMLS_CC);
655 	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_pam_authentication_plugin TSRMLS_CC);
656 #ifdef MYSQLND_HAVE_SSL
657 	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_sha256_authentication_plugin TSRMLS_CC);
658 #endif
659 }
660 /* }}} */
661 
662 
663 /*
664  * Local variables:
665  * tab-width: 4
666  * c-basic-offset: 4
667  * End:
668  * vim600: noet sw=4 ts=4 fdm=marker
669  * vim<600: noet sw=4 ts=4
670  */
671