mirror of
https://github.com/php/php-src.git
synced 2024-09-21 09:57:23 +00:00
Fix GH-11438: mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters
https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html
tells us that the nonce used in this authentication method is 20 bytes
long. However, we might receive additional scramble data in
php_mysqlnd_greet_read not used in this method.
On my test setup, I received 21 bytes (20 bytes + '\0'). This resulted
in the xor computation to incorrectly include the NUL byte. Every
password of at least 20 characters therefore failed to authenticate
using this method.
Looking at mysql-server source code also seems to reveal that it always
uses a fixed number of scramble bytes [1].
[1] ea7087d885/sql/auth/sha2_password.cc (L1078-L1079)
Closes GH-11445.
Co-authored-by: Kamil Tekiela <tekiela246@gmail.com>
This commit is contained in:
parent
4e652412b3
commit
509906b2a5
3
NEWS
3
NEWS
@ -22,6 +22,9 @@ PHP NEWS
|
||||
- MySQLnd:
|
||||
. Fixed bug GH-11440 (authentication to a sha256_password account fails over
|
||||
SSL). (nielsdos)
|
||||
. Fixed bug GH-11438 (mysqlnd fails to authenticate with sha256_password
|
||||
accounts using passwords longer than 19 characters).
|
||||
(nielsdos, Kamil Tekiela)
|
||||
|
||||
- Opcache:
|
||||
. Fixed bug GH-11715 (opcache.interned_strings_buffer either has no effect or
|
||||
|
84
ext/mysqli/tests/gh11438.phpt
Normal file
84
ext/mysqli/tests/gh11438.phpt
Normal file
@ -0,0 +1,84 @@
|
||||
--TEST--
|
||||
GH-11438 (mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters)
|
||||
--EXTENSIONS--
|
||||
mysqli
|
||||
--SKIPIF--
|
||||
<?php
|
||||
require_once 'skipifconnectfailure.inc';
|
||||
|
||||
ob_start();
|
||||
phpinfo(INFO_MODULES);
|
||||
$tmp = ob_get_contents();
|
||||
ob_end_clean();
|
||||
if (!stristr($tmp, "auth_plugin_sha256_password"))
|
||||
die("skip SHA256 auth plugin not built-in to mysqlnd");
|
||||
|
||||
if (!$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket))
|
||||
die(printf("skip: [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error()));
|
||||
|
||||
if (mysqli_get_server_version($link) < 50606)
|
||||
die("skip: SHA-256 requires MySQL 5.6.6+");
|
||||
|
||||
if (!($res = $link->query("SHOW PLUGINS"))) {
|
||||
die(sprintf("skip [%d] %s\n", $link->errno, $link->error));
|
||||
}
|
||||
|
||||
$found = false;
|
||||
while ($row = $res->fetch_assoc()) {
|
||||
if (($row['Name'] == 'sha256_password') && ($row['Status'] == 'ACTIVE')) {
|
||||
$found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$found)
|
||||
die("skip SHA-256 server plugin unavailable");
|
||||
|
||||
// Ignore errors because this variable exists only in MySQL 5.6 and 5.7
|
||||
$link->query("SET @@session.old_passwords=2");
|
||||
|
||||
$link->query('DROP USER shatest');
|
||||
$link->query("DROP USER shatest@localhost");
|
||||
|
||||
if (!$link->query('CREATE USER shatest@"%" IDENTIFIED WITH sha256_password') ||
|
||||
!$link->query('CREATE USER shatest@"localhost" IDENTIFIED WITH sha256_password')) {
|
||||
die(sprintf("skip CREATE USER failed [%d] %s", $link->errno, $link->error));
|
||||
}
|
||||
|
||||
// Password of length 52, more than twice the length of the scramble data to ensure scramble is repeated correctly
|
||||
if (!$link->query('SET PASSWORD FOR shatest@"%" = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"') ||
|
||||
!$link->query('SET PASSWORD FOR shatest@"localhost" = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"')) {
|
||||
die(sprintf("skip SET PASSWORD failed [%d] %s", $link->errno, $link->error));
|
||||
}
|
||||
|
||||
echo "nocache";
|
||||
?>
|
||||
--FILE--
|
||||
<?php
|
||||
require_once 'connect.inc';
|
||||
|
||||
$link = new mysqli($host, 'shatest', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', null, $port, $socket);
|
||||
if ($link->connect_errno) {
|
||||
printf("[001] [%d] %s\n", $link->connect_errno, $link->connect_error);
|
||||
} else {
|
||||
if (!$res = $link->query("SELECT USER()"))
|
||||
printf("[002] [%d] %s\n", $link->errno, $link->error);
|
||||
|
||||
if (!$row = mysqli_fetch_assoc($res)) {
|
||||
printf("[003] [%d] %s\n", $link->errno, $link->error);
|
||||
}
|
||||
|
||||
if (!is_string($row['USER()']) || !str_starts_with($row['USER()'], 'shatest')) {
|
||||
printf("[004] Expecting 1 got %s/'%s'", gettype($row['USER()']), $row['USER()']);
|
||||
}
|
||||
}
|
||||
|
||||
print "done!";
|
||||
?>
|
||||
--CLEAN--
|
||||
<?php
|
||||
require_once 'connect.inc';
|
||||
$link->query('DROP USER shatest');
|
||||
$link->query('DROP USER shatest@localhost');
|
||||
?>
|
||||
--EXPECTF--
|
||||
done!
|
@ -927,7 +927,10 @@ mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self
|
||||
char *xor_str = do_alloca(passwd_len + 1, use_heap);
|
||||
memcpy(xor_str, passwd, passwd_len);
|
||||
xor_str[passwd_len] = '\0';
|
||||
mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, auth_plugin_data_len);
|
||||
/* https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html
|
||||
* This tells us that the nonce is 20 (==SCRAMBLE_LENGTH) bytes long.
|
||||
* In a 5.5+ server we might get additional scramble data in php_mysqlnd_greet_read, not used by this authentication method. */
|
||||
mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, SCRAMBLE_LENGTH);
|
||||
ret = mysqlnd_sha256_public_encrypt(conn, server_public_key, passwd_len, auth_data_len, xor_str);
|
||||
free_alloca(xor_str, use_heap);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user