1 /*
2 Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is also distributed with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have included with MySQL.
14
15 Without limiting anything contained in the foregoing, this file,
16 which is part of C Driver for MySQL (Connector/C), is also subject to the
17 Universal FOSS Exception, version 1.0, a copy of which can be found at
18 http://oss.oracle.com/licenses/universal-foss-exception.
19
20 This program is distributed in the hope that it will be useful,
21 but WITHOUT ANY WARRANTY; without even the implied warranty of
22 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 GNU General Public License, version 2.0, for more details.
24
25 You should have received a copy of the GNU General Public License
26 along with this program; if not, write to the Free Software
27 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
28
29 /* password checking routines */
30 /*****************************************************************************
31 The main idea is that no password are sent between client & server on
32 connection and that no password are saved in mysql in a decodable form.
33
34 On connection a random string is generated and sent to the client.
35 The client generates a new string with a random generator inited with
36 the hash values from the password and the sent string.
37 This 'check' string is sent to the server where it is compared with
38 a string generated from the stored hash_value of the password and the
39 random string.
40
41 The password is saved (in user.password) by using the PASSWORD() function in
42 mysql.
43
44 This is .c file because it's used in libperconaserverclient, which is entirely in C.
45 (we need it to be portable to a variety of systems).
46 Example:
47 update user set password=PASSWORD("hello") where user="test"
48 This saves a hashed number as a string in the password field.
49
50 The new authentication is performed in following manner:
51
52 SERVER: public_seed=create_random_string()
53 send(public_seed)
54
55 CLIENT: recv(public_seed)
56 hash_stage1=sha1("password")
57 hash_stage2=sha1(hash_stage1)
58 reply=xor(hash_stage1, sha1(public_seed,hash_stage2)
59
60 // this three steps are done in scramble()
61
62 send(reply)
63
64
65 SERVER: recv(reply)
66 hash_stage1=xor(reply, sha1(public_seed,hash_stage2))
67 candidate_hash2=sha1(hash_stage1)
68 check(candidate_hash2==hash_stage2)
69
70 // this three steps are done in check_scramble()
71
72 *****************************************************************************/
73
74 #include <password.h>
75 #include <my_global.h>
76 #include <my_sys.h>
77 #include <m_string.h>
78 #include <sha1.h>
79 #include <my_rnd.h>
80 #include "mysql.h"
81 #include "crypt_genhash_impl.h"
82
83 /************ MySQL 3.23-4.0 authentication routines: untouched ***********/
84
85 /*
86 New (MySQL 3.21+) random generation structure initialization
87 SYNOPSIS
88 randominit()
89 rand_st OUT Structure to initialize
90 seed1 IN First initialization parameter
91 seed2 IN Second initialization parameter
92 */
93
randominit(struct rand_struct * rand_st,ulong seed1,ulong seed2)94 void randominit(struct rand_struct *rand_st, ulong seed1, ulong seed2)
95 { /* For mysql 3.21.# */
96 #ifdef HAVE_purify
97 memset(rand_st, 0, sizeof(*rand_st)); /* Avoid UMC varnings */
98 #endif
99 rand_st->max_value= 0x3FFFFFFFL;
100 rand_st->max_value_dbl=(double) rand_st->max_value;
101 rand_st->seed1=seed1%rand_st->max_value ;
102 rand_st->seed2=seed2%rand_st->max_value;
103 }
104
105 /*
106 Generate binary hash from raw text string
107 Used for Pre-4.1 password handling
108 SYNOPSIS
109 hash_password()
110 result OUT store hash in this location
111 password IN plain text password to build hash
112 password_len IN password length (password may be not null-terminated)
113 */
114
hash_password(ulong * result,const char * password,uint password_len)115 void hash_password(ulong *result, const char *password, uint password_len)
116 {
117 ulong nr=1345345333L, add=7, nr2=0x12345671L;
118 ulong tmp;
119 const char *password_end= password + password_len;
120 for (; password < password_end; password++)
121 {
122 if (*password == ' ' || *password == '\t')
123 continue; /* skip space in password */
124 tmp= (ulong) (uchar) *password;
125 nr^= (((nr & 63)+add)*tmp)+ (nr << 8);
126 nr2+=(nr2 << 8) ^ nr;
127 add+=tmp;
128 }
129 result[0]=nr & (((ulong) 1L << 31) -1L); /* Don't use sign bit (str2int) */;
130 result[1]=nr2 & (((ulong) 1L << 31) -1L);
131 }
132
133
134 /*
135 Create password to be stored in user database from raw string
136 Used for pre-4.1 password handling
137 SYNOPSIS
138 my_make_scrambled_password_323()
139 to OUT store scrambled password here
140 password IN user-supplied password
141 pass_len IN length of password string
142 */
143
my_make_scrambled_password_323(char * to,const char * password,size_t pass_len)144 void my_make_scrambled_password_323(char *to, const char *password,
145 size_t pass_len)
146 {
147 ulong hash_res[2];
148 hash_password(hash_res, password, (uint) pass_len);
149 sprintf(to, "%08lx%08lx", hash_res[0], hash_res[1]);
150 }
151
152
153 /*
154 Wrapper around my_make_scrambled_password_323() to maintain client lib ABI
155 compatibility.
156 In server code usage of my_make_scrambled_password_323() is preferred to
157 avoid strlen().
158 SYNOPSIS
159 make_scrambled_password_323()
160 to OUT store scrambled password here
161 password IN NULL-terminated string with user-supplied password
162 */
163
make_scrambled_password_323(char * to,const char * password)164 void make_scrambled_password_323(char *to, const char *password)
165 {
166 my_make_scrambled_password_323(to, password, strlen(password));
167 }
168
169
170 /*
171 Scramble string with password.
172 Used in pre 4.1 authentication phase.
173 SYNOPSIS
174 scramble_323()
175 to OUT Store scrambled message here. Buffer must be at least
176 SCRAMBLE_LENGTH_323+1 bytes long
177 message IN Message to scramble. Message must be at least
178 SRAMBLE_LENGTH_323 bytes long.
179 password IN Password to use while scrambling
180 */
181
scramble_323(char * to,const char * message,const char * password)182 void scramble_323(char *to, const char *message, const char *password)
183 {
184 struct rand_struct rand_st;
185 ulong hash_pass[2], hash_message[2];
186
187 if (password && password[0])
188 {
189 char extra, *to_start=to;
190 const char *message_end= message + SCRAMBLE_LENGTH_323;
191 hash_password(hash_pass,password, (uint) strlen(password));
192 hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
193 randominit(&rand_st,hash_pass[0] ^ hash_message[0],
194 hash_pass[1] ^ hash_message[1]);
195 for (; message < message_end; message++)
196 *to++= (char) (floor(my_rnd(&rand_st)*31)+64);
197 extra=(char) (floor(my_rnd(&rand_st)*31));
198 while (to_start != to)
199 *(to_start++)^=extra;
200 }
201 *to= 0;
202 }
203
204
205 /**
206 Check scrambled message. Used in pre 4.1 password handling.
207
208 @param scrambled Scrambled message to check.
209 @param message Original random message which was used for scrambling.
210 @param hash_pass Password which should be used for scrambling.
211
212 @remark scrambled and message must be SCRAMBLED_LENGTH_323 bytes long.
213
214 @return FALSE if password is correct, TRUE otherwise.
215 */
216
217 my_bool
check_scramble_323(const unsigned char * scrambled,const char * message,ulong * hash_pass)218 check_scramble_323(const unsigned char *scrambled, const char *message,
219 ulong *hash_pass)
220 {
221 struct rand_struct rand_st;
222 ulong hash_message[2];
223 /* Big enough for checks. */
224 uchar buff[16], scrambled_buff[SCRAMBLE_LENGTH_323 + 1];
225 uchar *to, extra;
226 const uchar *pos;
227
228 /* Ensure that the scrambled message is null-terminated. */
229 memcpy(scrambled_buff, scrambled, SCRAMBLE_LENGTH_323);
230 scrambled_buff[SCRAMBLE_LENGTH_323]= '\0';
231 scrambled= scrambled_buff;
232
233 hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
234 randominit(&rand_st,hash_pass[0] ^ hash_message[0],
235 hash_pass[1] ^ hash_message[1]);
236 to=buff;
237 DBUG_ASSERT(sizeof(buff) > SCRAMBLE_LENGTH_323);
238 for (pos=scrambled ; *pos && to < buff+sizeof(buff) ; pos++)
239 *to++=(char) (floor(my_rnd(&rand_st)*31)+64);
240 if (pos-scrambled != SCRAMBLE_LENGTH_323)
241 return 1;
242 extra=(char) (floor(my_rnd(&rand_st)*31));
243 to=buff;
244 while (*scrambled)
245 {
246 if (*scrambled++ != (uchar) (*to++ ^ extra))
247 return 1; /* Wrong password */
248 }
249 return 0;
250 }
251
char_val(uint8 X)252 static inline uint8 char_val(uint8 X)
253 {
254 return (uint) (X >= '0' && X <= '9' ? X-'0' :
255 X >= 'A' && X <= 'Z' ? X-'A'+10 : X-'a'+10);
256 }
257
258
259 /*
260 Convert password from hex string (as stored in mysql.user) to binary form.
261 SYNOPSIS
262 get_salt_from_password_323()
263 res OUT store salt here
264 password IN password string as stored in mysql.user
265 NOTE
266 This function does not have length check for passwords. It will just crash
267 Password hashes in old format must have length divisible by 8
268 */
269
get_salt_from_password_323(ulong * res,const char * password)270 void get_salt_from_password_323(ulong *res, const char *password)
271 {
272 res[0]= res[1]= 0;
273 if (password)
274 {
275 while (*password)
276 {
277 ulong val=0;
278 uint i;
279 for (i=0 ; i < 8 ; i++)
280 val=(val << 4)+char_val(*password++);
281 *res++=val;
282 }
283 }
284 }
285
286
287 /*
288 Convert scrambled password from binary form to asciiz hex string.
289 SYNOPSIS
290 make_password_from_salt_323()
291 to OUT store resulting string password here, at least 17 bytes
292 salt IN password in salt format, 2 ulongs
293 */
294
make_password_from_salt_323(char * to,const ulong * salt)295 void make_password_from_salt_323(char *to, const ulong *salt)
296 {
297 sprintf(to,"%08lx%08lx", salt[0], salt[1]);
298 }
299
300
301 /*
302 **************** MySQL 4.1.1 authentication routines *************
303 */
304
305 /**
306 Generate string of printable pseudo random characters of requested length.
307
308 @param to[out] Buffer for generation; must be at least length+1 bytes
309 long; result string is always null-terminated
310 @param length[in] How many random characters to put in buffer
311 @param rand_st Structure used for number generation
312
313 @note This function is restricted for use with
314 native_password_authenticate() because of security reasons.
315
316 DON'T RELY ON THIS FUNCTION FOR A UNIFORMLY DISTRIBUTION OF BITS!
317
318 */
319
create_random_string(char * to,uint length,struct rand_struct * rand_st)320 void create_random_string(char *to, uint length, struct rand_struct *rand_st)
321 {
322 char *end= to + length;
323 /*
324 Warning: my_rnd() is a fast prng, but it doesn't necessarily have a uniform
325 distribution.
326 */
327 for (; to < end; to++)
328 *to= (char) (my_rnd(rand_st) * 94 + 33);
329 *to= '\0';
330 }
331
332
333 /* Character to use as version identifier for version 4.1 */
334
335 #define PVERSION41_CHAR '*'
336
337
338 /*
339 Convert given octet sequence to asciiz string of hex characters;
340 str..str+len and 'to' may not overlap.
341 SYNOPSIS
342 octet2hex()
343 buf OUT output buffer. Must be at least 2*len+1 bytes
344 str, len IN the beginning and the length of the input string
345
346 RETURN
347 buf+len*2
348 */
349
octet2hex(char * to,const char * str,uint len)350 char *octet2hex(char *to, const char *str, uint len)
351 {
352 const char *str_end= str + len;
353 for (; str != str_end; ++str)
354 {
355 *to++= _dig_vec_upper[((uchar) *str) >> 4];
356 *to++= _dig_vec_upper[((uchar) *str) & 0x0F];
357 }
358 *to= '\0';
359 return to;
360 }
361
362
363 /*
364 Convert given asciiz string of hex (0..9 a..f) characters to octet
365 sequence.
366 SYNOPSIS
367 hex2octet()
368 to OUT buffer to place result; must be at least len/2 bytes
369 str, len IN begin, length for character string; str and to may not
370 overlap; len % 2 == 0
371 */
372
373 static void
hex2octet(uint8 * to,const char * str,uint len)374 hex2octet(uint8 *to, const char *str, uint len)
375 {
376 const char *str_end= str + len;
377 while (str < str_end)
378 {
379 char tmp= char_val(*str++);
380 *to++= (tmp << 4) | char_val(*str++);
381 }
382 }
383
384
385 /*
386 Encrypt/Decrypt function used for password encryption in authentication.
387 Simple XOR is used here but it is OK as we crypt random strings. Note,
388 that XOR(s1, XOR(s1, s2)) == s2, XOR(s1, s2) == XOR(s2, s1)
389 SYNOPSIS
390 my_crypt()
391 to OUT buffer to hold crypted string; must be at least len bytes
392 long; to and s1 (or s2) may be the same.
393 s1, s2 IN input strings (of equal length)
394 len IN length of s1 and s2
395 */
396
397 static void
my_crypt(char * to,const uchar * s1,const uchar * s2,uint len)398 my_crypt(char *to, const uchar *s1, const uchar *s2, uint len)
399 {
400 const uint8 *s1_end= s1 + len;
401 while (s1 < s1_end)
402 *to++= *s1++ ^ *s2++;
403 }
404
405 #if defined(HAVE_OPENSSL)
my_make_scrambled_password(char * to,const char * password,size_t pass_len)406 void my_make_scrambled_password(char *to, const char *password,
407 size_t pass_len)
408 {
409
410 char salt[CRYPT_SALT_LENGTH + 1];
411
412 generate_user_salt(salt, CRYPT_SALT_LENGTH + 1);
413 my_crypt_genhash(to,
414 CRYPT_MAX_PASSWORD_SIZE,
415 password,
416 pass_len,
417 salt,
418 0);
419
420 }
421 #endif
422 /**
423 Compute two stage SHA1 hash of the password :
424
425 hash_stage1=sha1("password")
426 hash_stage2=sha1(hash_stage1)
427
428 @param password [IN] Password string.
429 @param pass_len [IN] Length of the password.
430 @param hash_stage1 [OUT] sha1(password)
431 @param hash_stage2 [OUT] sha1(hash_stage1)
432 */
433
434 inline static
compute_two_stage_sha1_hash(const char * password,size_t pass_len,uint8 * hash_stage1,uint8 * hash_stage2)435 void compute_two_stage_sha1_hash(const char *password, size_t pass_len,
436 uint8 *hash_stage1, uint8 *hash_stage2)
437 {
438 /* Stage 1: hash password */
439 compute_sha1_hash(hash_stage1, password, pass_len);
440
441 /* Stage 2 : hash first stage's output. */
442 compute_sha1_hash(hash_stage2, (const char *) hash_stage1, SHA1_HASH_SIZE);
443 }
444
445
446 /*
447 MySQL 4.1.1 password hashing: SHA conversion (see RFC 2289, 3174) twice
448 applied to the password string, and then produced octet sequence is
449 converted to hex string.
450 The result of this function is used as return value from PASSWORD() and
451 is stored in the database.
452 SYNOPSIS
453 my_make_scrambled_password_sha1()
454 buf OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string
455 password IN password string
456 pass_len IN length of password string
457 */
458
my_make_scrambled_password_sha1(char * to,const char * password,size_t pass_len)459 void my_make_scrambled_password_sha1(char *to, const char *password,
460 size_t pass_len)
461 {
462 uint8 hash_stage2[SHA1_HASH_SIZE];
463
464 /* Two stage SHA1 hash of the password. */
465 compute_two_stage_sha1_hash(password, pass_len, (uint8 *) to, hash_stage2);
466
467 /* convert hash_stage2 to hex string */
468 *to++= PVERSION41_CHAR;
469 octet2hex(to, (const char*) hash_stage2, SHA1_HASH_SIZE);
470 }
471
472
473 /*
474 Wrapper around my_make_scrambled_password() to maintain client lib ABI
475 compatibility.
476 In server code usage of my_make_scrambled_password() is preferred to
477 avoid strlen().
478 SYNOPSIS
479 make_scrambled_password()
480 buf OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string
481 password IN NULL-terminated password string
482 */
483
make_scrambled_password(char * to,const char * password)484 void make_scrambled_password(char *to, const char *password)
485 {
486 my_make_scrambled_password_sha1(to, password, strlen(password));
487 }
488
489
490 /*
491 Produce an obscure octet sequence from password and random
492 string, recieved from the server. This sequence corresponds to the
493 password, but password can not be easily restored from it. The sequence
494 is then sent to the server for validation. Trailing zero is not stored
495 in the buf as it is not needed.
496 This function is used by client to create authenticated reply to the
497 server's greeting.
498 SYNOPSIS
499 scramble()
500 buf OUT store scrambled string here. The buf must be at least
501 SHA1_HASH_SIZE bytes long.
502 message IN random message, must be exactly SCRAMBLE_LENGTH long and
503 NULL-terminated.
504 password IN users' password
505 */
506
507 void
scramble(char * to,const char * message,const char * password)508 scramble(char *to, const char *message, const char *password)
509 {
510 uint8 hash_stage1[SHA1_HASH_SIZE];
511 uint8 hash_stage2[SHA1_HASH_SIZE];
512
513 /* Two stage SHA1 hash of the password. */
514 compute_two_stage_sha1_hash(password, strlen(password), hash_stage1,
515 hash_stage2);
516
517 /* create crypt string as sha1(message, hash_stage2) */;
518 compute_sha1_hash_multi((uint8 *) to, message, SCRAMBLE_LENGTH,
519 (const char *) hash_stage2, SHA1_HASH_SIZE);
520 my_crypt(to, (const uchar *) to, hash_stage1, SCRAMBLE_LENGTH);
521 }
522
523
524 /*
525 Check that scrambled message corresponds to the password; the function
526 is used by server to check that recieved reply is authentic.
527 This function does not check lengths of given strings: message must be
528 null-terminated, reply and hash_stage2 must be at least SHA1_HASH_SIZE
529 long (if not, something fishy is going on).
530 SYNOPSIS
531 check_scramble_sha1()
532 scramble clients' reply, presumably produced by scramble()
533 message original random string, previously sent to client
534 (presumably second argument of scramble()), must be
535 exactly SCRAMBLE_LENGTH long and NULL-terminated.
536 hash_stage2 hex2octet-decoded database entry
537 All params are IN.
538
539 RETURN VALUE
540 0 password is correct
541 !0 password is invalid
542 */
543
544 my_bool
check_scramble_sha1(const uchar * scramble_arg,const char * message,const uint8 * hash_stage2)545 check_scramble_sha1(const uchar *scramble_arg, const char *message,
546 const uint8 *hash_stage2)
547 {
548 uint8 buf[SHA1_HASH_SIZE];
549 uint8 hash_stage2_reassured[SHA1_HASH_SIZE];
550
551 /* create key to encrypt scramble */
552 compute_sha1_hash_multi(buf, message, SCRAMBLE_LENGTH,
553 (const char *) hash_stage2, SHA1_HASH_SIZE);
554 /* encrypt scramble */
555 my_crypt((char *) buf, buf, scramble_arg, SCRAMBLE_LENGTH);
556
557 /* now buf supposedly contains hash_stage1: so we can get hash_stage2 */
558 compute_sha1_hash(hash_stage2_reassured, (const char *) buf, SHA1_HASH_SIZE);
559
560 return MY_TEST(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
561 }
562
563 my_bool
check_scramble(const uchar * scramble_arg,const char * message,const uint8 * hash_stage2)564 check_scramble(const uchar *scramble_arg, const char *message,
565 const uint8 *hash_stage2)
566 {
567 return check_scramble_sha1(scramble_arg, message, hash_stage2);
568 }
569
570 /*
571 Convert scrambled password from asciiz hex string to binary form.
572
573 SYNOPSIS
574 get_salt_from_password()
575 res OUT buf to hold password. Must be at least SHA1_HASH_SIZE
576 bytes long.
577 password IN 4.1.1 version value of user.password
578 */
579
get_salt_from_password(uint8 * hash_stage2,const char * password)580 void get_salt_from_password(uint8 *hash_stage2, const char *password)
581 {
582 hex2octet(hash_stage2, password+1 /* skip '*' */, SHA1_HASH_SIZE * 2);
583 }
584
585 /*
586 Convert scrambled password from binary form to asciiz hex string.
587 SYNOPSIS
588 make_password_from_salt()
589 to OUT store resulting string here, 2*SHA1_HASH_SIZE+2 bytes
590 salt IN password in salt format
591 */
592
make_password_from_salt(char * to,const uint8 * hash_stage2)593 void make_password_from_salt(char *to, const uint8 *hash_stage2)
594 {
595 *to++= PVERSION41_CHAR;
596 octet2hex(to, (const char*) hash_stage2, SHA1_HASH_SIZE);
597 }
598
599 #if defined(EXPORT_SYMVER16)
600 #ifndef EMBEDDED_LIBRARY
601
602 // Hack to provide both libmysqlclient_16 and libmysqlclient_18 symbol versions
603
604 #define SYM_16(_exportedsym) __asm__(".symver symver16_" #_exportedsym "," #_exportedsym "@libmysqlclient_16")
605
symver16_my_make_scrambled_password(char * to,const char * password,size_t pass_len)606 void symver16_my_make_scrambled_password(char *to, const char *password, size_t pass_len)
607 {
608 my_make_scrambled_password(to, password, pass_len);
609 }
610 SYM_16(my_make_scrambled_password);
611
612 #endif
613 #endif /* EXPORT_SYMVER16 */
614