231 lines
7.2 KiB
C++
231 lines
7.2 KiB
C++
//
|
|
// Copyright (c) 2019-2024 Ruben Perez Hidalgo (rubenperez038 at gmail dot com)
|
|
//
|
|
// Distributed under the Boost Software License, Version 1.0. (See accompanying
|
|
// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
|
|
//
|
|
|
|
#ifndef BOOST_MYSQL_IMPL_INTERNAL_AUTH_AUTH_IPP
|
|
#define BOOST_MYSQL_IMPL_INTERNAL_AUTH_AUTH_IPP
|
|
|
|
#pragma once
|
|
|
|
#include <boost/mysql/client_errc.hpp>
|
|
#include <boost/mysql/string_view.hpp>
|
|
|
|
#include <boost/mysql/detail/make_string_view.hpp>
|
|
|
|
#include <boost/mysql/impl/internal/auth/auth.hpp>
|
|
|
|
#include <boost/config.hpp>
|
|
|
|
#include <algorithm>
|
|
#include <cstring>
|
|
#include <openssl/sha.h>
|
|
|
|
namespace boost {
|
|
namespace mysql {
|
|
namespace detail {
|
|
|
|
// mysql_native_password
|
|
// Authorization for this plugin is always challenge (nonce) -> response
|
|
// (hashed password).
|
|
|
|
BOOST_INLINE_CONSTEXPR std::size_t mnp_challenge_length = 20;
|
|
BOOST_INLINE_CONSTEXPR std::size_t mnp_response_length = 20;
|
|
|
|
// challenge must point to challenge_length bytes of data
|
|
// output must point to response_length bytes of data
|
|
// SHA1( password ) XOR SHA1( "20-bytes random data from server" <concat> SHA1( SHA1( password ) ) )
|
|
inline void mnp_compute_auth_string(string_view password, const void* challenge, void* output)
|
|
{
|
|
// SHA1 (password)
|
|
using sha1_buffer = unsigned char[SHA_DIGEST_LENGTH];
|
|
sha1_buffer password_sha1;
|
|
SHA1(reinterpret_cast<const unsigned char*>(password.data()), password.size(), password_sha1);
|
|
|
|
// Add server challenge (salt)
|
|
unsigned char salted_buffer[mnp_challenge_length + SHA_DIGEST_LENGTH];
|
|
memcpy(salted_buffer, challenge, mnp_challenge_length);
|
|
SHA1(password_sha1, sizeof(password_sha1), salted_buffer + 20);
|
|
sha1_buffer salted_sha1;
|
|
SHA1(salted_buffer, sizeof(salted_buffer), salted_sha1);
|
|
|
|
// XOR
|
|
static_assert(mnp_response_length == SHA_DIGEST_LENGTH, "Buffer size mismatch");
|
|
for (std::size_t i = 0; i < SHA_DIGEST_LENGTH; ++i)
|
|
{
|
|
static_cast<std::uint8_t*>(output)[i] = password_sha1[i] ^ salted_sha1[i];
|
|
}
|
|
}
|
|
|
|
inline error_code mnp_compute_response(
|
|
string_view password,
|
|
boost::span<const std::uint8_t> challenge,
|
|
bool, // secure_channel
|
|
std::vector<std::uint8_t>& output
|
|
)
|
|
{
|
|
// Check challenge size
|
|
if (challenge.size() != mnp_challenge_length)
|
|
{
|
|
return make_error_code(client_errc::protocol_value_error);
|
|
}
|
|
|
|
// Do the calculation
|
|
output.resize(mnp_response_length);
|
|
mnp_compute_auth_string(password, challenge.data(), output.data());
|
|
return error_code();
|
|
}
|
|
|
|
// caching_sha2_password
|
|
// Authorization for this plugin may be cleartext password or challenge/response.
|
|
// The server has a cache that uses when employing challenge/response. When
|
|
// the server sends a challenge of challenge_length bytes, we should send
|
|
// the password hashed with the challenge. The server may send a challenge
|
|
// equals to perform_full_auth, meaning it could not use the cache to
|
|
// complete the auth. In this case, we should just send the cleartext password.
|
|
// Doing the latter requires a SSL connection. It is possible to perform full
|
|
// auth without an SSL connection, but that requires the server public key,
|
|
// and we do not implement that.
|
|
|
|
BOOST_INLINE_CONSTEXPR std::size_t csha2p_challenge_length = 20;
|
|
BOOST_INLINE_CONSTEXPR std::size_t csha2p_response_length = 32;
|
|
|
|
// challenge must point to challenge_length bytes of data
|
|
// output must point to response_length bytes of data
|
|
inline void csha2p_compute_auth_string(string_view password, const void* challenge, void* output)
|
|
{
|
|
static_assert(csha2p_response_length == SHA256_DIGEST_LENGTH, "Buffer size mismatch");
|
|
|
|
// SHA(SHA(password_sha) concat challenge) XOR password_sha
|
|
// hash1 = SHA(pass)
|
|
using sha_buffer = std::uint8_t[csha2p_response_length];
|
|
sha_buffer password_sha;
|
|
SHA256(reinterpret_cast<const unsigned char*>(password.data()), password.size(), password_sha);
|
|
|
|
// SHA(password_sha) concat challenge = buffer
|
|
std::uint8_t buffer[csha2p_response_length + csha2p_challenge_length];
|
|
SHA256(password_sha, csha2p_response_length, buffer);
|
|
std::memcpy(buffer + csha2p_response_length, challenge, csha2p_challenge_length);
|
|
|
|
// SHA(SHA(password_sha) concat challenge) = SHA(buffer) = salted_password
|
|
sha_buffer salted_password;
|
|
SHA256(buffer, sizeof(buffer), salted_password);
|
|
|
|
// salted_password XOR password_sha
|
|
for (unsigned i = 0; i < csha2p_response_length; ++i)
|
|
{
|
|
static_cast<std::uint8_t*>(output)[i] = salted_password[i] ^ password_sha[i];
|
|
}
|
|
}
|
|
|
|
inline bool should_perform_full_auth(boost::span<const std::uint8_t> challenge)
|
|
{
|
|
// A challenge of "\4" means "perform full auth"
|
|
return challenge.size() == 1u && challenge[0] == 4;
|
|
}
|
|
|
|
inline error_code csha2p_compute_response(
|
|
string_view password,
|
|
boost::span<const std::uint8_t> challenge,
|
|
bool secure_channel,
|
|
std::vector<std::uint8_t>& output
|
|
)
|
|
{
|
|
if (should_perform_full_auth(challenge))
|
|
{
|
|
if (!secure_channel)
|
|
{
|
|
return make_error_code(client_errc::auth_plugin_requires_ssl);
|
|
}
|
|
output.assign(password.begin(), password.end());
|
|
output.push_back(0);
|
|
return error_code();
|
|
}
|
|
else
|
|
{
|
|
// Check challenge size
|
|
if (challenge.size() != csha2p_challenge_length)
|
|
{
|
|
return make_error_code(client_errc::protocol_value_error);
|
|
}
|
|
|
|
// Do the calculation
|
|
output.resize(csha2p_response_length);
|
|
csha2p_compute_auth_string(password, challenge.data(), output.data());
|
|
return error_code();
|
|
}
|
|
}
|
|
|
|
// top-level API
|
|
struct authentication_plugin
|
|
{
|
|
using calculator_signature = error_code (*)(
|
|
string_view password,
|
|
boost::span<const std::uint8_t> challenge,
|
|
bool secure_channel,
|
|
std::vector<std::uint8_t>& output
|
|
);
|
|
|
|
string_view name;
|
|
calculator_signature calculator;
|
|
};
|
|
|
|
BOOST_INLINE_CONSTEXPR authentication_plugin all_authentication_plugins[] = {
|
|
{
|
|
make_string_view("mysql_native_password"),
|
|
&mnp_compute_response,
|
|
},
|
|
{
|
|
make_string_view("caching_sha2_password"),
|
|
&csha2p_compute_response,
|
|
},
|
|
};
|
|
|
|
inline const authentication_plugin* find_plugin(string_view name)
|
|
{
|
|
auto it = std::find_if(
|
|
std::begin(all_authentication_plugins),
|
|
std::end(all_authentication_plugins),
|
|
[name](const authentication_plugin& plugin) { return plugin.name == name; }
|
|
);
|
|
return it == std::end(all_authentication_plugins) ? nullptr : it;
|
|
}
|
|
|
|
} // namespace detail
|
|
} // namespace mysql
|
|
} // namespace boost
|
|
|
|
boost::mysql::error_code boost::mysql::detail::compute_auth_response(
|
|
string_view plugin_name,
|
|
string_view password,
|
|
span<const std::uint8_t> challenge,
|
|
bool secure_channel,
|
|
auth_response& output
|
|
)
|
|
{
|
|
const auto* plugin = find_plugin(plugin_name);
|
|
if (plugin)
|
|
{
|
|
output.plugin_name = plugin->name;
|
|
|
|
if (password.empty())
|
|
{
|
|
// Blank password: we should just return an empty auth string
|
|
output.data.clear();
|
|
return error_code();
|
|
}
|
|
else
|
|
{
|
|
return plugin->calculator(password, challenge, secure_channel, output.data);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
return client_errc::unknown_auth_plugin;
|
|
}
|
|
}
|
|
|
|
#endif
|