Merge branch 'mysql_sha2' into 'develop'

Till Brehm · Till Brehm · commit 1169dfe9d99c · 2024-09-22T06:28:12.000Z
feat(mysql): Support the caching_sha2_password auth for newer MySQL servers

Closes #6702 and #6695

See merge request ispconfig/ispconfig3!1936
diff --git a/.gitignore b/.gitignore
@@ -58,3 +58,9 @@ Temporary Items
 
 # Visual Studio IDE cache/options directory
 .vs/
+
+# do not version control generated config files
+/server/lib/mysql_clientdb.conf
+/server/lib/config.inc.php
+/server/lib/config.inc.local.php
+/interface/lib/config.inc.local.php
diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql
@@ -0,0 +1 @@
+ALTER TABLE `web_database_user` ADD `database_password_sha2` varchar(70) DEFAULT NULL AFTER `database_password`;
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql
@@ -1947,6 +1947,7 @@ CREATE TABLE IF NOT EXISTS `web_database_user` (
   `database_user` varchar(64) DEFAULT NULL,
   `database_user_prefix` varchar(50) NOT NULL default '',
   `database_password` varchar(64) DEFAULT NULL,
+  `database_password_sha2` varchar(70) DEFAULT NULL,
   `database_password_mongo` varchar(32) DEFAULT NULL,
   PRIMARY KEY (`database_user_id`)
 )  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
@@ -239,7 +239,7 @@ private function securityScan($string) {
 						}
 					}
 				}
-				if($ok == true) {
+				if($ok) {
 					return true;
 				} else {
 					if($ids_config['sql_scan_action'] == 'warn') {
@@ -252,6 +252,8 @@ private function securityScan($string) {
 				}
 			}
 		}
+
+		return true;
 	}
 
 	private function _query($sQuery = '') {
@@ -298,7 +300,9 @@ private function _query($sQuery = '') {
 		} while($ok == false);
 
 		$sQuery = call_user_func_array(array(&$this, '_build_query_string'), $aArgs);
-		$this->securityScan($sQuery);
+		if (!$this->securityScan($sQuery)) {
+			return false;
+		}
 		$this->_iQueryId = mysqli_query($this->_iConnId, $sQuery);
 		if (!$this->_iQueryId) {
 			$this->_sqlerror('Falsche Anfrage / Wrong Query', 'SQL-Query = ' . $sQuery);
@@ -590,6 +594,7 @@ public function unquote($formfield) {
 	}
 
 	public function toLower($record) {
+		$out = [];
 		if(is_array($record)) {
 			foreach($record as $key => $val) {
 				$key = strtolower($key);
@@ -678,7 +683,7 @@ public function getDatabaseSize($database_name) {
 		$result = $db->_query("SELECT SUM(data_length+index_length) FROM information_schema.TABLES WHERE table_schema='".$db->escape($database_name)."'");
 		if(!$result) {
 			$db->_sqlerror('Unable to determine the size of database ' . $database_name);
-			return;
+			return 0;
 		}
 		$database_size = $result->getAsRow();
 		$result->free();
@@ -1075,7 +1080,7 @@ function tableInfo($table_name) {
 	}
 
 	public function mapType($metaType, $typeValue) {
-		global $go_api;
+		global $app;
 		$metaType = strtolower($metaType);
 		switch ($metaType) {
 		case 'int16':
@@ -1107,6 +1112,8 @@ public function mapType($metaType, $typeValue) {
 			return 'date';
 			break;
 		}
+		$app->error('Unknown meta type: '.$metaType);
+		return false;
 	}
 
 	/**
@@ -1148,36 +1155,173 @@ public function getDatabaseVersion($major_version_only = false) {
 	 * Get a mysql password hash
 	 *
 	 * @access public
-	 * @param string   cleartext password
+	 * @param string $password cleartext password
+	 * @param string $hash_type MySQL hash type to use. either mysql_native_password or caching_sha2_password
 	 * @return string  Password hash
 	 */
 
-	public function getPasswordHash($password) {
+	public function getPasswordHash($password, $hash_type = 'mysql_native_password') {
+		if($hash_type == 'caching_sha2_password') {
+			$password_hash = $this->mysqlSha256Crypt($password, $this->genSalt(20), 5000);
+		} else {
+			$password_hash = '*' . strtoupper(sha1(sha1($password, true)));
+		}
 
-		$password_type = 'password';
+		return $password_hash;
+	}
 
-		/* Disabled until caching_sha2_password is implemented
-		if($this->getDatabaseType() == 'mysql' && $this->getDatabaseVersion(true) >= 8) {
-			// we are in MySQL 8 mode
-			$tmp = $this->queryOneRecord("show variables like 'default_authentication_plugin'");
-			if($tmp['default_authentication_plugin'] == 'caching_sha2_password') {
-				$password_type = 'caching_sha2_password';
+	/**
+	 * @param $size int length of salt in bytes
+	 *
+	 * @return string
+	 */
+	private function genSalt($size) {
+		$salt = random_bytes($size);
+		if($salt === false) {
+			throw new Exception('Cannot generate salt.');
+		}
+		for($i = 0; $i < $size; $i++) {
+			$ord = ord($salt[$i]) & 0x7f;
+			if($ord < 32) {
+				$ord += 32;
+			}
+			if($ord == 36 /* $ */) {
+				$ord += 1;
 			}
+			$salt[$i] = chr($ord);
 		}
-		*/
 
-		if($password_type == 'caching_sha2_password') {
-			/*
-				caching_sha2_password hashing needs to be implemented, have not
-				found valid PHP implementation for the new password hash type.
-			*/
-		} else {
-			$password_hash = '*'.strtoupper(sha1(sha1($password, true)));
+		return $salt;
+	}
+
+	/**
+	 * this is the SHA256 algorithm of the crypt unix call – the only difference is that we do not truncate the salt to 16 chars
+	 * @see https://www.akkadia.org/drepper/SHA-crypt.txt
+	 * @see https://github.com/mysql/mysql-server/blob/trunk/mysys/crypt_genhash_impl.cc
+	 *
+	 * @param string $plaintext the plain text password
+	 * @param string $salt the raw salt (needs to be 20 bytes long)
+	 * @param int $rounds number of rounds. MySQL default is 5000.  Must be between 1000 and 4095000 (0xFFF * 1000)
+	 *
+	 * @return string hashed password in MySQL format
+	 */
+	private function mysqlSha256Crypt($plaintext, $salt, $rounds) {
+		$plaintext_len = strlen($plaintext);
+		$salt_len = strlen($salt);
+
+		// 1
+		$ctxA = hash_init('sha256');
+		// 2
+		hash_update($ctxA, $plaintext);
+		// 3
+		hash_update($ctxA, $salt);
+		// 4
+		$ctxB = hash_init('sha256');
+		// 5
+		hash_update($ctxB, $plaintext);
+		// 6
+		hash_update($ctxB, $salt);
+		// 7
+		hash_update($ctxB, $plaintext);
+		// 8
+		$B = hash_final($ctxB, true);
+		// 9
+		for($i = $plaintext_len; $i > 32; $i -= 32) {
+			hash_update($ctxA, $B);
 		}
+		// 10
+		hash_update($ctxA, substr($B, 0, $i));
+		// 11
+		for($i = $plaintext_len; $i > 0; $i >>= 1) {
+			if(($i & 1) != 0) {
+				hash_update($ctxA, $B);
+			} else {
+				hash_update($ctxA, $plaintext);
+			}
+		}
+		// 12
+		$A = hash_final($ctxA, true);
+		// 13
+		$ctxDP = hash_init('sha256');
+		// 14
+		for($i = 0; $i < $plaintext_len; $i++) {
+			hash_update($ctxDP, $plaintext);
+		}
+		// 15
+		$DP = hash_final($ctxDP, true);
+		// 16
+		$P = "";
+		for($i = $plaintext_len; $i > 32; $i -= 32) {
+			$P .= $DP;
+		}
+		$P .= substr($DP, 0, $i);
+		// 17
+		$ctxDS = hash_init('sha256');
+		// 18
+		for($i = 0; $i < 16 + ord($A[0]); $i++) {
+			hash_update($ctxDS, $salt);
+		}
+		// 19
+		$DS = hash_final($ctxDS, true);
+		// 20
+		$S = "";
+		for($i = $salt_len; $i >= 32; $i -= 32) {
+			$S .= $DS;
+		}
+		$S .= substr($DS, 0, $i);
+		// 21
+		$C = "";
+		for($i = 0; $i < $rounds; $i++) {
+			$ctxC = hash_init('sha256');
+			if(($i & 1) != 0) {
+				hash_update($ctxC, $P);
+			} else {
+				hash_update($ctxC, $i == 0 ? $A : $C);
+			}
 
-		return $password_hash;
-	}
+			if($i % 3 != 0) {
+				hash_update($ctxC, $S);
+			}
+
+			if($i % 7 != 0) {
+				hash_update($ctxC, $P);
+			}
+
+			if(($i & 1) != 0) {
+				hash_update($ctxC, $i == 0 ? $A : $C);
+			} else {
+				hash_update($ctxC, $P);
+			}
+			$C = hash_final($ctxC, true);
+		}
 
+		// 22
+		$b64result = str_repeat(' ', 43);
+		$p = 0;
+		$b64_from_24bit = function($B2, $B1, $B0, $N) use (&$b64result, &$p) {
+			$b64_alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+			$w = ($B2 << 16) | ($B1 << 8) | $B0;
+			$n = $N;
+			while(--$n >= 0) {
+				$b64result[$p++] = $b64_alphabet[$w & 0x3f];
+				$w = $w >> 6;
+			}
+		};
+		$b64_from_24bit(ord($C[0]), ord($C[10]), ord($C[20]), 4);
+		$b64_from_24bit(ord($C[21]), ord($C[1]), ord($C[11]), 4);
+		$b64_from_24bit(ord($C[12]), ord($C[22]), ord($C[2]), 4);
+		$b64_from_24bit(ord($C[3]), ord($C[13]), ord($C[23]), 4);
+		$b64_from_24bit(ord($C[24]), ord($C[4]), ord($C[14]), 4);
+		$b64_from_24bit(ord($C[15]), ord($C[25]), ord($C[5]), 4);
+		$b64_from_24bit(ord($C[6]), ord($C[16]), ord($C[26]), 4);
+		$b64_from_24bit(ord($C[27]), ord($C[7]), ord($C[17]), 4);
+		$b64_from_24bit(ord($C[18]), ord($C[28]), ord($C[8]), 4);
+		$b64_from_24bit(ord($C[9]), ord($C[19]), ord($C[29]), 4);
+		$b64_from_24bit(0, ord($C[31]), ord($C[30]), 3);
+
+		// we do not truncate $salt to 16 chars since MySQL does not do that and uses 20 bytes salts
+		return sprintf('$A$%03x$%s%s', $rounds / 1000, $salt, $b64result);
+	}
 
 }
 
@@ -1191,10 +1335,11 @@ class db_result {
 
 	/**
 	 *
-	 *
+	 * @var mysqli_result|null
 	 * @access private
 	 */
 	private $_iResId = null;
+	/** @var mysqli|null  */
 	private $_iConnection = null;
 
 
@@ -1406,7 +1551,7 @@ public function getAsRow() {
 	 *
 	 * @access public
 	 * @param int     $iStart offset to start read
-	 * @param int     iLength amount of datasets to read
+	 * @param int     $iLength amount of datasets to read
 	 */
 	public function limit_result($iStart, $iLength) {
 		$this->aLimitedData = array_slice($this->aResultData, $iStart, $iLength, true);
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
@@ -1376,6 +1376,9 @@ protected function _getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $
 							} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
 								$record[$key] = $app->db->getPasswordHash($record[$key]);
 								$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
+							} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQLSHA2') {
+								$record[$key] = $app->db->getPasswordHash($record[$key], 'caching_sha2_password');
+								$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
 							} else {
 								$record[$key] = md5(stripslashes($record[$key]));
 								$sql_insert_val .= "'".$app->db->quote($record[$key])."', ";
@@ -1407,6 +1410,9 @@ protected function _getSQL($record, $tab, $action = 'INSERT', $primary_id = 0, $
 							} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQL') {
 								$record[$key] = $app->db->getPasswordHash($record[$key]);
 								$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
+							} elseif (isset($field['encryption']) && $field['encryption'] == 'MYSQLSHA2') {
+								$record[$key] = $app->db->getPasswordHash($record[$key], 'caching_sha2_password');
+								$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
 							} else {
 								$record[$key] = md5(stripslashes($record[$key]));
 								$sql_update .= "`$key` = '".$app->db->quote($record[$key])."', ";
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
@@ -168,6 +168,13 @@ function onBeforeUpdate() {
 			$this->dataRecord['database_user'] = substr($dbuser_prefix . $this->dataRecord['database_user'], 0, 32);
 		}
 
+		// always copy over the password to the SHA2 column
+		if($this->dataRecord['database_password']) {
+			$this->dataRecord['database_password_sha2'] = $this->dataRecord['database_password'];
+		} else {
+			$this->dataRecord['database_password_sha2'] = '';
+		}
+
 		/* prepare password for MongoDB */
 		// TODO: this still doens't work as when only the username changes we have no database_password.
 		// taking the one from oldData doesn't work as it's encrypted...shit!
@@ -184,10 +191,13 @@ function onBeforeInsert() {
 
 		//* Database username shall not be empty
 		if($this->dataRecord['database_user'] == '') $app->tform->errorMessage .= $app->tform->wordbook["database_user_error_empty"].'<br />';
-		
+
 		//* Database password shall not be empty
 		if($this->dataRecord['database_password'] == '') $app->tform->errorMessage .= $app->tform->wordbook["database_password_error_empty"].'<br />';
 
+		// always copy over the password to the SHA2 column
+		$this->dataRecord['database_password_sha2'] = $this->dataRecord['database_password'];
+
 		//* Get the database name and database user prefix
 		$app->uses('getconf,tools_sites');
 		$global_config = $app->getconf->get_global_config('sites');
diff --git a/interface/web/sites/form/database_user.tform.php b/interface/web/sites/form/database_user.tform.php
@@ -117,6 +117,15 @@
 			'width'  => '30',
 			'maxlength' => '255'
 		),
+		'database_password_sha2' => array (
+			'datatype' => 'VARCHAR',
+			'formtype' => 'PASSWORD',
+			'encryption' => 'MYSQLSHA2',
+			'default' => '',
+			'value'  => '',
+			'width'  => '30',
+			'maxlength' => '255'
+		),
 		'database_password_mongo' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'PASSWORD',
diff --git a/server/lib/classes/db_mysql.inc.php b/server/lib/classes/db_mysql.inc.php
diff --git a/server/plugins-available/mysql_clientdb_plugin.inc.php b/server/plugins-available/mysql_clientdb_plugin.inc.php

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+ALTER TABLE `web_database_user` ADD `database_password_sha2` varchar(70) DEFAULT NULL AFTER `database_password`;