Fix unix socket check during caching_sha2_password

nikic · nikic · commit 03ee36d1c526 · 2019-12-27T17:27:41.000+01:00
The fact that conn-&gt;unix_socket is set does not mean that a Unix
socket is actually in use -- this member is set in a default
configuration.

Instead check whether a unix_socket stream ops is used.
diff --git a/ext/mysqlnd/mysqlnd_auth.c b/ext/mysqlnd/mysqlnd_auth.c
@@ -1032,6 +1032,14 @@ mysqlnd_caching_sha2_get_and_use_key(MYSQLND_CONN_DATA *conn,
 }
 /* }}} */
 
+static int is_secure_transport(MYSQLND_CONN_DATA *conn) {
+	if (conn->vio->data->ssl) {
+		return 1;
+	}
+
+	return strcmp(conn->vio->data->stream->ops->label, "unix_socket") == 0;
+}
+
 /* {{{ mysqlnd_caching_sha2_handle_server_response */
 static enum_func_status
 mysqlnd_caching_sha2_handle_server_response(struct st_mysqlnd_authentication_plugin *self,
@@ -1063,13 +1071,13 @@ mysqlnd_caching_sha2_handle_server_response(struct st_mysqlnd_authentication_plu
 			DBG_INF("fast path succeeded");
 			DBG_RETURN(PASS);
 		case 4:
-			if (conn->vio->data->ssl || conn->unix_socket.s) {
-				DBG_INF("fast path failed, doing full auth via SSL");
+			if (is_secure_transport(conn)) {
+				DBG_INF("fast path failed, doing full auth via secure transport");
 				result_packet.password = (zend_uchar *)passwd;
 				result_packet.password_len = passwd_len + 1;
 				PACKET_WRITE(conn, &result_packet);
 			} else {
-				DBG_INF("fast path failed, doing full auth without SSL");
+				DBG_INF("fast path failed, doing full auth via insecure transport");
 				result_packet.password_len = mysqlnd_caching_sha2_get_and_use_key(conn, auth_plugin_data, auth_plugin_data_len, &result_packet.password, passwd, passwd_len);
 				PACKET_WRITE(conn, &result_packet);
 				efree(result_packet.password);
diff --git a/ext/mysqlnd/mysqlnd_connection.c b/ext/mysqlnd/mysqlnd_connection.c
@@ -671,13 +671,9 @@ MYSQLND_METHOD(mysqlnd_conn_data, connect)(MYSQLND_CONN_DATA * conn,
 
 	{
 		const MYSQLND_CSTRING scheme = { transport.s, transport.l };
-		/* This will be overwritten below with a copy, but we can use it during authentication */
-		conn->unix_socket.s = (char *)socket_or_pipe.s;
 		if (FAIL == conn->m->connect_handshake(conn, &scheme, &username, &password, &database, mysql_flags)) {
-			conn->unix_socket.s = NULL;
 			goto err;
 		}
-		conn->unix_socket.s = NULL;
 	}
 
 	{

Original file line number	Diff line number	Diff line change
`@@ -671,13 +671,9 @@ MYSQLND_METHOD(mysqlnd_conn_data, connect)(MYSQLND_CONN_DATA * conn,`
`671`	`671`
`672`	`672`	`{`
`673`	`673`	`const MYSQLND_CSTRING scheme = { transport.s, transport.l };`
`674`		`- /* This will be overwritten below with a copy, but we can use it during authentication */`
`675`		`- conn->unix_socket.s = (char *)socket_or_pipe.s;`
`676`	`674`	`if (FAIL == conn->m->connect_handshake(conn, &scheme, &username, &password, &database, mysql_flags)) {`
`677`		`- conn->unix_socket.s = NULL;`
`678`	`675`	`goto err;`
`679`	`676`	`}`
`680`		`- conn->unix_socket.s = NULL;`
`681`	`677`	`}`
`682`	`678`
`683`	`679`	`{`