
mysqli::real_connect(): Authentication data too long. Won't fit into the buffer and will be truncated. Authentication will thus fail #10800


Open
maemigh opened this issue Mar 7, 2023 · 5 comments

Comments


maemigh commented Mar 7, 2023

Description

I'm using JWT tokens as passwords for MariaDB (via PAM auth) and while using phpmyadmin 5.2.1 I see this message pop up. However, even though the message appears, authentication does succeed.

It looks like mysqlnd_wireprotocol.c will set this message if (packet->auth_data_len > 0xFF).

Passwords can actually be extremely long though.

PHP Version

PHP 8.1.15

Operating System

No response

@iluuu1994
Member

@kamil-tekiela Can you help here? I couldn't find any documentation on password limits, but I also don't know mysql well.


maemigh commented Mar 20, 2023

I want to say that I saw a comment somewhere a while back that said the actual length limit was based on stack size, but I can’t seem to find anything now.

If a good answer can’t be found, can I suggest that this message only be presented if authentication fails?

@iluuu1994
Member

@maemigh I see. That would depend on whether the stack will overflow or mariadb will catch this and report an error. Let's see if somebody who knows MariaDB/MySQL better can answer that.

@nielsdos
Member

I want to say that I saw a comment somewhere a while back that said the actual length limit was based on stack size, but I can’t seem to find anything now.

Just thought of chiming in here quickly to drop the following info because coincidentally I already played with this code and I happen to know where this comes from. Pretty sure this comes from here:

zend_uchar buffer[AUTH_WRITE_BUFFER_LEN];

That hardcoded buffer size is defined here:

#define AUTH_WRITE_BUFFER_LEN (MYSQLND_HEADER_SIZE + MYSQLND_MAX_ALLOWED_USER_LEN + SCRAMBLE_LENGTH + MYSQLND_MAX_ALLOWED_DB_LEN + 1 + 4096)

AFAIK mysql passwords can be arbitrarily long (as long as they fit in the datatype ofc), so this might need a dynamic allocation (fallback).

@kamil-tekiela
Member

I had a brief look at it now. It's a bit strange. Technically, the error is correct. The MySQL packet specification allocates one byte for the length of the authentication data (auth_response_length) which means that the max length can be 255 bytes. But as can be seen in the documentation, the flag CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA can be used to enable unrestricted authentication data. But we don't allow this in mysqlnd. It was probably not implemented.

For the most common use case caching_sha2_password this doesn't matter as the length is always 32 bytes. But for other authentication methods (maybe even plaintext) this could be a problem. I don't know JWT at all, so I cannot test it myself. If you could provide a test case then I should be able to investigate it further and maybe implement the variable length encoding data.
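As an added illustration of the packet detail described in the comment above (this is example code, not from the issue, phpMyAdmin or mysqlnd): the auth_response field of HandshakeResponse41 carries a one-byte length unless CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA is negotiated, in which case a MySQL length-encoded integer is used. The flag values are the protocol's published constants; TOKEN is a constructed byte string standing in for a long PAM credential, and the function names are my own.

```python
import struct

# Capability flag values from the MySQL client/server protocol specification.
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000

def lenenc_int(n: int) -> bytes:
    """Encode n as a MySQL length-encoded integer (1, 3, 4 or 9 bytes)."""
    if n < 0xFB:
        return bytes([n])
    if n < 1 << 16:
        return b"\xfc" + struct.pack("<H", n)
    if n < 1 << 24:
        return b"\xfd" + struct.pack("<I", n)[:3]
    return b"\xfe" + struct.pack("<Q", n)

def read_lenenc_int(buf: bytes) -> tuple:
    """Decode a length-encoded integer; return (value, bytes consumed)."""
    if buf[0] < 0xFB:
        return buf[0], 1
    width = {0xFC: 2, 0xFD: 3, 0xFE: 8}[buf[0]]
    return int.from_bytes(buf[1:1 + width], "little"), 1 + width

def encode_auth_response(auth_data: bytes, capabilities: int) -> tuple:
    """Encode the auth_response field of HandshakeResponse41 as (wire, truncated).
    Without the LENENC flag the length is one byte: the > 0xFF case mysqlnd warns about."""
    if capabilities & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        return lenenc_int(len(auth_data)) + auth_data, False
    if capabilities & CLIENT_SECURE_CONNECTION:
        data = auth_data[:0xFF]
        return bytes([len(data)]) + data, len(auth_data) > 0xFF
    return auth_data + b"\x00", False  # pre-4.1 NUL-terminated form

def decode_auth_response(wire: bytes, capabilities: int) -> bytes:
    """Parse auth_response the way the server side would, for the same flags."""
    if capabilities & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        n, off = read_lenenc_int(wire)
        return wire[off:off + n]
    if capabilities & CLIENT_SECURE_CONNECTION:
        return wire[1:1 + wire[0]]
    return wire[:wire.index(b"\x00")]

def roundtrip_len(auth_data: bytes, capabilities: int) -> tuple:
    """Length the server sees after a round trip, plus whether the client truncated."""
    wire, truncated = encode_auth_response(auth_data, capabilities)
    return len(decode_auth_response(wire, capabilities)), truncated

# Constructed stand-in for a long PAM credential such as a JWT (not a real token).
TOKEN = b"eyJ." + b"A" * 400
```

With only CLIENT_SECURE_CONNECTION the 404-byte token arrives as 255 bytes and is flagged truncated; with the LENENC flag set it round-trips intact, which is the behaviour the comment suggests implementing in mysqlnd.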
