Implement pluggable authentication.

bgrainger · bgrainger · commit b57e303d0ce0 · 2017-05-15T10:54:02.000-07:00
Send the CLIENT_PLUGIN_AUTH flag when negotiating the initial connection
and supply the auth plugin name in the packets that need it when this
client flag is set.
diff --git a/Readme.md b/Readme.md
@@ -1319,6 +1319,7 @@ The following flags are sent by default on a new connection:
 - `LONG_PASSWORD` - Use the improved version of Old Password Authentication.
 - `MULTI_RESULTS` - Can handle multiple resultsets for COM_QUERY.
 - `ODBC` Old; no effect.
+- `PLUGIN_AUTH` - Supports auth plugins (specifically, `mysql_old_password` and `mysql_native_password`)
 - `PROTOCOL_41` - Uses the 4.1 protocol.
 - `PS_MULTI_RESULTS` - Can handle multiple resultsets for COM_STMT_EXECUTE.
 - `RESERVED` - Old flag for the 4.1 protocol.
@@ -1339,7 +1340,6 @@ available to specify.
 - COMPRESS
 - INTERACTIVE
 - NO_SCHEMA
-- PLUGIN_AUTH
 - REMEMBER_OPTIONS
 - SSL
 - SSL_VERIFY_SERVER_CERT
diff --git a/lib/ConnectionConfig.js b/lib/ConnectionConfig.js
@@ -106,7 +106,7 @@ ConnectionConfig.getDefaultFlags = function getDefaultFlags(options) {
     '+LONG_PASSWORD',     // Use the improved version of Old Password Authentication
     '+MULTI_RESULTS',     // Can handle multiple resultsets for COM_QUERY
     '+ODBC',              // Special handling of ODBC behaviour
-    '-PLUGIN_AUTH',       // Does *NOT* support auth plugins
+    '+PLUGIN_AUTH',       // Supports auth plugins
     '+PROTOCOL_41',       // Uses the 4.1 protocol
     '+PS_MULTI_RESULTS',  // Can handle multiple resultsets for COM_STMT_EXECUTE
     '+RESERVED',          // Unused
diff --git a/lib/protocol/packets/ClientAuthenticationPacket.js b/lib/protocol/packets/ClientAuthenticationPacket.js
@@ -12,6 +12,7 @@ function ClientAuthenticationPacket(options) {
   this.scrambleBuff  = options.scrambleBuff;
   this.database      = options.database;
   this.protocol41    = options.protocol41;
+  this.pluginName    = options.pluginName;
 }
 
 ClientAuthenticationPacket.prototype.parse = function(parser) {
@@ -23,6 +24,7 @@ ClientAuthenticationPacket.prototype.parse = function(parser) {
     this.user          = parser.parseNullTerminatedString();
     this.scrambleBuff  = parser.parseLengthCodedBuffer();
     this.database      = parser.parseNullTerminatedString();
+    this.pluginName    = parser.parseNullTerminatedString();
   } else {
     this.clientFlags   = parser.parseUnsignedNumber(2);
     this.maxPacketSize = parser.parseUnsignedNumber(3);
@@ -41,6 +43,7 @@ ClientAuthenticationPacket.prototype.write = function(writer) {
     writer.writeNullTerminatedString(this.user);
     writer.writeLengthCodedBuffer(this.scrambleBuff);
     writer.writeNullTerminatedString(this.database);
+    writer.writeNullTerminatedString(this.pluginName);
   } else {
     writer.writeUnsignedNumber(2, this.clientFlags);
     writer.writeUnsignedNumber(3, this.maxPacketSize);
diff --git a/lib/protocol/packets/ComChangeUserPacket.js b/lib/protocol/packets/ComChangeUserPacket.js
@@ -7,14 +7,16 @@ function ComChangeUserPacket(options) {
   this.scrambleBuff  = options.scrambleBuff;
   this.database      = options.database;
   this.charsetNumber = options.charsetNumber;
+  this.pluginName    = options.pluginName;
 }
 
 ComChangeUserPacket.prototype.parse = function(parser) {
   this.command       = parser.parseUnsignedNumber(1);
   this.user          = parser.parseNullTerminatedString();
   this.scrambleBuff  = parser.parseLengthCodedBuffer();
   this.database      = parser.parseNullTerminatedString();
-  this.charsetNumber = parser.parseUnsignedNumber(1);
+  this.charsetNumber = parser.parseUnsignedNumber(2);
+  this.pluginName    = parser.parseNullTerminatedString();
 };
 
 ComChangeUserPacket.prototype.write = function(writer) {
@@ -23,4 +25,5 @@ ComChangeUserPacket.prototype.write = function(writer) {
   writer.writeLengthCodedBuffer(this.scrambleBuff);
   writer.writeNullTerminatedString(this.database);
   writer.writeUnsignedNumber(2, this.charsetNumber);
+  writer.writeNullTerminatedString(this.pluginName);
 };
diff --git a/lib/protocol/sequences/ChangeUser.js b/lib/protocol/sequences/ChangeUser.js
@@ -23,7 +23,8 @@ ChangeUser.prototype.start = function(handshakeInitializationPacket) {
     user          : this._user,
     scrambleBuff  : scrambleBuff,
     database      : this._database,
-    charsetNumber : this._charsetNumber
+    charsetNumber : this._charsetNumber,
+    pluginName    : 'mysql_native_password'
   });
 
   this._currentConfig.user          = this._user;
@@ -34,8 +35,58 @@ ChangeUser.prototype.start = function(handshakeInitializationPacket) {
   this.emit('packet', packet);
 };
 
+ChangeUser.prototype.determinePacket = function(firstByte) {
+  if (firstByte === 0xfe) {
+    return Packets.UseOldPasswordPacket;
+  }
+
+  return undefined;
+};
+
 ChangeUser.prototype['ErrorPacket'] = function(packet) {
   var err = this._packetToError(packet);
   err.fatal = true;
   this.end(err);
 };
+
+ChangeUser.prototype['UseOldPasswordPacket'] = function(packet) {
+  if (!packet || !packet.methodName || packet.methodName === 'mysql_old_password') {
+    if (!this._currentConfig.insecureAuth) {
+      var err = new Error(
+        'MySQL server is requesting the old and insecure pre-4.1 auth mechanism.' +
+        'Upgrade the user password or use the {insecureAuth: true} option.'
+      );
+
+      err.code = 'HANDSHAKE_INSECURE_AUTH';
+      err.fatal = true;
+
+      this.end(err);
+      return;
+    }
+
+    this.emit('packet', new Packets.OldPasswordPacket({
+      scrambleBuff: Auth.scramble323(packet.pluginData || this._handshakeInitializationPacket.scrambleBuff(), this._currentConfig.password)
+    }));
+  } else if (packet.methodName === 'mysql_native_password') {
+    // "auth plugin data" is documented as "string[EOF]", but MySQL Server will send a
+    // null-terminated byte array for mysql_native_password; we only need to hash with
+    // the first 20 bytes
+    var challenge = packet.pluginData;
+    if (challenge.length === 21 && challenge[20] === 0) {
+      challenge = challenge.slice(0, 20);
+    }
+
+    this.emit('packet', new Packets.AuthenticationSwitchResponsePacket({
+      scrambleBuff: Auth.token(this._currentConfig.password, challenge)
+    }));
+  } else {
+    var err = new Error(
+      'MySQL is requesting the ' + packet.methodName + ' authentication method, which is not supported.'
+    );
+
+    err.code = 'UNSUPPORTED_AUTH_METHOD';
+    err.fatal = true;
+
+    this.end(err);
+  }
+};
diff --git a/lib/protocol/sequences/Handshake.js b/lib/protocol/sequences/Handshake.js
@@ -74,6 +74,7 @@ Handshake.prototype._sendCredentials = function() {
     user          : this._config.user,
     database      : this._config.database,
     protocol41    : packet.protocol41,
+    pluginName    : (packet.protocol41) ? 'mysql_native_password' : '',
     scrambleBuff  : (packet.protocol41)
                      ? Auth.token(this._config.password, packet.scrambleBuff())
                      : Auth.scramble323(packet.scrambleBuff(), this._config.password)
