Fix empty SHA2 password handling

julienschmidt · julienschmidt · commit 4bcaa02ade6a · 2018-05-21T23:44:59.000+02:00
Fixes #799
diff --git a/const.go b/const.go
@@ -19,10 +19,11 @@ const (
 // http://dev.mysql.com/doc/internals/en/client-server-protocol.html
 
 const (
-	iOK          byte = 0x00
-	iLocalInFile byte = 0xfb
-	iEOF         byte = 0xfe
-	iERR         byte = 0xff
+	iOK           byte = 0x00
+	iAuthMoreData byte = 0x01
+	iLocalInFile  byte = 0xfb
+	iEOF          byte = 0xfe
+	iERR          byte = 0xff
 )
 
 // https://dev.mysql.com/doc/internals/en/capability-flags.html#packet-Protocol::CapabilityFlags
@@ -166,6 +167,7 @@ const (
 )
 
 const (
+	cachingSha2PasswordOK                        = 0
 	cachingSha2PasswordRequestPublicKey          = 2
 	cachingSha2PasswordFastAuthSuccess           = 3
 	cachingSha2PasswordPerformFullAuthentication = 4
diff --git a/driver.go b/driver.go
@@ -161,7 +161,15 @@ func handleAuthResult(mc *mysqlConn, oldCipher []byte, pluginName string) error
 		if err != nil {
 			return err
 		}
-		if auth == cachingSha2PasswordPerformFullAuthentication {
+
+		switch auth {
+		case cachingSha2PasswordOK:
+			return nil // auth successful
+
+		case cachingSha2PasswordFastAuthSuccess:
+			// continue to read result packet...
+
+		case cachingSha2PasswordPerformFullAuthentication:
 			if mc.cfg.tls != nil || mc.cfg.Net == "unix" {
 				if err = mc.writeClearAuthPacket(); err != nil {
 					return err
@@ -171,6 +179,10 @@ func handleAuthResult(mc *mysqlConn, oldCipher []byte, pluginName string) error
 					return err
 				}
 			}
+			// continue to read result packet...
+
+		default:
+			return ErrMalformPkt
 		}
 	}
 
@@ -184,36 +196,46 @@ func handleAuthResult(mc *mysqlConn, oldCipher []byte, pluginName string) error
 		return err // auth failed and retry not possible
 	}
 
-	// Retry auth if configured to do so.
-	if mc.cfg.AllowOldPasswords && err == ErrOldPassword {
-		// Retry with old authentication method. Note: there are edge cases
-		// where this should work but doesn't; this is currently "wontfix":
-		// https://github.com/go-sql-driver/mysql/issues/184
-
-		// If CLIENT_PLUGIN_AUTH capability is not supported, no new cipher is
-		// sent and we have to keep using the cipher sent in the init packet.
-		if cipher == nil {
-			cipher = oldCipher
+	// Retry auth if configured to do so
+	switch err {
+	case ErrCleartextPassword:
+		if mc.cfg.AllowCleartextPasswords {
+			// Retry with clear text password for
+			// http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
+			// http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
+			if err = mc.writeClearAuthPacket(); err != nil {
+				return err
+			}
+			_, err = mc.readResultOK()
 		}
 
-		if err = mc.writeOldAuthPacket(cipher); err != nil {
-			return err
-		}
-		_, err = mc.readResultOK()
-	} else if mc.cfg.AllowCleartextPasswords && err == ErrCleartextPassword {
-		// Retry with clear text password for
-		// http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
-		// http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
-		if err = mc.writeClearAuthPacket(); err != nil {
-			return err
+	case ErrNativePassword:
+		if mc.cfg.AllowNativePasswords {
+			if err = mc.writeNativeAuthPacket(cipher); err != nil {
+				return err
+			}
+			_, err = mc.readResultOK()
 		}
-		_, err = mc.readResultOK()
-	} else if mc.cfg.AllowNativePasswords && err == ErrNativePassword {
-		if err = mc.writeNativeAuthPacket(cipher); err != nil {
-			return err
+
+	case ErrOldPassword:
+		if mc.cfg.AllowOldPasswords {
+			// Retry with old authentication method. Note: there are edge cases
+			// where this should work but doesn't; this is currently "wontfix":
+			// https://github.com/go-sql-driver/mysql/issues/184
+
+			// If CLIENT_PLUGIN_AUTH capability is not supported, no new cipher is
+			// sent and we have to keep using the cipher sent in the init packet.
+			if cipher == nil {
+				cipher = oldCipher
+			}
+
+			if err = mc.writeOldAuthPacket(cipher); err != nil {
+				return err
+			}
+			_, err = mc.readResultOK()
 		}
-		_, err = mc.readResultOK()
 	}
+
 	return err
 }
 
diff --git a/packets.go b/packets.go
@@ -203,7 +203,7 @@ func (mc *mysqlConn) readInitPacket() ([]byte, string, error) {
 	}
 	pos += 2
 
-	pluginName := ""
+	pluginName := "mysql_native_password"
 	if len(data) > pos {
 		// character set [1 byte]
 		// status flags [2 bytes]
@@ -367,7 +367,6 @@ func (mc *mysqlConn) writeAuthPacket(cipher []byte, pluginName string) error {
 		pos++
 	}
 
-	// Assume native client during response
 	pos += copy(data[pos:], pluginName)
 	data[pos] = 0x00
 
@@ -544,55 +543,70 @@ func (mc *mysqlConn) writeCommandPacketUint32(command byte, arg uint32) error {
 *                              Result Packets                                 *
 ******************************************************************************/
 
+func readAuthSwitch(data []byte) ([]byte, error) {
+	if len(data) > 1 {
+		pluginEndIndex := bytes.IndexByte(data, 0x00)
+		plugin := string(data[1:pluginEndIndex])
+		cipher := data[pluginEndIndex+1:]
+
+		switch plugin {
+		case "mysql_old_password":
+			// using old_passwords
+			return cipher, ErrOldPassword
+		case "mysql_clear_password":
+			// using clear text password
+			return cipher, ErrCleartextPassword
+		case "mysql_native_password":
+			// using mysql default authentication method
+			return cipher, ErrNativePassword
+		default:
+			return cipher, ErrUnknownPlugin
+		}
+	}
+
+	// https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::OldAuthSwitchRequest
+	return nil, ErrOldPassword
+}
+
 // Returns error if Packet is not an 'Result OK'-Packet
 func (mc *mysqlConn) readResultOK() ([]byte, error) {
 	data, err := mc.readPacket()
-	if err == nil {
-		// packet indicator
-		switch data[0] {
+	if err != nil {
+		return nil, err
+	}
 
-		case iOK:
-			return nil, mc.handleOkPacket(data)
+	// packet indicator
+	switch data[0] {
 
-		case iEOF:
-			if len(data) > 1 {
-				pluginEndIndex := bytes.IndexByte(data, 0x00)
-				plugin := string(data[1:pluginEndIndex])
-				cipher := data[pluginEndIndex+1:]
-
-				switch plugin {
-				case "mysql_old_password":
-					// using old_passwords
-					return cipher, ErrOldPassword
-				case "mysql_clear_password":
-					// using clear text password
-					return cipher, ErrCleartextPassword
-				case "mysql_native_password":
-					// using mysql default authentication method
-					return cipher, ErrNativePassword
-				default:
-					return cipher, ErrUnknownPlugin
-				}
-			}
+	case iOK:
+		return nil, mc.handleOkPacket(data)
 
-			// https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::OldAuthSwitchRequest
-			return nil, ErrOldPassword
+	case iEOF:
+		return readAuthSwitch(data)
 
-		default: // Error otherwise
-			return nil, mc.handleErrorPacket(data)
-		}
+	default: // Error otherwise
+		return nil, mc.handleErrorPacket(data)
 	}
-	return nil, err
 }
 
+// https://insidemysql.com/preparing-your-community-connector-for-mysql-8-part-2-sha256/
 func (mc *mysqlConn) readCachingSha2PasswordAuthResult() (int, error) {
 	data, err := mc.readPacket()
-	if err == nil {
-		if data[0] != 1 {
-			return 0, ErrMalformPkt
-		}
+	if err != nil {
+		return 0, err
+	}
+
+	// packet indicator
+	switch data[0] {
+	case iOK:
+		return 0, nil
+
+	case iAuthMoreData:
+		return int(data[1]), nil
+
+	default: // Error otherwise
+		return 0, mc.handleErrorPacket(data)
 	}
-	return int(data[1]), err
 }
 
 // Result Set Header Packet
