Support authentication switch request. Fixes #1396

Rename UseOldPasswordPacket to AuthenticationMethodSwitchRequestPacket
and implement its two other fields: plugin name & data.

Support mysql_native_password and mysql_old_password as potential
authentication methods (but still require 'insecureAuth:true' for the
latter).

Author: bgrainger

lib/protocol/Parser.js

@@ -217,6 +217,11 @@ Parser.prototype.parseLengthCodedBuffer = function() {
   return this.parseBuffer(length);
 };
 
+Parser.prototype.parsePacketTerminatedBuffer = function() {
+  var length = this._packetEnd - this._offset;
+  return this.parseBuffer(length);
+};
+
 Parser.prototype.parseLengthCodedNumber = function parseLengthCodedNumber() {
   if (this._offset >= this._buffer.length) {
     var err    = new Error('Parser: read past end');

lib/protocol/packets/AuthenticationMethodSwitchRequestPacket.js

@@ -0,0 +1,20 @@
+module.exports = AuthenticationMethodSwitchRequestPacket;
+function AuthenticationMethodSwitchRequestPacket(options) {
+  options = options || {};
+
+  this.command        = 0xfe;
+  this.authMethodName = options.authMethodName || 'mysql_native_password';
+  this.authPluginData = options.authPluginData;
+}
+
+AuthenticationMethodSwitchRequestPacket.prototype.parse = function(parser) {
+  this.command        = parser.parseUnsignedNumber(1);
+  this.authMethodName = parser.parseNullTerminatedString();
+  this.authPluginData = parser.parsePacketTerminatedBuffer();
+};
+
+AuthenticationMethodSwitchRequestPacket.prototype.write = function(writer) {
+  writer.writeUnsignedNumber(1, this.command);
+  writer.writeNullTerminatedString(this.authMethodName);
+  writer.writeBuffer(this.authPluginData);
+};

lib/protocol/packets/AuthenticationSwitchResponsePacket.js

@@ -0,0 +1,14 @@
+module.exports = AuthenticationSwitchResponsePacket;
+function AuthenticationSwitchResponsePacket(options) {
+  options = options || {};
+
+  this.scrambleBuff = options.scrambleBuff;
+}
+
+AuthenticationSwitchResponsePacket.prototype.parse = function(parser) {
+  this.scrambleBuff = parser.parsePacketTerminatedBuffer();
+};
+
+AuthenticationSwitchResponsePacket.prototype.write = function(writer) {
+  writer.writeBuffer(this.scrambleBuff);
+};

lib/protocol/packets/UseOldPasswordPacket.js

@@ -1,3 +1,5 @@
+exports.AuthenticationMethodSwitchRequestPacket = require('./AuthenticationMethodSwitchRequestPacket');
+exports.AuthenticationSwitchResponsePacket = require('./AuthenticationSwitchResponsePacket');
 exports.ClientAuthenticationPacket = require('./ClientAuthenticationPacket');
 exports.ComChangeUserPacket = require('./ComChangeUserPacket');
 exports.ComPingPacket = require('./ComPingPacket');
@@ -17,4 +19,3 @@ exports.ResultSetHeaderPacket = require('./ResultSetHeaderPacket');
 exports.RowDataPacket = require('./RowDataPacket');
 exports.SSLRequestPacket = require('./SSLRequestPacket');
 exports.StatisticsPacket = require('./StatisticsPacket');
-exports.UseOldPasswordPacket = require('./UseOldPasswordPacket');

lib/protocol/packets/index.js

@@ -25,7 +25,7 @@ Handshake.prototype.determinePacket = function(firstByte) {
   }
 
   if (firstByte === 0xfe) {
-    return Packets.UseOldPasswordPacket;
+    return Packets.AuthenticationMethodSwitchRequestPacket;
   }
 
   return undefined;
@@ -80,23 +80,46 @@ Handshake.prototype._sendCredentials = function() {
   }));
 };
 
-Handshake.prototype['UseOldPasswordPacket'] = function() {
-  if (!this._config.insecureAuth) {
+Handshake.prototype['AuthenticationMethodSwitchRequestPacket'] = function(packet) {
+  if (packet.authMethodName === 'mysql_native_password') {
+    // "auth plugin data" is documented as "string[EOF]", but MySQL Server will send a
+    // null-terminated byte array for mysql_native_password; we only need to hash with
+    // the first 20 bytes
+    var challenge = packet.authPluginData;
+    if (challenge.length === 21) {
+      challenge = challenge.slice(0, 20);
+    }
+
+    this.emit('packet', new Packets.AuthenticationSwitchResponsePacket({
+      scrambleBuff: Auth.token(this._config.password, challenge)
+    }));
+  } else if (packet.authMethodName === 'mysql_old_password') {
+    if (!this._config.insecureAuth) {
+      var err = new Error(
+        'MySQL server is requesting the old and insecure pre-4.1 auth mechanism.' +
+        'Upgrade the user password or use the {insecureAuth: true} option.'
+      );
+
+      err.code = 'HANDSHAKE_INSECURE_AUTH';
+      err.fatal = true;
+
+      this.end(err);
+      return;
+    }
+
+    this.emit('packet', new Packets.OldPasswordPacket({
+      scrambleBuff: Auth.scramble323(this._handshakeInitializationPacket.scrambleBuff(), this._config.password)
+    }));
+  } else {
     var err = new Error(
-      'MySQL server is requesting the old and insecure pre-4.1 auth mechanism.' +
-      'Upgrade the user password or use the {insecureAuth: true} option.'
+      'MySQL is requesting the ' + packet.authMethodName + ' authentication method, which is not supported.'
     );
 
-    err.code = 'HANDSHAKE_INSECURE_AUTH';
+    err.code = 'UNSUPPORTED_AUTH_METHOD';
     err.fatal = true;
 
     this.end(err);
-    return;
   }
-
-  this.emit('packet', new Packets.OldPasswordPacket({
-    scrambleBuff: Auth.scramble323(this._handshakeInitializationPacket.scrambleBuff(), this._config.password)
-  }));
 };
 
 Handshake.prototype['ErrorPacket'] = function(packet) {

lib/protocol/sequences/Handshake.js

@@ -268,7 +268,7 @@ FakeConnection.prototype._parsePacket = function(header) {
     case Packets.ClientAuthenticationPacket:
       this._clientAuthenticationPacket = packet;
       if (this._handshakeOptions.oldPassword) {
-        this._sendPacket(new Packets.UseOldPasswordPacket());
+        this._sendPacket(new Packets.AuthenticationMethodSwitchRequestPacket({ authMethodName: 'mysql_old_password' }));
       } else if (this._handshakeOptions.password === 'passwd') {
         var expected = Buffer.from('3DA0ADA7C9E1BB3A110575DF53306F9D2DE7FD09', 'hex');
         this._sendAuthResponse(packet, expected);