Merge d06a41a into 32a0293

mysqljs · Mar 28, 2020 · f266f57 · f266f57
2 parents 32a0293 + d06a41a
commit f266f57
Show file tree

Hide file tree

Showing 7 changed files with 108 additions and 7 deletions.
diff --git a/lib/ConnectionConfig.js b/lib/ConnectionConfig.js
@@ -69,7 +69,7 @@ ConnectionConfig.mergeFlags = function mergeFlags(defaultFlags, userFlags) {
 
   // Merge the new flags
   for (var flag in newFlags) {
-    if (allFlags[flag] !== false) {
+    if (allFlags[flag] !== newFlags[flag]) {
       allFlags[flag] = newFlags[flag];
     }
   }

diff --git a/lib/protocol/Auth.js b/lib/protocol/Auth.js
@@ -2,12 +2,18 @@ var Buffer = require('safe-buffer').Buffer;
 var Crypto = require('crypto');
 var Auth   = exports;
 
-function auth(name, data, options) {
+function auth(name, data, options, isSecure) {
   options = options || {};
 
   switch (name) {
     case 'mysql_native_password':
       return Auth.token(options.password, data.slice(0, 20));
+    case 'mysql_clear_password':
+      if (!isSecure) {
+        throw new Error('Authentication method mysql_clear_password not supported on insecure connections');
+      } else {
+        return Buffer.from(options.password);
+      }
     default:
       return undefined;
   }

diff --git a/lib/protocol/sequences/Handshake.js b/lib/protocol/sequences/Handshake.js
@@ -35,16 +35,21 @@ Handshake.prototype.determinePacket = function determinePacket(firstByte, parser
 
 Handshake.prototype['AuthSwitchRequestPacket'] = function (packet) {
   var name = packet.authMethodName;
-  var data = Auth.auth(name, packet.authMethodData, {
-    password: this._config.password
-  });
+  var data, error;
+  try {
+    data = Auth.auth(name, packet.authMethodData, {
+      password: this._config.password
+    }, this._tls);
+  } catch (e) {
+    error = e;
+  }
 
   if (data !== undefined) {
     this.emit('packet', new Packets.AuthSwitchResponsePacket({
       data: data
     }));
   } else {
-    var err   = new Error('MySQL is requesting the ' + name + ' authentication method, which is not supported.');
+    var err   = error || new Error('MySQL is requesting the ' + name + ' authentication method, which is not supported.');
     err.code  = 'UNSUPPORTED_AUTH_METHOD';
     err.fatal = true;
     this.end(err);
@@ -82,6 +87,7 @@ Handshake.prototype['HandshakeInitializationPacket'] = function(packet) {
 };
 
 Handshake.prototype._tlsUpgradeCompleteHandler = function() {
+  this._tls = true;
   this._sendCredentials();
 };
 

diff --git a/test/FakeServer.js b/test/FakeServer.js
@@ -95,7 +95,7 @@ FakeConnection.prototype.handshake = function(options) {
   var packetOptions = common.extend({
     scrambleBuff1       : Buffer.from('1020304050607080', 'hex'),
     scrambleBuff2       : Buffer.from('0102030405060708090A0B0C', 'hex'),
-    serverCapabilities1 : 512, // only 1 flag, PROTOCOL_41
+    serverCapabilities1 : 512 | 1 << 11, // only 2 flags, PROTOCOL_41 and SSL
     protocol41          : true
   }, this._handshakeOptions);
 

diff --git a/test/integration/connection/test-clear-auth.js b/test/integration/connection/test-clear-auth.js
@@ -0,0 +1,7 @@
+var assert = require('assert');
+var common = require('../../common');
+
+common.getTestConnection({ flags: ['+PLUGIN_AUTH'] }, function (err, connection) {
+  assert.ifError(err, 'got error');
+  connection.destroy();
+});
diff --git a/test/unit/connection/test-auth-switch-clear-insecure.js b/test/unit/connection/test-auth-switch-clear-insecure.js
@@ -0,0 +1,38 @@
+var assert     = require('assert');
+var common     = require('../../common');
+var connection = common.createConnection({
+  port     : common.fakeServerPort,
+  password : 'authswitch'
+});
+
+var server = common.createFakeServer();
+
+var error;
+server.listen(common.fakeServerPort, function (err) {
+  assert.ifError(err);
+
+  connection.connect(function (err) {
+    error = err;
+    connection.destroy();
+    server.destroy();
+  });
+});
+
+server.on('connection', function(incomingConnection) {
+  incomingConnection.on('authSwitchResponse', function (packet) {
+    this._sendAuthResponse(packet.data, Buffer.from('authswitch'));
+  });
+
+  incomingConnection.on('clientAuthentication', function () {
+    this.authSwitchRequest({
+      authMethodName : 'mysql_clear_password',
+      authMethodData : Buffer.alloc(0)
+    });
+  });
+
+  incomingConnection.handshake();
+});
+
+process.on('exit', function() {
+  assert.equal(error.message, 'Authentication method mysql_clear_password not supported on insecure connections');
+});
diff --git a/test/unit/connection/test-auth-switch-clear-secure.js b/test/unit/connection/test-auth-switch-clear-secure.js
@@ -0,0 +1,44 @@
+var assert     = require('assert');
+var common     = require('../../common');
+var connection = common.createConnection({
+  port     : common.fakeServerPort,
+  password : 'authswitch',
+  ssl      : {
+    rejectUnauthorized: false
+  }
+});
+
+var server = common.createFakeServer();
+
+var connected;
+server.listen(common.fakeServerPort, function (err) {
+  assert.ifError(err);
+
+  connection.connect(function (err, result) {
+    assert.ifError(err);
+
+    connected = result;
+
+    connection.destroy();
+    server.destroy();
+  });
+});
+
+server.on('connection', function(incomingConnection) {
+  incomingConnection.on('authSwitchResponse', function (packet) {
+    this._sendAuthResponse(packet.data, Buffer.from('authswitch'));
+  });
+
+  incomingConnection.on('clientAuthentication', function () {
+    this.authSwitchRequest({
+      authMethodName : 'mysql_clear_password',
+      authMethodData : Buffer.alloc(0)
+    });
+  });
+
+  incomingConnection.handshake();
+});
+
+process.on('exit', function() {
+  assert.equal(connected.fieldCount, 0);
+});