Major fixes to authentication support
This patch was authored and released by @gwynne.
Fixes the following failure modes:
- In tests, certain errors would crash instead of failing
- The `xor(_:_:)` utility did not correctly apply the operation to the entire buffer.
- Most protocol errors now throw a much more specific error.
- Trace logging is now more verbose during authentication.
- The `AuthSwitchRequest` packet (tagged with `0xfe` during the authentication phase, incorrectly treated as EOF before) is now correctly handled; this permits both the use of arbitrary auth plugins and the use of the "fast auth" mechanism.
- The `caching_sha2_password` handling would previously incorrectly treat the trailing `NUL` as part of the auth data.
- The `fast_auth_success` (`0x1 0x3`) packet during authentication is now correctly handled.
- When the `caching_sha2_password` plugin fails to authenticate on non-TLS connections, we now log a useful error message and throw a meaningful error. The framework is in place to implement this fully as soon as a usable implementation of the RSA public-key encrypt operation (with PEM armor and PKCS#1-OAEP padding support) is available.
This massively increases compatibility with all supported versions of MySQL and MariaDB and paves the way for further improvements.
Tagged `semver-minor` due to the new enumerators for the more specific errors.
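The client-side handling listed above (splitting an `AuthSwitchRequest`, dropping the trailing `NUL` from the auth data, XOR over the whole buffer, recognizing `fast_auth_success`), as an added Python illustration of the MySQL wire protocol. It is not this project's code; the function names and the sample nonce and packet are constructed for the example.

```python
import hashlib

# Constructed sample: 20-byte nonce and the AuthSwitchRequest payload carrying it.
SAMPLE_NONCE = bytes(range(1, 21))
SAMPLE_PACKET = b"\xfe" + b"caching_sha2_password\x00" + SAMPLE_NONCE + b"\x00"

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two buffers over their entire length; refuse mismatched sizes."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def parse_auth_switch_request(payload: bytes) -> tuple:
    """Return (plugin name, auth data) from an AuthSwitchRequest payload."""
    if not payload or payload[0] != 0xFE:
        raise ValueError("not an AuthSwitchRequest (expected 0xfe tag)")
    name_end = payload.index(b"\x00", 1)  # plugin name is NUL-terminated
    plugin = payload[1:name_end].decode("ascii")
    data = payload[name_end + 1:]
    # The 20-byte nonce is followed by a NUL that is not part of the auth data.
    if len(data) == 21 and data[-1] == 0:
        data = data[:20]
    return plugin, data

def caching_sha2_scramble(password: bytes, nonce: bytes) -> bytes:
    """SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) + nonce)."""
    h1 = hashlib.sha256(password).digest()
    h2 = hashlib.sha256(hashlib.sha256(h1).digest() + nonce).digest()
    return xor(h1, h2)

def classify_auth_more_data(payload: bytes) -> str:
    """Name the server's reply to a caching_sha2_password scramble."""
    if len(payload) == 2 and payload[0] == 0x01:
        if payload[1] == 0x03:
            return "fast_auth_success"
        if payload[1] == 0x04:  # value from the MySQL protocol, not from this page
            return "perform_full_authentication"
    return "other"

if __name__ == "__main__":
    plugin, nonce = parse_auth_switch_request(SAMPLE_PACKET)
    good = caching_sha2_scramble(b"secret", nonce)
    # Keeping the trailing NUL in the nonce yields a different, rejected scramble.
    bad = caching_sha2_scramble(b"secret", nonce + b"\x00")
    print(plugin, len(nonce), good.hex(), good != bad)
    print(classify_auth_more_data(b"\x01\x03"))
```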