Merge pull request #1062 from sidorares/fix-old-noplugin-auth

Fix 4.1 auth on servers not supporting PLUGIN_AUTH
sidorares · Nov 19, 2019 · cad0f55 · cad0f55
2 parents 106289a + fb8b7cf
commit cad0f55
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 29 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -5,39 +5,87 @@ services:
   - docker
 
 language: node_js
-matrix:
-  include:
-    - node_js: "8"
-      env: LINT=1 DOCKER_MYSQL_VERSION=5.7
-    - node_js: "10"
-      env: LINT=1 DOCKER_MYSQL_VERSION=5.7
-    - node_js: "11"
-      env: LINT=0 DOCKER_MYSQL_VERSION=5.7
-    - node_js: "12"
-      env: MYSQL_USE_COMPRESSION=1 LINT=0 DOCKER_MYSQL_VERSION=5.7
-    - node_js: "12"
-      env: LINT=0 DOCKER_MYSQL_VERSION=8.0.18
-    - node_js: "12"
-      env: LINT=0 DOCKER_MYSQL_VERSION=8.0.17
-    - node_js: "12"
-      env: MYSQL_USE_COMPRESSION=1 LINT=0 DOCKER_MYSQL_VERSION=8.0.17
-    - node_js: "12"
-      env: MYSQL_USE_TLS=1 LINT=0 DOCKER_MYSQL_VERSION=8.0.17
-    - node_js: "12"
-      env: MYSQL_USE_TLS=1 MYSQL_USE_COMPRESSION=1 LINT=0 DOCKER_MYSQL_VERSION=8.0.17
 
 cache:
   yarn: true
   directories:
     - node_modules
     - $HOME/.yarn-cache
 
-notifications:
-  email: false
+# Node.js version:
+# we test only maintained LTS versions
+# and lastest dev version
+node_js:
+  - 8
+  - 10
+  - 12
+  - 13
+
+env:
+  # use env `DOCKER_IMAGE to specify a docker image.
+  # env:
+  #   `DOCKER_IMAGE` docker image identifier, like `mysql:8.0.18`, `datagrip/mysql:5.1`
+  #   `MYSQL_PASSWORD` MySQL root password
+  #
+  # e.g.,
+  #  use `DOCKER_IMAGE=mariadb:10.0.21`, to test MariaDB, :)
+  #
+  # or, test the old ones:
+  #
+  # - DOCKER_IMAGE=reducible/mysql:5.0.95
+  # - DOCKER_IMAGE=datagrip/mysql:5.1
+  #
+  # add more or remove any below
+  - DOCKER_IMAGE=mysql:8.0.18
+  - DOCKER_IMAGE=mysql:8.0.18 MYSQL_USE_TLS=1
+  - DOCKER_IMAGE=mysql:8.0.18 MYSQL_USE_COMPRESSION=1
+  - DOCKER_IMAGE=mysql:8.0.18 MYSQL_USE_TLS=1 MYSQL_USE_COMPRESSION=1
+  #- DOCKER_IMAGE=mysql:8.0.17
+  #- DOCKER_IMAGE=mysql:8.0.17 MYSQL_USE_COMPRESSION=1
+  - DOCKER_IMAGE=mysql:5.7
+  - DOCKER_IMAGE=mysql:5.7 MYSQL_USE_COMPRESSION=1
+
+stages:
+  - lint
+  - test
+
+# test matrix:
+# we test <node.js version> - <env> combined cases,
+# and the `include` parts below
+jobs:
+  fast_finish: true
+  allow_failures:
+    - node_js: 13
+  include:
+    - &lint-staging
+      stage: lint
+      node_js: 8
+      env: # no env
+      script: &lint
+        - yarn --version
+        - yarn run lint
+    - <<: *lint-staging
+      node_js: 10
+    - <<: *lint-staging
+      node_js: 12
+    # - stage: test
+    #   name: test handshake reducible/mysql:5.0.95
+    #   node_js: 12
+    #   env: DOCKER_IMAGE=reducible/mysql:5.0.95 MYSQL_PASSWORD=my-secret-pw
+    #######
+    # we use this test connect to server with a password
+    # only do this, we could reproduce issue #1053 on v2.0.0
+    # for later version, use this test handshake with auth 41
+    - stage: test
+      name: test handshake datagrip/mysql:5.1
+      node_js: 12
+      env: DOCKER_IMAGE=datagrip/mysql:5.1 MYSQL_PASSWORD=my-secret-pw FILTER=5.1only
 
 script:
-  - docker run -d -e MYSQL_ALLOW_EMPTY_PASSWORD=1 -e MYSQL_DATABASE=test -v $PWD/mysqldata:/var/lib/mysql/ -v $PWD/examples/custom-conf:/etc/mysql/conf.d -v $PWD/examples/ssl/certs:/certs -p 33306:3306 mysql:$DOCKER_MYSQL_VERSION
+  - docker run -d -e MYSQL_ALLOW_EMPTY_PASSWORD=1 -e FILTER=$FILTER -e MYSQL_ROOT_PASSWORD=$MYSQL_PASSWORD -e MYSQL_DATABASE=test -v $PWD/mysqldata:/var/lib/mysql/ -v $PWD/examples/custom-conf:/etc/mysql/conf.d -v $PWD/examples/ssl/certs:/certs -p 33306:3306 $DOCKER_IMAGE
   - MYSQL_PORT=33306 node tools/wait-up.js
   - yarn --version
-  - if [ "$LINT" = "1" ]; then yarn run lint; fi
   - MYSQL_PORT=33306 yarn run test:raw
+
+notifications:
+  email: false
diff --git a/lib/auth_41.js b/lib/auth_41.js
@@ -73,8 +73,11 @@ exports.calculateTokenFromPasswordSha = function(
   scramble1,
   scramble2
 ) {
+  // we use AUTH 41 here, and we need only the bytes we just need.
+  const authPluginData1 = scramble1.slice(0, 8);
+  const authPluginData2 = scramble2.slice(0, 12);
   const stage2 = sha1(passwordSha);
-  const stage3 = sha1(scramble1, scramble2, stage2);
+  const stage3 = sha1(authPluginData1, authPluginData2, stage2);
   return xor(stage3, passwordSha);
 };
 

diff --git a/lib/packets/handshake.js b/lib/packets/handshake.js
@@ -76,19 +76,35 @@ class Handshake {
       if (args.capabilityFlags & ClientConstants.PLUGIN_AUTH) {
         args.authPluginDataLength = packet.readInt8();
       } else {
-        args.authPluginDataLength = 12;
+        args.authPluginDataLength = 0;
+        packet.skip(1);
       }
       packet.skip(10);
     } else {
       args.capabilityFlags = capabilityFlagsBuffer.readUInt16LE(0);
     }
-    const len = Math.max(12, args.authPluginDataLength - 9);
-    args.authPluginData2 = packet.readBuffer(len);
-    packet.skip(1);
+
+    const isSecureConnection =
+      args.capabilityFlags & ClientConstants.SECURE_CONNECTION;
+    if (isSecureConnection) {
+      const authPluginDataLength = args.authPluginDataLength;
+      if (authPluginDataLength === 0) {
+        // for Secure Password Authentication
+        args.authPluginDataLength = 20;
+        args.authPluginData2 = packet.readBuffer(12);
+        packet.skip(1);
+      } else {
+        // length > 0
+        // for Custom Auth Plugin (PLUGIN_AUTH)
+        const len = Math.max(13, authPluginDataLength - 8);
+        args.authPluginData2 = packet.readBuffer(len);
+      }
+    }
 
     if (args.capabilityFlags & ClientConstants.PLUGIN_AUTH) {
       args.autPluginName = packet.readNullTerminatedString('ascii');
     }
+
     return new Handshake(args);
   }
 }