diff --git a/lib/protocol/Auth.js b/lib/protocol/Auth.js index a1033d1b9..45a786edc 100644 --- a/lib/protocol/Auth.js +++ b/lib/protocol/Auth.js @@ -8,6 +8,12 @@ function auth(name, data, options) { switch (name) { case 'mysql_native_password': return Auth.token(options.password, data.slice(0, 20)); + case 'mysql_clear_password': + if (!options.secureConnection && !options.insecureAuth) { + throw new Error('Authentication method mysql_clear_password not supported on insecure connections'); + } else { + return Buffer.from(options.password); + } default: return undefined; } diff --git a/lib/protocol/sequences/Handshake.js b/lib/protocol/sequences/Handshake.js index 8fad0fcf3..75a89e6ba 100644 --- a/lib/protocol/sequences/Handshake.js +++ b/lib/protocol/sequences/Handshake.js @@ -35,16 +35,23 @@ Handshake.prototype.determinePacket = function determinePacket(firstByte, parser Handshake.prototype['AuthSwitchRequestPacket'] = function (packet) { var name = packet.authMethodName; - var data = Auth.auth(name, packet.authMethodData, { - password: this._config.password - }); + var data, error; + try { + data = Auth.auth(name, packet.authMethodData, { + password : this._config.password, + insecureAuth : this._config.insecureAuth, + secureConnection : this._secureConnection + }); + } catch (e) { + error = e; + } if (data !== undefined) { this.emit('packet', new Packets.AuthSwitchResponsePacket({ data: data })); } else { - var err = new Error('MySQL is requesting the ' + name + ' authentication method, which is not supported.'); + var err = error || new Error('MySQL is requesting the ' + name + ' authentication method, which is not supported.'); err.code = 'UNSUPPORTED_AUTH_METHOD'; err.fatal = true; this.end(err); @@ -82,6 +89,7 @@ Handshake.prototype['HandshakeInitializationPacket'] = function(packet) { }; Handshake.prototype._tlsUpgradeCompleteHandler = function() { + this._secureConnection = true; this._sendCredentials(); }; diff --git a/test/integration/connection/test-clear-auth.js b/test/integration/connection/test-clear-auth.js new file mode 100644 index 000000000..46c9cc808 --- /dev/null +++ b/test/integration/connection/test-clear-auth.js @@ -0,0 +1,7 @@ +var assert = require('assert'); +var common = require('../../common'); + +common.getTestConnection({ flags: ['+PLUGIN_AUTH'] }, function (err, connection) { + assert.ifError(err, 'got error'); + connection.destroy(); +}); \ No newline at end of file diff --git a/test/unit/connection/test-auth-switch-clear-insecure.js b/test/unit/connection/test-auth-switch-clear-insecure.js new file mode 100644 index 000000000..b8fc20f8e --- /dev/null +++ b/test/unit/connection/test-auth-switch-clear-insecure.js @@ -0,0 +1,39 @@ +var assert = require('assert'); +var Buffer = require('safe-buffer').Buffer; +var common = require('../../common'); +var connection = common.createConnection({ + port : common.fakeServerPort, + password : 'authswitch' +}); + +var server = common.createFakeServer(); + +var error; +server.listen(common.fakeServerPort, function (err) { + assert.ifError(err); + + connection.connect(function (err) { + error = err; + connection.destroy(); + server.destroy(); + }); +}); + +server.on('connection', function(incomingConnection) { + incomingConnection.on('authSwitchResponse', function (packet) { + this._sendAuthResponse(packet.data, Buffer.from('authswitch')); + }); + + incomingConnection.on('clientAuthentication', function () { + this.authSwitchRequest({ + authMethodName : 'mysql_clear_password', + authMethodData : Buffer.alloc(0) + }); + }); + + incomingConnection.handshake(); +}); + +process.on('exit', function() { + assert.equal(error.message, 'Authentication method mysql_clear_password not supported on insecure connections'); +}); diff --git a/test/unit/connection/test-auth-switch-clear-secure.js b/test/unit/connection/test-auth-switch-clear-secure.js new file mode 100644 index 000000000..08f420eda --- /dev/null +++ b/test/unit/connection/test-auth-switch-clear-secure.js @@ -0,0 +1,47 @@ +var assert = require('assert'); +var Buffer = require('safe-buffer').Buffer; +var common = require('../../common'); +var connection = common.createConnection({ + port : common.fakeServerPort, + password : 'authswitch', + ssl : { + rejectUnauthorized: false + } +}); + +var server = common.createFakeServer(); + +var connected; +server.listen(common.fakeServerPort, function (err) { + assert.ifError(err); + + connection.connect(function (err, result) { + assert.ifError(err); + + connected = result; + + connection.destroy(); + server.destroy(); + }); +}); + +server.on('connection', function(incomingConnection) { + incomingConnection.on('authSwitchResponse', function (packet) { + this._sendAuthResponse(packet.data, Buffer.from('authswitch')); + }); + + incomingConnection.on('clientAuthentication', function () { + this.authSwitchRequest({ + authMethodName : 'mysql_clear_password', + authMethodData : Buffer.alloc(0) + }); + }); + + incomingConnection.handshake({ + serverCapabilities1: 512 | 1 << 11 // PROTOCOL_41 and SSL + }); +}); + +process.on('exit', function() { + assert.equal(connected.fieldCount, 0); +}); diff --git a/test/unit/connection/test-auth-switch-native.js b/test/unit/connection/test-auth-switch-native.js index 0d31dccb5..6c486f1ae 100644 --- a/test/unit/connection/test-auth-switch-native.js +++ b/test/unit/connection/test-auth-switch-native.js @@ -38,7 +38,9 @@ server.on('connection', function(incomingConnection) { }); }); - incomingConnection.handshake(); + incomingConnection.handshake({ + serverCapabilities1: 512 | 1 << 11 // PROTOCOL_41 and SSL + }); }); });