Fixed bug in caching_sha2_password authentication that caused it to fail for passwords longer than 19 characters.

Thanks to sidorares and normano for their guidance.

Refer to:

mysqljs#2233 (comment)
sidorares/node-mysql2#1044
sidorares/node-mysql2#1045

Updated version to 2.18.3

Author: vlasky

lib/protocol/Auth.js

@@ -47,6 +47,25 @@ function xor(a, b) {
 }
 Auth.xor = xor;
 
+function xorRotating(a, seed) {
+  if (!Buffer.isBuffer(a)) {
+    a = Buffer.from(a, 'binary');
+  }
+
+  if (!Buffer.isBuffer(seed)) {
+    seed = Buffer.from(seed, 'binary');
+  }
+
+  const result = Buffer.allocUnsafe(a.length);
+  const seedLen = seed.length;
+
+  for (let i = 0; i < a.length; i++) {
+    result[i] = a[i] ^ seed[i % seedLen];
+  }
+  return result;
+}
+Auth.xorRotating = xorRotating;
+
 Auth.token = function(password, scramble) {
   if (!password) {
     return Buffer.alloc(0);
@@ -78,7 +97,7 @@ Auth.encrypt = function(password, scramble, key) {
     throw err;
   }
 
-  var stage1 = xor((Buffer.from(password + '\0', 'utf8')).toString('binary'), scramble.toString('binary'));
+  var stage1 = xorRotating((Buffer.from(password + '\0', 'utf8')).toString('binary'), scramble.toString('binary'));
   return Crypto.publicEncrypt(key, stage1);
 };
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vlasky/mysql",
   "description": "A fork of mysqljs/mysql with partial support for the MySQL compressed protocol (reads compressed data sent by server). It is written in JavaScript, does not require compiling, and is 100% MIT licensed.",
-  "version": "2.18.2",
+  "version": "2.18.3",
   "license": "MIT",
   "author": "Vlad Lasky <[email protected]> (https://github.com/vlasky)",
   "contributors": [