auth: sync NUL termination with official connectors

Author: julienschmidt

auth.go

@@ -154,39 +154,42 @@ func scrambleSHA256Password(scramble []byte, password string) []byte {
 	return message1
 }
 
-func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
+func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, bool, error) {
 	switch plugin {
 	case "caching_sha2_password":
-		return scrambleSHA256Password(authData, mc.cfg.Passwd), nil
+		authResp := scrambleSHA256Password(authData, mc.cfg.Passwd)
+		return authResp, (authResp == nil), nil
 
 	case "mysql_old_password":
 		if !mc.cfg.AllowOldPasswords {
-			return nil, ErrOldPassword
+			return nil, false, ErrOldPassword
 		}
 		// Note: there are edge cases where this should work but doesn't;
 		// this is currently "wontfix":
 		// https://github.com/go-sql-driver/mysql/issues/184
-		return scrambleOldPassword(authData[:8], mc.cfg.Passwd), nil
+		authResp := scrambleOldPassword(authData[:8], mc.cfg.Passwd)
+		return authResp, true, nil
 
 	case "mysql_clear_password":
 		if !mc.cfg.AllowCleartextPasswords {
-			return nil, ErrCleartextPassword
+			return nil, false, ErrCleartextPassword
 		}
 		// http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
 		// http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
-		return []byte(mc.cfg.Passwd), nil
+		return []byte(mc.cfg.Passwd), true, nil
 
 	case "mysql_native_password":
 		if !mc.cfg.AllowNativePasswords {
-			return nil, ErrNativePassword
+			return nil, false, ErrNativePassword
 		}
 		// https://dev.mysql.com/doc/internals/en/secure-password-authentication.html
 		// Native password authentication only need and will need 20-byte challenge.
-		return scramblePassword(authData[0:20], mc.cfg.Passwd), nil
+		authResp := scramblePassword(authData[:20], mc.cfg.Passwd)
+		return authResp, (authResp == nil), nil
 
 	default:
 		errLog.Print("unknown auth plugin:", plugin)
-		return nil, ErrUnknownPlugin
+		return nil, false, ErrUnknownPlugin
 	}
 }
 
@@ -207,11 +210,11 @@ func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string) error {
 
 		plugin = newPlugin
 
-		authResp, err := mc.auth(authData, plugin)
+		authResp, addNUL, err := mc.auth(authData, plugin)
 		if err != nil {
 			return err
 		}
-		if err = mc.writeAuthSwitchPacket(authResp); err != nil {
+		if err = mc.writeAuthSwitchPacket(authResp, addNUL); err != nil {
 			return err
 		}
 
@@ -242,9 +245,9 @@ func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string) error {
 
 			case cachingSha2PasswordPerformFullAuthentication:
 				if mc.cfg.tls != nil || mc.cfg.Net == "unix" {
-					// write cleartext auth packet
-					authData := []byte(mc.cfg.Passwd)
-					if err = mc.writeAuthSwitchPacket(authData); err != nil {
+					// write cleartext auth packets
+					err = mc.writeAuthSwitchPacket([]byte(mc.cfg.Passwd), true)
+					if err != nil {
 						return err
 					}
 				} else {
@@ -283,7 +286,7 @@ func (mc *mysqlConn) handleAuthResult(oldAuthData []byte, plugin string) error {
 						return err
 					}
 
-					if err = mc.writeAuthSwitchPacket(enc); err != nil {
+					if err = mc.writeAuthSwitchPacket(enc, false); err != nil {
 						return err
 					}
 				}

auth_test.go

@@ -89,11 +89,12 @@ func TestAuthFastCachingSHA256PasswordCached(t *testing.T) {
 	plugin := "caching_sha2_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -133,11 +134,12 @@ func TestAuthFastCachingSHA256PasswordEmpty(t *testing.T) {
 	plugin := "caching_sha2_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -174,11 +176,12 @@ func TestAuthFastCachingSHA256PasswordFullRSA(t *testing.T) {
 	plugin := "caching_sha2_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -228,11 +231,12 @@ func TestAuthFastCachingSHA256PasswordFullSecure(t *testing.T) {
 	plugin := "caching_sha2_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -268,7 +272,7 @@ func TestAuthFastCachingSHA256PasswordFullSecure(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	if !bytes.Equal(conn.written, []byte{6, 0, 0, 3, 115, 101, 99, 114, 101, 116}) {
+	if !bytes.Equal(conn.written, []byte{7, 0, 0, 3, 115, 101, 99, 114, 101, 116, 0}) {
 		t.Errorf("unexpected written data: %v", conn.written)
 	}
 }
@@ -283,7 +287,7 @@ func TestAuthFastCleartextPasswordNotAllowed(t *testing.T) {
 	plugin := "mysql_clear_password"
 
 	// Send Client Authentication Packet
-	_, err := mc.auth(authData, plugin)
+	_, _, err := mc.auth(authData, plugin)
 	if err != ErrCleartextPassword {
 		t.Errorf("expected ErrCleartextPassword, got %v", err)
 	}
@@ -300,11 +304,12 @@ func TestAuthFastCleartextPassword(t *testing.T) {
 	plugin := "mysql_clear_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -342,11 +347,12 @@ func TestAuthFastCleartextPasswordEmpty(t *testing.T) {
 	plugin := "mysql_clear_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -384,7 +390,7 @@ func TestAuthFastNativePasswordNotAllowed(t *testing.T) {
 	plugin := "mysql_native_password"
 
 	// Send Client Authentication Packet
-	_, err := mc.auth(authData, plugin)
+	_, _, err := mc.auth(authData, plugin)
 	if err != ErrNativePassword {
 		t.Errorf("expected ErrNativePassword, got %v", err)
 	}
@@ -400,11 +406,12 @@ func TestAuthFastNativePassword(t *testing.T) {
 	plugin := "mysql_native_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -442,11 +449,12 @@ func TestAuthFastNativePasswordEmpty(t *testing.T) {
 	plugin := "mysql_native_password"
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		t.Fatal(err)
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin)
+	if err != nil {
 		t.Fatal(err)
 	}
 
@@ -530,7 +538,7 @@ func TestAuthSwitchCachingSHA256PasswordEmpty(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	expectedReply := []byte{0, 0, 0, 3}
+	expectedReply := []byte{1, 0, 0, 3, 0}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
 	}
@@ -619,7 +627,7 @@ func TestAuthSwitchCachingSHA256PasswordFullSecure(t *testing.T) {
 		153, 9, 130,
 
 		// 2. Packet: Cleartext password
-		6, 0, 0, 5, 115, 101, 99, 114, 101, 116,
+		7, 0, 0, 5, 115, 101, 99, 114, 101, 116, 0,
 	}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
@@ -662,7 +670,7 @@ func TestAuthSwitchCleartextPassword(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	expectedReply := []byte{6, 0, 0, 3, 115, 101, 99, 114, 101, 116}
+	expectedReply := []byte{7, 0, 0, 3, 115, 101, 99, 114, 101, 116, 0}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
 	}
@@ -689,7 +697,7 @@ func TestAuthSwitchCleartextPasswordEmpty(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	expectedReply := []byte{0, 0, 0, 3}
+	expectedReply := []byte{1, 0, 0, 3, 0}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
 	}
@@ -766,7 +774,7 @@ func TestAuthSwitchNativePasswordEmpty(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	expectedReply := []byte{0, 0, 0, 3}
+	expectedReply := []byte{1, 0, 0, 3, 0}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
 	}
@@ -810,7 +818,7 @@ func TestAuthSwitchOldPassword(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	expectedReply := []byte{8, 0, 0, 3, 86, 83, 83, 79, 74, 78, 65, 66}
+	expectedReply := []byte{9, 0, 0, 3, 86, 83, 83, 79, 74, 78, 65, 66, 0}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
 	}
@@ -838,7 +846,7 @@ func TestAuthSwitchOldPasswordEmpty(t *testing.T) {
 		t.Errorf("got error: %v", err)
 	}
 
-	expectedReply := []byte{0, 0, 0, 3}
+	expectedReply := []byte{1, 0, 0, 3, 0}
 	if !bytes.Equal(conn.written, expectedReply) {
 		t.Errorf("got unexpected data: %v", conn.written)
 	}

driver.go

@@ -114,18 +114,18 @@ func (d MySQLDriver) Open(dsn string) (driver.Conn, error) {
 	}
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, addNUL, err := mc.auth(authData, plugin)
 	if err != nil {
 		// try the default auth plugin, if using the requested plugin failed
 		errLog.Print("could not use requested auth plugin '"+plugin+"': ", err.Error())
 		plugin = defaultAuthPlugin
-		authResp, err = mc.auth(authData, plugin)
+		authResp, addNUL, err = mc.auth(authData, plugin)
 		if err != nil {
 			mc.cleanup()
 			return nil, err
 		}
 	}
-	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
+	if err = mc.writeHandshakeResponsePacket(authResp, addNUL, plugin); err != nil {
 		mc.cleanup()
 		return nil, err
 	}

packets.go

@@ -246,7 +246,7 @@ func (mc *mysqlConn) readHandshakePacket() ([]byte, string, error) {
 
 // Client Authentication Packet
 // http://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::HandshakeResponse
-func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, plugin string) error {
+func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, addNUL bool, plugin string) error {
 	// Adjust client flags based on server support
 	clientFlags := clientProtocol41 |
 		clientSecureConn |
@@ -271,6 +271,9 @@ func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, plugin string
 	}
 
 	pktLen := 4 + 4 + 1 + 23 + len(mc.cfg.User) + 1 + 1 + len(authResp) + 21 + 1
+	if addNUL {
+		pktLen++
+	}
 
 	// To specify a db name
 	if n := len(mc.cfg.DBName); n > 0 {
@@ -341,6 +344,10 @@ func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, plugin string
 	// Auth Data [length encoded integer]
 	data[pos] = byte(len(authResp))
 	pos += 1 + copy(data[pos+1:], authResp)
+	if addNUL {
+		data[pos] = 0x00
+		pos++
+	}
 
 	// Databasename [null terminated string]
 	if len(mc.cfg.DBName) > 0 {
@@ -357,8 +364,12 @@ func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, plugin string
 }
 
 // http://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::AuthSwitchResponse
-func (mc *mysqlConn) writeAuthSwitchPacket(authData []byte) error {
-	data := mc.buf.takeSmallBuffer(4 + len(authData))
+func (mc *mysqlConn) writeAuthSwitchPacket(authData []byte, addNUL bool) error {
+	pktLen := 4 + len(authData)
+	if addNUL {
+		pktLen++
+	}
+	data := mc.buf.takeSmallBuffer(pktLen)
 	if data == nil {
 		// cannot take the buffer. Something must be wrong with the connection
 		errLog.Print(ErrBusyBuffer)
@@ -367,6 +378,9 @@ func (mc *mysqlConn) writeAuthSwitchPacket(authData []byte) error {
 
 	// Add the auth data [EOF]
 	copy(data[4:], authData)
+	if addNUL {
+		data[pktLen-1] = 0x00
+	}
 
 	return mc.writePacket(data)
 }