Minor code cleanup.

Signed-off-by: Bradley Grainger <[email protected]>

Author: bgrainger

src/MySqlConnector.Authentication.Ed25519/Ed25519AuthenticationPlugin.cs

@@ -45,9 +45,6 @@ public byte[] CreatePasswordHash(string password, ReadOnlySpan<byte> authenticat
 		return passwordHash;
 	}
 
-	/// <summary>
-	/// Creates the authentication response.
-	/// </summary>
 	private static void CreateResponseAndHash(string password, ReadOnlySpan<byte> authenticationData, out byte[] passwordHash, out byte[] authenticationResponse)
 	{
 		// Java reference: https://github.com/MariaDB/mariadb-connector-j/blob/master/src/main/java/org/mariadb/jdbc/internal/com/send/authentication/Ed25519PasswordPlugin.java

src/MySqlConnector/Core/ServerSession.cs

@@ -438,13 +438,13 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 			var initialHandshake = InitialHandshakePayload.Create(payload.Span);
 
 			// if PluginAuth is supported, then use the specified auth plugin; else, fall back to protocol capabilities to determine the auth type to use
-			var authPluginName = (initialHandshake.ProtocolCapabilities & ProtocolCapabilities.PluginAuth) != 0 ? initialHandshake.AuthPluginName! :
+			m_currentAuthenticationMethod = (initialHandshake.ProtocolCapabilities & ProtocolCapabilities.PluginAuth) != 0 ? initialHandshake.AuthPluginName! :
 				(initialHandshake.ProtocolCapabilities & ProtocolCapabilities.SecureConnection) == 0 ? "mysql_old_password" :
 				"mysql_native_password";
-			Log.ServerSentAuthPluginName(m_logger, Id, authPluginName);
-			if (authPluginName is not "mysql_native_password" and not "sha256_password" and not "caching_sha2_password")
+			Log.ServerSentAuthPluginName(m_logger, Id, m_currentAuthenticationMethod);
+			if (m_currentAuthenticationMethod is not "mysql_native_password" and not "sha256_password" and not "caching_sha2_password")
 			{
-				Log.UnsupportedAuthenticationMethod(m_logger, Id, authPluginName);
+				Log.UnsupportedAuthenticationMethod(m_logger, Id, m_currentAuthenticationMethod);
 				throw new NotSupportedException($"Authentication method '{initialHandshake.AuthPluginName}' is not supported.");
 			}
 
@@ -608,30 +608,27 @@ public async Task DisposeAsync(IOBehavior ioBehavior, CancellationToken cancella
 	}
 
 	/// <summary>
-	/// Validate SSL validation has
+	/// Validate SSL validation hash (from OK packet).
 	/// </summary>
-	/// <param name="validationHash">received validation hash</param>
-	/// <param name="challenge">initial seed</param>
-	/// <param name="password">password</param>
-	/// <returns>true if validated</returns>
+	/// <param name="validationHash">The validation hash received from the server.</param>
+	/// <param name="challenge">The auth plugin data from the initial handshake.</param>
+	/// <param name="password">The user's password.</param>
+	/// <returns><c>true</c> if the validation hash matches the locally-computed value; otherwise, <c>false</c>.</returns>
 	private bool ValidateFingerprint(byte[]? validationHash, ReadOnlySpan<byte> challenge, string password)
 	{
-		if (validationHash?.Length != 65)
+		// expect 0x01 followed by 64 hex characters giving a SHA2 hash
+		if (validationHash?.Length != 65 || validationHash[0] != 1)
 			return false;
 
-		// ensure using SHA256 encryption
-		if (validationHash[0] != 0x01)
-			throw new FormatException($"Unexpected validation hash format. expected 0x01 but got 0x{validationHash[0]:X2}");
-
 		byte[]? passwordHashResult = null;
-		switch (m_pluginName)
+		switch (m_currentAuthenticationMethod)
 		{
 			case "mysql_native_password":
 				passwordHashResult = AuthenticationUtility.HashPassword([], password, onlyHashPassword: true);
 				break;
 
 			case "client_ed25519":
-				AuthenticationPlugins.TryGetPlugin(m_pluginName, out var ed25519Plugin);
+				AuthenticationPlugins.TryGetPlugin(m_currentAuthenticationMethod, out var ed25519Plugin);
 				if (ed25519Plugin is IAuthenticationPlugin2 plugin2)
 					passwordHashResult = plugin2.CreatePasswordHash(password, challenge);
 				break;
@@ -836,7 +833,7 @@ private async Task<PayloadData> SwitchAuthenticationAsync(ConnectionSettings cs,
 		// if the server didn't support the hashed password; rehash with the new challenge
 		var switchRequest = AuthenticationMethodSwitchRequestPayload.Create(payload.Span);
 		Log.SwitchingToAuthenticationMethod(m_logger, Id, switchRequest.Name);
-		m_pluginName = switchRequest.Name;
+		m_currentAuthenticationMethod = switchRequest.Name;
 		switch (switchRequest.Name)
 		{
 			case "mysql_native_password":
@@ -2140,7 +2137,7 @@ protected override void OnStatementBegin(int index)
 	private PayloadData m_setNamesPayload;
 	private byte[]? m_pipelinedResetConnectionBytes;
 	private Dictionary<string, PreparedStatements>? m_preparedStatements;
-	private string m_pluginName = "mysql_native_password";
+	private string? m_currentAuthenticationMethod;
 	private byte[]? m_remoteCertificateSha2Thumbprint;
 	private SslPolicyErrors m_sslPolicyErrors;
 }

src/MySqlConnector/Protocol/Serialization/AuthenticationUtility.cs

@@ -25,7 +25,7 @@ public static byte[] GetNullTerminatedPasswordBytes(string password)
 	}
 
 	public static byte[] CreateAuthenticationResponse(ReadOnlySpan<byte> challenge, string password) =>
-		string.IsNullOrEmpty(password) ? [] : HashPassword(challenge, password, false);
+		string.IsNullOrEmpty(password) ? [] : HashPassword(challenge, password, onlyHashPassword: false);
 
 	/// <summary>
 	/// Hashes a password with the "Secure Password Authentication" method.

tests/IntegrationTests/ServerFeatures.cs

@@ -37,12 +37,12 @@ public enum ServerFeatures
 	CancelSleepSuccessfully = 0x40_0000,
 
 	/// <summary>
-	/// Server permit redirection, available on first OK_Packet
+	/// Server permits redirection (sent as a server variable in first OK packet).
 	/// </summary>
 	Redirection = 0x80_0000,
 
 	/// <summary>
-	/// Server permit redirection, available on first OK_Packet
+	/// Server provides hash of TLS certificate in first OK packet.
 	/// </summary>
 	TlsFingerprintValidation = 0x100_0000,
 }

tests/README.md

@@ -27,6 +27,7 @@ Otherwise, set the following options appropriately:
   * `ErrorCodes`: server returns error codes in error packet (some MySQL proxies do not)
   * `Json`: the `JSON` data type (MySQL 5.7 and later)
   * `LargePackets`: large packets (over 4MB)
+  * `Redirection`: server supports sending redirection information in a server variable in the first OK packet
   * `RoundDateTime`: server rounds `datetime` values to the specified precision (not implemented in MariaDB)
   * `RsaEncryption`: server supports RSA public key encryption (for `sha256_password` and `caching_sha2_password`)
   * `SessionTrack`: server supports `CLIENT_SESSION_TRACK` capability (MySQL 5.7 and later)
@@ -36,9 +37,9 @@ Otherwise, set the following options appropriately:
   * `Tls11`: server supports TLS 1.1
   * `Tls12`: server supports TLS 1.2
   * `Tls13`: server supports TLS 1.3
+  * `TlsFingerprintValidation`: server provides a hash of the TLS certificate fingerprint in the first OK packet
   * `UnixDomainSocket`: server is accessible via a Unix domain socket
   * `UuidToBin`: server supports `UUID_TO_BIN` (MySQL 8.0 and later)
-  * `UnsupportedFeatures`: server supports
 
 ## Running Tests