Ensure that mysql_clear_password is never used over insecure connections.

Author: ZJONSSON

lib/protocol/Auth.js

@@ -2,14 +2,18 @@ var Buffer = require('safe-buffer').Buffer;
 var Crypto = require('crypto');
 var Auth   = exports;
 
-function auth(name, data, options) {
+function auth(name, data, options, isSecure) {
   options = options || {};
 
   switch (name) {
     case 'mysql_native_password':
       return Auth.token(options.password, data.slice(0, 20));
     case 'mysql_clear_password':
-      return Buffer.from(options.password);
+      if (!isSecure) {
+        throw new Error('Authentication method mysql_clear_password not supported on insecure connections');
+      } else {
+        return Buffer.from(options.password);
+      }
     default:
       return undefined;
   }

lib/protocol/sequences/Handshake.js

@@ -35,16 +35,21 @@ Handshake.prototype.determinePacket = function determinePacket(firstByte, parser
 
 Handshake.prototype['AuthSwitchRequestPacket'] = function (packet) {
   var name = packet.authMethodName;
-  var data = Auth.auth(name, packet.authMethodData, {
-    password: this._config.password
-  });
+  var data, error;
+  try {
+    data = Auth.auth(name, packet.authMethodData, {
+      password: this._config.password
+    }, this._tls);
+  } catch (e) {
+    error = e;
+  }
 
   if (data !== undefined) {
     this.emit('packet', new Packets.AuthSwitchResponsePacket({
       data: data
     }));
   } else {
-    var err   = new Error('MySQL is requesting the ' + name + ' authentication method, which is not supported.');
+    var err   = error || new Error('MySQL is requesting the ' + name + ' authentication method, which is not supported.');
     err.code  = 'UNSUPPORTED_AUTH_METHOD';
     err.fatal = true;
     this.end(err);
@@ -82,6 +87,7 @@ Handshake.prototype['HandshakeInitializationPacket'] = function(packet) {
 };
 
 Handshake.prototype._tlsUpgradeCompleteHandler = function() {
+  this._tls = true;
   this._sendCredentials();
 };
 

test/FakeServer.js

@@ -95,7 +95,7 @@ FakeConnection.prototype.handshake = function(options) {
   var packetOptions = common.extend({
     scrambleBuff1       : Buffer.from('1020304050607080', 'hex'),
     scrambleBuff2       : Buffer.from('0102030405060708090A0B0C', 'hex'),
-    serverCapabilities1 : 512, // only 1 flag, PROTOCOL_41
+    serverCapabilities1 : 512 | 1 << 11, // only 2 flags, PROTOCOL_41 and SSL
     protocol41          : true
   }, this._handshakeOptions);
 

test/unit/connection/test-auth-switch-clear-insecure.js

@@ -0,0 +1,38 @@
+var assert     = require('assert');
+var common     = require('../../common');
+var connection = common.createConnection({
+  port     : common.fakeServerPort,
+  password : 'authswitch'
+});
+
+var server = common.createFakeServer();
+
+var error;
+server.listen(common.fakeServerPort, function (err) {
+  assert.ifError(err);
+
+  connection.connect(function (err) {
+    error = err;
+    connection.destroy();
+    server.destroy();
+  });
+});
+
+server.on('connection', function(incomingConnection) {
+  incomingConnection.on('authSwitchResponse', function (packet) {
+    this._sendAuthResponse(packet.data, Buffer.from('authswitch'));
+  });
+
+  incomingConnection.on('clientAuthentication', function () {
+    this.authSwitchRequest({
+      authMethodName : 'mysql_clear_password',
+      authMethodData : Buffer.alloc(0)
+    });
+  });
+
+  incomingConnection.handshake();
+});
+
+process.on('exit', function() {
+  assert.equal(error.message, 'Authentication method mysql_clear_password not supported on insecure connections');
+});

test/unit/connection/test-auth-switch-clear.js renamed to test/unit/connection/test-auth-switch-clear-secure.js

@@ -2,7 +2,10 @@ var assert     = require('assert');
 var common     = require('../../common');
 var connection = common.createConnection({
   port     : common.fakeServerPort,
-  password : 'authswitch'
+  password : 'authswitch',
+  ssl      : {
+    rejectUnauthorized: false
+  }
 });
 
 var server = common.createFakeServer();