polyfill crypto lib

Author: Mini256

lib/auth_41.js

@@ -24,21 +24,7 @@
 server stores sha1(sha1(password)) ( hash_stag2)
 */
 
-const crypto = require('crypto');
-
-function sha1(msg, msg1, msg2) {
-  const hash = crypto.createHash('sha1');
-  hash.update(msg);
-  if (msg1) {
-    hash.update(msg1);
-  }
-
-  if (msg2) {
-    hash.update(msg2);
-  }
-
-  return hash.digest();
-}
+const crypto = require('./utils/crypto');
 
 function xor(a, b) {
   const result = Buffer.allocUnsafe(a.length);
@@ -50,37 +36,37 @@ function xor(a, b) {
 
 exports.xor = xor;
 
-function token(password, scramble1, scramble2) {
+async function token(password, scramble1, scramble2) {
   if (!password) {
     return Buffer.alloc(0);
   }
-  const stage1 = sha1(password);
-  return exports.calculateTokenFromPasswordSha(stage1, scramble1, scramble2);
+  const stage1 = await crypto.sha1(password);
+  return await exports.calculateTokenFromPasswordSha(stage1, scramble1, scramble2);
 }
 
-exports.calculateTokenFromPasswordSha = function(
+exports.calculateTokenFromPasswordSha = async function(
   passwordSha,
   scramble1,
   scramble2
 ) {
   // we use AUTH 41 here, and we need only the bytes we just need.
   const authPluginData1 = scramble1.slice(0, 8);
   const authPluginData2 = scramble2.slice(0, 12);
-  const stage2 = sha1(passwordSha);
-  const stage3 = sha1(authPluginData1, authPluginData2, stage2);
+  const stage2 = await crypto.sha1(passwordSha);
+  const stage3 = await crypto.sha1(authPluginData1, authPluginData2, stage2);
   return xor(stage3, passwordSha);
 };
 
 exports.calculateToken = token;
 
-exports.verifyToken = function(publicSeed1, publicSeed2, token, doubleSha) {
-  const hashStage1 = xor(token, sha1(publicSeed1, publicSeed2, doubleSha));
-  const candidateHash2 = sha1(hashStage1);
+exports.verifyToken = async function(publicSeed1, publicSeed2, token, doubleSha) {
+  const hashStage1 = xor(token, await crypto.sha1(publicSeed1, publicSeed2, doubleSha));
+  const candidateHash2 = await crypto.sha1(hashStage1);
   return candidateHash2.compare(doubleSha) === 0;
 };
 
-exports.doubleSha1 = function(password) {
-  return sha1(sha1(password));
+exports.doubleSha1 = async function(password) {
+  return await crypto.sha1(await crypto.sha1(password));
 };
 
 function xorRotating(a, seed) {

lib/auth_plugins/mysql_native_password.js

@@ -10,18 +10,18 @@ module.exports = pluginOptions => ({ connection, command }) => {
     command.passwordSha1 ||
     pluginOptions.passwordSha1 ||
     connection.config.passwordSha1;
-  return data => {
+  return async data => {
     const authPluginData1 = data.slice(0, 8);
     const authPluginData2 = data.slice(8, 20);
     let authToken;
     if (passwordSha1) {
-      authToken = auth41.calculateTokenFromPasswordSha(
+      authToken = await auth41.calculateTokenFromPasswordSha(
         passwordSha1,
         authPluginData1,
         authPluginData2
       );
     } else {
-      authToken = auth41.calculateToken(
+      authToken = await auth41.calculateToken(
         password,
         authPluginData1,
         authPluginData2

lib/commands/change_user.js

@@ -46,7 +46,11 @@ class ChangeUser extends Command {
     connection.clientEncoding = CharsetToEncoding[this.charsetNumber];
     // clear prepared statements cache as all statements become invalid after changeUser
     connection._statements.clear();
-    connection.writePacket(newPacket.toPacket());
+    newPacket.toPacket().then(packet => {
+      connection.writePacket(packet);
+    }).catch(err => {
+      this.onResult(err);
+    });
     // check if the server supports multi-factor authentication
     const multiFactorAuthentication = connection.serverCapabilityFlags & ClientConstants.MULTI_FACTOR_AUTHENTICATION;
     if (multiFactorAuthentication) {

lib/commands/client_handshake.js

@@ -46,7 +46,7 @@ class ClientHandshake extends Command {
     connection.writePacket(sslRequest.toPacket());
   }
 
-  sendCredentials(connection) {
+  async sendCredentials(connection) {
     if (connection.config.debug) {
       // eslint-disable-next-line
       console.log(
@@ -80,22 +80,22 @@ class ClientHandshake extends Command {
       compress: connection.config.compress,
       connectAttributes: connection.config.connectAttributes
     });
-    connection.writePacket(handshakeResponse.toPacket());
+    connection.writePacket(await handshakeResponse.toPacket());
   }
 
-  calculateNativePasswordAuthToken(authPluginData) {
+  async calculateNativePasswordAuthToken(authPluginData) {
     // TODO: dont split into authPluginData1 and authPluginData2, instead join when 1 & 2 received
     const authPluginData1 = authPluginData.slice(0, 8);
     const authPluginData2 = authPluginData.slice(8, 20);
     let authToken;
     if (this.passwordSha1) {
-      authToken = auth41.calculateTokenFromPasswordSha(
+      authToken = await auth41.calculateTokenFromPasswordSha(
         this.passwordSha1,
         authPluginData1,
         authPluginData2
       );
     } else {
-      authToken = auth41.calculateToken(
+      authToken = await auth41.calculateToken(
         this.password,
         authPluginData1,
         authPluginData2
@@ -156,10 +156,14 @@ class ClientHandshake extends Command {
           return;
         }
         // rest of communication is encrypted
-        this.sendCredentials(connection);
+        this.sendCredentials(connection).catch(err => {
+          this.emit('error', err);
+        });
       });
     } else {
-      this.sendCredentials(connection);
+      this.sendCredentials(connection).catch(err => {
+        this.emit('error', err);
+      });
     }
     if (multiFactorAuthentication) {
       // if the server supports multi-factor authentication, we enable it in

lib/connection.js

@@ -43,7 +43,7 @@ class Connection extends EventEmitter {
     // TODO: use `/usr/local/mysql/bin/mysql_config --socket` output? as default socketPath
     // if there is no host/port and no socketPath parameters?
     if (!opts.config.stream) {
-      this.stream = getStream(opts.config.ssl);
+      this.stream = getStream(!!opts.config.ssl);
       if (opts.config.socketPath) {
         // FIXME
         this.stream.connect(opts.config.socketPath);

lib/packets/change_user.js

@@ -17,28 +17,33 @@ class ChangeUser {
     this.authPluginData1 = opts.authPluginData1;
     this.authPluginData2 = opts.authPluginData2;
     this.connectAttributes = opts.connectAttrinutes || {};
+    this.authTokenReadly = this.initAuthToken();
+    this.charsetNumber = opts.charsetNumber;
+  }
+
+  async initAuthToken() {
     let authToken;
     if (this.passwordSha1) {
-      authToken = auth41.calculateTokenFromPasswordSha(
+      authToken = await auth41.calculateTokenFromPasswordSha(
         this.passwordSha1,
         this.authPluginData1,
         this.authPluginData2
       );
     } else {
-      authToken = auth41.calculateToken(
+      authToken = await auth41.calculateToken(
         this.password,
         this.authPluginData1,
         this.authPluginData2
       );
     }
     this.authToken = authToken;
-    this.charsetNumber = opts.charsetNumber;
   }
 
   // TODO
   // ChangeUser.fromPacket = function(packet)
   // };
-  serializeToBuffer(buffer) {
+  async serializeToBuffer(buffer) {
+    await this.authTokenReadly;
     const isSet = flag => this.flags & ClientConstants[flag];
     const packet = new Packet(0, buffer, 0, buffer.length);
     packet.offset = 4;
@@ -81,16 +86,17 @@ class ChangeUser {
     return packet;
   }
 
-  toPacket() {
+  async toPacket() {
+    await this.authTokenReadly;
     if (typeof this.user !== 'string') {
       throw new Error('"user" connection config property must be a string');
     }
     if (typeof this.database !== 'string') {
       throw new Error('"database" connection config property must be a string');
     }
     // dry run: calculate resulting packet length
-    const p = this.serializeToBuffer(Packet.MockBuffer());
-    return this.serializeToBuffer(Buffer.allocUnsafe(p.offset));
+    const p = await this.serializeToBuffer(Packet.MockBuffer());
+    return await this.serializeToBuffer(Buffer.allocUnsafe(p.offset));
   }
 }
 

lib/packets/handshake_response.js

@@ -16,28 +16,34 @@ class HandshakeResponse {
     this.authPluginData2 = handshake.authPluginData2;
     this.compress = handshake.compress;
     this.clientFlags = handshake.flags;
+    this.authTokenReady = this.initAuthToken();
+    this.charsetNumber = handshake.charsetNumber;
+    this.encoding = CharsetToEncoding[handshake.charsetNumber];
+    this.connectAttributes = handshake.connectAttributes;
+  }
+
+  async initAuthToken() {
     // TODO: pre-4.1 auth support
     let authToken;
     if (this.passwordSha1) {
-      authToken = auth41.calculateTokenFromPasswordSha(
+      authToken = await auth41.calculateTokenFromPasswordSha(
         this.passwordSha1,
         this.authPluginData1,
         this.authPluginData2
       );
     } else {
-      authToken = auth41.calculateToken(
+      authToken = await auth41.calculateToken(
         this.password,
         this.authPluginData1,
         this.authPluginData2
       );
     }
     this.authToken = authToken;
-    this.charsetNumber = handshake.charsetNumber;
-    this.encoding = CharsetToEncoding[handshake.charsetNumber];
-    this.connectAttributes = handshake.connectAttributes;
   }
 
-  serializeResponse(buffer) {
+  async serializeResponse(buffer) {
+    await this.authTokenReady;
+
     const isSet = flag => this.clientFlags & ClientConstants[flag];
     const packet = new Packet(0, buffer, 0, buffer.length);
     packet.offset = 4;
@@ -88,17 +94,19 @@ class HandshakeResponse {
     return packet;
   }
 
-  toPacket() {
+  async toPacket() {
+    await this.authTokenReady;
     if (typeof this.user !== 'string') {
       throw new Error('"user" connection config property must be a string');
     }
     if (typeof this.database !== 'string') {
       throw new Error('"database" connection config property must be a string');
     }
     // dry run: calculate resulting packet length
-    const p = this.serializeResponse(Packet.MockBuffer());
-    return this.serializeResponse(Buffer.alloc(p.offset));
+    const p = await this.serializeResponse(Packet.MockBuffer());
+    return await this.serializeResponse(Buffer.alloc(p.offset));
   }
+
   static fromPacket(packet) {
     const args = {};
     args.clientFlags = packet.readInt32();

lib/stream.js

@@ -7,8 +7,10 @@
 module.exports.getStream = function getStream(ssl = false) {
   const net = require('net')
   if (typeof net.Socket === 'function') {
-    return net.Socket
+    console.log('using node socket');
+    return net.Socket()
   }
   const { CloudflareSocket } = require('pg-cloudflare')
+  console.log('using cloudflare socket');
   return new CloudflareSocket(ssl);
 }

lib/utils/crypto.js

@@ -0,0 +1,9 @@
+'use strict'
+
+const useLegacyCrypto = parseInt(process.versions && process.versions.node && process.versions.node.split('.')[0]) < 15
+if (useLegacyCrypto) {
+  // We are on an old version of Node.js that requires legacy crypto utilities.
+  module.exports = require('./nodecrypto')
+} else {
+  module.exports = require('./webcrypto');
+}

lib/utils/nodecrypto.js

@@ -0,0 +1,69 @@
+'use strict'
+// This file contains crypto utility functions for versions of Node.js < 15.0.0,
+// which does not support the WebCrypto.subtle API.
+
+const nodeCrypto = require('crypto')
+
+function md5(string) {
+  return nodeCrypto.createHash('md5').update(string, 'utf-8').digest('hex')
+}
+
+// See AuthenticationMD5Password at https://www.postgresql.org/docs/current/static/protocol-flow.html
+function postgresMd5PasswordHash(user, password, salt) {
+  const inner = md5(password + user);
+  const outer = md5(Buffer.concat([Buffer.from(inner), salt]));
+  return `md5${outer}`
+}
+
+function sha256(text) {
+  return nodeCrypto.createHash('sha256').update(text).digest()
+}
+
+async function sha1(msg,msg1,msg2) {
+  const hash = nodeCrypto.createHash('sha1');
+  hash.update(msg);
+  if (msg1) {
+    hash.update(msg1);
+  }
+  if (msg2) {
+    hash.update(msg2);
+  }
+  return hash.digest();
+}
+
+function xorRotating(a, seed) {
+  const result = Buffer.allocUnsafe(a.length);
+  const seedLen = seed.length;
+
+  for (let i = 0; i < a.length; i++) {
+    result[i] = a[i] ^ seed[i % seedLen];
+  }
+  return result;
+}
+
+function encrypt(password, scramble, key) {
+  const stage1 = xorRotating(
+    Buffer.from(`${password}\0`, 'utf8'),
+    scramble
+  );
+  return nodeCrypto.publicEncrypt(key, stage1);
+}
+
+function hmacSha256(key, msg) {
+  return nodeCrypto.createHmac('sha256', key).update(msg).digest()
+}
+
+function deriveKey(password, salt, iterations) {
+  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256')
+}
+
+module.exports = {
+  postgresMd5PasswordHash,
+  randomBytes: nodeCrypto.randomBytes,
+  deriveKey,
+  sha256,
+  hmacSha256,
+  md5,
+  sha1,
+  encrypt,
+}