Minor bug fixes for caching_sha2_password auth logic

dolthub · Dec 10, 2024 · 3719861 · 3719861
1 parent 588631a
commit 3719861
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 17 deletions.
diff --git a/go/mysql/auth_server.go b/go/mysql/auth_server.go
@@ -601,19 +601,23 @@ func (n *mysqlCachingSha2AuthMethod) HandleAuthPluginData(c *Conn, user string,
 	if cacheState == AuthRejected {
 		return nil, NewSQLError(ERAccessDeniedError, SSAccessDeniedError, "Access denied for user '%v'", user)
 	}
-	// If we get a result back from the cache that's valid, we can return that immediately.
+	// If we get a result back from the cache that's valid, we have successfully authenticated
 	if cacheState == AuthAccepted {
-		// We need to write a more data packet to indicate the
-		// handshake completed properly. This  will be followed
-		// by a regular OK packet which the caller of this method will send.
-
-		data := c.startEphemeralPacket(2)
-		pos := 0
-		pos = writeByte(data, pos, AuthMoreDataPacket)
-		_ = writeByte(data, pos, CachingSha2FastAuth)
-		err = c.writeEphemeralPacket()
-		if err != nil {
-			return nil, err
+		// If the client hasn't sent any authentication data (i.e. a scrambled password), then don't send
+		// the CachingSha2FastAuth packet, since clients don't expect it and error with "Malformed packet"
+		emptyClientAuthResponse := len(clientAuthPluginData) == 0 || (len(clientAuthPluginData) == 1 && clientAuthPluginData[0] == 0)
+		if !emptyClientAuthResponse {
+			// Otherwise, we need to write a more data packet to indicate the
+			// handshake completed properly. This will be followed
+			// by a regular OK packet which the caller of this method will send.
+			data := c.startEphemeralPacket(2)
+			pos := 0
+			pos = writeByte(data, pos, AuthMoreDataPacket)
+			_ = writeByte(data, pos, CachingSha2FastAuth)
+			err = c.writeEphemeralPacket()
+			if err != nil {
+				return nil, err
+			}
 		}
 		return result, nil
 	}

diff --git a/go/mysql/server.go b/go/mysql/server.go
@@ -439,7 +439,6 @@ func (l *Listener) handle(ctx context.Context, conn net.Conn, connectionID uint3
 	// The latter case happens for example for MySQL 8.0 clients until 8.0.25 who advertise
 	// support for caching_sha2_password by default but with no plugin data.
 	if err != nil || (len(clientAuthResponse) == 0 && clientAuthMethod == CachingSha2Password) {
-		l.handleConnectionError(c, "auth server failed to determine auth method")
 		if err != nil {
 			// The client will disconnect if it doesn't understand
 			// the first auth method that we send, so we only have to send the
@@ -452,37 +451,39 @@ func (l *Listener) handle(ctx context.Context, conn net.Conn, connectionID uint3
 			}
 		}
 		if negotiatedAuthMethod == nil {
+			l.handleConnectionError(c, "No authentication methods available for authentication.")
 			c.writeErrorPacket(CRServerHandshakeErr, SSUnknownSQLState, "No authentication methods available for authentication.")
 			return
 		}
 
 		if !l.AllowClearTextWithoutTLS.Get() && !c.TLSEnabled() && !negotiatedAuthMethod.AllowClearTextWithoutTLS() {
+			l.handleConnectionError(c, "Cannot use clear text authentication over non-SSL connections.")
 			c.writeErrorPacket(CRServerHandshakeErr, SSUnknownSQLState, "Cannot use clear text authentication over non-SSL connections.")
 			return
 		}
 
 		serverAuthPluginData, err = negotiatedAuthMethod.AuthPluginData()
 		if err != nil {
-			log.Errorf("Error generating auth switch packet for %s: %v", c, err)
+			l.handleConnectionError(c, fmt.Sprintf("Error generating auth switch packet for %s: %v", c, err))
 			return
 		}
 
 		if err := c.writeAuthSwitchRequest(string(negotiatedAuthMethod.Name()), serverAuthPluginData); err != nil {
-			log.Errorf("Error writing auth switch packet for %s: %v", c, err)
+			l.handleConnectionError(c, fmt.Sprintf("Error writing auth switch packet for %s: %v", c, err))
 			return
 		}
 
 		clientAuthResponse, err = c.readEphemeralPacket(context.Background())
 		if err != nil {
-			log.Errorf("Error reading auth switch response for %s: %v", c, err)
+			l.handleConnectionError(c, fmt.Sprintf("Error reading auth switch response for %s: %v", c, err))
 			return
 		}
 		c.recycleReadPacket()
 	}
 
 	userData, err := negotiatedAuthMethod.HandleAuthPluginData(c, user, serverAuthPluginData, clientAuthResponse, conn.RemoteAddr())
 	if err != nil {
-		log.Warningf("Error authenticating user %s using: %s", user, negotiatedAuthMethod.Name())
+		l.handleConnectionWarning(c, fmt.Sprintf("Error authenticating user %s using: %s", user, negotiatedAuthMethod.Name()))
 		c.writeErrorPacketFromError(err)
 		return
 	}