[CONJ-383] OldAuthSwitchRequest not handled correctly Created: 2016-11-02  Updated: 2016-11-07  Resolved: 2016-11-07

Status: Closed
Project: MariaDB Connector/J
Component/s: Other
Affects Version/s: 1.5.4
Fix Version/s: 1.5.5

Type: Bug Priority: Major
Reporter: Glen Ritchie Assignee: Diego Dupin
Resolution: Fixed Votes: 0
Labels: None
Environment:

5.5.31-MariaDB
jdk_1.8.0_77


 Description   

Description

MariaDB Connector/J does not check the packet length of a OldAuthSwitchRequest and assumes it is AuthSwitchRequest.

During authentication, if a OldAuthSwitchRequest is recieved and the server has PLUGIN_AUTH capability, the Connector/J assumes the request is a AuthSwitchRequest.

As per the protocol documentation: https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::AuthSwitchRequest
Both AuthSwitchRequest and OldAuthSwitchRequest have the starting payload of [fe], however, OldAuthSwitchRequest is only one byte, and does not contain a plugin or auth data.

When the Connector/J recieves a OldAuthSwitchRequest it will assume it is a AuthSwitchRequest and throw an exception:

Exception in thread "main" java.sql.SQLNonTransientConnectionException: Client does not support authentication protocol requested by server. Consider upgrading MariaDB client. plugin was = 
	at org.mariadb.jdbc.internal.util.ExceptionMapper.get(ExceptionMapper.java:125)
 
	at org.mariadb.jdbc.internal.util.ExceptionMapper.throwException(ExceptionMapper.java:71)
 
	at org.mariadb.jdbc.Driver.connect(Driver.java:109)
 
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
 
	at java.sql.DriverManager.getConnection(DriverManager.java:247)
 
	at TestConnect.main(TestConnect.java:23)
 
Caused by: org.mariadb.jdbc.internal.util.dao.QueryException: Client does not support authentication protocol requested by server. Consider upgrading MariaDB client. plugin was = 
	at org.mariadb.jdbc.internal.protocol.authentication.DefaultAuthenticationProvider.processAuthPlugin(DefaultAuthenticationProvider.java:94)
 
	at org.mariadb.jdbc.internal.protocol.authentication.AuthenticationProviderHolder$1.processAuthPlugin(AuthenticationProviderHolder.java:69)
 
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.authentication(AbstractConnectProtocol.java:514)
 
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:472)
 
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:374)
 
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:763)
 
	at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:469)
 
	at org.mariadb.jdbc.Driver.connect(Driver.java:104)
 
	... 3 more

Reproduction

I was able to reproduce this by using MariaDB ( 5.5.31-MariaDB ) and setting a user with an OLD_PASSWORD format.

set password for 'testuser'@'testserver' = OLD_PASSWORD('testuser')

Then connecting with a simple JDBC test program.

Workaround

Update the password on the server to the new format

Resolution

Add a check for the packet length into AbstractConnectProtocol.java and only treat it as a AuthSwitchRequest if it's length is greater than 1

From:

if ((serverCapabilities & MariaDbServerCapabilities.PLUGIN_AUTH) != 0) {

To:

if ((serverCapabilities & MariaDbServerCapabilities.PLUGIN_AUTH) != 0 && buffer.remaining() > 1) {



 Comments   
Comment by Glen Ritchie [ 2016-11-02 ]

On subsequent reading of the page linked, I don't think this is a "bug" as such, more of a protocol 'quirk'.

Old Authentication Method Switch Request Packet consisting of a single 0xfe byte. It is sent by server to request client to switch to Old Password Authentication if CLIENT_PLUGIN_AUTH capability is not supported (by either the client or the server)

If the server and client both advertised CLIENT_PLUGIN_AUTH support, then that paragraph implies that an Old Password Request should never have been sent in the first place.

Though it would be nice for the client to downgrade itself to talk to the server, it probably isn't best practice ( Indeed, support for old passwords has been removed entirely in MySQL 5.7.5 )

I think here, the biggest issue might be that the client doesn't indicate why the server rejected the connection, rather it just echoes the server response about the client being too old!

Perhaps it would be better if this specific case of OldAuthSwitchRequest handling could be enabled with a configuration option rather than being part of the main protocol logic.

Or, it could simply be an addendum that this particular old-password/server/client configuration is not supported.

Generated at Thu Feb 08 03:15:15 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.