Skip to content

Commit d8a5f6c

Browse files
julienschmidtjulienschmidt
committed
Merge pull request #390 from daniel-nichter/fix-389-socket-auth-fail-broken-pipe-error
Fixes #389 by not sending COM_QUIT until authenticated. Also refactor…
2 parents c9c5955 + 0f5d83a commit d8a5f6c

File tree

4 files changed

+108
-37
lines changed

4 files changed

+108
-37
lines changed

AUTHORS

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ Aaron Hopkins <go-sql-driver at die.net>
1515
Arne Hormann <arnehormann at gmail.com>
1616
Carlos Nieto <jose.carlos at menteslibres.net>
1717
Chris Moos <chris at tech9computers.com>
18+
Daniel Nichter <nil at codenode.com>
1819
DisposaBoy <disposaboy at dby.me>
1920
Frederick Mayle <frederickmayle at gmail.com>
2021
Gustavo Kristic <gkristic at gmail.com>
@@ -25,6 +26,7 @@ INADA Naoki <songofacandy at gmail.com>
2526
James Harr <james.harr at gmail.com>
2627
Jian Zhen <zhenjl at gmail.com>
2728
Joshua Prunier <joshua.prunier at gmail.com>
29+
Julien Lefevre <julien.lefevr at gmail.com>
2830
Julien Schmidt <go-sql-driver at julienschmidt.com>
2931
Kamil Dziedzic <kamil at klecza.pl>
3032
Kevin Malachowski <kevin at chowski.com>
@@ -38,7 +40,6 @@ Soroush Pour <me at soroushjp.com>
3840
Stan Putrya <root.vagner at gmail.com>
3941
Xiaobing Jiang <s7v7nislands at gmail.com>
4042
Xiuming Chen <cc at cxm.cc>
41-
Julien Lefevre <julien.lefevr at gmail.com>
4243

4344
# Organizations
4445

connection.go

Lines changed: 16 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -120,18 +120,27 @@ func (mc *mysqlConn) Close() (err error) {
120120
// Makes Close idempotent
121121
if mc.netConn != nil {
122122
err = mc.writeCommandPacket(comQuit)
123-
if err == nil {
124-
err = mc.netConn.Close()
125-
} else {
126-
mc.netConn.Close()
123+
}
124+
125+
mc.cleanup()
126+
127+
return
128+
}
129+
130+
// Closes the network connection and unsets internal variables. Do not call this
131+
// function after successfully authentication, call Close instead. This function
132+
// is called before auth or on auth failure because MySQL will have already
133+
// closed the network connection.
134+
func (mc *mysqlConn) cleanup() {
135+
// Makes cleanup idempotent
136+
if mc.netConn != nil {
137+
if err := mc.netConn.Close(); err != nil {
138+
errLog.Print(err)
127139
}
128140
mc.netConn = nil
129141
}
130-
131142
mc.cfg = nil
132143
mc.buf.rd = nil
133-
134-
return
135144
}
136145

137146
func (mc *mysqlConn) Prepare(query string) (driver.Stmt, error) {

driver.go

Lines changed: 41 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -84,43 +84,23 @@ func (d MySQLDriver) Open(dsn string) (driver.Conn, error) {
8484
// Reading Handshake Initialization Packet
8585
cipher, err := mc.readInitPacket()
8686
if err != nil {
87-
mc.Close()
87+
mc.cleanup()
8888
return nil, err
8989
}
9090

9191
// Send Client Authentication Packet
9292
if err = mc.writeAuthPacket(cipher); err != nil {
93-
mc.Close()
93+
mc.cleanup()
9494
return nil, err
9595
}
9696

97-
// Read Result Packet
98-
err = mc.readResultOK()
99-
if err != nil {
100-
// Retry with old authentication method, if allowed
101-
if mc.cfg != nil && mc.cfg.allowOldPasswords && err == ErrOldPassword {
102-
if err = mc.writeOldAuthPacket(cipher); err != nil {
103-
mc.Close()
104-
return nil, err
105-
}
106-
if err = mc.readResultOK(); err != nil {
107-
mc.Close()
108-
return nil, err
109-
}
110-
} else if mc.cfg != nil && mc.cfg.allowCleartextPasswords && err == ErrCleartextPassword {
111-
if err = mc.writeClearAuthPacket(); err != nil {
112-
mc.Close()
113-
return nil, err
114-
}
115-
if err = mc.readResultOK(); err != nil {
116-
mc.Close()
117-
return nil, err
118-
}
119-
} else {
120-
mc.Close()
121-
return nil, err
122-
}
123-
97+
// Handle response to auth packet, switch methods if possible
98+
if err = handleAuthResult(mc, cipher); err != nil {
99+
// Authentication failed and MySQL has already closed the connection
100+
// (https://dev.mysql.com/doc/internals/en/authentication-fails.html).
101+
// Do not send COM_QUIT, just cleanup and return the error.
102+
mc.cleanup()
103+
return nil, err
124104
}
125105

126106
// Get max allowed packet size
@@ -144,6 +124,38 @@ func (d MySQLDriver) Open(dsn string) (driver.Conn, error) {
144124
return mc, nil
145125
}
146126

127+
func handleAuthResult(mc *mysqlConn, cipher []byte) error {
128+
// Read Result Packet
129+
err := mc.readResultOK()
130+
if err == nil {
131+
return nil // auth successful
132+
}
133+
134+
if mc.cfg == nil {
135+
return err // auth failed and retry not possible
136+
}
137+
138+
// Retry auth if configured to do so.
139+
if mc.cfg.allowOldPasswords && err == ErrOldPassword {
140+
// Retry with old authentication method. Note: there are edge cases
141+
// where this should work but doesn't; this is currently "wontfix":
142+
// https://github.com/go-sql-driver/mysql/issues/184
143+
if err = mc.writeOldAuthPacket(cipher); err != nil {
144+
return err
145+
}
146+
err = mc.readResultOK()
147+
} else if mc.cfg.allowCleartextPasswords && err == ErrCleartextPassword {
148+
// Retry with clear text password for
149+
// http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
150+
// http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
151+
if err = mc.writeClearAuthPacket(); err != nil {
152+
return err
153+
}
154+
err = mc.readResultOK()
155+
}
156+
return err
157+
}
158+
147159
func init() {
148160
sql.Register("mysql", &MySQLDriver{})
149161
}

driver_test.go

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,12 +9,14 @@
99
package mysql
1010

1111
import (
12+
"bytes"
1213
"crypto/tls"
1314
"database/sql"
1415
"database/sql/driver"
1516
"fmt"
1617
"io"
1718
"io/ioutil"
19+
"log"
1820
"net"
1921
"net/url"
2022
"os"
@@ -1679,3 +1681,50 @@ func TestInsertRetrieveEscapedData(t *testing.T) {
16791681
runTests(t, testdsn, testData)
16801682
}
16811683
}
1684+
1685+
func TestUnixSocketAuthFail(t *testing.T) {
1686+
runTests(t, dsn, func(dbt *DBTest) {
1687+
// Save the current logger so we can restore it.
1688+
oldLogger := errLog
1689+
1690+
// Set a new logger so we can capture its output.
1691+
buffer := bytes.NewBuffer(make([]byte, 0, 64))
1692+
newLogger := log.New(buffer, "prefix: ", 0)
1693+
SetLogger(newLogger)
1694+
1695+
// Restore the logger.
1696+
defer SetLogger(oldLogger)
1697+
1698+
// Make a new DSN that uses the MySQL socket file and a bad password, which
1699+
// we can make by simply appending any character to the real password.
1700+
badPass := pass + "x"
1701+
socket := ""
1702+
if prot == "unix" {
1703+
socket = addr
1704+
} else {
1705+
// Get socket file from MySQL.
1706+
err := dbt.db.QueryRow("SELECT @@socket").Scan(&socket)
1707+
if err != nil {
1708+
t.Fatalf("Error on SELECT @@socket: %s", err.Error())
1709+
}
1710+
}
1711+
t.Logf("socket: %s", socket)
1712+
badDSN := fmt.Sprintf("%s:%s@unix(%s)/%s?timeout=30s&strict=true", user, badPass, socket, dbname)
1713+
db, err := sql.Open("mysql", badDSN)
1714+
if err != nil {
1715+
t.Fatalf("Error connecting: %s", err.Error())
1716+
}
1717+
defer db.Close()
1718+
1719+
// Connect to MySQL for real. This will cause an auth failure.
1720+
err = db.Ping()
1721+
if err == nil {
1722+
t.Error("expected Ping() to return an error")
1723+
}
1724+
1725+
// The driver should not log anything.
1726+
if actual := buffer.String(); actual != "" {
1727+
t.Errorf("expected no output, got %q", actual)
1728+
}
1729+
})
1730+
}

0 commit comments

Comments
 (0)