jasync-sql
diff --git a/‎db-async-common/src/main/java/com/github/jasync/sql/db/Configuration.kt
Lines changed: 9 additions & 2 deletions b/‎db-async-common/src/main/java/com/github/jasync/sql/db/Configuration.kt
Lines changed: 9 additions & 2 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/MySQLConnection.kt
Lines changed: 40 additions & 2 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/MySQLConnection.kt
Lines changed: 40 additions & 2 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/codec/MySQLConnectionHandler.kt
Lines changed: 1 addition & 13 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/codec/MySQLConnectionHandler.kt
Lines changed: 1 addition & 13 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/codec/MySQLHandlerDelegate.kt
Lines changed: 2 additions & 0 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/codec/MySQLHandlerDelegate.kt
Lines changed: 2 additions & 0 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/AuthenticationSwitchResponseEncoder.kt
Lines changed: 7 additions & 2 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/AuthenticationSwitchResponseEncoder.kt
Lines changed: 7 additions & 2 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/HandshakeResponseEncoder.kt
Lines changed: 1 addition & 1 deletion b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/HandshakeResponseEncoder.kt
Lines changed: 1 addition & 1 deletion
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/AuthenticationMethod.kt
Lines changed: 9 additions & 1 deletion b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/AuthenticationMethod.kt
Lines changed: 9 additions & 1 deletion
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/AuthenticationScrambler.kt
Lines changed: 2 additions & 6 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/AuthenticationScrambler.kt
Lines changed: 2 additions & 6 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/CachingSha2PasswordAuthentication.kt
Lines changed: 10 additions & 10 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/CachingSha2PasswordAuthentication.kt
Lines changed: 10 additions & 10 deletions
diff --git a/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/MySQLNativePasswordAuthentication.kt
Lines changed: 9 additions & 3 deletions b/‎mysql-async/src/main/java/com/github/jasync/sql/db/mysql/encoder/auth/MySQLNativePasswordAuthentication.kt
Lines changed: 9 additions & 3 deletions
@@ -10,6 +10,7 @@ import io.netty.channel.nio.NioEventLoopGroup
 import io.netty.util.CharsetUtil
 import mu.KotlinLogging
 import java.nio.charset.Charset
+import java.nio.file.Path
 import java.time.Duration
 import java.util.concurrent.CompletionStage
 import java.util.concurrent.Executor
@@ -43,6 +44,7 @@ private val logger = KotlinLogging.logger {}
  * @param currentSchema optional database schema - postgresql only.
  * @param socketPath path to unix domain socket file (on the local machine)
  * @param credentialsProvider a credential provider used to inject credentials on demand
+ * @param rsaPublicKey path to the RSA public key, used for password encryption over unsafe connections
  *
  */
 class Configuration @JvmOverloads constructor(
@@ -63,7 +65,8 @@ class Configuration @JvmOverloads constructor(
     val executionContext: Executor = ExecutorServiceUtils.CommonPool,
     val currentSchema: String? = null,
     val socketPath: String? = null,
-    val credentialsProvider: CredentialsProvider? = null
+    val credentialsProvider: CredentialsProvider? = null,
+    val rsaPublicKey: Path? = null,
 ) {
     init {
         if (socketPath != null && eventLoopGroup is NioEventLoopGroup) {
@@ -96,6 +99,7 @@ class Configuration @JvmOverloads constructor(
         currentSchema: String? = null,
         socketPath: String? = null,
         credentialsProvider: CredentialsProvider? = null,
+        rsaPublicKey: Path? = null,
     ): Configuration {
         return Configuration(
             username = username ?: this.username,
@@ -116,6 +120,7 @@ class Configuration @JvmOverloads constructor(
             currentSchema = currentSchema ?: this.currentSchema,
             socketPath = socketPath ?: this.socketPath,
             credentialsProvider = credentialsProvider ?: this.credentialsProvider,
+            rsaPublicKey = rsaPublicKey ?: this.rsaPublicKey,
         )
     }
 
@@ -143,6 +148,7 @@ class Configuration @JvmOverloads constructor(
         if (currentSchema != other.currentSchema) return false
         if (socketPath != other.socketPath) return false
         if (credentialsProvider != other.credentialsProvider) return false
+        if (rsaPublicKey != other.rsaPublicKey) return false
 
         return true
     }
@@ -166,11 +172,12 @@ class Configuration @JvmOverloads constructor(
         result = 31 * result + (currentSchema?.hashCode() ?: 0)
         result = 31 * result + (socketPath?.hashCode() ?: 0)
         result = 31 * result + (credentialsProvider?.hashCode() ?: 0)
+        result = 31 * result + (rsaPublicKey?.hashCode() ?: 0)
         return result
     }
 
     override fun toString(): String {
-        return "Configuration(username='$username', host='$host', port=$port, password=****, database=$database, ssl=$ssl, charset=$charset, maximumMessageSize=$maximumMessageSize, allocator=$allocator, connectionTimeout=$connectionTimeout, queryTimeout=$queryTimeout, applicationName=$applicationName, interceptors=$interceptors, eventLoopGroup=$eventLoopGroup, executionContext=$executionContext, currentSchema=$currentSchema, socketPath=$socketPath, credentialsProvider=$credentialsProvider)"
+        return "Configuration(username='$username', host='$host', port=$port, password=****, database=$database, ssl=$ssl, charset=$charset, maximumMessageSize=$maximumMessageSize, allocator=$allocator, connectionTimeout=$connectionTimeout, queryTimeout=$queryTimeout, applicationName=$applicationName, interceptors=$interceptors, eventLoopGroup=$eventLoopGroup, executionContext=$executionContext, currentSchema=$currentSchema, socketPath=$socketPath, credentialsProvider=$credentialsProvider, rsaPublicKey=$rsaPublicKey)"
     }
 }
 
 
@@ -13,10 +13,12 @@ import com.github.jasync.sql.db.exceptions.InsufficientParametersException
 import com.github.jasync.sql.db.interceptor.PreparedStatementParams
 import com.github.jasync.sql.db.mysql.codec.MySQLConnectionHandler
 import com.github.jasync.sql.db.mysql.codec.MySQLHandlerDelegate
+import com.github.jasync.sql.db.mysql.encoder.auth.AuthenticationMethod
 import com.github.jasync.sql.db.mysql.exceptions.MySQLException
 import com.github.jasync.sql.db.mysql.message.client.AuthenticationSwitchResponse
 import com.github.jasync.sql.db.mysql.message.client.CapabilityRequestMessage
 import com.github.jasync.sql.db.mysql.message.client.HandshakeResponseMessage
+import com.github.jasync.sql.db.mysql.message.server.AuthMoreDataMessage
 import com.github.jasync.sql.db.mysql.message.server.AuthenticationSwitchRequest
 import com.github.jasync.sql.db.mysql.message.server.EOFMessage
 import com.github.jasync.sql.db.mysql.message.server.ErrorMessage
@@ -93,6 +95,8 @@ class MySQLConnection @JvmOverloads constructor(
     private var connected = false
     private var lastException: Throwable? = null
     private var serverVersion: Version? = null
+    private var authenticationMethod: String? = null
+    private var authenticationSeed: ByteArray? = null
 
     object StatusFlags {
         // https://dev.mysql.com/doc/internals/en/status-flags.html
@@ -259,6 +263,8 @@ class MySQLConnection @JvmOverloads constructor(
     override fun onHandshake(message: HandshakeMessage) {
         this.serverVersion = parseVersion(message.serverVersion)
         this.serverStatus = message.statusFlags
+        this.authenticationMethod = message.authenticationMethod
+        this.authenticationSeed = message.seed
 
         val switchToSsl = when (this.configuration.ssl.mode) {
             SSLConfiguration.Mode.Disable -> false
@@ -298,7 +304,9 @@ class MySQLConnection @JvmOverloads constructor(
             message.authenticationMethod,
             database = configuration.database,
             password = configuration.password,
-            appName = configuration.applicationName
+            appName = configuration.applicationName,
+            sslConfiguration = configuration.ssl,
+            rsaPublicKey = configuration.rsaPublicKey,
         )
 
         if (!switchToSsl) {
@@ -336,7 +344,37 @@ class MySQLConnection @JvmOverloads constructor(
     }
 
     override fun switchAuthentication(message: AuthenticationSwitchRequest) {
-        this.connectionHandler.write(AuthenticationSwitchResponse(configuration.password, message))
+        val response = AuthenticationSwitchResponse(
+            configuration.password,
+            configuration.ssl,
+            configuration.rsaPublicKey,
+            message
+        )
+
+        this.connectionHandler.write(response)
+    }
+
+    override fun onAuthMoreData(message: AuthMoreDataMessage) {
+        if (message.isSuccess()) {
+            // Do nothing. This message will be followed by an `OkMessage`.
+            return
+        }
+
+        if (authenticationMethod != AuthenticationMethod.CachingSha2) {
+            throw IllegalStateException(
+                "AuthMoreDataMessage is only supported for '${AuthenticationMethod.CachingSha2}' method"
+            )
+        }
+
+        val request = AuthenticationSwitchRequest(AuthenticationMethod.Sha256, authenticationSeed!!)
+        val response = AuthenticationSwitchResponse(
+            configuration.password,
+            configuration.ssl,
+            configuration.rsaPublicKey,
+            request
+        )
+
+        this.connectionHandler.write(response)
     }
 
     override fun sendQueryDirect(query: String): CompletableFuture<QueryResult> {
 
@@ -4,7 +4,6 @@ import com.github.jasync.sql.db.Configuration
 import com.github.jasync.sql.db.exceptions.DatabaseException
 import com.github.jasync.sql.db.general.MutableResultSet
 import com.github.jasync.sql.db.mysql.binary.BinaryRowDecoder
-import com.github.jasync.sql.db.mysql.encoder.auth.AuthenticationMethod
 import com.github.jasync.sql.db.mysql.message.client.AuthenticationSwitchResponse
 import com.github.jasync.sql.db.mysql.message.client.CapabilityRequestMessage
 import com.github.jasync.sql.db.mysql.message.client.CloseStatementMessage
@@ -132,18 +131,7 @@ class MySQLConnectionHandler(
                         this.handleEOF(message)
                     }
                     ServerMessage.AuthMoreData -> {
-                        val m = message as AuthMoreDataMessage
-
-                        if (!m.isSuccess()) {
-                            if (!sslEstablished) {
-                                throw IllegalStateException(
-                                    "Full authentication mode for ${AuthenticationMethod.CachingSha2} requires SSL"
-                                )
-                            }
-
-                            val request = AuthenticationSwitchRequest(AuthenticationMethod.CachingSha2, null)
-                            handlerDelegate.switchAuthentication(request)
-                        }
+                        handlerDelegate.onAuthMoreData(message as AuthMoreDataMessage)
                     }
                     ServerMessage.ColumnDefinition -> {
                         val m = message as ColumnDefinitionMessage
 
@@ -1,6 +1,7 @@
 package com.github.jasync.sql.db.mysql.codec
 
 import com.github.jasync.sql.db.ResultSet
+import com.github.jasync.sql.db.mysql.message.server.AuthMoreDataMessage
 import com.github.jasync.sql.db.mysql.message.server.AuthenticationSwitchRequest
 import com.github.jasync.sql.db.mysql.message.server.EOFMessage
 import com.github.jasync.sql.db.mysql.message.server.ErrorMessage
@@ -18,5 +19,6 @@ interface MySQLHandlerDelegate {
     fun connected(ctx: ChannelHandlerContext)
     fun onResultSet(resultSet: ResultSet, message: EOFMessage)
     fun switchAuthentication(message: AuthenticationSwitchRequest)
+    fun onAuthMoreData(message: AuthMoreDataMessage)
     fun unregistered()
 }
@@ -20,8 +20,13 @@ class AuthenticationSwitchResponseEncoder(val charset: Charset) : MessageEncoder
 
         val buffer = ByteBufferUtils.packetBuffer()
 
-        val bytes =
-            authenticator.generateAuthentication(charset, switch.password, switch.request.seed)
+        val bytes = authenticator.generateAuthentication(
+            charset,
+            switch.password,
+            switch.request.seed,
+            switch.sslConfiguration,
+            switch.rsaPublicKey,
+        )
         buffer.writeBytes(bytes)
 
         return buffer
 
@@ -31,7 +31,7 @@ class HandshakeResponseEncoder(private val charset: Charset, private val headerE
             val authenticator = this.authenticationMethods.getOrElse(
                 method
             ) { throw UnsupportedAuthenticationMethodException(method) }
-            val bytes = authenticator.generateAuthentication(charset, m.password, m.seed)
+            val bytes = authenticator.generateAuthentication(charset, m.password, m.seed, m.sslConfiguration, m.rsaPublicKey)
             buffer.writeByte(bytes.length)
             buffer.writeBytes(bytes)
         } else {
 
@@ -1,10 +1,18 @@
 package com.github.jasync.sql.db.mysql.encoder.auth
 
+import com.github.jasync.sql.db.SSLConfiguration
 import java.nio.charset.Charset
+import java.nio.file.Path
 
 interface AuthenticationMethod {
 
-    fun generateAuthentication(charset: Charset, password: String?, seed: ByteArray?): ByteArray
+    fun generateAuthentication(
+        charset: Charset,
+        password: String?,
+        seed: ByteArray,
+        sslConfiguration: SSLConfiguration,
+        rsaPublicKey: Path?,
+    ): ByteArray
 
     companion object {
         const val CachingSha2 = "caching_sha2_password"
 
@@ -1,6 +1,5 @@
 package com.github.jasync.sql.db.mysql.encoder.auth
 
-import com.github.jasync.sql.db.util.length
 import java.nio.charset.Charset
 import java.security.MessageDigest
 import kotlin.experimental.xor
@@ -32,11 +31,8 @@ object AuthenticationScrambler {
         }
 
         val result = messageDigest.digest()
-        var counter = 0
-
-        while (counter < result.length) {
-            result[counter] = (result[counter] xor initialDigest[counter])
-            counter += 1
+        for ((index, byte) in result.withIndex()) {
+            result[index] = byte xor initialDigest[index]
         }
 
         return result
 
@@ -1,22 +1,22 @@
 package com.github.jasync.sql.db.mysql.encoder.auth
 
+import com.github.jasync.sql.db.SSLConfiguration
 import java.nio.charset.Charset
+import java.nio.file.Path
 
 object CachingSha2PasswordAuthentication : AuthenticationMethod {
 
     private val EmptyArray = ByteArray(0)
 
-    override fun generateAuthentication(charset: Charset, password: String?, seed: ByteArray?): ByteArray {
+    override fun generateAuthentication(
+        charset: Charset,
+        password: String?,
+        seed: ByteArray,
+        sslConfiguration: SSLConfiguration,
+        rsaPublicKey: Path?,
+    ): ByteArray {
         return if (password != null) {
-            if (seed != null) {
-                // Fast authentication mode. Requires seed, but not SSL.
-                AuthenticationScrambler.scramble411("SHA-256", password, charset, seed, false)
-            } else {
-                // Full authentication mode.
-                // Since this sends the plaintext password, SSL is required.
-                // Without SSL, the server always rejects the password.
-                Sha256PasswordAuthentication.generateAuthentication(charset, password, null)
-            }
+            AuthenticationScrambler.scramble411("SHA-256", password, charset, seed, false)
         } else {
             EmptyArray
         }
 
@@ -1,14 +1,20 @@
 package com.github.jasync.sql.db.mysql.encoder.auth
 
+import com.github.jasync.sql.db.SSLConfiguration
 import java.nio.charset.Charset
+import java.nio.file.Path
 
 object MySQLNativePasswordAuthentication : AuthenticationMethod {
 
     private val EmptyArray = ByteArray(0)
 
-    override fun generateAuthentication(charset: Charset, password: String?, seed: ByteArray?): ByteArray {
-        requireNotNull(seed) { "Seed should not be null" }
-
+    override fun generateAuthentication(
+        charset: Charset,
+        password: String?,
+        seed: ByteArray,
+        sslConfiguration: SSLConfiguration,
+        rsaPublicKey: Path?,
+    ): ByteArray {
         return if (password != null) {
             AuthenticationScrambler.scramble411("SHA-1", password, charset, seed, true)
         } else {