BUG21420906: Fix connect using SHA256 user with blank password

Connect was failing with "Access denied" error while connecting
to MySQL server with a user identified with "sha256_password"
plugin and a blank password. We fix this issue by correctly
sending the auth_response packet.

Unit tests are updated with this patch.

Author: peeyushgupta

lib/mysql/connector/authentication.py

@@ -92,7 +92,7 @@ def prepare_password(self):
             raise errors.InterfaceError("Missing authentication data (seed)")
 
         if not self._password:
-            return b'\x00'
+            return b''
         password = self._password
 
         if isstr(self._password):

lib/mysql/connector/connection.py

@@ -167,10 +167,7 @@ def _auth_switch_request(self, username=None, password=None):
             auth = get_auth_plugin(new_auth_plugin)(
                 auth_data, password=password, ssl_enabled=self._ssl_active)
             response = auth.auth_response()
-            if response == b'\x00':
-                self._socket.send(b'')
-            else:
-                self._socket.send(response)
+            self._socket.send(response)
             packet = self._socket.recv()
             if packet[4] != 1:
                 return self._handle_ok(packet)

tests/test_authentication.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 # MySQL Connector/Python - MySQL driver written in Python.
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
 
 # MySQL Connector/Python is licensed under the terms of the GPLv2
 # <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most
@@ -125,7 +125,7 @@ def test_prepare_password(self):
                           auth_plugin.prepare_password)
 
         if PY2:
-            empty = '\x00'
+            empty = ''
             auth_data = (
                 '\x3b\x55\x78\x7d\x2c\x5f\x7c\x72\x49\x52'
                 '\x3f\x28\x47\x6f\x77\x28\x5f\x28\x46\x69'
@@ -135,7 +135,7 @@ def test_prepare_password(self):
                 '\x29\x88\xaa\xae\xdb\x00\xb3\x4d\x91\x5b'
             )
         else:
-            empty = b'\x00'
+            empty = b''
             auth_data = (
                 b'\x3b\x55\x78\x7d\x2c\x5f\x7c\x72\x49\x52'
                 b'\x3f\x28\x47\x6f\x77\x28\x5f\x28\x46\x69'

tests/test_bugs.py

@@ -2220,6 +2220,16 @@ class BugOra16217765(tests.MySQLConnectorTests):
             'password': 'nativeP@ss',
         },
     }
+    users_nopass = {
+        'sha256_password': {
+            'username': 'sha256user_np',
+            'password': '',
+        },
+        'mysql_native_password': {
+            'username': 'nativeuser_np',
+            'password': '',
+        },
+    }
 
     def _create_user(self, cnx, user, password, host, database,
                      plugin):
@@ -2281,28 +2291,28 @@ def test_sha256(self):
         })
 
         auth_plugin = 'sha256_password'
-        user = self.users[auth_plugin]
-        self._create_user(self.admin_cnx, user['username'],
-                          user['password'],
-                          self.host,
-                          config['database'],
-                          plugin=auth_plugin)
+        for user in (self.users[auth_plugin], self.users_nopass[auth_plugin]):
+            self._create_user(self.admin_cnx, user['username'],
+                              user['password'],
+                              self.host,
+                              config['database'],
+                              plugin=auth_plugin)
 
-        config['user'] = user['username']
-        config['password'] = user['password']
-        config['client_flags'] = [constants.ClientFlag.PLUGIN_AUTH]
+            config['user'] = user['username']
+            config['password'] = user['password']
+            config['client_flags'] = [constants.ClientFlag.PLUGIN_AUTH]
 
-        try:
-            cnx = connection.MySQLConnection(**config)
-        except:
-            import traceback
-            traceback.print_exc()
-            self.fail("Connecting using sha256_password auth failed")
+            try:
+                cnx = connection.MySQLConnection(**config)
+            except:
+                import traceback
+                traceback.print_exc()
+                self.fail("Connecting using sha256_password auth failed")
 
-        try:
-            cnx.cmd_change_user(config['user'], config['password'])
-        except:
-            self.fail("Changing user using sha256_password auth failed")
+            try:
+                cnx.cmd_change_user(config['user'], config['password'])
+            except:
+                self.fail("Changing user using sha256_password auth failed")
 
     @unittest.skipIf(tests.MYSQL_VERSION < (5, 6, 6),
                      "MySQL {0} does not support sha256_password auth".format(
@@ -2312,18 +2322,18 @@ def test_sha256_nonssl(self):
         config['unix_socket'] = None
 
         auth_plugin = 'sha256_password'
-        user = self.users[auth_plugin]
-        self._create_user(self.admin_cnx, user['username'],
-                          user['password'],
-                          self.host,
-                          config['database'],
-                          plugin=auth_plugin)
-
-        config['user'] = user['username']
-        config['password'] = user['password']
-        config['client_flags'] = [constants.ClientFlag.PLUGIN_AUTH]
-        self.assertRaises(errors.InterfaceError, connection.MySQLConnection,
-                          **config)
+        for user in (self.users[auth_plugin], self.users_nopass[auth_plugin]):
+            self._create_user(self.admin_cnx, user['username'],
+                              user['password'],
+                              self.host,
+                              config['database'],
+                              plugin=auth_plugin)
+
+            config['user'] = user['username']
+            config['password'] = user['password']
+            config['client_flags'] = [constants.ClientFlag.PLUGIN_AUTH]
+            self.assertRaises(errors.InterfaceError, connection.MySQLConnection,
+                              **config)
 
     @unittest.skipIf(tests.MYSQL_VERSION < (5, 5, 7),
                      "MySQL {0} does not support authentication plugins".format(
@@ -2333,21 +2343,21 @@ def test_native(self):
         config['unix_socket'] = None
 
         auth_plugin = 'mysql_native_password'
-        user = self.users[auth_plugin]
-        self._create_user(self.admin_cnx, user['username'],
-                          user['password'],
-                          self.host,
-                          config['database'],
-                          plugin=auth_plugin)
-
-        config['user'] = user['username']
-        config['password'] = user['password']
-        config['client_flags'] = [constants.ClientFlag.PLUGIN_AUTH]
-        try:
-            cnx = connection.MySQLConnection(**config)
-        except Exception as exc:
-            self.fail("Connecting using {0} auth failed: {1}".format(
-                auth_plugin, exc))
+        for user in (self.users[auth_plugin], self.users_nopass[auth_plugin]):
+            self._create_user(self.admin_cnx, user['username'],
+                              user['password'],
+                              self.host,
+                              config['database'],
+                              plugin=auth_plugin)
+
+            config['user'] = user['username']
+            config['password'] = user['password']
+            config['client_flags'] = [constants.ClientFlag.PLUGIN_AUTH]
+            try:
+                cnx = connection.MySQLConnection(**config)
+            except Exception as exc:
+                self.fail("Connecting using {0} auth failed: {1}".format(
+                    auth_plugin, exc))
 
 
 class BugOra18144971(tests.MySQLConnectorTests):