From 4ac31a97ccff97de60ba3c630bfb4733c1bb6d0e Mon Sep 17 00:00:00 2001
From: Julien Schmidt <julienschmidt@users.noreply.github.com>
Date: Tue, 29 Nov 2016 13:30:45 +0800
Subject: [PATCH] Fix old_password authentication via OldAuthSwitchRequest
 (#524)

If CLIENT_PLUGIN_AUTH capability is not supported, no new cipher is
sent have to keep using the cipher sent in the init packet.

Fixes #518
---
 driver.go  | 11 +++++++++--
 packets.go |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/driver.go b/driver.go
index f5ee4728e..0022d1f1e 100644
--- a/driver.go
+++ b/driver.go
@@ -101,7 +101,7 @@ func (d MySQLDriver) Open(dsn string) (driver.Conn, error) {
 	}
 
 	// Handle response to auth packet, switch methods if possible
-	if err = handleAuthResult(mc); err != nil {
+	if err = handleAuthResult(mc, cipher); err != nil {
 		// Authentication failed and MySQL has already closed the connection
 		// (https://dev.mysql.com/doc/internals/en/authentication-fails.html).
 		// Do not send COM_QUIT, just cleanup and return the error.
@@ -134,7 +134,7 @@ func (d MySQLDriver) Open(dsn string) (driver.Conn, error) {
 	return mc, nil
 }
 
-func handleAuthResult(mc *mysqlConn) error {
+func handleAuthResult(mc *mysqlConn, oldCipher []byte) error {
 	// Read Result Packet
 	cipher, err := mc.readResultOK()
 	if err == nil {
@@ -150,6 +150,13 @@ func handleAuthResult(mc *mysqlConn) error {
 		// Retry with old authentication method. Note: there are edge cases
 		// where this should work but doesn't; this is currently "wontfix":
 		// https://github.com/go-sql-driver/mysql/issues/184
+
+		// If CLIENT_PLUGIN_AUTH capability is not supported, no new cipher is
+		// sent and we have to keep using the cipher sent in the init packet.
+		if cipher == nil {
+			cipher = oldCipher
+		}
+
 		if err = mc.writeOldAuthPacket(cipher); err != nil {
 			return err
 		}
diff --git a/packets.go b/packets.go
index 481f1ddea..aafe9793e 100644
--- a/packets.go
+++ b/packets.go
@@ -499,6 +499,7 @@ func (mc *mysqlConn) readResultOK() ([]byte, error) {
 					return cipher, ErrUnknownPlugin
 				}
 			} else {
+				// https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::OldAuthSwitchRequest
 				return nil, ErrOldPassword
 			}