RubyGems - mysql-pr - Versions diffs - 2.9.11 → 3.0.1 - Mend

mysql-pr 2.9.11 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

data/lib/mysql-pr/protocol.rb CHANGED Viewed

@@ -1,17 +1,20 @@
+# frozen_string_literal: true
 # Copyright (C) 2008-2012 TOMITA Masahiro
 # mailto:tommy@tmtm.org
 require "socket"
 require "timeout"
 require "digest/sha1"
+require "digest/sha2"
 require "stringio"
+require "openssl"
 class MysqlPR
   # MySQL network protocol
   class Protocol
     VERSION = 10
-    MAX_PACKET_LENGTH = 2**24-1
+    MAX_PACKET_LENGTH = 2**24 - 1
     # Convert netdata to Ruby value
     # === Argument
@@ -23,42 +26,59 @@ class MysqlPR
     def self.net2value(pkt, type, unsigned)
       case type
       when Field::TYPE_STRING, Field::TYPE_VAR_STRING, Field::TYPE_NEWDECIMAL, Field::TYPE_BLOB
-        return pkt.lcs
+        pkt.lcs
       when Field::TYPE_TINY
         v = pkt.utiny
-        return unsigned ? v : v < 128 ? v : v-256
+        if unsigned
+          v
+        else
+          v < 128 ? v : v - 256
+        end
       when Field::TYPE_SHORT
         v = pkt.ushort
-        return unsigned ? v : v < 32768 ? v : v-65536
+        if unsigned
+          v
+        else
+          v < 32_768 ? v : v - 65_536
+        end
       when Field::TYPE_INT24, Field::TYPE_LONG
         v = pkt.ulong
-        return unsigned ? v : v < 2**32/2 ? v : v-2**32
+        if unsigned
+          v
+        else
+          v < 2**32 / 2 ? v : v - 2**32
+        end
       when Field::TYPE_LONGLONG
-        n1, n2 = pkt.ulong, pkt.ulong
+        n1 = pkt.ulong
+        n2 = pkt.ulong
         v = (n2 << 32) | n1
-        return unsigned ? v : v < 2**64/2 ? v : v-2**64
+        if unsigned
+          v
+        else
+          v < 2**64 / 2 ? v : v - 2**64
+        end
       when Field::TYPE_FLOAT
-        return pkt.read(4).unpack('e').first
+        pkt.read(4).unpack1("e")
       when Field::TYPE_DOUBLE
-        return pkt.read(8).unpack('E').first
+        pkt.read(8).unpack1("E")
       when Field::TYPE_DATE
         len = pkt.utiny
         y, m, d = pkt.read(len).unpack("vCC")
-        t = MysqlPR::Time.new(y, m, d, nil, nil, nil)
-        return t
+        MysqlPR::Time.new(y, m, d, nil, nil, nil)
       when Field::TYPE_DATETIME, Field::TYPE_TIMESTAMP
         len = pkt.utiny
         y, m, d, h, mi, s, sp = pkt.read(len).unpack("vCCCCCV")
-        return MysqlPR::Time.new(y, m, d, h, mi, s, false, sp)
+        MysqlPR::Time.new(y, m, d, h, mi, s, false, sp)
       when Field::TYPE_TIME
         len = pkt.utiny
         sign, d, h, mi, s, sp = pkt.read(len).unpack("CVCCCV")
         h = d.to_i * 24 + h.to_i
-        return MysqlPR::Time.new(0, 0, 0, h, mi, s, sign!=0, sp)
+        MysqlPR::Time.new(0, 0, 0, h, mi, s, sign != 0, sp)
       when Field::TYPE_YEAR
-        return pkt.ushort
+        pkt.ushort
       when Field::TYPE_BIT
-        return pkt.lcs
+        pkt.lcs
       else
         raise "not implemented: type=#{type}"
       end
@@ -90,26 +110,24 @@ class MysqlPR
             val = [v].pack("V")
           elsif v < 256**8
             type = Field::TYPE_LONGLONG | 0x8000
-            val = [v&0xffffffff, v>>32].pack("VV")
+            val = [v & 0xffffffff, v >> 32].pack("VV")
           else
             raise ProtocolError, "value too large: #{v}"
           end
+        elsif -v <= 256 / 2
+          type = Field::TYPE_TINY
+          val = [v].pack("C")
+        elsif -v <= 256**2 / 2
+          type = Field::TYPE_SHORT
+          val = [v].pack("v")
+        elsif -v <= 256**4 / 2
+          type = Field::TYPE_LONG
+          val = [v].pack("V")
+        elsif -v <= 256**8 / 2
+          type = Field::TYPE_LONGLONG
+          val = [v & 0xffffffff, v >> 32].pack("VV")
         else
-          if -v <= 256/2
-            type = Field::TYPE_TINY
-            val = [v].pack("C")
-          elsif -v <= 256**2/2
-            type = Field::TYPE_SHORT
-            val = [v].pack("v")
-          elsif -v <= 256**4/2
-            type = Field::TYPE_LONG
-            val = [v].pack("V")
-          elsif -v <= 256**8/2
-            type = Field::TYPE_LONGLONG
-            val = [v&0xffffffff, v>>32].pack("VV")
-          else
-            raise ProtocolError, "value too large: #{v}"
-          end
+          raise ProtocolError, "value too large: #{v}"
         end
       when Float
         type = Field::TYPE_DOUBLE
@@ -123,18 +141,11 @@ class MysqlPR
       else
         raise ProtocolError, "class #{v.class} is not supported"
       end
-      return type, val
+      [type, val]
     end
-    attr_reader :server_info
-    attr_reader :server_version
-    attr_reader :thread_id
-    attr_reader :sqlstate
-    attr_reader :affected_rows
-    attr_reader :insert_id
-    attr_reader :server_status
-    attr_reader :warning_count
-    attr_reader :message
+    attr_reader :server_info, :server_version, :thread_id, :sqlstate, :affected_rows, :insert_id, :server_status,
+                :warning_count, :message
     attr_accessor :charset
     # @state variable keep state for connection.
@@ -151,22 +162,29 @@ class MysqlPR
     # conn_timeout :: [Integer] connect timeout (sec).
     # read_timeout :: [Integer] read timeout (sec).
     # write_timeout :: [Integer] write timeout (sec).
+    # ssl_options :: [Hash / nil] SSL options. nil means no SSL.
     # === Exception
     # [ClientError] :: connection timeout
-    def initialize(host, port, socket, conn_timeout, read_timeout, write_timeout)
+    def initialize(host, port, socket, conn_timeout, read_timeout, write_timeout, ssl_options = nil)
       @insert_id = 0
       @warning_count = 0
-      @gc_stmt_queue = []   # stmt id list which GC destroy.
+      @gc_stmt_queue = [] # stmt id list which GC destroy.
       set_state :INIT
       @read_timeout = read_timeout
       @write_timeout = write_timeout
+      @ssl_options = ssl_options
+      @ssl_enabled = false
       begin
         Timeout.timeout conn_timeout do
-          if host.nil? or host.empty? or host == "localhost"
+          if host.nil? || host.empty? || (host == "localhost")
             socket ||= ENV["MYSQL_UNIX_PORT"] || MYSQL_UNIX_PORT
             @sock = UNIXSocket.new socket
           else
-            port ||= ENV["MYSQL_TCP_PORT"] || (Socket.getservbyname("mysql","tcp") rescue MYSQL_TCP_PORT)
+            port ||= ENV["MYSQL_TCP_PORT"] || begin
+              Socket.getservbyname("mysql", "tcp")
+            rescue StandardError
+              MYSQL_TCP_PORT
+            end
             @sock = TCPSocket.new host, port
           end
         end
@@ -175,6 +193,18 @@ class MysqlPR
       end
     end
+    # Returns true if SSL is enabled for this connection
+    def ssl_enabled?
+      @ssl_enabled
+    end
+    # Returns SSL cipher info if SSL is enabled
+    def ssl_cipher
+      return nil unless @ssl_enabled && @sock.respond_to?(:cipher)
+      @sock.cipher
+    end
     def close
       @sock.close
     end
@@ -194,22 +224,170 @@ class MysqlPR
       reset
       init_packet = InitialPacket.parse read
       @server_info = init_packet.server_version
-      @server_version = init_packet.server_version.split(/\D/)[0,3].inject{|a,b|a.to_i*100+b.to_i}
+      @server_version = init_packet.server_version.split(/\D/)[0, 3].inject { |a, b| a.to_i * 100 + b.to_i }
       @thread_id = init_packet.thread_id
-      client_flags = CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_TRANSACTIONS | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
+      client_flags = CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG | CLIENT_TRANSACTIONS |
+                     CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
+      client_flags |= CLIENT_PLUGIN_AUTH
       client_flags |= CLIENT_CONNECT_WITH_DB if db
       client_flags |= flag
       @charset = charset
       unless @charset
         @charset = Charset.by_number(init_packet.server_charset)
-        @charset.encoding       # raise error if unsupported charset
+        @charset.encoding # raise error if unsupported charset
       end
-      netpw = encrypt_password passwd, init_packet.scramble_buff
-      write AuthenticationPacket.serialize(client_flags, 1024**3, @charset.number, user, netpw, db)
-      raise ProtocolError, 'The old style password is not supported' if read.to_s == "\xfe"
-      set_state :READY
+      # SSL handshake if requested and server supports it
+      if @ssl_options && (init_packet.server_capabilities & CLIENT_SSL) != 0
+        client_flags |= CLIENT_SSL
+        # Send SSL request packet (partial auth packet with SSL flag)
+        write SSLRequestPacket.serialize(client_flags, 1024**3, @charset.number)
+        # Upgrade connection to SSL
+        upgrade_to_ssl
+      elsif @ssl_options && @ssl_options[:required]
+        raise ClientError, "SSL required but server does not support SSL"
+      end
+      auth_plugin = init_packet.auth_plugin_name || "mysql_native_password"
+      scramble = init_packet.scramble_buff
+      # Choose password encryption based on auth plugin
+      netpw = if auth_plugin == "caching_sha2_password"
+                encrypt_password_sha256(passwd, scramble)
+              else
+                encrypt_password(passwd, scramble)
+              end
+      write AuthenticationPacket.serialize(client_flags, 1024**3, @charset.number, user, netpw, db, auth_plugin)
+      # Read response
+      response = read
+      response_data = response.to_s
+      # Handle different response types
+      case response_data.getbyte(0)
+      when 0x00
+        # OK packet - authentication successful
+        set_state :READY
+      when 0xfe
+        # Auth switch request
+        handle_auth_switch(response_data, passwd)
+      when 0x01
+        # More data - caching_sha2_password specific
+        handle_caching_sha2_more_data(response_data, passwd, scramble)
+      else
+        raise ProtocolError, "Unexpected auth response: #{response_data.getbyte(0)}"
+      end
+    end
+    # Handle auth switch request
+    def handle_auth_switch(response_data, passwd)
+      # Parse auth switch request: 0xfe + plugin_name + scramble
+      pkt = Packet.new(response_data[1..])
+      plugin_name = pkt.string
+      scramble = pkt.to_s
+      if plugin_name == "mysql_native_password"
+        netpw = encrypt_password(passwd, scramble)
+        write netpw
+        read # OK or error
+        set_state :READY
+      elsif plugin_name == "caching_sha2_password"
+        netpw = encrypt_password_sha256(passwd, scramble)
+        write netpw
+        response = read
+        if response.to_s.getbyte(0) == 0x01
+          handle_caching_sha2_more_data(response.to_s, passwd, scramble)
+        else
+          set_state :READY
+        end
+      else
+        raise ProtocolError, "Unsupported auth plugin: #{plugin_name}"
+      end
+    end
+    # Handle caching_sha2_password "more data" response
+    def handle_caching_sha2_more_data(response_data, passwd, scramble)
+      # 0x01 + status byte
+      status = response_data.getbyte(1)
+      case status
+      when 0x03
+        # Fast auth success - server already has cached password hash
+        read # Read the final OK packet
+        set_state :READY
+      when 0x04
+        # Full authentication required
+        if @ssl_enabled
+          # Send plaintext password over SSL
+          write "#{passwd}\x00"
+        else
+          # Need RSA encryption - request public key
+          write "\x02" # Request public key
+          pubkey_response = read
+          pubkey_data = pubkey_response.to_s
+          raise ProtocolError, "Failed to get server public key" unless pubkey_data.getbyte(0) == 0x01
+          # Got public key
+          public_key = pubkey_data[1..]
+          encrypted_password = rsa_encrypt_password(passwd, scramble, public_key)
+          write encrypted_password
+        end
+        read
+        set_state :READY
+      else
+        raise ProtocolError, "Unknown caching_sha2_password status: #{status}"
+      end
+    end
+    # RSA encrypt password for caching_sha2_password
+    def rsa_encrypt_password(passwd, scramble, public_key_pem)
+      # XOR password with scramble
+      passwd_bytes = "#{passwd}\x00".bytes
+      scramble_bytes = scramble.bytes
+      xored = passwd_bytes.each_with_index.map { |b, i| b ^ scramble_bytes[i % scramble_bytes.length] }
+      # Encrypt with RSA public key
+      rsa = OpenSSL::PKey::RSA.new(public_key_pem)
+      rsa.public_encrypt(xored.pack("C*"), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    end
+    private
+    # Upgrade the connection to SSL/TLS
+    def upgrade_to_ssl
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      # Configure SSL context based on options
+      ssl_context.ca_file = @ssl_options[:ca] if @ssl_options[:ca]
+      ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_options[:cert])) if @ssl_options[:cert]
+      ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_options[:key])) if @ssl_options[:key]
+      ssl_context.ca_path = @ssl_options[:ca_path] if @ssl_options[:ca_path]
+      # Set verification mode
+      ssl_context.verify_mode = if @ssl_options[:verify] == false
+                                  OpenSSL::SSL::VERIFY_NONE
+                                else
+                                  OpenSSL::SSL::VERIFY_PEER
+                                end
+      # Set minimum TLS version if specified
+      ssl_context.min_version = @ssl_options[:min_version] if @ssl_options[:min_version]
+      # Wrap socket in SSL
+      ssl_socket = OpenSSL::SSL::SSLSocket.new(@sock, ssl_context)
+      ssl_socket.hostname = @ssl_options[:hostname] if @ssl_options[:hostname]
+      ssl_socket.sync_close = true
+      ssl_socket.connect
+      @sock = ssl_socket
+      @ssl_enabled = true
     end
+    public
     # Quit command
     def quit_command
       synchronize do
@@ -230,7 +408,7 @@ class MysqlPR
         reset
         write [COM_QUERY, @charset.convert(query)].pack("Ca*")
         get_result
-      rescue
+      rescue StandardError
         set_state :READY
         raise
       end
@@ -240,26 +418,27 @@ class MysqlPR
     # === Return
     # [integer / nil] number of fields of results. nil if no results.
     def get_result
-      begin
-        res_packet = ResultPacket.parse read
-        if res_packet.field_count.to_i > 0  # result data exists
-          set_state :FIELD
-          return res_packet.field_count
-        end
-        if res_packet.field_count.nil?      # LOAD DATA LOCAL INFILE
-          filename = res_packet.message
-          File.open(filename){|f| write f}
-          write nil  # EOF mark
-          read
-        end
-        @affected_rows, @insert_id, @server_status, @warning_count, @message =
-          res_packet.affected_rows, res_packet.insert_id, res_packet.server_status, res_packet.warning_count, res_packet.message
-        set_state :READY
-        return nil
-      rescue
-        set_state :READY
-        raise
-      end
+      res_packet = ResultPacket.parse read
+      if res_packet.field_count.to_i.positive? # result data exists
+        set_state :FIELD
+        return res_packet.field_count
+      end
+      if res_packet.field_count.nil? # LOAD DATA LOCAL INFILE
+        filename = res_packet.message
+        File.open(filename) { |f| write f }
+        write nil # EOF mark
+        read
+      end
+      @affected_rows = res_packet.affected_rows
+      @insert_id = res_packet.insert_id
+      @server_status = res_packet.server_status
+      @warning_count = res_packet.warning_count
+      @message = res_packet.message
+      set_state :READY
+      nil
+    rescue StandardError
+      set_state :READY
+      raise
     end
     # Retrieve n fields
@@ -270,11 +449,11 @@ class MysqlPR
     def retr_fields(n)
       check_state :FIELD
       begin
-        fields = n.times.map{Field.new FieldPacket.parse(read)}
+        fields = n.times.map { Field.new FieldPacket.parse(read) }
         read_eof_packet
         set_state :RESULT
         fields
-      rescue
+      rescue StandardError
         set_state :READY
         raise
       end
@@ -328,11 +507,11 @@ class MysqlPR
         reset
         write [COM_PROCESS_INFO].pack("C")
         field_count = read.lcb
-        fields = field_count.times.map{Field.new FieldPacket.parse(read)}
+        fields = field_count.times.map { Field.new FieldPacket.parse(read) }
         read_eof_packet
         set_state :RESULT
-        return fields
-      rescue
+        fields
+      rescue StandardError
         set_state :READY
         raise
       end
@@ -380,12 +559,12 @@ class MysqlPR
         reset
         write [COM_STMT_PREPARE, charset.convert(stmt)].pack("Ca*")
         res_packet = PrepareResultPacket.parse read
-        if res_packet.param_count > 0
-          res_packet.param_count.times{read}    # skip parameter packet
+        if res_packet.param_count.positive?
+          res_packet.param_count.times { read } # skip parameter packet
           read_eof_packet
         end
-        if res_packet.field_count > 0
-          fields = res_packet.field_count.times.map{Field.new FieldPacket.parse(read)}
+        if res_packet.field_count.positive?
+          fields = res_packet.field_count.times.map { Field.new FieldPacket.parse(read) }
           read_eof_packet
         else
           fields = []
@@ -406,7 +585,7 @@ class MysqlPR
         reset
         write ExecutePacket.serialize(stmt_id, MysqlPR::Stmt::CURSOR_TYPE_NO_CURSOR, values)
         get_result
-      rescue
+      rescue StandardError
         set_state :READY
         raise
       end
@@ -449,36 +628,34 @@ class MysqlPR
     private
     def check_state(st)
-      raise 'command out of sync' unless @state == st
+      raise "command out of sync" unless @state == st
     end
     def set_state(st)
       @state = st
-      if st == :READY
-        gc_disabled = GC.disable unless RUBY_PLATFORM == 'java'
-        begin
-          while st = @gc_stmt_queue.shift
-            reset
-            write [COM_STMT_CLOSE, st].pack("CV")
-          end
-        ensure
-          GC.enable unless gc_disabled unless RUBY_PLATFORM == 'java'
+      return unless st == :READY
+      gc_disabled = GC.disable unless RUBY_PLATFORM == "java"
+      begin
+        while (st = @gc_stmt_queue.shift)
+          reset
+          write [COM_STMT_CLOSE, st].pack("CV")
         end
+      ensure
+        GC.enable if RUBY_PLATFORM != "java" && !gc_disabled
       end
     end
     def synchronize
-      begin
-        check_state :READY
-        return yield
-      ensure
-        set_state :READY
-      end
+      check_state :READY
+      yield
+    ensure
+      set_state :READY
     end
     # Reset sequence number
     def reset
-      @seq = 0    # packet counter. reset by each command
+      @seq = 0 # packet counter. reset by each command
     end
     # Read one packet data
@@ -489,35 +666,39 @@ class MysqlPR
     def read
       ret = ""
       len = nil
-      begin
+      loop do
         Timeout.timeout @read_timeout do
           header = @sock.read(4)
           raise EOFError unless header && header.length == 4
           len1, len2, seq = header.unpack("CvC")
           len = (len2 << 8) + len1
           raise ProtocolError, "invalid packet: sequence number mismatch(#{seq} != #{@seq}(expected))" if @seq != seq
           @seq = (@seq + 1) % 256
           ret = @sock.read(len)
           raise EOFError unless ret && ret.length == len
         end
       rescue EOFError
-        raise ClientError::ServerGoneError, 'The MySQL server has gone away'
+        raise ClientError::ServerGoneError, "The MySQL server has gone away"
       rescue Timeout::Error
         raise ClientError, "read timeout"
-      end while len == MAX_PACKET_LENGTH
+        break unless len == MAX_PACKET_LENGTH
+      end
       @sqlstate = "00000"
-      # Error packet
-      if ret[0] == ?\xff
-        f, errno, marker, @sqlstate, message = ret.unpack("Cvaa5a*")
+      # Error packet (use getbyte for encoding-safe comparison)
+      if ret.getbyte(0) == 0xff
+        _, errno, marker, @sqlstate, message = ret.unpack("Cvaa5a*")
         unless marker == "#"
-          f, errno, message = ret.unpack("Cva*")    # Version 4.0 Error
+          _, errno, message = ret.unpack("Cva*") # Version 4.0 Error
           @sqlstate = ""
         end
         if MysqlPR::ServerError::ERROR_MAP.key? errno
           raise MysqlPR::ServerError::ERROR_MAP[errno].new(message, @sqlstate)
         end
         raise MysqlPR::ServerError.new(message, @sqlstate)
       end
       Packet.new(ret)
@@ -527,32 +708,30 @@ class MysqlPR
     # === Argument
     # data :: [String / IO] packet data. If data is nil, write empty packet.
     def write(data)
-      begin
-        @sock.sync = false
-        if data.nil?
+      @sock.sync = false
+      if data.nil?
+        Timeout.timeout @write_timeout do
+          @sock.write [0, 0, @seq].pack("CvC")
+        end
+        @seq = (@seq + 1) % 256
+      else
+        data = StringIO.new data if data.is_a? String
+        while (d = data.read(MAX_PACKET_LENGTH))
           Timeout.timeout @write_timeout do
-            @sock.write [0, 0, @seq].pack("CvC")
+            @sock.write [d.length % 256, d.length / 256, @seq].pack("CvC")
+            @sock.write d
           end
           @seq = (@seq + 1) % 256
-        else
-          data = StringIO.new data if data.is_a? String
-          while d = data.read(MAX_PACKET_LENGTH)
-            Timeout.timeout @write_timeout do
-              @sock.write [d.length%256, d.length/256, @seq].pack("CvC")
-              @sock.write d
-            end
-            @seq = (@seq + 1) % 256
-          end
-        end
-        @sock.sync = true
-        Timeout.timeout @write_timeout do
-          @sock.flush
         end
-      rescue Errno::EPIPE
-        raise ClientError::ServerGoneError, 'The MySQL server has gone away'
-      rescue Timeout::Error
-        raise ClientError, "write timeout"
       end
+      @sock.sync = true
+      Timeout.timeout @write_timeout do
+        @sock.flush
+      end
+    rescue Errno::EPIPE
+      raise ClientError::ServerGoneError, "The MySQL server has gone away"
+    rescue Timeout::Error
+      raise ClientError, "write timeout"
     end
     # Read EOF packet
@@ -575,17 +754,36 @@ class MysqlPR
       end
     end
-    # Encrypt password
+    # Encrypt password for mysql_native_password (SHA1)
     # === Argument
     # plain    :: [String] plain password.
     # scramble :: [String] scramble code from initial packet.
     # === Return
     # [String] encrypted password
     def encrypt_password(plain, scramble)
-      return "" if plain.nil? or plain.empty?
+      return "" if plain.nil? || plain.empty?
       hash_stage1 = Digest::SHA1.digest plain
       hash_stage2 = Digest::SHA1.digest hash_stage1
-      return hash_stage1.unpack("C*").zip(Digest::SHA1.digest(scramble+hash_stage2).unpack("C*")).map{|a,b| a^b}.pack("C*")
+      hash_stage1.unpack("C*").zip(Digest::SHA1.digest(scramble + hash_stage2).unpack("C*")).map do |a, b|
+        a ^ b
+      end.pack("C*")
+    end
+    # Encrypt password for caching_sha2_password (SHA256)
+    # === Argument
+    # plain    :: [String] plain password.
+    # scramble :: [String] scramble code from initial packet.
+    # === Return
+    # [String] encrypted password
+    def encrypt_password_sha256(plain, scramble)
+      return "" if plain.nil? || plain.empty?
+      hash_stage1 = Digest::SHA256.digest(plain)
+      hash_stage2 = Digest::SHA256.digest(hash_stage1)
+      hash_stage1.unpack("C*").zip(Digest::SHA256.digest(hash_stage2 + scramble).unpack("C*")).map do |a, b|
+        a ^ b
+      end.pack("C*")
     end
     # Initial packet
@@ -599,18 +797,34 @@ class MysqlPR
         server_capabilities = pkt.ushort
         server_charset = pkt.utiny
         server_status = pkt.ushort
-        f1 = pkt.read(13)
-        rest_scramble_buff = pkt.string
+        server_capabilities_upper = pkt.ushort
+        auth_plugin_data_length = pkt.utiny
+        pkt.read(10) # reserved
+        # Read rest of scramble (12 bytes for caching_sha2_password, or variable)
+        rest_scramble_len = [auth_plugin_data_length - 8, 12].max
+        rest_scramble_buff = pkt.read(rest_scramble_len)
+        # Remove trailing null if present
+        rest_scramble_buff = rest_scramble_buff.sub(/\x00+\z/, "")
+        auth_plugin_name = begin
+          pkt.string
+        rescue StandardError
+          "mysql_native_password"
+        end
         raise ProtocolError, "unsupported version: #{protocol_version}" unless protocol_version == VERSION
-        raise ProtocolError, "invalid packet: f0=#{f0}" unless f0 == 0
+        raise ProtocolError, "invalid packet: f0=#{f0}" unless f0.zero?
         scramble_buff.concat rest_scramble_buff
-        self.new protocol_version, server_version, thread_id, server_capabilities, server_charset, server_status, scramble_buff
+        server_capabilities |= (server_capabilities_upper << 16)
+        new protocol_version, server_version, thread_id, server_capabilities, server_charset, server_status,
+            scramble_buff, auth_plugin_name
       end
-      attr_reader :protocol_version, :server_version, :thread_id, :server_capabilities, :server_charset, :server_status, :scramble_buff
+      attr_reader :protocol_version, :server_version, :thread_id, :server_capabilities, :server_charset,
+                  :server_status, :scramble_buff, :auth_plugin_name
       def initialize(*args)
-        @protocol_version, @server_version, @thread_id, @server_capabilities, @server_charset, @server_status, @scramble_buff = args
+        @protocol_version, @server_version, @thread_id, @server_capabilities,
+          @server_charset, @server_status, @scramble_buff, @auth_plugin_name = args
       end
     end
@@ -618,17 +832,17 @@ class MysqlPR
     class ResultPacket
       def self.parse(pkt)
         field_count = pkt.lcb
-        if field_count == 0
+        if field_count.zero?
           affected_rows = pkt.lcb
           insert_id = pkt.lcb
           server_status = pkt.ushort
           warning_count = pkt.ushort
           message = pkt.lcs
-          return self.new(field_count, affected_rows, insert_id, server_status, warning_count, message)
-        elsif field_count.nil?   # LOAD DATA LOCAL INFILE
-          return self.new(nil, nil, nil, nil, nil, pkt.to_s)
+          new(field_count, affected_rows, insert_id, server_status, warning_count, message)
+        elsif field_count.nil? # LOAD DATA LOCAL INFILE
+          new(nil, nil, nil, nil, nil, pkt.to_s)
         else
-          return self.new(field_count)
+          new(field_count)
         end
       end
@@ -642,13 +856,13 @@ class MysqlPR
     # Field packet
     class FieldPacket
       def self.parse(pkt)
-        first = pkt.lcs
+        pkt.lcs
         db = pkt.lcs
         table = pkt.lcs
         org_table = pkt.lcs
         name = pkt.lcs
         org_name = pkt.lcs
-        f0 = pkt.utiny
+        pkt.utiny
         charsetnr = pkt.ushort
         length = pkt.ulong
         type = pkt.utiny
@@ -656,9 +870,10 @@ class MysqlPR
         decimals = pkt.utiny
         f1 = pkt.ushort
-        raise ProtocolError, "invalid packet: f1=#{f1}" unless f1 == 0
+        raise ProtocolError, "invalid packet: f1=#{f1}" unless f1.zero?
         default = pkt.lcs
-        return self.new(db, table, org_table, name, org_name, charsetnr, length, type, flags, decimals, default)
+        new(db, table, org_table, name, org_name, charsetnr, length, type, flags, decimals, default)
       end
       attr_reader :db, :table, :org_table, :name, :org_name, :charsetnr, :length, :type, :flags, :decimals, :default
@@ -671,14 +886,16 @@ class MysqlPR
     # Prepare result packet
     class PrepareResultPacket
       def self.parse(pkt)
-        raise ProtocolError, "invalid packet" unless pkt.utiny == 0
+        raise ProtocolError, "invalid packet" unless pkt.utiny.zero?
         statement_id = pkt.ulong
         field_count = pkt.ushort
         param_count = pkt.ushort
         f = pkt.utiny
         warning_count = pkt.ushort
-        raise ProtocolError, "invalid packet" unless f == 0x00
-        self.new statement_id, field_count, param_count, warning_count
+        raise ProtocolError, "invalid packet" unless f.zero?
+        new statement_id, field_count, param_count, warning_count
       end
       attr_reader :statement_id, :field_count, :param_count, :warning_count
@@ -688,18 +905,35 @@ class MysqlPR
       end
     end
+    # SSL Request packet - sent before SSL handshake
+    class SSLRequestPacket
+      def self.serialize(client_flags, max_packet_size, charset_number)
+        [
+          client_flags,
+          max_packet_size,
+          charset_number,
+          "" # filler: 23 bytes of 0x00
+        ].pack("VVCa23")
+      end
+    end
     # Authentication packet
     class AuthenticationPacket
-      def self.serialize(client_flags, max_packet_size, charset_number, username, scrambled_password, databasename)
-        [
+      def self.serialize(client_flags, max_packet_size, charset_number, username, scrambled_password, databasename,
+                         auth_plugin_name = nil)
+        packet = [
           client_flags,
           max_packet_size,
-          Packet.lcb(charset_number),
-          "",                   # always 0x00 * 23
-          username,
-          Packet.lcs(scrambled_password),
-          databasename
-        ].pack("VVa*a23Z*A*Z*")
+          charset_number,
+          "" # reserved 23 bytes
+        ].pack("VVCa23")
+        packet << "#{username}\x00"
+        packet << Packet.lcs(scrambled_password)
+        packet << "#{databasename}\x00" if databasename && (client_flags & MysqlPR::CLIENT_CONNECT_WITH_DB) != 0
+        packet << "#{auth_plugin_name}\x00" if auth_plugin_name && (client_flags & MysqlPR::CLIENT_PLUGIN_AUTH) != 0
+        packet
       end
     end
@@ -713,30 +947,32 @@ class MysqlPR
           netvalues.concat n if v
           t
         end
-        [MysqlPR::COM_STMT_EXECUTE, statement_id, cursor_type, 1, nbm, 1, types.pack("v*"), netvalues].pack("CVCVa*Ca*a*")
+        [MysqlPR::COM_STMT_EXECUTE, statement_id, cursor_type, 1, nbm, 1, types.pack("v*"),
+         netvalues].pack("CVCVa*Ca*a*")
       end
       # make null bitmap
       #
       # If values is [1, nil, 2, 3, nil] then returns "\x12"(0b10010).
       def self.null_bitmap(values)
-        bitmap = values.enum_for(:each_slice,8).map do |vals|
-          vals.reverse.inject(0){|b, v|(b << 1 | (v ? 0 : 1))}
+        bitmap = values.enum_for(:each_slice, 8).map do |vals|
+          vals.reverse.inject(0) { |b, v| (b << 1 | (v ? 0 : 1)) }
         end
-        return bitmap.pack("C*")
+        bitmap.pack("C*")
       end
     end
   end
   class RawRecord
     def initialize(packet, nfields, encoding)
-      @packet, @nfields, @encoding = packet, nfields, encoding
+      @packet = packet
+      @nfields = nfields
+      @encoding = encoding
     end
     def to_a
       @nfields.times.map do
-        if s = @packet.lcs
+        if (s = @packet.lcs)
           s = Charset.convert_encoding(s, @encoding)
         end
         s
@@ -750,34 +986,34 @@ class MysqlPR
     # fields  :: [Array of Fields]
     # encoding:: [Encoding]
     def initialize(packet, fields, encoding)
-      @packet, @fields, @encoding = packet, fields, encoding
+      @packet = packet
+      @fields = fields
+      @encoding = encoding
     end
     # Parse statement result packet
     # === Return
     # [Array of Object] one record
     def parse_record_packet
-      @packet.utiny  # skip first byte
-      null_bit_map = @packet.read((@fields.length+7+2)/8).unpack("b*").first
-      rec = @fields.each_with_index.map do |f, i|
-        if null_bit_map[i+2] == ?1
+      @packet.utiny # skip first byte
+      null_bit_map = @packet.read((@fields.length + 7 + 2) / 8).unpack1("b*")
+      @fields.each_with_index.map do |f, i|
+        if null_bit_map[i + 2] == "1"
           nil
         else
           unsigned = f.flags & Field::UNSIGNED_FLAG != 0
           v = Protocol.net2value(@packet, f.type, unsigned)
-          if v.is_a? Numeric or v.is_a? MysqlPR::Time
+          if v.is_a?(Numeric) || v.is_a?(MysqlPR::Time)
             v
-          elsif f.type == Field::TYPE_BIT or f.charsetnr == Charset::BINARY_CHARSET_NUMBER
+          elsif (f.type == Field::TYPE_BIT) || (f.charsetnr == Charset::BINARY_CHARSET_NUMBER)
             Charset.to_binary(v)
           else
             Charset.convert_encoding(v, @encoding)
           end
         end
       end
-      rec
     end
     alias to_a parse_record_packet
   end
 end