Add clear text password authentication

desdic · desdic · commit dc28bcee049a · 2025-10-20T11:01:56.000+02:00
diff --git a/client/auth.go b/client/auth.go
@@ -15,7 +15,7 @@ import (
 const defaultAuthPluginName = mysql.AUTH_NATIVE_PASSWORD
 
 // defines the supported auth plugins
-var supportedAuthPlugins = []string{mysql.AUTH_NATIVE_PASSWORD, mysql.AUTH_SHA256_PASSWORD, mysql.AUTH_CACHING_SHA2_PASSWORD, mysql.AUTH_MARIADB_ED25519}
+var supportedAuthPlugins = []string{mysql.AUTH_CLEAR_PASSWORD, mysql.AUTH_NATIVE_PASSWORD, mysql.AUTH_SHA256_PASSWORD, mysql.AUTH_CACHING_SHA2_PASSWORD, mysql.AUTH_MARIADB_ED25519}
 
 // helper function to determine what auth methods are allowed by this client
 func authPluginAllowed(pluginName string) bool {
diff --git a/server/auth.go b/server/auth.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
@@ -28,6 +29,9 @@ func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) err
 	}
 
 	switch authPluginName {
+	case mysql.AUTH_CLEAR_PASSWORD:
+		return c.compareClearPasswordAuthData(clientAuthData, c.credential)
+
 	case mysql.AUTH_NATIVE_PASSWORD:
 		return c.compareNativePasswordAuthData(clientAuthData, c.credential)
 
@@ -102,6 +106,16 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 	return subtle.ConstantTimeCompare(m, cached) == 1
 }
 
+func (c *Conn) compareClearPasswordAuthData(clientAuthData []byte, credential Credential) error {
+	clearText := bytes.TrimRight(clientAuthData, "\x00")
+
+	if bytes.Equal([]byte(credential.Password), clearText) {
+		return nil
+	}
+
+	return errAccessDenied(credential)
+}
+
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
 	password, err := mysql.DecodePasswordHex(c.credential.Password)
 	if err != nil {
diff --git a/server/server_conf.go b/server/server_conf.go
@@ -95,7 +95,7 @@ func NewServer(serverVersion string, collationId uint8, defaultAuthMethod string
 }
 
 func isAuthMethodSupported(authMethod string) bool {
-	return authMethod == mysql.AUTH_NATIVE_PASSWORD || authMethod == mysql.AUTH_CACHING_SHA2_PASSWORD || authMethod == mysql.AUTH_SHA256_PASSWORD
+	return authMethod == mysql.AUTH_CLEAR_PASSWORD || authMethod == mysql.AUTH_NATIVE_PASSWORD || authMethod == mysql.AUTH_CACHING_SHA2_PASSWORD || authMethod == mysql.AUTH_SHA256_PASSWORD
 }
 
 func (s *Server) InvalidateCache(username string, host string) {

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ func NewServer(serverVersion string, collationId uint8, defaultAuthMethod string`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`func isAuthMethodSupported(authMethod string) bool {`
`98`		`- return authMethod == mysql.AUTH_NATIVE_PASSWORD \|\| authMethod == mysql.AUTH_CACHING_SHA2_PASSWORD \|\| authMethod == mysql.AUTH_SHA256_PASSWORD`
	`98`	`+ return authMethod == mysql.AUTH_CLEAR_PASSWORD \|\| authMethod == mysql.AUTH_NATIVE_PASSWORD \|\| authMethod == mysql.AUTH_CACHING_SHA2_PASSWORD \|\| authMethod == mysql.AUTH_SHA256_PASSWORD`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`func (s *Server) InvalidateCache(username string, host string) {`