Add clear text password authentication

desdic · desdic · commit 3f99e821d7cc · 2025-10-20T12:38:50.000+02:00
diff --git a/client/auth.go b/client/auth.go
@@ -15,7 +15,7 @@ import (
 const defaultAuthPluginName = mysql.AUTH_NATIVE_PASSWORD
 
 // defines the supported auth plugins
-var supportedAuthPlugins = []string{mysql.AUTH_NATIVE_PASSWORD, mysql.AUTH_SHA256_PASSWORD, mysql.AUTH_CACHING_SHA2_PASSWORD, mysql.AUTH_MARIADB_ED25519}
+var supportedAuthPlugins = []string{mysql.AUTH_CLEAR_PASSWORD, mysql.AUTH_NATIVE_PASSWORD, mysql.AUTH_SHA256_PASSWORD, mysql.AUTH_CACHING_SHA2_PASSWORD, mysql.AUTH_MARIADB_ED25519}
 
 // helper function to determine what auth methods are allowed by this client
 func authPluginAllowed(pluginName string) bool {
diff --git a/server/auth.go b/server/auth.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
@@ -28,6 +29,9 @@ func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) err
 	}
 
 	switch authPluginName {
+	case mysql.AUTH_CLEAR_PASSWORD:
+		return c.compareClearPasswordAuthData(clientAuthData, c.credential)
+
 	case mysql.AUTH_NATIVE_PASSWORD:
 		return c.compareNativePasswordAuthData(clientAuthData, c.credential)
 
@@ -102,6 +106,16 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 	return subtle.ConstantTimeCompare(m, cached) == 1
 }
 
+func (c *Conn) compareClearPasswordAuthData(clientAuthData []byte, credential Credential) error {
+	clearText := bytes.TrimRight(clientAuthData, "\x00")
+
+	if bytes.Equal([]byte(credential.Password), clearText) {
+		return nil
+	}
+
+	return errAccessDenied(credential)
+}
+
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
 	password, err := mysql.DecodePasswordHex(c.credential.Password)
 	if err != nil {
diff --git a/server/server_conf.go b/server/server_conf.go
@@ -63,11 +63,13 @@ func NewDefaultServer() *Server {
 //
 // NOTES:
 // You can control the authentication methods and TLS settings here.
-// For auth method, you can specify one of the supported methods 'mysql_native_password', 'caching_sha2_password', and 'sha256_password'.
+// For auth method, you can specify one of the supported methods 'mysql_clear_password', mysql_native_password', 'caching_sha2_password', and 'sha256_password'.
 // The specified auth method will be enforced by the server in the connection phase. That means, client will be asked to switch auth method
 // if the supplied auth method is different from the server default.
 // And for TLS support, you can specify self-signed or CA-signed certificates and decide whether the client needs to provide
 // a signed or unsigned certificate to provide different level of security.
+// WARNING:
+// Be carefull using mysql_clear_password since it will transmit the password in clear text
 func NewServer(serverVersion string, collationId uint8, defaultAuthMethod string, pubKey []byte, tlsConfig *tls.Config) *Server {
 	if !isAuthMethodSupported(defaultAuthMethod) {
 		panic(fmt.Sprintf("server authentication method '%s' is not supported", defaultAuthMethod))
@@ -95,7 +97,7 @@ func NewServer(serverVersion string, collationId uint8, defaultAuthMethod string
 }
 
 func isAuthMethodSupported(authMethod string) bool {
-	return authMethod == mysql.AUTH_NATIVE_PASSWORD || authMethod == mysql.AUTH_CACHING_SHA2_PASSWORD || authMethod == mysql.AUTH_SHA256_PASSWORD
+	return authMethod == mysql.AUTH_CLEAR_PASSWORD || authMethod == mysql.AUTH_NATIVE_PASSWORD || authMethod == mysql.AUTH_CACHING_SHA2_PASSWORD || authMethod == mysql.AUTH_SHA256_PASSWORD
 }
 
 func (s *Server) InvalidateCache(username string, host string) {
diff --git a/server/server_test.go b/server/server_test.go
@@ -54,6 +54,8 @@ func prepareServerConf() []*Server {
 		NewServer("8.0.12", mysql.DEFAULT_COLLATION_ID, mysql.AUTH_CACHING_SHA2_PASSWORD, test_keys.PubPem, tlsConf),
 		// test auth switch: server permits MYSQL_NATIVE_PASSWORD only but sent different method CACHING_SHA2_PASSWORD in handshake response
 		NewServer("8.0.12", mysql.DEFAULT_COLLATION_ID, mysql.AUTH_CACHING_SHA2_PASSWORD, test_keys.PubPem, tlsConf),
+
+		NewServer("8.0.12", mysql.DEFAULT_COLLATION_ID, mysql.AUTH_CLEAR_PASSWORD, test_keys.PubPem, tlsConf),
 	}
 	return servers
 }
@@ -115,7 +117,8 @@ func (s *serverTestSuite) SetupSuite() {
 
 	time.Sleep(20 * time.Millisecond)
 
-	s.db, err = sql.Open("mysql", fmt.Sprintf("%s:%s@tcp(%s)/%s?tls=%s", *testUser, *testPassword, addr, *testDB, s.tlsPara))
+	// We allow clear text password to test MYSQL_CLEAR_PASSWORD
+	s.db, err = sql.Open("mysql", fmt.Sprintf("%s:%s@tcp(%s)/%s?tls=%s&allowCleartextPasswords=1", *testUser, *testPassword, addr, *testDB, s.tlsPara))
 	require.NoError(s.T(), err)
 
 	s.db.SetMaxIdleConns(4)
