| 275 | } |
| 276 | |
| 277 | func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) { |
| 278 | switch plugin { |
| 279 | case "caching_sha2_password": |
| 280 | authResp := scrambleSHA256Password(authData, mc.cfg.Passwd) |
| 281 | return authResp, nil |
| 282 | |
| 283 | case "mysql_old_password": |
| 284 | if !mc.cfg.AllowOldPasswords { |
| 285 | return nil, ErrOldPassword |
| 286 | } |
| 287 | if len(mc.cfg.Passwd) == 0 { |
| 288 | return nil, nil |
| 289 | } |
| 290 | // Note: there are edge cases where this should work but doesn't; |
| 291 | // this is currently "wontfix": |
| 292 | // https://github.com/go-sql-driver/mysql/issues/184 |
| 293 | authResp := append(scrambleOldPassword(authData[:8], mc.cfg.Passwd), 0) |
| 294 | return authResp, nil |
| 295 | |
| 296 | case "mysql_clear_password": |
| 297 | if !mc.cfg.AllowCleartextPasswords { |
| 298 | return nil, ErrCleartextPassword |
| 299 | } |
| 300 | // http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html |
| 301 | // http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html |
| 302 | return append([]byte(mc.cfg.Passwd), 0), nil |
| 303 | |
| 304 | case "mysql_native_password": |
| 305 | if !mc.cfg.AllowNativePasswords { |
| 306 | return nil, ErrNativePassword |
| 307 | } |
| 308 | // https://dev.mysql.com/doc/dev/mysql-server/8.4.5/page_protocol_connection_phase_authentication_methods_native_password_authentication.html |
| 309 | // Native password authentication needs, and will only ever need, a 20-byte challenge. |
| 310 | authResp := scramblePassword(authData[:20], mc.cfg.Passwd) |
| 311 | return authResp, nil |
| 312 | |
| 313 | case "sha256_password": |
| 314 | if len(mc.cfg.Passwd) == 0 { |
| 315 | return []byte{0}, nil |
| 316 | } |
| 317 | // unlike caching_sha2_password, sha256_password does not accept |
| 318 | // cleartext password on unix transport. |
| 319 | if mc.cfg.TLS != nil { |
| 320 | // write cleartext auth packet |
| 321 | return append([]byte(mc.cfg.Passwd), 0), nil |
| 322 | } |
| 323 | |
| 324 | pubKey := mc.cfg.pubKey |
| 325 | if pubKey == nil { |
| 326 | // request public key from server |
| 327 | return []byte{1}, nil |
| 328 | } |
| 329 | |
| 330 | // encrypted password |
| 331 | enc, err := encryptPassword(mc.cfg.Passwd, authData, pubKey) |
| 332 | return enc, err |
| 333 | |
| 334 | case "client_ed25519": |