Handle empty password from broader set of MySQL clients

ramnes · ramnes · commit d089c65a701e · 2025-12-19T23:41:26.000+01:00
Some MySQL clients (e.g. libmysql) send a single null byte to indicate an empty password, while others (e.g. mariadb) send an empty packet. This matches MySQL server's own handling: ```c if (!pkt_len || (pkt_len == 1 && *pkt == 0)) ``` (Source: https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sha2_password.cc)
diff --git a/server/auth.go b/server/auth.go
@@ -18,6 +18,15 @@ var (
 	ErrAccessDeniedNoPassword = fmt.Errorf("%w without password", ErrAccessDenied)
 )
 
+// isEmptyPassword returns true if the auth data represents an empty password.
+// Some clients send an empty packet (len == 0), while others (e.g. MySQL's libmysql)
+// send a single null byte. This matches MySQL server's own handling:
+// if (!pkt_len || (pkt_len == 1 && *pkt == 0))
+// See: https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sha2_password.cc
+func isEmptyPassword(authData []byte) bool {
+	return len(authData) == 0 || (len(authData) == 1 && authData[0] == 0)
+}
+
 func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {
 	if authPluginName != c.credential.AuthPluginName {
 		err := c.writeAuthSwitchRequest(c.credential.AuthPluginName)
@@ -66,7 +75,7 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 }
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if credential.Password == "" {
 			return nil
 		}
@@ -84,8 +93,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C
 }
 
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {
-	// Empty passwords are not hashed, but sent as empty string
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if credential.Password == "" {
 			return nil
 		}
@@ -123,8 +131,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 }
 
 func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
-	// Empty passwords are not hashed, but sent as empty string
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if c.credential.Password == "" {
 			return nil
 		}
diff --git a/server/auth_switch_response.go b/server/auth_switch_response.go
@@ -71,7 +71,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 }
 
 func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if credential.Password == "" {
 			return nil
 		}
diff --git a/server/auth_switch_response_test.go b/server/auth_switch_response_test.go
@@ -25,6 +25,18 @@ func TestCheckSha2CacheCredentials_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/server/auth_test.go b/server/auth_test.go
@@ -32,6 +32,18 @@ func TestCompareNativePasswordAuthData_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {
@@ -68,6 +80,18 @@ func TestCompareSha256PasswordAuthData_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {
@@ -104,6 +128,18 @@ func TestCompareCacheSha2PasswordAuthData_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,15 @@ var (`
`18`	`18`	`ErrAccessDeniedNoPassword = fmt.Errorf("%w without password", ErrAccessDenied)`
`19`	`19`	`)`
`20`	`20`
	`21`	`+// isEmptyPassword returns true if the auth data represents an empty password.`
	`22`	`+// Some clients send an empty packet (len == 0), while others (e.g. MySQL's libmysql)`
	`23`	`+// send a single null byte. This matches MySQL server's own handling:`
	`24`	`+// if (!pkt_len \|\| (pkt_len == 1 && *pkt == 0))`
	`25`	`+// See: https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sha2_password.cc`
	`26`	`+func isEmptyPassword(authData []byte) bool {`
	`27`	`+ return len(authData) == 0 \|\| (len(authData) == 1 && authData[0] == 0)`
	`28`	`+}`
	`29`	`+`
`21`	`30`	`func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {`
`22`	`31`	`if authPluginName != c.credential.AuthPluginName {`
`23`	`32`	`err := c.writeAuthSwitchRequest(c.credential.AuthPluginName)`
`@@ -66,7 +75,7 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {`
`66`	`75`	`}`
`67`	`76`
`68`	`77`	`func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {`
`69`		`- if len(clientAuthData) == 0 {`
	`78`	`+ if isEmptyPassword(clientAuthData) {`
`70`	`79`	`if credential.Password == "" {`
`71`	`80`	`return nil`
`72`	`81`	`}`
`@@ -84,8 +93,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C`
`84`	`93`	`}`
`85`	`94`
`86`	`95`	`func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {`
`87`		`- // Empty passwords are not hashed, but sent as empty string`
`88`		`- if len(clientAuthData) == 0 {`
	`96`	`+ if isEmptyPassword(clientAuthData) {`
`89`	`97`	`if credential.Password == "" {`
`90`	`98`	`return nil`
`91`	`99`	`}`
`@@ -123,8 +131,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C`
`123`	`131`	`}`
`124`	`132`
`125`	`133`	`func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {`
`126`		`- // Empty passwords are not hashed, but sent as empty string`
`127`		`- if len(clientAuthData) == 0 {`
	`134`	`+ if isEmptyPassword(clientAuthData) {`
`128`	`135`	`if c.credential.Password == "" {`
`129`	`136`	`return nil`
`130`	`137`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {`
`74`		`- if len(clientAuthData) == 0 {`
	`74`	`+ if isEmptyPassword(clientAuthData) {`
`75`	`75`	`if credential.Password == "" {`
`76`	`76`	`return nil`
`77`	`77`	`}`