Handle empty password from broader set of MySQL clients

ramnes · ramnes · commit 45651f0c28fa · 2025-12-22T14:32:15.000+01:00
Some MySQL clients (e.g. libmysql) send a single null byte to indicate an empty password, while others (e.g. mariadb) send an empty packet. This matches MySQL server's own handling: ```c if (!pkt_len || (pkt_len == 1 && *pkt == 0)) ``` (Source: https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sha2_password.cc)
diff --git a/server/auth.go b/server/auth.go
@@ -18,6 +18,16 @@ var (
 	ErrAccessDeniedNoPassword = fmt.Errorf("%w without password", ErrAccessDenied)
 )
 
+// isEmptyPassword returns true if the auth data represents an empty password.
+// Some clients send an empty packet (len == 0), while others (e.g. MySQL's libmysql)
+// send a single null byte. This matches MySQL server's own handling:
+// if (!pkt_len || (pkt_len == 1 && *pkt == 0))
+// https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sha2_password.cc
+// https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sql_authentication.cc
+func isEmptyPassword(authData []byte) bool {
+	return len(authData) == 0 || (len(authData) == 1 && authData[0] == 0)
+}
+
 func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {
 	if authPluginName != c.credential.AuthPluginName {
 		err := c.writeAuthSwitchRequest(c.credential.AuthPluginName)
@@ -66,7 +76,7 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 }
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if credential.hasEmptyPassword() {
 			return nil
 		}
@@ -90,8 +100,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C
 }
 
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {
-	// Empty passwords are not hashed, but sent as empty string
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if credential.hasEmptyPassword() {
 			return nil
 		}
@@ -135,8 +144,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 }
 
 func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
-	// Empty passwords are not hashed, but sent as empty string
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if c.credential.hasEmptyPassword() {
 			return nil
 		}
diff --git a/server/auth_switch_response.go b/server/auth_switch_response.go
@@ -71,7 +71,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 }
 
 func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {
-	if len(clientAuthData) == 0 {
+	if isEmptyPassword(clientAuthData) {
 		if credential.hasEmptyPassword() {
 			return nil
 		}
diff --git a/server/auth_switch_response_test.go b/server/auth_switch_response_test.go
@@ -25,6 +25,18 @@ func TestCheckSha2CacheCredentials_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/server/auth_test.go b/server/auth_test.go
@@ -32,6 +32,18 @@ func TestCompareNativePasswordAuthData_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {
@@ -68,6 +80,18 @@ func TestCompareSha256PasswordAuthData_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {
@@ -104,6 +128,18 @@ func TestCompareCacheSha2PasswordAuthData_EmptyPassword(t *testing.T) {
 			serverPassword: "secret",
 			wantErr:        ErrAccessDeniedNoPassword,
 		},
+		{
+			name:           "null byte client auth, empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "null byte client auth, non-empty server password",
+			clientAuthData: []byte{0x00},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
 	}
 
 	for _, tt := range tests {

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,16 @@ var (`
`18`	`18`	`ErrAccessDeniedNoPassword = fmt.Errorf("%w without password", ErrAccessDenied)`
`19`	`19`	`)`
`20`	`20`
	`21`	`+// isEmptyPassword returns true if the auth data represents an empty password.`
	`22`	`+// Some clients send an empty packet (len == 0), while others (e.g. MySQL's libmysql)`
	`23`	`+// send a single null byte. This matches MySQL server's own handling:`
	`24`	`+// if (!pkt_len \|\| (pkt_len == 1 && *pkt == 0))`
	`25`	`+// https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sha2_password.cc`
	`26`	`+// https://github.com/mysql/mysql-server/blob/8.0/sql/auth/sql_authentication.cc`
	`27`	`+func isEmptyPassword(authData []byte) bool {`
	`28`	`+ return len(authData) == 0 \|\| (len(authData) == 1 && authData[0] == 0)`
	`29`	`+}`
	`30`	`+`
`21`	`31`	`func (c *Conn) compareAuthData(authPluginName string, clientAuthData []byte) error {`
`22`	`32`	`if authPluginName != c.credential.AuthPluginName {`
`23`	`33`	`err := c.writeAuthSwitchRequest(c.credential.AuthPluginName)`
`@@ -66,7 +76,7 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {`
`66`	`76`	`}`
`67`	`77`
`68`	`78`	`func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {`
`69`		`- if len(clientAuthData) == 0 {`
	`79`	`+ if isEmptyPassword(clientAuthData) {`
`70`	`80`	`if credential.hasEmptyPassword() {`
`71`	`81`	`return nil`
`72`	`82`	`}`
`@@ -90,8 +100,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C`
`90`	`100`	`}`
`91`	`101`
`92`	`102`	`func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {`
`93`		`- // Empty passwords are not hashed, but sent as empty string`
`94`		`- if len(clientAuthData) == 0 {`
	`103`	`+ if isEmptyPassword(clientAuthData) {`
`95`	`104`	`if credential.hasEmptyPassword() {`
`96`	`105`	`return nil`
`97`	`106`	`}`
`@@ -135,8 +144,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C`
`135`	`144`	`}`
`136`	`145`
`137`	`146`	`func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {`
`138`		`- // Empty passwords are not hashed, but sent as empty string`
`139`		`- if len(clientAuthData) == 0 {`
	`147`	`+ if isEmptyPassword(clientAuthData) {`
`140`	`148`	`if c.credential.hasEmptyPassword() {`
`141`	`149`	`return nil`
`142`	`150`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {`
`74`		`- if len(clientAuthData) == 0 {`
	`74`	`+ if isEmptyPassword(clientAuthData) {`
`75`	`75`	`if credential.hasEmptyPassword() {`
`76`	`76`	`return nil`
`77`	`77`	`}`