Error should be decided against client data, not server password

Author: ramnes

server/auth.go

@@ -45,14 +45,6 @@ func (c *Conn) acquirePassword() error {
 	return nil
 }
 
-func errAccessDenied(credential Credential) error {
-	if credential.Password == "" {
-		return ErrAccessDeniedNoPassword
-	}
-
-	return ErrAccessDenied
-}
-
 func scrambleValidation(cached, nonce, scramble []byte) bool {
 	// SHA256(SHA256(SHA256(STORED_PASSWORD)), NONCE)
 	crypt := sha256.New()
@@ -74,14 +66,21 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 }
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
+	if len(clientAuthData) == 0 {
+		if credential.Password == "" {
+			return nil
+		}
+		return ErrAccessDeniedNoPassword
+	}
+
 	password, err := mysql.DecodePasswordHex(c.credential.Password)
 	if err != nil {
-		return errAccessDenied(credential)
+		return ErrAccessDenied
 	}
 	if mysql.CompareNativePassword(clientAuthData, password, c.salt) {
 		return nil
 	}
-	return errAccessDenied(credential)
+	return ErrAccessDenied
 }
 
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {
@@ -141,7 +140,7 @@ func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
 			return c.writeAuthMoreDataFastAuth()
 		}
 
-		return errAccessDenied(c.credential)
+		return ErrAccessDenied
 	}
 	// cache miss, do full auth
 	if err := c.writeAuthMoreDataFullAuth(); err != nil {

server/auth_switch_response.go

@@ -75,7 +75,7 @@ func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Crede
 	if match && err == nil {
 		return nil
 	}
-	return errAccessDenied(credential)
+	return ErrAccessDenied
 }
 
 func (c *Conn) writeCachingSha2Cache(authData []byte) {