go-sql-driver · Apr 16, 2025
diff --git a/‎AUTHORS
Lines changed: 1 addition & 0 deletions b/‎AUTHORS
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 11 additions & 0 deletions b/‎README.md
Lines changed: 11 additions & 0 deletions
diff --git a/‎auth.go
Lines changed: 46 additions & 398 deletions b/‎auth.go
Lines changed: 46 additions & 398 deletions
diff --git a/‎auth_caching_sha2.go
Lines changed: 176 additions & 0 deletions b/‎auth_caching_sha2.go
Lines changed: 176 additions & 0 deletions
diff --git a/‎auth_cleartext.go
Lines changed: 46 additions & 0 deletions b/‎auth_cleartext.go
Lines changed: 46 additions & 0 deletions
diff --git a/‎auth_ed25519.go
Lines changed: 64 additions & 0 deletions b/‎auth_ed25519.go
Lines changed: 64 additions & 0 deletions
diff --git a/‎auth_mysql_native.go
Lines changed: 64 additions & 0 deletions b/‎auth_mysql_native.go
Lines changed: 64 additions & 0 deletions
diff --git a/‎auth_old_password.go
Lines changed: 108 additions & 0 deletions b/‎auth_old_password.go
Lines changed: 108 additions & 0 deletions
diff --git a/‎auth_plugin.go
Lines changed: 63 additions & 0 deletions b/‎auth_plugin.go
Lines changed: 63 additions & 0 deletions
diff --git a/‎auth_sha256.go
Lines changed: 130 additions & 0 deletions b/‎auth_sha256.go
Lines changed: 130 additions & 0 deletions
diff --git a/‎auth_test.go
Lines changed: 159 additions & 127 deletions b/‎auth_test.go
Lines changed: 159 additions & 127 deletions
diff --git a/‎connector.go
Lines changed: 12 additions & 10 deletions b/‎connector.go
Lines changed: 12 additions & 10 deletions
diff --git a/‎const.go
Lines changed: 0 additions & 6 deletions b/‎const.go
Lines changed: 0 additions & 6 deletions
diff --git a/‎driver.go
Lines changed: 3 additions & 2 deletions b/‎driver.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎packets.go
Lines changed: 0 additions & 38 deletions b/‎packets.go
Lines changed: 0 additions & 38 deletions
@@ -37,6 +37,7 @@ Daniel Montoya <dsmontoyam at gmail.com>
 Daniel Nichter <nil at codenode.com>
 Daniël van Eeden <git at myname.nl>
 Dave Protasowski <dprotaso at gmail.com>
+Diego Dupin <diego.dupin at gmail.com>
 Dirkjan Bussink <d.bussink at gmail.com>
 DisposaBoy <disposaboy at dby.me>
 Egor Smolyakov <egorsmkv at gmail.com>
 
@@ -534,6 +534,17 @@ See [context support in the database/sql package](https://golang.org/doc/go1.8#d
 > The `QueryContext`, `ExecContext`, etc. variants provided by `database/sql` will cause the connection to be closed if the provided context is cancelled or timed out before the result is received by the driver.
 
 
+### Authentication Plugin System
+
+The driver implements a pluggable authentication system that supports various authentication methods used by MySQL and MariaDB servers. The built-in authentication plugins include:
+
+- `mysql_native_password` - The default MySQL authentication method
+- `caching_sha2_password` - Default authentication method in MySQL 8.0+
+- `mysql_clear_password` - Cleartext authentication (requires `allowCleartextPasswords=true`)
+- `mysql_old_password` - Old MySQL authentication (requires `allowOldPasswords=true`)
+- `sha256_password` - SHA256 authentication
+- `client_ed25519` - MariaDB Ed25519 authentication
+
 ### `LOAD DATA LOCAL INFILE` support
 For this feature you need direct access to the package. Therefore you must change the import path (no `_`):
 ```go
 
@@ -0,0 +1,176 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+import (
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// CachingSha2PasswordPlugin implements the caching_sha2_password authentication
+// This plugin provides secure password-based authentication using SHA256 and RSA encryption,
+// with server-side caching of password verifiers for improved performance.
+type CachingSha2PasswordPlugin struct {
+	AuthPlugin
+}
+
+func init() {
+	RegisterAuthPlugin(&CachingSha2PasswordPlugin{})
+}
+
+func (p *CachingSha2PasswordPlugin) GetPluginName() string {
+	return "caching_sha2_password"
+}
+
+// InitAuth initializes the authentication process by scrambling the password.
+//
+// The scrambling process uses a three-step SHA256 hash:
+// 1. SHA256(password)
+// 2. SHA256(SHA256(password))
+// 3. XOR(SHA256(password), SHA256(SHA256(SHA256(password)), scramble))
+func (p *CachingSha2PasswordPlugin) InitAuth(authData []byte, cfg *Config) ([]byte, error) {
+	return scrambleSHA256Password(authData, cfg.Passwd), nil
+}
+
+// ContinuationAuth processes the server's response to our authentication attempt.
+//
+// The authentication flow can take several paths:
+//  1. Fast auth success (password found in cache)
+//  2. Full authentication needed:
+//     a. With TLS: send cleartext password
+//     b. Without TLS:
+//     - Request server's public key if not cached
+//     - Encrypt password with RSA public key
+//     - Send encrypted password
+func (p *CachingSha2PasswordPlugin) ContinuationAuth(packet []byte, authData []byte, mc *mysqlConn) ([]byte, error) {
+	if len(packet) == 0 {
+		return nil, fmt.Errorf("%w: empty auth response packet", ErrMalformPkt)
+	}
+
+	switch packet[0] {
+	case iOK, iERR, iEOF:
+		return packet, nil
+	case iAuthMoreData:
+		switch len(packet) {
+		case 1:
+			return mc.readPacket() // Auth successful
+
+		case 2:
+			switch packet[1] {
+			case 3:
+				// the password was found in the server's cache
+				return mc.readPacket()
+
+			case 4:
+				// indicates full authentication is needed
+				// For TLS connections or Unix socket, send cleartext password
+				if mc.cfg.TLS != nil || mc.cfg.Net == "unix" {
+					err := mc.writeAuthSwitchPacket(append([]byte(mc.cfg.Passwd), 0))
+					if err != nil {
+						return nil, fmt.Errorf("failed to send cleartext password: %w", err)
+					}
+				} else {
+					// For non-TLS connections, use RSA encryption
+					pubKey := mc.cfg.pubKey
+					if pubKey == nil {
+						// Request public key from server
+						packet, err := mc.buf.takeSmallBuffer(4 + 1)
+						if err != nil {
+							return nil, fmt.Errorf("failed to allocate buffer: %w", err)
+						}
+						packet[4] = 2
+						if err = mc.writePacket(packet); err != nil {
+							return nil, fmt.Errorf("failed to request public key: %w", err)
+						}
+
+						// Read public key packet
+						if packet, err = mc.readPacket(); err != nil {
+							return nil, fmt.Errorf("failed to read public key: %w", err)
+						}
+
+						if packet[0] != iAuthMoreData {
+							return nil, fmt.Errorf("unexpected packet type %d when requesting public key", packet[0])
+						}
+
+						// Parse public key from PEM format
+						block, rest := pem.Decode(packet[1:])
+						if block == nil {
+							return nil, fmt.Errorf("invalid PEM data in auth response: %q", rest)
+						}
+
+						// Parse the public key
+						pkix, err := x509.ParsePKIXPublicKey(block.Bytes)
+						if err != nil {
+							return nil, fmt.Errorf("failed to parse public key: %w", err)
+						}
+						pubKey = pkix.(*rsa.PublicKey)
+					}
+
+					// Encrypt and send password
+					enc, err := encryptPassword(mc.cfg.Passwd, authData, pubKey)
+					if err != nil {
+						return nil, fmt.Errorf("failed to encrypt password: %w", err)
+					}
+					if err = mc.writeAuthSwitchPacket(enc); err != nil {
+						return nil, fmt.Errorf("failed to send encrypted password: %w", err)
+					}
+				}
+				return mc.readPacket()
+
+			default:
+				return nil, fmt.Errorf("%w: unknown auth state %d", ErrMalformPkt, packet[1])
+			}
+
+		default:
+			return nil, fmt.Errorf("%w: unexpected packet length %d", ErrMalformPkt, len(packet))
+		}
+	default:
+		return nil, fmt.Errorf("%w: expected auth more data packet", ErrMalformPkt)
+	}
+}
+
+// scrambleSHA256Password implements MySQL 8+ password scrambling.
+//
+// The algorithm is:
+// 1. SHA256(password)
+// 2. SHA256(SHA256(SHA256(password)))
+// 3. XOR(SHA256(password), SHA256(SHA256(SHA256(password)), scramble))
+//
+// This provides a way to verify the password without storing it in cleartext.
+func scrambleSHA256Password(scramble []byte, password string) []byte {
+	if len(password) == 0 {
+		return []byte{}
+	}
+
+	// First hash: SHA256(password)
+	crypt := sha256.New()
+	crypt.Write([]byte(password))
+	message1 := crypt.Sum(nil)
+
+	// Second hash: SHA256(SHA256(password))
+	crypt.Reset()
+	crypt.Write(message1)
+	message1Hash := crypt.Sum(nil)
+
+	// Third hash: SHA256(SHA256(SHA256(password)), scramble)
+	crypt.Reset()
+	crypt.Write(message1Hash)
+	crypt.Write(scramble)
+	message2 := crypt.Sum(nil)
+
+	// XOR the first hash with the third hash
+	for i := range message1 {
+		message1[i] ^= message2[i]
+	}
+
+	return message1
+}
@@ -0,0 +1,46 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+// ClearPasswordPlugin implements the mysql_clear_password authentication.
+//
+// This plugin sends passwords in cleartext and should only be used:
+// 1. Over TLS/SSL connections
+// 2. Over Unix domain sockets
+// 3. When required by authentication methods like PAM
+//
+// See: http://dev.mysql.com/doc/refman/5.7/en/cleartext-authentication-plugin.html
+//
+//	http://dev.mysql.com/doc/refman/5.7/en/pam-authentication-plugin.html
+type ClearPasswordPlugin struct {
+	SimpleAuth
+}
+
+func init() {
+	RegisterAuthPlugin(&ClearPasswordPlugin{})
+}
+
+func (p *ClearPasswordPlugin) GetPluginName() string {
+	return "mysql_clear_password"
+}
+
+// InitAuth implements the cleartext password authentication.
+// It will return an error if AllowCleartextPasswords is false.
+//
+// The cleartext password is sent as a null-terminated string.
+// This is required by the server to support external authentication
+// systems that need access to the original password.
+func (p *ClearPasswordPlugin) InitAuth(authData []byte, cfg *Config) ([]byte, error) {
+	if !cfg.AllowCleartextPasswords {
+		return nil, ErrCleartextPassword
+	}
+
+	// Send password as null-terminated string
+	return append([]byte(cfg.Passwd), 0), nil
+}
@@ -0,0 +1,64 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+import (
+	"crypto/sha512"
+	"filippo.io/edwards25519"
+)
+
+// ClientEd25519Plugin implements the client_ed25519 authentication
+type ClientEd25519Plugin struct {
+	SimpleAuth
+}
+
+func init() {
+	RegisterAuthPlugin(&ClientEd25519Plugin{})
+}
+
+func (p *ClientEd25519Plugin) GetPluginName() string {
+	return "client_ed25519"
+}
+
+func (p *ClientEd25519Plugin) InitAuth(authData []byte, cfg *Config) ([]byte, error) {
+	// Derived from https://github.com/MariaDB/server/blob/d8e6bb00888b1f82c031938f4c8ac5d97f6874c3/plugin/auth_ed25519/ref10/sign.c
+	// Code style is from https://cs.opensource.google/go/go/+/refs/tags/go1.21.5:src/crypto/ed25519/ed25519.go;l=207
+	h := sha512.Sum512([]byte(cfg.Passwd))
+
+	s, err := edwards25519.NewScalar().SetBytesWithClamping(h[:32])
+	if err != nil {
+		return nil, err
+	}
+	A := (&edwards25519.Point{}).ScalarBaseMult(s)
+
+	mh := sha512.New()
+	mh.Write(h[32:])
+	mh.Write(authData)
+	messageDigest := mh.Sum(nil)
+	r, err := edwards25519.NewScalar().SetUniformBytes(messageDigest)
+	if err != nil {
+		return nil, err
+	}
+
+	R := (&edwards25519.Point{}).ScalarBaseMult(r)
+
+	kh := sha512.New()
+	kh.Write(R.Bytes())
+	kh.Write(A.Bytes())
+	kh.Write(authData)
+	hramDigest := kh.Sum(nil)
+	k, err := edwards25519.NewScalar().SetUniformBytes(hramDigest)
+	if err != nil {
+		return nil, err
+	}
+
+	S := k.MultiplyAdd(k, s, r)
+
+	return append(R.Bytes(), S.Bytes()...), nil
+}
@@ -0,0 +1,64 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+import "crypto/sha1"
+
+// NativePasswordPlugin implements the mysql_native_password authentication
+type NativePasswordPlugin struct {
+	SimpleAuth
+}
+
+func init() {
+	RegisterAuthPlugin(&NativePasswordPlugin{})
+}
+
+func (p *NativePasswordPlugin) GetPluginName() string {
+	return "mysql_native_password"
+}
+
+func (p *NativePasswordPlugin) InitAuth(authData []byte, cfg *Config) ([]byte, error) {
+	if !cfg.AllowNativePasswords {
+		return nil, ErrNativePassword
+	}
+	if cfg.Passwd == "" {
+		return nil, nil
+	}
+	return p.scramblePassword(authData[:20], cfg.Passwd), nil
+}
+
+// Hash password using 4.1+ method (SHA1)
+func (p *NativePasswordPlugin) scramblePassword(scramble []byte, password string) []byte {
+	if len(password) == 0 {
+		return nil
+	}
+
+	// stage1Hash = SHA1(password)
+	crypt := sha1.New()
+	crypt.Write([]byte(password))
+	stage1 := crypt.Sum(nil)
+
+	// scrambleHash = SHA1(scramble + SHA1(stage1Hash))
+	// inner Hash
+	crypt.Reset()
+	crypt.Write(stage1)
+	hash := crypt.Sum(nil)
+
+	// outer Hash
+	crypt.Reset()
+	crypt.Write(scramble)
+	crypt.Write(hash)
+	scramble = crypt.Sum(nil)
+
+	// token = scrambleHash XOR stage1Hash
+	for i := range scramble {
+		scramble[i] ^= stage1[i]
+	}
+	return scramble
+}
@@ -0,0 +1,108 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+// OldPasswordPlugin implements the mysql_old_password authentication
+type OldPasswordPlugin struct{ SimpleAuth }
+
+func init() {
+	RegisterAuthPlugin(&OldPasswordPlugin{})
+}
+
+func (p *OldPasswordPlugin) GetPluginName() string {
+	return "mysql_old_password"
+}
+
+func (p *OldPasswordPlugin) InitAuth(authData []byte, cfg *Config) ([]byte, error) {
+	if !cfg.AllowOldPasswords {
+		return nil, ErrOldPassword
+	}
+	if cfg.Passwd == "" {
+		return nil, nil
+	}
+	// Note: there are edge cases where this should work but doesn't;
+	// this is currently "wontfix":
+	// https://github.com/go-sql-driver/mysql/issues/184
+	return append(p.scrambleOldPassword(authData[:8], cfg.Passwd), 0), nil
+}
+
+// Hash password using insecure pre 4.1 method
+func (p *OldPasswordPlugin) scrambleOldPassword(scramble []byte, password string) []byte {
+	scramble = scramble[:8]
+
+	hashPw := pwHash([]byte(password))
+	hashSc := pwHash(scramble)
+
+	r := newMyRnd(hashPw[0]^hashSc[0], hashPw[1]^hashSc[1])
+
+	var out [8]byte
+	for i := range out {
+		out[i] = r.NextByte() + 64
+	}
+
+	mask := r.NextByte()
+	for i := range out {
+		out[i] ^= mask
+	}
+
+	return out[:]
+}
+
+// Hash password using pre 4.1 (old password) method
+// https://github.com/atcurtis/mariadb/blob/master/mysys/my_rnd.c
+type myRnd struct {
+	seed1, seed2 uint32
+}
+
+// Tested to be equivalent to MariaDB's floating point variant
+// http://play.golang.org/p/QHvhd4qved
+// http://play.golang.org/p/RG0q4ElWDx
+func (r *myRnd) NextByte() byte {
+	r.seed1 = (r.seed1*3 + r.seed2) % myRndMaxVal
+	r.seed2 = (r.seed1 + r.seed2 + 33) % myRndMaxVal
+
+	return byte(uint64(r.seed1) * 31 / myRndMaxVal)
+}
+
+const myRndMaxVal = 0x3FFFFFFF
+
+// Pseudo random number generator
+func newMyRnd(seed1, seed2 uint32) *myRnd {
+	return &myRnd{
+		seed1: seed1 % myRndMaxVal,
+		seed2: seed2 % myRndMaxVal,
+	}
+}
+
+// Generate binary hash from byte string using insecure pre 4.1 method
+func pwHash(password []byte) (result [2]uint32) {
+	var add uint32 = 7
+	var tmp uint32
+
+	result[0] = 1345345333
+	result[1] = 0x12345671
+
+	for _, c := range password {
+		// skip spaces and tabs in password
+		if c == ' ' || c == '\t' {
+			continue
+		}
+
+		tmp = uint32(c)
+		result[0] ^= (((result[0] & 63) + add) * tmp) + (result[0] << 8)
+		result[1] += (result[1] << 8) ^ result[0]
+		add += tmp
+	}
+
+	// Remove sign bit (1<<31)-1)
+	result[0] &= 0x7FFFFFFF
+	result[1] &= 0x7FFFFFFF
+
+	return
+}
@@ -0,0 +1,63 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+// AuthPlugin represents an authentication plugin for MySQL/MariaDB
+type AuthPlugin interface {
+	// GetPluginName returns the name of the authentication plugin
+	GetPluginName() string
+
+	// InitAuth initializes the authentication process and returns the initial response
+	// authData is the challenge data from the server
+	// password is the password for authentication
+	InitAuth(authData []byte, cfg *Config) ([]byte, error)
+
+	// ContinuationAuth processes the authentication response from the server
+	// packet is the data from the server's auth response
+	// authData is the initial auth data from the server
+	// conn is the MySQL connection (for performing additional interactions if needed)
+	ContinuationAuth(packet []byte, authData []byte, conn *mysqlConn) ([]byte, error)
+}
+
+type SimpleAuth struct {
+	AuthPlugin
+}
+
+func (s SimpleAuth) ContinuationAuth(packet []byte, authData []byte, conn *mysqlConn) ([]byte, error) {
+	return packet, nil
+}
+
+// PluginRegistry is a registry of available authentication plugins
+type PluginRegistry struct {
+	plugins map[string]AuthPlugin
+}
+
+// NewPluginRegistry creates a new plugin registry
+func NewPluginRegistry() *PluginRegistry {
+	registry := &PluginRegistry{
+		plugins: make(map[string]AuthPlugin),
+	}
+	return registry
+}
+
+// Register adds a plugin to the registry
+func (r *PluginRegistry) Register(plugin AuthPlugin) {
+	r.plugins[plugin.GetPluginName()] = plugin
+}
+
+// GetPlugin returns the plugin for the given name
+func (r *PluginRegistry) GetPlugin(name string) (AuthPlugin, bool) {
+	plugin, ok := r.plugins[name]
+	return plugin, ok
+}
+
+// RegisterAuthPlugin registers the plugin to the global plugin registry
+func RegisterAuthPlugin(plugin AuthPlugin) {
+	globalPluginRegistry.Register(plugin)
+}
@@ -0,0 +1,130 @@
+// Go MySQL Driver - A MySQL-Driver for Go's database/sql package
+//
+// Copyright 2023 The Go-MySQL-Driver Authors. All rights reserved.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mysql
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// Sha256PasswordPlugin implements the sha256_password authentication
+// This plugin provides secure password-based authentication using SHA256 and RSA encryption.
+type Sha256PasswordPlugin struct{ AuthPlugin }
+
+func init() {
+	RegisterAuthPlugin(&Sha256PasswordPlugin{})
+}
+
+func (p *Sha256PasswordPlugin) GetPluginName() string {
+	return "sha256_password"
+}
+
+// InitAuth initializes the authentication process.
+//
+// The function follows these rules:
+// 1. If no password is configured, sends a single byte indicating empty password
+// 2. If TLS is enabled, sends the password in cleartext
+// 3. If a public key is available, encrypts the password and sends it
+// 4. Otherwise, requests the server's public key
+func (p *Sha256PasswordPlugin) InitAuth(authData []byte, cfg *Config) ([]byte, error) {
+	if len(cfg.Passwd) == 0 {
+		return []byte{0}, nil
+	}
+
+	// Unlike caching_sha2_password, sha256_password does not accept
+	// cleartext password on unix transport.
+	if cfg.TLS != nil {
+		// Write cleartext auth packet
+		return append([]byte(cfg.Passwd), 0), nil
+	}
+
+	if cfg.pubKey == nil {
+		// Request public key from server
+		return []byte{1}, nil
+	}
+
+	// Encrypt password using the public key
+	enc, err := encryptPassword(cfg.Passwd, authData, cfg.pubKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encrypt password: %w", err)
+	}
+	return enc, nil
+}
+
+// ContinuationAuth processes the server's response to our authentication attempt.
+//
+// The server can respond in three ways:
+// 1. OK packet - Authentication successful
+// 2. Error packet - Authentication failed
+// 3. More data packet - Contains the server's public key for password encryption
+func (p *Sha256PasswordPlugin) ContinuationAuth(packet []byte, authData []byte, mc *mysqlConn) ([]byte, error) {
+
+	switch packet[0] {
+	case iOK, iERR, iEOF:
+		return packet, nil
+
+	case iAuthMoreData:
+		// Parse public key from PEM format
+		block, rest := pem.Decode(packet[1:])
+		if block == nil {
+			return nil, fmt.Errorf("invalid PEM data in auth response: %q", rest)
+		}
+
+		// Parse the public key
+		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse public key: %w", err)
+		}
+
+		// Send encrypted password
+		enc, err := encryptPassword(mc.cfg.Passwd, authData, pub.(*rsa.PublicKey))
+		if err != nil {
+			return nil, fmt.Errorf("failed to encrypt password with server key: %w", err)
+		}
+
+		// Send the encrypted password
+		if err = mc.writeAuthSwitchPacket(enc); err != nil {
+			return nil, fmt.Errorf("failed to send encrypted password: %w", err)
+		}
+
+		return mc.readPacket()
+
+	default:
+		return nil, fmt.Errorf("%w: unexpected packet type %d", ErrMalformPkt, packet[0])
+	}
+}
+
+// encryptPassword encrypts the password using RSA-OAEP with SHA1 hash.
+//
+// The process:
+// 1. XORs the password with the auth seed to prevent replay attacks
+// 2. Encrypts the XORed password using RSA-OAEP with SHA1
+//
+// The encryption uses OAEP padding which is more secure than PKCS#1 v1.5 padding.
+func encryptPassword(password string, seed []byte, pub *rsa.PublicKey) ([]byte, error) {
+	if pub == nil {
+		return nil, fmt.Errorf("public key is nil")
+	}
+
+	// Create the plaintext by XORing password with seed
+	plain := make([]byte, len(password)+1)
+	copy(plain, password)
+	for i := range plain {
+		j := i % len(seed)
+		plain[i] ^= seed[j]
+	}
+
+	// Encrypt using RSA-OAEP with SHA1
+	sha1Hash := sha1.New()
+	return rsa.EncryptOAEP(sha1Hash, rand.Reader, pub, plain, nil)
+}
@@ -18,6 +18,10 @@ import (
 	"strings"
 )
 
+const (
+	authMaximumSwitch = 5
+)
+
 type connector struct {
 	cfg               *Config // immutable private copy.
 	encodedAttributes string  // Encoded connection attributes.
@@ -140,26 +144,24 @@ func (c *connector) Connect(ctx context.Context) (driver.Conn, error) {
 	if plugin == "" {
 		plugin = defaultAuthPlugin
 	}
+	authPlugin, exists := globalPluginRegistry.GetPlugin(plugin)
+	if !exists {
+		return nil, fmt.Errorf("this authentication plugin '%s' is not supported", plugin)
+	}
 
 	// Send Client Authentication Packet
-	authResp, err := mc.auth(authData, plugin)
+	authResp, err := authPlugin.InitAuth(authData, mc.cfg)
 	if err != nil {
-		// try the default auth plugin, if using the requested plugin failed
-		c.cfg.Logger.Print("could not use requested auth plugin '"+plugin+"': ", err.Error())
-		plugin = defaultAuthPlugin
-		authResp, err = mc.auth(authData, plugin)
-		if err != nil {
-			mc.cleanup()
-			return nil, err
-		}
+		mc.cleanup()
+		return nil, err
 	}
 	if err = mc.writeHandshakeResponsePacket(authResp, plugin); err != nil {
 		mc.cleanup()
 		return nil, err
 	}
 
 	// Handle response to auth packet, switch methods if possible
-	if err = mc.handleAuthResult(authData, plugin); err != nil {
+	if err = mc.handleAuthResult(authMaximumSwitch, authData, authPlugin); err != nil {
 		// Authentication failed and MySQL has already closed the connection
 		// (https://dev.mysql.com/doc/internals/en/authentication-fails.html).
 		// Do not send COM_QUIT, just cleanup and return the error.
 
@@ -184,9 +184,3 @@ const (
 	statusInTransReadonly
 	statusSessionStateChanged
 )
-
-const (
-	cachingSha2PasswordRequestPublicKey          = 2
-	cachingSha2PasswordFastAuthSuccess           = 3
-	cachingSha2PasswordPerformFullAuthentication = 4
-)
@@ -39,8 +39,9 @@ type DialFunc func(addr string) (net.Conn, error)
 type DialContextFunc func(ctx context.Context, addr string) (net.Conn, error)
 
 var (
-	dialsLock sync.RWMutex
-	dials     map[string]DialContextFunc
+	dialsLock            sync.RWMutex
+	dials                map[string]DialContextFunc
+	globalPluginRegistry = NewPluginRegistry()
 )
 
 // RegisterDialContext registers a custom dial function. It can then be used by the
 
@@ -482,44 +482,6 @@ func (mc *mysqlConn) writeCommandPacketUint32(command byte, arg uint32) error {
 *                              Result Packets                                 *
 ******************************************************************************/
 
-func (mc *mysqlConn) readAuthResult() ([]byte, string, error) {
-	data, err := mc.readPacket()
-	if err != nil {
-		return nil, "", err
-	}
-
-	// packet indicator
-	switch data[0] {
-
-	case iOK:
-		// resultUnchanged, since auth happens before any queries or
-		// commands have been executed.
-		return nil, "", mc.resultUnchanged().handleOkPacket(data)
-
-	case iAuthMoreData:
-		return data[1:], "", err
-
-	case iEOF:
-		if len(data) == 1 {
-			// https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::OldAuthSwitchRequest
-			return nil, "mysql_old_password", nil
-		}
-		pluginEndIndex := bytes.IndexByte(data, 0x00)
-		if pluginEndIndex < 0 {
-			return nil, "", ErrMalformPkt
-		}
-		plugin := string(data[1:pluginEndIndex])
-		authData := data[pluginEndIndex+1:]
-		if len(authData) > 0 && authData[len(authData)-1] == 0 {
-			authData = authData[:len(authData)-1]
-		}
-		return authData, plugin, nil
-
-	default: // Error otherwise
-		return nil, "", mc.handleErrorPacket(data)
-	}
-}
-
 // Returns error if Packet is not a 'Result OK'-Packet
 func (mc *okHandler) readResultOK() error {
 	data, err := mc.conn().readPacket()