dolthub · fulghum · Nov 7, 2025 · Nov 6, 2025
@@ -24,7 +24,6 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/subtle"
-	"crypto/x509"
 	"encoding/hex"
 	"net"
 	"strings"
@@ -132,7 +131,7 @@ const (
 // such a hash based on the salt and auth response provided here after retrieving
 // the hashed password from the storage.
 type HashStorage interface {
-	UserEntryWithHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error)
+	UserEntryWithHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error)
 }
 
 // PlainTextStorage describes an object that is suitable to retrieve user information
@@ -146,7 +145,7 @@ type HashStorage interface {
 // When comparing plain text passwords directly, please ensure to use `subtle.ConstantTimeCompare`
 // to prevent timing based attacks on the password.
 type PlainTextStorage interface {
-	UserEntryWithPassword(userCerts []*x509.Certificate, user string, password string, remoteAddr net.Addr) (Getter, error)
+	UserEntryWithPassword(conn *Conn, user string, password string, remoteAddr net.Addr) (Getter, error)
 }
 
 // CachingStorage describes an object that is suitable to retrieve user information
@@ -159,7 +158,7 @@ type PlainTextStorage interface {
 // such a hash based on the salt and auth response provided here after retrieving
 // the hashed password from the cache.
 type CachingStorage interface {
-	UserEntryWithCacheHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error)
+	UserEntryWithCacheHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error)
 }
 
 // NewMysqlNativeAuthMethod will create a new AuthMethod that implements the
@@ -507,7 +506,7 @@ func (n *mysqlNativePasswordAuthMethod) HandleAuthPluginData(conn *Conn, user st
 		return nil, NewSQLError(ERAccessDeniedError, SSAccessDeniedError, "Access denied for user '%v'", user)
 	}
 	salt := serverAuthPluginData[:len(serverAuthPluginData)-1]
-	return n.storage.UserEntryWithHash(conn.GetTLSClientCerts(), salt, user, clientAuthPluginData, remoteAddr)
+	return n.storage.UserEntryWithHash(conn, salt, user, clientAuthPluginData, remoteAddr)
 }
 
 type mysqlClearAuthMethod struct {
@@ -532,7 +531,7 @@ func (n *mysqlClearAuthMethod) HandleAuthPluginData(conn *Conn, user string, ser
 	if len(clientAuthPluginData) > 0 {
 		password = string(clientAuthPluginData[:len(clientAuthPluginData)-1])
 	}
-	return n.storage.UserEntryWithPassword(conn.GetTLSClientCerts(), user, password, remoteAddr)
+	return n.storage.UserEntryWithPassword(conn, user, password, remoteAddr)
 }
 
 type mysqlDialogAuthMethod struct {
@@ -557,7 +556,7 @@ func (n *mysqlDialogAuthMethod) AuthPluginData() ([]byte, error) {
 	return result, nil
 }
 func (n *mysqlDialogAuthMethod) HandleAuthPluginData(conn *Conn, user string, serverAuthPluginData []byte, clientAuthPluginData []byte, remoteAddr net.Addr) (Getter, error) {
-	return n.storage.UserEntryWithPassword(conn.GetTLSClientCerts(), user, string(clientAuthPluginData[:len(clientAuthPluginData)-1]), remoteAddr)
+	return n.storage.UserEntryWithPassword(conn, user, string(clientAuthPluginData[:len(clientAuthPluginData)-1]), remoteAddr)
 }
 
 type mysqlCachingSha2AuthMethod struct {
@@ -594,7 +593,7 @@ func (n *mysqlCachingSha2AuthMethod) HandleAuthPluginData(c *Conn, user string,
 		return nil, NewSQLError(ERAccessDeniedError, SSAccessDeniedError, "Access denied for user '%v'", user)
 	}
 	salt := serverAuthPluginData[:len(serverAuthPluginData)-1]
-	result, cacheState, err := n.cache.UserEntryWithCacheHash(c.GetTLSClientCerts(), salt, user, clientAuthPluginData, remoteAddr)
+	result, cacheState, err := n.cache.UserEntryWithCacheHash(c, salt, user, clientAuthPluginData, remoteAddr)
 	if err != nil {
 		return nil, err
 	}
@@ -638,7 +637,7 @@ func (n *mysqlCachingSha2AuthMethod) HandleAuthPluginData(c *Conn, user string,
 	if err != nil {
 		return nil, err
 	}
-	return n.storage.UserEntryWithPassword(c.GetTLSClientCerts(), user, password, remoteAddr)
+	return n.storage.UserEntryWithPassword(c, user, password, remoteAddr)
 }
 
 // ScrambleMysqlNativePassword computes the hash of the password using 4.1+ method.

@@ -17,7 +17,6 @@ limitations under the License.
 package mysql
 
 import (
-	"crypto/x509"
 	"flag"
 	"fmt"
 	"net"
@@ -83,7 +82,8 @@ func (asl *AuthServerClientCert) HandleUser(user string, remoteAddr net.Addr) bo
 }
 
 // UserEntryWithPassword is part of the PlaintextStorage interface
-func (asl *AuthServerClientCert) UserEntryWithPassword(userCerts []*x509.Certificate, user string, password string, remoteAddr net.Addr) (Getter, error) {
+func (asl *AuthServerClientCert) UserEntryWithPassword(conn *Conn, user string, password string, remoteAddr net.Addr) (Getter, error) {
+	userCerts := conn.GetTLSClientCerts()
 	if len(userCerts) == 0 {
 		return nil, fmt.Errorf("no client certs for connection")
 	}

@@ -17,7 +17,6 @@ limitations under the License.
 package mysql
 
 import (
-	"crypto/x509"
 	"net"
 
 	querypb "github.com/dolthub/vitess/go/vt/proto/query"
@@ -51,7 +50,7 @@ func (a *AuthServerNone) HandleUser(user string, remoteAddr net.Addr) bool {
 
 // UserEntryWithHash validates the user if it exists and returns the information.
 // Always accepts any user.
-func (a *AuthServerNone) UserEntryWithHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
+func (a *AuthServerNone) UserEntryWithHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
 	return &NoneGetter{}, nil
 }
 

@@ -19,7 +19,6 @@ package mysql
 import (
 	"bytes"
 	"crypto/subtle"
-	"crypto/x509"
 	"encoding/json"
 	"flag"
 	"net"
@@ -165,7 +164,7 @@ func (a *AuthServerStatic) HandleUser(user string, remoteAddr net.Addr) bool {
 
 // UserEntryWithPassword implements password lookup based on a plain
 // text password that is negotiated with the client.
-func (a *AuthServerStatic) UserEntryWithPassword(userCerts []*x509.Certificate, user string, password string, remoteAddr net.Addr) (Getter, error) {
+func (a *AuthServerStatic) UserEntryWithPassword(conn *Conn, user string, password string, remoteAddr net.Addr) (Getter, error) {
 	a.mu.Lock()
 	entries, ok := a.entries[user]
 	a.mu.Unlock()
@@ -183,7 +182,7 @@ func (a *AuthServerStatic) UserEntryWithPassword(userCerts []*x509.Certificate,
 
 // UserEntryWithHash implements password lookup based on a
 // mysql_native_password hash that is negotiated with the client.
-func (a *AuthServerStatic) UserEntryWithHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
+func (a *AuthServerStatic) UserEntryWithHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, error) {
 	a.mu.Lock()
 	entries, ok := a.entries[user]
 	a.mu.Unlock()
@@ -213,7 +212,7 @@ func (a *AuthServerStatic) UserEntryWithHash(userCerts []*x509.Certificate, salt
 
 // UserEntryWithCacheHash implements password lookup based on a
 // caching_sha2_password hash that is negotiated with the client.
-func (a *AuthServerStatic) UserEntryWithCacheHash(userCerts []*x509.Certificate, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error) {
+func (a *AuthServerStatic) UserEntryWithCacheHash(conn *Conn, salt []byte, user string, authResponse []byte, remoteAddr net.Addr) (Getter, CacheState, error) {
 	a.mu.Lock()
 	entries, ok := a.entries[user]
 	a.mu.Unlock()