Support mysql_clear_password auth switch. Fixes #268

For safety, sending the password in cleartext requires a secure
connection.

Author: bgrainger

src/MySqlConnector/Serialization/ConnectionSettings.cs

@@ -59,9 +59,10 @@ public ConnectionSettings(MySqlConnectionStringBuilder csb)
 			UseCompression = csb.UseCompression;
 		}
 
-		public ConnectionSettings WithUseCompression(bool useCompression) => new ConnectionSettings(this, useCompression);
+		public ConnectionSettings WithSecureConnection(bool isSecureConnection) => new ConnectionSettings(this, isSecureConnection: isSecureConnection);
+		public ConnectionSettings WithUseCompression(bool useCompression) => new ConnectionSettings(this, useCompression: useCompression);
 
-		private ConnectionSettings(ConnectionSettings other, bool? useCompression)
+		private ConnectionSettings(ConnectionSettings other, bool? useCompression = null, bool? isSecureConnection = null)
 		{
 			// Base Options
 			ConnectionString = other.ConnectionString;
@@ -77,6 +78,7 @@ private ConnectionSettings(ConnectionSettings other, bool? useCompression)
 			SslMode = other.SslMode;
 			CertificateFile = other.CertificateFile;
 			CertificatePassword = other.CertificatePassword;
+			IsSecureConnection = isSecureConnection ?? other.IsSecureConnection;
 
 			// Connection Pooling Options
 			Pooling = other.Pooling;
@@ -115,6 +117,7 @@ private ConnectionSettings(ConnectionSettings other, bool? useCompression)
 		internal readonly MySqlSslMode SslMode;
 		internal readonly string CertificateFile;
 		internal readonly string CertificatePassword;
+		internal readonly bool IsSecureConnection;
 
 		// Connection Pooling Options
 		internal readonly bool Pooling;

src/MySqlConnector/Serialization/MySqlSession.cs

@@ -231,6 +231,7 @@ public async Task ConnectAsync(ConnectionSettings cs, IOBehavior ioBehavior, Can
 				if (!serverSupportsSsl)
 					throw new MySqlException("Server does not support SSL");
 				await InitSslAsync(initialHandshake.ProtocolCapabilities, cs, ioBehavior, cancellationToken).ConfigureAwait(false);
+				cs = cs.WithSecureConnection(true);
 			}
 
 			var response = HandshakeResponse41Packet.Create(initialHandshake, cs);
@@ -286,12 +287,25 @@ private async Task SwitchAuthenticationAsync(PayloadData payload, ConnectionSett
 		{
 			// if the server didn't support the hashed password; rehash with the new challenge
 			var switchRequest = AuthenticationMethodSwitchRequestPayload.Create(payload);
-			if (switchRequest.Name != "mysql_native_password")
+			switch (switchRequest.Name)
+			{
+			case "mysql_native_password":
+				AuthPluginData = switchRequest.Data;
+				var hashedPassword = AuthenticationUtility.CreateAuthenticationResponse(AuthPluginData, 0, cs.Password);
+				payload = new PayloadData(new ArraySegment<byte>(hashedPassword));
+				await SendReplyAsync(payload, ioBehavior, cancellationToken).ConfigureAwait(false);
+				break;
+
+			case "mysql_clear_password":
+				if (!cs.IsSecureConnection)
+					throw new MySqlException("Authentication method '{0}' requires a secure connection.".FormatInvariant(switchRequest.Name));
+				payload = new PayloadData(new ArraySegment<byte>(Encoding.UTF8.GetBytes(cs.Password)));
+				await SendReplyAsync(payload, ioBehavior, cancellationToken).ConfigureAwait(false);
+				break;
+
+			default:
 				throw new NotSupportedException("Authentication method '{0}' is not supported.".FormatInvariant(switchRequest.Name));
-			AuthPluginData = switchRequest.Data;
-			var hashedPassword = AuthenticationUtility.CreateAuthenticationResponse(AuthPluginData, 0, cs.Password);
-			payload = new PayloadData(new ArraySegment<byte>(hashedPassword));
-			await SendReplyAsync(payload, ioBehavior, cancellationToken).ConfigureAwait(false);
+			}
 		}
 
 		public async Task<bool> TryPingAsync(IOBehavior ioBehavior, CancellationToken cancellationToken)