Added xor as part of rsa encryption

Signed-off-by: S V <vats02581@gmail.com>

Author: svats0001

r2dbc-mysql/src/main/java/io/asyncer/r2dbc/mysql/InitFlow.java

@@ -615,7 +615,7 @@ private AuthResponse createAuthResponse(String phase) {
             if (serverRSAPublicKeyFile != null && sslMode.equals(SslMode.DISABLED)) {
                 return new AuthResponse(MySqlAuthProvider.rsaEncryption(authProvider.authentication(
                     password, salt, client.getContext().getClientCollation()), serverRSAPublicKeyFile,
-                    client.getContext().getServerVersion()));
+                    client.getContext().getServerVersion(), salt));
             }
             throw new R2dbcPermissionDeniedException(authFails(authProvider.getType(), phase), CLI_SPECIFIC);
         }
@@ -729,7 +729,7 @@ private HandshakeResponse createHandshakeResponse(Capability capability) {
 
         if (authProvider.isSslNecessary() && !sslCompleted && sslMode.equals(SslMode.DISABLED)) {
             authorization = MySqlAuthProvider.rsaEncryption(authorization, serverRSAPublicKeyFile,
-            client.getContext().getServerVersion());
+            client.getContext().getServerVersion(), salt);
         }
 
         String authType = authProvider.getType();

r2dbc-mysql/src/main/java/io/asyncer/r2dbc/mysql/MySqlConnectionFactoryProvider.java

@@ -343,8 +343,8 @@ public final class MySqlConnectionFactoryProvider implements ConnectionFactoryPr
 
     /**
      * Option to configure the database server's RSA Public Key file path on the local system if RSA encryption
-     * is desired such as when using caching_sha2_password authentication type while {@link SSLMode} is DISABLED. If
-     * serverRSAPublicKeyFile not {@code null} and {@link SSLMode} is not DISABLED, SSL encryption takes precedence.
+     * is desired such as when using caching_sha2_password authentication type while {@link io.asyncer.r2dbc.mysql.constant.SslMode} is DISABLED. If
+     * serverRSAPublicKeyFile not {@code null} and {@link io.asyncer.r2dbc.mysql.constant.SslMode} is not DISABLED, SSL encryption takes precedence.
      *
      * @since 1.4.2
      */

r2dbc-mysql/src/main/java/io/asyncer/r2dbc/mysql/authentication/AuthUtils.java

@@ -113,5 +113,15 @@ private static byte[] allBytesXor(byte[] left, byte[] right) {
         return left;
     }
 
+    static byte[] rotatingXor(byte[] password, byte[] seedBytes) {
+        int seedLength = seedBytes.length;
+        
+        for (int i = 0; i < password.length; i++) {
+            password[i] ^= seedBytes[i % seedLength];
+        }
+
+        return password;
+    }
+
     private AuthUtils() { }
 }

r2dbc-mysql/src/main/java/io/asyncer/r2dbc/mysql/authentication/MySqlAuthProvider.java

@@ -148,10 +148,13 @@ static MySqlAuthProvider build(String type) {
      * @param bytesToEncrypt the data to encrypt
      * @param serverRSAPublicKeyFile the file path on the local system of the database server's RSA Public Key
      * @param serverVersion the version of the MySQL server
+     * @param seed the seed bytes for rotating XOR obfuscation
      * @return the encrypted bytes
      */
-    static byte[] rsaEncryption(byte[] bytesToEncrypt, String serverRsaPublicKeyFile, ServerVersion serverVersion) {
+    static byte[] rsaEncryption(byte[] bytesToEncrypt, String serverRsaPublicKeyFile, ServerVersion serverVersion, byte[] seed) {
         try {
+            bytesToEncrypt = AuthUtils.rotatingXor(bytesToEncrypt, seed);
+
             String key = new String(Files.readAllBytes(Paths.get(serverRsaPublicKeyFile)), Charset.defaultCharset());
 
             String publicKeyPEM = key

r2dbc-mysql/src/test/java/io/asyncer/r2dbc/mysql/authentication/AuthUtilsTest.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2025 asyncer.io projects
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.asyncer.r2dbc.mysql.authentication;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+/**
+ * Unit tests for {@link AuthUtils}
+ */
+public class AuthUtilsTest {
+
+    static byte[] seedBytes;
+
+    static {
+        try {
+            seedBytes = generateSalt(20);
+        } catch (NoSuchAlgorithmException e) {
+            seedBytes = "random".getBytes();
+        }
+    }
+    
+    @Test
+    void rotatingXor() {
+        byte[] password = "abc123".getBytes();
+
+        assertDoesNotThrow(() -> AuthUtils.rotatingXor(password, seedBytes));
+    }
+
+    static byte[] generateSalt(int length) throws NoSuchAlgorithmException {
+        SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
+        byte[] salt = new byte[length];
+        sr.nextBytes(salt);
+        return salt;
+    }
+}