Re: Server plugin authentication for non-plugin capable client
Posted by: Yuriy Vasylchenko
Date: November 29, 2012 09:04PM

In case somebody needs the same thing:
1. An absolute prerequisite - the server-side plugin must "know" the digests (without nonce/salt) of users' passwords, i.e. sha1(sha1(passwd)), to be able to perform the authentication. Since there's no client-side plugin, the server plugin must mimic the original mysqld behavior.
2. st_mysql_auth::client_auth_plugin for the server plugin should be "mysql_native_password".
3. In sql/sql_acl.cc the "old client" cases (mpvio->client_capabilities & CLIENT_PLUGIN_AUTH) in two places next to lines 8223 and 8815 (v5.5.28) need special handling - if the server uses a non-default plugin, but the expected client is "native". This is not a perfect solution, but it is the least intrusive one I was able to find.
4. The server plugin needs to access the members in 'struct MPVIO_EXT' and 'class ACL_USER' - their definitions along with extra dependencies can be extracted from sql/sql_acl.cc.
5. mpvio->cached_client_reply can immediately be processed by the st_mysql_auth::authenticate_user handler - without any extra interactions with the client.
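
The check that items 1 and 5 rely on, as an added example that is not part of the original post and not MySQL's or the poster's code: it shows how a mysql_native_password reply can be verified from the stored sha1(sha1(passwd)) digest alone. It is written in Python to show the arithmetic; the function names are hypothetical, and how a plugin obtains the scramble and mpvio->cached_client_reply is not modelled.

```python
import hashlib
import hmac

SCRAMBLE_LEN = 20  # mysql_native_password nonce and reply are both 20 bytes


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_digest(password: str) -> bytes:
    """What the server plugin must know (item 1): sha1(sha1(passwd)), no nonce."""
    return sha1(sha1(password.encode()))


def client_reply(password: str, scramble: bytes) -> bytes:
    """What a native client sends: sha1(pw) XOR sha1(scramble + sha1(sha1(pw)))."""
    stage1 = sha1(password.encode())
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def check_reply(reply: bytes, scramble: bytes, digest: bytes) -> bool:
    """Server-side check using only the stored digest (hypothetical helper)."""
    if len(reply) != SCRAMBLE_LEN or len(scramble) != SCRAMBLE_LEN:
        # Assumption of this sketch: empty or malformed replies never pass.
        return False
    # Undo the mask to recover the candidate sha1(pw), then hash it once more.
    mask = sha1(scramble + digest)
    stage1 = bytes(a ^ b for a, b in zip(reply, mask))
    # Constant-time comparison against the stored sha1(sha1(pw)).
    return hmac.compare_digest(sha1(stage1), digest)


if __name__ == "__main__":
    scramble = bytes(range(SCRAMBLE_LEN))   # constructed nonce for the demo
    digest = stored_digest("s3cret")        # constructed password
    good = client_reply("s3cret", scramble)
    bad = client_reply("guess", scramble)
    print("correct password:", check_reply(good, scramble, digest))
    print("wrong password:  ", check_reply(bad, scramble, digest))
    print("replayed reply:  ", check_reply(good, bytes(SCRAMBLE_LEN), digest))
```

Because the stored digest is enough to verify a reply, the table holding it needs the same protection as the mysql.user password column.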
