Details
- Task
- Status: Closed
- Critical
- Resolution: Fixed
Description
MySQL 8.0 introduced a new authentication plugin, "caching_sha2_password", which is enabled by default and will be used as the standard plugin.
Workflow:
1) Server sends scramble packet
2) Client generates a sha256 hashed authentication string with the following mechanism:
    digest1= sha256(password)
    digest2= sha256(digest1)
    digest3= sha256(digest2, scramble)
    digest4= xor(digest1, digest3)
3) Client sends digest4 as authentication string
On success the server sends a packet with length=1 and content=3. In case the password was not cached, the server requires the same authentication mechanism as in sha256_password with a little difference: the padding algorithm is PKCS1 v1.5 padding instead of OAEP.
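The digest chain from the workflow above, worked through as an added Python example (not code from this issue or from Connector/C). The server-side check against a cached digest2 and the 20-byte scramble length are assumptions not stated in the description, and the password is a constructed sample value.

```python
import hashlib
import hmac
import os


def sha256(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of all parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_auth_string(password: bytes, scramble: bytes) -> bytes:
    """Steps 2 and 3 of the workflow: derive digest4 from password and scramble."""
    digest1 = sha256(password)
    digest2 = sha256(digest1)
    digest3 = sha256(digest2, scramble)
    return xor(digest1, digest3)


def server_fast_check(cached_digest2: bytes, scramble: bytes, digest4: bytes) -> bool:
    """Assumed server-side check, given a cached digest2 = sha256(sha256(password)).

    xor(digest4, digest3) recovers digest1; hashing it once must yield digest2.
    """
    if len(digest4) != hashlib.sha256().digest_size:
        return False  # malformed authentication string
    digest3 = sha256(cached_digest2, scramble)
    candidate_digest1 = xor(digest4, digest3)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(sha256(candidate_digest1), cached_digest2)


if __name__ == "__main__":
    password = b"constructed-example-password"  # constructed sample value
    scramble = os.urandom(20)                   # assumed 20-byte server scramble
    cache_entry = sha256(sha256(password))      # what the server cache would hold
    token = client_auth_string(password, scramble)
    print("accepted:", server_fast_check(cache_entry, scramble, token))
    # The same token checked against a fresh scramble must be rejected.
    print("replay accepted:", server_fast_check(cache_entry, os.urandom(20), token))
```

The check succeeds without the server ever holding the password or digest1 at rest, and a captured digest4 does not verify against a different scramble.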
Attachments
Issue Links
- relates to
  - CONC-229 SHA256 authentication plugin (Closed)
  - CONJ-327 Handle sha256_password plugin (Closed)
  - CONJ-663 Implement caching_sha2_password plugin (Closed)
  - CONJS-76 Implement sha256_password support (Closed)
  - CONJS-77 Implement caching_sha256_password support (Closed)
  - MDEV-9804 Implement a caching_sha256_password plugin (Open)
  - MXS-1325 Add sha256_password authenticator (Closed)
  - ODBC-241 Add parameter that corresponds to MYSQL_SERVER_PUBLIC_KEY option from MariaDB Connector/C (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Status | Open [ 1 ] | In Progress [ 3 ] |
Assignee | Georg Richter [ georg ] | Vladislav Vaintroub [ wlad ] |
Status | In Progress [ 3 ] | In Review [ 10002 ] |
Assignee | Vladislav Vaintroub [ wlad ] | Georg Richter [ georg ] |
Status | In Review [ 10002 ] | Stalled [ 10000 ] |
Fix Version/s | 3.0.5 [ 23023 ] | |
Fix Version/s | 3.0.4 [ 22922 ] |
Resolution | Won't Fix [ 2 ] | |
Status | Stalled [ 10000 ] | Closed [ 6 ] |
Resolution | Won't Fix [ 2 ] | |
Status | Closed [ 6 ] | Stalled [ 10000 ] |
Fix Version/s | 3.1.0 [ 22519 ] | |
Fix Version/s | 3.0.5 [ 23023 ] |
Status | Stalled [ 10000 ] | In Progress [ 3 ] |
Priority | Major [ 3 ] | Critical [ 2 ] |
issue.field.resolutiondate | 2018-10-10 13:51:08.0 | 2018-10-10 13:51:08.722 |
Resolution | Fixed [ 1 ] | |
Status | In Progress [ 3 ] | Closed [ 6 ] |
Fix Version/s | 3.0.8 [ 23233 ] |
Workflow | MariaDB connectors [ 85671 ] | MariaDB v4 [ 161100 ] |