Details
- Task
- Status: Open
- Major
- Resolution: Unresolved
Description
The current parsec implementation description has many steps:
1. receiving an Authentication Switch Request packet with 'parsec' plugin type with a 32-byte server random scramble
2. if the ext-salt was specified in the .my.cnf, the client skips to step 4, otherwise it sends the user name (and nothing else) to the server
3. Server sends the ext-salt to the client
4. Client sends the random 32-byte scramble, and the concat(server scramble, client scramble) ed25519-signed by a secret key generated from the PBKDF2(password, ext-salt)
5. Server replies with "ok" or "access denied"
Sending an empty packet to request the ext-salt is actually mandatory (if the ext-salt is known by the connector and it goes directly to step 4, the connection fails). But rather than correcting this bug, the best would be to skip this exchange: the Authentication Switch Request's authentication plugin data field actually contains 32 bytes of data corresponding to the server random scramble, but it would be better to have this scramble + ext-salt directly, avoiding one exchange.
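The following sketch of steps 4 and 5 is an added example, not MariaDB or connector code. It shows that the client needs both the server scramble and the ext-salt before it can sign, which is why delivering them in the same packet removes a round trip. The function names, the PBKDF2 hash (HMAC-SHA512), the iteration count of 1024 and the salt and scramble values are assumptions for illustration; the description above only specifies PBKDF2(password, ext-salt) and ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// deriveKey runs PBKDF2 (RFC 8018, one output block) and uses 32 bytes as the ed25519 seed.
// Assumed here, not stated in the ticket: HMAC-SHA512 as the PRF and the iteration count.
func deriveKey(password, extSalt []byte, iters int) (ed25519.PrivateKey, ed25519.PublicKey) {
	mac := hmac.New(sha512.New, password)
	mac.Write(concat(extSalt, []byte{0, 0, 0, 1})) // salt || INT(1)
	u := mac.Sum(nil)
	t := concat(u, nil)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	priv := ed25519.NewKeyFromSeed(t[:32])
	return priv, priv.Public().(ed25519.PublicKey)
}

func concat(a, b []byte) []byte { return append(append([]byte(nil), a...), b...) }

// clientReply is step 4: a fresh 32-byte client scramble, then the signature over concat(server scramble, client scramble).
func clientReply(password, extSalt, serverScramble []byte, iters int) []byte {
	cs := make([]byte, 32)
	rand.Read(cs)
	priv, _ := deriveKey(password, extSalt, iters)
	return append(cs, ed25519.Sign(priv, concat(serverScramble, cs))...)
}

// serverVerify is step 5: the server checks the reply against the public key it stores and the scramble it issued.
func serverVerify(pub ed25519.PublicKey, serverScramble, reply []byte) bool {
	return len(reply) == 32+ed25519.SignatureSize &&
		ed25519.Verify(pub, concat(serverScramble, reply[:32]), reply[32:])
}

func main() {
	salt, ss := []byte("constructed-ext-salt"), []byte("constructed-32-byte-srv-scramble")
	_, pub := deriveKey([]byte("pw"), salt, 1024)
	fmt.Println(serverVerify(pub, ss, clientReply([]byte("pw"), salt, ss, 1024)))
}
```

Because the signature covers the server scramble, a reply captured from one handshake does not verify against the scramble of another.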
Issue Links
- relates to MDEV-32618 PARSEC Authentication Plugin (Closed)