[CONC-229] SHA256 authentication plugin Created: 2017-01-27  Updated: 2019-05-20  Resolved: 2017-05-08

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.2

Type: Task Priority: Major
Reporter: Georg Richter Assignee: Georg Richter
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to CONJ-327 Handle sha256_password plugin Closed
relates to CONJ-663 Implement caching_sha2_password plugin Closed
relates to CONJS-76 Implement sha256_password support Closed
relates to CONJS-77 Implement caching_sha256_password sup... Closed
relates to MXS-1325 Add sha256_password authenticator Closed
relates to ODBC-241 Add parameter that corresponds to MYS... Closed
relates to CONC-312 Implement caching_sha2_password plugin Closed
relates to MDEV-9804 Implement a sha256_password / caching... Open

 Description   

Provide an authentication plugin which supports authentication via SHA256 password.
SHA256 authentication is not used if a TLS connection was established before, or if the password is empty.

Protocol for sha256 authentication.

  1. server sends 2nd scramble packet to client (length = SCRAMBLE_LENGTH)
  2. if server public key was not specified via mysql_options, client will send 0x01 to server
  3. server will return its public key in PEM format.
  4. client xors password with scramble packet
  5. client encrypts the xored password with server public key (server requires OAEP padding)
  6. client sends encrypted password to server
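
Steps 4 to 6 as a stdlib-only sketch; this is an added example, not code from Connector/C or from the commit referenced in this issue. Assumptions: OAEP uses SHA-1 with MGF1 (as in OpenSSL's RSA_PKCS1_OAEP_PADDING), the password is NUL-terminated before the XOR, the scramble repeats for longer passwords, and the RSA key is a constructed, insecure toy key standing in for the server's; all function names are hypothetical.

```python
import hashlib
import os

H_LEN = hashlib.sha1().digest_size  # OAEP hash: SHA-1 (assumed, see lead-in)
# Constructed toy key built from two Mersenne primes: NOT secure, it only
# stands in for the server's RSA key so the exchange runs offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def xor_with_scramble(data, scramble):
    # Step 4: the scramble repeats when the password is longer (assumed).
    return bytes(c ^ scramble[i % len(scramble)] for i, c in enumerate(data))

def mgf1(seed, length):
    blocks = (hashlib.sha1(seed + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // H_LEN)))
    return b"".join(blocks)[:length]

def oaep_encode(msg, k):
    # RFC 8017 EME-OAEP with an empty label; max payload is k - 2*hLen - 2.
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("password too long for this key size")
    seed = os.urandom(H_LEN)
    pad = bytes(k - len(msg) - 2 * H_LEN - 2)
    db = hashlib.sha1(b"").digest() + pad + b"\x01" + msg
    masked_db = xor_bytes(db, mgf1(seed, len(db)))
    masked_seed = xor_bytes(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em):
    # Server side, included only so the round trip can be checked.
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, H_LEN))
    db = xor_bytes(masked_db, mgf1(seed, len(masked_db)))
    body = db[H_LEN:].lstrip(b"\x00")
    if em[0] or db[:H_LEN] != hashlib.sha1(b"").digest() or body[:1] != b"\x01":
        raise ValueError("decryption error")
    return body[1:]

def client_auth_packet(password, scramble):
    # Steps 4-6: XOR the NUL-terminated password (assumed), pad, encrypt.
    em = oaep_encode(xor_with_scramble(password.encode() + b"\x00", scramble), K)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def server_recover(packet, scramble):
    em = pow(int.from_bytes(packet, "big"), D, N).to_bytes(K, "big")
    return xor_with_scramble(oaep_decode(em), scramble)[:-1].decode()
```

Because the OAEP seed is random, two packets for the same password and scramble differ, and the payload limit of k - 42 bytes bounds the password length for a given key size.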


 Comments   
Comment by Georg Richter [ 2017-02-10 ]

OAEP padding is supported by OpenSSL and Windows Crypto provider, but not by GnuTLS.
FreeTDS has an alternative implementation licensed under LGPL (using GnuTLS/nettle).

Comment by Georg Richter [ 2017-05-08 ]

rev. commit 5c4cf7a9b602db558c8c9d1cd720cdb607313e4a

Generated at Thu Feb 08 03:03:48 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.