[CONJ-663] Implement caching_sha2_password plugin Created: 2018-12-02  Updated: 2019-10-11  Resolved: 2019-09-27

Status: Closed
Project: MariaDB Connector/J
Component/s: MySQL compatibility, mysql_compatibility
Affects Version/s: 2.3.0
Fix Version/s: 2.5.0

Type: Task Priority: Critical
Reporter: Ryan Leach Assignee: Diego Dupin
Resolution: Fixed Votes: 4
Labels: None

Issue Links:
Relates
relates to CONJ-327 Handle sha256_password plugin Closed
relates to CONJS-76 Implement sha256_password support Closed
relates to CONJS-77 Implement caching_sha256_password sup... Closed
relates to MDEV-9804 Implement a sha256_password / caching... Open
relates to MXS-1325 Add sha256_password authenticator Closed
relates to ODBC-241 Add parameter that corresponds to MYS... Closed
relates to CONC-229 SHA256 authentication plugin Closed
relates to CONC-312 Implement caching_sha2_password plugin Closed

 Description   

MySQL 8.0 introduced a new authentication plugin, "caching_sha2_password", which is enabled by default and will be used as the standard plugin.

Workflow:

1) Server sends scramble packet
2) Client generates a SHA-256 hashed authentication string with the following mechanism:

digest1= sha256(password)
digest2= sha256(digest1)
digest3= sha256(digest2, scramble)
digest4= xor(digest1, digest3)
3) Client sends digest4 as authentication string

On success, the server sends a packet with length=1 and content=3. If the password was not cached, the server requires the same authentication mechanism as in sha256_password, with one small difference: the padding algorithm is PKCS1 v1.5 padding instead of OAEP.
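
The scramble workflow above, written out as an added example (not Connector/J code and not part of the original issue), together with the check a server can make when it has cached only digest2. Class and method names are hypothetical; it assumes sha256(digest2, scramble) hashes digest2 followed by the scramble, a UTF-8 password, a server-side cache of sha256(sha256(password)), and a constructed password and 20-byte scramble.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class CachingSha2Scramble {
    // SHA-256 over the concatenation of all parts, in order.
    static byte[] sha256(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    // Client side: steps 2 and 3 of the workflow; returns digest4.
    static byte[] clientResponse(byte[] password, byte[] scramble) throws Exception {
        byte[] digest1 = sha256(password);
        byte[] digest2 = sha256(digest1);
        byte[] digest3 = sha256(digest2, scramble);
        return xor(digest1, digest3);
    }

    // Server side (assumption): only digest2 is cached. The server rebuilds
    // digest3, unmasks digest1 from digest4, and checks sha256(digest1) == digest2.
    static boolean serverVerify(byte[] cachedDigest2, byte[] scramble, byte[] digest4) throws Exception {
        if (digest4.length != cachedDigest2.length) return false; // malformed response
        byte[] digest3 = sha256(cachedDigest2, scramble);
        byte[] recoveredDigest1 = xor(digest4, digest3);
        return MessageDigest.isEqual(sha256(recoveredDigest1), cachedDigest2);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] scramble = new byte[20]; // constructed sample scramble
        rnd.nextBytes(scramble);
        byte[] password = "example-password".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] cached = sha256(sha256(password));
        byte[] response = clientResponse(password, scramble);
        System.out.println("correct password accepted: " + serverVerify(cached, scramble, response));
        byte[] wrong = clientResponse("wrong".getBytes(StandardCharsets.UTF_8), scramble);
        System.out.println("wrong password accepted: " + serverVerify(cached, scramble, wrong));
        byte[] other = new byte[20]; // a second connection gets a different scramble
        rnd.nextBytes(other);
        System.out.println("old response accepted under new scramble: " + serverVerify(cached, other, response));
    }
}
```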



 Comments   
Comment by Varun Agrawal [ 2019-02-20 ]

Is this in progress?

Comment by balyn [ 2019-04-10 ]

Guys, why does mariadb-connector-odbc not exist in the MariaDB CentOS repo?

Comment by Geoff Montee (Inactive) [ 2019-04-10 ]

omavel,

We don't build RPMs for MariaDB Connector/ODBC yet. That is tracked at ODBC-153.

To install MariaDB Connector/ODBC on Linux, see here:

https://mariadb.com/kb/en/library/about-mariadb-connector-odbc/#installing-mariadb-connectorodbc-on-linux

Comment by balyn [ 2019-04-10 ]

Thank you for the answer! Will wait for rpm

Comment by Yanming Zhou [ 2019-10-10 ]

mariadb-java-client-2.5.0 and 8.0.17 MySQL Community Server

Caused by: java.sql.SQLException: Protocol exchange error. Expect login success or RSA login request message
	at org.mariadb.jdbc.internal.com.send.authentication.CachingSha2PasswordPlugin.process(CachingSha2PasswordPlugin.java:207)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.authenticationHandler(AbstractConnectProtocol.java:703)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.createConnection(AbstractConnectProtocol.java:507)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1236)
	... 6 more

buffer.getByteAt(1) returns unexpected 25

Comment by Diego Dupin [ 2019-10-10 ]

Can you provide some other information? Windows/Linux, connection string ... ?

Comment by Diego Dupin [ 2019-10-10 ]

And if you can retry with SNAPSHOT repository :

<repositories>
    <repository>
        <id>sonatype-nexus-snapshots</id>
        <name>Sonatype Nexus Snapshots</name>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    </repository>
</repositories>
 
<dependencies>
    <dependency>
        <groupId>org.mariadb.jdbc</groupId>
        <artifactId>mariadb-java-client</artifactId>
        <version>2.5.1-SNAPSHOT</version>
    </dependency>
</dependencies>

The error will now log the packet in case of unexpected protocol. That would help a lot.

Comment by Yanming Zhou [ 2019-10-11 ]

import java.sql.Connection;
import java.sql.DriverManager;

public class Main {
 
	public static void main(String[] args) throws Exception {
		// Connects as root with an empty password, TLS disabled.
		try (Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/test?useSSL=false", "root", "")) {
			System.out.println(conn.getMetaData().getDatabaseProductName());
		}
	}
 
}

Oracle JDK 1.8.0_221, macOS Mojave, mysql 8.0.17 run with docker, works fine with mysql-connector-java.
Upgrade to 2.5.1-snapshot, same error message.

Comment by Diego Dupin [ 2019-10-11 ]

OK, reproduced.
Issue https://jira.mariadb.org/browse/CONJ-737 created. Driver doesn't return the server message when fast authentication returns an error, but this "Expect login success or RSA login request message".
