# Connecting via caching\_sha2\_password

## Overview

Caching `SHA256` authentication starts with the client sending a `SHA256`-encrypted password. The MySQL server keeps an in-memory cache of `SHA256` digests for users who have already authenticated successfully. When the cache contains a matching entry, the connection is validated immediately; when it does not, the exchange continues with additional steps similar to [sha256\_password](https://mariadb.com/docs/server/reference/clientserver-protocol/1-connecting/sha256_password-plugin).

Possible exchanges in caching SHA256 authentication:

* Client sends an [SHA-2 encrypted password](#sha-2-encrypted-password).
* Server result is either [OK\_Packet](https://mariadb.com/docs/server/reference/clientserver-protocol/4-server-response-packets/ok_packet), [ERR\_Packet](https://mariadb.com/docs/server/reference/clientserver-protocol/4-server-response-packets/err_packet), or ["fast" authentication result](#fast-authentication-result).
* If fast authentication result:
  * If connection uses SSL ([SSLRequest](https://mariadb.com/docs/server/reference/clientserver-protocol/connection#sslrequest-packet) Packet sent):
    * Client sends a [clear password answer](#client-clear-password-answer).
  * Else:
    * If client doesn't know server RSA public key:
      * Client sends a [public key request](#public-key-request).
      * Server sends a [public key response](#public-key-response).
    * Client sends an [RSA encrypted password](#rsa-encrypted-password).
    * Ends with the server sending either [OK\_Packet](https://mariadb.com/docs/server/reference/clientserver-protocol/4-server-response-packets/ok_packet) or [ERR\_Packet](https://mariadb.com/docs/server/reference/clientserver-protocol/4-server-response-packets/err_packet).

## Authentication

### SHA-2 Encrypted Password

The encrypted password is computed as `XOR`(`SHA256`(password), `SHA256`(seed, `SHA256`(`SHA256`(password)))).

* [byte<32>](https://mariadb.com/docs/server/reference/protocol-data-types#fixed-length-bytes) encrypted password.
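The following added example (not code from the MariaDB documentation or from any connector) shows both halves of the fast path: the client computes the 32-byte value from the formula above, and the server checks it against the only thing it keeps in its cache, `SHA256`(`SHA256`(password)). It assumes the inner hash is taken over the stage-2 digest followed by the 20-byte seed from the initial handshake, and that a cache miss or a mismatch leads to the `0x04` "continue" result rather than an immediate error. The sample password, seed and cache contents are constructed for the example.

```python
import hashlib
import hmac

FAST_AUTH_SUCCESS = 0x03   # cache hit and scramble verified
FAST_AUTH_CONTINUE = 0x04  # server falls back to the full exchange


def sha256(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of all parts."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_scramble(password: bytes, seed: bytes) -> bytes:
    """Client side: the byte<32> value sent in the first authentication packet.

    XOR(SHA256(password), SHA256(SHA256(SHA256(password)) || seed))
    Assumption: the second hash covers the stage-2 digest followed by the seed.
    """
    stage1 = sha256(password)          # SHA256(password)
    stage2 = sha256(stage1)            # SHA256(SHA256(password))
    return xor_bytes(stage1, sha256(stage2, seed))


def cache_entry_for(password: bytes) -> bytes:
    """What the server stores in its in-memory cache after a successful login:
    the stage-2 digest, never the password or the stage-1 digest."""
    return sha256(sha256(password))


def server_fast_check(cached_stage2: bytes, seed: bytes, scramble: bytes) -> bool:
    """Server side: recover stage1 by XORing out the seed-dependent mask, then
    confirm that hashing it once more reproduces the cached stage-2 digest."""
    if len(scramble) != 32:
        return False
    stage1 = xor_bytes(scramble, sha256(cached_stage2, seed))
    return hmac.compare_digest(sha256(stage1), cached_stage2)


def fast_auth_result(cache: dict, user: str, seed: bytes, scramble: bytes) -> int:
    """Decide the 'fast' authentication result byte for one login attempt."""
    entry = cache.get(user)
    if entry is not None and server_fast_check(entry, seed, scramble):
        return FAST_AUTH_SUCCESS
    return FAST_AUTH_CONTINUE


if __name__ == "__main__":
    # Constructed sample data: a 20-byte seed and a cache with one entry.
    seed = bytes(range(20))
    cache = {"app": cache_entry_for(b"correct horse")}
    good = client_scramble(b"correct horse", seed)
    bad = client_scramble(b"wrong", seed)
    print(hex(fast_auth_result(cache, "app", seed, good)))     # 0x3
    print(hex(fast_auth_result(cache, "app", seed, bad)))      # 0x4
    print(hex(fast_auth_result(cache, "nobody", seed, good)))  # 0x4, no cache entry
```

Because the mask depends on the seed, the same password produces a different 32-byte value on every connection, and the cached stage-2 digest alone is not enough to forge one without knowing the stage-1 digest.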

### "Fast" Authentication Result

Result of fast authentication.

* [byte\<lenenc>](https://mariadb.com/docs/server/reference/protocol-data-types#length-encoded-bytes) authentication result.

`0x03` means authentication succeeded.\
`0x04` means the client must continue with the full exchange.

### Client Clear Password Answer

* [string\<NUL>](https://mariadb.com/docs/server/reference/protocol-data-types#null-terminated-strings) password without encryption.

### Public Key Request

{% hint style="warning" %}
The value sent is `0x02`, not the `0x01` that sha256\_password uses.
{% endhint %}

* [byte<1>](https://mariadb.com/docs/server/reference/protocol-data-types#fixed-length-bytes) fixed 0x02 value.

### Public Key Response

* [byte<1>](https://mariadb.com/docs/server/reference/protocol-data-types#fixed-length-bytes) fixed 0x01 value.
* [byte\<EOF>](https://mariadb.com/docs/server/reference/protocol-data-types#end-of-file-length-bytes) public key data.

### RSA Encrypted Password

* [byte<256>](https://mariadb.com/docs/server/reference/protocol-data-types#fixed-length-bytes) RSA encrypted password.

This is `XOR`(password, seed) encrypted with the server's public key using `RSA_PKCS1_OAEP_PADDING`.
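As an added example (not code from the MariaDB documentation or from any connector), the client-side state machine below consumes the server packets described in this section and produces the next client packet: the `0x03`/`0x04` result parsed as a length-encoded value, the clear password sent only when the connection is under TLS, the `0x02` public key request, the `0x01`-prefixed public key response, and the `XOR`(password, seed) buffer that is then RSA-OAEP encrypted. The RSA step is delegated to a caller-supplied `rsa_oaep_encrypt` callable (a hypothetical parameter, in practice backed by a crypto library), so the example runs offline; it also assumes the password is NUL-terminated and the seed is repeated to cover it, as in sha256\_password. All packet bytes in the usage section are constructed samples.

```python
import itertools
from typing import Callable, Optional, Tuple

OK_PACKET, ERR_PACKET, AUTH_MORE_DATA = 0x00, 0xFF, 0x01
FAST_AUTH_SUCCESS, FAST_AUTH_CONTINUE = 0x03, 0x04
PUBLIC_KEY_REQUEST = b"\x02"  # caching_sha2_password uses 0x02 (sha256_password uses 0x01)


def read_lenenc(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Decode a length-encoded integer; returns (value, offset after it)."""
    first = buf[pos]
    if first < 0xFB:
        return first, pos + 1
    width = {0xFC: 2, 0xFD: 3, 0xFE: 8}.get(first)
    if width is None:
        raise ValueError("not a length-encoded integer")
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def xor_with_seed(data: bytes, seed: bytes) -> bytes:
    """XOR(password, seed) with the seed cycled to cover the data (assumption)."""
    return bytes(a ^ b for a, b in zip(data, itertools.cycle(seed)))


class CachingSha2Client:
    """Client side of the exchange after the SHA-2 encrypted password was sent."""

    def __init__(self, password: bytes, seed: bytes, tls: bool,
                 rsa_oaep_encrypt: Callable[[bytes, bytes], bytes],
                 public_key: Optional[bytes] = None):
        self.password, self.seed, self.tls = password, seed, tls
        self.rsa_oaep_encrypt = rsa_oaep_encrypt  # hypothetical: RSA_PKCS1_OAEP_PADDING with server key
        self.public_key = public_key
        self.state = "sent_scramble"

    def _rsa_step(self) -> bytes:
        self.state = "sent_rsa_password"
        plain = xor_with_seed(self.password + b"\x00", self.seed)
        return self.rsa_oaep_encrypt(self.public_key, plain)

    def handle(self, payload: bytes) -> Optional[bytes]:
        """Consume one server payload; return the bytes to send next, or None."""
        if not payload:
            raise ValueError("empty packet")
        tag = payload[0]
        if tag == OK_PACKET:
            self.state = "authenticated"
            return None
        if tag == ERR_PACKET:
            self.state = "failed"
            return None
        if tag != AUTH_MORE_DATA:
            raise ValueError(f"unexpected packet type 0x{tag:02x}")
        if self.state == "sent_public_key_request":
            # Public key response: byte<1> fixed 0x01, then byte<EOF> key data.
            self.public_key = payload[1:]
            return self._rsa_step()
        # "Fast" authentication result: byte<lenenc> of length 1 holding 0x03 or 0x04.
        n, pos = read_lenenc(payload)
        if n != 1 or len(payload) != pos + 1:
            raise ValueError("malformed fast authentication result")
        result = payload[pos]
        if result == FAST_AUTH_SUCCESS:
            self.state = "fast_ok"  # server completes with an OK_Packet or ERR_Packet
            return None
        if result != FAST_AUTH_CONTINUE:
            raise ValueError(f"unknown fast authentication result 0x{result:02x}")
        if self.tls:
            self.state = "sent_clear_password"
            return self.password + b"\x00"  # string<NUL>, only under TLS
        if self.public_key is None:
            self.state = "sent_public_key_request"
            return PUBLIC_KEY_REQUEST
        return self._rsa_step()


if __name__ == "__main__":
    # Constructed sample run over a plain (non-TLS) connection with no known key.
    fake_rsa = lambda key, data: b"RSA(" + key + b")" + data  # stand-in for OAEP
    client = CachingSha2Client(b"pw", bytes(range(20)), tls=False, rsa_oaep_encrypt=fake_rsa)
    print(client.handle(b"\x01\x04"))                           # b'\x02' (public key request)
    print(client.handle(b"\x01-----BEGIN PUBLIC KEY-----"))     # RSA(...) over XOR(password, seed)
    print(client.handle(b"\x00"), client.state)                 # None authenticated
```

The clear password can only ever leave `handle` when `tls` is true, which is the property a connector implementation should preserve: without TLS the client must go through the public key exchange, and a client that has not yet received a key must not treat a stray `0x01` packet as one.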

<sub>*This page is licensed: CC BY-SA / Gnu FDL*</sub>

