Connecting

You are viewing an old version of this article. View the current version here.

Connection is done by many exchanges:

  • (Create socket)
  • Server sends Initial handshake packet
  • If SSL/TLS connection
    • Client sends SSLRequest packet and switches to SSL mode for sending and receiving the following messages:
  • Client sends Handshake response packet
  • Server sends either:
    • An OK packet in case of success OK_Packet
    • An error packet in case of error ERR_Packet
    • Authentication switch
      • If the client or server doesn't have PLUGIN_AUTH capability:
        • Server sends 0xFE byte
        • Client sends old_password
      • else
      • Authentication switch ends with server sending either OK_Packet or ERR_Packet



Initial handshake packet

  • int<1> protocol version
  • string<NUL> server version (MariaDB server version is by default prefixed by "5.5.5-")
  • int<4> connection id
  • string<8> scramble 1st part (authentication seed)
  • string<1> reserved byte
  • int<2> server capabilities (1st part)
  • int<1> server default collation
  • int<2> status flags
  • int<2> server capabilities (2nd part)
  • int<1> length of scramble's 2nd part
  • if (server_capabilities & PLUGIN_AUTH)
  • else
  • string<6> filler
  • if (server_capabilities & CLIENT_MYSQL)
  • else
  • if (server_capabilities & CLIENT_SECURE_CONNECTION)
    • string<n> scramble 2nd part . Length = max(12, plugin data length - 9)
    • string<1> reserved byte
  • if (server_capabilities & PLUGIN_AUTH)



Client handshake response

If the client requests a TLS/SSL connection, first response will be an SSL connection request packet, then a handshake response packet. If no TLS is required, client send directly a handshake response packet.

SSLRequest packet



Handshake response packet

  • int<4> client capabilities
  • int<4> max packet size
  • int<1> client character collation
  • string<19> reserved
  • if not (server_capabilities & CLIENT_MYSQL)
    • int<4> extended client capabilities
  • else
  • string<NUL> username
  • if (server_capabilities & PLUGIN_AUTH_LENENC_CLIENT_DATA)
  • else if (server_capabilities & CLIENT_SECURE_CONNECTION)
    • int<1> length of authentication response
    • string<fix> authentication response (length is indicated by previous field)
  • else
  • if (server_capabilities & CLIENT_CONNECT_WITH_DB)
  • if (server_capabilities & CLIENT_PLUGIN_AUTH)
  • if (server_capabilities & CLIENT_CONNECT_ATTRS)

Authentication switch request

(If client and server support CLIENT_AUTH capability)



Plugin list



plugin "mysql_old_password"

deprecated
send a 8 byte encrypted password

authentication plugin data format :

Client response :



plugin "mysql_clear_password"

deprecated
send clear password to server

Client response :



plugin "mysql_native_password"

SHA-1 encrypted password with server seed

authentication plugin data format :

Client response :

TODO describe encryption



plugin "dialog"

Interractive exchanges to permit fill passwords - for example for 2-Step authentication.

Server can send one or many request, each containing a prompt in string<EOF> format. For each of them, client must display this prompt to user, to permit user to type requested informations, then send it to server in string<NUL> format.

First prompt value is contain in Authentication plugin data ( in string<EOF> format).

This end when server send an EOF_Packet, OK_Packet or ERROR_packet.



plugin "auth_gssapi_client"

gssapi implementation

authentication plugin data format :

Client must exchange packet with server untail having a mutual |https:en.wikipedia.org/wiki/Generic_Security_Services_Application_Program_Interface authentication. The only difference compare to standard client-server GSSAPI authentication is that exchanges contain standard protocol with packet headers.



Capabilities

Server and Client have different capabilities, here is the possibles values.
client with capabilities CLIENT_MYSQL + CONNECT_WITH_DB will have a value of 9 (1 + 8).

CLIENT_MYSQL1
FOUND_ROWS2
CONNECT_WITH_DB8One can specify db on connect
COMPRESS32Can use compression protocol
LOCAL_FILES128Can use LOAD DATA LOCAL
IGNORE_SPACE256Ignore spaces before '('
CLIENT_PROTOCOL_411 << 94.1 protocol
CLIENT_INTERACTIVE1 << 10
SSL1 << 11Can use SSL
TRANSACTIONS1 << 12
SECURE_CONNECTION1 << 134.1 authentication
MULTI_STATEMENTS1 << 16Enable/disable multi-stmt support
MULTI_RESULTS1 << 17Enable/disable multi-results
PS_MULTI_RESULTS1 << 18Enable/disable multi-results for PrepareStatement
PLUGIN_AUTH1 << 19Client supports plugin authentication
CONNECT_ATTRS1 << 20Client send connection attributes
PLUGIN_AUTH_LENENC_CLIENT_DATA1 << 21Enable authentication response packet to be larger than 255 bytes
CLIENT_SESSION_TRACK1 << 23Enable/disable session tracking in OK_Packet
CLIENT_DEPRECATE_EOF1 << 24EOF_Packet deprecation :
* OK_Packet replace EOF_Packet in end of Resulset when in text format
* EOF_Packet between columns definition and resultsetRows is deleted
MARIADB_CLIENT_PROGRESS1 << 32Client support progress indicator (since 10.2)
MARIADB_CLIENT_COM_MULTI1 << 33Permit COM_MULTI protocol
MARIADB_CLIENT_STMT_BULK_OPERATIONS1 << 34Permit bulk insert


Native password authentication

The 20 byte string 'seed' is calculated by concatenating scramble first part (8 bytes) and scramble second part from Initial handshake packet. After that, the client calculates a password hash using the password and seed by using ^ (bitwise xor), + (string concatenation) and SHA1 as follows:

SHA1( passwd) ^ SHA1( seed + SHA1( SHA1( passwd ) ) )

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.