Connecting
Connection is done by many exchanges:
- (create socket)
- server sends Initial handshake packet
- if SSL/TLS connection
  - client sends SSLRequest packet and switches to SSL mode for sending and receiving the following messages
- client sends Handshake response packet
- server sends either
  - an OK packet in case of success (OK_Packet)
  - an error packet in case of error (ERR_Packet)
  - authentication switch
    - if client or server doesn't have PLUGIN_AUTH capability
      - server sends 0xFE byte
      - client sends old_password
    - else
      - server sends Authentication switch request
      - client may have many exchanges with server according to [[#plugin-list|Plugin]]
    - authentication switch ends with server sending either OK_Packet or ERR_Packet
Initial handshake packet
- int<1> protocol version
- string<NUL> server version (MariaDB server version is by default prefixed by "5.5.5-")
- int<4> connection id
- string<8> scramble 1st part (authentication seed)
- string<1> reserved byte
- int<2> server capabilities (1st part)
- int<1> server default collation
- int<2> status flags
- int<2> server capabilities (2nd part)
- int<1> length of scramble's 2nd part
  - if (server_capabilities & PLUGIN_AUTH)
    - int<1> plugin data length
  - else
    - int<1> 0x00
- string<6> filler
- if (server_capabilities & CLIENT_MYSQL)
  - string<4> filler
- else
  - int<4> server capabilities 3rd part. MariaDB specific flags /* MariaDB 10.2 or later */
- if (server_capabilities & CLIENT_SECURE_CONNECTION)
- if (server_capabilities & PLUGIN_AUTH)
  - string<NUL> authentication plugin name
Client handshake response
If the client requests a TLS/SSL connection, its first response is an SSLRequest packet, followed by a handshake response packet. If no TLS is required, the client sends a handshake response packet directly.
SSLRequest packet
Handshake response packet
- int<4> client capabilities
- int<4> max packet size
- int<1> client character collation
- string<19> reserved
- if not (server_capabilities & CLIENT_MYSQL)
  - int<4> extended client capabilities
- else
  - string<4> reserved
- string<NUL> username
- if (server_capabilities & PLUGIN_AUTH_LENENC_CLIENT_DATA)
  - string<lenenc> authentication data
- else if (server_capabilities & CLIENT_SECURE_CONNECTION)
  - int<1> length of authentication response
  - string<lenenc> authentication response
- else
  - int<1> 0x00
- if (server_capabilities & CLIENT_CONNECT_WITH_DB)
  - string<NUL> default schema name
- if (server_capabilities & CLIENT_PLUGIN_AUTH)
  - string<NUL> authentication plugin name
- if (server_capabilities & CLIENT_CONNECT_ATTRS)
  - int<lenenc> size of connection attributes
  - loop {
    - string<lenenc> key
    - string<lenenc> value
  - }
Authentication switch request
(If client and server support CLIENT_AUTH capability)
- int<1> 0xFE : Authentication switch request header
- string<NUL> authentication plugin name
- string<NUL> authentication plugin data
Plugin list
| Plugin | Description |
|---|---|
| mysql_old_password | deprecated; sends an 8 byte encrypted password |
| mysql_clear_password | deprecated; the clear password is sent to the server |
| mysql_native_password | SHA-1 encrypted password with server seed |
| auth_gssapi_client | GSSAPI implementation |
| dialog | interactive dialog, for example for 2-step authentication |
Capabilities
Server and Client have different capabilities; here are the possible values.
A client with capabilities CLIENT_MYSQL + CONNECT_WITH_DB will have a value of 9 (1 + 8).
| Capability | Value | Description |
|---|---|---|
| CLIENT_MYSQL | 1 | |
| FOUND_ROWS | 2 | |
| CONNECT_WITH_DB | 8 | One can specify db on connect |
| COMPRESS | 32 | Can use compression protocol |
| LOCAL_FILES | 128 | Can use LOAD DATA LOCAL |
| IGNORE_SPACE | 256 | Ignore spaces before '(' |
| CLIENT_PROTOCOL_41 | 1 << 9 | 4.1 protocol |
| CLIENT_INTERACTIVE | 1 << 10 | |
| SSL | 1 << 11 | Can use SSL |
| TRANSACTIONS | 1 << 12 | |
| SECURE_CONNECTION | 1 << 13 | 4.1 authentication |
| MULTI_STATEMENTS | 1 << 16 | Enable/disable multi-stmt support |
| MULTI_RESULTS | 1 << 17 | Enable/disable multi-results |
| PS_MULTI_RESULTS | 1 << 18 | Enable/disable multi-results for PrepareStatement |
| PLUGIN_AUTH | 1 << 19 | Client supports plugin authentication |
| CONNECT_ATTRS | 1 << 20 | Client sends connection attributes |
| PLUGIN_AUTH_LENENC_CLIENT_DATA | 1 << 21 | authentication data length is a length-encoded integer |
| CLIENT_SESSION_TRACK | 1 << 23 | Enable/disable session tracking in OK_Packet |
| MARIADB_CLIENT_PROGRESS | 1 << 32 | Client supports progress indicator (since 10.2) |
| MARIADB_CLIENT_COM_MULTI | 1 << 33 | Permit COM_MULTI protocol |
Native password authentication
The 20 byte string 'seed' is calculated by concatenating the scramble's first part (8 bytes) and the scramble's second part from the Initial handshake packet. After that, the client calculates a password hash from the password and the seed using ^ (bitwise xor), + (string concatenation) and SHA1 as follows:
SHA1( passwd ) ^ SHA1( seed + SHA1( SHA1( passwd ) ) )
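As an added example (not code from the MariaDB documentation or server), the following Python combines the capability flags from the table above into the three handshake fields and implements both the client and the server side of the mysql_native_password computation; the scramble bytes and password are constructed sample values.

```python
import hashlib
import hmac

# Capability flag values from the table above; MariaDB-specific flags sit above bit 31.
CAPABILITIES = {
    "CLIENT_MYSQL": 1, "FOUND_ROWS": 2, "CONNECT_WITH_DB": 8, "COMPRESS": 32,
    "LOCAL_FILES": 128, "IGNORE_SPACE": 256, "CLIENT_PROTOCOL_41": 1 << 9,
    "CLIENT_INTERACTIVE": 1 << 10, "SSL": 1 << 11, "TRANSACTIONS": 1 << 12,
    "SECURE_CONNECTION": 1 << 13, "MULTI_STATEMENTS": 1 << 16, "MULTI_RESULTS": 1 << 17,
    "PS_MULTI_RESULTS": 1 << 18, "PLUGIN_AUTH": 1 << 19, "CONNECT_ATTRS": 1 << 20,
    "PLUGIN_AUTH_LENENC_CLIENT_DATA": 1 << 21, "CLIENT_SESSION_TRACK": 1 << 23,
    "MARIADB_CLIENT_PROGRESS": 1 << 32, "MARIADB_CLIENT_COM_MULTI": 1 << 33,
}

def capability_value(names):
    """OR the named flags together: CLIENT_MYSQL + CONNECT_WITH_DB gives 9 (1 + 8)."""
    value = 0
    for name in names:
        value |= CAPABILITIES[name]
    return value

def split_server_capabilities(value):
    """Split into the Initial handshake fields: int<2> 1st part, int<2> 2nd part, int<4> 3rd part."""
    return value & 0xFFFF, (value >> 16) & 0xFFFF, (value >> 32) & 0xFFFFFFFF

def join_server_capabilities(part1, part2, part3):
    """Inverse of split_server_capabilities, as a client reading the handshake does."""
    return part1 | (part2 << 16) | (part3 << 32)

def sha1(data):
    return hashlib.sha1(data).digest()

def native_password_response(password, scramble_part1, scramble_part2):
    """Client side: seed = 8-byte + 12-byte scramble; SHA1(passwd) ^ SHA1(seed + SHA1(SHA1(passwd)))."""
    seed = scramble_part1 + scramble_part2
    if len(seed) != 20:
        raise ValueError("seed must be the 20-byte scramble")
    stage1 = sha1(password.encode("utf-8"))
    mask = sha1(seed + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))

def native_password_verify(stored_hash, seed, response):
    """Server side: only SHA1(SHA1(passwd)) is stored; unmask SHA1(passwd) and re-hash it."""
    if len(response) != 20:
        return False  # empty or malformed responses never match
    mask = sha1(seed + stored_hash)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return hmac.compare_digest(sha1(stage1), stored_hash)
```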