mysql-server/plugin/x/protocol/doc/mysqlx-protocol-authentication.dox at trunk · mysql/mysql-server · GitHub

Name: mysql-server/plugin/x/protocol/doc/mysqlx-protocol-authentication.dox at trunk · mysql/mysql-server · GitHub
Rating: 4.6 (6147 reviews)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
/*
 * Copyright (c) 2015, 2025, Oracle and/or its affiliates.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License, version 2.0,
 * as published by the Free Software Foundation.
 *
 * This program is designed to work with certain software (including
 * but not limited to OpenSSL) that is licensed under separate terms,
 * as designated in a particular file or component or in included license
 * documentation. The authors of MySQL hereby grant you an additional
 * permission to link the program and your derivative works with the
 * separately licensed software that they have either included with
 * the program or referenced in the documentation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License, version 2.0, for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

/** @page mysqlx_protocol_authentication Authentication


Topics in this section:

- @ref authentication_PLAIN
- @ref authentication_MYSQL41
- @ref authentication_SHA256_MEMORY


Authentication is implemented according to RFC;
[RFC 4422](https://tools.ietf.org/html/rfc4422.html) (SASL):

@par service-name
 ``mysql`` (see
 http://www.iana.org/assignments/gssapi-service-names/gssapi-service-names.xhtml)

@par mechanism-negotiation
 @ref Mysqlx::Connection::CapabilitiesGet

@par messages
 1. @ref Mysqlx::Session::AuthenticateStart

 2. @ref Mysqlx::Session::AuthenticateContinue

 3. @ref Mysqlx::Error

 4. @ref Mysqlx::Session::AuthenticateOk


PLAIN Authentication {#authentication_PLAIN}
====================


@startuml "PLAIN Authentication"
== Authentication ==

Client -> Server: AuthenticateStart(mech="PLAIN", auth_data="\0foo\0bar")
Server --> Client: AuthenticateOk
@enduml

@note
 This authentication method ia avaiable only at secure-channels,
 like after enabling TLS

MYSQL41 Authentication {#authentication_MYSQL41}
======================

MYSQL41 authentication is:

- supported by MySQL 4.1 and later

- a challenge/response protocol using SHA1

- similar to CRAM-MD5
 (RFC; [RFC 2195](https://tools.ietf.org/html/rfc2195.html))

@code{unparsed}
 1. C: AuthenticateStart
 2. S: challenge
 3. C: [ authzid ] \0 authcid \0 response \0
 4. S: AuthenticateOk
@endcode

@par authzid
 empty

@par authcid
 user name

@par challenge
 server side, one time random challenge

@par response
 ``HEX(SHA1(password) ^ SHA1(challenge + SHA1(SHA1(password))))``

@startuml "MYSQL41 Authentication"
== Authentication ==

Client -> Server: AuthenticateStart(mech="MYSQL41")
Server --> Client: AuthenticateContinue(auth_data="98765432100123456789")
Client --> Server: AuthenticateContinue(auth_data="\0myuser\09876543210987654321098765432109876543210\0")
Server --> Client: AuthenticateOk
@enduml


SHA256_MEMORY Authentication {#authentication_SHA256_MEMORY}
============================

SHA256_MEMORY authentication is:

- a mechanism that reaches to user that already authenticated using PLAIN method

- a challenge/response protocol using SHA256

- similar to MYSQL41, instead using SHA1, it uses SHA256

- similar to CRAM-MD5
 (RFC; [RFC 2195](https://tools.ietf.org/html/rfc2195.html))

@code{unparsed}
 1. C: AuthenticateStart
 2. S: challenge
 3. C: [ authzid ] \0 authcid \0 response \0
 4. S: AuthenticateOk
@endcode

@par authzid
 empty

@par authcid
 user name

@par challenge
 server side, one time random challenge

@par response
 ``HEX(SHA256(password) ^ SHA256(challenge + SHA256(SHA256(password))))``

@startuml "SHA256_MEMORY Authentication"
== Authentication ==

Client -> Server: AuthenticateStart(mech="SHA256_MEMORY")
Server --> Client: AuthenticateContinue(auth_data="98765432100123456789")
Client --> Server: AuthenticateContinue(auth_data="\0myuser\0DCF9AF7246E9B5F45D8C7B6FA760C72874F296A7EFA97A537CA88716C93D7887")
Server --> Client: AuthenticateOk
@enduml

*/