Support caching_sha2_password full auth via RSA on non-TLS connections #81
Merged
jappeace merged 1 commit into winterland1989:master on Apr 12, 2026
Conversation
plainFullAuth previously threw an AuthException when the MySQL server requested full authentication (0x04) on a plain TCP or Unix socket connection. This meant caching_sha2_password only worked when the password verifier was already cached on the server (fast auth path) or when using TLS. Replace the error with an RSA-based full authentication flow: request the server's RSA public key (0x02), parse the PEM-encoded SubjectPublicKeyInfo, encrypt (password XOR cycled_nonce) using RSA-OAEP with SHA1, and send the ciphertext. The nonce is captured via partial application at the call site, keeping the completeAuth callback signature unchanged.
Collaborator: Best would be if we had integration tests as well for this code path.
Summary

This PR implements the RSA public key encryption path for caching_sha2_password full authentication on non-TLS (plain TCP and Unix socket) connections.

Previously, when the server requested full authentication (status 0x04) on a non-TLS connection, plainFullAuth threw an AuthException, as noted in #72 ("Plain TCP connections throw an informative AuthException when full auth is required (RSA not yet implemented)"). This meant caching_sha2_password only worked when:

- the password verifier was already cached on the server (fast auth path), or
- the connection used TLS.

With this change, the client performs the full RSA handshake:

- send 0x02 to request the server's RSA public key
- encrypt (password ++ NUL) XOR cycled_nonce using RSA-OAEP with SHA1

The nonce is passed to plainFullAuth via partial application, keeping the completeAuth callback signature and the TLS module unchanged.

New dependencies

- asn1-encoding: DER decoding for the RSA public key
- asn1-types: ASN1 type definitions (SubjectPublicKeyInfo parsing)
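The client-side step described in the PR description and the summary above, (password ++ NUL) XOR cycled nonce followed by RSA-OAEP with SHA-1, worked through as an added example in pure Python; this is not the project's Haskell code. It assumes MySQL's standard 20-byte auth-plugin-data nonce, stands a constructed toy key in for the PEM SubjectPublicKeyInfo the server returns after 0x02, and includes a server-side decrypt only to check the round trip.

```python
import hashlib
import os

HLEN = hashlib.sha1().digest_size        # 20: SHA-1 output length used by OAEP
LHASH = hashlib.sha1(b"").digest()       # OAEP hash of the empty label

def scramble(password: bytes, nonce: bytes) -> bytes:
    """(password ++ NUL) XOR nonce, cycling the 20-byte server nonce over the plaintext."""
    return bytes(b ^ nonce[i % len(nonce)] for i, b in enumerate(password + b"\x00"))

def mgf1_sha1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 8017 B.2.1) instantiated with SHA-1."""
    blocks = (hashlib.sha1(seed + c.to_bytes(4, "big")).digest()
              for c in range((length + HLEN - 1) // HLEN))
    return b"".join(blocks)[:length]

def oaep_sha1_encrypt(n: int, e: int, msg: bytes) -> bytes:
    """RSA-OAEP with SHA-1 and an empty label (RFC 8017 7.1.1): the client-side step."""
    k = (n.bit_length() + 7) // 8        # modulus length in bytes
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("scrambled password too long for this RSA key")
    seed = os.urandom(HLEN)
    db = LHASH + b"\x00" * (k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1_sha1(seed, k - HLEN - 1)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1_sha1(masked_db, HLEN)))
    em = b"\x00" + masked_seed + masked_db
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def oaep_sha1_decrypt(n: int, d: int, ct: bytes) -> bytes:
    """Server side of the same scheme, used here only to check the round trip."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1_sha1(masked_db, HLEN)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1_sha1(seed, k - HLEN - 1)))
    if em[0] != 0 or db[:HLEN] != LHASH:
        raise ValueError("decryption error")
    return db[HLEN:].lstrip(b"\x00")[1:]  # drop the zero padding and the 0x01 separator

def test_key():
    # Constructed toy key (n, e, d) built from two Mersenne primes: fine for a
    # round-trip check, worthless as a real key. A real server sends its key as PEM SPKI.
    p, q = (1 << 127) - 1, (1 << 521) - 1
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def server_recovers(password: bytes, nonce: bytes) -> bytes:
    """Client scrambles and encrypts; server decrypts and unscrambles to password ++ NUL."""
    n, e, d = test_key()
    plain = oaep_sha1_decrypt(n, d, oaep_sha1_encrypt(n, e, scramble(password, nonce)))
    return bytes(b ^ nonce[i % len(nonce)] for i, b in enumerate(plain))
```

With this key the OAEP payload is capped at 39 bytes, so a password longer than 38 bytes is rejected before encryption rather than producing a malformed ciphertext.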