Details
-
Bug
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Won't Fix
-
10.2.23, 10.3.14
Description
We are attempting to implement ed25519 authentication for the PyMySQL Python client library, which implements the MySQL protocol using pure Python, no mysql/mariadb client linkage.
However, per the README, MariaDB has made their own implementation of ed25519 that uses the "password" as the secret key, accepting a password string of arbitrary length.
However, the most widely available ed25519 libraries pynacl (against libsodium) and python-ed25519 (against SUPERCOP) both accept secret keys that are exactly 32 or 64 bytes long. If the key is not either of those lengths, the algorithm does not work.
For example, I made a quick auth plugin in PyMySQL using python-ed25519 like this:
def ed25519_password(password, scramble): |
|
|
import ed25519 |
|
|
signing_key = ed25519.SigningKey(password) |
sig = signing_key.sign(scramble) |
return sig |
|
the above works if the password is exactly 32 characters long. Otherwise, it fails. I also tried removing python-ed25519's check for 32-byte secret key so that it produces an answer, but the signature it provides fails against MariaDB server.
There is no publicly available implementation of MariaDB's fork of this encryption code, it is of course open source within MariaDB but is not exported as an available library function.
I am of course not a cryptology person and I am sure there are lots of interesting mathematical details as to why MariaDB's algo doesn't need a 32 byte key and why these other ones do, etc., however, the point of encryption libraries is that the end users should never be trying to hand roll this stuff themselves in any case, since any kind of "tweaks" to an algorithm by nature render it insecure until it is again validated by an open community of crypto experts. We non-crypto's need to have access to high level functions that will do the signatures / signing / etc correctly.
The community could use a little more guidance in what we are supposed to do here. thanks!
Attachments
Activity
Thanks for the info!
My current thinking (over the last couple of weeks) is that it was a mistake to "optimize" the plugin in a way that made it incompatible with the standard ed25519 implementations. But unfortunately I still don't see any solution for this that wouldn't invalidate all current users' passwords.
It's great to know that libsodium provided a workaround.
Hey Mike, that was just for the sake of the example (and to convince myself that libsodium has what we need to implement auth_ed25519).
For our immediate use in OpenStack we'll probably do a similar python implementation that uses PyNaCl (py binding to libsodium)
I acknowledge, it was a mistake to deviate from the "standard" ed25519, the minor benefit wasn't worth the broken compatibility with 3rd party libraries.
Unfortunately, I don't see anything we can do now. In the next authentication plugin we'll know to avoid this.
If you have any idea how we can fix it without forcing all users to recreate their passwords — please do tell and we'll reopen this issue.
I've done more testing, and starting version 1.0.17,libsodium provides a new low-level crypto API that exposes the functions which are called by crypto_sign_keypair (scalar multiplication on the Ed25519 curve and modular arithmetic).
That means that we can now implement our own Ed25519 signature with arbitrary length passwords like what MariaDB auth_ed25519 does. I published a gist [1] to show what my libsodium-based implementation looks like.
I think we can close this issue now that we have a clean path forward with libsodium 1.0.17.
[1] https://gist.github.com/dciabrin/1295fa9900147ae1de0df9d9e106a278