  1. MariaDB Server
  2. MDEV-19217

ed25519 algorithm is not publicly available except for passwords that are 32 characters long

    Details

      Description

      We are attempting to implement ed25519 authentication for the PyMySQL Python client library, which implements the MySQL protocol using pure Python, no mysql/mariadb client linkage.

      However, per the README, MariaDB has made their own implementation of ed25519 that uses the "password" as the secret key, accepting a password string of arbitrary length.

      However, the most widely available ed25519 libraries pynacl (against libsodium) and python-ed25519 (against SUPERCOP) both accept secret keys that are exactly 32 or 64 bytes long. If the key is not either of those lengths, the algorithm does not work.

      For example, I made a quick auth plugin in PyMySQL using python-ed25519 like this:

      import ed25519

      def ed25519_password(password, scramble):
          # python-ed25519 only accepts a key that is exactly 32 or 64 bytes long
          signing_key = ed25519.SigningKey(password)
          sig = signing_key.sign(scramble)
          return sig

      The above works if the password is exactly 32 characters long. Otherwise, it fails. I also tried removing python-ed25519's check for a 32-byte secret key so that it produces an answer, but the signature it provides fails against MariaDB server.

      There is no publicly available implementation of MariaDB's fork of this encryption code; it is of course open source within MariaDB but is not exported as an available library function.

      I am of course not a cryptology person and I am sure there are lots of interesting mathematical details as to why MariaDB's algo doesn't need a 32 byte key and why these other ones do, etc.; however, the point of encryption libraries is that the end users should never be trying to hand roll this stuff themselves in any case, since any kind of "tweaks" to an algorithm by nature render it insecure until it is again validated by an open community of crypto experts. We non-cryptos need to have access to high level functions that will do the signatures / signing / etc. correctly.

      The community could use a little more guidance in what we are supposed to do here. Thanks!
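
Added example, not part of the original report and not MariaDB's or PyMySQL's code: a pure-Python sketch of the signing step, assuming the server's variant differs from RFC 8032 Ed25519 only in feeding the password itself, of any length, to SHA-512 where the standard feeds the 32-byte seed. Under that assumption a 32-byte password produces the same signature as a stock library, which matches the behaviour described in the report. All function names are this example's own, and the arithmetic is not constant-time.

```python
import hashlib

P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = -121665 * pow(121666, P - 2, P) % P              # curve constant d

def recover_x(y, sign):
    # Solve the curve equation for x and pick the root whose low bit is `sign`.
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if (x & 1) != sign else x

BY = 4 * pow(5, P - 2, P) % P
B = (recover_x(BY, 0), BY)                           # standard Ed25519 base point

def add(p, q):
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def mul(k, p):
    q = (0, 1)                                       # neutral element
    while k:
        if k & 1:
            q = add(q, p)
        p, k = add(p, p), k >> 1
    return q

def enc(p):
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def keypair(password):
    # Assumption: the password (any length) takes the place of the 32-byte seed.
    h = hashlib.sha512(password).digest()
    s = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return s, h[32:], enc(mul(s, B))     # clamped scalar, nonce prefix, public key

def sign(password, scramble):
    s, prefix, A = keypair(password)
    r = int.from_bytes(hashlib.sha512(prefix + scramble).digest(), "little") % L
    R = enc(mul(r, B))
    k = int.from_bytes(hashlib.sha512(R + A + scramble).digest(), "little") % L
    return R + ((r + k * s) % L).to_bytes(32, "little")
```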

            People

            Assignee:
            serg Sergei Golubchik
            Reporter:
            zzzeek Mike Bayer