Support MariaDB's ed25519 authentication plugin #639

Closed
GeoffMonteeMariaDB opened this issue May 21, 2019 · 7 comments

@GeoffMonteeMariaDB commented May 21, 2019

MariaDB 10.1 and later supports the ed25519 authentication plugin.

https://mariadb.com/kb/en/library/authentication-plugin-ed25519/

It looks like MySqlConnector doesn't support this yet.

https://mariadb.com/kb/en/library/authentication-plugin-ed25519/#using-the-plugin-with-mysqlconnector-for-net

https://github.com/mysql-net/MySqlConnector/blob/0.54.0/src/MySqlConnector/Core/ServerSession.cs#L463

@bgrainger (Member) commented May 22, 2019

One potential problem is that I don't know of any built-in Ed25519 functionality in .NET Core/Standard. So this would likely have to either add a dependency on a third-party library or integrate appropriately-licensed code.

Neither of those is really appealing for an optional (and uncommon?) authentication method, so it might be time to develop a simple extensibility model, and put the code for this feature in a separate NuGet package.

Finally, I'm not familiar with Ed25519 so it's still not clear to me how the authentication algorithm works. The best description I've found so far is at https://mariadb.org/history-of-mysql-mariadb-authentication-protocols/ but it still contains this sentence without further details:

The user’s password is the secret key. We calculate SHA512(password) and applying some math magic convert it into a public key.

Presumably some KDF is used on the password (which one?) and what is the "math magic"?

@bgrainger (Member) commented May 22, 2019

Still haven't found any official documentation on the auth plugin, but this appears to be the code that signs a nonce using the user's password as a key: https://github.com/MariaDB/server/blob/592fe954ef82be1bc08b29a8e54f7729eb1e1343/plugin/auth_ed25519/ref10/sign.c#L7

@bgrainger (Member) commented May 22, 2019

Even worse, according to the discussion on https://jira.mariadb.org/browse/MDEV-19217, MariaDB's auth plugin may be using Ed25519 in a non-standard way that can make it difficult to use third-party library code to implement the authentication (depending on the API the library exposes):

My current thinking (over the last couple of weeks) is that it was a mistake to "optimize" the plugin in a way that made it incompatible with the standard ed25519 implementations.
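
Added example, not part of the original thread and not MariaDB's or MySqlConnector's code: a pure-Python illustration of the signing step discussed above, assuming (from the linked ref10 `sign.c`) that the plugin feeds SHA-512 of the raw password into otherwise standard Ed25519, where a standard library expects a 32-byte seed. All function names are hypothetical and the arithmetic is not constant time.

```python
import hashlib

P, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493  # field prime, group order
D, BY = -121665 * pow(121666, P - 2, P) % P, 4 * pow(5, P - 2, P) % P  # curve d, base point y

def _recover_x(y, sign):  # solve the curve equation for x with the requested parity
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    x = x if (x * x - xx) % P == 0 else x * pow(2, (P - 1) // 4, P) % P
    if (x * x - xx) % P:
        raise ValueError("not a curve point")
    return x if x & 1 == sign else P - x

B = (_recover_x(BY, 0), BY)  # standard Ed25519 base point

def _add(p, q):  # affine twisted-Edwards addition: slow but short
    t = D * p[0] * q[0] * p[1] * q[1] % P
    return ((p[0] * q[1] + q[0] * p[1]) * pow(1 + t, P - 2, P) % P,
            (p[1] * q[1] + p[0] * q[0]) * pow(1 - t, P - 2, P) % P)

def _mul(k, p):  # double-and-add; not constant time, illustration only
    r = (0, 1)
    for i in range(k.bit_length()):
        r, p = (_add(r, p) if k >> i & 1 else r), _add(p, p)
    return r

def _enc(p):  # 32-byte little-endian y with the parity of x in the top bit
    return (p[1] | (p[0] & 1) << 255).to_bytes(32, "little")
def _dec(b):
    n = int.from_bytes(b, "little")
    return _recover_x(n % 2**255, n >> 255), n % 2**255
def _h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _expand(password):  # assumed non-standard step: SHA-512 of the raw password, any length
    az = hashlib.sha512(password).digest()
    return int.from_bytes(az[:32], "little") & (2**254 - 8) | 2**254, az[32:]  # clamped scalar, prefix

def public_key(password):  # public key derived from the password
    return _enc(_mul(_expand(password)[0], B))

def sign_nonce(password, nonce):  # client side: sign the server's nonce
    a, prefix = _expand(password)
    A, r = public_key(password), _h(prefix, nonce) % L
    R = _enc(_mul(r, B))
    return R + ((r + _h(R, A, nonce) * a) % L).to_bytes(32, "little")

def verify(pub, nonce, sig):  # standard Ed25519 check: s*B == R + h*A
    s, h = int.from_bytes(sig[32:], "little"), _h(sig[:32], pub, nonce) % L
    return s < L and _mul(s, B) == _add(_dec(sig[:32]), _mul(h, _dec(pub)))
```

Under this assumption, a password that happens to be exactly 32 bytes yields the same key as standard Ed25519 with that value as the seed; for any other length, a library that only accepts a fixed-size seed cannot produce the matching key.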

@bgrainger self-assigned this May 25, 2019

@bgrainger (Member) commented May 25, 2019

I ported the Java and C implementations to C#, using a public domain .NET Ed25519 library.

WIP here: https://github.com/bgrainger/MySqlConnector/tree/ed25519

@bgrainger (Member) commented May 26, 2019

Implemented in fe578cf; included in 0.56.0.

@GeoffMonteeMariaDB (Author) commented May 26, 2019

Wow, you added support for that quickly. Thanks, @bgrainger!

@bgrainger (Member) commented May 26, 2019

No problem! It was a "fun" reverse engineering challenge. 😀

Thanks for updating the KB! https://mariadb.com/kb/en/library/authentication-plugin-ed25519/
