puppet-tripleo/files/mysql_ed25519_password.py

#!/usr/bin/env python3
import hashlib
import base64
import sys

from nacl.bindings.crypto_scalarmult import \
     crypto_scalarmult_ed25519_base_noclamp

# https://github.com/MariaDB/server/blob/10.4/plugin/auth_ed25519/ref10/sign.c
# mariadb's use of ed25519:
#  . password is the secret seed
#  . ed25519's public key (computed from password) is what is stored in mariadb
#  . the hash in mariadb is the base64 encoding of the pk minus the last '='


def _scalar_clamp(s32):
    ba = bytearray(s32)
    ba0 = bytes(bytearray([ba[0] & 248]))
    ba31 = bytes(bytearray([(ba[31] & 127) | 64]))
    return ba0 + bytes(s32[1:31]) + ba31


def mysql_ed25519_password(pwd):
    # h = SHA512(password)
    h = hashlib.sha512(pwd).digest()
    # s = prune(first_half(h))
    s = _scalar_clamp(h[:32])
    # A = encoded point [s]B
    A = crypto_scalarmult_ed25519_base_noclamp(s)
    # encoded pk
    encoded = base64.b64encode(A)[:-1]
    return encoded


if __name__ == "__main__":
    if len(sys.argv) <= 1:
        print("Usage: %s PASSWORD" % sys.argv[0], file=sys.stderr)
        sys.exit(1)
    else:
        pwd = sys.argv[1].encode()
        res = mysql_ed25519_password(pwd)
        print(res.decode(), end='')
Support for mariadb's ed25519 authentication Add the ability to configure all mysql users to require authenticating to the server via mariadb's ed25519 auth plugin [1], rather than the default native authentication [2]. [1] https://mariadb.com/kb/en/authentication-plugin-ed25519/ [2] https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/ Change-Id: I430ea8e1fa15fb263d1d4ef8c39615021d907f8a Partial-Bug: #1866093 2020-03-06 13:17:57 +01:00			`#!/usr/bin/env python3`
			`import hashlib`
			`import base64`
			`import sys`

			`from nacl.bindings.crypto_scalarmult import \`
			`crypto_scalarmult_ed25519_base_noclamp`

			`# https://github.com/MariaDB/server/blob/10.4/plugin/auth_ed25519/ref10/sign.c`
			`# mariadb's use of ed25519:`
			`# . password is the secret seed`
			`# . ed25519's public key (computed from password) is what is stored in mariadb`
			`# . the hash in mariadb is the base64 encoding of the pk minus the last '='`


			`def _scalar_clamp(s32):`
			`ba = bytearray(s32)`
			`ba0 = bytes(bytearray([ba[0] & 248]))`
			`ba31 = bytes(bytearray([(ba[31] & 127) \| 64]))`
			`return ba0 + bytes(s32[1:31]) + ba31`


			`def mysql_ed25519_password(pwd):`
			`# h = SHA512(password)`
			`h = hashlib.sha512(pwd).digest()`
			`# s = prune(first_half(h))`
			`s = _scalar_clamp(h[:32])`
			`# A = encoded point [s]B`
			`A = crypto_scalarmult_ed25519_base_noclamp(s)`
			`# encoded pk`
			`encoded = base64.b64encode(A)[:-1]`
			`return encoded`


			`if __name__ == "__main__":`
			`if len(sys.argv) <= 1:`
			`print("Usage: %s PASSWORD" % sys.argv[0], file=sys.stderr)`
			`sys.exit(1)`
			`else:`
			`pwd = sys.argv[1].encode()`
			`res = mysql_ed25519_password(pwd)`
			`print(res.decode(), end='')`