add support for ed25519 authentication

AUTHORS

@@ -52,6 +52,7 @@ Jeffrey Charles <jeffreycharles at gmail.com>
 Jerome Meyer <jxmeyer at gmail.com>
 Jiajia Zhong <zhong2plus at gmail.com>
 Jian Zhen <zhenjl at gmail.com>
+Jon Penn <[email protected]>
 Joshua Prunier <joshua.prunier at gmail.com>
 Julien Lefevre <julien.lefevr at gmail.com>
 Julien Schmidt <go-sql-driver at julienschmidt.com>
@@ -74,6 +75,7 @@ Michael Woolnough <michael.woolnough at gmail.com>
 Nathanial Murphy <nathanial.murphy at gmail.com>
 Nicola Peduzzi <thenikso at gmail.com>
 Olivier Mengué <dolmen at cpan.org>
+Orson Peters <[email protected]>
 oscarzhao <oscarzhaosl at gmail.com>
 Paul Bonser <misterpib at gmail.com>
 Peter Schultz <peter.schultz at classmarkets.com>
@@ -95,6 +97,7 @@ Tan Jinhua <312841925 at qq.com>
 Thomas Wodarek <wodarekwebpage at gmail.com>
 Tim Ruffles <timruffles at gmail.com>
 Tom Jenkinson <tom at tjenkinson.me>
+Tom St Denis <[email protected]>
 Vladimir Kovpak <cn007b at gmail.com>
 Vladyslav Zhelezniak <zhvladi at gmail.com>
 Xiangyu Hu <xiangyu.hu at outlook.com>

auth.go

@@ -17,6 +17,8 @@ import (
 	"encoding/pem"
 	"fmt"
 	"sync"
+
+	"github.com/go-sql-driver/mysql/ed25519auth"
 )
 
 // server pub keys registry
@@ -291,6 +293,18 @@ func (mc *mysqlConn) auth(authData []byte, plugin string) ([]byte, error) {
 		enc, err := encryptPassword(mc.cfg.Passwd, authData, pubKey)
 		return enc, err
 
+	case "client_ed25519":
+		if len(authData) != 32 {
+			return nil, ErrMalformPkt
+		}
+		// random number generated by the server
+		var challenge [32]byte
+		copy(challenge[:], authData)
+
+		response := ed25519auth.Sign(challenge, []byte(mc.cfg.Passwd))
+
+		return response[:], nil
+
 	default:
 		errLog.Print("unknown auth plugin:", plugin)
 		return nil, ErrUnknownPlugin

auth_test.go

@@ -708,6 +708,58 @@ func TestAuthFastSHA256PasswordSecure(t *testing.T) {
 	}
 }
 
+// test case from
+// https://github.com/MariaDB/server/blob/c0ac0b8/plugin/auth_ed25519/ed25519-t.c
+func TestAuthFastEd25519Password(t *testing.T) {
+	conn, mc := newRWMockConn(1)
+	mc.cfg.User = "root"
+	mc.cfg.Passwd = "foobar"
+
+	authData := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
+	plugin := "client_ed25519"
+
+	// Send Client Authentication Packet
+	authResp, err := mc.auth(authData, plugin)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = mc.writeHandshakeResponsePacket(authResp, plugin)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// check written auth response
+	authRespStart := 4 + 4 + 4 + 1 + 23 + len(mc.cfg.User) + 1
+	authRespEnd := authRespStart + 1 + len(authResp)
+	writtenAuthRespLen := conn.written[authRespStart]
+	writtenAuthResp := conn.written[authRespStart+1 : authRespEnd]
+	expectedAuthResp := []byte{
+		232, 61, 201, 63, 67, 63, 51, 53, 86, 73, 238, 35, 170, 117, 146,
+		214, 26, 17, 35, 9, 8, 132, 245, 141, 48, 99, 66, 58, 36, 228, 48,
+		84, 115, 254, 187, 168, 88, 162, 249, 57, 35, 85, 79, 238, 167, 106,
+		68, 117, 56, 135, 171, 47, 20, 14, 133, 79, 15, 229, 124, 160, 176,
+		100, 138, 14,
+	}
+	if writtenAuthRespLen != 64 {
+		t.Fatalf("expected 64 bytes from client, got %d", writtenAuthRespLen)
+	}
+	if !bytes.Equal(writtenAuthResp, expectedAuthResp) {
+		t.Fatalf("auth response did not match expected value: %v", writtenAuthResp)
+	}
+	conn.written = nil
+
+	// auth response
+	conn.data = []byte{
+		7, 0, 0, 2, 0, 0, 0, 2, 0, 0, 0, // OK
+	}
+	conn.maxReads = 1
+
+	// Handle response to auth packet
+	if err := mc.handleAuthResult(authData, plugin); err != nil {
+		t.Errorf("got error: %v", err)
+	}
+}
+
 func TestAuthSwitchCachingSHA256PasswordCached(t *testing.T) {
 	conn, mc := newRWMockConn(2)
 	mc.cfg.Passwd = "secret"

ed25519auth/fe.h

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2015 Orson Peters <orsonpeters@gmail.com>
+ * 
+ * This software is provided 'as-is', without any express or implied warranty. In no event will the
+ * authors be held liable for any damages arising from the use of this software.
+ * 
+ * Permission is granted to anyone to use this software for any purpose, including commercial
+ * applications, and to alter it and redistribute it freely, subject to the following restrictions:
+ * 
+ * 1. The origin of this software must not be misrepresented; you must not claim that you wrote the
+ *    original software. If you use this software in a product, an acknowledgment in the product
+ *    documentation would be appreciated but is not required.
+ * 
+ * 2. Altered source versions must be plainly marked as such, and must not be misrepresented as
+ *    being the original software.
+ * 
+ * 3. This notice may not be removed or altered from any source distribution.
+ */
+#ifndef FE_H
+#define FE_H
+
+#include "fixedint.h"
+
+
+/*
+    fe means field element.
+    Here the field is \Z/(2^255-19).
+    An element t, entries t[0]...t[9], represents the integer
+    t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
+    Bounds on each t[i] vary depending on context.
+*/
+
+
+typedef int32_t fe[10];
+
+
+void fe_0(fe h);
+void fe_1(fe h);
+
+void fe_frombytes(fe h, const unsigned char *s);
+void fe_tobytes(unsigned char *s, const fe h);
+
+void fe_copy(fe h, const fe f);
+int fe_isnegative(const fe f);
+int fe_isnonzero(const fe f);
+void fe_cmov(fe f, const fe g, unsigned int b);
+void fe_cswap(fe f, fe g, unsigned int b);
+
+void fe_neg(fe h, const fe f);
+void fe_add(fe h, const fe f, const fe g);
+void fe_invert(fe out, const fe z);
+void fe_sq(fe h, const fe f);
+void fe_sq2(fe h, const fe f);
+void fe_mul(fe h, const fe f, const fe g);
+void fe_mul121666(fe h, fe f);
+void fe_pow22523(fe out, const fe z);
+void fe_sub(fe h, const fe f, const fe g);
+
+#endif

ed25519auth/fixedint.h

@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2015 Orson Peters <orsonpeters@gmail.com>
+ * 
+ * This software is provided 'as-is', without any express or implied warranty. In no event will the
+ * authors be held liable for any damages arising from the use of this software.
+ * 
+ * Permission is granted to anyone to use this software for any purpose, including commercial
+ * applications, and to alter it and redistribute it freely, subject to the following restrictions:
+ * 
+ * 1. The origin of this software must not be misrepresented; you must not claim that you wrote the
+ *    original software. If you use this software in a product, an acknowledgment in the product
+ *    documentation would be appreciated but is not required.
+ * 
+ * 2. Altered source versions must be plainly marked as such, and must not be misrepresented as
+ *    being the original software.
+ * 
+ * 3. This notice may not be removed or altered from any source distribution.
+ */
+/*
+    Portable header to provide the 32 and 64 bits type.
+
+    Not a compatible replacement for <stdint.h>, do not blindly use it as such.
+*/
+
+#if ((defined(__STDC__) && __STDC__ && __STDC_VERSION__ >= 199901L) || (defined(__WATCOMC__) && (defined(_STDINT_H_INCLUDED) || __WATCOMC__ >= 1250)) || (defined(__GNUC__) && (defined(_STDINT_H) || defined(_STDINT_H_) || defined(__UINT_FAST64_TYPE__)) )) && !defined(FIXEDINT_H_INCLUDED)
+    #include <stdint.h>
+    #define FIXEDINT_H_INCLUDED
+
+    #if defined(__WATCOMC__) && __WATCOMC__ >= 1250 && !defined(UINT64_C)
+        #include <limits.h>
+        #define UINT64_C(x) (x + (UINT64_MAX - UINT64_MAX))
+    #endif
+#endif
+
+
+#ifndef FIXEDINT_H_INCLUDED
+    #define FIXEDINT_H_INCLUDED
+
+    #include <limits.h>
+
+    /* (u)int32_t */
+    #ifndef uint32_t
+        #if (ULONG_MAX == 0xffffffffUL)
+            typedef unsigned long uint32_t;
+        #elif (UINT_MAX == 0xffffffffUL)
+            typedef unsigned int uint32_t;
+        #elif (USHRT_MAX == 0xffffffffUL)
+            typedef unsigned short uint32_t;
+        #endif
+    #endif
+
+
+    #ifndef int32_t
+        #if (LONG_MAX == 0x7fffffffL)
+            typedef signed long int32_t;
+        #elif (INT_MAX == 0x7fffffffL)
+            typedef signed int int32_t;
+        #elif (SHRT_MAX == 0x7fffffffL)
+            typedef signed short int32_t;
+        #endif
+    #endif
+
+
+    /* (u)int64_t */
+    #if (defined(__STDC__) && defined(__STDC_VERSION__) && __STDC__ && __STDC_VERSION__ >= 199901L)
+        typedef long long int64_t;
+        typedef unsigned long long uint64_t;
+
+        #define UINT64_C(v) v ##ULL
+        #define INT64_C(v) v ##LL
+    #elif defined(__GNUC__)
+        __extension__ typedef long long int64_t;
+        __extension__ typedef unsigned long long uint64_t;
+
+        #define UINT64_C(v) v ##ULL
+        #define INT64_C(v) v ##LL
+    #elif defined(__MWERKS__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) || defined(__APPLE_CC__) || defined(_LONG_LONG) || defined(_CRAYC)
+        typedef long long int64_t;
+        typedef unsigned long long uint64_t;
+
+        #define UINT64_C(v) v ##ULL
+        #define INT64_C(v) v ##LL
+    #elif (defined(__WATCOMC__) && defined(__WATCOM_INT64__)) || (defined(_MSC_VER) && _INTEGRAL_MAX_BITS >= 64) || (defined(__BORLANDC__) && __BORLANDC__ > 0x460) || defined(__alpha) || defined(__DECC)
+        typedef __int64 int64_t;
+        typedef unsigned __int64 uint64_t;
+
+        #define UINT64_C(v) v ##UI64
+        #define INT64_C(v) v ##I64
+    #endif
+#endif

ed25519auth/ge.h

@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2015 Orson Peters <orsonpeters@gmail.com>
+ * 
+ * This software is provided 'as-is', without any express or implied warranty. In no event will the
+ * authors be held liable for any damages arising from the use of this software.
+ * 
+ * Permission is granted to anyone to use this software for any purpose, including commercial
+ * applications, and to alter it and redistribute it freely, subject to the following restrictions:
+ * 
+ * 1. The origin of this software must not be misrepresented; you must not claim that you wrote the
+ *    original software. If you use this software in a product, an acknowledgment in the product
+ *    documentation would be appreciated but is not required.
+ * 
+ * 2. Altered source versions must be plainly marked as such, and must not be misrepresented as
+ *    being the original software.
+ * 
+ * 3. This notice may not be removed or altered from any source distribution.
+ */
+#ifndef GE_H
+#define GE_H
+
+#include "fe.h"
+
+
+/*
+ge means group element.
+
+Here the group is the set of pairs (x,y) of field elements (see fe.h)
+satisfying -x^2 + y^2 = 1 + d x^2y^2
+where d = -121665/121666.
+
+Representations:
+  ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+  ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+  ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+  ge_precomp (Duif): (y+x,y-x,2dxy)
+*/
+
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+} ge_p2;
+
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+  fe T;
+} ge_p3;
+
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+  fe T;
+} ge_p1p1;
+
+typedef struct {
+  fe yplusx;
+  fe yminusx;
+  fe xy2d;
+} ge_precomp;
+
+typedef struct {
+  fe YplusX;
+  fe YminusX;
+  fe Z;
+  fe T2d;
+} ge_cached;
+
+void ge_p3_tobytes(unsigned char *s, const ge_p3 *h);
+void ge_tobytes(unsigned char *s, const ge_p2 *h);
+int ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s);
+
+void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
+void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
+void ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b);
+void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q);
+void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q);
+void ge_scalarmult_base(ge_p3 *h, const unsigned char *a);
+
+void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p);
+void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p);
+void ge_p2_0(ge_p2 *h);
+void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p);
+void ge_p3_0(ge_p3 *h);
+void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p);
+void ge_p3_to_cached(ge_cached *r, const ge_p3 *p);
+void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p);
+
+#endif

ed25519auth/sc.h

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2015 Orson Peters <orsonpeters@gmail.com>
+ * 
+ * This software is provided 'as-is', without any express or implied warranty. In no event will the
+ * authors be held liable for any damages arising from the use of this software.
+ * 
+ * Permission is granted to anyone to use this software for any purpose, including commercial
+ * applications, and to alter it and redistribute it freely, subject to the following restrictions:
+ * 
+ * 1. The origin of this software must not be misrepresented; you must not claim that you wrote the
+ *    original software. If you use this software in a product, an acknowledgment in the product
+ *    documentation would be appreciated but is not required.
+ * 
+ * 2. Altered source versions must be plainly marked as such, and must not be misrepresented as
+ *    being the original software.
+ * 
+ * 3. This notice may not be removed or altered from any source distribution.
+ */
+#ifndef SC_H
+#define SC_H
+
+/*
+The set of scalars is \Z/l
+where l = 2^252 + 27742317777372353535851937790883648493.
+*/
+
+void sc_reduce(unsigned char *s);
+void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c);
+
+#endif

ed25519auth/sha512.c

@@ -0,0 +1,275 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ *
+ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+ */
+
+#include "fixedint.h"
+#include "sha512.h"
+
+/* the K array */
+static const uint64_t K[80] = {
+    UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd), 
+    UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
+    UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019), 
+    UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
+    UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe), 
+    UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
+    UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1), 
+    UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
+    UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3), 
+    UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
+    UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483), 
+    UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
+    UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210), 
+    UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
+    UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725), 
+    UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
+    UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926), 
+    UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
+    UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8), 
+    UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
+    UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
+    UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
+    UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910), 
+    UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
+    UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53), 
+    UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
+    UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb), 
+    UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
+    UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60), 
+    UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
+    UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9), 
+    UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
+    UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207), 
+    UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
+    UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6), 
+    UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
+    UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493), 
+    UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
+    UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a), 
+    UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
+};
+
+/* Various logical functions */
+
+#define ROR64c(x, y) \
+    ( ((((x)&UINT64_C(0xFFFFFFFFFFFFFFFF))>>((uint64_t)(y)&UINT64_C(63))) | \
+      ((x)<<((uint64_t)(64-((y)&UINT64_C(63)))))) & UINT64_C(0xFFFFFFFFFFFFFFFF))
+
+#define STORE64H(x, y)                                                                     \
+   { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255);     \
+     (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255);     \
+     (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255);     \
+     (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
+
+#define LOAD64H(x, y)                                                      \
+   { x = (((uint64_t)((y)[0] & 255))<<56)|(((uint64_t)((y)[1] & 255))<<48) | \
+         (((uint64_t)((y)[2] & 255))<<40)|(((uint64_t)((y)[3] & 255))<<32) | \
+         (((uint64_t)((y)[4] & 255))<<24)|(((uint64_t)((y)[5] & 255))<<16) | \
+         (((uint64_t)((y)[6] & 255))<<8)|(((uint64_t)((y)[7] & 255))); }
+
+
+#define Ch(x,y,z)       (z ^ (x & (y ^ z)))
+#define Maj(x,y,z)      (((x | y) & z) | (x & y)) 
+#define S(x, n)         ROR64c(x, n)
+#define R(x, n)         (((x) &UINT64_C(0xFFFFFFFFFFFFFFFF))>>((uint64_t)n))
+#define Sigma0(x)       (S(x, 28) ^ S(x, 34) ^ S(x, 39))
+#define Sigma1(x)       (S(x, 14) ^ S(x, 18) ^ S(x, 41))
+#define Gamma0(x)       (S(x, 1) ^ S(x, 8) ^ R(x, 7))
+#define Gamma1(x)       (S(x, 19) ^ S(x, 61) ^ R(x, 6))
+#ifndef MIN
+   #define MIN(x, y) ( ((x)<(y))?(x):(y) )
+#endif
+
+/* compress 1024-bits */
+static int sha512_compress(sha512_context *md, unsigned char *buf)
+{
+    uint64_t S[8], W[80], t0, t1;
+    int i;
+
+    /* copy state into S */
+    for (i = 0; i < 8; i++) {
+        S[i] = md->state[i];
+    }
+
+    /* copy the state into 1024-bits into W[0..15] */
+    for (i = 0; i < 16; i++) {
+        LOAD64H(W[i], buf + (8*i));
+    }
+
+    /* fill W[16..79] */
+    for (i = 16; i < 80; i++) {
+        W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
+    }        
+
+/* Compress */
+    #define RND(a,b,c,d,e,f,g,h,i) \
+    t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
+    t1 = Sigma0(a) + Maj(a, b, c);\
+    d += t0; \
+    h  = t0 + t1;
+
+    for (i = 0; i < 80; i += 8) {
+       RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i+0);
+       RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],i+1);
+       RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],i+2);
+       RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],i+3);
+       RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],i+4);
+       RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],i+5);
+       RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],i+6);
+       RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],i+7);
+   }
+
+   #undef RND
+
+
+
+    /* feedback */
+   for (i = 0; i < 8; i++) {
+        md->state[i] = md->state[i] + S[i];
+    }
+
+    return 0;
+}
+
+
+/**
+   Initialize the hash state
+   @param md   The hash state you wish to initialize
+   @return 0 if successful
+*/
+int sha512_init(sha512_context * md) {
+    if (md == NULL) return 1;
+
+    md->curlen = 0;
+    md->length = 0;
+    md->state[0] = UINT64_C(0x6a09e667f3bcc908);
+    md->state[1] = UINT64_C(0xbb67ae8584caa73b);
+    md->state[2] = UINT64_C(0x3c6ef372fe94f82b);
+    md->state[3] = UINT64_C(0xa54ff53a5f1d36f1);
+    md->state[4] = UINT64_C(0x510e527fade682d1);
+    md->state[5] = UINT64_C(0x9b05688c2b3e6c1f);
+    md->state[6] = UINT64_C(0x1f83d9abfb41bd6b);
+    md->state[7] = UINT64_C(0x5be0cd19137e2179);
+
+    return 0;
+}
+
+/**
+   Process a block of memory though the hash
+   @param md     The hash state
+   @param in     The data to hash
+   @param inlen  The length of the data (octets)
+   @return 0 if successful
+*/
+int sha512_update (sha512_context * md, const unsigned char *in, size_t inlen)               
+{                                                                                           
+    size_t n;
+    size_t i;                                                                        
+    int           err;     
+    if (md == NULL) return 1;  
+    if (in == NULL) return 1;                                                              
+    if (md->curlen > sizeof(md->buf)) {                             
+       return 1;                                                            
+    }                                                                                       
+    while (inlen > 0) {                                                                     
+        if (md->curlen == 0 && inlen >= 128) {                           
+           if ((err = sha512_compress (md, (unsigned char *)in)) != 0) {               
+              return err;                                                                   
+           }                                                                                
+           md->length += 128 * 8;                                        
+           in             += 128;                                                    
+           inlen          -= 128;                                                    
+        } else {                                                                            
+           n = MIN(inlen, (128 - md->curlen));
+
+           for (i = 0; i < n; i++) {
+            md->buf[i + md->curlen] = in[i];
+           }
+
+
+           md->curlen += n;                                                     
+           in             += n;                                                             
+           inlen          -= n;                                                             
+           if (md->curlen == 128) {                                      
+              if ((err = sha512_compress (md, md->buf)) != 0) {            
+                 return err;                                                                
+              }                                                                             
+              md->length += 8*128;                                       
+              md->curlen = 0;                                                   
+           }                                                                                
+       }                                                                                    
+    }                                                                                       
+    return 0;                                                                        
+}
+
+/**
+   Terminate the hash to get the digest
+   @param md  The hash state
+   @param out [out] The destination of the hash (64 bytes)
+   @return 0 if successful
+*/
+   int sha512_final(sha512_context * md, unsigned char *out)
+   {
+    int i;
+
+    if (md == NULL) return 1;
+    if (out == NULL) return 1;
+
+    if (md->curlen >= sizeof(md->buf)) {
+     return 1;
+ }
+
+    /* increase the length of the message */
+ md->length += md->curlen * UINT64_C(8);
+
+    /* append the '1' bit */
+ md->buf[md->curlen++] = (unsigned char)0x80;
+
+    /* if the length is currently above 112 bytes we append zeros
+     * then compress.  Then we can fall back to padding zeros and length
+     * encoding like normal.
+     */
+     if (md->curlen > 112) {
+        while (md->curlen < 128) {
+            md->buf[md->curlen++] = (unsigned char)0;
+        }
+        sha512_compress(md, md->buf);
+        md->curlen = 0;
+    }
+
+    /* pad upto 120 bytes of zeroes 
+     * note: that from 112 to 120 is the 64 MSB of the length.  We assume that you won't hash
+     * > 2^64 bits of data... :-)
+     */
+while (md->curlen < 120) {
+    md->buf[md->curlen++] = (unsigned char)0;
+}
+
+    /* store length */
+STORE64H(md->length, md->buf+120);
+sha512_compress(md, md->buf);
+
+    /* copy output */
+for (i = 0; i < 8; i++) {
+    STORE64H(md->state[i], out+(8*i));
+}
+
+return 0;
+}
+
+int sha512(const unsigned char *message, size_t message_len, unsigned char *out)
+{
+    sha512_context ctx;
+    int ret;
+    if ((ret = sha512_init(&ctx))) return ret;
+    if ((ret = sha512_update(&ctx, message, message_len))) return ret;
+    if ((ret = sha512_final(&ctx, out))) return ret;
+    return 0;
+}

ed25519auth/sha512.h

@@ -0,0 +1,32 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ *
+ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+ */
+
+#ifndef SHA512_H
+#define SHA512_H
+
+#include <stddef.h>
+
+#include "fixedint.h"
+
+/* state */
+typedef struct sha512_context_ {
+    uint64_t  length, state[8];
+    size_t curlen;
+    unsigned char buf[128];
+} sha512_context;
+
+
+int sha512_init(sha512_context * md);
+int sha512_final(sha512_context * md, unsigned char *out);
+int sha512_update(sha512_context * md, const unsigned char *in, size_t inlen);
+int sha512(const unsigned char *message, size_t message_len, unsigned char *out);
+
+#endif

ed25519auth/sign.c

@@ -0,0 +1,39 @@
+#include <string.h>
+#include "sign.h"
+#include "sha512.h"
+#include "ge.h"
+#include "sc.h"
+
+void sign(
+  unsigned char sm[64],
+  const unsigned char m[32],
+  const unsigned char *pw, size_t pwlen
+)
+{
+  unsigned char az[64];
+  unsigned char nonce[64];
+  unsigned char hram[64];
+  unsigned char buff[96];
+  ge_p3 A, R;
+
+  sha512(pw,pwlen,az);
+  az[0] &= 248;
+  az[31] &= 63;
+  az[31] |= 64;
+
+  memmove(buff + 64,m,32);
+  memmove(buff + 32,az + 32,32);
+  sha512(buff + 32,64,nonce);
+
+  ge_scalarmult_base(&A,az);
+  ge_p3_tobytes(buff + 32,&A);
+
+  sc_reduce(nonce);
+  ge_scalarmult_base(&R,nonce);
+  ge_p3_tobytes(buff,&R);
+  memcpy(sm, buff, 32);
+
+  sha512(buff,96,hram);
+  sc_reduce(hram);
+  sc_muladd(sm + 32,hram,az,nonce);
+}

ed25519auth/sign.go

@@ -0,0 +1,14 @@
+package ed25519auth
+
+// #include "sign.h"
+import "C"
+
+func Sign(challenge [32]byte, password []byte) (response [64]byte) {
+	C.sign(
+		(*C.uchar)(&response[0]),
+		(*C.uchar)(&challenge[0]),
+		(*C.uchar)(&password[0]),
+		C.size_t(len(password)),
+	)
+	return
+}

ed25519auth/sign.h

@@ -0,0 +1,12 @@
+#ifndef SIGN_H
+#define SIGN_H
+
+#include <stddef.h>
+
+void sign(
+  unsigned char sm[64],
+  const unsigned char m[32],
+  const unsigned char *pw, size_t pwlen
+);
+
+#endif

ed25519auth/sign_test.go

@@ -0,0 +1,26 @@
+package ed25519auth
+
+import "testing"
+
+// https://github.com/MariaDB/server/blob/c0ac0b8/plugin/auth_ed25519/ed25519-t.c
+func TestSign(t *testing.T) {
+	challenge := [32]byte{
+		'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
+		'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
+		'A', 'A', 'A', 'A', 'A', 'A',
+	}
+	password := []byte("foobar")
+	expectedSignature := [64]byte{
+		232, 61, 201, 63, 67, 63, 51, 53, 86, 73, 238, 35, 170, 117, 146,
+		214, 26, 17, 35, 9, 8, 132, 245, 141, 48, 99, 66, 58, 36, 228, 48,
+		84, 115, 254, 187, 168, 88, 162, 249, 57, 35, 85, 79, 238, 167, 106,
+		68, 117, 56, 135, 171, 47, 20, 14, 133, 79, 15, 229, 124, 160, 176,
+		100, 138, 14,
+	}
+
+	signature := Sign(challenge, password)
+
+	if signature != expectedSignature {
+		t.Fatal("Signature did not match expected value")
+	}
+}