Implement PARSEC authentication protocol in ParsecAuthenticationPlugin.

bgrainger · bgrainger · commit 1d8f30687aaa · 2025-01-26T13:22:56.000-08:00
diff --git a/src/MySqlConnector.Authentication.Ed25519/ParsecAuthenticationPlugin.cs b/src/MySqlConnector.Authentication.Ed25519/ParsecAuthenticationPlugin.cs
@@ -1,4 +1,7 @@
 using System;
+using System.Buffers.Binary;
+using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 
 namespace MySqlConnector.Authentication.Ed25519;
@@ -21,24 +24,86 @@ public static void Install()
 	/// <summary>
 	/// Gets the authentication plugin name.
 	/// </summary>
-	public string Name => "client_parsec"; // TODO: Update with correct name from parsec-spec.txt
+	public string Name => "client_parsec";
 
 	/// <summary>
 	/// Creates the authentication response.
 	/// </summary>
 	public byte[] CreateResponse(string password, ReadOnlySpan<byte> authenticationData)
 	{
-		// TODO: Implement Parsec authentication protocol
-		throw new NotImplementedException();
+		// First 32 bytes are server scramble
+		var serverScramble = authenticationData[..32];
+		
+		// Generate client scramble
+		var clientScramble = new byte[32];
+		RandomNumberGenerator.Fill(clientScramble);
+
+		// Parse extended salt from remaining auth data
+		var extSalt = Encoding.UTF8.GetString(authenticationData[32..]);
+		var parts = extSalt.Split(':');
+		
+		// Parse iteration count (P0 = 1024, P1 = 2048, etc)
+		var iterationCount = 1024 << (parts[0][1] - '0');
+		var salt = Convert.FromBase64String(parts[1]);
+
+		// Derive private key using PBKDF2-SHA512
+		var privateKey = new byte[32];
+		using (var pbkdf2 = new Rfc2898DeriveBytes(
+			password,
+			salt,
+			iterationCount,
+			HashAlgorithmName.SHA512))
+		{
+			privateKey = pbkdf2.GetBytes(32);
+		}
+
+		// Generate Ed25519 keypair and sign concatenated scrambles
+		var keyPair = Ed25519.GenerateKeyPair(privateKey);
+		var message = new byte[serverScramble.Length + clientScramble.Length];
+		serverScramble.CopyTo(message);
+		clientScramble.CopyTo(message.AsSpan(serverScramble.Length));
+		
+		var signature = Ed25519.Sign(message, keyPair.PrivateKey);
+
+		// Return client scramble followed by signature
+		var response = new byte[clientScramble.Length + signature.Length];
+		clientScramble.CopyTo(response);
+		signature.CopyTo(response.AsSpan(clientScramble.Length));
+		
+		return response;
 	}
 
 	/// <summary>
 	/// Creates the Parsec password hash.
 	/// </summary>
 	public byte[] CreatePasswordHash(string password, ReadOnlySpan<byte> authenticationData)
 	{
-		// TODO: Implement Parsec password hashing
-		throw new NotImplementedException();
+		// Parse extended salt from auth data
+		var extSalt = Encoding.UTF8.GetString(authenticationData);
+		var parts = extSalt.Split(':');
+		
+		// Parse iteration count (P0 = 1024, P1 = 2048, etc)
+		var iterationCount = 1024 << (parts[0][1] - '0');
+		var salt = Convert.FromBase64String(parts[1]);
+
+		// Derive private key using PBKDF2-SHA512
+		var privateKey = new byte[32];
+		using (var pbkdf2 = new Rfc2898DeriveBytes(
+			password,
+			salt,
+			iterationCount,
+			HashAlgorithmName.SHA512))
+		{
+			privateKey = pbkdf2.GetBytes(32);
+		}
+
+		// Generate Ed25519 keypair and get public key
+		var keyPair = Ed25519.GenerateKeyPair(privateKey);
+		var publicKey = keyPair.PublicKey;
+
+		// Format hash string: P<iter>:<salt-b64>:<pubkey-b64>
+		var hashString = $"{parts[0]}:{parts[1]}:{Convert.ToBase64String(publicKey)}";
+		return Encoding.UTF8.GetBytes(hashString);
 	}
 
 	private ParsecAuthenticationPlugin()
