← Back to team overview

maria-discuss team mailing list archive

Re: Is it possible to upgrade SHA-1 and MD5 algorithms in Mariadb-10.5?

 

md5:

extra/mariabackup/xbcloud.cc - old bit, however for old reasons used md5 as
a checksum on a storage format. I'm think can be removed before RHEL9

In SQL there is a MD5 function, we can't just replace that as it will break
user applications.

sha1:

also a SQL function.

plugin/file_key_management/parser.cc is a digest on the keys, however if
this is a point of attack you've lost already. I suspect this can be fixed.

sha1 forms part of the mysql_native_password implementation, there's no
known vulnerabilities in this due to its sha1 usage.

https://mariadb.com/kb/en/authentication-plugin-ed25519/ is available,
however not everything supports in on the client side.
A mistake was also made (ref MDEV-19217), so a v2 might be needed.

As things like php have mysqlnd and are more strictly tied to MySQL rather
than MariaDB compatibility so adding MariaDB authentication
plugins hasn't been accepted yet.

On SQL functions, is this going to be a problem? or would a compile option
that issues a user SQL warning if they are used be useful?




On Thu, Mar 18, 2021 at 2:29 PM Eliezer Croitoru <ngtech1ltd@xxxxxxxxx>
wrote:

> Hey Sergei,
>
> I cannot speak in the name of Lukas but I assume that he is talking about
> the payload signature of RPM files.
> Technically speaking SHA1 and MD5 can collide but only to specific file
> sizes.
> It's not that simple to create an RPM in a size of 10+ MB which will
> provide the exact same
> functionality ie DB which will include errors and/or other things.
>
> I know it's pretty simple to upgrade the signature so I do not find any
> reason to not add a SHA256 sig.
>
> All The Bests,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd@xxxxxxxxx
> Zoom: Coming soon
>
>
> -----Original Message-----
> From: Maria-discuss <maria-discuss-bounces+ngtech1ltd=
> gmail.com@xxxxxxxxxxxxxxxxxxx> On Behalf Of Sergei Golubchik
> Sent: Wednesday, March 17, 2021 5:24 PM
> To: Lukas Javorsky <ljavorsk@xxxxxxxxxx>
> Cc: maria-discuss@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [Maria-discuss] Is it possible to upgrade SHA-1 and MD5
> algorithms in Mariadb-10.5?
>
> Hi, Lukas!
>
> What do you mean by "upgrade SHA-1 and MD5 algorithms in MariaDB" ?
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and security@xxxxxxxxxxx
>
> On Mar 17, Lukas Javorsky wrote:
> > Hi,
> >
> > In RHEL-9 we are deprecating, old SHA-1 and MD5 and that's why I want to
> > ask you if there is any chance that upstream is going to change it, or we
> > should do it downstream.
> >
> > These algorithms are no longer considered as safe, so it may be a good
> > thing to upgrade them.
> >
> > AFAIK mariadb uses these algorithms in *mariadb* and
> *mariadb-connector-c.*
> >
> > Also if you have no intention to change it, is there any chance you could
> > help us somehow. Maybe point out what we should be aware of.
> >
> > Please let me know what you think
> >
> > Lukas
> >
> > --
> > S pozdravom/ Best regards
> >
> > Lukáš Javorský
> >
> > Associate Software Engineer, Core service - Databases
> >
> > Red Hat <https://www.redhat.com>
> >
> > Purkyňova 115 (TPB-C)
> >
> > 612 00 Brno - Královo Pole
> >
> > ljavorsk@xxxxxxxxxx
> > <https://www.redhat.com>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>

Follow ups

References