New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Chacha wire encryption plugin [JDBC613] #644
Comments
Commented by: @mrotteveel Since the 21st of April, Firebird will stretch (or reduce) the key to 256 bit using SHA-256, though it will reject keys shorter than 128 bits (16 bytes). The easy way out is to only support this in Java 11, or possibly allow or support selection of chacha from an alternative implementation like BouncyCastle. |
Commented by: @mrotteveel Planned support for 4.0.2 is tentative. |
Modified by: @mrotteveelFix Version: Jaybird 4.0.3 [ 10981 ] Fix Version: Jaybird 4.0.2 [ 10950 ] => |
Commented by: @mrotteveel Not done for 4.0.2, planned support for 4.0.3 is tentative. |
Modified by: @mrotteveelFix Version: Jaybird 4.0.4 [ 10991 ] Fix Version: Jaybird 4.0.3 [ 10981 ] => |
Commented by: @mrotteveel Not done for 4.0.3, planned support for 4.0.4 is tentative. |
Decided to only implement this in Jaybird 5, and only for Java 11 and higher. |
Submitted by: @mrotteveel
Firebird 4 adds support for the chacha wire encryption plugin. However, its implementation comes with the caveat that it doesn't implement the RFC-8439 variant of Chacha, but instead Firebird supports 128 bit and 256 bit keys, and given SRP produces 160 bit keys, will use the first 128 bits of that key. Java provides Chacha (RFC-8439 variant, requiring 256 bit keys) support since Java 11, so to support it in an earlier Java versions would require implementing a custom cipher (for example based on the BouncyCastle implementation).
Implementing a custom cipher would allow us to support both the 128 bit and 256 bit variant, but comes with the obvious overhead of having to implement crypto code in Jaybird.
The text was updated successfully, but these errors were encountered: