mysqlnd MariaDB ed25519 authentication plugin #19176

Open
wants to merge 1 commit into
base: master
@rusher rusher commented Jul 18, 2025

implementation for #14258

This requires libsodium 1.0.17 or later

implementation for php#14258.

This requires libsodium 1.0.17 or later
Author

rusher commented Jul 18, 2025

I've submitted this to the current 8.5 branch; it would be great if this is backported to 8.4 as well, since the 8.5 release date is 4 months from now.

Member

bukka commented Jul 18, 2025

Why can't you use OpenSSL?

Author

rusher commented Jul 19, 2025

OpenSSL doesn't expose the low-level scalar multiplication directly, while libsodium (since 1.0.17) does.
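Why raw scalar multiplication matters for this plugin, as an added example that is not part of the PR or of any comment in this thread. It assumes MariaDB's ed25519 scheme derives the signing scalar from SHA-512 of the password itself (any length) and signs the server's scramble; the function names and sample values are illustrative.

```python
import hashlib

P, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493  # field prime, group order
D = -121665 * pow(121666, -1, P) % P                                  # curve constant d

def recover_x(y, sign):
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    for cand in (x, x * pow(2, (P - 1) // 4, P) % P):   # second candidate is x*sqrt(-1)
        if (cand * cand - x2) % P == 0:
            return cand if cand & 1 == sign else P - cand
    raise ValueError("not a curve point")

BY = 4 * pow(5, -1, P) % P
B = (recover_x(BY, 0), BY)                    # standard Ed25519 base point

def add(p, q):                                # complete affine addition law
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, p):                                # double-and-add; NOT constant time
    r = (0, 1)
    while k:
        r = add(r, p) if k & 1 else r
        p, k = add(p, p), k >> 1
    return r

def enc(p):
    return (p[1] | (p[0] & 1) << 255).to_bytes(32, "little")

def dec(b):
    n = int.from_bytes(b, "little")
    return (recover_x(n % 2**255, n >> 255), n % 2**255)

def h(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def sign(password, scramble):
    az = hashlib.sha512(password).digest()    # assumed scheme: hash the raw password, any length
    a = int.from_bytes(az[:32], "little") & (2**254 - 8) | 2**254   # clamp
    r = h(az[32:], scramble) % L
    R, A = enc(mul(r, B)), enc(mul(a, B))     # the raw scalar multiplications
    s = (r + h(R, A, scramble) * a) % L
    return R + s.to_bytes(32, "little"), A    # (64-byte signature, public key)

def verify(pub, scramble, sig):               # server side: s*B == R + k*A
    s, k = int.from_bytes(sig[32:], "little"), h(sig[:32], pub, scramble) % L
    return mul(s, B) == add(dec(sig[:32]), mul(k, dec(pub)))
```

An API that only accepts a fixed 32-byte Ed25519 seed cannot take the password as key material, which is why the steps inside `sign()` have to be built from scalar and point primitives. The arithmetic here is for reading, not for production use, since it is not constant time.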

Member

bukka commented Jul 19, 2025

I thought that this is being addressed as per #14258 (comment) so it will be possible to use OpenSSL. Is that not the case?

Member

bukka commented Jul 19, 2025

You really need to do something that is possible to do using OpenSSL. Otherwise I don't think we can accept this without an RFC.

Member

bukka commented Jul 19, 2025

Just to clarify my reservation here. The issue here is that libsodium stayed a single-maintainer library and its development slowed down a bit - it is still maintained, but if that one person stops maintaining it, we will have to start considering removing the extension, so I would prefer we do not add additional core dependencies on it. Or at least any new dependency on it really needs to be discussed and we will need to vote about it.

Author

rusher commented Jul 21, 2025

To clarify, MariaDB has 2 authentication plugins:

  • ed25519 (2017, available in all supported versions)
  • parsec (2024, available only in latest LTS 11.8)

ed25519 is the subject of this PR.
parsec is a KDF authentication signed with ed25519 that can be implemented using OpenSSL.

Member

bukka commented Jul 22, 2025

Ok, I have done some investigation and I agree that it would be good for PHP users to be able to use ed25519, as it seems like the preferred auth plugin in MariaDB (at least for older versions) atm.

That said, I'm not sure this is the right approach to get it to them quickly. First of all, it depends on an extra compilation flag and the availability of sodium, so it is quite unlikely that distributors would build multiple versions of mysqlnd. It means it is quite likely that this wouldn't be available for most users. Also, it could go into PHP 8.5 at the soonest (we do not do any backports of features), but we are quite close to feature freeze so it might not even get there.

The thing is that it might not actually be necessary to have it in the core at all. I just had a quick look at https://pecl.php.net/package/mysqlnd_krb (downloaded the source and checked the code) and it registers the auth plugin externally in MINIT using mysqlnd_plugin_register_ex, so I think this should work for ed25519. Could you look into that and report if there is any issue with such an approach?

The main advantage of the external extension is that it could be added to PECL (or available through PIE) and users could use it straight away. So I think this would be ideal for users. In terms of parsec, it would make more sense to get it to the core as it can work with OpenSSL and slower adoption might not be such a big issue.
