mysqlnd MariaDB ed25519 authentication plugin

[rusher]

implementation for #14258

This requires libsodium 1.0.17 or later

[rusher]

I've submitted this to current 8.5 branch, it would be great if this is backported to 8.4 as well, since 8.5 release date is 4 month from now

[bukka]

Why can't you use OpenSSL?

[rusher]

OpenSSL doesn't expose the low-level scalar multiplication directly, while libsodium (since 1.0.17) does

[bukka]

I thought that this is being addressed as per #14258 (comment) so it will be possible to use OpenSSL. Is that not the case?

[bukka]

You really need to do something that is possible to do using OpenSSL. Otherwise I don't think we can accept this without RFC.

[bukka]

Just to clarify my reservation here. The issue here is that libsodium stayed a single maintainer library and it's development slowed down a bit - it is still maintained but if that one person stops maintaining it, we will have to start considering removing the extension so I would prefer we do not add additional core dependencies on it. Or at least any new dependency on it really needs to be discussed and we will need to vote about it.

[rusher]

To clarify, mariadb has 2 authentication plugins:

• ed25519 (2017, available in all supported version)
• parsec (2024, available only in latest LTS 11.8)

ed25519 is the subject to this PR
parsec is a KDF authentication signed with ed25519 that can be implemented using openssl

[bukka]

Ok I have done some investigation and I agree that it would be good for PHP users to be able to use ed25519 as it seems like preferred auth plugin in MariaDB (at least for older versions) atm.

That said, I'm not sure this is the right approach to get it to them quickly. First of all it depends on extra compilation flag and availability of sodium so it is quite unlikely that distributors would build multiple versions of mysqlnd. It means it is quite likely that this wouldn't be available for most users. Also it could go soonest to PHP 8.5 (we do not do any backports of features) but we are quite close to feature freeze so it might not even get there.

The thing is that it might not be actually necessary to have it in the core at all. I just had a quick look to https://pecl.php.net/package/mysqlnd_krb (downloaded the source and checked the code) and it register auth plugin externally in MINIT using mysqlnd_plugin_register_ex so I think this should work for ed25519. Could you look into that and report if there is any issue with such approach?

The main advantage of the external extension is that it could be added to PECL (or available through PIE) and users could use it straight away. So I think this would be ideal for users. In terms of parsec, it would make more sense to get it to the core as it can work with OpenSSL and slower adoption might not be such a big issue.