mysqlnd MariaDB ed25519 authentication plugin #19176
implementation for php#14258. This requires libsodium 1.0.17 or later
I've submitted this to the current 8.5 branch; it would be great if this is backported to 8.4 as well, since the 8.5 release date is 4 months from now.
Why can't you use OpenSSL?
OpenSSL doesn't expose the low-level scalar multiplication directly, while libsodium (since 1.0.17) does.
I thought that this is being addressed as per #14258 (comment) so it will be possible to use OpenSSL. Is that not the case?
You really need to do something that is possible to do using OpenSSL. Otherwise I don't think we can accept this without RFC.
Just to clarify my reservation here. The issue here is that libsodium stayed a single maintainer library and its development slowed down a bit - it is still maintained but if that one person stops maintaining it, we will have to start considering removing the extension so I would prefer we do not add additional core dependencies on it. Or at least any new dependency on it really needs to be discussed and we will need to vote about it.
To clarify, MariaDB has 2 authentication plugins:
ed25519 is the subject of this PR
Ok I have done some investigation and I agree that it would be good for PHP users to be able to use ed25519 as it seems like the preferred auth plugin in MariaDB (at least for older versions) atm. That said, I'm not sure this is the right approach to get it to them quickly. First of all it depends on an extra compilation flag and availability of sodium so it is quite unlikely that distributors would build multiple versions of mysqlnd. It means it is quite likely that this wouldn't be available for most users. Also it could go soonest to PHP 8.5 (we do not do any backports of features) but we are quite close to feature freeze so it might not even get there. The thing is that it might not be actually necessary to have it in the core at all. I just had a quick look at https://pecl.php.net/package/mysqlnd_krb (downloaded the source and checked the code) and it registers the auth plugin externally in MINIT using The main advantage of the external extension is that it could be added to PECL (or available through PIE) and users could use it straight away. So I think this would be ideal for users. In terms of parsec, it would make more sense to get it to the core as it can work with OpenSSL and slower adoption might not be such a big issue.