php / php-src

The PHP Interpreter
https://www.php.net

Implement ED25519 auth for mysqlnd #14258

Open h3ssan opened 3 months ago

h3ssan commented 3 months ago

Description

Overview

MariaDB 10.4 (released ~5 years ago) introduced an authentication method called auth_ed25519, and it is still supported in the latest version of MariaDB, which is now 11.3. Here's the official documentation to read more about auth_ed25519.

Right now, all supported MariaDB versions support auth_ed25519, which, as I said, has been available since MariaDB 10.4.

The Problem

As the PHP 8.1.0 code below (located at https://github.com/php/php-src/blob/php-8.1.0/ext/mysqlnd/mysqlnd_auth.c#L1315-L1326) shows, auth_ed25519 is not supported yet.

/* {{{ mysqlnd_register_builtin_authentication_plugins */
void
mysqlnd_register_builtin_authentication_plugins(void)
{
    mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_native_auth_plugin);
    mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_pam_authentication_plugin);
#ifdef MYSQLND_HAVE_SSL
    mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_caching_sha2_auth_plugin);
    mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_sha256_authentication_plugin);
#endif
}
/* }}} */

Also, here's what MariaDB officially said about mysql_native_password:

The Requested Features

More on this

nielsdos commented 3 months ago

I remember looking into this some time ago. And I noped out when I learned that MariaDB invented their own variant of ED25519: https://jira.mariadb.org/browse/MDEV-19217

h3ssan commented 3 months ago

> I remember looking into this some time ago. And I noped out when I learned that MariaDB invented their own variant of ED25519: https://jira.mariadb.org/browse/MDEV-19217

Hey @nielsdos, at some point MySQL will eventually implement ed25519 too. Since SHA-1 is freaking weak nowadays, they must implement a stronger mechanism for authentication.

SakiTakamachi commented 3 months ago

At least, MariaDB's deviates from standard ed25519, so I'm not sure if we should rush to deal with it now...

vuvova commented 3 weeks ago

Sometimes doing nothing pays out.

We're releasing a new authentication plugin https://mariadb.com/kb/en/authentication-plugin-parsec/ — it uses stock ed25519 from OpenSSL or GnuTLS, not modified.

h3ssan commented 3 weeks ago

> Sometimes doing nothing pays out.
>
> We're releasing a new authentication plugin https://mariadb.com/kb/en/authentication-plugin-parsec/ — it uses stock ed25519 from OpenSSL or GnuTLS, not modified.

That’s great. @SakiTakamachi could you take a look into it please?