Implement ED25519 auth for mysqlnd #14258

Open
h3ssan opened this issue May 17, 2024 · 8 comments
Comments

@h3ssan

h3ssan commented May 17, 2024

Description

Overview

MariaDB 10.4 (released ~5 years ago) introduced an authentication method called auth_ed25519, and it is still supported in the latest MariaDB versions (currently 11.3); here's the official documentation to read more about auth_ed25519.

Right now, all supported MariaDB versions support auth_ed25519, which, as I said, has been the case since MariaDB 10.4.

The Problem

As this code from PHP 8.1.0 (located in https://github.com/php/php-src/blob/php-8.1.0/ext/mysqlnd/mysqlnd_auth.c#L1315-L1326 ) shows, auth_ed25519 is not supported yet.

/* {{{ mysqlnd_register_builtin_authentication_plugins */
void
mysqlnd_register_builtin_authentication_plugins(void)
{
	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_native_auth_plugin);
	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_pam_authentication_plugin);
#ifdef MYSQLND_HAVE_SSL
	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_caching_sha2_auth_plugin);
	mysqlnd_plugin_register_ex((struct st_mysqlnd_plugin_header *) &mysqlnd_sha256_authentication_plugin);
#endif
}
/* }}} */

Also, here's what the official MariaDB documentation says about mysql_native_password:

The Requested Features

  • Implement ED25519 authentication for MySQL Native Driver (mysqlnd)

More on this

@nielsdos
Member

I remember looking into this some time ago. And I noped out when I learned that MariaDB invented their own variant of ED25519: https://jira.mariadb.org/browse/MDEV-19217

@h3ssan
Author

h3ssan commented May 18, 2024

I remember looking into this some time ago. And I noped out when I learned that MariaDB invented their own variant of ED25519: https://jira.mariadb.org/browse/MDEV-19217

Hey @nielsdos
At some point MySQL will eventually implement ed25519 too. Since SHA-1 is freaking weak nowadays, they must implement a stronger authentication mechanism.

@SakiTakamachi
Member

SakiTakamachi commented May 20, 2024

At least, MariaDB's implementation deviates from standard ed25519, so I'm not sure if we should rush to deal with it now...

@vuvova

vuvova commented Aug 16, 2024

Sometimes doing nothing pays out.

We're releasing a new authentication plugin https://mariadb.com/kb/en/authentication-plugin-parsec/ — it uses stock ed25519 from OpenSSL or GnuTLS, not modified.

@h3ssan
Author

h3ssan commented Aug 16, 2024

Sometimes doing nothing pays out.

We're releasing a new authentication plugin https://mariadb.com/kb/en/authentication-plugin-parsec/ — it uses stock ed25519 from OpenSSL or GnuTLS, not modified.

That’s great.
@SakiTakamachi could you take a look into it please?

@Rudis1261

Please sir, can we have it

@nielsdos nielsdos self-assigned this Nov 29, 2024
@leonardo0014

Hello @nielsdos
Thank you for taking on this topic.
What is the current status of the implementation? Have you had time yet, or is there an estimate of when this function might be available in this PHP extension? The background to my question is that the MariaDB product can only do SHA-1 or ed25519, but nothing in between, and we all know that SHA-1 is no longer secure for passwords. Unfortunately, my C programming skills leave a lot to be desired and I am dependent on your support here.
Thank you in advance for your help

@nielsdos
Member

nielsdos commented Feb 1, 2025

It's still in my TODO list, and I have a partial implementation of the parsec protocol. The ed25519 protocol from MariaDB is actually non-standard, while the parsec protocol (based on the same algorithms) is, so that's why I favor the latter.

6 participants