Hello Georg,
there are some inconsistencies in the indentation in mariadb_ed25519_auth().
You might take a look at
https://github.com/php/php-src/blob/master/ext/mysqlnd/mysqlnd_auth.c ::
mysqlnd_caching_sha2_handle_server_response(). mysqlnd's auth plugin
design was finished without support for chatty auth plugins, so the
solution there is not the cleanest but works.
Kind regards,
Andrey
On 24.07.25 at 11:44, Georg Richter wrote:
Hi,
I would like to upload a new package for mysqlnd ed25519 authentication
to PECL.
Currently, PHP can only connect to MariaDB servers using the
mysql_native_password authentication plugin, which relies on SHA-1.
SHA-1 is considered insecure, as noted in RFC 6194, 9155, 9157, RFC
9157, NIST SP 800-131A, etc.
This module provides an authentication plugin (ed25519) that uses
libsodium for authentication, allowing PHP clients to authenticate
against MariaDB servers using Ed25519 instead of SHA-1.
The new package, mysqlnd_ed25519, is currently hosted here:
https://github.com/9EOR9/mysqlnd_ed25519.git
Support for the MariaDB PARSEC authentication plugin is also planned.
However, implementing it requires additional round trips, and the
current mysqlnd plugin API does not seem to support multiple round trips
without accessing mysqlnd’s internal functions. If anyone has experience
implementing a mysqlnd authentication plugin that requires extra round
trips, I would greatly appreciate advice or examples.
Please let me know if there are any objections to uploading this to PECL
or if you have questions or suggestions.
About me:
I am a member of MariaDB’s Connector team and a retired
author/maintainer of PHP’s mysql, mysqli, mysqlnd, and ncurses extensions,
as well as a retired member of the PHP documentation team.
Best regards,
Georg Richter
--
Georg Richter, Staff Software Engineer
Client Connectivity
MariaDB Corporation Ab