Add support for SCRAM-SHA-256 authentication. #608
Upcoming PostgreSQL version 10 adds SCRAM-SHA-256 authentication. Implement it in the driver. This includes a built-in implementation of SASLPrep.
1 commit with 1,337 additions and 0 deletions 🤔 Slightly surprised how much code went into this (considering how much cryptography Go has in its standard library), but it looks like a lot of it is just magic tables. I can review this work this weekend, but I'd appreciate if someone else did that as well. |
I'll devote some time this weekend as well, though probably not enough for a complete review. I'm not sure if/how we should consider external dependencies. A quick search pointed me to the following:
So I have an idea of how to approach this, @hlinnaka, is this a port of some other implementation? |
On 05/05/2017 10:35 PM, Chris Bandy wrote:
> I'll devote _some_ time this weekend as well, though probably not enough for a complete review.
Thanks!
> I'm not sure if/how we should consider external dependencies. A quick search pointed me to the following:
> - golang/go#16257
> - https://godoc.org/golang.org/x/text/secure/precis
> So I have an idea of how to approach this, @hlinnaka, is this a port of some other implementation?
Ah, I saw issue #16257 earlier, when I googled around, but I didn't
notice there was a SCRAM-SHA-256 implementation included in that.
Looking at that implementation, it doesn't do SASLprep (yet). Could
improve that, of course.
I'm OK with using that implementation, although it seems like it's still
in early stages. I bet it will still change a lot until it becomes
stable. SCRAM is simple enough that it wouldn't save much in terms of
lines of code. My guess would be that having the extra dependency would
outweigh the benefits, but this is the first time I dabble into Go, I'm
not sure how much trouble that is in practice.
I ported the SASLprep code from the implementation in upstream
PostgreSQL libpq library, see
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c;hb=HEAD.
The rest I wrote from scratch. (I wrote that upstream SASLprep
implementation, too.)
PRECIS isn't identical to SASLprep, although it's close. I'm not sure
what exactly the differences are.
- Heikki
|
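For reference alongside the discussion above of how much code SCRAM itself needs: the following is an added example, not code from this PR or from the driver, that computes the SCRAM-SHA-256 client proof and server signature with only the Go standard library and replays the exchange published in RFC 7677 section 3. The function names are hypothetical, and SASLprep normalization of the password (the table-heavy part of the PR) is assumed to have been done already.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// hi is SCRAM's Hi(): PBKDF2-HMAC-SHA-256 producing one 32-byte block.
func hi(password, salt []byte, iter int) []byte {
	u := mac(password, append(append([]byte{}, salt...), 0, 0, 0, 1))
	out := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		u = mac(password, u)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// ScramProofs returns base64 ClientProof (p=) and ServerSignature (v=, which the client must verify).
func ScramProofs(password string, salt []byte, iter int, authMsg string) (string, string) {
	salted := hi([]byte(password), salt, iter) // password: already SASLprep-normalized (not shown)
	proof := mac(salted, []byte("Client Key")) // starts out as ClientKey
	storedKey := sha256.Sum256(proof)
	for i, b := range mac(storedKey[:], []byte(authMsg)) {
		proof[i] ^= b // ClientProof = ClientKey XOR ClientSignature
	}
	serverSig := mac(mac(salted, []byte("Server Key")), []byte(authMsg))
	return base64.StdEncoding.EncodeToString(proof), base64.StdEncoding.EncodeToString(serverSig)
}

// RFC7677Example replays the exchange printed in RFC 7677 section 3 (password "pencil").
func RFC7677Example() (string, string) {
	salt, _ := base64.StdEncoding.DecodeString("W22ZaJ0SNY7soEsUEjb6gQ==")
	nonce := "rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
	// AuthMessage: client-first-message-bare, server-first-message, client-final-message-without-proof
	auth := "n=user,r=rOprNGfwEbeRWgbNEkqO,r=" + nonce + ",s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096,c=biws,r=" + nonce
	return ScramProofs("pencil", salt, 4096, auth)
}

func main() { fmt.Println(RFC7677Example()) }
```

A real client compares the received `v=` value against the computed server signature with `hmac.Equal` and aborts the connection on mismatch, since that check is what authenticates the server to the client.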
My health unfortunately won't let me spend any time on this this weekend. I'll try and organize some time some other weekend, but I can't promise anything. |
This is trivial to add, I just didn't have an RFC 7613 implementation yet when I started on the SASL implementation. The credentials API (where this change would be introduced) probably also will be part of the change when adding server support though. Having it as an option doesn't make a lot of sense since credentials may be just about anything, not just usernames and passwords.
PRECIS attempted to be as backwards compatible as possible and, in the particular case of SASLprep, most likely won't cause any problems as long as you re-normalize your data. See: RFC 7613 §6 |
Any update on this? |
Also curious on updates as they are needed for continued usage of Gitea. |
Any chance of an ETA on merging this PR? |
Any progress? |
Also interested in this. How can I help this to be merged? |
I haven't done a review of the PR, but at a minimum it needs a test that connects to a real postgres server using this method. My read of the tests suggests this is missing. |
@johto Hi, we very much need this feature for our Sept release. Is there any possible way to get this test case working so we can get this feature from last year merged? |
This also needs a rebase onto master. |
maybe the tests could be used for the merged scram auth? |
This PR has been superseded by #833 and can be closed. |