scram: SASLPrep for passwords #181

Open

will opened this issue Aug 5, 2019 · 1 comment

Comments

@will
Owner

will commented Aug 5, 2019

Right now the scram support does not run the password through SASLprep, so not all technically valid passwords will be able to authenticate using scram. I decided to release scram support even with this deficiency, since without scram support 100% of the passwords for scram would fail ;)

Some information copied from @jkatz's comments on #176:

> The password needs to be normalized with SASLPrep (well, PostgreSQL-flavored SASLPrep), otherwise some valid passwords will fail. Here is an example of how to do it:
> https://github.com/MagicStack/asyncpg/blob/master/asyncpg/protocol/scram.pyx#L263

and

> So what PostgreSQL does is that any UTF8 string goes through SASLprep. If it's not a UTF-8 string, or if it fails at certain parts of the SASLprep, then it just passes the string through. The server-side implementation can be found here:
>
> https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c
>
> Certain passwords will fail without following it. Here's an example of some of the test cases to try:
>
> https://github.com/MagicStack/asyncpg/blob/master/tests/test_connect.py#L238

It doesn't look like Crystal has unicode_normalize_kc or any sort of unicode normalization yet.

Also I'm not sure all of the tables in Crystal's stdlib src/unicode/data.cr exactly match up for the things needed for SASLprep, so some custom tables might need to be added.

I pushed a branch that mostly just has failing tests, but this seems like it'll be a bit of work before it comes together. So any help here would be welcome.
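The PostgreSQL-flavoured behaviour quoted above (SASLprep any valid UTF-8 password; on invalid UTF-8 or a prohibited result, pass the raw bytes through), as an added Python example that is not crystal-pg, asyncpg or PostgreSQL code. It assumes the RFC 3454 tables from Python's stdlib `stringprep` module, whose unassigned table is Unicode 3.2, so code points assigned later land in the pass-through path rather than being normalized as PostgreSQL's own tables would.

```python
import stringprep
import unicodedata

# RFC 4013 SASLprep built on the RFC 3454 tables in Python's stringprep module.
# Added example: not crystal-pg, asyncpg or PostgreSQL code.
PROHIBITED = (
    stringprep.in_table_c12,      # non-ASCII space (should be mapped away in step 1)
    stringprep.in_table_c21_c22,  # ASCII and non-ASCII control characters
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,       # private use, non-characters, surrogates, ...
    stringprep.in_table_a1,       # unassigned (Unicode 3.2 in Python's tables)
)


def saslprep(s: str) -> str:
    """Return the SASLprep form of s; raise ValueError if the result is prohibited."""
    # 1) Map: non-ASCII spaces (C.1.2) to SPACE; "mapped to nothing" (B.1) dropped.
    mapped = []
    for c in s:
        if stringprep.in_table_c12(c):
            mapped.append(" ")
        elif not stringprep.in_table_b1(c):
            mapped.append(c)
    # 2) Normalize with NFKC (e.g. the U+FB01 "fi" ligature becomes "fi").
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # 3) Prohibited output.
    for c in out:
        if any(table(c) for table in PROHIBITED):
            raise ValueError(f"prohibited code point U+{ord(c):04X}")
    # 4) Bidi (RFC 3454 section 6): RandALCat must not mix with LCat, and a
    #    string containing RandALCat must start and end with RandALCat.
    if any(stringprep.in_table_d1(c) for c in out):
        if any(stringprep.in_table_d2(c) for c in out):
            raise ValueError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("RandALCat string must start and end with RandALCat")
    return out


def pg_saslprep(password: bytes) -> bytes:
    """PostgreSQL-flavoured SASLprep: normalize valid UTF-8, otherwise (invalid
    UTF-8 or a prohibited result) pass the raw bytes through unchanged."""
    if password.isascii():
        return password  # nothing to map or normalize
    try:
        return saslprep(password.decode("utf-8")).encode("utf-8")
    except (UnicodeDecodeError, ValueError):
        return password
```

Both sides of SCRAM must agree on this transformation, so a client that skips it will compute a different salted key than the server stored for any password the mapping or normalization changes.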

@will
Owner Author

will commented Aug 5, 2019
