Add support for SCRAM-SHA-256 authentication. #608
1 commit with 1,337 additions and 0 deletions
Slightly surprised how much code went into this (considering how much cryptography Go has in its standard library), but it looks like a lot of it is just magic tables.
I can review this work this weekend, but I'd appreciate if someone else did that as well.
I'll devote some time this weekend as well, though probably not enough for a complete review.
I'm not sure if/how we should consider external dependencies. A quick search pointed me to the following:
- golang/go#16257
- https://godoc.org/golang.org/x/text/secure/precis
So I have an idea of how to approach this, @hlinnaka, is this a port of some other implementation?
On 05/05/2017 10:35 PM, Chris Bandy wrote:
I'll devote _some_ time this weekend as well, though probably not enough for a complete review.
I'm not sure if/how we should consider external dependencies. A quick search pointed me to the following:
- golang/go#16257
- https://godoc.org/golang.org/x/text/secure/precis
So I have an idea of how to approach this, @hlinnaka, is this a port of some other implementation?
Ah, I saw issue #16257 earlier, when I googled around, but I didn't notice there was a SCRAM-SHA-256 implementation included in that. Looking at that implementation, it doesn't do SASLprep (yet). Could improve that, of course. I'm OK with using that implementation, although it seems like it's still in early stages. I bet it will still change a lot until it becomes stable. SCRAM is simple enough that it wouldn't save much in terms of lines of code. My guess would be that having the extra dependency would outweigh the benefits, but this is the first time I dabble in Go, so I'm not sure how much trouble that is in practice.

I ported the SASLprep code from the implementation in the upstream PostgreSQL libpq library, see https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c;hb=HEAD. The rest I wrote from scratch. (I wrote that upstream SASLprep implementation, too.)

PRECIS isn't identical to SASLprep, although it's close. I'm not sure what exactly the differences are.

- Heikki
This is trivial to add, I just didn't have an RFC 7613 implementation yet when I started on the SASL implementation. The credentials API (where this change would be introduced) probably also will be part of the change when adding server support though. Having it as an option doesn't make a lot of sense since credentials may be just about anything, not just usernames and passwords.
PRECIS attempted to be as backwards compatible as possible and, in the particular case of SASLprep, most likely won't cause any problems as long as you re-normalize your data. See: RFC 7613 §6
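The two points raised above, that SCRAM itself is short enough not to need a dependency and that the password must be normalized (SASLprep/PRECIS) before it enters the key derivation, can be seen in a compact standard-library Go implementation of the SCRAM-SHA-256 arithmetic from RFC 5802 and RFC 7677. This is an added example, not code from this PR, from lib/pq or from golang.org/x/text; the nonces, salt, user name and password are constructed sample values, and the password is assumed to already be SASLprep-normalized (the normalization step is deliberately left out, as it is the part under discussion). The block computes both sides: what the server stores (StoredKey and ServerKey, never the password), the proof the client sends, the server's check of that proof, and the server signature the client verifies in return.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// hi is the SCRAM Hi() function (RFC 5802 section 2.2): PBKDF2 with
// HMAC-SHA-256 producing a single output block.
func hi(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1) as a big-endian uint32
	u := mac.Sum(nil)
	result := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range result {
			result[j] ^= u[j]
		}
	}
	return result
}

func hmacSHA256(key, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return mac.Sum(nil)
}

func sha256Sum(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// xorBytes assumes len(a) <= len(b); callers check lengths first.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// StoredCredential is what the server keeps per user. Neither the password
// nor SaltedPassword is stored; StoredKey and ServerKey suffice.
type StoredCredential struct {
	Salt       []byte
	Iterations int
	StoredKey  []byte // H(ClientKey)
	ServerKey  []byte // HMAC(SaltedPassword, "Server Key")
}

// NewStoredCredential derives the server-side record from a password that
// is assumed to be SASLprep-normalized already (assumption of this example).
func NewStoredCredential(password string, salt []byte, iterations int) StoredCredential {
	salted := hi([]byte(password), salt, iterations)
	clientKey := hmacSHA256(salted, []byte("Client Key"))
	return StoredCredential{
		Salt:       salt,
		Iterations: iterations,
		StoredKey:  sha256Sum(clientKey),
		ServerKey:  hmacSHA256(salted, []byte("Server Key")),
	}
}

// ClientProof computes p= for the client-final-message:
// ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
func ClientProof(password string, salt []byte, iterations int, authMessage string) []byte {
	salted := hi([]byte(password), salt, iterations)
	clientKey := hmacSHA256(salted, []byte("Client Key"))
	clientSig := hmacSHA256(sha256Sum(clientKey), []byte(authMessage))
	return xorBytes(clientKey, clientSig)
}

// VerifyClientProof is the server-side check: recover ClientKey from the
// proof and compare its hash against StoredKey in constant time. A proof of
// the wrong length is rejected before any arithmetic is attempted.
func VerifyClientProof(cred StoredCredential, authMessage string, proof []byte) bool {
	if len(proof) != sha256.Size {
		return false
	}
	clientSig := hmacSHA256(cred.StoredKey, []byte(authMessage))
	clientKey := xorBytes(proof, clientSig)
	return hmac.Equal(sha256Sum(clientKey), cred.StoredKey)
}

// ServerSignature is the v= value the server sends in server-final-message.
func ServerSignature(cred StoredCredential, authMessage string) []byte {
	return hmacSHA256(cred.ServerKey, []byte(authMessage))
}

// ExpectedServerSignature is what the client computes to authenticate the
// server; a mismatch means the peer never held ServerKey.
func ExpectedServerSignature(password string, salt []byte, iterations int, authMessage string) []byte {
	salted := hi([]byte(password), salt, iterations)
	return hmacSHA256(hmacSHA256(salted, []byte("Server Key")), []byte(authMessage))
}

func main() {
	// Constructed sample exchange; real nonces are random and the salt and
	// iteration count come from the server-first-message.
	password, salt, iterations := "pencil", []byte("constructed-salt"), 4096
	clientFirstBare := "n=user,r=clientnonce"
	serverFirst := "r=clientnonceservernonce,s=" + base64.StdEncoding.EncodeToString(salt) + ",i=4096"
	clientFinalNoProof := "c=biws,r=clientnonceservernonce"
	authMessage := clientFirstBare + "," + serverFirst + "," + clientFinalNoProof

	cred := NewStoredCredential(password, salt, iterations)
	proof := ClientProof(password, salt, iterations, authMessage)
	fmt.Println("client proof:", base64.StdEncoding.EncodeToString(proof))
	fmt.Println("server accepts proof:", VerifyClientProof(cred, authMessage, proof))
	fmt.Println("wrong password accepted:",
		VerifyClientProof(cred, authMessage, ClientProof("wrong", salt, iterations, authMessage)))
	fmt.Println("client accepts server signature:",
		hmac.Equal(ServerSignature(cred, authMessage), ExpectedServerSignature(password, salt, iterations, authMessage)))
}
```

The whole mechanism is a few dozen lines, which matches the remark that pulling in a dependency would not save much code; what a library does add is the SASLprep/PRECIS preparation that this example assumes has already happened. The AuthMessage is the concatenation of client-first-message-bare, server-first-message and client-final-message-without-proof, so a proof bound to one exchange cannot be replayed into another. RFC 7677 section 3 publishes a full test vector for the "pencil" password that can be fed through these functions to confirm the arithmetic.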