Re: [HACKERS] Letting the client choose the protocol to use during aSASL exchange - Mailing list pgsql-hackers

On 11/04/17 08:50, Heikki Linnakangas wrote:
> On 04/10/2017 11:03 PM, Álvaro Hernández Tortosa wrote:
>>      Channel binding needs to specify actually three things:
>> - The mechanism, which is indeed suffixed "-PLUS".
>> - The channel binding name, which is described here:
>> https://tools.ietf.org/html/rfc5056. Types are also IANA-registered (see
>> https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml). 
>>
>> SCRAM mandates to implement 'tls-unique', but other channel binding
>> types could be supported (like 'tls-server-end-point' for example).
>> - The channel binding data, which is channel binding mechanism
>> dependent, and is sent as part of the client last message.
>>
>>      What I'm talking about here is the second one, the channel binding
>> type (name).
>
> Oh, I see. According to the SCRAM RFC, "tls-unique" is used by 
> default. I don't see us implementing anything else any time soon. 
> PostgreSQL doesn't support any other "channel type" than TLS, and 
> tls-unique is the only one that makes sense for TLS.
>
> If we do need it after all, the server could advertise the additional 
> channel binding types as additional SASL mechanisms in the 
> AuthenticationSASL message, maybe something like:
>
> "SCRAM-SHA-256"
> "SCRAM-SHA-256-PLUS" (for tls-unique)
> "SCRAM-SHA-256-PLUS ssh-unique" (for hypothetical ssh channel binding)
>
> The same trick can be used to advertise any other SASL mechanism 
> specific options, if needed in the future.
    Why not add an extra field to the message? This scheme has in my 
opinion some disadvantages:

- You assume no extensibility. Maybe Postgres will implement other 
mechanisms for channel binding. Maybe not. But why limit ourselves?
- Apart from tls-unique there are others today, like 
tls-server-end-point and who knows if in the future TLS 1.x comes with 
something like 'tls-unique-1.x'
- Why have to parse the string (separated by spaces) when you could use 
different fields and have no parsing at all?
- How do you advertise different SCRAM mechanisms with different channel 
binding types? And a mix of SCRAM mechanisms with and without channel 
binding? If I got it right, with your proposal it would be something like:

Field 1: SCRAM-SHA-256,SCRAM-SHA-256-PLUS tls-unique,SCRAM-SHA-1-PLUS 
tls-unique,SCRAM-SHA-512-PLUS tls-unique

(which is basically a CSV of pairs where the right part of the pair 
might be empty; too much IMHO for a single field)

vs

Field 1: 
SCRAM-SHA-256,SCRAM-SHA-256-PLUS,SCRAM-SHA-1-PLUS,SCRAM-SHA-512-PLUS 
(simple CSV)
Field 2: tls-unique (String)
    Is there any reason not to use two fields? AuthenticationSASL is a 
new message, I guess we can freely choose its format, right?



>
>>> I'm not sure I follow. The username is sent from client to server, and
>>> currently, the server will ignore it. If you're writing a client
>>> library, it can send whatever it wants. (Although again I would
>>> recommend an empty string, to avoid confusion. Sending the same
>>> username as in the startup packet, as long as it's in UTF-8, seems
>>> reasonable too.)
>>
>>      OK, understood. I will not let then the SCRAM implementation I'm
>> writing to allow for empty string as the user name, but in the pgjdbc
>> glue code send "ignore" as the user name or something like that ;P
>
> Hmm, so the SASL library you're using doesn't like sending an empty 
> string as the username? Now that I look at RFC5802 more closely, it says:
>
>> If the preparation of the username fails or results in an empty
>> string, the server SHOULD abort the authentication exchange.
>
> Perhaps we should reserve a magic user name to mean "same as startup 
> message", in addition or instead of the empty string. We actually 
> discussed that already at [1], but we forgot about it since.
    That works. Please let me know what is the "magic constant" chosen ;P

    Thanks,
    Álvaro


-- 

Álvaro Hernández Tortosa


-----------
<8K>data