Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-2539

SCRAM secrets should be cached by hashed password, salt, and iterations

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.10.0
    • Affects Version/s: 1.7.0
    • Component/s: auth
    • Labels:

      CDRIVER-2150 implemented caching for SCRAM-SHA-1 by tracking the client key, server key, and salted password on the mongoc_cluster_t object. Once cached, those values are then used for all subsequent SCRAM authentications for the same cluster/client.

      In PHPC-1022, we discovered that this behavior was the cause of occasional authentication failures for persisted libmongoc clients. While the client error was vague, the server logs indicated:

      AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch

      Looking at 16e8333 for SERVER-26952,
      scram_sha1_client_cache.cpp uses the following pre-secrets as its hash key:

      • hashed password
      • salt
      • iteration count

      Rather than maintain a single cache entry for the entire cluster, libmongoc should cache its secrets by an n-tuple of the above pre-secrets. This cache need not be limited to mongoc_cluster_t. We can have _mongoc_scram_startup() (called by _mongoc_do_init() initialize a global hash table for use by all libmongoc clients. This will allow us to remove any notion of caching from mongoc-cluster.c and contain it within mongoc-scram.c. That hash table can later be freed in a new _mongoc_scram_cleanup() function, which can be invoked by _mongoc_do_cleanup().

            jmikola@mongodb.com Jeremy Mikola
            jmikola@mongodb.com Jeremy Mikola
            0 Vote for this issue
            2 Start watching this issue