
SCRAM secrets should be cached by hashed password, salt, and iterations


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 1.7.0
    • Fix Version/s: 1.10.0
    • Component/s: auth
    • Labels: None

    Description

      CDRIVER-2150 implemented caching for SCRAM-SHA-1 by tracking the client key, server key, and salted password on the mongoc_cluster_t object. Once cached, those values are then used for all subsequent SCRAM authentications for the same cluster/client.

      In PHPC-1022, we discovered that this behavior was the cause of occasional authentication failures for persisted libmongoc clients. While the client error was vague, the server logs indicated:

      AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch

      Looking at 16e8333 for SERVER-26952, scram_sha1_client_cache.cpp uses the following pre-secrets as its hash key:

      • hashed password
      • salt
      • iteration count

      Rather than maintain a single cache entry for the entire cluster, libmongoc should cache its secrets by an n-tuple of the above pre-secrets. This cache need not be limited to mongoc_cluster_t. We can have _mongoc_scram_startup() (called by _mongoc_do_init()) initialize a global hash table for use by all libmongoc clients. This will allow us to remove any notion of caching from mongoc-cluster.c and contain it within mongoc-scram.c. That hash table can later be freed in a new _mongoc_scram_cleanup() function, which can be invoked by _mongoc_do_cleanup().
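      The following is an added illustration of the proposed cache shape, written in Python rather than taken from libmongoc: secrets are derived per RFC 5802 (SHA-1) and stored under the (hashed password, salt, iteration count) tuple, so two cluster members that differ only in salt each get their own entry instead of sharing one. The salts, password and the mongodb_hashed_password() helper are constructed for the demo; the MD5 "user:mongo:password" convention it encodes is MongoDB's, not something this issue states.

```python
import hashlib
import hmac
from typing import Dict, NamedTuple, Tuple

# Cache key = the three SCRAM pre-secrets named in the issue. A cluster whose
# members use different salts or iteration counts gets one entry per member
# instead of one entry that is only right for whichever member filled it.
CacheKey = Tuple[bytes, bytes, int]

class ScramSecrets(NamedTuple):
    salted_password: bytes
    client_key: bytes
    stored_key: bytes
    server_key: bytes

_scram_cache: Dict[CacheKey, ScramSecrets] = {}

def mongodb_hashed_password(username: str, password: str) -> bytes:
    # MongoDB's SCRAM-SHA-1 convention (not stated on this page): MD5 of
    # "user:mongo:password", hex-encoded, is what PBKDF2 is fed as the password.
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest().encode()

def derive_scram_sha1_secrets(hashed_password: bytes, salt: bytes, iterations: int) -> ScramSecrets:
    """RFC 5802 with SHA-1: the costly PBKDF2 step, then ClientKey, StoredKey, ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha1", hashed_password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return ScramSecrets(salted, client_key, stored_key, server_key)

def cached_scram_secrets(hashed_password: bytes, salt: bytes, iterations: int) -> Tuple[ScramSecrets, bool]:
    """Return (secrets, cache_hit); the lookup key is the full pre-secret tuple."""
    key: CacheKey = (hashed_password, salt, iterations)
    if key in _scram_cache:
        return _scram_cache[key], True
    secrets = derive_scram_sha1_secrets(hashed_password, salt, iterations)
    _scram_cache[key] = secrets
    return secrets, False

def demo() -> Dict[str, bool]:
    """Two constructed cluster members share credentials but use different salts."""
    hp = mongodb_hashed_password("app", "constructed-password")
    salt_a, salt_b = b"constructed-salt-A", b"constructed-salt-B"
    a, hit_a = cached_scram_secrets(hp, salt_a, 10000)      # miss: runs PBKDF2
    b, hit_b = cached_scram_secrets(hp, salt_b, 10000)      # miss: new salt
    _, hit_a2 = cached_scram_secrets(hp, salt_a, 10000)     # hit: same tuple
    # Handing member B the secrets cached for A is the "storedKey mismatch".
    return {"first_miss": not hit_a, "other_salt_miss": not hit_b,
            "same_tuple_hit": hit_a2, "stored_keys_differ": a.stored_key != b.stored_key}
```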


            People

              Assignee: Jeremy Mikola (jmikola@mongodb.com)
              Reporter: Jeremy Mikola (jmikola@mongodb.com)