[CDRIVER-2475] Implement SASLPrep Created: 27/Jan/18 Updated: 28/Oct/23 Resolved: 23/May/18 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | auth |
| Affects Version/s: | None |
| Fix Version/s: | 1.11.0 |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | A. Jesse Jiryu Davis | Assignee: | Kevin Albertson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
SASLPrep prepares strings that contain non-ASCII characters for use as username and password with SCRAM-SHA-256 auth for MongoDB 4+. Watch

The C Driver already depends (optionally) on the Cyrus SASL library on Linux to implement Kerberos/GSSAPI auth. For normal SCRAM-SHA-1 auth we only depend on an SSL library, without requiring Cyrus.

Cyrus SASL claims to support SASLPrep but I don't know how to access its SASLPrep implementation for our own SCRAM-SHA-256 mechanism. If we can figure that out, then one option we have is to use Cyrus's SASLPrep on Linux if Cyrus is available, otherwise don't do SASLPrep and risk users being unable to log in with non-ASCII credentials. Another option there is to just vendor in a license-compliant implementation of SASLPrep so we can continue to support the default auth mechanism using only an SSL library, without Cyrus.

Another option is to copy this code and everything it depends upon from Heimdal and use it on all platforms. Check with Legal if this is ok.

Or, go ask the Platforms Team what they're doing in the server to implement SASLPrep. I think they're using libicu for it, perhaps that's widely enough available that we could depend on it for auth.

Here's Windows: https://msdn.microsoft.com/en-us/library/windows/desktop/mt823414(v=vs.85).aspx |
| Comments |
| Comment by Githook User [ 23/May/18 ] |
|
Author: {'username': 'kevinAlbs', 'name': 'Kevin Albertson', 'email': 'kevin.albertson@10gen.com'}Message: |
| Comment by A. Jesse Jiryu Davis [ 21/May/18 ] |
|
Let's merge this to master and close the ticket now that 1.10 is out. |
| Comment by Kevin Albertson [ 26/Feb/18 ] |
|
SASLPrep has been pushed to the branch sasl-prep. It uses libicu. SASLPrep is only needed when usernames and passwords have non-ASCII or control characters. Since SASLPrep is the only function requiring libicu it was decided that libicu not be bundled in with the driver. Instead, a user must have libicu installed on their system. In the implementation of SCRAM-SHA-256, if a username or password is detected as having non-ASCII or control characters that may require SASLPrep, we can show an error. The FindICU CMake module also requires CMake 3.7. |
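The check described in the comment above, sketched as an added example (not the driver's own code): classify a credential as possibly needing SASLPrep and fail closed when no SASLPrep implementation is available. The names `may_need_saslprep`, `scram_sha256_precheck` and the `have_icu` flag are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if any byte is an ASCII control character (< 0x20 or 0x7F) or part
 * of a multi-byte UTF-8 sequence (>= 0x80): input SASLPrep may change. */
static bool may_need_saslprep (const char *s)
{
   for (const unsigned char *p = (const unsigned char *) s; *p; p++) {
      if (*p < 0x20 || *p >= 0x7F) {
         return true;
      }
   }
   return false;
}

/* Hypothetical gate run before starting SCRAM-SHA-256.
 * have_icu: assumption standing in for "this build can run SASLPrep".
 * Returns 0 if the credentials may be used, -1 with err filled if not.
 * The message names the field only; the credential value is never echoed. */
int scram_sha256_precheck (const char *user, const char *pass, bool have_icu,
                           char *err, size_t errlen)
{
   const char *field = may_need_saslprep (user)   ? "username"
                       : may_need_saslprep (pass) ? "password"
                                                  : NULL;
   if (errlen > 0) {
      err[0] = '\0';
   }
   if (field != NULL && !have_icu) {
      snprintf (err, errlen, "SCRAM-SHA-256 %s needs SASLPrep (non-ASCII or control characters), but libicu is not available", field);
      return -1;
   }
   return 0;
}

int main (void)
{
   /* Constructed sample credentials: plain ASCII, UTF-8 a-umlaut, embedded tab. */
   const char *creds[][2] = {{"alice", "s3cret"}, {"alice", "p\xC3\xA4ss"}, {"bo\tb", "pw"}};
   char err[160];
   for (size_t i = 0; i < sizeof creds / sizeof creds[0]; i++) {
      int rc = scram_sha256_precheck (creds[i][0], creds[i][1], false, err, sizeof err);
      printf ("case %zu: rc=%d %s\n", i, rc, err);
   }
   return 0;
}
```

Pure printable-ASCII credentials pass through unchanged, so builds without libicu keep working for them; anything else is rejected up front instead of being sent un-normalized.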
| Comment by Githook User [ 26/Feb/18 ] |
|
Author: {'email': 'kevin.albertson@10gen.com', 'name': 'Kevin Albertson', 'username': 'kevinAlbs'}Message: |
| Comment by Githook User [ 26/Feb/18 ] |
|
Author: {'email': 'kevin.albertson@10gen.com', 'name': 'Kevin Albertson', 'username': 'kevinAlbs'}Message: |