[CDRIVER-2475] Implement SASLPrep Created: 27/Jan/18  Updated: 28/Oct/23  Resolved: 23/May/18

Status: Closed
Project: C Driver
Component/s: auth
Affects Version/s: None
Fix Version/s: 1.11.0

Type: New Feature Priority: Major - P3
Reporter: A. Jesse Jiryu Davis Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by CXX-1505 Implement SASLPrep Closed
is depended on by DRIVERS-444 Implement SASLPrep Closed
is depended on by PHPC-1105 Implement SASLPrep Closed

 Description   

SASLPrep prepares strings that contain non-ASCII characters for use as username and password with SCRAM-SHA-256 auth for MongoDB 4+. Watch DRIVERS-444 for details.

The C Driver already depends (optionally) on the Cyrus SASL library on Linux to implement Kerberos/GSSAPI auth. For normal SCRAM-SHA-1 auth we only depend on an SSL library, without requiring Cyrus.

Cyrus SASL claims to support SASLPrep but I don't know how to access its SASLPrep implementation for our own SCRAM-SHA-256 mechanism. If we can figure that out, then one option we have is to use Cyrus's SASLPrep on Linux if Cyrus is available, otherwise don't do SASLPrep and risk users being unable to log in with non-ASCII credentials. Another option there is to just vendor in a license-compliant implementation of SASLPrep so we can continue to support the default auth mechanism using only an SSL library, without Cyrus.

Another option is to copy this code and everything it depends upon from Heimdal and use it on all platforms. Check with Legal if this is ok.

Or, go ask the Platforms Team what they're doing in the server to implement SASLPrep. I think they're using libicu for it, perhaps that's widely enough available that we could depend on it for auth. Here's Windows: https://msdn.microsoft.com/en-us/library/windows/desktop/mt823414(v=vs.85).aspx



 Comments   
Comment by Githook User [ 23/May/18 ]

Author:

{'username': 'kevinAlbs', 'name': 'Kevin Albertson', 'email': 'kevin.albertson@10gen.com'}

Message: CDRIVER-2475 implement SASLPrep
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/15e89fd494d6a33b93a9e4d655b88762739d12b1

Comment by A. Jesse Jiryu Davis [ 21/May/18 ]

Let's merge this to master and close the ticket now that 1.10 is out.

Comment by Kevin Albertson [ 26/Feb/18 ]

SASLPrep has been pushed to the branch sasl-prep. It uses libicu.

SASLPrep is only needed when usernames and passwords have non-ASCII or control characters. Since SASLPrep is the only function requiring libicu it was decided that libicu not be bundled in with the driver. Instead, a user must have libicu installed on their system. In the implementation of SCRAM-SHA-256, if a username or password is detected as having non-ASCII or control characters that may require SASLPrep, we can show an error.

The FindICU CMake module also requires CMake 3.7.

Comment by Githook User [ 26/Feb/18 ]

Author:

{'email': 'kevin.albertson@10gen.com', 'name': 'Kevin Albertson', 'username': 'kevinAlbs'}

Message: CDRIVER-2475 implement SASLPrep
Branch: sasl-prep
https://github.com/mongodb/mongo-c-driver/commit/21c3180c805766d30704036485dbd7f53aa54d54

Comment by Githook User [ 26/Feb/18 ]

Author:

{'email': 'kevin.albertson@10gen.com', 'name': 'Kevin Albertson', 'username': 'kevinAlbs'}

Message: CDRIVER-2475 implement SASLPrep
Branch: sasl-prep
https://github.com/mongodb/mongo-c-driver/commit/c0c4ce3dd3d1908933af784830c26305da1f6194

Generated at Wed Feb 07 21:15:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.