[CDRIVER-2539] SCRAM secrets should be cached by hashed password, salt, and iterations Created: 08/Mar/18  Updated: 28/Oct/23  Resolved: 13/Mar/18

Status: Closed
Project: C Driver
Component/s: auth
Affects Version/s: 1.7.0
Fix Version/s: 1.10.0

Type: Bug Priority: Major - P3
Reporter: Jeremy Mikola Assignee: Jeremy Mikola
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PHPC-1022 Sporadic SCRAM-SHA-1 authentication f... Closed
Related
is related to CDRIVER-2150 Cache SCRAM-SHA-1 ClientKey Closed
is related to DRIVERS-343 Cache SCRAM ClientKey Closed

 Description   

CDRIVER-2150 implemented caching for SCRAM-SHA-1 by tracking the client key, server key, and salted password on the mongoc_cluster_t object. Once cached, those values are then used for all subsequent SCRAM authentications for the same cluster/client.

In PHPC-1022, we discovered that this behavior was the cause of occasional authentication failures for persisted libmongoc clients. While the client error was vague, the server logs indicated:

AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch

Looking at 16e8333 for SERVER-26952,
scram_sha1_client_cache.cpp uses the following pre-secrets as its hash key:

  • hashed password
  • salt
  • iteration count

Rather than maintain a single cache entry for the entire cluster, libmongoc should cache its secrets by an n-tuple of the above pre-secrets. This cache need not be limited to mongoc_cluster_t. We can have _mongoc_scram_startup() (called by _mongoc_do_init()) initialize a global hash table for use by all libmongoc clients. This will allow us to remove any notion of caching from mongoc-cluster.c and contain it within mongoc-scram.c. That hash table can later be freed in a new _mongoc_scram_cleanup() function, which can be invoked by _mongoc_do_cleanup().
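The following is an added Python model of the two caching strategies contrasted above; it is not libmongoc code and does not reproduce the libmongoc API. It derives the SCRAM-SHA-1 secrets per RFC 5802 (SaltedPassword via PBKDF2-HMAC-SHA-1, then ClientKey, StoredKey and ServerKey), runs the client proof through a minimal server-side verifier, and shows that a single per-cluster slot keeps handing out a ClientKey derived from a stale salt once the server's pre-secrets change, which the verifier reports as a storedKey mismatch, while a cache keyed by (hashed password, salt, iteration count) simply misses and re-derives. The class names, the fixed salts, the iteration count, the AuthMessage string and the trigger (the same password re-provisioned under a fresh salt) are constructed for the example; the ticket does not say what changed the pre-secrets in PHPC-1022. The md5("user:mongo:pwd") step is the MongoDB convention for the "hashed password" fed into SCRAM-SHA-1, but nothing in the cache logic depends on it.

```python
"""Model of SCRAM-SHA-1 secret caching: one per-cluster slot vs. a cache keyed by pre-secrets."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ScramSecrets:
    salted_password: bytes
    client_key: bytes
    stored_key: bytes
    server_key: bytes


def mongodb_hashed_password(username: str, password: str) -> str:
    # MongoDB feeds md5(user:mongo:pwd) as hex into SCRAM-SHA-1 as the "hashed password".
    return hashlib.md5(f"{username}:mongo:{password}".encode("utf-8")).hexdigest()


def derive_secrets(hashed_password: str, salt: bytes, iterations: int) -> ScramSecrets:
    # RFC 5802: SaltedPassword = Hi(password, salt, i); ClientKey/ServerKey are HMACs over it;
    # StoredKey = H(ClientKey). PBKDF2 here is the expensive step the cache exists to avoid.
    salted = hashlib.pbkdf2_hmac("sha1", hashed_password.encode("utf-8"), salt, iterations, 20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return ScramSecrets(salted, client_key, stored_key, server_key)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PerClusterCache:
    """Pre-fix behaviour: one slot per cluster, reused for every later authentication."""
    def __init__(self):
        self.slot = None
        self.derivations = 0

    def get(self, hashed_password: str, salt: bytes, iterations: int) -> ScramSecrets:
        if self.slot is None:          # salt and iterations are ignored on every later call
            self.slot = derive_secrets(hashed_password, salt, iterations)
            self.derivations += 1
        return self.slot


class PreSecretCache:
    """Fixed behaviour: entries keyed by (hashed password, salt, iteration count)."""
    def __init__(self):
        self.entries = {}
        self.derivations = 0

    def get(self, hashed_password: str, salt: bytes, iterations: int) -> ScramSecrets:
        key = (hashed_password, salt, iterations)
        if key not in self.entries:    # any change in the pre-secrets is a miss, never a stale hit
            self.entries[key] = derive_secrets(hashed_password, salt, iterations)
            self.derivations += 1
        return self.entries[key]


class ScramServer:
    """Minimal verifier holding the server-side credential record for one user."""
    def __init__(self, hashed_password: str, salt: bytes, iterations: int):
        self.salt, self.iterations = salt, iterations
        s = derive_secrets(hashed_password, salt, iterations)
        self.stored_key, self.server_key = s.stored_key, s.server_key

    def verify(self, auth_message: bytes, client_proof: bytes) -> str:
        # ClientKey = ClientProof XOR ClientSignature; it must hash to the StoredKey on file.
        client_signature = hmac.new(self.stored_key, auth_message, hashlib.sha1).digest()
        recovered_client_key = xor(client_proof, client_signature)
        if hashlib.sha1(recovered_client_key).digest() != self.stored_key:
            return "storedKey mismatch"
        return "ok"


def authenticate(cache, server: ScramServer, hashed_password: str, auth_message: bytes) -> str:
    # Client side: salt and iteration count arrive in the server-first message.
    secrets = cache.get(hashed_password, server.salt, server.iterations)
    client_signature = hmac.new(secrets.stored_key, auth_message, hashlib.sha1).digest()
    client_proof = xor(secrets.client_key, client_signature)
    return server.verify(auth_message, client_proof)


def run_scenario(cache) -> list:
    hp = mongodb_hashed_password("app", "correct horse battery staple")
    # Constructed fixtures: fixed salts for determinism, 4096 iterations, a stand-in AuthMessage.
    server = ScramServer(hp, b"\x01" * 16, 4096)
    msg = b"n=app,r=nonce1,r=nonce1nonce2,s=AQEB,i=4096,c=biws,r=nonce1nonce2"
    results = [authenticate(cache, server, hp, msg), authenticate(cache, server, hp, msg)]
    # Same password re-provisioned under a fresh salt: StoredKey on the server changes,
    # so a ClientKey derived from the old salt can no longer prove possession.
    server = ScramServer(hp, b"\x02" * 16, 4096)
    results.append(authenticate(cache, server, hp, msg))
    return results
```

Running `run_scenario(PerClusterCache())` yields two successes and then "storedKey mismatch" on the third attempt, whereas `run_scenario(PreSecretCache())` succeeds three times at the cost of exactly one extra PBKDF2 derivation; the per-cluster slot is cheaper only because it is wrong.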



 Comments   
Comment by A. Jesse Jiryu Davis [ 13/Mar/18 ]

Thanks Jeremy!

Comment by Githook User [ 13/Mar/18 ]

Author:

{'email': 'jmikola@gmail.com', 'name': 'Jeremy Mikola', 'username': 'jmikola'}

Message: CDRIVER-2539 use pre-secrets for SCRAM caching
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/bfcbed2aaed6082f6eaacf490858bb73eb1c042b

Generated at Wed Feb 07 21:15:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.