[SERVER-29915] SCRAM-SHA-1 mechanism should respect "y" in gs2-cbind-flag Created: 29/Jun/17  Updated: 30/Oct/23  Resolved: 03/Aug/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.5.12

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2017-07-10, Platforms 2017-07-31, Platforms 2017-08-21
Participants:

Description

SCRAM defines the gs2-cbind-flag parameter as follows:

   gs2-cbind-flag  = ("p=" cb-name) / "n" / "y"
                     ;; "n" -> client doesn't support channel binding.
                     ;; "y" -> client does support channel binding
                     ;;        but thinks the server does not.
                     ;; "p" -> client requires channel binding.
                     ;; The selected channel binding follows "p=".

This is a man-in-the-middle protection measure for clients that must detect whether a remote server supports channel binding. If a man-in-the-middle manipulates traffic and tricks the client into believing that the server does not support channel binding, the client must set this flag to "y". If the server supports channel binding and sees "y", that is an error. If, more likely, the MitM edits the client's message and the server sees "n", then the client and server will not be able to negotiate a shared secret and authentication will fail.

MongoDB currently fails authentication attempts that send anything other than "n". Neither our server nor our drivers support channel binding, so the drivers always send "n" and this has not been an issue. However, if a future driver supported channel binding and detected that an old server did not, it would have to send the server "y". Today, that would cause authentication to fail.
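The following is an added, self-contained model of the server-side decision this ticket describes; it is not MongoDB's code. It parses the gs2-header of a SCRAM client-first-message, applies the RFC 5802 rules for the gs2-cbind-flag (accepting "y" on a server without channel binding, which is the change requested here; the `server_supports_cb=True` branch is the RFC behaviour for servers that do support it, not something MongoDB implements), and checks the client-final "c=" attribute against the header the server actually saw, which is how a MitM rewrite of "y" to "n" surfaces as a failure. The message strings and the constructed nonce are illustrative only; the error strings are the server-error-value names from RFC 5802.

```python
import base64
import binascii
import re

# gs2-cbind-flag = ("p=" cb-name) / "n" / "y"   (RFC 5802, quoted on the page)
# gs2-header     = gs2-cbind-flag "," [ authzid ] ","
# cb-name characters are restricted to ALPHA / DIGIT / "." / "-" (RFC 5056).
GS2_HEADER_RE = re.compile(r"^(?P<flag>n|y|p=[A-Za-z0-9.\-]+),(?P<authzid>a=[^,]*)?,")

# server-error-value names defined in RFC 5802 section 7.
ERR_CB_NOT_SUPPORTED = "channel-binding-not-supported"
ERR_SERVER_SUPPORTS_CB = "server-does-support-channel-binding"
ERR_CB_MISMATCH = "channel-bindings-dont-match"
ERR_OTHER = "other-error"


def split_client_first(client_first: str):
    """Split a client-first-message into (gs2_header, client_first_bare).

    Returns None when the gs2 header does not match the grammar."""
    m = GS2_HEADER_RE.match(client_first)
    if not m:
        return None
    return m.group(0), client_first[m.end():]


def evaluate_cbind_flag(gs2_header: str, server_supports_cb: bool):
    """Decide whether the server may continue given the client's gs2-cbind-flag.

    Returns (True, None) to continue or (False, server-error-value) to fail.
    The flag is everything before the first comma of the header."""
    flag = gs2_header.split(",", 1)[0]
    if flag == "n":
        return True, None                      # client does not use channel binding
    if flag == "y":
        if server_supports_cb:
            # The client believed we lack channel binding; a server that has it
            # must treat "y" as a downgrade attempt and refuse (RFC 5802).
            return False, ERR_SERVER_SUPPORTS_CB
        return True, None                      # the behaviour this ticket asks for
    if flag.startswith("p="):
        if not server_supports_cb:
            return False, ERR_CB_NOT_SUPPORTED  # client requires what we lack
        return True, None
    return False, ERR_OTHER


def check_cbind_attribute(gs2_header_seen: str, c_value: str, cbind_data: bytes = b""):
    """Verify the client-final 'c=' attribute against the header seen in client-first.

    c = base64(gs2-header || cbind-data). The client builds this from the header
    it sent and covers it with its proof, so if a MitM rewrote "y" to "n" in
    transit the server's reconstruction no longer matches and authentication fails."""
    expected = gs2_header_seen.encode() + cbind_data
    try:
        actual = base64.b64decode(c_value, validate=True)
    except (ValueError, binascii.Error):
        return False, ERR_OTHER
    if actual != expected:
        return False, ERR_CB_MISMATCH
    return True, None


def demo():
    """Walk the three cases from the ticket on a server without channel binding."""
    # Constructed client-first-message: a driver that supports channel binding
    # but believes the server does not, hence "y".
    client_first = "y,,n=user,r=fyko+d2lbbFgONRv9qkxdawL"
    gs2_header, _bare = split_client_first(client_first)
    # What the client will later send as c= (base64 of its own gs2 header).
    c_value = base64.b64encode(gs2_header.encode()).decode()

    honest = evaluate_cbind_flag(gs2_header, server_supports_cb=False)
    honest_c = check_cbind_attribute(gs2_header, c_value)

    # A MitM rewrites the flag to "n" on the wire; the server sees "n,," but the
    # client's c= still encodes "y,,".
    tampered_header = "n" + gs2_header[1:]
    tampered_c = check_cbind_attribute(tampered_header, c_value)
    return honest, honest_c, tampered_c


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `((True, None), (True, None), (False, 'channel-bindings-dont-match'))`: the untampered "y" is accepted once the server stops rejecting everything but "n", while the downgraded exchange is caught at the c= check rather than silently succeeding.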

Comments
Comment by Githook User [ 10/Aug/17 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com>

Message: SERVER-29915: Respect "y" in gs2-cbind-flag in SCRAM
Branch: master
https://github.com/mongodb/mongo/commit/07d4d94b06c6899699410312e20ef33d954ddbd1

Generated at Thu Feb 08 04:22:09 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.