Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r7XZ7-005l9d-W8 for pgsql-hackers@arkaria.postgresql.org; Mon, 27 Nov 2023 09:06:06 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1r7XZ5-00Bjkn-1J for pgsql-hackers@arkaria.postgresql.org; Mon, 27 Nov 2023 09:06:03 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r7XZ4-00Bjkf-Ns for pgsql-hackers@lists.postgresql.org; Mon, 27 Nov 2023 09:06:02 +0000 Received: from smtp.outgoing.loopia.se ([93.188.3.37]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1r7XYw-007Zch-Mb for pgsql-hackers@lists.postgresql.org; Mon, 27 Nov 2023 09:06:01 +0000 Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 122D52FCDB16 for ; Mon, 27 Nov 2023 10:05:51 +0100 (CET) Received: from s981.loopia.se (unknown [172.22.191.6]) by s807.loopia.se (Postfix) with ESMTP id 01A062E2814A; Mon, 27 Nov 2023 10:05:51 +0100 (CET) Received: from s474.loopia.se (unknown [172.22.191.5]) by s981.loopia.se (Postfix) with ESMTP id E827022B227E; Mon, 27 Nov 2023 10:05:50 +0100 (CET) X-Virus-Scanned: amavisd-new at amavis.loopia.se X-Spam-Flag: NO X-Spam-Score: -1.01 X-Spam-Level: X-Spam-Status: No, score=-1.01 tagged_above=-999 required=6.2 tests=[ALL_TRUSTED=-1, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=disabled Received: from s979.loopia.se ([172.22.191.5]) by s474.loopia.se (s474.loopia.se [172.22.190.14]) (amavisd-new, port 10024) with UTF8LMTP id o_dd6GAtm5T1; Mon, 27 Nov 2023 10:05:50 +0100 (CET) X-Loopia-Auth: user X-Loopia-User: daniel@yesql.se X-Loopia-Originating-IP: 89.255.232.193 Received: from smtpclient.apple (customer-89-255-232-193.stosn.net [89.255.232.193]) (Authenticated sender: daniel@yesql.se) by s979.loopia.se (Postfix) with ESMTPSA id 39D0710BCA23; Mon, 27 Nov 2023 10:05:50 +0100 (CET) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\)) Subject: Re: [PATCH] Add CHECK_FOR_INTERRUPTS in scram_SaltedPassword loop. From: Daniel Gustafsson In-Reply-To: Date: Mon, 27 Nov 2023 10:05:49 +0100 Cc: Aleksander Alekseev , Postgres hackers , Bowen Shi , Tom Lane Content-Transfer-Encoding: quoted-printable Message-Id: <137DA8EC-397D-4DF8-A573-4A18D80DC0A1@yesql.se> References: <1674901.1700665447@sss.pgh.pa.us> To: Michael Paquier X-Mailer: Apple Mail (2.3696.120.41.1.3) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk > On 25 Nov 2023, at 02:20, Michael Paquier wrote: >=20 > On Thu, Nov 23, 2023 at 11:19:51AM +0300, Aleksander Alekseev wrote: >>>> I don't think it would be useful to limit this at an arbitrary = point, iteration >>>> count can be set per password and if someone wants a specific = password to be >>>> super-hard to brute force then why should we limit that? >>>=20 >>> I agree with that. Maybe some users do want a super-hard password. >>> RFC 7677 and RFC 5802 don't specify the maximum number of = iterations. >>=20 >> That's a fairly good point. However we are not obligated not to >> implement everything that is missing in RFC. Also in fact we already >> limit the number of iterations to INT_MAX. >=20 > INT_MAX, as in the limit that we have for integer GUCs and the > routines building the hashed entry, so the Postgres internals are what > defines the limit here. I doubt that we'll see cases where somebody > would want more than that, but who knows in 10/20 years. >=20 >> If we decide to limit this number even further the actual problem is >> to figure out what the new practical limit would be. Regardless of = the >> chosen number there is a possibility of breaking backward >> compatibility for certain users. >=20 > No idea what the limit should be if it were to be lowered down, but > I suspect that even a new lower limit could be an issue for hosts in > the low-end specs when it comes to DOS. It's not like there are no > ways to eat CPU when you are already logged in. The whole point of this GUC (and the iteration count construct in the = spec) is to allow hardened setups to make brute forcing passwords as hard as they = choose them to be, setting an upper limit (apart from the INT_MAX = implementation detail) where one isn't even mentioned in the RFC makes little sense = when the loop can be canceled. On the flip side, setups which have low end clients can choose to reduce = it from the default to make scram an option at all where it previously was = too expensive and less secure schemes had to be used. >> For this reason I believe merging the proposed patch would be the >> right move at this point. It doesn't make anything worse for the >> existing users and solves a potential problem for some of them. >=20 > Yeah, agreed. Being stuck on a potential large tight loops is > something we tend to avoid in the backend, so I agree that this is a > thing to keep in the backend especially because we have > scram_iterations and that it is user-settable. >=20 > I think that we should backpatch that down to v16 at least where the > GUC has been introduced as it's more like a nuisance if one sets the > GUC to an incorrect value, and I'd like to apply the patch this way. > Any objections or comments regarding that? I don't see any reason to backpatch further down than 16 given how low = the hardcoded value is set there, scanning the archives I see no complaints = about it either. As a reference, CREATE ROLE using 4096 iterations takes 14ms = on my 10 year old laptop (1M iterations, 244x the default, takes less than a = second). -- Daniel Gustafsson