Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p5bYS-0003kk-UV for pgsql-hackers@arkaria.postgresql.org; Wed, 14 Dec 2022 23:52:53 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1p5bYQ-0002Rw-Mo for pgsql-hackers@arkaria.postgresql.org; Wed, 14 Dec 2022 23:52:50 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p5bYO-0002Rn-VE for pgsql-hackers@lists.postgresql.org; Wed, 14 Dec 2022 23:52:50 +0000 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p5bYL-00023E-Gu for pgsql-hackers@lists.postgresql.org; Wed, 14 Dec 2022 23:52:47 +0000 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id F07A8320051E; Wed, 14 Dec 2022 18:52:40 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Wed, 14 Dec 2022 18:52:41 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm2; t=1671061960; x=1671148360; bh=x6VjgLpoOM yddxvlARKKo1Fv+uLcU51FhJtZmpV75pA=; b=B74bJ2JOQdnIM1XvW+VR5VlrxH GwD6gPSP27FO/D9hSkEqWWvzNzssB8j5CCfH7YqrjXiFbjfWdb85yDjOoH5Tfa72 64BQ7rddaRxefjn76T3BMqBqdaMvTSd0JcQMUOOQSIps8LtnLMXHiPfmQGDs6Dtr CQQSirKeFeceT8L40qMDNlT6RR6ZOMUmC06Dfy08ZkR3ZUO55+D7M+8dXOdwYJs2 DjhZXbChXjO4Y97sBl2arIiSkQuKuwx2YET5Cxpi5crahzSfREB2w4EIdzOu24nP DZFTeCjtd2042AJs0VCbWPrRQ/gT90INg29ZiFMdDlVtDhsFomjuj0zMJJvQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1671061960; x=1671148360; bh=x6VjgLpoOMyddxvlARKKo1Fv+uLc U51FhJtZmpV75pA=; b=D83YGzxgORYdSHBvm5+/0FcKCYWtI0rC4zvtFN9lQXuU pcpLHasceqyPcNNwONmic7YOvjwx79i6McGw3x6L6xz2x2ywN1afAKIMIn8MuUl3 O+Xi7knR8U4ugPpkkQHaG99dsOpjORLIdgUx2awDmE2qqgqhruQJrhgrjNZNC/BO C/M9O98qulrz91Fi8pErV67CV4DxKzCx5gcyvxogmgiXT1m3DQJI5TCuGoSj9QMa cU/T9D4BiyPfsJDUz2wt+4S4pb57Msydh2Y47iCVktRdUJ0TfkJI94acP9kNzGor 4Da7NsuuKk9UQBiFJ0QfCrT2jP/soL8h71ffpX8Zqg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeeggdduvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfg hrlhcuvffnffculdefhedmnecujfgurhepfffhvfevuffkfhggtggujgesghdtreertddt vdenucfhrhhomhepofhitghhrggvlhcurfgrqhhuihgvrhcuoehmihgthhgrvghlsehprg hquhhivghrrdighiiiqeenucggtffrrghtthgvrhhnpeevueeifeegvdeuhffhhfeuhfev ffevtedvheejgfeiudeuvdejleejvddvvddtfeenucffohhmrghinhepihgvthhfrdhorh hgpdhthhgrthdrhhhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghi lhhfrhhomhepmhhitghhrggvlhesphgrqhhuihgvrhdrgiihii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 14 Dec 2022 18:52:37 -0500 (EST) Date: Thu, 15 Dec 2022 08:52:32 +0900 From: Michael Paquier To: "Jonathan S. Katz" Cc: Daniel Gustafsson , Andres Freund , PostgreSQL Hackers Subject: Re: Raising the SCRAM iteration count Message-ID: References: <20221210001538.czikyvk3xtkphxfu@awork3.anarazel.de> <4880738a-cbf7-c9a1-4faf-ba861c731c63@postgresql.org> <75619A47-4CD0-4E0F-8A30-32F83FF593DD@yesql.se> <869f3aee-5c46-998d-be42-b3b232415bef@postgresql.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="2NovYXgAkcdQF9sh" Content-Disposition: inline In-Reply-To: <869f3aee-5c46-998d-be42-b3b232415bef@postgresql.org> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --2NovYXgAkcdQF9sh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Dec 14, 2022 at 01:59:04PM -0500, Jonathan S. Katz wrote: > On 12/14/22 6:25 AM, Daniel Gustafsson wrote: >> I was thinking about it but opted for the simpler approach of a GUC name= with >> the algorithm baked into it: scram_sha256_iterations. It doesn't seem a= ll that >> likely that we'll have more than two versions of SCRAM (sha256/sha512) so >> the additional complexity doesn't seem worth it. >=20 > I would not rule this out. There is a RFC draft for SCRAM-SHA3-512[1]. >=20 > I do have mixed feelings on the 'x1=3Dy1,x2=3Dy2' style GUC, but we do ha= ve > machinery to handle it and it gives a bit more flexibility over how many > SCRAM hash methods get added. I'd like to hear more feedback. Technically, I would put the logic to parse the GUC to scram-common.c and let libpq and the backend use it. Saying that, we are just talking about what looks like one new hashing method, so a separate GUC is fine by me. > (I don't know if there will be a world if we ever let users BYO-hash, but > that case may force separate GUCs anyway). >=20 > [1] https://datatracker.ietf.org/doc/draft-melnikov-scram-sha3-512/ Still, the odds is that we are going to see one update to SCRAM-SHA-256 that we will just need to pick up? >> The attached v2 has the GUC rename and a change to GUC_REPORT such that = the >> frontend can use the real value rather than the default. I kept it for = super >> users so far, do you think it should be a user setting being somewhat se= nsitive? >=20 > No, because a user can set the number of iterations today if they build > their own SCRAM secret. I think it's OK if they change it in a session. >=20 > If a superuser wants to enforce a minimum iteration count, they can write= a > password_check_hook. (Or we could add another GUC to enforce that). Hm? check_password_hook does not allow one to recompile the password given by the user, except if I am missing your point? > -pg_fe_scram_build_secret(const char *password, const char **errstr) > +pg_fe_scram_build_secret(const char *password, int iterations, const char > **errstr) >=20 > I have mild worry about changing this function definition for downstream > usage, esp. for drivers. Perhaps it's not that big of a deal, and perhaps > this will end up being needed for the work we've discussed around > "\password" but I do want to note that this could be a breaking change. FWIW, an extension would be required to enforce the type of hash used, which is an extra parameter on top of the iteration number when building the SCRAM verifier. > + else if (strcmp(name, "scram_sha256_iterations") =3D=3D 0) > + { > + conn->scram_iterations =3D atoi(value); > + } >=20 > Maybe out of scope for this patch based on what else is in the patch, but= I > was wondering why we don't use a "strncmp" here? What would that change? This needs an equal match. conn->in_hot_standby =3D PG_BOOL_UNKNOWN; + conn->scram_iterations =3D SCRAM_DEFAULT_ITERATIONS; s/SCRAM_DEFAULT_ITERATIONS/SCRAM_SHA_256_DEFAULT_ITERATIONS/ and s/scram_iterations/scram_sha_256_interations/ perhaps? It does not look like we'd have the same default across the various SHA variations if we stick with the RFC definitions.. +#ifndef FRONTEND +/* + * Number of iterations when generating new secrets. + */ +extern PGDLLIMPORT int scram_sha256_iterations; +#endif It looks like libpq/scram.h, which is backend-only, would be a better location. @@ -692,7 +697,7 @@ mock_scram_secret(const char *username, int *iterations= , char **salt, encoded_salt[encoded_len] =3D '\0'; =20 *salt =3D encoded_salt; - *iterations =3D SCRAM_DEFAULT_ITERATIONS; + *iterations =3D scram_sha256_iterations; This looks incorrect to me? The mock authentication is here to produce a realistic verifier, still it will fail. It seems to me that we'd better stick to the default in all the cases. (FWIW, extending \password with custom options would have the advantage to allow older server versions to use a custom iteration number. Perhaps that's not worth bothering about, just saying as a separate thing to consider.) -- Michael --2NovYXgAkcdQF9sh Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmOaYcAACgkQnvQgOdby QH1G6w//YoH5BmVbsXkcHwpdZpyzUe4kup2+YaNQlkl3V8x2Z9B1lwRiGwL66JvP SKMIdFgMrsRm5ftATYwaoXDORjue0EUL38DuH+IDa2gObrHUr4o6XXipbbGho/BV lsvhRKzTsnYBrO0i8+GtrMoiwvaUiEZx9UniZVaIEcBgazhcR5trex6s/LIzoFeh GilvVRLsWKgiTUtqbToKbP4qZXE0Xi1POzvJ1UYJCQ/tN3R8wkJ6ih5YwhobnXhp 4G6M6BKLjJmxmSxYFUGT82eXh5AHpOIfaXac6nxWT+O7KjJrtoFgVDEAanui5LwV R8kxYxkqpDfR7VQ/mSnIPAlapW6VCjOdE/tQK3FlFN9BopfbRsW0AhhR3RZxB7Hx qNpuFFyaBVZPE2n3bcxawAuBioy1Zqnxn6RkVdA9XeAoIKYPuCKzViKoMm+TMjaT aohc2etW7JiJAkaqkmsnOfT8wlLphMyNKIDPM1morlXqHEGhUoQH6f39IZ68Vqi7 r8F/yDU5+w/4/FX7b637n9GqEOI2XUJ58l94hrJbTW57HaRguGaQzX8tP82etMBe xAtWYnPA/buoU6R7C81XGXwMkYA9ca+P71fGrXrGt11vrU57hQR2ZHBySSRw6blA vbUKOHyLepEvJuF5ceXtUHUBw3z2pEjfpt/NT5XHY7YJgSd9Q5I= =EuLT -----END PGP SIGNATURE----- --2NovYXgAkcdQF9sh--