crystal-lang / crystal

The Crystal Programming Language
https://crystal-lang.org
Apache License 2.0

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports #11730

Open Neustradamus opened 2 years ago

Neustradamus commented 2 years ago

Dear @crystal-lang team,

First of all, I wish you a Happy New Year!


Note: @naqvis has already worked on a part of this here: https://github.com/naqvis/cr-xmpp. I think that he can add it directly here:

Can you add to https://github.com/crystal-lang/crystal support for:

You can add too:

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

IMAP:

LDAP:

HTTP:

2FA:

IANA:

Linked to:

straight-shoota commented 2 years ago

Happy New Year to you as well!

Thanks for bringing this up. However, I can't make much sense of this largely uncommented collection of references. I get that you propose adding a number of SCRAM-SHA algorithms to Crystal's standard library. I can find no comprehensible reason for that. Please detail why you think those should be added to the standard library (as opposed to being provided in a shard such as https://github.com/naqvis/cr-xmpp).

Neustradamus commented 2 years ago

@straight-shoota: Thanks for your reply and your wishes.

It is to replace the old and insecure DIGEST-MD5 included in this lib with SCRAM-SHA- and SCRAM-SHA--PLUS.

I inform you that there are already 3 versions in cr-xmpp to help.

Of course you need to read; SCRAM information is in this ticket, and a list of already compatible libs/software is here:

It is important for security because DIGEST-MD5 is obsolete and insecure.
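The mechanism requested in the two comments above, as an added illustration that is not part of this thread, of Crystal's standard library, or of cr-xmpp: a minimal SCRAM-SHA-256 client and server following RFC 5802 with SHA-256 as specified in RFC 7677. It is written in Python because the exchange is language-independent and only needs HMAC, a hash and PBKDF2 (Crystal's OpenSSL/Digest bindings provide the same primitives). All class and function names are mine. It shows the security property that motivates replacing DIGEST-MD5: the server stores only salt, iteration count, StoredKey and ServerKey, never the password or a password-equivalent secret, and the final `v=` message authenticates the server to the client. SASLprep, username escaping and the `-PLUS` channel binding are left out, which is why the client sends `c=biws` (base64 of `n,,`, meaning "no channel binding"); the `rfc7677_example` function replays the published test exchange from RFC 7677 section 3.

```python
import base64
import hashlib
import hmac
import secrets

HASH = "sha256"   # SCRAM-SHA-256 (RFC 7677); "sha1" would give SCRAM-SHA-1 (RFC 5802)

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()

def _h(msg: bytes) -> bytes:
    return hashlib.new(HASH, msg).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def parse_attrs(msg: str) -> dict:
    """Parse a SCRAM attribute list such as 'r=...,s=...,i=4096' (values may contain '=')."""
    return dict(part.split("=", 1) for part in msg.split(","))

def derive_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 section 3: SaltedPassword -> (ClientKey, StoredKey, ServerKey). SASLprep omitted."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, _h(client_key), _hmac(salted, b"Server Key")

class ScramServer:
    """Verifier side: keeps salt, iterations, StoredKey and ServerKey only, never the password."""

    def __init__(self, password: str, salt: bytes, iterations: int, server_nonce: str = ""):
        _, self.stored_key, self.server_key = derive_keys(password, salt, iterations)
        self.salt, self.iterations = salt, iterations
        self.server_nonce = server_nonce or secrets.token_urlsafe(18)   # must be fresh per exchange

    def first_message(self, client_first: str) -> str:
        self.client_first_bare = client_first.split(",", 2)[2]          # drop the "n,," GS2 header
        self.nonce = parse_attrs(self.client_first_bare)["r"] + self.server_nonce
        self.server_first = "r=%s,s=%s,i=%d" % (self.nonce, _b64(self.salt), self.iterations)
        return self.server_first

    def final_message(self, client_final: str) -> str:
        attrs = parse_attrs(client_final)
        if attrs["r"] != self.nonce:
            raise ValueError("nonce mismatch (replayed or tampered message)")
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth_message = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        # ClientKey = ClientProof XOR ClientSignature; the server checks H(ClientKey) == StoredKey
        # but cannot forge a proof itself, because H() is one-way.
        client_key = _xor(base64.b64decode(attrs["p"]), _hmac(self.stored_key, auth_message))
        if not hmac.compare_digest(_h(client_key), self.stored_key):
            raise ValueError("authentication failed")
        return "v=" + _b64(_hmac(self.server_key, auth_message))       # ServerSignature: mutual auth

class ScramClient:
    def __init__(self, username: str, password: str, client_nonce: str = ""):
        self.username, self.password = username, password               # username: no ',' or '=' here
        self.client_nonce = client_nonce or secrets.token_urlsafe(18)

    def first_message(self) -> str:
        self.client_first_bare = "n=%s,r=%s" % (self.username, self.client_nonce)
        return "n,," + self.client_first_bare                           # "n" = no channel binding

    def final_message(self, server_first: str) -> str:
        attrs = parse_attrs(server_first)
        if not attrs["r"].startswith(self.client_nonce):
            raise ValueError("server did not echo our nonce")
        client_key, stored_key, self.server_key = derive_keys(
            self.password, base64.b64decode(attrs["s"]), int(attrs["i"]))
        without_proof = "c=biws,r=" + attrs["r"]                         # "biws" = base64("n,,")
        self.auth_message = ",".join([self.client_first_bare, server_first, without_proof]).encode()
        proof = _xor(client_key, _hmac(stored_key, self.auth_message))
        return without_proof + ",p=" + _b64(proof)

    def verify_server(self, server_final: str) -> bool:
        expected = _hmac(self.server_key, self.auth_message)
        return hmac.compare_digest(base64.b64decode(parse_attrs(server_final)["v"]), expected)

def run_exchange(client: ScramClient, server: ScramServer) -> list:
    """Drive the four-message exchange; raises ValueError if either side rejects the other."""
    c1 = client.first_message()
    s1 = server.first_message(c1)
    c2 = client.final_message(s1)
    s2 = server.final_message(c2)
    if not client.verify_server(s2):
        raise ValueError("server signature invalid (peer does not hold ServerKey)")
    return [c1, s1, c2, s2]

def rfc7677_example() -> list:
    """Replay the SCRAM-SHA-256 exchange from RFC 7677 section 3 (user 'user', password 'pencil')."""
    salt = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
    client = ScramClient("user", "pencil", "rOprNGfwEbeRWgbNEkqO")
    server = ScramServer("pencil", salt, 4096, "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0")
    return run_exchange(client, server)

if __name__ == "__main__":
    for line in rfc7677_example():
        print(line)
```

Running it prints the four messages of the RFC 7677 exchange. A wrong password makes `ScramServer.final_message` raise, and a server that does not hold `ServerKey` cannot produce a `v=` value the client accepts, which is the mutual-authentication property DIGEST-MD5 lacks in practice.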

jhass commented 2 years ago

AFAIR Crystal's standard library does not implement CRAM-MD5 anywhere. The Digest namespace refers to hash digests in the general sense and is collecting different hash digest algorithms. What these are then applied for is outside the scope of the Crystal standard library. Removing any and all possibility to compute an MD5 hash digest does not seem reasonable. Likewise AFAIR there's no precedent for providing specific challenge response authentication mechanisms, so we need to have some actual good motivations brought forward to consider this.

Neustradamus commented 2 years ago

Good comment from @konovod: https://github.com/crystal-lang/crystal/issues/11731#issuecomment-1008302600.

But here, the goal is to have SCRAM support.

Is it not possible to add it?

straight-shoota commented 2 years ago

It can be added if there's a good reason to have this in stdlib. I don't see such good reason. It's probably better placed in a shard.