leafo / pgmoon

A pure Lua Postgres driver for use in OpenResty & more
MIT License

add support for scram-sha-256 with channel binding #101

Closed ghost closed 3 years ago

ghost commented 3 years ago

add support for scram-sha-256 with channel binding

Setting password_encryption to scram-sha-256 in postgresql.conf will encrypt the password with SCRAM-SHA-256. The default is md5, which will encrypt the password with MD5.

If the password was encrypted with SCRAM-SHA-256 in postgres (by setting password_encryption to scram-sha-256 in postgresql.conf), then postgres clients can authenticate to the postgres server by setting the authentication method specification to scram-sha-256 in pg_hba.conf.

The problem is that the pgmoon client doesn't support the SCRAM-SHA-256 authentication method. So the postgres server supports SCRAM-SHA-256, but the client doesn't. If the password is encrypted with SCRAM-SHA-256 (by setting password_encryption to scram-sha-256 in postgresql.conf) and if the postgres authentication method is set to SCRAM-SHA-256 (by setting the authentication method specification to scram-sha-256 in pg_hba.conf), then pgmoon won't be able to authenticate to postgres because the password will be sent as SCRAM-SHA-256 encrypted and not MD5 or plaintext (the ones supported by pgmoon).

Here we are implementing the client-side support for SCRAM-SHA-256 as defined by [3]. Per the postgres docs [2], only SASL is supported, as per RFC 7677 [3]. So the client implementation should be conformant to that RFC only, not to the HTTP version of SCRAM-SHA-256 (RFC 7804).

Implementation details:

[1] https://github.com/postgres/postgres/blob/REL_13_1/src/backend/libpq/auth-scram.c#L1011-L1013
[2] https://www.postgresql.org/docs/13/auth-password.html
[3] https://www.rfcreader.com/#rfc7677
[4] https://www.rfcreader.com/#rfc5929
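As an added illustration of the exchange this PR implements (not pgmoon's code, and in Python rather than Lua so it runs stand-alone), here are both halves of the SCRAM-SHA-256 exchange of RFC 7677 [3] with the tls-server-end-point channel binding of RFC 5929 [4]; the nonces, salt and certificate hashes are constructed values, and the server is simplified to share the client's gs2 header instead of parsing it from client-first.

```python
import base64
import hashlib
import hmac

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _parse(msg):
    # SCRAM messages are comma-separated k=v attributes (RFC 5802, section 7)
    return dict(kv.split(b"=", 1) for kv in msg.split(b","))

def client_final(password, gs2, bare, server_first, cbind_data):
    # gs2 is b"p=tls-server-end-point,," with binding, b"n,," without; cbind_data is the server cert hash (RFC 5929)
    sf = _parse(server_first)
    salt, iters = base64.b64decode(sf[b"s"]), int(sf[b"i"])
    without_proof = b"c=" + base64.b64encode(gs2 + cbind_data) + b",r=" + sf[b"r"]
    auth_msg = bare + b"," + server_first + b"," + without_proof
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iters)
    client_key = _hmac(salted, b"Client Key")
    client_sig = _hmac(hashlib.sha256(client_key).digest(), auth_msg)
    proof = base64.b64encode(_xor(client_key, client_sig))
    expected_v = base64.b64encode(_hmac(_hmac(salted, b"Server Key"), auth_msg))
    return without_proof + b",p=" + proof, expected_v

def server_final(stored_key, server_key, gs2, bare, server_first, final_msg, cbind_data):
    # Server side: check the binding data, recover ClientKey from the proof, verify H(ClientKey) == StoredKey
    without_proof, proof = final_msg.rsplit(b",p=", 1)
    if base64.b64decode(_parse(without_proof)[b"c"]) != gs2 + cbind_data:
        return None  # client was bound to a different TLS endpoint
    auth_msg = bare + b"," + server_first + b"," + without_proof
    client_key = _xor(base64.b64decode(proof), _hmac(stored_key, auth_msg))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None  # wrong password
    return b"v=" + base64.b64encode(_hmac(server_key, auth_msg))

# Constructed certificate hashes standing in for the TLS endpoint each side sees
CERT_HASH_A = hashlib.sha256(b"constructed server certificate A").digest()
CERT_HASH_B = hashlib.sha256(b"constructed server certificate B").digest()

def scram_exchange(user, password, stored_password, client_cb, server_cb):
    # Runs the four messages of RFC 7677 section 3 with constructed nonces and salt; b"" = no channel binding
    gs2 = b"p=tls-server-end-point,," if client_cb else b"n,,"
    bare = b"n=" + user + b",r=clientnonce01"
    salt, iters = b"constructed-salt", 4096
    server_first = b"r=clientnonce01servernonce02,s=" + base64.b64encode(salt) + b",i=%d" % iters
    # StoredKey and ServerKey are what the server keeps when password_encryption = scram-sha-256
    salted = hashlib.pbkdf2_hmac("sha256", stored_password, salt, iters)
    stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
    server_key = _hmac(salted, b"Server Key")
    final_msg, expected_v = client_final(password, gs2, bare, server_first, client_cb)
    v = server_final(stored_key, server_key, gs2, bare, server_first, final_msg, server_cb)
    return v is not None and hmac.compare_digest(v, b"v=" + expected_v)
```

The last two checks in `scram_exchange` are the ones that matter to a client like pgmoon: the client only accepts the session when the server's `v=` matches, and the server only accepts it when the `c=` attribute carries the certificate hash of the endpoint the client actually connected to.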

leafo commented 3 years ago

Sorry this hasn't been merged yet, the source code changes are in Lua, but this repository is written in MoonScript, so someone will have to port the code before the changes can be merged. I'm willing to do that, but I just haven't had time yet.

ozsoyler commented 3 years ago

Hello. Is it possible to merge these commits so they can be used in updated Kong? Thanks.

tingeltangelthomas commented 3 years ago

+1

leafo commented 3 years ago

This has been rewritten into MoonScript with some minor changes and merged into master. Thanks for the contribution!