pgagroal icon indicating copy to clipboard operation
pgagroal copied to clipboard

Published 20 hours ago verified publisher icon agroal

Support UTF8 passwords

Open jesperpedersen opened this issue 4 years ago • 4 comments

Requires updates to SASL prep

jesperpedersen avatar Feb 26 '20 14:02 jesperpedersen

As far as I can tell, strlen seems to support multibytes strings (I thought wcslen and friends). Apparently the following code snippet works finr on my machine, but I'm sure I'm missing something:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>


static int
sasl_prep(char* password, char** password_prep)
{
    int length = strlen( password );
    *password_prep = (char*) malloc( length );
    strncpy( *password_prep, password, length);

    return 0;
}

#define SIZE 64
#define PWD1 "I ❤ pgagroal, the 🐘 PostgreSQL connection pooler! 🎉"
#define PWD2 "LÙCA FERRÀRÌ"

void
main()
{
    char *src_password, *dst_password;

    src_password = (char*) malloc( SIZE );
    dst_password = (char*) malloc( SIZE );
    memset( src_password, 0, SIZE );
    memset( dst_password, 0, SIZE );

    memcpy( src_password, PWD1 , sizeof( PWD1 ) );
    printf( "\nOriginal : [%s]\n", src_password );
    sasl_prep( src_password, &dst_password );
    printf( "\nSASL : [%s]\n", dst_password );

    memcpy( src_password, PWD2 , sizeof( PWD2 ) );
    printf( "\nOriginal : [%s]\n", src_password );
    sasl_prep( src_password, &dst_password );
    printf( "\nSASL : [%s]\n", dst_password );

}

If that is right, the only need is to change strdup to strncpy. Probably there shold be something else to check for longer strings (overflows?). This is surely not my area of experise, so forgive me in case the above is totally wrong.

fluca1978 avatar May 26 '22 10:05 fluca1978

Unfortunately it isn't as simple.

See section 2.2 in https://datatracker.ietf.org/doc/html/rfc5802 for the overall requirements (Normalize(str)). It requires an implementation of

  • https://datatracker.ietf.org/doc/html/rfc4013
  • https://datatracker.ietf.org/doc/html/rfc3454
  • https://datatracker.ietf.org/doc/html/rfc3629

These checks needs to be implemented in admin.c as well.

jesperpedersen avatar May 26 '22 11:05 jesperpedersen

Definitely something out of my expertise. Any chance we can reuse PostgreSQL code here? https://github.com/postgres/postgres/blob/master/src/common/saslprep.c#L1044

fluca1978 avatar May 26 '22 13:05 fluca1978

It ihas to be a clean-room implementation - although you can look at it if you give credit.

We can't have a dependency on postgresql-devel.

jesperpedersen avatar May 26 '22 13:05 jesperpedersen