[Modules] mod_gnutls support for looking up SRP user params in SQL DB (e.g., GNUTLSSRPPasswdQuery)

Quinn Slack sqs at cs.stanford.edu
Mon May 2 04:48:27 EDT 2011


> Quinn Slack <sqs at cs.stanford.edu> writes:
>
>> Right now, mod_gnutls uses a flat-file SRP verifier to store SRP user
>> params for TLS-SRP. I would like to implement a database backend
>> similar to mod_authn_dbd so that mod_gnutls can query an SQL database
>> for a user's SRP parameters.

OK, I've attached a patch that adds this feature. Example config:

    # requires mod_dbd
    DBDriver sqlite3
    DBDParams "db.sqlite3"
    DBDPrepareSQL "SELECT srp_group, srp_v, srp_s FROM srpusers WHERE
user = %s;" srp_lookup_user
    GnuTLSSRPPasswdQuery srp_lookup_user
    GnuTLSSRPPasswdConfFile srp.conf

To try it out, here are the commands to create an SQLite3 table with
one user named "user" with password "secret":

    CREATE TABLE srpusers(user TEXT PRIMARY KEY, srp_group INTEGER,
srp_v TEXT, srp_s TEXT);
    INSERT INTO "srpusers" VALUES('user', 1024,
'nKSKOitJs7z1FcFBsTjvLIOzGQajVYh9NsA6kovP8ju01QQoCDgYl3N8Hy+uR8JdRyB9eQRTV7KQSr5Q+ELQ5iCNlncQkgQP+uNcwMFFpOlk/rqbbRzBXuLU+Pm97TtDEfu/xyWszL9pw2LDIn0HKTFcjQbn80vgNFGjns8tovk=','2kG2UNO7YtbViXyOkmn8zg==');

You can create srp.conf with `srptool --create-conf srp.conf`. Then
connect to your server with, e.g., `gnutls-cli --srpusername user
--srppasswd secret 127.0.0.1`.

A few things...

* Since query labels prepared with DBDPrepareSQL are namedspaced
per-VirtualHost (DBD handles are specific to a server), I need to
access the VirtualHost's server_rec in the mgs_srp_server_credentials
callback. So, I added a new server_rec* member to mgs_srvconf_rec. It
seemed impossible to instead find the corresponding server_rec*
through the new 2.1+ mgs_find_sni_server, since it looks up
vhost_cb_rec, not server_rec. If anybody has a better idea of how to
do this, please do tell.

* It expects the query to return results with columns named
"srp_group", "srp_v", and "srp_s". Since it's easy to use "SELECT abcd
AS srp_group, ..." to rename columns in the result set, I think this
OK.

* srptool has defined its own incompatible Base64 encoding. Instead of
perpetuating that non-standard encoding, this code expects the srp_v
and srp_s values to be standard Base64-encoded values. For existing
SRP passwd files, I have a Python script to convert between SRP Base64
and standard Base64 at [1].

* This code only supports the standard SRP groups in GnuTLS (1024-,
1536-, and 2048-bit). This can easily be changed later, if needed.

On Wed, Apr 27, 2011 at 11:58 PM, Simon Josefsson <simon at josefsson.org> wrote:
> I think this sounds great.  If it is possible, please design this in a
> modular way internally so that it is will be easy to write a LDAP
> backend eventually.

Coo. It is fairly modular. If you look at the code and had something
else in mind for modularity, let me know.

[1] http://trustedhttp.org/wiki/Converting_between_SRP_Base64_and_standard_Base64
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mod_gnutls-GnuTLSSRPPasswdQuery-20110502.patch
Type: text/x-patch
Size: 11535 bytes
Desc: not available
Url : http://lists.outoforder.cc/pipermail/modules/attachments/20110502/0bc91a51/attachment.bin 


More information about the Modules mailing list