I think it's a fairly big change, especially since we'd then have a lot of
conditional if (sasl) { wrap_bytes } else { dont_wrap }. And then it
affects all communication between server and client, which is quite risky.On Fri, Oct 9, 2015 at 4:54 PM Flavio Junqueira <[email protected]> wrote: > Ok, got it, but it sounds like we can just wrap and unwrap the bytes we > are sending, no? Do you think that will end up being a lot of changes? > > -Flavio > > > On 09 Oct 2015, at 15:38, Ivan Kelly <[email protected]> wrote: > > > > To protect the integrity of each packet, each packet needs to be wrapped > by > > SaslClient/SaslServer (see wrap/unwrap in > > > http://docs.oracle.com/javase/8/docs/api/javax/security/sasl/SaslClient.html > ). > > Currently sasl is only used to initialize the connection, and then we > send > > over the raw socket. This changes the lifetime of the sasl components, as > > it needs to be used with all communication. It's not like SSL, where we > > negotiate SSL at the start and then the SSL engine provides a socket > which > > we use to send data. > > > > -Ivan > > > > On Fri, Oct 9, 2015 at 4:33 PM Flavio Junqueira <[email protected]> wrote: > > > >> I'm not sure based on what you say that it'd be invasive. Enabling > >> different types of QOP seems to be relatively straightforward, unless > I'm > >> missing something here. Chris did a good job describing what needs to be > >> done, and this far I have the same understanding of the changes. > >> > >> -Flavio > >> > >>> On 09 Oct 2015, at 15:30, Ivan Kelly <[email protected]> wrote: > >>> > >>> IMO, adding QOP to 3.4 would be a fairly large and invasive change, > which > >>> is something which shouldn't be done on the stable branch. > >>> > >>> -Ivan > >>> > >>> On Fri, Oct 9, 2015 at 4:02 PM Flavio Junqueira <[email protected]> > wrote: > >>> > >>>> Not in the 3.4 branch, which is the latest stable branch at the > moment. > >>>> > >>>> -Flavio > >>>> > >>>>> On 09 Oct 2015, at 15:00, Ivan Kelly <[email protected]> wrote: > >>>>> > >>>>> Is auth-int necessary if we have SSL on the client (as there is in > >>>> trunk)? > >>>>> My understanding is that all comms would have to be wrapped by sasl > if > >>>> you > >>>>> have QOP enabled. > >>>>> > >>>>> -Ivan > >>>>> > >>>>> On Fri, Oct 9, 2015 at 9:42 AM Flavio Junqueira <[email protected]> > >> wrote: > >>>>> > >>>>>> Hi Chris, > >>>>>> > >>>>>> Yeah, I was thinking along the same lines, so sounds like a plan. I > >> know > >>>>>> Raul is going to hate me for this, but I'd really like to have this > in > >>>>>> 3.4.7. It sounds like a simple enough change that we can have in > >>>> shortly, > >>>>>> does it sound right? > >>>>>> > >>>>>> Please go ahead with the jira if you have time, and if you don't > have > >>>> time > >>>>>> to work on the patch, just assign it to me. > >>>>>> > >>>>>> -Flavio > >>>>>> > >>>>>> > >>>>>>> On 08 Oct 2015, at 23:16, Chris Nauroth <[email protected]> > >>>>>> wrote: > >>>>>>> > >>>>>>> Hi Flavio, > >>>>>>> > >>>>>>> It appears that the current code doesn't give us any way to control > >> the > >>>>>>> QOP, so it must be always using the default QOP of "auth" > >>>> (authentication > >>>>>>> only). This is because the calls to Sasl#createSaslClient and > >>>>>>> Sasl#createSaslServer pass a hard-coded null for the properties > map. > >>>>>>> > >>>>>>> > >>>>>> > >>>> > >> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo > >>>>>>> keeper/client/ZooKeeperSaslClient.java#L240 > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>> > >> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo > >>>>>>> keeper/client/ZooKeeperSaslClient.java#L288 > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>> > >> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo > >>>>>>> keeper/server/ZooKeeperSaslServer.java#L118 > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>> > >> > https://github.com/apache/zookeeper/blob/trunk/src/java/main/org/apache/zoo > >>>>>>> keeper/server/ZooKeeperSaslServer.java#L144 > >>>>>>> > >>>>>>> > >>>>>>> If we want to support setting QOP to "auth-int" (authentication + > >>>>>>> integrity/man-in-the-middle tampering protection) or "auth-conf" > >>>>>>> (authentication + integrity + confidentiality/encryption), then I > >> think > >>>>>>> we'll need to make code changes to read a new QOP configuration > >>>> property, > >>>>>>> put it into a Map using Sasl#QOP as the key, and then pass it along > >> to > >>>>>> the > >>>>>>> Sasl#createSaslClient and Sasl#createSaslServer calls. > >>>>>>> > >>>>>>> Is this what you need? If so, then I'd be happy to write up the > >>>> proposal > >>>>>>> in a new JIRA. I didn't find any existing open JIRAs that look > >>>> relevant. > >>>>>>> > >>>>>>> --Chris Nauroth > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> On 10/8/15, 2:06 PM, "Flavio Junqueira" <[email protected]> wrote: > >>>>>>> > >>>>>>>> Has anyone tried to use the QOP (Quality of Protection) property > for > >>>>>> SASL > >>>>>>>> when running ZooKeeper? > >>>>>>>> > >>>>>>>> -Flavio > >>>>>>> > >>>>>> > >>>>>> > >>>> > >>>> > >> > >> > >
