[Firebird-devel] Fwd: [FirebirdSQL/firebird] Connection hangs after delivery of 2**32 - 1 packets (Issue #7065)

2021-12-12 Thread Mark Rotteveel
I strongly disagree with the chosen fix to make the counter size 
configurable. ChaCha20 is standardized in RFC-7539 with a 32-bit counter 
size[1]. Making the counter size configurable has two problems:


1) It is harder to support (as non-standard forms of ChaCha are not 
always available)
2) The client has no way to know which counter variant the server 
expects, and this needs to be explicitly configured both by the client 
and the server, which is really not ideal, and will lead to hard to 
diagnose connection problems.


The proper way to fix this is to define a separate encryption plugin 
name for the variant with a 64-bit counter, so that client and server 
can negotiate the appropriate plugin that is supported.


Alternatively, re-keying could be supported, so that client and server 
can change keys during a connection, but this comes with additional 
challenges.


Mark

 [1]: https://datatracker.ietf.org/doc/html/rfc7539#section-2.4

-------- Original Message --------
Subject: [FirebirdSQL/firebird] Connection hangs after delivery of 2**32 - 1 packets (Issue #7065)

Date: 2021-12-12 18:26
From: Alexander Peshkov 
To: FirebirdSQL/firebird 
Cc: Subscribed 
Reply-To: FirebirdSQL/firebird 



ChaCha wire encryption, used by default since FB4, uses a 32-bit
counter. When the counter overflows, secure packet delivery becomes
impossible without a reconnect.




Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
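
The two counter layouts discussed in the message above, as an added example (not Firebird's code and not part of the thread): a minimal ChaCha20 block function with the RFC 7539 state (32-bit counter, 96-bit nonce) beside the original ChaCha state (64-bit counter, 64-bit nonce). The sample key, the nonces and the zero-prefixed nonce mapping are constructed assumptions; how Firebird builds its IV is not shown in the thread.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def _quarter(s, a, b, c, d):
    # The four add/xor/rotate steps of the ChaCha quarter round.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK32
        s[z] = _rotl(s[z] ^ s[x], r)

def _block(init):
    s = list(init)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in COLUMNS + DIAGONALS:
            _quarter(s, *idx)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(s, init)))

def block_ietf(key, nonce12, counter):
    """RFC 7539 layout: word 12 = 32-bit counter, words 13-15 = nonce."""
    ctr = (counter & MASK32,)  # a 32-bit field: 2**32 wraps to 0
    return _block(SIGMA + struct.unpack("<8I", key) + ctr
                  + struct.unpack("<3I", nonce12))

def block_64(key, nonce8, counter):
    """Original ChaCha layout: words 12-13 = 64-bit counter, 14-15 = nonce."""
    ctr = (counter & MASK32, (counter >> 32) & MASK32)
    return _block(SIGMA + struct.unpack("<8I", key) + ctr
                  + struct.unpack("<2I", nonce8))

def compare_variants():
    key = bytes(range(32))                   # constructed sample key
    n8 = bytes.fromhex("0102030405060708")   # constructed 64-bit nonce
    n12 = bytes(4) + n8                      # assumed mapping to 96 bits
    wrap = 2 ** 32
    return {
        "agree_below_wrap": block_ietf(key, n12, 5) == block_64(key, n8, 5),
        "agree_at_wrap": block_ietf(key, n12, wrap) == block_64(key, n8, wrap),
        "ietf_repeats_block_0": block_ietf(key, n12, wrap) == block_ietf(key, n12, 0),
    }

if __name__ == "__main__":
    print(compare_variants())
```

Under this assumed nonce mapping the two variants produce identical keystream up to block 2**32 and only then diverge, so a counter-size mismatch between client and server would not show up at connect time.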


Re: [Firebird-devel] UDR for reading server configuration for Firebird QA

2021-12-12 Thread Dimitry Sibiryakov

Alex Peshkoff via Firebird-devel wrote 12.12.2021 18:52:


If it does not return sensitive information, I see no problem in adding it to 
the examples UDR project.


With a check for SYSDBA I see no security risk with this UDR


  Isn't GRANT EXECUTE to RDB$ADMIN enough? Or are UDRs not subject to SQL 
rights?

--
  WBR, SD.




Re: [Firebird-devel] UDR for reading server configuration for Firebird QA

2021-12-12 Thread Alex Peshkoff via Firebird-devel

On 12/12/21 01:21, Adriano dos Santos Fernandes wrote:



On Sat, 11 Dec 2021 18:03, Alex Peshkoff via Firebird-devel 
 wrote:


I see no big use in full support of v.3. The requested UDR is trivial,
but I highly dislike the requirement of keeping it in the std distro of
Firebird.


If it does not return sensitive information, I see no problem in adding 
it to the examples UDR project.




With a check for SYSDBA I see no security risk with this UDR


