From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256 |
Date: | 2017-12-22 02:59:08 |
Message-ID: | 20171222025908.GA11776@paquier.xyz |
Lists: | pgsql-hackers pgsql-jdbc |
On Wed, Dec 20, 2017 at 09:35:55AM +0900, Michael Paquier wrote:
> However, it is possible to simply optimize the frontend code as in
> pg_SASL_init() we already know the channel binding type selected when
> calling pgtls_get_finished() and pgtls_get_peer_certificate_hash(). So
> while I agree with your point, my opinion is to keep the code as
> simple as possible, and then just optimize the frontend code. What do
> you think?
I have looked at how things could be done in symmetry for both the frontend
and backend code, and I have produced the attached patch 0002, which
can be applied on top of 0001 implementing tls-server-end-point. This
simplifies the interfaces to initialize the SCRAM status data by saving
into scram_state and fe_scram_state respectively Port* and PGconn*, which
hold most of the data needed for the exchange. With this patch, cbind_data
is generated only if a specific channel binding type is used with the
appropriate data. So if no channel binding is used there is no additional
SSL call done to get the TLS finished data or the server certificate hash.
0001 has no real changes compared to the last versions.
Peter, thoughts?
--
Michael
Attachment | Content-Type | Size |
---|---|---|
0001-Implement-channel-binding-tls-server-end-point-for-S.patch | text/plain | 17.0 KB |
0002-Refactor-channel-binding-code-to-fetch-cbind_data-on.patch | text/plain | 19.2 KB |
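The exchange the patches implement, worked through as an added example that is not part of this thread or of the PostgreSQL source (PostgreSQL's code is C; Python is used here so the whole SCRAM-SHA-256 flow fits in one runnable block). It shows where cbind_data enters the protocol: tls-server-end-point binding data is the hash of the server certificate (RFC 5929 section 4.1 rule: the certificate signature's hash algorithm, with MD5 and SHA-1 replaced by SHA-256), it is prepended with the gs2-header into the c= attribute of client-final-message, and it is covered by the ClientProof through AuthMessage. When no channel binding type is in use the gs2-header is "n,," and no certificate hash is needed at all, which is the point of 0002. The certificate bytes, salt, password and nonces are constructed placeholders; SASLprep normalization of the password is omitted.

```python
"""SCRAM-SHA-256 with tls-server-end-point channel binding (RFC 5802, 7677, 5929).

Added example, not PostgreSQL code.  The "certificates" below are constructed
byte strings standing in for DER-encoded server certificates, and the nonces
are fixed so the exchange is deterministic.
"""
import base64
import hashlib
import hmac

CB_TYPE = "tls-server-end-point"


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """cbind_data for tls-server-end-point (RFC 5929 4.1): hash the DER cert
    with the hash of its signature algorithm, except that MD5/SHA-1 -> SHA-256."""
    name = "sha256" if sig_hash.lower() in ("md5", "sha1") else sig_hash.lower()
    return hashlib.new(name, cert_der).digest()


def gs2_header(cbind_data):
    # "p=<type>,," only when a channel binding type is actually in use;
    # otherwise "n,," and no certificate hash / TLS finished data is needed.
    return f"p={CB_TYPE},," if cbind_data is not None else "n,,"


def channel_binding_attr(cbind_data):
    """The c= attribute: base64(gs2-header || cbind-data)."""
    hdr = gs2_header(cbind_data).encode()
    return base64.b64encode(hdr + (cbind_data or b"")).decode()


def salted_password(password, salt, iterations):
    # Hi() of RFC 5802 is PBKDF2-HMAC-SHA-256; SASLprep is omitted here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hmac256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def client_side(user, password, cnonce, cbind_data, server_first):
    """Return (client-first-message-bare, client-final-message, expected ServerSignature)."""
    bare = f"n={user},r={cnonce}"
    r, s, i = server_first.split(",")
    salt, iters = base64.b64decode(s[2:]), int(i[2:])
    without_proof = f"c={channel_binding_attr(cbind_data)},{r}"
    auth_message = f"{bare},{server_first},{without_proof}".encode()
    sp = salted_password(password, salt, iters)
    client_key = hmac256(sp, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    proof = xor(client_key, hmac256(stored_key, auth_message))
    server_sig = hmac256(hmac256(sp, b"Server Key"), auth_message)
    return bare, f"{without_proof},p={base64.b64encode(proof).decode()}", server_sig


def server_verify(stored_key, server_key, cbind_data, bare, server_first, client_final):
    """Server side: rebuild c= from its OWN TLS state, compare, then check the
    proof.  Returns the ServerSignature on success, None on failure."""
    without_proof, p = client_final.rsplit(",p=", 1)
    expected_c = f"c={channel_binding_attr(cbind_data)}"
    if not without_proof.startswith(expected_c + ","):
        return None  # channel binding mismatch, e.g. a MITM's certificate
    auth_message = f"{bare},{server_first},{without_proof}".encode()
    client_key = xor(base64.b64decode(p), hmac256(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None
    return hmac256(server_key, auth_message)


def run_exchange(client_cert, server_cert, use_cb=True):
    """Full exchange.  client_cert is the certificate the client's TLS session
    actually saw; it differs from server_cert when a MITM terminates TLS."""
    password, salt, iters = "correct horse", b"constructed-salt", 4096
    sp = salted_password(password, salt, iters)
    stored_key = hashlib.sha256(hmac256(sp, b"Client Key")).digest()
    server_key = hmac256(sp, b"Server Key")
    cnonce, snonce = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iters}"
    c_cb = tls_server_end_point(client_cert, "sha256") if use_cb else None
    s_cb = tls_server_end_point(server_cert, "sha256") if use_cb else None
    bare, final, expected_sig = client_side("alice", password, cnonce, c_cb, server_first)
    sig = server_verify(stored_key, server_key, s_cb, bare, server_first, final)
    return sig is not None and hmac.compare_digest(sig, expected_sig)


if __name__ == "__main__":
    print("direct, bound:    ", run_exchange(b"cert A", b"cert A"))
    print("MITM, bound:      ", run_exchange(b"cert A", b"cert MITM"))
    print("MITM, unbound:    ", run_exchange(b"cert A", b"cert MITM", use_cb=False))
```

The third case is the caveat worth keeping in mind while reading the patches: with no channel binding negotiated, a TLS-terminating relay that forwards the SCRAM messages unchanged authenticates successfully, because nothing in AuthMessage depends on the TLS session. With tls-server-end-point the server-side comparison of c= fails as soon as the client hashed a different certificate than the one the real server holds.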