From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Victor Wagner <vitus(at)wagner(dot)pp(dot)ru> |
Cc: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Password identifiers, protocol aging and SCRAM protocol |
Date: | 2016-11-09 06:23:11 |
Message-ID: | CAB7nPqTGk+F2dw8=Gv8wXfm6eVHr=n9aAiMi_xtO7Or4r0AD+g@mail.gmail.com |
Lists: | pgsql-hackers |
On Wed, Nov 9, 2016 at 3:13 PM, Victor Wagner <vitus(at)wagner(dot)pp(dot)ru> wrote:
> On Tue, 18 Oct 2016 16:35:27 +0900
> Michael Paquier <michael(dot)paquier(at)gmail(dot)com> wrote:
>
> Hi
>> Attached is a rebased patch set for SCRAM, with the following things:
>> - 0001, moving all the SHA2 functions to src/common/ and introducing a
>> PG-like interface. No actual changes here.
>
> It seems that client nonce generation in this patch is not
> RFC-compliant.
>
> RFC 5802 states that the SCRAM nonce should be
>
> a sequence of random printable ASCII
> characters excluding ','
>
> while this patch uses a sequence of random bytes from the pg_strong_random
> function with a zero byte appended.
(This is about patch 0007, not 0001)
Thanks, you are right. That's not good as-is. So this basically means
that the characters here should be from 32 to 127 inclusive.
generate_nonce just needs to be made smarter in the way it selects the
character bytes.
--
Michael
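A sketch of what a compliant generate_nonce could look like, added here as an illustration and not code from the patch or from PostgreSQL. It reads /dev/urandom as a stand-in for pg_strong_random, uses rejection sampling so the mapping onto the allowed alphabet stays uniform, and validates the result against the RFC 5802 character set (0x21 to 0x7E, excluding ','):

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 5802: nonce chars are printable ASCII 0x21..0x7E excluding ','
 * (0x2C), which delimits attributes in SCRAM messages. */
#define NONCE_MIN 0x21
#define NONCE_MAX 0x7E
#define NONCE_ALPHABET_SIZE (NONCE_MAX - NONCE_MIN)  /* 93: 94 chars minus ',' */
/* Returns true if s is non-empty and every byte is a legal nonce char. */
bool
is_valid_scram_nonce(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    for (; *s != '\0'; s++)
    {
        unsigned char c = (unsigned char) *s;
        if (c < NONCE_MIN || c > NONCE_MAX || c == ',')
            return false;
    }
    return true;
}

/* Fill buf (len + 1 bytes) with len nonce chars and a terminating NUL.
 * /dev/urandom is a stand-in for pg_strong_random. Rejection sampling
 * keeps the output uniform: a byte is used only when it is below the
 * largest multiple of the alphabet size, then mapped onto 0x21..0x7E
 * with ',' skipped. */
bool
generate_nonce(char *buf, size_t len)
{
    const unsigned limit = 256 - (256 % NONCE_ALPHABET_SIZE);  /* 186 */
    FILE *fp = fopen("/dev/urandom", "rb");
    size_t i = 0;

    if (fp == NULL)
        return false;
    while (i < len)
    {
        int b = fgetc(fp);
        if (b == EOF) { fclose(fp); return false; }
        if ((unsigned) b >= limit)
            continue;  /* reject to avoid modulo bias */
        b %= NONCE_ALPHABET_SIZE;
        buf[i++] = (char) (NONCE_MIN + b + (NONCE_MIN + b >= ',' ? 1 : 0));
    }
    buf[len] = '\0';
    fclose(fp);
    return true;
}
```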