On Mon, Jul 4, 2016 at 6:34 AM, Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote: > On 7/2/16 3:54 PM, Heikki Linnakangas wrote: >> >> In related news, RFC 7677 that describes a new SCRAM-SHA-256 >> authentication mechanism, was published in November 2015. It's identical >> to SCRAM-SHA-1, which is what this patch set implements, except that >> SHA-1 has been replaced with SHA-256. Perhaps we should forget about >> SCRAM-SHA-1 and jump straight to SCRAM-SHA-256. > > I think a global change from SHA-1 to SHA-256 is in the air already, so if > we're going to release something brand new in 2017 or so, it should be > SHA-256. > > I suspect this would be a relatively simple change, so I wouldn't mind > seeing a SHA-1-based variant in CF1 to get things rolling.
I'd just move this thing to SHA256, we are likely going to use that at the end. As I am coming back into that, I would as well suggest do the following, that the current set of patches is clearly missing: - Put the HMAC infrastructure stuff of pgcrypto into src/common/. It is a bit a shame to not reuse what is currently available, then I would suggest to reuse that with HMAC_SCRAM_SHAXXX as label. - Move *all* the SHA-related things of pgcrypto to src/common, including SHA1, SHA224 and SHA256. px_memset is a simple wrapper on top of memset, we should clean up that first. Any other things to consider that I am forgetting? -- Michael -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
