On Mon, Apr 10, 2017 at 12:53 PM, Noah Misch <n...@leadboat.com> wrote:
> On Wed, Apr 05, 2017 at 08:11:25PM +0300, Heikki Linnakangas wrote:
>> >Heikki, are you going to do something about these? We're running out of
>> >time.
>>
>> Sorry I've been procrastinating. I'm on it now. (We need to do something
>> about this, feature freeze or not..)

As there have been some conflicts because of the commit of SASLprep, here is a rebased set of patches. A couple of things worth noting:
- SASLprep does an allocation of the prepared password string. It is definitely better to do all the ground work in pg_saslprep but this costs a free() call with a #ifdef FRONTEND at the end of scram_build_verifier().
- Patch 0005 does that:
+ /* + * Hash password using SCRAM-SHA-256 when connecting to servers + * newer than Postgres 10, and hash with MD5 otherwise. + */ + if (pset.sversion < 100000) + encrypted_password = PQencryptPassword(pw1, user, "md5"); + else + encrypted_password = PQencryptPassword(pw1, user, "scram");
Actually I am thinking that guessing the hashing function according to the value of password_encryption would make the most sense. Thoughts?
--
Michael
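
Review bot: the comment at the top of the psql hunk says SCRAM-SHA-256 is used for servers "newer than Postgres 10", but the condition "if (pset.sversion < 100000)" selects md5 only for servers older than 10, so a version 10 server itself takes the "scram" branch; reword the comment to "Postgres 10 or newer" so it matches the test. Choosing the method from the server version alone also leaves out the server's password_encryption setting, which is the question raised right after the hunk; if the version-based choice stays, the comment should say that this is deliberate.
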
0001-Use-base64-based-encoding-for-stored-and-server-keys.patch
0002-Move-routine-to-build-SCRAM-verifier-into-src-common.patch
0003-Refactor-frontend-side-random-number-generation.patch
0004-Extend-PQencryptPassword-with-a-hashing-method.patch
0005-Extend-psql-s-password-and-createuser-to-handle-SCRA.patch

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers