Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256
Date: 2017-12-22 02:59:08
Message-ID: 20171222025908.GA11776@paquier.xyz
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-jdbc

On Wed, Dec 20, 2017 at 09:35:55AM +0900, Michael Paquier wrote:
> However, it is possible to simply optimize the frontend code as in
> pg_SASL_init() we already know the channel binding type selected when
> calling pgtls_get_finished() and pgtls_get_peer_certificate_hash(). So
> while I agree with your point, my opinion is to keep the code as
> simple as possible, and then just optimize the frontend code. What do
> you think?

I have looked at how things could be done in symmetry for both the frontend
and backend code, and I have produced the attached patch 0002, which
can be applied on top of 0001 implementing tls-server-end-point. This
simplifies the interfaces to initialize the SCRAM status data by saving
into scram_state and fe_scram_state respectively Port* and PGconn* which
holds most of the data needed for the exchange. With this patch, cbind_data
is generated only if a specific channel binding type is used with the
appropriate data. So if no channel binding is used there is no additional
SSL call done to get the TLS finished data or the server certificate hash.

0001 has no real changes compared to the last versions.

Peter, thoughts?
--
Michael

Attachment Content-Type Size
0001-Implement-channel-binding-tls-server-end-point-for-S.patch text/plain 17.0 KB
0002-Refactor-channel-binding-code-to-fetch-cbind_data-on.patch text/plain 19.2 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Thomas Munro 2017-12-22 03:46:21 Condition variable live lock
Previous Message Gene Selkov 2017-12-22 02:23:35 Re: genomic locus

Browse pgsql-jdbc by date

  From Date Subject
Next Message Michael Paquier 2017-12-22 08:10:30 Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256
Previous Message Michael Paquier 2017-12-20 00:35:55 Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256