Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256

From: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [JDBC] [HACKERS] Channel binding support for SCRAM-SHA-256
Date: 2017-12-01 02:11:14
Message-ID: CAB7nPqRrAFZCSk3xMd7=sXtVO2Y_N=NCGG14Mivu_L9XpP4mEQ@mail.gmail.com
Lists: pgsql-hackers pgsql-jdbc

On Wed, Nov 29, 2017 at 7:42 AM, Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> On 11/28/17 17:33, Michael Paquier wrote:
>> 1) Have a special value in the parameter saslchannelbinding proposed
>> in patch 0001. For example by specifying "none" then no channel
>> binding is used.
>
> I was thinking if it's empty then don't use channel binding. Right now,
> empty means the same thing as tls-unique. In any case, some variant of
> that should be fine. I don't think we need a separate server option
> at this point.

OK, here is a reworked version with the following changes:
- renamed saslchannelbinding to scramchannelbinding, with a default
set to tls-unique.
- An empty value of scramchannelbinding allows the client to not use
channel binding, or in short use SCRAM-SHA-256 and cbind-flag set
to 'n'.

While reviewing the code, I have found something a bit disturbing with
the header definitions: the libpq frontend code includes scram.h,
which references backend-side routines. So I think that the definition
of the SCRAM mechanisms as well as the channel binding types should be
moved to scram-common.h. This cleanup is included in 0001.
--
Michael

Attachment Content-Type Size
0001-Move-SCRAM-related-name-definitions-to-scram-common..patch application/octet-stream 3.1 KB
0002-Add-connection-parameter-scramchannelbinding.patch application/octet-stream 9.1 KB
0003-Implement-channel-binding-tls-server-end-point-for-S.patch application/octet-stream 17.0 KB
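To make the cbind-flag semantics discussed above concrete, here is an added illustration (not libpq code, and not part of the patches attached to this message) of how the scramchannelbinding value maps onto the GS2 header of the SCRAM client-first-message and the `c=` attribute of client-final-message, together with the server-side check that ties the two to the TLS session. Function names are assumptions; the flag values 'n', 'y' and 'p=<type>' follow RFC 5802, and the channel-binding bytes in the test are constructed.

```python
import base64


def client_gs2_header(scramchannelbinding: str, server_offers_plus: bool) -> str:
    """GS2 header that opens the SCRAM client-first-message (RFC 5802 section 7).

    scramchannelbinding == ""   -> cbind-flag 'n': no channel binding, plain SCRAM-SHA-256
    otherwise, PLUS offered     -> 'p=<type>': channel binding of that type is used
    otherwise, PLUS not offered -> 'y': client supports it; lets the server spot a downgrade
    """
    if scramchannelbinding == "":
        flag = "n"
    elif server_offers_plus:
        flag = "p=" + scramchannelbinding
    else:
        flag = "y"
    return flag + ",,"  # empty authzid, then the trailing comma


def client_cbind_attr(gs2_header: str, cbind_data: bytes) -> str:
    """Value of the 'c=' attribute in client-final-message: base64(gs2-header || cbind-data).

    cbind_data is empty when the flag is 'n' or 'y'.
    """
    return base64.b64encode(gs2_header.encode("ascii") + cbind_data).decode("ascii")


def server_verify_cbind(c_attr: str, server_offers_plus: bool, expected_cbind: dict) -> bool:
    """Server-side check of 'c='. expected_cbind maps a channel binding type name to the
    bytes the server derives from its own view of the TLS session (hypothetical helper)."""
    raw = base64.b64decode(c_attr)
    flag, _, rest = raw.partition(b",")
    if flag == b"n":
        return rest == b","  # nothing may follow the empty authzid
    if flag == b"y":
        # Client supports channel binding but saw no -PLUS mechanism. If this server did
        # offer one, the mechanism list was altered in transit: reject the downgrade.
        return not server_offers_plus and rest == b","
    if flag.startswith(b"p="):
        cb_type = flag[2:].decode("ascii")
        if cb_type not in expected_cbind:
            return False
        # The client's binding data must match the server's view of the same TLS session.
        return rest == b"," + expected_cbind[cb_type]
    return False
```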
