Re: scram and \password

On Mon, Apr 10, 2017 at 12:53 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Wed, Apr 05, 2017 at 08:11:25PM +0300, Heikki Linnakangas wrote:
>> >Heikki, are you going to do something about these? We're running out of time.
>>
>> Sorry I've been procrastinating. I'm on it now. (We need to do something
>> about this, feature freeze or not..)

As there have been some conflicts because of the commit of SASLprep,
here is a rebased set of patches. A couple of things worth noting:
- SASLprep does an allocation of the prepared password string. It is
definitely better to do all the ground work in pg_saslprep but this
costs a free() call with a #ifdef FRONTEND at the end of
scram_build_verifier().
- Patch 0005 does that:
+ /*
+ * Hash password using SCRAM-SHA-256 when connecting to servers
+ * newer than Postgres 10, and hash with MD5 otherwise.
+ */
+ if (pset.sversion < 100000)
+ encrypted_password = PQencryptPassword(pw1, user, "md5");
+ else
+ encrypted_password = PQencryptPassword(pw1, user, "scram");
Actually I am thinking that guessing the hashing function according to
the value of password_encryption would make the most sense. Thoughts?
--
Michael
VMware vCenter server
www.vmware.com