Re: Letting the client choose the protocol to use during a SASL exchange

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Álvaro Hernández Tortosa <aht@8kdata.com>, Michael Paquier <michael.paquier@gmail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Simon Riggs <simon@2ndquadrant.com>, PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-04-12T17:34:38Z
Lists: pgsql-hackers

Attachments

On 04/11/2017 02:32 PM, Álvaro Hernández Tortosa wrote:
>      So I still see your proposal more awkward and less clear, mixing
> things that are separate. But again, your choice  :)

So, here's my more full-fledged proposal.

The first patch refactors libpq code, by moving the responsibility of 
reading the GSS/SSPI/SASL/MD5 specific data from the authentication 
request packet, from the enormous switch-case construct in 
PQConnectPoll(), into pg_fe_sendauth(). This isn't strictly necessary, 
but I think it's useful cleanup anyway, and now that there's a bit more 
structure in the AuthenticationSASL message, the old way was getting 
awkward.

The second patch contains the protocol changes, and adds the 
documentation for it.

- Heikki

Commits

  1. Improve the SASL authentication protocol.

  2. Refactor libpq authentication request processing.

  3. Minor cleanup of backend SCRAM code.