Re: SCRAM authentication, take three

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Michael Paquier <michael.paquier@gmail.com>, Aleksander Alekseev <a.alekseev@postgrespro.ru>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-02-15T11:28:38Z
Lists: pgsql-hackers

Attachments

On 02/07/2017 04:20 AM, Michael Paquier wrote:
> On Tue, Feb 7, 2017 at 3:12 AM, Aleksander Alekseev
> <a.alekseev@postgrespro.ru> wrote:
>> No, I'm afraid `make distclean` doesn't help. I've re-checked twice.
>
> Hm. I can see the failure on macos and python2 builds as well with the
> set of patches applied. And the master branch is working properly.
> This needs some investigation.

Ah, found it. It was because of this change:

> --- a/src/backend/utils/errcodes.txt
> +++ b/src/backend/utils/errcodes.txt
> @@ -247,6 +247,7 @@ Section: Class 28 - Invalid Authorization Specification
>
>  28000    E    ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION                    invalid_authorization_specification
>  28P01    E    ERRCODE_INVALID_PASSWORD                                       invalid_password
> +28P01    E    ERRCODE_INVALID_NONCE                                          invalid_nonce
>

Having two error codes with the same SQLSTATE is not cool, and tripped 
the assertion in PL/python. I removed the new error code, it was only 
used in one place, and ERRCODE_PROTOCOL_VIOLATIOn was more appropriate 
there anyway.

Attached is a new set of patches, with that fixed. Thanks for the report 
Aleksander!

- Heikki

Commits

  1. Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

  2. Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).