• Heikki Linnakangas's avatar
    Support SCRAM-SHA-256 authentication (RFC 5802 and 7677). · 818fd4a6
    Heikki Linnakangas authored
    This introduces a new generic SASL authentication method, similar to the
    GSS and SSPI methods. The server first tells the client which SASL
    authentication mechanism to use, and then the mechanism-specific SASL
    messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
    messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
    adding more SASL mechanisms in the future, without changing the overall
    protocol.
    
    Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
    
    The SASLPrep algorithm, for pre-processing the password, is not yet
    implemented. That could cause trouble, if you use a password with
    non-ASCII characters, and a client library that does implement SASLprep.
    That will hopefully be added later.
    
    Authorization identities, as specified in the SCRAM-SHA-256 specification,
    are ignored. SET SESSION AUTHORIZATION provides more or less the same
    functionality, anyway.
    
    If a user doesn't exist, perform a "mock" authentication, by constructing
    an authentic-looking challenge on the fly. The challenge is derived from
    a new system-wide random value, "mock authentication nonce", which is
    created at initdb, and stored in the control file. We go through these
    motions, in order to not give away the information on whether the user
    exists, to unauthenticated users.
    
    Bumps PG_CONTROL_VERSION, because of the new field in control file.
    
    Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
    stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
    and many others.
    
    Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
    Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
    Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
    818fd4a6
scram.h 1.13 KB